package org.fcrepo.auth.webac;

import com.github.jsonldjava.core.JsonLdConsts;
import java.net.URI;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.function.Function;
import java.util.function.Predicate;
import java.util.stream.Collectors;
import java.util.stream.IntStream;
import java.util.stream.Stream;
import javax.annotation.PostConstruct;
import javax.inject.Inject;
import org.apache.jena.graph.Node;
import org.apache.jena.graph.NodeFactory;
import org.apache.jena.graph.Triple;
import org.fcrepo.config.AuthPropsConfig;
import org.fcrepo.http.api.FedoraAcl;
import org.fcrepo.kernel.api.FedoraTypes;
import org.fcrepo.kernel.api.Transaction;
import org.fcrepo.kernel.api.exception.PathNotFoundException;
import org.fcrepo.kernel.api.exception.PathNotFoundRuntimeException;
import org.fcrepo.kernel.api.exception.RepositoryException;
import org.fcrepo.kernel.api.identifiers.FedoraId;
import org.fcrepo.kernel.api.models.FedoraResource;
import org.fcrepo.kernel.api.models.NonRdfSourceDescription;
import org.fcrepo.kernel.api.models.ResourceFactory;
import org.fcrepo.kernel.api.models.TimeMap;
import org.fcrepo.kernel.api.models.WebacAcl;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.stereotype.Component;

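/**
 * Resolves which WebAC access modes each agent holds on a repository resource.
 *
 * <p>The effective ACL is located by walking from the resource up through its containers
 * ({@link #getEffectiveAcl}). When no ACL is found, the root default ACL configured through
 * {@link AuthPropsConfig#getRootAuthAclPath()} is used instead. The result of {@link #getRoles} is an
 * unfiltered agent-to-modes map; this class does not decide whether a given request is allowed.
 */
@Component
/* loaded from: input_file:WEB-INF/lib/fcrepo-auth-webac-6.0.0-beta-1.jar:org/fcrepo/auth/webac/WebACRolesProvider.class */
public class WebACRolesProvider {

    private static final Logger LOGGER = LoggerFactory.getLogger(WebACRolesProvider.class);

    /** Namespace shared by all WebAC predicates; used to pick ACL statements out of a graph. */
    private static final String WEBAC_NAMESPACE = "http://www.w3.org/ns/auth/acl#";
    private static final String WEBAC_ACCESS_TO = WEBAC_NAMESPACE + "accessTo";
    private static final String WEBAC_ACCESS_TO_CLASS = WEBAC_NAMESPACE + "accessToClass";

    private static final Node RDF_TYPE_NODE = NodeFactory.createURI(JsonLdConsts.RDF_TYPE);
    private static final Node VCARD_GROUP_NODE = NodeFactory.createURI(URIConstants.VCARD_GROUP_VALUE);
    private static final Node VCARD_MEMBER_NODE = NodeFactory.createURI(URIConstants.VCARD_MEMBER_VALUE);

    /** Builds a predicate that accepts an authorization whose acl:accessToClass names any of the given types. */
    private static final Function<List<String>, Predicate<WebACAuthorization>> accessToClass =
            rdfTypes -> authorization ->
                    rdfTypes.stream().anyMatch(type -> authorization.getAccessToClassURIs().contains(type));

    /** Builds a predicate that accepts an authorization whose acl:accessTo names any of the given paths. */
    private static final Function<List<String>, Predicate<WebACAuthorization>> accessTo =
            paths -> authorization ->
                    paths.stream().anyMatch(path -> authorization.getAccessToURIs().contains(path));

    /** Accepts triples whose predicate lives in the WebAC namespace. */
    private static final Predicate<Triple> hasAclPredicate =
            triple -> triple.getPredicate().getNameSpace().equals(WEBAC_NAMESPACE);

    @Inject
    private AuthPropsConfig authPropsConfig;

    @Inject
    private ResourceFactory resourceFactory;

    private String userBaseUri;
    private String groupBaseUri;

    /** Copies the configured user and group agent base URIs once dependencies have been injected. */
    @PostConstruct
    public void setup() {
        this.userBaseUri = this.authPropsConfig.getUserAgentBaseUri();
        this.groupBaseUri = this.authPropsConfig.getGroupAgentBaseUri();
    }

    /**
     * Collects the access modes granted to each agent for the given resource.
     *
     * <p>Agents listed through acl:agent or resolved from acl:agentGroup are included, except for the
     * foaf:Agent and acl:AuthenticatedAgent values, which are only honoured when they are given as
     * acl:agentClass.
     *
     * @param fedoraResource the resource being accessed
     * @param transaction the transaction used to load agent group resources
     * @return a mutable map from agent identifier to the mode URIs granted to it
     */
    public Map<String, Collection<String>> getRoles(FedoraResource fedoraResource, Transaction transaction) {
        LOGGER.debug("Getting agent roles for: {}", fedoraResource.getId());

        Optional<ACLHandle> effectiveAcl = getEffectiveAcl(fedoraResource, false);

        // Paths an authorization's acl:accessTo may name in order to apply to this request.
        List<String> resourcePaths = new ArrayList<>();
        if (fedoraResource instanceof WebacAcl) {
            resourcePaths.add(fedoraResource.getContainer().getId());
        } else {
            resourcePaths.add(fedoraResource.getDescribedResource().getId());
        }

        // Work on a copy: the types of the ACL-bearing ancestor are appended below, and appending to the
        // list handed out by the resource could leak those types into later checks if that list is
        // shared or cached. NOTE(review): whether getTypes() returns a shared list is not visible here.
        List<URI> rdfTypes = new ArrayList<>(fedoraResource.getDescription().getTypes());

        effectiveAcl.map(handle -> handle.resource)
                .filter(aclOwner -> !aclOwner.getId().equals(fedoraResource.getId()))
                .ifPresent(aclOwner -> {
                    resourcePaths.add(aclOwner.getId());
                    rdfTypes.addAll(aclOwner.getTypes());
                });

        // No ACL anywhere in the hierarchy: the default authorizations are matched against every ancestor path.
        if (!effectiveAcl.isPresent()) {
            resourcePaths.addAll(getAllPathAncestors(fedoraResource.getId()));
        }

        Predicate<WebACAuthorization> matchesPath = accessTo.apply(resourcePaths);
        Predicate<WebACAuthorization> matchesType = accessToClass.apply(
                rdfTypes.stream().map(URI::toString).collect(Collectors.toList()));

        List<WebACAuthorization> authorizations = effectiveAcl
                .map(handle -> handle.authorizations)
                .orElseGet(this::getDefaultAuthorizations);

        Map<String, Collection<String>> rolesByAgent = new HashMap<>();
        authorizations.stream().filter(matchesPath.or(matchesType)).forEach(authorization -> {
            Set<String> modes = authorization.getModes().stream()
                    .map(Object::toString)
                    .collect(Collectors.toSet());

            Stream.concat(
                            authorization.getAgents().stream(),
                            dereferenceAgentGroups(transaction, authorization.getAgentGroups()).stream())
                    .filter(agent -> !isPublicOrAuthenticatedAgent(agent))
                    .forEach(agent -> rolesByAgent.computeIfAbsent(agent, key -> new HashSet<>()).addAll(modes));

            authorization.getAgentClasses().stream()
                    .filter(WebACRolesProvider::isPublicOrAuthenticatedAgent)
                    .forEach(agentClass ->
                            rolesByAgent.computeIfAbsent(agentClass, key -> new HashSet<>()).addAll(modes));
        });

        LOGGER.debug("Unfiltered ACL: {}", rolesByAgent);
        return rolesByAgent;
    }

    /** Returns true for the two agent values that are only accepted as acl:agentClass. */
    private static boolean isPublicOrAuthenticatedAgent(String agent) {
        return agent.equals(URIConstants.FOAF_AGENT_VALUE)
                || agent.equals(URIConstants.WEBAC_AUTHENTICATED_AGENT_VALUE);
    }

    /**
     * Lists every ancestor path of a resource identifier, from the repository root down to its parent.
     *
     * @param resourceId identifier carrying the {@code info:fedora} prefix
     * @return ancestor identifiers, root first, excluding {@code resourceId} itself
     */
    private static List<String> getAllPathAncestors(String resourceId) {
        List<String> segments = Arrays.asList(resourceId.replace(FedoraTypes.FEDORA_ID_PREFIX, "").split("/"));
        // segments[0] is the empty string before the leading slash, hence subList starts at 1.
        return IntStream.range(1, segments.size())
                .mapToObj(end -> {
                    String path = String.join("/", segments.subList(1, end));
                    return "info:fedora" + (!path.isBlank() ? "/" : "") + path;
                })
                .collect(Collectors.toList());
    }

    /**
     * Expands acl:agentGroup references into the agents they contain.
     *
     * <p>Only groups stored in this repository are dereferenced. A foaf:Agent value is passed through
     * unchanged and any other group URI is ignored, so no external resource is fetched.
     *
     * @param transaction the transaction used to load group resources
     * @param agentGroups group URIs taken from an authorization
     * @return the members found in the referenced groups
     * @throws PathNotFoundRuntimeException if a referenced group resource does not exist
     */
    private List<String> dereferenceAgentGroups(Transaction transaction, Collection<String> agentGroups) {
        List<String> members = agentGroups.stream().flatMap(agentGroup -> {
            if (!agentGroup.startsWith(FedoraTypes.FEDORA_ID_PREFIX)) {
                if (agentGroup.equals(URIConstants.FOAF_AGENT_VALUE)) {
                    return Stream.of(agentGroup);
                }
                LOGGER.info("Ignoring agentGroup: {}", agentGroup);
                return Stream.<String>empty();
            }
            // A "#fragment" selects one group inside a resource that may describe several.
            int hashIndex = agentGroup.indexOf("#");
            String groupResourceId = hashIndex > 0 ? agentGroup.substring(0, hashIndex) : agentGroup;
            String hashSuffix = hashIndex > 0 ? agentGroup.substring(hashIndex) : null;
            try {
                FedoraResource groupResource =
                        this.resourceFactory.getResource(transaction, FedoraId.create(groupResourceId));
                return getAgentMembers(groupResource, hashSuffix);
            } catch (PathNotFoundException e) {
                throw new PathNotFoundRuntimeException(e.getMessage(), e);
            }
        }).collect(Collectors.toList());

        if (LOGGER.isDebugEnabled() && !agentGroups.isEmpty()) {
            LOGGER.debug("Found {} members in {} agentGroups resources", members.size(), agentGroups.size());
        }
        return members;
    }

    /**
     * Reads the vcard:member values of a group resource.
     *
     * @param groupResource the resource holding the group description
     * @param hashSuffix the "#fragment" that a subject URI must end with, or null to accept every subject
     * @return member identifiers with the user base URI stripped, or an empty stream when the selected
     *         triples do not declare a vcard:Group
     */
    private Stream<String> getAgentMembers(FedoraResource groupResource, String hashSuffix) {
        // Only URI subjects can carry a fragment; asking a blank node for its URI would throw.
        List<Triple> triples = groupResource.getTriples()
                .filter(triple -> hashSuffix == null
                        || (triple.getSubject().isURI() && triple.getSubject().getURI().endsWith(hashSuffix)))
                .collect(Collectors.toList());

        boolean isGroup = triples.stream()
                .anyMatch(triple -> triple.matches(triple.getSubject(), RDF_TYPE_NODE, VCARD_GROUP_NODE));
        if (!isGroup) {
            return Stream.empty();
        }
        return triples.stream()
                .filter(triple -> triple.predicateMatches(VCARD_MEMBER_NODE))
                .map(Triple::getObject)
                .flatMap(WebACRolesProvider::nodeToStringStream)
                .map(this::stripUserAgentBaseURI);
    }

    /** Removes the configured user base URI from the front of an agent identifier, when present. */
    private String stripUserAgentBaseURI(String agent) {
        if (this.userBaseUri == null || !agent.startsWith(this.userBaseUri)) {
            return agent;
        }
        return agent.substring(this.userBaseUri.length());
    }

    /** Converts a URI or literal node to its string value; any other node kind yields nothing. */
    private static Stream<String> nodeToStringStream(Node node) {
        if (node.isURI()) {
            return Stream.of(node.getURI());
        }
        if (node.isLiteral()) {
            return Stream.of(node.getLiteralValue().toString());
        }
        return Stream.empty();
    }

    /**
     * Extracts the acl:Authorization entries declared in an ACL resource.
     *
     * @param aclResource the resource expected to be an ACL; a non-ACL resource yields an empty list
     * @param ancestorAcl when true, only authorizations carrying at least one acl:default value are kept
     * @return the authorizations found, possibly empty
     */
    private List<WebACAuthorization> getAuthorizations(FedoraResource aclResource, boolean ancestorAcl) {
        List<WebACAuthorization> authorizations = new ArrayList<>();
        LOGGER.debug("ACL: {}", aclResource.getId());
        if (!aclResource.isAcl()) {
            return authorizations;
        }

        List<Triple> triples = aclResource.getTriples().collect(Collectors.toList());

        // Subjects typed as acl:Authorization. The isURI() guard skips rdf:type statements whose object
        // is a blank node or literal instead of failing on getURI().
        Set<Node> authorizationSubjects = triples.stream()
                .filter(triple -> triple.getPredicate().getURI().equals(JsonLdConsts.RDF_TYPE)
                        && triple.getObject().isURI()
                        && triple.getObject().getURI().equals(URIConstants.WEBAC_AUTHORIZATION_VALUE))
                .map(Triple::getSubject)
                .collect(Collectors.toSet());

        // NOTE(review): subjects are keyed by URI, so an authorization declared on a blank node would
        // make getURI() throw here; confirm ACL documents are validated before they are stored.
        Map<String, Map<String, List<String>>> valuesBySubject = new HashMap<>();
        triples.stream()
                .filter(hasAclPredicate)
                .filter(triple -> authorizationSubjects.contains(triple.getSubject()))
                .forEach(triple -> addAclValues(
                        valuesBySubject.computeIfAbsent(triple.getSubject().getURI(), key -> new HashMap<>()),
                        triple));

        LOGGER.debug("Adding acl:Authorization from {}", aclResource.getId());
        valuesBySubject.values().forEach(values -> {
            WebACAuthorization authorization = createAuthorizationFromMap(values);
            if (!ancestorAcl || !authorization.getDefaults().isEmpty()) {
                authorizations.add(authorization);
            }
        });
        return authorizations;
    }

    /**
     * Records the object of one ACL triple under its predicate URI. For acl:agent values the form with
     * the user or group base URI stripped is recorded as well.
     */
    private void addAclValues(Map<String, List<String>> valuesByPredicate, Triple triple) {
        String predicate = triple.getPredicate().getURI();
        List<String> values = valuesByPredicate.computeIfAbsent(predicate, key -> new ArrayList<>());
        nodeToStringStream(triple.getObject()).forEach(values::add);
        if (predicate.equals(URIConstants.WEBAC_AGENT_VALUE)) {
            additionalAgentValues(triple.getObject()).forEach(values::add);
        }
    }

    /** Builds an authorization from predicate-URI-keyed values; predicates that are absent become empty lists. */
    private static WebACAuthorization createAuthorizationFromMap(Map<String, List<String>> map) {
        List<URI> modes = map.getOrDefault(URIConstants.WEBAC_MODE_VALUE, Collections.emptyList()).stream()
                .map(URI::create)
                .collect(Collectors.toList());
        return new WebACAuthorization(
                map.getOrDefault(URIConstants.WEBAC_AGENT_VALUE, Collections.emptyList()),
                map.getOrDefault(URIConstants.WEBAC_AGENT_CLASS_VALUE, Collections.emptyList()),
                modes,
                map.getOrDefault(WEBAC_ACCESS_TO, Collections.emptyList()),
                map.getOrDefault(WEBAC_ACCESS_TO_CLASS, Collections.emptyList()),
                map.getOrDefault(URIConstants.WEBAC_AGENT_GROUP_VALUE, Collections.emptyList()),
                map.getOrDefault(URIConstants.WEBAC_DEFAULT_VALUE, Collections.emptyList()));
    }

    /**
     * Finds the ACL that governs a resource by checking the resource and then each container above it.
     *
     * @param fedoraResource the resource to start from
     * @param ancestorAcl false for the requested resource itself; the recursive call passes true so
     *        that ancestors contribute only authorizations that carry acl:default
     * @return the resource whose ACL applies together with its authorizations, or empty when none exists
     *         or the lookup failed
     */
    Optional<ACLHandle> getEffectiveAcl(FedoraResource fedoraResource, boolean ancestorAcl) {
        try {
            FedoraResource acl = fedoraResource.getAcl();
            if (acl != null) {
                List<WebACAuthorization> authorizations = getAuthorizations(acl, ancestorAcl);
                if (!authorizations.isEmpty()) {
                    return Optional.of(new ACLHandle(fedoraResource, authorizations));
                }
            }

            FedoraResource parent = fedoraResource.getContainer();
            // Binary descriptions and TimeMaps without a container continue from the resource they describe.
            if (parent == null
                    && (fedoraResource instanceof NonRdfSourceDescription || fedoraResource instanceof TimeMap)) {
                FedoraResource describedResource = fedoraResource.getDescribedResource();
                if (!Objects.equals(fedoraResource, describedResource)) {
                    parent = describedResource;
                }
            }
            if (parent == null) {
                LOGGER.debug("No ACLs defined on this node or in parent hierarchy");
                return Optional.empty();
            }
            LOGGER.trace("Checking parent resource for ACL. No ACL found at {}", fedoraResource.getId());
            return getEffectiveAcl(parent, true);
        } catch (RepositoryException e) {
            // NOTE(review): a repository failure is reported exactly like "no ACL defined", so getRoles
            // falls back to the default authorizations. Confirm that fallback is acceptable on error and
            // consider logging above debug level so such failures are visible in production.
            LOGGER.debug("Exception finding effective ACL: {}", e.getMessage(), e);
            return Optional.empty();
        }
    }

    /**
     * Builds the fallback authorization from the default root ACL. Every WebAC statement in that graph
     * is merged into a single authorization, whatever its subject.
     */
    private List<WebACAuthorization> getDefaultAuthorizations() {
        Map<String, List<String>> valuesByPredicate = new HashMap<>();
        FedoraAcl.getDefaultAcl(null, this.authPropsConfig.getRootAuthAclPath())
                .listStatements()
                .mapWith(statement -> statement.asTriple())
                .forEachRemaining(triple -> {
                    if (hasAclPredicate.test(triple)) {
                        addAclValues(valuesByPredicate, triple);
                    }
                });

        List<WebACAuthorization> authorizations = new ArrayList<>();
        authorizations.add(createAuthorizationFromMap(valuesByPredicate));
        return authorizations;
    }

    /**
     * Returns the short form of an agent URI: the remainder after the configured user base URI or,
     * failing that, the group base URI. Yields nothing for non-URI nodes or URIs under neither base.
     */
    private Stream<String> additionalAgentValues(Node node) {
        if (node.isURI()) {
            String uri = node.getURI();
            if (this.userBaseUri != null && uri.startsWith(this.userBaseUri)) {
                return Stream.of(uri.substring(this.userBaseUri.length()));
            }
            if (this.groupBaseUri != null && uri.startsWith(this.groupBaseUri)) {
                return Stream.of(uri.substring(this.groupBaseUri.length()));
            }
        }
        return Stream.empty();
    }

    /** Overrides the user agent base URI that is otherwise read from configuration in {@link #setup()}. */
    public void setUserBaseUri(String str) {
        this.userBaseUri = str;
    }

    /** Overrides the group agent base URI that is otherwise read from configuration in {@link #setup()}. */
    public void setGroupBaseUri(String str) {
        this.groupBaseUri = str;
    }
}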
