package org.fcrepo.auth.webac;

import java.net.URI;
import java.security.Principal;
import java.util.Collection;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import javax.inject.Inject;
import javax.servlet.http.HttpServletRequest;
import org.apache.http.auth.BasicUserPrincipal;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.fcrepo.auth.common.ContainerRolesPrincipalProvider;
import org.fcrepo.auth.common.DelegateHeaderPrincipalProvider;
import org.fcrepo.auth.common.HttpHeaderPrincipalProvider;
import org.fcrepo.auth.common.ServletContainerAuthFilter;
import org.fcrepo.config.FedoraPropsConfig;
import org.fcrepo.http.commons.session.TransactionConstants;
import org.fcrepo.http.commons.session.TransactionProvider;
import org.fcrepo.kernel.api.ContainmentIndex;
import org.fcrepo.kernel.api.Transaction;
import org.fcrepo.kernel.api.TransactionManager;
import org.fcrepo.kernel.api.TransactionUtils;
import org.fcrepo.kernel.api.exception.PathNotFoundException;
import org.fcrepo.kernel.api.exception.RepositoryConfigurationException;
import org.fcrepo.kernel.api.identifiers.FedoraId;
import org.fcrepo.kernel.api.models.FedoraResource;
import org.fcrepo.kernel.api.models.ResourceFactory;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;

/* loaded from: input_file:WEB-INF/lib/fcrepo-auth-webac-6.0.0-beta-1.jar:org/fcrepo/auth/webac/WebACAuthorizingRealm.class */
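/**
 * Shiro realm that turns the principals attached to the current request into WebAC
 * authorization data (roles plus per-URI {@link WebACPermission}s).
 *
 * <p>This realm performs no authentication: {@link #supports(AuthenticationToken)} always
 * returns {@code false} and {@link #doGetAuthenticationInfo(AuthenticationToken)} always
 * returns {@code null}. It only consumes principals that were placed in the
 * {@link PrincipalCollection} by something else.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>A principal holding the admin container role and no delegate header receives the admin
 *       role and nothing else; no ACL lookup is performed for it.</li>
 *   <li>A delegate header is honoured only when the admin container role is present, and exactly
 *       one delegate is accepted.</li>
 *   <li>Permissions granted to {@code foaf:Agent} are always added, including for requests
 *       without a user principal.</li>
 *   <li>When a target resource does not exist, roles are resolved from the container returned by
 *       the containment index.</li>
 * </ul>
 */
public class WebACAuthorizingRealm extends AuthorizingRealm {
    private static final Logger log = LoggerFactory.getLogger(WebACAuthorizingRealm.class);
    private static final ContainerRolesPrincipalProvider.ContainerRolesPrincipal adminPrincipal = new ContainerRolesPrincipalProvider.ContainerRolesPrincipal(ServletContainerAuthFilter.FEDORA_ADMIN_ROLE);
    private static final ContainerRolesPrincipalProvider.ContainerRolesPrincipal userPrincipal = new ContainerRolesPrincipalProvider.ContainerRolesPrincipal(ServletContainerAuthFilter.FEDORA_USER_ROLE);

    /** Name of the request attribute holding the {@code Set<URI>} that must be authorized. */
    public static final String URIS_TO_AUTHORIZE = "URIS_TO_AUTHORIZE";

    @Inject
    private FedoraPropsConfig fedoraPropsConfig;

    @Inject
    private HttpServletRequest request;

    @Inject
    private WebACRolesProvider rolesProvider;

    @Inject
    private TransactionManager transactionManager;

    @Inject
    private ResourceFactory resourceFactory;

    @Autowired
    @Qualifier("containmentIndex")
    private ContainmentIndex containmentIndex;

    /**
     * Resolves the transaction named by the request's atomic-id header.
     *
     * @return the transaction supplied by {@link TransactionProvider}, or {@code null} when the
     *     request carries no atomic-id header
     */
    private Transaction transaction() {
        if (this.request.getHeader(TransactionConstants.ATOMIC_ID_HEADER) == null) {
            return null;
        }
        return new TransactionProvider(this.transactionManager, this.request, WebACFilter.getBaseUri(this.request), this.fedoraPropsConfig.getJmsBaseUrl()).provide();
    }

    /**
     * Builds the roles and WebAC permissions for the principals of the current request.
     *
     * @param principalCollection principals established for the current subject
     * @return authorization info holding the container role (if any) and one
     *     {@link WebACPermission} per (mode, URI) pair granted to the effective agents
     * @throws RepositoryConfigurationException if an admin request carries more than one delegate
     */
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
        final SimpleAuthorizationInfo authorizationInfo = new SimpleAuthorizationInfo();
        final Collection<DelegateHeaderPrincipalProvider.DelegatedHeaderPrincipal> delegates =
                principalCollection.byType(DelegateHeaderPrincipalProvider.DelegatedHeaderPrincipal.class);
        final Collection<ContainerRolesPrincipalProvider.ContainerRolesPrincipal> containerRoles =
                principalCollection.byType(ContainerRolesPrincipalProvider.ContainerRolesPrincipal.class);

        boolean delegating = false;
        if (containerRoles.contains(adminPrincipal)) {
            if (delegates.size() > 1) {
                throw new RepositoryConfigurationException("Too many delegates! " + delegates);
            }
            if (delegates.isEmpty()) {
                // Plain admin: grant the admin role and skip every ACL lookup below.
                authorizationInfo.addRole(ServletContainerAuthFilter.FEDORA_ADMIN_ROLE);
                return authorizationInfo;
            }
            // Admin acting on behalf of exactly one delegate: the request is downgraded to the
            // user role and is evaluated against the delegate's WebAC permissions.
            delegating = true;
            authorizationInfo.addRole(ServletContainerAuthFilter.FEDORA_USER_ROLE);
        } else if (containerRoles.contains(userPrincipal)) {
            authorizationInfo.addRole(ServletContainerAuthFilter.FEDORA_USER_ROLE);
        }

        @SuppressWarnings("unchecked") // the attribute is read back as the Set<URI> it is expected to hold
        final Set<URI> requested = (Set<URI>) this.request.getAttribute(URIS_TO_AUTHORIZE);
        final Set<URI> urisToAuthorize = requested != null ? requested : new HashSet<>();

        final Map<URI, Map<String, Collection<String>>> rolesByUri = new HashMap<>();
        final String servletPrefix = this.request.getContextPath() + this.request.getServletPath();
        for (final URI uri : urisToAuthorize) {
            if (WebACFilter.identifierConverter(this.request).inInternalDomain(uri.toString())) {
                final FedoraId id = FedoraId.create(uri.toString());
                log.debug("Getting roles for id {}", id.getFullId());
                rolesByUri.put(uri, getRolesForId(id));
            } else {
                // NOTE(review): URI.getPath() returns null for opaque URIs, which would raise a
                // NullPointerException on the next line - confirm callers only store
                // hierarchical URIs under URIS_TO_AUTHORIZE.
                String path = uri.getPath();
                if (path.startsWith(servletPrefix)) {
                    // Strip the prefix literally. String.replaceFirst would interpret the
                    // context/servlet path as a regular expression, so a prefix containing
                    // regex metacharacters could be left in place (or fail to compile) and the
                    // ACL lookup would then run against the wrong path.
                    path = path.substring(servletPrefix.length());
                }
                log.debug("Getting roles for path {}", path);
                rolesByUri.put(uri, getRolesForPath(path));
            }
        }

        for (final Object candidate : principalCollection.asList()) {
            log.debug("User has principal with name: {}", ((Principal) candidate).getName());
        }

        final Principal basicUser = principalCollection.oneByType(BasicUserPrincipal.class);
        final Collection<HttpHeaderPrincipalProvider.HttpHeaderPrincipal> headerPrincipals =
                principalCollection.byType(HttpHeaderPrincipalProvider.HttpHeaderPrincipal.class);

        if (delegating) {
            // Reaching this point with delegating == true implies exactly one delegate: zero
            // returned early above and more than one threw.
            final DelegateHeaderPrincipalProvider.DelegatedHeaderPrincipal delegate = delegates.iterator().next();
            log.debug("Admin user is delegating to {}", delegate);
            addPermissions(authorizationInfo, rolesByUri, delegate.getName());
            addPermissions(authorizationInfo, rolesByUri, URIConstants.WEBAC_AUTHENTICATED_AGENT_VALUE);
        } else if (basicUser != null) {
            log.debug("Basic user principal username: {}", basicUser.getName());
            addPermissions(authorizationInfo, rolesByUri, basicUser.getName());
            addPermissions(authorizationInfo, rolesByUri, URIConstants.WEBAC_AUTHENTICATED_AGENT_VALUE);
        } else {
            log.debug("No basic user principal found");
        }

        if (headerPrincipals.isEmpty()) {
            log.debug("No header principals found!");
        }
        headerPrincipals.forEach(headerPrincipal ->
                addPermissions(authorizationInfo, rolesByUri, headerPrincipal.getName()));

        // Permissions granted to foaf:Agent apply to every request, authenticated or not.
        addPermissions(authorizationInfo, rolesByUri, URIConstants.FOAF_AGENT_VALUE);
        return authorizationInfo;
    }

    /**
     * Looks up the agent-to-modes map for a repository path.
     *
     * @param str path with the context and servlet prefix already removed
     * @return the map from {@link #getRolesForId(FedoraId)} for the converted identifier
     */
    private Map<String, Collection<String>> getRolesForPath(String str) {
        return getRolesForId(WebACFilter.identifierConverter(this.request).pathToInternalId(str));
    }

    /**
     * Looks up the agent-to-modes map for an identifier, falling back to its container when the
     * resource itself does not exist.
     *
     * @param fedoraId identifier of the resource being authorized
     * @return the map supplied by the roles provider, or {@code null} when neither the resource
     *     nor a container could be loaded
     */
    private Map<String, Collection<String>> getRolesForId(FedoraId fedoraId) {
        final FedoraResource resource = getResourceOrParentFromPath(fedoraId);
        if (resource == null) {
            return null;
        }
        return this.rolesProvider.getRoles(resource, transaction());
    }

    /**
     * Adds one {@link WebACPermission} for every mode the given agent holds on every URI.
     *
     * @param simpleAuthorizationInfo authorization info to add the permissions to
     * @param map per-URI agent-to-modes maps; a {@code null} map or {@code null} entry is skipped
     * @param str agent name whose modes are looked up
     */
    private void addPermissions(SimpleAuthorizationInfo simpleAuthorizationInfo, Map<URI, Map<String, Collection<String>>> map, String str) {
        if (map == null) {
            return;
        }
        for (final Map.Entry<URI, Map<String, Collection<String>>> entry : map.entrySet()) {
            final URI uri = entry.getKey();
            log.debug("Adding permissions gathered for URI {}", uri);
            final Map<String, Collection<String>> modesByAgent = entry.getValue();
            if (modesByAgent == null) {
                // No roles could be resolved for this URI, so nothing is granted on it.
                continue;
            }
            final Collection<String> modes = modesByAgent.get(str);
            if (modes == null) {
                continue;
            }
            for (final String mode : modes) {
                final WebACPermission permission = new WebACPermission(URI.create(mode), uri);
                simpleAuthorizationInfo.addObjectPermission(permission);
                log.debug("Added permission {}", permission);
            }
        }
    }

    /**
     * Always returns {@code null}; this realm does not authenticate.
     *
     * @param authenticationToken ignored
     * @return {@code null}
     */
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
        return null;
    }

    /**
     * Always returns {@code false}; this realm accepts no authentication token.
     *
     * @param authenticationToken ignored
     * @return {@code false}
     */
    @Override
    public boolean supports(AuthenticationToken authenticationToken) {
        return false;
    }

    /**
     * Loads the resource for an identifier, or the container reported by the containment index
     * when the resource does not exist.
     *
     * @param fedoraId identifier of the resource being authorized
     * @return the resource, its container, or {@code null} when the container lookup also fails
     */
    private FedoraResource getResourceOrParentFromPath(FedoraId fedoraId) {
        try {
            log.debug("Testing FedoraResource for {}", fedoraId.getFullIdPath());
            return this.resourceFactory.getResource(transaction(), fedoraId);
        } catch (PathNotFoundException e) {
            log.debug("Resource {} not found getting container", fedoraId.getFullIdPath());
            // NOTE(review): if the containment index can return null here, the getFullIdPath()
            // call below throws a NullPointerException - confirm its contract.
            FedoraId containerIdByPath = this.containmentIndex.getContainerIdByPath(TransactionUtils.openTxId(transaction()), fedoraId, false);
            log.debug("Attempting to get FedoraResource for {}", fedoraId.getFullIdPath());
            try {
                // This message is logged before the lookup, so it does not prove that the
                // container was actually loaded.
                log.debug("Got FedoraResource for {}", containerIdByPath.getFullIdPath());
                return this.resourceFactory.getResource(transaction(), containerIdByPath);
            } catch (PathNotFoundException e2) {
                log.debug("Path {} does not exist, but we should never end up here.", containerIdByPath.getFullIdPath());
                return null;
            }
        }
    }
}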
