package org.fcrepo.auth.webac;

import com.fasterxml.jackson.core.JsonParseException;
import java.io.IOException;
import java.io.InputStream;
import java.io.PrintWriter;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.security.Principal;
import java.util.Arrays;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import javax.inject.Inject;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.ws.rs.BadRequestException;
import javax.ws.rs.core.Link;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.UriBuilder;
import org.apache.commons.io.IOUtils;
import org.apache.jena.atlas.RuntimeIOException;
import org.apache.jena.query.QueryParseException;
import org.apache.jena.rdf.model.Model;
import org.apache.jena.rdf.model.ModelFactory;
import org.apache.jena.rdf.model.Resource;
import org.apache.jena.rdf.model.Statement;
import org.apache.jena.riot.Lang;
import org.apache.jena.riot.RDFLanguages;
import org.apache.jena.riot.RiotException;
import org.apache.jena.riot.WebContent;
import org.apache.jena.sparql.modify.request.UpdateData;
import org.apache.jena.sparql.modify.request.UpdateDataDelete;
import org.apache.jena.sparql.modify.request.UpdateModify;
import org.apache.jena.update.UpdateFactory;
import org.apache.jena.update.UpdateRequest;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.SimplePrincipalCollection;
import org.apache.shiro.subject.Subject;
import org.fcrepo.auth.common.ServletContainerAuthFilter;
import org.fcrepo.config.FedoraPropsConfig;
import org.fcrepo.http.commons.api.rdf.HttpIdentifierConverter;
import org.fcrepo.http.commons.domain.MultiPrefer;
import org.fcrepo.http.commons.domain.RDFMediaType;
import org.fcrepo.http.commons.domain.SinglePrefer;
import org.fcrepo.http.commons.domain.ldp.LdpPreferTag;
import org.fcrepo.http.commons.session.TransactionConstants;
import org.fcrepo.http.commons.session.TransactionProvider;
import org.fcrepo.kernel.api.FedoraTypes;
import org.fcrepo.kernel.api.RdfLexicon;
import org.fcrepo.kernel.api.Transaction;
import org.fcrepo.kernel.api.TransactionManager;
import org.fcrepo.kernel.api.TransactionUtils;
import org.fcrepo.kernel.api.exception.InvalidResourceIdentifierException;
import org.fcrepo.kernel.api.exception.MalformedRdfException;
import org.fcrepo.kernel.api.exception.PathNotFoundException;
import org.fcrepo.kernel.api.exception.RepositoryRuntimeException;
import org.fcrepo.kernel.api.exception.TransactionRuntimeException;
import org.fcrepo.kernel.api.identifiers.FedoraId;
import org.fcrepo.kernel.api.models.FedoraResource;
import org.fcrepo.kernel.api.models.ResourceFactory;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.web.filter.RequestContextFilter;

/* loaded from: input_file:WEB-INF/lib/fcrepo-auth-webac-6.0.0-beta-1.jar:org/fcrepo/auth/webac/WebACFilter.class */
public class WebACFilter extends RequestContextFilter {
    private static Subject FOAF_AGENT_SUBJECT;

    @Inject
    private FedoraPropsConfig fedoraPropsConfig;

    @Inject
    private ResourceFactory resourceFactory;

    @Inject
    private TransactionManager transactionManager;
    private static final Logger log = LoggerFactory.getLogger((Class<?>) WebACFilter.class);
    private static final MediaType sparqlUpdate = MediaType.valueOf(WebContent.contentTypeSPARQLUpdate);
    private static final Principal FOAF_AGENT_PRINCIPAL = new Principal() { // from class: org.fcrepo.auth.webac.WebACFilter.1
        @Override // java.security.Principal
        public String getName() {
            return URIConstants.FOAF_AGENT_VALUE;
        }

        @Override // java.security.Principal
        public String toString() {
            return getName();
        }
    };
    private static final PrincipalCollection FOAF_AGENT_PRINCIPAL_COLLECTION = new SimplePrincipalCollection(FOAF_AGENT_PRINCIPAL, WebACAuthorizingRealm.class.getCanonicalName());
    private static Set<URI> directOrIndirect = (Set) Set.of(RdfLexicon.INDIRECT_CONTAINER, RdfLexicon.DIRECT_CONTAINER).stream().map((v0) -> {
        return v0.toString();
    }).map(URI::create).collect(Collectors.toSet());
    private static Set<String> rdfContentTypes = Set.of("text/turtle", "application/ld+json", "text/rdf+n3", "application/rdf+xml", "application/n-triples");

    public static HttpIdentifierConverter identifierConverter(HttpServletRequest httpServletRequest) {
        return new HttpIdentifierConverter(UriBuilder.fromUri(getBaseUri(httpServletRequest)).path("/{path: .*}"));
    }

    public static URI getBaseUri(HttpServletRequest httpServletRequest) {
        String str = httpServletRequest.getScheme() + "://" + httpServletRequest.getServerName() + (httpServletRequest.getServerPort() != 80 ? ":" + httpServletRequest.getServerPort() : "") + "/";
        String stringBuffer = httpServletRequest.getRequestURL().toString();
        String str2 = httpServletRequest.getContextPath() + httpServletRequest.getServletPath();
        return URI.create(str2.length() == 0 ? str : stringBuffer.split(str2)[0] + str2 + "/");
    }

    private void addURIToAuthorize(HttpServletRequest httpServletRequest, URI uri) {
        Set set = (Set) httpServletRequest.getAttribute(WebACAuthorizingRealm.URIS_TO_AUTHORIZE);
        if (set == null) {
            set = new HashSet();
            httpServletRequest.setAttribute(WebACAuthorizingRealm.URIS_TO_AUTHORIZE, set);
        }
        set.add(uri);
    }

    @Override // org.springframework.web.filter.RequestContextFilter, org.springframework.web.filter.OncePerRequestFilter
    protected void doFilterInternal(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain) throws ServletException, IOException {
        try {
            transaction(httpServletRequest);
            Subject subject = SecurityUtils.getSubject();
            HttpServletRequest httpServletRequest2 = httpServletRequest;
            if (isSparqlUpdate(httpServletRequest2) || isRdfRequest(httpServletRequest2)) {
                httpServletRequest2 = new CachedHttpRequest(httpServletRequest2);
            }
            String stringBuffer = httpServletRequest2.getRequestURL().toString();
            try {
                FedoraId.create(identifierConverter(httpServletRequest2).toInternalId(stringBuffer));
            } catch (IllegalArgumentException e) {
            } catch (InvalidResourceIdentifierException e2) {
                printException(httpServletResponse, 400, e2);
                return;
            }
            addURIToAuthorize(httpServletRequest2, URI.create(stringBuffer));
            if (subject.isAuthenticated()) {
                log.debug("User is authenticated");
                if (subject.hasRole(ServletContainerAuthFilter.FEDORA_ADMIN_ROLE)) {
                    log.debug("User has fedoraAdmin role");
                } else if (!subject.hasRole(ServletContainerAuthFilter.FEDORA_USER_ROLE)) {
                    log.debug("User has no recognized servlet container role");
                    httpServletResponse.sendError(403);
                    return;
                } else {
                    log.debug("User has fedoraUser role");
                    if (!isAuthorized(subject, httpServletRequest2)) {
                        httpServletResponse.sendError(403);
                        return;
                    }
                }
            } else {
                log.debug("User is NOT authenticated");
                if (!isAuthorized(getFoafAgentSubject(), httpServletRequest2)) {
                    httpServletResponse.sendError(403);
                    return;
                }
            }
            filterChain.doFilter(httpServletRequest2, httpServletResponse);
        } catch (TransactionRuntimeException e3) {
            printException(httpServletResponse, 409, e3);
        }
    }

    private void printException(HttpServletResponse httpServletResponse, int i, Throwable th) throws IOException {
        String message = th.getMessage();
        httpServletResponse.resetBuffer();
        httpServletResponse.setStatus(i);
        httpServletResponse.setContentType(RDFMediaType.TEXT_PLAIN_WITH_CHARSET);
        httpServletResponse.setContentLength(message.length());
        httpServletResponse.setCharacterEncoding("UTF-8");
        PrintWriter writer = httpServletResponse.getWriter();
        writer.write(message);
        writer.flush();
    }

    private Subject getFoafAgentSubject() {
        if (FOAF_AGENT_SUBJECT == null) {
            FOAF_AGENT_SUBJECT = new Subject.Builder().principals(FOAF_AGENT_PRINCIPAL_COLLECTION).buildSubject();
        }
        return FOAF_AGENT_SUBJECT;
    }

    private Transaction transaction(HttpServletRequest httpServletRequest) {
        if (httpServletRequest.getHeader(TransactionConstants.ATOMIC_ID_HEADER) == null) {
            return null;
        }
        return new TransactionProvider(this.transactionManager, httpServletRequest, getBaseUri(httpServletRequest), this.fedoraPropsConfig.getJmsBaseUrl()).provide();
    }

    private String getContainerUrl(HttpServletRequest httpServletRequest) {
        String pathInfo = httpServletRequest.getPathInfo();
        String replace = httpServletRequest.getRequestURL().toString().replace(pathInfo, "");
        String[] split = pathInfo.split("/");
        return replace + String.join("/", (String[]) Arrays.copyOfRange(split, 0, split.length - 1));
    }

    private FedoraResource getContainer(HttpServletRequest httpServletRequest) {
        return resource(httpServletRequest) != null ? resource(httpServletRequest).getContainer() : resource(httpServletRequest, getIdFromRequest(httpServletRequest, getContainerUrl(httpServletRequest)));
    }

    private FedoraResource resource(HttpServletRequest httpServletRequest) {
        return resource(httpServletRequest, getIdFromRequest(httpServletRequest));
    }

    private FedoraResource resource(HttpServletRequest httpServletRequest, FedoraId fedoraId) {
        try {
            return this.resourceFactory.getResource(transaction(httpServletRequest), fedoraId);
        } catch (PathNotFoundException e) {
            return null;
        }
    }

    private FedoraId getIdFromRequest(HttpServletRequest httpServletRequest) {
        return getIdFromRequest(httpServletRequest, httpServletRequest.getRequestURL().toString());
    }

    private FedoraId getIdFromRequest(HttpServletRequest httpServletRequest, String str) {
        return FedoraId.create(identifierConverter(httpServletRequest).toInternalId(str));
    }

    private boolean isAuthorized(Subject subject, HttpServletRequest httpServletRequest) throws IOException {
        String stringBuffer = httpServletRequest.getRequestURL().toString();
        boolean endsWith = stringBuffer.endsWith("fcr:acl");
        boolean z = stringBuffer.endsWith(FedoraTypes.FCR_TX) || stringBuffer.endsWith(TransactionConstants.TX_PREFIX);
        URI create = URI.create(stringBuffer);
        log.debug("Request URI is {}", create);
        FedoraResource resource = resource(httpServletRequest);
        FedoraResource container = getContainer(httpServletRequest);
        WebACPermission webACPermission = new WebACPermission(URIConstants.WEBAC_MODE_READ, create);
        WebACPermission webACPermission2 = new WebACPermission(URIConstants.WEBAC_MODE_WRITE, create);
        WebACPermission webACPermission3 = new WebACPermission(URIConstants.WEBAC_MODE_APPEND, create);
        WebACPermission webACPermission4 = new WebACPermission(URIConstants.WEBAC_MODE_CONTROL, create);
        String method = httpServletRequest.getMethod();
        boolean z2 = -1;
        switch (method.hashCode()) {
            case -531492226:
                if (method.equals("OPTIONS")) {
                    z2 = false;
                    break;
                }
                break;
            case 70454:
                if (method.equals("GET")) {
                    z2 = 2;
                    break;
                }
                break;
            case 79599:
                if (method.equals("PUT")) {
                    z2 = 3;
                    break;
                }
                break;
            case 2213344:
                if (method.equals("HEAD")) {
                    z2 = true;
                    break;
                }
                break;
            case 2461856:
                if (method.equals("POST")) {
                    z2 = 4;
                    break;
                }
                break;
            case 75900968:
                if (method.equals("PATCH")) {
                    z2 = 6;
                    break;
                }
                break;
            case 2012838315:
                if (method.equals("DELETE")) {
                    z2 = 5;
                    break;
                }
                break;
        }
        switch (z2) {
            case false:
            case true:
            case true:
                if (endsWith) {
                    if (subject.isPermitted(webACPermission4)) {
                        log.debug("GET allowed by {} permission", webACPermission4);
                        return true;
                    }
                    log.debug("GET prohibited without {} permission", webACPermission4);
                    return false;
                }
                if (!subject.isPermitted(webACPermission)) {
                    return false;
                }
                if (isAuthorizedForEmbeddedRequest(httpServletRequest, subject, resource)) {
                    return true;
                }
                log.debug("GET/HEAD/OPTIONS request to {} denied, user {} not authorized for an embedded resource", stringBuffer, subject.toString());
                return false;
            case true:
                if (endsWith) {
                    if (subject.isPermitted(webACPermission4)) {
                        log.debug("PUT allowed by {} permission", webACPermission4);
                        return true;
                    }
                    log.debug("PUT prohibited without {} permission", webACPermission4);
                    return false;
                }
                if (subject.isPermitted(webACPermission2)) {
                    if (isAuthorizedForMembershipResource(httpServletRequest, subject, resource, container)) {
                        log.debug("PUT allowed by {} permission", webACPermission2);
                        return true;
                    }
                    log.debug("PUT denied, not authorized to write to membershipRelation");
                    return false;
                }
                if (resource != null) {
                    log.debug("PUT prohibited to existing resource without {} permission", webACPermission2);
                    return false;
                }
                log.debug("Resource doesn't exist; checking parent resources for acl:Append permission");
                if (!subject.isPermitted(webACPermission3)) {
                    log.debug("PUT prohibited for new resource without inherited {} permission", webACPermission3);
                    return false;
                }
                if (isAuthorizedForMembershipResource(httpServletRequest, subject, resource, container)) {
                    log.debug("PUT allowed for new resource by inherited {} permission", webACPermission3);
                    return true;
                }
                log.debug("PUT denied, not authorized to write to membershipRelation");
                return false;
            case true:
                if (z && subject.isAuthenticated()) {
                    log.debug("POST allowed to transaction endpoint for authenticated user {}", ((Principal) subject.getPrincipal()).getName());
                    return true;
                }
                if (subject.isPermitted(webACPermission2)) {
                    if (isAuthorizedForMembershipResource(httpServletRequest, subject, resource, container)) {
                        log.debug("POST allowed by {} permission", webACPermission2);
                        return true;
                    }
                    log.debug("POST denied, not authorized to write to membershipRelation");
                    return false;
                }
                if (resource == null) {
                    log.debug("POST prohibited to non-existent resource without {} permission", webACPermission2);
                    return false;
                }
                if (isBinaryOrDescription(resource)) {
                    log.debug("POST prohibited to binary resource without {} permission", webACPermission2);
                    return false;
                }
                if (!subject.isPermitted(webACPermission3)) {
                    log.debug("POST prohibited to container without {} permission", webACPermission3);
                    return false;
                }
                if (isAuthorizedForMembershipResource(httpServletRequest, subject, resource, container)) {
                    log.debug("POST allowed to container by {} permission", webACPermission3);
                    return true;
                }
                log.debug("POST denied, not authorized to write to membershipRelation");
                return false;
            case true:
                if (endsWith) {
                    if (subject.isPermitted(webACPermission4)) {
                        log.debug("DELETE allowed by {} permission", webACPermission4);
                        return true;
                    }
                    log.debug("DELETE prohibited without {} permission", webACPermission4);
                    return false;
                }
                if (!isAuthorizedForMembershipResource(httpServletRequest, subject, resource, container)) {
                    log.debug("DELETE denied, not authorized to write to membershipRelation");
                    return false;
                }
                if (!subject.isPermitted(webACPermission2)) {
                    return false;
                }
                if (isAuthorizedForContainedResources(resource, URIConstants.WEBAC_MODE_WRITE, httpServletRequest, subject, true)) {
                    return true;
                }
                log.debug("DELETE denied, not authorized to write to a descendant of {}", resource);
                return false;
            case true:
                if (endsWith) {
                    if (subject.isPermitted(webACPermission4)) {
                        log.debug("PATCH allowed by {} permission", webACPermission4);
                        return true;
                    }
                    log.debug("PATCH prohibited without {} permission", webACPermission4);
                    return false;
                }
                if (subject.isPermitted(webACPermission2)) {
                    if (isAuthorizedForMembershipResource(httpServletRequest, subject, resource, container)) {
                        return true;
                    }
                    log.debug("PATCH denied, not authorized to write to membershipRelation");
                    return false;
                }
                if (!subject.isPermitted(webACPermission3)) {
                    return false;
                }
                if (isAuthorizedForMembershipResource(httpServletRequest, subject, resource, container)) {
                    return isPatchContentPermitted(httpServletRequest);
                }
                log.debug("PATCH denied, not authorized to write to membershipRelation");
                return false;
            default:
                return false;
        }
    }

    private boolean isPatchContentPermitted(HttpServletRequest httpServletRequest) throws IOException {
        if (!isSparqlUpdate(httpServletRequest)) {
            log.debug("Cannot verify authorization on NON-SPARQL Patch request.");
            return false;
        }
        if (httpServletRequest.getInputStream() == null) {
            log.debug("Authorizing SPARQL request with no content.");
            return true;
        }
        boolean z = false;
        try {
            z = !hasDeleteClause(IOUtils.toString((InputStream) httpServletRequest.getInputStream(), StandardCharsets.UTF_8));
        } catch (QueryParseException e) {
            log.error("Cannot verify authorization! Exception while inspecting SPARQL query!", (Throwable) e);
        }
        return z;
    }

    private boolean hasDeleteClause(String str) {
        UpdateRequest create = UpdateFactory.create(str);
        return create.getOperations().stream().filter(update -> {
            return update instanceof UpdateDataDelete;
        }).map(update2 -> {
            return (UpdateDataDelete) update2;
        }).anyMatch(updateDataDelete -> {
            return updateDataDelete.getQuads().size() > 0;
        }) || create.getOperations().stream().filter(update3 -> {
            return update3 instanceof UpdateModify;
        }).peek(update4 -> {
            log.debug("Inspecting update statement for DELETE clause: {}", update4.toString());
        }).map(update5 -> {
            return (UpdateModify) update5;
        }).filter((v0) -> {
            return v0.hasDeleteClause();
        }).anyMatch(updateModify -> {
            return updateModify.getDeleteQuads().size() > 0;
        });
    }

    private boolean isSparqlUpdate(HttpServletRequest httpServletRequest) {
        try {
            if (httpServletRequest.getMethod().equals("PATCH")) {
                if (sparqlUpdate.isCompatible(MediaType.valueOf(httpServletRequest.getContentType()))) {
                    return true;
                }
            }
            return false;
        } catch (IllegalArgumentException e) {
            return false;
        }
    }

    private boolean isRdfRequest(HttpServletRequest httpServletRequest) {
        return httpServletRequest.getContentType() != null && rdfContentTypes.contains(httpServletRequest.getContentType());
    }

    private boolean isPayloadIndirectOrDirect(HttpServletRequest httpServletRequest) {
        return Collections.list(httpServletRequest.getHeaders("Link")).stream().map(Link::valueOf).map((v0) -> {
            return v0.getUri();
        }).anyMatch(uri -> {
            return directOrIndirect.contains(uri);
        });
    }

    private boolean isResourceIndirectOrDirect(FedoraResource fedoraResource) {
        return fedoraResource != null && fedoraResource.getTypes().stream().anyMatch(uri -> {
            return directOrIndirect.contains(uri);
        });
    }

    private boolean isAuthorizedForMembershipResource(HttpServletRequest httpServletRequest, Subject subject, FedoraResource fedoraResource, FedoraResource fedoraResource2) throws IOException {
        URI hasMemberFromRequest;
        if (fedoraResource == null || !httpServletRequest.getMethod().equalsIgnoreCase("POST")) {
            if (httpServletRequest.getMethod().equalsIgnoreCase("PUT")) {
                if (isResourceIndirectOrDirect(fedoraResource2)) {
                    URI hasMemberFromResource = getHasMemberFromResource(httpServletRequest, fedoraResource2);
                    addURIToAuthorize(httpServletRequest, hasMemberFromResource);
                    if (!subject.isPermitted(new WebACPermission(URIConstants.WEBAC_MODE_WRITE, hasMemberFromResource))) {
                        return false;
                    }
                }
            } else if (isSparqlUpdate(httpServletRequest) && isResourceIndirectOrDirect(fedoraResource)) {
                URI hasMemberFromPatch = getHasMemberFromPatch(httpServletRequest);
                if (hasMemberFromPatch != null) {
                    log.debug("Found membership resource: {}", hasMemberFromPatch);
                    addURIToAuthorize(httpServletRequest, hasMemberFromPatch);
                    if (!subject.isPermitted(new WebACPermission(URIConstants.WEBAC_MODE_WRITE, hasMemberFromPatch))) {
                        return false;
                    }
                }
            } else if (httpServletRequest.getMethod().equalsIgnoreCase("DELETE")) {
                if (isResourceIndirectOrDirect(fedoraResource)) {
                    URI hasMemberFromResource2 = getHasMemberFromResource(httpServletRequest);
                    addURIToAuthorize(httpServletRequest, hasMemberFromResource2);
                    if (!subject.isPermitted(new WebACPermission(URIConstants.WEBAC_MODE_WRITE, hasMemberFromResource2))) {
                        return false;
                    }
                } else if (isResourceIndirectOrDirect(fedoraResource2)) {
                    URI hasMemberFromResource3 = getHasMemberFromResource(httpServletRequest, fedoraResource2);
                    addURIToAuthorize(httpServletRequest, hasMemberFromResource3);
                    if (!subject.isPermitted(new WebACPermission(URIConstants.WEBAC_MODE_WRITE, hasMemberFromResource3))) {
                        return false;
                    }
                }
            }
        } else if (isResourceIndirectOrDirect(fedoraResource)) {
            URI hasMemberFromResource4 = getHasMemberFromResource(httpServletRequest);
            addURIToAuthorize(httpServletRequest, hasMemberFromResource4);
            if (!subject.isPermitted(new WebACPermission(URIConstants.WEBAC_MODE_WRITE, hasMemberFromResource4))) {
                return false;
            }
        }
        if (!isPayloadIndirectOrDirect(httpServletRequest) || (hasMemberFromRequest = getHasMemberFromRequest(httpServletRequest)) == null) {
            return true;
        }
        log.debug("Found membership resource: {}", hasMemberFromRequest);
        addURIToAuthorize(httpServletRequest, hasMemberFromRequest);
        return subject.isPermitted(new WebACPermission(URIConstants.WEBAC_MODE_WRITE, hasMemberFromRequest));
    }

    private URI getHasMemberFromRequest(HttpServletRequest httpServletRequest) throws IOException {
        String stringBuffer = httpServletRequest.getRequestURL().toString();
        Lang contentTypeToLang = RDFLanguages.contentTypeToLang(httpServletRequest.getContentType());
        try {
            Model createDefaultModel = ModelFactory.createDefaultModel();
            createDefaultModel.getReader(contentTypeToLang.getName().toUpperCase()).read(createDefaultModel, (InputStream) httpServletRequest.getInputStream(), stringBuffer);
            Statement property = createDefaultModel.getProperty((Resource) null, RdfLexicon.MEMBERSHIP_RESOURCE);
            if (property != null) {
                return URI.create(property.getObject().toString());
            }
            return null;
        } catch (RuntimeIOException e) {
            if (!(e.getCause() instanceof JsonParseException)) {
                throw new RepositoryRuntimeException(e.getMessage(), e);
            }
            Throwable cause = e.getCause();
            throw new MalformedRdfException(cause.getMessage(), cause);
        } catch (RiotException e2) {
            throw new BadRequestException("RDF was not parsable: " + e2.getMessage(), e2);
        }
    }

    private URI getHasMemberFromPatch(HttpServletRequest httpServletRequest) throws IOException {
        String iOUtils = IOUtils.toString((InputStream) httpServletRequest.getInputStream(), StandardCharsets.UTF_8);
        String replaceAll = httpServletRequest.getRequestURL().toString().replace(httpServletRequest.getContextPath(), "").replaceAll(httpServletRequest.getPathInfo(), "").replaceAll("rest$", "");
        UpdateRequest create = UpdateFactory.create(iOUtils);
        Stream flatMap = create.getOperations().stream().filter(update -> {
            return update instanceof UpdateData;
        }).map(update2 -> {
            return (UpdateData) update2;
        }).flatMap(updateData -> {
            return updateData.getQuads().stream();
        });
        List list = (List) create.getOperations().stream().filter(update3 -> {
            return update3 instanceof UpdateModify;
        }).peek(update4 -> {
            log.debug("Inspecting update statement for DELETE clause: {}", update4.toString());
        }).map(update5 -> {
            return (UpdateModify) update5;
        }).collect(Collectors.toList());
        Stream flatMap2 = list.stream().flatMap(updateModify -> {
            return updateModify.getInsertQuads().stream();
        });
        return (URI) Stream.concat(Stream.concat(flatMap, flatMap2), list.stream().flatMap(updateModify2 -> {
            return updateModify2.getDeleteQuads().stream();
        })).filter(quad -> {
            return quad.getPredicate().equals(RdfLexicon.MEMBERSHIP_RESOURCE.asNode()) && quad.getObject().isURI();
        }).map(quad2 -> {
            return quad2.getObject().getURI();
        }).map(str -> {
            return str.replace("file:///", replaceAll);
        }).findFirst().map(URI::create).orElse(null);
    }

    private URI getHasMemberFromResource(HttpServletRequest httpServletRequest) {
        return getHasMemberFromResource(httpServletRequest, resource(httpServletRequest));
    }

    private URI getHasMemberFromResource(HttpServletRequest httpServletRequest, FedoraResource fedoraResource) {
        return (URI) fedoraResource.getTriples().filter(triple -> {
            return triple.getPredicate().equals(RdfLexicon.MEMBERSHIP_RESOURCE.asNode()) && triple.getObject().isURI();
        }).map((v0) -> {
            return v0.getObject();
        }).map((v0) -> {
            return v0.getURI();
        }).findFirst().map(URI::create).orElse(null);
    }

    private static boolean isBinaryOrDescription(FedoraResource fedoraResource) {
        return fedoraResource.getTypes().stream().map((v0) -> {
            return v0.toString();
        }).anyMatch(str -> {
            return str.equals(RdfLexicon.NON_RDF_SOURCE.toString()) || str.equals(RdfLexicon.FEDORA_NON_RDF_SOURCE_DESCRIPTION_URI);
        });
    }

    private static boolean isEmbeddedRequest(HttpServletRequest httpServletRequest) {
        Enumeration headers = httpServletRequest.getHeaders("Prefer");
        HashSet hashSet = new HashSet();
        while (headers.hasMoreElements()) {
            hashSet.add(new SinglePrefer((String) headers.nextElement()));
        }
        MultiPrefer multiPrefer = new MultiPrefer(hashSet);
        if (multiPrefer.hasReturn().booleanValue()) {
            return new LdpPreferTag(multiPrefer.getReturn()).displayEmbed();
        }
        return false;
    }

    private boolean isAuthorizedForEmbeddedRequest(HttpServletRequest httpServletRequest, Subject subject, FedoraResource fedoraResource) {
        if (isEmbeddedRequest(httpServletRequest)) {
            return isAuthorizedForContainedResources(fedoraResource, URIConstants.WEBAC_MODE_READ, httpServletRequest, subject, false);
        }
        return true;
    }

    private boolean isAuthorizedForContainedResources(FedoraResource fedoraResource, URI uri, HttpServletRequest httpServletRequest, Subject subject, boolean z) {
        if (isBinaryOrDescription(fedoraResource)) {
            return true;
        }
        return this.resourceFactory.getChildren(TransactionUtils.openTxId(transaction(httpServletRequest)), fedoraResource.getFedoraId()).noneMatch(fedoraResource2 -> {
            URI create = URI.create(fedoraResource2.getFedoraId().getFullId());
            log.debug("Found embedded resource: {}", fedoraResource2);
            addURIToAuthorize(httpServletRequest, create);
            if (subject.isPermitted(new WebACPermission(uri, create))) {
                return z && !isAuthorizedForContainedResources(fedoraResource2, uri, httpServletRequest, subject, z);
            }
            log.debug("Failed to access embedded resource: {}", create);
            return true;
        });
    }
}
