package org.trellisldp.webac;

import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Objects;
import java.util.Set;
import java.util.function.Predicate;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import javax.annotation.Priority;
import javax.inject.Inject;
import javax.ws.rs.ForbiddenException;
import javax.ws.rs.NotAuthorizedException;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.ContainerResponseContext;
import javax.ws.rs.container.ContainerResponseFilter;
import javax.ws.rs.core.Link;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriBuilder;
import javax.ws.rs.ext.Provider;
import org.apache.commons.rdf.api.IRI;
import org.apache.commons.rdf.api.RDF;
import org.eclipse.microprofile.config.Config;
import org.eclipse.microprofile.config.ConfigProvider;
import org.eclipse.microprofile.metrics.annotation.Timed;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.trellisldp.api.RDFFactory;
import org.trellisldp.api.Session;
import org.trellisldp.api.TrellisUtils;
import org.trellisldp.http.core.HttpSession;
import org.trellisldp.http.core.Prefer;
import org.trellisldp.http.core.TrellisRequest;
import org.trellisldp.vocabulary.ACL;
import org.trellisldp.vocabulary.Trellis;

@Provider
@Priority(2000)
/* loaded from: input_file:org/trellisldp/webac/WebAcFilter.class */
public class WebAcFilter implements ContainerRequestFilter, ContainerResponseFilter {
    public static final String CONFIG_WEBAC_CHALLENGES = "trellis.webac.challenges";
    public static final String CONFIG_WEBAC_READABLE_METHODS = "trellis.webac.readable-methods";
    public static final String CONFIG_WEBAC_WRITABLE_METHODS = "trellis.webac.writable-methods";
    public static final String CONFIG_WEBAC_APPENDABLE_METHODS = "trellis.webac.appendable-methods";
    public static final String CONFIG_WEBAC_REALM = "trellis.webac.realm";
    public static final String CONFIG_WEBAC_SCOPE = "trellis.webac.scope";
    public static final String CONFIG_WEBAC_ENABED = "trellis.webac.enabled";
    public static final String SESSION_WEBAC_MODES = "trellis.webac.session-modes";
    private static final String SLASH = "/";
    private WebAcService accessService;
    private List<String> challenges;
    private String baseUrl;
    private final boolean enabled;
    private static final Logger LOGGER = LoggerFactory.getLogger(WebAcFilter.class);
    private static final Set<String> readable = new HashSet(Arrays.asList("GET", "HEAD", "OPTIONS"));
    private static final Set<String> writable = new HashSet(Arrays.asList("PUT", "PATCH", "DELETE"));
    private static final Set<String> appendable = new HashSet(Collections.singletonList("POST"));
    private static final RDF rdf = RDFFactory.getInstance();

    public WebAcFilter() {
        Config config = ConfigProvider.getConfig();
        String str = (String) config.getOptionalValue(CONFIG_WEBAC_REALM, String.class).orElse("trellis");
        String str2 = (String) config.getOptionalValue(CONFIG_WEBAC_SCOPE, String.class).orElse("");
        this.challenges = (List) Arrays.stream(((String) config.getOptionalValue(CONFIG_WEBAC_CHALLENGES, String.class).orElse("")).split(",")).map((v0) -> {
            return v0.trim();
        }).map(str3 -> {
            return buildChallenge(str3, str, str2);
        }).collect(Collectors.toList());
        this.baseUrl = (String) config.getOptionalValue("trellis.http.base-url", String.class).orElse(null);
        this.enabled = ((Boolean) config.getOptionalValue(CONFIG_WEBAC_ENABED, Boolean.class).orElse(Boolean.TRUE)).booleanValue();
        config.getOptionalValue(CONFIG_WEBAC_READABLE_METHODS, String.class).ifPresent(str4 -> {
            Stream map = Arrays.stream(str4.split(",")).map((v0) -> {
                return v0.trim();
            }).map((v0) -> {
                return v0.toUpperCase();
            });
            Set<String> set = readable;
            set.getClass();
            map.forEach((v1) -> {
                r1.add(v1);
            });
        });
        config.getOptionalValue(CONFIG_WEBAC_WRITABLE_METHODS, String.class).ifPresent(str5 -> {
            Stream map = Arrays.stream(str5.split(",")).map((v0) -> {
                return v0.trim();
            }).map((v0) -> {
                return v0.toUpperCase();
            });
            Set<String> set = writable;
            set.getClass();
            map.forEach((v1) -> {
                r1.add(v1);
            });
        });
        config.getOptionalValue(CONFIG_WEBAC_APPENDABLE_METHODS, String.class).ifPresent(str6 -> {
            Stream map = Arrays.stream(str6.split(",")).map((v0) -> {
                return v0.trim();
            }).map((v0) -> {
                return v0.toUpperCase();
            });
            Set<String> set = appendable;
            set.getClass();
            map.forEach((v1) -> {
                r1.add(v1);
            });
        });
    }

    @Inject
    public void setAccessService(WebAcService webAcService) {
        this.accessService = (WebAcService) Objects.requireNonNull(webAcService, "Access service may not be null!");
    }

    public void setChallenges(List<String> list) {
        this.challenges = (List) Objects.requireNonNull(list, "Challenges may not be null!");
    }

    public void setBaseUrl(String str) {
        this.baseUrl = str;
    }

    @Timed
    public void filter(ContainerRequestContext containerRequestContext) {
        if (this.enabled) {
            String path = containerRequestContext.getUriInfo().getPath();
            Session buildSession = buildSession(containerRequestContext, this.baseUrl);
            String method = containerRequestContext.getMethod();
            AuthorizedModes authorizedModes = this.accessService.getAuthorizedModes(TrellisUtils.buildTrellisIdentifier(path), buildSession);
            containerRequestContext.setProperty(SESSION_WEBAC_MODES, authorizedModes);
            Prefer valueOf = Prefer.valueOf(containerRequestContext.getHeaderString("Prefer"));
            if (((List) containerRequestContext.getUriInfo().getQueryParameters().getOrDefault("ext", Collections.emptyList())).contains("acl") || reqAudit(valueOf)) {
                verifyCanControl(authorizedModes.getAccessModes(), buildSession, path);
                return;
            }
            if (readable.contains(method) || reqRepresentation(valueOf)) {
                verifyCanRead(authorizedModes.getAccessModes(), buildSession, path);
            }
            if (writable.contains(method)) {
                verifyCanWrite(authorizedModes.getAccessModes(), buildSession, path);
            }
            if (appendable.contains(method)) {
                verifyCanAppend(authorizedModes.getAccessModes(), buildSession, path);
            }
        }
    }

    public void filter(ContainerRequestContext containerRequestContext, ContainerResponseContext containerResponseContext) {
        Object property = containerRequestContext.getProperty(SESSION_WEBAC_MODES);
        if (Response.Status.Family.SUCCESSFUL.equals(containerResponseContext.getStatusInfo().getFamily()) && !"DELETE".equals(containerRequestContext.getMethod()) && (property instanceof AuthorizedModes)) {
            AuthorizedModes authorizedModes = (AuthorizedModes) property;
            if (authorizedModes.getAccessModes().contains(ACL.Control)) {
                String str = ((List) containerRequestContext.getUriInfo().getQueryParameters().getOrDefault("ext", Collections.emptyList())).contains("acl") ? "acl self" : "acl";
                String path = containerRequestContext.getUriInfo().getPath();
                containerResponseContext.getHeaders().add("Link", Link.fromUri(UriBuilder.fromPath(path.startsWith(SLASH) ? path : SLASH + path).queryParam("ext", new Object[]{"acl"}).build(new Object[0])).rel(str).build(new Object[0]));
                containerResponseContext.getHeaders().add("Link", Link.fromUri(UriBuilder.fromPath(authorizedModes.getEffectiveAcl().getIRIString().replace("trellis:data/", SLASH)).queryParam("ext", new Object[]{"acl"}).build(new Object[0])).rel(Trellis.effectiveAcl.getIRIString()).build(new Object[0]));
            }
        }
    }

    protected void verifyCanAppend(Set<IRI> set, Session session, String str) {
        if (set.contains(ACL.Append) || set.contains(ACL.Write)) {
            LOGGER.debug("User: {} can append to {}", session.getAgent(), str);
            return;
        }
        LOGGER.warn("User: {} cannot Append to {}", session.getAgent(), str);
        if (!Trellis.AnonymousAgent.equals(session.getAgent())) {
            throw new ForbiddenException();
        }
        throw new NotAuthorizedException(this.challenges.get(0), this.challenges.subList(1, this.challenges.size()).toArray());
    }

    protected void verifyCanControl(Set<IRI> set, Session session, String str) {
        if (set.contains(ACL.Control)) {
            LOGGER.debug("User: {} can control {}", session.getAgent(), str);
            return;
        }
        LOGGER.warn("User: {} cannot Control {}", session.getAgent(), str);
        if (!Trellis.AnonymousAgent.equals(session.getAgent())) {
            throw new ForbiddenException();
        }
        throw new NotAuthorizedException(this.challenges.get(0), this.challenges.subList(1, this.challenges.size()).toArray());
    }

    protected void verifyCanWrite(Set<IRI> set, Session session, String str) {
        if (set.contains(ACL.Write)) {
            LOGGER.debug("User: {} can write to {}", session.getAgent(), str);
            return;
        }
        LOGGER.warn("User: {} cannot Write to {}", session.getAgent(), str);
        if (!Trellis.AnonymousAgent.equals(session.getAgent())) {
            throw new ForbiddenException();
        }
        throw new NotAuthorizedException(this.challenges.get(0), this.challenges.subList(1, this.challenges.size()).toArray());
    }

    protected void verifyCanRead(Set<IRI> set, Session session, String str) {
        if (set.contains(ACL.Read)) {
            LOGGER.debug("User: {} can read {}", session.getAgent(), str);
            return;
        }
        LOGGER.warn("User: {} cannot Read from {}", session.getAgent(), str);
        if (!Trellis.AnonymousAgent.equals(session.getAgent())) {
            throw new ForbiddenException();
        }
        throw new NotAuthorizedException(this.challenges.get(0), this.challenges.subList(1, this.challenges.size()).toArray());
    }

    static boolean reqAudit(Prefer prefer) {
        return prefer != null && prefer.getInclude().contains(Trellis.PreferAudit.getIRIString());
    }

    static boolean reqRepresentation(Prefer prefer) {
        return prefer != null && prefer.getPreference().filter(Predicate.isEqual("representation")).isPresent();
    }

    static String getBaseUrl(ContainerRequestContext containerRequestContext, String str) {
        return str != null ? str : TrellisRequest.buildBaseUrl(containerRequestContext.getUriInfo().getBaseUri(), containerRequestContext.getHeaders());
    }

    static Session buildSession(ContainerRequestContext containerRequestContext, String str) {
        Session from = HttpSession.from(containerRequestContext.getSecurityContext());
        String baseUrl = getBaseUrl(containerRequestContext, str);
        if (!from.getAgent().getIRIString().startsWith(baseUrl)) {
            return from;
        }
        String substring = from.getAgent().getIRIString().substring(baseUrl.length());
        return substring.startsWith(SLASH) ? new HttpSession(rdf.createIRI("trellis:data/" + substring.substring(1))) : new HttpSession(rdf.createIRI("trellis:data/" + substring));
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public static String buildChallenge(String str, String str2, String str3) {
        return str + (str2.isEmpty() ? "" : " realm=\"" + str2 + "\"") + (str3.isEmpty() ? "" : " scope=\"" + str3 + "\"");
    }
}
