package org.trellisldp.webac;

import java.io.IOException;
import java.io.InputStream;
import java.lang.annotation.Documented;
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.CompletionStage;
import java.util.function.Function;
import java.util.function.Predicate;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import javax.annotation.PostConstruct;
import javax.enterprise.context.ApplicationScoped;
import javax.inject.Inject;
import javax.inject.Qualifier;
import org.apache.commons.rdf.api.Dataset;
import org.apache.commons.rdf.api.Graph;
import org.apache.commons.rdf.api.IRI;
import org.apache.commons.rdf.api.Quad;
import org.apache.commons.rdf.api.RDF;
import org.apache.commons.rdf.api.RDFTerm;
import org.apache.jena.commonsrdf.JenaCommonsRDF;
import org.apache.jena.rdf.model.Model;
import org.apache.jena.rdf.model.ModelFactory;
import org.apache.jena.riot.Lang;
import org.apache.jena.riot.RDFParser;
import org.apache.jena.riot.RiotException;
import org.eclipse.microprofile.config.inject.ConfigProperty;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.trellisldp.api.CacheService;
import org.trellisldp.api.Metadata;
import org.trellisldp.api.RDFFactory;
import org.trellisldp.api.Resource;
import org.trellisldp.api.ResourceService;
import org.trellisldp.api.Session;
import org.trellisldp.api.TrellisRuntimeException;
import org.trellisldp.api.TrellisUtils;
import org.trellisldp.vocabulary.ACL;
import org.trellisldp.vocabulary.FOAF;
import org.trellisldp.vocabulary.Trellis;
import org.trellisldp.vocabulary.VCARD;

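/**
 * Resolves the WebAC access modes that an agent holds on a resource.
 *
 * <p>The effective ACL is the access-control graph of the nearest existing resource that carries
 * one; when none is found before the root, the in-memory default root authorizations loaded at
 * start-up are used instead. Results are cached per (resource, agent) pair through the injected
 * {@link CacheService}.
 *
 * <p>Security-relevant defaults visible in this class: the built-in fallback root ACL grants every
 * mode to {@code foaf:Agent} (see {@link #generateDefaultRootAuthorizationsDataset(String)}), and
 * the membership-resource check is disabled unless {@value #CONFIG_WEBAC_MEMBERSHIP_CHECK} is set.
 */
@ApplicationScoped
public class WebAcService {
    public static final String CONFIG_WEBAC_MEMBERSHIP_CHECK = "trellis.webac.membership-check";
    public static final String CONFIG_WEBAC_DEFAULT_ACL_LOCATION = "trellis.webac.default-acl-location";
    public static final String CONFIG_WEBAC_INITIALIZE_ROOT_ACL = "trellis.webac.initialize-root-acl";
    public static final String DEFAULT_ACL_LOCATION = "org/trellisldp/webac/defaultAcl.ttl";
    private static final Logger LOGGER = LoggerFactory.getLogger(WebAcService.class);
    private static final CompletionStage<Void> DONE = CompletableFuture.completedFuture(null);
    private static final RDF rdf = RDFFactory.getInstance();
    private static final IRI root = rdf.createIRI("trellis:data/");
    private static final IRI rootAuth = rdf.createIRI("trellis:data/#auth");

    // The full mode set handed to the administrator agent. It is shared by every administrator
    // lookup, so it is published as an unmodifiable view: no holder of the returned
    // AuthorizedModes can alter what later administrator requests receive.
    private static final Set<IRI> allModes;

    static {
        final Set<IRI> modes = new HashSet<>();
        modes.add(ACL.Read);
        modes.add(ACL.Write);
        modes.add(ACL.Control);
        modes.add(ACL.Append);
        allModes = Collections.unmodifiableSet(modes);
    }

    // Authorizations applied to the root when it has no persisted ACL; set once in initialize().
    private List<Authorization> defaultRootAuthorizations;

    // When true, write/append on a resource also requires the same mode on the membership
    // resource of its container (see getAuthz). Off by default.
    @Inject
    @ConfigProperty(name = CONFIG_WEBAC_MEMBERSHIP_CHECK, defaultValue = "false")
    boolean checkMembershipResources;

    // When true, initialize() persists the default ACL onto a root that has none.
    @Inject
    @ConfigProperty(name = CONFIG_WEBAC_INITIALIZE_ROOT_ACL, defaultValue = "true")
    boolean initializeRoot;

    // Classpath resource name, or a location handed to the RDF parser, of the default root ACL.
    @Inject
    @ConfigProperty(name = CONFIG_WEBAC_DEFAULT_ACL_LOCATION, defaultValue = DEFAULT_ACL_LOCATION)
    String defaultAuthResourceLocation;

    @Inject
    ResourceService resourceService;

    @Inject
    @TrellisAuthorizationCache
    CacheService<String, AuthorizedModes> cache;

    /**
     * The authorizations that apply to a request, paired with the resource whose ACL they came from.
     *
     * <p>{@link #stream()} returns the stream given at construction, so it can be consumed once.
     */
    public static class Authorizations {
        private final IRI resource;
        private final Stream<Authorization> stream;

        /**
         * Creates an empty set of authorizations for a resource.
         *
         * @param iri the resource the (absent) ACL is attributed to
         */
        public Authorizations(IRI iri) {
            this(iri, Stream.empty());
        }

        /**
         * Creates a set of authorizations for a resource.
         *
         * @param iri the resource whose ACL produced the authorizations
         * @param stream the authorizations
         */
        public Authorizations(IRI iri, Stream<Authorization> stream) {
            this.resource = iri;
            this.stream = stream;
        }

        /** @return the resource whose ACL produced these authorizations */
        public IRI getIdentifier() {
            return this.resource;
        }

        /** @return the authorizations; the same single-use stream on every call */
        public Stream<Authorization> stream() {
            return this.stream;
        }
    }

    /**
     * A cache that stores nothing: every lookup recomputes the value.
     *
     * <p>The compiler-generated bridge method that the decompiler printed for this class is
     * omitted; declaring it by hand would clash with the typed method below.
     */
    @TrellisAuthorizationCache
    public static class NoopAuthorizationCache implements CacheService<String, AuthorizedModes> {
        @Override
        public AuthorizedModes get(String str, Function<String, AuthorizedModes> function) {
            return function.apply(str);
        }
    }

    /** CDI qualifier selecting the cache used for authorization decisions. */
    @Target({ElementType.TYPE, ElementType.METHOD, ElementType.FIELD, ElementType.PARAMETER})
    @Qualifier
    @Documented
    @Retention(RetentionPolicy.RUNTIME)
    public @interface TrellisAuthorizationCache {
    }

    /**
     * Loads the default root authorizations and, if configured, persists them onto the root.
     *
     * <p>A failure while reading or writing the root resource is logged and swallowed, so the
     * service still starts. In that case the root keeps no persisted ACL and every later decision
     * for it falls back to the in-memory defaults, which are fully open unless a restrictive
     * default ACL was configured. The WARN line emitted here is therefore worth alerting on.
     *
     * @throws TrellisRuntimeException if the default ACL dataset cannot be closed
     */
    @PostConstruct
    public void initialize() {
        this.defaultRootAuthorizations = Collections.unmodifiableList(
                getDefaultRootAuthorizations(this.defaultAuthResourceLocation));
        if (this.initializeRoot) {
            try (Dataset dataset = generateDefaultRootAuthorizationsDataset(this.defaultAuthResourceLocation)) {
                this.resourceService.get(root)
                        .thenCompose(res -> initialize(res, dataset))
                        .exceptionally(err -> {
                            LOGGER.warn("Unable to auto-initialize Trellis: {}. See DEBUG log for more info",
                                    err.getMessage());
                            LOGGER.debug("Error auto-initializing Trellis", err);
                            return null;
                        })
                        .toCompletableFuture().join();
            } catch (Exception e) {
                throw new TrellisRuntimeException("Error initializing Trellis ACL", e);
            }
        }
    }

    /**
     * Writes the default ACL onto the root resource unless it already has an access-control graph.
     *
     * @param resource the root resource as currently stored
     * @param dataset the default ACL quads; the root's user-managed quads are added to it so the
     *     replace operation keeps them
     * @return a stage that completes when the root has been replaced, or immediately if an ACL exists
     */
    private CompletionStage<Void> initialize(Resource resource, Dataset dataset) {
        if (resource.hasMetadata(Trellis.PreferAccessControl)) {
            LOGGER.info("Root ACL is present, not initializing: {}", resource.getIdentifier());
            return DONE;
        }
        LOGGER.info("Initializing root ACL: {}", resource.getIdentifier());
        try (Stream<? extends Quad> quads = resource.stream(Trellis.PreferUserManaged)) {
            quads.forEach(dataset::add);
        }
        final Set<IRI> graphNames = new HashSet<>(resource.getMetadataGraphNames());
        graphNames.add(Trellis.PreferAccessControl);
        return this.resourceService.replace(
                Metadata.builder(resource).metadataGraphNames(graphNames).build(), dataset);
    }

    /**
     * Returns the access modes the session holds on a resource.
     *
     * @param iri the resource identifier
     * @param session the agent's session
     * @return the granted modes
     */
    public Set<IRI> getAccessModes(IRI iri, Session session) {
        return getAuthorizedModes(iri, session).getAccessModes();
    }

    /**
     * Returns the access modes the session holds on a resource, with the ACL they came from.
     *
     * <p>The administrator agent receives every mode without any ACL or cache lookup, so the
     * component that assigns {@code Trellis.AdministratorAgent} to a session is the only control
     * on that path. For a delegated session the result is the intersection of the agent's modes
     * and the delegator's modes.
     *
     * <p>NOTE(review): decisions are served from the injected cache; how long a cached decision
     * outlives an ACL or group change depends on the cache implementation, which is not shown here.
     *
     * @param iri the resource identifier
     * @param session the agent's session; must not be null
     * @return the granted modes and the effective ACL location
     * @throws NullPointerException if {@code session} is null
     */
    public AuthorizedModes getAuthorizedModes(IRI iri, Session session) {
        Objects.requireNonNull(session, "A non-null session must be provided!");
        if (Trellis.AdministratorAgent.equals(session.getAgent())) {
            return new AuthorizedModes(null, allModes);
        }
        LOGGER.debug("Looking up ACL for agent [{}] on resource [{}]", session.getAgent(), iri);
        final AuthorizedModes agentModes = this.cache.get(
                generateCacheKey(iri, session.getAgent()), key -> getAuthz(iri, session.getAgent()));
        return session.getDelegatedBy().map(delegator -> {
            // A delegated request may never exceed what the delegator itself is allowed to do.
            final Set<IRI> modes = new HashSet<>(agentModes.getAccessModes());
            modes.retainAll(this.cache.get(
                    generateCacheKey(iri, delegator), key -> getAuthz(iri, delegator)).getAccessModes());
            return new AuthorizedModes(agentModes.getEffectiveAcl().orElse(null), modes);
        }).orElse(agentModes);
    }

    /**
     * Builds the cache key for a (resource, agent) pair.
     *
     * <p>NOTE(review): the two IRI strings are joined with {@code "||"} and are not escaped, so
     * key uniqueness assumes neither string contains that sequence; nothing here validates it.
     *
     * @param iri the resource identifier
     * @param iri2 the agent identifier
     * @return the cache key
     */
    public static String generateCacheKey(IRI iri, IRI iri2) {
        return String.join("||", iri.getIRIString(), iri2.getIRIString());
    }

    /**
     * Computes the modes an agent holds on a resource, applying the optional membership check.
     *
     * <p>When the membership check is enabled and the agent could write or append, the container
     * of the resource is fetched; if it names a membership resource, Write and Append are each
     * kept only if the agent also holds that mode on the membership resource.
     *
     * @param resourceId the resource identifier
     * @param agent the agent identifier
     * @return the granted modes and the effective ACL location
     */
    private AuthorizedModes getAuthz(IRI resourceId, IRI agent) {
        final AuthorizedModes resourceModes = getModesFor(resourceId, agent);
        if (resourceModes.getAccessModes().isEmpty()) {
            LOGGER.debug("Agent [{}] has no access to resource [{}]", agent, resourceId);
        }
        final Set<IRI> modes = new HashSet<>(resourceModes.getAccessModes());
        if (!this.checkMembershipResources || !hasWritableMode(modes)) {
            return resourceModes;
        }
        TrellisUtils.getContainer(resourceId)
                .map(this.resourceService::get)
                .map(CompletionStage::toCompletableFuture)
                .map(CompletableFuture::join)
                .flatMap(Resource::getMembershipResource)
                .map(TrellisUtils::normalizeIdentifier)
                .map(member -> getModesFor(member, agent))
                .ifPresent(memberModes -> {
                    if (!memberModes.getAccessModes().contains(ACL.Write)) {
                        modes.remove(ACL.Write);
                    }
                    if (!memberModes.getAccessModes().contains(ACL.Append)) {
                        modes.remove(ACL.Append);
                    }
                });
        return new AuthorizedModes(resourceModes.getEffectiveAcl().orElse(null), modes);
    }

    /**
     * Collects the modes of every authorization that applies to the agent on the nearest existing
     * resource. If no resource exists on the path to the root, no mode is granted.
     *
     * @param resourceId the resource identifier
     * @param agent the agent identifier
     * @return the granted modes and the resource whose ACL was used
     */
    private AuthorizedModes getModesFor(IRI resourceId, IRI agent) {
        return getNearestResource(resourceId).map(res -> {
            final Authorizations authorizations = getAllAuthorizationsFor(res, false);
            final IRI aclSource = authorizations.getIdentifier();
            final Set<IRI> modes = authorizations.stream()
                    .filter(agentFilter(agent))
                    .flatMap(auth -> auth.getMode().stream())
                    .collect(Collectors.toSet());
            return new AuthorizedModes(aclSource, modes);
        }).orElseGet(() -> new AuthorizedModes(root, Collections.emptySet()));
    }

    /**
     * Finds the resource itself or, if it is missing or deleted, its closest existing ancestor.
     *
     * @param iri the resource identifier
     * @return the nearest existing resource, or empty if none exists up to the root
     */
    private Optional<Resource> getNearestResource(IRI iri) {
        // Blocks on the lookup; one fetch per path segment in the worst case.
        final Resource resource = this.resourceService.get(iri).toCompletableFuture().join();
        return resourceExists(resource)
                ? Optional.of(resource)
                : TrellisUtils.getContainer(iri).flatMap(this::getNearestResource);
    }

    /**
     * Builds the test that decides whether an authorization applies to an agent.
     *
     * <p>An authorization applies if it names {@code foaf:Agent} (everyone, anonymous included),
     * names {@code acl:AuthenticatedAgent} while the agent is not the anonymous agent, lists the
     * agent directly, or lists a group that contains the agent. "Authenticated" is decided here
     * solely by the agent IRI differing from {@code Trellis.AnonymousAgent}.
     *
     * @param agent the agent identifier
     * @return the predicate
     */
    private Predicate<Authorization> agentFilter(IRI agent) {
        return auth -> auth.getAgentClass().contains(FOAF.Agent)
                || (auth.getAgentClass().contains(ACL.AuthenticatedAgent)
                        && !Trellis.AnonymousAgent.equals(agent))
                || auth.getAgent().contains(agent)
                // Evaluated last: each group costs a blocking resource fetch.
                || auth.getAgentGroup().stream().anyMatch(isAgentInGroup(agent));
    }

    /**
     * Builds the test that decides whether a group lists the agent as a member.
     *
     * <p>Membership is read from the user-managed graph of the group resource held by this server:
     * a quad whose subject is the group IRI, whose predicate is {@code vcard:hasMember} and whose
     * object equals the agent. Whoever can write that group resource therefore controls who is in
     * the group, so group documents need an ACL at least as strict as the resources they guard.
     *
     * <p>The decompiled listing lost the receiver of the final method reference; it is restored
     * as the agent, which is the value null-checked immediately before it in that listing.
     *
     * @param agent the agent identifier
     * @return the predicate over group IRIs
     */
    private Predicate<IRI> isAgentInGroup(IRI agent) {
        return group -> this.resourceService.get(TrellisUtils.normalizeIdentifier(group)).thenApply(res -> {
            try (Stream<RDFTerm> members = res.stream(Trellis.PreferUserManaged)
                    .filter(quad -> quad.getSubject().equals(group)
                            && quad.getPredicate().equals(VCARD.hasMember))
                    .map(Quad::getObject)) {
                return members.anyMatch(agent::equals);
            }
        }).toCompletableFuture().join();
    }

    /**
     * Returns the authorizations that govern a resource, walking up to the nearest ACL.
     *
     * <p>A resource with its own access-control graph is governed by it: directly
     * ({@code acl:accessTo}) when it is the requested resource, or through inheritance
     * (see {@link #getInheritedAuth(IRI)}) when it was reached from a descendant. A root without
     * an access-control graph is governed by the in-memory default root authorizations, unfiltered.
     *
     * @param resource the resource to inspect
     * @param inherited true when {@code resource} is an ancestor of the requested resource
     * @return the applicable authorizations and the resource they were read from
     * @throws TrellisRuntimeException if reading or closing the ACL graph fails
     */
    private Authorizations getAllAuthorizationsFor(Resource resource, boolean inherited) {
        LOGGER.debug("Checking ACL for: {}", resource.getIdentifier());
        if (!resource.hasMetadata(Trellis.PreferAccessControl)) {
            if (root.equals(resource.getIdentifier())) {
                return new Authorizations(root, this.defaultRootAuthorizations.stream());
            }
            LOGGER.debug("No ACL for {}; looking up parent resource", resource.getIdentifier());
            return TrellisUtils.getContainer(resource.getIdentifier())
                    .flatMap(this::getNearestResource)
                    .map(parent -> getAllAuthorizationsFor(parent, true))
                    .orElseGet(() -> new Authorizations(root));
        }
        // The quad stream is closed here as well, matching the other resource.stream() call sites.
        try (Stream<? extends Quad> quads = resource.stream(Trellis.PreferAccessControl);
                Graph graph = quads.map(Quad::asTriple).collect(TrellisUtils.toGraph())) {
            // The list is fully materialized before the graph closes, so the returned stream is safe.
            final List<Authorization> authorizations = getAuthorizationFromGraph(resource.getIdentifier(), graph);
            if (inherited) {
                return new Authorizations(resource.getIdentifier(),
                        authorizations.stream().filter(getInheritedAuth(resource.getIdentifier())));
            }
            return new Authorizations(resource.getIdentifier(),
                    authorizations.stream().filter(auth -> auth.getAccessTo().contains(resource.getIdentifier())));
        } catch (Exception e) {
            throw new TrellisRuntimeException("Error closing graph", e);
        }
    }

    /**
     * Reads the authorizations in an ACL graph that refer to a given resource.
     *
     * <p>One authorization is built per distinct subject in the graph. Only those whose
     * {@code acl:accessTo} or {@code acl:default} contains the resource are returned, so an ACL
     * document cannot grant anything for a resource other than the one it is attached to.
     *
     * @param iri the resource the ACL graph belongs to
     * @param graph the ACL triples
     * @return the authorizations that name the resource
     * @throws TrellisRuntimeException if building an authorization or closing its graph fails
     */
    static List<Authorization> getAuthorizationFromGraph(IRI iri, Graph graph) {
        return graph.stream()
                .map(triple -> triple.getSubject())
                .distinct()
                .map(subject -> {
                    try (Graph subGraph = graph.stream(subject, (IRI) null, (RDFTerm) null)
                            .collect(TrellisUtils.toGraph())) {
                        return Authorization.from(subject, subGraph);
                    } catch (Exception e) {
                        throw new TrellisRuntimeException("Error closing graph", e);
                    }
                })
                .filter(auth -> auth.getAccessTo().contains(iri) || auth.getDefault().contains(iri))
                .collect(Collectors.toList());
    }

    /**
     * @param set the granted modes
     * @return true if the set contains Write or Append
     */
    static boolean hasWritableMode(Set<IRI> set) {
        return set.contains(ACL.Write) || set.contains(ACL.Append);
    }

    /**
     * @param resource the resource returned by a lookup
     * @return false for the missing-resource and deleted-resource markers, true otherwise
     */
    static boolean resourceExists(Resource resource) {
        return !(Resource.SpecialResources.MISSING_RESOURCE.equals(resource)
                || Resource.SpecialResources.DELETED_RESOURCE.equals(resource));
    }

    /**
     * Builds the test for authorizations that descendants inherit from an ancestor.
     *
     * <p>An authorization is inherited when its {@code acl:default} contains the ancestor. For the
     * root every authorization is treated as inherited, with or without {@code acl:default}.
     *
     * @param iri the ancestor whose ACL is being applied
     * @return the predicate
     */
    static Predicate<Authorization> getInheritedAuth(IRI iri) {
        return auth -> root.equals(iri) || auth.getDefault().contains(iri);
    }

    /**
     * Loads the in-memory authorizations used for a root without a persisted ACL.
     *
     * <p>Only the subject {@code trellis:data/#auth} is passed to the authorization builder;
     * presumably statements about other subjects in a custom default ACL are not picked up here.
     *
     * @param str the default ACL location
     * @return a single-element list, or an empty list if the dataset has no access-control graph
     */
    static List<Authorization> getDefaultRootAuthorizations(String str) {
        return generateDefaultRootAuthorizationsDataset(str)
                .getGraph(Trellis.PreferAccessControl)
                .map(graph -> Authorization.from(rootAuth, graph))
                .map(Collections::singletonList)
                .orElse(Collections.emptyList());
    }

    /**
     * Builds the dataset holding the default root ACL.
     *
     * <p>The location is tried as a classpath resource first; if it is not on the classpath the
     * string itself is handed to the RDF parser, which treats it as a file name or URL. The
     * content decides who receives Control on the root, so the location must be one that only
     * administrators can change.
     *
     * <p>The decompiled listing attached the exception handler to the wrong statement and left the
     * stream variable possibly unassigned; the try-with-resources form below restores the flow the
     * log message describes: on a read or parse error, warn and use the built-in fallback.
     *
     * <p><b>Fail-open fallback.</b> Whenever the dataset ends up empty (load failure, parse
     * error, or a file with no triples) the built-in ACL is used. It grants Read, Write,
     * Control and Append on the root to {@code foaf:Agent}, i.e. to every agent including the
     * anonymous one, and marks the grant as {@code acl:default} so descendants without their own
     * ACL inherit it. An intentionally empty ACL file therefore does not deny access. Deployments
     * that must not be world-writable should ship a non-empty restrictive default ACL and treat
     * the WARN line below as a security event.
     *
     * @param str the default ACL location
     * @return a dataset with the ACL quads in the access-control graph; never empty
     */
    static Dataset generateDefaultRootAuthorizationsDataset(String str) {
        final Dataset dataset = rdf.createDataset();
        final Model model = ModelFactory.createDefaultModel();
        try (InputStream input = Thread.currentThread().getContextClassLoader().getResourceAsStream(str)) {
            if (input != null) {
                LOGGER.debug("Using classpath resource for default root ACL: {}", str);
                RDFParser.source(input).lang(Lang.TURTLE).base("trellis:data/").parse(model);
            } else {
                LOGGER.debug("Using external resource for default root ACL: {}", str);
                RDFParser.source(str).lang(Lang.TURTLE).base("trellis:data/").parse(model);
            }
            // Copied only after a complete parse, so a partial document never reaches the dataset.
            JenaCommonsRDF.fromJena(model.getGraph()).stream()
                    .map(triple -> rdf.createQuad(Trellis.PreferAccessControl,
                            triple.getSubject(), triple.getPredicate(), triple.getObject()))
                    .forEach(dataset::add);
        } catch (IOException | RiotException e) {
            LOGGER.warn("Couldn't initialize root ACL with {}, falling back to default: {}", str, e.getMessage());
        } finally {
            model.close();
        }
        if (dataset.size() == 0) {
            // Built-in fallback: all four modes for every agent on the root, inherited by descendants.
            dataset.add(rdf.createQuad(Trellis.PreferAccessControl, rootAuth, ACL.mode, ACL.Read));
            dataset.add(rdf.createQuad(Trellis.PreferAccessControl, rootAuth, ACL.mode, ACL.Write));
            dataset.add(rdf.createQuad(Trellis.PreferAccessControl, rootAuth, ACL.mode, ACL.Control));
            dataset.add(rdf.createQuad(Trellis.PreferAccessControl, rootAuth, ACL.mode, ACL.Append));
            dataset.add(rdf.createQuad(Trellis.PreferAccessControl, rootAuth, ACL.agentClass, FOAF.Agent));
            dataset.add(rdf.createQuad(Trellis.PreferAccessControl, rootAuth, ACL.default_, root));
            dataset.add(rdf.createQuad(Trellis.PreferAccessControl, rootAuth, ACL.accessTo, root));
        }
        return dataset;
    }
}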
