package org.trellisldp.webac;

import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.function.Predicate;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.apache.commons.rdf.api.BlankNodeOrIRI;
import org.apache.commons.rdf.api.Graph;
import org.apache.commons.rdf.api.IRI;
import org.apache.commons.rdf.api.RDF;
import org.apache.commons.rdf.api.RDFTerm;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.trellisldp.api.AccessControlService;
import org.trellisldp.api.Authorization;
import org.trellisldp.api.RDFUtils;
import org.trellisldp.api.Resource;
import org.trellisldp.api.ResourceService;
import org.trellisldp.api.RuntimeRepositoryException;
import org.trellisldp.api.Session;
import org.trellisldp.vocabulary.ACL;
import org.trellisldp.vocabulary.FOAF;
import org.trellisldp.vocabulary.Trellis;
import org.trellisldp.vocabulary.VCARD;

/* loaded from: input_file:org/trellisldp/webac/WebACService.class */
public class WebACService implements AccessControlService {
    private static final Logger LOGGER = LoggerFactory.getLogger(WebACService.class);
    private static final RDF rdf = RDFUtils.getInstance();
    private final ResourceService resourceService;

    public WebACService(ResourceService resourceService) {
        Objects.requireNonNull(resourceService, "A non-null ResourceService must be provided!");
        this.resourceService = resourceService;
    }

    public Boolean anyMatch(Session session, IRI iri, Predicate<IRI> predicate) {
        Objects.requireNonNull(session, "A non-null session must be provided!");
        Objects.requireNonNull(predicate, "A non-null predicate must be provided!");
        if (Trellis.RepositoryAdministrator.equals(session.getAgent())) {
            return true;
        }
        return Boolean.valueOf(((Stream) getNearestResource(iri).map(resource -> {
            return getAllAuthorizationsFor(resource, true).filter(delegateFilter(session).negate()).filter(agentFilter(session));
        }).orElseGet(Stream::empty)).peek(authorization -> {
            LOGGER.debug("Applying Authorization {} to {}", authorization.getIdentifier(), iri);
        }).anyMatch(authorization2 -> {
            return authorization2.getMode().stream().anyMatch(predicate);
        }));
    }

    private Optional<Resource> getNearestResource(IRI iri) {
        Optional<Resource> optional = this.resourceService.get(iri);
        return optional.isPresent() ? optional : this.resourceService.getContainer(iri).flatMap(this::getNearestResource);
    }

    private Predicate<Authorization> agentFilter(Session session) {
        return authorization -> {
            return authorization.getAgentClass().contains(FOAF.Agent) || authorization.getAgent().contains(session.getAgent()) || authorization.getAgentGroup().stream().anyMatch(isAgentInGroup(session.getAgent()));
        };
    }

    private Predicate<Authorization> delegateFilter(Session session) {
        return authorization -> {
            return session.getDelegatedBy().filter(iri -> {
                return !authorization.getAgent().contains(iri);
            }).isPresent();
        };
    }

    private Predicate<Authorization> getInheritedAuth(IRI iri) {
        return authorization -> {
            return authorization.getDefault().contains(iri);
        };
    }

    private Predicate<Authorization> getAccessToAuth(IRI iri) {
        return authorization -> {
            return authorization.getAccessTo().contains(iri);
        };
    }

    private Predicate<IRI> isAgentInGroup(IRI iri) {
        return iri2 -> {
            return this.resourceService.get(cleanIdentifier(iri2)).filter(resource -> {
                Stream map = resource.stream(Trellis.PreferUserManaged).filter(triple -> {
                    return triple.getSubject().equals(iri2) && triple.getPredicate().equals(VCARD.hasMember);
                }).map((v0) -> {
                    return v0.getObject();
                });
                Throwable th = null;
                try {
                    try {
                        Objects.requireNonNull(iri);
                        boolean anyMatch = map.anyMatch((v1) -> {
                            return r1.equals(v1);
                        });
                        if (map != null) {
                            $closeResource(null, map);
                        }
                        return anyMatch;
                    } finally {
                    }
                } catch (Throwable th2) {
                    if (map != null) {
                        $closeResource(th, map);
                    }
                    throw th2;
                }
            }).isPresent();
        };
    }

    private List<Authorization> getAuthorizationFromGraph(Graph graph) {
        return (List) graph.stream((BlankNodeOrIRI) null, org.trellisldp.vocabulary.RDF.type, ACL.Authorization).map((v0) -> {
            return v0.getSubject();
        }).distinct().map(blankNodeOrIRI -> {
            try {
                Graph createGraph = rdf.createGraph();
                Throwable th = null;
                try {
                    try {
                        Stream stream = graph.stream(blankNodeOrIRI, (IRI) null, (RDFTerm) null);
                        Objects.requireNonNull(createGraph);
                        stream.forEach(createGraph::add);
                        Authorization from = Authorization.from(blankNodeOrIRI, createGraph);
                        if (createGraph != null) {
                            $closeResource(null, createGraph);
                        }
                        return from;
                    } finally {
                    }
                } catch (Throwable th2) {
                    if (createGraph != null) {
                        $closeResource(th, createGraph);
                    }
                    throw th2;
                }
            } catch (Exception e) {
                throw new RuntimeRepositoryException("Error Processing graph", e);
            }
        }).collect(Collectors.toList());
    }

    private Stream<Authorization> getAllAuthorizationsFor(Resource resource, Boolean bool) {
        LOGGER.debug("Checking ACL for: {}", resource.getIdentifier());
        Optional container = this.resourceService.getContainer(resource.getIdentifier());
        if (!resource.hasAcl().booleanValue()) {
            LOGGER.debug("No ACL for {}; looking up parent resource", resource.getIdentifier());
            ResourceService resourceService = this.resourceService;
            Objects.requireNonNull(resourceService);
            return (Stream) container.flatMap(resourceService::get).map(resource2 -> {
                return getAllAuthorizationsFor(resource2, false);
            }).orElseGet(Stream::empty);
        }
        try {
            Graph createGraph = rdf.createGraph();
            try {
                Stream stream = resource.stream(Trellis.PreferAccessControl);
                Objects.requireNonNull(createGraph);
                stream.forEach(createGraph::add);
                List<Authorization> authorizationFromGraph = getAuthorizationFromGraph(createGraph);
                if (bool.booleanValue() || !authorizationFromGraph.stream().anyMatch(getInheritedAuth(resource.getIdentifier()))) {
                    Stream<Authorization> filter = authorizationFromGraph.stream().filter(getAccessToAuth(resource.getIdentifier()));
                    if (createGraph != null) {
                        $closeResource(null, createGraph);
                    }
                    return filter;
                }
                Stream<Authorization> filter2 = authorizationFromGraph.stream().filter(getInheritedAuth(resource.getIdentifier()));
                if (createGraph != null) {
                    $closeResource(null, createGraph);
                }
                return filter2;
            } catch (Throwable th) {
                if (createGraph != null) {
                    $closeResource(null, createGraph);
                }
                throw th;
            }
        } catch (Exception e) {
            throw new RuntimeRepositoryException(e);
        }
    }

    private static String cleanIdentifier(String str) {
        String str2 = str.split("#")[0].split("\\?")[0];
        return str2.endsWith("/") ? str2.substring(0, str2.length() - 1) : str2;
    }

    private static IRI cleanIdentifier(IRI iri) {
        return rdf.createIRI(cleanIdentifier(iri.getIRIString()));
    }

    private static /* synthetic */ void $closeResource(Throwable th, AutoCloseable autoCloseable) {
        if (th == null) {
            autoCloseable.close();
            return;
        }
        try {
            autoCloseable.close();
        } catch (Throwable th2) {
            th.addSuppressed(th2);
        }
    }
}
