package dev.dsf.fhir.authorization;

import ca.uhn.fhir.context.FhirContext;
import dev.dsf.common.auth.conf.Identity;
import dev.dsf.fhir.authentication.FhirServerRole;
import dev.dsf.fhir.authentication.OrganizationProvider;
import dev.dsf.fhir.authorization.process.ProcessAuthorizationHelper;
import dev.dsf.fhir.authorization.read.ReadAccessHelper;
import dev.dsf.fhir.dao.TaskDao;
import dev.dsf.fhir.dao.provider.DaoProvider;
import dev.dsf.fhir.help.ParameterConverter;
import dev.dsf.fhir.service.ReferenceResolver;
import dev.dsf.fhir.service.ResourceReference;
import java.sql.Connection;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.EnumSet;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.function.Predicate;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.hl7.fhir.r4.model.ActivityDefinition;
import org.hl7.fhir.r4.model.Base;
import org.hl7.fhir.r4.model.Organization;
import org.hl7.fhir.r4.model.Resource;
import org.hl7.fhir.r4.model.StringType;
import org.hl7.fhir.r4.model.Task;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:dev/dsf/fhir/authorization/TaskAuthorizationRule.class */
public class TaskAuthorizationRule extends AbstractAuthorizationRule<Task, TaskDao> {
    private static final String CODE_SYSTEM_BPMN_MESSAGE = "http://dsf.dev/fhir/CodeSystem/bpmn-message";
    private static final String CODE_SYSTEM_BPMN_MESSAGE_MESSAGE_NAME = "message-name";
    private static final String CODE_SYSTEM_BPMN_MESSAGE_BUSINESS_KEY = "business-key";
    private final ProcessAuthorizationHelper processAuthorizationHelper;
    private static final Logger logger = LoggerFactory.getLogger(TaskAuthorizationRule.class);
    private static final String INSTANTIATES_CANONICAL_PATTERN_STRING = "(?<processUrl>http[s]{0,1}://(?<domain>(?:(?:[a-zA-Z0-9]{1,63}|[a-zA-Z0-9][a-zA-Z0-9-]{0,61}[a-zA-Z0-9])\\.)+(?:[a-zA-Z0-9]{1,63}))/bpe/Process/(?<processName>[a-zA-Z0-9-]+))\\|(?<processVersion>\\d+\\.\\d+)$";
    private static final Pattern INSTANTIATES_CANONICAL_PATTERN = Pattern.compile(INSTANTIATES_CANONICAL_PATTERN_STRING);

    public TaskAuthorizationRule(DaoProvider daoProvider, String str, ReferenceResolver referenceResolver, OrganizationProvider organizationProvider, ReadAccessHelper readAccessHelper, ParameterConverter parameterConverter, ProcessAuthorizationHelper processAuthorizationHelper) {
        super(Task.class, daoProvider, str, referenceResolver, organizationProvider, readAccessHelper, parameterConverter);
        this.processAuthorizationHelper = processAuthorizationHelper;
    }

    @Override // dev.dsf.fhir.authorization.AbstractAuthorizationRule
    public void afterPropertiesSet() throws Exception {
        super.afterPropertiesSet();
        Objects.requireNonNull(this.processAuthorizationHelper, "processAuthorizationHelper");
    }

    @Override // dev.dsf.fhir.authorization.AuthorizationRule
    public Optional<String> reasonCreateAllowed(Connection connection, Identity identity, Task task) {
        if (!identity.hasDsfRole(FhirServerRole.CREATE)) {
            logger.warn("Create of Task unauthorized for identity '{}', no role {}", getResourceTypeName(), FhirServerRole.CREATE);
            return Optional.empty();
        }
        Optional<String> newResourceOk = newResourceOk(connection, identity, task);
        if (!newResourceOk.isEmpty()) {
            logger.warn("Create of Task unauthorized, " + newResourceOk.get());
            return Optional.empty();
        }
        if (taskAllowed(connection, identity, task)) {
            logger.info("Create of Task authorized for identity '{}'", identity.getName());
            return Optional.of("local or remote user, task.status draft or requested, task.requester current users organization, task.restriction.recipient local organization, process with instantiatesCanonical and message-name allowed for current user, task matches profile");
        }
        logger.warn("Create of Task unauthorized, process with instantiatesCanonical, message-name, requester or recipient not allowed for current user", identity.getName());
        return Optional.empty();
    }

    private Optional<String> newResourceOk(Connection connection, Identity identity, Task task) {
        ArrayList arrayList = new ArrayList();
        if (!task.hasStatus()) {
            arrayList.add("task.status missing");
        } else if (!EnumSet.of(Task.TaskStatus.DRAFT, Task.TaskStatus.REQUESTED).contains(task.getStatus())) {
            arrayList.add("task.status not draft or requested");
        }
        if (!task.hasRequester()) {
            arrayList.add("task.requester missing");
        } else if (!isCurrentIdentityPartOfReferencedOrganization(connection, identity, "task.requester", task.getRequester())) {
            arrayList.add("task.requester user not part of referenced organization");
        }
        if (!task.hasRestriction()) {
            arrayList.add("task.restriction missing");
        } else if (task.getRestriction().getRecipient().size() == 1) {
            Optional<Resource> resolveReference = this.referenceResolver.resolveReference(identity, new ResourceReference("task.restriction.recipient", task.getRestriction().getRecipientFirstRep(), new Class[]{Organization.class}), connection);
            if (!resolveReference.isPresent()) {
                arrayList.add("task.restriction.recipient could not be resolved");
            } else if (!(resolveReference.get() instanceof Organization)) {
                arrayList.add("task.restriction.recipient not a organization");
            } else if (!isLocalOrganization((Organization) resolveReference.get())) {
                arrayList.add("task.restriction.recipient not local organization");
            }
        } else {
            arrayList.add("task.restriction.recipient missing or more than one");
        }
        if (!task.hasInstantiatesCanonical()) {
            arrayList.add("task.instantiatesCanonical missing");
        } else if (!INSTANTIATES_CANONICAL_PATTERN.matcher(task.getInstantiatesCanonical()).matches()) {
            arrayList.add("task.instantiatesCanonical not matching (?<processUrl>http[s]{0,1}://(?<domain>(?:(?:[a-zA-Z0-9]{1,63}|[a-zA-Z0-9][a-zA-Z0-9-]{0,61}[a-zA-Z0-9])\\.)+(?:[a-zA-Z0-9]{1,63}))/bpe/Process/(?<processName>[a-zA-Z0-9-]+))\\|(?<processVersion>\\d+\\.\\d+)$ pattern");
        }
        if (!task.hasInput()) {
            arrayList.add("task.input empty");
        } else if (getMessageNames(task).count() != 1) {
            arrayList.add("task.input with system http://dsf.dev/fhir/CodeSystem/bpmn-message and code message-name with string value not empty missing or more than one");
        }
        if (task.hasOutput()) {
            arrayList.add("task.output not empty");
        }
        return arrayList.isEmpty() ? Optional.empty() : Optional.of((String) arrayList.stream().collect(Collectors.joining(", ")));
    }

    private Stream<String> getMessageNames(Task task) {
        return task.getInput().stream().filter((v0) -> {
            return v0.hasType();
        }).filter(parameterComponent -> {
            return parameterComponent.getType().hasCoding();
        }).filter(parameterComponent2 -> {
            return parameterComponent2.getType().getCoding().stream().filter((v0) -> {
                return v0.hasSystem();
            }).filter((v0) -> {
                return v0.hasCode();
            }).anyMatch(coding -> {
                return CODE_SYSTEM_BPMN_MESSAGE.equals(coding.getSystem()) && CODE_SYSTEM_BPMN_MESSAGE_MESSAGE_NAME.equals(coding.getCode());
            });
        }).filter((v0) -> {
            return v0.hasValue();
        }).filter(parameterComponent3 -> {
            return parameterComponent3.getValue() instanceof StringType;
        }).map((v0) -> {
            return v0.getValue();
        }).map(type -> {
            return (StringType) type;
        }).map(stringType -> {
            return stringType.getValueAsString();
        }).filter(str -> {
            return !str.isBlank();
        });
    }

    private boolean taskAllowed(Connection connection, Identity identity, Task task) {
        Optional<Identity> localOrganizationAsIdentity = this.organizationProvider.getLocalOrganizationAsIdentity();
        if (localOrganizationAsIdentity.isEmpty()) {
            logger.warn("Local organization does not exist");
            return false;
        }
        Matcher matcher = INSTANTIATES_CANONICAL_PATTERN.matcher(task.getInstantiatesCanonical());
        if (!matcher.matches()) {
            logger.warn("task.instantiatesCanonical not matching {} pattern", INSTANTIATES_CANONICAL_PATTERN_STRING);
            return false;
        }
        String group = matcher.group("processUrl");
        String group2 = matcher.group("processVersion");
        try {
            Optional<ActivityDefinition> readByProcessUrlVersionAndStatusDraftOrActiveWithTransaction = this.daoProvider.getActivityDefinitionDao().readByProcessUrlVersionAndStatusDraftOrActiveWithTransaction(connection, group, group2);
            if (readByProcessUrlVersionAndStatusDraftOrActiveWithTransaction.isEmpty()) {
                logger.warn("No ActivityDefinition with process-url '{}' and process-version '{}'", group, group2);
                return false;
            }
            ActivityDefinition activityDefinition = readByProcessUrlVersionAndStatusDraftOrActiveWithTransaction.get();
            Identity identity2 = localOrganizationAsIdentity.get();
            List list = (List) task.getMeta().getProfile().stream().filter((v0) -> {
                return v0.hasValue();
            }).map((v0) -> {
                return v0.getValueAsString();
            }).collect(Collectors.toList());
            String str = getMessageNames(task).findFirst().get();
            boolean anyMatch = this.processAuthorizationHelper.getRecipients(activityDefinition, group, group2, str, list).anyMatch(recipient -> {
                return recipient.isRecipientAuthorized(identity2, getAffiliations(connection, this.organizationProvider.getLocalOrganizationIdentifierValue()));
            });
            boolean anyMatch2 = this.processAuthorizationHelper.getRequesters(activityDefinition, group, group2, str, list).anyMatch(requester -> {
                return requester.isRequesterAuthorized(identity, getAffiliations(connection, (String) identity.getOrganizationIdentifierValue().orElse(null)));
            });
            if (!anyMatch) {
                logger.warn("Task not allowed for recipient");
            }
            if (!anyMatch2) {
                logger.warn("Task not allowed for requester");
            }
            return anyMatch && anyMatch2;
        } catch (SQLException e) {
            logger.warn("Error while reading ActivityDefinitions", e);
            return false;
        }
    }

    @Override // dev.dsf.fhir.authorization.AuthorizationRule
    public Optional<String> reasonReadAllowed(Connection connection, Identity identity, Task task) {
        String idPart = task.getIdElement().getIdPart();
        long longValue = task.getIdElement().getVersionIdPartAsLong().longValue();
        if (!identity.hasDsfRole(FhirServerRole.READ)) {
            logger.warn("Read of Task/{}/_history/{} unauthorized for identity '{}', no role {}", new Object[]{idPart.toString(), Long.valueOf(longValue), identity.getName(), FhirServerRole.READ});
            return Optional.empty();
        }
        if (isCurrentIdentityPartOfReferencedOrganization(connection, identity, "task.requester", task.getRequester())) {
            logger.info("Read of Task authorized, task.requester reference could be resolved and user '{}' is part of referenced organization", identity.getName());
            return Optional.of("task.requester resolved and user part of referenced organization");
        }
        if (identity.isLocalIdentity() && isCurrentIdentityPartOfReferencedOrganization(connection, identity, "task.restriction.recipient", task.getRestriction().getRecipientFirstRep())) {
            logger.info("Read of Task authorized, task.restriction.recipient reference could be resolved and user '{}' is part of referenced organization", identity.getName());
            return Optional.of("task.restriction.recipient resolved and local user part of referenced organization");
        }
        logger.warn("Read of Task unauthorized, task.requester or task.restriction.recipient references could not be resolved or user '{}' not part of referenced organizations", identity.getName());
        return Optional.empty();
    }

    @Override // dev.dsf.fhir.authorization.AuthorizationRule
    public Optional<String> reasonUpdateAllowed(Connection connection, Identity identity, Task task, Task task2) {
        String idPart = task.getIdElement().getIdPart();
        long longValue = task.getIdElement().getVersionIdPartAsLong().longValue();
        if (!identity.hasDsfRole(FhirServerRole.UPDATE)) {
            logger.warn("Update of Task/{}/_history/{} unauthorized for identity '{}', no role {}", new Object[]{idPart.toString(), Long.valueOf(longValue), identity.getName(), FhirServerRole.UPDATE});
            return Optional.empty();
        }
        if (Task.TaskStatus.DRAFT.equals(task.getStatus()) && isCurrentIdentityPartOfReferencedOrganization(connection, identity, "task.requester", task.getRequester())) {
            Optional<String> newResourceOk = newResourceOk(connection, identity, task2);
            if (newResourceOk.isEmpty()) {
                logger.info("Update of Task authorized for local or remote user '{}'", identity.getName());
                return Optional.of("local or remote user, task.status draft or requested, task.requester current users organization, task.restriction.recipient local organization");
            }
            logger.warn("Create of Task unauthorized, " + newResourceOk.get());
            return Optional.empty();
        }
        if (!identity.isLocalIdentity() || !EnumSet.of(Task.TaskStatus.REQUESTED, Task.TaskStatus.INPROGRESS).contains(task.getStatus()) || !isCurrentIdentityPartOfReferencedOrganization(connection, identity, "task.restriction.recipient", task.getRestriction().getRecipientFirstRep())) {
            logger.warn("Update of Task unauthorized, expected task.status draft and current user part of task.requester or task.status requester or inprogress and current local user part of task.restriction.recipient");
            return Optional.empty();
        }
        Optional<String> reasonNotSame = reasonNotSame(task, task2);
        if (!reasonNotSame.isEmpty()) {
            logger.warn("Update of Task unauthorized, task properties {} changed", reasonNotSame.get());
            return Optional.empty();
        }
        if (Task.TaskStatus.REQUESTED.equals(task.getStatus()) && Task.TaskStatus.INPROGRESS.equals(task2.getStatus())) {
            if (task2.hasOutput()) {
                logger.warn("Update of Task unauthorized, task.output not expected");
                return Optional.empty();
            }
            logger.info("local user (user is part of task.restriction.recipient organization), task.status inprogress, properties task.instantiatesCanonical, task.requester, task.restriction, task.input not changed");
            return Optional.of("local user (user part of task.restriction.recipient), task.status inprogress, properties task.instantiatesCanonical, task.requester, task.restriction, task.input not changed");
        }
        if (Task.TaskStatus.INPROGRESS.equals(task.getStatus()) && (Task.TaskStatus.COMPLETED.equals(task2.getStatus()) || Task.TaskStatus.FAILED.equals(task2.getStatus()))) {
            logger.info("local user (user is part of task.restriction.recipient organization), task.status completed or failed, properties task.instantiatesCanonical, task.requester, task.restriction, task.input not changed");
            return Optional.of("local user (user part of task.restriction.recipient), task.status completed or failed, properties task.instantiatesCanonical, task.requester, task.restriction, task.input not changed");
        }
        logger.warn("Update of Task unauthorized, task.status change {} -> {} not allowed", task.getStatus(), task2.getStatus());
        return Optional.empty();
    }

    private Optional<String> reasonNotSame(Task task, Task task2) {
        ArrayList arrayList = new ArrayList();
        if (!task.getRequester().equalsDeep(task2.getRequester())) {
            arrayList.add("task.requester");
        }
        if (!task.getRestriction().equalsDeep(task2.getRestriction())) {
            arrayList.add("task.restriction");
        }
        if (!task.getInstantiatesCanonical().equals(task2.getInstantiatesCanonical())) {
            arrayList.add("task.instantiatesCanonical");
        }
        List input = task.getInput();
        List input2 = task2.getInput();
        if (Task.TaskStatus.REQUESTED.equals(task.getStatus()) && input.stream().noneMatch(isBusinessKey()) && Task.TaskStatus.INPROGRESS.equals(task2.getStatus()) && input2.stream().anyMatch(isBusinessKey())) {
            input2 = input2.stream().filter(isBusinessKey().negate()).toList();
        }
        if (input.size() != input2.size()) {
            arrayList.add("task.input");
        } else {
            int i = 0;
            while (true) {
                if (i >= input.size()) {
                    break;
                }
                if (!((Task.ParameterComponent) input.get(i)).equalsDeep((Base) input2.get(i))) {
                    arrayList.add("task.input[" + i + "]");
                    break;
                }
                i++;
            }
        }
        if (arrayList.isEmpty()) {
            return Optional.empty();
        }
        logger.debug("Old Task: {}", FhirContext.forR4().newJsonParser().setStripVersionsFromReferences(false).encodeResourceToString(task));
        logger.debug("New Task: {}", FhirContext.forR4().newJsonParser().setStripVersionsFromReferences(false).encodeResourceToString(task2));
        return Optional.of((String) arrayList.stream().collect(Collectors.joining(", ")));
    }

    private Predicate<Task.ParameterComponent> isBusinessKey() {
        return parameterComponent -> {
            return parameterComponent.getType().getCoding().stream().anyMatch(coding -> {
                return CODE_SYSTEM_BPMN_MESSAGE.equals(coding.getSystem()) && CODE_SYSTEM_BPMN_MESSAGE_BUSINESS_KEY.equals(coding.getCode());
            });
        };
    }

    @Override // dev.dsf.fhir.authorization.AuthorizationRule
    public Optional<String> reasonDeleteAllowed(Connection connection, Identity identity, Task task) {
        String idPart = task.getIdElement().getIdPart();
        long longValue = task.getIdElement().getVersionIdPartAsLong().longValue();
        if (!identity.hasDsfRole(FhirServerRole.DELETE)) {
            logger.warn("Delete of Task/{}/_history/{} unauthorized for identity '{}', no role {}", new Object[]{idPart.toString(), Long.valueOf(longValue), identity.getName(), FhirServerRole.DELETE});
            return Optional.empty();
        }
        if (Task.TaskStatus.DRAFT.equals(task.getStatus()) && isCurrentIdentityPartOfReferencedOrganization(connection, identity, "task.requester", task.getRequester())) {
            logger.info("Delete of Task authorized for user '{}', task.status draft, task.requester resolved and user part of referenced organization", identity.getName());
            return Optional.of("task.status draft, task.requester resolved and user part of referenced organization");
        }
        if (identity.isLocalIdentity() && Task.TaskStatus.DRAFT.equals(task.getStatus()) && isCurrentIdentityPartOfReferencedOrganization(connection, identity, "task.restriction.recipient", task.getRestriction().getRecipientFirstRep())) {
            logger.info("Delete of Task authorized for local user '{}', task.status draft, task.restriction.recipient resolved and user part of referenced organization", identity.getName());
            return Optional.of("local user, task.status draft, task.restriction.recipient resolved and user part of referenced organization");
        }
        logger.warn("Delete of Task unauthorized, task.status not draft, task.requester not current user or task.restriction.recipient not local user");
        return Optional.empty();
    }
}
