package dev.dsf.fhir.authorization;

import dev.dsf.common.auth.conf.Identity;
import dev.dsf.fhir.authentication.FhirServerRole;
import dev.dsf.fhir.authentication.OrganizationProvider;
import dev.dsf.fhir.authorization.read.ReadAccessHelper;
import dev.dsf.fhir.dao.ReadAccessDao;
import dev.dsf.fhir.dao.ResourceDao;
import dev.dsf.fhir.dao.provider.DaoProvider;
import dev.dsf.fhir.help.ParameterConverter;
import dev.dsf.fhir.service.ReferenceResolver;
import dev.dsf.fhir.webservice.jaxrs.OrganizationServiceJaxrs;
import java.sql.Connection;
import java.sql.SQLException;
import java.util.List;
import java.util.Optional;
import java.util.UUID;
import java.util.stream.Collectors;
import org.hl7.fhir.r4.model.Resource;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.InitializingBean;

/* loaded from: input_file:dev/dsf/fhir/authorization/AbstractMetaTagAuthorizationRule.class */
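/**
 * Base authorization rule for resources whose read access is governed by meta tags
 * (read-access tags) and whose create/update/delete access is restricted to local
 * identities holding the matching {@link FhirServerRole}.
 * <p>
 * Read checks are answered from the database via {@link ReadAccessDao}; write checks
 * delegate resource-specific validation to the abstract hooks
 * {@link #newResourceOkForCreate}, {@link #newResourceOkForUpdate},
 * {@link #resourceExists} and {@link #modificationsOk}.
 * <p>
 * Every decision, authorized or not, is logged with the identity name so that
 * denied attempts can be audited.
 *
 * @param <R> the FHIR resource type handled by this rule
 * @param <D> the DAO type for {@code R}
 */
public abstract class AbstractMetaTagAuthorizationRule<R extends Resource, D extends ResourceDao<R>> extends AbstractAuthorizationRule<R, D> implements AuthorizationRule<R>, InitializingBean {
    private static final Logger logger = LoggerFactory.getLogger(AbstractMetaTagAuthorizationRule.class);

    // Looked up once from the DAO provider; used only by reasonReadAllowed.
    private final ReadAccessDao readAccessDao;

    /**
     * Creates the rule and resolves the {@link ReadAccessDao} from {@code daoProvider}.
     *
     * @param cls the resource class handled by this rule
     * @param daoProvider provider of DAOs, must supply a {@link ReadAccessDao}
     * @param str resource type name passed to the superclass (decompiled parameter name kept)
     * @param referenceResolver resolver passed to the superclass
     * @param organizationProvider provider passed to the superclass
     * @param readAccessHelper helper used to validate read-access tags
     * @param parameterConverter converter used to parse resource ids
     */
    public AbstractMetaTagAuthorizationRule(Class<R> cls, DaoProvider daoProvider, String str, ReferenceResolver referenceResolver, OrganizationProvider organizationProvider, ReadAccessHelper readAccessHelper, ParameterConverter parameterConverter) {
        super(cls, daoProvider, str, referenceResolver, organizationProvider, readAccessHelper, parameterConverter);
        this.readAccessDao = daoProvider.getReadAccessDao();
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Checks whether the read-access tags on {@code resource} are valid, i.e. every
     * referenced organization identifier and role coding can be resolved through the
     * given connection.
     *
     * @param connection open database connection used for the existence lookups
     * @param resource resource whose meta tags are validated
     * @return {@code true} if {@link ReadAccessHelper#isValid} accepts the tags
     */
    public final boolean hasValidReadAccessTag(Connection connection, Resource resource) {
        return this.readAccessHelper.isValid(resource,
                identifier -> organizationWithIdentifierExists(connection, identifier),
                coding -> roleExists(connection, coding));
    }

    /**
     * Decides whether {@code identity} may create {@code r}.
     * <p>
     * Create is allowed only for a local identity with role {@link FhirServerRole#CREATE},
     * when {@link #newResourceOkForCreate} reports no problem and no equal unique resource
     * already exists ({@link #resourceExists}).
     *
     * @param connection open database connection
     * @param identity the requesting identity
     * @param r the resource to be created
     * @return the reason the create is allowed, or empty if it is not allowed
     */
    @Override // dev.dsf.fhir.authorization.AuthorizationRule
    public final Optional<String> reasonCreateAllowed(Connection connection, Identity identity, R r) {
        if (!identity.isLocalIdentity() || !identity.hasDsfRole(FhirServerRole.CREATE)) {
            // Identity name is logged for the denied attempt, matching the three placeholders
            // (the original call passed only two arguments and so never logged who was denied).
            logger.warn("Create of {} unauthorized for identity '{}', not a local identity or no role {}", getResourceTypeName(), identity.getName(), FhirServerRole.CREATE);
            return Optional.empty();
        }

        // newResourceOkForCreate returns a reason when the new resource is NOT acceptable.
        Optional<String> createProblem = newResourceOkForCreate(connection, identity, r);
        if (createProblem.isPresent()) {
            logger.warn("Create of {} unauthorized, {}", getResourceTypeName(), createProblem.get());
            return Optional.empty();
        }

        if (resourceExists(connection, r)) {
            logger.warn("Create of {} unauthorized, unique resource already exists", getResourceTypeName());
            return Optional.empty();
        }

        logger.info("Create of {} authorized for identity '{}'", getResourceTypeName(), identity.getName());
        return Optional.of("Identity is local identity and has role " + FhirServerRole.CREATE);
    }

    /**
     * Reports whether a resource equal to {@code r} (in the sense the concrete rule defines)
     * already exists; used to refuse duplicate creates.
     *
     * @param connection open database connection
     * @param r the resource about to be created
     * @return {@code true} if creating {@code r} would duplicate an existing resource
     */
    protected abstract boolean resourceExists(Connection connection, R r);

    /**
     * Validates a resource about to be created.
     *
     * @param connection open database connection
     * @param identity the requesting identity
     * @param r the new resource
     * @return a human readable reason if {@code r} must <b>not</b> be created, empty if it is acceptable
     */
    protected abstract Optional<String> newResourceOkForCreate(Connection connection, Identity identity, R r);

    /**
     * Decides whether {@code identity} may read the given version of {@code r}.
     * <p>
     * Requires role {@link FhirServerRole#READ}; the resource's access types for the
     * identity (local/remote, organization) are then read via {@link ReadAccessDao}; an
     * empty result means no read-access tag matches and the read is denied.
     *
     * @param connection open database connection
     * @param identity the requesting identity; assumed to have an organization with an id
     *        (a {@code null} organization would fail here - TODO confirm callers guarantee it)
     * @param r the resource to be read, id and version id must be set
     * @return the reason the read is allowed, or empty if it is not allowed
     * @throws RuntimeException wrapping the {@link SQLException} if the access lookup fails
     */
    @Override // dev.dsf.fhir.authorization.AuthorizationRule
    public final Optional<String> reasonReadAllowed(Connection connection, Identity identity, R r) {
        UUID resourceId = this.parameterConverter.toUuid(getResourceTypeName(), r.getIdElement().getIdPart());
        long version = r.getIdElement().getVersionIdPartAsLong().longValue();

        if (!identity.hasDsfRole(FhirServerRole.READ)) {
            logger.warn("Read of {}/{}/_history/{} unauthorized for identity '{}', no role {}", getResourceTypeName(), resourceId.toString(), Long.valueOf(version), identity.getName(), FhirServerRole.READ);
            return Optional.empty();
        }

        try {
            UUID organizationId = this.parameterConverter.toUuid(OrganizationServiceJaxrs.PATH, identity.getOrganization().getIdElement().getIdPart());
            List<String> accessTypes = this.readAccessDao.getAccessTypes(connection, resourceId, version, identity.isLocalIdentity(), organizationId);

            if (accessTypes.isEmpty()) {
                logger.warn("Read of {}/{}/_history/{} unauthorized for identity '{}', no matching access tags", getResourceTypeName(), resourceId.toString(), Long.valueOf(version), identity.getName());
                return Optional.empty();
            }

            String joinedTypes = accessTypes.stream().collect(Collectors.joining(", ", "{", "}"));
            String tagWord = tagWord(accessTypes.size());
            logger.info("Read of {}/{}/_history/{} authorized for identity '{}', matching access {} {}", getResourceTypeName(), resourceId.toString(), Long.valueOf(version), identity.getName(), tagWord, joinedTypes);
            return Optional.of("Identity has role " + FhirServerRole.READ + ", matching access " + tagWord + " " + joinedTypes);
        } catch (SQLException e) {
            // Keep the cause so the failing statement is visible further up the stack.
            logger.warn("Error while checking read access", e);
            throw new RuntimeException(e);
        }
    }

    /** Returns "tag" for exactly one matching access type, "tags" otherwise. */
    private static String tagWord(int count) {
        return count == 1 ? "tag" : "tags";
    }

    /**
     * Validates a resource about to replace an existing version.
     *
     * @param connection open database connection
     * @param identity the requesting identity
     * @param r the new resource content
     * @return a human readable reason if the update must <b>not</b> happen, empty if it is acceptable
     */
    protected abstract Optional<String> newResourceOkForUpdate(Connection connection, Identity identity, R r);

    /**
     * Decides whether {@code identity} may update {@code r} (the stored version) with {@code r2}.
     * <p>
     * Update is allowed only for a local identity with role {@link FhirServerRole#UPDATE},
     * when {@link #newResourceOkForUpdate} reports no problem for {@code r2} and
     * {@link #modificationsOk} accepts the change from {@code r} to {@code r2}.
     *
     * @param connection open database connection
     * @param identity the requesting identity
     * @param r the currently stored resource, id and version id must be set
     * @param r2 the new resource content
     * @return the reason the update is allowed, or empty if it is not allowed
     */
    @Override // dev.dsf.fhir.authorization.AuthorizationRule
    public final Optional<String> reasonUpdateAllowed(Connection connection, Identity identity, R r, R r2) {
        String idPart = r.getIdElement().getIdPart();
        long version = r.getIdElement().getVersionIdPartAsLong().longValue();

        if (!identity.isLocalIdentity() || !identity.hasDsfRole(FhirServerRole.UPDATE)) {
            logger.warn("Update of {}/{}/_history/{} unauthorized for identity '{}', not a local identity or no role {}", getResourceTypeName(), idPart, Long.valueOf(version), identity.getName(), FhirServerRole.UPDATE);
            return Optional.empty();
        }

        // newResourceOkForUpdate returns a reason when the new content is NOT acceptable.
        Optional<String> updateProblem = newResourceOkForUpdate(connection, identity, r2);
        if (updateProblem.isPresent()) {
            logger.warn("Update of {}/{}/_history/{} unauthorized, {}", getResourceTypeName(), idPart, Long.valueOf(version), updateProblem.get());
            return Optional.empty();
        }

        if (!modificationsOk(connection, r, r2)) {
            logger.warn("Update of {}/{}/_history/{} unauthorized, modification not allowed", getResourceTypeName(), idPart, Long.valueOf(version));
            return Optional.empty();
        }

        logger.info("Update of {}/{}/_history/{} authorized for identity '{}'", getResourceTypeName(), idPart, Long.valueOf(version), identity.getName());
        return Optional.of("Identity is local identity and has role " + FhirServerRole.UPDATE);
    }

    /**
     * Reports whether changing the stored resource {@code r} into {@code r2} is permitted
     * by the concrete rule (e.g. that protected elements are unchanged).
     *
     * @param connection open database connection
     * @param r the currently stored resource
     * @param r2 the new resource content
     * @return {@code true} if the modification is allowed
     */
    protected abstract boolean modificationsOk(Connection connection, R r, R r2);

    /**
     * Decides whether {@code identity} may delete {@code r}.
     * <p>
     * Delete is allowed only for a local identity with role {@link FhirServerRole#DELETE};
     * no resource-specific checks are applied.
     *
     * @param connection open database connection (unused here, kept for the interface)
     * @param identity the requesting identity
     * @param r the resource to be deleted, id and version id must be set
     * @return the reason the delete is allowed, or empty if it is not allowed
     */
    @Override // dev.dsf.fhir.authorization.AuthorizationRule
    public final Optional<String> reasonDeleteAllowed(Connection connection, Identity identity, R r) {
        String idPart = r.getIdElement().getIdPart();
        long version = r.getIdElement().getVersionIdPartAsLong().longValue();

        if (!identity.isLocalIdentity() || !identity.hasDsfRole(FhirServerRole.DELETE)) {
            logger.warn("Delete of {}/{}/_history/{} unauthorized for identity '{}', not a local identity or no role {}", getResourceTypeName(), idPart, Long.valueOf(version), identity.getName(), FhirServerRole.DELETE);
            return Optional.empty();
        }

        logger.info("Delete of {}/{}/_history/{} authorized for identity '{}'", getResourceTypeName(), idPart, Long.valueOf(version), identity.getName());
        return Optional.of("Identity is local identity and has role " + FhirServerRole.DELETE);
    }
}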
