package dev.dsf.fhir.authorization;

import ca.uhn.fhir.context.FhirContext;
import dev.dsf.common.auth.conf.Identity;
import dev.dsf.common.auth.conf.OrganizationIdentity;
import dev.dsf.fhir.authentication.FhirServerRole;
import dev.dsf.fhir.authentication.OrganizationProvider;
import dev.dsf.fhir.authorization.process.ProcessAuthorizationHelper;
import dev.dsf.fhir.authorization.read.ReadAccessHelper;
import dev.dsf.fhir.dao.TaskDao;
import dev.dsf.fhir.dao.provider.DaoProvider;
import dev.dsf.fhir.help.ParameterConverter;
import dev.dsf.fhir.service.ReferenceResolver;
import dev.dsf.fhir.service.ResourceReference;
import dev.dsf.fhir.webservice.jaxrs.RootServiceJaxrs;
import java.sql.Connection;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.function.Predicate;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.hl7.fhir.r4.model.ActivityDefinition;
import org.hl7.fhir.r4.model.Base;
import org.hl7.fhir.r4.model.Organization;
import org.hl7.fhir.r4.model.Resource;
import org.hl7.fhir.r4.model.StringType;
import org.hl7.fhir.r4.model.Task;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:dev/dsf/fhir/authorization/TaskAuthorizationRule.class */
public class TaskAuthorizationRule extends AbstractAuthorizationRule<Task, TaskDao> {
    private static final String CODE_SYSTEM_BPMN_MESSAGE = "http://dsf.dev/fhir/CodeSystem/bpmn-message";
    private static final String CODE_SYSTEM_BPMN_MESSAGE_MESSAGE_NAME = "message-name";
    private static final String CODE_SYSTEM_BPMN_MESSAGE_BUSINESS_KEY = "business-key";
    private static final String NAMING_SYSTEM_TASK_IDENTIFIER = "http://dsf.dev/sid/task-identifier";
    private final ProcessAuthorizationHelper processAuthorizationHelper;
    private final FhirContext fhirContext;
    private static final Logger logger = LoggerFactory.getLogger(TaskAuthorizationRule.class);
    private static final String INSTANTIATES_CANONICAL_PATTERN_STRING = "(?<processUrl>http[s]{0,1}://(?<domain>(?:(?:[a-zA-Z0-9]{1,63}|[a-zA-Z0-9][a-zA-Z0-9-]{0,61}[a-zA-Z0-9])\\.)+(?:[a-zA-Z0-9]{1,63}))/bpe/Process/(?<processName>[a-zA-Z0-9-]+))\\|(?<processVersion>\\d+\\.\\d+)$";
    private static final Pattern INSTANTIATES_CANONICAL_PATTERN = Pattern.compile(INSTANTIATES_CANONICAL_PATTERN_STRING);

    public TaskAuthorizationRule(DaoProvider daoProvider, String str, ReferenceResolver referenceResolver, OrganizationProvider organizationProvider, ReadAccessHelper readAccessHelper, ParameterConverter parameterConverter, ProcessAuthorizationHelper processAuthorizationHelper, FhirContext fhirContext) {
        super(Task.class, daoProvider, str, referenceResolver, organizationProvider, readAccessHelper, parameterConverter);
        this.processAuthorizationHelper = processAuthorizationHelper;
        this.fhirContext = fhirContext;
    }

    @Override // dev.dsf.fhir.authorization.AbstractAuthorizationRule
    public void afterPropertiesSet() throws Exception {
        super.afterPropertiesSet();
        Objects.requireNonNull(this.processAuthorizationHelper, "processAuthorizationHelper");
        Objects.requireNonNull(this.fhirContext, "fhirContext");
    }

    @Override // dev.dsf.fhir.authorization.AuthorizationRule
    public Optional<String> reasonCreateAllowed(Connection connection, Identity identity, Task task) {
        if (!identity.hasDsfRole(FhirServerRole.CREATE)) {
            logger.warn("Create of Task unauthorized for identity '{}', no role {}", identity.getName(), FhirServerRole.CREATE);
            return Optional.empty();
        }
        if (Task.TaskStatus.DRAFT.equals(task.getStatus())) {
            if (!identity.isLocalIdentity() || !(identity instanceof OrganizationIdentity)) {
                logger.warn("Create of Task unauthorized for identity '{}', Task.status draft, not allowed for non local organization identity", identity.getName());
                return Optional.empty();
            }
            Optional<String> draftTaskOk = draftTaskOk(connection, identity, task);
            if (draftTaskOk.isEmpty()) {
                logger.info("Create of Task authorized for local organization identity '{}', Task.status draft", identity.getName());
                return Optional.of("Local identity, Task.status draft");
            }
            logger.warn("Create of Task unauthorized for identity '{}', Task.status draft, {}", identity.getName(), draftTaskOk.get());
            return Optional.empty();
        }
        if (!Task.TaskStatus.REQUESTED.equals(task.getStatus())) {
            logger.warn("Create of Task unauthorized for identity '{}', Task.status not {} and not {}", new Object[]{identity.getName(), Task.TaskStatus.DRAFT.toCode(), Task.TaskStatus.REQUESTED.toCode()});
            return Optional.empty();
        }
        Optional<String> requestedTaskOk = requestedTaskOk(connection, identity, task);
        if (!requestedTaskOk.isEmpty()) {
            logger.warn("Create of Task unauthorized for identity '{}', Task.status requested, {}", identity.getName(), requestedTaskOk.get());
            return Optional.empty();
        }
        if (taskAllowedForRequesterAndRecipient(connection, identity, task)) {
            logger.info("Create of Task authorized for identity '{}', Task.status requested, process allowed for current identity", identity.getName());
            return Optional.of("Local or remote identity, Task.status requested, Task.requester current identity's organization, Task.restriction.recipient local organization, process with instantiatesCanonical and message-name allowed for current identity, Task defines needed profile");
        }
        logger.warn("Create of Task unauthorized for identity '{}', Task.status requested, process with instantiatesCanonical, message-name, requester or recipient not allowed", identity.getName());
        return Optional.empty();
    }

    private Optional<String> requestedTaskOk(Connection connection, Identity identity, Task task) {
        ArrayList arrayList = new ArrayList();
        if (task.getIdentifier().stream().anyMatch(identifier -> {
            return NAMING_SYSTEM_TASK_IDENTIFIER.equals(identifier.getSystem());
        })) {
            arrayList.add("Task.identifier[http://dsf.dev/sid/task-identifier] defined");
        }
        if (!task.hasRequester()) {
            arrayList.add("Task.requester missing");
        } else if (!isCurrentIdentityPartOfReferencedOrganization(connection, identity, "Task.requester", task.getRequester())) {
            arrayList.add("Task.requester current identity not part of referenced organization");
        }
        if (!task.hasRestriction()) {
            arrayList.add("Task.restriction not defined");
        } else if (task.getRestriction().getRecipient().size() == 1) {
            Optional<Resource> resolveReference = this.referenceResolver.resolveReference(identity, new ResourceReference("Task.restriction.recipient", task.getRestriction().getRecipientFirstRep(), new Class[]{Organization.class}), connection);
            if (resolveReference.isPresent()) {
                Resource resource = resolveReference.get();
                if (!(resource instanceof Organization)) {
                    arrayList.add("Task.restriction.recipient not a organization");
                } else if (!isLocalOrganization((Organization) resource)) {
                    arrayList.add("Task.restriction.recipient not local organization");
                }
            } else {
                arrayList.add("Task.restriction.recipient could not be resolved");
            }
        } else {
            arrayList.add("Task.restriction.recipient missing or more than one");
        }
        if (!task.hasInstantiatesCanonical()) {
            arrayList.add("Task.instantiatesCanonical not defined");
        } else if (!INSTANTIATES_CANONICAL_PATTERN.matcher(task.getInstantiatesCanonical()).matches()) {
            arrayList.add("Task.instantiatesCanonical not matching (?<processUrl>http[s]{0,1}://(?<domain>(?:(?:[a-zA-Z0-9]{1,63}|[a-zA-Z0-9][a-zA-Z0-9-]{0,61}[a-zA-Z0-9])\\.)+(?:[a-zA-Z0-9]{1,63}))/bpe/Process/(?<processName>[a-zA-Z0-9-]+))\\|(?<processVersion>\\d+\\.\\d+)$ pattern");
        }
        if (!task.hasInput()) {
            arrayList.add("Task.input empty");
        } else if (getMessageNames(task).count() != 1) {
            arrayList.add("Task.input with system http://dsf.dev/fhir/CodeSystem/bpmn-message and code message-name with non empty string value not defined or more than one");
        }
        if (task.hasOutput()) {
            arrayList.add("Task.output not empty");
        }
        return arrayList.isEmpty() ? Optional.empty() : Optional.of((String) arrayList.stream().collect(Collectors.joining(", ")));
    }

    private Optional<String> draftTaskOk(Connection connection, Identity identity, Task task) {
        ArrayList arrayList = new ArrayList();
        if (task.getIdentifier().stream().noneMatch(identifier -> {
            return NAMING_SYSTEM_TASK_IDENTIFIER.equals(identifier.getSystem());
        })) {
            arrayList.add("Task.identifier[http://dsf.dev/sid/task-identifier] missing");
        }
        if (task.hasRequester()) {
            Optional<Resource> resolveReference = this.referenceResolver.resolveReference(identity, new ResourceReference("Task.requester", task.getRequester(), new Class[]{Organization.class}), connection);
            if (resolveReference.isPresent()) {
                Resource resource = resolveReference.get();
                if (!(resource instanceof Organization)) {
                    arrayList.add("Task.requester not a organization");
                } else if (!isLocalOrganization((Organization) resource)) {
                    arrayList.add("Task.requester not local organization");
                }
            } else {
                arrayList.add("Task.requester could not be resolved");
            }
        } else {
            arrayList.add("Task.requester missing");
        }
        if (!task.hasRestriction()) {
            arrayList.add("Task.restriction not defined");
        } else if (task.getRestriction().getRecipient().size() == 1) {
            Optional<Resource> resolveReference2 = this.referenceResolver.resolveReference(identity, new ResourceReference("Task.restriction.recipient", task.getRestriction().getRecipientFirstRep(), new Class[]{Organization.class}), connection);
            if (resolveReference2.isPresent()) {
                Resource resource2 = resolveReference2.get();
                if (!(resource2 instanceof Organization)) {
                    arrayList.add("Task.restriction.recipient not a organization");
                } else if (!isLocalOrganization((Organization) resource2)) {
                    arrayList.add("Task.restriction.recipient not local organization");
                }
            } else {
                arrayList.add("Task.restriction.recipient could not be resolved");
            }
        } else {
            arrayList.add("Task.restriction.recipient missing or more than one");
        }
        if (!task.hasInstantiatesCanonical()) {
            arrayList.add("Task.instantiatesCanonical not defined");
        } else if (!INSTANTIATES_CANONICAL_PATTERN.matcher(task.getInstantiatesCanonical()).matches()) {
            arrayList.add("Task.instantiatesCanonical not matching (?<processUrl>http[s]{0,1}://(?<domain>(?:(?:[a-zA-Z0-9]{1,63}|[a-zA-Z0-9][a-zA-Z0-9-]{0,61}[a-zA-Z0-9])\\.)+(?:[a-zA-Z0-9]{1,63}))/bpe/Process/(?<processName>[a-zA-Z0-9-]+))\\|(?<processVersion>\\d+\\.\\d+)$ pattern");
        }
        if (!task.hasInput()) {
            arrayList.add("Task.input empty");
        } else if (getMessageNames(task).count() != 1) {
            arrayList.add("Task.input with system http://dsf.dev/fhir/CodeSystem/bpmn-message and code message-name with non empty string value not defined or more than one");
        }
        if (task.hasOutput()) {
            arrayList.add("Task.output not empty");
        }
        return arrayList.isEmpty() ? Optional.empty() : Optional.of((String) arrayList.stream().collect(Collectors.joining(", ")));
    }

    private Stream<String> getMessageNames(Task task) {
        return task.getInput().stream().filter((v0) -> {
            return v0.hasType();
        }).filter(parameterComponent -> {
            return parameterComponent.getType().hasCoding();
        }).filter(parameterComponent2 -> {
            return parameterComponent2.getType().getCoding().stream().filter((v0) -> {
                return v0.hasSystem();
            }).filter((v0) -> {
                return v0.hasCode();
            }).anyMatch(coding -> {
                return CODE_SYSTEM_BPMN_MESSAGE.equals(coding.getSystem()) && CODE_SYSTEM_BPMN_MESSAGE_MESSAGE_NAME.equals(coding.getCode());
            });
        }).filter((v0) -> {
            return v0.hasValue();
        }).filter(parameterComponent3 -> {
            return parameterComponent3.getValue() instanceof StringType;
        }).map((v0) -> {
            return v0.getValue();
        }).map(type -> {
            return (StringType) type;
        }).map((v0) -> {
            return v0.getValueAsString();
        }).filter(str -> {
            return !str.isBlank();
        });
    }

    private boolean taskAllowedForRequesterAndRecipient(Connection connection, Identity identity, Task task) {
        Optional<Identity> localOrganizationAsIdentity = this.organizationProvider.getLocalOrganizationAsIdentity();
        if (localOrganizationAsIdentity.isEmpty()) {
            logger.warn("Local organization does not exist");
            return false;
        }
        Matcher matcher = INSTANTIATES_CANONICAL_PATTERN.matcher(task.getInstantiatesCanonical());
        if (!matcher.matches()) {
            logger.warn("Task.instantiatesCanonical not matching {} pattern", INSTANTIATES_CANONICAL_PATTERN_STRING);
            return false;
        }
        String group = matcher.group("processUrl");
        String group2 = matcher.group("processVersion");
        try {
            Optional<ActivityDefinition> readByProcessUrlVersionAndStatusDraftOrActiveWithTransaction = this.daoProvider.getActivityDefinitionDao().readByProcessUrlVersionAndStatusDraftOrActiveWithTransaction(connection, group, group2);
            if (readByProcessUrlVersionAndStatusDraftOrActiveWithTransaction.isEmpty()) {
                logger.warn("No ActivityDefinition with process-url '{}' and process-version '{}'", group, group2);
                return false;
            }
            ActivityDefinition activityDefinition = readByProcessUrlVersionAndStatusDraftOrActiveWithTransaction.get();
            Identity identity2 = localOrganizationAsIdentity.get();
            List list = (List) task.getMeta().getProfile().stream().filter((v0) -> {
                return v0.hasValue();
            }).map((v0) -> {
                return v0.getValueAsString();
            }).collect(Collectors.toList());
            String str = getMessageNames(task).findFirst().get();
            boolean anyMatch = this.processAuthorizationHelper.getRecipients(activityDefinition, group, group2, str, list).anyMatch(recipient -> {
                return recipient.isRecipientAuthorized(identity2, getAffiliations(connection, this.organizationProvider.getLocalOrganizationIdentifierValue()));
            });
            boolean anyMatch2 = this.processAuthorizationHelper.getRequesters(activityDefinition, group, group2, str, list).anyMatch(requester -> {
                return requester.isRequesterAuthorized(identity, getAffiliations(connection, (String) identity.getOrganizationIdentifierValue().orElse(null)));
            });
            if (!anyMatch && !anyMatch2) {
                logger.warn("Task not allowed for requester and recipient");
            } else if (!anyMatch) {
                logger.warn("Task not allowed for recipient");
            } else if (!anyMatch2) {
                logger.warn("Task not allowed for requester");
            }
            return anyMatch && anyMatch2;
        } catch (SQLException e) {
            logger.debug("Error while reading ActivityDefinitions", e);
            logger.warn("Error while reading ActivityDefinitions: {} - {}", e.getClass().getName(), e.getMessage());
            return false;
        }
    }

    private boolean taskAllowedForRecipient(Connection connection, Task task) {
        Optional<Identity> localOrganizationAsIdentity = this.organizationProvider.getLocalOrganizationAsIdentity();
        if (localOrganizationAsIdentity.isEmpty()) {
            logger.warn("Local organization does not exist");
            return false;
        }
        Matcher matcher = INSTANTIATES_CANONICAL_PATTERN.matcher(task.getInstantiatesCanonical());
        if (!matcher.matches()) {
            logger.warn("Task.instantiatesCanonical not matching {} pattern", INSTANTIATES_CANONICAL_PATTERN_STRING);
            return false;
        }
        String group = matcher.group("processUrl");
        String group2 = matcher.group("processVersion");
        try {
            Optional<ActivityDefinition> readByProcessUrlVersionAndStatusDraftOrActiveWithTransaction = this.daoProvider.getActivityDefinitionDao().readByProcessUrlVersionAndStatusDraftOrActiveWithTransaction(connection, group, group2);
            if (readByProcessUrlVersionAndStatusDraftOrActiveWithTransaction.isEmpty()) {
                logger.warn("No ActivityDefinition with process-url '{}' and process-version '{}'", group, group2);
                return false;
            }
            ActivityDefinition activityDefinition = readByProcessUrlVersionAndStatusDraftOrActiveWithTransaction.get();
            Identity identity = localOrganizationAsIdentity.get();
            List list = (List) task.getMeta().getProfile().stream().filter((v0) -> {
                return v0.hasValue();
            }).map((v0) -> {
                return v0.getValueAsString();
            }).collect(Collectors.toList());
            boolean anyMatch = this.processAuthorizationHelper.getRecipients(activityDefinition, group, group2, getMessageNames(task).findFirst().get(), list).anyMatch(recipient -> {
                return recipient.isRecipientAuthorized(identity, getAffiliations(connection, this.organizationProvider.getLocalOrganizationIdentifierValue()));
            });
            if (!anyMatch) {
                logger.warn("Task not allowed for recipient");
            }
            return anyMatch;
        } catch (SQLException e) {
            logger.debug("Error while reading ActivityDefinitions", e);
            logger.warn("Error while reading ActivityDefinitions: {} - {}", e.getClass().getName(), e.getMessage());
            return false;
        }
    }

    @Override // dev.dsf.fhir.authorization.AuthorizationRule
    public Optional<String> reasonReadAllowed(Connection connection, Identity identity, Task task) {
        String uuid = this.parameterConverter.toUuid(getResourceTypeName(), task.getIdElement().getIdPart()).toString();
        long longValue = task.getIdElement().getVersionIdPartAsLong().longValue();
        if (!identity.hasDsfRole(FhirServerRole.READ)) {
            logger.warn("Read of Task/{}/_history/{} unauthorized for identity '{}', no role {}", new Object[]{uuid, Long.valueOf(longValue), identity.getName(), FhirServerRole.READ});
            return Optional.empty();
        }
        if (isCurrentIdentityPartOfReferencedOrganization(connection, identity, "Task.requester", task.getRequester())) {
            logger.info("Read of Task/{}/_history/{} authorized for identity '{}', Task.requester reference could be resolved and current identity part of referenced organization", new Object[]{uuid, Long.valueOf(longValue), identity.getName()});
            return Optional.of("Task.requester resolved and identity part of referenced organization");
        }
        if (identity.isLocalIdentity() && isCurrentIdentityPartOfReferencedOrganization(connection, identity, "Task.restriction.recipient", task.getRestriction().getRecipientFirstRep())) {
            logger.info("Read of Task/{}/_history/{} authorized for identity '{}', Task.restriction.recipient reference could be resolved and current identity part of referenced organization", new Object[]{uuid, Long.valueOf(longValue), identity.getName()});
            return Optional.of("Task.restriction.recipient resolved and local identity part of referenced organization");
        }
        logger.warn("Read of Task/{}/_history/{} unauthorized for identity '{}', Task.requester or Task.restriction.recipient references could not be resolved or current identity not part of referenced organizations", new Object[]{uuid, Long.valueOf(longValue), identity.getName()});
        return Optional.empty();
    }

    @Override // dev.dsf.fhir.authorization.AuthorizationRule
    public Optional<String> reasonUpdateAllowed(Connection connection, Identity identity, Task task, Task task2) {
        String uuid = this.parameterConverter.toUuid(getResourceTypeName(), task.getIdElement().getIdPart()).toString();
        long longValue = task.getIdElement().getVersionIdPartAsLong().longValue();
        if (!identity.hasDsfRole(FhirServerRole.UPDATE)) {
            logger.warn("Update of Task/{}/_history/{} unauthorized for identity '{}', no role {}", new Object[]{uuid, Long.valueOf(longValue), identity.getName(), FhirServerRole.UPDATE});
            return Optional.empty();
        }
        if (!identity.isLocalIdentity() || !(identity instanceof OrganizationIdentity)) {
            logger.warn("Update of Task/{}/_history/{} unauthorized for non local organization identity '{}'", new Object[]{uuid, Long.valueOf(longValue), identity.getName()});
            return Optional.empty();
        }
        if (Task.TaskStatus.DRAFT.equals(task.getStatus()) && Task.TaskStatus.DRAFT.equals(task2.getStatus())) {
            Optional<String> draftTaskOk = draftTaskOk(connection, identity, task2);
            if (draftTaskOk.isEmpty()) {
                logger.info("Update of Task/{}/_history/{} ({} -> {}) authorized for local identity '{}'", new Object[]{uuid, Long.valueOf(longValue), Task.TaskStatus.DRAFT.toCode(), Task.TaskStatus.DRAFT.toCode(), identity.getName()});
                return Optional.of("Local identity, old Task.status draft, new Task.status draft");
            }
            logger.warn("Update of Task/{}/_history/{} ({} -> {}) unauthorized for identity '{}', {}", new Object[]{uuid, Long.valueOf(longValue), Task.TaskStatus.DRAFT.toCode(), Task.TaskStatus.DRAFT.toCode(), identity.getName(), draftTaskOk.get()});
            return Optional.empty();
        }
        if (Task.TaskStatus.REQUESTED.equals(task.getStatus()) && Task.TaskStatus.INPROGRESS.equals(task2.getStatus())) {
            Optional<String> reasonNotSame = reasonNotSame(task, task2);
            if (!reasonNotSame.isEmpty()) {
                logger.warn("Update of Task/{}/_history/{} ({} -> {}) unauthorized for local identity '{}', modification of Task properties {} not allowed", new Object[]{uuid, Long.valueOf(longValue), Task.TaskStatus.REQUESTED.toCode(), Task.TaskStatus.INPROGRESS.toCode(), identity.getName(), reasonNotSame.get()});
                return Optional.empty();
            }
            if (!taskAllowedForRecipient(connection, task2)) {
                logger.warn("Update of Task/{}/_history/{} ({} -> {}) unauthorized for local identity '{}', process with instantiatesCanonical, message-name, requester or recipient not allowed", new Object[]{uuid, Long.valueOf(longValue), Task.TaskStatus.REQUESTED.toCode(), Task.TaskStatus.INPROGRESS.toCode(), identity.getName()});
                return Optional.empty();
            }
            if (task2.hasOutput()) {
                logger.warn("Update of Task/{}/_history/{} ({} -> {}) unauthorized for local identity '{}', Task.output not expected", new Object[]{uuid, Long.valueOf(longValue), Task.TaskStatus.REQUESTED.toCode(), Task.TaskStatus.INPROGRESS.toCode(), identity.getName()});
                return Optional.empty();
            }
            String str = (hasBusinessKey(task) || !hasBusinessKey(task2)) ? RootServiceJaxrs.PATH : " (business-key added)";
            logger.info("Update of Task/{}/_history/{} ({} -> {}) authorized for local identity '{}', old Task.status requested, new Task.status in-progress, process allowed for current identity", new Object[]{uuid, Long.valueOf(longValue), Task.TaskStatus.REQUESTED.toCode(), Task.TaskStatus.INPROGRESS.toCode(), identity.getName()});
            return Optional.of("Local identity, Task.status in-progress, Task.restriction.recipient local organization, process with instantiatesCanonical and message-name allowed for current identity, Task defines needed profile, Task.instantiatesCanonical not modified, Task.requester not modified, Task.restriction not modified, Task.input not modified" + str + ", Task has no output");
        }
        if (Task.TaskStatus.INPROGRESS.equals(task.getStatus()) && Task.TaskStatus.COMPLETED.equals(task2.getStatus())) {
            Optional<String> reasonNotSame2 = reasonNotSame(task, task2);
            if (!reasonNotSame2.isEmpty()) {
                logger.warn("Update of Task/{}/_history/{} ({} -> {}) unauthorized for local identity '{}', modification of Task properties {} not allowed", new Object[]{uuid, Long.valueOf(longValue), Task.TaskStatus.INPROGRESS.toCode(), Task.TaskStatus.COMPLETED.toCode(), identity.getName(), reasonNotSame2.get()});
                return Optional.empty();
            }
            if (taskAllowedForRecipient(connection, task2)) {
                logger.info("Update of Task/{}/_history/{} ({} -> {}) authorized for local identity '{}', old Task.status in-progress, new Task.status completed, process allowed for current identity", new Object[]{uuid, Long.valueOf(longValue), Task.TaskStatus.INPROGRESS.toCode(), Task.TaskStatus.COMPLETED.toCode(), identity.getName()});
                return Optional.of("Local identity, Task.status completed, Task.restriction.recipient local organization, process with instantiatesCanonical and message-name allowed for current identity, Task defines needed profile, Task.instantiatesCanonical not modified, Task.requester not modified, Task.restriction not modified, Task.input not modified");
            }
            logger.warn("Update of Task/{}/_history/{} ({} -> {}) unauthorized for local identity '{}', process with instantiatesCanonical, message-name, requester or recipient not allowed", new Object[]{uuid, Long.valueOf(longValue), Task.TaskStatus.INPROGRESS.toCode(), Task.TaskStatus.COMPLETED.toCode(), identity.getName()});
            return Optional.empty();
        }
        if (Task.TaskStatus.INPROGRESS.equals(task.getStatus()) && Task.TaskStatus.FAILED.equals(task2.getStatus())) {
            Optional<String> reasonNotSame3 = reasonNotSame(task, task2);
            if (!reasonNotSame3.isEmpty()) {
                logger.warn("Update of Task/{}/_history/{} ({} -> {}) unauthorized for local identity '{}', modification of Task properties {} not allowed", new Object[]{uuid, Long.valueOf(longValue), Task.TaskStatus.INPROGRESS.toCode(), Task.TaskStatus.FAILED.toCode(), identity.getName(), reasonNotSame3.get()});
                return Optional.empty();
            }
            if (taskAllowedForRecipient(connection, task2)) {
                logger.info("Update of Task/{}/_history/{} ({} -> {}) authorized for local identity '{}', old Task.status in-progress, new Task.status failed, process allowed for current identity", new Object[]{uuid, Long.valueOf(longValue), Task.TaskStatus.INPROGRESS.toCode(), Task.TaskStatus.FAILED.toCode(), identity.getName()});
                return Optional.of("Local identity, Task.status failed, Task.restriction.recipient local organization, process with instantiatesCanonical and message-name allowed for current identity, Task defines needed profile, Task.instantiatesCanonical not modified, Task.requester not modified, Task.restriction not modified, Task.input not modified");
            }
            logger.warn("Update of Task/{}/_history/{} ({} -> {}) unauthorized for local identity '{}', process with instantiatesCanonical, message-name, requester or recipient not allowed", new Object[]{uuid, Long.valueOf(longValue), Task.TaskStatus.INPROGRESS.toCode(), Task.TaskStatus.FAILED.toCode(), identity.getName()});
            return Optional.empty();
        }
        Logger logger2 = logger;
        Object[] objArr = new Object[6];
        objArr[0] = uuid;
        objArr[1] = Long.valueOf(longValue);
        objArr[2] = task.getStatus() != null ? task.getStatus().toCode() : null;
        objArr[3] = task2.getStatus() != null ? task2.getStatus().toCode() : null;
        objArr[4] = identity.getName();
        objArr[5] = Stream.of((Object[]) new Stream[]{Stream.of((Object[]) new Task.TaskStatus[]{Task.TaskStatus.DRAFT, Task.TaskStatus.DRAFT}), Stream.of((Object[]) new Task.TaskStatus[]{Task.TaskStatus.REQUESTED, Task.TaskStatus.INPROGRESS}), Stream.of((Object[]) new Task.TaskStatus[]{Task.TaskStatus.INPROGRESS, Task.TaskStatus.COMPLETED}), Stream.of((Object[]) new Task.TaskStatus[]{Task.TaskStatus.INPROGRESS, Task.TaskStatus.FAILED})}).map(stream -> {
            return (String) stream.map((v0) -> {
                return v0.toCode();
            }).collect(Collectors.joining("->"));
        }).collect(Collectors.joining(", ", "[", "]"));
        logger2.warn("Update of Task/{}/_history/{} ({} -> {}) unauthorized for local identity '{}', old vs. new Task.status not one of {}", objArr);
        return Optional.empty();
    }

    private Optional<String> reasonNotSame(Task task, Task task2) {
        ArrayList arrayList = new ArrayList();
        if (!task.getRequester().equalsDeep(task2.getRequester())) {
            arrayList.add("Task.requester");
        }
        if (!task.getRestriction().equalsDeep(task2.getRestriction())) {
            arrayList.add("Task.restriction");
        }
        if (!task.getInstantiatesCanonical().equals(task2.getInstantiatesCanonical())) {
            arrayList.add("Task.instantiatesCanonical");
        }
        List input = task.getInput();
        List input2 = task2.getInput();
        if (Task.TaskStatus.REQUESTED.equals(task.getStatus()) && !hasBusinessKey(task) && Task.TaskStatus.INPROGRESS.equals(task2.getStatus()) && hasBusinessKey(task2)) {
            input2 = input2.stream().filter(isBusinessKey().negate()).toList();
        }
        if (input.size() != input2.size()) {
            arrayList.add("Task.input");
        } else {
            int i = 0;
            while (true) {
                if (i >= input.size()) {
                    break;
                }
                if (!((Task.ParameterComponent) input.get(i)).equalsDeep((Base) input2.get(i))) {
                    arrayList.add("Task.input[" + i + "]");
                    break;
                }
                i++;
            }
        }
        if (arrayList.isEmpty()) {
            return Optional.empty();
        }
        logger.debug("Old Task: {}", this.fhirContext.newJsonParser().setStripVersionsFromReferences(false).encodeResourceToString(task));
        logger.debug("New Task: {}", this.fhirContext.newJsonParser().setStripVersionsFromReferences(false).encodeResourceToString(task2));
        return Optional.of((String) arrayList.stream().collect(Collectors.joining(", ")));
    }

    private boolean hasBusinessKey(Task task) {
        return task.getInput().stream().anyMatch(isBusinessKey());
    }

    private Predicate<Task.ParameterComponent> isBusinessKey() {
        return parameterComponent -> {
            return parameterComponent.getType().getCoding().stream().anyMatch(coding -> {
                return CODE_SYSTEM_BPMN_MESSAGE.equals(coding.getSystem()) && CODE_SYSTEM_BPMN_MESSAGE_BUSINESS_KEY.equals(coding.getCode());
            });
        };
    }

    @Override // dev.dsf.fhir.authorization.AuthorizationRule
    public Optional<String> reasonDeleteAllowed(Connection connection, Identity identity, Task task) {
        String uuid = this.parameterConverter.toUuid(getResourceTypeName(), task.getIdElement().getIdPart()).toString();
        long longValue = task.getIdElement().getVersionIdPartAsLong().longValue();
        if (!identity.hasDsfRole(FhirServerRole.DELETE)) {
            logger.warn("Delete of Task/{}/_history/{} unauthorized for identity '{}', no role {}", new Object[]{uuid, Long.valueOf(longValue), identity.getName(), FhirServerRole.DELETE});
            return Optional.empty();
        }
        if (!identity.isLocalIdentity() || !(identity instanceof OrganizationIdentity)) {
            logger.warn("Delete of Task/{}/_history/{} unauthorized for non local organization identity '{}'", new Object[]{uuid, Long.valueOf(longValue), identity.getName()});
            return Optional.empty();
        }
        if (Task.TaskStatus.DRAFT.equals(task.getStatus())) {
            logger.info("Delete of Task/{}/_history/{} authorized for local identity '{}', Task.status draft", new Object[]{uuid, Long.valueOf(longValue), identity.getName()});
            return Optional.of("Local identity, Task.status draft");
        }
        logger.warn("Delete of Task/{}/_history/{} unauthorized for local identity '{}', Task.status not draft", new Object[]{uuid, Long.valueOf(longValue), identity.getName()});
        return Optional.empty();
    }
}
