package dev.dsf.fhir.dao.command;

import dev.dsf.common.auth.conf.Identity;
import dev.dsf.fhir.authorization.AuthorizationRule;
import dev.dsf.fhir.authorization.AuthorizationRuleProvider;
import dev.dsf.fhir.help.ResponseGenerator;
import jakarta.ws.rs.WebApplicationException;
import java.sql.Connection;
import java.util.List;
import java.util.Optional;
import java.util.stream.Collectors;
import org.hl7.fhir.r4.model.Bundle;
import org.hl7.fhir.r4.model.Resource;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:dev/dsf/fhir/dao/command/AuthorizationHelperImpl.class */
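/**
 * Per-entry authorization checks for operations that arrive via a bundle.
 *
 * <p>Every check looks up the {@link AuthorizationRule} registered for the resource type and asks it
 * for a reason why the operation is allowed. The decision is default-deny: if no rule is registered
 * for the type, or the rule returns no reason, the operation is logged as denied and a
 * {@link WebApplicationException} built from {@link ResponseGenerator#forbiddenNotAllowed} is thrown.
 *
 * <p>Allow and deny decisions of the {@code check*} methods are written to the
 * {@code dsf-audit-logger} logger. Decisions made while filtering search includes are only written
 * to this class's own logger at debug level.
 *
 * <p>NOTE(review): the identity name and the rule-supplied reason are interpolated into audit
 * messages as-is. Confirm that the audit appender/layout neutralises line breaks so that a crafted
 * identity name cannot forge additional audit entries.
 */
public class AuthorizationHelperImpl implements AuthorizationHelper {
    private static final Logger logger = LoggerFactory.getLogger(AuthorizationHelperImpl.class);
    private static final Logger audit = LoggerFactory.getLogger("dsf-audit-logger");
    private final AuthorizationRuleProvider authorizationRuleProvider;
    private final ResponseGenerator responseGenerator;

    /**
     * @param authorizationRuleProvider source of the per-resource-type authorization rules
     * @param responseGenerator builds the response carried by the exception thrown on denial
     */
    public AuthorizationHelperImpl(AuthorizationRuleProvider authorizationRuleProvider, ResponseGenerator responseGenerator) {
        this.authorizationRuleProvider = authorizationRuleProvider;
        this.responseGenerator = responseGenerator;
    }

    /**
     * Looks up the rule for a resource class.
     *
     * <p>The provider's declared element type is not visible in this file; the identity mapping in
     * the decompiled form is presumed to have been this unchecked narrowing cast (confirm against
     * {@link AuthorizationRuleProvider}). The cast is erased at runtime.
     *
     * @return the rule, or an empty Optional when none is registered (callers treat that as deny)
     */
    @SuppressWarnings("unchecked")
    private Optional<AuthorizationRule<Resource>> getAuthorizationRule(Class<?> cls) {
        return this.authorizationRuleProvider.getAuthorizationRule(cls)
                .map(rule -> (AuthorizationRule<Resource>) rule);
    }

    /**
     * Looks up the rule by resource type name; same contract as the class-based overload.
     */
    @SuppressWarnings("unchecked")
    private Optional<AuthorizationRule<Resource>> getAuthorizationRule(String str) {
        return this.authorizationRuleProvider.getAuthorizationRule(str)
                .map(rule -> (AuthorizationRule<Resource>) rule);
    }

    /**
     * Builds (does not throw) the exception used to reject an operation.
     *
     * @param str operation name passed on to the response generator, e.g. {@code "create"}
     */
    private WebApplicationException forbidden(String str, Identity identity) {
        return new WebApplicationException(this.responseGenerator.forbiddenNotAllowed(str, identity));
    }

    /**
     * Verifies that {@code identity} may create {@code resource}.
     *
     * @param i index of the entry inside the bundle, used for logging only
     * @throws WebApplicationException if no rule exists for the resource type or the rule gives no
     *         reason to allow the create
     */
    @Override
    public void checkCreateAllowed(int i, Connection connection, Identity identity, Resource resource) throws WebApplicationException {
        String resourceTypeName = getResourceTypeName(resource);
        getAuthorizationRule(resource.getClass())
                .flatMap(rule -> rule.reasonCreateAllowed(connection, identity, resource))
                .ifPresentOrElse(
                        reason -> audit.info("Create of {} allowed for identity '{}' via bundle at index {}, reason: {}",
                                resourceTypeName, identity.getName(), i, reason),
                        () -> {
                            // Audit the denial before rejecting so the decision is recorded either way.
                            audit.info("Create of {} denied for identity '{}' via bundle at index {}",
                                    resourceTypeName, identity.getName(), i);
                            throw forbidden("create", identity);
                        });
    }

    private String getResourceTypeName(Resource resource) {
        return resource.getResourceType().name();
    }

    /**
     * Verifies that {@code identity} may read {@code resource}.
     *
     * @param i index of the entry inside the bundle, used for logging only
     * @throws WebApplicationException if no rule exists for the resource type or the rule gives no
     *         reason to allow the read
     */
    @Override
    public void checkReadAllowed(int i, Connection connection, Identity identity, Resource resource) throws WebApplicationException {
        String resourceTypeName = getResourceTypeName(resource);
        String idPart = resource.getIdElement().getIdPart();
        // NOTE(review): unboxing here would raise a NullPointerException for an id without a version
        // part, i.e. the request fails before any rule is consulted rather than being allowed.
        long version = resource.getIdElement().getVersionIdPartAsLong();
        getAuthorizationRule(resource.getClass())
                .flatMap(rule -> rule.reasonReadAllowed(connection, identity, resource))
                .ifPresentOrElse(
                        reason -> audit.info("Read of {}/{}/_history/{} allowed for identity '{}' via bundle at index {}, reason: {}",
                                resourceTypeName, idPart, version, identity.getName(), i, reason),
                        () -> {
                            audit.info("Read of {}/{}/_history/{} denied for identity '{}' via bundle at index {}",
                                    resourceTypeName, idPart, version, identity.getName(), i);
                            throw forbidden("read", identity);
                        });
    }

    /**
     * Verifies that {@code identity} may update {@code resource} to {@code resource2}.
     *
     * <p>Type name, id and version used for rule lookup and logging are taken from {@code resource},
     * the first of the two resources handed to the rule.
     *
     * @param i index of the entry inside the bundle, used for logging only
     * @throws WebApplicationException if no rule exists for the resource type or the rule gives no
     *         reason to allow the update
     */
    @Override
    public void checkUpdateAllowed(int i, Connection connection, Identity identity, Resource resource, Resource resource2) throws WebApplicationException {
        String resourceTypeName = getResourceTypeName(resource);
        String idPart = resource.getIdElement().getIdPart();
        // NOTE(review): throws NullPointerException when the id has no version part (fails closed).
        long version = resource.getIdElement().getVersionIdPartAsLong();
        getAuthorizationRule(resource.getClass())
                .flatMap(rule -> rule.reasonUpdateAllowed(connection, identity, resource, resource2))
                .ifPresentOrElse(
                        reason -> audit.info("Update of {}/{}/_history/{} allowed for identity '{}' via bundle at index {}, reason: {}",
                                resourceTypeName, idPart, version, identity.getName(), i, reason),
                        () -> {
                            audit.info("Update of {}/{}/_history/{} denied for identity '{}' via bundle at index {}",
                                    resourceTypeName, idPart, version, identity.getName(), i);
                            throw forbidden("update", identity);
                        });
    }

    /**
     * Verifies that {@code identity} may delete {@code resource}.
     *
     * @param i index of the entry inside the bundle, used for logging only
     * @throws WebApplicationException if no rule exists for the resource type or the rule gives no
     *         reason to allow the delete
     */
    @Override
    public void checkDeleteAllowed(int i, Connection connection, Identity identity, Resource resource) throws WebApplicationException {
        String resourceTypeName = getResourceTypeName(resource);
        String idPart = resource.getIdElement().getIdPart();
        // NOTE(review): throws NullPointerException when the id has no version part (fails closed).
        long version = resource.getIdElement().getVersionIdPartAsLong();
        getAuthorizationRule(resource.getClass())
                .flatMap(rule -> rule.reasonDeleteAllowed(connection, identity, resource))
                .ifPresentOrElse(
                        reason -> audit.info("Delete of {}/{}/_history/{} allowed for identity '{}' via bundle at index {}, reason: {}",
                                resourceTypeName, idPart, version, identity.getName(), i, reason),
                        () -> {
                            audit.info("Delete of {}/{}/_history/{} denied for identity '{}' via bundle at index {}",
                                    resourceTypeName, idPart, version, identity.getName(), i);
                            throw forbidden("delete", identity);
                        });
    }

    /**
     * Verifies that {@code identity} may search resources of the type named {@code str}.
     *
     * @param i index of the entry inside the bundle, used for logging only
     * @param str resource type name used for the rule lookup; it is also written to the audit log
     * @throws WebApplicationException if no rule exists for the type name or the rule gives no
     *         reason to allow the search
     */
    @Override
    public void checkSearchAllowed(int i, Identity identity, String str) throws WebApplicationException {
        getAuthorizationRule(str)
                .flatMap(rule -> rule.reasonSearchAllowed(identity))
                .ifPresentOrElse(
                        reason -> audit.info("Search of {} allowed for identity '{}' via bundle at index {}, reason: {}",
                                str, identity.getName(), i, reason),
                        () -> {
                            audit.info("Search of {} denied for identity '{}' via bundle at index {}",
                                    str, identity.getName(), i);
                            throw forbidden("search", identity);
                        });
    }

    /**
     * Replaces the bundle's entry list with the entries the identity may see.
     *
     * <p>Entries with search mode {@code MATCH} are kept without a per-resource check here
     * (presumably the search itself was authorized by the caller; confirm). Entries with mode
     * {@code INCLUDE} are kept only if the read rule for the included resource allows it. Entries
     * with any other or no search mode are dropped.
     *
     * @param i index of the entry inside the bundle, used for logging only
     * @param connection not used by this method; the include check calls the rule overload that
     *        takes no connection
     */
    @Override
    public void filterIncludeResults(int i, Connection connection, Identity identity, Bundle bundle) {
        // Collectors.toList() is kept so the bundle receives a mutable list, as before.
        List<Bundle.BundleEntryComponent> visibleEntries = bundle.getEntry().stream()
                .filter(entry -> Bundle.SearchEntryMode.MATCH.equals(entry.getSearch().getMode())
                        || (Bundle.SearchEntryMode.INCLUDE.equals(entry.getSearch().getMode())
                                && filterIncludeResource(i, identity, entry.getResource())))
                .collect(Collectors.toList());
        bundle.setEntry(visibleEntries);
    }

    /**
     * Decides whether an included resource may stay in a search result.
     *
     * <p>NOTE(review): unlike the {@code check*} methods, the outcome is logged at debug level on
     * the class logger and not on the audit logger, so silently removed includes leave no audit
     * trail. Confirm this is intended.
     *
     * @return {@code true} if a rule exists for the resource type and gives a reason to allow the
     *         read, {@code false} otherwise
     */
    private boolean filterIncludeResource(int i, Identity identity, Resource resource) {
        String resourceTypeName = getResourceTypeName(resource);
        String idPart = resource.getIdElement().getIdPart();
        // NOTE(review): throws NullPointerException when the id has no version part.
        long version = resource.getIdElement().getVersionIdPartAsLong();
        return getAuthorizationRule(resource.getClass())
                .flatMap(rule -> rule.reasonReadAllowed(identity, resource))
                .map(reason -> {
                    logger.debug("Inclusion of {}/{}/_history/{} allowed for identity '{}' via bundle at index {}: {}",
                            resourceTypeName, idPart, version, identity.getName(), i, reason);
                    return true;
                })
                .orElseGet(() -> {
                    // The closing quote after the identity placeholder was missing in this message.
                    logger.debug("Inclusion of {}/{}/_history/{} denied for identity '{}' via bundle at index {}: read not allowed",
                            resourceTypeName, idPart, version, identity.getName(), i);
                    return false;
                });
    }
}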
