package org.eclipse.edc.identityhub.query;

import java.time.Instant;
import java.util.Collection;
import java.util.HashSet;
import java.util.List;
import java.util.Objects;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.eclipse.edc.iam.identitytrust.spi.model.PresentationQueryMessage;
import org.eclipse.edc.iam.verifiablecredentials.spi.model.RevocationServiceRegistry;
import org.eclipse.edc.iam.verifiablecredentials.spi.model.VerifiableCredential;
import org.eclipse.edc.identityhub.spi.ScopeToCriterionTransformer;
import org.eclipse.edc.identityhub.spi.store.CredentialStore;
import org.eclipse.edc.identityhub.spi.verifiablecredentials.model.VcStatus;
import org.eclipse.edc.identityhub.spi.verifiablecredentials.model.VerifiableCredentialResource;
import org.eclipse.edc.identityhub.spi.verifiablecredentials.resolution.CredentialQueryResolver;
import org.eclipse.edc.identityhub.spi.verifiablecredentials.resolution.QueryResult;
import org.eclipse.edc.spi.monitor.Monitor;
import org.eclipse.edc.spi.query.Criterion;
import org.eclipse.edc.spi.query.QuerySpec;
import org.eclipse.edc.spi.result.Result;

/* loaded from: input_file:org/eclipse/edc/identityhub/query/CredentialQueryResolverImpl.class */
public class CredentialQueryResolverImpl implements CredentialQueryResolver {
    private final CredentialStore credentialStore;
    private final ScopeToCriterionTransformer scopeTransformer;
    private final RevocationServiceRegistry revocationServiceRegistry;
    private final Monitor monitor;

    public CredentialQueryResolverImpl(CredentialStore credentialStore, ScopeToCriterionTransformer scopeToCriterionTransformer, RevocationServiceRegistry revocationServiceRegistry, Monitor monitor) {
        this.credentialStore = credentialStore;
        this.scopeTransformer = scopeToCriterionTransformer;
        this.revocationServiceRegistry = revocationServiceRegistry;
        this.monitor = monitor;
    }

    public QueryResult query(String str, PresentationQueryMessage presentationQueryMessage, List<String> list) {
        Stream stream;
        if (presentationQueryMessage.getPresentationDefinition() != null) {
            throw new UnsupportedOperationException("Querying with a DIF Presentation Exchange definition is not yet supported.");
        }
        List<String> scopes = presentationQueryMessage.getScopes();
        Result<List<Criterion>> parseScopes = parseScopes(list);
        if (parseScopes.failed()) {
            return QueryResult.invalidScope(parseScopes.getFailureMessages());
        }
        List<Criterion> list2 = (List) parseScopes.getContent();
        if (list2.isEmpty()) {
            if (scopes.isEmpty()) {
                return QueryResult.success(Stream.empty());
            }
            String formatted = "Permission was not granted on any credentials (empty access token scope list), but %d were requested.".formatted(Integer.valueOf(scopes.size()));
            this.monitor.warning(formatted, new Throwable[0]);
            QueryResult.unauthorized(formatted.formatted(Integer.valueOf(scopes.size())));
        }
        Result<Collection<VerifiableCredentialResource>> queryCredentials = queryCredentials(list2, str);
        if (queryCredentials.failed()) {
            return QueryResult.storageFailure(queryCredentials.getFailureMessages());
        }
        Collection collection = (Collection) queryCredentials.getContent();
        if (scopes.isEmpty()) {
            stream = collection.stream();
        } else {
            Result<List<Criterion>> parseScopes2 = parseScopes(scopes);
            if (parseScopes2.failed()) {
                return QueryResult.invalidScope(parseScopes2.getFailureMessages());
            }
            Result<Collection<VerifiableCredentialResource>> queryCredentials2 = queryCredentials((List) parseScopes2.getContent(), str);
            if (queryCredentials2.failed()) {
                return QueryResult.storageFailure(queryCredentials2.getFailureMessages());
            }
            Collection collection2 = (Collection) queryCredentials2.getContent();
            if (!new HashSet(collection.stream().map((v0) -> {
                return v0.getId();
            }).toList()).containsAll(collection2.stream().map((v0) -> {
                return v0.getId();
            }).toList())) {
                return QueryResult.unauthorized("Invalid query: requested Credentials outside of scope.");
            }
            stream = collection2.stream();
        }
        return QueryResult.success(stream.filter(this::filterInvalidCredentials).map((v0) -> {
            return v0.getVerifiableCredential();
        }));
    }

    private boolean filterInvalidCredentials(VerifiableCredentialResource verifiableCredentialResource) {
        Instant now = Instant.now();
        VerifiableCredential credential = verifiableCredentialResource.getVerifiableCredential().credential();
        if (credential.getIssuanceDate().isAfter(now)) {
            this.monitor.warning("Credential '%s' is not yet valid.".formatted(credential.getId()), new Throwable[0]);
            return false;
        }
        if (credential.getExpirationDate() != null && credential.getExpirationDate().isBefore(now)) {
            this.monitor.warning("Credential '%s' is expired.".formatted(credential.getId()), new Throwable[0]);
            return false;
        }
        List credentialStatus = credential.getCredentialStatus();
        Result success = (credentialStatus == null || credentialStatus.isEmpty()) ? Result.success() : this.revocationServiceRegistry.checkValidity(credential);
        if (!success.failed()) {
            return true;
        }
        this.monitor.warning("Credential '%s' not valid: %s".formatted(credential.getId(), success.getFailureDetail()), new Throwable[0]);
        return false;
    }

    private Result<List<Criterion>> parseScopes(List<String> list) {
        Stream<String> stream = list.stream();
        ScopeToCriterionTransformer scopeToCriterionTransformer = this.scopeTransformer;
        Objects.requireNonNull(scopeToCriterionTransformer);
        List list2 = stream.map(scopeToCriterionTransformer::transform).toList();
        return list2.stream().anyMatch((v0) -> {
            return v0.failed();
        }) ? Result.failure(list2.stream().flatMap(result -> {
            return result.getFailureMessages().stream();
        }).toList()) : Result.success(list2.stream().map((v0) -> {
            return v0.getContent();
        }).toList());
    }

    private Result<Collection<VerifiableCredentialResource>> queryCredentials(List<Criterion> list, String str) {
        Stream<R> map = list.stream().map(criterion -> {
            return convertToQuerySpec(criterion, str);
        });
        CredentialStore credentialStore = this.credentialStore;
        Objects.requireNonNull(credentialStore);
        List list2 = map.map(credentialStore::query).toList();
        return list2.stream().anyMatch((v0) -> {
            return v0.failed();
        }) ? Result.failure(list2.stream().flatMap(storeResult -> {
            return storeResult.getFailureMessages().stream();
        }).toList()) : Result.success((Collection) list2.stream().flatMap(storeResult2 -> {
            return ((Collection) storeResult2.getContent()).stream();
        }).collect(Collectors.toList()));
    }

    private QuerySpec convertToQuerySpec(Criterion criterion, String str) {
        return QuerySpec.Builder.newInstance().filter(List.of(criterion, new Criterion("participantId", "=", str), new Criterion("state", "!=", Integer.valueOf(VcStatus.REVOKED.code())), new Criterion("state", "!=", Integer.valueOf(VcStatus.EXPIRED.code())))).build();
    }
}
