package org.trellisldp.http;

import java.io.IOException;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import javax.annotation.Priority;
import javax.ws.rs.ForbiddenException;
import javax.ws.rs.NotAllowedException;
import javax.ws.rs.NotAuthorizedException;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.ContainerResponseContext;
import javax.ws.rs.container.ContainerResponseFilter;
import javax.ws.rs.container.PreMatching;
import javax.ws.rs.core.Link;
import javax.ws.rs.core.Response;
import org.apache.commons.rdf.api.IRI;
import org.apache.commons.rdf.api.RDF;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.trellisldp.api.AccessControlService;
import org.trellisldp.api.RDFUtils;
import org.trellisldp.api.Session;
import org.trellisldp.http.domain.HttpConstants;
import org.trellisldp.http.impl.HttpSession;
import org.trellisldp.vocabulary.ACL;
import org.trellisldp.vocabulary.Trellis;

@Priority(1900)
@PreMatching
/* loaded from: input_file:org/trellisldp/http/WebAcFilter.class */
public class WebAcFilter implements ContainerRequestFilter, ContainerResponseFilter {
    private final AccessControlService accessService;
    private final Map<String, String> partitions;
    private final List<String> challenges;
    private static final RDF rdf = RDFUtils.getInstance();
    private static final Logger LOGGER = LoggerFactory.getLogger(WebAcFilter.class);
    private static final Set<String> readable = new HashSet(Arrays.asList("GET", "HEAD", "OPTIONS"));
    private static final Set<String> writable = new HashSet(Arrays.asList("PUT", HttpConstants.PATCH, "DELETE"));
    private static final Set<String> appendable = new HashSet(Arrays.asList("POST"));

    public WebAcFilter(Map<String, String> map, List<String> list, AccessControlService accessControlService) {
        this.accessService = accessControlService;
        this.partitions = map;
        this.challenges = list.isEmpty() ? Collections.singletonList("BASIC") : list;
    }

    public void filter(ContainerRequestContext containerRequestContext) throws IOException {
        Session httpSession;
        String path = containerRequestContext.getUriInfo().getPath();
        Object property = containerRequestContext.getProperty(HttpConstants.SESSION_PROPERTY);
        if (Objects.nonNull(property)) {
            httpSession = (Session) property;
        } else {
            httpSession = new HttpSession();
            containerRequestContext.setProperty(HttpConstants.SESSION_PROPERTY, httpSession);
        }
        String method = containerRequestContext.getMethod();
        if (this.partitions.containsKey(path.split("/")[0])) {
            Set<IRI> accessModes = this.accessService.getAccessModes(rdf.createIRI("trellis:" + path), httpSession);
            if (((List) containerRequestContext.getUriInfo().getQueryParameters().getOrDefault("ext", Collections.emptyList())).contains(HttpConstants.ACL)) {
                verifyCanControl(accessModes, httpSession, path);
                return;
            }
            if (readable.contains(method)) {
                verifyCanRead(accessModes, httpSession, path);
            } else if (writable.contains(method)) {
                verifyCanWrite(accessModes, httpSession, path);
            } else {
                if (!appendable.contains(method)) {
                    throw new NotAllowedException(Response.status(Response.Status.METHOD_NOT_ALLOWED).build());
                }
                verifyCanAppend(accessModes, httpSession, path);
            }
        }
    }

    public void filter(ContainerRequestContext containerRequestContext, ContainerResponseContext containerResponseContext) throws IOException {
        if (containerRequestContext.getUriInfo().getQueryParameters().containsKey("ext") && ((List) containerRequestContext.getUriInfo().getQueryParameters().get("ext")).contains(HttpConstants.ACL)) {
            return;
        }
        containerResponseContext.getHeaders().add("Link", Link.fromUri(containerRequestContext.getUriInfo().getAbsolutePathBuilder().queryParam("ext", new Object[]{HttpConstants.ACL}).build(new Object[0])).rel(HttpConstants.ACL).build(new Object[0]));
    }

    private void verifyCanAppend(Set<IRI> set, Session session, String str) {
        if (set.contains(ACL.Append) || set.contains(ACL.Write)) {
            return;
        }
        LOGGER.warn("User: {} cannot Append to {}", session.getAgent(), str);
        if (!Trellis.AnonymousUser.equals(session.getAgent())) {
            throw new ForbiddenException();
        }
        throw new NotAuthorizedException(this.challenges.get(0), this.challenges.subList(1, this.challenges.size()).toArray());
    }

    private void verifyCanControl(Set<IRI> set, Session session, String str) {
        if (set.contains(ACL.Control)) {
            return;
        }
        LOGGER.warn("User: {} cannot Control {}", session.getAgent(), str);
        if (!Trellis.AnonymousUser.equals(session.getAgent())) {
            throw new ForbiddenException();
        }
        throw new NotAuthorizedException(this.challenges.get(0), this.challenges.subList(1, this.challenges.size()).toArray());
    }

    private void verifyCanWrite(Set<IRI> set, Session session, String str) {
        if (set.contains(ACL.Write)) {
            return;
        }
        LOGGER.warn("User: {} cannot Write to {}", session.getAgent(), str);
        if (!Trellis.AnonymousUser.equals(session.getAgent())) {
            throw new ForbiddenException();
        }
        throw new NotAuthorizedException(this.challenges.get(0), this.challenges.subList(1, this.challenges.size()).toArray());
    }

    private void verifyCanRead(Set<IRI> set, Session session, String str) {
        if (set.contains(ACL.Read)) {
            return;
        }
        LOGGER.warn("User: {} cannot Read from {}", session.getAgent(), str);
        if (!Trellis.AnonymousUser.equals(session.getAgent())) {
            throw new ForbiddenException();
        }
        throw new NotAuthorizedException(this.challenges.get(0), this.challenges.subList(1, this.challenges.size()).toArray());
    }
}
