package org.trellisldp.http;

import java.io.IOException;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Objects;
import java.util.Set;
import java.util.stream.Collectors;
import javax.annotation.Priority;
import javax.inject.Inject;
import javax.ws.rs.ForbiddenException;
import javax.ws.rs.NotAllowedException;
import javax.ws.rs.NotAuthorizedException;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.ContainerResponseContext;
import javax.ws.rs.container.ContainerResponseFilter;
import javax.ws.rs.core.Link;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriBuilder;
import javax.ws.rs.ext.Provider;
import org.apache.commons.rdf.api.IRI;
import org.apache.commons.rdf.api.RDF;
import org.apache.tamaya.Configuration;
import org.apache.tamaya.ConfigurationProvider;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.trellisldp.api.AccessControlService;
import org.trellisldp.api.Session;
import org.trellisldp.api.TrellisUtils;
import org.trellisldp.http.core.HttpConstants;
import org.trellisldp.http.impl.HttpSession;
import org.trellisldp.vocabulary.ACL;
import org.trellisldp.vocabulary.Trellis;

@Provider
@Priority(2000)
/* loaded from: input_file:org/trellisldp/http/WebAcFilter.class */
public class WebAcFilter implements ContainerRequestFilter, ContainerResponseFilter {
    public static final String CONFIG_AUTH_CHALLENGES = "trellis.auth.challenges";
    public static final String CONFIG_AUTH_REALM = "trellis.auth.realm";
    private static final Logger LOGGER = LoggerFactory.getLogger(WebAcFilter.class);
    private static final RDF rdf = TrellisUtils.getInstance();
    private static final Set<String> readable = new HashSet(Arrays.asList("GET", "HEAD", "OPTIONS"));
    private static final Set<String> writable = new HashSet(Arrays.asList("PUT", HttpConstants.PATCH, "DELETE"));
    private static final Set<String> appendable = new HashSet(Arrays.asList("POST"));
    private final AccessControlService accessService;
    private final List<String> challenges;
    private final String baseUrl;

    @Inject
    public WebAcFilter(AccessControlService accessControlService) {
        this(accessControlService, ConfigurationProvider.getConfiguration());
    }

    private WebAcFilter(AccessControlService accessControlService, Configuration configuration) {
        this(accessControlService, Arrays.asList(configuration.getOrDefault(CONFIG_AUTH_CHALLENGES, "").split(",")), configuration.getOrDefault(CONFIG_AUTH_REALM, "trellis"), configuration.get(HttpConstants.CONFIG_HTTP_BASE_URL));
    }

    @Deprecated
    public WebAcFilter(AccessControlService accessControlService, List<String> list, String str) {
        this(accessControlService, list, str, ConfigurationProvider.getConfiguration().get(HttpConstants.CONFIG_HTTP_BASE_URL));
    }

    public WebAcFilter(AccessControlService accessControlService, List<String> list, String str, String str2) {
        Objects.requireNonNull(list, "Challenges may not be null!");
        Objects.requireNonNull(str, "Realm may not be null!");
        this.accessService = (AccessControlService) Objects.requireNonNull(accessControlService, "Access Control service may not be null!");
        this.challenges = (List) list.stream().map((v0) -> {
            return v0.trim();
        }).map(str3 -> {
            return str3 + " realm=\"" + str + "\"";
        }).collect(Collectors.toList());
        this.baseUrl = str2;
    }

    public void filter(ContainerRequestContext containerRequestContext) throws IOException {
        Session httpSession;
        String path = containerRequestContext.getUriInfo().getPath();
        Object property = containerRequestContext.getProperty(HttpConstants.SESSION_PROPERTY);
        if (Objects.nonNull(property)) {
            httpSession = (Session) property;
        } else {
            httpSession = new HttpSession();
            containerRequestContext.setProperty(HttpConstants.SESSION_PROPERTY, httpSession);
        }
        String method = containerRequestContext.getMethod();
        Set<IRI> accessModes = this.accessService.getAccessModes(rdf.createIRI("trellis:data/" + path), httpSession);
        if (((List) containerRequestContext.getUriInfo().getQueryParameters().getOrDefault(HttpConstants.EXT, Collections.emptyList())).contains(HttpConstants.ACL)) {
            verifyCanControl(accessModes, httpSession, path);
            return;
        }
        if (readable.contains(method)) {
            verifyCanRead(accessModes, httpSession, path);
        } else if (writable.contains(method)) {
            verifyCanWrite(accessModes, httpSession, path);
        } else {
            if (!appendable.contains(method)) {
                throw new NotAllowedException(Response.status(Response.Status.METHOD_NOT_ALLOWED).build());
            }
            verifyCanAppend(accessModes, httpSession, path);
        }
    }

    public void filter(ContainerRequestContext containerRequestContext, ContainerResponseContext containerResponseContext) throws IOException {
        if (Response.Status.Family.SUCCESSFUL.equals(containerResponseContext.getStatusInfo().getFamily())) {
            if (containerRequestContext.getUriInfo().getQueryParameters().containsKey(HttpConstants.EXT) && ((List) containerRequestContext.getUriInfo().getQueryParameters().get(HttpConstants.EXT)).contains(HttpConstants.ACL)) {
                return;
            }
            containerResponseContext.getHeaders().add("Link", Link.fromUri(getRequestUri(containerRequestContext).queryParam(HttpConstants.EXT, new Object[]{HttpConstants.ACL}).build(new Object[0])).rel(HttpConstants.ACL).build(new Object[0]));
        }
    }

    private UriBuilder getRequestUri(ContainerRequestContext containerRequestContext) {
        return Objects.nonNull(this.baseUrl) ? UriBuilder.fromUri(this.baseUrl).path(containerRequestContext.getUriInfo().getPath()) : containerRequestContext.getUriInfo().getAbsolutePathBuilder();
    }

    private void verifyCanAppend(Set<IRI> set, Session session, String str) {
        if (set.contains(ACL.Append) || set.contains(ACL.Write)) {
            LOGGER.debug("User: {} can append to {}", session.getAgent(), str);
            return;
        }
        LOGGER.warn("User: {} cannot Append to {}", session.getAgent(), str);
        if (!Trellis.AnonymousAgent.equals(session.getAgent())) {
            throw new ForbiddenException();
        }
        throw new NotAuthorizedException(this.challenges.get(0), this.challenges.subList(1, this.challenges.size()).toArray());
    }

    private void verifyCanControl(Set<IRI> set, Session session, String str) {
        if (set.contains(ACL.Control)) {
            LOGGER.debug("User: {} can control {}", session.getAgent(), str);
            return;
        }
        LOGGER.warn("User: {} cannot Control {}", session.getAgent(), str);
        if (!Trellis.AnonymousAgent.equals(session.getAgent())) {
            throw new ForbiddenException();
        }
        throw new NotAuthorizedException(this.challenges.get(0), this.challenges.subList(1, this.challenges.size()).toArray());
    }

    private void verifyCanWrite(Set<IRI> set, Session session, String str) {
        if (set.contains(ACL.Write)) {
            LOGGER.debug("User: {} can write to {}", session.getAgent(), str);
            return;
        }
        LOGGER.warn("User: {} cannot Write to {}", session.getAgent(), str);
        if (!Trellis.AnonymousAgent.equals(session.getAgent())) {
            throw new ForbiddenException();
        }
        throw new NotAuthorizedException(this.challenges.get(0), this.challenges.subList(1, this.challenges.size()).toArray());
    }

    private void verifyCanRead(Set<IRI> set, Session session, String str) {
        if (set.contains(ACL.Read)) {
            LOGGER.debug("User: {} can read {}", session.getAgent(), str);
            return;
        }
        LOGGER.warn("User: {} cannot Read from {}", session.getAgent(), str);
        if (!Trellis.AnonymousAgent.equals(session.getAgent())) {
            throw new ForbiddenException();
        }
        throw new NotAuthorizedException(this.challenges.get(0), this.challenges.subList(1, this.challenges.size()).toArray());
    }
}
