package org.trellisldp.webac;

import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Objects;
import java.util.Set;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import javax.annotation.Priority;
import javax.inject.Inject;
import javax.ws.rs.ForbiddenException;
import javax.ws.rs.NotAuthorizedException;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.ContainerResponseContext;
import javax.ws.rs.container.ContainerResponseFilter;
import javax.ws.rs.core.Link;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriBuilder;
import javax.ws.rs.ext.Provider;
import org.apache.commons.rdf.api.IRI;
import org.eclipse.microprofile.config.Config;
import org.eclipse.microprofile.config.ConfigProvider;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.trellisldp.api.Session;
import org.trellisldp.api.TrellisUtils;
import org.trellisldp.http.core.HttpSession;
import org.trellisldp.http.core.Prefer;
import org.trellisldp.vocabulary.ACL;
import org.trellisldp.vocabulary.Trellis;

@Provider
@Priority(2000)
/* loaded from: input_file:org/trellisldp/webac/WebAcFilter.class */
public class WebAcFilter implements ContainerRequestFilter, ContainerResponseFilter {
    public static final String CONFIG_WEBAC_CHALLENGES = "trellis.webac.challenges";
    public static final String CONFIG_WEBAC_READABLE_METHODS = "trellis.webac.readable-methods";
    public static final String CONFIG_WEBAC_WRITABLE_METHODS = "trellis.webac.writable-methods";
    public static final String CONFIG_WEBAC_APPENDABLE_METHODS = "trellis.webac.appendable-methods";
    public static final String CONFIG_WEBAC_REALM = "trellis.webac.realm";
    public static final String CONFIG_WEBAC_SCOPE = "trellis.webac.scope";
    private static final Logger LOGGER = LoggerFactory.getLogger(WebAcFilter.class);
    private static final Set<String> readable = new HashSet(Arrays.asList("GET", "HEAD", "OPTIONS"));
    private static final Set<String> writable = new HashSet(Arrays.asList("PUT", "PATCH", "DELETE"));
    private static final Set<String> appendable = new HashSet(Collections.singletonList("POST"));
    protected final WebAcService accessService;
    private final List<String> challenges;
    private final String baseUrl;

    public WebAcFilter() {
        this(null);
    }

    @Inject
    public WebAcFilter(WebAcService webAcService) {
        this(webAcService, ConfigProvider.getConfig());
    }

    private WebAcFilter(WebAcService webAcService, Config config) {
        this(webAcService, Arrays.asList(((String) config.getOptionalValue(CONFIG_WEBAC_CHALLENGES, String.class).orElse("")).split(",")), (String) config.getOptionalValue(CONFIG_WEBAC_REALM, String.class).orElse("trellis"), (String) config.getOptionalValue(CONFIG_WEBAC_SCOPE, String.class).orElse(""), (String) config.getOptionalValue("trellis.http.base-url", String.class).orElse(null));
    }

    public WebAcFilter(WebAcService webAcService, List<String> list, String str, String str2, String str3) {
        Objects.requireNonNull(list, "Challenges may not be null!");
        Objects.requireNonNull(str, "Realm may not be null!");
        Objects.requireNonNull(str2, "Scope may not be null!");
        String str4 = " realm=\"" + str + "\"";
        String str5 = str2.isEmpty() ? "" : " scope=\"" + str2 + "\"";
        this.accessService = webAcService;
        this.challenges = (List) list.stream().map((v0) -> {
            return v0.trim();
        }).map(str6 -> {
            return str6 + str4 + str5;
        }).collect(Collectors.toList());
        this.baseUrl = str3;
        Config config = ConfigProvider.getConfig();
        config.getOptionalValue(CONFIG_WEBAC_READABLE_METHODS, String.class).ifPresent(str7 -> {
            Stream map = Arrays.stream(str7.split(",")).map((v0) -> {
                return v0.trim();
            }).map((v0) -> {
                return v0.toUpperCase();
            });
            Set<String> set = readable;
            set.getClass();
            map.forEach((v1) -> {
                r1.add(v1);
            });
        });
        config.getOptionalValue(CONFIG_WEBAC_WRITABLE_METHODS, String.class).ifPresent(str8 -> {
            Stream map = Arrays.stream(str8.split(",")).map((v0) -> {
                return v0.trim();
            }).map((v0) -> {
                return v0.toUpperCase();
            });
            Set<String> set = writable;
            set.getClass();
            map.forEach((v1) -> {
                r1.add(v1);
            });
        });
        config.getOptionalValue(CONFIG_WEBAC_APPENDABLE_METHODS, String.class).ifPresent(str9 -> {
            Stream map = Arrays.stream(str9.split(",")).map((v0) -> {
                return v0.trim();
            }).map((v0) -> {
                return v0.toUpperCase();
            });
            Set<String> set = appendable;
            set.getClass();
            map.forEach((v1) -> {
                r1.add(v1);
            });
        });
    }

    public void filter(ContainerRequestContext containerRequestContext) {
        String path = containerRequestContext.getUriInfo().getPath();
        Session from = HttpSession.from(containerRequestContext.getSecurityContext());
        String method = containerRequestContext.getMethod();
        Set<IRI> accessModes = this.accessService.getAccessModes(TrellisUtils.buildTrellisIdentifier(path), from);
        if (((List) containerRequestContext.getUriInfo().getQueryParameters().getOrDefault("ext", Collections.emptyList())).contains("acl") || reqAudit(containerRequestContext)) {
            verifyCanControl(accessModes, from, path);
            return;
        }
        if (readable.contains(method)) {
            verifyCanRead(accessModes, from, path);
        } else if (writable.contains(method)) {
            verifyCanWrite(accessModes, from, path);
        } else if (appendable.contains(method)) {
            verifyCanAppend(accessModes, from, path);
        }
    }

    public void filter(ContainerRequestContext containerRequestContext, ContainerResponseContext containerResponseContext) {
        if (!Response.Status.Family.SUCCESSFUL.equals(containerResponseContext.getStatusInfo().getFamily()) || "DELETE".equals(containerRequestContext.getMethod()) || ((List) containerRequestContext.getUriInfo().getQueryParameters().getOrDefault("ext", Collections.emptyList())).contains("acl")) {
            return;
        }
        containerResponseContext.getHeaders().add("Link", Link.fromUri(getRequestUri(containerRequestContext).queryParam("ext", new Object[]{"acl"}).build(new Object[0])).rel("acl").build(new Object[0]));
    }

    private boolean reqAudit(ContainerRequestContext containerRequestContext) {
        Prefer valueOf = Prefer.valueOf(containerRequestContext.getHeaderString("Prefer"));
        if (valueOf != null) {
            return valueOf.getInclude().contains(Trellis.PreferAudit.getIRIString());
        }
        return false;
    }

    private UriBuilder getRequestUri(ContainerRequestContext containerRequestContext) {
        return this.baseUrl != null ? UriBuilder.fromUri(this.baseUrl).path(containerRequestContext.getUriInfo().getPath()) : containerRequestContext.getUriInfo().getAbsolutePathBuilder();
    }

    protected void verifyCanAppend(Set<IRI> set, Session session, String str) {
        if (set.contains(ACL.Append) || set.contains(ACL.Write)) {
            LOGGER.debug("User: {} can append to {}", session.getAgent(), str);
            return;
        }
        LOGGER.warn("User: {} cannot Append to {}", session.getAgent(), str);
        if (!Trellis.AnonymousAgent.equals(session.getAgent())) {
            throw new ForbiddenException();
        }
        throw new NotAuthorizedException(this.challenges.get(0), this.challenges.subList(1, this.challenges.size()).toArray());
    }

    protected void verifyCanControl(Set<IRI> set, Session session, String str) {
        if (set.contains(ACL.Control)) {
            LOGGER.debug("User: {} can control {}", session.getAgent(), str);
            return;
        }
        LOGGER.warn("User: {} cannot Control {}", session.getAgent(), str);
        if (!Trellis.AnonymousAgent.equals(session.getAgent())) {
            throw new ForbiddenException();
        }
        throw new NotAuthorizedException(this.challenges.get(0), this.challenges.subList(1, this.challenges.size()).toArray());
    }

    protected void verifyCanWrite(Set<IRI> set, Session session, String str) {
        if (set.contains(ACL.Write)) {
            LOGGER.debug("User: {} can write to {}", session.getAgent(), str);
            return;
        }
        LOGGER.warn("User: {} cannot Write to {}", session.getAgent(), str);
        if (!Trellis.AnonymousAgent.equals(session.getAgent())) {
            throw new ForbiddenException();
        }
        throw new NotAuthorizedException(this.challenges.get(0), this.challenges.subList(1, this.challenges.size()).toArray());
    }

    protected void verifyCanRead(Set<IRI> set, Session session, String str) {
        if (set.contains(ACL.Read)) {
            LOGGER.debug("User: {} can read {}", session.getAgent(), str);
            return;
        }
        LOGGER.warn("User: {} cannot Read from {}", session.getAgent(), str);
        if (!Trellis.AnonymousAgent.equals(session.getAgent())) {
            throw new ForbiddenException();
        }
        throw new NotAuthorizedException(this.challenges.get(0), this.challenges.subList(1, this.challenges.size()).toArray());
    }
}
