package dev.dsf.fhir.authorization;

import ca.uhn.fhir.model.api.annotation.ResourceDef;
import dev.dsf.common.auth.conf.Identity;
import dev.dsf.fhir.authentication.FhirServerRole;
import dev.dsf.fhir.authentication.OrganizationProvider;
import dev.dsf.fhir.authorization.read.ReadAccessHelper;
import dev.dsf.fhir.dao.CodeSystemDao;
import dev.dsf.fhir.dao.OrganizationDao;
import dev.dsf.fhir.dao.ResourceDao;
import dev.dsf.fhir.dao.provider.DaoProvider;
import dev.dsf.fhir.help.ParameterConverter;
import dev.dsf.fhir.search.PageAndCount;
import dev.dsf.fhir.search.PartialResult;
import dev.dsf.fhir.search.SearchQuery;
import dev.dsf.fhir.search.SearchQueryParameterError;
import dev.dsf.fhir.search.parameters.basic.AbstractUrlAndVersionParameter;
import dev.dsf.fhir.service.ReferenceResolver;
import dev.dsf.fhir.service.ResourceReference;
import dev.dsf.fhir.webservice.jaxrs.RootServiceJaxrs;
import java.sql.Connection;
import java.sql.SQLException;
import java.util.Collection;
import java.util.Collections;
import java.util.EnumSet;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.stream.Stream;
import org.hl7.fhir.r4.model.CodeSystem;
import org.hl7.fhir.r4.model.Coding;
import org.hl7.fhir.r4.model.Identifier;
import org.hl7.fhir.r4.model.Organization;
import org.hl7.fhir.r4.model.OrganizationAffiliation;
import org.hl7.fhir.r4.model.Reference;
import org.hl7.fhir.r4.model.Resource;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.InitializingBean;

/* loaded from: input_file:dev/dsf/fhir/authorization/AbstractAuthorizationRule.class */
public abstract class AbstractAuthorizationRule<R extends Resource, D extends ResourceDao<R>> implements AuthorizationRule<R>, InitializingBean {
    private static final Logger logger = LoggerFactory.getLogger(AbstractAuthorizationRule.class);
    protected static final String ORGANIZATION_IDENTIFIER_SYSTEM = "http://dsf.dev/sid/organization-identifier";
    protected final Class<R> resourceType;
    protected final DaoProvider daoProvider;
    protected final String serverBase;
    protected final ReferenceResolver referenceResolver;
    protected final OrganizationProvider organizationProvider;
    protected final ReadAccessHelper readAccessHelper;
    protected final ParameterConverter parameterConverter;

    public AbstractAuthorizationRule(Class<R> cls, DaoProvider daoProvider, String str, ReferenceResolver referenceResolver, OrganizationProvider organizationProvider, ReadAccessHelper readAccessHelper, ParameterConverter parameterConverter) {
        this.resourceType = cls;
        this.daoProvider = daoProvider;
        this.serverBase = str;
        this.referenceResolver = referenceResolver;
        this.organizationProvider = organizationProvider;
        this.readAccessHelper = readAccessHelper;
        this.parameterConverter = parameterConverter;
    }

    public void afterPropertiesSet() throws Exception {
        Objects.requireNonNull(this.resourceType, "resourceType");
        Objects.requireNonNull(this.daoProvider, "daoProvider");
        Objects.requireNonNull(this.serverBase, "serverBase");
        Objects.requireNonNull(this.referenceResolver, "referenceResolver");
        Objects.requireNonNull(this.organizationProvider, "organizationProvider");
        Objects.requireNonNull(this.readAccessHelper, "readAccessHelper");
        Objects.requireNonNull(this.parameterConverter, "parameterConverter");
    }

    @Override // dev.dsf.fhir.authorization.AuthorizationRule
    public Class<R> getResourceType() {
        return this.resourceType;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public String getResourceTypeName() {
        return getResourceType().getAnnotation(ResourceDef.class).name();
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public final D getDao() {
        return this.daoProvider.getDao(this.resourceType).orElseThrow();
    }

    @Override // dev.dsf.fhir.authorization.AuthorizationRule
    public final Optional<String> reasonCreateAllowed(Identity identity, R r) {
        try {
            Connection newReadOnlyAutoCommitTransaction = this.daoProvider.newReadOnlyAutoCommitTransaction();
            try {
                Optional<String> reasonCreateAllowed = reasonCreateAllowed(newReadOnlyAutoCommitTransaction, identity, r);
                if (newReadOnlyAutoCommitTransaction != null) {
                    newReadOnlyAutoCommitTransaction.close();
                }
                return reasonCreateAllowed;
            } finally {
            }
        } catch (SQLException e) {
            logger.debug("Error while accessing database", e);
            logger.warn("Error while accessing database: {} - {}", e.getClass().getName(), e.getMessage());
            throw new RuntimeException(e);
        }
    }

    @Override // dev.dsf.fhir.authorization.AuthorizationRule
    public final Optional<String> reasonReadAllowed(Identity identity, R r) {
        try {
            Connection newReadOnlyAutoCommitTransaction = this.daoProvider.newReadOnlyAutoCommitTransaction();
            try {
                Optional<String> reasonReadAllowed = reasonReadAllowed(newReadOnlyAutoCommitTransaction, identity, r);
                if (newReadOnlyAutoCommitTransaction != null) {
                    newReadOnlyAutoCommitTransaction.close();
                }
                return reasonReadAllowed;
            } finally {
            }
        } catch (SQLException e) {
            logger.debug("Error while accessing database", e);
            logger.warn("Error while accessing database: {} - {}", e.getClass().getName(), e.getMessage());
            throw new RuntimeException(e);
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public List<OrganizationAffiliation> getAffiliations(Connection connection, String str) {
        if (str == null) {
            return Collections.emptyList();
        }
        try {
            return this.daoProvider.getOrganizationAffiliationDao().readActiveNotDeletedByMemberOrganizationIdentifierIncludingOrganizationIdentifiersWithTransaction(connection, str);
        } catch (SQLException e) {
            logger.debug("Error while accessing database", e);
            logger.warn("Error while accessing database: {} - {}", e.getClass().getName(), e.getMessage());
            throw new RuntimeException(e);
        }
    }

    @Override // dev.dsf.fhir.authorization.AuthorizationRule
    public final Optional<String> reasonUpdateAllowed(Identity identity, R r, R r2) {
        try {
            Connection newReadOnlyAutoCommitTransaction = this.daoProvider.newReadOnlyAutoCommitTransaction();
            try {
                Optional<String> reasonUpdateAllowed = reasonUpdateAllowed(newReadOnlyAutoCommitTransaction, identity, r, r2);
                if (newReadOnlyAutoCommitTransaction != null) {
                    newReadOnlyAutoCommitTransaction.close();
                }
                return reasonUpdateAllowed;
            } finally {
            }
        } catch (SQLException e) {
            logger.debug("Error while accessing database", e);
            logger.warn("Error while accessing database: {} - {}", e.getClass().getName(), e.getMessage());
            throw new RuntimeException(e);
        }
    }

    @Override // dev.dsf.fhir.authorization.AuthorizationRule
    public final Optional<String> reasonDeleteAllowed(Identity identity, R r) {
        try {
            Connection newReadOnlyAutoCommitTransaction = this.daoProvider.newReadOnlyAutoCommitTransaction();
            try {
                Optional<String> reasonDeleteAllowed = reasonDeleteAllowed(newReadOnlyAutoCommitTransaction, identity, r);
                if (newReadOnlyAutoCommitTransaction != null) {
                    newReadOnlyAutoCommitTransaction.close();
                }
                return reasonDeleteAllowed;
            } finally {
            }
        } catch (SQLException e) {
            logger.debug("Error while accessing database", e);
            logger.warn("Error while accessing database: {} - {}", e.getClass().getName(), e.getMessage());
            throw new RuntimeException(e);
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public final boolean organizationWithIdentifierExists(Connection connection, Identifier identifier) {
        Map<String, List<String>> of = Map.of("identifier", Collections.singletonList(identifier.getSystem() + "|" + identifier.getValue()));
        OrganizationDao organizationDao = this.daoProvider.getOrganizationDao();
        SearchQuery<Organization> configureParameters = organizationDao.createSearchQueryWithoutUserFilter(PageAndCount.exists()).configureParameters(of);
        List<SearchQueryParameterError> unsupportedQueryParameters = configureParameters.getUnsupportedQueryParameters();
        if (!unsupportedQueryParameters.isEmpty()) {
            logger.warn("Unable to search for Organization: Unsupported query parameters: {}", unsupportedQueryParameters);
            throw new IllegalStateException("Unable to search for Organization: Unsupported query parameters.");
        }
        try {
            return organizationDao.searchWithTransaction(connection, configureParameters).getTotal() >= 1;
        } catch (SQLException e) {
            logger.debug("Unable to search for Organization", e);
            logger.warn("Unable to search for Organization: {} - {}", e.getClass().getName(), e.getMessage());
            throw new RuntimeException("Unable to search for Organization", e);
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public final boolean roleExists(Connection connection, Coding coding) {
        String system = coding.getSystem();
        String version = coding.getVersion();
        String code = coding.getCode();
        Map<String, List<String>> of = Map.of(AbstractUrlAndVersionParameter.PARAMETER_NAME, Collections.singletonList(system + (coding.hasVersion() ? "|" + version : RootServiceJaxrs.PATH)));
        CodeSystemDao codeSystemDao = this.daoProvider.getCodeSystemDao();
        SearchQuery<CodeSystem> configureParameters = codeSystemDao.createSearchQueryWithoutUserFilter(PageAndCount.single()).configureParameters(of);
        List<SearchQueryParameterError> unsupportedQueryParameters = configureParameters.getUnsupportedQueryParameters();
        if (!unsupportedQueryParameters.isEmpty()) {
            logger.warn("Unable to search for CodeSystem: Unsupported query parameters: {}", unsupportedQueryParameters);
            throw new IllegalStateException("Unable to search for CodeSystem: Unsupported query parameters");
        }
        try {
            PartialResult<CodeSystem> searchWithTransaction = codeSystemDao.searchWithTransaction(connection, configureParameters);
            if (searchWithTransaction.getTotal() >= 1) {
                if (hasCode(searchWithTransaction.getPartialResult().get(0), code)) {
                    return true;
                }
            }
            return false;
        } catch (SQLException e) {
            logger.debug("Unable to search for CodeSystem", e);
            logger.warn("Unable to search for CodeSystem: {} - {}", e.getClass().getName(), e.getMessage());
            throw new RuntimeException("Unable to search for CodeSystem", e);
        }
    }

    private boolean hasCode(CodeSystem codeSystem, String str) {
        return codeSystem.getConcept().stream().filter((v0) -> {
            return v0.hasCode();
        }).map((v0) -> {
            return v0.getCode();
        }).anyMatch(str2 -> {
            return str2.equals(str);
        });
    }

    protected final boolean isCurrentIdentityPartOfReferencedOrganizations(Connection connection, Identity identity, String str, Collection<? extends Reference> collection) {
        return isCurrentIdentityPartOfReferencedOrganizations(connection, identity, str, collection.stream());
    }

    protected final boolean isCurrentIdentityPartOfReferencedOrganizations(Connection connection, Identity identity, String str, Stream<? extends Reference> stream) {
        return stream.anyMatch(reference -> {
            return isCurrentIdentityPartOfReferencedOrganization(connection, identity, str, reference);
        });
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public final boolean isCurrentIdentityPartOfReferencedOrganization(Connection connection, Identity identity, String str, Reference reference) {
        if (reference == null) {
            logger.warn("Null reference while checking if user part of referenced organization");
            return false;
        }
        ResourceReference resourceReference = new ResourceReference(str, reference, new Class[]{Organization.class});
        ResourceReference.ReferenceType type = resourceReference.getType(this.serverBase);
        if (!EnumSet.of(ResourceReference.ReferenceType.LITERAL_INTERNAL, ResourceReference.ReferenceType.LOGICAL).contains(type)) {
            logger.warn("Reference of type {} not supported while checking if user part of referenced organization", type);
            return false;
        }
        Optional<Resource> resolveReference = this.referenceResolver.resolveReference(identity, resourceReference, connection);
        if (!resolveReference.isPresent() || !(resolveReference.get() instanceof Organization)) {
            logger.warn("Reference to organization could not be resolved while checking if user part of referenced organization");
            return false;
        }
        boolean equals = identity.getOrganization().getIdElement().getIdPart().equals(resolveReference.get().getIdElement().getIdPart());
        if (!equals) {
            logger.warn("Current user not part of organization {} while checking if user part of referenced organization", resolveReference.get().getIdElement().getValue());
        }
        return equals;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public final boolean isLocalOrganization(Organization organization) {
        if (organization == null || !organization.hasIdElement()) {
            return false;
        }
        return ((Boolean) this.organizationProvider.getLocalOrganization().map(organization2 -> {
            return Boolean.valueOf(organization2.getIdElement().equals(organization.getIdElement()));
        }).orElse(false)).booleanValue();
    }

    /* JADX INFO: Access modifiers changed from: protected */
    @SafeVarargs
    public final Optional<ResourceReference> createIfLiteralInternalOrLogicalReference(String str, Reference reference, Class<? extends Resource>... clsArr) {
        ResourceReference resourceReference = new ResourceReference(str, reference, clsArr);
        return EnumSet.of(ResourceReference.ReferenceType.LITERAL_INTERNAL, ResourceReference.ReferenceType.LOGICAL).contains(resourceReference.getType(this.serverBase)) ? Optional.of(resourceReference) : Optional.empty();
    }

    protected final Optional<Resource> resolveReference(Connection connection, Identity identity, Optional<ResourceReference> optional) {
        return optional.flatMap(resourceReference -> {
            return this.referenceResolver.resolveReference(identity, resourceReference, connection);
        });
    }

    @Override // dev.dsf.fhir.authorization.AuthorizationRule
    public Optional<String> reasonPermanentDeleteAllowed(Identity identity, R r) {
        try {
            Connection newReadOnlyAutoCommitTransaction = this.daoProvider.newReadOnlyAutoCommitTransaction();
            try {
                Optional<String> reasonPermanentDeleteAllowed = reasonPermanentDeleteAllowed(newReadOnlyAutoCommitTransaction, identity, r);
                if (newReadOnlyAutoCommitTransaction != null) {
                    newReadOnlyAutoCommitTransaction.close();
                }
                return reasonPermanentDeleteAllowed;
            } finally {
            }
        } catch (SQLException e) {
            logger.debug("Error while accessing database", e);
            logger.warn("Error while accessing database: {} - {}", e.getClass().getName(), e.getMessage());
            throw new RuntimeException(e);
        }
    }

    @Override // dev.dsf.fhir.authorization.AuthorizationRule
    public final Optional<String> reasonSearchAllowed(Identity identity) {
        if (identity.hasDsfRole(FhirServerRole.SEARCH)) {
            logger.info("Search of {} authorized for identity '{}'", getResourceTypeName(), identity.getName());
            return Optional.of("Identity has role " + FhirServerRole.SEARCH);
        }
        logger.warn("Search of {} unauthorized for identity '{}', no role {}", new Object[]{getResourceTypeName(), identity.getName(), FhirServerRole.SEARCH});
        return Optional.empty();
    }

    @Override // dev.dsf.fhir.authorization.AuthorizationRule
    public final Optional<String> reasonHistoryAllowed(Identity identity) {
        if (identity.hasDsfRole(FhirServerRole.HISTORY)) {
            logger.info("History of {} authorized for identity '{}'", getResourceTypeName(), identity.getName());
            return Optional.of("Identity has role " + FhirServerRole.HISTORY);
        }
        logger.warn("History of {} unauthorized for identity '{}', no role {}", new Object[]{getResourceTypeName(), identity.getName(), FhirServerRole.HISTORY});
        return Optional.empty();
    }

    @Override // dev.dsf.fhir.authorization.AuthorizationRule
    public Optional<String> reasonPermanentDeleteAllowed(Connection connection, Identity identity, R r) {
        String idPart = r.getIdElement().getIdPart();
        long longValue = r.getIdElement().getVersionIdPartAsLong().longValue();
        if (identity.isLocalIdentity() && identity.hasDsfRole(FhirServerRole.PERMANENT_DELETE) && reasonDeleteAllowed(connection, identity, r).isPresent()) {
            logger.info("Permanent delete of {}/{}/_history/{} authorized for identity '{}'", new Object[]{getResourceTypeName(), idPart, Long.valueOf(longValue), identity.getName()});
            return Optional.of("Identity is local identity and has role " + FhirServerRole.PERMANENT_DELETE);
        }
        logger.warn("Permanent delete of {}/{}/_history/{} unauthorized for identity '{}', not a local identity or no role {}", new Object[]{getResourceTypeName(), idPart, Long.valueOf(longValue), identity.getName(), FhirServerRole.PERMANENT_DELETE});
        return Optional.empty();
    }
}
