package io.onfhir.authz;

import akka.http.scaladsl.model.StatusCodes$;
import akka.http.scaladsl.server.Directive;
import akka.http.scaladsl.server.Directive$;
import akka.http.scaladsl.server.Directive$SingleValueTransformers$;
import akka.http.scaladsl.server.Rejection;
import akka.http.scaladsl.server.StandardRoute$;
import akka.http.scaladsl.server.directives.BasicDirectives$;
import akka.http.scaladsl.server.directives.FutureDirectives$;
import akka.http.scaladsl.server.directives.RouteDirectives$;
import akka.http.scaladsl.server.util.Tuple$;
import io.onfhir.Onfhir$;
import io.onfhir.api.model.FHIRRequest;
import io.onfhir.api.model.FHIRResponse$;
import io.onfhir.api.model.Parameter;
import io.onfhir.api.package$FHIR_INTERACTIONS$;
import io.onfhir.api.package$FHIR_OPERATIONS$;
import io.onfhir.api.package$FHIR_PARAMETER_CATEGORIES$;
import io.onfhir.api.util.FHIRUtil$;
import io.onfhir.api.util.ResourceChecker$;
import io.onfhir.authz.AuthzManager;
import io.onfhir.config.OnfhirConfig$;
import io.onfhir.db.ResourceManager$;
import io.onfhir.exception.AuthorizationFailedException;
import org.json4s.JsonAST;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import scala.MatchError;
import scala.None$;
import scala.Option;
import scala.Option$;
import scala.Predef$;
import scala.Predef$ArrowAssoc$;
import scala.Some;
import scala.Tuple2;
import scala.collection.IterableLike;
import scala.collection.Seq;
import scala.collection.Seq$;
import scala.collection.TraversableLike;
import scala.collection.TraversableOnce;
import scala.collection.immutable.Iterable;
import scala.collection.immutable.Iterable$;
import scala.collection.immutable.List;
import scala.collection.immutable.List$;
import scala.collection.immutable.Set;
import scala.concurrent.ExecutionContextExecutor;
import scala.concurrent.Future;
import scala.concurrent.Future$;
import scala.runtime.BoxedUnit;
import scala.runtime.BoxesRunTime;
import scala.util.Failure;
import scala.util.Success;

/* compiled from: AuthzManager.scala */
/* loaded from: input_file:io/onfhir/authz/AuthzManager$.class */
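/**
 * Singleton that decides whether a FHIR request may proceed (decompiler output of the Scala
 * object compiled from AuthzManager.scala; the single instance is published via {@link #MODULE$}).
 *
 * <p>Decision flow as implemented below:
 * <ol>
 *   <li>{@link #authorize} wraps {@link #authorizeF} in an akka-http directive and rejects the
 *       request on a negative decision or on any failure of the decision future.</li>
 *   <li>{@link #authorizeF} short-circuits requests that {@code isPublic} classifies as public.</li>
 *   <li>{@link #forceAuthorization} asks the configured authorization handler for a decision and,
 *       when the decision is {@code "filtering"}, checks the request against the resource
 *       restrictions carried by the decision.</li>
 * </ol>
 *
 * <p>The {@code $anonfun$...} static methods are compiler-generated lambda bodies; they are public
 * only because of how the Scala compiler emits them.
 */
public final class AuthzManager$ {
    public static AuthzManager$ MODULE$;
    private final ExecutionContextExecutor executionContext;
    private final Logger logger;

    static {
        new AuthzManager$();
    }

    /** Returns the execution context on which all authorization futures in this class run. */
    public ExecutionContextExecutor executionContext() {
        return this.executionContext;
    }

    private Logger logger() {
        return this.logger;
    }

    /**
     * Builds a directive that lets the request through only when authorization succeeds.
     *
     * <p>A completed decision that is not authorized is turned into a
     * {@code FhirAuthorizationFailedRejection} carrying that decision. A failed future is logged
     * with its exception and rejected with a generic message, so the denial path is taken on error
     * and the exception text is not placed in the rejection.
     *
     * @param option      authorization context resolved for the caller, if any
     * @param fHIRRequest request being authorized
     * @return directive that passes or rejects
     */
    public Directive<BoxedUnit> authorize(Option<AuthzContext> option, FHIRRequest fHIRRequest) {
        return Directive$SingleValueTransformers$.MODULE$.flatMap$extension(Directive$.MODULE$.SingleValueTransformers(FutureDirectives$.MODULE$.onComplete(() -> {
            return MODULE$.authorizeF(option, fHIRRequest);
        })), r11 -> {
            Directive directive;
            if (r11 instanceof Success) {
                AuthzResult authzResult = (AuthzResult) ((Success) r11).value();
                directive = authzResult.isAuthorized() ? BasicDirectives$.MODULE$.pass() : StandardRoute$.MODULE$.toDirective(RouteDirectives$.MODULE$.reject(Predef$.MODULE$.wrapRefArray(new Rejection[]{new AuthzManager.FhirAuthorizationFailedRejection(authzResult)})), Tuple$.MODULE$.forUnit());
            } else {
                if (!(r11 instanceof Failure)) {
                    throw new MatchError(r11);
                }
                // Fail closed: an exception while deciding is treated as a denial.
                MODULE$.logger().error("Exception while processing authorization", ((Failure) r11).exception());
                directive = StandardRoute$.MODULE$.toDirective(RouteDirectives$.MODULE$.reject(Predef$.MODULE$.wrapRefArray(new Rejection[]{new AuthzManager.FhirAuthorizationFailedRejection(AuthzResult$.MODULE$.failureInvalidRequest("Cannot process request for authorization!"))})), Tuple$.MODULE$.forUnit());
            }
            return directive;
        }, Tuple$.MODULE$.forUnit());
    }

    /**
     * Returns an immediate success for public requests, otherwise delegates to
     * {@link #forceAuthorization}.
     *
     * @param option      authorization context resolved for the caller, if any
     * @param fHIRRequest request being authorized
     * @return future of the authorization decision
     */
    /* JADX INFO: Access modifiers changed from: private */
    public Future<AuthzResult> authorizeF(Option<AuthzContext> option, FHIRRequest fHIRRequest) {
        if (isPublic(fHIRRequest, option)) {
            return Future$.MODULE$.apply(() -> {
                return AuthzResult$.MODULE$.success();
            }, executionContext());
        }
        // NOTE(review): the string form of the AuthzContext is written to the debug log; confirm
        // that it does not include token material or other secrets.
        logger().debug(new StringBuilder(36).append("Authorizing request for context ").append(option).append(" ...").toString());
        return forceAuthorization(option, fHIRRequest);
    }

    /**
     * Evaluates the request against the authorization handler without the public-request
     * short-circuit.
     *
     * <p>Batch and transaction requests are handled entry by entry. For any other interaction the
     * handler's decision is returned unchanged unless its result is {@code "filtering"}, in which
     * case the request is additionally checked against the decision's resource restrictions.
     *
     * @param option      authorization context resolved for the caller, if any
     * @param fHIRRequest request being authorized
     * @return future of the authorization decision
     */
    public Future<AuthzResult> forceAuthorization(Option<AuthzContext> option, FHIRRequest fHIRRequest) {
        boolean z;
        Future<AuthzResult> apply;
        AuthzResult authorizationDecision = getAuthorizationDecision(option, fHIRRequest);
        String interaction = fHIRRequest.interaction();
        String TRANSACTION = package$FHIR_INTERACTIONS$.MODULE$.TRANSACTION();
        if (TRANSACTION != null ? !TRANSACTION.equals(interaction) : interaction != null) {
            String BATCH = package$FHIR_INTERACTIONS$.MODULE$.BATCH();
            z = BATCH != null ? BATCH.equals(interaction) : interaction == null;
        } else {
            z = true;
        }
        if (z) {
            apply = handleBatchAndTransaction(option, fHIRRequest, authorizationDecision);
        } else {
            String result = authorizationDecision.result();
            // The decompiler emitted a String-to-int comparison here, which is not valid Java;
            // a null-safe equals expresses the same test.
            apply = !"filtering".equals(result) ? Future$.MODULE$.apply(() -> {
                return authorizationDecision;
            }, executionContext()) : authorizeForSimpleInteraction(fHIRRequest, authorizationDecision);
        }
        return apply;
    }

    /**
     * Authorizes the child requests of a batch or transaction.
     *
     * <p>An {@code "unauthorized"} decision for the bundle itself throws
     * {@link AuthorizationFailedException} synchronously. For a transaction, the first child that
     * is not authorized makes the whole request fail: an Unauthorized error response naming the
     * child's request URI is set on the parent request and the child's decision is returned. For a
     * batch, children that already have a response are skipped, each denied child gets its own
     * Unauthorized error response, and the overall result is success.
     *
     * @param option      authorization context resolved for the caller, if any
     * @param fHIRRequest the batch or transaction request
     * @param authzResult decision already obtained for the bundle-level request
     * @return future of the overall decision
     */
    private Future<AuthzResult> handleBatchAndTransaction(Option<AuthzContext> option, FHIRRequest fHIRRequest, AuthzResult authzResult) {
        Future<AuthzResult> map;
        if ("unauthorized".equals(authzResult.result())) {
            throw new AuthorizationFailedException(authzResult);
        }
        String interaction = fHIRRequest.interaction();
        String BATCH = package$FHIR_INTERACTIONS$.MODULE$.BATCH();
        if (BATCH != null ? !BATCH.equals(interaction) : interaction != null) {
            String TRANSACTION = package$FHIR_INTERACTIONS$.MODULE$.TRANSACTION();
            if (TRANSACTION != null ? !TRANSACTION.equals(interaction) : interaction != null) {
                throw new MatchError(interaction);
            }
            // Transaction: every child is authorized individually; find the first denial, if any.
            map = Future$.MODULE$.find((Iterable) ((TraversableLike) fHIRRequest.childRequests().to(Predef$.MODULE$.fallbackStringCanBuildFrom())).map(fHIRRequest2 -> {
                return MODULE$.authorizeForSimpleInteraction(fHIRRequest2, MODULE$.getAuthorizationDecision(option, fHIRRequest2)).map(authzResult2 -> {
                    return Predef$ArrowAssoc$.MODULE$.$minus$greater$extension(Predef$.MODULE$.ArrowAssoc(fHIRRequest2), authzResult2);
                }, MODULE$.executionContext());
            }, Iterable$.MODULE$.canBuildFrom()), tuple2 -> {
                return BoxesRunTime.boxToBoolean($anonfun$handleBatchAndTransaction$9(tuple2));
            }, executionContext()).map(option2 -> {
                AuthzResult authzResult2;
                if (None$.MODULE$.equals(option2)) {
                    authzResult2 = AuthzResult$.MODULE$.success();
                } else {
                    if (!(option2 instanceof Some)) {
                        throw new MatchError(option2);
                    }
                    Tuple2 tuple22 = (Tuple2) ((Some) option2).value();
                    // One denied child denies the whole transaction; the error is recorded on the parent.
                    fHIRRequest.setResponse(FHIRResponse$.MODULE$.errorResponse(StatusCodes$.MODULE$.Unauthorized(), Option$.MODULE$.option2Iterable(((AuthzResult) tuple22._2()).toOutcomeIssue().map(outcomeIssue -> {
                        return outcomeIssue.copy(outcomeIssue.copy$default$1(), outcomeIssue.copy$default$2(), outcomeIssue.copy$default$3(), outcomeIssue.copy$default$4(), (Seq) outcomeIssue.expression().$plus$plus(Seq$.MODULE$.apply(Predef$.MODULE$.wrapRefArray(new String[]{new StringBuilder(12).append("Request Uri:").append(((FHIRRequest) tuple22._1()).requestUri()).toString()})), Seq$.MODULE$.canBuildFrom()));
                    })).toSeq(), FHIRResponse$.MODULE$.errorResponse$default$3()));
                    authzResult2 = (AuthzResult) tuple22._2();
                }
                return authzResult2;
            }, executionContext());
        } else {
            // Batch: only children without a response yet are evaluated; denials are recorded per child.
            map = Future$.MODULE$.sequence((TraversableOnce) ((TraversableLike) fHIRRequest.childRequests().filter(fHIRRequest3 -> {
                return BoxesRunTime.boxToBoolean($anonfun$handleBatchAndTransaction$1(fHIRRequest3));
            })).map(fHIRRequest4 -> {
                return MODULE$.authorizeForSimpleInteraction(fHIRRequest4, MODULE$.getAuthorizationDecision(option, fHIRRequest4)).map(authzResult2 -> {
                    return Predef$ArrowAssoc$.MODULE$.$minus$greater$extension(Predef$.MODULE$.ArrowAssoc(fHIRRequest4), authzResult2);
                }, MODULE$.executionContext());
            }, Seq$.MODULE$.canBuildFrom()), Seq$.MODULE$.canBuildFrom(), executionContext()).map(seq -> {
                ((IterableLike) seq.filterNot(tuple22 -> {
                    return BoxesRunTime.boxToBoolean($anonfun$handleBatchAndTransaction$5(tuple22));
                })).foreach(tuple23 -> {
                    $anonfun$handleBatchAndTransaction$6(tuple23);
                    return BoxedUnit.UNIT;
                });
                return AuthzResult$.MODULE$.success();
            }, executionContext());
        }
        return map;
    }

    /**
     * Applies resource restrictions to a single (non-bundle) interaction.
     *
     * <p>Only a {@code "filtering"} decision with non-empty restrictions triggers checks: first the
     * content supplied in the request, then the stored resource or search scope. Every other
     * decision is returned unchanged.
     *
     * @param fHIRRequest request being authorized
     * @param authzResult decision obtained from the authorization handler
     * @return future of the final decision
     */
    private Future<AuthzResult> authorizeForSimpleInteraction(FHIRRequest fHIRRequest, AuthzResult authzResult) {
        String result = authzResult.result();
        // Null-safe form of the decompiled comparison, which compared a String with the int 0.
        if ("filtering".equals(result)) {
            if (authzResult.resourceRestrictions().nonEmpty()) {
                return authorizeAgainstGivenContent(fHIRRequest, authzResult.resourceRestrictions()).flatMap(obj -> {
                    return $anonfun$authorizeForSimpleInteraction$1(fHIRRequest, authzResult, BoxesRunTime.unboxToBoolean(obj));
                }, executionContext());
            }
        }
        return Future$.MODULE$.apply(() -> {
            return authzResult;
        }, executionContext());
    }

    /**
     * Checks the resource supplied in the request body against the restrictions.
     *
     * <p>Only CREATE and UPDATE are evaluated; the supplied resource must satisfy the restriction
     * parameters. Every other interaction yields {@code true}.
     *
     * @param fHIRRequest request being authorized
     * @param list        restriction parameters from the authorization decision
     * @return future of a boxed boolean, {@code true} when the supplied content is acceptable
     */
    private Future<Object> authorizeAgainstGivenContent(FHIRRequest fHIRRequest, List<Parameter> list) {
        return Future$.MODULE$.apply(() -> {
            boolean z;
            boolean z2;
            String interaction = fHIRRequest.interaction();
            String CREATE = package$FHIR_INTERACTIONS$.MODULE$.CREATE();
            if (CREATE != null ? !CREATE.equals(interaction) : interaction != null) {
                String UPDATE = package$FHIR_INTERACTIONS$.MODULE$.UPDATE();
                z = UPDATE != null ? UPDATE.equals(interaction) : interaction == null;
            } else {
                z = true;
            }
            if (z) {
                z2 = ResourceChecker$.MODULE$.checkIfResourceSatisfies((String) fHIRRequest.resourceType().get(), list, (JsonAST.JObject) fHIRRequest.resource().get());
            } else {
                // The decompiled code tested for PATCH here but produced true on both branches.
                // NOTE(review): PATCH payloads are therefore not checked against the restrictions
                // at this step; confirm that the post-patch resource is validated elsewhere.
                z2 = true;
            }
            return z2;
        }, executionContext());
    }

    /**
     * Checks the target of the request against the restrictions.
     *
     * <p>With a resource id, the stored resource is loaded (only the element paths the
     * restrictions refer to are requested) and must satisfy the restrictions. Without a resource
     * type the check passes. For type-level UPDATE, DELETE, SEARCH and HISTORY_TYPE the
     * compartment in the request is compared with the restrictions and, when allowed, the remaining
     * restriction parameters are appended to the request's query parameters so that the executed
     * query is narrowed to what the caller may see.
     *
     * @param fHIRRequest request being authorized; its query parameters may be extended
     * @param list        restriction parameters from the authorization decision; the caller in this
     *                    class only passes a non-empty list
     * @return future of a boxed boolean, {@code true} when access is allowed
     */
    private Future<Object> authorizeAgainstResourceContent(FHIRRequest fHIRRequest, List<Parameter> list) {
        boolean z;
        Future<Object> apply;
        if (fHIRRequest.resourceId().isDefined()) {
            Set set = (Set) ((TraversableOnce) list.map(parameter -> {
                return FHIRUtil$.MODULE$.extractElementPaths((String) fHIRRequest.resourceType().get(), parameter);
            }, List$.MODULE$.canBuildFrom())).reduce((set2, set3) -> {
                return set2.$plus$plus(set3);
            });
            String str = (String) fHIRRequest.resourceType().get();
            String str2 = (String) fHIRRequest.resourceId().get();
            Option<String> versionId = fHIRRequest.versionId();
            Option<Tuple2<Object, Set<String>>> some = new Some<>(Predef$ArrowAssoc$.MODULE$.$minus$greater$extension(Predef$.MODULE$.ArrowAssoc(BoxesRunTime.boxToBoolean(true)), set));
            return ResourceManager$.MODULE$.getResource(str, str2, versionId, some, true, ResourceManager$.MODULE$.getResource$default$6(str, str2, versionId, some, true)).map(option -> {
                return BoxesRunTime.boxToBoolean($anonfun$authorizeAgainstResourceContent$3(fHIRRequest, list, option));
            }, executionContext());
        }
        if (!fHIRRequest.resourceType().isDefined()) {
            return Future$.MODULE$.apply(() -> {
                return true;
            }, executionContext());
        }
        String interaction = fHIRRequest.interaction();
        String UPDATE = package$FHIR_INTERACTIONS$.MODULE$.UPDATE();
        if (UPDATE != null ? !UPDATE.equals(interaction) : interaction != null) {
            String DELETE = package$FHIR_INTERACTIONS$.MODULE$.DELETE();
            if (DELETE != null ? !DELETE.equals(interaction) : interaction != null) {
                String SEARCH = package$FHIR_INTERACTIONS$.MODULE$.SEARCH();
                if (SEARCH != null ? !SEARCH.equals(interaction) : interaction != null) {
                    String HISTORY_TYPE = package$FHIR_INTERACTIONS$.MODULE$.HISTORY_TYPE();
                    z = HISTORY_TYPE != null ? HISTORY_TYPE.equals(interaction) : interaction == null;
                } else {
                    z = true;
                }
            } else {
                z = true;
            }
        } else {
            z = true;
        }
        if (z) {
            Tuple2<Object, List<Parameter>> authorizeAgainstCompartmentSearch = authorizeAgainstCompartmentSearch(fHIRRequest, list);
            if (authorizeAgainstCompartmentSearch == null) {
                throw new MatchError(authorizeAgainstCompartmentSearch);
            }
            // The decompiled control flow fell through to MatchError after the allowed branch, so
            // an allowed search always threw; the two outcomes are separated explicitly here.
            if (authorizeAgainstCompartmentSearch._1$mcZ$sp()) {
                List list2 = (List) authorizeAgainstCompartmentSearch._2();
                // Enforcement point: the restrictions become additional query parameters.
                fHIRRequest.queryParams_$eq((List) fHIRRequest.queryParams().$plus$plus(list2, List$.MODULE$.canBuildFrom()));
                apply = Future$.MODULE$.apply(() -> {
                    return true;
                }, executionContext());
            } else {
                apply = Future$.MODULE$.apply(() -> {
                    return false;
                }, executionContext());
            }
        } else {
            apply = Future$.MODULE$.apply(() -> {
                return true;
            }, executionContext());
        }
        return apply;
    }

    /**
     * Compares the compartment addressed by the request with the compartment restriction, if any.
     *
     * <p>Without a compartment in the request the result is {@code (true, list)}. Otherwise the
     * first restriction of category COMPARTMENT whose compartment type equals the request's is
     * looked up; access is allowed when no such restriction exists or when its compartment id
     * equals the request's compartment id. When a matching restriction was found, all
     * COMPARTMENT-category parameters are removed from the returned list.
     *
     * @param fHIRRequest request being authorized
     * @param list        restriction parameters from the authorization decision
     * @return pair of (allowed, restriction parameters still to be applied)
     */
    private Tuple2<Object, List<Parameter>> authorizeAgainstCompartmentSearch(FHIRRequest fHIRRequest, List<Parameter> list) {
        Tuple2<Object, List<Parameter>> $minus$greater$extension;
        // Declared as Option: the decompiler typed this local as Some, which cannot hold None.
        Option<?> compartmentType = fHIRRequest.compartmentType();
        if (None$.MODULE$.equals(compartmentType)) {
            $minus$greater$extension = Predef$ArrowAssoc$.MODULE$.$minus$greater$extension(Predef$.MODULE$.ArrowAssoc(BoxesRunTime.boxToBoolean(true)), list);
        } else {
            if (!(compartmentType instanceof Some)) {
                throw new MatchError(compartmentType);
            }
            String str = (String) ((Some<?>) compartmentType).value();
            Option find = list.find(parameter -> {
                return BoxesRunTime.boxToBoolean($anonfun$authorizeAgainstCompartmentSearch$1(str, parameter));
            });
            // NOTE(review): only the head of valuePrefixList is compared, so a restriction that
            // lists several compartment values is judged by its first entry alone; confirm that
            // restrictions are always single-valued.
            $minus$greater$extension = Predef$ArrowAssoc$.MODULE$.$minus$greater$extension(Predef$.MODULE$.ArrowAssoc(BoxesRunTime.boxToBoolean(find.map(parameter2 -> {
                return (String) ((Tuple2) parameter2.valuePrefixList().head())._2();
            }).forall(str2 -> {
                return BoxesRunTime.boxToBoolean($anonfun$authorizeAgainstCompartmentSearch$3(fHIRRequest, str2));
            }))), find.nonEmpty() ? list.filterNot(parameter3 -> {
                return BoxesRunTime.boxToBoolean($anonfun$authorizeAgainstCompartmentSearch$4(parameter3));
            }) : list);
        }
        return $minus$greater$extension;
    }

    /**
     * Obtains the authorization handler's decision for one request.
     *
     * <p>Without a context the handler's public policy is consulted and a denial is reported as
     * "Missing access token!". With an active context the handler's decision is returned. A
     * context that is present but not active yields an invalid-token failure.
     *
     * @param option      authorization context resolved for the caller, if any
     * @param fHIRRequest request being authorized
     * @return the decision
     */
    private AuthzResult getAuthorizationDecision(Option<AuthzContext> option, FHIRRequest fHIRRequest) {
        if (None$.MODULE$.equals(option)) {
            AuthzResult authorizeForPublic = AuthzConfigurationManager$.MODULE$.authorizationHandler().authorizeForPublic(fHIRRequest.interaction(), fHIRRequest.resourceType(), fHIRRequest.resourceId());
            return !authorizeForPublic.isAuthorized() ? AuthzResult$.MODULE$.failureInvalidRequest("Missing access token!") : authorizeForPublic;
        }
        if (option instanceof Some) {
            AuthzContext authzContext = (AuthzContext) ((Some) option).value();
            if (authzContext.isActive()) {
                // Returned directly: in the decompiled form this value was immediately overwritten
                // by the invalid-token failure below, denying every authenticated request.
                return AuthzConfigurationManager$.MODULE$.authorizationHandler().authorize(authzContext, fHIRRequest.interaction(), fHIRRequest.resourceType(), fHIRRequest.resourceId());
            }
        }
        return AuthzResult$.MODULE$.failureInvalidToken("Invalid access token or we cannot resolve it...");
    }

    /**
     * Tells whether the request bypasses authorization altogether.
     *
     * <p>Everything is public when the configuration is not secure. In secure mode the
     * CAPABILITIES interaction is public, and VALIDATION is public when an authorization context is
     * present; nothing else is.
     *
     * @param fHIRRequest request being classified
     * @param option      authorization context resolved for the caller, if any
     * @return {@code true} when no authorization decision is required
     */
    private boolean isPublic(FHIRRequest fHIRRequest, Option<AuthzContext> option) {
        boolean isDefined;
        if (OnfhirConfig$.MODULE$.authzConfig().isSecure()) {
            String interaction = fHIRRequest.interaction();
            String CAPABILITIES = package$FHIR_INTERACTIONS$.MODULE$.CAPABILITIES();
            if (CAPABILITIES != null ? !CAPABILITIES.equals(interaction) : interaction != null) {
                String VALIDATION = package$FHIR_OPERATIONS$.MODULE$.VALIDATION();
                // NOTE(review): only the presence of a context is tested, not isActive(); confirm
                // that a context for an expired or unresolved token cannot reach this point.
                isDefined = (VALIDATION != null ? !VALIDATION.equals(interaction) : interaction != null) ? false : option.isDefined();
            } else {
                isDefined = true;
            }
            if (!isDefined) {
                return false;
            }
        }
        return true;
    }

    /** Batch filter: keeps child requests that have no response yet. */
    public static final /* synthetic */ boolean $anonfun$handleBatchAndTransaction$1(FHIRRequest fHIRRequest) {
        return fHIRRequest.response().isEmpty();
    }

    /** Batch filter: true for (request, decision) pairs whose decision is authorized. */
    public static final /* synthetic */ boolean $anonfun$handleBatchAndTransaction$5(Tuple2 tuple2) {
        return ((AuthzResult) tuple2._2()).isAuthorized();
    }

    /** Batch: records an Unauthorized error response on a denied child request. */
    public static final /* synthetic */ void $anonfun$handleBatchAndTransaction$6(Tuple2 tuple2) {
        ((FHIRRequest) tuple2._1()).setResponse(FHIRResponse$.MODULE$.errorResponse(StatusCodes$.MODULE$.Unauthorized(), Option$.MODULE$.option2Iterable(((AuthzResult) tuple2._2()).toOutcomeIssue()).toSeq(), FHIRResponse$.MODULE$.errorResponse$default$3()));
    }

    /** Transaction predicate: true for (request, decision) pairs whose decision is a denial. */
    public static final /* synthetic */ boolean $anonfun$handleBatchAndTransaction$9(Tuple2 tuple2) {
        return !((AuthzResult) tuple2._2()).isAuthorized();
    }

    /** Maps the stored-content check to the final decision: keep it, or fail with insufficient scope. */
    public static final /* synthetic */ AuthzResult $anonfun$authorizeForSimpleInteraction$2(AuthzResult authzResult, boolean z) {
        AuthzResult failureInsufficientScope;
        if (true == z) {
            failureInsufficientScope = authzResult;
        } else {
            if (false != z) {
                throw new MatchError(BoxesRunTime.boxToBoolean(z));
            }
            failureInsufficientScope = AuthzResult$.MODULE$.failureInsufficientScope("User is not authorized to execute the interaction on this resource instance");
        }
        return failureInsufficientScope;
    }

    /**
     * Continues after the supplied-content check: when it passed, the stored resource or search
     * scope is checked next; when it failed, the result is an insufficient-scope failure.
     */
    public static final /* synthetic */ Future $anonfun$authorizeForSimpleInteraction$1(FHIRRequest fHIRRequest, AuthzResult authzResult, boolean z) {
        Future apply;
        if (true == z) {
            apply = MODULE$.authorizeAgainstResourceContent(fHIRRequest, authzResult.resourceRestrictions()).map(obj -> {
                return $anonfun$authorizeForSimpleInteraction$2(authzResult, BoxesRunTime.unboxToBoolean(obj));
            }, MODULE$.executionContext());
        } else {
            if (false != z) {
                throw new MatchError(BoxesRunTime.boxToBoolean(z));
            }
            apply = Future$.MODULE$.apply(() -> {
                return AuthzResult$.MODULE$.failureInsufficientScope("User is not authorized to supply the given content");
            }, MODULE$.executionContext());
        }
        return apply;
    }

    /** Checks one loaded resource against the restriction parameters. */
    public static final /* synthetic */ boolean $anonfun$authorizeAgainstResourceContent$4(FHIRRequest fHIRRequest, List list, JsonAST.JObject jObject) {
        return ResourceChecker$.MODULE$.checkIfResourceSatisfies((String) fHIRRequest.resourceType().get(), list, jObject);
    }

    /**
     * Checks the optionally loaded resource against the restrictions.
     *
     * <p>{@code forall} on an empty Option is true, so a resource that was not found passes this
     * check. NOTE(review): confirm that the not-found case is handled by the caller's later
     * processing rather than relying on this check.
     */
    public static final /* synthetic */ boolean $anonfun$authorizeAgainstResourceContent$3(FHIRRequest fHIRRequest, List list, Option option) {
        return option.forall(jObject -> {
            return BoxesRunTime.boxToBoolean($anonfun$authorizeAgainstResourceContent$4(fHIRRequest, list, jObject));
        });
    }

    /** True for a COMPARTMENT-category parameter whose first value entry names the given compartment type. */
    public static final /* synthetic */ boolean $anonfun$authorizeAgainstCompartmentSearch$1(String str, Parameter parameter) {
        String paramCategory = parameter.paramCategory();
        String COMPARTMENT = package$FHIR_PARAMETER_CATEGORIES$.MODULE$.COMPARTMENT();
        if (paramCategory != null ? paramCategory.equals(COMPARTMENT) : COMPARTMENT == null) {
            Object _1 = ((Tuple2) parameter.valuePrefixList().head())._1();
            if (_1 != null ? _1.equals(str) : str == null) {
                return true;
            }
        }
        return false;
    }

    /**
     * True when the restricted compartment id equals the request's compartment id.
     * Calls {@code get()} on the request's compartment id; presumably it is always defined when a
     * compartment type is present (verify against FHIRRequest).
     */
    public static final /* synthetic */ boolean $anonfun$authorizeAgainstCompartmentSearch$3(FHIRRequest fHIRRequest, String str) {
        Object obj = fHIRRequest.compartmentId().get();
        return str != null ? str.equals(obj) : obj == null;
    }

    /** True for parameters whose category is not COMPARTMENT. */
    public static final /* synthetic */ boolean $anonfun$authorizeAgainstCompartmentSearch$4(Parameter parameter) {
        String paramCategory = parameter.paramCategory();
        String COMPARTMENT = package$FHIR_PARAMETER_CATEGORIES$.MODULE$.COMPARTMENT();
        return paramCategory != null ? !paramCategory.equals(COMPARTMENT) : COMPARTMENT != null;
    }

    /** Publishes the singleton and takes the execution context from the application's actor system. */
    private AuthzManager$() {
        MODULE$ = this;
        this.executionContext = Onfhir$.MODULE$.actorSystem().dispatcher();
        this.logger = LoggerFactory.getLogger(getClass());
    }
}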
