package com.mobi.rest.security;

import com.mobi.jaas.api.engines.EngineManager;
import com.mobi.persistence.utils.Bindings;
import com.mobi.persistence.utils.Models;
import com.mobi.repository.api.OsgiRepository;
import com.mobi.rest.security.annotations.ActionAttributes;
import com.mobi.rest.security.annotations.ActionId;
import com.mobi.rest.security.annotations.AttributeValue;
import com.mobi.rest.security.annotations.DefaultResourceId;
import com.mobi.rest.security.annotations.ResourceAttributes;
import com.mobi.rest.security.annotations.ResourceId;
import com.mobi.rest.security.annotations.SubjectAttributes;
import com.mobi.rest.security.annotations.Value;
import com.mobi.rest.security.annotations.ValueType;
import com.mobi.rest.util.ErrorUtils;
import com.mobi.rest.util.MobiWebException;
import com.mobi.rest.util.RestUtils;
import com.mobi.security.policy.api.Decision;
import com.mobi.security.policy.api.PDP;
import com.mobi.security.policy.api.Request;
import com.mobi.security.policy.api.Response;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.lang.annotation.Annotation;
import java.lang.reflect.Method;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;
import java.util.stream.Stream;
import javax.annotation.Priority;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.ResourceInfo;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Form;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.MultivaluedHashMap;
import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriInfo;
import javax.ws.rs.ext.Provider;
import javax.ws.rs.ext.Providers;
import org.apache.commons.fileupload.FileItemIterator;
import org.apache.commons.fileupload.FileItemStream;
import org.apache.commons.fileupload.FileUpload;
import org.apache.commons.fileupload.RequestContext;
import org.apache.commons.fileupload.util.Streams;
import org.apache.commons.lang3.StringUtils;
import org.eclipse.rdf4j.model.IRI;
import org.eclipse.rdf4j.model.Literal;
import org.eclipse.rdf4j.model.ValueFactory;
import org.eclipse.rdf4j.model.impl.ValidatingValueFactory;
import org.eclipse.rdf4j.query.Binding;
import org.eclipse.rdf4j.query.BindingSet;
import org.eclipse.rdf4j.query.TupleQuery;
import org.eclipse.rdf4j.query.TupleQueryResult;
import org.eclipse.rdf4j.repository.RepositoryConnection;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Reference;
import org.osgi.service.component.annotations.ServiceScope;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@Provider
@Priority(1999)
@Component(scope = ServiceScope.PROTOTYPE, property = {"osgi.jaxrs.extension=true"})
/* loaded from: input_file:com/mobi/rest/security/XACMLRequestFilter.class */
public class XACMLRequestFilter implements ContainerRequestFilter {
    private final Logger log = LoggerFactory.getLogger(XACMLRequestFilter.class);
    final ValueFactory vf = new ValidatingValueFactory();

    @Reference
    EngineManager engineManager;

    @Reference
    PDP pdp;

    @Reference(target = "(id=system)")
    OsgiRepository repository;

    @Context
    ResourceInfo resourceInfo;

    @Context
    UriInfo uriInfo;

    @Context
    Providers providers;

    public void filter(ContainerRequestContext containerRequestContext) throws IOException {
        IRI resourceIdIri;
        IRI createIRI;
        this.log.debug("Authorizing...");
        long currentTimeMillis = System.currentTimeMillis();
        try {
            MultivaluedMap<String, String> pathParameters = this.uriInfo.getPathParameters();
            MultivaluedMap<String, String> queryParameters = this.uriInfo.getQueryParameters();
            Method resourceMethod = this.resourceInfo.getResourceMethod();
            if (resourceMethod.getAnnotation(ResourceId.class) == null) {
                this.log.info(String.format("Request authorization skipped. %dms", Long.valueOf(System.currentTimeMillis() - currentTimeMillis)));
                return;
            }
            IRI iri = (IRI) RestUtils.optActiveUser(containerRequestContext, this.engineManager).map((v0) -> {
                return v0.getResource();
            }).orElse(this.vf.createIRI("http://mobi.com/users/anon"));
            SubjectAttributes subjectAttributes = (SubjectAttributes) resourceMethod.getAnnotation(SubjectAttributes.class);
            HashMap hashMap = new HashMap();
            if (subjectAttributes != null) {
                setAttributes(hashMap, subjectAttributes.value(), pathParameters, queryParameters, containerRequestContext);
            }
            ResourceId resourceId = (ResourceId) resourceMethod.getAnnotation(ResourceId.class);
            try {
                resourceIdIri = getResourceIdIri(resourceId, containerRequestContext, queryParameters, pathParameters);
            } catch (MobiWebException e) {
                DefaultResourceId[] defaultValue = resourceId.defaultValue();
                if (defaultValue.length == 0) {
                    throw e;
                }
                this.log.info("Attempting to resolve a default Resource ID.");
                resourceIdIri = getResourceIdIri(getResourceIdFromDefault(defaultValue[0]), containerRequestContext, queryParameters, pathParameters);
            }
            ResourceAttributes resourceAttributes = (ResourceAttributes) resourceMethod.getAnnotation(ResourceAttributes.class);
            HashMap hashMap2 = new HashMap();
            if (resourceAttributes != null) {
                setAttributes(hashMap2, resourceAttributes.value(), pathParameters, queryParameters, containerRequestContext);
            }
            ActionId actionId = (ActionId) resourceMethod.getAnnotation(ActionId.class);
            if (actionId == null) {
                String method = containerRequestContext.getMethod();
                boolean z = -1;
                switch (method.hashCode()) {
                    case 70454:
                        if (method.equals("GET")) {
                            z = 3;
                            break;
                        }
                        break;
                    case 79599:
                        if (method.equals("PUT")) {
                            z = 2;
                            break;
                        }
                        break;
                    case 2461856:
                        if (method.equals("POST")) {
                            z = false;
                            break;
                        }
                        break;
                    case 2012838315:
                        if (method.equals("DELETE")) {
                            z = true;
                            break;
                        }
                        break;
                }
                switch (z) {
                    case false:
                        createIRI = this.vf.createIRI("http://mobi.com/ontologies/policy#Create");
                        break;
                    case true:
                        createIRI = this.vf.createIRI("http://mobi.com/ontologies/policy#Delete");
                        break;
                    case true:
                        createIRI = this.vf.createIRI("http://mobi.com/ontologies/policy#Update");
                        break;
                    case true:
                    default:
                        createIRI = this.vf.createIRI("http://mobi.com/ontologies/policy#Read");
                        break;
                }
            } else {
                createIRI = this.vf.createIRI(actionId.value());
            }
            ActionAttributes actionAttributes = (ActionAttributes) resourceMethod.getAnnotation(ActionAttributes.class);
            HashMap hashMap3 = new HashMap();
            if (actionAttributes != null) {
                setAttributes(hashMap3, actionAttributes.value(), pathParameters, queryParameters, containerRequestContext);
            }
            Request createRequest = this.pdp.createRequest(Arrays.asList(iri), hashMap, Arrays.asList(resourceIdIri), hashMap2, Arrays.asList(createIRI), hashMap3);
            this.log.debug(createRequest.toString());
            Response evaluate = this.pdp.evaluate(createRequest, this.vf.createIRI("urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:permit-overrides"));
            this.log.debug(evaluate.toString());
            Decision decision = evaluate.getDecision();
            if (decision != Decision.PERMIT) {
                if (decision == Decision.DENY) {
                    throw ErrorUtils.sendError(getMessageOrDefault(evaluate, "You do not have permission to perform this action"), Response.Status.UNAUTHORIZED);
                }
                if (decision == Decision.INDETERMINATE) {
                    throw ErrorUtils.sendError(getMessageOrDefault(evaluate, "Request indeterminate"), Response.Status.INTERNAL_SERVER_ERROR);
                }
            }
            this.log.info(String.format("Request permitted. %dms", Long.valueOf(System.currentTimeMillis() - currentTimeMillis)));
        } catch (IllegalArgumentException e2) {
            throw ErrorUtils.sendError(e2, e2.getMessage(), Response.Status.BAD_REQUEST);
        } catch (IllegalStateException e3) {
            throw ErrorUtils.sendError(e3, e3.getMessage(), Response.Status.INTERNAL_SERVER_ERROR);
        }
    }

    private IRI getResourceIdIri(ResourceId resourceId, ContainerRequestContext containerRequestContext, MultivaluedMap<String, String> multivaluedMap, MultivaluedMap<String, String> multivaluedMap2) {
        IRI createIRI;
        if (resourceId != null) {
            String value = resourceId.value();
            switch (resourceId.type()) {
                case PATH:
                    validatePathParam(value, multivaluedMap2, true);
                    createIRI = this.vf.createIRI((String) multivaluedMap2.getFirst(value));
                    break;
                case QUERY:
                    validateQueryParam(value, multivaluedMap, true);
                    createIRI = this.vf.createIRI((String) multivaluedMap.getFirst(value));
                    break;
                case BODY:
                    MultivaluedMap<String, String> formData = getFormData(containerRequestContext);
                    validateFormParam(value, formData, true);
                    createIRI = this.vf.createIRI((String) formData.getFirst(value));
                    break;
                case PROP_PATH:
                    IRI propPathStart = getPropPathStart(validatePropPathValue(resourceId.start()), multivaluedMap2, multivaluedMap, containerRequestContext, true);
                    RepositoryConnection connection = this.repository.getConnection();
                    try {
                        TupleQueryResult propPathResult = getPropPathResult(propPathStart, resourceId.value(), connection);
                        if (!propPathResult.hasNext()) {
                            throw ErrorUtils.sendError("No results returned for property path", Response.Status.INTERNAL_SERVER_ERROR);
                        }
                        createIRI = (IRI) Bindings.requiredResource((BindingSet) propPathResult.next(), "value");
                        propPathResult.close();
                        if (connection != null) {
                            connection.close();
                            break;
                        }
                    } catch (Throwable th) {
                        if (connection != null) {
                            try {
                                connection.close();
                            } catch (Throwable th2) {
                                th.addSuppressed(th2);
                            }
                        }
                        throw th;
                    }
                    break;
                case PRIMITIVE:
                default:
                    createIRI = this.vf.createIRI(resourceId.value());
                    break;
            }
        } else {
            createIRI = this.vf.createIRI(this.uriInfo.getAbsolutePath().toString());
        }
        return createIRI;
    }

    private Literal getLiteral(String str, String str2) {
        return this.vf.createLiteral(str, this.vf.createIRI(str2));
    }

    private ResourceId getResourceIdFromDefault(final DefaultResourceId defaultResourceId) {
        return new ResourceId() { // from class: com.mobi.rest.security.XACMLRequestFilter.1
            @Override // com.mobi.rest.security.annotations.ResourceId
            public String value() {
                return defaultResourceId.value();
            }

            @Override // com.mobi.rest.security.annotations.ResourceId
            public ValueType type() {
                return defaultResourceId.type();
            }

            @Override // com.mobi.rest.security.annotations.ResourceId
            public Value[] start() {
                return defaultResourceId.start();
            }

            @Override // com.mobi.rest.security.annotations.ResourceId
            public DefaultResourceId[] defaultValue() {
                return new DefaultResourceId[0];
            }

            @Override // java.lang.annotation.Annotation
            public Class<? extends Annotation> annotationType() {
                return ResourceId.class;
            }
        };
    }

    private String getMessageOrDefault(com.mobi.security.policy.api.Response response, String str) {
        return StringUtils.isEmpty(response.getStatusMessage()) ? str : response.getStatusMessage();
    }

    private boolean validatePathParam(String str, MultivaluedMap<String, String> multivaluedMap, boolean z) {
        if (multivaluedMap.containsKey(str) || !z) {
            return multivaluedMap.containsKey(str);
        }
        throw ErrorUtils.sendError("Path does not contain parameter " + str, Response.Status.INTERNAL_SERVER_ERROR);
    }

    private boolean validateQueryParam(String str, MultivaluedMap<String, String> multivaluedMap, boolean z) {
        if (multivaluedMap.containsKey(str) || !z) {
            return multivaluedMap.containsKey(str);
        }
        throw ErrorUtils.sendError("Query parameters do not contain " + str, Response.Status.INTERNAL_SERVER_ERROR);
    }

    private boolean validateFormParam(String str, MultivaluedMap<String, String> multivaluedMap, boolean z) {
        if ((!multivaluedMap.containsKey(str) || multivaluedMap.get(str) == null) && z) {
            throw ErrorUtils.sendError("Form parameters do not contain " + str, Response.Status.INTERNAL_SERVER_ERROR);
        }
        return multivaluedMap.containsKey(str) && multivaluedMap.get(str) != null;
    }

    private Value validatePropPathValue(Value[] valueArr) {
        if (valueArr.length != 1) {
            throw ErrorUtils.sendError("A Property Path value requires exactly one starting point", Response.Status.INTERNAL_SERVER_ERROR);
        }
        return valueArr[0];
    }

    private MultivaluedMap<String, String> getFormData(ContainerRequestContext containerRequestContext) {
        if (!containerRequestContext.hasEntity() || (!typeEqual(MediaType.MULTIPART_FORM_DATA_TYPE, containerRequestContext.getMediaType()) && !typeEqual(MediaType.APPLICATION_FORM_URLENCODED_TYPE, containerRequestContext.getMediaType()))) {
            throw ErrorUtils.sendError("Expected Request to have form data", Response.Status.INTERNAL_SERVER_ERROR);
        }
        if (typeEqual(MediaType.MULTIPART_FORM_DATA_TYPE, containerRequestContext.getMediaType())) {
            return getFormDataMultipart(containerRequestContext);
        }
        if (typeEqual(MediaType.APPLICATION_FORM_URLENCODED_TYPE, containerRequestContext.getMediaType())) {
            return getFormDataUrlEncoded(containerRequestContext);
        }
        throw ErrorUtils.sendError("Expected Request to have form data", Response.Status.INTERNAL_SERVER_ERROR);
    }

    private MultivaluedMap<String, String> getFormDataMultipart(final ContainerRequestContext containerRequestContext) {
        try {
            final ByteArrayInputStream byteArrayInputStream = Models.toByteArrayInputStream(containerRequestContext.getEntityStream());
            MultivaluedHashMap multivaluedHashMap = new MultivaluedHashMap();
            FileItemIterator itemIterator = new FileUpload().getItemIterator(new RequestContext() { // from class: com.mobi.rest.security.XACMLRequestFilter.2
                public String getCharacterEncoding() {
                    return StandardCharsets.UTF_8.name();
                }

                public String getContentType() {
                    return containerRequestContext.getMediaType().toString();
                }

                public int getContentLength() {
                    return 0;
                }

                public InputStream getInputStream() throws IOException {
                    return byteArrayInputStream;
                }
            });
            while (itemIterator.hasNext()) {
                FileItemStream next = itemIterator.next();
                String fieldName = next.getFieldName();
                if (next.isFormField()) {
                    InputStream openStream = next.openStream();
                    try {
                        multivaluedHashMap.add(fieldName, Streams.asString(openStream));
                        if (openStream != null) {
                            openStream.close();
                        }
                    } finally {
                    }
                }
            }
            byteArrayInputStream.reset();
            containerRequestContext.setEntityStream(byteArrayInputStream);
            return multivaluedHashMap;
        } catch (Exception e) {
            throw ErrorUtils.sendError(e, "Could not retrieve form from request: ", Response.Status.INTERNAL_SERVER_ERROR);
        }
    }

    private MultivaluedMap<String, String> getFormDataUrlEncoded(ContainerRequestContext containerRequestContext) {
        try {
            ByteArrayInputStream byteArrayInputStream = Models.toByteArrayInputStream(containerRequestContext.getEntityStream());
            Form form = (Form) this.providers.getMessageBodyReader(Form.class, Form.class, new Annotation[0], MediaType.APPLICATION_FORM_URLENCODED_TYPE).readFrom(Form.class, Form.class, new Annotation[0], MediaType.APPLICATION_FORM_URLENCODED_TYPE, (MultivaluedMap) null, byteArrayInputStream);
            byteArrayInputStream.reset();
            containerRequestContext.setEntityStream(byteArrayInputStream);
            return form.asMap();
        } catch (Exception e) {
            throw ErrorUtils.sendError(e, "Could not retrieve form from request: ", Response.Status.INTERNAL_SERVER_ERROR);
        }
    }

    private boolean typeEqual(MediaType mediaType, MediaType mediaType2) {
        return mediaType != null && mediaType2 != null && mediaType.getSubtype().equalsIgnoreCase(mediaType2.getSubtype()) && mediaType.getType().equalsIgnoreCase(mediaType2.getType());
    }

    private void setAttributes(Map<String, Literal> map, AttributeValue[] attributeValueArr, MultivaluedMap<String, String> multivaluedMap, MultivaluedMap<String, String> multivaluedMap2, ContainerRequestContext containerRequestContext) {
        Stream.of((Object[]) attributeValueArr).forEach(attributeValue -> {
            Literal literal;
            String value = attributeValue.value();
            String datatype = attributeValue.datatype();
            boolean required = attributeValue.required();
            switch (attributeValue.type()) {
                case PATH:
                    literal = validatePathParam(value, multivaluedMap, required) ? getLiteral((String) multivaluedMap.getFirst(value), datatype) : null;
                    break;
                case QUERY:
                    literal = validateQueryParam(value, multivaluedMap2, required) ? getLiteral((String) multivaluedMap2.getFirst(value), datatype) : null;
                    break;
                case BODY:
                    MultivaluedMap<String, String> formData = getFormData(containerRequestContext);
                    literal = validateFormParam(value, formData, required) ? getLiteral((String) formData.getFirst(value), datatype) : null;
                    break;
                case PROP_PATH:
                    IRI propPathStart = getPropPathStart(validatePropPathValue(attributeValue.start()), multivaluedMap, multivaluedMap2, containerRequestContext, required);
                    RepositoryConnection connection = this.repository.getConnection();
                    try {
                        TupleQueryResult propPathResult = getPropPathResult(propPathStart, attributeValue.value(), connection);
                        if (propPathResult.hasNext()) {
                            literal = getLiteral(((Binding) Optional.ofNullable(((BindingSet) propPathResult.next()).getBinding("value")).orElseThrow(() -> {
                                return ErrorUtils.sendError("Property Value binding is not present", Response.Status.INTERNAL_SERVER_ERROR);
                            })).getValue().stringValue(), datatype);
                        } else {
                            if (!required) {
                                throw ErrorUtils.sendError("No results returned for property path", Response.Status.INTERNAL_SERVER_ERROR);
                            }
                            literal = null;
                        }
                        propPathResult.close();
                        if (connection != null) {
                            connection.close();
                            break;
                        }
                    } catch (Throwable th) {
                        if (connection != null) {
                            try {
                                connection.close();
                            } catch (Throwable th2) {
                                th.addSuppressed(th2);
                            }
                        }
                        throw th;
                    }
                    break;
                case PRIMITIVE:
                default:
                    literal = getLiteral(value, datatype);
                    break;
            }
            if (literal != null) {
                map.put(attributeValue.id(), literal);
            }
        });
    }

    private IRI getPropPathStart(Value value, MultivaluedMap<String, String> multivaluedMap, MultivaluedMap<String, String> multivaluedMap2, ContainerRequestContext containerRequestContext, boolean z) {
        IRI createIRI;
        String value2 = value.value();
        switch (value.type()) {
            case PATH:
                createIRI = validatePathParam(value2, multivaluedMap, z) ? this.vf.createIRI((String) multivaluedMap.getFirst(value2)) : null;
                break;
            case QUERY:
                createIRI = validateQueryParam(value2, multivaluedMap2, z) ? this.vf.createIRI((String) multivaluedMap2.getFirst(value2)) : null;
                break;
            case BODY:
                MultivaluedMap<String, String> formData = getFormData(containerRequestContext);
                createIRI = validateFormParam(value2, formData, z) ? this.vf.createIRI((String) formData.getFirst(value2)) : null;
                break;
            case PROP_PATH:
                throw ErrorUtils.sendError("Property Path not supported as a property path starting point", Response.Status.INTERNAL_SERVER_ERROR);
            case PRIMITIVE:
            default:
                createIRI = this.vf.createIRI(value.value());
                break;
        }
        return createIRI;
    }

    private TupleQueryResult getPropPathResult(IRI iri, String str, RepositoryConnection repositoryConnection) {
        TupleQuery prepareTupleQuery = repositoryConnection.prepareTupleQuery("select ?value where { ?start " + str + " ?value }");
        prepareTupleQuery.setBinding("start", iri);
        return prepareTupleQuery.evaluate();
    }
}
