package com.ibm.fhir.smart;

import com.ibm.fhir.config.FHIRConfigHelper;
import com.ibm.fhir.config.FHIRRequestContext;
import com.ibm.fhir.model.resource.Bundle;
import com.ibm.fhir.model.resource.OperationOutcome;
import com.ibm.fhir.model.resource.Parameters;
import com.ibm.fhir.model.resource.Provenance;
import com.ibm.fhir.model.resource.Resource;
import com.ibm.fhir.model.resource.SearchParameter;
import com.ibm.fhir.model.type.Canonical;
import com.ibm.fhir.model.type.Reference;
import com.ibm.fhir.model.type.code.CompartmentType;
import com.ibm.fhir.model.type.code.HTTPVerb;
import com.ibm.fhir.model.type.code.IssueType;
import com.ibm.fhir.model.type.code.ResourceType;
import com.ibm.fhir.model.util.FHIRUtil;
import com.ibm.fhir.model.util.ModelSupport;
import com.ibm.fhir.path.FHIRPathNode;
import com.ibm.fhir.path.evaluator.FHIRPathEvaluator;
import com.ibm.fhir.persistence.FHIRPersistence;
import com.ibm.fhir.persistence.SingleResourceResult;
import com.ibm.fhir.persistence.context.FHIRPersistenceContext;
import com.ibm.fhir.persistence.context.FHIRPersistenceContextFactory;
import com.ibm.fhir.persistence.context.FHIRPersistenceEvent;
import com.ibm.fhir.persistence.exception.FHIRPersistenceException;
import com.ibm.fhir.persistence.exception.FHIRPersistenceResourceDeletedException;
import com.ibm.fhir.persistence.exception.FHIRPersistenceResourceNotFoundException;
import com.ibm.fhir.search.compartment.CompartmentHelper;
import com.ibm.fhir.search.context.FHIRSearchContext;
import com.ibm.fhir.search.exception.FHIRSearchException;
import com.ibm.fhir.search.parameters.QueryParameter;
import com.ibm.fhir.search.parameters.QueryParameterValue;
import com.ibm.fhir.search.util.ReferenceUtil;
import com.ibm.fhir.search.util.ReferenceValue;
import com.ibm.fhir.search.util.SearchHelper;
import com.ibm.fhir.server.spi.interceptor.FHIRPersistenceInterceptor;
import com.ibm.fhir.server.spi.interceptor.FHIRPersistenceInterceptorException;
import com.ibm.fhir.server.spi.operation.FHIROperationContext;
import com.ibm.fhir.smart.JWT;
import com.ibm.fhir.smart.Scope;
import jakarta.json.Json;
import jakarta.json.JsonObject;
import jakarta.json.JsonReaderFactory;
import jakarta.json.JsonValue;
import java.io.StringReader;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.logging.Level;
import java.util.logging.Logger;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import javax.ws.rs.core.Response;

/* loaded from: input_file:com/ibm/fhir/smart/AuthzPolicyEnforcementPersistenceInterceptor.class */
public class AuthzPolicyEnforcementPersistenceInterceptor implements FHIRPersistenceInterceptor {
    private static final String DAVINCI_DRUG_FORMULARY_COVERAGE_PLAN = "http://hl7.org/fhir/us/davinci-drug-formulary/StructureDefinition/usdf-CoveragePlan";
    private static final String BEARER_TOKEN_PREFIX = "Bearer";
    private static final String PATIENT = "Patient";
    private static final String RESOURCE = "Resource";
    private static final String REQUEST_NOT_PERMITTED = "Requested interaction is not permitted by any of the passed scopes.";
    private final CompartmentHelper compartmentHelper = new CompartmentHelper();
    private final SearchHelper searchHelper = new SearchHelper();
    private static final Logger log = Logger.getLogger(AuthzPolicyEnforcementPersistenceInterceptor.class.getName());
    private static final JsonReaderFactory JSON_READER_FACTORY = Json.createReaderFactory((Map) null);

    /* JADX INFO: Access modifiers changed from: package-private */
    /* renamed from: com.ibm.fhir.smart.AuthzPolicyEnforcementPersistenceInterceptor$1, reason: invalid class name */
    /* loaded from: input_file:com/ibm/fhir/smart/AuthzPolicyEnforcementPersistenceInterceptor$1.class */
    public static /* synthetic */ class AnonymousClass1 {
        static final /* synthetic */ int[] $SwitchMap$com$ibm$fhir$server$spi$operation$FHIROperationContext$Type = new int[FHIROperationContext.Type.values().length];

        static {
            try {
                $SwitchMap$com$ibm$fhir$server$spi$operation$FHIROperationContext$Type[FHIROperationContext.Type.INSTANCE.ordinal()] = 1;
            } catch (NoSuchFieldError e) {
            }
            try {
                $SwitchMap$com$ibm$fhir$server$spi$operation$FHIROperationContext$Type[FHIROperationContext.Type.RESOURCE_TYPE.ordinal()] = 2;
            } catch (NoSuchFieldError e2) {
            }
            try {
                $SwitchMap$com$ibm$fhir$server$spi$operation$FHIROperationContext$Type[FHIROperationContext.Type.SYSTEM.ordinal()] = 3;
            } catch (NoSuchFieldError e3) {
            }
        }
    }

    public void beforeInvoke(FHIROperationContext fHIROperationContext) throws FHIRPersistenceInterceptorException {
        Scope.Permission permission;
        Set<String> computeExportResourceTypes;
        if ("import".equals(fHIROperationContext.getOperationCode())) {
            permission = Scope.Permission.WRITE;
            computeExportResourceTypes = computeImportResourceTypes(fHIROperationContext);
        } else {
            if (!"export".equals(fHIROperationContext.getOperationCode())) {
                return;
            }
            permission = Scope.Permission.READ;
            computeExportResourceTypes = computeExportResourceTypes(fHIROperationContext);
        }
        if (computeExportResourceTypes.isEmpty()) {
            throw new IllegalStateException("The set of resource types was unexpectedly empty");
        }
        JWT.DecodedJWT decode = JWT.decode(getAccessToken());
        List<Scope> list = getScopesFromToken(decode).get(Scope.ContextType.SYSTEM);
        Iterator<String> it = computeExportResourceTypes.iterator();
        while (it.hasNext()) {
            checkSystemScopes(it.next(), permission, list, decode);
        }
    }

    public void afterInvoke(FHIROperationContext fHIROperationContext) throws FHIRPersistenceInterceptorException {
        Scope.Permission permission = Scope.Permission.READ;
        HashSet hashSet = new HashSet();
        if ("bulkdata-status".equals(fHIROperationContext.getOperationCode())) {
            Parameters parameters = (Parameters) fHIROperationContext.getProperty("REQUEST_PARAMETERS");
            Response response = (Response) fHIROperationContext.getProperty("RESPONSE");
            if (response.hasEntity()) {
                Object entity = response.getEntity();
                if (!(entity instanceof String)) {
                    throw new IllegalStateException("Encountered unexpected response entity of type " + entity.getClass().getName());
                }
                JsonObject readObject = JSON_READER_FACTORY.createReader(new StringReader((String) entity)).readObject();
                String string = readObject.getJsonString("request").getString();
                if (string.contains("$export")) {
                    Iterator it = readObject.getJsonArray("output").iterator();
                    while (it.hasNext()) {
                        hashSet.add(((JsonValue) it.next()).asJsonObject().getString("type"));
                    }
                } else if (!string.contains("$import")) {
                    throw new IllegalStateException("Bulk data request for job '" + ((String) parameters.getParameter().stream().filter(parameter -> {
                        return "job".equals(parameter.getName().getValue());
                    }).map(parameter2 -> {
                        return parameter2.getValue().as(ModelSupport.FHIR_STRING).getValue();
                    }).findFirst().get()) + "' is neither '$import' nor '$export'!");
                }
            }
            JWT.DecodedJWT decode = JWT.decode(getAccessToken());
            List<Scope> list = getScopesFromToken(decode).get(Scope.ContextType.SYSTEM);
            Iterator it2 = hashSet.iterator();
            while (it2.hasNext()) {
                checkSystemScopes((String) it2.next(), permission, list, decode);
            }
        }
    }

    private Set<String> computeImportResourceTypes(FHIROperationContext fHIROperationContext) {
        return Collections.unmodifiableSet((Set) ((Parameters) fHIROperationContext.getProperty("REQUEST_PARAMETERS")).getParameter().stream().filter(parameter -> {
            return "input".equals(parameter.getName().getValue());
        }).map(parameter2 -> {
            return parameter2.getPart();
        }).flatMap(list -> {
            return list.stream().filter(parameter3 -> {
                return "type".equals(parameter3.getName().getValue());
            }).map(parameter4 -> {
                return parameter4.getValue().as(ModelSupport.FHIR_STRING).getValue();
            });
        }).collect(Collectors.toSet()));
    }

    private Set<String> computeExportResourceTypes(FHIROperationContext fHIROperationContext) {
        Set<String> supportedResourceTypes = FHIRConfigHelper.getSupportedResourceTypes();
        Set<String> hashSet = new HashSet();
        Optional findFirst = ((Parameters) fHIROperationContext.getProperty("REQUEST_PARAMETERS")).getParameter().stream().filter(parameter -> {
            return "_type".equals(parameter.getName().getValue());
        }).findFirst();
        switch (AnonymousClass1.$SwitchMap$com$ibm$fhir$server$spi$operation$FHIROperationContext$Type[fHIROperationContext.getType().ordinal()]) {
            case 1:
            case 2:
                try {
                    Set<String> compartmentResourceTypes = this.compartmentHelper.getCompartmentResourceTypes(PATIENT);
                    if (!findFirst.isPresent() || ((Parameters.Parameter) findFirst.get()).getValue() == null) {
                        hashSet = compartmentResourceTypes;
                    } else {
                        for (String str : Arrays.asList(((Parameters.Parameter) findFirst.get()).getValue().as(ModelSupport.FHIR_STRING).getValue().split(","))) {
                            if (!supportedResourceTypes.contains(str)) {
                                throw new IllegalStateException("Requested resource is not configured");
                            }
                            if (!compartmentResourceTypes.contains(str)) {
                                throw new IllegalStateException("Requested resource is outside of the Patient Compartment");
                            }
                            hashSet.add(str);
                        }
                    }
                    break;
                } catch (FHIRSearchException e) {
                    throw new IllegalStateException("Unexpected error while computing the resource types for the export", e);
                }
                break;
            case 3:
                if (!findFirst.isPresent() || ((Parameters.Parameter) findFirst.get()).getValue() == null) {
                    hashSet = supportedResourceTypes;
                    break;
                } else {
                    hashSet = Set.of((Object[]) ((Parameters.Parameter) findFirst.get()).getValue().as(ModelSupport.FHIR_STRING).getValue().split(","));
                    Iterator<String> it = hashSet.iterator();
                    while (it.hasNext()) {
                        if (!supportedResourceTypes.contains(it.next())) {
                            throw new IllegalStateException("Requested resource is not configured");
                        }
                    }
                    break;
                }
                break;
            default:
                log.warning("Unexpected export of type " + fHIROperationContext.getType());
                break;
        }
        return hashSet;
    }

    public void beforeRead(FHIRPersistenceEvent fHIRPersistenceEvent) throws FHIRPersistenceInterceptorException {
        String fhirResourceType = fHIRPersistenceEvent.getFhirResourceType();
        JWT.DecodedJWT decode = JWT.decode(getAccessToken());
        if (PATIENT.equals(fhirResourceType)) {
            enforceDirectPatientAccess(fhirResourceType, fHIRPersistenceEvent.getFhirResourceId(), decode);
        } else if (checkScopes(fhirResourceType, Scope.Permission.READ, getScopesFromToken(decode)) == Scope.ContextType.PATIENT) {
            assertPatientIdClaimIsValued(decode);
        }
    }

    private void assertPatientIdClaimIsValued(JWT.DecodedJWT decodedJWT) throws FHIRPersistenceInterceptorException {
        if (decodedJWT.getClaim("patient_id").isNull()) {
            throw new FHIRPersistenceInterceptorException("Access token is missing 'patient_id' claim").withIssue(new OperationOutcome.Issue[]{FHIRUtil.buildOperationOutcomeIssue("Access token is missing 'patient_id' claim", IssueType.FORBIDDEN)});
        }
    }

    public void beforeVread(FHIRPersistenceEvent fHIRPersistenceEvent) throws FHIRPersistenceInterceptorException {
        String fhirResourceType = fHIRPersistenceEvent.getFhirResourceType();
        JWT.DecodedJWT decode = JWT.decode(getAccessToken());
        if (PATIENT.equals(fhirResourceType)) {
            enforceDirectPatientAccess(fhirResourceType, fHIRPersistenceEvent.getFhirResourceId(), decode);
        } else if (checkScopes(fhirResourceType, Scope.Permission.READ, getScopesFromToken(decode)) == Scope.ContextType.PATIENT) {
            assertPatientIdClaimIsValued(decode);
        }
    }

    public void beforeHistory(FHIRPersistenceEvent fHIRPersistenceEvent) throws FHIRPersistenceInterceptorException {
        String fhirResourceType = fHIRPersistenceEvent.getFhirResourceType();
        JWT.DecodedJWT decode = JWT.decode(getAccessToken());
        if (fHIRPersistenceEvent.getFhirResourceId() == null) {
            enforceSystemLevelAccess(fhirResourceType, fHIRPersistenceEvent.getSystemHistoryContextImpl().getResourceTypes(), decode);
        } else if (PATIENT.equals(fhirResourceType)) {
            enforceDirectPatientAccess(fhirResourceType, fHIRPersistenceEvent.getFhirResourceId(), decode);
        } else if (checkScopes(fhirResourceType, Scope.Permission.READ, getScopesFromToken(decode)) == Scope.ContextType.PATIENT) {
            assertPatientIdClaimIsValued(decode);
        }
    }

    private void enforceDirectPatientAccess(String str, String str2, JWT.DecodedJWT decodedJWT) throws FHIRPersistenceInterceptorException {
        Map<Scope.ContextType, List<Scope>> scopesFromToken = getScopesFromToken(decodedJWT);
        if (isApprovedByScopes(str, Scope.Permission.READ, scopesFromToken.get(Scope.ContextType.USER)) || isApprovedByScopes(str, Scope.Permission.READ, scopesFromToken.get(Scope.ContextType.SYSTEM))) {
            return;
        }
        if (!isApprovedByScopes(str, Scope.Permission.READ, scopesFromToken.get(Scope.ContextType.PATIENT))) {
            String str3 = "Read permission for '" + str + "' is not granted by any of the provided scopes: " + scopesFromToken.values();
            if (log.isLoggable(Level.FINE)) {
                log.fine(str3);
            }
            throw new FHIRPersistenceInterceptorException(str3).withIssue(new OperationOutcome.Issue[]{FHIRUtil.buildOperationOutcomeIssue(str3, IssueType.FORBIDDEN)});
        }
        Set<String> patientIdFromToken = getPatientIdFromToken(decodedJWT);
        if (patientIdFromToken.contains(str2)) {
            return;
        }
        String str4 = "Interaction with 'Patient/" + str2 + "' is not permitted under patient context '" + patientIdFromToken + "'.";
        throw new FHIRPersistenceInterceptorException(str4).withIssue(new OperationOutcome.Issue[]{FHIRUtil.buildOperationOutcomeIssue(str4, IssueType.FORBIDDEN)});
    }

    private void enforceSystemLevelAccess(String str, List<String> list, JWT.DecodedJWT decodedJWT) throws FHIRPersistenceInterceptorException {
        Map<Scope.ContextType, List<Scope>> scopesFromToken = getScopesFromToken(decodedJWT);
        boolean z = (list == null || list.isEmpty()) ? false : true;
        if (!z && RESOURCE.equals(str)) {
            if (isApprovedByScopes(str, Scope.Permission.READ, scopesFromToken.get(Scope.ContextType.USER)) || isApprovedByScopes(str, Scope.Permission.READ, scopesFromToken.get(Scope.ContextType.SYSTEM))) {
                return;
            }
            if (log.isLoggable(Level.FINE)) {
                log.fine("Whole-system interactions require a user or system scope with a wildcard resource type: ('user'|'system') '/' '*' '.' ('read'|'*')");
            }
            throw new FHIRPersistenceInterceptorException("Whole-system interactions require a user or system scope with a wildcard resource type: ('user'|'system') '/' '*' '.' ('read'|'*')").withIssue(new OperationOutcome.Issue[]{FHIRUtil.buildOperationOutcomeIssue("Whole-system interactions require a user or system scope with a wildcard resource type: ('user'|'system') '/' '*' '.' ('read'|'*')", IssueType.FORBIDDEN)});
        }
        for (String str2 : z ? list : Arrays.asList(str)) {
            if (!isApprovedByScopes(str2, Scope.Permission.READ, scopesFromToken.get(Scope.ContextType.USER)) && !isApprovedByScopes(str2, Scope.Permission.READ, scopesFromToken.get(Scope.ContextType.SYSTEM))) {
                if (!isApprovedByScopes(str2, Scope.Permission.READ, scopesFromToken.get(Scope.ContextType.PATIENT))) {
                    String str3 = "Read permission for system-level interaction with type '" + str2 + "' is not granted by any of the provided scopes: " + scopesFromToken.values();
                    if (log.isLoggable(Level.FINE)) {
                        log.fine(str3);
                    }
                    throw new FHIRPersistenceInterceptorException(str3).withIssue(new OperationOutcome.Issue[]{FHIRUtil.buildOperationOutcomeIssue(str3, IssueType.FORBIDDEN)});
                }
                try {
                    if (this.compartmentHelper.getCompartmentResourceTypes(PATIENT).contains(str2)) {
                        String str4 = "'patient' scoped access tokens are not supported for system-level interactions against patient compartment resource types like " + str2;
                        if (log.isLoggable(Level.FINE)) {
                            log.fine(str4);
                        }
                        throw new FHIRPersistenceInterceptorException(str4).withIssue(new OperationOutcome.Issue[]{FHIRUtil.buildOperationOutcomeIssue(str4, IssueType.FORBIDDEN)});
                    }
                } catch (Exception e) {
                    throw new FHIRPersistenceInterceptorException("Unexpected exception while enforcing system level access", e).withIssue(new OperationOutcome.Issue[]{FHIRUtil.buildOperationOutcomeIssue("Unexpected exception while enforcing system level access", IssueType.EXCEPTION)});
                }
            }
        }
    }

    public void beforeSearch(FHIRPersistenceEvent fHIRPersistenceEvent) throws FHIRPersistenceInterceptorException {
        String fhirResourceType = fHIRPersistenceEvent.getFhirResourceType();
        JWT.DecodedJWT decode = JWT.decode(getAccessToken());
        FHIRSearchContext searchContextImpl = fHIRPersistenceEvent.getSearchContextImpl();
        if (RESOURCE.equals(fhirResourceType)) {
            enforceSystemLevelAccess(fhirResourceType, searchContextImpl.getSearchResourceTypes(), decode);
            return;
        }
        Scope.ContextType checkScopes = checkScopes(fHIRPersistenceEvent.getFhirResourceType(), Scope.Permission.READ, getScopesFromToken(decode));
        if (checkScopes == Scope.ContextType.SYSTEM || checkScopes == Scope.ContextType.USER) {
            return;
        }
        assertPatientIdClaimIsValued(decode);
        Set<String> patientIdFromToken = getPatientIdFromToken(decode);
        String str = null;
        String str2 = null;
        Iterator it = searchContextImpl.getSearchParameters().iterator();
        while (true) {
            if (!it.hasNext()) {
                break;
            }
            QueryParameter queryParameter = (QueryParameter) it.next();
            if (queryParameter.isInclusionCriteria()) {
                String[] split = ((QueryParameterValue) queryParameter.getValues().get(0)).getValueString().split("/");
                str = split[0];
                str2 = split[1];
                break;
            }
        }
        if (str == null) {
            try {
                if (this.compartmentHelper.getCompartmentResourceTypes(PATIENT).contains(fHIRPersistenceEvent.getFhirResourceType())) {
                    if ("List".equals(fHIRPersistenceEvent.getFhirResourceType())) {
                        return;
                    } else {
                        searchContextImpl.getSearchParameters().add(0, this.searchHelper.buildInclusionCriteria(PATIENT, patientIdFromToken, fHIRPersistenceEvent.getFhirResourceType()));
                    }
                }
                return;
            } catch (Exception e) {
                String str3 = "Unexpected exception converting to Patient compartment search: " + e.getMessage();
                throw new FHIRPersistenceInterceptorException(str3).withIssue(new OperationOutcome.Issue[]{FHIRUtil.buildOperationOutcomeIssue(str3, IssueType.EXCEPTION)});
            }
        }
        String str4 = str;
        boolean z = -1;
        switch (str4.hashCode()) {
            case -766867181:
                if (str4.equals("Encounter")) {
                    z = true;
                    break;
                }
                break;
            case 738893626:
                if (str4.equals("Practitioner")) {
                    z = 3;
                    break;
                }
                break;
            case 846088000:
                if (str4.equals("RelatedPerson")) {
                    z = 4;
                    break;
                }
                break;
            case 873235173:
                if (str4.equals(PATIENT)) {
                    z = false;
                    break;
                }
                break;
            case 2043677302:
                if (str4.equals("Device")) {
                    z = 2;
                    break;
                }
                break;
        }
        switch (z) {
            case false:
                if (!patientIdFromToken.contains(str2)) {
                    String str5 = "Interaction with 'Patient/" + str2 + "' is not permitted for patient context " + patientIdFromToken;
                    throw new FHIRPersistenceInterceptorException(str5).withIssue(new OperationOutcome.Issue[]{FHIRUtil.buildOperationOutcomeIssue(str5, IssueType.FORBIDDEN)});
                }
                break;
            case true:
                if (!isInCompartment(str, str2, executeRead(fHIRPersistenceEvent.getPersistenceImpl(), ModelSupport.getResourceType(str), str2), CompartmentType.PATIENT, patientIdFromToken)) {
                    String str6 = "Interaction with 'Encounter/" + str2 + "' is not permitted for patient context " + patientIdFromToken;
                    throw new FHIRPersistenceInterceptorException(str6).withIssue(new OperationOutcome.Issue[]{FHIRUtil.buildOperationOutcomeIssue(str6, IssueType.FORBIDDEN)});
                }
                break;
            case true:
            case true:
            case true:
                String str7 = "Compartment search for compartment type '" + str + "' is not permitted.";
                throw new FHIRPersistenceInterceptorException(str7).withIssue(new OperationOutcome.Issue[]{FHIRUtil.buildOperationOutcomeIssue(str7, IssueType.FORBIDDEN)});
        }
        if (log.isLoggable(Level.FINE)) {
            log.fine("Performing compartment search for compartment '" + str + "/" + str2 + "'.");
        }
    }

    public void beforeCreate(FHIRPersistenceEvent fHIRPersistenceEvent) throws FHIRPersistenceInterceptorException {
        JWT.DecodedJWT decode = JWT.decode(getAccessToken());
        enforce(fHIRPersistenceEvent.getFhirResource(), getPatientIdFromToken(decode), Scope.Permission.WRITE, getScopesFromToken(decode));
    }

    public void beforeDelete(FHIRPersistenceEvent fHIRPersistenceEvent) throws FHIRPersistenceInterceptorException {
        JWT.DecodedJWT decode = JWT.decode(getAccessToken());
        enforce(fHIRPersistenceEvent.getPrevFhirResource(), getPatientIdFromToken(decode), Scope.Permission.WRITE, getScopesFromToken(decode));
    }

    public void beforeUpdate(FHIRPersistenceEvent fHIRPersistenceEvent) throws FHIRPersistenceInterceptorException {
        JWT.DecodedJWT decode = JWT.decode(getAccessToken());
        Set<String> patientIdFromToken = getPatientIdFromToken(decode);
        Map<Scope.ContextType, List<Scope>> scopesFromToken = getScopesFromToken(decode);
        enforce(fHIRPersistenceEvent.getPrevFhirResource(), patientIdFromToken, Scope.Permission.READ, scopesFromToken);
        enforce(fHIRPersistenceEvent.getFhirResource(), patientIdFromToken, Scope.Permission.WRITE, scopesFromToken);
    }

    public void afterRead(FHIRPersistenceEvent fHIRPersistenceEvent) throws FHIRPersistenceInterceptorException {
        Resource fhirResource = fHIRPersistenceEvent.getFhirResource();
        if (fhirResource != null) {
            JWT.DecodedJWT decode = JWT.decode(getAccessToken());
            Set<String> patientIdFromToken = getPatientIdFromToken(decode);
            Map<Scope.ContextType, List<Scope>> scopesFromToken = getScopesFromToken(decode);
            enforceDirectProvenanceAccess(fHIRPersistenceEvent, fhirResource, patientIdFromToken, scopesFromToken);
            enforce(fhirResource, patientIdFromToken, Scope.Permission.READ, scopesFromToken);
        }
    }

    public void afterVread(FHIRPersistenceEvent fHIRPersistenceEvent) throws FHIRPersistenceInterceptorException {
        Resource fhirResource = fHIRPersistenceEvent.getFhirResource();
        if (fhirResource != null) {
            JWT.DecodedJWT decode = JWT.decode(getAccessToken());
            Set<String> patientIdFromToken = getPatientIdFromToken(decode);
            Map<Scope.ContextType, List<Scope>> scopesFromToken = getScopesFromToken(decode);
            enforceDirectProvenanceAccess(fHIRPersistenceEvent, fhirResource, patientIdFromToken, scopesFromToken);
            enforce(fhirResource, patientIdFromToken, Scope.Permission.READ, scopesFromToken);
        }
    }

    public void afterHistory(FHIRPersistenceEvent fHIRPersistenceEvent) throws FHIRPersistenceInterceptorException {
        JWT.DecodedJWT decode = JWT.decode(getAccessToken());
        Set<String> patientIdFromToken = getPatientIdFromToken(decode);
        Map<Scope.ContextType, List<Scope>> scopesFromToken = getScopesFromToken(decode);
        if (!(fHIRPersistenceEvent.getFhirResource() instanceof Bundle)) {
            throw new IllegalStateException("Expected event resource of type Bundle but found " + fHIRPersistenceEvent.getFhirResource().getClass().getSimpleName());
        }
        for (Bundle.Entry entry : fHIRPersistenceEvent.getFhirResource().getEntry()) {
            String resourceType = getResourceType(entry);
            String resourceId = getResourceId(entry);
            Resource resource = entry.getResource();
            enforceDirectProvenanceAccess(fHIRPersistenceEvent, resource, patientIdFromToken, scopesFromToken);
            if (resourceType == null || resourceId == null) {
                throw new FHIRPersistenceInterceptorException("Unable to enforce authorization for history interaction due to failure to compute the resource type and id for one or more response Bundle entries.");
            }
            if (resource != null || entry.getRequest() == null || entry.getRequest().getMethod().getValueAsEnum() != HTTPVerb.Value.DELETE) {
                enforce(resourceType, resourceId, resource, patientIdFromToken, Scope.Permission.READ, scopesFromToken);
            }
        }
    }

    private void enforceDirectProvenanceAccess(FHIRPersistenceEvent fHIRPersistenceEvent, Resource resource, Set<String> set, Map<Scope.ContextType, List<Scope>> map) throws FHIRPersistenceInterceptorException {
        if ((resource instanceof Provenance) && checkScopes("Provenance", Scope.Permission.READ, map) == Scope.ContextType.PATIENT && !isAllowed(((Provenance) resource).getTarget(), fHIRPersistenceEvent.getPersistenceImpl(), set, Scope.Permission.READ, map)) {
            String str = Scope.Permission.READ + " permission to 'Provenance/" + resource.getId() + "' with context id(s): " + set + " requires access to one or more of its target resources.";
            if (log.isLoggable(Level.FINE)) {
                log.fine(str);
            }
            throw new FHIRPersistenceInterceptorException(str).withIssue(new OperationOutcome.Issue[]{FHIRUtil.buildOperationOutcomeIssue(str, IssueType.FORBIDDEN)});
        }
    }

    private boolean isAllowed(List<Reference> list, FHIRPersistence fHIRPersistence, Set<String> set, Scope.Permission permission, Map<Scope.ContextType, List<Scope>> map) {
        boolean z = false;
        try {
            String serviceBaseUrl = ReferenceUtil.getServiceBaseUrl();
            Iterator<Reference> it = list.iterator();
            while (true) {
                if (!it.hasNext()) {
                    break;
                }
                ReferenceValue createReferenceValueFrom = ReferenceUtil.createReferenceValueFrom(it.next(), serviceBaseUrl);
                if (ReferenceValue.ReferenceType.LITERAL_RELATIVE == createReferenceValueFrom.getType()) {
                    try {
                        SingleResourceResult<? extends Resource> executeRead = executeRead(fHIRPersistence, createReferenceValueFrom, ModelSupport.getResourceType(createReferenceValueFrom.getTargetResourceType()));
                        if (executeRead.isSuccess() && isInCompartment(executeRead.getResourceTypeName(), executeRead.getLogicalId(), executeRead.getResource(), CompartmentType.PATIENT, set)) {
                            z = true;
                            break;
                        }
                        if (!executeRead.isSuccess() && log.isLoggable(Level.FINE)) {
                            log.fine("Skipping target " + createReferenceValueFrom.getTargetResourceType() + "/" + createReferenceValueFrom.getType() + "' during enforcement due to a read failure: " + executeRead.getOutcome());
                        }
                    } catch (FHIRPersistenceException e) {
                        if (log.isLoggable(Level.FINE)) {
                            log.log(Level.FINE, "Skipping target '" + createReferenceValueFrom.getTargetResourceType() + "/" + createReferenceValueFrom.getType() + "' during enforcement due to an error while reading.", e);
                        }
                    }
                } else if (log.isLoggable(Level.FINE)) {
                    log.fine("Skipping target '" + createReferenceValueFrom.getValue() + "' of type '" + createReferenceValueFrom.getType() + "' during enforcement of Provenance access.");
                }
            }
            return z;
        } catch (FHIRSearchException e2) {
            throw new IllegalStateException("Unexpected error while computing the service baseUrl");
        }
    }

    private SingleResourceResult<? extends Resource> executeRead(FHIRPersistence fHIRPersistence, ReferenceValue referenceValue, Class<? extends Resource> cls) throws FHIRPersistenceException {
        FHIRPersistenceContext createPersistenceContext = FHIRPersistenceContextFactory.createPersistenceContext((FHIRPersistenceEvent) null);
        return referenceValue.getVersion() == null ? fHIRPersistence.read(createPersistenceContext, cls, referenceValue.getValue()) : fHIRPersistence.vread(createPersistenceContext, cls, referenceValue.getValue(), referenceValue.getVersion().toString());
    }

    private Resource executeRead(FHIRPersistence fHIRPersistence, Class<? extends Resource> cls, String str) throws FHIRPersistenceInterceptorException {
        try {
            SingleResourceResult read = fHIRPersistence.read(FHIRPersistenceContextFactory.createPersistenceContext((FHIRPersistenceEvent) null), cls, str);
            if (read.isSuccess()) {
                return read.getResource();
            }
            throw new FHIRPersistenceInterceptorException("Unexpected error while reading resource " + cls.getSimpleName() + "/" + str).withIssue(read.getOutcome().getIssue());
        } catch (FHIRPersistenceException e) {
            String str2 = "Unexpected error while reading resource " + cls.getSimpleName() + "/" + str;
            log.log(Level.WARNING, str2, e);
            throw new FHIRPersistenceInterceptorException(str2);
        } catch (FHIRPersistenceResourceNotFoundException | FHIRPersistenceResourceDeletedException e2) {
            String str3 = "The resource '" + cls.getSimpleName() + "/" + str + "' does not exist.";
            throw new FHIRPersistenceInterceptorException(str3).withIssue(new OperationOutcome.Issue[]{FHIRUtil.buildOperationOutcomeIssue(str3, IssueType.FORBIDDEN)});
        } catch (FHIRPersistenceInterceptorException e3) {
            throw e3;
        }
    }

    public void afterSearch(FHIRPersistenceEvent fHIRPersistenceEvent) throws FHIRPersistenceInterceptorException {
        JWT.DecodedJWT decode = JWT.decode(getAccessToken());
        Set<String> patientIdFromToken = getPatientIdFromToken(decode);
        Map<Scope.ContextType, List<Scope>> scopesFromToken = getScopesFromToken(decode);
        if (!(fHIRPersistenceEvent.getFhirResource() instanceof Bundle)) {
            throw new IllegalStateException("Expected event resource of type Bundle but found " + fHIRPersistenceEvent.getFhirResource().getClass().getSimpleName());
        }
        for (Bundle.Entry entry : fHIRPersistenceEvent.getFhirResource().getEntry()) {
            String resourceType = getResourceType(entry);
            String resourceId = getResourceId(entry);
            if (resourceType == null || resourceId == null) {
                throw new FHIRPersistenceInterceptorException("Unable to enforce authorization for search interaction due to failure to compute the resource type and id for one or more response Bundle entries.");
            }
            enforce(resourceType, resourceId, entry.getResource(), patientIdFromToken, Scope.Permission.READ, scopesFromToken);
        }
    }

    private Scope.ContextType checkScopes(String str, Scope.Permission permission, Map<Scope.ContextType, List<Scope>> map) throws FHIRPersistenceInterceptorException {
        for (Scope.ContextType contextType : List.of(Scope.ContextType.SYSTEM, Scope.ContextType.USER, Scope.ContextType.PATIENT)) {
            if (isApprovedByScopes(str, permission, map.get(contextType))) {
                return contextType;
            }
        }
        String str2 = permission.value() + " permission for '" + str + "' is not granted by any of the provided scopes: " + map.values();
        if (log.isLoggable(Level.FINE)) {
            log.fine(str2);
        }
        throw new FHIRPersistenceInterceptorException(str2).withIssue(new OperationOutcome.Issue[]{FHIRUtil.buildOperationOutcomeIssue(str2, IssueType.FORBIDDEN)});
    }

    private void checkSystemScopes(String str, Scope.Permission permission, List<Scope> list, JWT.DecodedJWT decodedJWT) throws FHIRPersistenceInterceptorException {
        if (isApprovedByScopes(str, permission, list)) {
            return;
        }
        String str2 = permission.value() + " permission for '" + str + "' not granted by any of the provided scopes that begin with 'system/':" + getScopesFromToken(decodedJWT);
        if (log.isLoggable(Level.FINE)) {
            log.fine(str2);
        }
        throw new FHIRPersistenceInterceptorException(str2).withIssue(new OperationOutcome.Issue[]{FHIRUtil.buildOperationOutcomeIssue(str2, IssueType.FORBIDDEN)});
    }

    private boolean isApprovedByScopes(String str, Scope.Permission permission, List<Scope> list) {
        if (list == null) {
            return false;
        }
        for (Scope scope : list) {
            if (scope.getResourceType() == ResourceType.Value.RESOURCE || scope.getResourceType().value().equals(str)) {
                if (hasPermission(scope.getPermission(), permission)) {
                    if (!log.isLoggable(Level.FINE)) {
                        return true;
                    }
                    log.fine(permission.value() + " permission for '" + str + "' is granted via scope " + scope);
                    return true;
                }
            }
        }
        return false;
    }

    private boolean hasPermission(Scope.Permission permission, Scope.Permission permission2) {
        return permission == Scope.Permission.ALL || permission == permission2;
    }

    private void enforce(Resource resource, Set<String> set, Scope.Permission permission, Map<Scope.ContextType, List<Scope>> map) throws FHIRPersistenceInterceptorException {
        Objects.requireNonNull(resource, "resource");
        enforce(resource.getClass().getSimpleName(), resource.getId(), resource, set, permission, map);
    }

    private void enforce(String str, String str2, Resource resource, Set<String> set, Scope.Permission permission, Map<Scope.ContextType, List<Scope>> map) throws FHIRPersistenceInterceptorException {
        if (isAllowed(str, str2, resource, set, permission, map)) {
            return;
        }
        if (log.isLoggable(Level.FINE)) {
            log.fine(permission.value() + " permission for '" + str + "/" + str2 + "' is not granted by any of the provided scopes: " + map.values() + " with context id(s): " + set);
        }
        throw new FHIRPersistenceInterceptorException(REQUEST_NOT_PERMITTED).withIssue(new OperationOutcome.Issue[]{FHIRUtil.buildOperationOutcomeIssue(REQUEST_NOT_PERMITTED, IssueType.FORBIDDEN)});
    }

    private boolean isAllowed(String str, String str2, Resource resource, Set<String> set, Scope.Permission permission, Map<Scope.ContextType, List<Scope>> map) throws FHIRPersistenceInterceptorException {
        Objects.requireNonNull(str, "resourceType");
        Objects.requireNonNull(str2, "resourceId");
        Objects.requireNonNull(set, "contextIds");
        for (Scope.ContextType contextType : List.of(Scope.ContextType.SYSTEM, Scope.ContextType.USER)) {
            if (map.containsKey(contextType)) {
                Optional<Scope> findAny = map.get(contextType).stream().filter(scope -> {
                    return scope.getResourceType() == ResourceType.Value.RESOURCE || scope.getResourceType().value().equals(str);
                }).filter(scope2 -> {
                    return hasPermission(scope2.getPermission(), permission);
                }).findAny();
                if (findAny.isPresent()) {
                    if (!log.isLoggable(Level.FINE)) {
                        return true;
                    }
                    log.fine(permission.value() + " permission for '" + str + "/" + str2 + "' is granted via scope " + findAny.get());
                    return true;
                }
            }
        }
        if (!map.containsKey(Scope.ContextType.PATIENT)) {
            return false;
        }
        if (set.isEmpty()) {
            throw new FHIRPersistenceInterceptorException("Access token is missing 'patient_id' claim").withIssue(new OperationOutcome.Issue[]{FHIRUtil.buildOperationOutcomeIssue("Access token is missing 'patient_id' claim", IssueType.FORBIDDEN)});
        }
        Optional<Scope> findAny2 = map.get(Scope.ContextType.PATIENT).stream().filter(scope3 -> {
            return scope3.getResourceType() == ResourceType.Value.RESOURCE || scope3.getResourceType().value().equals(str);
        }).filter(scope4 -> {
            return hasPermission(scope4.getPermission(), permission);
        }).findAny();
        if (!findAny2.isPresent()) {
            return false;
        }
        if ("Provenance".equals(str)) {
            if (!log.isLoggable(Level.FINE)) {
                return true;
            }
            log.fine(permission.value() + " permission for 'Provenance/" + resource.getId() + "' is granted via scope " + findAny2.get());
            return true;
        }
        if (!(resource instanceof com.ibm.fhir.model.resource.List) || resource.getMeta() == null || !resource.getMeta().getProfile().contains(Canonical.of(DAVINCI_DRUG_FORMULARY_COVERAGE_PLAN))) {
            return isInCompartment(str, str2, resource, CompartmentType.PATIENT, set);
        }
        if (!log.isLoggable(Level.FINE)) {
            return true;
        }
        log.fine(permission.value() + " permission for 'List/" + resource.getId() + "' is granted via scope " + findAny2.get());
        return true;
    }

    private boolean isInCompartment(String str, String str2, Resource resource, CompartmentType compartmentType, Set<String> set) throws FHIRPersistenceInterceptorException {
        String value = compartmentType.getValue();
        try {
            if (!this.compartmentHelper.getCompartmentResourceTypes(value).contains(str)) {
                return true;
            }
            if (resource == null) {
                String str3 = "Unable to determine compartment membership for one or more resources of type '" + str + "' due to the resource content being absent in the response";
                throw new FHIRPersistenceInterceptorException(str3).withIssue(new OperationOutcome.Issue[]{FHIRUtil.buildOperationOutcomeIssue(str3, IssueType.FORBIDDEN)});
            }
            if (value.equals(str) && set.contains(str2)) {
                if (!log.isLoggable(Level.FINE)) {
                    return true;
                }
                log.fine("Bypassing compartment check for the compartment identity resource " + str + "/" + resource.getId());
                return true;
            }
            Set<String> compartmentResourceTypeInclusionCriteria = this.compartmentHelper.getCompartmentResourceTypeInclusionCriteria(value, str);
            FHIRPathEvaluator.EvaluationContext evaluationContext = new FHIRPathEvaluator.EvaluationContext(resource);
            for (String str4 : compartmentResourceTypeInclusionCriteria) {
                try {
                    SearchParameter searchParameter = this.searchHelper.getSearchParameter(str, str4);
                    if ((searchParameter != null) & (searchParameter.getExpression() != null)) {
                        Iterator it = FHIRPathEvaluator.evaluator().evaluate(evaluationContext, searchParameter.getExpression().getValue()).iterator();
                        while (it.hasNext()) {
                            String patientRefVal = getPatientRefVal((FHIRPathNode) it.next());
                            if (patientRefVal != null && set.contains(patientRefVal)) {
                                if (!log.isLoggable(Level.FINE)) {
                                    return true;
                                }
                                log.fine(str + "/" + resource.getId() + "' is in " + value + " compartment '" + patientRefVal + "'");
                                return true;
                            }
                        }
                    }
                } catch (Exception e) {
                    log.log(Level.WARNING, "Unexpected exception while processing inclusionCriteria '" + str4 + "' in the " + value + " compartment for resource type " + str, (Throwable) e);
                }
            }
            return false;
        } catch (FHIRSearchException e2) {
            log.log(Level.WARNING, "Unexpected exception while enforcing authorization policy in the " + value + " compartment for resource type " + str, e2);
            return false;
        }
    }

    private String getPatientRefVal(FHIRPathNode fHIRPathNode) throws FHIRSearchException {
        if (!fHIRPathNode.isElementNode() || !fHIRPathNode.asElementNode().element().is(Reference.class)) {
            throw new IllegalStateException("Patient compartment inclusionCriteria expression has returned a non-Reference");
        }
        Reference as = fHIRPathNode.asElementNode().element().as(Reference.class);
        ReferenceValue createReferenceValueFrom = ReferenceUtil.createReferenceValueFrom(as, ReferenceUtil.getServiceBaseUrl());
        if (createReferenceValueFrom.getType() == ReferenceValue.ReferenceType.LITERAL_RELATIVE && PATIENT.equals(createReferenceValueFrom.getTargetResourceType())) {
            return createReferenceValueFrom.getValue();
        }
        if (!log.isLoggable(Level.FINE)) {
            return null;
        }
        log.fine("Skipping non-patient / non-relative reference: '" + as + "'");
        return null;
    }

    private String getAccessToken() throws FHIRPersistenceInterceptorException {
        List list = (List) FHIRRequestContext.get().getHttpHeaders().get("Authorization");
        if (list == null || list.size() != 1) {
            throw new FHIRPersistenceInterceptorException("Request must contain exactly one Authorization header.").withIssue(new OperationOutcome.Issue[]{FHIRUtil.buildOperationOutcomeIssue("Request must contain exactly one Authorization header.", IssueType.FORBIDDEN)});
        }
        String str = (String) list.get(0);
        if (str.startsWith(BEARER_TOKEN_PREFIX)) {
            return str.substring(BEARER_TOKEN_PREFIX.length()).trim();
        }
        throw new FHIRPersistenceInterceptorException("Authorization header must carry a Bearer token").withIssue(new OperationOutcome.Issue[]{FHIRUtil.buildOperationOutcomeIssue("Authorization header must carry a Bearer token", IssueType.FORBIDDEN)});
    }

    private Map<Scope.ContextType, List<Scope>> getScopesFromToken(JWT.DecodedJWT decodedJWT) throws FHIRPersistenceInterceptorException {
        List<String> asList;
        JWT.Claim claim = decodedJWT.getClaim("scope");
        if (claim.isNull()) {
            throw new FHIRPersistenceInterceptorException("Authorization token is missing 'scope' claim").withIssue(new OperationOutcome.Issue[]{FHIRUtil.buildOperationOutcomeIssue("Authorization token is missing 'scope' claim", IssueType.FORBIDDEN)});
        }
        if (claim.asString() != null) {
            asList = Arrays.asList(claim.asString().split("\\s+"));
        } else {
            log.fine("Found scope claim was expected to be a string but is not; processing as a list");
            asList = claim.asList();
        }
        return (Map) asList.stream().filter(str -> {
            return str.matches(Scope.SCOPE_STRING_REGEX);
        }).map(str2 -> {
            return new Scope(str2);
        }).collect(Collectors.groupingBy(scope -> {
            return scope.getContextType();
        }));
    }

    private Set<String> getPatientIdFromToken(JWT.DecodedJWT decodedJWT) throws FHIRPersistenceInterceptorException {
        JWT.Claim claim = decodedJWT.getClaim("patient_id");
        if (!claim.isNull()) {
            String asString = claim.asString();
            return asString == null ? new HashSet(claim.asList()) : (Set) Stream.of((Object[]) asString.split(" ")).map((v0) -> {
                return v0.trim();
            }).filter(str -> {
                return !str.isEmpty();
            }).collect(Collectors.toSet());
        }
        if (log.isLoggable(Level.FINE)) {
            log.fine("Authorization token is missing 'patient_id' claim");
        }
        return Collections.emptySet();
    }

    private static String getResourceType(Bundle.Entry entry) {
        Resource resource = entry.getResource();
        if (resource != null) {
            return resource.getClass().getSimpleName();
        }
        if (entry.getFullUrl() == null || entry.getFullUrl().getValue() == null) {
            return null;
        }
        String[] split = entry.getFullUrl().getValue().split("/");
        if (split.length > 1) {
            return split[split.length - 2];
        }
        return null;
    }

    private static String getResourceId(Bundle.Entry entry) {
        Resource resource = entry.getResource();
        if (resource != null) {
            return resource.getId();
        }
        if (entry.getFullUrl() == null || entry.getFullUrl().getValue() == null) {
            return null;
        }
        String[] split = entry.getFullUrl().getValue().split("/");
        if (split.length > 1) {
            return split[split.length - 1];
        }
        return null;
    }
}
