package com.ibm.fhir.smart;

import com.auth0.jwt.JWT;
import com.auth0.jwt.interfaces.Claim;
import com.auth0.jwt.interfaces.DecodedJWT;
import com.ibm.fhir.config.FHIRRequestContext;
import com.ibm.fhir.model.resource.Bundle;
import com.ibm.fhir.model.resource.OperationOutcome;
import com.ibm.fhir.model.resource.Provenance;
import com.ibm.fhir.model.resource.Resource;
import com.ibm.fhir.model.resource.SearchParameter;
import com.ibm.fhir.model.type.Reference;
import com.ibm.fhir.model.type.code.CompartmentType;
import com.ibm.fhir.model.type.code.IssueType;
import com.ibm.fhir.model.type.code.ResourceType;
import com.ibm.fhir.model.util.FHIRUtil;
import com.ibm.fhir.model.util.ModelSupport;
import com.ibm.fhir.path.FHIRPathNode;
import com.ibm.fhir.path.evaluator.FHIRPathEvaluator;
import com.ibm.fhir.persistence.FHIRPersistence;
import com.ibm.fhir.persistence.SingleResourceResult;
import com.ibm.fhir.persistence.context.FHIRPersistenceContext;
import com.ibm.fhir.persistence.context.FHIRPersistenceContextFactory;
import com.ibm.fhir.persistence.exception.FHIRPersistenceException;
import com.ibm.fhir.persistence.interceptor.FHIRPersistenceEvent;
import com.ibm.fhir.persistence.interceptor.FHIRPersistenceInterceptor;
import com.ibm.fhir.persistence.interceptor.FHIRPersistenceInterceptorException;
import com.ibm.fhir.search.compartment.CompartmentUtil;
import com.ibm.fhir.search.context.FHIRSearchContext;
import com.ibm.fhir.search.exception.FHIRSearchException;
import com.ibm.fhir.search.parameters.QueryParameter;
import com.ibm.fhir.search.parameters.QueryParameterValue;
import com.ibm.fhir.search.util.ReferenceUtil;
import com.ibm.fhir.search.util.ReferenceValue;
import com.ibm.fhir.search.util.SearchUtil;
import com.ibm.fhir.smart.Scope;
import java.util.Arrays;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.logging.Level;
import java.util.logging.Logger;
import java.util.stream.Collectors;
import java.util.stream.Stream;

/* loaded from: input_file:com/ibm/fhir/smart/AuthzPolicyEnforcementPersistenceInterceptor.class */
public class AuthzPolicyEnforcementPersistenceInterceptor implements FHIRPersistenceInterceptor {
    private static final Logger log = Logger.getLogger(AuthzPolicyEnforcementPersistenceInterceptor.class.getName());
    private static final String BEARER_TOKEN_PREFIX = "Bearer";
    private static final String PATIENT = "Patient";
    private static final String REQUEST_NOT_PERMITTED = "Requested interaction is not permitted by any of the passed scopes.";

    public void beforeRead(FHIRPersistenceEvent fHIRPersistenceEvent) throws FHIRPersistenceInterceptorException {
        enforceDirectPatientAccess(fHIRPersistenceEvent);
    }

    public void beforeVread(FHIRPersistenceEvent fHIRPersistenceEvent) throws FHIRPersistenceInterceptorException {
        enforceDirectPatientAccess(fHIRPersistenceEvent);
    }

    public void beforeHistory(FHIRPersistenceEvent fHIRPersistenceEvent) throws FHIRPersistenceInterceptorException {
        enforceDirectPatientAccess(fHIRPersistenceEvent);
    }

    private void enforceDirectPatientAccess(FHIRPersistenceEvent fHIRPersistenceEvent) throws FHIRPersistenceInterceptorException {
        if (PATIENT.equals(fHIRPersistenceEvent.getFhirResourceType())) {
            List<String> patientIdFromToken = getPatientIdFromToken(JWT.decode(getAccessToken()));
            if (patientIdFromToken.contains(fHIRPersistenceEvent.getFhirResourceId())) {
                return;
            }
            String str = "Interaction with 'Patient/" + fHIRPersistenceEvent.getFhirResourceId() + "' is not permitted under patient context '" + patientIdFromToken + "'.";
            throw new FHIRPersistenceInterceptorException(str).withIssue(new OperationOutcome.Issue[]{FHIRUtil.buildOperationOutcomeIssue(str, IssueType.FORBIDDEN)});
        }
    }

    public void beforeSearch(FHIRPersistenceEvent fHIRPersistenceEvent) throws FHIRPersistenceInterceptorException {
        FHIRSearchContext searchContextImpl = fHIRPersistenceEvent.getSearchContextImpl();
        if (searchContextImpl != null) {
            List<String> patientIdFromToken = getPatientIdFromToken(JWT.decode(getAccessToken()));
            String str = null;
            String str2 = null;
            Iterator it = searchContextImpl.getSearchParameters().iterator();
            while (true) {
                if (!it.hasNext()) {
                    break;
                }
                QueryParameter queryParameter = (QueryParameter) it.next();
                if (queryParameter.isInclusionCriteria()) {
                    String[] split = ((QueryParameterValue) queryParameter.getValues().get(0)).getValueString().split("/");
                    str = split[0];
                    str2 = split[1];
                    break;
                }
            }
            if (str == null) {
                try {
                    if (CompartmentUtil.getCompartmentResourceTypes(PATIENT).contains(fHIRPersistenceEvent.getFhirResourceType())) {
                        searchContextImpl.getSearchParameters().add(0, SearchUtil.buildInclusionCriteria(PATIENT, patientIdFromToken, fHIRPersistenceEvent.getFhirResourceType()));
                    }
                    return;
                } catch (Exception e) {
                    String str3 = "Unexpected exception converting to Patient compartment search: " + e.getMessage();
                    throw new FHIRPersistenceInterceptorException(str3).withIssue(new OperationOutcome.Issue[]{FHIRUtil.buildOperationOutcomeIssue(str3, IssueType.EXCEPTION)});
                }
            }
            if (!PATIENT.equals(str)) {
                String str4 = "Compartment search with compartment '" + str + "' is not permitted.";
                throw new FHIRPersistenceInterceptorException(str4).withIssue(new OperationOutcome.Issue[]{FHIRUtil.buildOperationOutcomeIssue(str4, IssueType.FORBIDDEN)});
            }
            if (!patientIdFromToken.contains(str2)) {
                String str5 = "Interaction with 'Patient/" + str2 + "' is not permitted under patient context '" + patientIdFromToken + "'.";
                throw new FHIRPersistenceInterceptorException(str5).withIssue(new OperationOutcome.Issue[]{FHIRUtil.buildOperationOutcomeIssue(str5, IssueType.FORBIDDEN)});
            }
            try {
                if (CompartmentUtil.getCompartmentResourceTypes(PATIENT).contains(fHIRPersistenceEvent.getFhirResourceType())) {
                    return;
                }
                String str6 = "Resource type '" + fHIRPersistenceEvent.getFhirResourceType() + "' is not valid for Patient compartment search.";
                throw new FHIRPersistenceInterceptorException(str6).withIssue(new OperationOutcome.Issue[]{FHIRUtil.buildOperationOutcomeIssue(str6, IssueType.INVALID)});
            } catch (FHIRSearchException e2) {
                log.log(Level.WARNING, "Unexpected exception while getting compartment resource types", e2);
            }
        }
    }

    public void beforeCreate(FHIRPersistenceEvent fHIRPersistenceEvent) throws FHIRPersistenceInterceptorException {
        DecodedJWT decode = JWT.decode(getAccessToken());
        enforce(fHIRPersistenceEvent.getFhirResource(), getPatientIdFromToken(decode), Scope.Permission.WRITE, getScopesFromToken(decode));
    }

    public void beforeDelete(FHIRPersistenceEvent fHIRPersistenceEvent) throws FHIRPersistenceInterceptorException {
        DecodedJWT decode = JWT.decode(getAccessToken());
        enforce(fHIRPersistenceEvent.getPrevFhirResource(), getPatientIdFromToken(decode), Scope.Permission.WRITE, getScopesFromToken(decode));
    }

    public void beforeUpdate(FHIRPersistenceEvent fHIRPersistenceEvent) throws FHIRPersistenceInterceptorException {
        DecodedJWT decode = JWT.decode(getAccessToken());
        List<String> patientIdFromToken = getPatientIdFromToken(decode);
        List<Scope> scopesFromToken = getScopesFromToken(decode);
        enforce(fHIRPersistenceEvent.getPrevFhirResource(), patientIdFromToken, Scope.Permission.READ, scopesFromToken);
        enforce(fHIRPersistenceEvent.getFhirResource(), patientIdFromToken, Scope.Permission.WRITE, scopesFromToken);
    }

    public void afterRead(FHIRPersistenceEvent fHIRPersistenceEvent) throws FHIRPersistenceInterceptorException {
        DecodedJWT decode = JWT.decode(getAccessToken());
        Resource fhirResource = fHIRPersistenceEvent.getFhirResource();
        List<String> patientIdFromToken = getPatientIdFromToken(decode);
        List<Scope> scopesFromToken = getScopesFromToken(decode);
        enforceDirectProvenanceAccess(fHIRPersistenceEvent, fhirResource, patientIdFromToken, scopesFromToken);
        enforce(fhirResource, patientIdFromToken, Scope.Permission.READ, scopesFromToken);
    }

    public void afterVread(FHIRPersistenceEvent fHIRPersistenceEvent) throws FHIRPersistenceInterceptorException {
        DecodedJWT decode = JWT.decode(getAccessToken());
        Resource fhirResource = fHIRPersistenceEvent.getFhirResource();
        List<String> patientIdFromToken = getPatientIdFromToken(decode);
        List<Scope> scopesFromToken = getScopesFromToken(decode);
        enforceDirectProvenanceAccess(fHIRPersistenceEvent, fhirResource, patientIdFromToken, scopesFromToken);
        enforce(fhirResource, patientIdFromToken, Scope.Permission.READ, scopesFromToken);
    }

    public void afterHistory(FHIRPersistenceEvent fHIRPersistenceEvent) throws FHIRPersistenceInterceptorException {
        DecodedJWT decode = JWT.decode(getAccessToken());
        List<String> patientIdFromToken = getPatientIdFromToken(decode);
        List<Scope> scopesFromToken = getScopesFromToken(decode);
        if (!(fHIRPersistenceEvent.getFhirResource() instanceof Bundle)) {
            throw new IllegalStateException("Expected event resource of type Bundle but found " + fHIRPersistenceEvent.getFhirResource().getClass().getSimpleName());
        }
        Iterator it = fHIRPersistenceEvent.getFhirResource().getEntry().iterator();
        while (it.hasNext()) {
            Resource resource = ((Bundle.Entry) it.next()).getResource();
            if (resource != null) {
                enforceDirectProvenanceAccess(fHIRPersistenceEvent, resource, patientIdFromToken, scopesFromToken);
                enforce(resource, patientIdFromToken, Scope.Permission.READ, scopesFromToken);
            }
        }
    }

    private void enforceDirectProvenanceAccess(FHIRPersistenceEvent fHIRPersistenceEvent, Resource resource, List<String> list, List<Scope> list2) throws FHIRPersistenceInterceptorException {
        if (!(resource instanceof Provenance) || isAllowed(((Provenance) resource).getTarget(), fHIRPersistenceEvent.getPersistenceImpl(), list, Scope.Permission.READ, list2)) {
            return;
        }
        String str = Scope.Permission.READ + " permission to 'Provenance/" + resource.getId() + "' with context id(s): " + list + " requires access to one or more of its target resources.";
        if (log.isLoggable(Level.FINE)) {
            log.fine(str);
        }
        throw new FHIRPersistenceInterceptorException(str).withIssue(new OperationOutcome.Issue[]{FHIRUtil.buildOperationOutcomeIssue(str, IssueType.FORBIDDEN)});
    }

    private boolean isAllowed(List<Reference> list, FHIRPersistence fHIRPersistence, List<String> list2, Scope.Permission permission, List<Scope> list3) {
        boolean z = false;
        try {
            String serviceBaseUrl = ReferenceUtil.getServiceBaseUrl();
            Iterator<Reference> it = list.iterator();
            while (true) {
                if (!it.hasNext()) {
                    break;
                }
                ReferenceValue createReferenceValueFrom = ReferenceUtil.createReferenceValueFrom(it.next(), serviceBaseUrl);
                if (ReferenceValue.ReferenceType.LITERAL_RELATIVE == createReferenceValueFrom.getType()) {
                    try {
                        SingleResourceResult<? extends Resource> executeRead = executeRead(fHIRPersistence, createReferenceValueFrom, ModelSupport.getResourceType(createReferenceValueFrom.getTargetResourceType()));
                        if (executeRead.isSuccess() && checkCompartment(executeRead.getResource(), CompartmentType.PATIENT, list2)) {
                            z = true;
                            break;
                        }
                        if (!executeRead.isSuccess() && log.isLoggable(Level.FINE)) {
                            log.fine("Skipping target " + createReferenceValueFrom.getTargetResourceType() + "/" + createReferenceValueFrom.getType() + "' during enforcement due to a read failure: " + executeRead.getOutcome());
                        }
                    } catch (FHIRPersistenceException e) {
                        if (log.isLoggable(Level.FINE)) {
                            log.log(Level.FINE, "Skipping target '" + createReferenceValueFrom.getTargetResourceType() + "/" + createReferenceValueFrom.getType() + "' during enforcement due to an error while reading.", e);
                        }
                    }
                } else if (log.isLoggable(Level.FINE)) {
                    log.fine("Skipping target '" + createReferenceValueFrom.getValue() + "' of type '" + createReferenceValueFrom.getType() + "' during enforcement of Provenance access.");
                }
            }
            return z;
        } catch (FHIRSearchException e2) {
            throw new IllegalStateException("Unexpected error while computing the service baseUrl for ");
        }
    }

    private SingleResourceResult<? extends Resource> executeRead(FHIRPersistence fHIRPersistence, ReferenceValue referenceValue, Class<? extends Resource> cls) throws FHIRPersistenceException {
        FHIRPersistenceContext createPersistenceContext = FHIRPersistenceContextFactory.createPersistenceContext((FHIRPersistenceEvent) null);
        return referenceValue.getVersion() == null ? fHIRPersistence.read(createPersistenceContext, cls, referenceValue.getValue()) : fHIRPersistence.vread(createPersistenceContext, cls, referenceValue.getValue(), referenceValue.getVersion().toString());
    }

    public void afterSearch(FHIRPersistenceEvent fHIRPersistenceEvent) throws FHIRPersistenceInterceptorException {
        DecodedJWT decode = JWT.decode(getAccessToken());
        List<String> patientIdFromToken = getPatientIdFromToken(decode);
        List<Scope> scopesFromToken = getScopesFromToken(decode);
        if (!(fHIRPersistenceEvent.getFhirResource() instanceof Bundle)) {
            throw new IllegalStateException("Expected event resource of type Bundle but found " + fHIRPersistenceEvent.getFhirResource().getClass().getSimpleName());
        }
        for (Bundle.Entry entry : fHIRPersistenceEvent.getFhirResource().getEntry()) {
            if (entry.getResource() != null) {
                enforce(entry.getResource(), patientIdFromToken, Scope.Permission.READ, scopesFromToken);
            }
        }
    }

    private void enforce(Resource resource, List<String> list, Scope.Permission permission, List<Scope> list2) throws FHIRPersistenceInterceptorException {
        if (isAllowed(resource, list, permission, list2)) {
            return;
        }
        if (log.isLoggable(Level.FINE)) {
            log.fine(permission.value() + " permission for '" + resource.getClass().getSimpleName() + "/" + resource.getId() + "' is not granted by any of the provided scopes: " + list2 + " with context id(s): " + list);
        }
        throw new FHIRPersistenceInterceptorException(REQUEST_NOT_PERMITTED).withIssue(new OperationOutcome.Issue[]{FHIRUtil.buildOperationOutcomeIssue(REQUEST_NOT_PERMITTED, IssueType.FORBIDDEN)});
    }

    private boolean isAllowed(Resource resource, List<String> list, Scope.Permission permission, List<Scope> list2) throws FHIRPersistenceInterceptorException {
        Objects.requireNonNull(resource, "resource");
        Objects.requireNonNull(list, "contextIds");
        String simpleName = resource.getClass().getSimpleName();
        Map map = (Map) list2.stream().filter(scope -> {
            return scope.getResourceType() == ResourceType.Value.RESOURCE || scope.getResourceType().value().equals(simpleName);
        }).filter(scope2 -> {
            return hasPermission(scope2.getPermission(), permission);
        }).collect(Collectors.groupingBy(scope3 -> {
            return scope3.getContextType();
        }));
        if (!map.containsKey(Scope.ContextType.PATIENT)) {
            if (map.containsKey(Scope.ContextType.USER)) {
                throw new UnsupportedOperationException("SMART scopes with context type 'user' are not yet supported.");
            }
            return false;
        }
        if (!(resource instanceof Provenance)) {
            return checkCompartment(resource, CompartmentType.PATIENT, list);
        }
        if (!log.isLoggable(Level.FINE)) {
            return true;
        }
        log.fine(permission.value() + " permission for 'Provenance/" + resource.getId() + "' is granted via scope " + map.get(Scope.ContextType.PATIENT));
        return true;
    }

    private boolean checkCompartment(Resource resource, CompartmentType compartmentType, List<String> list) {
        String simpleName = resource.getClass().getSimpleName();
        String value = compartmentType.getValue();
        if (compartmentType.getValue().equals(simpleName) && resource.getId() != null && list.contains(resource.getId())) {
            if (!log.isLoggable(Level.FINE)) {
                return true;
            }
            log.fine("Bypassing compartment check for the compartment identity resource " + simpleName + "/" + resource.getId());
            return true;
        }
        try {
            if (!CompartmentUtil.getCompartmentResourceTypes(value).contains(simpleName)) {
                return true;
            }
            List<String> compartmentResourceTypeInclusionCriteria = CompartmentUtil.getCompartmentResourceTypeInclusionCriteria(value, simpleName);
            FHIRPathEvaluator.EvaluationContext evaluationContext = new FHIRPathEvaluator.EvaluationContext(resource);
            for (String str : compartmentResourceTypeInclusionCriteria) {
                try {
                    SearchParameter searchParameter = SearchUtil.getSearchParameter(simpleName, str);
                    if ((searchParameter != null) & (searchParameter.getExpression() != null)) {
                        Iterator it = FHIRPathEvaluator.evaluator().evaluate(evaluationContext, searchParameter.getExpression().getValue()).iterator();
                        while (it.hasNext()) {
                            String patientRefVal = getPatientRefVal((FHIRPathNode) it.next());
                            if (patientRefVal != null && list.contains(patientRefVal)) {
                                if (!log.isLoggable(Level.FINE)) {
                                    return true;
                                }
                                log.fine(simpleName + "/" + resource.getId() + "' is in " + value + " compartment '" + patientRefVal + "'");
                                return true;
                            }
                        }
                    }
                } catch (Exception e) {
                    log.log(Level.WARNING, "Unexpected exception while processing inclusionCriteria '" + str + "' in the " + value + " compartment for resource type " + simpleName, (Throwable) e);
                }
            }
            return false;
        } catch (FHIRSearchException e2) {
            log.log(Level.WARNING, "Unexpected exception while enforcing authorization policy in the " + value + " compartment for resource type " + simpleName, e2);
            return false;
        }
    }

    private String getPatientRefVal(FHIRPathNode fHIRPathNode) throws FHIRSearchException {
        if (!fHIRPathNode.isElementNode() || !fHIRPathNode.asElementNode().element().is(Reference.class)) {
            throw new IllegalStateException("Patient compartment inclusionCriteria expression has returned a non-Reference");
        }
        Reference as = fHIRPathNode.asElementNode().element().as(Reference.class);
        ReferenceValue createReferenceValueFrom = ReferenceUtil.createReferenceValueFrom(as, ReferenceUtil.getServiceBaseUrl());
        if (createReferenceValueFrom.getType() == ReferenceValue.ReferenceType.LITERAL_RELATIVE && PATIENT.equals(createReferenceValueFrom.getTargetResourceType())) {
            return createReferenceValueFrom.getValue();
        }
        if (!log.isLoggable(Level.FINE)) {
            return null;
        }
        log.fine("Skipping non-patient / non-relative reference: '" + as + "'");
        return null;
    }

    private boolean hasPermission(Scope.Permission permission, Scope.Permission permission2) {
        return permission == Scope.Permission.ALL || permission == permission2;
    }

    private String getAccessToken() throws FHIRPersistenceInterceptorException {
        List list = (List) FHIRRequestContext.get().getHttpHeaders().get("Authorization");
        if (list.size() != 1) {
            throw new FHIRPersistenceInterceptorException("Request must contain exactly one Authorization header.").withIssue(new OperationOutcome.Issue[]{FHIRUtil.buildOperationOutcomeIssue("Request must contain exactly one Authorization header.", IssueType.FORBIDDEN)});
        }
        String str = (String) list.get(0);
        if (str.startsWith(BEARER_TOKEN_PREFIX)) {
            return str.substring(BEARER_TOKEN_PREFIX.length()).trim();
        }
        throw new FHIRPersistenceInterceptorException("Authorization header must carry a Bearer token").withIssue(new OperationOutcome.Issue[]{FHIRUtil.buildOperationOutcomeIssue("Authorization header must carry a Bearer token", IssueType.FORBIDDEN)});
    }

    private List<Scope> getScopesFromToken(DecodedJWT decodedJWT) throws FHIRPersistenceInterceptorException {
        List asList;
        Claim claim = decodedJWT.getClaim("scope");
        if (claim.isNull()) {
            throw new FHIRPersistenceInterceptorException("Authorization token is missing 'scope' claim").withIssue(new OperationOutcome.Issue[]{FHIRUtil.buildOperationOutcomeIssue("Authorization token is missing 'scope' claim", IssueType.FORBIDDEN)});
        }
        if (claim.asString() != null) {
            asList = Arrays.asList(claim.asString().split("\\s+"));
        } else {
            log.fine("Found scope claim was expected to be a string but is not; processing as a list");
            asList = claim.asList(String.class);
        }
        return (List) asList.stream().filter(str -> {
            return str.matches(Scope.SCOPE_STRING_REGEX);
        }).map(str2 -> {
            return new Scope(str2);
        }).collect(Collectors.toList());
    }

    private List<String> getPatientIdFromToken(DecodedJWT decodedJWT) throws FHIRPersistenceInterceptorException {
        Claim claim = decodedJWT.getClaim("patient_id");
        if (claim.isNull()) {
            throw new FHIRPersistenceInterceptorException("Authorization token is missing 'patient_id' claim").withIssue(new OperationOutcome.Issue[]{FHIRUtil.buildOperationOutcomeIssue("Authorization token is missing 'patient_id' claim", IssueType.FORBIDDEN)});
        }
        String asString = claim.asString();
        return asString == null ? claim.asList(String.class) : (List) Stream.of((Object[]) asString.split(" ")).map((v0) -> {
            return v0.trim();
        }).filter(str -> {
            return !str.isEmpty();
        }).collect(Collectors.toList());
    }
}
