package com.atomgraph.linkeddatahub.server.filter.request;

import com.atomgraph.client.vocabulary.AC;
import com.atomgraph.client.vocabulary.SPIN;
import com.atomgraph.core.client.SPARQLClient;
import com.atomgraph.core.vocabulary.SD;
import com.atomgraph.linkeddatahub.Application;
import com.atomgraph.linkeddatahub.apps.model.Dataset;
import com.atomgraph.linkeddatahub.apps.model.EndUserApplication;
import com.atomgraph.linkeddatahub.client.SesameProtocolClient;
import com.atomgraph.linkeddatahub.model.Service;
import com.atomgraph.linkeddatahub.model.auth.Agent;
import com.atomgraph.linkeddatahub.server.exception.auth.AuthorizationException;
import com.atomgraph.linkeddatahub.server.security.AuthorizationContext;
import com.atomgraph.linkeddatahub.vocabulary.ACL;
import com.atomgraph.processor.vocabulary.LDT;
import java.io.IOException;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;
import javax.annotation.PostConstruct;
import javax.annotation.Priority;
import javax.inject.Inject;
import javax.inject.Provider;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.PreMatching;
import javax.ws.rs.core.Response;
import org.apache.jena.query.ParameterizedSparqlString;
import org.apache.jena.query.QuerySolutionMap;
import org.apache.jena.rdf.model.Model;
import org.apache.jena.rdf.model.Property;
import org.apache.jena.rdf.model.RDFNode;
import org.apache.jena.rdf.model.ResIterator;
import org.apache.jena.rdf.model.Resource;
import org.apache.jena.rdf.model.ResourceFactory;
import org.apache.jena.vocabulary.RDFS;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

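/**
 * Pre-matching JAX-RS request filter that decides whether the current request is authorized.
 *
 * <p>The HTTP method is mapped to an ACL access mode via {@link #ACCESS_MODES}, and a SPARQL
 * authorization query is run against the admin service with the request URI, the access mode and
 * the requesting agent bound as parameters. If the result contains an authorization resource, its
 * model is stored on the request as an {@link AuthorizationContext}; otherwise an
 * {@link AuthorizationException} is thrown.
 *
 * <p>Several paths in {@link #filter(ContainerRequestContext)} return <em>without</em> running the
 * ACL query. They are marked with {@code NOTE(review)} comments because each one is a place where
 * access control depends on code outside this class.
 */
@Priority(5100)
@PreMatching
/* loaded from: input_file:com/atomgraph/linkeddatahub/server/filter/request/AuthorizationFilter.class */
public class AuthorizationFilter implements ContainerRequestFilter {
    private static final Logger log = LoggerFactory.getLogger(AuthorizationFilter.class);

    /** IRI of the fallback property used to locate an authorization resource when none carries {@code acl:mode}. */
    private static final String ACCESS_PROPERTY_URI = "https://w3id.org/atomgraph/linkeddatahub/admin/acl#accessProperty";

    /** Unmodifiable mapping from HTTP method name to the ACL access mode required for it. */
    public static final Map<String, Resource> ACCESS_MODES;

    static {
        Map<String, Resource> modes = new HashMap<>();
        modes.put("GET", ACL.Read);
        modes.put("HEAD", ACL.Read);
        modes.put("POST", ACL.Append);
        modes.put("PUT", ACL.Write);
        modes.put("DELETE", ACL.Write);
        modes.put("PATCH", ACL.Write);
        ACCESS_MODES = Collections.unmodifiableMap(modes);
    }

    @Inject
    Application system;

    @Inject
    Provider<com.atomgraph.linkeddatahub.apps.model.Application> app;

    @Inject
    Provider<Optional<Dataset>> dataset;

    // Query templates built once in init(); callers only ever receive copies (see the getters).
    private ParameterizedSparqlString authQuery;
    private ParameterizedSparqlString ownerAuthQuery;

    /**
     * Builds the two authorization query templates from the system application's configured queries.
     */
    @PostConstruct
    public void init() {
        this.authQuery = new ParameterizedSparqlString(getSystem().getAuthQuery().toString());
        this.ownerAuthQuery = new ParameterizedSparqlString(getSystem().getOwnerAuthQuery().toString());
    }

    /**
     * Authorizes the request, or lets it through on one of the explicit bypass paths.
     *
     * @param request the current request context, must not be {@code null}
     * @throws IllegalArgumentException if {@code request} is {@code null}
     * @throws AuthorizationException if the app is read-only and the method is not GET/HEAD, or if
     *     the authorization query yields no authorization resource
     * @throws IOException declared by {@link ContainerRequestFilter#filter}
     */
    @Override
    public void filter(ContainerRequestContext request) throws IOException {
        if (request == null) {
            throw new IllegalArgumentException("ContainerRequestContext cannot be null");
        }
        if (log.isDebugEnabled()) {
            log.debug("Authorizing request URI: {}", request.getUriInfo().getRequestUri());
        }

        final String method = request.getMethod();

        // NOTE(review): bypass 1 - a GET whose client-supplied "uri" query parameter is known to the
        // system data manager is let through with no ACL check. The safety of this path rests
        // entirely on isMapped() matching only documents that are meant to be public - confirm.
        if (method.equals("GET") && request.getUriInfo().getQueryParameters().containsKey(AC.uri.getLocalName())) {
            String uriParam = request.getUriInfo().getQueryParameters().getFirst(AC.uri.getLocalName());
            if (getSystem().getDataManager().isMapped(uriParam)) {
                return;
            }
        }

        final Resource accessMode = ACCESS_MODES.get(method);
        if (log.isDebugEnabled()) {
            log.debug("Request method: {} ACL access mode: {}", method, accessMode);
        }

        // NOTE(review): bypass 2 - this is fail-open. Any method absent from ACCESS_MODES (OPTIONS,
        // TRACE, non-standard verbs) skips authorization whether or not the warning is logged.
        // Confirm that every such method is rejected or harmless further down the pipeline.
        if (accessMode == null) {
            if (log.isWarnEnabled()) {
                log.warn("Skipping authentication/authorization, request method not recognized: {}", method);
            }
            return;
        }

        if (getApplication().isReadOnly()) {
            boolean readRequest = method.equals("GET") || method.equals("HEAD");
            if (!readRequest) {
                if (log.isTraceEnabled()) {
                    log.trace("Write access not authorized (app is read-only) for request URI: {}", request.getUriInfo().getAbsolutePath());
                }
                throw new AuthorizationException("Write access not authorized (app is read-only)", request.getUriInfo().getAbsolutePath(), accessMode);
            }
            // NOTE(review): bypass 3 - every GET/HEAD on a read-only app is served without an ACL
            // check, i.e. a read-only app is readable by anyone who can reach it.
            if (log.isTraceEnabled()) {
                log.trace("App is read-only, skipping authorization for request URI: {}", request.getUriInfo().getAbsolutePath());
            }
            return;
        }

        // NOTE(review): bypass 4 - when a Dataset is present the request is not authorized here,
        // for any method including PUT/DELETE/PATCH. Presumably dataset-backed requests are
        // protected elsewhere - confirm against the code that resolves the Dataset.
        if (getDataset().isPresent()) {
            return;
        }

        // Only a principal of type Agent counts as authenticated; anything else is treated as anonymous.
        Object principal = request.getSecurityContext().getUserPrincipal();
        Agent agent = principal instanceof Agent ? (Agent) principal : null;

        Resource authorization = authorize(request, agent, accessMode);
        if (authorization == null) {
            if (log.isTraceEnabled()) {
                log.trace("Access not authorized for request URI: {} and access mode: {}", request.getUriInfo().getAbsolutePath(), accessMode);
            }
            throw new AuthorizationException("Access not authorized for request URI", request.getUriInfo().getAbsolutePath(), accessMode);
        }
        // Expose the authorization data to later stages of the request under the context class name.
        request.setProperty(AuthorizationContext.class.getCanonicalName(), new AuthorizationContext(authorization.getModel()));
    }

    /**
     * Builds the variable bindings for the authorization query.
     *
     * @param absolutePath resource for the request URI, bound to the SPIN "this" variable
     * @param agent the authenticated agent, or {@code null} for an anonymous request
     * @param accessMode the ACL access mode being requested, bound to {@code Mode}
     * @return the bindings to apply to the authorization query
     */
    public QuerySolutionMap getAuthorizationParams(Resource absolutePath, Resource agent, Resource accessMode) {
        QuerySolutionMap params = new QuerySolutionMap();
        params.add(SPIN.THIS_VAR_NAME, absolutePath);
        params.add("Mode", accessMode);
        params.add(LDT.Ontology.getLocalName(), getApplication().getOntology());
        params.add(LDT.base.getLocalName(), getApplication().getBase());

        if (agent == null) {
            // Anonymous request: both agent variables are bound to rdfs:Resource. Presumably this
            // keeps the query from matching authorizations granted to a specific or authenticated
            // agent - verify against the configured query text.
            params.add("AuthenticatedAgentClass", RDFS.Resource);
            params.add("agent", RDFS.Resource);
        } else {
            params.add("AuthenticatedAgentClass", ACL.AuthenticatedAgent);
            params.add("agent", agent);
        }
        return params;
    }

    /**
     * Authorizes the request's absolute path for the given agent and access mode.
     *
     * @param containerRequestContext the current request context
     * @param agent the authenticated agent, or {@code null} if anonymous
     * @param accessMode the requested ACL access mode
     * @return an authorization resource, or {@code null} if access is not granted
     */
    public Resource authorize(ContainerRequestContext containerRequestContext, Resource agent, Resource accessMode) {
        // The absolute path excludes the query string, so query parameters do not affect which resource is checked.
        Resource absolutePath = ResourceFactory.createResource(containerRequestContext.getUriInfo().getAbsolutePath().toString());
        return authorize(getAuthorizationParams(absolutePath, agent, accessMode));
    }

    /**
     * Runs the authorization query and picks an authorization resource from its result.
     *
     * <p>The first subject carrying {@code acl:mode} wins; failing that, the first subject carrying
     * the access property. No mode comparison happens here, so the query itself must return only
     * authorizations that match the bound mode, agent and resource.
     *
     * @param params bindings for the authorization query
     * @return an authorization resource, or {@code null} if the result holds none
     */
    public Resource authorize(QuerySolutionMap params) {
        Model authModel = loadAuth(params);
        Resource authorization = getResourceByPropertyValue(authModel, ACL.mode, null);
        if (authorization != null) {
            return authorization;
        }
        return getResourceByPropertyValue(authModel, ResourceFactory.createProperty(ACCESS_PROPERTY_URI), null);
    }

    /**
     * Loads the authorization data for the given bindings from the admin service.
     *
     * @param querySolutionMap bindings for the authorization query, must not be {@code null}
     * @return the model returned by the authorization query
     * @throws IllegalArgumentException if {@code querySolutionMap} is {@code null}
     */
    protected Model loadAuth(QuerySolutionMap querySolutionMap) {
        if (querySolutionMap == null) {
            throw new IllegalArgumentException("QuerySolutionMap cannot be null");
        }
        boolean endUserApp = getApplication().canAs(EndUserApplication.class);
        // End-user apps use the regular query; any other app uses the owner query.
        ParameterizedSparqlString query = endUserApp ? getAuthQuery() : getOwnerAuthQuery();
        if (endUserApp) {
            // mo17getService() looks like a decompiler-generated name for the service accessor.
            query.setIri(SD.endpoint.getLocalName(), getApplication().mo17getService().getSPARQLEndpoint().toString());
        }
        return loadModel(getAdminService(), query, querySolutionMap);
    }

    /**
     * Executes the query on the service's SPARQL client and reads the response as a model.
     *
     * @param service the service to query, must not be {@code null}
     * @param parameterizedSparqlString the query, must not be {@code null}
     * @param querySolutionMap the bindings, must not be {@code null}
     * @return the model read from the response
     * @throws IllegalArgumentException if any argument is {@code null}
     */
    protected Model loadModel(Service service, ParameterizedSparqlString parameterizedSparqlString, QuerySolutionMap querySolutionMap) {
        if (service == null) {
            throw new IllegalArgumentException("Service cannot be null");
        }
        if (parameterizedSparqlString == null) {
            throw new IllegalArgumentException("ParameterizedSparqlString cannot be null");
        }
        if (querySolutionMap == null) {
            throw new IllegalArgumentException("QuerySolutionMap cannot be null");
        }

        SPARQLClient client = service.getSPARQLClient();
        if (client instanceof SesameProtocolClient) {
            // This client takes the bindings as a separate argument, so the query text stays unmodified.
            try (Response response = ((SesameProtocolClient) client).query(parameterizedSparqlString.asQuery(), Model.class, querySolutionMap)) {
                return response.readEntity(Model.class);
            }
        }

        // Other clients get the bindings substituted into the query through ParameterizedSparqlString.
        parameterizedSparqlString.setParams(querySolutionMap);
        try (Response response = service.getSPARQLClient().query(parameterizedSparqlString.asQuery(), Model.class)) {
            return response.readEntity(Model.class);
        }
    }

    /**
     * Returns the first subject in the model that has the given property (and value, if given).
     *
     * @param model the model to search, must not be {@code null}
     * @param property the property to match, must not be {@code null}
     * @param rDFNode the value to match, or {@code null} to match any value
     * @return the first matching subject, or {@code null} if there is none
     * @throws IllegalArgumentException if {@code model} or {@code property} is {@code null}
     */
    protected Resource getResourceByPropertyValue(Model model, Property property, RDFNode rDFNode) {
        if (model == null) {
            throw new IllegalArgumentException("Model cannot be null");
        }
        if (property == null) {
            throw new IllegalArgumentException("Property cannot be null");
        }
        ResIterator subjects = model.listSubjectsWithProperty(property, rDFNode);
        try {
            return subjects.hasNext() ? subjects.next() : null;
        } finally {
            subjects.close();
        }
    }

    /**
     * Returns the service that holds the authorization data: the admin application's service for
     * an end-user app, otherwise the current application's own service.
     *
     * @return the service to run authorization queries against
     */
    protected Service getAdminService() {
        com.atomgraph.linkeddatahub.apps.model.Application current = getApplication();
        if (current.canAs(EndUserApplication.class)) {
            return current.as(EndUserApplication.class).getAdminApplication().mo17getService();
        }
        return current.mo17getService();
    }

    /**
     * Returns the application the current request belongs to, resolved through the injected provider.
     *
     * @return the current application
     */
    public com.atomgraph.linkeddatahub.apps.model.Application getApplication() {
        return this.app.get();
    }

    /**
     * Returns the dataset resolved for the current request, if any.
     *
     * @return the optional dataset
     */
    public Optional<Dataset> getDataset() {
        return this.dataset.get();
    }

    /**
     * Returns the injected system application.
     *
     * @return the system application
     */
    public Application getSystem() {
        return this.system;
    }

    /**
     * Returns a copy of the authorization query template, so that parameters set by one caller
     * never modify the template held by this filter.
     *
     * @return a fresh copy of the authorization query
     */
    public ParameterizedSparqlString getAuthQuery() {
        return this.authQuery.copy();
    }

    /**
     * Returns a copy of the owner authorization query template, so that parameters set by one
     * caller never modify the template held by this filter.
     *
     * @return a fresh copy of the owner authorization query
     */
    public ParameterizedSparqlString getOwnerAuthQuery() {
        return this.ownerAuthQuery.copy();
    }
}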
