package org.mycore.restapi.v2;

import java.util.List;
import java.util.Optional;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import javax.annotation.Priority;
import javax.ws.rs.ForbiddenException;
import javax.ws.rs.Path;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.ResourceInfo;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.core.Response;
import org.apache.logging.log4j.LogManager;
import org.mycore.access.MCRAccessInterface;
import org.mycore.access.MCRAccessManager;
import org.mycore.access.mcrimpl.MCRAccessControlSystem;
import org.mycore.frontend.jersey.access.MCRRequestScopeACL;
import org.mycore.restapi.converter.MCRDetailLevel;

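/**
 * JAX-RS request filter that authorises REST API v2 calls before the resource method runs.
 *
 * <p>Three independent checks are applied, each of which rejects the request with a 403 error response:
 * <ol>
 * <li>the API-level ACLs {@code restapi:/} and {@code restapi:<class-level @Path>},</li>
 * <li>the object or derivate named by the {@code mcrid} / {@code derid} / {@code path} path parameters,</li>
 * <li>the {@code rest-detail-*} privileges for every detail level requested through the Accept header.</li>
 * </ol>
 *
 * <p>Security-relevant properties visible in this class:
 * <ul>
 * <li>{@code OPTIONS} requests pass without any check.</li>
 * <li>Checks 1 and 2 run only when the resource class has a class-level {@link Path}; method-level
 * {@code @Path} values are not part of the ACL ID.</li>
 * <li>A path-specific {@code restapi:} ACL is enforced only if a rule exists for it; without a rule the
 * decision made on {@code restapi:/} stands.</li>
 * </ul>
 */
@Priority(2000) // numeric value of javax.ws.rs.Priorities.AUTHORIZATION
public class MCRRestAuthorizationFilter implements ContainerRequestFilter {
    public static final String PARAM_CLASSID = "classid";
    public static final String PARAM_MCRID = "mcrid";
    public static final String PARAM_DERID = "derid";
    public static final String PARAM_DER_PATH = "path";

    @Context
    ResourceInfo resourceInfo;

    /**
     * Permission classes the filter distinguishes. {@link #toString()} yields the permission name that is
     * handed to the ACL system ({@code read}, {@code writedb}, {@code deletedb}).
     */
    public enum MCRRestAPIACLPermission {
        READ("read"),
        WRITE("writedb"),
        DELETE("deletedb");

        private final String permissionName;

        MCRRestAPIACLPermission(String permissionName) {
            this.permissionName = permissionName;
        }

        @Override
        public String toString() {
            return permissionName;
        }
    }

    /**
     * Checks the API-level ACLs for the given resource path.
     *
     * <p>Access requires the permission on {@code restapi:/}. If a rule is defined for
     * {@code restapi:<path>} that rule must grant the permission as well; if no such rule exists the
     * root decision is final.
     *
     * @param requestContext current request, used to obtain the request-scoped ACL cache
     * @param permission permission derived from the HTTP method
     * @param path value of the class-level {@code @Path}; a leading slash is added for the ACL ID if missing
     * @throws ForbiddenException if either ACL denies the permission
     */
    private void checkRestAPIAccess(ContainerRequestContext requestContext, MCRRestAPIACLPermission permission,
        String path) throws ForbiddenException {
        MCRRequestScopeACL aclProvider = MCRRequestScopeACL.getInstance(requestContext);
        // NOTE(review): this is logged at WARN for every request that reaches the filter, which buries
        // genuine warnings (e.g. denied access) in routine traffic - confirm the level is intended.
        LogManager.getLogger().warn("{}: Checking API access: {}", path, permission);
        String absolutePath = path.startsWith("/") ? path : "/" + path;
        MCRAccessInterface acl = MCRAccessControlSystem.instance();
        String permissionName = permission.toString();
        if (aclProvider.checkPermission("restapi:/", permissionName)) {
            String aclId = "restapi:" + absolutePath;
            // A missing rule is treated as "no further restriction", not as a denial.
            if (!acl.hasRule(aclId, permissionName) || aclProvider.checkPermission(aclId, permissionName)) {
                return;
            }
        }
        throw MCRErrorResponse.fromStatus(Response.Status.FORBIDDEN.getStatusCode())
            .withErrorCode(MCRErrorCodeConstants.API_NO_PERMISSION)
            .withMessage("REST-API action is not allowed.")
            .withDetail("Check access right '" + permission + "' on ACLs 'restapi:/' and 'restapi:" + path + "'!")
            .toException();
    }

    /**
     * Checks the permission on the object or derivate addressed by the request.
     *
     * <p>The derivate ID is checked only when both {@code derId} and {@code path} are present; in every
     * other case the object ID is checked. When there is no ID at all the method returns without a check.
     *
     * @param requestContext current request, used to obtain the request-scoped ACL cache
     * @param permission permission derived from the HTTP method
     * @param objectId value of the {@code mcrid} path parameter, may be {@code null}
     * @param derId value of the {@code derid} path parameter, may be {@code null}
     * @param path value of the {@code path} path parameter, may be {@code null}
     * @throws ForbiddenException if the permission is denied on the checked ID
     */
    private void checkBaseAccess(ContainerRequestContext requestContext, MCRRestAPIACLPermission permission,
        String objectId, String derId, String path) throws ForbiddenException {
        // All three IDs come from the request URI. NOTE(review): they reach the log (and the 403 message
        // below) as received - make sure the log layout neutralises CR/LF, e.g. Log4j's %enc{%m}{CRLF}.
        LogManager.getLogger().debug("Permission: {}, Object: {}, Derivate: {}, Path: {}", permission, objectId,
            derId, path);
        // NOTE(review): a derivate addressed without a path is authorised against the object ID only, and
        // nothing here ties derId to objectId - confirm the resource methods cover both.
        String checkedId = (derId != null && path != null) ? derId : objectId;
        if (checkedId != null) {
            LogManager.getLogger().info("Checking {} access on {}", permission, checkedId);
        }
        MCRRequestScopeACL aclProvider = MCRRequestScopeACL.getInstance(requestContext);
        if (checkedId == null || aclProvider.checkPermission(checkedId, permission.toString())) {
            return;
        }
        if (!checkedId.equals(objectId)) {
            throw MCRErrorResponse.fromStatus(Response.Status.FORBIDDEN.getStatusCode())
                .withErrorCode(MCRErrorCodeConstants.MCRDERIVATE_NO_PERMISSION)
                .withMessage("You do not have " + permission + " permission on MCRDerivate " + derId + ".")
                .toException();
        }
        throw MCRErrorResponse.fromStatus(Response.Status.FORBIDDEN.getStatusCode())
            .withErrorCode(MCRErrorCodeConstants.MCROBJECT_NO_PERMISSION)
            .withMessage("You do not have " + permission + " permission on MCRObject " + objectId + ".")
            .toException();
    }

    /**
     * Checks the {@code rest-detail-<level>} privilege for every requested detail level.
     *
     * <p>A privilege is enforced only if a rule exists for it on {@code POOLPRIVILEGE}; levels without a
     * rule are allowed.
     *
     * @param requestContext current request, used to obtain the request-scoped ACL cache
     * @param detailLevels detail-level values taken from the acceptable media types; elements may be
     *        {@code null} when a media type carries no such parameter
     * @throws ForbiddenException if at least one ruled privilege is denied
     */
    private void checkDetailLevel(ContainerRequestContext requestContext, String... detailLevels)
        throws ForbiddenException {
        MCRRequestScopeACL aclProvider = MCRRequestScopeACL.getInstance(requestContext);
        // A null element becomes the ID "rest-detail-null". It is deliberately not dropped: skipping it
        // would bypass a rule if one were ever defined under that name.
        List<String> deniedPrivileges = Stream.of(detailLevels)
            .map(level -> "rest-detail-" + level)
            .filter(privilege -> MCRAccessManager.hasRule("POOLPRIVILEGE", privilege))
            .filter(privilege -> !aclProvider.checkPermission(privilege))
            .collect(Collectors.toList());
        if (!deniedPrivileges.isEmpty()) {
            throw MCRErrorResponse.fromStatus(Response.Status.FORBIDDEN.getStatusCode())
                .withErrorCode(MCRErrorCodeConstants.API_NO_PERMISSION)
                .withMessage("REST-API action is not allowed.")
                .withDetail("Check access right(s) '" + deniedPrivileges + "' on POOLPRIVILEGE'!")
                .toException();
        }
    }

    /**
     * Maps the HTTP method to a permission and runs the access checks.
     *
     * <p>{@code OPTIONS} returns immediately; {@code GET} and {@code HEAD} need read permission,
     * {@code DELETE} needs delete permission, and every other method - including ones not listed here -
     * is treated as a write.
     *
     * @param containerRequestContext the request being filtered
     * @throws ForbiddenException if one of the checks denies access
     */
    @Override
    public void filter(ContainerRequestContext containerRequestContext) {
        final MCRRestAPIACLPermission permission;
        switch (containerRequestContext.getMethod()) {
            case "OPTIONS":
                // Let through unchecked (presumably for CORS preflight, which carries no credentials).
                return;
            case "GET":
            case "HEAD":
                permission = MCRRestAPIACLPermission.READ;
                break;
            case "DELETE":
                permission = MCRRestAPIACLPermission.DELETE;
                break;
            default:
                // Unknown methods fall into the most restrictive non-delete class rather than READ.
                permission = MCRRestAPIACLPermission.WRITE;
                break;
        }
        // NOTE(review): without a class-level @Path neither the restapi ACLs nor the object/derivate
        // permission is checked and only the detail-level check below applies. Confirm that every
        // resource guarded by this filter is annotated at class level, or fail closed here.
        Path classPath = this.resourceInfo.getResourceClass().getAnnotation(Path.class);
        if (classPath != null) {
            checkRestAPIAccess(containerRequestContext, permission, classPath.value());
            MultivaluedMap<String, String> pathParameters = containerRequestContext.getUriInfo()
                .getPathParameters();
            checkBaseAccess(containerRequestContext, permission, pathParameters.getFirst(PARAM_MCRID),
                pathParameters.getFirst(PARAM_DERID), pathParameters.getFirst(PARAM_DER_PATH));
        }
        String[] requestedDetailLevels = containerRequestContext.getAcceptableMediaTypes()
            .stream()
            .map(mediaType -> mediaType.getParameters().get(MCRDetailLevel.MEDIA_TYPE_PARAMETER))
            .toArray(String[]::new);
        checkDetailLevel(containerRequestContext, requestedDetailLevels);
    }
}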
