package org.fcrepo.auth.webac;

import java.io.IOException;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.security.Principal;
import javax.inject.Inject;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.UriBuilder;
import org.apache.commons.io.IOUtils;
import org.apache.jena.query.QueryParseException;
import org.apache.jena.rdf.model.ModelFactory;
import org.apache.jena.sparql.modify.request.UpdateDataDelete;
import org.apache.jena.sparql.modify.request.UpdateDataInsert;
import org.apache.jena.sparql.modify.request.UpdateModify;
import org.apache.jena.update.UpdateFactory;
import org.apache.jena.update.UpdateRequest;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.SimplePrincipalCollection;
import org.apache.shiro.subject.Subject;
import org.fcrepo.http.api.FedoraLdp;
import org.fcrepo.http.commons.api.rdf.HttpResourceConverter;
import org.fcrepo.http.commons.session.HttpSession;
import org.fcrepo.http.commons.session.SessionFactory;
import org.fcrepo.kernel.api.FedoraSession;
import org.fcrepo.kernel.api.models.FedoraResource;
import org.fcrepo.kernel.api.services.NodeService;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/fcrepo/auth/webac/WebACFilter.class */
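/**
 * Servlet filter that enforces WebAC authorization on every request before it reaches the
 * Fedora HTTP API.
 *
 * <p>The decision is taken from the Shiro {@link Subject} of the current request, the HTTP
 * method and the request URL. Container roles are checked first: {@code fedoraAdmin} bypasses
 * WebAC entirely, an authenticated user without {@code fedoraUser} is refused outright, and an
 * unauthenticated request is evaluated as the public {@code foaf:Agent}. WebAC itself maps the
 * method to a required mode (Read, Write, Append, Control); a request on a resource's ACL
 * ({@code fcr:acl}) always needs Control. Requests that fail are answered with {@code 403} and
 * never reach the rest of the chain. Methods this filter does not model are denied.
 *
 * <p>A {@code PATCH} carrying SPARQL Update is wrapped in a replayable request so that its body
 * can be inspected here (an Append-only agent may only add data) and still be read downstream.
 *
 * <p>Thread-safety: the container shares one filter instance across requests; the lazily built
 * internal session and FOAF agent subject are created under {@code synchronized}.
 */
public class WebACFilter implements Filter {

    private static final Logger log = LoggerFactory.getLogger(WebACFilter.class);

    /** The only PATCH body this filter can inspect for authorization purposes. */
    private static final MediaType sparqlUpdate = MediaType.valueOf("application/sparql-update");

    /** Suffix of a request URL that addresses a resource's ACL rather than the resource. */
    private static final String ACL_SUFFIX = "fcr:acl";

    /** Container role that bypasses WebAC altogether. */
    private static final String ROLE_ADMIN = "fedoraAdmin";

    /** Container role required for an authenticated user to be evaluated by WebAC. */
    private static final String ROLE_USER = "fedoraUser";

    /** Principal representing the public agent used for unauthenticated requests. */
    private static final Principal FOAF_AGENT_PRINCIPAL = new Principal() {
        @Override
        public String getName() {
            return URIConstants.FOAF_AGENT_VALUE;
        }

        @Override
        public String toString() {
            return getName();
        }
    };

    private static final PrincipalCollection FOAF_AGENT_PRINCIPAL_COLLECTION =
            new SimplePrincipalCollection(FOAF_AGENT_PRINCIPAL, WebACAuthorizingRealm.class.getCanonicalName());

    // Built lazily because Subject.Builder needs a SecurityManager, which may not be
    // installed yet when this class is loaded.
    private static Subject FOAF_AGENT_SUBJECT;

    @Inject
    private NodeService nodeService;

    @Inject
    private SessionFactory sessionFactory;

    // Internal (privileged) session used for existence/type lookups; created on first use.
    private FedoraSession session;

    @Override
    public void init(final FilterConfig filterConfig) {
        // Nothing to configure; dependencies arrive through injection.
    }

    /**
     * Authorizes the request and either forwards it down the chain or answers {@code 403}.
     *
     * @param servletRequest the incoming request, expected to be an {@link HttpServletRequest}
     * @param servletResponse the response, expected to be an {@link HttpServletResponse}
     * @param filterChain the remainder of the chain, invoked only on success
     * @throws IOException if the SPARQL body cannot be read or the error cannot be sent
     * @throws ServletException propagated from the rest of the chain
     */
    @Override
    public void doFilter(final ServletRequest servletRequest, final ServletResponse servletResponse,
                         final FilterChain filterChain) throws IOException, ServletException {
        final Subject subject = SecurityUtils.getSubject();
        final HttpServletResponse httpResponse = (HttpServletResponse) servletResponse;
        HttpServletRequest httpRequest = (HttpServletRequest) servletRequest;
        // The SPARQL body may be consumed by isPatchContentPermitted() and must still be
        // readable by the resource handler, so wrap it before any authorization work starts.
        if (isSparqlUpdate(httpRequest)) {
            httpRequest = new CachedSparqlRequest(httpRequest);
        }
        if (!isRequestAllowed(subject, httpRequest)) {
            httpResponse.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        filterChain.doFilter(httpRequest, servletResponse);
    }

    /**
     * Applies the container-role gate and then WebAC.
     *
     * @return true when the request may proceed
     */
    private boolean isRequestAllowed(final Subject subject, final HttpServletRequest request)
            throws IOException {
        if (!subject.isAuthenticated()) {
            log.debug("User is NOT authenticated");
            return isAuthorized(getFoafAgentSubject(), request);
        }
        log.debug("User is authenticated");
        if (subject.hasRole(ROLE_ADMIN)) {
            log.debug("User has fedoraAdmin role");
            return true;
        }
        if (!subject.hasRole(ROLE_USER)) {
            log.debug("User has no recognized servlet container role");
            return false;
        }
        log.debug("User has fedoraUser role");
        return isAuthorized(subject, request);
    }

    /** Returns the shared Subject that stands in for an unauthenticated caller. */
    private static synchronized Subject getFoafAgentSubject() {
        if (FOAF_AGENT_SUBJECT == null) {
            FOAF_AGENT_SUBJECT = new Subject.Builder().principals(FOAF_AGENT_PRINCIPAL_COLLECTION).buildSubject();
        }
        return FOAF_AGENT_SUBJECT;
    }

    @Override
    public void destroy() {
        // NOTE(review): the lazily acquired internal session is never released here; whether
        // SessionFactory expects callers to close it cannot be told from this file - confirm.
    }

    /** Returns the internal session, acquiring it from the factory on first use. */
    private synchronized FedoraSession session() {
        if (this.session == null) {
            this.session = this.sessionFactory.getInternalSession();
        }
        return this.session;
    }

    /**
     * Derives the servlet's base URL by stripping the path info from the request URL.
     *
     * @return the request URL without its path-info suffix, or the whole URL when there is no
     *         path info or it is not a literal suffix of the URL
     */
    private String getBaseURL(final HttpServletRequest request) {
        final String requestUrl = request.getRequestURL().toString();
        final String pathInfo = request.getPathInfo();
        String baseUrl = requestUrl;
        if (pathInfo != null) {
            final int cut = requestUrl.lastIndexOf(pathInfo);
            // lastIndexOf() is -1 when the container's (decoded) pathInfo does not occur verbatim
            // in the URL; substring(0, -1) would throw, so keep the full URL in that case.
            if (cut >= 0) {
                baseUrl = requestUrl.substring(0, cut);
            }
        }
        log.debug("Base URL determined from servlet request is {}", baseUrl);
        return baseUrl;
    }

    /** Loads the repository resource addressed by the request via the internal session. */
    private FedoraResource resource(final HttpServletRequest request) {
        return (FedoraResource) this.nodeService.find(session(), getRepoPath(request));
    }

    /** Checks, via the internal session, whether the addressed resource already exists. */
    private boolean resourceExists(final HttpServletRequest request) {
        return this.nodeService.exists(session(), getRepoPath(request));
    }

    /** Translates the request URL into a repository path using the HTTP resource converter. */
    private String getRepoPath(final HttpServletRequest request) {
        final String requestUrl = request.getRequestURL().toString();
        final HttpResourceConverter converter = new HttpResourceConverter(
                new HttpSession(session()),
                UriBuilder.fromUri(getBaseURL(request)).path(FedoraLdp.class));
        final String repoPath = converter.asString(ModelFactory.createDefaultModel().createResource(requestUrl));
        log.debug("Converted request URI {} to repo path {}", requestUrl, repoPath);
        return repoPath;
    }

    /**
     * Evaluates the WebAC mode required by the request's method against the subject.
     *
     * <p>Read methods need Read; PUT/POST need Write, or Append under the rules that apply to
     * creating new content; DELETE needs Write; PATCH needs Write, or Append when the SPARQL
     * body only adds data. Any method on an {@code fcr:acl} URL needs Control. A method not
     * listed here is denied.
     *
     * @param subject the Shiro subject to check permissions for
     * @param request the (possibly wrapped) request
     * @return true when the subject holds the required permission
     * @throws IOException if the SPARQL body of a PATCH cannot be read
     */
    private boolean isAuthorized(final Subject subject, final HttpServletRequest request) throws IOException {
        final String requestUrl = request.getRequestURL().toString();
        final boolean isAcl = requestUrl.endsWith(ACL_SUFFIX);
        final URI requestUri = URI.create(requestUrl);
        log.debug("Request URI is {}", requestUri);
        final WebACPermission read = new WebACPermission(URIConstants.WEBAC_MODE_READ, requestUri);
        final WebACPermission write = new WebACPermission(URIConstants.WEBAC_MODE_WRITE, requestUri);
        final WebACPermission append = new WebACPermission(URIConstants.WEBAC_MODE_APPEND, requestUri);
        final WebACPermission control = new WebACPermission(URIConstants.WEBAC_MODE_CONTROL, requestUri);
        final String method = request.getMethod();
        switch (method) {
            case "OPTIONS":
            case "HEAD":
            case "GET":
                return isReadAllowed(subject, isAcl, read, control);
            case "PUT":
                return isPutAllowed(subject, request, isAcl, write, append, control);
            case "POST":
                return isPostAllowed(subject, request, write, append);
            case "DELETE":
                return isDeleteAllowed(subject, isAcl, write, control);
            case "PATCH":
                return isPatchAllowed(subject, request, isAcl, write, append, control);
            default:
                // Deny by default: a method without an explicit rule must not pass by omission.
                log.debug("Method {} is not handled by WebAC; denying", method);
                return false;
        }
    }

    /** Shared Control check for requests addressing an ACL; logs with the caller's messages. */
    private static boolean isControlPermitted(final Subject subject, final WebACPermission control,
                                              final String allowedMessage, final String deniedMessage) {
        if (subject.isPermitted(control)) {
            log.debug(allowedMessage, control);
            return true;
        }
        log.debug(deniedMessage, control);
        return false;
    }

    /** OPTIONS/HEAD/GET: Read on a resource, Control on its ACL. */
    private static boolean isReadAllowed(final Subject subject, final boolean isAcl,
                                         final WebACPermission read, final WebACPermission control) {
        if (!isAcl) {
            return subject.isPermitted(read);
        }
        return isControlPermitted(subject, control,
                "GET allowed by {} permission", "GET prohibited without {} permission");
    }

    /** PUT: Control on an ACL; otherwise Write, or Append when the resource does not yet exist. */
    private boolean isPutAllowed(final Subject subject, final HttpServletRequest request, final boolean isAcl,
                                 final WebACPermission write, final WebACPermission append,
                                 final WebACPermission control) {
        if (isAcl) {
            return isControlPermitted(subject, control,
                    "PUT allowed by {} permission", "PUT prohibited without {} permission");
        }
        if (subject.isPermitted(write)) {
            log.debug("PUT allowed by {} permission", write);
            return true;
        }
        if (resourceExists(request)) {
            log.debug("PUT prohibited to existing resource without {} permission", write);
            return false;
        }
        // The Append permission on a not-yet-existing URI is resolved through its parents.
        log.debug("Resource doesn't exist; checking parent resources for acl:Append permission");
        if (subject.isPermitted(append)) {
            log.debug("PUT allowed for new resource by inherited {} permission", append);
            return true;
        }
        log.debug("PUT prohibited for new resource without inherited {} permission", append);
        return false;
    }

    /** POST: Write; or Append on an existing non-binary (container) resource. */
    private boolean isPostAllowed(final Subject subject, final HttpServletRequest request,
                                  final WebACPermission write, final WebACPermission append) {
        if (subject.isPermitted(write)) {
            log.debug("POST allowed by {} permission", write);
            return true;
        }
        if (!resourceExists(request)) {
            log.debug("POST prohibited to non-existent resource without {} permission", write);
            return false;
        }
        if (resource(request).hasType("fedora:Binary")) {
            log.debug("POST prohibited to binary resource without {} permission", write);
            return false;
        }
        if (subject.isPermitted(append)) {
            log.debug("POST allowed to container by {} permission", append);
            return true;
        }
        log.debug("POST prohibited to container without {} permission", append);
        return false;
    }

    /** DELETE: Write on a resource, Control on its ACL. */
    private static boolean isDeleteAllowed(final Subject subject, final boolean isAcl,
                                           final WebACPermission write, final WebACPermission control) {
        if (!isAcl) {
            return subject.isPermitted(write);
        }
        return isControlPermitted(subject, control,
                "DELETE allowed by {} permission", "DELETE prohibited without {} permission");
    }

    /** PATCH: Control on an ACL; otherwise Write, or Append when the body only adds data. */
    private boolean isPatchAllowed(final Subject subject, final HttpServletRequest request, final boolean isAcl,
                                   final WebACPermission write, final WebACPermission append,
                                   final WebACPermission control) throws IOException {
        if (isAcl) {
            return isControlPermitted(subject, control,
                    "PATCH allowed by {} permission", "PATCH prohibited without {} permission");
        }
        if (subject.isPermitted(write)) {
            return true;
        }
        if (subject.isPermitted(append)) {
            return isPatchContentPermitted(request);
        }
        return false;
    }

    /**
     * Decides whether an Append-only subject may apply this PATCH by inspecting its body.
     *
     * <p>Only SPARQL Update bodies can be inspected; anything else is refused. A body that does
     * not parse is refused as well (fail closed).
     *
     * @throws IOException if the body cannot be read
     */
    private boolean isPatchContentPermitted(final HttpServletRequest request) throws IOException {
        if (!isSparqlUpdate(request)) {
            log.debug("Cannot verify authorization on NON-SPARQL Patch request.");
            return false;
        }
        // The Servlet API is not expected to hand back null here; the guard is kept as in the
        // original behaviour.
        if (request.getInputStream() == null) {
            log.debug("Authorizing SPARQL request with no content.");
            return true;
        }
        try {
            final String body = IOUtils.toString(request.getInputStream(), StandardCharsets.UTF_8);
            return isAppendOnlyUpdate(body);
        } catch (final QueryParseException e) {
            log.error("Cannot verify authorization! Exception while inspecting SPARQL query!", e);
            return false;
        }
    }

    /**
     * Returns true only when every operation in the SPARQL Update is one an Append-only agent
     * may perform: {@code INSERT DATA}, a {@code DELETE DATA} with no quads, or a
     * {@code INSERT ... WHERE} whose DELETE clause is absent or empty.
     *
     * <p>Every other operation kind - including ones this filter does not model, such as
     * {@code DELETE WHERE}, {@code CLEAR} or {@code DROP} - is treated as removing data, so the
     * caller falls back to requiring Write. Deny-by-default is deliberate: an operation the
     * filter does not recognise must not be authorised by omission.
     *
     * @param sparql the request body
     * @throws QueryParseException if the body is not valid SPARQL Update
     */
    private boolean isAppendOnlyUpdate(final String sparql) {
        final UpdateRequest updateRequest = UpdateFactory.create(sparql);
        return updateRequest.getOperations().stream().allMatch(op -> {
            if (op instanceof UpdateDataInsert) {
                return true;
            }
            if (op instanceof UpdateDataDelete) {
                return ((UpdateDataDelete) op).getQuads().isEmpty();
            }
            if (op instanceof UpdateModify) {
                log.debug("Inspecting update statement for DELETE clause: {}", op.toString());
                final UpdateModify modify = (UpdateModify) op;
                return !modify.hasDeleteClause() || modify.getDeleteQuads().isEmpty();
            }
            log.debug("SPARQL update operation {} is not append-only", op.getClass().getSimpleName());
            return false;
        });
    }

    /** True for a PATCH whose Content-Type is compatible with application/sparql-update. */
    private boolean isSparqlUpdate(final HttpServletRequest request) {
        if (!"PATCH".equals(request.getMethod())) {
            return false;
        }
        try {
            return sparqlUpdate.isCompatible(MediaType.valueOf(request.getContentType()));
        } catch (final IllegalArgumentException e) {
            // A missing or unparseable Content-Type is simply not SPARQL Update.
            return false;
        }
    }
}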
