package org.fcrepo.auth.webac;

import java.net.URI;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.function.Function;
import java.util.function.Predicate;
import java.util.stream.Collectors;
import java.util.stream.IntStream;
import java.util.stream.Stream;
import javax.inject.Inject;
import javax.jcr.RepositoryException;
import org.apache.jena.graph.Node;
import org.apache.jena.graph.NodeFactory;
import org.apache.jena.graph.Triple;
import org.apache.jena.rdf.model.Resource;
import org.fcrepo.http.api.FedoraAcl;
import org.fcrepo.http.commons.session.SessionFactory;
import org.fcrepo.kernel.api.FedoraSession;
import org.fcrepo.kernel.api.RequiredRdfContext;
import org.fcrepo.kernel.api.exception.RepositoryRuntimeException;
import org.fcrepo.kernel.api.identifiers.IdentifierConverter;
import org.fcrepo.kernel.api.models.FedoraResource;
import org.fcrepo.kernel.api.services.NodeService;
import org.fcrepo.kernel.modeshape.FedoraSessionImpl;
import org.fcrepo.kernel.modeshape.rdf.impl.DefaultIdentifierTranslator;
import org.fcrepo.kernel.modeshape.utils.FedoraTypesUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/fcrepo/auth/webac/WebACRolesProvider.class */
public class WebACRolesProvider {
    public static final String GROUP_AGENT_BASE_URI_PROPERTY = "fcrepo.auth.webac.groupAgent.baseUri";
    private static final String FEDORA_INTERNAL_PREFIX = "info:fedora";
    private static final String JCR_VERSIONABLE_UUID_PROPERTY = "jcr:versionableUuid";

    @Inject
    private NodeService nodeService;

    @Inject
    private SessionFactory sessionFactory;
    private static final Logger LOGGER = LoggerFactory.getLogger(WebACRolesProvider.class);
    private static final Node RDF_TYPE_NODE = NodeFactory.createURI("http://www.w3.org/1999/02/22-rdf-syntax-ns#type");
    private static final Node VCARD_GROUP_NODE = NodeFactory.createURI(URIConstants.VCARD_GROUP_VALUE);
    private static final Node VCARD_MEMBER_NODE = NodeFactory.createURI(URIConstants.VCARD_MEMBER_VALUE);
    private static final Function<List<String>, Predicate<WebACAuthorization>> accessToClass = list -> {
        return webACAuthorization -> {
            return list.stream().anyMatch(str -> {
                return webACAuthorization.getAccessToClassURIs().contains(str);
            });
        };
    };
    private static final Function<List<String>, Predicate<WebACAuthorization>> accessTo = list -> {
        return webACAuthorization -> {
            return list.stream().anyMatch(str -> {
                return webACAuthorization.getAccessToURIs().contains(str);
            });
        };
    };
    private static final Predicate<Triple> hasAclPredicate = triple -> {
        return triple.getPredicate().getNameSpace().equals(URIConstants.WEBAC_NAMESPACE_VALUE);
    };

    public Map<String, Collection<String>> getRoles(javax.jcr.Node node) {
        try {
            return getAgentRoles((FedoraResource) this.nodeService.find(new FedoraSessionImpl(node.getSession()), node.getPath()));
        } catch (RepositoryException e) {
            throw new RepositoryRuntimeException(e);
        }
    }

    /* JADX WARN: Multi-variable type inference failed */
    private Map<String, Collection<String>> getAgentRoles(FedoraResource fedoraResource) {
        LOGGER.debug("Getting agent roles for: {}", fedoraResource.getPath());
        Optional<ACLHandle> effectiveAcl = getEffectiveAcl(fedoraResource, false, this.sessionFactory);
        ArrayList arrayList = new ArrayList();
        arrayList.add(FEDORA_INTERNAL_PREFIX + fedoraResource.getPath());
        List types = fedoraResource.getTypes();
        effectiveAcl.map(aCLHandle -> {
            return aCLHandle.resource;
        }).filter(fedoraResource2 -> {
            return !fedoraResource2.getPath().equals(fedoraResource.getPath());
        }).ifPresent(fedoraResource3 -> {
            arrayList.add(FEDORA_INTERNAL_PREFIX + fedoraResource3.getPath());
            types.addAll(fedoraResource3.getTypes());
        });
        if (!effectiveAcl.isPresent()) {
            arrayList.addAll(getAllPathAncestors(fedoraResource.getPath()));
        }
        Predicate<WebACAuthorization> apply = accessTo.apply(arrayList);
        Predicate<? super WebACAuthorization> predicate = (Predicate) accessToClass.apply(types.stream().map((v0) -> {
            return v0.toString();
        }).collect(Collectors.toList()));
        List list = (List) effectiveAcl.map(aCLHandle2 -> {
            return aCLHandle2.authorizations;
        }).orElseGet(() -> {
            return getDefaultAuthorizations();
        });
        HashMap hashMap = new HashMap();
        list.stream().filter(apply.or(predicate)).forEach(webACAuthorization -> {
            Stream.concat(webACAuthorization.getAgents().stream(), dereferenceAgentGroups(webACAuthorization.getAgentGroups()).stream()).filter(str -> {
                return (str.equals(URIConstants.FOAF_AGENT_VALUE) || str.equals(URIConstants.WEBAC_AUTHENTICATED_AGENT_VALUE)) ? false : true;
            }).forEach(str2 -> {
                ((Collection) hashMap.computeIfAbsent(str2, str2 -> {
                    return new HashSet();
                })).addAll((Collection) webACAuthorization.getModes().stream().map((v0) -> {
                    return v0.toString();
                }).collect(Collectors.toSet()));
            });
            webACAuthorization.getAgentClasses().stream().filter(str3 -> {
                return str3.equals(URIConstants.FOAF_AGENT_VALUE) || str3.equals(URIConstants.WEBAC_AUTHENTICATED_AGENT_VALUE);
            }).forEach(str4 -> {
                ((Collection) hashMap.computeIfAbsent(str4, str4 -> {
                    return new HashSet();
                })).addAll((Collection) webACAuthorization.getModes().stream().map((v0) -> {
                    return v0.toString();
                }).collect(Collectors.toSet()));
            });
        });
        LOGGER.debug("Unfiltered ACL: {}", hashMap);
        return hashMap;
    }

    private static List<String> getAllPathAncestors(String str) {
        List asList = Arrays.asList(str.split("/"));
        return (List) IntStream.range(1, asList.size()).mapToObj(i -> {
            return "info:fedora/" + String.join("/", asList.subList(1, i));
        }).collect(Collectors.toList());
    }

    private List<String> dereferenceAgentGroups(Collection<String> collection) {
        FedoraSession internalSession = this.sessionFactory.getInternalSession();
        DefaultIdentifierTranslator defaultIdentifierTranslator = new DefaultIdentifierTranslator(FedoraSessionImpl.getJcrSession(internalSession));
        List<String> list = (List) collection.stream().flatMap(str -> {
            if (str.startsWith(FEDORA_INTERNAL_PREFIX)) {
                int indexOf = str.indexOf("#");
                return getAgentMembers(defaultIdentifierTranslator, (FedoraResource) this.nodeService.find(internalSession, (indexOf > 0 ? str.substring(0, indexOf) : str).substring(FEDORA_INTERNAL_PREFIX.length())), indexOf > 0 ? str.substring(indexOf) : null);
            }
            if (str.equals(URIConstants.FOAF_AGENT_VALUE)) {
                return Stream.of(str);
            }
            LOGGER.info("Ignoring agentGroup: {}", str);
            return Stream.empty();
        }).collect(Collectors.toList());
        if (LOGGER.isDebugEnabled() && !collection.isEmpty()) {
            LOGGER.debug("Found {} members in {} agentGroups resources", Integer.valueOf(list.size()), Integer.valueOf(collection.size()));
        }
        return list;
    }

    private static Stream<String> getAgentMembers(IdentifierConverter<Resource, FedoraResource> identifierConverter, FedoraResource fedoraResource, String str) {
        List list = (List) fedoraResource.getTriples(identifierConverter, RequiredRdfContext.PROPERTIES).filter(triple -> {
            return str == null || triple.getSubject().getURI().endsWith(str);
        }).collect(Collectors.toList());
        return list.stream().anyMatch(triple2 -> {
            return triple2.matches(triple2.getSubject(), RDF_TYPE_NODE, VCARD_GROUP_NODE);
        }) ? list.stream().filter(triple3 -> {
            return triple3.predicateMatches(VCARD_MEMBER_NODE);
        }).map((v0) -> {
            return v0.getObject();
        }).flatMap(WebACRolesProvider::nodeToStringStream).map(WebACRolesProvider::stripUserAgentBaseURI) : Stream.empty();
    }

    private static String stripUserAgentBaseURI(String str) {
        String property = System.getProperty("fcrepo.auth.webac.userAgent.baseUri");
        return (property == null || !str.startsWith(property)) ? str : str.substring(property.length());
    }

    private static Stream<String> nodeToStringStream(Node node) {
        return node.isURI() ? Stream.of(node.getURI()) : node.isLiteral() ? Stream.of(node.getLiteralValue().toString()) : Stream.empty();
    }

    private static List<WebACAuthorization> getAuthorizations(FedoraResource fedoraResource, boolean z, SessionFactory sessionFactory) {
        FedoraSession internalSession = sessionFactory.getInternalSession();
        ArrayList arrayList = new ArrayList();
        DefaultIdentifierTranslator defaultIdentifierTranslator = new DefaultIdentifierTranslator(FedoraSessionImpl.getJcrSession(internalSession));
        if (LOGGER.isDebugEnabled()) {
            LOGGER.debug("ACL: {}", fedoraResource.getPath());
        }
        if (fedoraResource.isAcl()) {
            List list = (List) fedoraResource.getTriples(defaultIdentifierTranslator, RequiredRdfContext.PROPERTIES).collect(Collectors.toList());
            Set set = (Set) list.stream().filter(triple -> {
                return triple.getPredicate().getURI().equals("http://www.w3.org/1999/02/22-rdf-syntax-ns#type") && triple.getObject().getURI().equals(URIConstants.WEBAC_AUTHORIZATION_VALUE);
            }).map(triple2 -> {
                return triple2.getSubject();
            }).collect(Collectors.toSet());
            HashMap hashMap = new HashMap();
            list.stream().filter(hasAclPredicate).forEach(triple3 -> {
                if (set.contains(triple3.getSubject())) {
                    Map map = (Map) hashMap.computeIfAbsent(triple3.getSubject().getURI(), str -> {
                        return new HashMap();
                    });
                    String uri = triple3.getPredicate().getURI();
                    List list2 = (List) map.computeIfAbsent(uri, str2 -> {
                        return new ArrayList();
                    });
                    Stream<String> nodeToStringStream = nodeToStringStream(triple3.getObject());
                    list2.getClass();
                    nodeToStringStream.forEach((v1) -> {
                        r1.add(v1);
                    });
                    if (uri.equals(URIConstants.WEBAC_AGENT_VALUE)) {
                        Stream<String> additionalAgentValues = additionalAgentValues(triple3.getObject());
                        list2.getClass();
                        additionalAgentValues.forEach((v1) -> {
                            r1.add(v1);
                        });
                    }
                }
            });
            if (LOGGER.isDebugEnabled()) {
                LOGGER.debug("Adding acl:Authorization from {}", fedoraResource.getPath());
            }
            hashMap.values().forEach(map -> {
                WebACAuthorization createAuthorizationFromMap = createAuthorizationFromMap(map);
                if (!z || createAuthorizationFromMap.getDefaults().size() > 0) {
                    arrayList.add(createAuthorizationFromMap);
                }
            });
        }
        return arrayList;
    }

    private static WebACAuthorization createAuthorizationFromMap(Map<String, List<String>> map) {
        return new WebACAuthorization(map.getOrDefault(URIConstants.WEBAC_AGENT_VALUE, Collections.emptyList()), map.getOrDefault(URIConstants.WEBAC_AGENT_CLASS_VALUE, Collections.emptyList()), (Collection) map.getOrDefault(URIConstants.WEBAC_MODE_VALUE, Collections.emptyList()).stream().map(URI::create).collect(Collectors.toList()), map.getOrDefault(URIConstants.WEBAC_ACCESSTO_VALUE, Collections.emptyList()), map.getOrDefault(URIConstants.WEBAC_ACCESSTO_CLASS_VALUE, Collections.emptyList()), map.getOrDefault(URIConstants.WEBAC_AGENT_GROUP_VALUE, Collections.emptyList()), map.getOrDefault(URIConstants.WEBAC_DEFAULT_VALUE, Collections.emptyList()));
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public static Optional<ACLHandle> getEffectiveAcl(FedoraResource fedoraResource, boolean z, SessionFactory sessionFactory) {
        try {
            FedoraResource acl = fedoraResource.getAcl();
            if (acl != null) {
                List<WebACAuthorization> authorizations = getAuthorizations(acl, z, sessionFactory);
                if (authorizations.size() > 0) {
                    return Optional.of(new ACLHandle(fedoraResource, authorizations));
                }
            }
            if (FedoraTypesUtils.getJcrNode(fedoraResource).getDepth() == 0) {
                LOGGER.debug("No ACLs defined on this node or in parent hierarchy");
                return Optional.empty();
            }
            LOGGER.trace("Checking parent resource for ACL. No ACL found at {}", fedoraResource.getPath());
            return getEffectiveAcl(fedoraResource.getContainer(), true, sessionFactory);
        } catch (RepositoryException e) {
            LOGGER.debug("Exception finding effective ACL: {}", e.getMessage());
            return Optional.empty();
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static List<WebACAuthorization> getDefaultAuthorizations() {
        HashMap hashMap = new HashMap();
        ArrayList arrayList = new ArrayList();
        FedoraAcl.getDefaultAcl((String) null).listStatements().mapWith((v0) -> {
            return v0.asTriple();
        }).forEachRemaining(triple -> {
            if (hasAclPredicate.test(triple)) {
                String uri = triple.getPredicate().getURI();
                List list = (List) hashMap.computeIfAbsent(uri, str -> {
                    return new ArrayList();
                });
                Stream<String> nodeToStringStream = nodeToStringStream(triple.getObject());
                list.getClass();
                nodeToStringStream.forEach((v1) -> {
                    r1.add(v1);
                });
                if (uri.equals(URIConstants.WEBAC_AGENT_VALUE)) {
                    Stream<String> additionalAgentValues = additionalAgentValues(triple.getObject());
                    list.getClass();
                    additionalAgentValues.forEach((v1) -> {
                        r1.add(v1);
                    });
                }
            }
        });
        arrayList.add(createAuthorizationFromMap(hashMap));
        return arrayList;
    }

    private static Stream<String> additionalAgentValues(Node node) {
        String property = System.getProperty(GROUP_AGENT_BASE_URI_PROPERTY);
        String property2 = System.getProperty("fcrepo.auth.webac.userAgent.baseUri");
        if (node.isURI()) {
            String uri = node.getURI();
            if (property2 != null && uri.startsWith(property2)) {
                return Stream.of(uri.substring(property2.length()));
            }
            if (property != null && uri.startsWith(property)) {
                return Stream.of(uri.substring(property.length()));
            }
        }
        return Stream.empty();
    }
}
