package ca.uhn.fhir.rest.server.interceptor.auth;

import ca.uhn.fhir.context.FhirContext;
import ca.uhn.fhir.context.RuntimeResourceDefinition;
import ca.uhn.fhir.rest.api.RequestTypeEnum;
import ca.uhn.fhir.rest.api.RestOperationTypeEnum;
import ca.uhn.fhir.rest.method.RequestDetails;
import ca.uhn.fhir.rest.server.exceptions.InvalidRequestException;
import ca.uhn.fhir.rest.server.interceptor.auth.AuthorizationInterceptor;
import ca.uhn.fhir.util.BundleUtil;
import ca.uhn.fhir.util.FhirTerser;
import java.util.Collection;
import java.util.Iterator;
import java.util.Set;
import org.hl7.fhir.instance.model.api.IBaseBundle;
import org.hl7.fhir.instance.model.api.IBaseResource;
import org.hl7.fhir.instance.model.api.IIdType;

/* loaded from: input_file:ca/uhn/fhir/rest/server/interceptor/auth/RuleImplOp.class */
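/**
 * A single authorization rule that is matched against a REST operation in three stages:
 * the rule's operation ({@link RuleOpEnum}), the resource types it applies to
 * ({@link AppliesTypeEnum}) and an optional compartment classifier ({@link ClassifierTypeEnum}).
 *
 * <p>{@link #applyRule} returns {@code null} when the rule does not apply, so a {@code null}
 * result means "no decision from this rule", not "allowed".
 *
 * <p>The op, applies-to and classifier fields are plain mutable fields with no defaults. They must
 * be set before {@link #applyRule} is called; switching on an unset enum field throws
 * {@link NullPointerException}.
 */
class RuleImplOp extends BaseRule implements IAuthRule {
    private AppliesTypeEnum myAppliesTo;
    private Set<?> myAppliesToTypes;
    private String myClassifierCompartmentName;
    private Collection<? extends IIdType> myClassifierCompartmentOwners;
    private ClassifierTypeEnum myClassifierType;
    private RuleOpEnum myOp;
    // Stored and exposed through the accessor pair below; applyRule in this class never reads it.
    private TransactionAppliesToEnum myTransactionAppliesToOp;

    public RuleImplOp(String str) {
        super(str);
    }

    /**
     * Evaluates this rule against one operation.
     *
     * @param restOperationTypeEnum the REST operation being performed
     * @param requestDetails the request; only used here to reach the server's {@link FhirContext}
     * @param iBaseResource the resource carried by the request (consulted by the WRITE, DELETE and
     *        BATCH/TRANSACTION cases), may be {@code null}
     * @param iIdType the id targeted by the request (consulted by the WRITE case), may be {@code null}
     * @param iBaseResource2 the resource being returned (consulted by the READ case and by the
     *        response side of BATCH/TRANSACTION), may be {@code null}
     * @param iRuleApplier applies the full rule list to individual bundle entries
     * @return the verdict for this rule, or {@code null} when the rule does not apply
     * @throws InvalidRequestException for a transaction entry whose request type is not GET, POST
     *         or PUT, or whose resource is a Parameters or Bundle
     * @throws IllegalStateException when the op, applies-to or classifier value is not handled
     */
    @Override // ca.uhn.fhir.rest.server.interceptor.auth.IAuthRule
    public AuthorizationInterceptor.Verdict applyRule(RestOperationTypeEnum restOperationTypeEnum, RequestDetails requestDetails, IBaseResource iBaseResource, IIdType iIdType, IBaseResource iBaseResource2, IRuleApplier iRuleApplier) {
        FhirContext fhirContext = requestDetails.getServer().getFhirContext();
        IBaseResource appliesToResource;
        IIdType appliesToId = null;

        // Stage 1: does the rule's operation match, and which resource/id is being judged?
        switch (this.myOp) {
            case READ:
                if (iBaseResource2 == null) {
                    return null;
                }
                appliesToResource = iBaseResource2;
                break;
            case WRITE:
                // NOTE(review): this case does not look at restOperationTypeEnum; it matches whenever
                // a request resource or id is supplied. It therefore relies on the caller passing
                // those only for write-type operations - confirm against the interceptor.
                if (iBaseResource == null && iIdType == null) {
                    return null;
                }
                appliesToResource = iBaseResource;
                appliesToId = iIdType;
                break;
            case DELETE:
                if (restOperationTypeEnum != RestOperationTypeEnum.DELETE) {
                    return null;
                }
                if (iBaseResource == null) {
                    // NOTE(review): with no resource supplied the verdict is returned before the
                    // type and compartment stages run, so a type- or compartment-scoped DELETE rule
                    // matches every delete on this path. Confirm the caller always supplies the
                    // resource being deleted when scoping matters.
                    return newVerdict();
                }
                appliesToResource = iBaseResource;
                break;
            case BATCH:
            case TRANSACTION:
                if (iBaseResource != null && requestAppliesToTransaction(fhirContext, this.myOp, iBaseResource)) {
                    // A DENY rule rejects the whole bundle without looking at its entries.
                    if (getMode() == PolicyEnum.DENY) {
                        return new AuthorizationInterceptor.Verdict(PolicyEnum.DENY, this);
                    }
                    return applyRulesToRequestEntries(fhirContext, requestDetails, (IBaseBundle) iBaseResource, iRuleApplier);
                }
                if (iBaseResource2 == null) {
                    return null;
                }
                // NOTE(review): this path is taken because a response resource is present, yet the
                // entries enumerated are those of the request resource, which at this point is
                // either null or not a bundle of the matching type. Confirm whether the response
                // bundle was intended; behaviour is preserved here as found.
                return applyReadRulesToEntries(fhirContext, requestDetails, (IBaseBundle) iBaseResource, iRuleApplier);
            case ALLOW_ALL:
                return new AuthorizationInterceptor.Verdict(PolicyEnum.ALLOW, this);
            case DENY_ALL:
                return new AuthorizationInterceptor.Verdict(PolicyEnum.DENY, this);
            case METADATA:
                if (restOperationTypeEnum == RestOperationTypeEnum.METADATA) {
                    return newVerdict();
                }
                return null;
            default:
                throw new IllegalStateException("Unable to apply security to event of type " + restOperationTypeEnum);
        }

        // Stage 2: restrict by resource type. Membership is by exact implementing class.
        switch (this.myAppliesTo) {
            case ALL_RESOURCES:
                break;
            case TYPES:
                if (appliesToResource != null && !this.myAppliesToTypes.contains(appliesToResource.getClass())) {
                    return null;
                }
                if (appliesToId != null) {
                    Class<?> idResourceClass = fhirContext.getResourceDefinition(appliesToId.getResourceType()).getImplementingClass();
                    if (!this.myAppliesToTypes.contains(idResourceClass)) {
                        return null;
                    }
                }
                break;
            default:
                throw new IllegalStateException("Unable to apply security to event of applies to type " + this.myAppliesTo);
        }

        // Stage 3: restrict by compartment membership.
        switch (this.myClassifierType) {
            case ANY_ID:
                break;
            case IN_COMPARTMENT:
                FhirTerser terser = fhirContext.newTerser();
                boolean inCompartment = false;
                // Stop at the first owner that matches; the loop must end once the owners are
                // exhausted so that a non-matching request falls through to "rule does not apply".
                for (IIdType owner : this.myClassifierCompartmentOwners) {
                    if (appliesToResource != null && terser.isSourceInCompartmentForTarget(this.myClassifierCompartmentName, appliesToResource, owner)) {
                        inCompartment = true;
                        break;
                    }
                    // An id-only request matches when the id is itself one of the compartment owners.
                    if (appliesToId != null && appliesToId.hasResourceType() && appliesToId.hasIdPart()
                            && appliesToId.toUnqualifiedVersionless().getValue().equals(owner.toUnqualifiedVersionless().getValue())) {
                        inCompartment = true;
                        break;
                    }
                }
                if (!inCompartment) {
                    return null;
                }
                break;
            default:
                // Report the classifier, which is the value this switch could not handle.
                throw new IllegalStateException("Unable to apply security to event of classifier type " + this.myClassifierType);
        }
        return newVerdict();
    }

    /**
     * Applies the rule list to every non-GET entry of a request bundle, mapping POST to CREATE and
     * PUT to UPDATE. GET entries are skipped here and get no verdict from this method.
     */
    private AuthorizationInterceptor.Verdict applyRulesToRequestEntries(FhirContext fhirContext, RequestDetails requestDetails, IBaseBundle bundle, IRuleApplier iRuleApplier) {
        AuthorizationInterceptor.Verdict combined = null;
        for (BundleUtil.BundleEntryParts entry : BundleUtil.toListOfEntries(fhirContext, bundle)) {
            IBaseResource entryResource = entry.getResource();
            RequestTypeEnum requestType = entry.getRequestType();
            if (requestType == RequestTypeEnum.GET) {
                continue;
            }
            RestOperationTypeEnum entryOperation;
            if (requestType == RequestTypeEnum.POST) {
                entryOperation = RestOperationTypeEnum.CREATE;
            } else if (requestType == RequestTypeEnum.PUT) {
                entryOperation = RestOperationTypeEnum.UPDATE;
            } else {
                // Any other verb (including a missing one) is rejected rather than passed through.
                throw new InvalidRequestException("Can not handle transaction with operation of type " + requestType);
            }
            // Nested containers are rejected so that their contents cannot bypass per-entry checks.
            RuntimeResourceDefinition definition = fhirContext.getResourceDefinition(entryResource);
            if ("Parameters".equals(definition.getName()) || "Bundle".equals(definition.getName())) {
                throw new InvalidRequestException("Can not handle transaction with nested resource of type " + definition.getName());
            }
            combined = mostRestrictive(combined, iRuleApplier.applyRulesAndReturnDecision(entryOperation, requestDetails, entryResource, null, null));
        }
        return combined;
    }

    /** Applies the rule list as a READ to every bundle entry that carries a resource. */
    private AuthorizationInterceptor.Verdict applyReadRulesToEntries(FhirContext fhirContext, RequestDetails requestDetails, IBaseBundle bundle, IRuleApplier iRuleApplier) {
        AuthorizationInterceptor.Verdict combined = null;
        for (BundleUtil.BundleEntryParts entry : BundleUtil.toListOfEntries(fhirContext, bundle)) {
            if (entry.getResource() == null) {
                continue;
            }
            combined = mostRestrictive(combined, iRuleApplier.applyRulesAndReturnDecision(RestOperationTypeEnum.READ, requestDetails, null, null, entry.getResource()));
        }
        return combined;
    }

    /**
     * Folds a per-entry verdict into the running result: the first verdict is kept and is only
     * replaced when it is ALLOW and the candidate is DENY. A {@code null} candidate leaves the
     * result unchanged, so entries without a verdict do not influence the outcome.
     */
    private static AuthorizationInterceptor.Verdict mostRestrictive(AuthorizationInterceptor.Verdict current, AuthorizationInterceptor.Verdict candidate) {
        if (candidate == null) {
            return current;
        }
        if (current == null) {
            return candidate;
        }
        if (current.getDecision() == PolicyEnum.ALLOW && candidate.getDecision() == PolicyEnum.DENY) {
            return candidate;
        }
        return current;
    }

    /**
     * Tells whether the resource is a Bundle whose type matches the rule op: "batch" for BATCH,
     * "transaction" for TRANSACTION. Any other op yields {@code false}.
     */
    private boolean requestAppliesToTransaction(FhirContext fhirContext, RuleOpEnum ruleOpEnum, IBaseResource iBaseResource) {
        if (!"Bundle".equals(fhirContext.getResourceDefinition(iBaseResource).getName())) {
            return false;
        }
        String bundleType = BundleUtil.getBundleType(fhirContext, (IBaseBundle) iBaseResource);
        switch (ruleOpEnum) {
            case BATCH:
                return "batch".equals(bundleType);
            case TRANSACTION:
                return "transaction".equals(bundleType);
            default:
                return false;
        }
    }

    /** Returns the stored transaction applies-to value. */
    public TransactionAppliesToEnum getTransactionAppliesToOp() {
        return this.myTransactionAppliesToOp;
    }

    /** Sets whether the rule covers all resources or only the configured types. */
    public void setAppliesTo(AppliesTypeEnum appliesTypeEnum) {
        this.myAppliesTo = appliesTypeEnum;
    }

    /** Sets the resource classes matched when the applies-to mode is TYPES. The set is stored as given, not copied. */
    public void setAppliesToTypes(Set<?> set) {
        this.myAppliesToTypes = set;
    }

    /** Sets the compartment name used by the IN_COMPARTMENT classifier. */
    public void setClassifierCompartmentName(String str) {
        this.myClassifierCompartmentName = str;
    }

    /** Sets the compartment owner ids used by the IN_COMPARTMENT classifier. The collection is stored as given, not copied. */
    public void setClassifierCompartmentOwners(Collection<? extends IIdType> collection) {
        this.myClassifierCompartmentOwners = collection;
    }

    /** Sets the classifier applied after the type check. */
    public void setClassifierType(ClassifierTypeEnum classifierTypeEnum) {
        this.myClassifierType = classifierTypeEnum;
    }

    /** Sets the operation this rule matches and returns this rule for chaining. */
    public RuleImplOp setOp(RuleOpEnum ruleOpEnum) {
        this.myOp = ruleOpEnum;
        return this;
    }

    /** Stores the transaction applies-to value. */
    public void setTransactionAppliesToOp(TransactionAppliesToEnum transactionAppliesToEnum) {
        this.myTransactionAppliesToOp = transactionAppliesToEnum;
    }
}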
