package ca.uhn.fhir.rest.server.interceptor.auth;

import ca.uhn.fhir.context.FhirContext;
import ca.uhn.fhir.context.RuntimeResourceDefinition;
import ca.uhn.fhir.context.RuntimeSearchParam;
import ca.uhn.fhir.context.support.IValidationSupport;
import ca.uhn.fhir.context.support.ValidationSupportContext;
import ca.uhn.fhir.context.support.ValueSetExpansionOptions;
import ca.uhn.fhir.i18n.Msg;
import ca.uhn.fhir.interceptor.api.Hook;
import ca.uhn.fhir.interceptor.api.Pointcut;
import ca.uhn.fhir.rest.api.QualifiedParamList;
import ca.uhn.fhir.rest.api.RestOperationTypeEnum;
import ca.uhn.fhir.rest.api.server.RequestDetails;
import ca.uhn.fhir.rest.param.ParameterUtil;
import ca.uhn.fhir.rest.server.exceptions.AuthenticationException;
import ca.uhn.fhir.rest.server.exceptions.ForbiddenOperationException;
import ca.uhn.fhir.rest.server.servlet.ServletRequestDetails;
import ca.uhn.fhir.rest.server.servlet.ServletSubRequestDetails;
import ca.uhn.fhir.rest.server.util.ServletRequestUtil;
import ca.uhn.fhir.util.BundleUtil;
import ca.uhn.fhir.util.UrlUtil;
import ca.uhn.fhir.util.ValidateUtil;
import ca.uhn.fhir.util.bundle.ModifiableBundleEntry;
import com.google.common.collect.ArrayListMultimap;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.function.Consumer;
import java.util.stream.Collectors;
import javax.annotation.Nullable;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.collections4.ListUtils;
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.lang3.Validate;
import org.hl7.fhir.instance.model.api.IBaseBundle;

/* loaded from: input_file:ca/uhn/fhir/rest/server/interceptor/auth/SearchNarrowingInterceptor.class */
public class SearchNarrowingInterceptor {
    public static final String POST_FILTERING_LIST_ATTRIBUTE_NAME = SearchNarrowingInterceptor.class.getName() + "_POST_FILTERING_LIST";
    private IValidationSupport myValidationSupport;
    private int myPostFilterLargeValueSetThreshold = 500;

    /* loaded from: input_file:ca/uhn/fhir/rest/server/interceptor/auth/SearchNarrowingInterceptor$BundleEntryUrlProcessor.class */
    private class BundleEntryUrlProcessor implements Consumer<ModifiableBundleEntry> {
        private final FhirContext myFhirContext;
        private final ServletRequestDetails myRequestDetails;
        private final HttpServletRequest myRequest;
        private final HttpServletResponse myResponse;

        public BundleEntryUrlProcessor(FhirContext fhirContext, ServletRequestDetails servletRequestDetails, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
            this.myFhirContext = fhirContext;
            this.myRequestDetails = servletRequestDetails;
            this.myRequest = httpServletRequest;
            this.myResponse = httpServletResponse;
        }

        @Override // java.util.function.Consumer
        public void accept(ModifiableBundleEntry modifiableBundleEntry) {
            ArrayListMultimap create = ArrayListMultimap.create();
            String requestUrl = modifiableBundleEntry.getRequestUrl();
            ServletSubRequestDetails servletSubRequestDetails = ServletRequestUtil.getServletSubRequestDetails(this.myRequestDetails, requestUrl, create);
            servletSubRequestDetails.setRestOperationType(servletSubRequestDetails.getServer().determineResourceMethod(servletSubRequestDetails, requestUrl).getRestOperationType());
            SearchNarrowingInterceptor.this.hookIncomingRequestPostProcessed(servletSubRequestDetails, this.myRequest, this.myResponse);
            modifiableBundleEntry.setRequestUrl(this.myFhirContext, ServletRequestUtil.extractUrl(servletSubRequestDetails));
        }
    }

    public void setPostFilterLargeValueSetThreshold(int i) {
        Validate.isTrue(i > 0, "thePostFilterLargeValueSetThreshold must be a positive integer", new Object[0]);
        this.myPostFilterLargeValueSetThreshold = i;
    }

    public SearchNarrowingInterceptor setValidationSupport(IValidationSupport iValidationSupport) {
        this.myValidationSupport = iValidationSupport;
        return this;
    }

    protected AuthorizedList buildAuthorizedList(RequestDetails requestDetails) {
        return null;
    }

    @Hook(Pointcut.SERVER_INCOMING_REQUEST_POST_PROCESSED)
    public boolean hookIncomingRequestPostProcessed(RequestDetails requestDetails, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws AuthenticationException {
        Validate.isTrue(requestDetails.getRestOperationType() != RestOperationTypeEnum.SEARCH_SYSTEM);
        AuthorizedList buildAuthorizedList = buildAuthorizedList(requestDetails);
        if (buildAuthorizedList == null) {
            return true;
        }
        List<AllowedCodeInValueSet> postFilteringList = getPostFilteringList(requestDetails);
        if (buildAuthorizedList.getAllowedCodeInValueSets() != null) {
            postFilteringList.addAll(buildAuthorizedList.getAllowedCodeInValueSets());
        }
        if (requestDetails.getRestOperationType() != RestOperationTypeEnum.SEARCH_TYPE) {
            return true;
        }
        RuntimeResourceDefinition resourceDefinition = requestDetails.getServer().getFhirContext().getResourceDefinition(requestDetails.getResourceName());
        List<String> allowedCompartments = buildAuthorizedList.getAllowedCompartments();
        if (allowedCompartments != null) {
            applyParametersToRequestDetails(requestDetails, processResourcesOrCompartments(requestDetails, resourceDefinition, allowedCompartments, true), true);
        }
        List<String> allowedInstances = buildAuthorizedList.getAllowedInstances();
        if (allowedInstances != null) {
            applyParametersToRequestDetails(requestDetails, processResourcesOrCompartments(requestDetails, resourceDefinition, allowedInstances, false), true);
        }
        List<AllowedCodeInValueSet> allowedCodeInValueSets = buildAuthorizedList.getAllowedCodeInValueSets();
        if (allowedCodeInValueSets == null) {
            return true;
        }
        applyParametersToRequestDetails(requestDetails, processAllowedCodes(resourceDefinition, allowedCodeInValueSets), false);
        return true;
    }

    @Hook(Pointcut.SERVER_INCOMING_REQUEST_PRE_HANDLED)
    public void hookIncomingRequestPreHandled(ServletRequestDetails servletRequestDetails, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws AuthenticationException {
        if (servletRequestDetails.getRestOperationType() != RestOperationTypeEnum.TRANSACTION) {
            return;
        }
        IBaseBundle resource = servletRequestDetails.getResource();
        FhirContext fhirContext = servletRequestDetails.getFhirContext();
        BundleUtil.processEntries(fhirContext, resource, new BundleEntryUrlProcessor(fhirContext, servletRequestDetails, httpServletRequest, httpServletResponse));
    }

    private void applyParametersToRequestDetails(RequestDetails requestDetails, @Nullable Map<String, List<String>> map, boolean z) {
        if (map != null) {
            HashMap hashMap = new HashMap(requestDetails.getParameters());
            for (Map.Entry<String, List<String>> entry : map.entrySet()) {
                String key = entry.getKey();
                List<String> value = entry.getValue();
                if (hashMap.containsKey(key)) {
                    String[] strArr = hashMap.get(key);
                    if (z) {
                        List list = (List) value.stream().map(str -> {
                            return str.lastIndexOf("/") > -1 ? str.substring(str.lastIndexOf("/") + 1) : str;
                        }).collect(Collectors.toList());
                        boolean z2 = false;
                        for (int i = 0; i < strArr.length; i++) {
                            QualifiedParamList splitQueryStringByCommasIgnoreEscape = QualifiedParamList.splitQueryStringByCommasIgnoreEscape((String) null, strArr[i]);
                            List union = ListUtils.union(ListUtils.intersection(splitQueryStringByCommasIgnoreEscape, value), ListUtils.intersection(splitQueryStringByCommasIgnoreEscape, list));
                            if (union.size() > 0) {
                                z2 = true;
                                strArr[i] = ParameterUtil.escapeAndJoinOrList(union);
                            }
                        }
                        if (!z2) {
                            throw new ForbiddenOperationException(Msg.code(2026) + "Value not permitted for parameter " + UrlUtil.escapeUrlParam(key));
                        }
                    } else {
                        int length = strArr.length;
                        String[] strArr2 = (String[]) Arrays.copyOf(strArr, length + value.size());
                        for (int i2 = 0; i2 < value.size(); i2++) {
                            strArr2[length + i2] = value.get(i2);
                        }
                        hashMap.put(key, strArr2);
                    }
                } else {
                    hashMap.put(key, new String[]{ParameterUtil.escapeAndJoinOrList(value)});
                }
            }
            requestDetails.setParameters(hashMap);
        }
    }

    @Nullable
    private Map<String, List<String>> processResourcesOrCompartments(RequestDetails requestDetails, RuntimeResourceDefinition runtimeResourceDefinition, Collection<String> collection, boolean z) {
        HashMap hashMap = null;
        String str = null;
        String str2 = null;
        for (String str3 : collection) {
            Validate.isTrue(StringUtils.countMatches(str3, '/') == 1, "Invalid compartment name (must be in form \"ResourceType/xxx\": %s", new Object[]{str3});
            String substring = str3.substring(0, str3.indexOf(47));
            String str4 = null;
            if (substring.equalsIgnoreCase(str)) {
                str4 = str2;
            } else {
                if (substring.equalsIgnoreCase(requestDetails.getResourceName())) {
                    str4 = "_id";
                } else if (z) {
                    str4 = selectBestSearchParameterForCompartment(requestDetails, runtimeResourceDefinition, substring);
                }
                str = substring;
                str2 = str4;
            }
            if (str4 != null) {
                if (hashMap == null) {
                    hashMap = new HashMap();
                }
                hashMap.computeIfAbsent(str4, str5 -> {
                    return new ArrayList();
                }).add(str3);
            }
        }
        return hashMap;
    }

    @Nullable
    private Map<String, List<String>> processAllowedCodes(RuntimeResourceDefinition runtimeResourceDefinition, List<AllowedCodeInValueSet> list) {
        HashMap hashMap = null;
        for (AllowedCodeInValueSet allowedCodeInValueSet : list) {
            String resourceName = allowedCodeInValueSet.getResourceName();
            String valueSetUrl = allowedCodeInValueSet.getValueSetUrl();
            ValidateUtil.isNotBlankOrThrowIllegalArgument(resourceName, "Resource name supplied by SearchNarrowingInterceptor must not be null");
            ValidateUtil.isNotBlankOrThrowIllegalArgument(valueSetUrl, "ValueSet URL supplied by SearchNarrowingInterceptor must not be null");
            if (resourceName.equals(runtimeResourceDefinition.getName()) && !shouldHandleThroughConsentService(valueSetUrl)) {
                String str = allowedCodeInValueSet.isNegate() ? allowedCodeInValueSet.getSearchParameterName() + ":not-in" : allowedCodeInValueSet.getSearchParameterName() + ":in";
                if (hashMap == null) {
                    hashMap = new HashMap();
                }
                hashMap.computeIfAbsent(str, str2 -> {
                    return new ArrayList();
                }).add(valueSetUrl);
            }
        }
        return hashMap;
    }

    private boolean shouldHandleThroughConsentService(String str) {
        if (this.myValidationSupport == null || this.myPostFilterLargeValueSetThreshold == -1) {
            return false;
        }
        ValidationSupportContext validationSupportContext = new ValidationSupportContext(this.myValidationSupport);
        ValueSetExpansionOptions valueSetExpansionOptions = new ValueSetExpansionOptions();
        valueSetExpansionOptions.setCount(this.myPostFilterLargeValueSetThreshold);
        valueSetExpansionOptions.setIncludeHierarchy(false);
        IValidationSupport.ValueSetExpansionOutcome expandValueSet = this.myValidationSupport.expandValueSet(validationSupportContext, valueSetExpansionOptions, str);
        return (expandValueSet == null || expandValueSet.getValueSet() == null || this.myValidationSupport.getFhirContext().newTerser().getValues(expandValueSet.getValueSet(), "ValueSet.expansion.contains").size() < this.myPostFilterLargeValueSetThreshold) ? false : true;
    }

    private String selectBestSearchParameterForCompartment(RequestDetails requestDetails, RuntimeResourceDefinition runtimeResourceDefinition, String str) {
        String str2 = null;
        Set<String> keySet = requestDetails.getParameters().keySet();
        List<RuntimeSearchParam> searchParamsForCompartmentName = runtimeResourceDefinition.getSearchParamsForCompartmentName(str);
        if (searchParamsForCompartmentName.size() > 0) {
            Optional<RuntimeSearchParam> findFirst = searchParamsForCompartmentName.stream().filter(runtimeSearchParam -> {
                return runtimeSearchParam.getName().equalsIgnoreCase(str);
            }).findFirst();
            if (findFirst.isPresent()) {
                String name = findFirst.get().getName();
                if (keySet.contains(name)) {
                    str2 = name;
                } else {
                    Optional<RuntimeSearchParam> findFirst2 = findSynonyms(searchParamsForCompartmentName, findFirst.get()).stream().filter(runtimeSearchParam2 -> {
                        return keySet.contains(runtimeSearchParam2.getName());
                    }).findFirst();
                    str2 = findFirst2.isPresent() ? findFirst2.get().getName() : name;
                }
            } else {
                str2 = searchParamsForCompartmentName.get(0).getName();
            }
        }
        return str2;
    }

    private List<RuntimeSearchParam> findSynonyms(List<RuntimeSearchParam> list, RuntimeSearchParam runtimeSearchParam) {
        String basePath = getBasePath(runtimeSearchParam);
        return (List) list.stream().filter(runtimeSearchParam2 -> {
            return basePath.equals(getBasePath(runtimeSearchParam2));
        }).collect(Collectors.toList());
    }

    private String getBasePath(RuntimeSearchParam runtimeSearchParam) {
        int indexOf = runtimeSearchParam.getPath().indexOf(".where");
        return indexOf == -1 ? runtimeSearchParam.getPath() : runtimeSearchParam.getPath().substring(0, indexOf);
    }

    static List<AllowedCodeInValueSet> getPostFilteringList(RequestDetails requestDetails) {
        List<AllowedCodeInValueSet> postFilteringListOrNull = getPostFilteringListOrNull(requestDetails);
        if (postFilteringListOrNull == null) {
            postFilteringListOrNull = new ArrayList();
            requestDetails.setAttribute(POST_FILTERING_LIST_ATTRIBUTE_NAME, postFilteringListOrNull);
        }
        return postFilteringListOrNull;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public static List<AllowedCodeInValueSet> getPostFilteringListOrNull(RequestDetails requestDetails) {
        return (List) requestDetails.getAttribute(POST_FILTERING_LIST_ATTRIBUTE_NAME);
    }
}
