package ca.uhn.fhir.rest.server.interceptor.auth;

import ca.uhn.fhir.context.FhirContext;
import ca.uhn.fhir.context.RuntimeResourceDefinition;
import ca.uhn.fhir.context.RuntimeSearchParam;
import ca.uhn.fhir.context.support.ConceptValidationOptions;
import ca.uhn.fhir.context.support.IValidationSupport;
import ca.uhn.fhir.context.support.ValidationSupportContext;
import ca.uhn.fhir.i18n.Msg;
import ca.uhn.fhir.rest.api.RestOperationTypeEnum;
import ca.uhn.fhir.rest.api.server.RequestDetails;
import ca.uhn.fhir.rest.server.exceptions.InternalErrorException;
import ca.uhn.fhir.rest.server.interceptor.auth.AuthorizationInterceptor;
import ca.uhn.fhir.rest.server.util.ISearchParamRegistry;
import ca.uhn.fhir.util.FhirTerser;
import jakarta.annotation.Nonnull;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.lang3.Validate;
import org.hl7.fhir.instance.model.api.IBase;
import org.hl7.fhir.instance.model.api.IBaseResource;
import org.hl7.fhir.instance.model.api.ICompositeType;
import org.hl7.fhir.instance.model.api.IIdType;
import org.slf4j.Logger;

/* loaded from: input_file:ca/uhn/fhir/rest/server/interceptor/auth/SearchParameterAndValueSetRuleImpl.class */
/**
 * Authorization rule that decides whether it applies to a resource by checking the codes found
 * under a named search parameter against a ValueSet.
 *
 * <p>The rule runs in one of two modes, selected by {@link #setWantCode(boolean)}: "in" (the rule
 * applies when at least one code is a member of the ValueSet) and "not-in" (the rule applies
 * depending on how many codes fall outside the ValueSet and on the rule's policy mode).
 *
 * <p>Security-relevant behaviour visible in this file:
 * <ul>
 *   <li>If the terminology service cannot validate any coding that was examined, the verdict is
 *       {@code DENY} regardless of the rule's configured mode (fail closed).</li>
 *   <li>Codings with a blank {@code system} or {@code code} are skipped and are not counted.</li>
 *   <li>When no resource is available yet, READ and SEARCH_TYPE receive an {@code ALLOW} verdict
 *       from this rule.</li>
 * </ul>
 *
 * <p>This listing is decompiler output: parameter names are synthetic and some access modifiers
 * were widened by the decompiler (see the JADX notes on individual members).
 */
class SearchParameterAndValueSetRuleImpl extends RuleImplOp {
    // Name of the search parameter whose paths are evaluated on the resource.
    private String mySearchParameterName;
    // URL of the ValueSet that extracted codes are validated against.
    private String myValueSetUrl;
    // true selects "in" matching, false selects "not-in" matching.
    private boolean myWantCode;

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:ca/uhn/fhir/rest/server/interceptor/auth/SearchParameterAndValueSetRuleImpl$CodeMatchCount.class */
    /**
     * Mutable tally produced while validating the codings of one resource.
     *
     * <p>"Overall" counts every coding that received a definite answer from the terminology
     * service (matching or not). Codings that could not be validated only set a flag; they are
     * not added to either counter.
     */
    public static class CodeMatchCount {
        private int myMatchingCodeCount;
        private int myOverallCodeCount;
        private boolean myAtLeastOneUnableToValidate;

        CodeMatchCount() {
        }

        /** @return {@code true} once {@link #addUnableToValidate()} has been called at least once */
        public boolean isAtLeastOneUnableToValidate() {
            return myAtLeastOneUnableToValidate;
        }

        /** Records that a coding could not be validated; neither counter changes. */
        public void addUnableToValidate() {
            myAtLeastOneUnableToValidate = true;
        }

        /** Records a validated coding that is not in the ValueSet. */
        public void addNonMatchingCode() {
            myOverallCodeCount += 1;
        }

        /** Records a validated coding that is in the ValueSet. */
        public void addMatchingCode() {
            myMatchingCodeCount += 1;
            myOverallCodeCount += 1;
        }

        /** @return number of codings recorded through {@link #addMatchingCode()} */
        public int getMatchingCodeCount() {
            return myMatchingCodeCount;
        }

        /** @return number of codings recorded as matching or non-matching */
        public int getOverallCodeCount() {
            return myOverallCodeCount;
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Creates the rule.
     *
     * @param str passed unchanged to the {@code RuleImplOp} constructor (presumably the rule
     *     name; confirm against the superclass)
     */
    public SearchParameterAndValueSetRuleImpl(String str) {
        super(str);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Selects the matching mode.
     *
     * @param z {@code true} for "in" matching, {@code false} for "not-in" matching
     */
    public void setWantCode(boolean z) {
        myWantCode = z;
    }

    /** @param str name of the search parameter to evaluate on each resource */
    public void setSearchParameterName(String str) {
        mySearchParameterName = str;
    }

    /** @param str URL of the ValueSet to validate codes against */
    public void setValueSetUrl(String str) {
        myValueSetUrl = str;
    }

    /**
     * Entry point called by the rule framework.
     *
     * <p>At most one of {@code iBaseResource} and {@code iBaseResource2} may be non-null
     * (presumably the request resource and the response resource, following the upstream HAPI
     * FHIR signature; confirm against {@code RuleImplOp}). Whichever is present is evaluated
     * against the ValueSet. {@code set} and {@code ruleTarget} are not read here.
     *
     * @return the verdict from the resource evaluation; an {@code ALLOW} verdict when no resource
     *     is present and the operation is READ or SEARCH_TYPE; otherwise {@code null}
     */
    @Override // ca.uhn.fhir.rest.server.interceptor.auth.RuleImplOp
    protected AuthorizationInterceptor.Verdict applyRuleLogic(RestOperationTypeEnum restOperationTypeEnum, RequestDetails requestDetails, IBaseResource iBaseResource, IIdType iIdType, IBaseResource iBaseResource2, Set<AuthorizationFlagsEnum> set, FhirContext fhirContext, RuleTarget ruleTarget, IRuleApplier iRuleApplier) {
        Validate.isTrue(iBaseResource == null || iBaseResource2 == null);

        IBaseResource resourceToCheck = iBaseResource != null ? iBaseResource : iBaseResource2;
        if (resourceToCheck != null) {
            return applyRuleLogic(fhirContext, requestDetails, resourceToCheck, restOperationTypeEnum, iBaseResource, iIdType, iBaseResource2, iRuleApplier);
        }

        // No resource to inspect: READ and SEARCH_TYPE are allowed here whatever getMode() says.
        // NOTE(review): this is only safe if the resources returned by the operation are passed
        // back through this rule before they reach the client; confirm in the interceptor.
        boolean readOrSearch = restOperationTypeEnum == RestOperationTypeEnum.READ
                || restOperationTypeEnum == RestOperationTypeEnum.SEARCH_TYPE;
        return readOrSearch ? new AuthorizationInterceptor.Verdict(PolicyEnum.ALLOW, this) : null;
    }

    /**
     * Evaluates one resource against the ValueSet and turns the tally into a verdict.
     *
     * <p>Decision order:
     * <ol>
     *   <li>Any coding that could not be validated gives {@code DENY} (fail closed).</li>
     *   <li>"in" mode: the rule applies only if at least one code matched.</li>
     *   <li>"not-in" mode with mode ALLOW: the rule applies only if no code matched.</li>
     *   <li>"not-in" mode with mode DENY: the rule applies only if at least one validated code
     *       is outside the ValueSet.</li>
     * </ol>
     * When the rule applies, the verdict comes from {@code newVerdict}, which is defined outside
     * this file. {@code inputResource}, {@code inputResourceId} and {@code outputResource} are
     * only forwarded to it; their names follow the assumed upstream convention.
     *
     * @return a verdict, or {@code null} when this rule does not apply to the resource
     */
    private AuthorizationInterceptor.Verdict applyRuleLogic(FhirContext fhirContext, RequestDetails requestDetails, IBaseResource resourceToCheck, RestOperationTypeEnum operation, IBaseResource inputResource, IIdType inputResourceId, IBaseResource outputResource, IRuleApplier ruleApplier) {
        // Prefer the rule applier's validation support; fall back to the context's.
        IValidationSupport validationSupport = ruleApplier.getValidationSupport();
        if (validationSupport == null) {
            validationSupport = fhirContext.getValidationSupport();
        }
        Logger log = ruleApplier.getTroubleshootingLog();

        // The search-param registry argument is passed as null; the callee does not read it.
        CodeMatchCount tally = countMatchingCodesInValueSetForSearchParameter(resourceToCheck, validationSupport, null, myWantCode, mySearchParameterName, myValueSetUrl, log, "Authorization Rule");

        // Fail closed: an unanswered terminology lookup must never end in access being granted.
        if (tally.isAtLeastOneUnableToValidate()) {
            log.warn("ValueSet {} could not be validated by terminology service - Assuming DENY", myValueSetUrl);
            return new AuthorizationInterceptor.Verdict(PolicyEnum.DENY, this);
        }

        int matching = tally.getMatchingCodeCount();
        if (myWantCode) {
            return matching > 0
                    ? newVerdict(operation, requestDetails, inputResource, inputResourceId, outputResource, ruleApplier)
                    : null;
        }

        // "not-in" mode. A resource with no validated codings has matching == 0 and overall == 0,
        // so an ALLOW rule applies to it and a DENY rule does not. Rule authors should confirm
        // that this is the intended treatment of uncoded resources.
        boolean noneInValueSet = getMode() == PolicyEnum.ALLOW && matching == 0;
        boolean someOutsideValueSet = getMode() == PolicyEnum.DENY && matching < tally.getOverallCodeCount();
        if (noneInValueSet || someOutsideValueSet) {
            AuthorizationInterceptor.Verdict verdict = newVerdict(operation, requestDetails, inputResource, inputResourceId, outputResource, ruleApplier);
            if (noneInValueSet) {
                log.debug("Code was not found in VS - Verdict: {}", verdict);
            } else {
                log.debug("Code(s) found that are not in VS - Verdict: {}", verdict);
            }
            return verdict;
        }
        return null;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Validates every coding reachable through a search parameter's paths against a ValueSet and
     * returns the resulting tally.
     *
     * <p>For each path of the search parameter, the path is evaluated on the resource, the
     * {@code coding} children of each result are read, and each coding with a non-blank
     * {@code system} and {@code code} is sent to {@code iValidationSupport.validateCode}. Codings
     * with a blank system or code are skipped without being counted.
     *
     * <p>When {@code z} is {@code true} the method returns as soon as the first matching code is
     * found, so later codings are not examined and the returned counts are partial. Any
     * unable-to-validate flag set before that point is still present in the result.
     *
     * @param iBaseResource resource to inspect
     * @param iValidationSupport terminology service used for validation; also supplies the FhirContext
     * @param iSearchParamRegistry not read by this method
     * @param z {@code true} for "in" matching (stop at first match), {@code false} for "not-in"
     * @param str search parameter name
     * @param str2 ValueSet URL
     * @param logger destination for troubleshooting output
     * @param str3 label used in the first debug message to identify the caller
     * @return the tally; never {@code null}
     * @throws InternalErrorException if the resource type has no search parameter named {@code str}
     */
    @Nonnull
    public static CodeMatchCount countMatchingCodesInValueSetForSearchParameter(IBaseResource iBaseResource, IValidationSupport iValidationSupport, ISearchParamRegistry iSearchParamRegistry, boolean z, String str, String str2, Logger logger, String str3) {
        // Readable aliases for the decompiler-generated parameter names.
        final boolean wantCode = z;
        final String searchParameterName = str;
        final String valueSetUrl = str2;

        logger.debug("Applying {} {}:{} for valueSet: {}", str3, searchParameterName, wantCode ? "in" : "not-in", valueSetUrl);

        FhirContext fhirContext = iValidationSupport.getFhirContext();
        FhirTerser terser = fhirContext.newTerser();
        ConceptValidationOptions validationOptions = new ConceptValidationOptions();
        ValidationSupportContext supportContext = new ValidationSupportContext(iValidationSupport);
        RuntimeResourceDefinition resourceDefinition = fhirContext.getResourceDefinition(iBaseResource);

        // A rule naming a search parameter the resource type lacks is a configuration error:
        // raise it instead of silently treating the rule as not applicable.
        RuntimeSearchParam searchParam = resourceDefinition.getSearchParam(searchParameterName);
        if (searchParam == null) {
            throw new InternalErrorException(Msg.code(2025) + "Unknown SearchParameter for resource " + resourceDefinition.getName() + ": " + str);
        }

        List<String> paths = searchParam.getPathsSplitForResourceType(resourceDefinition.getName());
        CodeMatchCount tally = new CodeMatchCount();
        for (String path : paths) {
            List<ICompositeType> concepts = fhirContext.newFhirPath().evaluate(iBaseResource, path, ICompositeType.class);
            for (ICompositeType concept : concepts) {
                for (IBase coding : terser.getValues(concept, "coding")) {
                    String system = terser.getSinglePrimitiveValueOrNull(coding, "system");
                    String code = terser.getSinglePrimitiveValueOrNull(coding, "code");
                    if (StringUtils.isBlank(system) || StringUtils.isBlank(code)) {
                        // Incomplete coding: not validated and not counted.
                        continue;
                    }

                    // system and code are taken from the resource being evaluated and are
                    // written to the troubleshooting log below as-is.
                    IValidationSupport.CodeValidationResult result = iValidationSupport.validateCode(supportContext, validationOptions, system, code, (String) null, valueSetUrl);
                    if (result == null) {
                        // No terminology service answered; the caller treats this as DENY.
                        logger.debug("Terminology service was unable to validate code {}#{} in ValueSet[{}] - No service was able to handle this request", system, code, valueSetUrl);
                        tally.addUnableToValidate();
                        continue;
                    }
                    if (!result.isOk()) {
                        tally.addNonMatchingCode();
                        logger.debug("Code {}#{} was not found in ValueSet[{}]: {}", system, code, valueSetUrl, result.getMessage());
                        continue;
                    }

                    tally.addMatchingCode();
                    logger.debug("Code {}#{} was found in ValueSet[{}] - {}", system, code, valueSetUrl, result.getMessage());
                    if (wantCode) {
                        // "in" mode needs only one match; remaining codings are not examined.
                        return tally;
                    }
                }
            }
        }
        return tally;
    }
}
