package ca.uhn.fhir.rest.server.interceptor;

import ca.uhn.fhir.model.api.Bundle;
import ca.uhn.fhir.model.api.BundleEntry;
import ca.uhn.fhir.model.api.IResource;
import ca.uhn.fhir.model.dstu.composite.CodingDt;
import ca.uhn.fhir.model.dstu.composite.IdentifierDt;
import ca.uhn.fhir.model.dstu.composite.ResourceReferenceDt;
import ca.uhn.fhir.model.dstu.resource.SecurityEvent;
import ca.uhn.fhir.model.dstu.valueset.RestfulOperationTypeEnum;
import ca.uhn.fhir.model.dstu.valueset.SecurityEventActionEnum;
import ca.uhn.fhir.model.dstu.valueset.SecurityEventObjectLifecycleEnum;
import ca.uhn.fhir.model.dstu.valueset.SecurityEventOutcomeEnum;
import ca.uhn.fhir.model.dstu.valueset.SecurityEventParticipantNetworkTypeEnum;
import ca.uhn.fhir.model.dstu.valueset.SecurityEventSourceTypeEnum;
import ca.uhn.fhir.model.primitive.StringDt;
import ca.uhn.fhir.rest.client.interceptor.UserInfoInterceptor;
import ca.uhn.fhir.rest.method.RequestDetails;
import ca.uhn.fhir.rest.server.audit.IResourceAuditor;
import ca.uhn.fhir.rest.server.exceptions.AuthenticationException;
import ca.uhn.fhir.rest.server.exceptions.InternalErrorException;
import ca.uhn.fhir.rest.server.exceptions.InvalidRequestException;
import ca.uhn.fhir.store.IAuditDataStore;
import java.io.UnsupportedEncodingException;
import java.util.ArrayList;
import java.util.Date;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang3.NotImplementedException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/hapi-fhir-structures-dstu-0.8.jar:ca/uhn/fhir/rest/server/interceptor/AuditingInterceptor.class */
public class AuditingInterceptor extends InterceptorAdapter {
    private static final Logger log = LoggerFactory.getLogger(AuditingInterceptor.class);
    private IAuditDataStore myDataStore;
    private Map<String, Class<? extends IResourceAuditor<? extends IResource>>> myAuditableResources;
    private boolean myClientParamsOptional;
    protected String mySiteId;

    public AuditingInterceptor() {
        this.myDataStore = null;
        this.myAuditableResources = new HashMap();
        this.myClientParamsOptional = false;
        this.mySiteId = "NONE";
        this.myClientParamsOptional = false;
    }

    public AuditingInterceptor(String str) {
        this.myDataStore = null;
        this.myAuditableResources = new HashMap();
        this.myClientParamsOptional = false;
        this.mySiteId = str;
        this.myClientParamsOptional = false;
    }

    public AuditingInterceptor(String str, boolean z) {
        this.myDataStore = null;
        this.myAuditableResources = new HashMap();
        this.myClientParamsOptional = false;
        this.mySiteId = str;
        this.myClientParamsOptional = z;
    }

    @Override // ca.uhn.fhir.rest.server.interceptor.InterceptorAdapter, ca.uhn.fhir.rest.server.interceptor.IServerInterceptor
    public boolean outgoingResponse(RequestDetails requestDetails, Bundle bundle, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws AuthenticationException {
        if (this.myClientParamsOptional && this.myDataStore == null) {
            log.debug("No auditing configured.");
            return true;
        }
        try {
            log.info("Auditing bundle: " + bundle + " from request " + requestDetails);
            SecurityEvent securityEvent = new SecurityEvent();
            securityEvent.setEvent(getEventInfo(requestDetails));
            SecurityEvent.Participant participant = getParticipant(httpServletRequest);
            if (participant == null) {
                log.debug("No participant to audit");
                return true;
            }
            ArrayList arrayList = new ArrayList(1);
            arrayList.add(participant);
            securityEvent.setParticipant(arrayList);
            SecurityEventObjectLifecycleEnum mapResourceTypeToSecurityLifecycle = mapResourceTypeToSecurityLifecycle(requestDetails.getResourceOperationType());
            byte[] queryFromRequestDetails = getQueryFromRequestDetails(requestDetails);
            ArrayList arrayList2 = new ArrayList();
            Iterator<BundleEntry> it = bundle.getEntries().iterator();
            while (it.hasNext()) {
                SecurityEvent.ObjectElement objectElement = getObjectElement(it.next().getResource(), mapResourceTypeToSecurityLifecycle, queryFromRequestDetails);
                if (objectElement != null) {
                    arrayList2.add(objectElement);
                }
            }
            if (arrayList2.isEmpty()) {
                log.debug("No auditable resources to audit.");
                return true;
            }
            log.debug("Auditing " + arrayList2.size() + " resources.");
            securityEvent.setObject(arrayList2);
            securityEvent.setSource(getSourceElement(httpServletRequest));
            store(securityEvent);
            return true;
        } catch (Exception e) {
            log.error("Unable to audit resource: " + bundle + " from request: " + requestDetails, (Throwable) e);
            throw new InternalErrorException("Auditing failed, unable to complete request", e);
        }
    }

    @Override // ca.uhn.fhir.rest.server.interceptor.InterceptorAdapter, ca.uhn.fhir.rest.server.interceptor.IServerInterceptor
    public boolean outgoingResponse(RequestDetails requestDetails, IResource iResource, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws AuthenticationException {
        if (this.myClientParamsOptional && this.myDataStore == null) {
            log.debug("No auditing configured.");
            return true;
        }
        try {
            log.info("Auditing resource: " + iResource + " from request: " + requestDetails);
            SecurityEvent securityEvent = new SecurityEvent();
            securityEvent.setEvent(getEventInfo(requestDetails));
            SecurityEvent.Participant participant = getParticipant(httpServletRequest);
            if (participant == null) {
                log.debug("No participant to audit");
                return true;
            }
            ArrayList arrayList = new ArrayList(1);
            arrayList.add(participant);
            securityEvent.setParticipant(arrayList);
            SecurityEvent.ObjectElement objectElement = getObjectElement(iResource, mapResourceTypeToSecurityLifecycle(requestDetails.getResourceOperationType()), getQueryFromRequestDetails(requestDetails));
            if (objectElement == null) {
                log.debug("No auditable resources to audit");
                return true;
            }
            ArrayList arrayList2 = new ArrayList(1);
            arrayList2.add(objectElement);
            securityEvent.setObject(arrayList2);
            securityEvent.setSource(getSourceElement(httpServletRequest));
            log.debug("Auditing one resource.");
            store(securityEvent);
            return true;
        } catch (Exception e) {
            log.error("Unable to audit resource: " + iResource + " from request: " + requestDetails, (Throwable) e);
            throw new InternalErrorException("Auditing failed, unable to complete request", e);
        }
    }

    protected void store(SecurityEvent securityEvent) throws Exception {
        if (this.myDataStore == null) {
            throw new InternalErrorException("No data store provided to persist audit events");
        }
        this.myDataStore.store(securityEvent);
    }

    protected SecurityEvent.Event getEventInfo(RequestDetails requestDetails) {
        SecurityEvent.Event event = new SecurityEvent.Event();
        event.setAction(mapResourceTypeToSecurityEventAction(requestDetails.getResourceOperationType()));
        event.setDateTimeWithMillisPrecision(new Date());
        event.setOutcome(SecurityEventOutcomeEnum.SUCCESS);
        return event;
    }

    protected byte[] getQueryFromRequestDetails(RequestDetails requestDetails) {
        byte[] bytes;
        try {
            bytes = requestDetails.getCompleteUrl().getBytes("UTF-8");
        } catch (UnsupportedEncodingException e) {
            log.warn("Unable to encode URL to bytes in UTF-8, defaulting to platform default charset.", (Throwable) e);
            bytes = requestDetails.getCompleteUrl().getBytes();
        }
        return bytes;
    }

    protected SecurityEvent.ObjectElement getObjectElement(IResource iResource, SecurityEventObjectLifecycleEnum securityEventObjectLifecycleEnum, byte[] bArr) throws InstantiationException, IllegalAccessException {
        String resourceName = iResource.getResourceName();
        if (!this.myAuditableResources.containsKey(resourceName)) {
            log.debug("No auditor configured for resource type " + resourceName);
            return null;
        }
        log.debug("Found auditable resource of type: " + resourceName);
        IResourceAuditor<? extends IResource> newInstance = this.myAuditableResources.get(resourceName).newInstance();
        newInstance.setResource(iResource);
        if (!newInstance.isAuditable()) {
            log.debug("Resource is not auditable");
            return null;
        }
        SecurityEvent.ObjectElement objectElement = new SecurityEvent.ObjectElement();
        objectElement.setReference(new ResourceReferenceDt(iResource.getId()));
        objectElement.setLifecycle(securityEventObjectLifecycleEnum);
        objectElement.setQuery(bArr);
        objectElement.setName(newInstance.getName());
        objectElement.setIdentifier((IdentifierDt) newInstance.getIdentifier());
        objectElement.setType(newInstance.getType());
        objectElement.setDescription(newInstance.getDescription());
        Map<String, String> detail = newInstance.getDetail();
        if (detail != null && !detail.isEmpty()) {
            ArrayList arrayList = new ArrayList();
            for (Map.Entry<String, String> entry : detail.entrySet()) {
                arrayList.add(makeObjectDetail(entry.getKey(), entry.getValue()));
            }
            objectElement.setDetail(arrayList);
        }
        objectElement.setSensitivity(newInstance.getSensitivity());
        return objectElement;
    }

    protected SecurityEvent.ObjectDetail makeObjectDetail(String str, String str2) {
        SecurityEvent.ObjectDetail objectDetail = new SecurityEvent.ObjectDetail();
        if (str != null) {
            objectDetail.setType(str);
        }
        if (str2 != null) {
            objectDetail.setValue(str2.getBytes());
        }
        return objectDetail;
    }

    protected SecurityEvent.Participant getParticipant(HttpServletRequest httpServletRequest) throws InvalidRequestException, NotImplementedException {
        if (httpServletRequest.getHeader("Authorization") != null && httpServletRequest.getHeader("Authorization").startsWith("OAuth")) {
            if (!this.myClientParamsOptional) {
                throw new NotImplementedException("OAuth user auditing not yet implemented.");
            }
            log.debug("OAuth request received but no auditing required.");
            return null;
        }
        String header = httpServletRequest.getHeader(UserInfoInterceptor.HEADER_USER_ID);
        if (header == null) {
            if (this.myClientParamsOptional) {
                return null;
            }
            throw new InvalidRequestException("fhir-user-id must be specified as an HTTP header to access PHI.");
        }
        String header2 = httpServletRequest.getHeader(UserInfoInterceptor.HEADER_USER_NAME);
        if (header2 == null) {
            header2 = "Anonymous";
        }
        String remoteAddr = httpServletRequest.getRemoteAddr();
        SecurityEvent.Participant participant = new SecurityEvent.Participant();
        participant.setUserId(header);
        participant.setName(header2);
        SecurityEvent.ParticipantNetwork network = participant.getNetwork();
        network.setType(SecurityEventParticipantNetworkTypeEnum.IP_ADDRESS);
        network.setIdentifier(remoteAddr);
        return participant;
    }

    protected SecurityEvent.Source getSourceElement(HttpServletRequest httpServletRequest) throws NotImplementedException {
        if (httpServletRequest.getHeader("Authorization") != null && httpServletRequest.getHeader("Authorization").startsWith("OAuth")) {
            if (this.myClientParamsOptional) {
                return null;
            }
            throw new NotImplementedException("OAuth auditing not yet implemented.");
        }
        String header = httpServletRequest.getHeader(UserInfoInterceptor.HEADER_APPLICATION_NAME);
        SecurityEvent.Source source = new SecurityEvent.Source();
        source.setIdentifier(header);
        source.setType(getAccessType(httpServletRequest));
        source.setSite(getSiteId(httpServletRequest));
        return source;
    }

    protected StringDt getSiteId(HttpServletRequest httpServletRequest) {
        return new StringDt(this.mySiteId);
    }

    protected List<CodingDt> getAccessType(HttpServletRequest httpServletRequest) {
        ArrayList arrayList = new ArrayList();
        if (httpServletRequest.getHeader("Authorization") == null || !httpServletRequest.getHeader("Authorization").startsWith("OAuth")) {
            String header = httpServletRequest.getHeader(UserInfoInterceptor.HEADER_USER_ID);
            String header2 = httpServletRequest.getHeader(UserInfoInterceptor.HEADER_APPLICATION_NAME);
            if (header != null || header2 == null) {
                arrayList.add(new CodingDt(SecurityEventSourceTypeEnum.USER_DEVICE.getSystem(), SecurityEventSourceTypeEnum.USER_DEVICE.getCode()));
            } else {
                arrayList.add(new CodingDt(SecurityEventSourceTypeEnum.APPLICATION_SERVER.getSystem(), SecurityEventSourceTypeEnum.APPLICATION_SERVER.getCode()));
            }
        } else {
            arrayList.add(new CodingDt(SecurityEventSourceTypeEnum.USER_DEVICE.getSystem(), SecurityEventSourceTypeEnum.USER_DEVICE.getCode()));
        }
        return arrayList;
    }

    protected SecurityEventActionEnum mapResourceTypeToSecurityEventAction(RestfulOperationTypeEnum restfulOperationTypeEnum) {
        if (restfulOperationTypeEnum == null) {
            return null;
        }
        switch (restfulOperationTypeEnum) {
            case READ:
                return SecurityEventActionEnum.READ_VIEW_PRINT;
            case CREATE:
                return SecurityEventActionEnum.CREATE;
            case DELETE:
                return SecurityEventActionEnum.DELETE;
            case HISTORY_INSTANCE:
                return SecurityEventActionEnum.READ_VIEW_PRINT;
            case HISTORY_TYPE:
                return SecurityEventActionEnum.READ_VIEW_PRINT;
            case SEARCH_TYPE:
                return SecurityEventActionEnum.READ_VIEW_PRINT;
            case UPDATE:
                return SecurityEventActionEnum.UPDATE;
            case VALIDATE:
                return SecurityEventActionEnum.READ_VIEW_PRINT;
            case VREAD:
                return SecurityEventActionEnum.READ_VIEW_PRINT;
            default:
                return SecurityEventActionEnum.READ_VIEW_PRINT;
        }
    }

    protected SecurityEventObjectLifecycleEnum mapResourceTypeToSecurityLifecycle(RestfulOperationTypeEnum restfulOperationTypeEnum) {
        if (restfulOperationTypeEnum == null) {
            return null;
        }
        switch (restfulOperationTypeEnum) {
            case READ:
                return SecurityEventObjectLifecycleEnum.ACCESS_OR_USE;
            case CREATE:
                return SecurityEventObjectLifecycleEnum.ORIGINATION_OR_CREATION;
            case DELETE:
                return SecurityEventObjectLifecycleEnum.LOGICAL_DELETION;
            case HISTORY_INSTANCE:
                return SecurityEventObjectLifecycleEnum.ACCESS_OR_USE;
            case HISTORY_TYPE:
                return SecurityEventObjectLifecycleEnum.ACCESS_OR_USE;
            case SEARCH_TYPE:
                return SecurityEventObjectLifecycleEnum.ACCESS_OR_USE;
            case UPDATE:
                return SecurityEventObjectLifecycleEnum.AMENDMENT;
            case VALIDATE:
                return SecurityEventObjectLifecycleEnum.VERIFICATION;
            case VREAD:
                return SecurityEventObjectLifecycleEnum.ACCESS_OR_USE;
            default:
                return SecurityEventObjectLifecycleEnum.ACCESS_OR_USE;
        }
    }

    public void setDataStore(IAuditDataStore iAuditDataStore) {
        this.myDataStore = iAuditDataStore;
    }

    public Map<String, Class<? extends IResourceAuditor<? extends IResource>>> getAuditableResources() {
        return this.myAuditableResources;
    }

    public void setAuditableResources(Map<String, Class<? extends IResourceAuditor<? extends IResource>>> map) {
        this.myAuditableResources = map;
    }

    public void addAuditableResource(String str, Class<? extends IResourceAuditor<? extends IResource>> cls) {
        if (this.myAuditableResources == null) {
            this.myAuditableResources = new HashMap();
        }
        this.myAuditableResources.put(str, cls);
    }
}
