package ca.uhn.fhir.rest.server.interceptor.auth;

import ca.uhn.fhir.context.FhirContext;
import ca.uhn.fhir.model.api.Bundle;
import ca.uhn.fhir.model.api.TagList;
import ca.uhn.fhir.rest.api.RestOperationTypeEnum;
import ca.uhn.fhir.rest.method.RequestDetails;
import ca.uhn.fhir.rest.server.exceptions.AuthenticationException;
import ca.uhn.fhir.rest.server.exceptions.ForbiddenOperationException;
import ca.uhn.fhir.rest.server.interceptor.IServerInterceptor;
import ca.uhn.fhir.rest.server.interceptor.IServerOperationInterceptor;
import ca.uhn.fhir.rest.server.interceptor.InterceptorAdapter;
import ca.uhn.fhir.util.CoverageIgnore;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.lang3.Validate;
import org.hl7.fhir.instance.model.api.IBaseBundle;
import org.hl7.fhir.instance.model.api.IBaseParameters;
import org.hl7.fhir.instance.model.api.IBaseResource;
import org.hl7.fhir.instance.model.api.IIdType;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/hapi-fhir-base-2.1.jar:ca/uhn/fhir/rest/server/interceptor/auth/AuthorizationInterceptor.class */
public class AuthorizationInterceptor extends InterceptorAdapter implements IServerOperationInterceptor, IRuleApplier {
    private static final Logger ourLog = LoggerFactory.getLogger((Class<?>) AuthorizationInterceptor.class);
    private PolicyEnum myDefaultPolicy;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:WEB-INF/lib/hapi-fhir-base-2.1.jar:ca/uhn/fhir/rest/server/interceptor/auth/AuthorizationInterceptor$OperationExamineDirection.class */
    public enum OperationExamineDirection {
        IN,
        NONE,
        OUT,
        BOTH
    }

    /* loaded from: input_file:WEB-INF/lib/hapi-fhir-base-2.1.jar:ca/uhn/fhir/rest/server/interceptor/auth/AuthorizationInterceptor$Verdict.class */
    public static class Verdict {
        private final IAuthRule myDecidingRule;
        private final PolicyEnum myDecision;

        public Verdict(PolicyEnum policyEnum, IAuthRule iAuthRule) {
            this.myDecision = policyEnum;
            this.myDecidingRule = iAuthRule;
        }

        public IAuthRule getDecidingRule() {
            return this.myDecidingRule;
        }

        public PolicyEnum getDecision() {
            return this.myDecision;
        }
    }

    public AuthorizationInterceptor() {
        this.myDefaultPolicy = PolicyEnum.DENY;
    }

    public AuthorizationInterceptor(PolicyEnum policyEnum) {
        this();
        setDefaultPolicy(policyEnum);
    }

    private void applyRulesAndFailIfDeny(RestOperationTypeEnum restOperationTypeEnum, RequestDetails requestDetails, IBaseResource iBaseResource, IIdType iIdType, IBaseResource iBaseResource2) {
        Verdict applyRulesAndReturnDecision = applyRulesAndReturnDecision(restOperationTypeEnum, requestDetails, iBaseResource, iIdType, iBaseResource2);
        if (applyRulesAndReturnDecision.getDecision() == PolicyEnum.ALLOW) {
            return;
        }
        handleDeny(applyRulesAndReturnDecision);
    }

    @Override // ca.uhn.fhir.rest.server.interceptor.auth.IRuleApplier
    public Verdict applyRulesAndReturnDecision(RestOperationTypeEnum restOperationTypeEnum, RequestDetails requestDetails, IBaseResource iBaseResource, IIdType iIdType, IBaseResource iBaseResource2) {
        List<IAuthRule> buildRuleList = buildRuleList(requestDetails);
        ourLog.trace("Applying {} rules to render an auth decision for operation {}", Integer.valueOf(buildRuleList.size()), restOperationTypeEnum);
        Verdict verdict = null;
        Iterator<IAuthRule> it = buildRuleList.iterator();
        while (true) {
            if (!it.hasNext()) {
                break;
            }
            IAuthRule next = it.next();
            verdict = next.applyRule(restOperationTypeEnum, requestDetails, iBaseResource, iIdType, iBaseResource2, this);
            if (verdict != null) {
                ourLog.trace("Rule {} returned decision {}", next, verdict.getDecision());
                break;
            }
        }
        if (verdict != null) {
            return verdict;
        }
        ourLog.trace("No rules returned a decision, applying default {}", this.myDefaultPolicy);
        return new Verdict(this.myDefaultPolicy, null);
    }

    public List<IAuthRule> buildRuleList(RequestDetails requestDetails) {
        return new ArrayList();
    }

    private OperationExamineDirection determineOperationDirection(RestOperationTypeEnum restOperationTypeEnum, IBaseResource iBaseResource) {
        switch (restOperationTypeEnum) {
            case ADD_TAGS:
            case DELETE_TAGS:
            case GET_TAGS:
                return OperationExamineDirection.NONE;
            case EXTENDED_OPERATION_INSTANCE:
            case EXTENDED_OPERATION_SERVER:
            case EXTENDED_OPERATION_TYPE:
                return OperationExamineDirection.BOTH;
            case METADATA:
                return OperationExamineDirection.IN;
            case DELETE:
                return OperationExamineDirection.NONE;
            case CREATE:
            case UPDATE:
                return OperationExamineDirection.IN;
            case META:
            case META_ADD:
            case META_DELETE:
                return OperationExamineDirection.NONE;
            case GET_PAGE:
            case HISTORY_INSTANCE:
            case HISTORY_SYSTEM:
            case HISTORY_TYPE:
            case READ:
            case SEARCH_SYSTEM:
            case SEARCH_TYPE:
            case VREAD:
                return OperationExamineDirection.OUT;
            case TRANSACTION:
                return OperationExamineDirection.BOTH;
            case VALIDATE:
                return OperationExamineDirection.NONE;
            default:
                throw new IllegalStateException("Unable to apply security to event of type " + restOperationTypeEnum);
        }
    }

    public PolicyEnum getDefaultPolicy() {
        return this.myDefaultPolicy;
    }

    protected void handleDeny(Verdict verdict) {
        if (verdict.getDecidingRule() == null) {
            throw new ForbiddenOperationException("Access denied by default policy (no applicable rules)");
        }
        throw new ForbiddenOperationException("Access denied by rule: " + StringUtils.defaultString(verdict.getDecidingRule().getName(), "(unnamed rule)"));
    }

    private void handleUserOperation(RequestDetails requestDetails, IBaseResource iBaseResource, RestOperationTypeEnum restOperationTypeEnum) {
        applyRulesAndFailIfDeny(restOperationTypeEnum, requestDetails, iBaseResource, iBaseResource.getIdElement(), null);
    }

    @Override // ca.uhn.fhir.rest.server.interceptor.InterceptorAdapter, ca.uhn.fhir.rest.server.interceptor.IServerInterceptor
    public void incomingRequestPreHandled(RestOperationTypeEnum restOperationTypeEnum, IServerInterceptor.ActionRequestDetails actionRequestDetails) {
        IBaseResource iBaseResource = null;
        IIdType iIdType = null;
        switch (determineOperationDirection(restOperationTypeEnum, actionRequestDetails.getResource())) {
            case IN:
            case BOTH:
                iBaseResource = actionRequestDetails.getResource();
                iIdType = actionRequestDetails.getId();
                break;
            case OUT:
                iBaseResource = null;
                iIdType = actionRequestDetails.getId();
                break;
            case NONE:
                return;
        }
        applyRulesAndFailIfDeny(restOperationTypeEnum, actionRequestDetails.getRequestDetails(), iBaseResource, iIdType, null);
    }

    @Override // ca.uhn.fhir.rest.server.interceptor.InterceptorAdapter, ca.uhn.fhir.rest.server.interceptor.IServerInterceptor
    @CoverageIgnore
    public boolean outgoingResponse(RequestDetails requestDetails, Bundle bundle) {
        throw failForDstu1();
    }

    @Override // ca.uhn.fhir.rest.server.interceptor.InterceptorAdapter, ca.uhn.fhir.rest.server.interceptor.IServerInterceptor
    @CoverageIgnore
    public boolean outgoingResponse(RequestDetails requestDetails, Bundle bundle, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws AuthenticationException {
        throw failForDstu1();
    }

    @Override // ca.uhn.fhir.rest.server.interceptor.InterceptorAdapter, ca.uhn.fhir.rest.server.interceptor.IServerInterceptor
    public boolean outgoingResponse(RequestDetails requestDetails, IBaseResource iBaseResource) {
        switch (determineOperationDirection(requestDetails.getRestOperationType(), null)) {
            case IN:
            case NONE:
                return true;
            case BOTH:
            case OUT:
            default:
                FhirContext fhirContext = requestDetails.getServer().getFhirContext();
                List<IBaseResource> emptyList = Collections.emptyList();
                switch (requestDetails.getRestOperationType()) {
                    case EXTENDED_OPERATION_INSTANCE:
                    case EXTENDED_OPERATION_SERVER:
                    case EXTENDED_OPERATION_TYPE:
                    case HISTORY_INSTANCE:
                    case HISTORY_SYSTEM:
                    case HISTORY_TYPE:
                    case SEARCH_SYSTEM:
                    case SEARCH_TYPE:
                    case TRANSACTION:
                        if (iBaseResource != null) {
                            if (!(iBaseResource instanceof IBaseBundle)) {
                                if (iBaseResource instanceof IBaseParameters) {
                                    emptyList = toListOfResourcesAndExcludeContainer(iBaseResource, fhirContext);
                                    break;
                                }
                            } else {
                                emptyList = toListOfResourcesAndExcludeContainer(iBaseResource, fhirContext);
                                break;
                            }
                        }
                        break;
                    case METADATA:
                    case DELETE:
                    case CREATE:
                    case UPDATE:
                    case META:
                    case META_ADD:
                    case META_DELETE:
                    case GET_PAGE:
                    case READ:
                    case VREAD:
                    default:
                        if (iBaseResource != null) {
                            emptyList = Collections.singletonList(iBaseResource);
                            break;
                        }
                        break;
                }
                Iterator<IBaseResource> it = emptyList.iterator();
                while (it.hasNext()) {
                    applyRulesAndFailIfDeny(requestDetails.getRestOperationType(), requestDetails, null, null, it.next());
                }
                return true;
        }
    }

    private List<IBaseResource> toListOfResourcesAndExcludeContainer(IBaseResource iBaseResource, FhirContext fhirContext) {
        List<IBaseResource> allPopulatedChildElementsOfType = fhirContext.newTerser().getAllPopulatedChildElementsOfType(iBaseResource, IBaseResource.class);
        if (allPopulatedChildElementsOfType.size() > 0 && allPopulatedChildElementsOfType.get(0) == iBaseResource) {
            allPopulatedChildElementsOfType = allPopulatedChildElementsOfType.subList(1, allPopulatedChildElementsOfType.size());
        }
        return allPopulatedChildElementsOfType;
    }

    @Override // ca.uhn.fhir.rest.server.interceptor.InterceptorAdapter, ca.uhn.fhir.rest.server.interceptor.IServerInterceptor
    @CoverageIgnore
    public boolean outgoingResponse(RequestDetails requestDetails, TagList tagList) {
        throw failForDstu1();
    }

    @Override // ca.uhn.fhir.rest.server.interceptor.InterceptorAdapter, ca.uhn.fhir.rest.server.interceptor.IServerInterceptor
    @CoverageIgnore
    public boolean outgoingResponse(RequestDetails requestDetails, TagList tagList, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws AuthenticationException {
        throw failForDstu1();
    }

    @Override // ca.uhn.fhir.rest.server.interceptor.IServerOperationInterceptor
    public void resourceCreated(RequestDetails requestDetails, IBaseResource iBaseResource) {
        handleUserOperation(requestDetails, iBaseResource, RestOperationTypeEnum.CREATE);
    }

    @Override // ca.uhn.fhir.rest.server.interceptor.IServerOperationInterceptor
    public void resourceDeleted(RequestDetails requestDetails, IBaseResource iBaseResource) {
        handleUserOperation(requestDetails, iBaseResource, RestOperationTypeEnum.DELETE);
    }

    @Override // ca.uhn.fhir.rest.server.interceptor.IServerOperationInterceptor
    public void resourceUpdated(RequestDetails requestDetails, IBaseResource iBaseResource) {
        handleUserOperation(requestDetails, iBaseResource, RestOperationTypeEnum.UPDATE);
    }

    public void setDefaultPolicy(PolicyEnum policyEnum) {
        Validate.notNull(policyEnum, "theDefaultPolicy must not be null", new Object[0]);
        this.myDefaultPolicy = policyEnum;
    }

    private static UnsupportedOperationException failForDstu1() {
        return new UnsupportedOperationException("Use of this interceptor on DSTU1 servers is not supportd");
    }
}
