package org.xdi.oxauth.uma.service;

import com.google.common.collect.Lists;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.ejb.Stateless;
import javax.inject.Inject;
import javax.inject.Named;
import javax.ws.rs.core.Response;
import org.slf4j.Logger;
import org.xdi.oxauth.model.error.ErrorResponseFactory;
import org.xdi.oxauth.model.uma.JsonLogic;
import org.xdi.oxauth.model.uma.JsonLogicNode;
import org.xdi.oxauth.model.uma.JsonLogicNodeParser;
import org.xdi.oxauth.model.uma.UmaErrorResponseType;
import org.xdi.oxauth.model.uma.persistence.UmaPermission;
import org.xdi.oxauth.model.uma.persistence.UmaResource;
import org.xdi.oxauth.model.util.Util;
import org.xdi.oxauth.service.external.ExternalUmaRptPolicyService;
import org.xdi.oxauth.uma.authorization.UmaAuthorizationContext;
import org.xdi.oxauth.uma.authorization.UmaScriptByScope;
import org.xdi.oxauth.uma.authorization.UmaWebException;
import org.xdi.util.StringHelper;

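/**
 * Decides whether UMA permissions are authorized, either by running the policy scripts bound to
 * each scope of a permission or by evaluating the JsonLogic scope expression stored on the
 * permission's resource.
 *
 * <p>Denials are reported by throwing {@link UmaWebException} with status {@code FORBIDDEN} and
 * {@link UmaErrorResponseType#FORBIDDEN_BY_POLICY}.
 */
@Stateless
@Named
/* loaded from: input_file:org/xdi/oxauth/uma/service/UmaExpressionService.class */
public class UmaExpressionService {

    @Inject
    private Logger log;

    @Inject
    private ExternalUmaRptPolicyService policyService;

    @Inject
    private ErrorResponseFactory errorResponseFactory;

    @Inject
    private UmaResourceService resourceService;

    @Inject
    private UmaPermissionService permissionService;

    /**
     * Checks a scope expression by delegating to {@link JsonLogicNodeParser#isNodeValid}.
     *
     * @param str the scope expression to check
     * @return the parser's verdict
     */
    public boolean isExpressionValid(String str) {
        return JsonLogicNodeParser.isNodeValid(str);
    }

    /**
     * Evaluates every permission in {@code list}. A permission whose resource carries a non-empty
     * scope expression is evaluated through that expression; any other permission is evaluated by
     * running the scripts of {@code map} whose scope DN is listed on the permission.
     *
     * @param map  policy scripts keyed by script and scope, with the context to run each in
     * @param list permissions to evaluate
     * @throws UmaWebException with {@code FORBIDDEN_BY_POLICY} as soon as one permission is denied
     */
    public void evaluate(Map<UmaScriptByScope, UmaAuthorizationContext> map, List<UmaPermission> list) {
        for (UmaPermission permission : list) {
            UmaResource resource = resourceService.getResourceById(permission.getResourceId());
            if (resource == null) {
                // Whether the lookup can return null is not visible here; if it does, deny
                // explicitly instead of failing with a NullPointerException.
                log.error("Failed to find resource for permission, access FORBIDDEN. Resource id: {}", permission.getResourceId());
                throw forbiddenByPolicy();
            }
            if (StringHelper.isNotEmpty(resource.getScopeExpression())) {
                evaluateScopeExpression(map, permission, resource);
            } else if (!evaluateByScopes(filterByScopeDns(map, permission.getScopeDns()))) {
                log.trace("Regular evaluation returns false, access FORBIDDEN.");
                throw forbiddenByPolicy();
            }
        }
    }

    /**
     * Runs each script of {@code map} and stops at the first one that does not authorize.
     *
     * <p>NOTE(review): an empty {@code map} yields {@code true}, so scopes with no policy script
     * are treated as authorized. Confirm that this default is intended for the deployment.
     *
     * @return {@code true} when no script returned {@code false}
     */
    private boolean evaluateByScopes(Map<UmaScriptByScope, UmaAuthorizationContext> map) {
        for (Map.Entry<UmaScriptByScope, UmaAuthorizationContext> entry : map.entrySet()) {
            UmaScriptByScope scriptByScope = entry.getKey();
            boolean authorized = policyService.authorize(scriptByScope.getScript(), entry.getValue());
            log.trace("Policy script inum: '{}' result: '{}'", scriptByScope.getScript().getInum(), authorized);
            if (!authorized) {
                log.trace("Stop authorization scriptMap execution, current script returns false, script inum: {}, scope: {}",
                        scriptByScope.getScript().getInum(), scriptByScope.getScope());
                return false;
            }
        }
        return true;
    }

    /**
     * Evaluates the resource's JsonLogic scope expression: each scope id listed in the expression
     * data is evaluated with its scripts, the resulting booleans are fed to the rule, and on a
     * positive result the scopes that evaluated to {@code false} are removed from the permission.
     *
     * @throws UmaWebException with {@code FORBIDDEN_BY_POLICY} when the expression cannot be
     *         parsed, its scope ids do not match the permission, evaluation fails, or the rule
     *         evaluates to {@code false}
     */
    private void evaluateScopeExpression(Map<UmaScriptByScope, UmaAuthorizationContext> map, UmaPermission umaPermission, UmaResource umaResource) {
        String scopeExpression = umaResource.getScopeExpression();
        JsonLogicNode node = JsonLogicNodeParser.parseNode(scopeExpression);
        if (node == null) {
            log.error("Failed to parse JsonLogic object, invalid expression: {}", scopeExpression);
            throw forbiddenByPolicy();
        }

        log.trace("Evaluating scope expression ...");
        List<String> expressionScopeIds = node.getDataCopy();
        Map<String, String> scopeIdToDn = scopeIdToDnMap(map, umaPermission.getScopeDns());

        if (expressionScopeIds.size() != scopeIdToDn.size()) {
            log.error("Scope size in JsonLogic object 'data' and in permission differs which is forbidden. Node data: {}, permissionDns: {}, result scopeIds: {}",
                    node, umaPermission.getScopeDns(), scopeIdToDn);
            throw forbiddenByPolicy();
        }

        // Equal sizes are not enough: the ids themselves must match in both directions. An id with
        // no mapping would be evaluated against an empty script set, which evaluateByScopes reports
        // as true, and a permission scope the expression never names would stay on the permission
        // without its policy having been run. Deny instead.
        boolean sameScopeIds = scopeIdToDn.keySet().containsAll(expressionScopeIds)
                && expressionScopeIds.containsAll(scopeIdToDn.keySet());
        if (!sameScopeIds) {
            log.error("Scope ids in JsonLogic object 'data' do not match the scopes of the permission which is forbidden. Node data: {}, permissionDns: {}, result scopeIds: {}",
                    node, umaPermission.getScopeDns(), scopeIdToDn);
            throw forbiddenByPolicy();
        }

        try {
            List<Boolean> scopeResults = new ArrayList<>();
            for (String scopeId : expressionScopeIds) {
                log.trace("Evaluating scope result for scope: {} ...", scopeId);
                boolean scopeResult = evaluateByScopes(filterByScopeDns(map, Lists.newArrayList(scopeIdToDn.get(scopeId))));
                log.trace("Evaluated scope result: {}, scope: {}", scopeResult, scopeId);
                scopeResults.add(scopeResult);
            }
            String rule = node.getRule().toString();
            boolean granted = scopeResults.isEmpty()
                    ? JsonLogic.apply(rule)
                    : JsonLogic.apply(rule, Util.asJsonSilently(scopeResults));
            log.trace("JsonLogic evaluation result: {}, rule: {}, data:{}", granted, rule, Util.asJsonSilently(scopeResults));
            if (granted) {
                removeFalseScopesFromPermission(umaPermission, expressionScopeIds, scopeIdToDn, scopeResults);
                return;
            }
        } catch (Exception e) {
            // Any failure during evaluation ends in a denial below; keep the cause in the log so
            // the denial can be diagnosed.
            log.error("Failed to evaluate jsonlogic expression. Expression: {}, resourceDn: {}", scopeExpression, umaResource.getDn(), e);
        }
        throw forbiddenByPolicy();
    }

    /**
     * Drops from the permission the DN of every scope whose result is {@code false} and persists
     * the permission when at least one DN was dropped.
     *
     * @param umaPermission permission to narrow
     * @param list          scope ids, index-aligned with {@code list2}
     * @param map           scope id to scope DN
     * @param list2         evaluation result per scope id
     */
    private void removeFalseScopesFromPermission(UmaPermission umaPermission, List<String> list, Map<String, String> map, List<Boolean> list2) {
        if (list2.isEmpty() || umaPermission.getScopeDns() == null) {
            return;
        }
        List<String> remainingScopeDns = new ArrayList<>(umaPermission.getScopeDns());
        for (int i = 0; i < list2.size(); i++) {
            if (!list2.get(i)) {
                remainingScopeDns.remove(map.get(list.get(i)));
            }
        }
        if (remainingScopeDns.size() < umaPermission.getScopeDns().size()) {
            umaPermission.setScopeDns(remainingScopeDns);
            permissionService.mergeSilently(umaPermission);
        }
    }

    /** Builds the exception used for every denial raised by this service. */
    private UmaWebException forbiddenByPolicy() {
        return new UmaWebException(Response.Status.FORBIDDEN, errorResponseFactory, UmaErrorResponseType.FORBIDDEN_BY_POLICY);
    }

    /**
     * Maps scope id to scope DN for every entry of {@code map} whose scope DN is in {@code list}.
     * Several scripts bound to one scope collapse into a single map entry.
     */
    private static Map<String, String> scopeIdToDnMap(Map<UmaScriptByScope, UmaAuthorizationContext> map, List<String> list) {
        Map<String, String> scopeIdToDn = new HashMap<>();
        for (Map.Entry<UmaScriptByScope, UmaAuthorizationContext> entry : map.entrySet()) {
            if (list.contains(entry.getKey().getScope().getDn())) {
                scopeIdToDn.put(entry.getKey().getScope().getId(), entry.getKey().getScope().getDn());
            }
        }
        return scopeIdToDn;
    }

    /** Returns the entries of {@code map} whose scope DN is contained in {@code list}. */
    private static Map<UmaScriptByScope, UmaAuthorizationContext> filterByScopeDns(Map<UmaScriptByScope, UmaAuthorizationContext> map, List<String> list) {
        Map<UmaScriptByScope, UmaAuthorizationContext> filtered = new HashMap<>();
        for (Map.Entry<UmaScriptByScope, UmaAuthorizationContext> entry : map.entrySet()) {
            if (list.contains(entry.getKey().getScope().getDn())) {
                filtered.put(entry.getKey(), entry.getValue());
            }
        }
        return filtered;
    }

    /**
     * Returns the entries of {@code map} whose scope id equals {@code str}. Not referenced
     * anywhere else in this class.
     */
    private static Map<UmaScriptByScope, UmaAuthorizationContext> filterByScopeId(Map<UmaScriptByScope, UmaAuthorizationContext> map, String str) {
        Map<UmaScriptByScope, UmaAuthorizationContext> filtered = new HashMap<>();
        for (Map.Entry<UmaScriptByScope, UmaAuthorizationContext> entry : map.entrySet()) {
            if (entry.getKey().getScope().getId().equals(str)) {
                filtered.put(entry.getKey(), entry.getValue());
            }
        }
        return filtered;
    }
}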
