package ca.uhn.fhir.rest.server.interceptor.auth;

import ca.uhn.fhir.context.FhirContext;
import ca.uhn.fhir.model.api.Bundle;
import ca.uhn.fhir.model.api.TagList;
import ca.uhn.fhir.rest.api.RestOperationTypeEnum;
import ca.uhn.fhir.rest.method.RequestDetails;
import ca.uhn.fhir.rest.server.exceptions.AuthenticationException;
import ca.uhn.fhir.rest.server.exceptions.ForbiddenOperationException;
import ca.uhn.fhir.rest.server.interceptor.IServerInterceptor;
import ca.uhn.fhir.rest.server.interceptor.IServerOperationInterceptor;
import ca.uhn.fhir.rest.server.interceptor.InterceptorAdapter;
import ca.uhn.fhir.util.BundleUtil;
import ca.uhn.fhir.util.CoverageIgnore;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import org.a.a.c.g;
import org.a.a.c.i;
import org.d.a.a.a.a.f;
import org.d.a.a.a.a.v;
import org.e.b;
import org.e.c;

/* loaded from: classes.dex */
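/**
 * Server interceptor that evaluates a list of {@link IAuthRule}s against incoming requests and
 * outgoing responses and rejects the operation with a {@link ForbiddenOperationException} when
 * the resulting decision is anything other than {@link PolicyEnum#ALLOW}.
 *
 * <p>The rules come from {@link #buildRuleList(RequestDetails)}, which returns an empty list in
 * this class. With no rules, every operation this class examines falls through to the default
 * policy, which is {@link PolicyEnum#DENY} unless a different one is supplied.
 *
 * <p>This listing is decompiler output: several referenced types ({@code v}, {@code f},
 * {@code g}, {@code i}, {@code b}, {@code c}) carry obfuscated names, so comments that describe
 * them are marked as assumptions.
 */
public class AuthorizationInterceptor extends InterceptorAdapter implements IServerOperationInterceptor, IRuleApplier {
    private static final b ourLog = c.a((Class<?>) AuthorizationInterceptor.class);
    // Decision used when no rule returns a verdict; DENY unless changed via setDefaultPolicy.
    private PolicyEnum myDefaultPolicy;

    /**
     * Which side of an exchange is examined for a given operation type: the request ({@code IN}),
     * the response ({@code OUT}), both, or neither.
     */
    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: classes.dex */
    public enum OperationExamineDirection {
        IN,
        NONE,
        OUT,
        BOTH
    }

    /**
     * Immutable outcome of rule evaluation: the decision plus the rule that produced it. The
     * deciding rule is {@code null} when the decision came from the default policy.
     */
    /* loaded from: classes.dex */
    public static class Verdict {
        private final IAuthRule myDecidingRule;
        private final PolicyEnum myDecision;

        /**
         * @param policyEnum the decision that was reached
         * @param iAuthRule the rule that reached it, or {@code null} for the default policy
         */
        public Verdict(PolicyEnum policyEnum, IAuthRule iAuthRule) {
            this.myDecision = policyEnum;
            this.myDecidingRule = iAuthRule;
        }

        /** @return the rule that produced the decision, or {@code null} for the default policy */
        public IAuthRule getDecidingRule() {
            return this.myDecidingRule;
        }

        /** @return the decision that was reached */
        public PolicyEnum getDecision() {
            return this.myDecision;
        }
    }

    /** Creates an interceptor whose default policy is {@link PolicyEnum#DENY}. */
    public AuthorizationInterceptor() {
        this.myDefaultPolicy = PolicyEnum.DENY;
    }

    /**
     * Creates an interceptor with the given default policy.
     *
     * @param policyEnum the decision to apply when no rule returns a verdict; passed through
     *     {@link #setDefaultPolicy(PolicyEnum)}
     */
    public AuthorizationInterceptor(PolicyEnum policyEnum) {
        this();
        setDefaultPolicy(policyEnum);
    }

    /**
     * Evaluates the rules and hands any non-ALLOW verdict to {@link #handleDeny(Verdict)}.
     *
     * <p>Enforcement depends on {@code handleDeny} throwing: this method returns normally
     * afterwards, so an override of {@code handleDeny} that returns lets the operation proceed.
     */
    private void applyRulesAndFailIfDeny(RestOperationTypeEnum restOperationTypeEnum, RequestDetails requestDetails, v vVar, v vVar2) {
        Verdict verdict = applyRulesAndReturnDecision(restOperationTypeEnum, requestDetails, vVar, vVar2);
        if (verdict.getDecision() != PolicyEnum.ALLOW) {
            handleDeny(verdict);
        }
    }

    /**
     * Maps an operation type to the side of the exchange on which rules are applied.
     *
     * <p>Security notes for reviewers:
     * <ul>
     *   <li>Operation types mapped to {@code NONE} are skipped by both
     *       {@link #incomingRequestPreHandled} and the resource-level {@code outgoingResponse}.
     *       {@code DELETE} is still evaluated through {@link #resourceDeleted}. For the tag,
     *       meta and validate operations no method in this class applies rules.
     *       NOTE(review): confirm another control restricts those operations, since the default
     *       policy is never consulted for them here.</li>
     *   <li>Extended operations and {@code METADATA} are {@code IN} only, so their responses are
     *       not examined by this class.</li>
     *   <li>An operation type that is not listed is rejected with an exception rather than being
     *       let through.</li>
     * </ul>
     *
     * @throws IllegalStateException if the operation type is not one of those listed
     */
    private OperationExamineDirection determineOperationDirection(RestOperationTypeEnum restOperationTypeEnum) {
        switch (restOperationTypeEnum) {
            case ADD_TAGS:
            case DELETE_TAGS:
            case GET_TAGS:
            case DELETE:
            case META:
            case META_ADD:
            case META_DELETE:
            case VALIDATE:
                return OperationExamineDirection.NONE;
            case EXTENDED_OPERATION_INSTANCE:
            case EXTENDED_OPERATION_SERVER:
            case EXTENDED_OPERATION_TYPE:
            case METADATA:
            case CREATE:
            case UPDATE:
                return OperationExamineDirection.IN;
            case GET_PAGE:
            case HISTORY_INSTANCE:
            case HISTORY_SYSTEM:
            case HISTORY_TYPE:
            case READ:
            case SEARCH_SYSTEM:
            case SEARCH_TYPE:
            case VREAD:
                return OperationExamineDirection.OUT;
            case TRANSACTION:
                return OperationExamineDirection.BOTH;
            default:
                throw new IllegalStateException("Unable to apply security to event of type " + restOperationTypeEnum);
        }
    }

    /** Builds the exception thrown by the DSTU1-style {@code outgoingResponse} overloads. */
    private static UnsupportedOperationException failForDstu1() {
        return new UnsupportedOperationException("Use of this interceptor on DSTU1 servers is not supported");
    }

    /** Applies the rules to a storage-level operation, passing the resource as the input resource. */
    private void handleUserOperation(RequestDetails requestDetails, v vVar, RestOperationTypeEnum restOperationTypeEnum) {
        applyRulesAndFailIfDeny(restOperationTypeEnum, requestDetails, vVar, null);
    }

    /**
     * Flattens a bundle into a list of resources, expanding any entry that is itself an
     * instance of {@code f} (presumably a nested bundle; the type name is obfuscated).
     *
     * <p>The list is modified while it is being walked: a nested entry's resources are appended
     * at the end and the entry is removed, so the index is stepped back to revisit the slot that
     * now holds the following element. Appended entries are visited later in the same loop.
     */
    private List<v> toListOfResources(FhirContext fhirContext, f fVar) {
        List<v> resources = BundleUtil.toListOfResources(fhirContext, fVar);
        for (int index = 0; index < resources.size(); index++) {
            v candidate = resources.get(index);
            if (candidate instanceof f) {
                resources.addAll(BundleUtil.toListOfResources(fhirContext, (f) candidate));
                resources.remove(index);
                index--;
            }
        }
        return resources;
    }

    /**
     * Runs the rules in list order and returns the first non-null verdict. When no rule returns
     * a verdict, the result is the default policy with a {@code null} deciding rule.
     *
     * <p>Because the first verdict wins, the order of the list returned by
     * {@link #buildRuleList(RequestDetails)} determines the outcome when rules overlap.
     *
     * @param vVar the resource passed to rules as the input resource, may be {@code null}
     * @param vVar2 the resource passed to rules as the output resource, may be {@code null}
     * @return the deciding verdict, never {@code null}
     */
    @Override // ca.uhn.fhir.rest.server.interceptor.auth.IRuleApplier
    public Verdict applyRulesAndReturnDecision(RestOperationTypeEnum restOperationTypeEnum, RequestDetails requestDetails, v vVar, v vVar2) {
        List<IAuthRule> rules = buildRuleList(requestDetails);
        ourLog.a("Applying {} rules to render an auth decision for operation {}", Integer.valueOf(rules.size()), restOperationTypeEnum);
        for (IAuthRule rule : rules) {
            Verdict verdict = rule.applyRule(restOperationTypeEnum, requestDetails, vVar, vVar2, this);
            if (verdict != null) {
                ourLog.a("Rule {} returned decision {}", rule, verdict.getDecision());
                return verdict;
            }
        }
        ourLog.a("No rules returned a decision, applying default {}", this.myDefaultPolicy);
        return new Verdict(this.myDefaultPolicy, null);
    }

    /**
     * Supplies the rules to evaluate for a request. This implementation returns an empty list,
     * so every examined operation is decided by the default policy; presumably subclasses
     * override it to build rules for the calling user.
     *
     * @return the rules in evaluation order
     */
    public List<IAuthRule> buildRuleList(RequestDetails requestDetails) {
        return new ArrayList<>();
    }

    /** @return the decision applied when no rule returns a verdict */
    public PolicyEnum getDefaultPolicy() {
        return this.myDefaultPolicy;
    }

    /**
     * Rejects the operation by throwing {@link ForbiddenOperationException}.
     *
     * <p>NOTE(review): the deciding rule's name is placed in the exception message. If that
     * message is returned to the client, rule names should not carry sensitive detail.
     *
     * @throws ForbiddenOperationException always
     */
    protected void handleDeny(Verdict verdict) {
        if (verdict.getDecidingRule() == null) {
            throw new ForbiddenOperationException("Access denied by default policy (no applicable rules)");
        }
        // g.a presumably substitutes the second argument when the name is null (obfuscated helper).
        throw new ForbiddenOperationException("Access denied by rule: " + g.a(verdict.getDecidingRule().getName(), "(unnamed rule)"));
    }

    /**
     * Applies the rules to the request resource before the operation is handled, unless the
     * operation's direction is {@code NONE} or {@code OUT}.
     */
    @Override // ca.uhn.fhir.rest.server.interceptor.InterceptorAdapter, ca.uhn.fhir.rest.server.interceptor.IServerInterceptor
    public void incomingRequestPreHandled(RestOperationTypeEnum restOperationTypeEnum, IServerInterceptor.ActionRequestDetails actionRequestDetails) {
        OperationExamineDirection direction = determineOperationDirection(restOperationTypeEnum);
        if (direction == OperationExamineDirection.NONE || direction == OperationExamineDirection.OUT) {
            return;
        }
        applyRulesAndFailIfDeny(restOperationTypeEnum, actionRequestDetails.getRequestDetails(), actionRequestDetails.getResource(), null);
    }

    /** Not supported: always throws the exception built by {@link #failForDstu1()}. */
    @Override // ca.uhn.fhir.rest.server.interceptor.InterceptorAdapter, ca.uhn.fhir.rest.server.interceptor.IServerInterceptor
    @CoverageIgnore
    public boolean outgoingResponse(RequestDetails requestDetails, Bundle bundle) {
        throw failForDstu1();
    }

    /** Not supported: always throws the exception built by {@link #failForDstu1()}. */
    @Override // ca.uhn.fhir.rest.server.interceptor.InterceptorAdapter, ca.uhn.fhir.rest.server.interceptor.IServerInterceptor
    @CoverageIgnore
    public boolean outgoingResponse(RequestDetails requestDetails, Bundle bundle, b.b.a.b bVar, b.b.a.c cVar) throws AuthenticationException {
        throw failForDstu1();
    }

    /** Not supported: always throws the exception built by {@link #failForDstu1()}. */
    @Override // ca.uhn.fhir.rest.server.interceptor.InterceptorAdapter, ca.uhn.fhir.rest.server.interceptor.IServerInterceptor
    @CoverageIgnore
    public boolean outgoingResponse(RequestDetails requestDetails, TagList tagList) {
        throw failForDstu1();
    }

    /** Not supported: always throws the exception built by {@link #failForDstu1()}. */
    @Override // ca.uhn.fhir.rest.server.interceptor.InterceptorAdapter, ca.uhn.fhir.rest.server.interceptor.IServerInterceptor
    @CoverageIgnore
    public boolean outgoingResponse(RequestDetails requestDetails, TagList tagList, b.b.a.b bVar, b.b.a.c cVar) throws AuthenticationException {
        throw failForDstu1();
    }

    /**
     * Applies the rules to each resource in an outgoing response when the operation's direction
     * is {@code OUT} or {@code BOTH}; a denial surfaces as the exception thrown by
     * {@link #handleDeny(Verdict)}.
     *
     * <p>History, search and transaction responses are unpacked into their individual resources
     * and every one must be allowed. Any other examined operation passes the response object to
     * the rules as a single resource. NOTE(review): {@code GET_PAGE} takes that single-resource
     * path, so if a page response is a bundle its entries are not examined individually here;
     * confirm the rules cover that case.
     *
     * @param vVar the response resource, may be {@code null}, in which case nothing is examined
     * @return always {@code true}
     */
    @Override // ca.uhn.fhir.rest.server.interceptor.InterceptorAdapter, ca.uhn.fhir.rest.server.interceptor.IServerInterceptor
    public boolean outgoingResponse(RequestDetails requestDetails, v vVar) {
        OperationExamineDirection direction = determineOperationDirection(requestDetails.getRestOperationType());
        if (direction == OperationExamineDirection.IN || direction == OperationExamineDirection.NONE) {
            return true;
        }

        FhirContext fhirContext = requestDetails.getServer().getFhirContext();
        // The result is unused, but the call is kept: an overriding buildRuleList may throw or
        // have other effects that callers rely on even when the response holds no resources.
        buildRuleList(requestDetails);

        List<v> resources = Collections.emptyList();
        switch (requestDetails.getRestOperationType()) {
            case HISTORY_INSTANCE:
            case HISTORY_SYSTEM:
            case HISTORY_TYPE:
            case SEARCH_SYSTEM:
            case SEARCH_TYPE:
            case TRANSACTION:
                if (vVar != null) {
                    resources = toListOfResources(fhirContext, (f) vVar);
                }
                break;
            case READ:
            case VREAD:
            default:
                if (vVar != null) {
                    resources = Collections.singletonList(vVar);
                }
                break;
        }

        // Every returned resource has to be allowed; the first denial aborts the response.
        for (v resource : resources) {
            applyRulesAndFailIfDeny(requestDetails.getRestOperationType(), requestDetails, null, resource);
        }
        return true;
    }

    /** Applies the rules to a created resource as a {@code CREATE} operation. */
    @Override // ca.uhn.fhir.rest.server.interceptor.IServerOperationInterceptor
    public void resourceCreated(RequestDetails requestDetails, v vVar) {
        handleUserOperation(requestDetails, vVar, RestOperationTypeEnum.CREATE);
    }

    /** Applies the rules to a deleted resource as a {@code DELETE} operation. */
    @Override // ca.uhn.fhir.rest.server.interceptor.IServerOperationInterceptor
    public void resourceDeleted(RequestDetails requestDetails, v vVar) {
        handleUserOperation(requestDetails, vVar, RestOperationTypeEnum.DELETE);
    }

    /** Applies the rules to an updated resource as an {@code UPDATE} operation. */
    @Override // ca.uhn.fhir.rest.server.interceptor.IServerOperationInterceptor
    public void resourceUpdated(RequestDetails requestDetails, v vVar) {
        handleUserOperation(requestDetails, vVar, RestOperationTypeEnum.UPDATE);
    }

    /**
     * Sets the decision applied when no rule returns a verdict. Setting it to
     * {@link PolicyEnum#ALLOW} makes the interceptor permit anything the rules do not
     * explicitly decide.
     *
     * @param policyEnum the new default policy; the message passed to the obfuscated helper
     *     indicates {@code null} is rejected
     */
    public void setDefaultPolicy(PolicyEnum policyEnum) {
        i.a(policyEnum, "theDefaultPolicy must not be null", new Object[0]);
        this.myDefaultPolicy = policyEnum;
    }
}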
