package ca.uhn.fhir.rest.server.interceptor.consent;

import ca.uhn.fhir.context.BaseRuntimeChildDefinition;
import ca.uhn.fhir.context.BaseRuntimeElementDefinition;
import ca.uhn.fhir.interceptor.api.Hook;
import ca.uhn.fhir.interceptor.api.Interceptor;
import ca.uhn.fhir.interceptor.api.Pointcut;
import ca.uhn.fhir.rest.api.Constants;
import ca.uhn.fhir.rest.api.server.IPreResourceAccessDetails;
import ca.uhn.fhir.rest.api.server.IPreResourceShowDetails;
import ca.uhn.fhir.rest.api.server.RequestDetails;
import ca.uhn.fhir.rest.api.server.ResponseDetails;
import ca.uhn.fhir.rest.server.exceptions.BaseServerResponseException;
import ca.uhn.fhir.rest.server.exceptions.ForbiddenOperationException;
import ca.uhn.fhir.rest.server.util.ICachedSearchDetails;
import ca.uhn.fhir.util.BundleUtil;
import ca.uhn.fhir.util.IModelVisitor2;
import java.util.IdentityHashMap;
import java.util.List;
import java.util.concurrent.atomic.AtomicInteger;
import org.apache.commons.lang3.Validate;
import org.hl7.fhir.instance.model.api.IBase;
import org.hl7.fhir.instance.model.api.IBaseBundle;
import org.hl7.fhir.instance.model.api.IBaseExtension;
import org.hl7.fhir.instance.model.api.IBaseOperationOutcome;
import org.hl7.fhir.instance.model.api.IBaseResource;

@Interceptor
/* loaded from: input_file:lib/hapi-fhir-server-4.1.0.jar:ca/uhn/fhir/rest/server/interceptor/consent/ConsentInterceptor.class */
public class ConsentInterceptor {
    private static final AtomicInteger ourInstanceCount = new AtomicInteger(0);
    private final int myInstanceIndex;
    private final String myRequestAuthorizedKey;
    private final String myRequestCompletedKey;
    private final String myRequestSeenResourcesKey;
    private IConsentService myConsentService;
    private IConsentContextServices myContextConsentServices;

    public ConsentInterceptor() {
        this.myInstanceIndex = ourInstanceCount.incrementAndGet();
        this.myRequestAuthorizedKey = ConsentInterceptor.class.getName() + "_" + this.myInstanceIndex + "_AUTHORIZED";
        this.myRequestCompletedKey = ConsentInterceptor.class.getName() + "_" + this.myInstanceIndex + "_COMPLETED";
        this.myRequestSeenResourcesKey = ConsentInterceptor.class.getName() + "_" + this.myInstanceIndex + "_SEENRESOURCES";
    }

    public ConsentInterceptor(IConsentService iConsentService) {
        this(iConsentService, IConsentContextServices.NULL_IMPL);
    }

    public ConsentInterceptor(IConsentService iConsentService, IConsentContextServices iConsentContextServices) {
        this.myInstanceIndex = ourInstanceCount.incrementAndGet();
        this.myRequestAuthorizedKey = ConsentInterceptor.class.getName() + "_" + this.myInstanceIndex + "_AUTHORIZED";
        this.myRequestCompletedKey = ConsentInterceptor.class.getName() + "_" + this.myInstanceIndex + "_COMPLETED";
        this.myRequestSeenResourcesKey = ConsentInterceptor.class.getName() + "_" + this.myInstanceIndex + "_SEENRESOURCES";
        setConsentService(iConsentService);
        setContextConsentServices(iConsentContextServices);
    }

    public void setContextConsentServices(IConsentContextServices iConsentContextServices) {
        Validate.notNull(iConsentContextServices, "theContextConsentServices must not be null", new Object[0]);
        this.myContextConsentServices = iConsentContextServices;
    }

    public void setConsentService(IConsentService iConsentService) {
        Validate.notNull(iConsentService, "theConsentService must not be null", new Object[0]);
        this.myConsentService = iConsentService;
    }

    @Hook(Pointcut.SERVER_INCOMING_REQUEST_PRE_HANDLED)
    public void interceptPreHandled(RequestDetails requestDetails) {
        ConsentOutcome startOperation = this.myConsentService.startOperation(requestDetails, this.myContextConsentServices);
        Validate.notNull(startOperation, "Consent service returned null outcome", new Object[0]);
        switch (startOperation.getStatus()) {
            case REJECT:
                throw toForbiddenOperationException(startOperation);
            case PROCEED:
            default:
                return;
            case AUTHORIZED:
                requestDetails.getUserData().put(this.myRequestAuthorizedKey, Boolean.TRUE);
                return;
        }
    }

    @Hook(Pointcut.STORAGE_PRECHECK_FOR_CACHED_SEARCH)
    public boolean interceptPreCheckForCachedSearch(RequestDetails requestDetails) {
        return isRequestAuthorized(requestDetails);
    }

    @Hook(Pointcut.STORAGE_PRESEARCH_REGISTERED)
    public void interceptPreSearchRegistered(RequestDetails requestDetails, ICachedSearchDetails iCachedSearchDetails) {
        if (isRequestAuthorized(requestDetails)) {
            return;
        }
        iCachedSearchDetails.setCannotBeReused();
    }

    @Hook(Pointcut.STORAGE_PREACCESS_RESOURCES)
    public void interceptPreAccess(RequestDetails requestDetails, IPreResourceAccessDetails iPreResourceAccessDetails) {
        if (isRequestAuthorized(requestDetails)) {
            return;
        }
        for (int i = 0; i < iPreResourceAccessDetails.size(); i++) {
            switch (this.myConsentService.canSeeResource(requestDetails, iPreResourceAccessDetails.getResource(i), this.myContextConsentServices).getStatus()) {
                case REJECT:
                    iPreResourceAccessDetails.setDontReturnResourceAtIndex(i);
                    break;
            }
        }
    }

    @Hook(Pointcut.STORAGE_PRESHOW_RESOURCES)
    public void interceptPreShow(RequestDetails requestDetails, IPreResourceShowDetails iPreResourceShowDetails) {
        if (isRequestAuthorized(requestDetails)) {
            return;
        }
        IdentityHashMap<IBaseResource, Boolean> alreadySeenResourcesMap = getAlreadySeenResourcesMap(requestDetails);
        for (int i = 0; i < iPreResourceShowDetails.size(); i++) {
            IBaseResource resource = iPreResourceShowDetails.getResource(i);
            if (alreadySeenResourcesMap.putIfAbsent(resource, Boolean.TRUE) == null) {
                ConsentOutcome willSeeResource = this.myConsentService.willSeeResource(requestDetails, resource, this.myContextConsentServices);
                switch (willSeeResource.getStatus()) {
                    case REJECT:
                        if (willSeeResource.getResource() != null) {
                            IBaseResource resource2 = willSeeResource.getResource();
                            iPreResourceShowDetails.setResource(i, resource2);
                            alreadySeenResourcesMap.put(resource2, true);
                            break;
                        } else if (willSeeResource.getOperationOutcome() != null) {
                            IBaseOperationOutcome operationOutcome = willSeeResource.getOperationOutcome();
                            iPreResourceShowDetails.setResource(i, operationOutcome);
                            alreadySeenResourcesMap.put(operationOutcome, true);
                            break;
                        } else {
                            String value = resource.getIdElement().getValue();
                            iPreResourceShowDetails.setResource(i, null);
                            resource.setId(value);
                            break;
                        }
                    case PROCEED:
                        if (willSeeResource.getResource() != null) {
                            iPreResourceShowDetails.setResource(i, willSeeResource.getResource());
                            break;
                        } else {
                            break;
                        }
                }
            }
        }
    }

    private IdentityHashMap<IBaseResource, Boolean> getAlreadySeenResourcesMap(RequestDetails requestDetails) {
        return getAlreadySeenResourcesMap(requestDetails, this.myRequestSeenResourcesKey);
    }

    @Hook(Pointcut.SERVER_OUTGOING_RESPONSE)
    public void interceptOutgoingResponse(final RequestDetails requestDetails, ResponseDetails responseDetails) {
        if (responseDetails.getResponseResource() == null || isRequestAuthorized(requestDetails)) {
            return;
        }
        final IdentityHashMap<IBaseResource, Boolean> alreadySeenResourcesMap = getAlreadySeenResourcesMap(requestDetails);
        if (alreadySeenResourcesMap.putIfAbsent(responseDetails.getResponseResource(), Boolean.TRUE) == null) {
            ConsentOutcome willSeeResource = this.myConsentService.willSeeResource(requestDetails, responseDetails.getResponseResource(), this.myContextConsentServices);
            if (willSeeResource.getResource() != null) {
                responseDetails.setResponseResource(willSeeResource.getResource());
            }
            switch (willSeeResource.getStatus()) {
                case REJECT:
                    if (willSeeResource.getOperationOutcome() != null) {
                        responseDetails.setResponseResource(willSeeResource.getOperationOutcome());
                        return;
                    } else {
                        responseDetails.setResponseResource(null);
                        responseDetails.setResponseCode(Constants.STATUS_HTTP_204_NO_CONTENT);
                        return;
                    }
                case AUTHORIZED:
                    return;
            }
        }
        final IBaseResource responseResource = responseDetails.getResponseResource();
        requestDetails.getServer().getFhirContext().newTerser().visit(responseResource, new IModelVisitor2() { // from class: ca.uhn.fhir.rest.server.interceptor.consent.ConsentInterceptor.1
            @Override // ca.uhn.fhir.util.IModelVisitor2
            public boolean acceptElement(IBase iBase, List<IBase> list, List<BaseRuntimeChildDefinition> list2, List<BaseRuntimeElementDefinition<?>> list3) {
                if (iBase instanceof IBaseBundle) {
                    BundleUtil.setTotal(requestDetails.getFhirContext(), (IBaseBundle) iBase, null);
                }
                if (iBase == responseResource || !(iBase instanceof IBaseResource) || alreadySeenResourcesMap.putIfAbsent((IBaseResource) iBase, Boolean.TRUE) != null) {
                    return true;
                }
                ConsentOutcome willSeeResource2 = ConsentInterceptor.this.myConsentService.willSeeResource(requestDetails, (IBaseResource) iBase, ConsentInterceptor.this.myContextConsentServices);
                IBaseOperationOutcome iBaseOperationOutcome = null;
                boolean z = false;
                boolean z2 = false;
                switch (AnonymousClass2.$SwitchMap$ca$uhn$fhir$rest$server$interceptor$consent$ConsentOperationStatusEnum[willSeeResource2.getStatus().ordinal()]) {
                    case 1:
                        iBaseOperationOutcome = willSeeResource2.getOperationOutcome();
                        z = true;
                        break;
                    case 2:
                    case 3:
                        iBaseOperationOutcome = willSeeResource2.getResource();
                        z = iBaseOperationOutcome != null;
                        z2 = willSeeResource2.getStatus() == ConsentOperationStatusEnum.PROCEED;
                        break;
                }
                if (z) {
                    list2.get(list2.size() - 1).getMutator().setValue(list.get(list.size() - 2), iBaseOperationOutcome);
                }
                return z2;
            }

            @Override // ca.uhn.fhir.util.IModelVisitor2
            public boolean acceptUndeclaredExtension(IBaseExtension<?, ?> iBaseExtension, List<IBase> list, List<BaseRuntimeChildDefinition> list2, List<BaseRuntimeElementDefinition<?>> list3) {
                return true;
            }
        });
    }

    @Hook(Pointcut.SERVER_HANDLE_EXCEPTION)
    public void requestFailed(RequestDetails requestDetails, BaseServerResponseException baseServerResponseException) {
        requestDetails.getUserData().put(this.myRequestCompletedKey, Boolean.TRUE);
        this.myConsentService.completeOperationFailure(requestDetails, baseServerResponseException, this.myContextConsentServices);
    }

    @Hook(Pointcut.SERVER_PROCESSING_COMPLETED_NORMALLY)
    public void requestSucceeded(RequestDetails requestDetails) {
        if (Boolean.TRUE.equals(requestDetails.getUserData().get(this.myRequestCompletedKey))) {
            return;
        }
        this.myConsentService.completeOperationSuccess(requestDetails, this.myContextConsentServices);
    }

    private boolean isRequestAuthorized(RequestDetails requestDetails) {
        boolean z = false;
        if (requestDetails != null) {
            z = Boolean.TRUE.equals(requestDetails.getUserData().get(this.myRequestAuthorizedKey));
        }
        return z;
    }

    public static IdentityHashMap<IBaseResource, Boolean> getAlreadySeenResourcesMap(RequestDetails requestDetails, String str) {
        IdentityHashMap<IBaseResource, Boolean> identityHashMap = (IdentityHashMap) requestDetails.getUserData().get(str);
        if (identityHashMap == null) {
            identityHashMap = new IdentityHashMap<>();
            requestDetails.getUserData().put(str, identityHashMap);
        }
        return identityHashMap;
    }

    private static ForbiddenOperationException toForbiddenOperationException(ConsentOutcome consentOutcome) {
        IBaseOperationOutcome iBaseOperationOutcome = null;
        if (consentOutcome.getOperationOutcome() != null) {
            iBaseOperationOutcome = consentOutcome.getOperationOutcome();
        }
        return new ForbiddenOperationException("Rejected by consent service", iBaseOperationOutcome);
    }
}
