package ch.elexis.core.jaxrs.filter;

import ch.elexis.core.eenv.AccessToken;
import ch.elexis.core.model.IRole;
import ch.elexis.core.model.IUser;
import ch.elexis.core.model.RoleConstants;
import ch.elexis.core.model.builder.IContactBuilder;
import ch.elexis.core.model.builder.IUserBuilder;
import ch.elexis.core.services.IAccessControlService;
import ch.elexis.core.services.IContextService;
import ch.elexis.core.services.IModelService;
import ch.elexis.core.services.IUserService;
import ch.elexis.core.time.TimeUtil;
import ch.elexis.core.types.Gender;
import ch.elexis.core.utils.OsgiServiceUtil;
import com.google.gson.JsonArray;
import com.google.gson.JsonElement;
import io.curity.oauth.AuthenticatedUser;
import jakarta.servlet.Filter;
import jakarta.servlet.FilterChain;
import jakarta.servlet.FilterConfig;
import jakarta.servlet.ServletException;
import jakarta.servlet.ServletRequest;
import jakarta.servlet.ServletResponse;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.lang.invoke.MethodHandles;
import java.lang.invoke.MethodType;
import java.lang.runtime.ObjectMethods;
import java.time.LocalDate;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.stream.Collectors;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:ch/elexis/core/jaxrs/filter/ContextSettingFilter.class */
public class ContextSettingFilter implements Filter {
    private final boolean IS_DISABLED_WEB_SECURITY;
    private IContextService contextService;
    private IModelService coreModelService;
    private IAccessControlService accessControlService;
    private IUser disabledWebSecurityContextUser;
    private Logger logger = LoggerFactory.getLogger(getClass());
    private LimitedLinkedHashMap<String, CacheEntry> verificationCache = new LimitedLinkedHashMap<>(100);

    /* loaded from: input_file:ch/elexis/core/jaxrs/filter/ContextSettingFilter$CacheEntry.class */
    private static final class CacheEntry extends Record {
        private final IUser user;
        private final AccessToken accessToken;

        private CacheEntry(IUser iUser, AccessToken accessToken) {
            this.user = iUser;
            this.accessToken = accessToken;
        }

        public IUser user() {
            return this.user;
        }

        public AccessToken accessToken() {
            return this.accessToken;
        }

        @Override // java.lang.Record
        public final String toString() {
            return (String) ObjectMethods.bootstrap(MethodHandles.lookup(), "toString", MethodType.methodType(String.class, CacheEntry.class), CacheEntry.class, "user;accessToken", "FIELD:Lch/elexis/core/jaxrs/filter/ContextSettingFilter$CacheEntry;->user:Lch/elexis/core/model/IUser;", "FIELD:Lch/elexis/core/jaxrs/filter/ContextSettingFilter$CacheEntry;->accessToken:Lch/elexis/core/eenv/AccessToken;").dynamicInvoker().invoke(this) /* invoke-custom */;
        }

        @Override // java.lang.Record
        public final int hashCode() {
            return (int) ObjectMethods.bootstrap(MethodHandles.lookup(), "hashCode", MethodType.methodType(Integer.TYPE, CacheEntry.class), CacheEntry.class, "user;accessToken", "FIELD:Lch/elexis/core/jaxrs/filter/ContextSettingFilter$CacheEntry;->user:Lch/elexis/core/model/IUser;", "FIELD:Lch/elexis/core/jaxrs/filter/ContextSettingFilter$CacheEntry;->accessToken:Lch/elexis/core/eenv/AccessToken;").dynamicInvoker().invoke(this) /* invoke-custom */;
        }

        @Override // java.lang.Record
        public final boolean equals(Object obj) {
            return (boolean) ObjectMethods.bootstrap(MethodHandles.lookup(), "equals", MethodType.methodType(Boolean.TYPE, CacheEntry.class, Object.class), CacheEntry.class, "user;accessToken", "FIELD:Lch/elexis/core/jaxrs/filter/ContextSettingFilter$CacheEntry;->user:Lch/elexis/core/model/IUser;", "FIELD:Lch/elexis/core/jaxrs/filter/ContextSettingFilter$CacheEntry;->accessToken:Lch/elexis/core/eenv/AccessToken;").dynamicInvoker().invoke(this, obj) /* invoke-custom */;
        }
    }

    /* loaded from: input_file:ch/elexis/core/jaxrs/filter/ContextSettingFilter$LimitedLinkedHashMap.class */
    private class LimitedLinkedHashMap<K, V> extends LinkedHashMap<K, V> {
        private static final long serialVersionUID = -4811170640063577667L;
        private final int maxSize;

        public LimitedLinkedHashMap(int i) {
            super(16, 0.75f, false);
            this.maxSize = i;
        }

        @Override // java.util.LinkedHashMap
        protected boolean removeEldestEntry(Map.Entry<K, V> entry) {
            return size() > this.maxSize;
        }
    }

    public ContextSettingFilter(boolean z) {
        this.IS_DISABLED_WEB_SECURITY = z;
    }

    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        if (this.contextService == null) {
            this.logger.debug("Initializing");
            initializeConsumedServices();
        }
        HttpServletResponse httpServletResponse = (HttpServletResponse) servletResponse;
        clearContext();
        AuthenticatedUser authenticatedUser = (AuthenticatedUser) ((HttpServletRequest) servletRequest).getAttribute("principal");
        if (authenticatedUser != null) {
            String asString = authenticatedUser.getClaim("jti").getAsString();
            if (!this.verificationCache.containsKey(asString)) {
                Long valueOf = Long.valueOf(authenticatedUser.getClaim("exp").getAsLong());
                String asString2 = authenticatedUser.getClaim("preferred_username").getAsString();
                String asString3 = authenticatedUser.getClaim("email").getAsString();
                JsonArray asJsonArray = authenticatedUser.getClaim("realm_access").getAsJsonObject().get("roles").getAsJsonArray();
                HashSet hashSet = new HashSet(asJsonArray.size());
                asJsonArray.forEach(jsonElement -> {
                    hashSet.add(jsonElement.getAsString());
                });
                AccessToken accessToken = new AccessToken(null, TimeUtil.toDate(valueOf), asString2, null, null);
                this.accessControlService.doPrivileged(() -> {
                    JsonElement claim;
                    Optional load = this.coreModelService.load(asString2, IUser.class);
                    if (load.isEmpty() && (claim = authenticatedUser.getClaim("elexisContactId")) != null) {
                        load = Optional.ofNullable(new ContextSettingFilterUtil().performDynamicUserCreationIfApplicable(this.coreModelService, this.logger, this.contextService.getStationIdentifier(), asString2, claim.getAsString(), asString3));
                    }
                    load.ifPresent(iUser -> {
                        this.verificationCache.put(asString, new CacheEntry(iUser, accessToken));
                    });
                });
                CacheEntry cacheEntry = this.verificationCache.get(asString);
                if (cacheEntry == null || cacheEntry.user == null) {
                    this.logger.warn("User [{}] not found in local database. Access denied.\"", asString2);
                    httpServletResponse.sendError(401, "No matching local user");
                    return;
                } else {
                    if (cacheEntry.user.getAssignedContact() == null) {
                        this.logger.warn("User [{}] has no assigned contact. Access denied.", asString2);
                        httpServletResponse.sendError(401, "No assigned user contact");
                        return;
                    }
                    assertRoles(this.accessControlService, cacheEntry.user, hashSet);
                }
            }
            CacheEntry cacheEntry2 = this.verificationCache.get(asString);
            this.contextService.setActiveUser(cacheEntry2.user);
            this.contextService.setTyped(cacheEntry2.accessToken);
        } else {
            if (!this.IS_DISABLED_WEB_SECURITY) {
                throw new IllegalStateException("Web security enabled. No Authentication Info found.");
            }
            activateDisabledWebSecurityUserContext();
        }
        filterChain.doFilter(servletRequest, servletResponse);
    }

    private void clearContext() {
        this.contextService.setActiveCoverage(null);
        this.contextService.setActiveMandator(null);
        this.contextService.setActiveUser(null);
        this.contextService.setActivePatient(null);
        this.contextService.removeTyped(AccessToken.class);
    }

    private void initializeConsumedServices() {
        this.coreModelService = (IModelService) OsgiServiceUtil.getService(IModelService.class, "(service.model.name=ch.elexis.core.model)").get();
        this.contextService = (IContextService) OsgiServiceUtil.getService(IContextService.class).get();
        this.accessControlService = (IAccessControlService) OsgiServiceUtil.getService(IAccessControlService.class).get();
    }

    private synchronized void activateDisabledWebSecurityUserContext() {
        if (this.disabledWebSecurityContextUser == null) {
            this.accessControlService.doPrivileged(() -> {
                this.disabledWebSecurityContextUser = (IUser) this.coreModelService.load("disabled-web-sec-user", IUser.class).orElse(null);
                if (this.disabledWebSecurityContextUser == null) {
                    this.disabledWebSecurityContextUser = new IUserBuilder(this.coreModelService, "disabled-web-sec-user", new IContactBuilder.PersonBuilder(this.coreModelService, "disabled-web-sec-user", "delete-me", LocalDate.now(), Gender.MALE).buildAndSave()).build();
                    Optional load = this.coreModelService.load(RoleConstants.ACCESSCONTROLE_ROLE_MEDICAL_USER, IRole.class);
                    IUser iUser = this.disabledWebSecurityContextUser;
                    iUser.getClass();
                    load.ifPresent(iUser::addRole);
                    this.coreModelService.save(this.disabledWebSecurityContextUser);
                }
            });
        }
        this.contextService.setActiveUser(this.disabledWebSecurityContextUser);
    }

    private void assertRoles(IAccessControlService iAccessControlService, IUser iUser, Set<String> set) {
        iAccessControlService.doPrivileged(() -> {
            HashSet hashSet = new HashSet((Set) this.coreModelService.getQuery(IRole.class).execute().stream().map(iRole -> {
                return iRole.getId();
            }).collect(Collectors.toSet()));
            hashSet.retainAll(set);
            if (Objects.equals((Set) iUser.getRoles().stream().map(iRole2 -> {
                return iRole2.getId();
            }).collect(Collectors.toSet()), hashSet)) {
                return;
            }
            Set<String> userRoles = ((IUserService) OsgiServiceUtil.getService(IUserService.class).get()).setUserRoles(iUser, hashSet);
            iAccessControlService.refresh(iUser);
            this.logger.warn("[{}] Updated user/bot role set to {}", iUser, userRoles);
        });
    }

    public void destroy() {
    }

    public void init(FilterConfig filterConfig) throws ServletException {
    }
}
