package ca.uhn.fhir.rest.server.interceptor.binary;

import ca.uhn.fhir.context.FhirContext;
import ca.uhn.fhir.i18n.Msg;
import ca.uhn.fhir.interceptor.api.Hook;
import ca.uhn.fhir.interceptor.api.Interceptor;
import ca.uhn.fhir.interceptor.api.Pointcut;
import ca.uhn.fhir.rest.api.server.IPreResourceShowDetails;
import ca.uhn.fhir.rest.api.server.RequestDetails;
import ca.uhn.fhir.rest.api.server.SystemRequestDetails;
import ca.uhn.fhir.rest.server.exceptions.ForbiddenOperationException;
import ca.uhn.fhir.util.FhirTerser;
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.lang3.Validate;
import org.hl7.fhir.instance.model.api.IBaseBinary;
import org.hl7.fhir.instance.model.api.IBaseResource;

/**
 * Interceptor that gates access to {@code Binary} resources carrying a
 * {@code securityContext} identifier.
 *
 * <p>Behaviour visible in this class:
 * <ul>
 *   <li>A Binary is only evaluated when {@code securityContext.identifier.system} or
 *       {@code securityContext.identifier.value} is non-blank; a Binary with neither passes
 *       through unchecked.</li>
 *   <li>Requests represented by {@link SystemRequestDetails} skip the check entirely.</li>
 *   <li>Everything else is decided by
 *       {@link #securityContextIdentifierAllowed(String, String, RequestDetails)}, which returns
 *       {@code false} here. The class is therefore deny-by-default: registered as-is, it rejects
 *       every non-system request that reaches a Binary with a security context identifier.
 *       Deployments are expected to subclass it and override that method.</li>
 * </ul>
 */
@Interceptor(order = 150)
/* loaded from: input_file:ca/uhn/fhir/rest/server/interceptor/binary/BinarySecurityContextInterceptor.class */
public class BinarySecurityContextInterceptor {
    private final FhirContext myFhirContext;

    /**
     * @param fhirContext context used to create the {@link FhirTerser} that reads the security
     *     context fields; a {@code null} value is rejected by {@code Validate.notNull}
     */
    public BinarySecurityContextInterceptor(FhirContext fhirContext) {
        Validate.notNull(fhirContext, "theFhirContext must not be null");
        this.myFhirContext = fhirContext;
    }

    /**
     * Hook for {@code STORAGE_PRESHOW_RESOURCES}: runs the access check on every Binary among the
     * resources reported by {@code getAllResources()}. Non-Binary resources are ignored.
     *
     * @param iPreResourceShowDetails holder of the resources to inspect
     * @param requestDetails the request being served, passed through to the access check
     * @throws ForbiddenOperationException from the default {@link #handleForbidden(IBaseBinary)}
     *     when a Binary's security context is not permitted
     */
    @Hook(Pointcut.STORAGE_PRESHOW_RESOURCES)
    public void preShowResources(IPreResourceShowDetails iPreResourceShowDetails, RequestDetails requestDetails) {
        for (IBaseResource candidate : iPreResourceShowDetails.getAllResources()) {
            if (!(candidate instanceof IBaseBinary)) {
                continue;
            }
            applyAccessControl((IBaseBinary) candidate, requestDetails);
        }
    }

    /**
     * Hook for {@code STORAGE_PRECOMMIT_RESOURCE_UPDATED}: runs the access check on the first
     * resource argument when it is a Binary.
     *
     * <p>NOTE(review): {@code iBaseResource2} is never read. Presumably the first argument is the
     * stored version and the second the incoming one (confirm against the pointcut's
     * documentation); if so, the security context written by the update is not evaluated here,
     * only the one already on the stored resource.
     *
     * @param iBaseResource resource whose security context is checked
     * @param iBaseResource2 unused by this hook
     * @param requestDetails the request being served, passed through to the access check
     */
    @Hook(Pointcut.STORAGE_PRECOMMIT_RESOURCE_UPDATED)
    public void preShowResources(IBaseResource iBaseResource, IBaseResource iBaseResource2, RequestDetails requestDetails) {
        if (!(iBaseResource instanceof IBaseBinary)) {
            return;
        }
        applyAccessControl((IBaseBinary) iBaseResource, requestDetails);
    }

    /**
     * Reads the Binary's security context identifier and, if either part is present, delegates to
     * {@link #applyAccessControl(IBaseBinary, String, String, RequestDetails)}.
     *
     * @param iBaseBinary the Binary to inspect
     * @param requestDetails the request being served
     */
    protected void applyAccessControl(IBaseBinary iBaseBinary, RequestDetails requestDetails) {
        FhirTerser terser = this.myFhirContext.newTerser();
        String identifierSystem = terser.getSinglePrimitiveValueOrNull(iBaseBinary, "securityContext.identifier.system");
        String identifierValue = terser.getSinglePrimitiveValueOrNull(iBaseBinary, "securityContext.identifier.value");

        // No identifier on the security context: nothing to enforce, the Binary is let through.
        if (StringUtils.isBlank(identifierSystem) && StringUtils.isBlank(identifierValue)) {
            return;
        }
        applyAccessControl(iBaseBinary, identifierSystem, identifierValue, requestDetails);
    }

    /**
     * Decides whether the request may touch a Binary with the given security context identifier
     * and calls {@link #handleForbidden(IBaseBinary)} when it may not.
     *
     * @param iBaseBinary the Binary being accessed
     * @param str the {@code securityContext.identifier.system} value; may be null or blank when
     *     only the value is populated
     * @param str2 the {@code securityContext.identifier.value} value; may be null or blank when
     *     only the system is populated
     * @param requestDetails the request being served
     */
    protected void applyAccessControl(IBaseBinary iBaseBinary, String str, String str2, RequestDetails requestDetails) {
        // Short-circuit is deliberate: system requests never reach securityContextIdentifierAllowed.
        // A null requestDetails is not a SystemRequestDetails, so it falls through to the
        // overridable check and is denied by the default implementation.
        boolean permitted = (requestDetails instanceof SystemRequestDetails)
                || securityContextIdentifierAllowed(str, str2, requestDetails);
        if (!permitted) {
            handleForbidden(iBaseBinary);
        }
    }

    /**
     * Rejects the operation by throwing {@link ForbiddenOperationException}.
     *
     * <p>This call is the last statement of the access check, so an override that returns
     * normally lets the operation proceed; overrides that only add logging or auditing should
     * still throw.
     *
     * @param iBaseBinary the Binary whose security context was not permitted
     */
    protected void handleForbidden(IBaseBinary iBaseBinary) {
        String message = Msg.code(2369) + "Security context not permitted";
        throw new ForbiddenOperationException(message);
    }

    /**
     * Extension point deciding whether the caller may access a Binary with the given security
     * context identifier. This base implementation always answers {@code false}.
     *
     * @param str the security context identifier system, possibly null or blank
     * @param str2 the security context identifier value, possibly null or blank
     * @param requestDetails the request being served; presumably may be null if the pointcut
     *     supplies none, so overrides should not dereference it blindly (confirm against callers)
     * @return {@code true} to allow the access, {@code false} to have it rejected
     */
    protected boolean securityContextIdentifierAllowed(String str, String str2, RequestDetails requestDetails) {
        return false;
    }
}
