package io.jans.as.server.uma.service;

import com.google.common.collect.Lists;
import io.jans.as.model.error.ErrorResponseFactory;
import io.jans.as.model.uma.JsonLogic;
import io.jans.as.model.uma.JsonLogicNode;
import io.jans.as.model.uma.JsonLogicNodeParser;
import io.jans.as.model.uma.UmaErrorResponseType;
import io.jans.as.model.uma.persistence.UmaPermission;
import io.jans.as.model.uma.persistence.UmaResource;
import io.jans.as.model.util.Util;
import io.jans.as.server.service.external.ExternalUmaRptPolicyService;
import io.jans.as.server.uma.authorization.UmaAuthorizationContext;
import io.jans.as.server.uma.authorization.UmaScriptByScope;
import io.jans.util.StringHelper;
import jakarta.ejb.Stateless;
import jakarta.inject.Inject;
import jakarta.inject.Named;
import jakarta.ws.rs.core.Response;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import org.apache.commons.lang3.BooleanUtils;
import org.slf4j.Logger;

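/**
 * Evaluates UMA permissions against RPT policy scripts, either scope by scope or through the
 * JsonLogic scope expression stored on the resource.
 *
 * <p>Every denial in this class is raised as a {@code 403 FORBIDDEN} web application exception with
 * {@link UmaErrorResponseType#FORBIDDEN_BY_POLICY}.
 *
 * <p>Security note: {@link #evaluateByScopes(Map)} returns {@code true} when it is handed no
 * scripts at all. Whether "no policy attached" may grant access has to be decided by the caller;
 * nothing in this class enforces it.
 */
@Named
@Stateless
public class UmaExpressionService {

    @Inject
    private Logger log;

    @Inject
    private ExternalUmaRptPolicyService policyService;

    @Inject
    private ErrorResponseFactory errorResponseFactory;

    @Inject
    private UmaResourceService resourceService;

    @Inject
    private UmaPermissionService permissionService;

    /**
     * Builds a scope id to scope DN lookup for the scripted scopes whose DN is listed in {@code scopeDns}.
     *
     * @param scriptMap policy scripts keyed by (script, scope) pair
     * @param scopeDns scope DNs of the permission; must not be null when {@code scriptMap} is non-empty
     * @return mutable map of scope id to scope DN
     */
    private static Map<String, String> scopeIdToDnMap(Map<UmaScriptByScope, UmaAuthorizationContext> scriptMap, List<String> scopeDns) {
        Map<String, String> idToDn = new HashMap<>();
        for (UmaScriptByScope scriptByScope : scriptMap.keySet()) {
            String scopeDn = scriptByScope.getScope().getDn();
            if (scopeDns.contains(scopeDn)) {
                idToDn.put(scriptByScope.getScope().getId(), scopeDn);
            }
        }
        return idToDn;
    }

    /**
     * Keeps only the script entries whose scope DN is listed in {@code scopeDns}.
     *
     * @param scriptMap policy scripts keyed by (script, scope) pair
     * @param scopeDns scope DNs to keep; must not be null when {@code scriptMap} is non-empty
     * @return mutable map holding the matching entries; empty when nothing matches
     */
    private static Map<UmaScriptByScope, UmaAuthorizationContext> filterByScopeDns(Map<UmaScriptByScope, UmaAuthorizationContext> scriptMap, List<String> scopeDns) {
        Map<UmaScriptByScope, UmaAuthorizationContext> filtered = new HashMap<>();
        for (Map.Entry<UmaScriptByScope, UmaAuthorizationContext> entry : scriptMap.entrySet()) {
            if (scopeDns.contains(entry.getKey().getScope().getDn())) {
                filtered.put(entry.getKey(), entry.getValue());
            }
        }
        return filtered;
    }

    /**
     * Checks whether the given string is a valid JsonLogic node, as decided by
     * {@link JsonLogicNodeParser#isNodeValid}.
     *
     * @param str candidate scope expression
     * @return result of the parser's validity check
     */
    public boolean isExpressionValid(String str) {
        return JsonLogicNodeParser.isNodeValid(str);
    }

    /**
     * Evaluates every permission: through the resource's scope expression when it has one,
     * otherwise by running the scripts attached to the permission's scopes.
     *
     * @param map policy scripts keyed by (script, scope) pair with their authorization context
     * @param list permissions to evaluate
     * @throws jakarta.ws.rs.WebApplicationException with status 403 when any permission is denied
     */
    public void evaluate(Map<UmaScriptByScope, UmaAuthorizationContext> map, List<UmaPermission> list) {
        for (UmaPermission umaPermission : list) {
            UmaResource resource = this.resourceService.getResourceById(umaPermission.getResourceId());
            if (resource == null) {
                // The null contract of getResourceById is not visible from this class; deny
                // explicitly instead of failing with a NullPointerException on the next line.
                this.log.error("Resource of the permission was not found, access FORBIDDEN. resourceId: {}", umaPermission.getResourceId());
                throw this.errorResponseFactory.createWebApplicationException(Response.Status.FORBIDDEN, UmaErrorResponseType.FORBIDDEN_BY_POLICY, "Resource of the permission was not found, access FORBIDDEN.");
            }
            if (StringHelper.isNotEmpty(resource.getScopeExpression())) {
                evaluateScopeExpression(map, umaPermission, resource);
                continue;
            }
            // NOTE(review): if no script matches the permission's scope DNs the filtered map is
            // empty and evaluateByScopes returns true - confirm the caller rejects that case.
            if (!evaluateByScopes(filterByScopeDns(map, umaPermission.getScopeDns()))) {
                this.log.trace("Regular evaluation returns false, access FORBIDDEN.");
                throw this.errorResponseFactory.createWebApplicationException(Response.Status.FORBIDDEN, UmaErrorResponseType.FORBIDDEN_BY_POLICY, "Regular evaluation returns false, access FORBIDDEN.");
            }
        }
    }

    /**
     * Runs each policy script in the map and stops at the first one that does not authorize.
     *
     * @param scriptMap scripts to run with their authorization context
     * @return {@code false} as soon as one script denies; {@code true} otherwise, including when
     *     {@code scriptMap} is empty
     */
    private boolean evaluateByScopes(Map<UmaScriptByScope, UmaAuthorizationContext> scriptMap) {
        for (Map.Entry<UmaScriptByScope, UmaAuthorizationContext> entry : scriptMap.entrySet()) {
            UmaScriptByScope scriptByScope = entry.getKey();
            boolean authorized = this.policyService.authorize(scriptByScope.getScript(), entry.getValue());
            this.log.trace("Policy script inum: '{}' result: '{}'", scriptByScope.getScript().getInum(), authorized);
            if (!authorized) {
                this.log.trace("Stop authorization scriptMap execution, current script returns false, script inum: {}, scope: {}", scriptByScope.getScript().getInum(), scriptByScope.getScope());
                return false;
            }
        }
        return true;
    }

    /**
     * Evaluates the resource's JsonLogic scope expression for one permission and denies access
     * unless the expression parses, its data lines up with the permission's scopes, and the rule
     * evaluates to true.
     *
     * @param scriptMap policy scripts keyed by (script, scope) pair
     * @param umaPermission permission being evaluated; its scope DNs may be narrowed on success
     * @param umaResource resource carrying the scope expression
     * @throws jakarta.ws.rs.WebApplicationException with status 403 on any failure
     */
    private void evaluateScopeExpression(Map<UmaScriptByScope, UmaAuthorizationContext> scriptMap, UmaPermission umaPermission, UmaResource umaResource) {
        String scopeExpression = umaResource.getScopeExpression();
        JsonLogicNode node = JsonLogicNodeParser.parseNode(scopeExpression);
        if (node == null) {
            this.log.error("Failed to parse JsonLogic object, invalid expression: {}", scopeExpression);
            // NOTE(review): the raw expression is echoed into the error handed to the requester;
            // consider returning a generic reason, since the expression is already logged above.
            throw this.errorResponseFactory.createWebApplicationException(Response.Status.FORBIDDEN, UmaErrorResponseType.FORBIDDEN_BY_POLICY, "Failed to parse JsonLogic object, invalid expression: " + scopeExpression);
        }
        this.log.trace("Evaluating scope expression ...");
        List<String> expressionScopeIds = node.getDataCopy();
        Map<String, String> idToDn = scopeIdToDnMap(scriptMap, umaPermission.getScopeDns());
        if (expressionScopeIds.size() != idToDn.size()) {
            this.log.error("Scope size in JsonLogic object 'data' and in permission differs which is forbidden. Node data: {}, permissionDns: {}, result scopeIds: {}", node, umaPermission.getScopeDns(), idToDn);
            throw this.errorResponseFactory.createWebApplicationException(Response.Status.FORBIDDEN, UmaErrorResponseType.FORBIDDEN_BY_POLICY, "Scope size in JsonLogic object 'data' and in permission differs which is forbidden.");
        }
        // Equal sizes do not prove that the ids match. An id without a DN would be evaluated
        // against an empty script set, which evaluateByScopes reports as success, so fail closed.
        if (!idToDn.keySet().containsAll(expressionScopeIds)) {
            this.log.error("Scope in JsonLogic object 'data' does not resolve to a scope of the permission which is forbidden. Node data: {}, permissionDns: {}, result scopeIds: {}", node, umaPermission.getScopeDns(), idToDn);
            throw this.errorResponseFactory.createWebApplicationException(Response.Status.FORBIDDEN, UmaErrorResponseType.FORBIDDEN_BY_POLICY, "Scope in JsonLogic object 'data' does not resolve to a scope of the permission which is forbidden.");
        }
        if (!evaluateScopeExpressionInternal(scriptMap, umaPermission, umaResource, scopeExpression, node, expressionScopeIds, idToDn)) {
            throw this.errorResponseFactory.createWebApplicationException(Response.Status.FORBIDDEN, UmaErrorResponseType.FORBIDDEN_BY_POLICY, "Unknown");
        }
    }

    /**
     * Runs the scripts of each scope named in the expression data, feeds the per-scope results to
     * the JsonLogic rule, and on success drops the scopes that evaluated to false from the permission.
     *
     * @param scriptMap policy scripts keyed by (script, scope) pair
     * @param umaPermission permission being evaluated
     * @param umaResource resource owning the expression (used for error logging)
     * @param expression raw scope expression (used for error logging)
     * @param node parsed expression
     * @param expressionScopeIds scope ids from the expression data, in rule order
     * @param idToDn scope id to scope DN lookup
     * @return {@code true} when the rule evaluates to true, {@code false} otherwise
     * @throws jakarta.ws.rs.WebApplicationException with status 403 when evaluation throws
     */
    private boolean evaluateScopeExpressionInternal(Map<UmaScriptByScope, UmaAuthorizationContext> scriptMap, UmaPermission umaPermission, UmaResource umaResource, String expression, JsonLogicNode node, List<String> expressionScopeIds, Map<String, String> idToDn) {
        try {
            List<Boolean> scopeResults = new ArrayList<>();
            for (String scopeId : expressionScopeIds) {
                this.log.trace("Evaluating scope result for scope: {}...", scopeId);
                String scopeDn = idToDn.get(scopeId);
                boolean scopeResult = evaluateByScopes(filterByScopeDns(scriptMap, Lists.newArrayList(scopeDn)));
                this.log.trace("Evaluated scope result: {}, scope: {}", scopeResult, scopeId);
                scopeResults.add(scopeResult);
            }
            String rule = node.getRule().toString();
            boolean ruleResult = scopeResults.isEmpty() ? JsonLogic.apply(rule) : JsonLogic.apply(rule, Util.asJsonSilently(scopeResults));
            if (this.log.isTraceEnabled()) {
                this.log.trace("JsonLogic evaluation result: {}, rule: {}, data: {}", ruleResult, rule, Util.asJsonSilently(scopeResults));
            }
            if (!ruleResult) {
                return false;
            }
            removeFalseScopesFromPermission(umaPermission, expressionScopeIds, idToDn, scopeResults);
            return true;
        } catch (Exception e) {
            // Any failure while evaluating the policy denies access instead of propagating.
            this.log.error("Failed to evaluate jsonlogic expression. Expression: {}, resourceDn: {}", expression, umaResource.getDn(), e);
            throw this.errorResponseFactory.createWebApplicationException(Response.Status.FORBIDDEN, UmaErrorResponseType.FORBIDDEN_BY_POLICY, "Failed to evaluate jsonlogic expression.");
        }
    }

    /**
     * Removes from the permission every scope whose scripts evaluated to false and persists the
     * permission when at least one scope was dropped.
     *
     * @param umaPermission permission to narrow
     * @param expressionScopeIds scope ids, index-aligned with {@code scopeResults}
     * @param idToDn scope id to scope DN lookup
     * @param scopeResults per-scope evaluation results
     */
    private void removeFalseScopesFromPermission(UmaPermission umaPermission, List<String> expressionScopeIds, Map<String, String> idToDn, List<Boolean> scopeResults) {
        if (scopeResults.isEmpty() || umaPermission.getScopeDns() == null) {
            return;
        }
        // Work on a copy so the permission is only touched when something was actually removed.
        List<String> remainingDns = new ArrayList<>(umaPermission.getScopeDns());
        for (int i = 0; i < scopeResults.size(); i++) {
            if (BooleanUtils.isFalse(scopeResults.get(i))) {
                remainingDns.remove(idToDn.get(expressionScopeIds.get(i)));
            }
        }
        if (remainingDns.size() < umaPermission.getScopeDns().size()) {
            umaPermission.setScopeDns(remainingDns);
            this.permissionService.mergeSilently(umaPermission);
        }
    }
}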
