package org.dataconservancy.pass.authz.acl;

import java.net.URI;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Set;
import java.util.function.BiConsumer;
import java.util.function.Predicate;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.dataconservancy.pass.client.fedora.FedoraConfig;
import org.dataconservancy.pass.client.fedora.RepositoryCrawler;
import org.dataconservancy.pass.client.util.ConfigUtil;
import org.fcrepo.client.FcrepoClient;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/dataconservancy/pass/authz/acl/ACLManager.class */
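/**
 * Creates and updates WebAC-style authorization documents for repository resources.
 *
 * <p>Each protected resource gets one ACL container (found or created through {@link AclDriver}),
 * and under it one authorization resource per {@link Permission}. The authorization bodies are
 * assembled as text from {@link URI} values; no further escaping is applied here, so every agent
 * and resource identifier must arrive as a well-formed {@code java.net.URI}.
 *
 * <p>Thread-safety is not established by this class; a {@link Builder} holds mutable sets and is
 * meant to be used from a single caller.
 */
public class ACLManager {
    static final Logger LOG = LoggerFactory.getLogger(ACLManager.class);
    public static final String PROPERTY_ACL_BASE = "acl.base";
    public static final String URI_ACL_AGENT = "http://www.w3.org/ns/auth/acl#agent";
    public static final String URI_ACL_ACCESS_TO = "http://www.w3.org/ns/auth/acl#accessTo";
    public static final String URI_ACL_MODE = "http://www.w3.org/ns/auth/acl#mode";
    private static final String TEMPLATE_AUTHORIZATION = "@prefix acl: <http://www.w3.org/ns/auth/acl#> .\n\n<> a acl:Authorization .\n<> acl:accessTo <%s> .\n";
    AclDriver driver;
    RepositoryCrawler crawler;

    /**
     * Collects the agents that should receive read and write access to one resource and applies
     * them when {@link #perform()} is called.
     */
    public class Builder {
        final URI resource;
        final Set<URI> read = new HashSet<>();
        final Set<URI> write = new HashSet<>();
        final BiConsumer<Builder, URI> action;

        /**
         * @param uri the resource being protected
         * @param biConsumer the update strategy; it receives this builder and the ACL URI
         */
        Builder(URI uri, BiConsumer<Builder, URI> biConsumer) {
            this.resource = uri;
            this.action = biConsumer;
        }

        /**
         * Grants read access to the given agents.
         *
         * @param collection agent URIs; must not contain {@code null}
         * @return this builder
         * @throws IllegalArgumentException if an element is {@code null}
         */
        public Builder grantRead(Collection<URI> collection) {
            rejectNullAgents(collection);
            this.read.addAll(collection);
            return this;
        }

        /**
         * Grants write access to the given agents. Writers are also recorded as readers.
         *
         * @param collection agent URIs; must not contain {@code null}
         * @return this builder
         * @throws IllegalArgumentException if an element is {@code null}
         */
        public Builder grantWrite(Collection<URI> collection) {
            rejectNullAgents(collection);
            this.write.addAll(collection);
            this.read.addAll(collection);
            return this;
        }

        /**
         * Grants append access to the given agents.
         *
         * <p>NOTE(review): this records the agents exactly as {@link #grantWrite(Collection)}
         * does, so an "append" grant ends up in the Write authorization. Confirm that callers
         * expect append-only agents to receive full write access.
         *
         * @param collection agent URIs; must not contain {@code null}
         * @return this builder
         * @throws IllegalArgumentException if an element is {@code null}
         */
        public Builder grantAppend(Collection<URI> collection) {
            rejectNullAgents(collection);
            this.write.addAll(collection);
            this.read.addAll(collection);
            return this;
        }

        /**
         * Finds or creates the ACL for the resource, writes the authorizations, and links a
         * newly created ACL to the resource.
         *
         * @return the URI of the ACL
         * @throws RuntimeException wrapping any failure raised while talking to the repository
         */
        public URI perform() {
            try {
                Acl acl = ACLManager.this.driver.findOrCreateACL(this.resource);
                // The authorizations are written before the link is made, so the resource is
                // never linked to an ACL that has not been populated yet.
                this.action.accept(this, acl.uri);
                if (acl.isNew) {
                    ACLManager.this.driver.linkAcl(acl.uri, this.resource);
                }
                return acl.uri;
            } catch (Exception e) {
                throw new RuntimeException("Error communicating with repository", e);
            }
        }

        /**
         * Returns the agents to list in the authorization for one permission.
         *
         * <p>For {@code Read} the writers are left out: they are listed in the Write
         * authorization instead (presumably that authorization's RDF also carries read mode;
         * verify against {@code Permission.rdf}).
         *
         * @param permission the permission whose authorization is being built
         * @return the agents for that permission; the {@code Write} result is the live internal
         *     set and must not be modified by the caller
         */
        Set<URI> getRolesForPermission(Permission permission) {
            switch (permission) {
                case Read:
                    return this.read.stream()
                            .filter(ACLManager.<URI>not(this.write::contains))
                            .collect(Collectors.toSet());
                case Write:
                    return this.write;
                default:
                    return Collections.emptySet();
            }
        }

        /**
         * @return the permissions for which at least one agent has been granted
         */
        Set<Permission> allPermissions() {
            Set<Permission> granted = new HashSet<>();
            if (!this.read.isEmpty()) {
                granted.add(Permission.Read);
            }
            if (!this.write.isEmpty()) {
                granted.add(Permission.Write);
            }
            return granted;
        }
    }

    /** Creates a manager that builds its own repository client and crawler from configuration. */
    public ACLManager() {
        this.driver = new AclDriver(getAclBase(), getFcrepoClient());
        this.crawler = new RepositoryCrawler();
    }

    /**
     * Creates a manager that uses the supplied client and crawler.
     *
     * @param fcrepoClient client used for all ACL requests
     * @param repositoryCrawler crawler used to find stale resources under an ACL
     */
    public ACLManager(FcrepoClient fcrepoClient, RepositoryCrawler repositoryCrawler) {
        this.driver = new AclDriver(getAclBase(), fcrepoClient);
        this.crawler = repositoryCrawler;
    }

    /**
     * @return the repository base URL followed by the {@code acl.base} system property, which
     *     defaults to {@code "acls"}
     */
    public static URI getAclBase() {
        return URI.create(FedoraConfig.getBaseUrl() + ConfigUtil.getSystemProperty(PROPERTY_ACL_BASE, "acls"));
    }

    /**
     * Starts an additive update: existing authorizations are patched with the new agents and
     * missing ones are created. Agents already present are not removed.
     *
     * @param uri the resource being protected
     * @return a builder whose {@link Builder#perform()} applies the update
     */
    public Builder addPermissions(URI uri) {
        LOG.debug("Adding permissions to {}", uri);
        return new Builder(uri, (builder, aclUri) -> {
            for (Permission permission : builder.allPermissions()) {
                URI authzResource = getAuthorizationResourceForPermission(aclUri, permission);
                Set<URI> roles = builder.getRolesForPermission(permission);
                if (this.driver.exists(authzResource)) {
                    this.driver.patchAuthzBody(authzResource, patchInsert(uri, permission, roles));
                } else {
                    this.driver.putAuthzBody(authzResource, getAclBody(uri, permission, roles));
                }
            }
        });
    }

    /**
     * Starts a replacing update: the authorization for every {@link Permission} is overwritten
     * with exactly the agents held by the builder, including an authorization with no agents
     * when none were granted.
     *
     * <p>After the overwrite, every resource the crawler visits under the ACL that is not the
     * Read or Write authorization is deleted through {@code deleteCompletely}. This is a
     * destructive step; anything else stored under the ACL container is lost.
     *
     * @param uri the resource being protected
     * @return a builder whose {@link Builder#perform()} applies the update
     */
    public Builder setPermissions(URI uri) {
        LOG.debug("Setting permissions of {}", uri);
        return new Builder(uri, (builder, aclUri) -> {
            for (Permission permission : Permission.values()) {
                this.driver.putAuthzBody(
                        getAuthorizationResourceForPermission(aclUri, permission),
                        getAclBody(uri, permission, builder.getRolesForPermission(permission)));
            }
            Collection<URI> expected = authzResourcesForAcl(aclUri);
            // Crawl options are passed through unchanged; they appear to skip the ACL itself
            // and limit the walk to its direct children (confirm against RepositoryCrawler).
            this.crawler.visit(aclUri, child -> {
                if (expected.contains(child)) {
                    return;
                }
                this.driver.deleteCompletely(child);
            }, RepositoryCrawler.Ignore.IGNORE_ROOT, RepositoryCrawler.Skip.depth(1));
        });
    }

    /**
     * Builds a repository client with the user name and password from {@link FedoraConfig}.
     * The credentials are handed straight to the client builder and must not be logged.
     */
    FcrepoClient getFcrepoClient() {
        return new FcrepoClient.FcrepoClientBuilder().credentials(FedoraConfig.getUserName(), FedoraConfig.getPassword()).build();
    }

    /**
     * Returns the authorization resource for a permission on a resource. The ACL is created
     * if it does not exist yet, so this call can write to the repository.
     *
     * @param uri the protected resource
     * @param permission the permission of interest
     * @return the URI of the authorization resource
     * @throws RuntimeException if the ACL cannot be found or created
     */
    public URI getAuthorizationResource(URI uri, Permission permission) {
        try {
            return getAuthorizationResourceForPermission(this.driver.findOrCreateACL(uri).uri, permission);
        } catch (Exception e) {
            throw new RuntimeException("Could not find ACL", e);
        }
    }

    /**
     * Returns the ACL for a resource, creating it if it does not exist yet.
     *
     * @param uri the protected resource
     * @return the URI of the ACL
     * @throws RuntimeException if the ACL cannot be found or created
     */
    public URI getAclResource(URI uri) {
        try {
            return this.driver.findOrCreateACL(uri).uri;
        } catch (Exception e) {
            throw new RuntimeException("Could not find ACL", e);
        }
    }

    /**
     * Fails closed on a {@code null} agent. Formatting {@code null} with {@code %s} would put
     * the literal IRI {@code <null>} into the authorization body instead of raising an error.
     */
    private static void rejectNullAgents(Collection<URI> agents) {
        for (URI agent : agents) {
            if (agent == null) {
                throw new IllegalArgumentException("Agent URI must not be null");
            }
        }
    }

    /**
     * Renders a complete Turtle authorization body: the accessTo triple, one agent triple per
     * role, then the permission's {@code rdf} text appended as-is.
     */
    private static String getAclBody(URI uri, Permission permission, Collection<URI> collection) {
        StringBuilder sb = new StringBuilder(String.format(TEMPLATE_AUTHORIZATION, uri));
        for (URI agent : collection) {
            sb.append(String.format("<> acl:agent <%s> .\n", agent));
        }
        sb.append(permission.rdf);
        return sb.toString();
    }

    /**
     * Renders a SPARQL update that inserts the accessTo triple, the permission's {@code rdf}
     * text and one agent triple per role into an existing authorization.
     */
    private static String patchInsert(URI uri, Permission permission, Collection<URI> collection) {
        StringBuilder sb = new StringBuilder("PREFIX acl: <http://www.w3.org/ns/auth/acl#>\n\nINSERT {\n");
        sb.append(String.format("<> <%s> <%s> .\n", URI_ACL_ACCESS_TO, uri));
        sb.append(permission.rdf);
        for (URI agent : collection) {
            sb.append(String.format("<> <%s> <%s> .\n", URI_ACL_AGENT, agent));
        }
        sb.append("} WHERE {}");
        return sb.toString();
    }

    /** Appends the permission name to the ACL URI, adding a {@code /} separator when needed. */
    private static URI getAuthorizationResourceForPermission(URI uri, Permission permission) {
        String base = uri.toString();
        String separator = base.endsWith("/") ? "" : "/";
        return URI.create(base + separator + permission.toString());
    }

    /**
     * Negates a predicate.
     *
     * <p>The decompiler widened this method from {@code private} to {@code public}; the
     * visibility is left as found so existing references keep resolving.
     */
    public static <T> Predicate<T> not(Predicate<T> predicate) {
        return obj -> !predicate.test(obj);
    }

    /** @return the Read and Write authorization resources that belong under the given ACL */
    private static Collection<URI> authzResourcesForAcl(URI uri) {
        return Arrays.asList(getAuthorizationResourceForPermission(uri, Permission.Read), getAuthorizationResourceForPermission(uri, Permission.Write));
    }
}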
