package org.phenotips.security.authorization.remote.internal;

import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.text.MessageFormat;
import javax.inject.Inject;
import javax.inject.Named;
import javax.inject.Singleton;
import net.sf.json.JSONObject;
import org.apache.commons.lang3.StringUtils;
import org.apache.http.Header;
import org.apache.http.HeaderElement;
import org.apache.http.HttpResponse;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.entity.ContentType;
import org.apache.http.entity.StringEntity;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.phenotips.data.Patient;
import org.phenotips.data.PatientRepository;
import org.phenotips.security.authorization.AuthorizationModule;
import org.slf4j.Logger;
import org.xwiki.cache.Cache;
import org.xwiki.cache.CacheException;
import org.xwiki.cache.CacheFactory;
import org.xwiki.cache.config.LRUCacheConfiguration;
import org.xwiki.component.annotation.Component;
import org.xwiki.component.phase.Initializable;
import org.xwiki.component.phase.InitializationException;
import org.xwiki.configuration.ConfigurationSource;
import org.xwiki.model.reference.DocumentReference;
import org.xwiki.security.authorization.Right;
import org.xwiki.users.User;

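/**
 * Authorization module that asks a remote HTTP service whether a user may exercise a right on a patient record.
 * <p>
 * For each check, a JSON object with the keys {@code access}, {@code username}, {@code patient-id} and
 * {@code patient-eid} is POSTed to the URL configured under {@link #CONFIGURATION_KEY}. A {@code 200} status is
 * treated as "granted" and {@code 403} as "denied"; any other status, or an I/O failure, makes this module return
 * {@code null} (no decision).
 * </p>
 * <p>
 * Security notes for operators and reviewers:
 * </p>
 * <ul>
 * <li>Only the HTTP status code is inspected, never the response body. Any endpoint that answers {@code 200} to a
 * POST therefore grants access, so the configured URL and the channel to it are part of the trust boundary.</li>
 * <li>Decisions are cached locally (see {@link #initialize()}), so a revocation on the remote side may not be seen
 * until the cached entry expires, unless the service answers with {@code Cache-Control: no-cache} or
 * {@code no-store}.</li>
 * <li>When the remote service cannot be reached this module abstains instead of denying. Whether that results in
 * access depends on the other authorization modules, which are not visible here. TODO confirm that abstaining is
 * the intended failure mode.</li>
 * </ul>
 */
@Singleton
@Component
@Named("remote-json")
public class RemoteAuthorizationModule implements AuthorizationModule, Initializable {
    /** Name of the configuration property holding the URL of the remote authorization service. */
    public static final String CONFIGURATION_KEY = "phenotips.security.authorization.remote.url";

    /** Outcome of a remote check: the service answered 200. */
    private static final byte GRANTED = 1;

    /** Outcome of a remote check: the service answered 403. */
    private static final byte DENIED = 2;

    /** Outcome of a remote check: the service answered with any other status. */
    private static final byte UNKNOWN = 0;

    /** Outcome of a remote check: the request failed with an I/O error. */
    private static final byte ERROR = -1;

    // NOTE(review): no connect/read timeouts are configured on this client anywhere in this class, so a slow or
    // unresponsive authorization server may stall access checks. Confirm timeouts are set elsewhere.
    private final CloseableHttpClient client = HttpClients.createSystem();

    @Inject
    private Logger logger;

    @Inject
    @Named("infinispan")
    private CacheFactory factory;

    /** Cache of remote decisions, keyed by {@link #getCacheKey(String, String, String)}. */
    private Cache<Boolean> cache;

    @Inject
    @Named("restricted")
    private ConfigurationSource configuration;

    @Inject
    private PatientRepository patientRepository;

    /** Parsed value of the {@link #CONFIGURATION_KEY} property, set by {@link #initialize()}. */
    private URI remoteServiceURL;

    /**
     * Returns the priority of this module.
     *
     * @return always {@code 500}; how this value orders the module relative to others is defined by the
     *         {@code AuthorizationModule} contract, not by this class
     */
    public int getPriority() {
        return 500;
    }

    /**
     * Decides whether {@code user} may exercise {@code right} on the patient stored in {@code documentReference}.
     * A cached decision is returned when one exists; otherwise the remote service is queried.
     *
     * @param user the user requesting access
     * @param right the requested right
     * @param documentReference the document expected to hold a patient record
     * @return {@code Boolean.TRUE} if access is granted, {@code Boolean.FALSE} if it is denied, or {@code null}
     *         when this module has no decision: an argument is {@code null}, the document is not a patient, or
     *         the remote service failed or answered with a status other than 200 or 403
     */
    public Boolean hasAccess(User user, Right right, DocumentReference documentReference) {
        if (user == null || right == null || documentReference == null) {
            return null;
        }
        Patient patient = this.patientRepository.getPatientById(documentReference.toString());
        if (patient == null) {
            // Not a patient record: this module only decides on patients.
            return null;
        }
        String rightName = right.getName();
        String username = user.getUsername();
        String patientId = patient.getId();
        String patientExternalId = patient.getExternalId();

        Boolean cached = this.cache.get(getCacheKey(username, rightName, patientId));
        if (cached != null) {
            return cached;
        }

        byte outcome = remoteCheck(rightName, username, patientId, patientExternalId);
        if (outcome == GRANTED) {
            return Boolean.TRUE;
        }
        if (outcome == DENIED) {
            return Boolean.FALSE;
        }
        // UNKNOWN or ERROR: abstain rather than grant or deny.
        return null;
    }

    /**
     * Reads the remote service URL from the configuration and creates the decision cache.
     *
     * @throws InitializationException if no URL is configured, the configured value is not a syntactically valid
     *             URI, or the cache cannot be created
     */
    public void initialize() throws InitializationException {
        String configuredUrl = (String) this.configuration.getProperty(CONFIGURATION_KEY);
        if (StringUtils.isBlank(configuredUrl)) {
            throw new InitializationException(getClass().getSimpleName() + " requires a valid URL to be configured in xwiki.properties under the " + CONFIGURATION_KEY + " key");
        }
        try {
            this.remoteServiceURL = new URI(configuredUrl);
        } catch (URISyntaxException ex) {
            throw new InitializationException("Invalid URL configured for " + getClass().getSimpleName() + ": " + configuredUrl, ex);
        }
        if (!"https".equalsIgnoreCase(this.remoteServiceURL.getScheme())) {
            // Usernames, patient identifiers and the grant/deny answer travel over this connection; without TLS
            // they can be read or altered in transit. Only warn, so that existing deployments keep working.
            this.logger.warn("The remote authorization URL configured under [{}] does not use https;"
                + " authorization requests and decisions are not protected in transit", CONFIGURATION_KEY);
        }
        try {
            // Arguments are (id, 1000, 60): presumably at most 1000 entries, each kept for 60 seconds.
            // TODO confirm units against LRUCacheConfiguration.
            this.cache = this.factory.newCache(new LRUCacheConfiguration("RemoteAuthorizationService", 1000, 60));
        } catch (CacheException ex) {
            throw new InitializationException("Failed to create authorization cache: " + ex.getMessage(), ex);
        }
    }

    /**
     * Sends one authorization request to the remote service and maps the HTTP status to an outcome. Granted and
     * denied answers are passed to {@link #cacheResponse(String, Boolean, HttpResponse)}.
     *
     * @param right the name of the requested right, sent as {@code access}
     * @param username the name of the requesting user, sent as {@code username}
     * @param patientId the internal patient identifier, sent as {@code patient-id}
     * @param patientExternalId the external patient identifier, sent as {@code patient-eid}
     * @return {@link #GRANTED} for status 200, {@link #DENIED} for status 403, {@link #UNKNOWN} for any other
     *         status, or {@link #ERROR} if the request failed with an {@link IOException}
     */
    private byte remoteCheck(String right, String username, String patientId, String patientExternalId) {
        HttpPost request = new HttpPost(this.remoteServiceURL);
        JSONObject payload = new JSONObject();
        payload.element("access", right);
        payload.element("username", username);
        payload.element("patient-id", patientId);
        payload.element("patient-eid", patientExternalId);
        request.setEntity(new StringEntity(payload.toString(), ContentType.APPLICATION_JSON));

        CloseableHttpResponse response = null;
        try {
            response = this.client.execute(request);
            // Only the status code decides; the response body is never read.
            int status = response.getStatusLine().getStatusCode();
            if (status == 200) {
                cacheResponse(getCacheKey(username, right, patientId), Boolean.TRUE, response);
                return GRANTED;
            }
            if (status == 403) {
                cacheResponse(getCacheKey(username, right, patientId), Boolean.FALSE, response);
                return DENIED;
            }
            return UNKNOWN;
        } catch (IOException ex) {
            this.logger.warn("Failed to communicate with the authorization server: {}", ex.getMessage(), ex);
            return ERROR;
        } finally {
            if (response != null) {
                try {
                    response.close();
                } catch (IOException ignored) {
                    // The decision has already been taken from the status line; a failure while releasing
                    // the connection must not change it.
                }
            }
        }
    }

    /**
     * Stores a remote decision in the cache unless the response forbids caching. Only the {@code no-cache} and
     * {@code no-store} directives of the last {@code Cache-Control} header are honoured; other directives, such
     * as {@code max-age}, are ignored and the entry lives for the cache's own lifespan.
     *
     * @param key the cache key of the decision
     * @param decision the decision to store
     * @param response the response whose {@code Cache-Control} header is inspected
     */
    private void cacheResponse(String key, Boolean decision, HttpResponse response) {
        Header cacheControl = response.getLastHeader("Cache-Control");
        if (cacheControl != null) {
            for (HeaderElement directive : cacheControl.getElements()) {
                String directiveName = directive.getName();
                if (StringUtils.equals("no-cache", directiveName) || StringUtils.equals("no-store", directiveName)) {
                    // Also drop any earlier decision so that the next check goes back to the remote service.
                    this.cache.remove(key);
                    return;
                }
            }
        }
        this.cache.set(key, decision);
    }

    /**
     * Builds the cache key for a (user, right, patient) triple.
     *
     * @param username the name of the user
     * @param right the name of the right
     * @param patientId the internal patient identifier
     * @return the three values joined with {@code ::}
     */
    private String getCacheKey(String username, String right, String patientId) {
        // NOTE(review): the parts are joined without escaping, so two different triples could produce the same
        // key if a value may itself contain "::". Confirm usernames and patient identifiers cannot contain it.
        return MessageFormat.format("{0}::{1}::{2}", username, right, patientId);
    }
}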
