package org.eaglei.repository;

import java.security.Principal;
import java.util.ArrayList;
import java.util.List;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.apache.log4j.LogManager;
import org.apache.log4j.Logger;
import org.openrdf.OpenRDFException;
import org.openrdf.model.Literal;
import org.openrdf.model.Resource;
import org.openrdf.model.URI;
import org.openrdf.model.Value;
import org.openrdf.model.impl.URIImpl;
import org.openrdf.model.vocabulary.OWL;
import org.openrdf.model.vocabulary.RDF;
import org.openrdf.model.vocabulary.RDFS;
import org.openrdf.query.BindingSet;
import org.openrdf.query.BooleanQuery;
import org.openrdf.query.QueryLanguage;
import org.openrdf.query.TupleQuery;
import org.openrdf.query.TupleQueryResultHandler;
import org.openrdf.query.TupleQueryResultHandlerBase;
import org.openrdf.query.TupleQueryResultHandlerException;
import org.openrdf.repository.RepositoryConnection;
import org.openrdf.repository.RepositoryException;

/* loaded from: input_file:WEB-INF/classes/org/eaglei/repository/Access.class */
public enum Access {
    // Each constant is tied to the repository-ontology property that expresses that kind of access.
    READ(REPO.HAS_READ_ACCESS),
    ADD(REPO.HAS_ADD_ACCESS),
    REMOVE(REPO.HAS_REMOVE_ACCESS),
    ADMIN(REPO.HAS_ADMIN_ACCESS);

    // Access property for this constant; bound to ?access in the permission queries below.
    private URI uri;
    // Session attribute under which getPrincipalUser caches the resolved User.
    private static final String S_USER = "org.eaglei.repository.Access.User";
    // Session attribute holding the remote address recorded by getValidatedSession.
    private static final String S_REMOTE_IP = "org.eaglei.repository.Access.REMOTE_IP";
    private static Logger log = LogManager.getLogger(Access.class);
    // ASK form of the access query over ?resource; ?user, ?access and ?resource are bound per call.
    private static final String hasPermissionQuery = makeAccessQuery("resource", "ASK", null);
    // Built lazily by getGrants from the access properties found in the repository, then reused.
    private static String getGrantsQuery = null;
    // All subclasses of REPO.ROLE (with optional label), excluding ROLE itself and ROLE_SUPERUSER.
    private static final String allRolesQuery = "SELECT DISTINCT * WHERE { ?uri <" + RDFS.SUBCLASSOF + "> <" + REPO.ROLE + ">\n OPTIONAL { ?uri <" + RDFS.LABEL + "> ?label } \n FILTER( ?uri != <" + REPO.ROLE + "> && ?uri != <" + REPO.ROLE_SUPERUSER + "> ) }";
    // All object properties whose range is REPO.AGENT and whose URI matches /has.*Access$ .
    // NOTE(review): the set of access properties is therefore decided by a name pattern over
    // repository data, not by the enum constants above - confirm who may write such properties.
    private static final String allAccessesQuery = "SELECT DISTINCT * WHERE { ?uri a <" + OWL.OBJECTPROPERTY + "> ;\n  <" + RDFS.RANGE + "> <" + REPO.AGENT + ">\n OPTIONAL { ?uri <" + RDFS.LABEL + "> ?label } \n FILTER(regex(str(?uri), '/has.*Access$')) }";

    /* loaded from: input_file:WEB-INF/classes/org/eaglei/repository/Access$Grant.class */
    /**
     * One access grant: which agent holds which kind of access, plus the
     * agent's type. Fields are public and mutable; instances are plain
     * value carriers produced by the grant query handler.
     */
    public static class Grant {
        /** The agent (URI and label) the access is granted to. */
        public Term agent;
        /** The type of the agent (URI and label). */
        public Term agentType;
        /** The access property (URI and label) that is granted. */
        public Term access;
        /** Flag supplied by the caller; the grant handler sets it when the statement is in REPO.NG_REPO_ONTOLOGY. */
        public boolean builtin;

        /**
         * Wraps each URI/label pair in a {@link Term}.
         *
         * @param uri  agent URI
         * @param str  agent label, may be null
         * @param uri2 agent type URI
         * @param str2 agent type label, may be null
         * @param uri3 access URI
         * @param str3 access label, may be null
         * @param z    value for {@link #builtin}
         */
        public Grant(URI uri, String str, URI uri2, String str2, URI uri3, String str3, boolean z) {
            Term agentTerm = new Term(uri, str);
            Term agentTypeTerm = new Term(uri2, str2);
            Term accessTerm = new Term(uri3, str3);
            this.agent = agentTerm;
            this.agentType = agentTypeTerm;
            this.access = accessTerm;
            this.builtin = z;
        }
    }

    /* loaded from: input_file:WEB-INF/classes/org/eaglei/repository/Access$Term.class */
    /**
     * A URI paired with a display label. When no label is supplied the
     * URI's local name is used instead.
     */
    public static class Term {
        public URI uri;
        public String label;

        /**
         * @param uri the term's URI; dereferenced when {@code str} is null
         * @param str the label, or null to fall back to the URI's local name
         */
        public Term(URI uri, String str) {
            this.uri = uri;
            if (str != null) {
                this.label = str;
            } else {
                this.label = uri.getLocalName();
            }
        }

        /**
         * Creates a term labelled with the URI's local name.
         *
         * @param uri the term's URI
         */
        public Term(URI uri) {
            this(uri, null);
        }

        /** Returns the string form of the URI (not the label). */
        @Override
        public String toString() {
            return this.uri.toString();
        }
    }

    /* loaded from: input_file:WEB-INF/classes/org/eaglei/repository/Access$grantHandler.class */
    /**
     * Turns each row of the grants query into a {@link Grant}. For every row
     * it also asks the connection whether the (resource, access, agent)
     * statement exists in REPO.NG_REPO_ONTOLOGY and records that as the
     * grant's {@code builtin} flag.
     */
    private static class grantHandler extends TupleQueryResultHandlerBase {
        private List<Grant> result = new ArrayList<Grant>();
        private RepositoryConnection rc;
        private URI resource;

        /**
         * @param repositoryConnection connection used for the per-row builtin check
         * @param uri                  the resource whose grants are being listed
         */
        protected grantHandler(RepositoryConnection repositoryConnection, URI uri) {
            this.rc = repositoryConnection;
            this.resource = uri;
        }

        /** Returns the literal's label, or null when the value is absent or not a literal. */
        private static String labelOf(Value candidate) {
            return (candidate instanceof Literal) ? ((Literal) candidate).getLabel() : null;
        }

        /**
         * Validates and converts one result row.
         *
         * @throws TupleQueryResultHandlerException if 'agent' or 'access' is
         *         missing or not a URI, or if the builtin check fails
         */
        @Override // org.openrdf.query.TupleQueryResultHandlerBase, org.openrdf.query.TupleQueryResultHandler
        public void handleSolution(BindingSet bindingSet) throws TupleQueryResultHandlerException {
            Value agent = bindingSet.getValue("agent");
            Value agentLabel = bindingSet.getValue("agentLabel");
            Value agentType = bindingSet.getValue("agentType");
            Value agentTypeLabel = bindingSet.getValue("agentTypeLabel");
            Value access = bindingSet.getValue("access");
            Value accessLabel = bindingSet.getValue("accessLabel");

            // instanceof is false for null, so one test covers both the missing and wrong-type cases.
            if (!(agent instanceof URI)) {
                throw new TupleQueryResultHandlerException("The value for 'agent' was null or not a URI type in grantHandler: " + agent);
            }
            if (!(access instanceof URI)) {
                throw new TupleQueryResultHandlerException("The value for 'access' was null or not a URI type in grantHandler: " + access);
            }
            // An agent with no matching type binding is reported as a generic agent.
            if (agentType == null) {
                agentType = REPO.AGENT;
            }
            try {
                boolean builtin = this.rc.hasStatement(this.resource, (URI) access, (URI) agent, false, REPO.NG_REPO_ONTOLOGY);
                Access.log.debug("getGrants: Adding Grant(agent=" + agent + ", agentLabel=" + agentLabel + ", agentType=" + agentType + ", agentTypeLabel=" + agentTypeLabel + ", access=" + access + ", accessLabel=" + accessLabel + ", builtin=" + builtin);
                // agentType is cast without a type test; a non-URI binding would raise ClassCastException here.
                Grant grant = new Grant((URI) agent, labelOf(agentLabel), (URI) agentType, labelOf(agentTypeLabel), (URI) access, labelOf(accessLabel), builtin);
                this.result.add(grant);
            } catch (RepositoryException e) {
                Access.log.error(e);
                throw new TupleQueryResultHandlerException("Failed checking for builtin: ", e);
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:WEB-INF/classes/org/eaglei/repository/Access$termHandler.class */
    /**
     * Collects (uri, label) rows of a term query into {@link Term} objects.
     */
    public static class termHandler extends TupleQueryResultHandlerBase {
        private List<Term> result;

        private termHandler() {
            this.result = new ArrayList<Term>();
        }

        /**
         * Converts one row; the label is optional and ignored unless it is a literal.
         *
         * @throws TupleQueryResultHandlerException if 'uri' is missing or not a URI
         */
        @Override // org.openrdf.query.TupleQueryResultHandlerBase, org.openrdf.query.TupleQueryResultHandler
        public void handleSolution(BindingSet bindingSet) throws TupleQueryResultHandlerException {
            Value termUri = bindingSet.getValue("uri");
            Value termLabel = bindingSet.getValue("label");
            // instanceof is false for null, so this also rejects an unbound 'uri'.
            if (!(termUri instanceof URI)) {
                throw new TupleQueryResultHandlerException("The value for 'uri' was null or not a URI type in termHandler: " + termUri);
            }
            String labelText = null;
            if (termLabel instanceof Literal) {
                labelText = ((Literal) termLabel).getLabel();
            }
            this.result.add(new Term((URI) termUri, labelText));
        }
    }

    /**
     * Creates the constant from the string form of its access property URI.
     *
     * @param str URI string handed to {@code URIImpl}
     */
    Access(String str) {
        URI parsed = new URIImpl(str);
        this.uri = parsed;
    }

    /**
     * Creates the constant from an already-built access property URI.
     *
     * @param uri the access property URI
     */
    Access(URI uri) {
        this.uri = uri;
    }

    /**
     * @return the access property URI this constant stands for
     */
    public URI getURI() {
        final URI accessUri = this.uri;
        return accessUri;
    }

    /**
     * Decides whether the current principal holds {@code access} on
     * {@code resource}.
     *
     * <p>Superusers are granted immediately without consulting the ACL data.
     * Everyone else is checked with the prepared ASK query; the user, access
     * and resource are supplied as query bindings, never spliced into the
     * query text. Any failure in the query surfaces as an exception, so an
     * error never turns into a grant.
     *
     * @param httpServletRequest request carrying the principal and the
     *        repository connection (attribute {@code Constants.ATTR_CONNECTION})
     * @param resource the resource being accessed
     * @param uri      not used by this method
     * @param access   the kind of access requested
     * @return true if access is granted
     * @throws InternalServerErrorException if the query cannot be prepared or evaluated
     */
    public static boolean hasPermission(HttpServletRequest httpServletRequest, Resource resource, URI uri, Access access) {
        if (isSuperuser(httpServletRequest)) {
            log.debug("Superuser elides check: hasPermission(" + resource + ", " + access + ") => true");
            return true;
        }
        try {
            URI who = getPrincipalURI(httpServletRequest);
            RepositoryConnection conn = (RepositoryConnection) httpServletRequest.getAttribute(Constants.ATTR_CONNECTION);
            BooleanQuery ask = conn.prepareBooleanQuery(QueryLanguage.SPARQL, hasPermissionQuery);
            ask.setIncludeInferred(true);
            ask.setDataset(SPARQL.InternalGraphsAndInferred);
            ask.clearBindings();
            ask.setBinding("user", who);
            ask.setBinding("access", access.uri);
            ask.setBinding("resource", resource);
            boolean granted = ask.evaluate();
            log.debug("hasPermission(" + resource + ", " + access + ", " + who + ") => " + granted);
            return granted;
        } catch (OpenRDFException e) {
            log.error(e);
            throw new InternalServerErrorException("Failed in access check: ", e);
        }
    }

    /**
     * Decides whether the caller may act on the account named {@code str}:
     * allowed for superusers, and for an authenticated principal whose name
     * equals {@code str} exactly (case-sensitive {@code equals}).
     *
     * @param httpServletRequest the current request
     * @param str                username of the account being acted on; null never matches
     * @return true if the caller is a superuser or is that user
     */
    public static boolean hasPermissionOnUser(HttpServletRequest httpServletRequest, String str) {
        Principal caller = httpServletRequest.getUserPrincipal();
        if (isSuperuser(httpServletRequest)) {
            return true;
        }
        return str != null && caller != null && str.equals(caller.getName());
    }

    /**
     * Runs a SELECT that yields only the values of variable {@code str} on
     * which the current principal holds {@code access}, optionally narrowed
     * by the extra graph pattern {@code str2}, and feeds the rows to the
     * supplied handler.
     *
     * <p>{@code str} and {@code str2} are concatenated into the SPARQL text
     * verbatim; only the user and access are passed as bindings. Callers
     * must therefore pass fixed, code-owned strings here and never anything
     * derived from request input.
     *
     * <p>NOTE(review): unlike {@code hasPermission}, there is no superuser
     * shortcut in this method - confirm that is intended.
     *
     * @param httpServletRequest request carrying the principal and connection
     * @param str    name of the query variable to filter (without '?')
     * @param str2   extra pattern text inserted into the query, or null
     * @param access the kind of access required
     * @param tupleQueryResultHandler receiver of the result rows
     * @throws InternalServerErrorException if the query cannot be prepared or evaluated
     */
    public static void filterByPermission(HttpServletRequest httpServletRequest, String str, String str2, Access access, TupleQueryResultHandler tupleQueryResultHandler) {
        try {
            URI who = getPrincipalURI(httpServletRequest);
            RepositoryConnection conn = (RepositoryConnection) httpServletRequest.getAttribute(Constants.ATTR_CONNECTION);
            String selectHead = "SELECT ?" + str + " WHERE";
            String queryText = makeAccessQuery(str, selectHead, str2);
            TupleQuery select = conn.prepareTupleQuery(QueryLanguage.SPARQL, queryText);
            select.setIncludeInferred(true);
            select.setDataset(SPARQL.InternalGraphsAndInferred);
            select.clearBindings();
            select.setBinding("user", who);
            select.setBinding("access", access.uri);
            select.evaluate(tupleQueryResultHandler);
        } catch (OpenRDFException e) {
            log.error(e);
            throw new InternalServerErrorException("Failed in access check: ", e);
        }
    }

    /**
     * Returns the URI that identifies the caller in access queries: the
     * resolved user's URI, or {@code REPO.ROLE_ANONYMOUS} when the request
     * has no authenticated principal.
     *
     * @param httpServletRequest the current request
     * @return the caller's URI, never the result of an unauthenticated lookup failing silently
     */
    public static URI getPrincipalURI(HttpServletRequest httpServletRequest) {
        User caller = getPrincipalUser(httpServletRequest);
        if (caller == null) {
            log.debug("getPrincipalURI: Returning :Anonymous for unauthenticated user.");
            return REPO.ROLE_ANONYMOUS;
        }
        return caller.getURI();
    }

    /**
     * Drops the cached User from the caller's own session when it equals
     * {@code user}, so the next lookup re-reads it from the repository.
     *
     * <p>Only the session attached to this request is touched; any other
     * session caching the same user keeps its copy until it is refreshed
     * by its own stale-session check.
     *
     * @param httpServletRequest the current request
     * @param user               the user whose cached copy should be discarded
     */
    public static void decacheUser(HttpServletRequest httpServletRequest, User user) {
        HttpSession session = getValidatedSession(httpServletRequest);
        User cached = (User) session.getAttribute(S_USER);
        if (cached != null && cached.equals(user)) {
            session.removeAttribute(S_USER);
        }
    }

    /**
     * Resolves the container-authenticated principal to a repository User,
     * caching the result in the HTTP session.
     *
     * <p>Security-relevant behaviour visible here:
     * <ul>
     *   <li>A principal with no matching User record gets one created on the
     *       spot, so any identity the container authenticates becomes a
     *       repository user.</li>
     *   <li>The superuser role is added when the container reports
     *       {@code Constants.AUTH_SUPERUSER_ROLE} and the User lacks it.
     *       NOTE(review): nothing here removes the role when the container
     *       stops reporting it - confirm revocation is handled elsewhere.</li>
     *   <li>Once cached, the User (and its roles) is reused until the session
     *       is reported stale or {@code decacheUser} is called.</li>
     *   <li>The method is static synchronized, so all callers share one lock
     *       on the Access class.</li>
     * </ul>
     *
     * @param httpServletRequest the current request
     * @return the User for the principal, or null when the request is unauthenticated
     * @throws InternalServerErrorException if looking up, creating or updating the User fails
     */
    private static synchronized User getPrincipalUser(HttpServletRequest httpServletRequest) {
        Principal userPrincipal = httpServletRequest.getUserPrincipal();
        // No authenticated principal: callers treat null as anonymous.
        if (userPrincipal == null) {
            return null;
        }
        String name = userPrincipal.getName();
        // Obtains (or creates) the session and applies the remote-address check.
        HttpSession validatedSession = getValidatedSession(httpServletRequest);
        if (DataRepositoryLifecycle.isSessionStale(validatedSession)) {
            // Stale session: discard the cached User and fall through to a fresh lookup.
            validatedSession.removeAttribute(S_USER);
            log.debug("Invalidating cached user URI in stale session, principal=" + name);
        } else {
            User user = (User) validatedSession.getAttribute(S_USER);
            if (user != null) {
                log.debug("Returning cached user for principal=" + name + " from session context: " + user);
                return user;
            }
        }
        try {
            User findUsername = User.findUsername(httpServletRequest, name);
            if (findUsername != null) {
                // Existing user: grant the repository superuser role if only the container has it.
                if (!findUsername.hasRoleP(REPO.ROLE_SUPERUSER) && httpServletRequest.isUserInRole(Constants.AUTH_SUPERUSER_ROLE)) {
                    findUsername.addRole(httpServletRequest, Role.find(httpServletRequest, REPO.ROLE_SUPERUSER), true);
                }
                validatedSession.setAttribute(S_USER, findUsername);
                return findUsername;
            }
            // Unknown principal: auto-provision a User record for it.
            User create = User.create(httpServletRequest, name, true);
            if (httpServletRequest.isUserInRole(Constants.AUTH_SUPERUSER_ROLE)) {
                create.addRole(httpServletRequest, Role.find(httpServletRequest, REPO.ROLE_SUPERUSER), true);
            }
            create.update(httpServletRequest);
            validatedSession.setAttribute(S_USER, create);
            log.info("Login created new User for principal=" + name + ", as User=" + create.toString());
            return create;
        } catch (ServletException e) {
            throw new InternalServerErrorException(e.getMessage(), e);
        }
    }

    /**
     * Reports whether the caller's resolved User holds
     * {@code REPO.ROLE_SUPERUSER}. Unauthenticated requests are never
     * superusers.
     *
     * @param httpServletRequest the current request
     * @return true only for an authenticated user with the superuser role
     */
    public static boolean isSuperuser(HttpServletRequest httpServletRequest) {
        User caller = getPrincipalUser(httpServletRequest);
        return caller != null && caller.hasRoleP(REPO.ROLE_SUPERUSER);
    }

    /**
     * Returns the request's session, creating one if needed, and pins it to
     * the remote address that first used it. A request for an existing
     * session from a different address is rejected.
     *
     * <p>The address comes from {@code getRemoteAddr()}, i.e. the immediate
     * network peer. Behind a reverse proxy or NAT many clients share that
     * address, so treat this as a coarse hijacking heuristic rather than a
     * binding to one client. On a mismatch the session itself is left in
     * place; only the offending request is refused.
     *
     * @param httpServletRequest the current request
     * @return the (possibly new) session
     * @throws BadRequestException if the session was created from another address
     */
    private static HttpSession getValidatedSession(HttpServletRequest httpServletRequest) {
        HttpSession existing = httpServletRequest.getSession(false);
        String callerIp = httpServletRequest.getRemoteAddr();

        if (existing == null) {
            // Brand-new session: record the creating address straight away.
            HttpSession fresh = httpServletRequest.getSession(true);
            fresh.setAttribute(S_REMOTE_IP, callerIp);
            return fresh;
        }

        String boundIp = (String) existing.getAttribute(S_REMOTE_IP);
        if (boundIp == null) {
            // Session created elsewhere without a recorded address: adopt the current one.
            log.debug("Initializing session's record of remote address, IP=" + callerIp);
            existing.setAttribute(S_REMOTE_IP, callerIp);
            return existing;
        }
        if (boundIp.equals(callerIp)) {
            return existing;
        }
        log.error("POSSIBLE SESSION HIJACKING: session created by IP=" + boundIp + ", but is being accessed by IP=" + callerIp);
        throw new BadRequestException("Authentication denied, this session may only be accessed from the address that created it. Please login again.");
    }

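    /**
     * Destroys the caller's HTTP session, if there is one.
     *
     * <p>The session ID is read before {@code invalidate()} so the method
     * never calls an accessor on an already-invalidated session, and it is
     * written to the log only after invalidation, when it no longer
     * identifies a live session.
     *
     * <p>This method does not go through {@code getValidatedSession}, so the
     * remote-address check is not applied to logout.
     *
     * @param httpServletRequest the current request
     */
    public static void logout(HttpServletRequest httpServletRequest) {
        HttpSession session = httpServletRequest.getSession(false);
        if (session == null) {
            log.debug("Logout finds no session to destroy!");
            return;
        }
        String sessionId = session.getId();
        session.invalidate();
        log.debug("Logout is destroying session ID=" + sessionId);
    }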

    /**
     * Builds the SPARQL text of the access check. The pattern matches when
     * the user has a role whose type is granted the access, or the user is a
     * REPO.PERSON and the access is granted to a type of
     * REPO.ROLE_AUTHENTICATED, or the access is granted to the user directly.
     *
     * <p>All three arguments are inserted into the query text as-is, with no
     * escaping or validation. They must be constants owned by the calling
     * code; {@code ?user} and {@code ?access} are left as variables for the
     * caller to bind.
     *
     * @param str  name of the variable standing for the resource (without '?')
     * @param str2 query head, e.g. "ASK" or "SELECT ?x WHERE"
     * @param str3 extra pattern text placed at the start of the group, or null for none
     * @return the complete query string
     */
    private static String makeAccessQuery(String str, String str2, String str3) {
        String target = "?" + str;
        String extraPattern = (str3 != null) ? str3 : "";
        String viaRole = "{ ?user <" + REPO.HAS_ROLE + "> ?r . ?r a ?ar . " + target + " ?access ?ar }\n";
        String viaAuthenticated = " UNION { ?user a <" + REPO.PERSON + "> . " + target + " ?access ?ar . <" + REPO.ROLE_AUTHENTICATED + "> a ?ar }\n";
        String direct = " UNION { " + target + " ?access ?user }";
        return str2 + " { " + extraPattern + "{ " + viaRole + viaAuthenticated + direct + " } }";
    }

    /**
     * Removes the statement (resource, access, agent) from REPO.NG_INTERNAL,
     * provided the caller holds ADMIN on the resource.
     *
     * <p>The null checks matter for safety: a null in any position would act
     * as a wildcard in the statement lookup and removal.
     *
     * @param httpServletRequest request carrying the principal and connection
     * @param uri  the resource whose access control is changed
     * @param uri2 the agent losing access
     * @param uri3 the access property being revoked
     * @return true if a grant existed and was removed, false if there was none
     * @throws BadRequestException  if any URI is null
     * @throws ForbiddenException   if the caller lacks ADMIN on the resource
     * @throws InternalServerErrorException if the repository operation fails
     */
    public static boolean removeGrant(HttpServletRequest httpServletRequest, URI uri, URI uri2, URI uri3) {
        boolean anyMissing = uri == null || uri3 == null || uri2 == null;
        if (anyMissing) {
            throw new BadRequestException("removeGrant called with an illegal null URI.");
        }
        boolean mayAdminister = hasPermission(httpServletRequest, uri, null, ADMIN);
        if (!mayAdminister) {
            throw new ForbiddenException("You are not allowed to change access controls on " + uri);
        }
        RepositoryConnection conn = (RepositoryConnection) httpServletRequest.getAttribute(Constants.ATTR_CONNECTION);
        try {
            boolean present = conn.hasStatement(uri, uri3, uri2, false, REPO.NG_INTERNAL);
            if (present) {
                conn.remove(uri, uri3, uri2, REPO.NG_INTERNAL);
            }
            return present;
        } catch (OpenRDFException e) {
            log.error(e);
            throw new InternalServerErrorException("Failed in remove ACL: ", e);
        }
    }

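    /**
     * Adds the statement (resource, access, agent) to REPO.NG_INTERNAL if it
     * is not already there, provided the caller holds ADMIN on the resource.
     *
     * <p>Null arguments are rejected up front, matching {@code removeGrant}:
     * a null would otherwise reach the permission check and act as a
     * wildcard in the existence lookup.
     *
     * <p>NOTE(review): {@code uri3} is not checked against the known access
     * properties, so this method will write whatever predicate it is given
     * into the internal graph - confirm that every caller validates it.
     *
     * @param httpServletRequest request carrying the principal and connection
     * @param uri  the resource whose access control is changed
     * @param uri2 the agent receiving access
     * @param uri3 the access property being granted
     * @throws BadRequestException  if any URI is null
     * @throws ForbiddenException   if the caller lacks ADMIN on the resource
     * @throws InternalServerErrorException if the repository operation fails
     */
    public static void addGrant(HttpServletRequest httpServletRequest, URI uri, URI uri2, URI uri3) {
        if (uri == null || uri3 == null || uri2 == null) {
            throw new BadRequestException("addGrant called with an illegal null URI.");
        }
        if (!hasPermission(httpServletRequest, uri, null, ADMIN)) {
            throw new ForbiddenException("You are not allowed to change access controls on " + uri);
        }
        RepositoryConnection repositoryConnection = (RepositoryConnection) httpServletRequest.getAttribute(Constants.ATTR_CONNECTION);
        try {
            // Skip the write when the grant already exists so repeated calls are harmless.
            if (!repositoryConnection.hasStatement(uri, uri3, uri2, false, REPO.NG_INTERNAL)) {
                repositoryConnection.add(uri, uri3, uri2, REPO.NG_INTERNAL);
            }
        } catch (OpenRDFException e) {
            log.error(e);
            throw new InternalServerErrorException("Failed in add ACL: ", e);
        }
    }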

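    /**
     * Lists the access grants on a resource.
     *
     * <p>The query text is built once from the access properties returned by
     * {@code getAllAccesses} and then cached in {@code getGrantsQuery}. Those
     * URIs are read from the repository, not from the request, and are
     * placed between angle brackets in the query; the resource itself is
     * supplied as a binding.
     *
     * <p>If no access properties are found, the query is not cached: an
     * empty {@code FILTER()} is not valid SPARQL, and caching it would make
     * every later call fail until restart. The call fails with the same
     * exception type as a query error and the next call tries again.
     *
     * <p>The cache field is written without locking; concurrent first calls
     * may each build the query, which is harmless because they produce the
     * same immutable string.
     *
     * @param httpServletRequest request carrying the repository connection
     * @param uri the resource whose grants are listed
     * @return the grants found, possibly empty
     * @throws InternalServerErrorException if no access properties exist or the query fails
     */
    public static Iterable<Grant> getGrants(HttpServletRequest httpServletRequest, URI uri) {
        String query = getGrantsQuery;
        if (query == null) {
            StringBuilder accessFilter = new StringBuilder();
            for (Term term : getAllAccesses(httpServletRequest)) {
                if (accessFilter.length() > 0) {
                    accessFilter.append(" || ");
                }
                accessFilter.append("?access = <").append(term.toString()).append(">");
            }
            if (accessFilter.length() == 0) {
                // Fail this call only; leave the cache empty so a later call can succeed.
                log.error("getGrants: no access properties found, cannot build grants query.");
                throw new InternalServerErrorException("Failed in query: ", new IllegalStateException("No access properties are defined in the repository."));
            }
            query = "SELECT DISTINCT * WHERE { \n?instance ?access ?agent \nOPTIONAL { ?access <" + RDFS.LABEL + "> ?accessLabel }\nOPTIONAL { ?agent <" + RDFS.LABEL + "> ?agentLabel }\nOPTIONAL { ?agent <" + RDF.TYPE + "> ?agentType FILTER (?agentType = <" + REPO.ROLE + "> || ?agentType = <" + REPO.PERSON + ">) \n  OPTIONAL { ?agentType <" + RDFS.LABEL + "> ?agentTypeLabel }}\nFILTER(" + accessFilter + ")}";
            getGrantsQuery = query;
            log.debug("Initializing getGrantsQuery = " + query);
        }
        RepositoryConnection repositoryConnection = (RepositoryConnection) httpServletRequest.getAttribute(Constants.ATTR_CONNECTION);
        try {
            TupleQuery prepareTupleQuery = repositoryConnection.prepareTupleQuery(QueryLanguage.SPARQL, query);
            prepareTupleQuery.setBinding("instance", uri);
            prepareTupleQuery.setDataset(SPARQL.InternalGraphsAndInferred);
            grantHandler granthandler = new grantHandler(repositoryConnection, uri);
            prepareTupleQuery.evaluate(granthandler);
            return granthandler.result;
        } catch (OpenRDFException e) {
            log.error(e);
            throw new InternalServerErrorException("Failed in query: ", e);
        }
    }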

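    /**
     * Lists every role defined in the repository, as selected by
     * {@code allRolesQuery} (subclasses of REPO.ROLE, excluding ROLE itself
     * and the superuser role).
     *
     * @param httpServletRequest request carrying the repository connection
     * @return the roles as URI/label terms
     * @throws InternalServerErrorException if the query fails
     */
    public static Iterable<Term> getAllRoles(HttpServletRequest httpServletRequest) {
        // Log label corrected to the real method name so it can be found by searching the logs.
        log.debug("getAllRoles query = " + allRolesQuery);
        return getAllTermsInternal(httpServletRequest, allRolesQuery);
    }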

    /**
     * Lists every access property known to the repository, as selected by
     * {@code allAccessesQuery}.
     *
     * @param httpServletRequest request carrying the repository connection
     * @return the access properties as URI/label terms
     * @throws InternalServerErrorException if the query fails
     */
    public static Iterable<Term> getAllAccesses(HttpServletRequest httpServletRequest) {
        final String queryText = allAccessesQuery;
        log.debug("getAllAccesses query = " + queryText);
        return getAllTermsInternal(httpServletRequest, queryText);
    }

    /**
     * Evaluates a term-listing SELECT over the internal graphs and returns
     * its rows as {@link Term}s. The query is expected to bind {@code ?uri}
     * and optionally {@code ?label}.
     *
     * @param httpServletRequest request carrying the repository connection
     * @param str the SPARQL text to run; passed to the engine unchanged
     * @return the collected terms
     * @throws InternalServerErrorException if the query cannot be prepared or evaluated
     */
    private static Iterable<Term> getAllTermsInternal(HttpServletRequest httpServletRequest, String str) {
        try {
            RepositoryConnection conn = (RepositoryConnection) httpServletRequest.getAttribute(Constants.ATTR_CONNECTION);
            TupleQuery select = conn.prepareTupleQuery(QueryLanguage.SPARQL, str);
            select.setDataset(SPARQL.InternalGraphsAndInferred);
            termHandler collector = new termHandler();
            select.evaluate(collector);
            return collector.result;
        } catch (OpenRDFException e) {
            log.error(e);
            throw new InternalServerErrorException("Failed in query: ", e);
        }
    }
}
