package de.fzj.unicore.wsrflite.security;

import de.fzj.unicore.wsrflite.security.pdp.ActionDescriptor;
import de.fzj.unicore.wsrflite.security.pdp.PDPResult;
import de.fzj.unicore.wsrflite.security.util.AttributeHandlingCallback;
import de.fzj.unicore.wsrflite.security.util.BaseAttributeSourcesChain;
import de.fzj.unicore.wsrflite.security.util.ResourceDescriptor;
import eu.emi.security.authn.x509.impl.X500NameUtils;
import eu.unicore.security.AuthorisationException;
import eu.unicore.security.Client;
import eu.unicore.security.OperationType;
import eu.unicore.security.Queue;
import eu.unicore.security.Role;
import eu.unicore.security.SecurityTokens;
import eu.unicore.security.SubjectAttributesHolder;
import eu.unicore.security.Xlogin;
import eu.unicore.util.Log;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import org.apache.log4j.Logger;
import org.apache.log4j.MDC;

/* loaded from: input_file:de/fzj/unicore/wsrflite/security/SecurityManager.class */
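/**
 * Central security entry point of the container. It turns the authenticated
 * {@link SecurityTokens} of a request into a {@link Client} that carries the
 * attributes established by the configured attribute sources (role, VO,
 * xlogin/groups, queue) and delegates authorisation decisions to the
 * configured PDP.
 * <p>
 * Attribute precedence, as implemented by the {@code handle*} helpers:
 * <ol>
 *   <li>the set of <em>valid</em> values comes from the attribute sources
 *       ({@code SubjectAttributesHolder.getValidIncarnationAttributes()});</li>
 *   <li>the default selection also comes from the attribute sources
 *       ({@code SubjectAttributesHolder.getIncarnationAttributes()});</li>
 *   <li>the requester's own preferences (the map stored in the request context
 *       under {@link UserAttributeCallback#USER_PREFERENCES_KEY}) override that
 *       selection.</li>
 * </ol>
 * Requester preferences are untrusted input. Role and VO selections are
 * validated against the valid set in this class. Login, group and queue
 * selections are passed on to {@link Xlogin} and {@link Queue} and are NOT
 * re-checked here; NOTE(review): this relies on those classes rejecting values
 * outside their valid list, confirm in eu.unicore.security before relying on it.
 * <p>
 * Thread-safety: {@link #addCallback} mutates an unsynchronised {@link HashSet}
 * that is iterated for every request, so callbacks are expected to be registered
 * during container start-up only. The "local call" flag is thread-confined via a
 * {@link ThreadLocal}; callers of {@link #setLocalCall()} must pair it with
 * {@link #clearLocalCall()} in a {@code finally} block, otherwise a pooled thread
 * keeps bypassing access control for subsequent requests.
 */
public final class SecurityManager {
    /** Action name used by {@link #isAccessible} when no concrete operation is known. */
    public static final String UNKNOWN_ACTION = "___ANY_ACTION___";
    private final IContainerSecurityConfiguration securityConfig;
    private DSignCheck signatureChecker;
    private static final Logger logger = Log.getLogger("unicore.security", SecurityManager.class);
    /** Per-thread marker for container-internal calls that bypass authentication and authorisation. */
    private static final ThreadLocal<Boolean> localCalls = new ThreadLocal<>();
    private Set<AttributeHandlingCallback> attribHandlingCallbacks = new HashSet<>();
    private OperationTypesUtil operationTypesUtil = new OperationTypesUtil();

    /**
     * @param iContainerSecurityConfiguration container security settings; its
     *        {@code isSigningRequired()} flag configures the digital-signature checker
     */
    public SecurityManager(IContainerSecurityConfiguration iContainerSecurityConfiguration) {
        this.securityConfig = iContainerSecurityConfiguration;
        this.signatureChecker = new DSignCheck(iContainerSecurityConfiguration.isSigningRequired());
    }

    /**
     * Registers a callback that contributes extra (non-incarnation) attributes to
     * every non-server client. Intended for start-up time; see the class comment
     * on thread-safety.
     */
    public void addCallback(AttributeHandlingCallback attributeHandlingCallback) {
        this.attribHandlingCallbacks.add(attributeHandlingCallback);
    }

    /**
     * Queries the attribute information point (AIP) for the subject's attributes.
     * <p>
     * The VO the attributes are resolved for is the requester's selected VO when
     * the request carries one, otherwise the container's default VO list. The
     * selection is taken as-is here; {@code handleVo} later verifies that the
     * subject is actually a member of it.
     *
     * @param securityTokens authenticated tokens of the request; its context may
     *        hold the requester's preferences under
     *        {@link UserAttributeCallback#USER_PREFERENCES_KEY}
     * @return the attributes returned by the AIP
     * @throws Exception whatever the AIP throws
     */
    @SuppressWarnings("unchecked")
    public SubjectAttributesHolder establishAttributes(SecurityTokens securityTokens) throws Exception {
        Map<String, String[]> preferences = (Map<String, String[]>) securityTokens.getContext().get(UserAttributeCallback.USER_PREFERENCES_KEY);
        String[] requestedVo = preferences == null ? null : preferences.get(IAttributeSource.ATTRIBUTE_SELECTED_VO);
        // An absent or empty selection means "use the defaults", consistent with how
        // the other handlers treat empty preference arrays (indexing [0] unconditionally
        // would throw on an empty array).
        String[] vos = (requestedVo == null || requestedVo.length == 0)
                ? this.securityConfig.getDefaultVOs()
                : new String[] { requestedVo[0] };
        return this.securityConfig.getAip().getAttributes(securityTokens, new SubjectAttributesHolder(vos));
    }

    /** Returns the given array, or an empty array when it is {@code null}. */
    private static String[] orEmpty(String[] values) {
        return values == null ? new String[0] : values;
    }

    /**
     * Builds the client's {@link Xlogin} (unix login, primary/supplementary groups,
     * "add default groups" flag).
     * <p>
     * Nothing is set when the attribute sources provide no valid login at all.
     * Otherwise the selection is: attribute-source defaults first, then requester
     * preferences on top. Only the requester's {@code addDefaultGroups} value is
     * validated here (must be the literal {@code true}/{@code false}); login, group
     * and supplementary-group preferences are handed to {@link Xlogin} unchecked.
     *
     * @param client       client to update
     * @param preferences  requester preferences (untrusted), never {@code null}
     * @param valid        valid values per attribute, from the attribute sources
     * @param defaults     default selection per attribute, from the attribute sources
     * @throws SecurityException when the requester's {@code addDefaultGroups} value
     *         is neither {@code true} nor {@code false}
     */
    private static void handleXlogin(Client client, Map<String, String[]> preferences, Map<String, String[]> valid, Map<String, String[]> defaults) {
        String[] validLogins = valid.get(IAttributeSource.ATTRIBUTE_XLOGIN);
        // No valid login means nothing can be incarnated; the client keeps whatever
        // xlogin it already carries.
        if (validLogins == null || validLogins.length == 0) {
            return;
        }
        // The Xlogin's valid group list is the union of primary and supplementary
        // groups; HashSet deduplicates and the resulting order is unspecified.
        Set<String> allValidGroups = new HashSet<>();
        Collections.addAll(allValidGroups, orEmpty(valid.get(IAttributeSource.ATTRIBUTE_GROUP)));
        Collections.addAll(allValidGroups, orEmpty(valid.get(IAttributeSource.ATTRIBUTE_SUPPLEMENTARY_GROUPS)));
        Xlogin xlogin = new Xlogin(validLogins, allValidGroups.toArray(new String[allValidGroups.size()]));

        // 1. defaults selected by the attribute sources
        String[] defaultLogin = defaults.get(IAttributeSource.ATTRIBUTE_XLOGIN);
        if (defaultLogin != null && defaultLogin.length > 0) {
            xlogin.setSelectedLogin(defaultLogin[0]);
        }
        String[] defaultGroup = orEmpty(defaults.get(IAttributeSource.ATTRIBUTE_GROUP));
        if (defaultGroup.length > 0) {
            xlogin.setSelectedGroup(defaultGroup[0]);
        }
        String[] defaultSupplementary = orEmpty(defaults.get(IAttributeSource.ATTRIBUTE_SUPPLEMENTARY_GROUPS));
        if (defaultSupplementary.length > 0) {
            xlogin.setSelectedSupplementaryGroups(defaultSupplementary);
        }

        // 2. requester preferences override the defaults. These are untrusted and
        // NOT validated in this class; NOTE(review): confirm that Xlogin's setters
        // reject values outside the valid lists passed to its constructor.
        String[] requestedLogin = preferences.get(IAttributeSource.ATTRIBUTE_XLOGIN);
        if (requestedLogin != null && requestedLogin.length > 0) {
            xlogin.setSelectedLogin(requestedLogin[0]);
        }
        String[] requestedGroup = preferences.get(IAttributeSource.ATTRIBUTE_GROUP);
        if (requestedGroup != null && requestedGroup.length > 0) {
            xlogin.setSelectedGroup(requestedGroup[0]);
        }
        String[] requestedSupplementary = preferences.get(IAttributeSource.ATTRIBUTE_SUPPLEMENTARY_GROUPS);
        if (requestedSupplementary != null && requestedSupplementary.length > 0) {
            xlogin.setSelectedSupplementaryGroups(requestedSupplementary);
        }

        // 3. "add default groups" flag: requester preference wins; otherwise the
        // attribute-source default, falling back to the value in the valid set.
        String[] defaultAddGroups = defaults.get(IAttributeSource.ATTRIBUTE_ADD_DEFAULT_GROUPS);
        if (defaultAddGroups == null || defaultAddGroups.length == 0) {
            defaultAddGroups = valid.get(IAttributeSource.ATTRIBUTE_ADD_DEFAULT_GROUPS);
        }
        String[] requestedAddGroups = preferences.get(IAttributeSource.ATTRIBUTE_ADD_DEFAULT_GROUPS);
        if (requestedAddGroups != null && requestedAddGroups.length > 0) {
            // Requester-supplied: only the literals true/false are accepted.
            if (requestedAddGroups[0].equalsIgnoreCase("true")) {
                xlogin.setAddDefaultGroups(true);
            } else if (requestedAddGroups[0].equalsIgnoreCase("false")) {
                xlogin.setAddDefaultGroups(false);
            } else {
                throw new SecurityException("Requested value <" + requestedAddGroups[0] + "> is invalid for " + IAttributeSource.ATTRIBUTE_ADD_DEFAULT_GROUPS + " attribute; use 'true' or 'false'.");
            }
        } else if (defaultAddGroups != null && defaultAddGroups.length > 0) {
            // Attribute-source supplied: an unrecognised value leaves Xlogin's own default untouched.
            if (defaultAddGroups[0].equalsIgnoreCase("true")) {
                xlogin.setAddDefaultGroups(true);
            } else if (defaultAddGroups[0].equalsIgnoreCase("false")) {
                xlogin.setAddDefaultGroups(false);
            }
        }
        client.setXlogin(xlogin);
    }

    /**
     * Sets the client's {@link Role}.
     * <p>
     * Without any valid role from the attribute sources the client gets the
     * least-privilege {@code anonymous} role. Otherwise the role object carries all
     * valid roles, and the active one is: the requester's preference if present
     * (rejected unless it is one of the valid roles), else the attribute-source
     * default, else the first valid role as chosen by {@link Role#Role(String[])}.
     *
     * @param client       client to update
     * @param preferences  requester preferences (untrusted), never {@code null}
     * @param valid        valid values per attribute, from the attribute sources
     * @param defaults     default selection per attribute, from the attribute sources
     * @throws SecurityException when the requested role is not among the valid ones
     */
    private static void handleRole(Client client, Map<String, String[]> preferences, Map<String, String[]> valid, Map<String, String[]> defaults) {
        String[] validRoles = valid.get(IAttributeSource.ATTRIBUTE_ROLE);
        Role role;
        if (validRoles == null || validRoles.length == 0) {
            role = new Role("anonymous", "default role");
        } else {
            role = new Role(validRoles);
            String[] requestedRole = preferences.get(IAttributeSource.ATTRIBUTE_ROLE);
            String[] defaultRole = defaults.get(IAttributeSource.ATTRIBUTE_ROLE);
            if (requestedRole != null && requestedRole.length > 0) {
                // Untrusted requester choice: must be one of the valid roles.
                if (!role.isValid(requestedRole[0])) {
                    throw new SecurityException("Requested role <" + requestedRole[0] + "> is not available.");
                }
                role.setName(requestedRole[0]);
                role.setDescription("user's preferred role");
            } else if (defaultRole != null && defaultRole.length > 0) {
                // Attribute-source choice; not re-validated against the valid list here.
                role.setName(defaultRole[0]);
                role.setDescription("role from attribute source");
            } else {
                role.setDescription("default role from attribute source");
            }
        }
        client.setRole(role);
    }

    /**
     * Sets the client's {@link Queue}: the valid queues from the attribute sources
     * and, if present, the attribute-source default as selected queue.
     * <p>
     * Unlike the other handlers this one does not consult {@code preferences};
     * a requester's queue preference is therefore not applied here. NOTE(review):
     * this may be intentional (the parameter is unused in the original as well);
     * confirm before changing.
     *
     * @param client       client to update
     * @param preferences  requester preferences, currently unused
     * @param valid        valid values per attribute, from the attribute sources
     * @param defaults     default selection per attribute, from the attribute sources
     */
    private static void handleQueue(Client client, Map<String, String[]> preferences, Map<String, String[]> valid, Map<String, String[]> defaults) {
        Queue queue = new Queue();
        String[] validQueues = valid.get(IAttributeSource.ATTRIBUTE_QUEUES);
        if (validQueues != null && validQueues.length > 0) {
            queue.setValidQueues(validQueues);
            String[] defaultQueue = defaults.get(IAttributeSource.ATTRIBUTE_QUEUES);
            if (defaultQueue != null && defaultQueue.length > 0) {
                queue.setSelectedQueue(defaultQueue[0]);
            }
        }
        client.setQueue(queue);
    }

    /**
     * Records the subject's VO memberships on the client and, when a VO was
     * selected for the request, verifies membership before activating it.
     *
     * @param selectedVo VO chosen for this request (may be {@code null} for none)
     * @param client     client to update
     * @param valid      valid values per attribute, from the attribute sources
     * @throws SecurityException when a VO was selected but the subject is not a member
     *         of any VO, or not of that VO (fail closed)
     */
    private static void handleVo(String selectedVo, Client client, Map<String, String[]> valid) {
        String[] memberVos = valid.get(IAttributeSource.ATTRIBUTE_VOS);
        if (memberVos != null) {
            client.setVos(memberVos);
        }
        if (selectedVo == null) {
            return;
        }
        if (memberVos == null) {
            String message = "BUG! attribute handlers set a VO for the request, but the user is not member of any VO";
            logger.fatal(message);
            throw new SecurityException(message);
        }
        boolean isMember = false;
        for (String vo : memberVos) {
            if (vo.equals(selectedVo)) {
                isMember = true;
                break;
            }
        }
        if (!isMember) {
            String message = "BUG! attribute handlers set a VO for the request, but the user is not a member of this VO";
            logger.fatal(message);
            throw new SecurityException(message);
        }
        client.setVo(selectedVo);
    }

    /**
     * Populates the client with the static attributes: role and VO from the AIP,
     * plus whatever the registered callbacks extract. The server's own identity
     * gets the {@code server} pseudo-role and skips attribute resolution entirely.
     * Any failure is turned into a {@link SecurityException} (fail closed).
     */
    @SuppressWarnings("unchecked")
    private void assembleClientAttributes(Client client, SecurityTokens securityTokens) {
        if (isServer(client)) {
            client.setRole(new Role("server", "Server self access pseudo-role"));
            return;
        }
        try {
            SubjectAttributesHolder attributes = establishAttributes(securityTokens);
            client.setSubjectAttributes(attributes);
            Map<String, String[]> preferences = (Map<String, String[]>) securityTokens.getContext().get(UserAttributeCallback.USER_PREFERENCES_KEY);
            if (preferences == null) {
                preferences = Collections.emptyMap();
            }
            Map<String, String[]> valid = client.getSubjectAttributes().getValidIncarnationAttributes();
            handleRole(client, preferences, valid, client.getSubjectAttributes().getIncarnationAttributes());
            handleVo(attributes.getSelectedVo(), client, valid);
            for (AttributeHandlingCallback callback : this.attribHandlingCallbacks) {
                Map<String, String> extra = callback.extractAttributes(securityTokens);
                if (extra != null) {
                    client.getExtraAttributes().putAll(extra);
                }
            }
        } catch (Exception e) {
            throw new SecurityException("Exception when getting attributes for the client.", e);
        }
    }

    /**
     * Creates a client from the request's authentication material. Without any
     * authentication material an anonymous client without attributes is returned.
     */
    private Client createSecureClient(SecurityTokens securityTokens) {
        Client client = new Client();
        client.setAuthenticatedClient(securityTokens);
        if (client.getType() == Client.Type.ANONYMOUS) {
            logger.warn("There is no authentication material to create a real client, returning anonymous client.");
            return client;
        }
        assembleClientAttributes(client, securityTokens);
        if (logger.isDebugEnabled()) {
            logger.debug("Client info (after static AIPs):\n" + client.toString());
            try {
                SecurityTokens tokens = client.getSecurityTokens();
                if (tokens != null) {
                    logger.debug("TD Chain length=" + tokens.getTrustDelegationTokens().size());
                }
            } catch (Exception e) {
                logger.debug("No TD.");
            }
        }
        return client;
    }

    /**
     * Creates the {@link Client} for the current request.
     * <ul>
     *   <li>container-internal calls (see {@link #setLocalCall()}) get a local client;</li>
     *   <li>with access control disabled every request gets a plain, attribute-less client;</li>
     *   <li>otherwise the client is built from the security tokens.</li>
     * </ul>
     * A client holding the trusted-agent role is additionally allowed to act on
     * behalf of the user named in the tokens (consignor marked trusted).
     *
     * @param securityTokens tokens of the request; only dereferenced for debug logging
     *        when the client turns out to be a trusted agent
     */
    public Client createClientWithAttributes(SecurityTokens securityTokens) {
        Client client;
        if (isLocalCall()) {
            client = new Client();
            client.setLocalClient();
        } else if (this.securityConfig.isAccessControlEnabled()) {
            client = createSecureClient(securityTokens);
        } else {
            client = new Client();
        }
        if (isTrustedAgent(client)) {
            if (logger.isDebugEnabled()) {
                logger.debug("Accept trusted-agent " + X500NameUtils.getReadableForm(securityTokens.getConsignorName()) + " to work on selected user's behalf " + X500NameUtils.getReadableForm(securityTokens.getUserName()));
            }
            securityTokens.setConsignorTrusted(true);
        }
        MDC.put("clientName", client.getDistinguishedName());
        return client;
    }

    public DSignCheck getSignatureChecker() {
        return this.signatureChecker;
    }

    /**
     * Asks the PDP for a decision. Any exception from the PDP is converted into an
     * {@link AuthorisationException}, i.e. PDP failures deny access.
     */
    private PDPResult.Decision checkAuthzInternal(Client client, ActionDescriptor actionDescriptor, ResourceDescriptor resourceDescriptor) {
        try {
            PDPResult result = this.securityConfig.getPdp().checkAuthorisation(client, actionDescriptor, resourceDescriptor);
            PDPResult.Decision decision = result.getDecision();
            if (decision == PDPResult.Decision.UNCLEAR) {
                logger.warn("The UNICORE/X PDP was unable to make a definitive decision, check your policy files and consult other log messages.");
            }
            if (decision == PDPResult.Decision.DENY && logger.isDebugEnabled()) {
                String message = result.getMessage();
                if (message == null || message.length() <= 0) {
                    logger.debug("The UNICORE/X PDP denied the request");
                } else {
                    logger.debug("The UNICORE/X PDP denied the request: " + message);
                }
            }
            return decision;
        } catch (Exception e) {
            throw new AuthorisationException("Access denied due to PDP error: " + e, e);
        }
    }

    /**
     * Enforces the PDP decision: only an explicit PERMIT passes; DENY, UNCLEAR,
     * a missing decision and PDP errors all deny.
     *
     * @throws AuthorisationException when access is not permitted
     */
    public void checkAuthorisation(Client client, ActionDescriptor actionDescriptor, ResourceDescriptor resourceDescriptor) throws AuthorisationException {
        if (checkAuthzInternal(client, actionDescriptor, resourceDescriptor) == PDPResult.Decision.PERMIT) {
            return;
        }
        String message = "Access denied for " + client.getDistinguishedName() + " on resource " + resourceDescriptor;
        logger.info(message);
        throw new AuthorisationException(message);
    }

    /**
     * Non-throwing read-access probe used e.g. for listing resources. Always
     * {@code true} when access control is disabled or the client is the server itself.
     */
    public boolean isAccessible(Client client, String str, String str2, String str3, Map<String, Set<OperationType>> map) throws Exception {
        if (this.securityConfig.isAccessControlEnabled() && !isServer(client)) {
            return checkAuthzInternal(client, new ActionDescriptor(UNKNOWN_ACTION, OperationType.read), new ResourceDescriptor(str, str2, str3, map)) == PDPResult.Decision.PERMIT;
        }
        return true;
    }

    /**
     * Second attribute phase: merges the dynamic attribute source's result into
     * the client's attributes and then derives xlogin/groups and queue. Skipped
     * for the server's own identity. Failures of the dynamic source are converted
     * into a {@link SecurityException} (fail closed).
     */
    @SuppressWarnings("unchecked")
    public void collectDynamicAttributes(Client client) {
        if (isServer(client)) {
            return;
        }
        SecurityTokens securityTokens = client.getSecurityTokens();
        SubjectAttributesHolder subjectAttributes = client.getSubjectAttributes();
        IDynamicAttributeSource dap = this.securityConfig.getDap();
        if (!(dap instanceof NullAttributeSource)) {
            try {
                SubjectAttributesHolder dynamicAttributes = dap.getAttributes(client, subjectAttributes);
                if (logger.isDebugEnabled()) {
                    logger.debug("Client's dynamic attributes:\n" + dynamicAttributes);
                }
                // Merge the dynamic result into the static attributes; dynamic values
                // are the "last" set and therefore win on conflicts.
                new BaseAttributeSourcesChain.MergeLastOverrides().combineAttributes(subjectAttributes, dynamicAttributes);
            } catch (Exception e) {
                throw new SecurityException("Exception when getting dynamic attributes for the client.", e);
            }
        }
        Map<String, String[]> preferences = (Map<String, String[]>) securityTokens.getContext().get(UserAttributeCallback.USER_PREFERENCES_KEY);
        if (preferences == null) {
            preferences = Collections.emptyMap();
        }
        Map<String, String[]> valid = client.getSubjectAttributes().getValidIncarnationAttributes();
        Map<String, String[]> defaults = client.getSubjectAttributes().getIncarnationAttributes();
        handleXlogin(client, preferences, valid, defaults);
        handleQueue(client, preferences, valid, defaults);
        if (logger.isDebugEnabled()) {
            logger.debug("Client info (final):\n" + client.toString());
        }
    }

    /**
     * Marks the current thread as performing a container-internal call; such calls
     * get a local client and bypass access control. Always pair with
     * {@link #clearLocalCall()} in a {@code finally} block.
     */
    public static void setLocalCall() {
        localCalls.set(Boolean.TRUE);
    }

    /** Clears the local-call marker and drops the thread-local entry entirely. */
    public static void clearLocalCall() {
        localCalls.remove();
    }

    public static boolean isLocalCall() {
        return Boolean.TRUE.equals(localCalls.get());
    }

    /** @return the container's own certificate, or {@code null} when no credential is configured */
    public X509Certificate getServerCert() {
        if (this.securityConfig.getCredential() != null) {
            return this.securityConfig.getCredential().getCertificate();
        }
        return null;
    }

    /** @return the container's subject DN in RFC 2253 form, or {@code null} without a credential */
    public String getServerIdentity() {
        X509Certificate serverCert = getServerCert();
        if (serverCert != null) {
            return serverCert.getSubjectX500Principal().getName();
        }
        return null;
    }

    /**
     * Whether the client is the container itself. The decision is by subject DN
     * equality only, so any certificate chaining to a trusted CA with the same
     * subject DN as the server credential is treated as the server (and thus
     * gets the {@code server} pseudo-role and passes {@link #isAccessible}).
     *
     * @throws IllegalArgumentException when {@code client} is {@code null}
     */
    public boolean isServer(Client client) {
        if (client == null) {
            throw new IllegalArgumentException("client can not be null");
        }
        X509Certificate serverCert = getServerCert();
        if (serverCert == null) {
            return false;
        }
        String serverDn = serverCert.getSubjectX500Principal().getName();
        if (logger.isTraceEnabled()) {
            logger.trace("Check server=<" + X500NameUtils.getReadableForm(serverCert.getSubjectX500Principal()) + ">  vs client=<" + X500NameUtils.getReadableForm(client.getDistinguishedName()) + ">");
        }
        return X500NameUtils.equal(serverDn, client.getDistinguishedName());
    }

    /** DN-based variant of {@link #isServer(Client)}; {@code false} without a credential. */
    public boolean isServer(String str) {
        X509Certificate serverCert = getServerCert();
        if (serverCert == null) {
            return false;
        }
        return X500NameUtils.equal(serverCert.getSubjectX500Principal(), str);
    }

    /**
     * Whether the client's active role is the trusted-agent role. Any failure
     * (e.g. no role set) is logged and counts as "not a trusted agent".
     */
    private static boolean isTrustedAgent(Client client) {
        try {
            return IAttributeSource.ROLE_TRUSTED_AGENT.equals(client.getRole().getName());
        } catch (Exception e) {
            Log.logException("Could not check whether client is trusted agent.", e, logger);
            return false;
        }
    }

    public OperationTypesUtil getOperationTypesUtil() {
        return this.operationTypesUtil;
    }
}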
