package org.opensciencegrid.authz.service;

import gplazma.gplazmalite.storageauthzdbService.DCacheSRMauthzRecordsService;
import gplazma.gplazmalite.storageauthzdbService.StorageAuthorizationRecord;
import java.io.IOException;
import java.net.URL;
import java.util.ArrayList;
import java.util.Iterator;
import org.apache.axis.MessageContext;
import org.apache.log4j.Category;
import org.opensaml.SAMLAction;
import org.opensaml.SAMLException;
import org.opensaml.SAMLSubject;
import org.opensciencegrid.authz.client.GRIDIdentityMappingServiceClient;
import org.opensciencegrid.authz.common.GridId;
import org.opensciencegrid.authz.common.LocalId;
import org.opensciencegrid.authz.common.OSGAuthorizationConstants;
import org.opensciencegrid.authz.saml.XACMLObligation;
import org.opensciencegrid.authz.service.SAMLAuthZServiceBase;

/* loaded from: input_file:org/opensciencegrid/authz/service/StorageAuthorizationServiceImpl.class */
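/**
 * SAML authorization service that maps a grid identity (subject DN, host DN and an
 * optional VOMS FQAN) to a local storage identity.
 *
 * <p>The mapping itself is delegated to an external identity-mapping service
 * ({@link GRIDIdentityMappingServiceClient}); the returned {@link LocalId} is then
 * overlaid with the local storage policy ({@code storage-authzdb}) before it is turned
 * into XACML obligations.
 *
 * <p>Decision model, as implemented below: a mapping-service failure raises
 * {@link SAMLException} (fail closed); a {@code null} mapping is {@code Deny}; a mapped
 * identity whose storage-policy lookup fails is {@code Indeterminate}.
 *
 * <p>Not thread-safe with respect to the mutable SSL settings and
 * {@code identityMappingServiceContact}, which are plain instance fields.
 */
public class StorageAuthorizationServiceImpl extends SAMLAuthZServiceBase {
    // Decision strings placed in AuthzDecision.decision and XACMLObligation; consumers
    // compare these literally, so they must stay exactly as spelled here.
    private static final String PERMIT = "Permit";
    private static final String DENY = "Deny";
    private static final String INDETERMINATE = "Indeterminate";

    // Axis deployment: the service named below carries the "gumsurl" option that
    // points at the identity-mapping service.
    private static final String AXIS_SERVICE_NAME = "StorageAuthorizationServicePort";
    private static final String GUMS_URL_OPTION = "gumsurl";

    // Priority assigned to every mapped identity; no other value is produced here.
    private static final String DEFAULT_PRIORITY = "default";

    static Category log;
    protected String serviceIdentity = "Simple Storage Authorization Service";
    // Resolved from the Axis service option on every authorize() call; null until then.
    private String identityMappingServiceContact = null;
    private String storagePolicyFile = "/etc/grid-security/storage-authzdb";
    private String sslKey = "/etc/grid-security/hostkey.pem";
    private String sslCertfile = "/etc/grid-security/hostcert.pem";
    private String sslCAFiles = "/etc/grid-security/certificates/*.0";
    // Secret: never written to the log (only its presence is logged, see setSslProperties).
    private String sslKeyPasswd;
    // null if the policy file could not be loaded in the constructor; every later
    // policy lookup then fails and the decision becomes Indeterminate.
    private DCacheSRMauthzRecordsService dcacheSrmRecords;
    // Legacy class-literal cache from the javac -target 1.4 idiom; kept for binary
    // compatibility, no longer used by this class.
    static Class class$org$opensciencegrid$authz$service$StorageAuthorizationServiceImpl;

    /**
     * Loads the storage policy from {@code storagePolicyFile}.
     *
     * <p>A load failure is logged and leaves {@code dcacheSrmRecords} null; it is not
     * fatal so the service can still answer, reporting Indeterminate for mapped users
     * (see {@link #applyStoragePolicy(LocalId)}).
     */
    public StorageAuthorizationServiceImpl() {
        try {
            this.dcacheSrmRecords = new DCacheSRMauthzRecordsService(this.storagePolicyFile);
        } catch (IOException e) {
            log.error("Unable to load DCache Storage Policy from " + this.storagePolicyFile
                    + " Exception: " + e, e);
        }
    }

    /**
     * Answers a SAML authorization query for the single supported action
     * {@code access_as_local_identity}.
     *
     * @param sAMLSubject the requesting subject; its name identifier is used as the user DN
     * @param str the DN of the host on whose behalf the request is made
     * @param it iterator over the requested {@link SAMLAction}s
     * @param it2 iterator over the subject's evidence (searched for a VOMS FQAN)
     * @return a decision whose {@code decision} is Permit, Deny or Indeterminate; obligations
     *         are attached whenever the mapping service returned an identity
     * @throws SAMLException if the subject has no name identifier, or if the mapping
     *         service cannot be contacted or answers with an error (fail closed)
     */
    @Override
    protected SAMLAuthZServiceBase.AuthzDecision authorize(SAMLSubject sAMLSubject, String str, Iterator it, Iterator it2) throws SAMLException {
        log.debug("entered authorize method of: " + this.serviceIdentity);
        SAMLAuthZServiceBase.AuthzDecision authzDecision = new SAMLAuthZServiceBase.AuthzDecision(this);
        authzDecision.issuer = this.serviceIdentity;
        log.debug("This service supports only the following action: access_as_local_identity");
        ArrayList permissibleActions = locatePermissibleActions(it, supportedActions());
        authzDecision.actions = permissibleActions;
        if (permissibleActions == null) {
            log.debug("No supported action was requested, responding with indeterminate");
            authzDecision.decision = INDETERMINATE;
            log.debug("Setting actions to mapping action, obligations to null");
            authzDecision.actions = supportedActions();
            authzDecision.obligations = null;
            return authzDecision;
        }
        log.debug("Supported action is requested");
        GridId gridId = buildGridId(sAMLSubject, str, it2);
        log.debug("Request mapping from mapping service");
        try {
            setSslProperties();
            // The contact URL is read from the Axis deployment on every call so that a
            // redeploy with a new "gumsurl" takes effect without a restart.
            this.identityMappingServiceContact = (String) MessageContext.getCurrentContext()
                    .getAxisEngine().getService(AXIS_SERVICE_NAME).getOption(GUMS_URL_OPTION);
            log.debug("Identity mapping service contact: " + this.identityMappingServiceContact);
            LocalId mapCredentials = new GRIDIdentityMappingServiceClient(
                    new URL(this.identityMappingServiceContact)).mapCredentials(gridId);
            if (mapCredentials == null) {
                log.debug("Received DENY decision from mapping service");
                authzDecision.decision = DENY;
                return authzDecision;
            }
            log.debug("Received PERMIT decision from mapping service");
            authzDecision.decision = PERMIT;
            if (!applyStoragePolicy(mapCredentials)) {
                // NOTE(review): obligations are still attached below even though the
                // decision is Indeterminate; authorize_local_id() returns null in the
                // same situation. Kept as-is because downstream consumers may rely on it.
                authzDecision.decision = INDETERMINATE;
            }
            authzDecision.obligations = createObligations(mapCredentials);
        } catch (Exception e2) {
            // Any failure on the mapping path (bad/missing URL, transport error, Axis
            // context missing) is reported as an exception rather than a decision.
            String message = "Error contacting mapping service at " + this.identityMappingServiceContact;
            log.error(message, e2);
            throw new SAMLException(message);
        }
        return authzDecision;
    }

    /**
     * Maps the subject directly to a {@link LocalId} using an explicit mapping-service URL.
     *
     * <p>Unlike {@link #authorize}, the requested actions are not inspected: this entry
     * point always performs the {@code access_as_local_identity} mapping.
     *
     * @param sAMLSubject the requesting subject; its name identifier is used as the user DN
     * @param str the DN of the host on whose behalf the request is made
     * @param it iterator over the requested actions (accepted for signature parity; unused)
     * @param it2 iterator over the subject's evidence (searched for a VOMS FQAN)
     * @param url address of the identity-mapping service
     * @return the mapped identity with storage-policy attributes applied, or {@code null}
     *         if the mapping service denied the request or the storage policy could not
     *         be evaluated
     * @throws SAMLException if the subject has no name identifier or the mapping service
     *         cannot be contacted
     */
    public LocalId authorize_local_id(SAMLSubject sAMLSubject, String str, Iterator it, Iterator it2, URL url) throws SAMLException {
        log.debug("entered authorize_local_id method of: " + this.serviceIdentity);
        log.debug("This service supports only the following action: access_as_local_identity");
        GridId gridId = buildGridId(sAMLSubject, str, it2);
        log.debug("Request mapping from mapping service");
        LocalId mapCredentials;
        try {
            log.debug("Identity mapping service contact: " + url);
            setSslProperties();
            mapCredentials = new GRIDIdentityMappingServiceClient(url).mapCredentials(gridId);
        } catch (Exception e2) {
            log.error("Error contacting mapping service at " + url, e2);
            throw new SAMLException("Error contacting mapping service at " + url + " " + e2.getMessage());
        }
        if (mapCredentials == null) {
            log.debug("Received DENY decision from mapping service");
            return null;
        }
        log.debug("Received PERMIT decision from mapping service");
        if (!applyStoragePolicy(mapCredentials)) {
            return null;
        }
        return mapCredentials;
    }

    /**
     * Returns a fresh single-element action list holding the only supported action.
     */
    private static ArrayList supportedActions() {
        ArrayList actions = new ArrayList(1);
        actions.add(new SAMLAction(OSGAuthorizationConstants.AUTHZ_NS, OSGAuthorizationConstants.ACCESS_AS_LOCAL_ID));
        return actions;
    }

    /**
     * Builds the {@link GridId} sent to the mapping service from the subject, the host DN
     * and the VOMS FQAN found in the subject's evidence, if any.
     *
     * @throws SAMLException if the subject carries no name identifier (previously a
     *         NullPointerException escaped from the service)
     */
    private GridId buildGridId(SAMLSubject subject, String hostDN, Iterator evidence) throws SAMLException {
        if (subject == null || subject.getName() == null) {
            throw new SAMLException("Subject carries no name identifier; cannot build grid identity");
        }
        log.debug("Checking if VOMS attribute (FQAN) is present in Subject Evidence");
        SAMLAuthZServiceBase.FQAN fqan = findFQANinSubjectEvidence(evidence, subject);
        if (fqan != null) {
            log.debug("found VOMS attribute with data \"" + fqan.data + "\" from \"" + fqan.issuer + "\"");
        } else {
            log.debug("no VOMS attribute found in Subject evidence");
        }
        GridId gridId = new GridId();
        gridId.setUserDN(subject.getName().getName());
        gridId.setHostDN(hostDN);
        if (fqan != null) {
            gridId.setUserFQAN(fqan.data);
            gridId.setUserFQANIssuer(fqan.issuer);
        }
        return gridId;
    }

    /**
     * Overlays the local storage policy onto a mapped identity.
     *
     * <p>If {@code storage-authzdb} has a record for the mapped user name, its paths,
     * read-only flag, UID and GID replace what the mapping service returned. The
     * priority is always set to {@value #DEFAULT_PRIORITY}.
     *
     * @param mapCredentials identity returned by the mapping service; mutated in place
     * @return {@code true} on success, {@code false} if the policy could not be evaluated
     *         (including the case where the policy file never loaded, leaving
     *         {@code dcacheSrmRecords} null). The failure is logged here.
     */
    private boolean applyStoragePolicy(LocalId mapCredentials) {
        try {
            StorageAuthorizationRecord storageUserRecord =
                    this.dcacheSrmRecords.getStorageUserRecord(mapCredentials.getUserName());
            if (storageUserRecord != null) {
                log.debug("Local username found in storage system policy -  overriding prima response");
                mapCredentials.setRootPath(storageUserRecord.Root);
                mapCredentials.setRelativeHomePath(storageUserRecord.Home);
                mapCredentials.setFSRootPath(storageUserRecord.FsRoot);
                mapCredentials.setReadOnlyFlag(storageUserRecord.ReadOnly);
                mapCredentials.setUID(Integer.valueOf(storageUserRecord.UID));
                mapCredentials.setGID(Integer.valueOf(storageUserRecord.GID));
            }
            mapCredentials.setPriority(DEFAULT_PRIORITY);
            log.debug("Storage policy attributes/obligations are: " + mapCredentials);
            return true;
        } catch (Exception e) {
            log.error("Error evaluating storage policy, storage-authzdb exists but could not be read, exception: " + e, e);
            return false;
        }
    }

    /**
     * Converts a mapped identity into the XACML obligations returned with a decision.
     *
     * <p>One obligation is emitted per non-null attribute; the read-only obligation is
     * emitted only when the flag is set. Supplemental group names are joined with single
     * spaces into one obligation.
     *
     * @param localId mapped identity (must not be null)
     * @return the obligations, or {@code null} if the identity carries no attributes at
     *         all (callers test for null)
     * @throws SAMLException propagated from {@link XACMLObligation} construction
     */
    private ArrayList createObligations(LocalId localId) throws SAMLException {
        ArrayList obligations = new ArrayList();
        String userName = localId.getUserName();
        if (userName != null) {
            obligations.add(new XACMLObligation(OSGAuthorizationConstants.USERIDOBLIGATION, PERMIT, OSGAuthorizationConstants.USERIDATTRIBUTE, OSGAuthorizationConstants.STRINGDATATYPE, userName));
        }
        String groupName = localId.getGroupName();
        if (groupName != null) {
            obligations.add(new XACMLObligation(OSGAuthorizationConstants.GROUPIDOBLIGATION, PERMIT, OSGAuthorizationConstants.GROUPIDATTRIBUTE, OSGAuthorizationConstants.STRINGDATATYPE, groupName));
        }
        String[] supplementalGroupNames = localId.getSupplementalGroupNames();
        // Length check avoids an ArrayIndexOutOfBoundsException on an empty array.
        if (supplementalGroupNames != null && supplementalGroupNames.length > 0) {
            obligations.add(new XACMLObligation(OSGAuthorizationConstants.SUPGROUPIDSOBLIGATION, PERMIT, OSGAuthorizationConstants.SUPGROUPIDSATTRIBUTE, OSGAuthorizationConstants.STRINGDATATYPE, joinWithSpaces(supplementalGroupNames)));
        }
        String rootPath = localId.getRootPath();
        if (rootPath != null) {
            obligations.add(new XACMLObligation(OSGAuthorizationConstants.ROOTPATHOBLIGATION, PERMIT, OSGAuthorizationConstants.ROOTPATHATTRIBUTE, OSGAuthorizationConstants.STRINGDATATYPE, rootPath));
        }
        String relativeHomePath = localId.getRelativeHomePath();
        if (relativeHomePath != null) {
            obligations.add(new XACMLObligation(OSGAuthorizationConstants.RELHOMEPATHOBLIGATION, PERMIT, OSGAuthorizationConstants.RELHOMEPATHATTRIBUTE, OSGAuthorizationConstants.STRINGDATATYPE, relativeHomePath));
        }
        String fsRootPath = localId.getFSRootPath();
        if (fsRootPath != null) {
            obligations.add(new XACMLObligation(OSGAuthorizationConstants.FSROOTPATHOBLIGATION, PERMIT, OSGAuthorizationConstants.FSROOTPATHATTRIBUTE, OSGAuthorizationConstants.STRINGDATATYPE, fsRootPath));
        }
        String priority = localId.getPriority();
        if (priority != null) {
            obligations.add(new XACMLObligation(OSGAuthorizationConstants.PRIORITYOBLIGATION, PERMIT, OSGAuthorizationConstants.PRIORITYATTRIBUTE, OSGAuthorizationConstants.STRINGDATATYPE, priority));
        }
        if (localId.getReadOnlyFlag()) {
            obligations.add(new XACMLObligation(OSGAuthorizationConstants.READONLYOBLIGATION, PERMIT, OSGAuthorizationConstants.READONLYATTRIBUTE, OSGAuthorizationConstants.BOOLDATATYPE, "true"));
        }
        Integer uid = localId.getUID();
        if (uid != null) {
            obligations.add(new XACMLObligation(OSGAuthorizationConstants.UIDOBLIGATION, PERMIT, OSGAuthorizationConstants.UIDATTRIBUTE, OSGAuthorizationConstants.INTDATATYPE, uid.toString()));
        }
        Integer gid = localId.getGID();
        if (gid != null) {
            obligations.add(new XACMLObligation(OSGAuthorizationConstants.GIDOBLIGATION, PERMIT, OSGAuthorizationConstants.GIDATTRIBUTE, OSGAuthorizationConstants.INTDATATYPE, gid.toString()));
        }
        if (obligations.isEmpty()) {
            return null;
        }
        return obligations;
    }

    /**
     * Joins names with single spaces.
     *
     * <p>The original code called {@code String.concat} and discarded the result, so only
     * the first supplemental group ever reached the obligation; the builder below keeps
     * every element.
     *
     * @param names non-empty array of names
     * @return {@code names[0] + " " + names[1] + ...}
     */
    private static String joinWithSpaces(String[] names) {
        StringBuffer joined = new StringBuffer().append(names[0]);
        for (int i = 1; i < names.length; i++) {
            joined.append(' ').append(names[i]);
        }
        return joined.toString();
    }

    /**
     * Publishes the SSL client settings to the JVM-wide system properties read by the
     * gLite trustmanager Axis socket factory.
     *
     * <p>Because these are process-global properties, the key password (when set) is
     * readable by any code in the same JVM; only its presence, never its value, is logged.
     * Properties whose getter returns null are left untouched.
     */
    private void setSslProperties() {
        System.setProperty("axis.socketSecureFactory", "org.glite.security.trustmanager.axis.AXISSocketFactory");
        log.debug(describeSslProperties("old"));
        if (getSslCAFiles() != null) {
            System.setProperty("sslCAFiles", getSslCAFiles());
        }
        if (getSslCertfile() != null) {
            System.setProperty("sslCertfile", getSslCertfile());
        }
        if (getSslKey() != null) {
            System.setProperty("sslKey", getSslKey());
        }
        if (getSslKeyPasswd() != null) {
            System.setProperty("sslKeyPasswd", getSslKeyPasswd());
        }
        log.debug(describeSslProperties("new"));
    }

    /**
     * Formats the SSL settings for a debug line; the password itself is deliberately
     * not included, only whether it is set.
     */
    private String describeSslProperties(String label) {
        return "SSL properties (" + label + "): sslCAFiles='" + getSslCAFiles()
                + "' sslCertfile='" + getSslCertfile()
                + "' sslKey='" + getSslKey()
                + "' sslKeyPasswd set:" + (getSslKeyPasswd() != null) + "'";
    }

    /** @return path of the PEM private key used for the mapping-service connection */
    public String getSslKey() {
        return this.sslKey;
    }

    /** @param str path of the PEM private key */
    public void setSslKey(String str) {
        this.sslKey = str;
    }

    /** @return path of the PEM client certificate */
    public String getSslCertfile() {
        return this.sslCertfile;
    }

    /** @param str path of the PEM client certificate */
    public void setSslCertfile(String str) {
        this.sslCertfile = str;
    }

    /** @return glob of trusted CA certificate files */
    public String getSslCAFiles() {
        return this.sslCAFiles;
    }

    /** @param str glob of trusted CA certificate files */
    public void setSslCAFiles(String str) {
        this.sslCAFiles = str;
    }

    /** @return the private-key password, or null if the key is unencrypted; do not log */
    public String getSslKeyPasswd() {
        return this.sslKeyPasswd;
    }

    /** @param str the private-key password; exported as a system property on use */
    public void setSslKeyPasswd(String str) {
        this.sslKeyPasswd = str;
    }

    /**
     * Legacy class-literal helper from the javac -target 1.4 idiom; kept for binary
     * compatibility. Wraps {@link ClassNotFoundException} in {@link NoClassDefFoundError}
     * with the cause preserved.
     */
    static Class class$(String str) {
        try {
            return Class.forName(str);
        } catch (ClassNotFoundException e) {
            NoClassDefFoundError error = new NoClassDefFoundError(str);
            error.initCause(e);
            throw error;
        }
    }

    static {
        log = Category.getInstance(StorageAuthorizationServiceImpl.class.getName());
    }
}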
