package org.opensciencegrid.authz.client;

import java.net.URL;
import java.rmi.RemoteException;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Date;
import java.util.Iterator;
import javax.xml.rpc.ServiceException;
import org.apache.axis.client.Stub;
import org.apache.axis.message.MessageElement;
import org.apache.log4j.Category;
import org.globus.gsi.gssapi.GlobusGSSCredentialImpl;
import org.globus.wsrf.impl.security.authorization.NoAuthorization;
import org.opensaml.QName;
import org.opensaml.SAMLAction;
import org.opensaml.SAMLAssertion;
import org.opensaml.SAMLAttribute;
import org.opensaml.SAMLAttributeStatement;
import org.opensaml.SAMLAuthorizationDecisionQuery;
import org.opensaml.SAMLAuthorizationDecisionStatement;
import org.opensaml.SAMLException;
import org.opensaml.SAMLNameIdentifier;
import org.opensaml.SAMLRequest;
import org.opensaml.SAMLResponse;
import org.opensaml.SAMLSubject;
import org.opensciencegrid.authz.common.LocalId;
import org.opensciencegrid.authz.common.OSGAuthorizationConstants;
import org.opensciencegrid.authz.saml.ObligatedAuthorizationDecisionStatement;
import org.opensciencegrid.authz.saml.SAMLExtensionInit;
import org.opensciencegrid.authz.saml.SAMLUtil;
import org.opensciencegrid.authz.saml.XACMLObligation;
import org.opensciencegrid.authz.stubs.AuthorizationServiceLocator;
import org.opensciencegrid.authz.stubs.SAMLRequestType;
import org.opensciencegrid.authz.stubs.SAMLResponseType;
import org.w3c.dom.Element;

/* loaded from: input_file:org/opensciencegrid/authz/client/SAMLAuthZClientBase.class */
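public class SAMLAuthZClientBase {
    static Category log;
    private GlobusGSSCredentialImpl globusCredentials;
    static Class class$org$opensciencegrid$authz$client$SAMLAuthZClientBase;

    /**
     * Name-identifier format sent for X.509 subject names. Kept byte-for-byte as shipped
     * (note the "osasis" spelling and missing colon) because the service side may compare it
     * literally; it is NOT the standard
     * {@code urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName} URI.
     */
    private static final String X509_SUBJECT_NAME_FORMAT = "urn:osasis:names:tc:SAML:1.1nameid-format:X509SubjectName";
    /** Subject confirmation method attached to every subject built here. */
    private static final String X509_PKI_CONFIRMATION_METHOD = "urn:oasis:names:tc:SAML:1.0:am:X509-PKI";
    /** Fixed DN used by the unimplemented GSS path; never an authenticated identity. */
    private static final String PLACEHOLDER_GSS_SUBJECT = "/CN=Dummy Subject";
    /** SAML decision value that grants access; also the only FulfillOn value honoured for obligations. */
    private static final String DECISION_PERMIT = "Permit";
    /** Name of the attribute that carries the FQAN in the evidence assertion. */
    private static final String FQAN_ATTRIBUTE_NAME = "FQAN";

    /**
     * Builds a SAML subject whose name identifier is the given X.509 subject name.
     *
     * @param str X.509 subject DN to use as the name identifier
     * @return the subject, or {@code null} (after logging an error) when {@code str} is null or empty
     * @throws SAMLException if the OpenSAML objects cannot be constructed
     */
    public SAMLSubject getSAMLSubjectFromString(String str) throws SAMLException {
        if (str == null || str.length() == 0) {
            log.error("The subjectName parameter must not be null or empty");
            return null;
        }
        log.debug("Creating SAMLSubject from string: " + str);
        return buildX509Subject(str);
    }

    /**
     * Placeholder for deriving the subject from the peer's GSS credential.
     * Not implemented: {@code str} is ignored and a fixed dummy DN is used, so the returned
     * subject must not be treated as an authenticated identity.
     *
     * @param str ignored
     * @return a subject built from {@link #PLACEHOLDER_GSS_SUBJECT}
     * @throws SAMLException if the OpenSAML objects cannot be constructed
     */
    public SAMLSubject getSAMLSubjectFromGSS(String str) throws SAMLException {
        log.debug("Creating SAMLSubject from peer certificate subject (not implemented): " + PLACEHOLDER_GSS_SUBJECT);
        return buildX509Subject(PLACEHOLDER_GSS_SUBJECT);
    }

    /**
     * Wraps {@code subjectName} in a SAMLSubject using the X.509 name format and the
     * X509-PKI confirmation method. Shared by both public subject factories.
     */
    private SAMLSubject buildX509Subject(String subjectName) throws SAMLException {
        SAMLNameIdentifier nameId = new SAMLNameIdentifier(subjectName, "", X509_SUBJECT_NAME_FORMAT);
        ArrayList confirmationMethods = new ArrayList(1);
        confirmationMethods.add(X509_PKI_CONFIRMATION_METHOD);
        log.debug("Subject name " + subjectName + " nameQualifier " + "" + " format " + X509_SUBJECT_NAME_FORMAT);
        return new SAMLSubject(nameId, confirmationMethods, (Element) null, (Object) null);
    }

    /**
     * Returns the single action this client asks for: "access as local id" in the OSG authz namespace.
     *
     * @return a one-element list holding the mapping action
     * @throws SAMLException if the action cannot be constructed
     */
    public ArrayList createMappingActions() throws SAMLException {
        ArrayList actions = new ArrayList(1);
        actions.add(new SAMLAction(OSGAuthorizationConstants.AUTHZ_NS, OSGAuthorizationConstants.ACCESS_AS_LOCAL_ID));
        return actions;
    }

    /**
     * Builds the evidence list for a query: one assertion, issued by {@code str}, carrying an
     * attribute statement that asserts the FQAN {@code str2} about a clone of {@code sAMLSubject}.
     *
     * @param sAMLSubject subject the FQAN is asserted about; a clone is attached so the caller's
     *                    instance stays unshared
     * @param str         FQAN issuer, becomes the assertion issuer
     * @param str2        the FQAN value
     * @return a one-element evidence list, or {@code null} (after a warning) when any input is missing
     * @throws SAMLException               if the OpenSAML objects cannot be constructed
     * @throws CloneNotSupportedException  if the subject cannot be cloned
     */
    public ArrayList createFQANEvidenceFromString(SAMLSubject sAMLSubject, String str, String str2) throws SAMLException, CloneNotSupportedException {
        if (str2 == null || str2.length() == 0 || str == null || str.length() == 0) {
            log.warn("fqan and fqanIssuer information must be provided for evidence element to be created");
            return null;
        }
        if (sAMLSubject == null) {
            log.warn("A subject must be provided for evidence element to be created");
            return null;
        }
        log.debug("Creating Evidence based on FQAN String: " + str2 + " from: " + str);
        ArrayList fqanValues = new ArrayList(1);
        fqanValues.add(str2);
        SAMLAttribute fqanAttribute = new SAMLAttribute(FQAN_ATTRIBUTE_NAME, OSGAuthorizationConstants.AUTHZ_NS, (QName) null, 0L, fqanValues);
        ArrayList attributes = new ArrayList(1);
        attributes.add(fqanAttribute);
        SAMLAttributeStatement statement = new SAMLAttributeStatement((SAMLSubject) sAMLSubject.clone(), attributes);
        ArrayList statements = new ArrayList(1);
        statements.add(statement);
        // NOTE(review): notBefore and notOnOrAfter are the same instant, as in the original;
        // presumably the service does not enforce the evidence validity window — confirm.
        Date now = new Date();
        ArrayList evidence = new ArrayList(1);
        evidence.add(new SAMLAssertion(str, now, now, (Collection) null, (Collection) null, statements));
        return evidence;
    }

    /**
     * Not implemented: FQAN evidence cannot yet be derived from a GSS credential.
     *
     * @param str ignored
     * @return always {@code null}
     */
    public ArrayList createFQANEvidenceFromGSS(String str) {
        return null;
    }

    /**
     * Sends an authorization decision query to the service at {@code url} and returns the
     * decision statement from the response.
     * <p>
     * The response is accepted only if its InResponseTo equals the id of the request sent.
     * Only the first assertion and its first statement are inspected; any further assertions or
     * statements are ignored. No assertion-level signature check is performed in this method —
     * presumably the GSI transport is relied upon for authenticity; confirm before deploying.
     *
     * @param sAMLSubject subject to be authorized
     * @param arrayList   evidence assertions (may be null)
     * @param arrayList2  requested actions
     * @param str         resource the decision is requested for
     * @param url         endpoint of the authorization service
     * @return the decision statement, or {@code null} (after logging an error) when the response
     *         is missing, malformed, not tied to this request, or carries no decision statement
     * @throws SAMLException    on SAML (un)marshalling problems
     * @throws ServiceException if the service port cannot be obtained
     * @throws RemoteException  on transport failure
     * @throws Exception        propagated from the underlying stack
     */
    public SAMLAuthorizationDecisionStatement queryAuthZService(SAMLSubject sAMLSubject, ArrayList arrayList, ArrayList arrayList2, String str, URL url) throws SAMLException, ServiceException, RemoteException, Exception {
        // Assumed to register the OSG SAML extension types used below — confirm against SAMLExtensionInit.
        SAMLExtensionInit.init();
        SAMLAuthorizationDecisionQuery query = new SAMLAuthorizationDecisionQuery(sAMLSubject, str, arrayList2, arrayList);
        ArrayList respondWith = new ArrayList(2);
        respondWith.add(OSGAuthorizationConstants.AUTHZDECISIONSTATEMENT);
        respondWith.add(OSGAuthorizationConstants.OBLIGATEDAUTHZDECISIONSTATEMENT);
        SAMLRequest request = new SAMLRequest(respondWith, query, (Collection) null, (Collection) null);
        SAMLRequestType requestEnvelope = new SAMLRequestType();
        requestEnvelope.set_any(new MessageElement[]{new MessageElement((Element) request.toDOM())});
        log.debug("Sending SAML query/request to " + url + " " + request);
        Stub port = new AuthorizationServiceLocator().getAuthorizationServicePort(url);
        if (getGlobusCredentials() != null) {
            log.debug("Setting Globus GSI credentials on the WS stub.");
            port._setProperty("org.globus.gsi.credentials", getGlobusCredentials());
            // NOTE(review): NoAuthorization turns off client-side authorization of the service's
            // identity; confirm whether a host/self authorization is expected for this endpoint.
            port._setProperty("org.globus.security.authorization", NoAuthorization.getInstance());
        }
        SAMLResponseType responseEnvelope = port.SAMLRequest(requestEnvelope);
        if (responseEnvelope == null) {
            log.error("Authorization query/request failed - received a null response");
            return null;
        }
        // The envelope may carry no payload at all; the original code dereferenced [0] blindly.
        MessageElement[] payload = responseEnvelope.get_any();
        if (payload == null || payload.length == 0 || payload[0] == null) {
            log.error("Authorization query/request failed - response carried no SAML payload");
            return null;
        }
        SAMLResponse response = new SAMLResponse(payload[0].getAsDOM());
        // Bind the response to our request id so an unrelated or replayed response is rejected.
        String inResponseTo = response.getInResponseTo();
        if (inResponseTo == null || !inResponseTo.equals(request.getId())) {
            log.error("Authorization query/request failed - received a bad inResponseTo");
            return null;
        }
        log.debug("Received response corresponding to our request: " + response);
        log.debug("Extracting authorization decision statements from response");
        Iterator assertions = response.getAssertions();
        if (assertions == null || !assertions.hasNext()) {
            log.error("Received response did not contain a SAML Assertion");
            return null;
        }
        Iterator statements = ((SAMLAssertion) assertions.next()).getStatements();
        if (statements == null || !statements.hasNext()) {
            log.error("Received assertion did not contain a SAML statement");
            return null;
        }
        Object first = statements.next();
        if (first instanceof SAMLAuthorizationDecisionStatement || first instanceof ObligatedAuthorizationDecisionStatement) {
            log.debug("Received and returning Authorization Decision Statement");
            return (SAMLAuthorizationDecisionStatement) first;
        }
        log.error("Received statement was not an Authorization Decison Statement");
        return null;
    }

    /**
     * Turns a decision statement into a {@link LocalId}, or {@code null} when the mapping is denied.
     * <p>
     * Mapping is granted only when the decision is Permit, the resource equals {@code str}, the
     * response subject matches {@code sAMLSubject} (per {@link SAMLUtil#samlSubjectMatch}), and
     * every requested action in {@code arrayList} matches a permitted action. For an
     * {@link ObligatedAuthorizationDecisionStatement} the obligations are then applied; any
     * unsupported obligation, or one with an unexpected attributeId/datatype or an unparsable
     * value, denies the whole mapping (fail closed). An empty request-action list is also denied.
     *
     * @param sAMLAuthorizationDecisionStatement statement returned by the service
     * @param str                                resource the decision must refer to
     * @param arrayList                          actions that were requested
     * @param sAMLSubject                        subject that was queried
     * @return the populated local identity, or {@code null} if access is not granted
     */
    public LocalId processAuthzStmt(SAMLAuthorizationDecisionStatement sAMLAuthorizationDecisionStatement, String str, ArrayList arrayList, SAMLSubject sAMLSubject) {
        log.debug("Processing Authorization Decision Statement");
        if (sAMLAuthorizationDecisionStatement == null) {
            log.error("No Authorization Decision Statement to process");
            return null;
        }
        // Constant-first equals keeps a null decision/resource from throwing; both deny.
        if (!DECISION_PERMIT.equals(sAMLAuthorizationDecisionStatement.getDecision())
                || str == null || !str.equals(sAMLAuthorizationDecisionStatement.getResource())) {
            log.debug("Authorization decision is not Permit or Resource does not match");
            return null;
        }
        log.debug("Authorization decision is Permit and Resource matches");
        if (!SAMLUtil.samlSubjectMatch(sAMLSubject, sAMLAuthorizationDecisionStatement.getSubject())) {
            log.warn("Response subject does not match request subject");
            logSubjectMismatchDetails(sAMLSubject, sAMLAuthorizationDecisionStatement.getSubject());
            return null;
        }
        log.debug("Response subject name matches request subject name");
        ArrayList permittedActions = collectPermittedActions(sAMLAuthorizationDecisionStatement);
        if (!allActionsPermitted(arrayList, permittedActions)) {
            log.warn("Authorization decision did not permit requested actions");
            return null;
        }
        log.debug("Authorized actions include requested actions");
        LocalId localId = new LocalId();
        if (sAMLAuthorizationDecisionStatement instanceof ObligatedAuthorizationDecisionStatement) {
            log.debug("Processing Obligations");
            if (!applyObligations((ObligatedAuthorizationDecisionStatement) sAMLAuthorizationDecisionStatement, localId)) {
                return null;
            }
        }
        return localId;
    }

    /** Copies the statement's actions into a list, logging each one at debug level. */
    private static ArrayList collectPermittedActions(SAMLAuthorizationDecisionStatement stmt) {
        ArrayList permitted = new ArrayList();
        Iterator actions = stmt.getActions();
        while (actions != null && actions.hasNext()) {
            SAMLAction action = (SAMLAction) actions.next();
            permitted.add(action);
            log.debug("Authorized action: " + action.getNamespace() + "    " + action.getData());
        }
        return permitted;
    }

    /**
     * True iff every requested action matches (per {@link SAMLUtil#samlActionMatch}) at least one
     * permitted action. A null or empty request list yields false, preserving the original
     * fail-closed behaviour.
     */
    private static boolean allActionsPermitted(ArrayList requested, ArrayList permitted) {
        if (requested == null || requested.isEmpty()) {
            return false;
        }
        for (int i = 0; i < requested.size(); i++) {
            SAMLAction wanted = (SAMLAction) requested.get(i);
            boolean found = false;
            for (int j = 0; j < permitted.size() && !found; j++) {
                found = SAMLUtil.samlActionMatch(wanted, (SAMLAction) permitted.get(j));
            }
            if (!found) {
                return false;
            }
        }
        return true;
    }

    /** Debug-logs which part of the name identifier differs; null-safe so diagnostics never throw. */
    private static void logSubjectMismatchDetails(SAMLSubject requested, SAMLSubject received) {
        SAMLNameIdentifier requestedName = requested == null ? null : requested.getName();
        SAMLNameIdentifier receivedName = received == null ? null : received.getName();
        logComparison("Subject Name", "name", requestedName, receivedName);
        logComparison("Subject Name Qualifier", "name qualifier",
                requestedName == null ? null : requestedName.getNameQualifier(),
                receivedName == null ? null : receivedName.getNameQualifier());
        logComparison("Subject Name Format", "format",
                requestedName == null ? null : requestedName.getFormat(),
                receivedName == null ? null : receivedName.getFormat());
    }

    /** Logs request/response values of one subject component and whether they are equal. */
    private static void logComparison(String label, String what, Object requested, Object received) {
        log.debug("Request  " + label + " " + requested);
        log.debug("Response " + label + " " + received);
        boolean same = requested == null ? received == null : requested.equals(received);
        log.debug("The " + what + " is " + (same ? "equal" : "not equal"));
    }

    /**
     * Applies every obligation of {@code stmt} to {@code localId}.
     * Only obligations with FulfillOn=Permit and a known obligation id are honoured; each must
     * carry the expected attributeId and datatype. Returns {@code false} as soon as any
     * obligation cannot be honoured, in which case the caller must deny the mapping.
     */
    private static boolean applyObligations(ObligatedAuthorizationDecisionStatement stmt, LocalId localId) {
        // LocalId exposes no getters for these two fields, so "seen before" is tracked locally
        // (the original code mistakenly consulted getGroupName() for both).
        boolean sawSupplementalGroups = false;
        boolean sawRootPath = false;
        Iterator obligations = stmt.getXACMLObligations();
        while (obligations != null && obligations.hasNext()) {
            XACMLObligation ob = (XACMLObligation) obligations.next();
            String id = ob.getObligationId();
            if (!DECISION_PERMIT.equals(ob.getFullfillOn())) {
                // A known id with any FulfillOn other than Permit is unsupported, exactly as before.
                log.error("Found unsupported obligation - mapping denied");
                return false;
            }
            if (OSGAuthorizationConstants.USERIDOBLIGATION.equals(id)) {
                log.debug("Found UserId obligation");
                if (localId.getUserName() != null) {
                    log.warn("Warning multiple UserId Obligations, overriding previous");
                }
                if (!hasExpectedShape(ob, OSGAuthorizationConstants.USERIDATTRIBUTE, OSGAuthorizationConstants.STRINGDATATYPE)) {
                    return false;
                }
                localId.setUserName(ob.getValue());
            } else if (OSGAuthorizationConstants.GROUPIDOBLIGATION.equals(id)) {
                log.debug("Found GroupId obligation");
                if (localId.getGroupName() != null) {
                    log.warn("Warning multiple GroupId Obligations, overriding previous");
                }
                if (!hasExpectedShape(ob, OSGAuthorizationConstants.GROUPIDATTRIBUTE, OSGAuthorizationConstants.STRINGDATATYPE)) {
                    return false;
                }
                localId.setGroupName(ob.getValue());
            } else if (OSGAuthorizationConstants.SUPGROUPIDSOBLIGATION.equals(id)) {
                log.debug("Found SupplementalGroupId obligation");
                if (sawSupplementalGroups) {
                    log.warn("Warning multiple SupplementalGroupIds Obligations, overriding previous");
                }
                if (!hasExpectedShape(ob, OSGAuthorizationConstants.SUPGROUPIDSATTRIBUTE, OSGAuthorizationConstants.STRINGDATATYPE)) {
                    return false;
                }
                // Whitespace-separated list of group names.
                localId.setSupplementalGroupNames(ob.getValue().split("\\s"));
                sawSupplementalGroups = true;
            } else if (OSGAuthorizationConstants.ROOTPATHOBLIGATION.equals(id)) {
                log.debug("Found Root Path obligation");
                if (sawRootPath) {
                    log.warn("Warning multiple Root Path Obligations, overriding previous");
                }
                if (!hasExpectedShape(ob, OSGAuthorizationConstants.ROOTPATHATTRIBUTE, OSGAuthorizationConstants.STRINGDATATYPE)) {
                    return false;
                }
                localId.setRootPath(ob.getValue());
                sawRootPath = true;
            } else if (OSGAuthorizationConstants.RELHOMEPATHOBLIGATION.equals(id)) {
                log.debug("Found Relative Home Path obligation");
                if (localId.getRelativeHomePath() != null) {
                    log.warn("Warning multiple Relative Home Path Obligations, overriding previous");
                }
                if (!hasExpectedShape(ob, OSGAuthorizationConstants.RELHOMEPATHATTRIBUTE, OSGAuthorizationConstants.STRINGDATATYPE)) {
                    return false;
                }
                localId.setRelativeHomePath(ob.getValue());
            } else if (OSGAuthorizationConstants.FSROOTPATHOBLIGATION.equals(id)) {
                log.debug("Found FS Root Path obligation");
                if (localId.getFSRootPath() != null) {
                    log.warn("Warning multiple FS Root Path Obligations, overriding previous");
                }
                if (!hasExpectedShape(ob, OSGAuthorizationConstants.FSROOTPATHATTRIBUTE, OSGAuthorizationConstants.STRINGDATATYPE)) {
                    return false;
                }
                localId.setFSRootPath(ob.getValue());
            } else if (OSGAuthorizationConstants.PRIORITYOBLIGATION.equals(id)) {
                log.debug("Found Priority obligation");
                if (localId.getPriority() != null) {
                    log.warn("Warning multiple Priority Obligations, overriding previous");
                }
                if (!hasExpectedShape(ob, OSGAuthorizationConstants.PRIORITYATTRIBUTE, OSGAuthorizationConstants.STRINGDATATYPE)) {
                    return false;
                }
                localId.setPriority(ob.getValue());
            } else if (OSGAuthorizationConstants.UIDOBLIGATION.equals(id)) {
                log.debug("Found UID obligation");
                if (localId.getUID() != null) {
                    log.warn("Warning multiple UID Obligations, overriding previous");
                }
                if (!hasExpectedShape(ob, OSGAuthorizationConstants.UIDATTRIBUTE, OSGAuthorizationConstants.INTDATATYPE)) {
                    return false;
                }
                Integer uid = parseIntegerValue(ob);
                if (uid == null) {
                    return false;
                }
                localId.setUID(uid);
            } else if (OSGAuthorizationConstants.GIDOBLIGATION.equals(id)) {
                log.debug("Found GID obligation");
                if (localId.getGID() != null) {
                    log.warn("Warning multiple GID Obligations, overriding previous");
                }
                if (!hasExpectedShape(ob, OSGAuthorizationConstants.GIDATTRIBUTE, OSGAuthorizationConstants.INTDATATYPE)) {
                    return false;
                }
                Integer gid = parseIntegerValue(ob);
                if (gid == null) {
                    return false;
                }
                localId.setGID(gid);
            } else if (OSGAuthorizationConstants.READONLYOBLIGATION.equals(id)) {
                log.debug("Found ReadOnly obligation");
                if (localId.getReadOnlyFlag()) {
                    log.warn("Warning multiple ReadOnly Obligations");
                }
                if (!hasExpectedShape(ob, OSGAuthorizationConstants.READONLYATTRIBUTE, OSGAuthorizationConstants.BOOLDATATYPE)) {
                    return false;
                }
                // Anything other than a case-insensitive "true" clears the flag, as before.
                boolean readOnly = ob.getValue().equalsIgnoreCase("true");
                log.debug("ReadOnly obligation = " + readOnly);
                localId.setReadOnlyFlag(readOnly);
            } else {
                log.error("Found unsupported obligation - mapping denied");
                return false;
            }
        }
        return true;
    }

    /**
     * Checks that {@code ob} carries exactly the expected attributeId and datatype and a non-null
     * value; logs an error and returns {@code false} otherwise.
     */
    private static boolean hasExpectedShape(XACMLObligation ob, String expectedAttributeId, String expectedDatatype) {
        if (!expectedAttributeId.equals(ob.getAttributeId()) || !expectedDatatype.equals(ob.getDatatype())) {
            log.error("Obligation has unexpected attributeId or datatype");
            return false;
        }
        if (ob.getValue() == null) {
            log.error("Obligation has no value - mapping denied");
            return false;
        }
        return true;
    }

    /**
     * Parses the obligation value as an integer. A malformed value from the service used to
     * escape as an unchecked NumberFormatException; it is now logged and reported as
     * {@code null} so the caller denies the mapping instead.
     */
    private static Integer parseIntegerValue(XACMLObligation ob) {
        try {
            return Integer.valueOf(ob.getValue());
        } catch (NumberFormatException e) {
            log.error("Obligation value is not a valid integer: " + ob.getValue(), e);
            return null;
        }
    }

    /** @return the GSI credential set on this client, or {@code null} if none was set */
    public GlobusGSSCredentialImpl getGlobusCredentials() {
        return this.globusCredentials;
    }

    /**
     * Sets the GSI credential that {@link #queryAuthZService} installs on the service stub.
     * Plain field write; not documented as thread-safe.
     */
    public void setGlobusCredentials(GlobusGSSCredentialImpl globusGSSCredentialImpl) {
        this.globusCredentials = globusGSSCredentialImpl;
    }

    /**
     * Compiler-style class lookup helper kept for compatibility; the original threw the result of
     * {@code initCause} (a Throwable) without a throws clause, which does not compile.
     */
    static Class class$(String str) {
        try {
            return Class.forName(str);
        } catch (ClassNotFoundException e) {
            NoClassDefFoundError error = new NoClassDefFoundError(str);
            error.initCause(e);
            throw error;
        }
    }

    static {
        // The class literal replaces the reflective lookup; the synthetic field is still
        // populated so anything that reads it keeps working.
        class$org$opensciencegrid$authz$client$SAMLAuthZClientBase = SAMLAuthZClientBase.class;
        log = Category.getInstance(SAMLAuthZClientBase.class.getName());
    }
}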
