package org.opensciencegrid.authz.service;

import com.sun.xacml.Indenter;
import com.sun.xacml.Obligation;
import com.sun.xacml.PDP;
import com.sun.xacml.PDPConfig;
import com.sun.xacml.attr.DateTimeAttribute;
import com.sun.xacml.attr.StringAttribute;
import com.sun.xacml.attr.X500NameAttribute;
import com.sun.xacml.ctx.Attribute;
import com.sun.xacml.ctx.RequestCtx;
import com.sun.xacml.ctx.ResponseCtx;
import com.sun.xacml.ctx.Result;
import com.sun.xacml.ctx.Subject;
import com.sun.xacml.finder.AttributeFinder;
import com.sun.xacml.finder.PolicyFinder;
import com.sun.xacml.finder.ResourceFinder;
import com.sun.xacml.finder.impl.CurrentEnvModule;
import com.sun.xacml.finder.impl.FilePolicyModule;
import com.sun.xacml.finder.impl.SelectorModule;
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.net.URI;
import java.net.URL;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import java.util.logging.Handler;
import java.util.logging.Level;
import java.util.logging.LogRecord;
import java.util.logging.Logger;
import java.util.logging.SimpleFormatter;
import javax.security.auth.x500.X500Principal;
import org.apache.log4j.Category;
import org.opensaml.SAMLAction;
import org.opensaml.SAMLException;
import org.opensaml.SAMLSubject;
import org.opensciencegrid.authz.client.GRIDIdentityMappingServiceClient;
import org.opensciencegrid.authz.common.GridId;
import org.opensciencegrid.authz.common.LocalId;
import org.opensciencegrid.authz.common.OSGAuthorizationConstants;
import org.opensciencegrid.authz.saml.XACMLObligation;
import org.opensciencegrid.authz.service.SAMLAuthZServiceBase;

/* loaded from: input_file:org/opensciencegrid/authz/service/PRIMAAuthorizationServiceImpl.class */
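/**
 * PRIMA authorization service endpoint.
 *
 * <p>A SAML authorization query is answered in two steps: the grid identity
 * (user DN, host DN and, when present in the subject evidence, a VOMS FQAN)
 * is mapped to a local account by the GUMS identity-mapping web service, and
 * the request is then evaluated by a Sun XACML {@link PDP} against the policy
 * files found in {@link #policyDir}.
 *
 * <p>The decision is one of {@code "Permit"}, {@code "Deny"} or
 * {@code "Indeterminate"}. An absent mapping yields {@code "Deny"}; any
 * exception while building or evaluating the XACML request yields
 * {@code "Indeterminate"}. The local user, group and supplemental groups are
 * returned to the caller as obligations, together with any obligations the
 * PDP attached to its result.
 *
 * <p>{@link #setSslProperties()} writes process-global {@code System}
 * properties on every mapping call, so concurrent {@link #authorize} calls on
 * differently configured instances would race on those properties.
 *
 * <p>This source was recovered from a compiled class: the {@code class$}
 * helper, the {@code class$org$...} cache field and {@code AnonymousClass1}
 * are compiler-generated scaffolding (class-literal lookup and a
 * private-constructor bridge) and are kept for binary compatibility.
 */
public class PRIMAAuthorizationServiceImpl extends SAMLAuthZServiceBase {
    /** log4j category named after this class; assigned in the static initialiser. */
    static Category log;
    /** XACML policy decision point; remains {@code null} when the constructor failed. */
    private PDP pdp;
    /** Directory whose entries are each loaded as an XACML policy file. */
    private String policyDir = "/etc/grid-security/prima-policies";
    /** Issuer name placed in every decision returned by {@link #authorize}. */
    protected String serviceIdentity = "PRIMA Authorization Service";
    /** GUMS endpoint contacted for the grid-to-local identity mapping. */
    private String identityMappingServiceContact = "https://fledgling09.fnal.gov:8448/gums/services/GUMSAuthorizationServicePort";
    // TLS client credentials and trust anchors for the GUMS connection; each is
    // exported as a System property of the same name by setSslProperties()
    // when non-null.
    private String sslKey = "/etc/grid-security/hostkey.pem";
    private String sslCertfile = "/etc/grid-security/hostcert.pem";
    private String sslCAFiles = "/etc/grid-security/certificates/*.0";
    /** Passphrase for {@link #sslKey}; exported only when non-null, never logged. */
    private String sslKeyPasswd;
    /** Compiler-generated cache for the {@code PRIMAAuthorizationServiceImpl.class} literal. */
    static Class class$org$opensciencegrid$authz$service$PRIMAAuthorizationServiceImpl;

    /* renamed from: org.opensciencegrid.authz.service.PRIMAAuthorizationServiceImpl$1, reason: invalid class name */
    /* loaded from: input_file:org/opensciencegrid/authz/service/PRIMAAuthorizationServiceImpl$1.class */
    /** Compiler-generated marker type used to disambiguate the synthetic bridge constructor of {@link PRIMALogHandler}. */
    static class AnonymousClass1 {
    }

    /* loaded from: input_file:org/opensciencegrid/authz/service/PRIMAAuthorizationServiceImpl$PRIMALogHandler.class */
    /**
     * Bridges {@code java.util.logging} records emitted by the Sun XACML engine
     * (logger {@code "com.sun.xacml"}) into this service's log4j category.
     * Every forwarded message is prefixed with {@code "XACML-PDP: "}.
     */
    private class PRIMALogHandler extends Handler {
        /** Destination log4j category, named after the enclosing class. */
        Category log;
        private final PRIMAAuthorizationServiceImpl this$0;

        private PRIMALogHandler(PRIMAAuthorizationServiceImpl pRIMAAuthorizationServiceImpl) {
            Class cls;
            this.this$0 = pRIMAAuthorizationServiceImpl;
            // Lazily resolve and cache the enclosing Class object (compiler-generated
            // pattern for a .class literal).
            if (PRIMAAuthorizationServiceImpl.class$org$opensciencegrid$authz$service$PRIMAAuthorizationServiceImpl == null) {
                cls = PRIMAAuthorizationServiceImpl.class$("org.opensciencegrid.authz.service.PRIMAAuthorizationServiceImpl");
                PRIMAAuthorizationServiceImpl.class$org$opensciencegrid$authz$service$PRIMAAuthorizationServiceImpl = cls;
            } else {
                cls = PRIMAAuthorizationServiceImpl.class$org$opensciencegrid$authz$service$PRIMAAuthorizationServiceImpl;
            }
            this.log = Category.getInstance(cls.getName());
        }

        /** No resources are held; nothing to close. */
        @Override // java.util.logging.Handler
        public void close() {
        }

        /** Records are forwarded synchronously in {@link #publish}; nothing to flush. */
        @Override // java.util.logging.Handler
        public void flush() {
        }

        /**
         * Forwards one record to log4j, mapping SEVERE to error, WARNING to
         * warn, INFO to info and every other level to debug.
         *
         * @param logRecord the record emitted by the XACML engine
         */
        @Override // java.util.logging.Handler
        public void publish(LogRecord logRecord) {
            if (logRecord.getLevel() == Level.SEVERE) {
                this.log.error(new StringBuffer().append("XACML-PDP: ").append(logRecord.getMessage()).toString());
                return;
            }
            if (logRecord.getLevel() == Level.WARNING) {
                this.log.warn(new StringBuffer().append("XACML-PDP: ").append(logRecord.getMessage()).toString());
            } else if (logRecord.getLevel() == Level.INFO) {
                this.log.info(new StringBuffer().append("XACML-PDP: ").append(logRecord.getMessage()).toString());
            } else {
                this.log.debug(new StringBuffer().append("XACML-PDP: ").append(logRecord.getMessage()).toString());
            }
        }

        /** Synthetic bridge so the outer class can invoke the private constructor. */
        PRIMALogHandler(PRIMAAuthorizationServiceImpl pRIMAAuthorizationServiceImpl, AnonymousClass1 anonymousClass1) {
            this(pRIMAAuthorizationServiceImpl);
        }
    }

    /**
     * Builds the XACML PDP.
     *
     * <p>Installs a {@link PRIMALogHandler} on the {@code "com.sun.xacml"}
     * logger at level FINEST, loads every entry of {@link #policyDir} into a
     * {@link FilePolicyModule}, and wires a {@link PolicyFinder} and an
     * {@link AttributeFinder} (current-environment and selector modules) into
     * a new {@link PDP}.
     *
     * <p>Any exception is logged and swallowed, leaving {@link #pdp}
     * {@code null}; a later {@link #authorize} call then fails inside its
     * PDP block and returns {@code "Indeterminate"} rather than crashing.
     */
    public PRIMAAuthorizationServiceImpl() {
        this.pdp = null;
        try {
            PRIMALogHandler pRIMALogHandler = new PRIMALogHandler(this, null);
            pRIMALogHandler.setFormatter(new SimpleFormatter());
            Logger.getLogger("com.sun.xacml").addHandler(pRIMALogHandler);
            Logger.getLogger("com.sun.xacml").setLevel(Level.FINEST);
            FilePolicyModule filePolicyModule = new FilePolicyModule();
            File file = new File(this.policyDir);
            if (file.isDirectory()) {
                // NOTE(review): File.list() returns every directory entry in
                // unspecified order (hidden files and subdirectories included);
                // each one is handed to the policy module as a policy file.
                String[] list = file.list();
                if (list == null || list.length <= 0) {
                    log.debug(new StringBuffer().append("No policy files found at: ").append(this.policyDir).toString());
                } else {
                    for (int i = 0; i < list.length; i++) {
                        filePolicyModule.addPolicy(new StringBuffer().append(this.policyDir).append("/").append(list[i]).toString());
                        log.debug(new StringBuffer().append("Loading XACML Policy file: ").append(this.policyDir).append("/").append(list[i]).toString());
                    }
                }
            } else {
                // Construction continues with an empty policy set; the PDP is still created.
                log.error(new StringBuffer().append("No policy file directory found at: ").append(this.policyDir).toString());
            }
            PolicyFinder policyFinder = new PolicyFinder();
            HashSet hashSet = new HashSet();
            hashSet.add(filePolicyModule);
            policyFinder.setModules(hashSet);
            CurrentEnvModule currentEnvModule = new CurrentEnvModule();
            SelectorModule selectorModule = new SelectorModule();
            AttributeFinder attributeFinder = new AttributeFinder();
            ArrayList arrayList = new ArrayList();
            arrayList.add(currentEnvModule);
            arrayList.add(selectorModule);
            attributeFinder.setModules(arrayList);
            this.pdp = new PDP(new PDPConfig(attributeFinder, policyFinder, (ResourceFinder) null));
        } catch (Exception e) {
            log.error(new StringBuffer().append("Error instantiating XACML PDP ").append(e.getMessage()).toString());
            log.error(e);
        }
    }

    /**
     * Answers a SAML authorization query.
     *
     * <p>Flow: extract user DN, host DN and optional FQAN into a
     * {@link GridId}; collect the requested actions and keep those that
     * {@code locatePermissibleActions} accepts against the
     * {@code ACCESS_AS_LOCAL_ID} action; if any remain, query GUMS for a
     * {@link LocalId} (no mapping means {@code "Deny"}, a mapping becomes the
     * user/group obligations); unless already denied, build an XACML request
     * (subject: local user id and user DN; resource: host DN; actions: the
     * remaining action data) and let the PDP decide, copying the PDP's
     * obligations into the response.
     *
     * @param sAMLSubject the subject being authorized; its name is used as the user DN
     * @param str         the host DN of the requesting service
     * @param it          iterator over the requested {@link SAMLAction}s
     * @param it2         iterator over subject evidence, searched for a VOMS FQAN
     * @return the decision, never {@code null}; defaults to {@code "Indeterminate"}
     * @throws SAMLException if the identity-mapping service cannot be contacted
     */
    @Override // org.opensciencegrid.authz.service.SAMLAuthZServiceBase
    public SAMLAuthZServiceBase.AuthzDecision authorize(SAMLSubject sAMLSubject, String str, Iterator it, Iterator it2) throws SAMLException {
        log.debug(new StringBuffer().append("entered authorize method of: ").append(this.serviceIdentity).toString());
        LocalId localId = null;
        GridId gridId = new GridId();
        SAMLAuthZServiceBase.AuthzDecision authzDecision = new SAMLAuthZServiceBase.AuthzDecision(this);
        authzDecision.issuer = this.serviceIdentity;
        authzDecision.decision = "Indeterminate";
        log.debug("Checking if VOMS attribute (FQAN) is present in Subject Evidence");
        SAMLAuthZServiceBase.FQAN findFQANinSubjectEvidence = findFQANinSubjectEvidence(it2, sAMLSubject);
        if (findFQANinSubjectEvidence != null) {
            log.debug(new StringBuffer().append("found VOMS attribute with data \"").append(findFQANinSubjectEvidence.data).append("\" from \"").append(findFQANinSubjectEvidence.issuer).append("\"").toString());
        } else {
            log.debug("no VOMS attribute found in Subject evidence");
        }
        gridId.setUserDN(sAMLSubject.getName().getName());
        gridId.setHostDN(str);
        if (findFQANinSubjectEvidence != null) {
            gridId.setUserFQAN(findFQANinSubjectEvidence.data);
            gridId.setUserFQANIssuer(findFQANinSubjectEvidence.issuer);
        }
        log.debug(new StringBuffer().append("extracted from SAML Request: ").append(gridId.toString()).toString());
        // The single action this service knows how to grant.
        ArrayList arrayList = new ArrayList(1);
        arrayList.add(new SAMLAction(OSGAuthorizationConstants.AUTHZ_NS, OSGAuthorizationConstants.ACCESS_AS_LOCAL_ID));
        authzDecision.actions = new ArrayList();
        while (it.hasNext()) {
            authzDecision.actions.add((SAMLAction) it.next());
        }
        ArrayList locatePermissibleActions = locatePermissibleActions(authzDecision.actions.iterator(), arrayList);
        authzDecision.actions = locatePermissibleActions;
        if (locatePermissibleActions != null) {
            log.debug("At least one of the requested actions requires a local userid mapping, thus querying GUMS");
            log.debug("Request mapping from mapping service");
            try {
                log.debug(new StringBuffer().append("Identity mapping service contact: ").append(this.identityMappingServiceContact).toString());
                setSslProperties();
                localId = new GRIDIdentityMappingServiceClient(new URL(this.identityMappingServiceContact)).mapCredentials(gridId);
                if (localId == null || localId.getUserName() == null) {
                    // Fail closed: an unmapped identity is denied without consulting the PDP.
                    log.debug("Received no mapping from mapping service --> DENY");
                    authzDecision.decision = "Deny";
                } else {
                    authzDecision.obligations = createObligations(localId);
                }
            } catch (Exception e) {
                // The original cause is logged by message only and not chained
                // into the thrown SAMLException.
                log.error(new StringBuffer().append("Error contacting mapping service at ").append(this.identityMappingServiceContact).toString());
                log.error(e.getMessage());
                throw new SAMLException(new StringBuffer().append("Error contacting mapping service at ").append(this.identityMappingServiceContact).toString());
            }
        }
        if (!authzDecision.decision.equals("Deny")) {
            try {
                log.debug("Creating XACML request context");
                HashSet hashSet = new HashSet();
                // NOTE(review): when locatePermissibleActions() returned null, localId
                // (and authzDecision.actions) are still null here; the resulting NPE is
                // caught below and the decision stays "Indeterminate". Whether the PDP
                // should instead be consulted without a user-id attribute is a policy
                // question — confirm before changing.
                hashSet.add(new Attribute(new URI(OSGAuthorizationConstants.USERIDATTRIBUTE), (String) null, (DateTimeAttribute) null, new StringAttribute(localId.getUserName())));
                // Converts the slash-separated DN form ("/DC=org/CN=x") to the
                // comma-separated form X500Principal parses ("DC=org, CN=x").
                // NOTE(review): every "/" is treated as a separator, so an RDN value
                // containing "/" would be split — confirm against the DN formats in use.
                hashSet.add(new Attribute(new URI("opensciencegrid:authorization:attribute:UserDN"), (String) null, (DateTimeAttribute) null, new X500NameAttribute(new X500Principal(gridId.getUserDN().replaceFirst("/", "").replaceAll("/", ", ")))));
                HashSet hashSet2 = new HashSet();
                hashSet2.add(new Subject(hashSet));
                HashSet hashSet3 = new HashSet();
                hashSet3.add(new Attribute(new URI("urn:oasis:names:tc:xacml:1.0:resource:resource-id"), (String) null, (DateTimeAttribute) null, new X500NameAttribute(new X500Principal(gridId.getHostDN().replaceFirst("/", "").replaceAll("/", ", ")))));
                HashSet hashSet4 = new HashSet();
                URI uri = new URI("urn:oasis:names:tc:xacml:1.0:action:action-id");
                for (int i = 0; i < authzDecision.actions.size(); i++) {
                    hashSet4.add(new Attribute(uri, (String) null, (DateTimeAttribute) null, new StringAttribute(((SAMLAction) authzDecision.actions.get(i)).getData())));
                }
                // Environment attributes are always empty.
                RequestCtx requestCtx = new RequestCtx(hashSet2, hashSet3, hashSet4, new HashSet());
                ResponseCtx evaluate = this.pdp.evaluate(requestCtx);
                ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
                requestCtx.encode(byteArrayOutputStream, new Indenter());
                evaluate.encode(byteArrayOutputStream, new Indenter());
                log.debug(new StringBuffer().append("Request/Response: ").append(byteArrayOutputStream.toString()).toString());
                // Only the first result is inspected.
                Result result = (Result) evaluate.getResults().iterator().next();
                if (result != null) {
                    log.debug(new StringBuffer().append("XACML policy decision is: ").append(Result.DECISIONS[result.getDecision()]).toString());
                    // Decision codes index Result.DECISIONS: 0 = Permit, 1 = Deny;
                    // everything else (Indeterminate, NotApplicable) is reported as Indeterminate.
                    if (result.getDecision() == 1) {
                        authzDecision.decision = "Deny";
                    } else if (result.getDecision() == 0) {
                        authzDecision.decision = "Permit";
                    } else {
                        authzDecision.decision = "Indeterminate";
                    }
                    Set<Obligation> obligations = result.getObligations();
                    if (obligations != null) {
                        log.debug("Including obligations from XACML PDP response in SAML response");
                        // One XACMLObligation per attribute assignment, appended after
                        // any user/group obligations created from the GUMS mapping.
                        for (Obligation obligation : obligations) {
                            List assignments = obligation.getAssignments();
                            for (int i2 = 0; i2 < assignments.size(); i2++) {
                                Attribute attribute = (Attribute) assignments.get(i2);
                                if (authzDecision.obligations == null) {
                                    authzDecision.obligations = new ArrayList();
                                }
                                authzDecision.obligations.add(new XACMLObligation(obligation.getId().toString(), Result.DECISIONS[obligation.getFulfillOn()], attribute.getId().toString(), attribute.getType().toString(), attribute.getValue().encode()));
                            }
                        }
                    }
                }
            } catch (Exception e2) {
                log.error(new StringBuffer().append("Error querying XACML PDP engine: ").append(e2.getMessage()).toString());
                // A throwable may carry an empty stack trace; indexing [0] blindly
                // would raise inside this catch and escape authorize() unhandled.
                StackTraceElement[] trace = e2.getStackTrace();
                if (trace.length > 0) {
                    log.error(trace[0].toString());
                }
                log.error(e2);
                authzDecision.decision = "Indeterminate";
            }
        }
        if (authzDecision.decision.equals("Indeterminate")) {
            log.debug("XACML PDP could not produce a decision, responding with indeterminate");
            if (authzDecision.actions == null) {
                log.debug("Setting actions to mapping action to avoid empty action field");
                authzDecision.actions = new ArrayList(1);
                authzDecision.actions.add(new SAMLAction(OSGAuthorizationConstants.AUTHZ_NS, OSGAuthorizationConstants.ACCESS_AS_LOCAL_ID));
            }
        }
        return authzDecision;
    }

    /**
     * Turns a GUMS mapping into {@code "Permit"} obligations: one for the user
     * name, one for the primary group and one carrying all supplemental
     * groups as a single space-separated string. Each is emitted only when
     * the corresponding value is present.
     *
     * @param localId the mapping returned by the identity-mapping service
     * @return the obligations, or {@code null} when none applies
     * @throws SAMLException propagated from {@link XACMLObligation} construction
     */
    private ArrayList createObligations(LocalId localId) throws SAMLException {
        ArrayList arrayList = new ArrayList();
        String userName = localId.getUserName();
        if (userName != null) {
            arrayList.add(new XACMLObligation(OSGAuthorizationConstants.USERIDOBLIGATION, "Permit", OSGAuthorizationConstants.USERIDATTRIBUTE, OSGAuthorizationConstants.STRINGDATATYPE, userName));
        }
        String groupName = localId.getGroupName();
        if (groupName != null) {
            arrayList.add(new XACMLObligation(OSGAuthorizationConstants.GROUPIDOBLIGATION, "Permit", OSGAuthorizationConstants.GROUPIDATTRIBUTE, OSGAuthorizationConstants.STRINGDATATYPE, groupName));
        }
        String[] supplementalGroupNames = localId.getSupplementalGroupNames();
        // Length guard: the original indexed [0] on any non-null array, so an
        // empty array threw ArrayIndexOutOfBoundsException.
        if (supplementalGroupNames != null && supplementalGroupNames.length > 0) {
            // Join with single spaces. The original called String.concat() and
            // discarded its return value, so only the first group was ever sent.
            StringBuffer joined = new StringBuffer(supplementalGroupNames[0]);
            for (int i = 1; i < supplementalGroupNames.length; i++) {
                joined.append(" ").append(supplementalGroupNames[i]);
            }
            arrayList.add(new XACMLObligation(OSGAuthorizationConstants.SUPGROUPIDSOBLIGATION, "Permit", OSGAuthorizationConstants.SUPGROUPIDSATTRIBUTE, OSGAuthorizationConstants.STRINGDATATYPE, joined.toString()));
        }
        if (arrayList.isEmpty()) {
            return null;
        }
        return arrayList;
    }

    /**
     * Exports the TLS configuration for the GUMS client as {@code System}
     * properties read by the gLite trustmanager socket factory.
     *
     * <p>These properties are process-global and unsynchronized, so they are
     * visible to and may be overwritten by any other code in the JVM; the
     * passphrase in particular becomes readable through
     * {@code System.getProperty("sslKeyPasswd")}. The debug lines record only
     * whether the passphrase is set, never its value.
     */
    private void setSslProperties() {
        System.setProperty("axis.socketSecureFactory", "org.glite.security.trustmanager.axis.AXISSocketFactory");
        log.debug(new StringBuffer().append("SSL properties (old): sslCAFiles='").append(getSslCAFiles()).append("' sslCertfile='").append(getSslCertfile()).append("' sslKey='").append(getSslKey()).append("' sslKeyPasswd set:").append(getSslKeyPasswd() != null).append("'").toString());
        if (getSslCAFiles() != null) {
            System.setProperty("sslCAFiles", getSslCAFiles());
        }
        if (getSslCertfile() != null) {
            System.setProperty("sslCertfile", getSslCertfile());
        }
        if (getSslKey() != null) {
            System.setProperty("sslKey", getSslKey());
        }
        if (getSslKeyPasswd() != null) {
            System.setProperty("sslKeyPasswd", getSslKeyPasswd());
        }
        log.debug(new StringBuffer().append("SSL properties (new): sslCAFiles='").append(getSslCAFiles()).append("' sslCertfile='").append(getSslCertfile()).append("' sslKey='").append(getSslKey()).append("' sslKeyPasswd set:").append(getSslKeyPasswd() != null).append("'").toString());
    }

    /** @return path of the private key used for the GUMS TLS connection */
    public String getSslKey() {
        return this.sslKey;
    }

    /** @param str path of the private key used for the GUMS TLS connection */
    public void setSslKey(String str) {
        this.sslKey = str;
    }

    /** @return path of the client certificate used for the GUMS TLS connection */
    public String getSslCertfile() {
        return this.sslCertfile;
    }

    /** @param str path of the client certificate used for the GUMS TLS connection */
    public void setSslCertfile(String str) {
        this.sslCertfile = str;
    }

    /** @return trust-anchor file pattern used for the GUMS TLS connection */
    public String getSslCAFiles() {
        return this.sslCAFiles;
    }

    /** @param str trust-anchor file pattern used for the GUMS TLS connection */
    public void setSslCAFiles(String str) {
        this.sslCAFiles = str;
    }

    /** @return passphrase of the private key, or {@code null} if none was configured */
    public String getSslKeyPasswd() {
        return this.sslKeyPasswd;
    }

    /** @param str passphrase of the private key; {@code null} leaves the System property untouched */
    public void setSslKeyPasswd(String str) {
        this.sslKeyPasswd = str;
    }

    /**
     * Compiler-generated replacement for a {@code .class} literal.
     *
     * @param str fully qualified class name
     * @return the loaded class
     * @throws NoClassDefFoundError wrapping the {@link ClassNotFoundException}
     */
    static Class class$(String str) {
        try {
            return Class.forName(str);
        } catch (ClassNotFoundException e) {
            throw new NoClassDefFoundError().initCause(e);
        }
    }

    // Initialise the class-level log4j category named after this class.
    static {
        Class cls;
        if (class$org$opensciencegrid$authz$service$PRIMAAuthorizationServiceImpl == null) {
            cls = class$("org.opensciencegrid.authz.service.PRIMAAuthorizationServiceImpl");
            class$org$opensciencegrid$authz$service$PRIMAAuthorizationServiceImpl = cls;
        } else {
            cls = class$org$opensciencegrid$authz$service$PRIMAAuthorizationServiceImpl;
        }
        log = Category.getInstance(cls.getName());
    }
}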
