package org.opensciencegrid.authz.service;

import java.rmi.RemoteException;
import java.util.ArrayList;
import java.util.Calendar;
import java.util.Collection;
import java.util.Iterator;
import org.apache.axis.message.MessageElement;
import org.apache.log4j.Category;
import org.opensaml.QName;
import org.opensaml.SAMLAction;
import org.opensaml.SAMLAssertion;
import org.opensaml.SAMLAttribute;
import org.opensaml.SAMLAttributeStatement;
import org.opensaml.SAMLAuthorizationDecisionQuery;
import org.opensaml.SAMLAuthorizationDecisionStatement;
import org.opensaml.SAMLException;
import org.opensaml.SAMLRequest;
import org.opensaml.SAMLResponse;
import org.opensaml.SAMLSubject;
import org.opensciencegrid.authz.common.OSGAuthorizationConstants;
import org.opensciencegrid.authz.saml.OSGXML;
import org.opensciencegrid.authz.saml.ObligatedAuthorizationDecisionStatement;
import org.opensciencegrid.authz.saml.SAMLExtensionInit;
import org.opensciencegrid.authz.saml.SAMLUtil;
import org.opensciencegrid.authz.saml.XACMLObligation;
import org.opensciencegrid.authz.stubs.SAMLRequestPortType;
import org.opensciencegrid.authz.stubs.SAMLRequestType;
import org.opensciencegrid.authz.stubs.SAMLResponseType;
import org.w3c.dom.Element;

/* loaded from: input_file:org/opensciencegrid/authz/service/SAMLAuthZServiceBase.class */
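/**
 * Base class for an OSG SAML 1.x authorization service exposed through the SOAP port type
 * {@link SAMLRequestPortType}.
 *
 * <p>{@link #SAMLRequest} unwraps the {@code SAMLAuthorizationDecisionQuery} carried in the
 * request, hands subject / resource / actions / evidence to the subclass's {@link #authorize}
 * and wraps the answer in a {@code SAMLAssertion} that is valid for
 * {@link #ASSERTION_VALIDITY_IN_MINUTES} minutes.
 *
 * <p>Security properties enforced here:
 * <ul>
 *   <li><b>Fail closed.</b> Any exception on the normal path produces a decision of
 *       {@code Indeterminate}, or a SAML {@code RequestDenied} error response, or a
 *       {@code RemoteException}; a {@code Permit} is never synthesised on an error path.</li>
 *   <li><b>Decision whitelist.</b> The subclass's decision string must be exactly
 *       {@code Permit}, {@code Deny} or {@code Indeterminate}; anything else is an error.</li>
 *   <li><b>Obligations are never silently dropped.</b> If the subclass attaches XACML
 *       obligations but the client did not declare (via {@code RespondWith}) that it understands
 *       {@code ObligatedAuthorizationDecisionStatement}, the response is downgraded to
 *       {@code Indeterminate} rather than sending a {@code Permit} whose conditions the client
 *       would not see.</li>
 * </ul>
 *
 * <p>Not done here, and therefore the responsibility of the subclass or the container:
 * the assertion is not signed by this class, the client identity comes from
 * {@code SecurityUtil.retrieveClientDN()} (presumably the transport-level credential), and
 * evidence assertions handed to {@link #findFQANinSubjectEvidence} are read as-is — no
 * signature or issuer-trust check is visible in this class.
 */
public abstract class SAMLAuthZServiceBase implements SAMLRequestPortType {
    /** QName of the standard SAML 1.0 statement type, matched against the request's RespondWith list. */
    private static final QName AUTHZ_DECISION_STMT = new QName("urn:oasis:names:tc:SAML:1.0:assertion", "AuthorizationDecisionStatement");
    /** QName of the OSG extension statement that can carry XACML obligations. */
    private static final QName OBLIG_DECISION_STMT = new QName(OSGXML.SAML_EXT_NS, "ObligatedAuthorizationDecisionStatement");
    /** Assertion lifetime: NotBefore = now, NotOnOrAfter = now + this many minutes. */
    private static final int ASSERTION_VALIDITY_IN_MINUTES = 10;

    private static final String SAML_PROTOCOL_NS = "urn:oasis:names:tc:SAML:1.0:protocol";
    private static final String DECISION_PERMIT = "Permit";
    private static final String DECISION_DENY = "Deny";
    private static final String DECISION_INDETERMINATE = "Indeterminate";
    /** Issuer name used on the fallback Indeterminate assertion when the subclass never produced one. */
    private static final String UNKNOWN_ISSUER = "Unknown";

    static Category log = Category.getInstance(SAMLAuthZServiceBase.class.getName());

    /**
     * Result of {@link #authorize}. The base class validates it before use:
     * {@link #decision} must be Permit/Deny/Indeterminate, {@link #actions} must contain at least
     * one {@code SAMLAction}, {@link #issuer} must be non-empty. {@link #obligations} is optional
     * and, when present, is expected to hold {@code XACMLObligation} instances.
     */
    public class AuthzDecision {
        public String decision = DECISION_INDETERMINATE;
        public ArrayList actions;
        public ArrayList obligations;
        public String issuer;

        public AuthzDecision() {
        }

        /** Debug-log rendering of the decision; it is never used to build the response itself. */
        public String toString() {
            StringBuffer out = new StringBuffer();
            out.append("Decision: ").append(decision).append(", Actions: ");
            appendActions(out);
            out.append(", Obligations: ");
            appendObligations(out);
            out.append(", Issuer: ").append(issuer);
            return out.toString();
        }

        /** Renders each action as "namespace data | "; non-SAMLAction entries fall back to toString(). */
        private void appendActions(StringBuffer out) {
            if (actions == null) {
                out.append("null");
                return;
            }
            if (actions.isEmpty()) {
                out.append("empty");
                return;
            }
            for (Iterator it = actions.iterator(); it.hasNext();) {
                Object entry = it.next();
                if (entry instanceof SAMLAction) {
                    SAMLAction action = (SAMLAction) entry;
                    out.append(action.getNamespace()).append(' ').append(action.getData()).append(" | ");
                } else {
                    out.append(entry).append(" | ");
                }
            }
        }

        /** Renders each obligation as "obligationId attributeId=value | ". */
        private void appendObligations(StringBuffer out) {
            if (obligations == null) {
                out.append("null");
                return;
            }
            if (obligations.isEmpty()) {
                out.append("empty");
                return;
            }
            for (Iterator it = obligations.iterator(); it.hasNext();) {
                Object entry = it.next();
                if (entry instanceof XACMLObligation) {
                    XACMLObligation obligation = (XACMLObligation) entry;
                    out.append(obligation.getObligationId()).append(' ')
                       .append(obligation.getAttributeId()).append('=')
                       .append(obligation.getValue()).append(" | ");
                } else {
                    out.append("Unsupported Obligation | ");
                }
            }
        }
    }

    /**
     * A VOMS-style FQAN string together with the issuer of the evidence assertion it came from.
     * Note that {@link #issuer} is copied straight from the assertion; whether that issuer is
     * trustworthy has to be decided by the caller.
     */
    public class FQAN {
        String issuer;
        String data;

        protected FQAN() {
        }
    }

    /**
     * Policy hook implemented by the concrete service.
     *
     * @param sAMLSubject subject of the query
     * @param str         resource, with "%20" already decoded to a space
     * @param it          iterator over the requested {@code SAMLAction}s
     * @param it2         iterator over the query's evidence (typically {@code SAMLAssertion}s)
     * @return a fully populated {@link AuthzDecision}; see that class for what the base class requires
     */
    protected abstract AuthzDecision authorize(SAMLSubject sAMLSubject, String str, Iterator it, Iterator it2) throws SAMLException;

    /**
     * SOAP entry point. Parses the request, consults {@link #authorize} and returns a SAML response
     * addressed to the calling client's DN. Every failure is converted into a fail-closed response
     * by {@link #respondIndeterminate}; only if even that cannot be produced does the method throw.
     *
     * @param sAMLRequestType Axis wrapper whose first {@code any} element is the SAMLRequest
     * @return the SAML response wrapped for Axis
     * @throws RemoteException when no SAML-level response at all could be constructed
     */
    @Override // org.opensciencegrid.authz.stubs.SAMLRequestPortType
    public SAMLResponseType SAMLRequest(SAMLRequestType sAMLRequestType) throws RemoteException {
        // Kept outside the try so the fallback can reference whatever was parsed before the failure.
        SAMLRequest request = null;
        SAMLAuthorizationDecisionQuery query = null;
        String requestedResource = null;
        try {
            SAMLExtensionInit.init();
            String clientDN = SecurityUtil.retrieveClientDN();
            log.debug("Processing incoming SAMLRequest from " + clientDN);

            request = processSAMLRequest(sAMLRequestType);
            boolean obligationsAccepted = checkRespondWith(request);
            query = extractAuthorizationDecisionQuery(request);
            log.debug("Extracted authorization decision query");

            // The policy lookup sees "%20" decoded to a space. The client's original spelling is
            // remembered so the statement echoes back exactly the resource that was asked about.
            requestedResource = query.getResource();
            if (requestedResource == null) {
                throw new IllegalStateException("Authorization decision query carries no resource");
            }
            String decodedResource = requestedResource.replaceAll("%20", " ");
            if (!decodedResource.equals(requestedResource)) {
                query.setResource(decodedResource);
            }

            log.debug("Calling implementation of authorize method in the authoirzation service subclass");
            AuthzDecision result = authorize(query.getSubject(), query.getResource(), query.getActions(), query.getEvidence());
            if (result == null) {
                throw new IllegalStateException("Authorize method returned null");
            }
            log.debug("Authorize method returned:" + result);
            requireWellFormed(result);

            // A Permit whose obligations the client cannot receive must not be sent as a plain Permit.
            if (result.obligations != null && !result.obligations.isEmpty() && !obligationsAccepted) {
                result.obligations = null;
                log.warn("Response requires obligations, but the set of client-requested response formats did not include ObligatedAuthoirzationDecisionStatement");
                log.warn("Must return INDETERMINATE, as obligations cannot be conveyed with standard response");
                result.decision = DECISION_INDETERMINATE;
            }
            log.debug("returning AuthorizationDecisionStatement with decision= " + result.decision);

            query.setResource(requestedResource);
            ArrayList statements = createAuthzDecisionStmt(query, result.decision, result.actions, result.obligations);
            SAMLResponseType response = createSAMLResponse(request.getId(), clientDN, createAssertions(result.issuer, statements), null);
            log.debug("Returning response");
            return response;
        } catch (Exception e) {
            log.error("ABORT: " + e);
            log.debug("Exception trace: ", e);
            if (query != null && requestedResource != null) {
                query.setResource(requestedResource);
            }
            return respondIndeterminate(request, query);
        }
    }

    /**
     * Rejects an {@link AuthzDecision} that cannot be turned into a trustworthy statement.
     * The decision string is whitelisted so a subclass mistake can never leak an unexpected
     * value into the assertion; a missing action list or issuer is an error, not something to guess.
     *
     * @throws IllegalStateException on any violation (caught by the caller's fail-closed handler)
     */
    private static void requireWellFormed(AuthzDecision result) {
        boolean knownDecision = DECISION_PERMIT.equals(result.decision)
                || DECISION_DENY.equals(result.decision)
                || DECISION_INDETERMINATE.equals(result.decision);
        if (!knownDecision) {
            throw new IllegalStateException("Authorize method did not return valid decision value");
        }
        if (result.actions == null || result.actions.isEmpty()) {
            throw new IllegalStateException("Authorize method did not return any actions");
        }
        if (result.issuer == null || result.issuer.length() == 0) {
            throw new IllegalStateException("Authorize method did not return issuer value");
        }
    }

    /**
     * Fail-closed fallback for {@link #SAMLRequest}. First choice is a proper assertion with
     * decision {@code Indeterminate}, echoing the requested actions, issuer {@value #UNKNOWN_ISSUER}
     * and no obligations. If that is impossible (typically because the request never parsed far
     * enough to yield a query) a SAML {@code RequestDenied} error response is sent instead; if even
     * that fails the SOAP layer receives a {@code RemoteException}. No path here yields a Permit.
     *
     * @param request the parsed request, or null if parsing failed (InResponseTo is then omitted)
     * @param query   the extracted query, or null if extraction failed
     */
    private SAMLResponseType respondIndeterminate(SAMLRequest request, SAMLAuthorizationDecisionQuery query) throws RemoteException {
        String inResponseTo = (request == null) ? null : request.getId();
        try {
            log.debug("Attempting to construct a SAML AuthoirzationDecisionStatement with decision = INDETERMINATE");
            if (query == null) {
                throw new IllegalStateException("no authorization decision query is available to answer");
            }
            AuthzDecision fallback = new AuthzDecision();
            fallback.actions = new ArrayList(1);
            log.debug("don't have actions set so we will duplicate requested actions");
            for (Iterator it = query.getActions(); it.hasNext();) {
                fallback.actions.add(it.next());
            }
            fallback.issuer = UNKNOWN_ISSUER;
            ArrayList statements = createAuthzDecisionStmt(query, DECISION_INDETERMINATE, fallback.actions, null);
            SAMLResponseType response = createSAMLResponse(inResponseTo, null, createAssertions(fallback.issuer, statements), null);
            log.error("Responding with SAML AuthorizationDecisionSatement with decision = INDETERMINATE");
            return response;
        } catch (Exception e2) {
            log.error("Unable to create a SAML AuthorizationDecisionStatement with decision = INDETERMINATE");
            log.error("Caught exception was: " + e2, e2);
            try {
                SAMLException denied = new SAMLException(new QName(SAML_PROTOCOL_NS, "RequestDenied"),
                        "Please contact the system administrator of this authorization service for more information");
                SAMLResponseType response = createSAMLResponse(inResponseTo, null, null, denied);
                log.error("Responding with SAML-Exception response: RequestDenied");
                return response;
            } catch (Exception e3) {
                log.error("Unable to respond to request");
                log.error("Caught exception was: " + e3, e3);
                throw new RemoteException("Service unable to respond to request!");
            }
        }
    }

    /**
     * Turns the Axis wrapper into an OpenSAML {@code SAMLRequest}. Only the first {@code any}
     * element is looked at; anything after it is ignored. XML parsing has already happened in
     * Axis by this point, so entity/DTD hardening belongs to that parser's configuration.
     *
     * @throws RemoteException if the wrapper is null, carries no element, or OpenSAML rejects it
     */
    private SAMLRequest processSAMLRequest(SAMLRequestType sAMLRequestType) throws RemoteException, SAMLException {
        log.debug("Validating request type");
        if (sAMLRequestType == null) {
            throw new RemoteException("Received a null request");
        }
        MessageElement[] body = sAMLRequestType.get_any();
        if (body == null || body.length == 0 || body[0] == null) {
            throw new RemoteException("Received a request with no SAMLRequest element");
        }
        log.debug("Extracting SAMLRequest");
        try {
            return new SAMLRequest(body[0].getAsDOM());
        } catch (Exception e) {
            throw new RemoteException("Error extracting SAML Request object: " + e, e);
        }
    }

    /**
     * Inspects the request's RespondWith list.
     *
     * <p>A null list is treated as "no restriction" and enables the obligated statement type.
     * A non-null list must name the standard {@code AuthorizationDecisionStatement}, otherwise
     * the request is rejected — even if it names only the obligated variant. Note that a non-null
     * but empty iterator therefore also rejects the request; whether OpenSAML ever returns null
     * here rather than an empty iterator is not visible in this class.
     *
     * @return true if an {@code ObligatedAuthorizationDecisionStatement} may be returned
     * @throws RemoteException if the client does not accept the standard statement type
     */
    private boolean checkRespondWith(SAMLRequest sAMLRequest) throws RemoteException, SAMLException {
        Iterator respondWiths = sAMLRequest.getRespondWiths();
        if (respondWiths == null) {
            log.debug("No respondWith elements found in request, enabling ObligatedAuthorizationDecisionStatement");
            return true;
        }
        boolean standardAccepted = false;
        boolean obligatedAccepted = false;
        while (respondWiths.hasNext()) {
            QName candidate = (QName) respondWiths.next();
            if (AUTHZ_DECISION_STMT.equals(candidate)) {
                standardAccepted = true;
                log.debug("Supported respondWith: " + candidate);
            } else if (OBLIG_DECISION_STMT.equals(candidate)) {
                obligatedAccepted = true;
                log.debug("Supported respondWith: " + candidate);
            } else {
                log.debug("Found unrecognized respondWith: " + candidate);
            }
        }
        if (!standardAccepted) {
            log.debug("Standard SAML AuthorizationDecisionStatement is not supported by client, aborting");
            throw new RemoteException("Standard SAML AuthorizationDecisionStatement is not supported by client.");
        }
        return obligatedAccepted;
    }

    /**
     * Returns the request's query if it is an authorization decision query; every other query
     * type (attribute queries, artifact lookups, ...) is refused.
     *
     * @throws RemoteException if the query is missing or of another type
     */
    private SAMLAuthorizationDecisionQuery extractAuthorizationDecisionQuery(SAMLRequest sAMLRequest) throws RemoteException, SAMLException {
        Object query = sAMLRequest.getQuery();
        if (query instanceof SAMLAuthorizationDecisionQuery) {
            log.debug("FOUND SAMLAuthorizationDecisionQuery: " + query);
            return (SAMLAuthorizationDecisionQuery) query;
        }
        log.error("Request not supported: " + query);
        throw new RemoteException("Request not supported.");
    }

    /**
     * Builds the single decision statement for the response. The subject and resource are taken
     * from the query so the statement answers exactly what was asked; the obligated variant is
     * used only when there is at least one obligation to convey.
     *
     * @throws IllegalArgumentException if no query is available to answer
     */
    private ArrayList createAuthzDecisionStmt(SAMLAuthorizationDecisionQuery query, String decision, ArrayList actions, ArrayList obligations) throws SAMLException {
        if (query == null) {
            throw new IllegalArgumentException("cannot build a decision statement without the query it answers");
        }
        Object statement;
        if (obligations == null || obligations.isEmpty()) {
            statement = new SAMLAuthorizationDecisionStatement(query.getSubject(), query.getResource(), decision, actions, (Collection) null);
        } else {
            statement = new ObligatedAuthorizationDecisionStatement(query.getSubject(), query.getResource(), decision, actions, null, obligations);
        }
        ArrayList statements = new ArrayList(1);
        statements.add(statement);
        return statements;
    }

    /**
     * Wraps the statements in one assertion from {@code issuer}, valid from now for
     * {@link #ASSERTION_VALIDITY_IN_MINUTES} minutes. No conditions or advice are attached.
     */
    private ArrayList createAssertions(String issuer, ArrayList statements) throws SAMLException {
        Calendar notBefore = Calendar.getInstance();
        Calendar notOnOrAfter = (Calendar) notBefore.clone();
        notOnOrAfter.add(Calendar.MINUTE, ASSERTION_VALIDITY_IN_MINUTES);
        ArrayList assertions = new ArrayList(1);
        assertions.add(new SAMLAssertion(issuer, notBefore.getTime(), notOnOrAfter.getTime(), (Collection) null, (Collection) null, statements));
        return assertions;
    }

    /**
     * Assembles the SAMLResponse and wraps it for Axis.
     *
     * @param inResponseTo request ID being answered, or null if unknown
     * @param recipient    client DN; whitespace is percent-encoded so the DN is usable as a Recipient URI
     * @param assertions   assertions to include, or null for an error-only response
     * @param error        SAML status error to report, or null
     */
    private SAMLResponseType createSAMLResponse(String inResponseTo, String recipient, ArrayList assertions, SAMLException error) throws SAMLException {
        String encodedRecipient = (recipient == null) ? null : recipient.replaceAll("\\s", "%20");
        SAMLResponse response = new SAMLResponse(inResponseTo, encodedRecipient, assertions, error);
        log.debug("Created SAMLResponse: " + response);
        SAMLResponseType wrapper = new SAMLResponseType();
        wrapper.set_any(new MessageElement[] { new MessageElement((Element) response.toDOM()) });
        return wrapper;
    }

    /**
     * Extracts the FQAN attribute (name "FQAN" in {@code OSGAuthorizationConstants.AUTHZ_NS})
     * from an attribute statement. If several FQAN attributes are present the last one wins.
     *
     * @return the attribute's first string value, or null if there is no FQAN attribute with a string value
     */
    protected String getFQAN(SAMLAttributeStatement sAMLAttributeStatement) throws SAMLException {
        String fqan = null;
        for (Iterator attributes = sAMLAttributeStatement.getAttributes(); attributes.hasNext();) {
            Object candidate = attributes.next();
            if (!(candidate instanceof SAMLAttribute)) {
                continue;
            }
            SAMLAttribute attribute = (SAMLAttribute) candidate;
            String name = attribute.getName();
            String namespace = attribute.getNamespace();
            log.debug("Found Evidence Attribute:  " + name + " with namespace: " + namespace);
            if ("FQAN".equals(name) && OSGAuthorizationConstants.AUTHZ_NS.equals(namespace)) {
                fqan = getAttributeValue(attribute);
            }
        }
        if (fqan != null) {
            log.debug("Found FQAN Attribute: " + fqan);
        } else {
            // Also logged when the statement carries no FQAN attribute at all.
            log.warn("Found unsupported FQAN Attribute (it had no string value!!!)");
        }
        return fqan;
    }

    /**
     * Searches the query's evidence for the first attribute statement about {@code sAMLSubject}
     * (per {@code SAMLUtil.samlSubjectMatch}) that carries an FQAN.
     *
     * <p>The returned issuer is whatever the enclosing evidence assertion claims; this method
     * performs no signature or trust validation, so callers must not treat the FQAN as
     * authoritative without establishing that the issuer is trusted.
     *
     * @param it          iterator over evidence objects; non-SAMLAssertion entries are skipped
     * @param sAMLSubject subject the attribute statement must be about
     * @return the FQAN and its issuer, or null if none was found
     */
    public FQAN findFQANinSubjectEvidence(Iterator it, SAMLSubject sAMLSubject) throws SAMLException {
        FQAN found = new FQAN();
        while (it.hasNext()) {
            Object evidence = it.next();
            if (!(evidence instanceof SAMLAssertion)) {
                continue;
            }
            SAMLAssertion assertion = (SAMLAssertion) evidence;
            found.issuer = assertion.getIssuer();
            for (Iterator statements = assertion.getStatements(); statements.hasNext();) {
                Object statement = statements.next();
                if (!(statement instanceof SAMLAttributeStatement)) {
                    continue;
                }
                SAMLAttributeStatement attributeStatement = (SAMLAttributeStatement) statement;
                if (!SAMLUtil.samlSubjectMatch(sAMLSubject, attributeStatement.getSubject())) {
                    continue;
                }
                found.data = getFQAN(attributeStatement);
                if (found.data != null) {
                    return found;
                }
            }
        }
        return null;
    }

    /**
     * Intersects the requested actions with a list of permissible ones.
     *
     * <p>Each permissible entry is consumed by the first requested action it matches (via
     * {@code SAMLUtil.samlActionMatch}) and removed from {@code arrayList}, so the caller's list
     * is modified in place. The returned list contains the <em>requested</em> action objects,
     * which is what ends up echoed in the decision statement.
     *
     * @param it        iterator over requested {@code SAMLAction}s
     * @param arrayList mutable list of permissible {@code SAMLAction}s; matched entries are removed
     * @return the matched requested actions, or null if none matched
     */
    public ArrayList locatePermissibleActions(Iterator it, ArrayList arrayList) {
        ArrayList granted = new ArrayList(1);
        log.debug("Locating permissible actions");
        while (it.hasNext()) {
            SAMLAction wanted = (SAMLAction) it.next();
            for (int i = 0; i < arrayList.size(); i++) {
                if (SAMLUtil.samlActionMatch((SAMLAction) arrayList.get(i), wanted)) {
                    log.debug("requested action matched permissible action: " + wanted);
                    granted.add(wanted);
                    arrayList.remove(i);
                    break;
                }
            }
        }
        return granted.isEmpty() ? null : granted;
    }

    /** Returns the attribute's first value that is a String, or null if it has none. */
    private String getAttributeValue(SAMLAttribute sAMLAttribute) throws SAMLException {
        for (Iterator values = sAMLAttribute.getValues(); values.hasNext();) {
            Object value = values.next();
            if (value instanceof String) {
                return (String) value;
            }
        }
        return null;
    }
}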
