package org.globus.ogsa.handlers;

import java.io.BufferedReader;
import java.io.IOException;
import java.io.StringReader;
import java.net.URL;
import java.security.cert.X509Certificate;
import javax.xml.parsers.DocumentBuilderFactory;
import org.apache.axis.MessageContext;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.globus.gsi.bc.BouncyCastleUtil;
import org.globus.gsi.proxy.ProxyPathValidatorException;
import org.globus.gsi.proxy.ProxyPolicyHandler;
import org.globus.gsi.proxy.ext.ProxyCertInfo;
import org.globus.ogsa.impl.security.authorization.NoAuthorization;
import org.globus.ogsa.utils.ContextUtils;
import org.gridforum.jgss.ExtendedGSSManager;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.w3c.dom.Text;
import org.xml.sax.InputSource;

/* loaded from: input_file:org/globus/ogsa/handlers/GrimProxyPolicyHandler.class */
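/**
 * Proxy policy handler that accepts a proxy certificate only when its XML
 * policy lists the expected identity ({@code AuthorizedClientId}) and the
 * expected service path ({@code AuthorizedPortType}), and the certificate's
 * identity matches the host of the current transport URL.
 *
 * <p>Security-relevant points for maintainers:
 * <ul>
 *   <li>The policy text is read from the certificate being validated, so it
 *       is parsed as untrusted XML (DOCTYPE and entity expansion disabled).</li>
 *   <li>On success {@link #validate} installs {@code NoAuthorization} in the
 *       message context, so the checks in this class are the only
 *       authorization applied afterwards; every failure path must throw.</li>
 *   <li>NOTE(review): {@code identity} is filled in lazily on the first call
 *       to {@link #validate} and is not cleared by {@link #reset()}. If one
 *       instance is shared across requests made under different credentials,
 *       later validations compare against the first identity - confirm how
 *       instances are scoped by the caller.</li>
 * </ul>
 */
public class GrimProxyPolicyHandler implements ProxyPolicyHandler {
    private static final Log logger = LogFactory.getLog(GrimProxyPolicyHandler.class.getName());

    /** Service path that the policy must authorize. */
    private static final String DEFAULT_SERVICE_PATH =
            "http://www.globus.org/namespaces/managed_job/managed_job/ManagedJobPortType";

    private boolean called;
    private String identity;
    private String servicePath;

    /** Creates a handler whose expected identity is resolved on the first validation. */
    public GrimProxyPolicyHandler() {
        this(null);
    }

    /**
     * Creates a handler that expects the given identity in the policy.
     *
     * @param str expected identity, or {@code null} to resolve it from the
     *            current credential during {@link #validate}
     */
    public GrimProxyPolicyHandler(String str) {
        this.called = false;
        this.servicePath = DEFAULT_SERVICE_PATH;
        this.identity = str;
    }

    /**
     * Parses the policy text into a DOM tree and returns its root element.
     *
     * <p>The text comes from the certificate under validation, so the parser
     * is locked down before use: DOCTYPE declarations are rejected (which
     * rules out external entities and entity-expansion attacks) and secure
     * processing limits are enabled. A parser that does not support these
     * features makes this method throw, which {@link #validate} reports as a
     * validation failure rather than parsing with an unhardened parser.
     *
     * @param str policy document as text
     * @return root element of the parsed policy
     * @throws Exception if the parser cannot be configured or the text is not
     *                   well-formed XML
     */
    private Element parseProxyPolicy(String str) throws Exception {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setFeature(javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING, true);
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        factory.setExpandEntityReferences(false);
        InputSource source = new InputSource(new BufferedReader(new StringReader(str)));
        return factory.newDocumentBuilder().parse(source).getDocumentElement();
    }

    /**
     * Returns the text of the first child of the node at {@code index}, or
     * {@code null} when that element is empty or starts with a non-text node.
     * Such entries are treated as "no match" instead of raising a
     * NullPointerException or ClassCastException.
     */
    private static String firstTextOf(NodeList nodes, int index) {
        Object firstChild = nodes.item(index).getFirstChild();
        return (firstChild instanceof Text) ? ((Text) firstChild).getData() : null;
    }

    /**
     * Checks whether any {@code AuthorizedClientId} entry in the policy equals
     * the expected identity.
     *
     * @param element root element of the parsed policy
     * @return {@code true} if a matching entry exists
     */
    private boolean assertIdentityMatch(Element element) {
        NodeList candidates = element.getElementsByTagName("AuthorizedClientId");
        logger.debug("Expected identity: " + this.identity);
        for (int i = 0; i < candidates.getLength(); i++) {
            String allowed = firstTextOf(candidates, i);
            logger.debug("Allowed identity: " + allowed);
            // Exact string comparison; identity is the receiver, so a null entry never matches.
            if (this.identity.equals(allowed)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Checks whether any {@code AuthorizedPortType} entry in the policy equals
     * the expected service path.
     *
     * @param element root element of the parsed policy
     * @return {@code true} if a matching entry exists
     */
    private boolean assertServicePathMatch(Element element) {
        NodeList candidates = element.getElementsByTagName("AuthorizedPortType");
        for (int i = 0; i < candidates.getLength(); i++) {
            if (this.servicePath.equals(firstTextOf(candidates, i))) {
                return true;
            }
        }
        return false;
    }

    /** Returns whether {@link #validate} has been invoked since construction or the last {@link #reset()}. */
    public boolean isCalled() {
        return this.called;
    }

    /** Clears the "called" flag. The resolved identity is left unchanged. */
    public void reset() {
        this.called = false;
    }

    /** Returns the expected identity, or {@code null} if it has not been set or resolved yet. */
    public String getIdentity() {
        return this.identity;
    }

    /**
     * Validates the proxy policy of the certificate at index {@code i}.
     *
     * <p>Steps: resolve the expected identity if it is still unknown (from the
     * {@code org.globus.gsi.credentials} context property, else from the
     * manager's {@code createCredential(0)}), parse the policy, require an
     * identity match and a service path match, then run host authorization
     * against the {@code transport.url} context property. Only after all of
     * these succeed is {@code NoAuthorization} installed in the context.
     *
     * @param proxyCertInfo      proxy certificate extension carrying the policy
     * @param x509CertificateArr certificate chain being validated
     * @param i                  index of the certificate whose policy is checked
     * @throws ProxyPathValidatorException if the identity cannot be resolved,
     *         the policy cannot be parsed, or any of the checks fails
     */
    public void validate(ProxyCertInfo proxyCertInfo, X509Certificate[] x509CertificateArr, int i) throws ProxyPathValidatorException {
        this.called = true;
        MessageContext currentContext = MessageContext.getCurrentContext();
        if (this.identity == null) {
            GSSManager manager = ExtendedGSSManager.getInstance();
            Object property = ContextUtils.getProperty(currentContext, "org.globus.gsi.credentials");
            try {
                GSSCredential credential = property == null ? manager.createCredential(0) : (GSSCredential) property;
                this.identity = credential.getName().toString();
            } catch (GSSException e) {
                throw new ProxyPathValidatorException(-1, "Problem getting client identity", e);
            }
        }
        logger.debug("Identity from handler: " + this.identity);
        String policyText = proxyCertInfo.getProxyPolicy().getPolicyAsString();
        if (logger.isDebugEnabled()) {
            // The policy text is certificate-supplied; it is logged verbatim at debug level only.
            logger.debug("Proxy Policy:\n" + policyText);
        }
        try {
            Element policy = parseProxyPolicy(policyText);
            if (!assertIdentityMatch(policy)) {
                throw new ProxyPathValidatorException(1, (X509Certificate) null, "Client DN not found in policy");
            }
            if (!assertServicePathMatch(policy)) {
                throw new ProxyPathValidatorException(1, (X509Certificate) null, "Desired service path not found in policy");
            }
            performHostAuthorization((String) currentContext.getProperty("transport.url"), BouncyCastleUtil.getIdentity(x509CertificateArr[i]));
            // From here on no further authorization is applied to this message context.
            currentContext.setProperty("org.globus.ogsa.security.authorization", NoAuthorization.getInstance());
        } catch (ProxyPathValidatorException e) {
            // Keep the specific denial (code and message) instead of relabelling
            // it as a parse error, so logs distinguish "policy rejected" from
            // "policy unreadable".
            throw e;
        } catch (Exception e) {
            throw new ProxyPathValidatorException(-1, "Error parsing proxy policy", e);
        }
    }

    /**
     * Requires that the certificate identity names the host of the given URL.
     *
     * <p>The expected name is built as {@code host@<host of str>} with the
     * host-based service name type and compared with {@code str2}.
     *
     * @param str  transport URL whose host is the expected target
     * @param str2 identity taken from the certificate
     * @throws ProxyPathValidatorException if the names differ, the URL cannot
     *         be parsed, or a GSS name cannot be created
     */
    protected void performHostAuthorization(String str, String str2) throws ProxyPathValidatorException {
        GSSManager manager = ExtendedGSSManager.getInstance();
        try {
            GSSName expected = manager.createName("host@" + new URL(str).getHost(), GSSName.NT_HOSTBASED_SERVICE);
            GSSName presented = manager.createName(str2, (Oid) null);
            if (!expected.equals(presented)) {
                throw new ProxyPathValidatorException(-1, "Host authorization failure. Expected target: '" + expected + "'. Target returned: '" + presented + "'", (Throwable) null);
            }
        } catch (IOException e) {
            throw new ProxyPathValidatorException(-1, "Error performing host authorization", e);
        } catch (GSSException e) {
            throw new ProxyPathValidatorException(-1, "Error performing host authorization", e);
        }
    }
}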
