package xsul.dsig.saml.authorization;

import java.io.ByteArrayInputStream;
import java.io.StringReader;
import java.security.GeneralSecurityException;
import java.security.Principal;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.Iterator;
import java.util.Vector;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.apache.xml.security.Init;
import org.apache.xml.security.exceptions.XMLSecurityException;
import org.apache.xml.security.keys.KeyInfo;
import org.apache.xml.security.keys.content.X509Data;
import org.apache.xml.security.signature.XMLSignature;
import org.globus.gsi.CertUtil;
import org.globus.gsi.GlobusCredential;
import org.globus.gsi.GlobusCredentialException;
import org.opensaml.SAMLAction;
import org.opensaml.SAMLAssertion;
import org.opensaml.SAMLAuthorizationDecisionStatement;
import org.opensaml.SAMLException;
import org.opensaml.XML;
import org.w3c.dom.Element;
import org.xmlpull.v1.builder.XmlElement;
import org.xmlpull.v1.builder.XmlInfosetBuilder;
import org.xmlpull.v1.builder.XmlNamespace;
import xsul.MLogger;
import xsul.XmlConstants;
import xsul.dsig.SignatureType;
import xsul.dsig.globus.GlobusCredSOAPEnvelopeVerifier;
import xsul.dsig.globus.security.authentication.wssec.WSConstants;

/* loaded from: input_file:xsul/dsig/saml/authorization/CapabilityAuthorizer.class */
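/**
 * Authorizes a SOAP request against a capability: a set of signed SAML
 * assertions carrying {@link SAMLAuthorizationDecisionStatement}s.
 *
 * <p>For every assertion the following must hold, otherwise a
 * {@link CapabilityException} is thrown (the check fails closed):
 * <ul>
 *   <li>the certificate in the assertion signature's KeyInfo names the
 *       configured provider (the service owner who issued the capability);</li>
 *   <li>every statement is an authorization decision statement whose resource
 *       matches the service identifier, whose subject is the requesting user,
 *       whose decision is {@code CapConstants.PERMIT}, and whose actions cover
 *       each operation found in the SOAP Body.</li>
 * </ul>
 *
 * <p>Changes against the original decompiled version (all of them fail-closed
 * fixes): the statement's action iterator is re-obtained for every requested
 * action (it used to be consumed by the first one, leaving later requested
 * actions unchecked); an empty action entry no longer prefix-matches every
 * request; a capability with no assertions, no decision statements or no
 * actions is rejected instead of silently passing; a missing KeyInfo/X509Data
 * raises a CapabilityException instead of a NullPointerException; SAML
 * exception causes are preserved.
 *
 * <p>Not thread-safe: {@code provider} and {@code service_identifier} are
 * mutable through their setters.
 */
public class CapabilityAuthorizer {
    private static final XmlInfosetBuilder builder = XmlConstants.BUILDER;
    private static final MLogger logger = MLogger.getLogger();
    // Not referenced by any method of this class; kept (and hardened in the
    // static initializer) in case it is reached by other means.
    private static DocumentBuilderFactory dbfNonValidating;
    // Resource identifier the capability's statements must name.
    private String service_identifier = MLogger.PROPERTY_PREFIX;
    // Canonicalized DN of the service owner, i.e. the expected capability issuer.
    private String provider = MLogger.PROPERTY_PREFIX;

    /**
     * Creates an authorizer for the given service.
     *
     * @param str  service identifier the capability's resource must match
     * @param str2 DN of the service owner (expected issuer); when {@code null}
     *             the subject of the default Globus credential is used
     * @throws CapabilityException if no owner DN is given and the default
     *         credential cannot be loaded
     */
    protected CapabilityAuthorizer(String str, String str2) throws CapabilityException {
        this.service_identifier = str;
        if (str2 != null) {
            this.provider = CapabilityUtil.canonicalizeSubject(str2);
        } else {
            this.provider = defaultCredentialSubject();
        }
    }

    /**
     * Creates an authorizer whose provider is the subject of the default
     * Globus credential.
     *
     * @param str service identifier the capability's resource must match
     * @throws CapabilityException if the default credential cannot be loaded
     */
    protected CapabilityAuthorizer(String str) throws CapabilityException {
        this(str, null);
    }

    /** Canonicalized subject DN of the default Globus credential. */
    private static String defaultCredentialSubject() throws CapabilityException {
        try {
            return CapabilityUtil.canonicalizeSubject(GlobusCredential.getDefaultCredential().getSubject());
        } catch (GlobusCredentialException e) {
            throw new CapabilityException("could not get credential", e);
        }
    }

    /**
     * Factory equivalent of {@link #CapabilityAuthorizer(String, String)}.
     *
     * @param str  service identifier
     * @param str2 DN of the service owner, or {@code null} for the default credential
     * @throws CapabilityException if the default credential is needed but unavailable
     */
    public static CapabilityAuthorizer newInstance(String str, String str2) throws CapabilityException {
        return new CapabilityAuthorizer(str, str2);
    }

    /**
     * Factory equivalent of {@link #CapabilityAuthorizer(String)}.
     *
     * @param str service identifier
     * @throws CapabilityException if the default credential is unavailable
     */
    public static CapabilityAuthorizer newInstance(String str) throws CapabilityException {
        return new CapabilityAuthorizer(str);
    }

    /**
     * Sets the expected issuer DN.
     *
     * <p>NOTE(review): unlike the constructors this does not pass the value
     * through {@code CapabilityUtil.canonicalizeSubject}; whether
     * {@code CapabilityUtil.compareSubjects} normalizes on its own cannot be
     * told from here, so callers should pass a canonical DN.
     *
     * @param str DN of the service owner
     */
    public void setProvider(String str) {
        this.provider = str;
    }

    /** @return the expected issuer DN */
    public String getProvider() {
        return this.provider;
    }

    /**
     * Sets the service identifier the capability's resource must match.
     *
     * @param str service identifier
     */
    public void setServiceIdentifier(String str) {
        this.service_identifier = str;
    }

    /** @return the service identifier */
    public String getServiceIdentifier() {
        return this.service_identifier;
    }

    /**
     * Authorizes the operations in the SOAP envelope's Body for the given user.
     *
     * @param str        DN of the requesting user
     * @param capability the capability presented with the request
     * @param xmlElement the SOAP envelope
     * @throws CapabilityException if the capability is {@code null}, the
     *         envelope has no Body, or any check in
     *         {@link #isAuthorized(Capability, Object[])} fails
     */
    public void isAuthorized(String str, Capability capability, XmlElement xmlElement) throws CapabilityException {
        logger.entering();
        if (capability == null) {
            throw new CapabilityException("capability null");
        }
        isAuthorized(capability, new Object[]{this.provider, str, getSoapActions(xmlElement)});
        logger.exiting();
    }

    /**
     * Same as {@link #isAuthorized(String, Capability, XmlElement)} with the
     * user DN taken from {@code principal.getName()}.
     *
     * @throws CapabilityException if {@code principal} is {@code null} or the
     *         request is not authorized
     */
    public void isAuthorized(Principal principal, Capability capability, XmlElement xmlElement) throws CapabilityException {
        if (principal == null) {
            throw new CapabilityException("principal null");
        }
        isAuthorized(principal.getName(), capability, xmlElement);
    }

    /**
     * Core check: verifies the capability and evaluates every assertion and
     * every authorization decision statement it contains.
     *
     * @param capability capability to evaluate; {@code capability.verify()} is
     *                   called first
     * @param objArr     {@code {issuerDn (String), userDn (String),
     *                   requestedActions (Collection of String)}}
     * @throws CapabilityException if the arguments are malformed, the
     *         capability carries no assertion or no decision statement, or any
     *         issuer / resource / subject / action check fails
     */
    public void isAuthorized(Capability capability, Object[] objArr) throws CapabilityException {
        if (capability == null) {
            throw new CapabilityException("capability null");
        }
        if (objArr == null || objArr.length < 3) {
            throw new CapabilityException("expected {issuer DN, user DN, requested actions}");
        }
        capability.verify();
        String issuerDn = (String) objArr[0];
        String userDn = (String) objArr[1];
        Collection requested = (Collection) objArr[2];
        SAMLAssertion[] allAssertions = capability.getAllAssertions();
        // An empty array used to pass silently; a capability without
        // assertions grants nothing.
        if (allAssertions == null || allAssertions.length == 0) {
            throw new CapabilityException("no capability available");
        }
        int evaluated = 0;
        for (SAMLAssertion assertion : allAssertions) {
            try {
                Element element = (Element) assertion.toDOM();
                if (element == null) {
                    throw new CapabilityException("could not find corresponding assertion");
                }
                Principal subjectDN = getSubjectDN(element);
                if (subjectDN == null) {
                    // Never skip the issuer check: an unknown issuer is a denial.
                    throw new CapabilityException("could not determine the capability issuer");
                }
                logger.finest("subject DN= " + subjectDN.getName());
                checkIssuer(issuerDn, subjectDN);
                Iterator statements = assertion.getStatements();
                while (statements != null && statements.hasNext()) {
                    Object next = statements.next();
                    logger.finest("class type: " + next.getClass());
                    if (!(next instanceof SAMLAuthorizationDecisionStatement)) {
                        throw new CapabilityException("unable to process: " + next.getClass());
                    }
                    SAMLAuthorizationDecisionStatement stmt = (SAMLAuthorizationDecisionStatement) next;
                    checkIdentifier(stmt, this.service_identifier);
                    checkUserSubject(stmt, userDn);
                    checkActions(stmt, requested);
                    evaluated++;
                }
            } catch (SAMLException e) {
                // Keep the cause; the original message-only rethrow lost it.
                throw new CapabilityException(e.getMessage(), e);
            }
        }
        if (evaluated == 0) {
            throw new CapabilityException("capability contains no authorization decision statement");
        }
    }

    /**
     * Parses a serialized SOAP envelope and authorizes it via
     * {@link #isAuthorized(XmlElement)}.
     *
     * @param str SOAP envelope as XML text
     * @throws Exception any parse, verification or authorization failure
     */
    public void isAuthorized(String str) throws Exception {
        isAuthorized(builder.parseFragmentFromReader(new StringReader(str)));
    }

    /**
     * Verifies the envelope signature with the default credential and trusted
     * certificates, takes the signer as the requesting user, extracts the
     * capability from the Security header and authorizes the request.
     *
     * @param xmlElement signed SOAP envelope
     * @throws Exception any verification, extraction or authorization failure
     */
    public void isAuthorized(XmlElement xmlElement) throws Exception {
        // The envelope signer is the requesting user; evaluated before the
        // capability is extracted, as in the original call order.
        String userDn = GlobusCredSOAPEnvelopeVerifier
                .getInstance(GlobusCredential.getDefaultCredential(),
                        CapabilityUtil.getTrustedCertificates().getCertificates())
                .verifySoapMessage(xmlElement)
                .getSubjectDn()
                .getName();
        isAuthorized(userDn, getCapability(xmlElement), xmlElement);
    }

    /**
     * Checks that the statement's decision is PERMIT and that each requested
     * action is covered by the statement's action entries.
     *
     * <p>Coverage is the original rule: an entry covers a request when it is
     * equal ignoring case or is a prefix of it, and <em>every</em> SAMLAction
     * in the statement must cover the request. NOTE(review): that means a
     * statement listing several unrelated actions rejects every request; confirm
     * whether "some entry covers it" was intended.
     *
     * @param stmt       decision statement under evaluation
     * @param collection requested actions (String entries; others are ignored)
     * @throws CapabilityException if the decision is not PERMIT, the statement
     *         has no action entries, or a requested action is not covered
     */
    private void checkActions(SAMLAuthorizationDecisionStatement stmt, Collection collection) throws CapabilityException {
        if (collection == null) {
            throw new CapabilityException("no requested actions");
        }
        Object decision = stmt.getDecision();
        // Checked up front: the original only consulted the decision while
        // iterating actions, so an empty action list bypassed it.
        if (decision == null || !decision.equals(CapConstants.PERMIT)) {
            throw new CapabilityException("the capability does not permit the requested actions");
        }
        for (Object obj : collection) {
            if (!(obj instanceof String)) {
                continue;
            }
            String requestedAction = (String) obj;
            logger.finest("o1 string: " + requestedAction);
            // A fresh iterator per requested action: a single shared iterator
            // was exhausted by the first request, leaving the rest unchecked.
            Iterator actions = stmt.getActions();
            if (actions == null) {
                throw new CapabilityException("no actions!");
            }
            int covering = 0;
            while (actions.hasNext()) {
                Object next = actions.next();
                if (!(next instanceof SAMLAction)) {
                    logger.finest("o2 class type: " + next.getClass());
                    continue;
                }
                SAMLAction action = (SAMLAction) next;
                logger.finest("SAMLAction namespace: " + action.getNamespace());
                String data = action.getData();
                logger.finest("SAMLAction data: " + data);
                if (!actionCovers(data, requestedAction)) {
                    throw new CapabilityException("action: " + data + " is not authorized by the capability.\n");
                }
                covering++;
            }
            if (covering == 0) {
                // No entry at all is a denial, not a grant.
                throw new CapabilityException("action: " + requestedAction + " is not authorized by the capability.\n");
            }
        }
    }

    /**
     * Whether a capability action entry covers a requested action.
     *
     * @param data      action entry from the statement
     * @param requested action name taken from the SOAP Body
     * @return true when equal ignoring case or {@code data} is a non-empty
     *         prefix of {@code requested}; an empty entry would otherwise match
     *         every request
     */
    private static boolean actionCovers(String data, String requested) {
        if (data == null || data.length() == 0 || requested == null) {
            return false;
        }
        return requested.equalsIgnoreCase(data) || requested.startsWith(data);
    }

    /**
     * Checks that the statement's resource names the service.
     *
     * <p>NOTE(review): as in the original, a resource that merely
     * <em>contains</em> the identifier is accepted ({@code indexOf}); confirm
     * whether an exact or URI-based match was intended.
     *
     * @param stmt decision statement under evaluation
     * @param str  configured service identifier
     * @throws CapabilityException if either side is missing/empty or they do not match
     */
    private void checkIdentifier(SAMLAuthorizationDecisionStatement stmt, String str) throws CapabilityException {
        String resource = stmt.getResource();
        // An empty identifier is a substring of everything; reject it.
        if (resource == null || str == null || str.length() == 0) {
            throw new CapabilityException("the identifier doesn't match!");
        }
        if (resource.equalsIgnoreCase(str) || resource.indexOf(str) != -1) {
            return;
        }
        logger.finest("identifier: " + resource);
        logger.finest("service uri:" + str);
        throw new CapabilityException("the identifier doesn't match!");
    }

    /**
     * Checks that the assertion's signing certificate belongs to the expected issuer.
     *
     * @param str       expected issuer DN (the provider)
     * @param principal subject of the signing certificate
     * @throws CapabilityException if the DNs do not compare equal
     */
    private void checkIssuer(String str, Principal principal) throws CapabilityException {
        if (principal != null && CapabilityUtil.compareSubjects(str, principal.getName())) {
            return;
        }
        logger.finest("issuer: " + str);
        throw new CapabilityException("the capability is not issued by the service owner");
    }

    /**
     * Checks that the statement's subject is the requesting user.
     *
     * @param stmt decision statement under evaluation
     * @param str  DN of the requesting user
     * @throws CapabilityException if the statement has no subject name or it
     *         does not compare equal to {@code str}
     */
    private void checkUserSubject(SAMLAuthorizationDecisionStatement stmt, String str) throws CapabilityException {
        if (stmt.getSubject() == null || stmt.getSubject().getNameIdentifier() == null) {
            throw new CapabilityException("the subject doesn't match!");
        }
        String name = stmt.getSubject().getNameIdentifier().getName();
        logger.finest("subject name: " + name);
        if (CapabilityUtil.compareSubjects(str, name)) {
            return;
        }
        logger.finest("principal name: " + str);
        throw new CapabilityException("the subject doesn't match!");
    }

    /**
     * Extracts the capability from {@code Header/Security/saml:Assertion}.
     *
     * @param xmlElement SOAP envelope
     * @return the capability built from the serialized assertion
     * @throws Exception if any of the three elements is missing or the
     *         capability cannot be built
     */
    private Capability getCapability(XmlElement xmlElement) throws Exception {
        XmlElement header = xmlElement.element((XmlNamespace) null, "Header");
        if (header == null) {
            throw new CapabilityException("no SOAP Header can be found");
        }
        XmlElement security = header.element((XmlNamespace) null, "Security");
        if (security == null) {
            throw new CapabilityException("no Security header can be found");
        }
        XmlElement assertion = security.element(CapConstants.SAML_NS, "Assertion");
        if (assertion == null) {
            throw new CapabilityException("no SAML Assertion can be found");
        }
        return new Capability(builder.serializeToString(assertion));
    }

    /**
     * Returns the subject of the first certificate carried in the assertion
     * signature's KeyInfo/X509Data.
     *
     * <p>This method only reads the certificate; whether the signature itself
     * was validated against it is the job of {@code Capability.verify()},
     * which is called before this method.
     *
     * @param element DOM element of the assertion
     * @return subject DN of the first certificate (never {@code null})
     * @throws CapabilityException if the assertion has no Signature, no
     *         X509Data, exactly one X509Data is not present, no certificate is
     *         present, or the certificate cannot be parsed
     */
    private Principal getSubjectDN(Element element) throws CapabilityException {
        try {
            Element signature = XML.getFirstChildElement(element, WSConstants.SIG_NS, SignatureType.NAME);
            if (signature == null) {
                throw new CapabilityException("assertion carries no Signature element");
            }
            KeyInfo keyInfo = new XMLSignature(signature, (String) null).getKeyInfo();
            if (keyInfo == null || !keyInfo.containsX509Data()) {
                logger.info("try to get x509 data from security token");
                // No such fallback exists; fail closed instead of dereferencing null.
                throw new CapabilityException("no X509Data in the assertion signature's KeyInfo");
            }
            logger.info("keyinfo contains x509 data");
            int lengthX509Data = keyInfo.lengthX509Data();
            if (lengthX509Data != 1) {
                throw new CapabilityException("invalidX509Data: length=" + lengthX509Data);
            }
            X509Data x509Data = keyInfo.itemX509Data(0);
            int lengthCertificate = x509Data.lengthCertificate();
            if (lengthCertificate <= 0) {
                throw new CapabilityException("invalidCertData: length=" + lengthCertificate);
            }
            // Every certificate is parsed (a malformed chain still fails), but
            // only the first one names the issuer.
            X509Certificate[] certs = new X509Certificate[lengthCertificate];
            for (int i = 0; i < lengthCertificate; i++) {
                byte[] der = x509Data.itemCertificate(i).getCertificateBytes();
                certs[i] = CertUtil.loadCertificate(new ByteArrayInputStream(der));
            }
            return certs[0].getSubjectDN();
        } catch (XMLSecurityException e) {
            throw new CapabilityException("xml security problem", e);
        } catch (GeneralSecurityException e2) {
            throw new CapabilityException("general security problem", e2);
        }
    }

    /**
     * Collects the local names of the SOAP Body's element children; these are
     * the actions the capability must cover.
     *
     * @param xmlElement SOAP envelope
     * @return non-empty list of operation names
     * @throws CapabilityException if the envelope or its Body is missing, or
     *         the Body has no element children
     */
    private Vector getSoapActions(XmlElement xmlElement) throws CapabilityException {
        if (xmlElement == null) {
            throw new CapabilityException("SOAP Env null");
        }
        XmlElement body = xmlElement.element((XmlNamespace) null, "Body");
        if (body == null) {
            throw new CapabilityException("no SOAP body can be found");
        }
        Iterator children = body.children();
        if (children == null) {
            throw new CapabilityException("Body has no children");
        }
        Vector actions = new Vector(1);
        while (children.hasNext()) {
            Object child = children.next();
            // Non-element children (e.g. whitespace text) are not operations;
            // the original cast them blindly and crashed with ClassCastException.
            if (child instanceof XmlElement) {
                actions.add(((XmlElement) child).getName());
            }
        }
        // An empty action list would make checkActions a no-op; refuse it.
        if (actions.isEmpty()) {
            throw new CapabilityException("Body has no children");
        }
        return actions;
    }

    static {
        Init.init();
        dbfNonValidating = DocumentBuilderFactory.newInstance();
        dbfNonValidating.setNamespaceAware(true);
        // Harden the factory against entity expansion / XXE in case it is ever
        // handed untrusted XML; an unsupported feature is logged, not fatal,
        // so class loading cannot break on an old parser.
        dbfNonValidating.setExpandEntityReferences(false);
        try {
            dbfNonValidating.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        } catch (ParserConfigurationException e) {
            logger.info("XML parser does not support secure processing: " + e.getMessage());
        }
    }
}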
