package edu.internet2.middleware.shibboleth.aap.provider;

import edu.internet2.middleware.shibboleth.aap.AAP;
import edu.internet2.middleware.shibboleth.aap.AttributeRule;
import edu.internet2.middleware.shibboleth.common.PluggableConfigurationComponent;
import edu.internet2.middleware.shibboleth.metadata.EntitiesDescriptor;
import edu.internet2.middleware.shibboleth.metadata.RoleDescriptor;
import edu.internet2.middleware.shibboleth.metadata.ScopedRoleDescriptor;
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;
import java.util.SortedMap;
import java.util.TreeMap;
import java.util.regex.PatternSyntaxException;
import org.apache.log4j.Logger;
import org.opensaml.MalformedException;
import org.opensaml.SAMLAttribute;
import org.opensaml.SAMLException;
import org.opensaml.XML;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;

/* loaded from: input_file:edu/internet2/middleware/shibboleth/aap/provider/XMLAAPProvider.class */
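/**
 * Attribute Acceptance Policy (AAP) provider backed by a {@code shib:AttributeAcceptancePolicy}
 * DOM element.
 *
 * <p>Each {@code AttributeRule} element becomes an {@link XMLAttributeRule}, indexed by
 * {@code name!!namespace} and, when present, by alias. A rule filters the values of a
 * {@link SAMLAttribute} through per-site and any-site accept/deny lists for values and scopes.
 *
 * <p>This is a filtering control on attribute values that arrive from another party, so the
 * accept/deny decisions below are written to fail closed: a value no rule accepts is rejected.
 *
 * <p>NOTE(review): the maps are plain {@link TreeMap}s and {@link #initialize(Element)} adds to them
 * without clearing; nothing visible here makes concurrent or repeated initialisation safe.
 */
public class XMLAAPProvider implements AAP, PluggableConfigurationComponent {
    /** Namespace used for attribute rules that do not declare one. */
    private static final String DEFAULT_ATTRIBUTE_NAMESPACE = "urn:mace:shibboleth:1.0:attributeNamespace:uri";

    /** Shibboleth policy namespace that all policy elements are looked up in. */
    private static final String SHIB_NS = edu.internet2.middleware.shibboleth.common.XML.SHIB_NS;

    /** Separator between attribute name and namespace in {@link #attrmap} keys. */
    private static final String KEY_SEPARATOR = "!!";

    private static Logger log;

    /** Attribute rules keyed by {@code name + "!!" + namespace}, sorted so a name-only lookup can scan by prefix. */
    private SortedMap<String, XMLAttributeRule> attrmap = new TreeMap<String, XMLAttributeRule>();

    /** Attribute rules keyed by alias. */
    private SortedMap<String, XMLAttributeRule> aliasmap = new TreeMap<String, XMLAttributeRule>();

    /** True once an {@code AnyAttribute} element has been seen in the policy. */
    private boolean anyAttribute = false;

    /** Cached class reference; retained from the original layout (looks compiler-generated). */
    static Class class$0;

    static {
        // A class literal cannot fail at run time, so the Class.forName/ClassNotFoundException
        // dance (which also called a non-existent Class.getMessage()) is not needed.
        class$0 = XMLAAPProvider.class;
        log = Logger.getLogger(class$0.getName());
    }

    /**
     * Acceptance rule for a single attribute, parsed from one {@code AttributeRule} element.
     */
    public class XMLAttributeRule implements AttributeRule {
        private String name;
        private String namespace;
        private String alias;
        private String header;
        private boolean caseSensitive;
        private boolean scoped;

        /** Rules taken from the {@code AnySite} child; always evaluated last. */
        private SiteRule anySiteRule = new SiteRule(this);

        /** Rules from {@code SiteRule} children, keyed by their {@code Name} attribute. */
        private Map<String, SiteRule> siteMap = new HashMap<String, SiteRule>();

        /** Explicit reference to the enclosing provider (looks compiler-generated). */
        final XMLAAPProvider this$0;

        /**
         * One accept or deny expression together with the way it is matched.
         */
        public class Rule {
            /** Expression is compared for equality. */
            static final int LITERAL = 0;
            /** Expression is a regular expression that must match the whole value. */
            static final int REGEXP = 1;
            /** Expression is an XPath; parsed but not evaluated by this class. */
            static final int XPATH = 2;

            int type;
            String expression;
            final XMLAttributeRule this$1;

            Rule(XMLAttributeRule xMLAttributeRule, int i, String str) {
                this.this$1 = xMLAttributeRule;
                this.type = i;
                this.expression = str;
            }
        }

        /**
         * Accept/deny lists for values and scopes that apply to one site, one group of sites,
         * or (for the any-site rule) every site.
         */
        public class SiteRule {
            /** When true every value passes value filtering; scopes are still checked. */
            boolean anyValue = false;
            ArrayList<Rule> valueDenials = new ArrayList<Rule>();
            ArrayList<Rule> valueAccepts = new ArrayList<Rule>();
            ArrayList<Rule> scopeDenials = new ArrayList<Rule>();
            ArrayList<Rule> scopeAccepts = new ArrayList<Rule>();
            final XMLAttributeRule this$1;

            SiteRule(XMLAttributeRule xMLAttributeRule) {
                this.this$1 = xMLAttributeRule;
            }
        }

        /**
         * Parses one {@code AttributeRule} element.
         *
         * @param xMLAAPProvider the enclosing provider
         * @param element the {@code AttributeRule} element
         * @throws MalformedException if a value or scope rule declares an unknown {@code Type}
         */
        XMLAttributeRule(XMLAAPProvider xMLAAPProvider, Element element) throws MalformedException {
            this.this$0 = xMLAAPProvider;
            this.alias = XML.assign(element.getAttributeNS(null, "Alias"));
            this.header = XML.assign(element.getAttributeNS(null, "Header"));
            this.name = XML.assign(element.getAttributeNS(null, "Name"));

            String declaredNamespace = XML.assign(element.getAttributeNS(null, "Namespace"));
            this.namespace = declaredNamespace != null ? declaredNamespace : DEFAULT_ATTRIBUTE_NAMESPACE;

            this.scoped = isTrue(XML.assign(element.getAttributeNS(null, "Scoped")));

            // Case sensitivity is the default; only an explicit non-true value switches it off.
            String caseFlag = XML.assign(element.getAttributeNS(null, "CaseSensitive"));
            this.caseSensitive = XML.isEmpty(caseFlag) || isTrue(caseFlag);

            // AnySite is only honoured when it is the first child element.
            Element firstChildElement = XML.getFirstChildElement(element);
            if (firstChildElement != null && XML.isElementNamed(firstChildElement, SHIB_NS, "AnySite")) {
                loadSiteRule(firstChildElement, this.anySiteRule);
            }

            NodeList siteRuleElements = element.getElementsByTagNameNS(SHIB_NS, "SiteRule");
            for (int i = 0; i < siteRuleElements.getLength(); i++) {
                Element siteRuleElement = (Element) siteRuleElements.item(i);
                SiteRule siteRule = new SiteRule(this);
                this.siteMap.put(siteRuleElement.getAttributeNS(null, "Name"), siteRule);
                loadSiteRule(siteRuleElement, siteRule);
            }
        }

        /**
         * Fills {@code target} from the {@code Scope}, {@code AnyValue} and {@code Value}
         * descendants of {@code container}. Any {@code Scope} element marks the attribute as scoped.
         * {@code Value} elements are ignored when {@code AnyValue} is present.
         */
        private void loadSiteRule(Element container, SiteRule target) throws MalformedException {
            NodeList scopeElements = container.getElementsByTagNameNS(SHIB_NS, "Scope");
            for (int i = 0; i < scopeElements.getLength(); i++) {
                this.scoped = true;
                addRule((Element) scopeElements.item(i), target.scopeAccepts, target.scopeDenials);
            }

            if (container.getElementsByTagNameNS(SHIB_NS, "AnyValue").getLength() > 0) {
                target.anyValue = true;
                return;
            }

            NodeList valueElements = container.getElementsByTagNameNS(SHIB_NS, "Value");
            for (int i = 0; i < valueElements.getLength(); i++) {
                addRule((Element) valueElements.item(i), target.valueAccepts, target.valueDenials);
            }
        }

        /**
         * Adds the rule described by {@code ruleElement} to {@code accepts} or {@code denials}.
         * Elements whose first child is not a text node carry no expression and are skipped.
         */
        private void addRule(Element ruleElement, ArrayList<Rule> accepts, ArrayList<Rule> denials)
                throws MalformedException {
            Node text = ruleElement.getFirstChild();
            if (text == null || text.getNodeType() != Node.TEXT_NODE) {
                return;
            }
            // The decision must come from this element's own Accept attribute. The previous code
            // tested the attribute rule's CaseSensitive value here, so CaseSensitive="true" turned
            // every deny rule into an accept rule, and an explicit Accept="true" was filed as a
            // denial whenever CaseSensitive was absent. Anything other than absent/"1"/"true"
            // is treated as a denial, which fails closed on typos.
            String acceptFlag = ruleElement.getAttributeNS(null, "Accept");
            boolean accepting = XML.isEmpty(acceptFlag) || isTrue(acceptFlag);
            Rule rule = new Rule(this, toValueType(ruleElement), text.getNodeValue());
            if (accepting) {
                accepts.add(rule);
            } else {
                denials.add(rule);
            }
        }

        /**
         * Maps the {@code Type} attribute of a value or scope element to a {@link Rule} type.
         *
         * @return {@link Rule#LITERAL} when the attribute is absent or {@code literal},
         *     {@link Rule#REGEXP} for {@code regexp}, {@link Rule#XPATH} for {@code xpath}
         * @throws MalformedException for any other value
         */
        private int toValueType(Element element) throws MalformedException {
            if (!element.hasAttributeNS(null, "Type")) {
                return Rule.LITERAL;
            }
            String type = element.getAttributeNS(null, "Type");
            if (XML.safeCompare("literal", type)) {
                return Rule.LITERAL;
            }
            if (XML.safeCompare("regexp", type)) {
                return Rule.REGEXP;
            }
            if (XML.safeCompare("xpath", type)) {
                return Rule.XPATH;
            }
            throw new MalformedException("Found an invalid value or scope rule type.");
        }

        @Override
        public String getName() {
            return this.name;
        }

        @Override
        public String getNamespace() {
            return this.namespace;
        }

        @Override
        public String getAlias() {
            return this.alias;
        }

        @Override
        public String getHeader() {
            return this.header;
        }

        @Override
        public boolean getCaseSensitive() {
            return this.caseSensitive;
        }

        @Override
        public boolean getScoped() {
            return this.scoped;
        }

        /**
         * Removes from {@code sAMLAttribute} every value this rule does not accept.
         *
         * @param sAMLAttribute the attribute to filter in place
         * @param roleDescriptor the role the attribute came from; site rules and metadata scopes
         *     are only consulted when it is a {@link ScopedRoleDescriptor}
         * @throws SAMLException if removing a value fails
         */
        @Override
        public void apply(SAMLAttribute sAMLAttribute, RoleDescriptor roleDescriptor) throws SAMLException {
            ScopedRoleDescriptor scopedRoleDescriptor =
                    roleDescriptor instanceof ScopedRoleDescriptor ? (ScopedRoleDescriptor) roleDescriptor : null;

            NodeList valueElements = sAMLAttribute.getValueElements();
            if (valueElements == null) {
                return; // no value elements to filter
            }

            // NOTE(review): if getValueElements() hands back a live DOM NodeList, removing a value
            // while walking it would skip the element that slides into the vacated slot, leaving an
            // unchecked value in the attribute. Walking a snapshot is correct for both a live and a
            // static list.
            ArrayList<Element> snapshot = new ArrayList<Element>();
            for (int i = 0; i < valueElements.getLength(); i++) {
                snapshot.add((Element) valueElements.item(i));
            }

            int kept = 0; // index of the next value in the attribute, counting only accepted ones
            for (Element valueElement : snapshot) {
                if (accept(valueElement, scopedRoleDescriptor)) {
                    kept++;
                } else {
                    sAMLAttribute.removeValue(kept);
                }
            }
        }

        /**
         * Tests whether {@code str2} matches the regular expression {@code str} in full.
         *
         * <p>A {@code null} argument or an invalid expression yields {@code false}.
         * NOTE(review): for a denial rule that means an invalid expression never denies; the error
         * log is the only signal, so policy files are worth validating before deployment. The
         * expression is evaluated against values supplied by the remote site, so patterns prone to
         * heavy backtracking should be avoided in policy and metadata.
         *
         * @param str the regular expression
         * @param str2 the value to test
         */
        boolean match(String str, String str2) {
            if (str == null || str2 == null) {
                return false;
            }
            try {
                return str2.matches(str);
            } catch (PatternSyntaxException e) {
                XMLAAPProvider.log.error("caught exception while parsing regular expression (" + str + ")", e);
                return false;
            }
        }

        /**
         * Decides whether the {@code Scope} attribute of a value element is acceptable.
         *
         * <p>Without a scope the value passes only if the attribute is not scoped. Otherwise each
         * site rule is consulted in order (denials before accepts within a rule), then the scopes
         * published in the site's metadata; a scope nothing accepts is rejected.
         *
         * @param element the attribute value element
         * @param scopedRoleDescriptor the originating role, or {@code null}
         * @param collection the {@link SiteRule}s to consult, in priority order
         * @return {@code true} if the scope is acceptable
         */
        public boolean scopeCheck(Element element, ScopedRoleDescriptor scopedRoleDescriptor, Collection collection) {
            String scope = XML.assign(element.getAttributeNS(null, "Scope"));
            if (scope == null) {
                if (this.scoped) {
                    XMLAAPProvider.log.warn("attribute (" + this.name + ") is scoped, no scope supplied, rejecting it");
                }
                return !this.scoped;
            }

            for (Object candidate : collection) {
                SiteRule siteRule = (SiteRule) candidate;
                for (Rule denial : siteRule.scopeDenials) {
                    if (scopeMatches(denial, scope)) {
                        XMLAAPProvider.log.warn("attribute (" + this.name + ") scope {" + scope
                                + "} denied by site rule, rejecting it");
                        return false;
                    }
                }
                for (Rule acceptance : siteRule.scopeAccepts) {
                    if (scopeMatches(acceptance, scope)) {
                        XMLAAPProvider.log.debug("matching site rule, scope match");
                        return true;
                    }
                }
            }

            if (scopedRoleDescriptor != null) {
                Iterator scopes = scopedRoleDescriptor.getScopes();
                while (scopes.hasNext()) {
                    ScopedRoleDescriptor.Scope metadataScope = (ScopedRoleDescriptor.Scope) scopes.next();
                    if ((metadataScope.regexp && match(metadataScope.scope, scope))
                            || XML.safeCompare(metadataScope.scope, scope)) {
                        XMLAAPProvider.log.debug("scope match via site metadata");
                        return true;
                    }
                }
            }

            XMLAAPProvider.log.warn("attribute (" + this.name + ") scope {" + scope + "} not accepted");
            return false;
        }

        /** Applies one scope rule to {@code scope}; XPath rules are reported and never match. */
        private boolean scopeMatches(Rule rule, String scope) {
            switch (rule.type) {
                case Rule.LITERAL:
                    return XML.safeCompare(rule.expression, scope);
                case Rule.REGEXP:
                    return match(rule.expression, scope);
                case Rule.XPATH:
                    XMLAAPProvider.log.warn("scope checking does not permit XPath rules");
                    return false;
                default:
                    return false;
            }
        }

        /** Applies one value rule to {@code value}; XPath rules are reported and never match. */
        private boolean valueMatches(Rule rule, String value) {
            switch (rule.type) {
                case Rule.LITERAL:
                    // safeCompare returns true on equality (see its use for "1"/"true" flags). The
                    // previous case-sensitive branch negated it, so a literal rule fired for every
                    // value EXCEPT the one it named: accept rules let arbitrary values through and
                    // deny rules missed their target.
                    return this.caseSensitive
                            ? XML.safeCompare(rule.expression, value)
                            : rule.expression.equalsIgnoreCase(value);
                case Rule.REGEXP:
                    return match(rule.expression, value);
                case Rule.XPATH:
                    XMLAAPProvider.log.warn("implementation does not support XPath value rules");
                    return false;
                default:
                    return false;
            }
        }

        /**
         * Decides whether one attribute value element passes this rule.
         *
         * <p>Rules are consulted in order: the rule named after the site, rules named after each
         * enclosing group of sites, then the any-site rule. Within a rule denials are checked before
         * accepts. A value that matches an accept (or any rule with {@code AnyValue}) must still
         * pass {@link #scopeCheck}. Values whose first child is not text can only be accepted by an
         * {@code AnyValue} rule.
         *
         * @param element the attribute value element
         * @param scopedRoleDescriptor the originating role, or {@code null} if unknown
         * @return {@code true} if the value is accepted
         */
        boolean accept(Element element, ScopedRoleDescriptor scopedRoleDescriptor) {
            XMLAAPProvider.log.debug("evaluating value for attribute (" + this.name + ") from site ("
                    + (scopedRoleDescriptor != null ? scopedRoleDescriptor.getEntityDescriptor().getId() : "<unspecified>")
                    + ")");

            ArrayList<SiteRule> applicable = new ArrayList<SiteRule>();
            if (scopedRoleDescriptor != null) {
                SiteRule ownRule = this.siteMap.get(scopedRoleDescriptor.getEntityDescriptor().getId());
                if (ownRule != null) {
                    applicable.add(ownRule);
                }
                for (EntitiesDescriptor group = scopedRoleDescriptor.getEntityDescriptor().getEntitiesDescriptor();
                        group != null;
                        group = group.getEntitiesDescriptor()) {
                    SiteRule groupRule = this.siteMap.get(group.getName());
                    if (groupRule != null) {
                        applicable.add(groupRule);
                    }
                }
            }
            applicable.add(this.anySiteRule);

            Node firstChild = element.getFirstChild();
            boolean simple = firstChild != null && firstChild.getNodeType() == Node.TEXT_NODE;
            // An empty value element has no child at all; the old rejection log dereferenced it.
            String value = firstChild != null ? firstChild.getNodeValue() : null;

            for (SiteRule siteRule : applicable) {
                if (siteRule.anyValue) {
                    XMLAAPProvider.log.debug("matching site rule, any value match");
                    return scopeCheck(element, scopedRoleDescriptor, applicable);
                }
                if (!simple) {
                    continue;
                }
                for (Rule denial : siteRule.valueDenials) {
                    if (valueMatches(denial, value)) {
                        XMLAAPProvider.log.warn("attribute (" + this.name
                                + ") value explicitly denied by site rule, rejecting it");
                        return false;
                    }
                }
                for (Rule acceptance : siteRule.valueAccepts) {
                    if (valueMatches(acceptance, value)) {
                        XMLAAPProvider.log.debug("site rule, value match");
                        return scopeCheck(element, scopedRoleDescriptor, applicable);
                    }
                }
            }

            // NOTE(review): the rejected value (and, in scopeCheck, the scope) is written to the log
            // as received; confirm the log layout neutralises line breaks in these fields.
            XMLAAPProvider.log.warn((simple ? "" : "complex ") + "attribute (" + this.name + ") value {" + value
                    + ") could not be validated by policy, rejecting it");
            return false;
        }
    }

    /**
     * Creates a provider from a policy document.
     *
     * @param element the {@code shib:AttributeAcceptancePolicy} root element
     * @throws MalformedException if the element is not a valid policy root or a rule is malformed
     */
    public XMLAAPProvider(Element element) throws MalformedException {
        initialize(element);
    }

    /** Creates an empty provider; {@link #initialize(Element)} loads the policy. */
    public XMLAAPProvider() {
    }

    /**
     * Loads every {@code AttributeRule} of the policy into the name and alias indexes.
     *
     * <p>An {@code AnyAttribute} child sets the flag returned by {@link #anyAttribute()}; as the
     * warning below says, that switches off value and scope filtering, so it deserves attention
     * when it shows up in a production log.
     *
     * @param element the {@code shib:AttributeAcceptancePolicy} root element
     * @throws MalformedException if the root element is wrong or a rule is malformed
     */
    @Override
    public void initialize(Element element) throws MalformedException {
        if (!XML.isElementNamed(element, SHIB_NS, "AttributeAcceptancePolicy")) {
            log.error("Construction requires a valid AAP file: (shib:AttributeAcceptancePolicy as root element)");
            throw new MalformedException("Construction requires a valid AAP file: (shib:AttributeAcceptancePolicy as root element)");
        }
        if (XML.getFirstChildElement(element, SHIB_NS, "AnyAttribute") != null) {
            this.anyAttribute = true;
            log.warn("<AnyAttribute> found, will short-circuit all attribute value and scope filtering");
        }

        NodeList ruleElements = element.getElementsByTagNameNS(SHIB_NS, "AttributeRule");
        for (int i = 0; i < ruleElements.getLength(); i++) {
            XMLAttributeRule rule = new XMLAttributeRule(this, (Element) ruleElements.item(i));
            String namespace = rule.getNamespace() != null ? rule.getNamespace() : DEFAULT_ATTRIBUTE_NAMESPACE;
            // String.valueOf keeps the historical key for a rule without a Name ("null!!namespace").
            this.attrmap.put(String.valueOf(rule.getName()) + KEY_SEPARATOR + namespace, rule);
            if (rule.getAlias() != null) {
                this.aliasmap.put(rule.getAlias(), rule);
            }
        }
    }

    /**
     * @return {@code true} if the policy contained {@code AnyAttribute}
     */
    @Override
    public boolean anyAttribute() {
        return this.anyAttribute;
    }

    /**
     * Finds the rule for an attribute name and namespace.
     *
     * @param str the attribute name
     * @param str2 the attribute namespace, or {@code null} to take the first rule with that name
     *     in key order
     * @return the matching rule, or {@code null} if there is none
     */
    @Override
    public AttributeRule lookup(String str, String str2) {
        if (str2 != null) {
            return this.attrmap.get(String.valueOf(str) + KEY_SEPARATOR + str2);
        }
        if (str == null) {
            return null; // a sorted map cannot be searched with a null key
        }
        // Search from the full "name!!" prefix: starting at the bare name could land on a key for
        // a different, longer name that sorts before "name!!" and hide a rule that exists.
        String prefix = str + KEY_SEPARATOR;
        SortedMap<String, XMLAttributeRule> candidates = this.attrmap.tailMap(prefix);
        if (candidates.isEmpty()) {
            return null; // firstKey() would throw NoSuchElementException here
        }
        String firstKey = candidates.firstKey();
        return firstKey.startsWith(prefix) ? candidates.get(firstKey) : null;
    }

    /**
     * Finds the rule registered under an alias.
     *
     * @param str the alias
     * @return the matching rule, or {@code null} if there is none
     */
    @Override
    public AttributeRule lookup(String str) {
        return this.aliasmap.get(str);
    }

    /**
     * @return an iterator over all attribute rules in key order
     */
    @Override
    public Iterator getAttributeRules() {
        return this.attrmap.values().iterator();
    }
}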
