package ca.nrc.cadc.ac.server;

import ca.nrc.cadc.ac.Group;
import ca.nrc.cadc.ac.Role;
import ca.nrc.cadc.ac.User;
import ca.nrc.cadc.ac.UserNotFoundException;
import ca.nrc.cadc.ac.client.GroupMemberships;
import ca.nrc.cadc.auth.AuthMethod;
import ca.nrc.cadc.auth.AuthenticationUtil;
import ca.nrc.cadc.auth.DNPrincipal;
import ca.nrc.cadc.auth.HttpPrincipal;
import ca.nrc.cadc.auth.IdentityManager;
import ca.nrc.cadc.auth.NumericPrincipal;
import ca.nrc.cadc.auth.PosixPrincipal;
import ca.nrc.cadc.auth.TokenValidator;
import ca.nrc.cadc.profiler.Profiler;
import ca.nrc.cadc.reg.Standards;
import java.net.URI;
import java.security.AccessControlException;
import java.security.Principal;
import java.util.Collections;
import java.util.Iterator;
import java.util.Set;
import java.util.TreeSet;
import javax.security.auth.Subject;
import javax.security.auth.x500.X500Principal;
import org.apache.log4j.Logger;

/* loaded from: input_file:ca/nrc/cadc/ac/server/IdentityManagerImpl.class */
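/**
 * IdentityManager for the access-control service.
 *
 * <p>Validation is delegated to {@link TokenValidator}. Augmentation looks the
 * caller up in the configured {@link UserPersistence} and replaces whatever the
 * caller presented with the identities the persistence layer knows for that
 * user, caching the user's group memberships in the Subject's private
 * credentials. A non-anonymous subject that cannot be resolved to a
 * {@link NumericPrincipal} is downgraded to the anonymous subject (fail closed).
 */
public class IdentityManagerImpl implements IdentityManager {
    private static final Logger log = Logger.getLogger(IdentityManagerImpl.class);

    /** Security methods this service advertises; unmodifiable, populated once below. */
    private static final Set<URI> SEC_METHODS;

    static {
        TreeSet<URI> methods = new TreeSet<URI>();
        methods.add(Standards.SECURITY_METHOD_ANON);
        methods.add(Standards.SECURITY_METHOD_CERT);
        methods.add(Standards.SECURITY_METHOD_COOKIE);
        methods.add(Standards.SECURITY_METHOD_TOKEN);
        SEC_METHODS = Collections.unmodifiableSet(methods);
    }

    /**
     * @return the unmodifiable set of security-method URIs (anon, cert, cookie, token)
     */
    public Set<URI> getSecurityMethods() {
        return SEC_METHODS;
    }

    /**
     * Validates the credentials carried by the subject.
     *
     * @param subject subject to validate
     * @return the subject returned by {@link TokenValidator#validateTokens(Subject)}
     * @throws AccessControlException propagated from the token validator
     */
    public Subject validate(Subject subject) throws AccessControlException {
        return TokenValidator.validateTokens(subject);
    }

    /**
     * Augments a non-anonymous subject with the identities and group
     * memberships recorded for it in the user persistence layer.
     *
     * <p>Anonymous subjects (no auth method, or {@link AuthMethod#ANON}) are
     * returned untouched. Otherwise, when the subject carries at least one
     * principal, {@link #augmentSubject(Subject)} is run and the result is
     * accepted only if it now holds a {@link NumericPrincipal}; anything else
     * is replaced by the anonymous subject so that an unresolvable caller
     * never keeps its self-asserted principals.
     *
     * @param subject subject to augment (may be replaced, not mutated, when dropped to anon)
     * @return the augmented subject, the original anonymous subject, or the anon subject
     */
    public Subject augment(Subject subject) {
        Profiler profiler = new Profiler(IdentityManagerImpl.class);
        // Log the principals rather than the Subject itself: Subject.toString()
        // also renders the private credentials (through their own toString()),
        // which could put tokens or other secrets into the log.
        log.debug("ac augment subject principals: " + principalsOf(subject));
        AuthMethod authMethod = AuthenticationUtil.getAuthMethod(subject);
        if (authMethod == null || AuthMethod.ANON.equals(authMethod)) {
            log.debug("returning anon subject");
            return subject;
        }
        if (subject != null && !subject.getPrincipals().isEmpty()) {
            Profiler augmentProfiler = new Profiler(IdentityManagerImpl.class);
            augmentSubject(subject);
            augmentProfiler.checkpoint("userDAO.augmentSubject()");
            if (subject.getPrincipals(NumericPrincipal.class).isEmpty()) {
                // Fail closed: no resolved identity means no authenticated identity.
                log.debug("NumericPrincipal not found - dropping to anon: " + principalsOf(subject));
                subject = AuthenticationUtil.getAnonSubject();
            }
        }
        profiler.checkpoint("getSubject");
        return subject;
    }

    /**
     * Looks the subject up in the user persistence layer and, in place:
     * removes every {@link HttpPrincipal} the caller presented, adds the
     * identities stored for the user, and stores the user's
     * {@link GroupMemberships} as a private credential.
     *
     * <p>The HttpPrincipal removal happens before the lookup, so a subject
     * whose user is not found ({@link UserNotFoundException}, logged and
     * swallowed) is left without its HttpPrincipal(s) and without any added
     * identity; {@link #augment(Subject)} then downgrades it to anonymous.
     *
     * @param subject subject to modify in place; must not be null
     * @throws IllegalStateException wrapping any failure other than user-not-found,
     *         including a persistence layer that returns no membership cache
     */
    public void augmentSubject(Subject subject) {
        try {
            Profiler profiler = new Profiler(IdentityManagerImpl.class);
            UserPersistence userPersistence = new PluginFactory().createUserPersistence();
            Principal lookupPrincipal = getLdapPrincipal(subject);

            // The persistence layer is the authority on this user's identities;
            // drop the caller-supplied HttpPrincipal(s) before merging its answer.
            subject.getPrincipals().removeAll(subject.getPrincipals(HttpPrincipal.class));

            User augmentedUser = userPersistence.getAugmentedUser(lookupPrincipal, true);
            if (augmentedUser.getIdentities() == null) {
                // Nothing to add; the original called addAll(null) here and failed
                // with an NPE that surfaced as "Internal error".
                log.debug("Null identities after augment");
            } else {
                log.debug("Found " + augmentedUser.getIdentities().size() + " principals after augment");
                subject.getPrincipals().addAll(augmentedUser.getIdentities());
            }

            if (augmentedUser.appData == null) {
                throw new RuntimeException("BUG: expected getAugmentedUser to return GroupMembership cache");
            }
            log.debug("found: " + augmentedUser.appData.getClass().getName());
            try {
                GroupMemberships memberships = (GroupMemberships) augmentedUser.appData;
                for (Object group : memberships.getMemberships(Role.ADMIN)) {
                    log.debug("GroupMemberships admin: " + ((Group) group).getID());
                }
                for (Object group : memberships.getMemberships(Role.MEMBER)) {
                    log.debug("GroupMemberships member: " + ((Group) group).getID());
                }
                // Membership cache travels with the Subject as a private credential.
                subject.getPrivateCredentials().add(memberships);
                augmentedUser.appData = null;
                profiler.checkpoint("augmentSubject");
            } catch (Exception e) {
                throw new RuntimeException("BUG: found User.appData but could not store in Subject as GroupMemberships cache", e);
            }
        } catch (UserNotFoundException e2) {
            log.debug("could not find user for augmenting", e2);
        } catch (Exception e3) {
            throw new IllegalStateException("Internal error", e3);
        }
    }

    /** Not supported by this implementation. */
    public Subject toSubject(Object obj) {
        throw new UnsupportedOperationException();
    }

    /** Not supported by this implementation. */
    public Object toOwner(Subject subject) {
        throw new UnsupportedOperationException();
    }

    /**
     * Human-readable name for the subject: the name of its first
     * {@link HttpPrincipal} if it has one, else the name of its first
     * principal of any type.
     *
     * @param subject subject to describe
     * @return display name, or null when the subject is null or has no principals
     */
    public String toDisplayString(Subject subject) {
        if (subject == null) {
            return null;
        }
        Set<HttpPrincipal> httpPrincipals = subject.getPrincipals(HttpPrincipal.class);
        if (!httpPrincipals.isEmpty()) {
            return httpPrincipals.iterator().next().getName();
        }
        Set<Principal> allPrincipals = subject.getPrincipals();
        if (allPrincipals.isEmpty()) {
            return null;
        }
        return allPrincipals.iterator().next().getName();
    }

    /**
     * Picks the principal used to look the user up: the first principal that
     * is one of the supported lookup types. When none matches, the last
     * principal iterated is returned as a fallback (null for an empty set);
     * the persistence layer is then expected to reject or miss on it.
     */
    private static Principal getLdapPrincipal(Subject subject) {
        Principal fallback = null;
        for (Principal candidate : subject.getPrincipals()) {
            if (isLookupType(candidate)) {
                return candidate;
            }
            fallback = candidate;
        }
        return fallback;
    }

    /** True for the principal types the persistence layer can be queried with. */
    private static boolean isLookupType(Principal p) {
        return p instanceof HttpPrincipal
                || p instanceof X500Principal
                || p instanceof NumericPrincipal
                || p instanceof DNPrincipal
                || p instanceof PosixPrincipal;
    }

    /** Principals of the subject for logging, or null for a null subject. */
    private static Set<Principal> principalsOf(Subject subject) {
        return subject == null ? null : subject.getPrincipals();
    }
}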
