package org.opencadc.auth;

import ca.nrc.cadc.auth.AuthMethod;
import ca.nrc.cadc.auth.AuthenticationUtil;
import ca.nrc.cadc.auth.AuthorizationToken;
import ca.nrc.cadc.auth.AuthorizationTokenPrincipal;
import ca.nrc.cadc.auth.HttpPrincipal;
import ca.nrc.cadc.auth.IdentityManager;
import ca.nrc.cadc.auth.NotAuthenticatedException;
import ca.nrc.cadc.auth.NumericPrincipal;
import ca.nrc.cadc.auth.PosixPrincipal;
import ca.nrc.cadc.net.HttpGet;
import ca.nrc.cadc.reg.Standards;
import ca.nrc.cadc.reg.client.LocalAuthority;
import ca.nrc.cadc.reg.client.RegistryClient;
import ca.nrc.cadc.util.InvalidConfigException;
import ca.nrc.cadc.util.StringUtil;
import java.io.InputStream;
import java.net.MalformedURLException;
import java.net.URI;
import java.net.URL;
import java.security.Principal;
import java.security.PrivilegedExceptionAction;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import java.util.NoSuchElementException;
import java.util.Set;
import java.util.UUID;
import javax.security.auth.Subject;
import org.apache.log4j.Logger;
import org.json.JSONObject;

/* loaded from: input_file:org/opencadc/auth/StandardIdentityManager.class */
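/**
 * {@link IdentityManager} implementation for OpenID Connect access tokens.
 *
 * <p>Configuration comes from the {@link LocalAuthority}: the OIDC issuer is the service
 * registered for {@link Standards#SECURITY_METHOD_OPENID}, and the hostnames tokens may be
 * sent to are the issuer host plus (when configured) the {@link Standards#GMS_SEARCH_10}
 * provider host. A token presented in the {@code Authorization} header is validated by
 * calling the issuer's {@code userinfo} endpoint with that header; the returned {@code sub}
 * (which must parse as a UUID) and {@code preferred_username} become a {@link NumericPrincipal}
 * and an {@link HttpPrincipal} on the subject. POSIX identity is obtained from a
 * {@link PosixMapperClient} when a {@link Standards#POSIX_USERMAP} service is configured.
 *
 * <p>The raw credential (header value / token string) is never written to the log.
 */
public class StandardIdentityManager implements IdentityManager {
    private static final Logger log = Logger.getLogger(StandardIdentityManager.class);

    /** URI of the configured OIDC issuer; token validation is skipped when this is null. */
    private final URI oidcIssuer;
    private final RegistryClient reg = new RegistryClient();
    /**
     * Hostnames an issued {@link AuthorizationToken} may be sent to. Each token gets its own
     * copy of this list so that per-request additions (see {@link #augment(Subject)}) do not
     * mutate the manager's shared state.
     */
    private final List<String> oidcDomains = new ArrayList<>();
    /** Scope attached to issued tokens. NOTE(review): never assigned in this class, so always null. */
    private URI oidcScope;

    /**
     * Reads the OIDC issuer and token domains from the {@link LocalAuthority}.
     *
     * @throws InvalidConfigException if the configured issuer is not a valid URL
     */
    public StandardIdentityManager() {
        LocalAuthority localAuthority = new LocalAuthority();
        String issuerKey = Standards.SECURITY_METHOD_OPENID.toASCIIString();
        this.oidcIssuer = localAuthority.getServiceURI(issuerKey);
        try {
            // a null issuer is tolerated here because validate() already treats it as "no OIDC"
            if (this.oidcIssuer != null) {
                this.oidcDomains.add(this.oidcIssuer.toURL().getHost());
            }
            String gmsHost = getProviderHostname(localAuthority, Standards.GMS_SEARCH_10);
            if (gmsHost != null) {
                this.oidcDomains.add(gmsHost);
            }
            for (String domain : this.oidcDomains) {
                log.debug("OIDC domain: " + domain);
            }
        } catch (MalformedURLException e) {
            throw new InvalidConfigException("found " + issuerKey + " = " + this.oidcIssuer + " - expected valid URL", e);
        }
    }

    /**
     * Resolves the host of the service registered under {@code uri} for {@link AuthMethod#TOKEN}.
     *
     * @param localAuthority configuration source
     * @param uri            standard identifier of the service to look up
     * @return the service host, or null if no such service (or no token-capable URL) is configured
     */
    private String getProviderHostname(LocalAuthority localAuthority, URI uri) {
        try {
            URI serviceURI = localAuthority.getServiceURI(uri.toASCIIString());
            if (serviceURI == null) {
                return null;
            }
            URL serviceURL = this.reg.getServiceURL(serviceURI, uri, AuthMethod.TOKEN);
            if (serviceURL == null) {
                log.debug("found: " + serviceURI + " not found: " + uri + " + " + AuthMethod.TOKEN);
                return null;
            }
            return serviceURL.getHost();
        } catch (NoSuchElementException e) {
            // LocalAuthority reports an unconfigured service this way; treat as "not available"
            log.debug("not found: " + uri);
            return null;
        }
    }

    /**
     * Validates any OIDC access tokens carried by the subject (see {@link #validateOidcAccessToken}).
     *
     * @param subject subject carrying raw {@link AuthorizationTokenPrincipal}s
     * @return the same subject, with validated tokens replaced by identity principals
     * @throws NotAuthenticatedException if a presented token is malformed or rejected by the issuer
     */
    public Subject validate(Subject subject) throws NotAuthenticatedException {
        validateOidcAccessToken(subject);
        return subject;
    }

    /**
     * Adds the missing half of the identity (POSIX or HTTP) via the configured posix-mapper service.
     *
     * <p>Does nothing when the subject has both or neither of {@link PosixPrincipal} and
     * {@link HttpPrincipal}, or when no {@link Standards#POSIX_USERMAP} service is configured.
     *
     * @param subject subject to augment
     * @return the augmented subject
     * @throws RuntimeException if the mapper call fails or the configured identifier scheme is unsupported
     */
    public Subject augment(Subject subject) {
        boolean hasPosix = !subject.getPrincipals(PosixPrincipal.class).isEmpty();
        boolean hasHttp = !subject.getPrincipals(HttpPrincipal.class).isEmpty();
        // exactly one of the two identities must be present for a lookup to be useful
        if (hasPosix == hasHttp) {
            return subject;
        }
        try {
            LocalAuthority localAuthority = new LocalAuthority();
            URI serviceURI = localAuthority.getServiceURI(Standards.POSIX_USERMAP.toASCIIString());
            if (serviceURI == null) {
                log.debug("did not call PosixMapperClient.augment(Subject): no service configured to provide " + Standards.POSIX_USERMAP.toASCIIString());
                return subject;
            }

            String mapperHost = null;
            PosixMapperClient client;
            String scheme = serviceURI.getScheme();
            if ("ivo".equals(scheme)) {
                client = new PosixMapperClient(serviceURI);
            } else if ("https".equals(scheme) || "http".equals(scheme)) {
                URL url = serviceURI.toURL();
                mapperHost = url.getHost();
                client = new PosixMapperClient(url);
            } else {
                throw new RuntimeException("CONFIG: unsupported posix-mapping identifier scheme: " + serviceURI);
            }

            Subject currentSubject = AuthenticationUtil.getCurrentSubject();
            if (currentSubject != null) {
                return client.augment(subject);
            }
            if (hasHttp) {
                // no caller context: permit the subject's own token to be sent to the mapper host
                // and make the call as that subject
                Iterator<AuthorizationToken> tokens = subject.getPublicCredentials(AuthorizationToken.class).iterator();
                if (tokens.hasNext()) {
                    AuthorizationToken token = tokens.next();
                    if (mapperHost == null) {
                        mapperHost = getProviderHostname(localAuthority, Standards.POSIX_USERMAP);
                    }
                    // guard against adding null or duplicate entries to the token's domain list
                    if (mapperHost != null && !token.getDomains().contains(mapperHost)) {
                        token.getDomains().add(mapperHost);
                    }
                }
                final PosixMapperClient pmc = client;
                return Subject.doAs(subject, (PrivilegedExceptionAction<Subject>) () -> pmc.augment(subject));
            }
            throw new RuntimeException("BUG: did not call PosixMapperClient.augment(Subject)");
        } catch (NoSuchElementException e) {
            log.debug("did not call PosixMapperClient.augment(Subject): no service configured to provide " + Standards.POSIX_USERMAP.toASCIIString());
        } catch (Exception e) {
            throw new RuntimeException("FAIL: PosixMapperClient.augment(Subject)", e);
        }
        return subject;
    }

    /**
     * Builds a subject from a persisted owner value (a {@link UUID} or its string form).
     *
     * <p>If the current caller subject already carries a matching {@link NumericPrincipal},
     * all of the caller's principals are copied instead of performing any lookup.
     *
     * @param obj owner value; null yields an empty subject
     * @return subject identified by the owner's {@link NumericPrincipal}
     * @throws RuntimeException         if {@code obj} is neither a UUID nor a String
     * @throws IllegalArgumentException if a String owner is not a valid UUID
     */
    public Subject toSubject(Object obj) {
        Subject subject = new Subject();
        if (obj == null) {
            return subject;
        }
        UUID uuid;
        if (obj instanceof UUID) {
            uuid = (UUID) obj;
        } else if (obj instanceof String) {
            uuid = UUID.fromString((String) obj);
        } else {
            throw new RuntimeException("unexpected owner type: " + obj.getClass().getName() + " value: " + obj);
        }
        NumericPrincipal numericPrincipal = new NumericPrincipal(uuid);
        Subject currentSubject = AuthenticationUtil.getCurrentSubject();
        if (currentSubject != null) {
            for (Principal p : currentSubject.getPrincipals()) {
                if (AuthenticationUtil.equals(numericPrincipal, p)) {
                    log.debug("[cache hit] caller Subject matches " + numericPrincipal + ": " + currentSubject);
                    subject.getPrincipals().addAll(currentSubject.getPrincipals());
                    return subject;
                }
            }
        }
        subject.getPrincipals().add(numericPrincipal);
        return subject;
    }

    /**
     * Extracts the persistable owner value: the UUID string of the first {@link NumericPrincipal}.
     *
     * @param subject subject to inspect
     * @return UUID string, or null if the subject has no {@link NumericPrincipal}
     */
    public Object toOwner(Subject subject) {
        Set<NumericPrincipal> principals = subject.getPrincipals(NumericPrincipal.class);
        if (principals.isEmpty()) {
            return null;
        }
        return principals.iterator().next().getUUID().toString();
    }

    /**
     * Human-readable name for a subject: the first {@link HttpPrincipal} name, else the
     * first principal of any type.
     *
     * @param subject subject to describe; may be null
     * @return display name, or null if {@code subject} is null or has no principals
     */
    public String toDisplayString(Subject subject) {
        if (subject == null) {
            return null;
        }
        Set<HttpPrincipal> httpPrincipals = subject.getPrincipals(HttpPrincipal.class);
        if (!httpPrincipals.isEmpty()) {
            return httpPrincipals.iterator().next().getName();
        }
        Set<Principal> all = subject.getPrincipals();
        if (all.isEmpty()) {
            return null;
        }
        return all.iterator().next().getName();
    }

    /**
     * Splits an {@code Authorization} header principal into {challenge type, credentials}.
     *
     * <p>Only the header key is logged; the header value is the credential and must not be logged.
     *
     * @param raw header principal to inspect
     * @return two-element array {challenge type, credentials}, or null if the key is not {@code Authorization}
     * @throws NotAuthenticatedException ({@code INVALID_REQUEST}) if the value is not exactly two space-separated parts
     */
    private static String[] parseAuthorizationHeader(AuthorizationTokenPrincipal raw) {
        log.debug("header key: " + raw.getHeaderKey());
        if (!"Authorization".equalsIgnoreCase(raw.getHeaderKey())) {
            return null;
        }
        String value = raw.getHeaderValue();
        if (value == null) {
            throw new NotAuthenticatedException((String) null, NotAuthenticatedException.AuthError.INVALID_REQUEST, "invalid authorization");
        }
        String[] parts = value.split(" ");
        if (parts.length != 2) {
            throw new NotAuthenticatedException((String) null, NotAuthenticatedException.AuthError.INVALID_REQUEST, "invalid authorization");
        }
        return parts;
    }

    /**
     * Validates each {@code Authorization} header token against the issuer's {@code userinfo} endpoint.
     *
     * <p>On success the raw {@link AuthorizationTokenPrincipal} is replaced by a
     * {@link NumericPrincipal} (from {@code sub}) and an {@link HttpPrincipal}
     * (from {@code preferred_username}), and an {@link AuthorizationToken} is added to the
     * public credentials. No-op when no issuer is configured or no raw tokens are present.
     *
     * @param subject subject to validate and update in place
     * @throws NotAuthenticatedException {@code INVALID_REQUEST} for a malformed header,
     *                                   {@code INVALID_TOKEN} if the userinfo call or its parsing fails
     */
    private void validateOidcAccessToken(Subject subject) {
        log.debug("validateOidcAccessToken - START");
        Set<AuthorizationTokenPrincipal> rawTokens = subject.getPrincipals(AuthorizationTokenPrincipal.class);
        log.debug("token issuer: " + this.oidcIssuer + " rawTokens: " + rawTokens.size());
        if (this.oidcIssuer != null && !rawTokens.isEmpty()) {
            URL userEndpoint = getUserEndpoint();
            for (AuthorizationTokenPrincipal raw : rawTokens) {
                String[] parts = parseAuthorizationHeader(raw);
                if (parts == null) {
                    continue;
                }
                String challengeType = parts[0];
                String credentials = parts[1];
                log.debug("challenge type: " + challengeType);
                try {
                    HttpGet httpGet = new HttpGet(userEndpoint, true);
                    // forward the header exactly as presented so the issuer validates what the caller sent
                    httpGet.setRequestProperty("authorization", raw.getHeaderValue());
                    httpGet.prepare();
                    JSONObject userInfo;
                    try (InputStream in = httpGet.getInputStream()) {
                        userInfo = new JSONObject(StringUtil.readFromInputStream(in, "UTF-8"));
                    }
                    // a non-UUID sub or a missing claim throws here and is reported as INVALID_TOKEN
                    NumericPrincipal numericPrincipal = new NumericPrincipal(UUID.fromString(userInfo.getString("sub")));
                    HttpPrincipal httpPrincipal = new HttpPrincipal(userInfo.getString("preferred_username"));
                    subject.getPrincipals().remove(raw);
                    subject.getPrincipals().add(numericPrincipal);
                    subject.getPrincipals().add(httpPrincipal);
                    // each token gets its own domain list: augment() may add the posix-mapper host to it
                    subject.getPublicCredentials().add(
                            new AuthorizationToken(challengeType, credentials, new ArrayList<>(this.oidcDomains), this.oidcScope));
                } catch (Exception e) {
                    throw new NotAuthenticatedException(challengeType, NotAuthenticatedException.AuthError.INVALID_TOKEN, e.getMessage(), e);
                }
            }
        }
        log.debug("validateOidcAccessToken - DONE");
    }

    /**
     * Derives the issuer's {@code userinfo} URL by appending {@code userinfo} to the issuer URI.
     *
     * @return the userinfo endpoint
     * @throws RuntimeException if the issuer URI does not form a valid URL (a configuration bug)
     */
    private URL getUserEndpoint() {
        try {
            String base = this.oidcIssuer.toASCIIString();
            String separator = base.endsWith("/") ? "" : "/";
            URL url = new URL(base + separator + "userinfo");
            log.debug("oidc.userinfo: " + url);
            return url;
        } catch (MalformedURLException e) {
            throw new RuntimeException("BUG: failed to create valid oidc userinfo url", e);
        }
    }
}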
