package ca.nrc.cadc.log;

import ca.nrc.cadc.auth.AuthenticationUtil;
import ca.nrc.cadc.auth.Authorizer;
import ca.nrc.cadc.cred.client.CredUtil;
import ca.nrc.cadc.net.TransientException;
import ca.nrc.cadc.util.Log4jInit;
import ca.nrc.cadc.util.PropertiesReader;
import ca.nrc.cadc.util.StringUtil;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.io.PrintWriter;
import java.net.URI;
import java.net.URISyntaxException;
import java.security.AccessControlException;
import java.security.Principal;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import java.util.StringTokenizer;
import javax.security.auth.Subject;
import javax.security.auth.x500.X500Principal;
import javax.servlet.ServletConfig;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.log4j.Level;
import org.apache.log4j.Logger;
import org.opencadc.gms.GroupClient;
import org.opencadc.gms.GroupURI;
import org.opencadc.gms.GroupUtil;

/* loaded from: input_file:ca/nrc/cadc/log/LogControlServlet.class */
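public class LogControlServlet extends HttpServlet {
    private static final long serialVersionUID = 200909091014L;
    private static final Logger logger = Logger.getLogger(LogControlServlet.class);
    private static final Level DEFAULT_LEVEL = Level.INFO;
    private static final String LOG_LEVEL_PARAM = "logLevel";
    private static final String PACKAGES_PARAM = "logLevelPackages";
    private static final String GROUP_PARAM = "logAccessGroup";
    private static final String GROUP_AUTHORIZER = "groupAuthorizer";
    private static final String LOG_CONTROL_PROPERTIES = "logControlProperties";
    static final String USER_DNS_PROPERTY = "users";
    static final String GROUP_URIS_PROPERTY = "groups";

    /** Levels accepted (case-insensitively, by name) from init parameters and POST requests. */
    private static final Level[] KNOWN_LEVELS = {
        Level.TRACE, Level.DEBUG, Level.INFO, Level.WARN, Level.ERROR, Level.FATAL
    };

    // Current level; mutated by doPost, so it is shared across all requests to this servlet.
    private Level level = null;
    // Packages whose level this servlet reports on GET and adjusts on POST.
    private List<String> packages;
    // Fully qualified class name of a legacy Authorizer implementation (may be null).
    private String authorizerClassName;
    // Group passed to the Authorizer constructor (may be null).
    private String accessGroup;
    // Path of the properties file holding the "users" and "groups" allow-lists (may be null).
    private String logControlProperties;

    /**
     * Checks access through a legacy {@link Authorizer}: asks for read permission when
     * {@code readOnly} is set, write permission otherwise. Success is signalled by returning
     * normally; the authorizer is expected to throw on denial.
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:ca/nrc/cadc/log/LogControlServlet$GroupAuthorizationAction.class */
    public static class GroupAuthorizationAction implements PrivilegedExceptionAction<Object> {
        private final Authorizer authorizer;
        private final boolean readOnly;

        GroupAuthorizationAction(Authorizer authorizer, boolean readOnly) {
            this.authorizer = authorizer;
            this.readOnly = readOnly;
        }

        /**
         * @return always {@code null}
         * @throws IllegalStateException if the authorizer reports a missing resource
         * @throws Exception whatever the authorizer throws on denial or failure
         */
        @Override // java.security.PrivilegedExceptionAction
        public Object run() throws Exception {
            try {
                // The permission target is not used by this servlet; the authorizer decides
                // solely on the calling Subject.
                if (this.readOnly) {
                    this.authorizer.getReadPermission((URI) null);
                } else {
                    this.authorizer.getWritePermission((URI) null);
                }
                return null;
            } catch (FileNotFoundException e) {
                throw new IllegalStateException("UnexpectedException", e);
            }
        }
    }

    /**
     * Checks membership of the calling Subject in one GMS group. Returns normally when the
     * Subject is a member and throws {@link AccessControlException} otherwise.
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:ca/nrc/cadc/log/LogControlServlet$GroupMemberAction.class */
    public static class GroupMemberAction implements PrivilegedExceptionAction<Object> {
        private final GroupClient groupClient;
        private final GroupURI groupURI;

        GroupMemberAction(GroupClient groupClient, GroupURI groupURI) {
            this.groupClient = groupClient;
            this.groupURI = groupURI;
        }

        /**
         * @return always {@code null}
         * @throws AccessControlException if the Subject is not a member, or if the group
         *         client fails with a RuntimeException (the failure is attached as the cause)
         */
        @Override // java.security.PrivilegedExceptionAction
        public Object run() throws Exception {
            try {
                if (this.groupClient.isMember(this.groupURI)) {
                    return null;
                }
                throw new AccessControlException("not a member of " + this.groupURI);
            } catch (RuntimeException e) {
                // Keep the original failure reachable for diagnostics instead of dropping it.
                AccessControlException denied = new AccessControlException(e.getMessage());
                denied.initCause(e);
                throw denied;
            }
        }
    }

    /**
     * Maps a level name to a log4j Level, ignoring case.
     *
     * @param value the level name, may be null
     * @return the matching Level, or null when {@code value} is null or not a known level name
     */
    private static Level parseLevel(String value) {
        if (value == null) {
            return null;
        }
        for (Level candidate : KNOWN_LEVELS) {
            if (value.equalsIgnoreCase(candidate.toString())) {
                return candidate;
            }
        }
        return null;
    }

    /**
     * @return the first element of {@code values}, or null when the array is null or empty
     */
    private static String firstOf(String[] values) {
        if (values == null || values.length == 0) {
            return null;
        }
        return values[0];
    }

    /**
     * Reads the init parameters, forces this package to WARN, applies the configured level to
     * every package listed in {@code logLevelPackages}, and records the authorization settings.
     *
     * @param servletConfig the servlet configuration
     * @throws ServletException propagated from {@link HttpServlet#init(ServletConfig)}
     */
    public void init(ServletConfig servletConfig) throws ServletException {
        super.init(servletConfig);
        this.packages = new ArrayList<>();

        // Missing or unrecognised level names both fall back to the default.
        Level configured = parseLevel(servletConfig.getInitParameter(LOG_LEVEL_PARAM));
        this.level = configured == null ? DEFAULT_LEVEL : configured;

        String contextName = servletConfig.getServletContext().getServletContextName();
        if (contextName == null) {
            contextName = "[?]";
        }

        // This servlet's own package is pinned to WARN and always tracked.
        String ownPackage = LogControlServlet.class.getPackage().getName();
        Log4jInit.setLevel(contextName, ownPackage, Level.WARN);
        this.packages.add(ownPackage);
        logger.warn("log level: " + ownPackage + " =  " + Level.WARN);

        String packageList = servletConfig.getInitParameter(PACKAGES_PARAM);
        if (packageList != null) {
            StringTokenizer tokens = new StringTokenizer(packageList, " \n\t\r", false);
            while (tokens.hasMoreTokens()) {
                String pkg = tokens.nextToken();
                if (pkg.length() > 0) {
                    logger.warn(pkg + ": " + this.level);
                    Log4jInit.setLevel(contextName, pkg, this.level);
                    if (!this.packages.contains(pkg)) {
                        this.packages.add(pkg);
                    }
                }
            }
        }

        this.accessGroup = servletConfig.getInitParameter(GROUP_PARAM);
        this.authorizerClassName = servletConfig.getInitParameter(GROUP_AUTHORIZER);
        this.logControlProperties = servletConfig.getInitParameter(LOG_CONTROL_PROPERTIES);
        logger.warn("init complete");
        // Emitted at INFO while this package is at WARN: visible only if the configuration
        // wrongly lists this package in logLevelPackages.
        logger.info("init: YOU SHOULD NEVER SEE THIS MESSAGE -- " + ownPackage + " should not be included in " + PACKAGES_PARAM);
    }

    /**
     * Lists the tracked packages and their current levels as text/plain. Requires read
     * authorization; responds 403 on denial, 503 on a transient authorizer failure and 500
     * on any other error.
     */
    public void doGet(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws ServletException, IOException {
        try {
            authorize(httpServletRequest, true);
            httpServletResponse.setStatus(200);
            httpServletResponse.setContentType("text/plain");
            try (PrintWriter writer = httpServletResponse.getWriter()) {
                for (String pkg : this.packages) {
                    writer.println(pkg + " " + Logger.getLogger(pkg).getLevel());
                }
            }
        } catch (TransientException e) {
            logger.error("Error calling group authorizer", e);
            httpServletResponse.setStatus(503);
        } catch (AccessControlException e) {
            logger.debug("Forbidden");
            httpServletResponse.setStatus(403);
        } catch (Throwable th) {
            logger.error("Error calling group authorizer", th);
            httpServletResponse.setStatus(500);
        }
    }

    /**
     * Changes log levels. Requires write authorization. Parameters:
     * {@code level} (optional) sets the servlet-wide level used from now on; an unrecognised
     * value yields 400 and changes nothing. {@code package} (repeatable) names the packages
     * to set; when absent every tracked package is set. {@code notrack} stops newly named
     * packages from being added to the tracked list. Responds 303 back to the request URI.
     */
    public void doPost(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws ServletException, IOException {
        try {
            authorize(httpServletRequest, false);

            String requestedLevel = firstOf(httpServletRequest.getParameterValues("level"));
            if (requestedLevel != null) {
                Level parsed = parseLevel(requestedLevel);
                if (parsed == null) {
                    httpServletResponse.setStatus(400);
                    httpServletResponse.setContentType("text/plain");
                    try (PrintWriter writer = httpServletResponse.getWriter()) {
                        writer.println("unrecognised value for level: " + requestedLevel);
                    }
                    // Stop here: an invalid request must not modify any level, and the
                    // response is already committed.
                    return;
                }
                this.level = parsed;
            }

            String[] requestedPackages = httpServletRequest.getParameterValues("package");
            if (requestedPackages != null) {
                boolean track = httpServletRequest.getParameter("notrack") == null;
                for (String pkg : requestedPackages) {
                    logger.warn("setLevel: " + pkg + " -> " + this.level);
                    Log4jInit.setLevel(pkg, this.level);
                    if (track && !this.packages.contains(pkg)) {
                        this.packages.add(pkg);
                    }
                }
            } else {
                for (String pkg : this.packages) {
                    logger.warn("setLevel: " + pkg + " -> " + this.level);
                    Log4jInit.setLevel(pkg, this.level);
                }
            }

            httpServletResponse.setStatus(303);
            httpServletResponse.setHeader("Location", httpServletRequest.getRequestURI());
        } catch (TransientException e) {
            logger.error("Authorization error", e);
            httpServletResponse.setStatus(503);
        } catch (AccessControlException e) {
            logger.debug("Forbidden");
            httpServletResponse.setStatus(403);
        } catch (Throwable th) {
            logger.error("Authorization error", th);
            httpServletResponse.setStatus(500);
        }
    }

    /**
     * Resolves the caller's Subject, falling back to the non-augmented Subject when
     * augmentation fails.
     */
    private static Subject resolveSubject(HttpServletRequest httpServletRequest) {
        try {
            return AuthenticationUtil.getSubject(httpServletRequest);
        } catch (Exception e) {
            logger.error("Augment subject failed, using non-augmented subject: " + e.getMessage());
            return AuthenticationUtil.getSubject(httpServletRequest, false);
        }
    }

    /**
     * Authorizes the caller, in order: (1) X500 DN listed under "users" in the properties
     * file; (2) no users, no groups and no access group configured, in which case the
     * endpoint is open to everyone; (3) membership in a GMS group listed under "groups";
     * (4) the legacy Authorizer configured by the {@code groupAuthorizer} init parameter.
     *
     * @param httpServletRequest the request whose Subject is checked
     * @param readOnly true for GET (read permission), false for POST (write permission)
     * @throws AccessControlException when no check grants access
     * @throws TransientException when the legacy Authorizer fails transiently
     */
    private void authorize(HttpServletRequest httpServletRequest, boolean readOnly) throws AccessControlException, TransientException {
        Subject subject = resolveSubject(httpServletRequest);
        logger.debug(subject.toString());

        PropertiesReader props = getLogControlProperties();
        Set<Principal> allowedUsers = getAuthorizedUserPrincipals(props);
        if (isAuthorizedUser(subject, allowedUsers)) {
            logger.info(subject.getPrincipals(X500Principal.class) + " is an authorized user");
            return;
        }

        Set<GroupURI> allowedGroups = getAuthorizedGroupUris(props);
        if (allowedUsers.isEmpty() && allowedGroups.isEmpty() && this.accessGroup == null) {
            logger.info("Authorization not configured, log control is public.");
            return;
        }

        if (isMemberOfAllowedGroup(subject, allowedGroups)) {
            return;
        }

        Authorizer authorizer = getAuthorizer(this.accessGroup);
        if (authorizer == null || !isAuthorizedGroup(new GroupAuthorizationAction(authorizer, readOnly), subject)) {
            throw new AccessControlException("User and group authorization failed.");
        }
        logger.info(subject.getPrincipals(X500Principal.class) + " is member of " + this.accessGroup);
    }

    /**
     * Checks GMS membership in any of {@code allowedGroups}, reusing one GroupClient per
     * service ID. Any failure (including a credential-check failure or a transient GMS
     * error) is logged at WARN and treated as "not a member", so the caller proceeds to the
     * next authorization step.
     */
    private boolean isMemberOfAllowedGroup(Subject subject, Set<GroupURI> allowedGroups) {
        try {
            if (!CredUtil.checkCredentials(subject)) {
                return false;
            }
            URI currentService = null;
            GroupClient groupClient = null;
            for (GroupURI groupURI : allowedGroups) {
                if (!groupURI.getServiceID().equals(currentService)) {
                    currentService = groupURI.getServiceID();
                    groupClient = GroupUtil.getGroupClient(currentService);
                }
                if (isAuthorizedGroup(new GroupMemberAction(groupClient, groupURI), subject)) {
                    logger.info(subject.getPrincipals(X500Principal.class) + " is a member of " + groupURI);
                    return true;
                }
            }
        } catch (Exception e) {
            logger.warn("Credential check failed: " + e.getMessage());
        }
        return false;
    }

    /**
     * Instantiates the configured Authorizer class by reflection, preferring a
     * {@code (String)} constructor taking {@code accessGroup} and falling back to the
     * no-arg constructor.
     *
     * @param accessGroup the group to pass to the authorizer, may be null
     * @return the authorizer, or null when none is configured or it cannot be loaded
     */
    private Authorizer getAuthorizer(String accessGroup) {
        if (this.authorizerClassName == null) {
            return null;
        }
        try {
            Class<?> cls = Class.forName(this.authorizerClassName);
            if (accessGroup == null) {
                return (Authorizer) cls.getDeclaredConstructor().newInstance();
            }
            try {
                return (Authorizer) cls.getConstructor(String.class).newInstance(accessGroup);
            } catch (NoSuchMethodException e) {
                logger.warn("authorizer " + this.authorizerClassName + " has no constructor(String), ignoring groupURI=" + accessGroup);
                return (Authorizer) cls.getDeclaredConstructor().newInstance();
            }
        } catch (Exception e) {
            logger.error("Could not load group authorizer for groupURI=" + accessGroup, e);
            return null;
        }
    }

    /**
     * @return true when any X500Principal of {@code subject} matches an entry of
     *         {@code allowedUsers} under {@link AuthenticationUtil#equals}; false when the
     *         allow-list is empty
     */
    private boolean isAuthorizedUser(Subject subject, Set<Principal> allowedUsers) {
        if (allowedUsers.isEmpty()) {
            logger.debug("Authorized users not configured.");
            return false;
        }
        for (Principal callerDn : subject.getPrincipals(X500Principal.class)) {
            for (Principal allowed : allowedUsers) {
                if (AuthenticationUtil.equals(allowed, callerDn)) {
                    return true;
                }
            }
        }
        return false;
    }

    /**
     * Runs {@code action} as {@code subject} (directly when subject is null).
     *
     * @return true when the action completes normally; false when it throws
     *         {@link AccessControlException}
     * @throws TransientException when the action throws one
     * @throws IllegalStateException wrapping any other exception from the action
     */
    private boolean isAuthorizedGroup(PrivilegedExceptionAction<?> action, Subject subject) throws TransientException {
        try {
            if (subject == null) {
                action.run();
            } else {
                Subject.doAs(subject, action);
            }
            return true;
        } catch (PrivilegedActionException e) {
            // doAs wraps checked exceptions; unwrap before classifying.
            return classifyAuthorizationFailure(e.getException());
        } catch (Exception e) {
            return classifyAuthorizationFailure(e);
        }
    }

    /** Shared failure handling for {@link #isAuthorizedGroup}. */
    private static boolean classifyAuthorizationFailure(Exception cause) throws TransientException {
        if (cause instanceof AccessControlException) {
            logger.debug("Group authorization failed: " + cause.getMessage());
            return false;
        }
        if (cause instanceof TransientException) {
            throw (TransientException) cause;
        }
        throw new IllegalStateException(cause);
    }

    /**
     * Reads the "users" property as X500 DNs.
     *
     * @param propertiesReader the properties source, may be null
     * @return the principals, empty when the reader is null or the property is absent
     */
    Set<Principal> getAuthorizedUserPrincipals(PropertiesReader propertiesReader) {
        Set<Principal> principals = new HashSet<>();
        if (propertiesReader == null) {
            return principals;
        }
        try {
            List<String> dns = propertiesReader.getPropertyValues(USER_DNS_PROPERTY);
            if (dns != null) {
                for (String dn : dns) {
                    if (!dn.isEmpty()) {
                        principals.add(new X500Principal(dn));
                    }
                }
            }
        } catch (IllegalArgumentException e) {
            logger.debug("No authorized users configured");
        }
        return principals;
    }

    /**
     * Reads the "groups" property as GroupURIs; malformed entries are logged and skipped.
     *
     * @param propertiesReader the properties source, may be null
     * @return the group URIs, empty when the reader is null or the property is absent
     */
    Set<GroupURI> getAuthorizedGroupUris(PropertiesReader propertiesReader) {
        Set<GroupURI> groups = new HashSet<>();
        if (propertiesReader == null) {
            return groups;
        }
        try {
            List<String> values = propertiesReader.getPropertyValues(GROUP_URIS_PROPERTY);
            if (values != null) {
                for (String value : values) {
                    if (!StringUtil.hasLength(value)) {
                        continue;
                    }
                    try {
                        groups.add(new GroupURI(new URI(value)));
                    } catch (IllegalArgumentException | URISyntaxException e) {
                        logger.error("invalid GroupURI: " + value, e);
                    }
                }
            }
        } catch (IllegalArgumentException e) {
            logger.info("No authorized groupURI's configured");
        }
        return groups;
    }

    /**
     * @return a reader for the configured properties file, or null when none is configured
     *         or the file cannot be read
     */
    private PropertiesReader getLogControlProperties() {
        if (this.logControlProperties == null) {
            return null;
        }
        PropertiesReader reader = new PropertiesReader(this.logControlProperties);
        return reader.canRead() ? reader : null;
    }
}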
