package ca.nrc.cadc.log;

import ca.nrc.cadc.auth.AuthenticationUtil;
import ca.nrc.cadc.auth.HttpPrincipal;
import ca.nrc.cadc.cred.client.CredUtil;
import ca.nrc.cadc.net.TransientException;
import ca.nrc.cadc.util.Log4jInit;
import ca.nrc.cadc.util.MultiValuedProperties;
import ca.nrc.cadc.util.PropertiesReader;
import ca.nrc.cadc.util.StringUtil;
import java.io.IOException;
import java.io.PrintWriter;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.AccessControlException;
import java.security.MessageDigest;
import java.security.Principal;
import java.security.PrivilegedExceptionAction;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import java.util.StringTokenizer;
import javax.security.auth.Subject;
import javax.security.auth.x500.X500Principal;
import javax.servlet.ServletConfig;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.log4j.Level;
import org.apache.log4j.Logger;
import org.opencadc.gms.GroupURI;
import org.opencadc.gms.IvoaGroupClient;

/* loaded from: input_file:ca/nrc/cadc/log/LogControlServlet.class */
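/**
 * Servlet that reports (GET) and adjusts (POST) log4j levels for a tracked set of packages.
 *
 * <p>Every request must pass {@link #authorize}, which accepts, in order: a request parameter
 * {@code secret} matching one of the {@code secret} entries in {@code cadc-log.properties};
 * a caller whose principals match a configured {@code user} (X.500 DN) or {@code username}
 * entry; or a caller that is a member of at least one configured {@code group} URI.
 * Failing all three yields 403; a group-service outage yields 503; anything else 500.
 *
 * <p>Init parameters: {@code logLevel} (initial level, default INFO) and
 * {@code logLevelPackages} (whitespace-separated package names to track).
 */
public class LogControlServlet extends HttpServlet {
    private static final long serialVersionUID = 200909091014L;
    private static final Logger logger = Logger.getLogger(LogControlServlet.class);
    private static final Level DEFAULT_LEVEL = Level.INFO;
    private static final String LOG_LEVEL_PARAM = "logLevel";
    private static final String PACKAGES_PARAM = "logLevelPackages";
    private static final String LOG_CONTROL_CONFIG = "cadc-log.properties";
    static final String USER_X509_PROPERTY = "user";
    static final String GROUP_URIS_PROPERTY = "group";
    static final String USERNAME_PROPERTY = "username";
    static final String SECRET_PROPERTY = "secret";

    // Level names accepted from the init parameter and the POST "level" parameter (case-insensitive).
    // Deliberately excludes ALL/OFF, which log4j's own Level.toLevel would accept.
    private static final Level[] SUPPORTED_LEVELS = {
        Level.TRACE, Level.DEBUG, Level.INFO, Level.WARN, Level.ERROR, Level.FATAL
    };

    // Level currently applied to tracked packages; replaced by each POST carrying a valid "level".
    private Level level = null;
    // Packages reported by GET and re-levelled by a POST that carries no "package" parameter.
    // NOTE(review): a plain ArrayList shared across request threads — a POST appending while a
    // GET iterates can throw ConcurrentModificationException; confirm whether that matters here.
    private List<String> packages;

    /**
     * Reads the init parameters, pins this servlet's own package to WARN, and applies the
     * configured level to every package listed in {@code logLevelPackages}.
     *
     * @throws RuntimeException (wrapping the cause) if log4j cannot be configured
     */
    @Override
    public void init(ServletConfig servletConfig) throws ServletException {
        super.init(servletConfig);
        this.packages = new ArrayList<>();

        // A missing or unrecognised logLevel falls back to INFO rather than failing startup.
        Level configured = parseLevel(servletConfig.getInitParameter(LOG_LEVEL_PARAM));
        this.level = configured == null ? DEFAULT_LEVEL : configured;

        String contextName = servletConfig.getServletContext().getServletContextName();
        if (contextName == null) {
            contextName = "[?]";
        }
        try {
            String ownPackage = LogControlServlet.class.getPackage().getName();
            // Own package stays at WARN so init and authorization messages are always visible.
            Log4jInit.setLevel(contextName, ownPackage, Level.WARN);
            logger.warn("log level: " + ownPackage + " =  " + Level.WARN);

            String packageList = servletConfig.getInitParameter(PACKAGES_PARAM);
            if (packageList != null) {
                StringTokenizer tokens = new StringTokenizer(packageList, " \n\t\r", false);
                while (tokens.hasMoreTokens()) {
                    String pkg = tokens.nextToken();
                    if (pkg.length() > 0) {
                        logger.warn(pkg + ": " + this.level);
                        Log4jInit.setLevel(contextName, pkg, this.level);
                        if (!this.packages.contains(pkg)) {
                            this.packages.add(pkg);
                        }
                    }
                }
            }
            logger.warn("init complete");
            logger.info("init: YOU SHOULD NEVER SEE THIS MESSAGE -- " + ownPackage + " should not be included in " + PACKAGES_PARAM);
        } catch (Throwable th) {
            // log4j itself may be the broken component, so also report on stdout.
            System.out.println("FAIL: cannot initialize log4j");
            th.printStackTrace();
            throw new RuntimeException("FAIL: cannot initialize log4j", th);
        }
    }

    /**
     * Writes the current level of each tracked package as plain text, one "package LEVEL" per line.
     *
     * @param httpServletRequest  the request; must pass {@link #authorize}
     * @param httpServletResponse receives 200 and the listing, or 403 / 503 / 500 on failure
     */
    @Override
    public void doGet(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws ServletException, IOException {
        try {
            authorize(httpServletRequest, true);
            httpServletResponse.setStatus(200);
            httpServletResponse.setContentType("text/plain");
            PrintWriter writer = httpServletResponse.getWriter();
            for (String pkg : this.packages) {
                writer.println(pkg + " " + Logger.getLogger(pkg).getLevel());
            }
            writer.close();
        } catch (TransientException e) {
            logger.error("Error calling group authorizer", e);
            httpServletResponse.setStatus(503);
        } catch (AccessControlException e) {
            logger.debug("Forbidden");
            httpServletResponse.setStatus(403);
        } catch (Throwable th) {
            logger.error("Error calling group authorizer", th);
            httpServletResponse.setStatus(500);
        }
    }

    /**
     * Applies a level to packages and redirects back to this servlet with 303.
     *
     * <p>Parameters: {@code level} (optional; replaces the current level, 400 if unrecognised),
     * {@code package} (optional, repeatable; targets to re-level, tracked unless {@code notrack}
     * is present; when absent every tracked package is re-levelled), {@code secret} (carried
     * over to the redirect so the follow-up GET is authorized the same way).
     *
     * @param httpServletRequest  the request; must pass {@link #authorize}
     * @param httpServletResponse receives 303 + Location, or 400 / 403 / 503 / 500
     */
    @Override
    public void doPost(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws ServletException, IOException {
        try {
            authorize(httpServletRequest, false);

            String[] levelValues = httpServletRequest.getParameterValues("level");
            String requestedLevel = (levelValues != null && levelValues.length > 0) ? levelValues[0] : null;
            if (requestedLevel != null) {
                Level parsed = parseLevel(requestedLevel);
                if (parsed == null) {
                    httpServletResponse.setStatus(400);
                    httpServletResponse.setContentType("text/plain");
                    PrintWriter writer = httpServletResponse.getWriter();
                    writer.println("unrecognised value for level: " + requestedLevel);
                    writer.close();
                    // Stop here: otherwise the levels below are re-applied and the 303 replaces the 400.
                    return;
                }
                this.level = parsed;
            }

            String[] packageValues = httpServletRequest.getParameterValues("package");
            if (packageValues != null) {
                boolean track = httpServletRequest.getParameter("notrack") == null;
                for (String pkg : packageValues) {
                    applyLevel(pkg);
                    if (track && !this.packages.contains(pkg)) {
                        this.packages.add(pkg);
                    }
                }
            } else {
                for (String pkg : this.packages) {
                    applyLevel(pkg);
                }
            }

            httpServletResponse.setStatus(303);
            String location = httpServletRequest.getRequestURI();
            String secret = httpServletRequest.getParameter(SECRET_PROPERTY);
            if (StringUtil.hasLength(secret)) {
                // The secret rides in the redirect URL (and therefore in access logs / browser
                // history); encode it so reserved characters survive the round trip.
                location = location + "?" + SECRET_PROPERTY + "=" + URLEncoder.encode(secret, StandardCharsets.UTF_8.name());
            }
            httpServletResponse.setHeader("Location", location);
        } catch (TransientException e) {
            logger.error("Authorization error", e);
            httpServletResponse.setStatus(503);
        } catch (AccessControlException e) {
            logger.debug("Forbidden");
            httpServletResponse.setStatus(403);
        } catch (Throwable th) {
            logger.error("Authorization error", th);
            httpServletResponse.setStatus(500);
        }
    }

    // Sets the current level on one package and records that fact at WARN (always visible).
    private void applyLevel(String pkg) {
        logger.warn("setLevel: " + pkg + " -> " + this.level);
        Log4jInit.setLevel(pkg, this.level);
    }

    /**
     * Maps a level name onto one of {@link #SUPPORTED_LEVELS}, ignoring case.
     *
     * @param value the name to parse; may be null
     * @return the matching level, or null when value is null or not supported
     */
    private static Level parseLevel(String value) {
        if (value == null) {
            return null;
        }
        for (Level candidate : SUPPORTED_LEVELS) {
            if (value.equalsIgnoreCase(candidate.toString())) {
                return candidate;
            }
        }
        return null;
    }

    /**
     * Grants access via shared secret, configured user principal, or configured group membership.
     *
     * @param httpServletRequest the request being authorized
     * @param readOnly           currently unused: GET and POST are authorized identically
     * @throws AccessControlException if no rule grants access, or the credential/group check fails
     * @throws TransientException     if the subject cannot be resolved (propagated from the auth layer)
     */
    private void authorize(HttpServletRequest httpServletRequest, boolean readOnly) throws AccessControlException, TransientException {
        MultiValuedProperties config = getLogControlProperties();
        if (isAuthorizedSecret(httpServletRequest, config)) {
            logger.warn("Secret authorized.");
            return;
        }

        Subject subject;
        try {
            subject = AuthenticationUtil.getSubject(httpServletRequest, true);
        } catch (Exception e) {
            // Augmentation is best-effort; fall back to the bare subject from the request.
            logger.error("Augment subject failed, using non-augmented subject: " + e.getMessage());
            subject = AuthenticationUtil.getSubject(httpServletRequest, false);
        }
        logger.debug("caller: " + subject);
        String caller = AuthenticationUtil.getIdentityManager().toDisplayString(subject);

        if (isAuthorizedUser(subject, getAuthorizedUserPrincipals(config))) {
            logger.warn(caller + " is an authorized user");
            return;
        }

        Set<GroupURI> authorizedGroups = getAuthorizedGroupUris(config);
        if (!authorizedGroups.isEmpty()) {
            try {
                if (CredUtil.checkCredentials(subject)) {
                    IvoaGroupClient groupClient = new IvoaGroupClient();
                    Set<GroupURI> memberships = Subject.doAs(subject,
                        (PrivilegedExceptionAction<Set<GroupURI>>) () -> groupClient.getMemberships(authorizedGroups));
                    if (!memberships.isEmpty()) {
                        StringBuilder sb = new StringBuilder(caller).append(" is a member of:");
                        for (GroupURI group : memberships) {
                            sb.append(" ").append(group.getURI().toASCIIString());
                        }
                        logger.warn(sb.toString());
                        return;
                    }
                }
            } catch (Exception e) {
                // Fail closed on any error in the credential/group check; keep the cause for diagnostics.
                AccessControlException denied = new AccessControlException(
                    "permission denied, reason: credential check failed: " + e.getMessage());
                denied.initCause(e);
                throw denied;
            }
        }
        throw new AccessControlException("permission denied");
    }

    /**
     * Checks the request's {@code secret} parameter against every configured secret using a
     * constant-time byte comparison, so response timing does not reveal how much of a guess matched.
     *
     * @return true if the parameter is present and equals one configured secret
     */
    private boolean isAuthorizedSecret(HttpServletRequest httpServletRequest, MultiValuedProperties config) {
        String supplied = httpServletRequest.getParameter(SECRET_PROPERTY);
        if (supplied == null) {
            return false;
        }
        byte[] suppliedBytes = supplied.getBytes(StandardCharsets.UTF_8);
        try {
            List<String> configuredSecrets = config.getProperty(SECRET_PROPERTY);
            if (configuredSecrets == null) {
                return false;
            }
            for (String configured : configuredSecrets) {
                if (MessageDigest.isEqual(configured.getBytes(StandardCharsets.UTF_8), suppliedBytes)) {
                    return true;
                }
            }
        } catch (IllegalArgumentException e) {
            // Same convention as the user/group getters: an absent property is "not configured".
            logger.debug("No secret configured");
        }
        return false;
    }

    /**
     * @return true if any principal of the subject matches one of the configured principals
     */
    private boolean isAuthorizedUser(Subject subject, Set<Principal> authorized) {
        if (authorized.isEmpty()) {
            logger.debug("Authorized users not configured.");
            return false;
        }
        for (Principal callerPrincipal : subject.getPrincipals(Principal.class)) {
            for (Principal allowed : authorized) {
                if (AuthenticationUtil.equals(allowed, callerPrincipal)) {
                    return true;
                }
            }
        }
        return false;
    }

    /**
     * Builds the set of principals allowed by the {@code user} (X.500 DN) and {@code username} properties.
     * A malformed DN is logged and skipped so it cannot silently disable the remaining entries.
     *
     * @param multiValuedProperties the log-control configuration; may be null
     * @return the configured principals, possibly empty
     */
    Set<Principal> getAuthorizedUserPrincipals(MultiValuedProperties multiValuedProperties) {
        Set<Principal> principals = new HashSet<>();
        if (multiValuedProperties == null) {
            return principals;
        }
        try {
            List<String> dns = multiValuedProperties.getProperty(USER_X509_PROPERTY);
            if (dns != null) {
                for (String dn : dns) {
                    if (dn.isEmpty()) {
                        continue;
                    }
                    try {
                        principals.add(new X500Principal(dn));
                    } catch (IllegalArgumentException e) {
                        logger.error("invalid " + USER_X509_PROPERTY + " DN: " + dn, e);
                    }
                }
            }
            List<String> usernames = multiValuedProperties.getProperty(USERNAME_PROPERTY);
            if (usernames != null) {
                for (String username : usernames) {
                    principals.add(new HttpPrincipal(username));
                }
            }
        } catch (IllegalArgumentException e) {
            logger.debug("No authorized users configured");
        }
        return principals;
    }

    /**
     * Builds the set of group URIs allowed by the {@code group} property; invalid entries are logged and skipped.
     *
     * @param multiValuedProperties the log-control configuration; may be null
     * @return the configured group URIs, possibly empty
     */
    Set<GroupURI> getAuthorizedGroupUris(MultiValuedProperties multiValuedProperties) {
        Set<GroupURI> groups = new HashSet<>();
        if (multiValuedProperties == null) {
            return groups;
        }
        try {
            List<String> uris = multiValuedProperties.getProperty(GROUP_URIS_PROPERTY);
            if (uris != null) {
                for (String uri : uris) {
                    if (!StringUtil.hasLength(uri)) {
                        continue;
                    }
                    try {
                        groups.add(new GroupURI(new URI(uri)));
                    } catch (IllegalArgumentException | URISyntaxException e) {
                        logger.error("invalid GroupURI: " + uri, e);
                    }
                }
            }
        } catch (IllegalArgumentException e) {
            logger.info("No authorized groupURI's configured");
        }
        return groups;
    }

    // Re-reads cadc-log.properties on every call; an unreadable file behaves as an empty configuration.
    private MultiValuedProperties getLogControlProperties() {
        PropertiesReader reader = new PropertiesReader(LOG_CONTROL_CONFIG);
        return reader.canRead() ? reader.getAllProperties() : new MultiValuedProperties();
    }
}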
