package ca.nrc.cadc.tap.schema;

import ca.nrc.cadc.auth.AuthenticationUtil;
import ca.nrc.cadc.cred.client.CredUtil;
import java.security.Principal;
import java.util.Iterator;
import java.util.Set;
import java.util.TreeSet;
import javax.security.auth.Subject;
import org.apache.log4j.Logger;
import org.opencadc.gms.GroupURI;
import org.opencadc.gms.IvoaGroupClient;

/* loaded from: input_file:ca/nrc/cadc/tap/schema/TapAuthorizer.class */
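/**
 * Decides whether the current caller may read a TAP schema item described by a
 * {@link TapPermissions} object.
 *
 * <p>Decision order, as implemented in {@link #hasReadPermission(TapPermissions)}:
 * <ol>
 *   <li>no permissions object, no owner, or {@code isPublic == true}: readable by anyone;</li>
 *   <li>no current subject, or a subject without principals: denied;</li>
 *   <li>caller shares at least one principal with the owner: allowed;</li>
 *   <li>caller is a member of the read group or the read-write group: allowed;</li>
 *   <li>otherwise: denied.</li>
 * </ol>
 *
 * <p>Security note: step 1 is a default-allow rule. An item whose permissions were never
 * recorded, or whose owner is {@code null}, is treated as public.
 * NOTE(review): confirm that whatever loads {@code TapPermissions} cannot yield {@code null}
 * or an ownerless object for content that is meant to be protected.
 */
public class TapAuthorizer {
    protected static Logger log = Logger.getLogger(TapAuthorizer.class);

    /**
     * Checks whether the current subject may read the item guarded by the given permissions.
     *
     * @param tapPermissions permissions of the item; {@code null} is treated as public
     * @return {@code true} if the item is public or the caller is the owner or a member of
     *         one of the configured groups; {@code false} otherwise
     * @throws RuntimeException wrapping any failure of the credential or group membership
     *         check, so a failed lookup never results in access being granted
     */
    public boolean hasReadPermission(TapPermissions tapPermissions) {
        if (tapPermissions == null) {
            log.debug("public: no tap permissions");
            return true;
        }
        if (tapPermissions.owner == null) {
            log.debug("public: no owner in tap permissions");
            return true;
        }
        // owner is known to be non-null here, so only the public flag needs checking
        if (Boolean.TRUE.equals(tapPermissions.isPublic)) {
            log.debug("public: set as public");
            return true;
        }

        Subject caller = AuthenticationUtil.getCurrentSubject();
        if (caller == null || caller.getPrincipals().isEmpty()) {
            // deny decisions are logged as well so that a refusal can be traced
            log.debug("denied: anonymous caller");
            return false;
        }
        if (isOwner(tapPermissions.owner, caller)) {
            log.debug("caller is owner");
            return true;
        }
        if (tapPermissions.readGroup == null && tapPermissions.readWriteGroup == null) {
            log.debug("denied: caller is not owner and no groups are set");
            return false;
        }

        try {
            return isMember(tapPermissions.readGroup, tapPermissions.readWriteGroup);
        } catch (Exception e) {
            // fail closed: surface the error instead of guessing an answer
            log.error("error getting groups or checking credentials", e);
            throw new RuntimeException(e);
        }
    }

    /**
     * Tests whether two subjects have at least one principal in common.
     * A single match is sufficient; equality is delegated to
     * {@code AuthenticationUtil.equals(Principal, Principal)}.
     *
     * @param owner  subject recorded as owner of the item
     * @param caller subject making the request
     * @return {@code true} if any principal of {@code owner} equals any principal of {@code caller}
     */
    private boolean isOwner(Subject owner, Subject caller) {
        Set<Principal> callerPrincipals = caller.getPrincipals();
        for (Principal ownerPrincipal : owner.getPrincipals()) {
            for (Principal callerPrincipal : callerPrincipals) {
                if (AuthenticationUtil.equals(ownerPrincipal, callerPrincipal)) {
                    return true;
                }
            }
        }
        return false;
    }

    /**
     * Tests whether the caller belongs to at least one of the given groups.
     *
     * @param readGroup      group granting read access, may be {@code null}
     * @param readWriteGroup group granting read-write access, may be {@code null}
     * @return {@code true} if the membership lookup returns a non-empty result;
     *         {@code false} if {@code CredUtil.checkCredentials()} reports no usable credentials
     * @throws Exception if the credential check or the membership lookup fails
     */
    private boolean isMember(GroupURI readGroup, GroupURI readWriteGroup) throws Exception {
        IvoaGroupClient groupClient = new IvoaGroupClient();
        try {
            if (!CredUtil.checkCredentials()) {
                log.debug("No CDP credentials available to allow group membership check");
                return false;
            }
            // typed set instead of a raw TreeSet, so only GroupURI values can be added
            Set<GroupURI> candidates = new TreeSet<>();
            if (readGroup != null) {
                candidates.add(readGroup);
            }
            if (readWriteGroup != null) {
                candidates.add(readWriteGroup);
            }
            return !groupClient.getMemberships(candidates).isEmpty();
        } catch (Exception e) {
            // this handler also sees failures of the membership lookup, not only of the
            // credential check; the exception itself is logged by the caller
            log.debug("Failed to check for valid CDP credentials needed for group membership check");
            throw e;
        }
    }
}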
