package ca.nrc.cadc.vos.server.auth;

import ca.nrc.cadc.ac.Role;
import ca.nrc.cadc.ac.UserNotFoundException;
import ca.nrc.cadc.ac.client.GMSClient;
import ca.nrc.cadc.auth.AuthenticationUtil;
import ca.nrc.cadc.auth.Authorizer;
import ca.nrc.cadc.auth.SSLUtil;
import ca.nrc.cadc.auth.SignedToken;
import ca.nrc.cadc.cred.client.CredUtil;
import ca.nrc.cadc.net.TransientException;
import ca.nrc.cadc.profiler.Profiler;
import ca.nrc.cadc.vos.ContainerNode;
import ca.nrc.cadc.vos.Node;
import ca.nrc.cadc.vos.NodeLockedException;
import ca.nrc.cadc.vos.NodeNotFoundException;
import ca.nrc.cadc.vos.NodeProperty;
import ca.nrc.cadc.vos.VOSURI;
import ca.nrc.cadc.vos.server.NodeID;
import ca.nrc.cadc.vos.server.NodePersistence;
import java.io.File;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.security.AccessControlException;
import java.security.AccessController;
import java.security.Principal;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Set;
import javax.security.auth.Subject;
import org.apache.log4j.Logger;
import org.opencadc.gms.GroupURI;

/* loaded from: input_file:ca/nrc/cadc/vos/server/auth/VOSpaceAuthorizer.class */
public class VOSpaceAuthorizer implements Authorizer {
    private static final String CRED_SERVICE_ID = "ivo://cadc.nrc.ca/cred";
    public static final String OFFLINE = "Offline";
    public static final String OFFLINE_MSG = "System is offline for maintainence";
    public static final String READ_ONLY = "ReadOnly";
    public static final String READ_ONLY_MSG = "System is in read-only mode for maintainence";
    public static final String READ_WRITE = "ReadWrite";
    private boolean readable;
    private boolean writable;
    private boolean allowPartialPaths;
    private boolean resolveMetadata;
    private boolean disregardLocks;
    private NodePersistence nodePersistence;
    private final Profiler profiler;
    protected static final Logger LOG = Logger.getLogger(VOSpaceAuthorizer.class);
    public static final String MODE_KEY = VOSpaceAuthorizer.class.getName() + ".state";

    public VOSpaceAuthorizer() {
        this(false);
    }

    public VOSpaceAuthorizer(boolean z) {
        this(z, true);
    }

    public VOSpaceAuthorizer(boolean z, boolean z2) {
        this.readable = true;
        this.writable = true;
        this.allowPartialPaths = false;
        this.resolveMetadata = true;
        this.disregardLocks = false;
        this.profiler = new Profiler(VOSpaceAuthorizer.class);
        initState();
        this.allowPartialPaths = z;
        this.resolveMetadata = z2;
    }

    private void initState() {
        String property = System.getProperty(MODE_KEY);
        if (OFFLINE.equals(property)) {
            this.readable = false;
            this.writable = false;
        } else if (READ_ONLY.equals(property)) {
            this.writable = false;
        }
    }

    public Object getReadPermission(URI uri) throws AccessControlException, FileNotFoundException, TransientException {
        initState();
        if (!this.readable) {
            if (this.writable) {
                throw new IllegalStateException(READ_ONLY_MSG);
            }
            throw new IllegalStateException(OFFLINE_MSG);
        }
        try {
            Node node = this.nodePersistence.get(new VOSURI(uri), this.allowPartialPaths, this.resolveMetadata);
            this.profiler.checkpoint("nodePersistence.get");
            return getReadPermission(node);
        } catch (NodeNotFoundException e) {
            throw new FileNotFoundException("not found: " + uri);
        }
    }

    public Object getReadPermission(Node node) throws AccessControlException {
        initState();
        if (!this.readable) {
            if (this.writable) {
                throw new IllegalStateException(READ_ONLY_MSG);
            }
            throw new IllegalStateException(OFFLINE_MSG);
        }
        Subject subject = Subject.getSubject(AccessController.getContext());
        checkDelegation(node, subject);
        LinkedList nodeList = Node.getNodeList(node);
        if (isOwner((Node) nodeList.getLast(), subject)) {
            LOG.debug("Read permission granted to root user.");
            return node;
        }
        Iterator descendingIterator = nodeList.descendingIterator();
        while (descendingIterator.hasNext()) {
            Node node2 = (Node) descendingIterator.next();
            if (!hasSingleNodeReadPermission(node2, subject)) {
                throw new AccessControlException("Read permission denied on " + node2.getUri().toString());
            }
        }
        return node;
    }

    public Object getWritePermission(URI uri) throws AccessControlException, FileNotFoundException, TransientException, NodeLockedException {
        initState();
        if (!this.writable) {
            if (this.readable) {
                throw new IllegalStateException(READ_ONLY_MSG);
            }
            throw new IllegalStateException(OFFLINE_MSG);
        }
        try {
            Node node = this.nodePersistence.get(new VOSURI(uri), this.allowPartialPaths, this.resolveMetadata);
            this.profiler.checkpoint("nodePersistence.get");
            return getWritePermission(node);
        } catch (NodeNotFoundException e) {
            throw new FileNotFoundException("not found: " + uri);
        }
    }

    public Object getWritePermission(Node node) throws AccessControlException, NodeLockedException {
        initState();
        if (!this.writable) {
            if (this.readable) {
                throw new IllegalStateException(READ_ONLY_MSG);
            }
            throw new IllegalStateException(OFFLINE_MSG);
        }
        Subject subject = Subject.getSubject(AccessController.getContext());
        checkDelegation(node, subject);
        if (!this.disregardLocks && node.isLocked()) {
            throw new NodeLockedException(node.getUri().toString());
        }
        LinkedList nodeList = Node.getNodeList(node);
        if (isOwner((Node) nodeList.getLast(), subject)) {
            LOG.debug("Write permission granted to root user.");
            return node;
        }
        Iterator descendingIterator = nodeList.descendingIterator();
        while (descendingIterator.hasNext()) {
            Node node2 = (Node) descendingIterator.next();
            if (node2 == node) {
                if (!hasSingleNodeWritePermission(node2, subject)) {
                    throw new AccessControlException("Write permission denied on " + node2.getUri().toString());
                }
                if (!hasSingleNodeReadPermission(node2, subject)) {
                    throw new AccessControlException("Read permission denied on " + node2.getUri().toString());
                }
            }
        }
        return node;
    }

    public void getDeletePermission(Node node) throws AccessControlException, NodeLockedException, TransientException {
        initState();
        if (!this.writable) {
            if (!this.readable) {
                throw new IllegalStateException(OFFLINE_MSG);
            }
            throw new IllegalStateException(READ_ONLY_MSG);
        }
        getWritePermission((Node) node.getParent());
        if (!this.disregardLocks && node.isLocked()) {
            throw new NodeLockedException(node.getUri().toString());
        }
        if (node instanceof ContainerNode) {
            ContainerNode containerNode = (ContainerNode) node;
            getWritePermission((Node) containerNode);
            Integer num = new Integer(1000);
            VOSURI vosuri = null;
            this.nodePersistence.getChildren(containerNode, null, num, this.resolveMetadata);
            while (!containerNode.getNodes().isEmpty()) {
                for (Node node2 : containerNode.getNodes()) {
                    getDeletePermission(node2);
                    vosuri = node2.getUri();
                }
                containerNode.getNodes().clear();
                this.nodePersistence.getChildren(containerNode, vosuri, num);
                if (!containerNode.getNodes().isEmpty() && ((Node) containerNode.getNodes().get(0)).getUri().equals(vosuri)) {
                    containerNode.getNodes().remove(0);
                }
            }
        }
    }

    private boolean hasMembership(NodeProperty nodeProperty, Subject subject) {
        List<String> extractPropertyValueList;
        boolean isMember;
        if (subject.getPrincipals().isEmpty() || (extractPropertyValueList = nodeProperty.extractPropertyValueList()) == null || extractPropertyValueList.isEmpty()) {
            return false;
        }
        IOException iOException = null;
        RuntimeException runtimeException = null;
        try {
            if (CredUtil.checkCredentials(subject)) {
                for (String str : extractPropertyValueList) {
                    try {
                        LOG.debug("Checking GMS on groupURI: " + str);
                        GroupURI groupURI = new GroupURI(str);
                        URI serviceID = groupURI.getServiceID();
                        LOG.debug("Using GMS service ID: " + serviceID);
                        isMember = new GMSClient(serviceID).isMember(groupURI.getName(), Role.MEMBER);
                        this.profiler.checkpoint("gmsClient.ismember");
                    } catch (IOException e) {
                        LOG.debug("failed to call canfar gms service", e);
                        if (iOException == null) {
                            iOException = e;
                            runtimeException = new RuntimeException("failed to check membership with group service", e);
                        }
                    } catch (URISyntaxException e2) {
                        LOG.warn("skipping invalid group URI: " + str, e2);
                    } catch (UserNotFoundException e3) {
                        LOG.debug("failed to call canfar gms service", e3);
                        if (iOException == null) {
                            iOException = e3;
                            runtimeException = new AccessControlException("failed to check membership with group service: " + e3);
                        }
                    }
                    if (isMember) {
                        return true;
                    }
                }
            }
        } catch (AccessControlException | CertificateExpiredException | CertificateNotYetValidException e4) {
            runtimeException = new RuntimeException("failed credentials check", e4);
        }
        if (runtimeException != null) {
            throw runtimeException;
        }
        return false;
    }

    private Subject createOpsSubject() {
        return SSLUtil.createSubject(new File(System.getProperty("user.home") + "/.pub/proxy.pem"));
    }

    private boolean isOwner(Node node, Subject subject) {
        NodeID nodeID = (NodeID) node.appData;
        if (nodeID == null) {
            throw new IllegalStateException("BUG: no owner found for node: " + node);
        }
        if (nodeID.getID() == null) {
            return false;
        }
        Subject owner = nodeID.getOwner();
        if (owner == null) {
            throw new IllegalStateException("BUG: no owner found for node: " + node);
        }
        Set<Principal> principals = owner.getPrincipals();
        Set<Principal> principals2 = subject.getPrincipals();
        for (Principal principal : principals) {
            for (Principal principal2 : principals2) {
                if (LOG.isDebugEnabled()) {
                    LOG.debug(String.format("Checking owner of node \"%s\" (owner=\"%s\") where user=\"%s\"", node.getName(), principal, principal2));
                }
                if (AuthenticationUtil.equals(principal, principal2)) {
                    return true;
                }
            }
        }
        return false;
    }

    private boolean hasSingleNodeReadPermission(Node node, Subject subject) {
        LOG.debug("checkSingleNodeReadPermission: " + node.getUri());
        if (node.isPublic()) {
            return true;
        }
        if (subject == null) {
            return false;
        }
        if (isOwner(node, subject)) {
            LOG.debug("Node owner granted read permission.");
            return true;
        }
        NodeProperty findProperty = node.findProperty("ivo://ivoa.net/vospace/core#groupread");
        if (LOG.isDebugEnabled()) {
            LOG.debug(String.format("Checking group read permission on node \"%s\" (groupRead=\"%s\")", node.getName(), findProperty == null ? "null" : findProperty.getPropertyValue()));
        }
        if (findProperty != null && findProperty.getPropertyValue() != null && applyMaskOnGroupRead(node) && hasMembership(findProperty, subject)) {
            return true;
        }
        NodeProperty findProperty2 = node.findProperty("ivo://ivoa.net/vospace/core#groupwrite");
        if (LOG.isDebugEnabled()) {
            LOG.debug(String.format("Checking group write permission on node \"%s\" (groupWrite=\"%s\")", node.getName(), findProperty2 == null ? "null" : findProperty2.getPropertyValue()));
        }
        return findProperty2 != null && findProperty2.getPropertyValue() != null && applyMaskOnGroupReadWrite(node) && hasMembership(findProperty2, subject);
    }

    private boolean hasSingleNodeWritePermission(Node node, Subject subject) {
        if (node.getUri().isRoot() || subject == null) {
            return false;
        }
        if (isOwner(node, subject)) {
            LOG.debug("Node owner granted write permission.");
            return true;
        }
        NodeProperty findProperty = node.findProperty("ivo://ivoa.net/vospace/core#groupwrite");
        if (LOG.isDebugEnabled()) {
            LOG.debug(String.format("Checking group write permission on node \"%s\" (groupWrite=\"%s\")", node.getName(), findProperty == null ? "null" : findProperty.getPropertyValue()));
        }
        return findProperty != null && findProperty.getPropertyValue() != null && applyMaskOnGroupReadWrite(node) && hasMembership(findProperty, subject);
    }

    boolean applyMaskOnGroupRead(Node node) {
        NodeProperty findProperty = node.findProperty("ivo://ivoa.net/vospace/core#groupmask");
        if (findProperty == null || findProperty.getPropertyValue() == null) {
            return true;
        }
        String propertyValue = findProperty.getPropertyValue();
        if (propertyValue.length() != 3) {
            LOG.debug("invalid mask format: " + propertyValue);
            return true;
        }
        if (propertyValue.charAt(0) == 'r') {
            LOG.debug("mask allows read: " + propertyValue);
            return true;
        }
        LOG.debug("mask disallows read: " + propertyValue);
        return false;
    }

    boolean applyMaskOnGroupReadWrite(Node node) {
        NodeProperty findProperty = node.findProperty("ivo://ivoa.net/vospace/core#groupmask");
        if (findProperty == null || findProperty.getPropertyValue() == null) {
            return true;
        }
        String propertyValue = findProperty.getPropertyValue();
        if (propertyValue.length() != 3) {
            LOG.debug("invalid mask format: " + propertyValue);
            return true;
        }
        if (propertyValue.charAt(0) == 'r' && propertyValue.charAt(1) == 'w') {
            LOG.debug("mask allows write: " + propertyValue);
            return true;
        }
        LOG.debug("mask disallows write: " + propertyValue);
        return false;
    }

    public void setDisregardLocks(boolean z) {
        this.disregardLocks = z;
    }

    public NodePersistence getNodePersistence() {
        return this.nodePersistence;
    }

    public void setNodePersistence(NodePersistence nodePersistence) {
        this.nodePersistence = nodePersistence;
    }

    private void checkDelegation(Node node, Subject subject) throws AccessControlException {
        Iterator it = subject.getPublicCredentials(SignedToken.class).iterator();
        if (!it.hasNext()) {
            return;
        }
        VOSURI vosuri = new VOSURI(((SignedToken) it.next()).getScope());
        VOSURI uri = node.getUri();
        while (true) {
            VOSURI vosuri2 = uri;
            if (vosuri2 == null) {
                String str = "Scoped search (" + vosuri + ") on node (" + node.getUri() + ")- accessed denied";
                LOG.debug(str);
                throw new AccessControlException(str);
            }
            if (vosuri.equals(vosuri2)) {
                return;
            } else {
                uri = vosuri2.getParentURI();
            }
        }
    }
}
