package org.opencadc.vospace.server.auth;

import ca.nrc.cadc.auth.AuthenticationUtil;
import ca.nrc.cadc.auth.SignedToken;
import ca.nrc.cadc.cred.client.CredUtil;
import ca.nrc.cadc.net.ResourceNotFoundException;
import ca.nrc.cadc.profiler.Profiler;
import java.io.IOException;
import java.security.AccessControlException;
import java.security.Principal;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Set;
import javax.security.auth.Subject;
import org.apache.log4j.Logger;
import org.opencadc.gms.GroupURI;
import org.opencadc.gms.IvoaGroupClient;
import org.opencadc.vospace.Node;
import org.opencadc.vospace.VOSURI;
import org.opencadc.vospace.server.LocalServiceURI;
import org.opencadc.vospace.server.NodePersistence;
import org.opencadc.vospace.server.Utils;

/* loaded from: input_file:org/opencadc/vospace/server/auth/VOSpaceAuthorizer.class */
public class VOSpaceAuthorizer {
    protected static final Logger log = Logger.getLogger(VOSpaceAuthorizer.class);
    private final NodePersistence nodePersistence;
    private final IvoaGroupClient gmsClient = new IvoaGroupClient();
    private final Set<GroupURI> callerGroups = new HashSet();
    private final Profiler profiler = new Profiler(VOSpaceAuthorizer.class);
    private boolean disregardLocks = false;

    public VOSpaceAuthorizer(NodePersistence nodePersistence) {
        if (nodePersistence == null) {
            throw new IllegalStateException("BUG: nodePersistence cannot be null");
        }
        this.nodePersistence = nodePersistence;
    }

    public void setDisregardLocks(boolean z) {
        this.disregardLocks = z;
    }

    public boolean hasSingleNodeReadPermission(Node node, Subject subject) {
        log.debug("hasSingleNodeReadPermission: " + Utils.getPath(node) + "\n" + node);
        if (node.isPublic != null && node.isPublic.booleanValue()) {
            return true;
        }
        if (subject == null) {
            return false;
        }
        if (isOwner(node, subject)) {
            log.debug("Node owner granted read permission.");
            return true;
        }
        checkDelegation(node, subject);
        if (log.isDebugEnabled()) {
            log.debug(String.format("Checking group read permission on node \"%s\" (groupRead=\"%s\")", node.getName(), node.getReadOnlyGroup()));
        }
        if (hasMembership(node.getReadOnlyGroup(), subject)) {
            return true;
        }
        if (log.isDebugEnabled()) {
            log.debug(String.format("Checking group write permission on node \"%s\" (groupWrite=\"%s\")", node.getName(), node.getReadWriteGroup()));
        }
        return hasMembership(node.getReadWriteGroup(), subject);
    }

    public boolean hasSingleNodeWritePermission(Node node, Subject subject) {
        log.debug("hasSingleNodeWritePermission: " + Utils.getPath(node));
        if (!this.disregardLocks && node.isLocked != null && node.isLocked.booleanValue()) {
            log.debug("Node locked");
            return false;
        }
        if (subject == null) {
            return false;
        }
        if (isOwner(node, subject)) {
            log.debug("Node owner granted write permission.");
            return true;
        }
        checkDelegation(node, subject);
        if (log.isDebugEnabled()) {
            log.debug(String.format("Checking group write permission on node \"%s\" (groupWrite=\"%s\")", node.getName(), node.getReadWriteGroup()));
        }
        return hasMembership(node.getReadWriteGroup(), subject);
    }

    private boolean hasMembership(Set<GroupURI> set, Subject subject) {
        if (subject.getPrincipals().isEmpty() || set == null || set.isEmpty()) {
            return false;
        }
        RuntimeException runtimeException = null;
        try {
            if (CredUtil.checkCredentials(subject)) {
                HashSet hashSet = new HashSet(set);
                HashSet hashSet2 = new HashSet(hashSet);
                hashSet2.removeAll(this.callerGroups);
                if (hashSet2.size() < set.size()) {
                    log.debug("Found groups in cache");
                    return true;
                }
                try {
                    Set memberships = this.gmsClient.getMemberships(hashSet);
                    if (!memberships.isEmpty()) {
                        log.debug("Found groups on the GMS service");
                        this.callerGroups.addAll(memberships);
                        return true;
                    }
                } catch (IOException | InterruptedException | ResourceNotFoundException e) {
                    log.debug("failed to call canfar gms service", e);
                    if (0 == 0) {
                        runtimeException = new RuntimeException("failed to check membership with group service", e);
                    }
                }
            }
        } catch (AccessControlException | CertificateExpiredException | CertificateNotYetValidException e2) {
            runtimeException = new RuntimeException("failed credentials check", e2);
        }
        if (runtimeException != null) {
            throw runtimeException;
        }
        log.debug("User not member of groups " + set);
        return false;
    }

    private boolean isOwner(Node node, Subject subject) {
        Subject subject2 = node.owner;
        if (subject2 == null) {
            throw new IllegalStateException("BUG: no owner found for node: " + node);
        }
        Set<Principal> principals = subject2.getPrincipals();
        Set<Principal> principals2 = subject.getPrincipals();
        for (Principal principal : principals) {
            for (Principal principal2 : principals2) {
                if (log.isDebugEnabled()) {
                    log.debug(String.format("Checking owner of node \"%s\" (owner=\"%s\") where user=\"%s\"", node.getName(), principal, principal2));
                }
                if (AuthenticationUtil.equals(principal, principal2)) {
                    return true;
                }
            }
        }
        return false;
    }

    private void checkDelegation(Node node, Subject subject) throws AccessControlException {
        Iterator it = subject.getPublicCredentials(SignedToken.class).iterator();
        if (!it.hasNext()) {
            return;
        }
        VOSURI vosuri = new VOSURI(((SignedToken) it.next()).getScope());
        VOSURI uri = new LocalServiceURI(this.nodePersistence.getResourceID()).getURI(node);
        while (true) {
            VOSURI vosuri2 = uri;
            if (vosuri2 == null) {
                String str = "Scoped search (" + vosuri + ") on node (" + Utils.getPath(node) + ")- accessed denied";
                log.debug(str);
                throw new AccessControlException(str);
            }
            if (vosuri.equals(vosuri2)) {
                return;
            } else {
                uri = vosuri2.getParentURI();
            }
        }
    }
}
