package ca.nrc.cadc.caom2.repo;

import ca.nrc.cadc.auth.AuthenticationUtil;
import ca.nrc.cadc.cred.client.CredUtil;
import ca.nrc.cadc.net.ResourceNotFoundException;
import ca.nrc.cadc.reg.Standards;
import ca.nrc.cadc.reg.client.LocalAuthority;
import ca.nrc.cadc.util.PropertiesReader;
import ca.nrc.cadc.util.StringUtil;
import java.net.URI;
import java.net.URISyntaxException;
import java.security.AccessControlException;
import java.security.Principal;
import java.security.cert.CertificateException;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.x500.X500Principal;
import org.apache.log4j.Logger;
import org.opencadc.gms.GroupClient;
import org.opencadc.gms.GroupURI;
import org.opencadc.gms.GroupUtil;

/* loaded from: input_file:ca/nrc/cadc/caom2/repo/PropertyAuthorizer.class */
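public class PropertyAuthorizer {
    private static final Logger log = Logger.getLogger(PropertyAuthorizer.class);
    // property key whose values are X.500 distinguished names of individually granted users
    static final String USER_DNS_PROPERTY = "user";
    // property key whose values are GroupURI strings; membership in any one grants access
    static final String GROUP_URIS_PROPERTY = "group";
    private final String propertiesFilename;

    /**
     * Create an authorizer backed by the named grants properties file.
     *
     * @param str name of the properties file handed to {@link PropertiesReader}
     * @throws IllegalArgumentException if {@code str} is null
     */
    public PropertyAuthorizer(String str) {
        if (str == null) {
            throw new IllegalArgumentException(PropertyAuthorizer.class.getSimpleName() + ": null propertiesFilename");
        }
        this.propertiesFilename = str;
    }

    /**
     * Authorize the current subject against the configured grants.
     *
     * <p>Access is granted when the subject carries an X.500 principal listed under
     * {@value #USER_DNS_PROPERTY}, or when the subject is a member of any group listed
     * under {@value #GROUP_URIS_PROPERTY}. Every other outcome (missing/unreadable file,
     * no grants at all, anonymous or invalid credentials, no match) is a denial, so the
     * check fails closed.
     *
     * @throws AccessControlException    if the subject is not authorized
     * @throws ResourceNotFoundException propagated from the credential / group-client calls
     */
    public void authorize() throws AccessControlException, ResourceNotFoundException {
        Subject currentSubject = AuthenticationUtil.getCurrentSubject();
        // Log principals only: Subject.toString() also renders private credentials
        // (e.g. delegated certificates) when no SecurityManager is installed.
        if (currentSubject == null) {
            log.debug("Subject: null");
        } else {
            log.debug("Subject principals: " + currentSubject.getPrincipals());
        }
        PropertiesReader propertiesReader = getPropertiesReader(this.propertiesFilename);
        if (propertiesReader == null) {
            log.debug(this.propertiesFilename + " not found");
            throw new AccessControlException("no grants configured");
        }
        Set<Principal> authorizedUserPrincipals = getAuthorizedUserPrincipals(propertiesReader);
        if (isAuthorizedUser(currentSubject, authorizedUserPrincipals)) {
            log.debug("Subject is an authorized user");
            return;
        }
        Set<GroupURI> authorizedGroupUris = getAuthorizedGroupUris(propertiesReader);
        if (authorizedUserPrincipals.isEmpty() && authorizedGroupUris.isEmpty()) {
            log.debug("no users or groups configured");
            throw new AccessControlException("no grants configured");
        }
        try {
            // group lookups require delegated credentials; anonymous callers stop here
            if (!CredUtil.checkCredentials()) {
                throw new AccessControlException("permission denied (anon access or invalid credentials)");
            }
            GroupClient groupClient = GroupUtil.getGroupClient(
                    new LocalAuthority().getServiceURI(Standards.GMS_SEARCH_01.toString()));
            for (GroupURI groupURI : authorizedGroupUris) {
                if (groupClient.isMember(groupURI)) {
                    log.debug("authorized group: " + groupURI);
                    return;
                }
            }
            throw new AccessControlException("permission denied");
        } catch (CertificateException e) {
            // AccessControlException has no cause constructor; attach the cause so the
            // reason for the certificate failure is not lost from logs/stack traces
            AccessControlException ace =
                    new AccessControlException("permission denied (invalid delegated client certificate)");
            ace.initCause(e);
            throw ace;
        }
    }

    /**
     * Read the {@value #USER_DNS_PROPERTY} values as X.500 principals.
     *
     * <p>A malformed DN is logged and skipped so that one bad entry cannot silently
     * truncate the rest of the allow list (mirrors the group parsing below).
     *
     * @param propertiesReader reader over the grants file
     * @return the parsed principals; empty when none are configured
     */
    private Set<Principal> getAuthorizedUserPrincipals(PropertiesReader propertiesReader) {
        Set<Principal> principals = new HashSet<>();
        try {
            List<String> values = propertiesReader.getAllProperties().getProperty(USER_DNS_PROPERTY);
            if (values != null) {
                for (String dn : values) {
                    if (StringUtil.hasLength(dn)) {
                        try {
                            principals.add(new X500Principal(dn));
                            log.debug("found authorized user: " + dn);
                        } catch (IllegalArgumentException e) {
                            log.error("invalid X500 distinguished name: " + dn, e);
                        }
                    }
                }
            }
        } catch (IllegalArgumentException e) {
            // NOTE(review): presumably raised by PropertiesReader when the key is absent — verify
            log.debug("No authorized users configured");
        }
        return principals;
    }

    /**
     * Check whether any X.500 principal of the subject matches a granted principal.
     *
     * @param subject        the current subject, may be null (treated as not authorized)
     * @param authorizedUsers granted principals
     * @return true on the first match, false otherwise
     */
    private boolean isAuthorizedUser(Subject subject, Set<Principal> authorizedUsers) {
        if (authorizedUsers.isEmpty()) {
            log.debug("Authorized users not configured.");
            return false;
        }
        if (subject == null) {
            log.debug("No subject in context; not an authorized user.");
            return false;
        }
        // static type stays Principal so AuthenticationUtil.equals(Principal, Principal) is selected
        for (Principal candidate : subject.getPrincipals(X500Principal.class)) {
            for (Principal granted : authorizedUsers) {
                if (AuthenticationUtil.equals(granted, candidate)) {
                    return true;
                }
            }
        }
        return false;
    }

    /**
     * Read the {@value #GROUP_URIS_PROPERTY} values as group URIs; invalid entries are
     * logged and skipped.
     *
     * @param propertiesReader reader over the grants file
     * @return the parsed group URIs; empty when none are configured
     */
    private Set<GroupURI> getAuthorizedGroupUris(PropertiesReader propertiesReader) {
        Set<GroupURI> groups = new HashSet<>();
        try {
            List<String> values = propertiesReader.getAllProperties().getProperty(GROUP_URIS_PROPERTY);
            if (values != null) {
                for (String value : values) {
                    if (StringUtil.hasLength(value)) {
                        try {
                            groups.add(new GroupURI(new URI(value)));
                            log.debug("found authorized group: " + value);
                        } catch (IllegalArgumentException | URISyntaxException e) {
                            log.error("invalid GroupURI: " + value, e);
                        }
                    }
                }
            }
        } catch (IllegalArgumentException e) {
            // NOTE(review): presumably raised by PropertiesReader when the key is absent — verify
            log.debug("Authorized groupURI's not configured");
        }
        return groups;
    }

    /**
     * Open the grants file.
     *
     * @param str properties filename
     * @return a readable reader, or null when the name is null or the file cannot be read
     */
    private PropertiesReader getPropertiesReader(String str) {
        if (str == null) {
            return null;
        }
        PropertiesReader propertiesReader = new PropertiesReader(str);
        return propertiesReader.canRead() ? propertiesReader : null;
    }
}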
