package org.exist.security.xacml;

import com.sun.xacml.Indenter;
import com.sun.xacml.PDP;
import com.sun.xacml.PDPConfig;
import com.sun.xacml.ctx.RequestCtx;
import com.sun.xacml.ctx.ResponseCtx;
import com.sun.xacml.ctx.Result;
import com.sun.xacml.ctx.Status;
import com.sun.xacml.finder.AttributeFinder;
import com.sun.xacml.finder.PolicyFinder;
import com.sun.xacml.finder.ResourceFinder;
import com.sun.xacml.finder.impl.CurrentEnvModule;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Iterator;
import java.util.Set;
import org.apache.commons.io.output.ByteArrayOutputStream;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.exist.security.PermissionDeniedException;
import org.exist.storage.BrokerPool;

/* loaded from: input_file:WEB-INF/lib/exist-core-3.0.RC1.jar:org/exist/security/xacml/ExistPDP.class */
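/**
 * Policy decision point (PDP) wrapper for eXist's XACML access control.
 *
 * <p>Builds a Sun XACML {@link PDP} from eXist-specific attribute and policy
 * finder modules and turns every outcome other than an unconditional permit
 * into a {@link PermissionDeniedException}. The class fails closed: a null
 * request, a null or empty response, a null result, any obligation, and any
 * decision code other than permit are all treated as a denial.
 */
public class ExistPDP {
    private static final Logger LOG = LogManager.getLogger(ExistPDP.class);
    private PDPConfig pdpConfig;
    private XACMLUtil util;
    private PDP pdp;
    private BrokerPool pool;
    private RequestHelper helper = new RequestHelper();

    // Not used within this class; it leaves every field except `helper` unset.
    private ExistPDP() {
    }

    /**
     * Creates a PDP bound to the given broker pool.
     *
     * @param brokerPool the pool this PDP works against; must not be null
     * @throws NullPointerException if {@code brokerPool} is null
     */
    public ExistPDP(BrokerPool brokerPool) {
        if (brokerPool == null) {
            throw new NullPointerException("BrokerPool cannot be null");
        }
        this.pool = brokerPool;
        // `this` is handed to XACMLUtil and to the finder modules before
        // construction completes, so `pool` has to be assigned first.
        this.util = new XACMLUtil(this);
        this.pdpConfig = new PDPConfig(createAttributeFinder(), createPolicyFinder(), createResourceFinder());
        this.pdp = new PDP(this.pdpConfig);
    }

    /** Delegates to {@link XACMLUtil#initializePolicyCollection()}. */
    public void initializePolicyCollection() {
        this.util.initializePolicyCollection();
    }

    /** @return the configuration the underlying PDP was built from */
    public PDPConfig getPDPConfig() {
        return this.pdpConfig;
    }

    /** @return the broker pool supplied at construction */
    public BrokerPool getBrokerPool() {
        return this.pool;
    }

    /** @return the XACML utility object created for this PDP */
    public XACMLUtil getUtil() {
        return this.util;
    }

    /** Delegates to {@link XACMLUtil#close()}. */
    public void close() {
        this.util.close();
    }

    /**
     * Evaluates a request and returns normally only when it is permitted.
     *
     * @param requestCtx the XACML request to evaluate
     * @throws PermissionDeniedException if the request is null or the
     *         response is anything other than an obligation-free permit
     */
    public void evaluate(RequestCtx requestCtx) throws PermissionDeniedException {
        if (requestCtx == null) {
            throw new PermissionDeniedException("Request cannot be null");
        }
        final boolean debug = LOG.isDebugEnabled();
        if (debug) {
            // NOTE(review): the encoded request is written to the log in full;
            // it presumably carries subject and resource attributes, so debug
            // logs for this class should be access-controlled.
            ByteArrayOutputStream requestDump = new ByteArrayOutputStream();
            requestCtx.encode(requestDump, new Indenter(4));
            LOG.debug("Processing request:");
            LOG.debug(requestDump.toString());
        }
        ResponseCtx response = this.pdp.evaluate(requestCtx);
        // Guard against a null response here so that enabling debug logging
        // cannot replace the PermissionDeniedException raised by
        // handleResponse with a NullPointerException.
        if (debug && response != null) {
            ByteArrayOutputStream responseDump = new ByteArrayOutputStream();
            response.encode(responseDump, new Indenter(4));
            LOG.debug("PDP response to request:");
            LOG.debug(responseDump.toString());
        }
        handleResponse(response);
    }

    /**
     * Checks every result in a response; all of them must permit.
     *
     * @param responseCtx the PDP response to check
     * @throws PermissionDeniedException if the response is null, holds no
     *         results, or holds any result rejected by {@link #handleResult}
     */
    public void handleResponse(ResponseCtx responseCtx) throws PermissionDeniedException {
        if (responseCtx == null) {
            throw new PermissionDeniedException("The response was null");
        }
        Set<?> results = responseCtx.getResults();
        // A response without results carries no permit, so it is a denial.
        if (results == null || results.isEmpty()) {
            throw new PermissionDeniedException("The response was empty");
        }
        for (Object entry : results) {
            handleResult((Result) entry);
        }
    }

    /**
     * Accepts a single result only when it is a permit without obligations.
     *
     * @param result one result taken from a PDP response
     * @throws PermissionDeniedException if the result is null, carries
     *         obligations, or has any decision other than permit
     */
    public void handleResult(Result result) throws PermissionDeniedException {
        if (result == null) {
            throw new PermissionDeniedException("A result of a request's response was null");
        }
        // This class implements no obligation handling, so a result that
        // carries any obligation is refused rather than silently ignored.
        Set<?> obligations = result.getObligations();
        if (obligations != null && !obligations.isEmpty()) {
            throw new PermissionDeniedException("The XACML response had obligations that could not be fulfilled.");
        }
        int decision = result.getDecision();
        // 0 is the permit code (Result.DECISION_PERMIT in Sun XACML). Deny,
        // indeterminate, not-applicable and unknown codes are all refused.
        if (decision != 0) {
            throw new PermissionDeniedException("The response did not permit the request.  The decision was: " + getDecisionString(decision, result.getStatus()));
        }
    }

    /**
     * Describes a decision code for use in a denial message.
     *
     * @param decision the decision code returned by {@code Result.getDecision()}
     * @param status the result status; its message is appended for an
     *        indeterminate decision and may be null
     * @return a human-readable description of the decision
     */
    private static String getDecisionString(int decision, Status status) {
        switch (decision) {
            case 0: // permit
                return "permit the request";
            case 1: // deny
                return "deny the request";
            case 2: // indeterminate
                String detail = status == null ? null : status.getMessage();
                if (detail == null) {
                    detail = "";
                } else if (detail.length() > 0) {
                    detail = ": " + detail;
                }
                return "indeterminate (there was an error)" + detail;
            case 3: // not applicable
                return "the request was not applicable to the policy";
            default:
                // The caller already ends its prefix with ": ", so the text
                // must not open with another colon; the raw code is included
                // to help diagnose an unexpected PDP answer.
                return "of an unknown type (" + decision + ")";
        }
    }

    /** @return the underlying Sun XACML PDP */
    public PDP getPDP() {
        return this.pdp;
    }

    /** @return the request helper owned by this PDP */
    public RequestHelper getRequestHelper() {
        return this.helper;
    }

    /**
     * No resource finder is configured, so null is handed to
     * {@link PDPConfig}.
     * NOTE(review): confirm how PDPConfig treats a null resource finder.
     */
    private ResourceFinder createResourceFinder() {
        return null;
    }

    /**
     * Builds the attribute finder from the eXist user attribute module and
     * the standard current-environment module, in that order.
     */
    private AttributeFinder createAttributeFinder() {
        ArrayList<Object> modules = new ArrayList<>(2);
        modules.add(new UserAttributeModule(this));
        modules.add(new CurrentEnvModule());
        AttributeFinder attributeFinder = new AttributeFinder();
        attributeFinder.setModules(modules);
        return attributeFinder;
    }

    /** Builds the policy finder with {@link ExistPolicyModule} as its only module. */
    private PolicyFinder createPolicyFinder() {
        PolicyFinder policyFinder = new PolicyFinder();
        policyFinder.setModules(Collections.singleton(new ExistPolicyModule(this)));
        return policyFinder;
    }
}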
