package org.globus.wsrf.impl.security.authorization;

import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.Principal;
import java.security.cert.X509Certificate;
import java.text.SimpleDateFormat;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Iterator;
import java.util.Set;
import java.util.TimeZone;
import java.util.Vector;
import javax.security.auth.Subject;
import javax.xml.namespace.QName;
import javax.xml.rpc.ServiceException;
import javax.xml.rpc.Stub;
import org.apache.axis.MessageContext;
import org.apache.axis.message.MessageElement;
import org.apache.axis.message.addressing.Address;
import org.apache.axis.message.addressing.EndpointReferenceType;
import org.apache.axis.types.URI;
import org.apache.axis.utils.XMLUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.globus.axis.transport.HTTPSTransport;
import org.globus.gsi.CertUtil;
import org.globus.gsi.GSIConstants;
import org.globus.gsi.gssapi.GlobusGSSCredentialImpl;
import org.globus.gsi.jaas.JaasGssUtil;
import org.globus.util.I18n;
import org.globus.wsrf.impl.security.SecurityMessageElement;
import org.globus.wsrf.impl.security.authentication.Constants;
import org.globus.wsrf.impl.security.authentication.encryption.EncryptionCredentials;
import org.globus.wsrf.impl.security.authorization.exceptions.AuthorizationException;
import org.globus.wsrf.impl.security.authorization.exceptions.CloseException;
import org.globus.wsrf.impl.security.authorization.exceptions.InitializeException;
import org.globus.wsrf.impl.security.authorization.exceptions.InvalidPolicyException;
import org.globus.wsrf.impl.security.util.AuthUtil;
import org.globus.wsrf.security.SecurityException;
import org.globus.wsrf.security.SecurityManager;
import org.globus.wsrf.security.authorization.AuthorizationServiceAddressingLocator;
import org.globus.wsrf.security.authorization.PDP;
import org.globus.wsrf.security.authorization.PDPConfig;
import org.globus.wsrf.security.authorization.SAMLRequestPortType;
import org.globus.wsrf.utils.ContextUtils;
import org.opensaml.ExtendedAuthorizationDecisionQuery;
import org.opensaml.SAMLAction;
import org.opensaml.SAMLAssertion;
import org.opensaml.SAMLAuthorizationDecisionStatement;
import org.opensaml.SAMLException;
import org.opensaml.SAMLRequest;
import org.opensaml.SAMLResponse;
import org.opensaml.SAMLSubject;
import org.opensaml.SimpleAuthorizationDecisionStatement;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;
import protocol._0._1.SAML.tc.names.oasis.Request;
import protocol._0._1.SAML.tc.names.oasis.Response;

/* JADX WARN: Classes with same name are omitted:
  input_file:WEB-INF/lib/ghn-core-runtime-1.0.0.jar:org/globus/wsrf/impl/security/authorization/SAMLAuthorizationCallout.class
 */
/* loaded from: input_file:WEB-INF/lib/wsrf-core-4.0.4.jar:org/globus/wsrf/impl/security/authorization/SAMLAuthorizationCallout.class */
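/**
 * PDP that delegates the authorization decision to a remote SAML authorization
 * service.
 *
 * <p>{@link #initialize} reads the service address, the security mechanism and
 * protection level used to reach it, the authorization service certificate,
 * and the {@code simpleDecision} / {@code sigReq} flags from the PDP
 * configuration. {@link #isPermitted} builds a SAML authorization decision
 * query for the caller, operation and target resource, optionally signs it
 * with the system credential, sends it to the service and extracts the
 * decision from the first statement of the first assertion in the response.
 *
 * <p>The response signature is only checked when {@code sigReq} is configured;
 * otherwise integrity of the exchange rests on the transport / message-level
 * security mechanism configured on the stub. The {@code InResponseTo} field is
 * always checked against the request id that was sent.
 *
 * <p>Not thread-safe with respect to {@link #initialize}; the configuration
 * fields are plain instance fields written once during initialization.
 */
public class SAMLAuthorizationCallout implements PDP {
    private static final I18n i18n = I18n.getI18n("org.globus.wsrf.impl.security.authorization.errors",
            SAMLAuthorizationCallout.class.getClassLoader());
    private static final Log logger = LogFactory.getLog(SAMLAuthorizationCallout.class.getName());

    /** Signature algorithm applied to outgoing SAML requests when signing is enabled. */
    private static final String REQUEST_SIGNATURE_ALGORITHM = "http://www.w3.org/2000/09/xmldsig#rsa-sha1";
    /** Pattern for the request IssueInstant attribute; always rendered in GMT. */
    private static final String ISSUE_INSTANT_PATTERN = "yyyy-MM-dd'T'HH:mm:ss'Z'";
    /** Decision value that grants access. */
    private static final String PERMIT_DECISION = "Permit";

    // Port to the remote authorization service; set in initialize().
    private SAMLRequestPortType authzPort = null;
    // true: request/expect a SimpleAuthorizationDecisionStatement; false: full statement.
    private boolean simpleDecision = true;
    // true: sign outgoing requests and require + verify a signed response.
    private boolean sigReq = false;
    // Certificate of the authorization service; used for encryption to the
    // service and for verifying the response signature when sigReq is set.
    private X509Certificate authzServiceCert = null;

    /**
     * Configures the callout from the PDP configuration.
     *
     * <p>The decision/signing flags are read before the certificate checks
     * because the "verificationCertProp" check depends on {@code sigReq}.
     * Reading them afterwards (as earlier versions of this class did) made
     * that check unreachable, so a deployment requiring signed responses but
     * lacking a service certificate only failed at request time.
     *
     * @param pDPConfig PDP configuration to read properties from
     * @param str       configuration name/scope passed to {@code getProperty}
     * @param str2      unused
     * @throws InitializeException if the service address is missing, the stub
     *                             cannot be created, the system credential or
     *                             the service certificate cannot be loaded, or
     *                             the configuration is inconsistent
     */
    @Override // org.globus.wsrf.security.authorization.Interceptor
    public void initialize(PDPConfig pDPConfig, String str, String str2) throws InitializeException {
        Integer protectionLevel = Constants.SIGNATURE;
        String serviceAddress = (String) pDPConfig.getProperty(str, SAMLAuthorizationConstants.AUTHZ_SERVICE_PROPERTY);
        logger.debug("Authz service " + serviceAddress);
        if (serviceAddress == null || serviceAddress.trim().equals("")) {
            String message = i18n.getMessage("authzServiceConfig");
            logger.debug(message);
            throw new InitializeException(message);
        }
        String address = serviceAddress.trim();

        // Flags first: the certificate consistency checks below rely on sigReq.
        String decisionProp = (String) pDPConfig.getProperty(str, SAMLAuthorizationConstants.SIMPLE_DECISION_PROPERTY);
        logger.debug("Decision string " + decisionProp);
        if (decisionProp != null && !decisionProp.trim().equals("")) {
            this.simpleDecision = Boolean.valueOf(decisionProp).booleanValue();
        }
        logger.debug("Decision value " + this.simpleDecision);
        String signedProp = (String) pDPConfig.getProperty(str, SAMLAuthorizationConstants.REQ_SIGNED_PROPERTY);
        logger.debug("Request signed string " + signedProp);
        if (signedProp != null && !signedProp.trim().equals("")) {
            this.sigReq = Boolean.valueOf(signedProp).booleanValue();
        }
        logger.debug("Request signed value " + this.sigReq);

        AuthorizationServiceAddressingLocator locator = new AuthorizationServiceAddressingLocator();
        EndpointReferenceType epr = new EndpointReferenceType();
        try {
            epr.setAddress(new Address(address));
            this.authzPort = locator.getSAMLRequestPortTypePort(epr);
            Stub stub = (Stub) this.authzPort;

            String protection = (String) pDPConfig.getProperty(str, SAMLAuthorizationConstants.PROTECTION_LEVEL_PROPERTY);
            if (protection != null && protection.equals(SAMLAuthorizationConstants.PRIVACY)) {
                protectionLevel = Constants.ENCRYPTION;
            }
            String mechanism = selectSecurityMechanism(
                    (String) pDPConfig.getProperty(str, SAMLAuthorizationConstants.SECURITY_MECHANISM_PROPERTY), address);
            if (mechanism != null) {
                stub._setProperty(mechanism, protectionLevel);
                try {
                    // The system credential authenticates this container to the authz service.
                    stub._setProperty("org.globus.gsi.credentials", (GlobusGSSCredentialImpl) JaasGssUtil.getCredential(
                            SecurityManager.getManager(MessageContext.getCurrentContext()).getSystemSubject()));
                } catch (SecurityException e) {
                    String message = i18n.getMessage("noSystemCreds");
                    logger.debug(message, e);
                    throw new InitializeException(message, e);
                }
            }

            // Client-side authorization of the authz service: explicit identity if
            // configured, none when no security mechanism is used, self otherwise.
            String serviceIdentity = (String) pDPConfig.getProperty(str, SAMLAuthorizationConstants.AUTHZ_SERVICE_IDENTITY_PROPERTY);
            if (serviceIdentity != null && !serviceIdentity.trim().equals("")) {
                stub._setProperty(org.globus.wsrf.security.Constants.AUTHORIZATION, new IdentityAuthorization(serviceIdentity));
            } else if (mechanism == null) {
                stub._setProperty(org.globus.wsrf.security.Constants.AUTHORIZATION, NoAuthorization.getInstance());
            } else {
                stub._setProperty(org.globus.wsrf.security.Constants.AUTHORIZATION, SelfAuthorization.getInstance());
            }

            // Service certificate: from a file if configured, else from the property object.
            String certFile = (String) pDPConfig.getProperty(str, SAMLAuthorizationConstants.AUTHZ_SERVICE_CERT_FILE_PROPERTY);
            if (certFile != null) {
                try {
                    this.authzServiceCert = CertUtil.loadCertificate(certFile);
                } catch (IOException e) {
                    throw new InitializeException(i18n.getMessage("encryptionCert", certFile), e);
                } catch (GeneralSecurityException e) {
                    throw new InitializeException(i18n.getMessage("encryptionCert", certFile), e);
                }
            } else {
                this.authzServiceCert = (X509Certificate) pDPConfig.getProperty(str, SAMLAuthorizationConstants.AUTHZ_SERVICE_CERT_PROPERTY);
            }
            if (this.authzServiceCert != null) {
                Subject peerSubject = new Subject();
                peerSubject.getPublicCredentials().add(new EncryptionCredentials(new X509Certificate[]{this.authzServiceCert}));
                stub._setProperty(Constants.PEER_SUBJECT, peerSubject);
            } else {
                // Message-level encryption needs the peer certificate.
                if (org.globus.wsrf.security.Constants.GSI_SEC_MSG.equals(mechanism)
                        && Constants.ENCRYPTION.equals(protectionLevel)) {
                    throw new InitializeException(i18n.getMessage("encryptionCertProp", new Object[]{
                            SAMLAuthorizationConstants.AUTHZ_SERVICE_CERT_PROPERTY,
                            SAMLAuthorizationConstants.AUTHZ_SERVICE_CERT_FILE_PROPERTY}));
                }
                // Response signature verification needs the service certificate.
                if (this.sigReq) {
                    throw new InitializeException(i18n.getMessage("verificationCertProp", new Object[]{
                            SAMLAuthorizationConstants.AUTHZ_SERVICE_CERT_PROPERTY,
                            SAMLAuthorizationConstants.AUTHZ_SERVICE_CERT_FILE_PROPERTY}));
                }
            }
        } catch (ServiceException e) {
            throw new InitializeException(i18n.getMessage("authzServiceInit", address), e);
        } catch (URI.MalformedURIException e) {
            throw new InitializeException(i18n.getMessage("authzServiceInit", address), e);
        }
    }

    /**
     * Maps the configured security mechanism name to the stub property to set.
     *
     * @param configured value of the security-mechanism property, may be null/blank
     * @param address    trimmed authz service address, used to pick the default
     * @return the stub property name, or {@code null} when "none" is configured
     */
    private static String selectSecurityMechanism(String configured, String address) {
        // Default: transport security for https addresses, message security otherwise.
        String byTransport = address.startsWith(HTTPSTransport.DEFAULT_TRANSPORT_NAME)
                ? GSIConstants.GSI_TRANSPORT
                : org.globus.wsrf.security.Constants.GSI_SEC_MSG;
        if (configured == null || configured.trim().equals("")) {
            return byTransport;
        }
        String mechanism = configured.trim();
        if (mechanism.equals(SAMLAuthorizationConstants.MESSAGE)) {
            return org.globus.wsrf.security.Constants.GSI_SEC_MSG;
        }
        if (mechanism.equals(SAMLAuthorizationConstants.CONVERSATION)) {
            return org.globus.wsrf.security.Constants.GSI_SEC_CONV;
        }
        if (mechanism.equals("none")) {
            return null;
        }
        return byTransport;
    }

    /** This PDP manages no local policies; returns {@code null}. */
    @Override // org.globus.wsrf.security.authorization.PDP
    public String[] getPolicyNames() {
        return null;
    }

    /** No local policy is held; always returns {@code null}. */
    @Override // org.globus.wsrf.security.authorization.PDP
    public Node getPolicy(Node node) throws InvalidPolicyException {
        return null;
    }

    /** Local policy is not supported; the argument is ignored and {@code null} returned. */
    @Override // org.globus.wsrf.security.authorization.PDP
    public Node setPolicy(Node node) throws InvalidPolicyException {
        return null;
    }

    /** Nothing to release; the port is left to the garbage collector. */
    @Override // org.globus.wsrf.security.authorization.Interceptor
    public void close() throws CloseException {
    }

    /**
     * Asks the remote authorization service whether the caller may invoke
     * {@code qName} on the target resource of this message.
     *
     * @param subject        authenticated caller; a null or principal-less
     *                       subject is queried as the wildcard subject {@code *}
     * @param messageContext current Axis message context (cast internally)
     * @param qName          operation being invoked; only the local part is sent
     * @return {@code true} only if the response carries a Permit decision for
     *         this subject (and, for full statements, this resource and action)
     * @throws AuthorizationException on any failure to build, send, verify or
     *                                interpret the SAML exchange; the exception
     *                                carries the most specific message available
     */
    @Override // org.globus.wsrf.security.authorization.PDP
    public boolean isPermitted(Subject subject, javax.xml.rpc.handler.MessageContext messageContext, QName qName) throws AuthorizationException {
        logger.debug("Authorize invoked");
        MessageContext axisContext = (MessageContext) messageContext;
        SecurityManager manager = SecurityManager.getManager(axisContext);
        logger.debug("caller identity" + manager.getCaller());

        SAMLSubject samlSubject = buildSamlSubject(subject, manager);
        try {
            String resource = AuthUtil.getEPRAsString(axisContext);
            String operation = qName.getLocalPart();
            logger.debug("Operation name " + operation);

            Vector actions = new Vector();
            try {
                actions.add(new SAMLAction(SAMLAuthorizationConstants.ACTION_OPERATION_NS, operation));
            } catch (SAMLException e) {
                String message = i18n.getMessage("samlObjConstruct", "SAMLAction");
                logger.debug(message, e);
                throw new AuthorizationException(message, e);
            }

            ExtendedAuthorizationDecisionQuery query;
            try {
                query = new ExtendedAuthorizationDecisionQuery(samlSubject, resource, actions, (Collection) null,
                        this.simpleDecision, new org.opensaml.QName((String) null, "SAMLResponse"), (Collection) null);
            } catch (SAMLException e) {
                String message = i18n.getMessage("samlObjConstruct", "SAMLAuthzDecisionQuery");
                logger.debug(message, e);
                throw new AuthorizationException(message, e);
            }

            // RespondWith: which statement type the service should answer with.
            Vector respondWith = new Vector();
            if (this.simpleDecision) {
                respondWith.add(SAMLAuthorizationConstants.SIMPLE_AUTHZ_DECISION);
            } else {
                respondWith.add(SAMLAuthorizationConstants.AUTHZ_DECISION);
            }

            SAMLRequest samlRequest;
            Request request;
            try {
                samlRequest = new SAMLRequest(respondWith, query, (Collection) null, (Collection) null);
                if (this.sigReq) {
                    logger.debug("Signature required");
                    signRequest(samlRequest, manager);
                }
                if (logger.isDebugEnabled()) {
                    logger.debug(XMLUtils.ElementToString((Element) samlRequest.toDOM()));
                }
                request = toAxisRequest(samlRequest);
            } catch (SAMLException e) {
                String message = i18n.getMessage("samlObjConstruct", "SAMLRequest");
                logger.debug(message, e);
                throw new AuthorizationException(message, e);
            }

            logger.debug("Target Service Path: " + ContextUtils.getTargetServicePath(axisContext));
            return queryAuthorizationService(request, samlRequest, samlSubject, resource, actions);
        } catch (SecurityException e) {
            String message = i18n.getMessage("resourceErr");
            logger.debug(message, e);
            throw new AuthorizationException(message, e);
        }
    }

    /**
     * Builds the SAML subject for the caller: the wildcard {@code *} subject
     * when no principals are present, otherwise the caller name as reported by
     * the security manager in X.509 format with X.509 confirmation.
     *
     * @throws AuthorizationException if the SAMLSubject cannot be constructed
     */
    private SAMLSubject buildSamlSubject(Subject subject, SecurityManager manager) throws AuthorizationException {
        String name;
        String format;
        Vector confirmationMethods = null;
        Set<Principal> principals = subject != null ? subject.getPrincipals() : null;
        if (principals == null || principals.isEmpty()) {
            name = "*";
            format = SAMLAuthorizationConstants.ANY_NAME_IDENTIFIER_FORMAT;
        } else {
            name = manager.getCaller();
            format = SAMLAuthorizationConstants.X509_FORMAT;
            confirmationMethods = new Vector(1);
            confirmationMethods.add(SAMLAuthorizationConstants.X509_CONFIRMATION_METHOD);
        }
        // No name qualifier is ever sent.
        String nameQualifier = null;
        logger.debug("Subject name " + name + " nameQualifier " + nameQualifier + " format " + format);
        try {
            return new SAMLSubject(name, nameQualifier, format, confirmationMethods, (String) null, (Element) null);
        } catch (SAMLException e) {
            String message = i18n.getMessage("samlObjConstruct", "SAMLSubject");
            logger.debug(message, e);
            throw new AuthorizationException(message, e);
        }
    }

    /**
     * Signs the request with the container's system credential.
     *
     * @throws AuthorizationException if the credential is unavailable or signing fails
     */
    private void signRequest(SAMLRequest samlRequest, SecurityManager manager) throws AuthorizationException {
        GlobusGSSCredentialImpl credential;
        try {
            credential = (GlobusGSSCredentialImpl) JaasGssUtil.getCredential(manager.getSystemSubject());
        } catch (SecurityException e) {
            String message = i18n.getMessage("noSystemCreds");
            logger.debug(message, e);
            throw new AuthorizationException(message, e);
        }
        try {
            samlRequest.sign(REQUEST_SIGNATURE_ALGORITHM, credential.getPrivateKey(), getCertificates(credential), false);
        } catch (SAMLException e) {
            String message = i18n.getMessage("samlSign");
            logger.debug(message, e);
            throw new AuthorizationException(message, e);
        }
    }

    /**
     * Wraps the DOM form of the SAML request into the Axis {@code Request}
     * bean: the element children of the request become the message elements,
     * the issue instant is rendered in GMT, and the request id is carried over.
     */
    private Request toAxisRequest(SAMLRequest samlRequest) throws SAMLException {
        NodeList childNodes = ((Element) samlRequest.toDOM()).getChildNodes();
        ArrayList elements = new ArrayList();
        for (int i = 0; i < childNodes.getLength(); i++) {
            Node item = childNodes.item(i);
            if (item instanceof Element) {
                elements.add(new SecurityMessageElement((Element) item));
            }
        }
        // SimpleDateFormat is not thread-safe, so one instance is created per call.
        SimpleDateFormat issueInstantFormat = new SimpleDateFormat(ISSUE_INSTANT_PATTERN);
        issueInstantFormat.setTimeZone(TimeZone.getTimeZone("GMT"));
        return new Request((MessageElement[]) elements.toArray(new MessageElement[elements.size()]),
                issueInstantFormat.format(samlRequest.getIssueInstant()), 1, 0, samlRequest.getRequestId());
    }

    /**
     * Sends the request to the authorization service and evaluates the answer.
     *
     * <p>An {@link AuthorizationException} raised while evaluating the response
     * (missing signature, bad InResponseTo, ...) is propagated unchanged so the
     * caller sees the specific reason rather than a generic service error.
     *
     * @throws AuthorizationException if the call fails, the response is null,
     *                                or the response does not pass evaluation
     */
    private boolean queryAuthorizationService(Request request, SAMLRequest samlRequest, SAMLSubject samlSubject,
            String resource, Vector actions) throws AuthorizationException {
        try {
            Response response = this.authzPort.SAMLRequest(request);
            if (response == null) {
                String message = i18n.getMessage("nullResponse");
                logger.debug(message);
                throw new AuthorizationException(message);
            }
            return evaluateResponse(response, samlRequest, samlSubject, resource, actions);
        } catch (AuthorizationException e) {
            throw e;
        } catch (Exception e) {
            String message = i18n.getMessage(SAMLAuthorizationConstants.AUTHZ_SERVICE_PROPERTY,
                    ((Stub) this.authzPort)._getProperty(Stub.ENDPOINT_ADDRESS_PROPERTY));
            logger.debug(message, e);
            throw new AuthorizationException(message, e);
        }
    }

    /**
     * Parses the Axis response into a {@link SAMLResponse}, verifies its
     * signature when required, checks {@code InResponseTo} against the request
     * id, and extracts the decision.
     *
     * @return the decision; a {@code false} result is logged at warn level
     * @throws AuthorizationException on signature, correlation or parse failure
     */
    private boolean evaluateResponse(Response response, SAMLRequest samlRequest, SAMLSubject samlSubject,
            String resource, Vector actions) throws AuthorizationException {
        try {
            SAMLResponse samlResponse = new SAMLResponse(
                    ((MessageElement) response.get_any()[0].getParentElement()).getAsDOM());
            if (this.sigReq) {
                verifyResponseSignature(samlResponse);
            }
            // Bind the response to the request we actually sent.
            String inResponseTo = samlResponse.getInResponseTo();
            if (inResponseTo == null || !inResponseTo.equals(samlRequest.getRequestId())) {
                String message = i18n.getMessage("badInResponseTo");
                logger.debug(message);
                throw new AuthorizationException(message);
            }
            boolean permitted = extractDecision(samlResponse, samlSubject, resource, actions);
            if (!permitted) {
                logger.warn(i18n.getMessage("samlAuthFailed"));
            }
            return permitted;
        } catch (AuthorizationException e) {
            throw e;
        } catch (Exception e) {
            logger.debug("Eception is of type " + e.getClass().getName());
            if (e instanceof SAMLException) {
                logger.debug("", e);
                throw new AuthorizationException(e.getMessage(), e);
            }
            String message = i18n.getMessage("badResponse");
            logger.debug(message, e);
            throw new AuthorizationException(message, e);
        }
    }

    /**
     * Requires the response to be signed and verifies it against the
     * configured authorization service certificate.
     *
     * @throws AuthorizationException if the response is unsigned, no service
     *                                certificate is configured, or verification fails
     */
    private void verifyResponseSignature(SAMLResponse samlResponse) throws AuthorizationException {
        if (!samlResponse.isSigned()) {
            throw new AuthorizationException(i18n.getMessage("responseSigRequired"));
        }
        // initialize() rejects sigReq without a certificate; fail closed here as well
        // rather than depend on how verify() treats a null certificate.
        if (this.authzServiceCert == null) {
            throw new AuthorizationException(i18n.getMessage("verificationCertProp", new Object[]{
                    SAMLAuthorizationConstants.AUTHZ_SERVICE_CERT_PROPERTY,
                    SAMLAuthorizationConstants.AUTHZ_SERVICE_CERT_FILE_PROPERTY}));
        }
        try {
            // Second argument kept as false from the original; presumably disables
            // trust-path evaluation because trust is pinned to this certificate —
            // confirm against the OpenSAML version in use.
            samlResponse.verify(this.authzServiceCert, false);
        } catch (SAMLException e) {
            String message = i18n.getMessage("badResponseSig");
            logger.debug(message, e);
            throw new AuthorizationException(message, e);
        }
    }

    /**
     * Reads the decision from the first statement of the first assertion.
     * Anything else in the response is ignored; a missing or mismatched
     * statement type yields {@code false}.
     */
    private boolean extractDecision(SAMLResponse samlResponse, SAMLSubject samlSubject, String resource, Vector actions) {
        Iterator assertions = samlResponse.getAssertions();
        logger.debug("Getting assertions");
        if (assertions == null || !assertions.hasNext()) {
            return false;
        }
        logger.debug("assertions present");
        Iterator statements = ((SAMLAssertion) assertions.next()).getStatements();
        if (statements == null || !statements.hasNext()) {
            return false;
        }
        Object statement = statements.next();
        if (this.simpleDecision) {
            return statement instanceof SimpleAuthorizationDecisionStatement
                    && processSimpleAuthzStmt(statement, samlSubject);
        }
        return statement instanceof SAMLAuthorizationDecisionStatement
                && processAuthzStmt(statement, resource, actions, samlSubject);
    }

    /**
     * Evaluates a simple decision statement: Permit, and the statement's
     * subject equals the subject we asked about.
     */
    private boolean processSimpleAuthzStmt(Object obj, SAMLSubject sAMLSubject) {
        logger.debug("Process simple authz stmt");
        SimpleAuthorizationDecisionStatement statement = (SimpleAuthorizationDecisionStatement) obj;
        if (!statement.getDecision().equals(PERMIT_DECISION)) {
            return false;
        }
        logger.debug("decision is permit");
        return sAMLSubject.equals(statement.getSubject());
    }

    /**
     * Evaluates a full decision statement: Permit, the statement's resource
     * equals the queried resource, its subject equals the queried subject, and
     * its actions contain every action that was queried.
     *
     * @param str    resource that was queried
     * @param vector actions that were queried
     */
    private boolean processAuthzStmt(Object obj, String str, Vector vector, SAMLSubject sAMLSubject) {
        logger.debug("Process authz stmt ");
        SAMLAuthorizationDecisionStatement statement = (SAMLAuthorizationDecisionStatement) obj;
        if (!statement.getDecision().equals(PERMIT_DECISION) || !statement.getResource().equals(str)) {
            return false;
        }
        logger.debug("permit and resource");
        if (!sAMLSubject.equals(statement.getSubject()) || statement.getActionsCol() == null) {
            return false;
        }
        return statement.getActionsCol().containsAll(vector);
    }

    /**
     * Copies the credential's certificate chain into a Vector for
     * {@code SAMLRequest.sign}.
     *
     * @return the chain as a Vector, or {@code null} if the credential has no
     *         chain or the chain is empty (a null chain previously caused an NPE)
     */
    private Vector getCertificates(GlobusGSSCredentialImpl globusGSSCredentialImpl) {
        X509Certificate[] chain = globusGSSCredentialImpl.getCertificateChain();
        if (chain == null || chain.length == 0) {
            logger.debug("Null");
            return null;
        }
        logger.debug("Cert array is not null");
        Vector certs = new Vector(chain.length);
        for (X509Certificate cert : chain) {
            certs.add(cert);
        }
        return certs;
    }
}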
