package org.gcube.common.vomanagement.security.authorisation.control.impl.xacml;

import java.net.MalformedURLException;
import java.net.URL;
import java.util.Iterator;
import javax.security.auth.Subject;
import javax.xml.namespace.QName;
import javax.xml.rpc.handler.MessageContext;
import org.gcube.common.core.utils.logging.GCUBELog;
import org.gcube.common.vomanagement.security.authorisation.HandlersConstants;
import org.gcube.common.vomanagement.security.authorisation.SAMLAssertionConstants;
import org.gcube.common.vomanagement.security.authorisation.control.AuthorizationConstants;
import org.globus.wsrf.impl.security.authorization.exceptions.AttributeException;
import org.globus.wsrf.impl.security.authorization.exceptions.CloseException;
import org.globus.wsrf.impl.security.authorization.exceptions.InitializeException;
import org.globus.wsrf.impl.security.util.AuthUtil;
import org.globus.wsrf.security.authorization.PDPConfig;
import org.globus.wsrf.security.authorization.PIP;
import org.opensaml.SAMLAssertion;
import org.opensaml.SAMLAttribute;
import org.opensaml.SAMLAttributeStatement;

/* loaded from: input_file:org/gcube/common/vomanagement/security/authorisation/control/impl/xacml/XACMLBasedPIP.class */
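/**
 * Policy Information Point (PIP) that feeds an XACML-style PDP through the Globus
 * authorization chain.
 * <p>
 * On each call to {@link #collectAttributes} it copies three pieces of information
 * into the {@link MessageContext} as plain properties:
 * <ul>
 *   <li>{@code ROLE_VALUE} – a role taken from the SAML assertion stored under
 *       {@code HandlersConstants.SAML_AUTHZ_ASSERTION};</li>
 *   <li>{@code ACTION_ATTR} – the local part of the invoked operation name;</li>
 *   <li>{@code RESOURCE_ATTR} – the path of the endpoint address URL.</li>
 * </ul>
 * Every attribute that cannot be produced turns into an {@link AttributeException},
 * so the PIP fails closed rather than letting the PDP decide on partial data.
 * <p>
 * NOTE(review): nothing in this class verifies the SAML assertion itself (no
 * signature, issuer or validity-period check is performed here); it trusts whatever
 * an earlier handler placed in the context under SAML_AUTHZ_ASSERTION. Presumably that
 * handler validates the assertion before storing it — confirm in the handler chain.
 */
public class XACMLBasedPIP implements PIP, AuthorizationConstants, SAMLAssertionConstants {
    private static final long serialVersionUID = 1L;
    private final GCUBELog logger = new GCUBELog(this);
    // true: every role value of the assertion is visited; false: only the first one.
    private boolean multiroleSupport;

    /**
     * Reads the chain configuration.
     * <p>
     * Multi-role support is enabled unless the {@code MULTI_ROLE_SUPPORT} property of
     * the chain is the string {@code "false"} (case-insensitive); a missing property
     * therefore enables it.
     *
     * @param pDPConfig configuration of the authorization chain
     * @param str       name of the chain this PIP belongs to
     * @param str2      unused
     */
    public void initialize(PDPConfig pDPConfig, String str, String str2) throws InitializeException {
        this.logger.debug("PIP  initialization for chain " + str);
        String multiRoleProperty = (String) pDPConfig.getProperty(str, AuthorizationConstants.MULTI_ROLE_SUPPORT);
        // Opt-out semantics: only an explicit "false" disables multi-role support
        // (a null property never equals "false", so it enables it).
        this.multiroleSupport = !"false".equalsIgnoreCase(multiRoleProperty);
        this.logger.debug("Multi role support " + this.multiroleSupport);
    }

    /**
     * Populates the message context with the subject role, the action and the resource.
     *
     * @throws AttributeException if any of the three attributes cannot be produced;
     *                            the message names the missing attribute
     */
    public void collectAttributes(Subject subject, MessageContext messageContext, QName qName) throws AttributeException {
        this.logger.debug("collecting attributes...");
        if (!addSubjectAttributes(subject, messageContext, qName)) {
            throw new AttributeException("No role in the assertion");
        }
        if (!addActionAttribute(subject, messageContext, qName)) {
            throw new AttributeException("Unable to find the action");
        }
        if (!addResourceAttribute(subject, messageContext, qName)) {
            throw new AttributeException("Unable to find the resource");
        }
        this.logger.debug("attributes collected");
    }

    /**
     * Extracts the role(s) carried by the SAML assertion and stores them under
     * {@code ROLE_VALUE}.
     * <p>
     * Only the first statement of the assertion is examined, and it must be a
     * {@link SAMLAttributeStatement}; the first attribute named
     * {@code ROLE_ID_ATTRIBUTE} with a non-null value iterator is used.
     *
     * @return {@code true} only if at least one role value was actually written into
     *         the context; {@code false} when the assertion, the attribute statement,
     *         the role attribute or its values are missing
     */
    protected boolean addSubjectAttributes(Subject subject, MessageContext messageContext, QName qName) {
        this.logger.debug("adding subject attributes...");
        boolean inserted = false;
        SAMLAssertion assertion = (SAMLAssertion) messageContext.getProperty(HandlersConstants.SAML_AUTHZ_ASSERTION);
        if (assertion == null) {
            this.logger.error("SAML Assertion not found");
        } else {
            Iterator statements = assertion.getStatements();
            this.logger.debug("Statements iterator retrieved");
            if (!statements.hasNext()) {
                this.logger.error("SAML Assertion statement not found");
            } else {
                Object firstStatement = statements.next();
                // Guard the cast: an assertion whose first statement is of another kind
                // must be rejected (false -> AttributeException), not blow up with a
                // ClassCastException escaping collectAttributes.
                if (!(firstStatement instanceof SAMLAttributeStatement)) {
                    this.logger.error("First SAML statement is not an attribute statement");
                } else {
                    SAMLAttributeStatement attributeStatement = (SAMLAttributeStatement) firstStatement;
                    this.logger.debug("Statement " + attributeStatement.getSubject().getName());
                    Iterator roleValues = findRoleValues(attributeStatement);
                    if (roleValues == null) {
                        this.logger.error("Roles attributes not found");
                    } else {
                        inserted = insertRoles(roleValues, messageContext);
                        if (inserted) {
                            this.logger.debug("Roles values iterator inserted in the context");
                        } else {
                            // Attribute present but without values: fail closed.
                            this.logger.error("Role attribute carries no value");
                        }
                    }
                }
            }
        }
        this.logger.debug("end");
        return inserted;
    }

    /**
     * Looks for the role attribute in the given statement.
     *
     * @return the value iterator of the first attribute named {@code ROLE_ID_ATTRIBUTE}
     *         whose value iterator is non-null, or {@code null} if there is none
     */
    private Iterator findRoleValues(SAMLAttributeStatement statement) {
        Iterator attributes = statement.getAttributes();
        while (attributes.hasNext()) {
            SAMLAttribute attribute = (SAMLAttribute) attributes.next();
            String name = attribute.getName();
            this.logger.debug("Attribute name = " + name);
            if (name != null && name.equals(SAMLAssertionConstants.ROLE_ID_ATTRIBUTE)) {
                Iterator values = attribute.getValues();
                this.logger.debug("Role values empty " + (values == null));
                // A role attribute with a null value iterator is skipped; a later
                // attribute with the same name may still provide the values.
                if (values != null) {
                    return values;
                }
            }
        }
        return null;
    }

    /**
     * Writes role values into the context under {@code ROLE_VALUE}.
     * <p>
     * In single-role mode only the first value is used. In multi-role mode every value
     * is visited, but since ROLE_VALUE is a single property each assignment replaces
     * the previous one — as written, a PDP reading that property sees only the last
     * role. NOTE(review): confirm this is what the consuming PDP expects.
     *
     * @return {@code true} if at least one value was written
     */
    private boolean insertRoles(Iterator roleValues, MessageContext messageContext) {
        this.logger.debug("More than a role cycle = " + this.multiroleSupport);
        boolean inserted = false;
        while (roleValues.hasNext()) {
            String role = (String) roleValues.next();
            this.logger.debug("Role: " + role);
            if (this.logger.isWarnEnabled() && roleValues.hasNext()) {
                this.logger.warn("Extra roles ignored");
            }
            messageContext.setProperty(AuthorizationConstants.ROLE_VALUE, role);
            inserted = true;
            if (!this.multiroleSupport) {
                break;
            }
        }
        return inserted;
    }

    /**
     * Stores the invoked operation name (local part of {@code qName}) under
     * {@code ACTION_ATTR}.
     *
     * @return {@code false} if {@code qName} is {@code null}, {@code true} otherwise
     */
    protected boolean addActionAttribute(Subject subject, MessageContext messageContext, QName qName) {
        this.logger.debug("collectActionAttributes] start");
        if (qName == null) {
            this.logger.warn("No action attribute found");
            return false;
        }
        String operation = qName.getLocalPart();
        this.logger.debug("Operation being invoked " + operation);
        messageContext.setProperty(AuthorizationConstants.ACTION_ATTR, operation);
        this.logger.debug("end");
        return true;
    }

    /**
     * Stores the path of the endpoint address URL under {@code RESOURCE_ATTR}.
     * <p>
     * Requires an Axis {@code MessageContext}, because the endpoint address is read
     * through {@link AuthUtil#getEndpointAddressURL}.
     *
     * @return {@code false} if the context is not an Axis context, the endpoint URL is
     *         absent or malformed; {@code true} once the path has been stored
     */
    protected boolean addResourceAttribute(Subject subject, MessageContext messageContext, QName qName) {
        this.logger.debug("adding resource attribute");
        // Guard the cast so a foreign context is reported as "no resource" (false ->
        // AttributeException) instead of a ClassCastException escaping the PIP.
        if (!(messageContext instanceof org.apache.axis.MessageContext)) {
            this.logger.error("Message context is not an Axis message context");
            this.logger.warn("No resource found");
            return false;
        }
        org.apache.axis.MessageContext axisContext = (org.apache.axis.MessageContext) messageContext;
        try {
            URL endpointAddress = AuthUtil.getEndpointAddressURL(axisContext);
            if (endpointAddress != null) {
                String path = endpointAddress.getPath();
                this.logger.debug("Resource being accessed is " + path);
                axisContext.setProperty(AuthorizationConstants.RESOURCE_ATTR, path);
                this.logger.debug("end");
                return true;
            }
        } catch (MalformedURLException e) {
            this.logger.error("Invalid url", e);
        }
        this.logger.warn("No resource found");
        return false;
    }

    /** Nothing to release; only logs the shutdown. */
    public void close() throws CloseException {
        this.logger.debug("PIP closed");
    }
}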
