package org.gcube.common.vomanagement.security.configuration;

import javax.security.auth.Subject;
import org.apache.axis.MessageContext;
import org.gcube.common.core.contexts.GCUBEServiceContext;
import org.gcube.common.core.contexts.GHNContext;
import org.gcube.common.core.contexts.ghn.CredentialConsumer;
import org.gcube.common.core.contexts.ghn.Events;
import org.gcube.common.core.security.GCUBEAuthzPolicy;
import org.gcube.common.core.security.GCUBESecurityManagerImpl;
import org.gcube.common.core.security.GCUBEServiceSecurityManager;
import org.gcube.common.core.security.SecurityCredentials;
import org.gcube.common.core.security.impl.GSSSecurityCredentials;
import org.gcube.common.core.utils.events.GCUBEEvent;
import org.gcube.common.core.utils.events.GCUBEProducer;
import org.gcube.common.vomanagement.security.authorisation.control.impl.policies.GCUBEPolicy;
import org.gcube.common.vomanagement.security.authorisation.control.impl.policies.GCUBEPolicyFactory;
import org.globus.gsi.jaas.JaasGssUtil;
import org.globus.wsrf.security.SecurityException;
import org.globus.wsrf.security.SecurityManager;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;

/* loaded from: input_file:org/gcube/common/vomanagement/security/configuration/GCUBEServiceSecurityManagerImpl.class */
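public class GCUBEServiceSecurityManagerImpl extends GCUBESecurityManagerImpl implements GCUBEServiceSecurityManager {

    /**
     * Identifier handed to the {@link GCUBEPolicyFactory} when security is enabled.
     * NOTE(review): recovered from decompiled bytecode, where this literal was compared
     * against {@code 0} (a constant-folded null check); confirm against the original
     * source that this is really the intended policy key.
     */
    private static final String DEFAULT_POLICY_NAME = ":-)";

    /** Credentials the service presents on its own outgoing calls; {@code null} when it holds none. */
    private GSSCredential serviceCredentials;
    /** Context of the service this manager protects; set by {@link #initialise(GCUBEServiceContext)}. */
    protected GCUBEServiceContext context;
    /** Authorisation policy currently applied to incoming calls. */
    private GCUBEPolicy policy;
    /** Factory used to resolve the service policy when security is enabled. */
    private GCUBEPolicyFactory policyFactory;
    /** Publishes CREDENTIALUPDATE / POLICYUPDATE lifetime events to subscribers. */
    private final GCUBEProducer<GCUBEServiceSecurityManager.LifetimeTopic, Object> producer = new GCUBEProducer<>();
    /**
     * When {@code true} (the default), {@link #getCredentials()} prefers the caller's
     * delegated credentials over the service's own for outgoing calls.
     */
    private boolean propagateCallerCredentials = true;

    /**
     * Binds this manager to its service, resolves and initialises the policy factory,
     * then wires the credential and policy subscriptions.
     *
     * @param gCUBEServiceContext the context of the service this manager protects
     * @throws Exception if the policy factory cannot be initialised, host credentials
     *                   cannot be obtained, or a subscription fails
     */
    public void initialise(GCUBEServiceContext gCUBEServiceContext) throws Exception {
        this.context = gCUBEServiceContext;
        this.logger = gCUBEServiceContext.getLogger();
        this.policyFactory = (GCUBEPolicyFactory) GHNContext.getImplementation(GCUBEPolicyFactory.class);
        this.policyFactory.initialise(this.context);
        subscribeForCredentials();
        subscribeForPolicy(gCUBEServiceContext);
        this.logger.trace("security manager initialised for " + serviceLabel());
        this.logger.trace("is security enabled?" + isSecurityEnabled());
    }

    /**
     * Returns the policy currently applied to incoming calls.
     *
     * @return the current policy, or {@code null} if none has been set yet
     */
    public synchronized GCUBEAuthzPolicy getPolicy() {
        return this.policy;
    }

    /**
     * Replaces the service policy and notifies POLICYUPDATE subscribers.
     *
     * @param gCUBEPolicy the new policy
     */
    public synchronized void setPolicy(GCUBEPolicy gCUBEPolicy) {
        this.policy = gCUBEPolicy;
        this.logger.trace("setting service policy to " + gCUBEPolicy);
        this.producer.notify(GCUBEServiceSecurityManager.LifetimeTopic.POLICYUPDATE, new GCUBEEvent[]{new GCUBEServiceSecurityManager.LifetimeEvent()});
    }

    /**
     * Wraps the credentials the service uses for its own outgoing calls.
     * Synchronized to agree with {@link #setServiceCredentials(GSSCredential)},
     * which may be invoked from the container's delegation callback thread.
     *
     * @return a wrapper around the service credentials (possibly wrapping {@code null})
     * @throws Exception if the wrapper cannot be built
     */
    public synchronized SecurityCredentials getServiceCredentials() throws Exception {
        return new GSSSecurityCredentials(this.serviceCredentials);
    }

    /**
     * Stores new service credentials and notifies CREDENTIALUPDATE subscribers.
     *
     * @param gSSCredential the new credentials, or {@code null} to hold none
     */
    protected synchronized void setServiceCredentials(GSSCredential gSSCredential) {
        this.serviceCredentials = gSSCredential;
        // toString() of a GSSCredential is expected to print the identity, not key material;
        // do not log anything more specific than this here.
        this.logger.trace("setting service credentials to " + (gSSCredential == null ? "no credentials" : gSSCredential.toString()));
        this.producer.notify(GCUBEServiceSecurityManager.LifetimeTopic.CREDENTIALUPDATE, new GCUBEEvent[]{new GCUBEServiceSecurityManager.LifetimeEvent()});
    }

    /**
     * Subscribes a consumer to lifetime events.
     *
     * @param lifetimeConsumer the consumer to notify
     * @param lifetimeTopicArr the topics of interest; {@code null} or empty means all topics
     */
    public void subscribe(GCUBEServiceSecurityManager.LifetimeConsumer lifetimeConsumer, GCUBEServiceSecurityManager.LifetimeTopic... lifetimeTopicArr) {
        this.producer.subscribe(lifetimeConsumer, topicsOrAll(lifetimeTopicArr));
    }

    /**
     * Unsubscribes a consumer from lifetime events.
     *
     * @param lifetimeConsumer the consumer to remove
     * @param lifetimeTopicArr the topics to drop; {@code null} or empty means all topics
     */
    public void unsubscribe(GCUBEServiceSecurityManager.LifetimeConsumer lifetimeConsumer, GCUBEServiceSecurityManager.LifetimeTopic... lifetimeTopicArr) {
        this.producer.unsubscribe(lifetimeConsumer, topicsOrAll(lifetimeTopicArr));
    }

    /**
     * Maps a {@code null} or empty topic list to "every topic".
     * Uses the short-circuit {@code ||}: the original non-short-circuit {@code |}
     * dereferenced a {@code null} array and threw a NullPointerException.
     */
    private static GCUBEServiceSecurityManager.LifetimeTopic[] topicsOrAll(GCUBEServiceSecurityManager.LifetimeTopic... topics) {
        if (topics == null || topics.length == 0) {
            return GCUBEServiceSecurityManager.LifetimeTopic.values();
        }
        return topics;
    }

    /**
     * Seeds the service credentials with the host credentials and subscribes to the
     * container's credential delegation events so later delegations replace them.
     * When security is disabled, or the service declares it needs no credentials,
     * the service credentials are cleared instead.
     *
     * @throws Exception if host credentials cannot be obtained or the subscription fails
     */
    protected void subscribeForCredentials() throws Exception {
        if (!isSecurityEnabled() || !needServiceCredentials()) {
            this.logger.info("no credentials are needed for service " + serviceLabel());
            setServiceCredentials(null);
            return;
        }
        this.logger.info("subscribing for credentials for service " + serviceLabel());
        setServiceCredentials(getHostCredentials());
        GHNContext.getContext().subscribeForCredential(new CredentialConsumer() {
            public GCUBEServiceContext getServiceContext() {
                return GCUBEServiceSecurityManagerImpl.this.context;
            }

            protected void onCredentialDelegation(Events.CredentialDelegationEvent credentialDelegationEvent) {
                // a delegation from the container replaces whatever the service held so far
                GCUBEServiceSecurityManagerImpl.this.setServiceCredentials(((Events.CredentialPayload) credentialDelegationEvent.getPayload()).getCredentials());
            }
        });
    }

    /**
     * Installs the service policy: the factory-provided policy for
     * {@link #DEFAULT_POLICY_NAME} when security is enabled, otherwise a no-op policy.
     *
     * @param gCUBEServiceContext the service context (currently unused; kept for the interface)
     * @throws Exception if the factory cannot build the policy
     */
    protected void subscribeForPolicy(GCUBEServiceContext gCUBEServiceContext) throws Exception {
        if (!isSecurityEnabled()) {
            setPolicy(new GCUBEPolicy.GCUBENoPolicy());
            return;
        }
        setPolicy(this.policyFactory.getGCUBEPolicy(DEFAULT_POLICY_NAME));
    }

    /**
     * Resolves the credentials to use for an outgoing call from the current thread, in order:
     * credentials explicitly bound to this thread, then (if propagation is on) the caller's
     * delegated credentials, otherwise the service's own credentials.
     * <p>
     * Note that with propagation on, a failed caller-credential extraction yields
     * {@code null} rather than falling back to the service identity: callers must
     * treat {@code null} as "no credentials available", never as "use the default".
     *
     * @return the credentials to use, or {@code null} if none could be resolved
     */
    public SecurityCredentials getCredentials() {
        GSSCredential threadCredential = (GSSCredential) this.callCredentials.get(Thread.currentThread());
        if (threadCredential != null) {
            this.logger.debug("Credentials found for the current thread");
            return new GSSSecurityCredentials(threadCredential);
        }
        if (this.propagateCallerCredentials) {
            this.logger.debug("Credentials not set, using caller credentials");
            try {
                return getCallerCredentials();
            } catch (Exception e) {
                this.logger.error("Unable to find caller credentials", e);
                return null;
            }
        }
        this.logger.debug("Credentials not set, using service credentials");
        try {
            return getServiceCredentials();
        } catch (Exception e2) {
            this.logger.error("Unable to find service credentials", e2);
            return null;
        }
    }

    /**
     * @return whether the hosting container has security enabled
     */
    public boolean isSecurityEnabled() {
        return GHNContext.getContext().isSecurityEnabled();
    }

    /**
     * Extracts the GSS credentials of the caller of the current incoming request.
     *
     * @return the caller's credentials, or {@code null} if security is disabled
     * @throws Exception if security is enabled but no invocation subject, or no GSS
     *                   credential inside it, can be found on the current thread
     */
    public SecurityCredentials getCallerCredentials() throws Exception {
        if (!isSecurityEnabled()) {
            return null;
        }
        Subject callerSubject = getCallerSubject();
        GSSCredential callerCredential = callerSubject == null ? null : JaasGssUtil.getCredential(callerSubject);
        if (callerCredential != null) {
            return new GSSSecurityCredentials(callerCredential);
        }
        // the original warning ended in "because: " with no reason; supply it
        String reason = callerSubject == null
                ? "no invocation subject is bound to the current message context"
                : "the invocation subject carries no GSS credential";
        this.logger.warn("Could not extract credentials from incoming call because: " + reason);
        throw new Exception("Could not extract credentials from incoming call");
    }

    /**
     * @return the name of the service this manager protects
     */
    protected String getName() {
        return this.context.getName();
    }

    /**
     * Whether this service needs its own credentials. Always {@code true} here;
     * subclasses may override to opt out of credential subscription.
     */
    public boolean needServiceCredentials() {
        return true;
    }

    /**
     * Reads the JAAS subject Axis attached to the current request.
     *
     * @return the caller subject, or {@code null} if there is no message context on
     *         this thread (i.e. we are not inside an Axis request) or no subject was set
     */
    private Subject getCallerSubject() {
        MessageContext messageContext = MessageContext.getCurrentContext();
        if (messageContext == null) {
            // outside an Axis request thread there is no context at all; the original
            // dereferenced it unconditionally and threw a NullPointerException
            this.logger.warn("No message context on the current thread; the caller subject is unavailable");
            return null;
        }
        Subject subject = (Subject) messageContext.getProperty("invocationSubject");
        if (subject == null) {
            this.logger.warn("The caller subject is null!");
        }
        return subject;
    }

    /**
     * Fetches the container's host credentials from the system subject.
     *
     * @return the host credentials, never {@code null}
     * @throws SecurityException if the container security manager refuses to hand out the system subject
     * @throws GSSException if the system subject holds no GSS credential, or its name cannot be read
     */
    private GSSCredential getHostCredentials() throws SecurityException, GSSException {
        this.logger.debug("Getting host Credentials for service ... ");
        try {
            Subject systemSubject = SecurityManager.getManager().getSystemSubject();
            GSSCredential credential = JaasGssUtil.getCredential(systemSubject);
            if (credential == null) {
                // fail loudly rather than with the NullPointerException the original produced:
                // a security-enabled service that needs credentials must not start without them
                throw new GSSException(GSSException.NO_CRED, 0, "no GSS credential found in the container's system subject");
            }
            this.logger.debug("Host Credentials name " + credential.getName());
            return credential;
        } catch (SecurityException e) {
            this.logger.error("Cannot get local host credentials", e);
            throw e;
        }
    }

    /**
     * Switches between propagating the caller's credentials and using the service's own
     * on outgoing calls; see {@link #getCredentials()}.
     *
     * @param z {@code true} to propagate caller credentials
     */
    public void propagateCallerCredentials(boolean z) {
        this.propagateCallerCredentials = z;
    }

    /** "serviceClass:name" label used in log lines. */
    private String serviceLabel() {
        return this.context.getServiceClass() + ":" + this.context.getName();
    }
}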
