package xsul.dsig.saml.authorization;

import java.io.ByteArrayInputStream;
import java.io.StringReader;
import java.security.Principal;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Enumeration;
import java.util.Iterator;
import java.util.List;
import java.util.Vector;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.apache.xml.security.Init;
import org.globus.gsi.GlobusCredential;
import org.globus.gsi.GlobusCredentialException;
import org.opensaml.SAMLAction;
import org.opensaml.SAMLAssertion;
import org.opensaml.SAMLAttributeStatement;
import org.opensaml.SAMLAuthenticationStatement;
import org.opensaml.SAMLAuthorizationDecisionStatement;
import org.w3c.dom.Element;
import org.xml.sax.InputSource;
import org.xmlpull.v1.builder.XmlElement;
import org.xmlpull.v1.builder.XmlInfosetBuilder;
import xsul.MLogger;
import xsul.XmlConstants;
import xsul.XsulException;
import xsul.dsig.globus.security.authentication.wssec.WSConstants;
import xsul.dsig.globus.security.authentication.wssec.WSSecurityUtil;

/* loaded from: input_file:xsul/dsig/saml/authorization/CapabilityAuthorizer.class */
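/**
 * Authorizes a SOAP request against a SAML "capability" carried in its wsse:Security header.
 *
 * <p>Authorization model as implemented here: the capability's signatures are verified against
 * the {@code owner} first, then every SAMLAuthorizationDecisionStatement in every assertion is
 * checked. A request is rejected when a statement (a) names a resource that does not match the
 * service identifier, (b) names a subject other than the owner, or (c) carries a DENY decision
 * for an action whose name equals the name of a child element of the SOAP Body. Nothing requires
 * a PERMIT: an action that no statement mentions passes, and a decision other than DENY passes.
 * NOTE(review): this is a default-allow policy; confirm that is intended before relying on it to
 * restrict operations rather than merely to veto them.
 *
 * <p>The {@code String} entry point parses the envelope with a DOM factory that rejects DOCTYPEs
 * and external entities. The {@code XmlElement} entry points receive an already-parsed tree and
 * re-serialize it for the DOM pass; how that tree was originally parsed is the caller's concern.
 */
public class CapabilityAuthorizer {
    private static final XmlInfosetBuilder builder = XmlConstants.BUILDER;
    private static final MLogger logger = MLogger.getLogger();
    /** SOAP 1.1 envelope namespace, used to locate the Header element. */
    private static final String SOAP_ENV_NS = "http://schemas.xmlsoap.org/soap/envelope/";
    /** Identifier of the protected service, compared with each statement's Resource attribute. */
    private String service_identifier;
    /** Subject DN the authorization statements must be issued to; canonicalized by the constructors. */
    private String owner;
    /**
     * Namespace-aware, non-validating DOM factory, hardened in the static initializer.
     * NOTE(review): DocumentBuilderFactory is not specified as thread-safe; the shared instance is
     * only ever asked for new builders, which is commonly safe, but confirm for the deployed parser.
     */
    private static DocumentBuilderFactory dbfNonValidating;

    /** Creates an authorizer with an empty service identifier and empty owner; see the setters. */
    protected CapabilityAuthorizer() {
        this.service_identifier = "";
        this.owner = "";
    }

    /**
     * @param str  service identifier matched against each statement's Resource attribute
     * @param str2 owner subject, or {@code null} to use the default Globus credential's subject
     * @throws CapabilityException if no owner is given and the default credential cannot be loaded
     */
    protected CapabilityAuthorizer(String str, String str2) throws CapabilityException {
        this.service_identifier = str;
        this.owner = resolveOwner(str2);
    }

    /**
     * Creates an authorizer with an EMPTY service identifier. Because the resource check also
     * accepts any resource that merely contains the identifier, an empty identifier matches every
     * resource; call {@link #setServiceIdentifier(String)} if resource scoping is required.
     *
     * @param str owner subject, or {@code null} to use the default Globus credential's subject
     * @throws CapabilityException if no owner is given and the default credential cannot be loaded
     */
    protected CapabilityAuthorizer(String str) throws CapabilityException {
        this.service_identifier = "";
        this.owner = resolveOwner(str);
    }

    /**
     * Canonicalizes the given subject, or the default Globus credential's subject when none is given.
     *
     * @throws CapabilityException if the default credential is needed but cannot be loaded
     */
    private static String resolveOwner(String subject) throws CapabilityException {
        if (subject != null) {
            return CapabilityUtil.canonicalizeSubject(subject);
        }
        try {
            return CapabilityUtil.canonicalizeSubject(GlobusCredential.getDefaultCredential().getSubject());
        } catch (GlobusCredentialException e) {
            throw new CapabilityException("could not get Globus Credential: " + e.getMessage());
        }
    }

    /** Factory for {@link #CapabilityAuthorizer(String, String)}. */
    public static CapabilityAuthorizer newInstance(String str, String str2) throws CapabilityException {
        return new CapabilityAuthorizer(str, str2);
    }

    /** Factory for {@link #CapabilityAuthorizer(String)} (empty service identifier). */
    public static CapabilityAuthorizer newInstance(String str) throws CapabilityException {
        return new CapabilityAuthorizer(str);
    }

    /** Sets the service identifier compared with each statement's Resource attribute. */
    public void setServiceIdentifier(String str) {
        this.service_identifier = str;
    }

    public String getServiceIdentifier() {
        return this.service_identifier;
    }

    /**
     * Sets the owner subject. Unlike the constructors, this does NOT canonicalize the value;
     * pass a subject in the same form {@code CapabilityUtil.canonicalizeSubject} produces, because
     * the statement subject is compared with it directly (case-insensitively).
     */
    public void setOwner(String str) {
        this.owner = str;
    }

    public String getOwner() {
        return this.owner;
    }

    /**
     * Authorization path taken when a request carries no capability at all.
     *
     * <p>Security: this method used to be empty, so a request without a capability was silently
     * authorized (fail-open). Absence of a capability is absence of any evidence of authorization,
     * so it now fails closed.
     *
     * @param str        name of the requesting principal (reported in the exception only)
     * @param xmlElement the SOAP envelope (unused)
     * @throws CapabilityException always
     */
    public void isAuthorized(String str, XmlElement xmlElement) throws CapabilityException {
        throw new CapabilityException("no capability presented for principal " + str);
    }

    /**
     * Verifies the capability's signatures and checks every authorization decision statement it
     * carries against the operations named by the SOAP Body's child elements.
     *
     * @param capability the capability extracted from the request
     * @param xmlElement the SOAP envelope whose Body children name the requested operations
     * @throws CapabilityException if signature verification fails, the capability or envelope is
     *         missing or malformed, a statement is of an unknown type, or any statement's
     *         resource, subject or DENY decisions reject the request
     */
    public void isAuthorized(Capability capability, XmlElement xmlElement) throws CapabilityException {
        if (capability == null) {
            throw new CapabilityException("no capability available");
        }
        logger.finest("restored cap=\n" + capability);
        // Nothing inside the capability may be trusted until its signatures check out against the owner.
        CapabilityVerifier.newInstance(this.owner).verify(capability);
        logger.finest("signatures verified!!!");
        SAMLAssertion[] allAssertions = capability.getAllAssertions();
        if (allAssertions == null || allAssertions.length == 0) {
            throw new CapabilityException("no capability available");
        }
        List<String> requestedActions = bodyChildNames(xmlElement);
        logger.finest("before verifying the actions.");
        for (SAMLAssertion assertion : allAssertions) {
            Iterator statements = assertion.getStatements();
            if (statements == null) {
                continue;
            }
            while (statements.hasNext()) {
                Object statement = statements.next();
                if (statement instanceof SAMLAuthorizationDecisionStatement) {
                    logger.finest("type SAMLAuthorizationDecisionStatement");
                    checkDecisionStatement((SAMLAuthorizationDecisionStatement) statement, requestedActions);
                } else if (statement instanceof SAMLAuthenticationStatement) {
                    logger.finest("type SAMLAuthenticationStatement");
                } else if (statement instanceof SAMLAttributeStatement) {
                    logger.finest("type SAMLAttributeStatement");
                } else {
                    throw new CapabilityException("illegal SAML statement");
                }
            }
        }
    }

    /**
     * Collects the names of the SOAP Body's child elements; these are the "actions" a capability
     * may deny. Non-element children (e.g. whitespace text) carry no operation and are skipped.
     *
     * @throws CapabilityException if the envelope is null, has no Body, or the Body has no children
     */
    private static List<String> bodyChildNames(XmlElement envelope) throws CapabilityException {
        if (envelope == null) {
            throw new CapabilityException("SOAP Env null");
        }
        XmlElement body = envelope.findElementByName("Body");
        if (body == null) {
            throw new CapabilityException("no SOAP body can be found");
        }
        Iterator children = body.children();
        if (children == null) {
            throw new CapabilityException("Body has no children");
        }
        List<String> names = new ArrayList<String>();
        while (children.hasNext()) {
            Object child = children.next();
            if (child instanceof XmlElement) {
                names.add(((XmlElement) child).getName());
            }
        }
        return names;
    }

    /**
     * Applies one authorization decision statement: resource must match the service identifier,
     * subject must be the owner, and no requested action may be listed under a DENY decision.
     *
     * @throws CapabilityException on any of the three rejections, or if the statement lacks a
     *         subject or an action list
     */
    private void checkDecisionStatement(SAMLAuthorizationDecisionStatement statement, List<String> requestedActions)
            throws CapabilityException {
        String resource = statement.getResource();
        if (!resourceMatches(resource)) {
            logger.finest("resource: " + resource);
            logger.finest("service uri:" + this.service_identifier);
            throw new CapabilityException("the resource doesn't match!");
        }
        if (statement.getSubject() == null || statement.getSubject().getName() == null) {
            throw new CapabilityException("authorization statement has no subject");
        }
        String subjectName = statement.getSubject().getName();
        logger.finest("subject name: " + subjectName);
        if (!subjectName.equalsIgnoreCase(this.owner)) {
            logger.finest("owner name: " + this.owner);
            throw new CapabilityException("the subject doesn't match!");
        }
        Iterator actions = statement.getActions();
        if (actions == null) {
            throw new CapabilityException("no actions!");
        }
        // Materialize the actions once. An Iterator can only be walked a single time, and the
        // previous code walked it inside the per-Body-child loop, so only the FIRST Body child
        // was ever compared against the statement's actions; later children were never checked.
        List<SAMLAction> listed = new ArrayList<SAMLAction>();
        while (actions.hasNext()) {
            Object action = actions.next();
            if (action instanceof SAMLAction) {
                SAMLAction samlAction = (SAMLAction) action;
                logger.finest("SAMLAction namespace: " + samlAction.getNamespace());
                logger.finest("SAMLAction data: " + samlAction.getData());
                listed.add(samlAction);
            } else {
                logger.finest("o2 class type: " + (action == null ? null : action.getClass()));
            }
        }
        // Only an explicit DENY is acted on; PERMIT or any other decision imposes nothing.
        boolean deny = CapConstants.DENY.equals(statement.getDecision());
        for (String requested : requestedActions) {
            logger.finest("o1 string: " + requested);
            for (SAMLAction samlAction : listed) {
                if (deny && requested.equalsIgnoreCase(samlAction.getData())) {
                    throw new CapabilityException("action: " + samlAction.getData()
                            + " is not authorized by the capability.\n");
                }
            }
        }
    }

    /**
     * Resource check as inherited: exact case-insensitive equality, or the resource CONTAINS the
     * service identifier anywhere as a substring. Consequently an empty service identifier (the
     * default left by the one-argument constructor) matches every resource, and any resource
     * string that happens to embed the identifier matches too. Tighten to equality if a
     * capability must be bound to exactly this service.
     *
     * @throws CapabilityException if the service identifier was set to {@code null}
     */
    private boolean resourceMatches(String resource) throws CapabilityException {
        if (this.service_identifier == null) {
            throw new CapabilityException("service identifier is not set");
        }
        if (resource == null) {
            return false;
        }
        if (resource.equalsIgnoreCase(this.service_identifier)) {
            return true;
        }
        return resource.indexOf(this.service_identifier) >= 0;
    }

    /** Convenience overload taking the principal; see {@link #isAuthorized(String, Capability, XmlElement)}. */
    public void isAuthorized(Principal principal, Capability capability, XmlElement xmlElement) throws CapabilityException {
        if (principal == null) {
            throw new CapabilityException("principal null");
        }
        isAuthorized(principal.getName(), capability, xmlElement);
    }

    /**
     * Dispatches on whether a capability is present: with one, the capability is checked; without
     * one, {@link #isAuthorized(String, XmlElement)} rejects the request.
     */
    public void isAuthorized(String str, Capability capability, XmlElement xmlElement) throws CapabilityException {
        if (capability == null) {
            isAuthorized(str, xmlElement);
        } else {
            isAuthorized(capability, xmlElement);
            logger.finest("after verifying the actions.");
        }
    }

    /**
     * Authorizes a serialized SOAP envelope: the capability is extracted from its header and
     * checked against its Body.
     *
     * @throws Exception on parse failure, a missing header/security/assertion element, or rejection
     */
    public void isAuthorized(String str) throws Exception {
        isAuthorized(getCapability(str), builder.parseFragmentFromReader(new StringReader(str)));
    }

    /** Authorizes an already-parsed SOAP envelope; see {@link #isAuthorized(String)}. */
    public void isAuthorized(XmlElement xmlElement) throws Exception {
        isAuthorized(getCapability(xmlElement), xmlElement);
    }

    private Capability getCapability(XmlElement xmlElement) throws Exception {
        return getCapability(builder.serializeToString(xmlElement));
    }

    /**
     * Locates Envelope/Header/wsse:Security/saml:Assertion in the serialized envelope and wraps
     * the (first direct) assertion in a Capability. Signatures are NOT verified here.
     *
     * @throws XsulException if the Header, Security or Assertion element is absent
     * @throws Exception     on parse failure
     */
    private Capability getCapability(String str) throws Exception {
        // Parse from a character stream: no round trip through the platform default charset
        // (the original used str.getBytes()), and the hardened factory rejects DOCTYPEs.
        // getDocumentElement() rather than a cast of getFirstChild(), which fails on a leading
        // comment or processing instruction.
        Element envelope = dbfNonValidating.newDocumentBuilder()
                .parse(new InputSource(new StringReader(str)))
                .getDocumentElement();
        if (envelope == null) {
            throw new XsulException("could not find Header in envelope");
        }
        Element header = (Element) WSSecurityUtil.getDirectChild(envelope, "Header", SOAP_ENV_NS);
        if (header == null) {
            throw new XsulException("could not find Header in envelope");
        }
        Element security = (Element) WSSecurityUtil.getDirectChild(header, WSConstants.WS_SEC_LN, WSConstants.WSSE_NS);
        if (security == null) {
            throw new XsulException("could not find wssec:Security in envelope");
        }
        Element assertionElement = (Element) WSSecurityUtil.getDirectChild(security, "Assertion", CapConstants.SAML_NS);
        if (assertionElement == null) {
            throw new XsulException("could not find saml:Assertion in wssec:Security header");
        }
        Capability capability = new Capability(Arrays.asList(new SAMLAssertion(assertionElement)));
        logger.finest("capabiltiy generated: " + capability.toString());
        return capability;
    }

    /**
     * Disables DTD and external-entity processing on the factory. Envelopes parsed with it arrive
     * over the network and are parsed BEFORE any signature check, so a DOCTYPE could otherwise pull
     * in external entities (XXE) or expand recursively (entity-expansion DoS). SOAP 1.1 forbids a
     * DOCTYPE in a message, so rejecting it outright loses nothing legitimate; the remaining flags
     * cover parsers that do not implement that feature.
     */
    private static void hardenAgainstXxe(DocumentBuilderFactory factory) {
        setFeatureQuietly(factory, "http://apache.org/xml/features/disallow-doctype-decl", true);
        setFeatureQuietly(factory, "http://xml.org/sax/features/external-general-entities", false);
        setFeatureQuietly(factory, "http://xml.org/sax/features/external-parameter-entities", false);
        setFeatureQuietly(factory, "http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        factory.setExpandEntityReferences(false);
        try {
            factory.setXIncludeAware(false);
        } catch (UnsupportedOperationException e) {
            // Factories without XInclude support throw here; there is nothing to disable.
        }
    }

    /** Sets a parser feature, logging (not failing) when the implementation does not know it. */
    private static void setFeatureQuietly(DocumentBuilderFactory factory, String feature, boolean value) {
        try {
            factory.setFeature(feature, value);
        } catch (ParserConfigurationException e) {
            logger.finest("XML parser feature not supported: " + feature);
        }
    }

    static {
        Init.init();
        dbfNonValidating = DocumentBuilderFactory.newInstance();
        dbfNonValidating.setNamespaceAware(true);
        hardenAgainstXxe(dbfNonValidating);
    }
}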
