package pl.edu.icm.yadda.aas.client;

import java.util.HashMap;
import java.util.HashSet;
import java.util.Set;
import org.apache.commons.lang.NotImplementedException;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.opensaml.lite.common.SAMLObject;
import org.opensaml.lite.saml2.core.Assertion;
import org.opensaml.lite.saml2.core.EncryptedAssertion;
import org.opensaml.lite.xacml.ctx.DecisionType;
import org.opensaml.lite.xacml.ctx.impl.ActionTypeImpl;
import org.opensaml.lite.xacml.ctx.impl.AttributeTypeImpl;
import org.opensaml.lite.xacml.ctx.impl.AttributeValueTypeImpl;
import org.opensaml.lite.xacml.ctx.impl.EnvironmentTypeImpl;
import org.opensaml.lite.xacml.ctx.impl.RequestTypeImpl;
import org.opensaml.lite.xacml.ctx.impl.ResourceTypeImpl;
import org.opensaml.lite.xacml.ctx.impl.SubjectTypeImpl;
import org.opensaml.lite.xacml.policy.ObligationType;
import org.opensaml.lite.xacml.profile.saml.impl.XACMLAuthzDecisionQueryTypeImpl;
import pl.edu.icm.yadda.aal.dao2.CatalogBasedAuthenticationDAO;
import pl.edu.icm.yadda.aal.model2.User;
import pl.edu.icm.yadda.aas.XACMLConstants;
import pl.edu.icm.yadda.aas.client.session.GroupIdentity;
import pl.edu.icm.yadda.aas.client.session.LicenseAuthority;
import pl.edu.icm.yadda.aas.client.session.LoginIdentity;
import pl.edu.icm.yadda.aas.client.session.RoleAuthority;
import pl.edu.icm.yadda.desklight.model.reference.Serializer;
import pl.edu.icm.yadda.service2.CatalogObjectMeta;
import pl.edu.icm.yadda.service2.CatalogObjectPart;
import pl.edu.icm.yadda.service2.YaddaObjectID;
import pl.edu.icm.yadda.service2.aas.AAError;
import pl.edu.icm.yadda.service2.aas.AuthenticateResponse;
import pl.edu.icm.yadda.service2.aas.AuthorizeRequest;
import pl.edu.icm.yadda.service2.aas.AuthorizeRequestHeader;
import pl.edu.icm.yadda.service2.aas.AuthorizeResponse;
import pl.edu.icm.yadda.service2.aas.IAAService;
import pl.edu.icm.yadda.service2.catalog.CatalogException;
import pl.edu.icm.yadda.service2.catalog.CountingIterator;
import pl.edu.icm.yadda.service2.catalog.ICatalogFacade;
import pl.edu.icm.yadda.service2.catalog.search.MatchCriteria;
import pl.edu.icm.yadda.service2.catalog.search.PartSearchKey;

/* loaded from: input_file:pl/edu/icm/yadda/aas/client/ClientSecurityService.class */
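/**
 * Client-side facade over the AAS (authentication/authorization service).
 * <p>
 * Responsibilities visible in this class:
 * <ul>
 *   <li>user and anonymous login: sends an authn request to {@link IAAService}, and only on an
 *       XACML {@code Permit} populates the current {@link ISecuritySession} (licenses, login
 *       identity, optional roles/groups) and stores the returned SAML {@link Assertion} in the
 *       {@link IAssertionHolder};</li>
 *   <li>license evaluation: issues a licensing authz request and maps the returned
 *       {@code OBLIGATION_LICENSE_PREFIX} obligations to license identifiers;</li>
 *   <li>logout: drops the assertion from the holder and invalidates the session.</li>
 * </ul>
 * Review notes (not changed here, confirm against the session implementation):
 * <ul>
 *   <li>{@code getAuthorities("LICENSE"/"ROLE"/"GROUP")} are extended with {@code addAll}, never
 *       reset, so a second login on a session that was not invalidated keeps the previous
 *       authorities — make sure {@code sessionService.getCurrent()} hands out a fresh session
 *       per login or that callers always {@link #logout()} first.</li>
 *   <li>{@link #logout()} writes the security session id and the HTTP session id to the log at
 *       INFO level; session identifiers in logs are sensitive data.</li>
 * </ul>
 * All collaborators are injected through setters; {@link #isSupportedFetchingUserData()}
 * reports whether the optional catalog/serializer pair is wired.
 */
public class ClientSecurityService implements IClientSecurityService {
    private static final Log log = LogFactory.getLog(ClientSecurityService.class);
    private IAAService aasService;
    private IAasSessionService sessionService;
    private IAssertionHolder assertionHolder;
    private Serializer serializer;
    private ICatalogFacade<String> aasCatalog;
    private String authnType = ClientSecurityServiceHelper.AUTHN_TYPE_USER;

    public void setSerializer(Serializer serializer) {
        this.serializer = serializer;
    }

    /**
     * Evaluates licenses for the assertion registered under {@code str} in the assertion holder.
     * A {@code null} id evaluates with a single {@code null} assertion element (the cast keeps the
     * varargs call wrapping it into a one-element array, as before).
     *
     * @param str assertion id, may be {@code null}
     * @return license ids as produced by {@link #retrieveLicenses(SAMLObject...)}
     */
    @Override // pl.edu.icm.yadda.aas.client.IClientSecurityService
    public Set<String> retrieveLicenses(String str) {
        if (str == null) {
            return retrieveLicenses((Assertion) null);
        }
        return retrieveLicenses(this.assertionHolder.getAssertion(str));
    }

    /**
     * Builds the XACML authz request used for license evaluation: a wildcard ({@code "*"})
     * license-subject, an empty resource and environment, and the action {@code evaluate-license}.
     * The supplied SAML objects (normally the caller's assertion) travel in the request header,
     * which is how the PDP learns who is asking.
     *
     * @param sAMLObjectArr SAML objects to attach to the request header
     * @return the assembled request
     */
    public static AuthorizeRequest buildLicensingAuthzRequest(SAMLObject... sAMLObjectArr) {
        XACMLAuthzDecisionQueryTypeImpl query = new XACMLAuthzDecisionQueryTypeImpl();
        AuthorizeRequest request = new AuthorizeRequest(query);
        request.setHeader(new AuthorizeRequestHeader(sAMLObjectArr));

        RequestTypeImpl xacmlRequest = new RequestTypeImpl();
        query.setRequest(xacmlRequest);

        // Subject: every license subject ("*") — the PDP narrows it down from the header assertion.
        SubjectTypeImpl subject = new SubjectTypeImpl();
        subject.setSubjectCategory("urn:oasis:names:tc:xacml:1.0:subject-category:license-subject");
        subject.getAttributes().add(stringAttribute(XACMLConstants.SUBJECT_ID, "*"));
        xacmlRequest.getSubjects().add(subject);

        // Resource: deliberately empty; license evaluation is not bound to a single resource.
        xacmlRequest.getResources().add(new ResourceTypeImpl());

        // Action: evaluate-license.
        ActionTypeImpl action = new ActionTypeImpl();
        action.getAttributes().add(stringAttribute(XACMLConstants.ACTION_ID, "evaluate-license"));
        xacmlRequest.setAction(action);

        xacmlRequest.setEnvironment(new EnvironmentTypeImpl());
        return request;
    }

    /** Creates a single-valued XACML string attribute {@code attributeId = value}. */
    private static AttributeTypeImpl stringAttribute(String attributeId, String value) {
        AttributeTypeImpl attribute = new AttributeTypeImpl();
        attribute.setAttributeID(attributeId);
        attribute.setDataType(XACMLConstants.DATATYPE_STRING);
        AttributeValueTypeImpl attributeValue = new AttributeValueTypeImpl();
        attributeValue.setValue(value);
        attribute.getAttributeValues().add(attributeValue);
        return attribute;
    }

    /**
     * Evaluates licenses for the given SAML objects.
     * <p>
     * Returns the ids of all {@code OBLIGATION_LICENSE_PREFIX} obligations with the prefix
     * stripped. When the decision is anything other than {@code Permit} (including a missing
     * result), {@link IClientSecurityService#NOT_EXISTING_LICENSE} is added as a sentinel.
     * NOTE(review): license obligations are still collected on a non-Permit decision, unlike
     * {@link #retrieveLicenseObligations(SAMLObject...)} which returns nothing in that case;
     * confirm with the policy authors that obligations attached to a Deny are meant to grant
     * licenses.
     *
     * @param sAMLObjectArr SAML objects identifying the caller (typically one assertion)
     * @return mutable set of license ids, never {@code null}
     */
    @Override // pl.edu.icm.yadda.aas.client.IClientSecurityService
    public Set<String> retrieveLicenses(SAMLObject... sAMLObjectArr) {
        AuthorizeResponse response = this.aasService.authorize(buildLicensingAuthzRequest(sAMLObjectArr));
        logAuthorizeErrors(response);
        Set<String> licenses = new HashSet<String>();
        if (!isPermit(decisionOf(response))) {
            licenses.add(IClientSecurityService.NOT_EXISTING_LICENSE);
        }
        for (ObligationType obligation : licenseObligationsOf(response)) {
            // Strip only the leading prefix; the id was checked with startsWith.
            licenses.add(obligation.getObligationId().substring(IClientSecurityService.OBLIGATION_LICENSE_PREFIX.length()));
        }
        return licenses;
    }

    /**
     * Like {@link #retrieveLicenses(SAMLObject...)} but returns the raw license obligations, and
     * only when the decision is {@code Permit}; any other (or missing) decision yields an empty set.
     *
     * @param sAMLObjectArr SAML objects identifying the caller
     * @return mutable set of obligations, never {@code null}
     */
    @Override // pl.edu.icm.yadda.aas.client.IClientSecurityService
    public Set<ObligationType> retrieveLicenseObligations(SAMLObject... sAMLObjectArr) {
        AuthorizeResponse response = this.aasService.authorize(buildLicensingAuthzRequest(sAMLObjectArr));
        logAuthorizeErrors(response);
        if (!isPermit(decisionOf(response))) {
            return new HashSet<ObligationType>();
        }
        return licenseObligationsOf(response);
    }

    /** Logs every error reported by the AAS on an authorize call, keeping the original cause. */
    private static void logAuthorizeErrors(AuthorizeResponse response) {
        if (response.getErrors() == null) {
            return;
        }
        for (AAError error : response.getErrors()) {
            log.error("Error id:" + error.getErrorId() + "\n" + error.getMessage(), error.getThrowable());
        }
    }

    /** Decision of an authorize response, or {@code null} if the result/decision is absent. */
    private static DecisionType.DECISION decisionOf(AuthorizeResponse response) {
        if (response == null || response.getResult() == null || response.getResult().getDecision() == null) {
            return null;
        }
        return response.getResult().getDecision().getDecision();
    }

    /** Decision carried by an authenticate response, or {@code null} if any link is absent. */
    private static DecisionType.DECISION decisionOf(AuthenticateResponse response) {
        if (response.getXacmlResponse() == null
                || response.getXacmlResponse().getResult() == null
                || response.getXacmlResponse().getResult().getDecision() == null) {
            return null;
        }
        return response.getXacmlResponse().getResult().getDecision().getDecision();
    }

    /** Fail closed: only an explicit {@code Permit} counts; {@code null} is not permitted. */
    private static boolean isPermit(DecisionType.DECISION decision) {
        return decision == DecisionType.DECISION.Permit;
    }

    /** Obligations of the response whose id starts with {@code OBLIGATION_LICENSE_PREFIX}. */
    private static Set<ObligationType> licenseObligationsOf(AuthorizeResponse response) {
        Set<ObligationType> matched = new HashSet<ObligationType>();
        if (response.getResult() == null
                || response.getResult().getObligations() == null
                || response.getResult().getObligations().getObligations() == null) {
            return matched;
        }
        for (ObligationType obligation : response.getResult().getObligations().getObligations()) {
            String id = obligation.getObligationId();
            if (id != null && id.startsWith(IClientSecurityService.OBLIGATION_LICENSE_PREFIX)) {
                matched.add(obligation);
            }
        }
        return matched;
    }

    /**
     * Extracts the plain {@link Assertion} from an authenticate response.
     *
     * @return the assertion, or {@code null} when the response carries no recognised SAML object
     * @throws NotImplementedException if the AAS returned an {@link EncryptedAssertion}
     */
    private static Assertion unwrapAssertion(AuthenticateResponse response) {
        SAMLObject samlObject = response.getSAMLObject();
        if (samlObject instanceof Assertion) {
            return (Assertion) samlObject;
        }
        if (samlObject instanceof EncryptedAssertion) {
            throw new NotImplementedException();
        }
        return null;
    }

    /**
     * Starts populating the current session for a permitted login: adds the licenses evaluated
     * for {@code assertion} to the LICENSE authority. The caller must ensure {@code assertion}
     * is non-null, otherwise the session would be modified without an assertion to bind to it.
     */
    private ISecuritySession openPermittedSession(Assertion assertion) {
        if (assertion == null) {
            // Previously this ended in a NullPointerException after the session had already been
            // partially populated; refuse up front instead.
            throw new IllegalStateException("AAS returned Permit without a usable Assertion; refusing to establish a session");
        }
        ISecuritySession current = this.sessionService.getCurrent();
        ((LicenseAuthority) current.getAuthorities("LICENSE")).addAll(retrieveLicenses(assertion));
        return current;
    }

    /** Stores the assertion and ties the session to it via the assertion id. */
    private void bindAssertion(ISecuritySession session, Assertion assertion) {
        this.assertionHolder.addOrReplace(assertion);
        session.setSecuritySessionId(assertion.getID());
    }

    /**
     * Authenticates a user and, on {@code Permit}, establishes the security session.
     * <p>
     * On {@code Permit} the session receives: the licenses evaluated for the assertion, a
     * {@link LoginIdentity} for {@code login}, and — when a catalog and serializer are wired — the
     * user's role and group names looked up by login. A failure while fetching user data is logged
     * and the login still completes (the session then has fewer authorities, never more); the
     * assertion is always stored and bound to the session afterwards.
     *
     * @param login user login; also used for the identity and the catalog lookup
     * @param str2  forwarded unchanged to {@code buildUserAuthnRequest} (presumably the password — confirm)
     * @param str3  forwarded unchanged to {@code buildUserAuthnRequest}
     * @return result holding the assertion (may be {@code null}), the decision (may be {@code null}
     *         when the AAS sent no XACML response) and the AAS errors
     * @throws NotImplementedException if the AAS returned an encrypted assertion
     * @throws IllegalStateException   if the decision is Permit but no assertion was returned
     */
    @Override // pl.edu.icm.yadda.aas.client.IClientSecurityService
    public LoginResult login(String login, String str2, String str3) {
        AuthenticateResponse response = this.aasService.authenticate(
                ClientSecurityServiceHelper.buildUserAuthnRequest(login, str2, str3, this.authnType));
        Assertion assertion = unwrapAssertion(response);
        DecisionType.DECISION decision = decisionOf(response);

        if (isPermit(decision)) {
            ISecuritySession current = openPermittedSession(assertion);
            current.setAuthorities(new LoginIdentity(login));
            try {
                if (isSupportedFetchingUserData()) {
                    User user = getUserByLogin(login);
                    if (user != null) {
                        ((RoleAuthority) current.getAuthorities("ROLE")).addAll(user.getRolesNames());
                        ((GroupIdentity) current.getAuthorities("GROUP")).addAll(user.getGroupsNames());
                    }
                }
            } catch (Exception e) {
                // Best effort: missing roles/groups must not undo an otherwise permitted login.
                log.error("Error: " + e.getMessage(), e);
            } finally {
                bindAssertion(current, assertion);
            }
        }
        return new LoginResult(assertion, decision, response.getErrors());
    }

    /**
     * Anonymous login: on {@code Permit} the session receives the evaluated licenses and is bound
     * to the returned assertion; no identity, roles or groups are set.
     *
     * @param str forwarded unchanged to {@code buildAnonymousAuthnRequest}
     * @return result as described in {@link #login(String, String, String)}
     * @throws NotImplementedException if the AAS returned an encrypted assertion
     * @throws IllegalStateException   if the decision is Permit but no assertion was returned
     */
    @Override // pl.edu.icm.yadda.aas.client.IClientSecurityService
    public LoginResult login(String str) {
        AuthenticateResponse response = this.aasService.authenticate(
                ClientSecurityServiceHelper.buildAnonymousAuthnRequest(str));
        Assertion assertion = unwrapAssertion(response);
        DecisionType.DECISION decision = decisionOf(response);

        if (isPermit(decision)) {
            ISecuritySession current = openPermittedSession(assertion);
            bindAssertion(current, assertion);
        }
        return new LoginResult(assertion, decision, response.getErrors());
    }

    /** The SAML objects are ignored; logout always acts on the current session. */
    @Override // pl.edu.icm.yadda.aas.client.IClientSecurityService
    public boolean logout(SAMLObject... sAMLObjectArr) {
        return logout();
    }

    /**
     * Removes the current session's assertion from the holder and invalidates the session.
     * The session is invalidated even when no assertion was registered for it.
     *
     * @return {@code true} if an assertion was actually removed from the holder
     */
    @Override // pl.edu.icm.yadda.aas.client.IClientSecurityService
    public boolean logout() {
        ISecuritySession current = this.sessionService.getCurrent();
        String securitySessionId = current.getSecuritySessionId();
        // NOTE(review): session identifiers are logged here at INFO level — consider masking them.
        log.info("Loggin out, removing assertion from AssertionHolder assertionId=" + securitySessionId + ", httpSessionId=" + current.getHttpSessionId());
        boolean removed = securitySessionId != null && this.assertionHolder.remove(securitySessionId) != null;
        current.invalidate();
        return removed;
    }

    /**
     * Looks up the user record for {@code login} in the AAS catalog.
     * <p>
     * Uses the first USER-typed hit whose id and USER part are present; a second hit is only
     * logged as a warning. Whether the catalog search is an exact match on the login is not
     * visible here — confirm against {@code PartSearchKey}/{@code findObjects} before relying on
     * it for authorization decisions.
     *
     * @param login login to search for
     * @return the deserialized user, or {@code null} when no usable hit exists
     * @throws CatalogException on catalog access failure
     */
    private User getUserByLogin(String login) throws CatalogException {
        CountingIterator hits = this.aasCatalog.findObjects(new MatchCriteria()
                .types(new String[]{CatalogBasedAuthenticationDAO.PART_TYPE_USER})
                .partSearchKey(new PartSearchKey(login)));
        if (!hits.hasNext()) {
            return null;
        }
        CatalogObjectMeta meta = (CatalogObjectMeta) hits.next();
        if (hits.hasNext()) {
            log.warn("Expected only one user with name: " + login);
        }
        if (meta.getId() == null || meta.getId().getId() == null) {
            return null;
        }
        String objectId = meta.getId().getId();
        CatalogObjectPart part = this.aasCatalog.getPart(
                new YaddaObjectID(objectId), CatalogBasedAuthenticationDAO.PART_TYPE_USER, (String) null);
        if (part == null) {
            return null;
        }
        return (User) this.serializer.toObject(objectId, (String) part.getData());
    }

    /** Roles/groups can only be fetched when both the catalog and the serializer are wired. */
    public boolean isSupportedFetchingUserData() {
        return this.aasCatalog != null && this.serializer != null;
    }

    public void setAssertionHolder(IAssertionHolder iAssertionHolder) {
        this.assertionHolder = iAssertionHolder;
    }

    public void setAasService(IAAService iAAService) {
        this.aasService = iAAService;
    }

    public void setSessionService(IAasSessionService iAasSessionService) {
        this.sessionService = iAasSessionService;
    }

    public void setAasCatalog(ICatalogFacade<String> iCatalogFacade) {
        this.aasCatalog = iCatalogFacade;
    }

    /** Authn type passed to {@code buildUserAuthnRequest}; defaults to {@code AUTHN_TYPE_USER}. */
    public void setAuthnType(String str) {
        this.authnType = str;
    }
}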
