package org.gcube.common.core.security.impl;

import java.util.Map;
import javax.security.auth.Subject;
import org.apache.axis.MessageContext;
import org.gcube.common.core.contexts.GCUBEServiceContext;
import org.gcube.common.core.faults.GCUBEException;
import org.gcube.common.core.faults.GCUBEUnrecoverableException;
import org.gcube.common.core.security.GCUBEServiceAuthorizationController;
import org.gcube.common.core.security.GCUBEServiceSecurityController;
import org.gcube.common.core.security.GCUBEServiceSecurityManager;
import org.gcube.common.core.utils.logging.GCUBELog;
import org.globus.wsrf.Resource;
import org.globus.wsrf.ResourceContext;
import org.globus.wsrf.ResourceContextException;
import org.globus.wsrf.ResourceException;
import org.globus.wsrf.config.ConfigException;
import org.globus.wsrf.impl.security.authentication.Constants;
import org.globus.wsrf.impl.security.authorization.Authorization;
import org.globus.wsrf.impl.security.authorization.ServiceAuthorizationChain;
import org.globus.wsrf.impl.security.authorization.exceptions.AuthorizationException;
import org.globus.wsrf.impl.security.authorization.exceptions.CloseException;
import org.globus.wsrf.impl.security.descriptor.ContainerSecurityConfig;
import org.globus.wsrf.impl.security.descriptor.SecureResourcePropertiesHelper;
import org.globus.wsrf.impl.security.descriptor.SecurityDescriptor;
import org.globus.wsrf.impl.security.descriptor.SecurityPropertiesHelper;
import org.globus.wsrf.impl.security.util.AuthUtil;
import org.globus.wsrf.impl.security.util.PDPUtils;
import org.globus.wsrf.utils.ContextUtils;

/* loaded from: input_file:org/gcube/common/core/security/impl/GCUBEAuthzChainAuthorizationController.class */
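/**
 * Authorization controller that delegates each incoming call to a Globus
 * {@link ServiceAuthorizationChain}.
 *
 * <p>The chain is built lazily on the first authorised call, from the security
 * descriptor of the target resource (falling back to the container descriptor and
 * then to a default gridmap/self PDP), and cached in {@link #authzChain} for all
 * later calls. The cache is neither synchronised nor keyed by resource or service
 * path: concurrent first calls may build it more than once, and if resources carry
 * different descriptors, later calls are checked against the chain built for the
 * first one — confirm whether callers guarantee one resource per controller.
 * Whether a chain may be reused after {@code close()} is not visible here; verify
 * against {@link ServiceAuthorizationChain}.
 *
 * <p>Several paths in {@link #performAuthorisation} return without invoking the
 * chain (no peer subject, no target service path, no chain could be built); the
 * caller then logs the call as granted. That behaviour is kept from the original
 * implementation and is worth knowing when reasoning about what this controller
 * actually enforces.
 */
public class GCUBEAuthzChainAuthorizationController implements GCUBEServiceAuthorizationController {
    /** Reports the global security on/off switch; assigned in {@link #initialise}, {@code null} before. */
    private GCUBEServiceSecurityManager securityManager;
    /** Lazily built authorization chain; {@code null} until the first authorised call builds it. */
    private ServiceAuthorizationChain authzChain = null;
    /** Logger bound to this instance. */
    protected GCUBELog logger = new GCUBELog(this);

    /**
     * Discards any cached chain and stores the security manager.
     *
     * @param gCUBEServiceContext service context; not used by this implementation
     * @param gCUBEServiceSecurityManager manager consulted by {@link #isSecurityEnabled()}
     * @throws Exception declared by the interface; this implementation does not throw
     */
    @Override // org.gcube.common.core.security.GCUBEServiceSecurityController
    public void initialise(GCUBEServiceContext gCUBEServiceContext, GCUBEServiceSecurityManager gCUBEServiceSecurityManager) throws Exception {
        this.authzChain = null;
        this.securityManager = gCUBEServiceSecurityManager;
    }

    /**
     * Authorises the current call.
     *
     * <p>Returns at once when security is disabled. Otherwise the Axis
     * {@link MessageContext} is read from {@code map} under
     * {@link GCUBEServiceSecurityController#MESSAGE_CONTEXT} and handed to the
     * authorization chain; every path that returns normally is logged as granted.
     *
     * @param map call properties; must hold the message context when security is enabled
     * @throws GCUBEException if the message context is missing, or the chain denies the
     *         call, cannot be built, or cannot be closed
     */
    @Override // org.gcube.common.core.security.GCUBEServiceAuthorizationController
    public void authoriseCall(Map<String, Object> map) throws GCUBEException {
        this.logger.debug("starting authorization process...");
        if (!isSecurityEnabled()) {
            this.logger.debug("Security not enabled");
            return;
        }
        MessageContext messageContext = (MessageContext) map.get(GCUBEServiceSecurityController.MESSAGE_CONTEXT);
        if (messageContext == null) {
            throw new GCUBEUnrecoverableException("Message context not found");
        }
        this.logger.debug("authorizing...");
        performAuthorisation(messageContext);
        this.logger.debug("authorization process completed: authorization granted");
    }

    /**
     * Delegates to the security manager supplied to {@link #initialise}.
     *
     * @return whether security is enabled for this service
     * @throws NullPointerException if {@link #initialise} has not been called yet
     */
    @Override // org.gcube.common.core.security.GCUBEServiceSecurityController
    public boolean isSecurityEnabled() {
        return this.securityManager.isSecurityEnabled();
    }

    /**
     * Runs the authorization chain for one call.
     *
     * <p>Returns without denying when the message context carries no peer
     * {@link Subject} under {@link Constants#PEER_SUBJECT}, when no target service
     * path can be derived, or when no chain can be built. When the chain is invoked
     * it is closed exactly once afterwards, on both the success and the failure path.
     *
     * @param messageContext Axis context of the current call
     * @throws GCUBEUnrecoverableException if the chain denies the call, or cannot be
     *         built or closed
     */
    private void performAuthorisation(MessageContext messageContext) throws GCUBEUnrecoverableException {
        this.logger.debug("Authorization");
        Subject subject = (Subject) messageContext.getProperty(Constants.PEER_SUBJECT);
        if (subject == null) {
            // No authenticated peer: the call proceeds unchecked (behaviour kept from the original).
            this.logger.debug("No authenticaiton done, so no authz");
            return;
        }
        String targetServicePath = ContextUtils.getTargetServicePath(messageContext);
        if (targetServicePath == null) {
            return;
        }
        this.logger.debug("Service path " + targetServicePath);
        if (this.authzChain == null) {
            // Built from this call's resource and path, then reused for every later call (see class doc).
            this.authzChain = generateServiceAuthzChain(messageContext, targetServicePath);
        }
        if (this.authzChain == null) {
            this.logger.debug("Unable to retrieve authz chain");
            return;
        }
        this.logger.debug("Invoking authorize on authz chain");
        try {
            this.authzChain.authorize(subject, messageContext, targetServicePath);
        } catch (AuthorizationException e) {
            this.logger.error("Authorization failed", e);
            throw new GCUBEUnrecoverableException(e);
        } finally {
            // One close on every exit path; the previous nesting closed the chain twice
            // when close() itself failed after a successful authorize().
            try {
                this.authzChain.close();
            } catch (CloseException e) {
                throw new GCUBEUnrecoverableException((Throwable) e);
            }
        }
    }

    /**
     * Builds the authorization chain for the given call.
     *
     * <p>Lookup order: the chain declared by the resource's own security descriptor,
     * then the chain of the container security descriptor, and finally — when a
     * descriptor exists but declares no chain — a default PDP chain chosen by
     * {@link #getDefaultAuthzChain}. A container with neither a descriptor nor a
     * descriptor file is treated as insecure and yields {@code null}.
     *
     * @param messageContext Axis context of the current call
     * @param str target service path
     * @return the chain to use, or {@code null} when no descriptor is configured
     * @throws GCUBEUnrecoverableException if reading a descriptor or building a chain fails
     */
    private ServiceAuthorizationChain generateServiceAuthzChain(MessageContext messageContext, String str) throws GCUBEUnrecoverableException {
        this.logger.debug("Generating Security Descriptor");
        ServiceAuthorizationChain serviceAuthorizationChain = null;
        Resource resource = lookupResource(messageContext);
        this.logger.debug("Resource is null: " + (resource == null));
        SecurityDescriptor securityDescriptor = null;
        if (resource != null) {
            securityDescriptor = SecureResourcePropertiesHelper.getResourceSecDescriptor(resource);
            if (securityDescriptor != null) {
                try {
                    serviceAuthorizationChain = SecureResourcePropertiesHelper.getAuthzChain(resource);
                } catch (ConfigException e) {
                    throw new GCUBEUnrecoverableException(e);
                }
            }
        }
        if (serviceAuthorizationChain == null) {
            try {
                ContainerSecurityConfig config = ContainerSecurityConfig.getConfig();
                securityDescriptor = config.getSecurityDescriptor();
                if (securityDescriptor != null) {
                    serviceAuthorizationChain = securityDescriptor.getAuthzChain();
                }
                if (serviceAuthorizationChain == null && config.getSecurityDescriptorFile() == null) {
                    // No descriptor anywhere: drop the descriptor so no default chain is built below.
                    this.logger.debug("Insecure container");
                    securityDescriptor = null;
                }
            } catch (ConfigException e) {
                throw new GCUBEUnrecoverableException(e);
            }
        }
        this.logger.debug("Sec desc after container is not null: " + (securityDescriptor != null));
        if (securityDescriptor != null && serviceAuthorizationChain == null) {
            this.logger.debug("Insecure setting, return");
            this.logger.debug("Sec desc is present, default authz chain");
            try {
                serviceAuthorizationChain = PDPUtils.getServiceAuthzChain(getDefaultAuthzChain(str, resource), str);
            } catch (ConfigException e) {
                throw new GCUBEUnrecoverableException(e);
            }
        }
        return serviceAuthorizationChain;
    }

    /**
     * Resolves the WSRF resource addressed by the call.
     *
     * @param messageContext Axis context of the current call
     * @return the resource, or {@code null} when the resource context or resource cannot be obtained
     */
    private Resource lookupResource(MessageContext messageContext) {
        try {
            return ResourceContext.getResourceContext(messageContext).getResource();
        } catch (ResourceContextException e) {
            this.logger.debug("Error getting resource/may not exist", e);
        } catch (ResourceException e) {
            this.logger.debug("Error getting resource/may not exist", e);
        }
        return null;
    }

    /**
     * Chooses the default PDP for the service.
     *
     * <p>Uses the gridmap PDP when a gridmap file is configured for the service or
     * resource, and self authorization otherwise; a configuration error while
     * checking for the gridmap counts as "not present".
     *
     * @param str target service path
     * @param resource addressed resource, may be {@code null}
     * @return the PDP name to hand to {@link PDPUtils#getServiceAuthzChain}
     */
    private String getDefaultAuthzChain(String str, Resource resource) {
        this.logger.debug("Getting the default authorization chain");
        boolean gridMapPresent;
        try {
            gridMapPresent = SecurityPropertiesHelper.gridMapPresent(str, resource);
            this.logger.debug("gridmap present" + gridMapPresent);
        } catch (ConfigException e) {
            gridMapPresent = false;
            this.logger.debug("gridmap presentfalse for configuration error");
        }
        if (gridMapPresent) {
            this.logger.debug("gridmap authorization");
            return AuthUtil.getPDPName("gridmap");
        }
        this.logger.debug("Self authorization");
        return AuthUtil.getPDPName(Authorization.AUTHZ_SELF);
    }
}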
