package org.fcrepo.server.security.xacml.pep.rest;

import com.sun.xacml.ctx.RequestCtx;
import com.sun.xacml.ctx.ResponseCtx;
import com.sun.xacml.ctx.Result;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletOutputStream;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.xml.parsers.DocumentBuilderFactory;
import org.apache.axis.deployment.wsdd.WSDDConstants;
import org.fcrepo.common.Constants;
import org.fcrepo.server.security.xacml.pep.AuthzDeniedException;
import org.fcrepo.server.security.xacml.pep.ContextHandler;
import org.fcrepo.server.security.xacml.pep.ContextHandlerImpl;
import org.fcrepo.server.security.xacml.pep.PEPException;
import org.fcrepo.server.security.xacml.pep.rest.filters.DataResponseWrapper;
import org.fcrepo.server.security.xacml.pep.rest.filters.ParameterRequestWrapper;
import org.fcrepo.server.security.xacml.pep.rest.filters.RESTFilter;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;

/* loaded from: input_file:WEB-INF/lib/fcrepo-security-pep-3.5.jar:org/fcrepo/server/security/xacml/pep/rest/PEP.class */
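/**
 * Servlet filter that enforces XACML decisions on REST requests.
 *
 * <p>For each request it selects a {@link RESTFilter} by servlet path, asks that filter to build
 * a XACML request context before and after the rest of the chain runs, evaluates each context
 * through the {@link ContextHandler}, and only releases the buffered response body when every
 * result is Permit. Any other decision is answered with 401 (no authenticated user) or 403.
 *
 * <p>The operation-to-filter mapping is read once, at initialisation, from
 * {@code server/config/config-melcoe-pep.xml} under {@code Constants.FEDORA_HOME}.
 */
public final class PEP implements Filter {
    private static final Logger logger = LoggerFactory.getLogger(PEP.class);

    /** PEP configuration file, relative to {@code Constants.FEDORA_HOME}. */
    private static final String CONFIG_PATH = "server/config/config-melcoe-pep.xml";

    // Servlet path -> filter that builds the XACML contexts for that path. Null until init().
    private Map<String, RESTFilter> filters = null;
    // Evaluates XACML request contexts. Null until init().
    private ContextHandler ctxHandler = null;

    /**
     * Authorizes the request, runs the rest of the chain against buffering wrappers, authorizes
     * the response, and only then writes the buffered body to the client.
     *
     * @param servletRequest incoming request; must be an {@link HttpServletRequest}
     * @param servletResponse outgoing response; must be an {@link HttpServletResponse}
     * @param filterChain remainder of the filter chain
     * @throws IOException if writing the 403 body fails
     * @throws ServletException if the request/response are not HTTP, no filter is registered for
     *     the servlet path, or evaluation fails for any reason other than an authorization denial
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        if (servletResponse.isCommitted()) {
            // Nothing can be enforced on a committed response; return without invoking the chain.
            logger.debug("Response has already been committed. Bypassing PEP.");
            return;
        }
        if (!(servletRequest instanceof HttpServletRequest) || !(servletResponse instanceof HttpServletResponse)) {
            logger.error("Servlets are not HttpServlets!");
            throw new ServletException("Servlets are not HttpServlets!");
        }
        HttpServletRequest httpRequest = (HttpServletRequest) servletRequest;
        HttpServletResponse httpResponse = (HttpServletResponse) servletResponse;

        // Declared out here so the denial handler below can see them.
        ParameterRequestWrapper wrappedRequest = null;
        DataResponseWrapper wrappedResponse = null;

        String requestURI = httpRequest.getRequestURI();
        String servletPath = httpRequest.getServletPath();
        if (logger.isDebugEnabled()) {
            logger.debug("Incoming URI: " + requestURI);
            logger.debug("Incoming servletPath: " + servletPath);
        }
        // nextPID requests are authorized by whatever filter is registered for /objects.
        if (requestURI.endsWith("/nextPID") || requestURI.endsWith("/nextPID.xml")) {
            servletPath = "/objects";
        }
        RESTFilter filter = getFilter(servletPath);
        try {
            if (filter == null) {
                // Fail closed: a path without a registered filter is never passed down the chain.
                logger.error("No FeSL REST filter found for " + servletPath);
                throw new PEPException("No FeSL REST filter found for " + servletPath);
            }
            ServletOutputStream outputStream = servletResponse.getOutputStream();
            try {
                wrappedRequest = new ParameterRequestWrapper(httpRequest);
                wrappedResponse = new DataResponseWrapper(httpResponse);
                if (logger.isDebugEnabled()) {
                    logger.debug("Filtering URI: [" + wrappedRequest.getRequestURI() + "] with: [" + filter.getClass().getName() + "]");
                }
                // Request-side decision. A null context means the filter has nothing to evaluate.
                RequestCtx requestCtx = filter.handleRequest(wrappedRequest, wrappedResponse);
                if (requestCtx != null) {
                    enforce(this.ctxHandler.evaluate(requestCtx));
                }
                filterChain.doFilter(wrappedRequest, wrappedResponse);
                // Response-side decision, taken before any buffered data reaches the client.
                RequestCtx responseCtx = filter.handleResponse(wrappedRequest, wrappedResponse);
                if (responseCtx != null) {
                    enforce(this.ctxHandler.evaluate(responseCtx));
                }
                outputStream.write(wrappedResponse.getData());
                outputStream.flush();
                outputStream.close();
            } catch (AuthzDeniedException e) {
                // Must reach the 401/403 handler below unchanged; wrapping it would turn every
                // denial into a generic ServletException.
                throw e;
            } catch (PEPException e) {
                throw e;
            } catch (Exception e) {
                throw new PEPException(e);
            }
        } catch (AuthzDeniedException e) {
            boolean committed = wrappedResponse != null ? wrappedResponse.isCommitted() : httpResponse.isCommitted();
            String remoteUser = wrappedRequest != null ? wrappedRequest.getRemoteUser() : httpRequest.getRemoteUser();
            boolean anonymous = remoteUser == null || "".equals(remoteUser.trim());
            if (!committed && anonymous) {
                // No authenticated user yet: challenge for credentials instead of refusing.
                loginForm(httpResponse);
            } else {
                denyAccess(httpResponse, e.getMessage());
            }
        } catch (PEPException e) {
            throw new ServletException("Error evaluating request", e);
        }
    }

    /**
     * Obtains the context handler and loads the filter mapping.
     *
     * @throws ServletException if the context handler cannot be obtained or the configuration
     *     cannot be loaded
     */
    public void init() throws ServletException {
        try {
            this.ctxHandler = ContextHandlerImpl.getInstance();
            logger.info("Initialising Servlet Filter: " + PEP.class);
            loadFilters();
        } catch (PEPException e) {
            logger.error("Error obtaining ContextHandler", e);
            throw new ServletException("Error obtaining ContextHandler", e);
        }
    }

    /**
     * Container entry point; the filter configuration is not used.
     *
     * @param filterConfig ignored
     * @throws ServletException if initialisation fails
     */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        init();
    }

    /** Drops the filter mapping and the context handler. */
    @Override
    public void destroy() {
        logger.info("Destroying Servlet Filter: " + PEP.class);
        this.filters = null;
        this.ctxHandler = null;
    }

    /**
     * Reads the {@code handlers-rest} section of the PEP configuration and instantiates one
     * {@link RESTFilter} per handler element, keyed by its {@code operation} attribute.
     *
     * <p>The mapping is published only after the whole file has been processed, so a failure
     * does not leave a partially populated map behind.
     *
     * @throws ServletException if the file cannot be read or parsed, a handler element is
     *     malformed, or a configured class cannot be instantiated
     */
    private void loadFilters() throws ServletException {
        Map<String, RESTFilter> loaded = new HashMap<String, RESTFilter>();
        try {
            // NOTE(review): this file is treated as trusted. Its class attributes are passed to
            // Class.forName(), and the XML parser runs with default settings (DTDs and external
            // entities are not disabled), so write access to it should be limited to the
            // repository administrator.
            FileInputStream configStream = new FileInputStream(new File(Constants.FEDORA_HOME, CONFIG_PATH));
            NodeList handlers;
            try {
                Node restSection = DocumentBuilderFactory.newInstance().newDocumentBuilder().parse(configStream).getElementsByTagName("handlers-rest").item(0);
                if (restSection == null) {
                    throw new PEPException("No handlers-rest element in config file: config-melcoe-pep.xml");
                }
                handlers = restSection.getChildNodes();
            } finally {
                // The stream used to be left open.
                configStream.close();
            }
            for (int i = 0; i < handlers.getLength(); i++) {
                Node handler = handlers.item(i);
                if (handler.getNodeType() != Node.ELEMENT_NODE || !WSDDConstants.ELEM_WSDD_HANDLER.equals(handler.getNodeName())) {
                    continue;
                }
                // A missing attribute used to surface as a NullPointerException before these
                // checks could run.
                String operation = attributeValue(handler, "operation");
                String className = attributeValue(handler, "class");
                if (operation == null || "".equals(operation)) {
                    throw new PEPException("Cannot have a missing or empty operation attribute");
                }
                if (className == null || "".equals(className)) {
                    throw new PEPException("Cannot have a missing or empty class attribute");
                }
                try {
                    loaded.put(operation, (RESTFilter) Class.forName(className).newInstance());
                    if (logger.isDebugEnabled()) {
                        logger.debug("filter added to filter map: " + operation + "/" + className);
                    }
                } catch (ClassNotFoundException e) {
                    // Still non-fatal, but logged at warn: requests for this operation will be
                    // rejected at runtime because no filter is registered for it.
                    logger.warn("filterClass not found for: " + className);
                } catch (IllegalAccessException e) {
                    logger.error("Could not instantiate filter: " + className);
                    throw new ServletException(e.getMessage(), e);
                } catch (InstantiationException e) {
                    logger.error("Could not instantiate filter: " + className);
                    throw new ServletException(e.getMessage(), e);
                }
            }
        } catch (ServletException e) {
            // Already logged where it was raised; do not wrap it a second time.
            throw e;
        } catch (Exception e) {
            logger.error("Failed to initialse the PEP for REST", e);
            throw new ServletException(e.getMessage(), e);
        }
        this.filters = loaded;
    }

    /** Returns the value of the named attribute, or null when the element does not carry it. */
    private static String attributeValue(Node element, String name) {
        if (element.getAttributes() == null) {
            return null;
        }
        Node attribute = element.getAttributes().getNamedItem(name);
        return attribute == null ? null : attribute.getNodeValue();
    }

    /**
     * Looks up the filter registered for a servlet path.
     *
     * @param str servlet path used as the lookup key
     * @return the registered filter, or null when there is none or the mapping is not loaded
     */
    private RESTFilter getFilter(String str) throws ServletException {
        Map<String, RESTFilter> current = this.filters;
        RESTFilter found = current == null ? null : current.get(str);
        if (found != null && logger.isDebugEnabled()) {
            logger.debug("obtaining filter: " + found.getClass().getName());
        }
        return found;
    }

    /**
     * Turns a XACML response into an allow/deny outcome: every result must be Permit.
     *
     * @param responseCtx evaluated XACML response
     * @throws AuthzDeniedException on the first result that is not Permit
     */
    private void enforce(ResponseCtx responseCtx) throws AuthzDeniedException {
        // NOTE(review): a response with no results at all falls through to "permit" -- confirm
        // the context handler always returns at least one result.
        for (Result result : responseCtx.getResults()) {
            int decision = result.getDecision();
            if (decision == Result.DECISION_PERMIT) {
                continue;
            }
            logger.debug("Denying access: " + decision);
            switch (decision) {
                case Result.DECISION_DENY:
                    throw new AuthzDeniedException("Deny");
                case Result.DECISION_INDETERMINATE:
                    throw new AuthzDeniedException("Indeterminate");
                case Result.DECISION_NOT_APPLICABLE:
                    throw new AuthzDeniedException("NotApplicable");
                default:
                    // Fail closed: an unrecognised decision code used to be treated as permit.
                    logger.warn("Denying access on unrecognised decision code: " + decision);
                    throw new AuthzDeniedException("Deny");
            }
        }
        logger.debug("Permitting access!");
    }

    /**
     * Replaces the response with a plain-text 403.
     *
     * @param httpServletResponse response to overwrite; {@code reset()} throws
     *     IllegalStateException if it has already been committed
     * @param str denial reason, upper-cased into the body; may be null
     * @throws IOException if the body cannot be written
     */
    private void denyAccess(HttpServletResponse httpServletResponse, String str) throws IOException {
        // Locale.ROOT keeps the text ASCII under locales with special casing rules.
        String reason = str == null ? "" : str.toUpperCase(Locale.ROOT);
        // Encode once so Content-Length is the number of bytes actually written, not a char count.
        byte[] body = ("Fedora: 403 " + reason).getBytes("UTF-8");
        httpServletResponse.reset();
        httpServletResponse.setStatus(403);
        httpServletResponse.setContentType("text/plain");
        httpServletResponse.setCharacterEncoding("UTF-8");
        httpServletResponse.setContentLength(body.length);
        ServletOutputStream outputStream = httpServletResponse.getOutputStream();
        outputStream.write(body);
        outputStream.flush();
        outputStream.close();
    }

    /**
     * Answers with a 401 and an HTTP Basic challenge so the client can supply credentials.
     *
     * @param httpServletResponse response to turn into the challenge; must not be committed
     */
    private void loginForm(HttpServletResponse httpServletResponse) {
        httpServletResponse.reset();
        httpServletResponse.addHeader("WWW-Authenticate", "Basic realm=\"!!Fedora Repository Server\"");
        httpServletResponse.setStatus(401);
    }
}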
