package org.fcrepo.server.security;

import com.hp.hpl.jena.sparql.sse.Tags;
import com.sun.xacml.PDP;
import com.sun.xacml.PDPConfig;
import com.sun.xacml.attr.StringAttribute;
import com.sun.xacml.ctx.Attribute;
import com.sun.xacml.ctx.RequestCtx;
import com.sun.xacml.ctx.ResponseCtx;
import com.sun.xacml.ctx.Result;
import com.sun.xacml.ctx.Subject;
import com.sun.xacml.finder.AttributeFinder;
import com.sun.xacml.finder.PolicyFinder;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import org.fcrepo.common.Constants;
import org.fcrepo.server.Context;
import org.fcrepo.server.errors.authorization.AuthzDeniedException;
import org.fcrepo.server.errors.authorization.AuthzException;
import org.fcrepo.server.errors.authorization.AuthzOperationalException;
import org.fcrepo.server.errors.authorization.AuthzPermittedException;
import org.fcrepo.server.storage.DOManager;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/fcrepo-server-3.5.jar:org/fcrepo/server/security/PolicyEnforcementPoint.class */
public class PolicyEnforcementPoint {
    public static final String SUBACTION_SEPARATOR = "//";
    public static final String SUBRESOURCE_SEPARATOR = "//";
    static final String ENFORCE_MODE_ENFORCE_POLICIES = "enforce-policies";
    static final String ENFORCE_MODE_PERMIT_ALL_REQUESTS = "permit-all-requests";
    static final String ENFORCE_MODE_DENY_ALL_REQUESTS = "deny-all-requests";
    public static final String XACML_SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id";
    public static final String XACML_ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id";
    public static final String XACML_RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id";
    private final URI XACML_SUBJECT_ID_URI;
    private final URI XACML_ACTION_ID_URI;
    private final URI XACML_RESOURCE_ID_URI;
    private final URI SUBJECT_ID_URI;
    private final URI ACTION_ID_URI;
    private final URI ACTION_API_URI;
    private final URI ACTION_CONTEXT_URI;
    private final URI RESOURCE_ID_URI;
    private final URI RESOURCE_NAMESPACE_URI;
    PolicyParser policyParser;
    private static final Logger logger = LoggerFactory.getLogger(PolicyEnforcementPoint.class);
    private static PolicyEnforcementPoint singleton = null;
    private static int count = 0;
    private String enforceMode = ENFORCE_MODE_ENFORCE_POLICIES;
    private PDP pdp = null;
    private final List<com.sun.xacml.finder.AttributeFinderModule> m_attrFinderModules = new ArrayList(0);
    String combiningAlgorithm = null;
    String globalPolicyConfig = null;
    String globalBackendPolicyConfig = null;
    String globalPolicyGuiToolConfig = null;
    DOManager manager = null;
    boolean validateRepositoryPolicies = false;
    boolean validateObjectPoliciesFromDatastream = false;
    String ownerIdSeparator = ",";
    private int n = 0;
    private final Set NULL_SET = new HashSet();

    private PolicyEnforcementPoint() {
        URI uri = null;
        URI uri2 = null;
        URI uri3 = null;
        URI uri4 = null;
        URI uri5 = null;
        URI uri6 = null;
        URI uri7 = null;
        URI uri8 = null;
        URI uri9 = null;
        try {
            try {
                uri = new URI(XACML_SUBJECT_ID);
                uri2 = new URI(XACML_ACTION_ID);
                uri3 = new URI("urn:oasis:names:tc:xacml:1.0:resource:resource-id");
                uri4 = new URI(Constants.SUBJECT.LOGIN_ID.uri);
                uri5 = new URI(Constants.ACTION.ID.uri);
                uri6 = new URI(Constants.ACTION.API.uri);
                uri7 = new URI(Constants.ACTION.CONTEXT_ID.uri);
                uri8 = new URI(Constants.OBJECT.PID.uri);
                uri9 = new URI(Constants.OBJECT.NAMESPACE.uri);
                this.XACML_SUBJECT_ID_URI = uri;
                this.XACML_ACTION_ID_URI = uri2;
                this.XACML_RESOURCE_ID_URI = uri3;
                this.SUBJECT_ID_URI = uri4;
                this.ACTION_ID_URI = uri5;
                this.ACTION_API_URI = uri6;
                this.ACTION_CONTEXT_URI = uri7;
                this.RESOURCE_ID_URI = uri8;
                this.RESOURCE_NAMESPACE_URI = uri9;
            } catch (URISyntaxException e) {
                logger.error("Bad URI syntax", (Throwable) e);
                this.XACML_SUBJECT_ID_URI = uri;
                this.XACML_ACTION_ID_URI = uri2;
                this.XACML_RESOURCE_ID_URI = uri3;
                this.SUBJECT_ID_URI = uri4;
                this.ACTION_ID_URI = uri5;
                this.ACTION_API_URI = uri6;
                this.ACTION_CONTEXT_URI = uri7;
                this.RESOURCE_ID_URI = uri8;
                this.RESOURCE_NAMESPACE_URI = uri9;
            }
        } catch (Throwable th) {
            this.XACML_SUBJECT_ID_URI = uri;
            this.XACML_ACTION_ID_URI = uri2;
            this.XACML_RESOURCE_ID_URI = uri3;
            this.SUBJECT_ID_URI = uri4;
            this.ACTION_ID_URI = uri5;
            this.ACTION_API_URI = uri6;
            this.ACTION_CONTEXT_URI = uri7;
            this.RESOURCE_ID_URI = uri8;
            this.RESOURCE_NAMESPACE_URI = uri9;
            throw th;
        }
    }

    public static final PolicyEnforcementPoint getInstance() {
        if (singleton == null) {
            singleton = new PolicyEnforcementPoint();
        }
        count++;
        logger.debug("***another use (" + count + ") of XACMLPep singleton");
        return singleton;
    }

    public void setAttributeFinderModules(List<com.sun.xacml.finder.AttributeFinderModule> list) {
        this.m_attrFinderModules.clear();
        this.m_attrFinderModules.addAll(list);
    }

    public final void newPdp() throws Exception {
        AttributeFinder attributeFinder = new AttributeFinder();
        attributeFinder.setModules(this.m_attrFinderModules);
        logger.debug("before building policy finder");
        PolicyFinder policyFinder = new PolicyFinder();
        HashSet hashSet = new HashSet();
        PolicyFinderModule policyFinderModule = new PolicyFinderModule(this.combiningAlgorithm, this.globalPolicyConfig, this.globalBackendPolicyConfig, this.globalPolicyGuiToolConfig, this.manager, this.validateRepositoryPolicies, this.validateObjectPoliciesFromDatastream, this.policyParser);
        logger.debug("after constucting fedora policy finder module");
        logger.debug("before adding fedora policy finder module to policy finder hashset");
        hashSet.add(policyFinderModule);
        logger.debug("after adding fedora policy finder module to policy finder hashset");
        logger.debug("o before setting policy finder hashset into policy finder");
        policyFinder.setModules(hashSet);
        logger.debug("o after setting policy finder hashset into policy finder");
        PDP pdp = new PDP(new PDPConfig(attributeFinder, policyFinder, null));
        synchronized (this) {
            this.pdp = pdp;
        }
    }

    public void initPep(String str, String str2, String str3, String str4, String str5, DOManager dOManager, boolean z, boolean z2, PolicyParser policyParser, String str6) throws Exception {
        logger.debug("in initPep()");
        destroy();
        this.policyParser = policyParser;
        this.enforceMode = str;
        if (!ENFORCE_MODE_ENFORCE_POLICIES.equals(str) && !ENFORCE_MODE_PERMIT_ALL_REQUESTS.equals(str) && !ENFORCE_MODE_DENY_ALL_REQUESTS.equals(str)) {
            throw new AuthzOperationalException("invalid enforceMode from config");
        }
        this.combiningAlgorithm = str2;
        this.globalPolicyConfig = str3;
        this.globalBackendPolicyConfig = str4;
        this.globalPolicyGuiToolConfig = str5;
        this.manager = dOManager;
        this.validateRepositoryPolicies = z;
        this.validateObjectPoliciesFromDatastream = z2;
        this.ownerIdSeparator = str6;
        newPdp();
    }

    public void inactivate() {
        destroy();
    }

    public void destroy() {
        this.pdp = null;
    }

    private final Set wrapSubjects(String str) {
        logger.debug("wrapSubjectIdAsSubjects(): " + str);
        Attribute attribute = new Attribute(this.XACML_SUBJECT_ID_URI, null, null, new StringAttribute(""));
        logger.debug("wrapSubjectIdAsSubjects(): subjectAttribute, id=" + attribute.getId() + ", type=" + attribute.getType() + ", value=" + attribute.getValue());
        HashSet hashSet = new HashSet();
        hashSet.add(attribute);
        if (str != null && !"".equals(str)) {
            attribute = new Attribute(this.SUBJECT_ID_URI, null, null, new StringAttribute(str));
            logger.debug("wrapSubjectIdAsSubjects(): subjectAttribute, id=" + attribute.getId() + ", type=" + attribute.getType() + ", value=" + attribute.getValue());
        }
        hashSet.add(attribute);
        Subject subject = new Subject(hashSet);
        HashSet hashSet2 = new HashSet();
        hashSet2.add(subject);
        return hashSet2;
    }

    private final Set wrapActions(String str, String str2, String str3) {
        HashSet hashSet = new HashSet();
        hashSet.add(new Attribute(this.XACML_ACTION_ID_URI, null, null, new StringAttribute("")));
        hashSet.add(new Attribute(this.ACTION_ID_URI, null, null, new StringAttribute(str)));
        hashSet.add(new Attribute(this.ACTION_API_URI, null, null, new StringAttribute(str2)));
        hashSet.add(new Attribute(this.ACTION_CONTEXT_URI, null, null, new StringAttribute(str3)));
        return hashSet;
    }

    private final Set wrapResources(String str, String str2) throws AuthzOperationalException {
        HashSet hashSet = new HashSet();
        hashSet.add(new Attribute(this.XACML_RESOURCE_ID_URI, null, null, new StringAttribute("")));
        hashSet.add(new Attribute(this.RESOURCE_ID_URI, null, null, new StringAttribute(str)));
        hashSet.add(new Attribute(this.RESOURCE_NAMESPACE_URI, null, null, new StringAttribute(str2)));
        return hashSet;
    }

    private synchronized int next() {
        int i = this.n;
        this.n = i + 1;
        return i;
    }

    public final void enforce(String str, String str2, String str3, String str4, String str5, Context context) throws AuthzException {
        long currentTimeMillis = System.currentTimeMillis();
        try {
            synchronized (this) {
            }
            if (ENFORCE_MODE_PERMIT_ALL_REQUESTS.equals(this.enforceMode)) {
                logger.debug("permitting request because enforceMode==ENFORCE_MODE_PERMIT_ALL_REQUESTS");
            } else {
                if (ENFORCE_MODE_DENY_ALL_REQUESTS.equals(this.enforceMode)) {
                    logger.debug("denying request because enforceMode==ENFORCE_MODE_DENY_ALL_REQUESTS");
                    throw new AuthzDeniedException("all requests are currently denied");
                }
                if (!ENFORCE_MODE_ENFORCE_POLICIES.equals(this.enforceMode)) {
                    logger.debug("denying request because enforceMode is invalid");
                    throw new AuthzOperationalException("invalid enforceMode from config");
                }
                try {
                    try {
                        String num = new Integer(next()).toString();
                        logger.debug("context index set=" + num);
                        RequestCtx requestCtx = new RequestCtx(wrapSubjects(str), wrapResources(str4, str5), wrapActions(str2, str3, num), this.NULL_SET);
                        for (Attribute attribute : requestCtx.getAction()) {
                            logger.debug("request action has " + attribute.getId() + Tags.symEQ + attribute.getValue().toString());
                        }
                        for (com.sun.xacml.finder.AttributeFinderModule attributeFinderModule : this.m_attrFinderModules) {
                            if (attributeFinderModule instanceof ContextAttributeFinderModule) {
                                ContextAttributeFinderModule contextAttributeFinderModule = (ContextAttributeFinderModule) attributeFinderModule;
                                logger.debug("about to ref contextAttributeFinder=" + contextAttributeFinderModule);
                                contextAttributeFinderModule.registerContext(num, context);
                            }
                        }
                        long currentTimeMillis2 = System.currentTimeMillis();
                        try {
                            ResponseCtx evaluate = this.pdp.evaluate(requestCtx);
                            logger.debug("Policy evaluation took " + (System.currentTimeMillis() - currentTimeMillis2) + "ms.");
                            logger.debug("in pep, after evaluate() called");
                            for (com.sun.xacml.finder.AttributeFinderModule attributeFinderModule2 : this.m_attrFinderModules) {
                                if (attributeFinderModule2 instanceof ContextAttributeFinderModule) {
                                    ((ContextAttributeFinderModule) attributeFinderModule2).unregisterContext(num);
                                }
                            }
                            logger.debug("in pep, before denyBiasedAuthz() called");
                            if (!denyBiasedAuthz(evaluate.getResults())) {
                                throw new AuthzDeniedException("");
                            }
                        } catch (Throwable th) {
                            logger.debug("Policy evaluation took " + (System.currentTimeMillis() - currentTimeMillis2) + "ms.");
                            throw th;
                        }
                    } catch (Throwable th2) {
                        logger.error("Error evaluating policy", th2);
                        throw new AuthzOperationalException("");
                    }
                } catch (Throwable th3) {
                    for (com.sun.xacml.finder.AttributeFinderModule attributeFinderModule3 : this.m_attrFinderModules) {
                        if (attributeFinderModule3 instanceof ContextAttributeFinderModule) {
                            ((ContextAttributeFinderModule) attributeFinderModule3).unregisterContext(null);
                        }
                    }
                    throw th3;
                }
            }
            if (context.getNoOp()) {
                throw new AuthzPermittedException("noOp");
            }
            logger.debug("Policy enforcement took " + (System.currentTimeMillis() - currentTimeMillis) + "ms.");
        } catch (Throwable th4) {
            logger.debug("Policy enforcement took " + (System.currentTimeMillis() - currentTimeMillis) + "ms.");
            throw th4;
        }
    }

    private static final boolean denyBiasedAuthz(Set set) {
        int i = 0;
        int i2 = 0;
        int i3 = 0;
        int i4 = 0;
        int i5 = 0;
        Iterator it = set.iterator();
        while (it.hasNext()) {
            switch (((Result) it.next()).getDecision()) {
                case 0:
                    i++;
                    break;
                case 1:
                    i2++;
                    break;
                case 2:
                    i4++;
                    break;
                case 3:
                    i3++;
                    break;
                default:
                    i5++;
                    break;
            }
        }
        logger.debug("AUTHZ:  permits=" + i + " denies=" + i2 + " indeterminates=" + i4 + " notApplicables=" + i3 + " unexpecteds=" + i5);
        return i >= 1 && i2 == 0 && i4 == 0 && i5 == 0;
    }
}
