package org.opencadc.inventory.server;

import ca.nrc.cadc.auth.AuthMethod;
import ca.nrc.cadc.auth.AuthenticationUtil;
import ca.nrc.cadc.cred.client.CredUtil;
import ca.nrc.cadc.log.WebServiceLogInfo;
import ca.nrc.cadc.net.ResourceNotFoundException;
import ca.nrc.cadc.net.TransientException;
import ca.nrc.cadc.reg.Standards;
import ca.nrc.cadc.reg.client.LocalAuthority;
import java.net.URI;
import java.security.AccessControlException;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.security.cert.CertificateException;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import java.util.TreeSet;
import javax.security.auth.Subject;
import org.apache.log4j.Logger;
import org.opencadc.gms.GroupURI;
import org.opencadc.gms.GroupUtil;
import org.opencadc.inventory.InventoryUtil;
import org.opencadc.permissions.ReadGrant;
import org.opencadc.permissions.WriteGrant;
import org.opencadc.permissions.client.PermissionsClient;

/* loaded from: input_file:org/opencadc/inventory/server/PermissionsCheck.class */
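/**
 * Authorization check for a single artifact: consults the configured read or write
 * grant services and, for group-based grants, the caller's group memberships.
 *
 * <p>Grant lookups run under the service's own operational identity
 * ({@link CredUtil#createOpsSubject()}), not the caller's, so the grant services only
 * see the artifact URI; the caller's identity is used solely for the membership check
 * against the local GMS. A grant service that cannot be found contributes no grants,
 * and an empty grant set is a denial (fail closed).
 *
 * <p>When {@code authenticateOnly} is true every grant check is skipped and the
 * bypass is logged at WARN. Note the asymmetry: for reads this admits anonymous
 * callers as well, whereas writes reject anonymous callers before the bypass is
 * consulted. Enable it deliberately and only where that is acceptable.
 *
 * <p>A {@link TransientException} raised by a grant service is propagated to the
 * caller (retryable condition) instead of being reported as an internal bug.
 */
public class PermissionsCheck {
    private static final Logger log = Logger.getLogger(PermissionsCheck.class);

    private final URI artifactURI;
    private final boolean authenticateOnly;
    private final WebServiceLogInfo logInfo;

    /**
     * Collects the {@link ReadGrant} for the artifact from each read grant service.
     * Executed through {@link Subject#doAs} so the PermissionsClient calls carry the
     * subject it is run under (the ops subject, see {@link #fetchGrants}).
     */
    private static class GetReadGrantsAction implements PrivilegedExceptionAction<List<ReadGrant>> {
        private final URI artifactURI;
        private final List<URI> readGrantServices;

        GetReadGrantsAction(URI artifactURI, List<URI> readGrantServices) {
            this.artifactURI = artifactURI;
            this.readGrantServices = readGrantServices;
        }

        /**
         * @return the non-null grants returned by the services; a service that cannot be
         *         found is logged and skipped, so it contributes nothing (fail closed)
         * @throws Exception any other failure from a PermissionsClient, propagated unchanged
         */
        @Override
        public List<ReadGrant> run() throws Exception {
            List<ReadGrant> grants = new ArrayList<>();
            for (URI serviceID : readGrantServices) {
                try {
                    ReadGrant grant = new PermissionsClient(serviceID).getReadGrant(artifactURI);
                    if (grant != null) {
                        grants.add(grant);
                    }
                } catch (ResourceNotFoundException ex) {
                    // keep going: the remaining services may still grant access
                    log.warn("failed to find granting service: " + serviceID + " -- cause: " + ex);
                }
            }
            return grants;
        }
    }

    /**
     * Collects the {@link WriteGrant} for the artifact from each write grant service.
     * Same contract as {@link GetReadGrantsAction}.
     */
    private static class GetWriteGrantsAction implements PrivilegedExceptionAction<List<WriteGrant>> {
        private final URI artifactURI;
        private final List<URI> writeGrantServices;

        GetWriteGrantsAction(URI artifactURI, List<URI> writeGrantServices) {
            this.artifactURI = artifactURI;
            this.writeGrantServices = writeGrantServices;
        }

        /**
         * @return the non-null grants returned by the services; a service that cannot be
         *         found is logged and skipped, so it contributes nothing (fail closed)
         * @throws Exception any other failure from a PermissionsClient, propagated unchanged
         */
        @Override
        public List<WriteGrant> run() throws Exception {
            List<WriteGrant> grants = new ArrayList<>();
            for (URI serviceID : writeGrantServices) {
                try {
                    WriteGrant grant = new PermissionsClient(serviceID).getWriteGrant(artifactURI);
                    if (grant != null) {
                        grants.add(grant);
                    }
                } catch (ResourceNotFoundException ex) {
                    // keep going: the remaining services may still grant access
                    log.warn("failed to find granting service: " + serviceID + " -- cause: " + ex);
                }
            }
            return grants;
        }
    }

    /**
     * @param artifactURI the artifact being accessed (required)
     * @param authenticateOnly if true, skip all grant checks (see class documentation)
     * @param logInfo request log record; the grant that allowed access is recorded in
     *        its message (required)
     */
    public PermissionsCheck(URI artifactURI, boolean authenticateOnly, WebServiceLogInfo logInfo) {
        InventoryUtil.assertNotNull(PermissionsCheck.class, "artifactURI", artifactURI);
        InventoryUtil.assertNotNull(PermissionsCheck.class, "logInfo", logInfo);
        this.artifactURI = artifactURI;
        this.authenticateOnly = authenticateOnly;
        this.logInfo = logInfo;
    }

    /**
     * Check that the current caller may read the artifact.
     *
     * <p>Access is allowed if any read grant is anonymous, or if the caller holds a
     * delegated credential and is a member of at least one granted group. The first
     * anonymous grant wins before any group is examined. With {@code authenticateOnly}
     * the check is skipped entirely, including for anonymous callers.
     *
     * @param readGrantServices resource IDs of the read grant services to consult (required)
     * @throws AccessControlException if no grant applies, the caller has no usable
     *         credential, or the delegated client certificate is invalid
     * @throws TransientException if a grant service reports a transient failure
     */
    public void checkReadPermission(List<URI> readGrantServices) throws AccessControlException, TransientException {
        InventoryUtil.assertNotNull(PermissionsCheck.class, "readGrantServices", readGrantServices);
        if (this.authenticateOnly) {
            log.warn("authenticateOnly=true: allowing unrestricted access");
            return;
        }

        List<ReadGrant> grants = fetchGrants(new GetReadGrantsAction(this.artifactURI, readGrantServices));
        Set<GroupURI> grantedGroups = new TreeSet<>();
        for (ReadGrant grant : grants) {
            if (grant.isAnonymousAccess()) {
                this.logInfo.setMessage("read grant: anonymous");
                return;
            }
            grantedGroups.addAll(grant.getGroups());
        }
        if (grantedGroups.isEmpty()) {
            throw new AccessControlException("permission denied: no read grants for " + this.artifactURI);
        }
        checkGroupMembership(grantedGroups, "read grant: ");
    }

    /**
     * Check that the current caller may write the artifact.
     *
     * <p>Anonymous callers are rejected first, before the {@code authenticateOnly}
     * bypass is consulted. Otherwise the caller must hold a delegated credential and
     * be a member of at least one group named by a write grant. Write grants have no
     * anonymous form.
     *
     * @param writeGrantServices resource IDs of the write grant services to consult (required)
     * @throws AccessControlException if the caller is anonymous, no grant applies,
     *         the caller has no usable credential, or the delegated client certificate
     *         is invalid
     * @throws TransientException if a grant service reports a transient failure
     */
    public void checkWritePermission(List<URI> writeGrantServices) throws AccessControlException, TransientException {
        InventoryUtil.assertNotNull(PermissionsCheck.class, "writeGrantServices", writeGrantServices);

        // reject explicitly anonymous callers up front; a null auth method is not rejected
        // here and falls through to the credential/grant checks below
        AuthMethod authMethod = AuthenticationUtil.getAuthMethod(AuthenticationUtil.getCurrentSubject());
        if (authMethod != null && authMethod.equals(AuthMethod.ANON)) {
            throw new AccessControlException("permission denied");
        }
        if (this.authenticateOnly) {
            log.warn("authenticateOnly=true: allowing unrestricted access");
            return;
        }

        List<WriteGrant> grants = fetchGrants(new GetWriteGrantsAction(this.artifactURI, writeGrantServices));
        Set<GroupURI> grantedGroups = new TreeSet<>();
        for (WriteGrant grant : grants) {
            grantedGroups.addAll(grant.getGroups());
        }
        if (grantedGroups.isEmpty()) {
            throw new AccessControlException("permission denied: no write grants for " + this.artifactURI);
        }
        checkGroupMembership(grantedGroups, "write grant: ");
    }

    /**
     * Run a grant-collecting action as the service's operational subject.
     *
     * @param action the action to run (see the nested *GrantsAction classes)
     * @return the action's result
     * @throws TransientException if the action failed with a TransientException; this is
     *         unwrapped so callers can surface a retryable error rather than a 500/"BUG"
     * @throws RuntimeException for any other checked failure, which indicates a bug or
     *         misconfiguration (the original exception is kept as the cause)
     */
    private <T> T fetchGrants(PrivilegedExceptionAction<T> action) throws TransientException {
        try {
            return Subject.doAs(CredUtil.createOpsSubject(), action);
        } catch (PrivilegedActionException ex) {
            Throwable cause = ex.getCause();
            if (cause instanceof TransientException) {
                throw (TransientException) cause;
            }
            throw new RuntimeException("BUG: unexpected exception calling permissions service(s)", ex);
        }
    }

    /**
     * Allow access if the caller is a member of any of the granted groups; deny otherwise.
     *
     * <p>Memberships are only consulted when {@link CredUtil#checkCredentials()} reports a
     * usable delegated credential; without one the caller is denied without contacting
     * the GMS. The first matching group (in {@code GroupURI} sort order) is recorded in
     * the request log with the given prefix.
     *
     * @param grantedGroups groups named by the applicable grants (non-empty)
     * @param logPrefix prefix for the logInfo message, e.g. "read grant: "
     * @throws AccessControlException if the caller is not a member of any granted group,
     *         has no usable credential, or the delegated client certificate is invalid
     * @throws TransientException if the credential check or GMS lookup fails transiently
     */
    private void checkGroupMembership(Set<GroupURI> grantedGroups, String logPrefix)
            throws AccessControlException, TransientException {
        try {
            if (CredUtil.checkCredentials()) {
                URI gmsResourceID = new LocalAuthority().getServiceURI(Standards.GMS_SEARCH_01.toString());
                List<GroupURI> memberships = GroupUtil.getGroupClient(gmsResourceID).getMemberships();
                for (GroupURI granted : grantedGroups) {
                    for (GroupURI member : memberships) {
                        if (granted.equals(member)) {
                            this.logInfo.setMessage(logPrefix + granted);
                            return;
                        }
                    }
                }
            }
            throw new AccessControlException("permission denied");
        } catch (CertificateException ex) {
            throw new AccessControlException("permission denied (invalid delegated client certificate)");
        }
    }
}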
