package org.opencastproject.authorization.xacml;

import java.io.IOException;
import java.io.InputStream;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.Dictionary;
import java.util.Locale;
import java.util.Map;
import java.util.Optional;
import javax.xml.bind.JAXBException;
import org.apache.commons.io.IOUtils;
import org.apache.commons.lang3.StringUtils;
import org.opencastproject.mediapackage.Attachment;
import org.opencastproject.mediapackage.MediaPackage;
import org.opencastproject.mediapackage.MediaPackageElementBuilderFactory;
import org.opencastproject.mediapackage.MediaPackageElementFlavor;
import org.opencastproject.mediapackage.MediaPackageElements;
import org.opencastproject.mediapackage.MediaPackageException;
import org.opencastproject.mediapackage.MediaPackageSerializer;
import org.opencastproject.security.api.AccessControlEntry;
import org.opencastproject.security.api.AccessControlList;
import org.opencastproject.security.api.AclScope;
import org.opencastproject.security.api.AuthorizationService;
import org.opencastproject.security.api.Role;
import org.opencastproject.security.api.SecurityService;
import org.opencastproject.security.api.User;
import org.opencastproject.series.api.SeriesService;
import org.opencastproject.util.Checksum;
import org.opencastproject.util.MimeTypes;
import org.opencastproject.util.NotFoundException;
import org.opencastproject.util.data.Tuple;
import org.opencastproject.workspace.api.Workspace;
import org.osgi.service.cm.ManagedService;
import org.osgi.service.component.ComponentContext;
import org.osgi.service.component.annotations.Activate;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Modified;
import org.osgi.service.component.annotations.Reference;
import org.osgi.service.component.annotations.ReferenceCardinality;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

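/**
 * Authorization service that stores access control lists as XACML attachments of a media package
 * and evaluates them for the current user.
 *
 * <p>Two attachment flavors are used: an episode policy and a series policy. How the two are
 * combined when both are present is controlled by the {@code merge.mode} configuration key
 * (see {@link MergeMode}).
 *
 * <p>Security-relevant behaviour, as implemented below:
 * <ul>
 *   <li>{@link #hasPermission} is deny-by-default: access is granted only if at least one entry
 *       allows the action for one of the user's roles and no matching entry denies it.</li>
 *   <li>A policy that cannot be read or parsed is treated exactly like a missing policy, so the
 *       effective ACL falls back to the other scope or to an empty global ACL (see
 *       {@link #getAcl}).</li>
 * </ul>
 */
@Component(property = {"service.description=Provides translation between access control entries and xacml documents"}, service = {AuthorizationService.class, ManagedService.class})
public class XACMLAuthorizationService implements AuthorizationService, ManagedService {
    /** File name under which the XACML document is stored in the workspace. */
    private static final String XACML_FILENAME = "xacml.xml";

    /** Configuration key selecting the {@link MergeMode}. */
    private static final String CONFIG_MERGE_MODE = "merge.mode";

    private static final Logger logger = LoggerFactory.getLogger(XACMLAuthorizationService.class);

    /*
     * Written in the synchronized updated() and read without a lock in getAcl(); volatile makes a
     * configuration change visible to the threads that evaluate ACLs.
     */
    private static volatile MergeMode mergeMode = MergeMode.OVERRIDE;

    protected Workspace workspace;
    protected SecurityService securityService;
    /* Injected via setSeriesService(); not read anywhere in this class. */
    protected SeriesService seriesService;
    /* Optional; when absent, attachment URIs are used as stored. */
    private MediaPackageSerializer serializer;

    /** Strategy for combining an episode ACL with a series ACL when both exist. */
    public enum MergeMode {
        /** The episode ACL replaces the series ACL. */
        OVERRIDE,
        /** The series ACL is combined with the episode ACL via {@code AccessControlList.merge}. */
        ROLES,
        /** The series ACL is combined with the episode ACL via {@code AccessControlList.mergeActions}. */
        ACTIONS
    }

    /**
     * Applies the component's initial configuration.
     *
     * @param componentContext OSGi component context whose properties are passed to {@link #updated}
     */
    @Activate
    public void activate(ComponentContext componentContext) {
        updated(componentContext.getProperties());
    }

    /**
     * Intentionally empty: this callback does not change any state; the merge mode is only set
     * in {@link #updated}.
     *
     * @param map ignored
     */
    @Modified
    public void modified(Map<String, Object> map) {
    }

    /**
     * Sets the optional serializer used to decode attachment URIs before they are read.
     *
     * @param mediaPackageSerializer serializer to use for URI decoding
     */
    @Reference(cardinality = ReferenceCardinality.OPTIONAL)
    public void setMediaPackageSerializer(MediaPackageSerializer mediaPackageSerializer) {
        this.serializer = mediaPackageSerializer;
    }

    /**
     * Reads the ACL merge mode from the configuration.
     *
     * <p>A {@code null} dictionary, a blank value, or a value that does not name a
     * {@link MergeMode} all result in {@link MergeMode#OVERRIDE}.
     *
     * @param dictionary configuration properties, may be {@code null}
     */
    public synchronized void updated(Dictionary<String, ?> dictionary) {
        MergeMode configured = MergeMode.OVERRIDE;
        if (dictionary != null) {
            // Tolerate non-String values instead of failing with a ClassCastException.
            Object raw = dictionary.get(CONFIG_MERGE_MODE);
            String value = StringUtils.defaultIfBlank(raw == null ? null : raw.toString(), MergeMode.OVERRIDE.toString());
            try {
                // Locale.ROOT: with a default locale such as Turkish, "actions".toUpperCase()
                // does not yield "ACTIONS" and a valid setting would silently fall back to OVERRIDE.
                configured = MergeMode.valueOf(value.toUpperCase(Locale.ROOT));
            } catch (IllegalArgumentException e) {
                logger.warn("Invalid value set for ACL merge mode, defaulting to {}", MergeMode.OVERRIDE);
            }
        }
        mergeMode = configured;
        logger.debug("Merge mode set to {}", configured);
    }

    /**
     * Returns the ACL that currently applies to the media package.
     *
     * @param mediaPackage the media package
     * @return the result of {@link #getAcl} for scope {@code AclScope.Episode}
     */
    public Tuple<AccessControlList, AclScope> getActiveAcl(MediaPackage mediaPackage) {
        logger.debug("getActiveACl for media package {}", mediaPackage.getIdentifier());
        return getAcl(mediaPackage, AclScope.Episode);
    }

    /**
     * Resolves the ACL of a media package for the requested scope.
     *
     * <p>The episode policy is consulted for scopes {@code Episode} and {@code Merged}; the series
     * policy for {@code Episode}, {@code Series} and {@code Merged}. If both are found they are
     * combined according to the configured {@link MergeMode}. If only one is found it is returned
     * with its own scope. If none is found an empty ACL with scope {@code Global} is returned.
     *
     * <p>Because {@link #loadAcl} returns an empty result for unreadable or unparsable policies,
     * a corrupt episode policy is indistinguishable from a missing one here: the series policy
     * (if any) then becomes the effective ACL. Watch the WARN log of {@code loadAcl} if episode
     * restrictions must never be silently replaced.
     *
     * @param mediaPackage the media package whose attachments hold the policies
     * @param aclScope the requested scope
     * @return the resolved ACL and the scope it was taken from
     */
    public Tuple<AccessControlList, AclScope> getAcl(MediaPackage mediaPackage, AclScope aclScope) {
        Optional<AccessControlList> episodeAcl = Optional.empty();
        Optional<AccessControlList> seriesAcl = Optional.empty();
        if (AclScope.Episode.equals(aclScope) || AclScope.Merged.equals(aclScope)) {
            episodeAcl = loadAclFromAttachments(mediaPackage, MediaPackageElements.XACML_POLICY_EPISODE);
        }
        if (Arrays.asList(AclScope.Episode, AclScope.Series, AclScope.Merged).contains(aclScope)) {
            seriesAcl = loadAclFromAttachments(mediaPackage, MediaPackageElements.XACML_POLICY_SERIES);
        }

        if (episodeAcl.isPresent() && seriesAcl.isPresent()) {
            logger.debug("Found event and series ACL for media package {}", mediaPackage.getIdentifier());
            // Read the mode once so a concurrent reconfiguration cannot change it mid-decision.
            MergeMode mode = mergeMode;
            switch (mode) {
                case ACTIONS:
                    logger.debug("Merging ACLs based on individual actions");
                    return Tuple.tuple(seriesAcl.get().mergeActions(episodeAcl.get()), AclScope.Merged);
                case ROLES:
                    logger.debug("Merging ACLs based on roles");
                    return Tuple.tuple(seriesAcl.get().merge(episodeAcl.get()), AclScope.Merged);
                default:
                    logger.debug("Episode ACL overrides series ACL");
                    return Tuple.tuple(episodeAcl.get(), AclScope.Merged);
            }
        }
        if (episodeAcl.isPresent()) {
            logger.debug("Found event ACL for media package {}", mediaPackage.getIdentifier());
            return Tuple.tuple(episodeAcl.get(), AclScope.Episode);
        }
        if (seriesAcl.isPresent()) {
            logger.debug("Found series ACL for media package {}", mediaPackage.getIdentifier());
            return Tuple.tuple(seriesAcl.get(), AclScope.Series);
        }
        logger.debug("Falling back to global default ACL");
        return Tuple.tuple(new AccessControlList(), AclScope.Global);
    }

    /**
     * Loads the ACL from the attachments of the given flavor.
     *
     * <p>Every matching attachment is read in order and the result of the last one wins, even if
     * that last attachment could not be loaded.
     */
    private Optional<AccessControlList> loadAclFromAttachments(MediaPackage mediaPackage, MediaPackageElementFlavor flavor) {
        Optional<AccessControlList> acl = Optional.empty();
        for (Attachment attachment : mediaPackage.getAttachments(flavor)) {
            URI uri = attachment.getURI();
            try {
                if (this.serializer != null) {
                    uri = this.serializer.decodeURI(uri);
                }
            } catch (URISyntaxException e) {
                // Best effort: continue with the undecoded URI.
                logger.warn("URI {} syntax error, skip decoding", uri);
            }
            acl = loadAcl(uri);
        }
        return acl;
    }

    /**
     * Serializes the ACL to XACML, stores it in the workspace and attaches it to the media package.
     *
     * <p>Existing policy attachments of the same scope are removed from the media package and the
     * workspace <em>before</em> the new document is stored. If storing fails, the method throws
     * and the media package is left without a policy of that scope, which changes the effective
     * ACL returned by {@link #getAcl}.
     *
     * @param mediaPackage the media package to modify
     * @param aclScope {@code Episode} or {@code Series}
     * @param accessControlList the ACL to store
     * @return the modified media package and the policy attachment
     * @throws MediaPackageException if the XACML document cannot be generated or stored
     * @throws IllegalArgumentException if the scope has no matching flavor or element id
     */
    public Tuple<MediaPackage, Attachment> setAcl(MediaPackage mediaPackage, AclScope aclScope, AccessControlList accessControlList) throws MediaPackageException {
        String xacml;
        try {
            xacml = XACMLUtils.getXacml(mediaPackage, accessControlList);
        } catch (JAXBException e) {
            // Keep the cause so the serialization failure can be diagnosed.
            throw new MediaPackageException("Unable to generate xacml for media package " + mediaPackage.getIdentifier(), e);
        }

        Attachment attachment = removeFromMediaPackageAndWorkspace(mediaPackage, toFlavor(aclScope)).getB();
        String elementId = toElementId(aclScope);

        URI storedUri;
        try (InputStream xacmlStream = IOUtils.toInputStream(xacml, "UTF-8")) {
            storedUri = this.workspace.put(mediaPackage.getIdentifier().toString(), elementId, XACML_FILENAME, xacmlStream);
        } catch (IOException e) {
            throw new MediaPackageException("Error storing xacml for media package " + mediaPackage.getIdentifier(), e);
        }

        if (attachment == null) {
            attachment = (Attachment) MediaPackageElementBuilderFactory.newInstance().newElementBuilder().elementFromURI(storedUri, Attachment.TYPE, toFlavor(aclScope));
        }
        attachment.setURI(storedUri);
        attachment.setIdentifier(elementId);
        attachment.setMimeType(MimeTypes.XML);
        // The content was replaced, so a checksum carried over from the old attachment is cleared.
        attachment.setChecksum((Checksum) null);
        mediaPackage.add(attachment);
        logger.debug("Saved XACML as {}", storedUri);
        return Tuple.tuple(mediaPackage, attachment);
    }

    /**
     * Removes the policy attachments of the given scope from the media package and the workspace.
     *
     * @param mediaPackage the media package to modify
     * @param aclScope {@code Episode} or {@code Series}
     * @return the modified media package
     * @throws IllegalArgumentException if the scope has no matching flavor
     */
    public MediaPackage removeAcl(MediaPackage mediaPackage, AclScope aclScope) {
        return removeFromMediaPackageAndWorkspace(mediaPackage, toFlavor(aclScope)).getA();
    }

    /** Maps an ACL scope to the flavor of its policy attachment; only Episode and Series are supported. */
    private static MediaPackageElementFlavor toFlavor(AclScope aclScope) {
        switch (aclScope) {
            case Episode:
                return MediaPackageElements.XACML_POLICY_EPISODE;
            case Series:
                return MediaPackageElements.XACML_POLICY_SERIES;
            default:
                throw new IllegalArgumentException("No flavors match the given ACL scope");
        }
    }

    /** Maps an ACL scope to the element id of its policy attachment; only Episode and Series are supported. */
    private static String toElementId(AclScope aclScope) {
        switch (aclScope) {
            case Episode:
                return "security-policy-episode";
            case Series:
                return "security-policy-series";
            default:
                throw new IllegalArgumentException("No element id matches the given ACL scope");
        }
    }

    /**
     * Removes every attachment of the given flavor from the media package and deletes its file
     * from the workspace.
     *
     * @return the media package and a clone of the last removed attachment, or {@code null} as
     *         second element if there was none
     */
    private Tuple<MediaPackage, Attachment> removeFromMediaPackageAndWorkspace(MediaPackage mediaPackage, MediaPackageElementFlavor mediaPackageElementFlavor) {
        Attachment lastRemoved = null;
        for (Attachment existing : mediaPackage.getAttachments(mediaPackageElementFlavor)) {
            lastRemoved = (Attachment) existing.clone();
            try {
                this.workspace.delete(existing.getURI());
            } catch (Exception e) {
                // Deliberately best effort: a leftover file must not block the ACL change.
                logger.warn("Unable to delete XACML file:", e);
            }
            mediaPackage.remove(existing);
        }
        return Tuple.tuple(mediaPackage, lastRemoved);
    }

    /**
     * Reads and parses an XACML document from the workspace.
     *
     * <p>Never throws: a missing document is logged at DEBUG, any other failure at WARN, and both
     * yield an empty result.
     *
     * @param uri location of the XACML document
     * @return the parsed ACL, or empty if it is missing, unreadable, unparsable or parsed to {@code null}
     */
    private Optional<AccessControlList> loadAcl(URI uri) {
        logger.debug("Load Acl from {}", uri);
        // NOTE(review): hardening of the XML parser (DTDs, external entities) happens, if at all,
        // inside XACMLUtils.parseXacml and is not visible from this class - confirm.
        try (InputStream xacmlStream = this.workspace.read(uri)) {
            AccessControlList acl = XACMLUtils.parseXacml(xacmlStream);
            if (acl != null) {
                return Optional.of(acl);
            }
        } catch (NotFoundException e) {
            // Must precede the generic handler, otherwise this branch is unreachable.
            logger.debug("URI {} not found", uri);
        } catch (Exception e) {
            logger.warn("Unable to load or parse Acl from URI {}", uri, e);
        }
        return Optional.empty();
    }

    /**
     * Checks whether the current user may perform an action on the media package.
     *
     * <p>Only entries whose action equals {@code str} and whose role equals one of the user's role
     * names are considered. The first such entry that is not an allow entry denies access
     * immediately; otherwise access is granted if at least one such entry exists.
     *
     * @param mediaPackage the media package
     * @param str the action to check
     * @return {@code true} if access is allowed, {@code false} otherwise
     */
    public boolean hasPermission(MediaPackage mediaPackage, String str) {
        AccessControlList acl = getActiveAcl(mediaPackage).getA();
        User user = this.securityService.getUser();
        boolean allowed = false;
        for (AccessControlEntry entry : acl.getEntries()) {
            if (!entry.getAction().equals(str)) {
                continue;
            }
            for (Role role : user.getRoles()) {
                if (!entry.getRole().equals(role.getName())) {
                    continue;
                }
                if (!entry.isAllow()) {
                    logger.debug("Access explicitly denied for role({}), action({})", role.getName(), str);
                    return false;
                }
                allowed = true;
            }
        }
        // Log the actual decision; an unconditional "allowed" message would mislead an audit.
        if (allowed) {
            logger.debug("XACML file allowed access");
        } else {
            logger.debug("No matching allow entry for action({}), access denied", str);
        }
        return allowed;
    }

    /** Sets the workspace used to read, store and delete XACML documents. */
    @Reference(name = "workspace")
    public void setWorkspace(Workspace workspace) {
        this.workspace = workspace;
    }

    /** Sets the security service used to look up the current user. */
    @Reference(name = "security")
    public void setSecurityService(SecurityService securityService) {
        this.securityService = securityService;
    }

    /** Sets the series service. */
    @Reference(name = "series")
    protected void setSeriesService(SeriesService seriesService) {
        this.seriesService = seriesService;
    }
}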
