package eu.unicore.security.wsutil;

import eu.emi.security.authn.x509.X509CertChainValidator;
import eu.emi.security.authn.x509.impl.X500NameUtils;
import eu.emi.security.authn.x509.proxy.ProxyUtils;
import eu.unicore.security.SecurityTokens;
import eu.unicore.security.SelfCallChecker;
import eu.unicore.security.TrustDelegationException;
import eu.unicore.security.UnicoreSecurityFactory;
import eu.unicore.security.ValidationResult;
import eu.unicore.security.etd.ETDApi;
import eu.unicore.security.etd.TrustDelegation;
import eu.unicore.util.Log;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import org.apache.cxf.binding.soap.SoapMessage;
import org.apache.cxf.binding.soap.interceptor.AbstractSoapInterceptor;
import org.apache.cxf.interceptor.Fault;
import org.apache.log4j.Logger;
import org.w3c.dom.Node;
import xmlbeans.org.oasis.saml2.assertion.AssertionDocument;

/* loaded from: input_file:eu/unicore/security/wsutil/ETDInHandler.class */
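/**
 * CXF SOAP "pre-invoke" interceptor that processes Explicit Trust Delegation (ETD)
 * SAML assertions carried in the request header.
 * <p>
 * It runs after {@link AuthInHandler} (which must already have stored a
 * {@link SecurityTokens} object under {@code SecurityTokens.KEY}) and decides
 * whether the authenticated <em>consignor</em> may act on behalf of the requested
 * <em>user</em>. The outcome is written back into the tokens as two flags:
 * {@code trustDelegationValidated} (the TD chain itself is valid for the requested
 * user) and {@code consignorTrusted} (the consignor is the user, the server itself,
 * or appears as a receiver in the validated chain). Both flags start out
 * {@code false} for every request and are only raised on a positive check.
 * <p>
 * Security notes:
 * <ul>
 *   <li>All names logged at WARN/DEBUG level (issuer, custodian, subject) originate
 *       from the unauthenticated request; do not rely on them for anything but
 *       diagnostics.</li>
 *   <li>Any exception during processing is turned into a {@link Fault}, i.e. the
 *       request is rejected (fail closed).</li>
 * </ul>
 */
public class ETDInHandler extends AbstractSoapInterceptor {
    public static final String SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion";
    private static final Logger logger = Log.getLogger("unicore.security", ETDInHandler.class);

    /** Recognizes requests issued by the server itself (may be {@code null}). */
    private final SelfCallChecker selfCallChecker;
    /** Validator used for the certificates that sign the TD assertions. */
    private final X509CertChainValidator validator;
    /** Optional extra set of issuers whose TDs are accepted; its trusted issuers are passed to the ETD engine. */
    private final X509CertChainValidator trustedDelegationIssuers;

    /**
     * Creates the handler and orders it after {@link AuthInHandler} within the
     * "pre-invoke" phase.
     *
     * @param selfCallChecker          checker for server self-calls; {@code null} disables that shortcut
     * @param validator                validator for the TD signing certificate chains
     * @param trustedDelegationIssuers validator whose trusted issuers are additionally accepted
     *                                 as TD issuers; may be {@code null}
     */
    public ETDInHandler(SelfCallChecker selfCallChecker, X509CertChainValidator validator,
            X509CertChainValidator trustedDelegationIssuers) {
        super("pre-invoke");
        getAfter().add(AuthInHandler.class.getName());
        this.selfCallChecker = selfCallChecker;
        this.validator = validator;
        this.trustedDelegationIssuers = trustedDelegationIssuers;
    }

    /**
     * Interceptor entry point. Skips reused security sessions and otherwise runs
     * {@link #doCheck(SecurityTokens)}, converting any failure into a {@link Fault}.
     *
     * @param message the incoming SOAP message
     * @throws Fault if ETD processing throws
     */
    public void handleMessage(SoapMessage message) {
        SecurityTokens tokens = (SecurityTokens) message.get(SecurityTokens.KEY);
        if (tokens == null) {
            // Misconfiguration: AuthInHandler did not run before us. NOTE(review): this
            // path only logs and lets the message continue without any ETD processing;
            // downstream code must treat a missing SecurityTokens as "not authenticated".
            logger.error("No security info in headers. Wrong configuration: " + AuthInHandler.class.getCanonicalName() + " handler must be configure before this ETD handler.");
            return;
        }
        // A reused session was already fully processed on its first request.
        if (Boolean.TRUE.equals(tokens.getContext().get("reused-unicore-security-session"))) {
            return;
        }
        try {
            doCheck(tokens);
        } catch (Exception e) {
            throw new Fault(e);
        }
    }

    /**
     * Extracts the TD chain from the header, resets the trust flags and dispatches
     * to the no-TD / with-TD handling.
     *
     * @param tokens tokens populated by {@link AuthInHandler}; updated in place
     * @throws Exception propagated from TD validation
     */
    protected void doCheck(SecurityTokens tokens) throws Exception {
        List<TrustDelegation> tdChain = getTrustAssertionsFromHeader(tokens.getContext());
        tokens.setTrustDelegationTokens(tdChain);
        // Fail-closed defaults; only the positive branches below raise them.
        tokens.setTrustDelegationValidated(false);
        tokens.setConsignorTrusted(false);

        String consignor = tokens.getConsignorName();
        if (consignor == null) {
            logger.debug("No CONSIGNOR information present (it means that request wasn't authenticated!). Trust Delegations won't be further processed.");
            return;
        }

        String initialIssuer = getIssuerName(tdChain);
        if (initialIssuer == null) {
            logger.debug("No ETD tokens are present.");
            handleRequestWithoutTD(tokens, consignor);
            return;
        }

        boolean issuerIsDN = isIssuerDN(tdChain);
        String custodian = getCustodianName(tdChain);
        String requestedUser = tokens.getUserName();
        if (requestedUser == null) {
            logger.debug("No user was requested so TD won't be checked. Performing the request with Consignor's identity.");
            tokens.setConsignorTrusted(true);
            return;
        }
        // A TD whose custodian is not the requested user is useless for this request;
        // leave both flags false.
        if (!X500NameUtils.equal(requestedUser, custodian)) {
            logger.warn("Trust delegation is present but its custodian differ from the requested user. Trust delegation tokens won't be verified and delegation status is set to invalid. TD Custodian: " + X500NameUtils.getReadableForm(custodian) + " Requested user: " + X500NameUtils.getReadableForm(requestedUser));
            return;
        }
        if (logger.isDebugEnabled()) {
            String issuerForLog = issuerIsDN ? X500NameUtils.getReadableForm(initialIssuer) : initialIssuer;
            logger.debug("ETD initial issuer: " + issuerForLog + "\nConsignor: " + X500NameUtils.getReadableForm(consignor) + "\nETD custodian: " + X500NameUtils.getReadableForm(custodian));
            if (X500NameUtils.equal(consignor, custodian)) {
                logger.debug("ETD custodian and consignor are equal");
            } else if (issuerIsDN && tokens.isConsignorUsingProxy() && X500NameUtils.equal(tokens.getConsignorRealName(), initialIssuer)) {
                logger.debug("ETD issuer and consignor are equal after handling a proxy");
            } else {
                logger.debug("ETD issuer and consignor are different");
            }
        }
        checkDelegation(tokens, tdChain);
    }

    /**
     * Handles a request that carries no TD: the consignor is trusted only when it
     * acts as itself (no user requested, user equals consignor, or user equals the
     * real identity behind the consignor's proxy).
     */
    private void handleRequestWithoutTD(SecurityTokens tokens, String consignor) {
        String requestedUser = tokens.getUserName();
        if (requestedUser == null || X500NameUtils.equal(requestedUser, consignor)) {
            logger.debug("Performing the request with the Consignor's identity.");
            tokens.setConsignorTrusted(true);
            return;
        }
        boolean proxyOfRequestedUser = tokens.isConsignorUsingProxy()
                && X500NameUtils.equal(requestedUser, tokens.getConsignorRealName());
        if (!proxyOfRequestedUser) {
            // Requested user differs from consignor and no TD proves delegation: flags stay false.
            logger.warn("Got request with User set to " + X500NameUtils.getReadableForm(requestedUser) + " without a TD! Consignor is " + X500NameUtils.getReadableForm(consignor));
            return;
        }
        logger.debug("Performing the request with the Consignor's identity (handling proxy which is used by consignor).");
        tokens.setConsignorTrusted(true);
        // Normalize the user to the proxy DN the consignor actually authenticated with.
        tokens.setUserName(consignor);
    }

    /**
     * Validates the supplied TD chain for the requested user and decides whether the
     * consignor is covered by it; writes both results into {@code tokens}. When both
     * hold and the chain was issued by a proxy, the user certificate is replaced by
     * the end-entity certificate behind that proxy.
     *
     * @param tokens  tokens with a non-null user name; updated in place
     * @param tdChain TD chain from the header (may be empty)
     * @throws TrustDelegationException declared for subclasses; not thrown here
     */
    protected void checkDelegation(SecurityTokens tokens, List<TrustDelegation> tdChain) throws TrustDelegationException {
        String requestedUser = tokens.getUserName();
        if (logger.isDebugEnabled()) {
            logger.debug("Checking trust delegation, expected custodian is <" + X500NameUtils.getReadableForm(requestedUser) + ">");
        }
        String consignor = tokens.getConsignorName();
        boolean tdValid = checkSuppliedTD(requestedUser, tdChain);
        boolean consignorTrusted = checkIfConsignorTrusted(tdValid, tokens.isConsignorUsingProxy(), tdChain,
                tokens.getConsignorRealName(), consignor, requestedUser);
        tokens.setTrustDelegationValidated(tdValid);
        tokens.setConsignorTrusted(consignorTrusted);
        if (tdValid && consignorTrusted) {
            X509Certificate[] issuerChain = getIssuer(tdChain);
            // getIssuer() returns null if the certificate cannot be read; after a
            // successful validation that is not expected, and an NPE here would be
            // turned into a Fault by handleMessage (request rejected).
            if (tokens.isSupportingProxy() && ProxyUtils.isProxy(issuerChain)) {
                tokens.setUser(new X509Certificate[]{ProxyUtils.getEndUserCertificate(issuerChain)});
            }
        }
        if (logger.isDebugEnabled()) {
            logger.debug("Final SecurityTokens after ETD processing:\n" + tokens.toString());
        }
    }

    /**
     * Decides whether the consignor may act for the user.
     *
     * @param tdValid            result of {@link #checkSuppliedTD}
     * @param consignorUsesProxy whether the consignor authenticated with a proxy certificate
     * @param tdChain            the TD chain
     * @param consignorRealName  identity behind the consignor's proxy (or the consignor itself)
     * @param consignorName      DN the consignor authenticated with
     * @param userName           requested user
     * @return {@code true} if the consignor is the user, a recognized self-call, or
     *         (given a valid chain) a receiver in the chain
     */
    protected boolean checkIfConsignorTrusted(boolean tdValid, boolean consignorUsesProxy, List<TrustDelegation> tdChain,
            String consignorRealName, String consignorName, String userName) {
        // Consignor acting as itself needs no delegation.
        if (X500NameUtils.equal(consignorRealName, userName)) {
            return true;
        }
        if (this.selfCallChecker != null && this.selfCallChecker.isSelfCall(consignorName)) {
            logger.debug("Accept message by server as valid trust delegation.");
            return true;
        }
        // Only a validated, non-empty chain can vouch for a third party.
        if (!tdValid || tdChain.isEmpty()) {
            return false;
        }
        ETDApi etd = UnicoreSecurityFactory.getETDEngine();
        if (etd.isSubjectInChain(tdChain, consignorRealName)) {
            return true;
        }
        return consignorUsesProxy && etd.isSubjectInChain(tdChain, consignorName);
    }

    /**
     * Validates the TD chain from {@code custodian} to the last receiver using the
     * configured validator and the trusted delegation issuers.
     *
     * @param custodian expected custodian (the requested user)
     * @param tdChain   TD chain; an empty chain is invalid
     * @return {@code true} only if the ETD engine reports the chain valid
     */
    protected boolean checkSuppliedTD(String custodian, List<TrustDelegation> tdChain) {
        if (tdChain.isEmpty()) {
            return false;
        }
        String finalReceiver = tdChain.get(tdChain.size() - 1).getSubjectName();
        if (logger.isDebugEnabled()) {
            // Names below come straight from the request and are unvalidated at this point.
            logger.debug("Got TD to <" + finalReceiver + ">, dumping the TD chain");
            int position = 0;
            for (TrustDelegation td : tdChain) {
                logger.debug("(Entry " + position + ") issuer: " + td.getIssuerName() + " receiver: " + td.getSubjectName() + " custodian: " + td.getCustodianDN());
                position++;
            }
        }
        ETDApi etd = UnicoreSecurityFactory.getETDEngine();
        HashSet<X509Certificate> extraTrustedIssuers = new HashSet<X509Certificate>();
        if (this.trustedDelegationIssuers != null) {
            Collections.addAll(extraTrustedIssuers, this.trustedDelegationIssuers.getTrustedIssuers());
        }
        ValidationResult result = etd.isTrustDelegated(tdChain, finalReceiver, custodian, this.validator, extraTrustedIssuers);
        if (logger.isDebugEnabled()) {
            logger.debug("Validation of supplied TD result: " + result.isValid());
        }
        if (result.isValid()) {
            return true;
        }
        logger.warn("Unsuccessful TD validation (" + custodian + " to " + finalReceiver + "), reason: " + result.getInvalidResaon());
        return false;
    }

    /**
     * Converts the raw SAML assertion DOM nodes stored by {@link AuthInHandler} into
     * {@link TrustDelegation} objects. Nodes that do not parse as a TD are skipped
     * (other kinds of SAML assertions may legitimately be present).
     *
     * @param context security context map; may be {@code null}
     * @return the TD chain in header order, never {@code null}
     */
    protected List<TrustDelegation> getTrustAssertionsFromHeader(Map<String, Object> context) {
        List<TrustDelegation> chain = new ArrayList<TrustDelegation>();
        List<?> rawAssertions = context == null ? null : (List<?>) context.get(AuthInHandler.RAW_SAML_ASSERTIONS_KEY);
        if (rawAssertions == null || rawAssertions.isEmpty()) {
            return chain;
        }
        for (Object raw : rawAssertions) {
            ByteArrayOutputStream serialized = new ByteArrayOutputStream();
            try {
                CXFUtils.writeXml((Node) raw, serialized);
                // Re-parse from the bytes instead of serialized.toString(): that overload
                // decodes with the platform default charset, which (before Java 18) need
                // not match the encoding writeXml produced, so non-ASCII characters in
                // the assertion could be corrupted before its signature is checked.
                // Feeding the parser the bytes lets it honor the document's own encoding.
                AssertionDocument doc = AssertionDocument.Factory.parse(new ByteArrayInputStream(serialized.toByteArray()));
                chain.add(new TrustDelegation(doc));
            } catch (Exception e) {
                logger.trace("Ignoring non-parsable as trust delegation assertion: " + e.getMessage());
            }
        }
        if (logger.isDebugEnabled()) {
            logger.debug("TD chain length " + chain.size());
        }
        return chain;
    }

    /**
     * @return issuer name of the first (initial) TD in the chain, or {@code null} if
     *         the chain is empty or the name cannot be parsed
     */
    protected String getIssuerName(List<TrustDelegation> tdChain) {
        if (tdChain == null || tdChain.isEmpty()) {
            return null;
        }
        try {
            return tdChain.get(0).getIssuerName();
        } catch (Exception e) {
            logger.warn("Can't parse ETD assertion issuer name: " + e.toString());
            return null;
        }
    }

    /**
     * @return {@code true} if the first TD's issuer name format is the SAML 1.1
     *         X509SubjectName format, i.e. the issuer name is a DN
     */
    protected boolean isIssuerDN(List<TrustDelegation> tdChain) {
        if (tdChain == null || tdChain.isEmpty()) {
            return false;
        }
        try {
            return "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName".equals(tdChain.get(0).getIssuerNameFormat());
        } catch (Exception e) {
            logger.warn("Can't parse ETD assertion issuer name format: " + e.toString());
            return false;
        }
    }

    /**
     * @return custodian DN of the first TD in the chain, or {@code null} if the chain
     *         is empty or the DN cannot be parsed
     */
    protected String getCustodianName(List<TrustDelegation> tdChain) {
        if (tdChain == null || tdChain.isEmpty()) {
            return null;
        }
        try {
            return tdChain.get(0).getCustodianDN();
        } catch (Exception e) {
            logger.warn("Can't parse ETD assertion custodian name: " + e.toString());
            return null;
        }
    }

    /**
     * @return certificate chain of the first TD's signer as found in its signature,
     *         or {@code null} if the chain is empty or the certificate cannot be read
     */
    protected X509Certificate[] getIssuer(List<TrustDelegation> tdChain) {
        if (tdChain == null || tdChain.isEmpty()) {
            return null;
        }
        try {
            return tdChain.get(0).getIssuerFromSignature();
        } catch (Exception e) {
            // Deliberately best-effort; callers treat null as "unknown issuer".
            return null;
        }
    }
}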
