package pl.edu.icm.yadda.aas.proxy;

import eu.eudml.service.relation.EudmlRelationConstans;
import java.security.SecureRandom;
import java.util.Collection;
import java.util.Iterator;
import java.util.List;
import java.util.Random;
import java.util.Set;
import net.sf.json.util.JSONUtils;
import org.apache.commons.lang.NotImplementedException;
import org.opensaml.lite.xacml.policy.ObligationType;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Required;
import pl.edu.icm.yadda.aas.client.YaddaErrorAwareResult;
import pl.edu.icm.yadda.aas.client.authz.lic.LicensingAuthorizationFacade;
import pl.edu.icm.yadda.aas.handler.HeaderFieldBasedSecurityRequestHandler;
import pl.edu.icm.yadda.aas.handler.ISecurityRequestHandler;
import pl.edu.icm.yadda.aas.proxy.criterion.CriterionCreatorResponse;
import pl.edu.icm.yadda.aas.proxy.criterion.ICriterionCreatorManager;
import pl.edu.icm.yadda.aas.proxy.evaluator.EvaluatorResult;
import pl.edu.icm.yadda.aas.proxy.evaluator.ILicenseEvaluator;
import pl.edu.icm.yadda.aas.proxy.evaluator.LicenseEvaluatorContext;
import pl.edu.icm.yadda.aas.proxy.token.CacheEntry;
import pl.edu.icm.yadda.aas.proxy.token.TokenAwareSecuredService;
import pl.edu.icm.yadda.aas.proxy.token.TokenSecurityException;
import pl.edu.icm.yadda.service2.CatalogObject;
import pl.edu.icm.yadda.service2.CatalogRecordStatisticsRequest;
import pl.edu.icm.yadda.service2.GenericRequest;
import pl.edu.icm.yadda.service2.GetFeaturesRequest;
import pl.edu.icm.yadda.service2.GetFeaturesResponse;
import pl.edu.icm.yadda.service2.GetVersionResponse;
import pl.edu.icm.yadda.service2.GroupedCount;
import pl.edu.icm.yadda.service2.VersionHelper;
import pl.edu.icm.yadda.service2.YaddaError;
import pl.edu.icm.yadda.service2.YaddaErrorCodeConstants;
import pl.edu.icm.yadda.service2.catalog.GetObjectRequest;
import pl.edu.icm.yadda.service2.catalog.GetObjectResponse;
import pl.edu.icm.yadda.service2.catalog.GetPartRequest;
import pl.edu.icm.yadda.service2.catalog.GetPartResponse;
import pl.edu.icm.yadda.service2.catalog.ICatalog;
import pl.edu.icm.yadda.service2.catalog.ListObjectsRequest;
import pl.edu.icm.yadda.service2.catalog.ListObjectsRequest2;
import pl.edu.icm.yadda.service2.catalog.ListObjectsResponse;
import pl.edu.icm.yadda.service2.catalog.ListPartsRequest;
import pl.edu.icm.yadda.service2.catalog.ListPartsResponse;
import pl.edu.icm.yadda.service2.catalog.ListTypesResponse;
import pl.edu.icm.yadda.service2.common.ObjectResponse;
import pl.edu.icm.yadda.service2.common.ParameterRequest;

/* loaded from: input_file:WEB-INF/lib/yadda-aas2-common-1.11.0-SNAPSHOT.jar:pl/edu/icm/yadda/aas/proxy/SecuredCatalog.class */
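/**
 * Licence-enforcing decorator around an {@link ICatalog}.
 *
 * <p>Every call is forwarded to the wrapped {@link #catalog}. For object and part reads the
 * caller's licence obligations are fetched through {@link #licAuthzFacade} and checked by the
 * configured {@link ILicenseEvaluator}s; for listings a security criterion derived from the
 * obligations is injected into the request as a tag constraint.
 *
 * <p>NOTE(review): {@link #listTypes()} and {@link #getRecordStats(ParameterRequest)} are plain
 * pass-throughs with no licence check; confirm that their output is not licence-sensitive.
 */
public class SecuredCatalog extends TokenAwareSecuredService<String, String[]> implements ICatalog<String> {
    private static final Logger log = LoggerFactory.getLogger(SecuredCatalog.class);
    protected ICatalog<String> catalog;
    protected LicensingAuthorizationFacade licAuthzFacade;
    private List<ILicenseEvaluator<String[]>> evaluators;
    private ICriterionCreatorManager<String[]> criterionCreatorManager;
    // Source of the random part of external resumption tokens. The declared type stays Random so
    // subclasses keep compiling; the instance is a CSPRNG so the tokens are not guessable.
    protected Random rand = new SecureRandom();
    private ISecurityRequestHandler securityRequestHandler = new HeaderFieldBasedSecurityRequestHandler();

    /** Reports the current service API version; the request itself is not inspected. */
    @Override // pl.edu.icm.yadda.service2.IYaddaService
    public GetVersionResponse getVersionResponse(GenericRequest genericRequest) {
        return new GetVersionResponse(VersionHelper.currentAPIVersion());
    }

    /**
     * Decides whether two criterion responses describe the same access scope.
     *
     * <p>Two "allow all" responses are equal, an "allow all" response never equals a restricted
     * one, and two restricted responses are compared by their security criteria.
     */
    @Override // pl.edu.icm.yadda.aas.proxy.token.TokenAwareSecuredService
    public boolean equals(CriterionCreatorResponse<String[]> criterionCreatorResponse, CriterionCreatorResponse<String[]> criterionCreatorResponse2) {
        if (criterionCreatorResponse.isAllowAll()) {
            return criterionCreatorResponse2.isAllowAll();
        }
        if (criterionCreatorResponse2.isAllowAll()) {
            return false;
        }
        return SecurityCriterionComparatorHelper.equals(criterionCreatorResponse.getSecurityCriterion(), criterionCreatorResponse2.getSecurityCriterion());
    }

    /**
     * Runs the configured evaluators in order and grants access on the first PERMIT.
     *
     * <p>The check fails closed: DENY, ERROR and any other status move on to the next evaluator,
     * and {@code false} is returned when no evaluator permits.
     *
     * @param collection licence obligations of the caller
     * @param licenseEvaluatorContext id and tags of the object being accessed
     * @return {@code true} only if at least one evaluator returned PERMIT
     */
    protected boolean evaluateAccess(Collection<ObligationType> collection, LicenseEvaluatorContext<String[]> licenseEvaluatorContext) {
        for (ILicenseEvaluator<String[]> evaluator : this.evaluators) {
            EvaluatorResult result = evaluator.evaluate(collection, licenseEvaluatorContext);
            EvaluatorResult.Status status = result.getStatus();
            if (status == EvaluatorResult.Status.PERMIT) {
                return true;
            }
            if (status == EvaluatorResult.Status.DENY) {
                log.debug("evaluation with module " + evaluator.getClass().getName() + " failed");
            } else if (status == EvaluatorResult.Status.ERROR) {
                log.warn("evaluation with module " + evaluator.getClass().getName() + " finished with error: " + result.getError().getMssg(), (Throwable) result.getError().getException());
            }
        }
        log.error("Permission not granted to retrieve resource id='" + licenseEvaluatorContext.getStoredObjectId() + JSONUtils.SINGLE_QUOTE);
        return false;
    }

    /** Returns the delegate's features with the "requires authorization" feature added. */
    @Override // pl.edu.icm.yadda.service2.IYaddaService
    public GetFeaturesResponse getFeatures(GetFeaturesRequest getFeaturesRequest) {
        GetFeaturesResponse features = this.catalog.getFeatures(getFeaturesRequest);
        features.getFeatures().add(SecurityConstants.FEATURE_REQUIRES_AUTHORIZATION);
        return features;
    }

    /**
     * Fetches an object from the delegate and releases it only if the caller's licence permits.
     *
     * <p>The object is read first because its tags are needed for the licence evaluation. A
     * delegate response that is not OK, or that carries no object, is returned unchanged without
     * any licence check.
     *
     * @return the delegate's response when access is permitted; otherwise a response carrying the
     *     security client's error or an {@code ERROR_AUTH} error
     */
    @Override // pl.edu.icm.yadda.service2.catalog.ICatalog
    public GetObjectResponse<String> getObject(GetObjectRequest getObjectRequest) {
        GetObjectResponse<String> fetched = this.catalog.getObject(getObjectRequest);
        if (!fetched.isOK() || fetched.getObject() == null) {
            return fetched;
        }
        LicenseEvaluatorContext<String[]> context = new LicenseEvaluatorContext<>(getObjectRequest.getObject().getId(), fetched.getObject().getTags());
        YaddaErrorAwareResult<Set<ObligationType>> obligations = this.licAuthzFacade.retrieveLicenseObligations(this.securityRequestHandler.extract(getObjectRequest));
        if (obligations.getError() != null) {
            log.error("got error from security client: " + obligations.getError().getCode() + EudmlRelationConstans.SEPARATOR + obligations.getError().getMssg());
            GetObjectResponse<String> failed = new GetObjectResponse<>();
            failed.setError(obligations.getError());
            return failed;
        }
        if (evaluateAccess(obligations.getData(), context)) {
            return fetched;
        }
        GetObjectResponse<String> denied = new GetObjectResponse<>();
        denied.setError(new YaddaError(YaddaErrorCodeConstants.ERROR_AUTH, "Permission not granted to retrieve resource id='" + getObjectRequest.getObject().getId() + "'!"));
        return denied;
    }

    /**
     * Returns a part of an object after authorising access to the owning object.
     *
     * <p>Authorisation is delegated to {@link #getObject(GetObjectRequest)} using the security
     * data extracted from the part request.
     *
     * <p>NOTE(review): {@code getObject} answers OK without a licence check when the delegate
     * reports success but returns no object, and the part is then fetched unchecked. Confirm the
     * delegate cannot serve a part in that state.
     */
    @Override // pl.edu.icm.yadda.service2.catalog.ICatalog
    public GetPartResponse<String> getPart(GetPartRequest getPartRequest) {
        GetObjectRequest ownerRequest = new GetObjectRequest();
        ownerRequest.setObject(getPartRequest.getObject());
        this.securityRequestHandler.attach(ownerRequest, this.securityRequestHandler.extract(getPartRequest));
        GetObjectResponse<String> ownerResponse = getObject(ownerRequest);
        if (ownerResponse.isOK()) {
            return this.catalog.getPart(getPartRequest);
        }
        GetPartResponse<String> denied = new GetPartResponse<>();
        denied.setError(ownerResponse.getError());
        return denied;
    }

    /**
     * Lists objects visible to the caller by adding the caller's security criterion to the
     * request's tag constraint.
     *
     * <p>Continuation requests are served only if the external resumption token is known and the
     * security criterion stored with it still matches the caller's current one. The token the
     * delegate returns is never exposed directly; it is swapped for an external token via
     * {@code storeEntry}.
     *
     * @throws NotImplementedException for a first-page {@link ListObjectsRequest2}, for which
     *     licence-tag injection is not implemented
     */
    @Override // pl.edu.icm.yadda.service2.catalog.ICatalog
    public ListObjectsResponse listObjects(ListObjectsRequest listObjectsRequest) {
        YaddaErrorAwareResult<Set<ObligationType>> obligations = this.licAuthzFacade.retrieveLicenseObligations(this.securityRequestHandler.extract(listObjectsRequest));
        if (obligations.getError() != null) {
            log.error("got error from security client: " + obligations.getError().getCode() + EudmlRelationConstans.SEPARATOR + obligations.getError().getMssg());
            ListObjectsResponse failed = new ListObjectsResponse();
            failed.setError(obligations.getError());
            return failed;
        }
        CriterionCreatorResponse<String[]> createCriteria = this.criterionCreatorManager.createCriteria(obligations.getData());
        if (listObjectsRequest.getResumptionToken() != null) {
            try {
                // Looks the token up, removes it from the cache and throws when the criterion
                // stored with it differs from the caller's current one.
                CacheEntry<String, String[]> entry = getCachedEntryWithSecurityCriterionCheckAndRemoval(listObjectsRequest.getResumptionToken(), createCriteria);
                if (entry != null) {
                    listObjectsRequest.setResumptionToken(entry.getInternalToken());
                    ListObjectsResponse page = this.catalog.listObjects(listObjectsRequest);
                    page.setResumptionToken(storeEntry(page.getResumptionToken(), entry.getSecurityCriterion()));
                    return page;
                }
                // The caller-supplied token is written to the debug log and echoed in the error.
                String message = "invalid resumption token: " + listObjectsRequest.getResumptionToken();
                log.debug(message);
                ListObjectsResponse invalid = new ListObjectsResponse();
                invalid.setError(new YaddaError(YaddaErrorCodeConstants.ERROR_AUTH, message));
                return invalid;
            } catch (TokenSecurityException e) {
                String message = "Security constraints were violated: security criteria have changed!";
                log.debug(message);
                ListObjectsResponse violated = new ListObjectsResponse();
                violated.setError(new YaddaError(YaddaErrorCodeConstants.ERROR_AUTH, message, e));
                return violated;
            }
        }
        if (!shouldBeProcessed(createCriteria)) {
            String message = "no permission to list objects: no security tags found!";
            log.debug(message);
            ListObjectsResponse denied = new ListObjectsResponse();
            denied.setError(new YaddaError(YaddaErrorCodeConstants.ERROR_AUTH, message));
            return denied;
        }
        ListObjectsRequest2 constrained = new ListObjectsRequest2();
        this.securityRequestHandler.attach(constrained, this.securityRequestHandler.extract(listObjectsRequest));
        constrained.setFrom(listObjectsRequest.getFrom());
        constrained.setHistory(listObjectsRequest.isHistory());
        constrained.setPartSearchKey(listObjectsRequest.getPartSearchKey());
        constrained.setResumptionToken(listObjectsRequest.getResumptionToken());
        constrained.setTypes(listObjectsRequest.getTypes());
        constrained.setUntil(listObjectsRequest.getUntil());
        constrained.setCreationTimestampFrom(listObjectsRequest.getCreationTimestampFrom());
        constrained.setCreationTimeStampUntil(listObjectsRequest.getCreationTimestampUntil());
        constrained.setUsePartStamps(listObjectsRequest.isUsingPartStamps());
        constrained.setTagPrefixes(listObjectsRequest.getTagPrefixes());
        if (listObjectsRequest instanceof ListObjectsRequest2) {
            // Fails closed: a caller-supplied tag constraint is never forwarded without the
            // licence criterion merged in.
            throw new NotImplementedException("Implement injecting license tags into ListObjectsRequest2");
        }
        String[][] tagConstraint = buildTagConstraint(listObjectsRequest.getTags(), createCriteria.getSecurityCriterion());
        if (tagConstraint != null) {
            constrained.setTagConstraint(tagConstraint);
        }
        ListObjectsResponse firstPage = this.catalog.listObjects(constrained);
        firstPage.setResumptionToken(storeEntry(firstPage.getResumptionToken(), createCriteria));
        return firstPage;
    }

    /**
     * Combines the caller's tags with the licence criterion into one tag constraint.
     *
     * <p>Each requested tag becomes a single-element group and the security criterion, when
     * present, is appended as the last group. Presumably the delegate ANDs the groups and ORs
     * the tags inside a group; verify against the catalog implementation.
     *
     * @return the constraint, or {@code null} when there are neither tags nor a criterion
     */
    private static String[][] buildTagConstraint(String[] requestedTags, String[] securityCriterion) {
        if (requestedTags == null) {
            return securityCriterion != null ? new String[][] {securityCriterion} : null;
        }
        int groupCount = securityCriterion != null ? requestedTags.length + 1 : requestedTags.length;
        String[][] constraint = new String[groupCount][];
        for (int i = 0; i < requestedTags.length; i++) {
            constraint[i] = new String[] {requestedTags[i]};
        }
        if (securityCriterion != null) {
            constraint[requestedTags.length] = securityCriterion;
        }
        return constraint;
    }

    /**
     * Tells whether a listing may run at all: either everything is allowed or at least one
     * security tag is available to constrain the listing.
     */
    protected boolean shouldBeProcessed(CriterionCreatorResponse<String[]> criterionCreatorResponse) {
        if (criterionCreatorResponse.isAllowAll()) {
            return true;
        }
        return criterionCreatorResponse.getSecurityCriterion() != null && criterionCreatorResponse.getSecurityCriterion().length > 0;
    }

    /**
     * Lists parts through the delegate and removes every entry the caller's licence does not
     * permit.
     *
     * <p>An error from the security client is returned to the caller instead of the listing, as
     * in {@link #getObject(GetObjectRequest)} and {@link #listObjects(ListObjectsRequest)}, so a
     * failed obligation lookup never reaches the evaluators as a missing obligation set.
     */
    @Override // pl.edu.icm.yadda.service2.catalog.ICatalog
    public ListPartsResponse<String> listParts(ListPartsRequest listPartsRequest) {
        ListPartsResponse<String> listParts = this.catalog.listParts(listPartsRequest);
        if (listParts == null || listParts.getPage() == null) {
            return listParts;
        }
        YaddaErrorAwareResult<Set<ObligationType>> obligations = this.licAuthzFacade.retrieveLicenseObligations(this.securityRequestHandler.extract(listPartsRequest));
        if (obligations.getError() != null) {
            log.error("got error from security client: " + obligations.getError().getCode() + EudmlRelationConstans.SEPARATOR + obligations.getError().getMssg());
            ListPartsResponse<String> failed = new ListPartsResponse<>();
            failed.setError(obligations.getError());
            return failed;
        }
        Set<ObligationType> data = obligations.getData();
        // The decompiler typed the page elements as String; they are cast to CatalogObject below,
        // so the iterator is left unbounded.
        Iterator<?> it = listParts.getPage().iterator();
        while (it.hasNext()) {
            CatalogObject catalogObject = (CatalogObject) it.next();
            if (!evaluateAccess(data, new LicenseEvaluatorContext<>(catalogObject.getId(), catalogObject.getTags()))) {
                log.debug("removing" + catalogObject.getId() + " from result list!");
                it.remove();
            }
        }
        return listParts;
    }

    /** Forwards to the delegate without a licence check. */
    @Override // pl.edu.icm.yadda.service2.catalog.ICatalog
    public ListTypesResponse listTypes() {
        return this.catalog.listTypes();
    }

    /**
     * Creates the external resumption token handed to callers in place of the delegate's token.
     *
     * <p>The token is the current time in milliseconds followed by 128 random bits in hex. The
     * random part comes from {@link #rand}, a {@link SecureRandom} by default, so a token cannot
     * be guessed and two tokens issued in the same millisecond do not collide in practice.
     *
     * @param str the internal token; not used to derive the external one
     */
    /* JADX INFO: Access modifiers changed from: protected */
    @Override // pl.edu.icm.yadda.aas.proxy.token.TokenAwareSecuredService
    public String generateExternalToken(String str) {
        return System.currentTimeMillis() + "-" + Long.toHexString(this.rand.nextLong()) + Long.toHexString(this.rand.nextLong());
    }

    /** Sets the catalog every call is delegated to. */
    @Required
    public void setCatalog(ICatalog<String> iCatalog) {
        this.catalog = iCatalog;
    }

    /** Sets the licence evaluators, consulted in list order by {@link #evaluateAccess}. */
    @Required
    public void setEvaluators(List<ILicenseEvaluator<String[]>> list) {
        this.evaluators = list;
    }

    /** Sets the manager that turns licence obligations into a listing security criterion. */
    public void setCriterionCreatorManager(ICriterionCreatorManager<String[]> iCriterionCreatorManager) {
        this.criterionCreatorManager = iCriterionCreatorManager;
    }

    /** Replaces the default header-field based handler used to extract and attach security data. */
    public void setSecurityRequestHandler(ISecurityRequestHandler iSecurityRequestHandler) {
        this.securityRequestHandler = iSecurityRequestHandler;
    }

    /** Sets the facade used to retrieve the caller's licence obligations. */
    @Required
    public void setLicAuthzFacade(LicensingAuthorizationFacade licensingAuthorizationFacade) {
        this.licAuthzFacade = licensingAuthorizationFacade;
    }

    /** Forwards to the delegate without a licence check. */
    @Override // pl.edu.icm.yadda.service2.catalog.ICatalog
    public ObjectResponse<GroupedCount> getRecordStats(ParameterRequest<CatalogRecordStatisticsRequest> parameterRequest) {
        return this.catalog.getRecordStats(parameterRequest);
    }
}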
