package pl.edu.icm.yadda.service2.audit;

import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.io.xml.DomDriver;
import java.util.ArrayList;
import org.apache.commons.lang.ArrayUtils;
import org.opensaml.lite.common.SAMLObject;
import org.opensaml.lite.saml2.core.Assertion;
import org.opensaml.lite.xacml.ctx.DecisionType;
import org.opensaml.lite.xacml.policy.ObligationsType;
import org.opensaml.lite.xacml.profile.saml.XACMLAuthzDecisionQueryType;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.InitializingBean;
import org.springframework.beans.factory.annotation.Required;
import pl.edu.icm.yadda.aas.handler.HeaderFieldBasedSecurityRequestHandler;
import pl.edu.icm.yadda.aas.handler.ISecurityRequestHandler;
import pl.edu.icm.yadda.service2.aas.AAResponse;
import pl.edu.icm.yadda.service2.aas.AASConstants;
import pl.edu.icm.yadda.service2.aas.AuthenticateRequest;
import pl.edu.icm.yadda.service2.aas.AuthenticateResponse;
import pl.edu.icm.yadda.service2.aas.AuthorizeRequest;
import pl.edu.icm.yadda.service2.aas.AuthorizeResponse;
import pl.edu.icm.yadda.service2.aas.IAAService;
import pl.edu.icm.yadda.service2.aas.IAAServiceBackend;
import pl.edu.icm.yadda.service2.audit.AbstractAuditWrapper;

/* loaded from: input_file:WEB-INF/lib/yadda-services2-impl-4.2.1-agro.jar:pl/edu/icm/yadda/service2/audit/AuditedAAService.class */
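/**
 * Audit wrapper around an {@link IAAService}: delegates authentication and authorization to the
 * wrapped service and reports the outcome through the audit hooks inherited from
 * {@link AbstractAuditWrapper}.
 *
 * <p>Authentication is always audited. Authorization is audited only when the decision is missing
 * or is anything other than {@code Permit} (see {@link #doAuthzAudit(AuthorizeResponse)}).
 *
 * <p>With {@code useAssertionIdsOnly} (the default) only assertion ids, obligations and errors are
 * written to the audit record. When it is switched off, the full decision result and the formatted
 * SAML object are written as well; NOTE(review): those may carry identity attributes, so confirm
 * the audit store is protected accordingly before disabling it.
 */
public class AuditedAAService extends AbstractAuditWrapper<IAAService> implements IAAService, InitializingBean {
    public static final String ARG_KEY_AUTH_RESULT = "result";
    public static final String ARG_KEY_AUTH_ERRORS = "errors";
    protected final Logger log = LoggerFactory.getLogger(getClass());
    protected boolean useAssertionIdsOnly = true;
    // Used in this class only to serialise responses (toXML); it is never handed input to parse here.
    protected XStream xStream;
    protected IAuditFormatter<XACMLAuthzDecisionQueryType> xacmlRequestFormatter;
    protected IAuditFormatter<SAMLObject> samlObjectFormatter;
    protected IAuditFormatter<ObligationsType> obligationsFormatter;
    protected ISecurityRequestHandler securityRequestHandler;

    /**
     * Creates the wrapper with service id {@code "aas"}, a DOM-driver XStream serialiser and a
     * header-field based security request handler.
     */
    public AuditedAAService() {
        this.xStream = new XStream(new DomDriver());
        this.serviceId = "aas";
        this.securityRequestHandler = new HeaderFieldBasedSecurityRequestHandler();
    }

    /**
     * Asks the wrapped service to enable {@code MODE_AUDIT_OBLIGATIONS_PASSTHROUGH}.
     *
     * <p>The mode is only requested when the wrapped service is an {@link IAAServiceBackend} and an
     * obligations formatter was injected; otherwise a warning is logged and nothing is changed.
     *
     * @throws RuntimeException if the backend rejects the working mode
     */
    @Override // org.springframework.beans.factory.InitializingBean
    public void afterPropertiesSet() throws Exception {
        if (!(this.service instanceof IAAServiceBackend)) {
            this.log.warn("AAS is not an instance of IAAServiceBackend, cannot set mode: MODE_AUDIT_OBLIGATIONS_PASSTHROUGH");
        } else if (this.obligationsFormatter == null) {
            // Fixed: the original message ran the mode name and "will not be set" together.
            this.log.warn("Obligations audit formatter was not injected, mode: MODE_AUDIT_OBLIGATIONS_PASSTHROUGH will not be set");
        } else if (!((IAAServiceBackend) this.service).setWorkingMode(AASConstants.MODE_AUDIT_OBLIGATIONS_PASSTHROUGH, true, null)) {
            throw new RuntimeException("service " + ((IAAService) this.service).getClass().getName() + " didn't understand mode " + AASConstants.MODE_AUDIT_OBLIGATIONS_PASSTHROUGH);
        }
    }

    /**
     * Authenticates through the wrapped service and records an {@code "authn"} audit event.
     *
     * <p>The event is marked {@code UNAUTHORIZED} only when the response is OK and carries a
     * decision other than {@code Permit}. In every other case (including a {@code null} or failed
     * response) the event's session id is set to {@code "aas2:"} plus the assertion id and no
     * explicit result code is passed.
     * NOTE(review): a null/failed response is therefore not flagged as unauthorized here; confirm
     * that {@code handleEventResult} derives the failure from the response itself.
     *
     * @param authenticateRequest request forwarded unchanged to the wrapped service
     * @return the wrapped service's response, unchanged
     */
    @Override // pl.edu.icm.yadda.service2.aas.IAAService
    public AuthenticateResponse authenticate(AuthenticateRequest authenticateRequest) {
        AbstractAuditWrapper.EventContext handleEvent = handleEvent("authn", prepareAuditAuthnArgs(authenticateRequest), authenticateRequest);
        AuthenticateResponse authenticate = ((IAAService) this.service).authenticate(authenticateRequest);
        String[] auditResult = prepareAuthAuditResult(authenticate);
        boolean denied = authenticate != null
                && authenticate.isOK()
                && authenticate.getResult() != null
                && authenticate.getResult().getDecision() != null
                && authenticate.getResult().getDecision().getDecision() != DecisionType.DECISION.Permit;
        if (!denied) {
            // Element 0 is the assertion id by contract of prepareAuthAuditResult. The length guard
            // keeps a subclass override that returns an empty array from failing the authentication
            // call inside audit code.
            String assertionId = (auditResult != null && auditResult.length > 0) ? auditResult[0] : "";
            handleEvent.sessionId = "aas2:" + assertionId;
        }
        handleEventResult(handleEvent, authenticate, auditResult, denied ? EventResultCode.UNAUTHORIZED : null);
        return authenticate;
    }

    /**
     * Formats the authentication query of the request for the audit record.
     *
     * @return the formatter output, or an empty array when the request or its query is {@code null}
     */
    protected String[] prepareAuditAuthnArgs(AuthenticateRequest authenticateRequest) {
        if (authenticateRequest == null || authenticateRequest.getAuthnQuery() == null) {
            return new String[0];
        }
        return this.xacmlRequestFormatter.format(authenticateRequest.getAuthnQuery());
    }

    /**
     * Returns the id of a SAML {@link Assertion}.
     *
     * @return the assertion id, or {@code null} when the object is not an {@code Assertion}
     */
    protected String extractSAMLObjectId(SAMLObject sAMLObject) {
        if (sAMLObject instanceof Assertion) {
            return ((Assertion) sAMLObject).getID();
        }
        return null;
    }

    /**
     * Builds the audit result entries for an authentication or authorization response.
     *
     * <p>Element 0 of the returned array is always the assertion id (empty when there is none);
     * {@link #authenticate(AuthenticateRequest)} relies on that position for the session id. The
     * remaining entries are, in order: the formatted SAML object and {@code "result=..."} (only
     * when {@code useAssertionIdsOnly} is off), the formatted obligations, and {@code "errors=..."}.
     *
     * @param aAResponse response to describe; may be {@code null}
     * @return the audit entries, never {@code null} and never empty
     */
    protected String[] prepareAuthAuditResult(AAResponse aAResponse) {
        String assertionId = "";
        String errorsEntry = null;
        String[] obligationEntries = null;
        if (aAResponse != null) {
            if (aAResponse.getSAMLObject() != null) {
                // A SAML object that is not an Assertion has no id. It used to leave a null here,
                // which mergeIntoArray dropped, shifting the obligations/errors entry into slot 0
                // (or leaving the array empty). Keep slot 0 reserved for the id instead.
                String extracted = extractSAMLObjectId(aAResponse.getSAMLObject());
                assertionId = extracted != null ? extracted : "";
            }
            // Null-safe: a missing error collection must not break the audited call.
            if (aAResponse.getErrors() != null && aAResponse.getErrors().size() > 0) {
                errorsEntry = "errors=" + this.xStream.toXML(aAResponse.getErrors());
            }
            if (this.obligationsFormatter == null) {
                this.log.warn("obligations formatter was not injected, audit obligations will not be processed!");
            } else if (aAResponse.getResult() != null && aAResponse.getResult().getObligations() != null) {
                obligationEntries = this.obligationsFormatter.format(aAResponse.getResult().getObligations());
            }
        }
        if (this.useAssertionIdsOnly) {
            return mergeIntoArray(assertionId, obligationEntries, errorsEntry);
        }
        String resultEntry = null;
        String[] samlEntries = null;
        if (aAResponse != null) {
            if (aAResponse.getResult() != null) {
                resultEntry = "result=" + this.xStream.toXML(aAResponse.getResult());
            }
            if (aAResponse.getSAMLObject() != null) {
                samlEntries = this.samlObjectFormatter.format(aAResponse.getSAMLObject());
            }
        }
        return mergeIntoArray(assertionId, samlEntries, resultEntry, obligationEntries, errorsEntry);
    }

    /**
     * Flattens strings and string arrays into one array, in argument order.
     *
     * <p>{@code null} arguments are skipped; elements inside a {@code String[]} are copied as they
     * are. Any other object is added via {@code toString()} after logging a warning.
     */
    protected String[] mergeIntoArray(Object... objArr) {
        ArrayList<String> merged = new ArrayList<String>();
        for (Object obj : objArr) {
            if (obj == null) {
                continue;
            }
            if (obj instanceof String) {
                merged.add((String) obj);
            } else if (obj instanceof String[]) {
                for (String str : (String[]) obj) {
                    merged.add(str);
                }
            } else {
                this.log.warn("unsupported instance: " + obj.getClass().getName() + ", convering to string anyway...");
                merged.add(obj.toString());
            }
        }
        return merged.toArray(new String[merged.size()]);
    }

    /**
     * Authorizes through the wrapped service and records an {@code "authz"} audit event unless the
     * decision is {@code Permit}.
     *
     * @param authorizeRequest request forwarded unchanged to the wrapped service
     * @return the wrapped service's response, unchanged
     */
    @Override // pl.edu.icm.yadda.service2.aas.IAAService
    public AuthorizeResponse authorize(AuthorizeRequest authorizeRequest) {
        AuthorizeResponse authorize = ((IAAService) this.service).authorize(authorizeRequest);
        if (doAuthzAudit(authorize)) {
            handleEventResult(handleEvent("authz", prepareAuditAuthzArgs(authorizeRequest), authorizeRequest), authorize, prepareAuthAuditResult(authorize));
        }
        return authorize;
    }

    /**
     * Decides whether an authorization response is audited.
     *
     * @return {@code true} when the response, its result or its decision is missing, or when the
     *         decision is not {@code Permit}; {@code false} only for an explicit {@code Permit}
     */
    protected boolean doAuthzAudit(AuthorizeResponse authorizeResponse) {
        if (authorizeResponse == null || authorizeResponse.getResult() == null) {
            return true;
        }
        if (authorizeResponse.getResult().getDecision() == null) {
            return true;
        }
        return authorizeResponse.getResult().getDecision().getDecision() != DecisionType.DECISION.Permit;
    }

    /**
     * Builds the audit arguments for an authorization request: the formatted authorization query
     * followed by one comma-separated entry describing the security tokens found in the request
     * (assertion ids when {@code useAssertionIdsOnly} is set, formatted SAML objects otherwise).
     *
     * @return the query entries plus the token entry, or a two-element array of {@code null}s when
     *         the request carries no tokens
     */
    protected String[] prepareAuditAuthzArgs(AuthorizeRequest authorizeRequest) {
        String tokensEntry = null;
        SAMLObject[] tokens = this.securityRequestHandler.extract(authorizeRequest);
        if (tokens != null && tokens.length > 0) {
            StringBuilder joined = new StringBuilder();
            // The flag is cleared after every appended piece, not once per token: previously the
            // pieces of the first token were concatenated without any separator, and a first token
            // with no pieces produced a leading ", ".
            boolean first = true;
            for (SAMLObject sAMLObject : tokens) {
                if (this.useAssertionIdsOnly) {
                    if (!first) {
                        joined.append(", ");
                    }
                    // A token that is not an Assertion has no id and is recorded as "null".
                    joined.append(extractSAMLObjectId(sAMLObject));
                    first = false;
                } else {
                    for (String part : this.samlObjectFormatter.format(sAMLObject)) {
                        if (!first) {
                            joined.append(", ");
                        }
                        joined.append(part);
                        first = false;
                    }
                }
            }
            tokensEntry = joined.toString();
        }
        String[] queryEntries = new String[0];
        if (authorizeRequest != null && authorizeRequest.getAuthzQuery() != null) {
            queryEntries = this.xacmlRequestFormatter.format(authorizeRequest.getAuthzQuery());
        }
        if (tokensEntry != null) {
            return (String[]) ArrayUtils.add(queryEntries, tokensEntry);
        }
        // NOTE(review): for a request without tokens the formatted query is discarded and two nulls
        // are returned, so a denied token-less request is audited without its XACML query. Kept as
        // is because the expectations of handleEvent are not visible here; confirm whether
        // queryEntries should be returned instead.
        return new String[2];
    }

    /**
     * Returns the first security token carried by the authentication request.
     *
     * @return the first extracted SAML object, or {@code null} when the request is {@code null} or
     *         carries no tokens
     */
    protected SAMLObject getAuthnToken(AuthenticateRequest authenticateRequest) {
        if (authenticateRequest == null) {
            return null;
        }
        SAMLObject[] tokens = this.securityRequestHandler.extract(authenticateRequest);
        if (tokens == null || tokens.length == 0) {
            return null;
        }
        return tokens[0];
    }

    /**
     * Chooses between auditing assertion ids only ({@code true}, the default) and auditing the
     * full decision result and formatted SAML objects ({@code false}).
     */
    public void setUseAssertionIdsOnly(boolean z) {
        this.useAssertionIdsOnly = z;
    }

    /** Sets the formatter used for authentication and authorization queries. */
    @Required
    public void setXacmlRequestFormatter(IAuditFormatter<XACMLAuthzDecisionQueryType> iAuditFormatter) {
        this.xacmlRequestFormatter = iAuditFormatter;
    }

    /** Sets the formatter used for SAML objects when full auditing is enabled. */
    @Required
    public void setSamlObjectFormatter(IAuditFormatter<SAMLObject> iAuditFormatter) {
        this.samlObjectFormatter = iAuditFormatter;
    }

    /** Sets the formatter used for the obligations of a decision result. */
    @Required
    public void setObligationsFormatter(IAuditFormatter<ObligationsType> iAuditFormatter) {
        this.obligationsFormatter = iAuditFormatter;
    }

    /** Replaces the handler that extracts security tokens from incoming requests. */
    public void setSecurityRequestHandler(ISecurityRequestHandler iSecurityRequestHandler) {
        this.securityRequestHandler = iSecurityRequestHandler;
    }
}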
