package org.apache.airavata.api.server.security;

import java.io.BufferedReader;
import java.io.File;
import java.io.FileNotFoundException;
import java.io.FileReader;
import java.io.IOException;
import java.util.List;
import java.util.Map;
import org.apache.airavata.api.server.security.authzcache.AuthzCacheEntry;
import org.apache.airavata.api.server.security.authzcache.AuthzCacheIndex;
import org.apache.airavata.api.server.security.authzcache.AuthzCacheManager;
import org.apache.airavata.api.server.security.authzcache.AuthzCacheManagerFactory;
import org.apache.airavata.api.server.security.authzcache.AuthzCachedStatus;
import org.apache.airavata.api.server.security.oauth.DefaultOAuthClient;
import org.apache.airavata.api.server.security.xacml.DefaultPAPClient;
import org.apache.airavata.api.server.security.xacml.DefaultXACMLPEP;
import org.apache.airavata.common.exception.ApplicationSettingsException;
import org.apache.airavata.common.utils.ServerSettings;
import org.apache.airavata.credential.store.client.CredentialStoreClientFactory;
import org.apache.airavata.credential.store.cpi.CredentialStoreService;
import org.apache.airavata.credential.store.datamodel.PasswordCredential;
import org.apache.airavata.credential.store.exception.CredentialStoreException;
import org.apache.airavata.model.appcatalog.gatewayprofile.GatewayResourceProfile;
import org.apache.airavata.model.security.AuthzToken;
import org.apache.airavata.registry.core.experiment.catalog.impl.RegistryFactory;
import org.apache.airavata.registry.cpi.AppCatalogException;
import org.apache.airavata.security.AiravataSecurityException;
import org.apache.airavata.security.util.TrustStoreManager;
import org.apache.axis2.AxisFault;
import org.apache.axis2.context.ConfigurationContext;
import org.apache.axis2.context.ConfigurationContextFactory;
import org.apache.thrift.TException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.wso2.carbon.identity.oauth2.stub.dto.OAuth2TokenValidationResponseDTO;

/* loaded from: input_file:org/apache/airavata/api/server/security/DefaultAiravataSecurityManager.class */
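public class DefaultAiravataSecurityManager implements AiravataSecurityManager {
    private static final Logger logger = LoggerFactory.getLogger(DefaultAiravataSecurityManager.class);

    /** Claim key under which the caller's user name travels in the {@link AuthzToken}. */
    private static final String USER_NAME_CLAIM = "userName";
    /** Claim key under which the gateway id travels in the {@link AuthzToken}. */
    private static final String GATEWAY_ID_CLAIM = "gatewayID";
    /** Metadata key that names the API method being authorized. */
    private static final String API_METHOD_NAME_KEY = "api.method.name";

    /**
     * Publishes the XACML authorization policy to the remote authorization server (PAP)
     * for every gateway profile that carries an identity-server credential.
     *
     * <p>Does nothing when {@code ServerSettings.isAPISecured()} is false. Otherwise it
     * initializes the trust store, reads {@code <authorization-policy-name>.xml} from the
     * working directory, and for each gateway profile with both an identity-server
     * credential token and a tenant configured, adds the policy unless the PAP already
     * has one under that name. Profiles lacking either setting are skipped with a warning.
     *
     * @throws AiravataSecurityException if the policy file cannot be read, settings are
     *         missing, the credential store or app catalog is unreachable, or the Axis2
     *         configuration context cannot be created
     */
    @Override // org.apache.airavata.api.server.security.AiravataSecurityManager
    public void initializeSecurityInfra() throws AiravataSecurityException {
        try {
            if (!ServerSettings.isAPISecured()) {
                return;
            }
            ConfigurationContext configContext =
                    ConfigurationContextFactory.createConfigurationContextFromFileSystem((String) null, (String) null);
            new TrustStoreManager().initializeTrustStoreManager(
                    ServerSettings.getTrustStorePath(), ServerSettings.getTrustStorePassword());
            List<GatewayResourceProfile> gatewayProfiles =
                    RegistryFactory.getAppCatalog().getGatewayProfile().getAllGatewayProfiles();
            String policyName = ServerSettings.getAuthorizationPoliyName();
            String policy = readAuthorizationPolicy(policyName);
            CredentialStoreService.Client csClient = getCredentialStoreServiceClient();
            for (GatewayResourceProfile profile : gatewayProfiles) {
                if (profile.getIdentityServerPwdCredToken() == null || profile.getIdentityServerTenant() == null) {
                    logger.warn("Identity Server configuration missing for gateway : " + profile.getGatewayID());
                    continue;
                }
                PasswordCredential credential = csClient.getPasswordCredential(
                        profile.getIdentityServerPwdCredToken(), profile.getGatewayID());
                String loginUserName = qualifiedLoginUserName(credential, profile);
                DefaultPAPClient papClient = new DefaultPAPClient(
                        ServerSettings.getRemoteAuthzServerUrl(), loginUserName, credential.getPassword(), configContext);
                if (papClient.isPolicyAdded(policyName)) {
                    logger.debug("Authorization policy is already added in the authorization server.");
                } else {
                    papClient.addPolicy(policy);
                    logger.debug("Authorization policy is published in the authorization server.");
                }
            }
        } catch (FileNotFoundException e) {
            logger.error(e.getMessage(), e);
            throw new AiravataSecurityException("Error in reading authorization policy.");
        } catch (ApplicationSettingsException e) {
            logger.error(e.getMessage(), e);
            throw new AiravataSecurityException("Error in reading configuration when creating the PAP client.");
        } catch (TException e) {
            logger.error(e.getMessage(), e);
            throw new AiravataSecurityException("Error in connecting to Credential Store Service.");
        } catch (AxisFault e) {
            // AxisFault is a RemoteException (an IOException), so it must be handled before the
            // general IOException branch below or it would be reported as a policy read error.
            logger.error(e.getMessage(), e);
            throw new AiravataSecurityException("Error in initializing the configuration context for creating the PAP client.");
        } catch (IOException e) {
            logger.error(e.getMessage(), e);
            throw new AiravataSecurityException("Error in reading the authorization policy.");
        } catch (AppCatalogException e) {
            logger.error(e.getMessage(), e);
            throw new AiravataSecurityException("Error in reading the Gateway Profiles from App Catalog.");
        }
    }

    /**
     * Reads the authorization policy file {@code <policyName>.xml} and returns its lines
     * joined without separators (the form the PAP client is handed).
     *
     * @param policyName policy name; the file is resolved relative to the working directory
     * @return the file content with line terminators removed
     * @throws FileNotFoundException if the file does not exist or cannot be opened
     * @throws IOException on any other read failure
     */
    private static String readAuthorizationPolicy(String policyName) throws IOException {
        File policyFile = new File(policyName + ".xml");
        StringBuilder policy = new StringBuilder();
        // try-with-resources: the reader is closed on every exit path, including exceptions.
        try (BufferedReader reader = new BufferedReader(new FileReader(policyFile))) {
            String line;
            while ((line = reader.readLine()) != null) {
                policy.append(line);
            }
        }
        return policy.toString();
    }

    /**
     * Builds the login name used against the authorization server: the credential's
     * login user name, suffixed with {@code @<tenant>} when the gateway profile names a
     * non-empty identity-server tenant.
     *
     * @param credential password credential fetched from the credential store
     * @param profile gateway profile that may carry an identity-server tenant
     * @return the (possibly tenant-qualified) login user name
     */
    private static String qualifiedLoginUserName(PasswordCredential credential, GatewayResourceProfile profile) {
        String tenant = profile.getIdentityServerTenant();
        String loginUserName = credential.getLoginUserName();
        if (tenant != null && !tenant.isEmpty()) {
            loginUserName = loginUserName + "@" + tenant;
        }
        return loginUserName;
    }

    /**
     * Decides whether the caller identified by {@code authzToken} may invoke the API method
     * named in {@code map} under {@code api.method.name}.
     *
     * <p>When the authorization cache is enabled, a cached AUTHORIZED / NOT_AUTHORIZED
     * decision for (user, gateway, access token, method) is returned directly. Otherwise the
     * access token is validated with the gateway's OAuth server; the token is rejected if it
     * is invalid, carries no authorized user, or its authorized user (with any {@code @domain}
     * suffix removed) differs from the {@code userName} claim. A token that passes those
     * checks is then submitted to the XACML PEP, and the decision is cached (when caching is
     * enabled) together with the token's expiry time.
     *
     * <p>Access tokens are never written to the log.
     *
     * @param authzToken token carrying the access token and the {@code userName} /
     *        {@code gatewayID} claims
     * @param map request metadata; must contain {@code api.method.name}
     * @return true only if the token is valid, bound to the claimed user, and the PEP grants access
     * @throws AiravataSecurityException on configuration, app catalog, credential store or
     *         Axis2 failures, or if the cache returns an unknown status
     */
    @Override // org.apache.airavata.api.server.security.AiravataSecurityManager
    public boolean isUserAuthorized(AuthzToken authzToken, Map<String, String> map) throws AiravataSecurityException {
        try {
            String userName = (String) authzToken.getClaimsMap().get(USER_NAME_CLAIM);
            String accessToken = authzToken.getAccessToken();
            String gatewayId = (String) authzToken.getClaimsMap().get(GATEWAY_ID_CLAIM);
            String apiMethod = map.get(API_METHOD_NAME_KEY);

            // Cache bookkeeping is the only difference between the two code paths; both
            // consult the authorization server the same way (including the user-binding check).
            AuthzCacheManager cacheManager = null;
            AuthzCacheIndex cacheIndex = null;
            if (ServerSettings.isAuthzCacheEnabled()) {
                cacheManager = AuthzCacheManagerFactory.getAuthzCacheManager();
                cacheIndex = new AuthzCacheIndex(userName, gatewayId, accessToken, apiMethod);
                AuthzCachedStatus cachedStatus = cacheManager.getAuthzCachedStatus(cacheIndex);
                if (AuthzCachedStatus.AUTHORIZED.equals(cachedStatus)) {
                    logger.debug("Authz decision for: ({}, {}) is retrieved from cache.", userName, apiMethod);
                    return true;
                }
                if (AuthzCachedStatus.NOT_AUTHORIZED.equals(cachedStatus)) {
                    logger.debug("Authz decision for: ({}, {}) is retrieved from cache.", userName, apiMethod);
                    return false;
                }
                if (!AuthzCachedStatus.NOT_CACHED.equals(cachedStatus)) {
                    throw new AiravataSecurityException("Error in reading from the authorization cache.");
                }
                logger.debug("Authz decision for: ({}, {}) is not in the cache. Obtaining it from the authorization server.",
                        userName, apiMethod);
            }

            CredentialStoreService.Client csClient = getCredentialStoreServiceClient();
            GatewayResourceProfile profile = RegistryFactory.getAppCatalog().getGatewayProfile().getGatewayProfile(gatewayId);
            PasswordCredential credential = csClient.getPasswordCredential(
                    profile.getIdentityServerPwdCredToken(), profile.getGatewayID());
            String loginUserName = qualifiedLoginUserName(credential, profile);
            String password = credential.getPassword();
            // As in the original, the Axis2 context and trust store are set up per call.
            ConfigurationContext configContext =
                    ConfigurationContextFactory.createConfigurationContextFromFileSystem((String) null, (String) null);
            new TrustStoreManager().initializeTrustStoreManager(
                    ServerSettings.getTrustStorePath(), ServerSettings.getTrustStorePassword());

            OAuth2TokenValidationResponseDTO validation = new DefaultOAuthClient(
                    ServerSettings.getRemoteAuthzServerUrl(), loginUserName, password, configContext)
                    .validateAccessToken(accessToken);
            if (!validation.getValid()) {
                return false;
            }
            // Bind the token to the claimed user: a valid token belonging to someone else must
            // not authorize this request. Fail closed if the server reports no user at all.
            String authorizedUser = validation.getAuthorizedUser();
            if (authorizedUser == null) {
                return false;
            }
            int domainSep = authorizedUser.indexOf('@');
            if (domainSep >= 0) {
                authorizedUser = authorizedUser.substring(0, domainSep);
            }
            if (!authorizedUser.equals(userName)) {
                return false;
            }

            long expiryTime = validation.getExpiryTime();
            boolean decision = new DefaultXACMLPEP(
                    ServerSettings.getRemoteAuthzServerUrl(), loginUserName, password, configContext)
                    .getAuthorizationDecision(authzToken, map);
            if (cacheManager != null) {
                cacheManager.addToAuthzCache(cacheIndex, new AuthzCacheEntry(decision, expiryTime, System.currentTimeMillis()));
            }
            return decision;
        } catch (ApplicationSettingsException e) {
            logger.error(e.getMessage(), e);
            throw new AiravataSecurityException("Error in reading OAuth server configuration.");
        } catch (AppCatalogException e) {
            logger.error(e.getMessage(), e);
            throw new AiravataSecurityException("Error in accessing AppCatalog.");
        } catch (TException e) {
            logger.error(e.getMessage(), e);
            throw new AiravataSecurityException("Error in connecting to Credential Store Service.");
        } catch (AxisFault e) {
            logger.error(e.getMessage(), e);
            throw new AiravataSecurityException("Error in initializing the configuration context for creating the OAuth validation client.");
        }
    }

    /**
     * Creates a Thrift client for the credential store using the configured host and port.
     *
     * @return a connected credential store client
     * @throws ApplicationSettingsException if the host or port setting is missing
     * @throws TException if the port setting is not a number or the client cannot be created
     */
    private CredentialStoreService.Client getCredentialStoreServiceClient() throws TException, ApplicationSettingsException {
        String host = ServerSettings.getCredentialStoreServerHost();
        String portSetting = ServerSettings.getCredentialStoreServerPort();
        int port;
        try {
            port = Integer.parseInt(portSetting);
        } catch (NumberFormatException e) {
            // Surface a malformed port as the checked failure callers already translate,
            // instead of an unchecked NumberFormatException escaping the security manager.
            throw new TException("Invalid credential store server port setting: " + portSetting, e);
        }
        try {
            return CredentialStoreClientFactory.createAiravataCSClient(host, port);
        } catch (CredentialStoreException e) {
            throw new TException("Unable to create credential store client...", e);
        }
    }
}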
