package ca.nrc.cadc.ac;

import ca.nrc.cadc.ac.client.UserClient;
import ca.nrc.cadc.auth.AuthenticationUtil;
import ca.nrc.cadc.auth.HttpPrincipal;
import ca.nrc.cadc.auth.IdentityManager;
import ca.nrc.cadc.auth.NotAuthenticatedException;
import ca.nrc.cadc.auth.NumericPrincipal;
import ca.nrc.cadc.auth.PosixPrincipal;
import ca.nrc.cadc.auth.TokenValidator;
import ca.nrc.cadc.cred.client.CredUtil;
import ca.nrc.cadc.profiler.Profiler;
import ca.nrc.cadc.reg.Standards;
import ca.nrc.cadc.reg.client.LocalAuthority;
import java.net.URI;
import java.security.Principal;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Set;
import java.util.TreeSet;
import java.util.UUID;
import javax.security.auth.Subject;
import javax.security.auth.x500.X500Principal;
import org.apache.log4j.Logger;

/* loaded from: input_file:ca/nrc/cadc/ac/ACIdentityManager.class */
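public class ACIdentityManager implements IdentityManager {
    /** Security methods advertised by {@link #getSecurityMethods()}: anon, cert, cookie and token (filled in the static initializer). */
    private static final Set<URI> SEC_METHODS;

    /**
     * When true, {@link #augment(Subject)} also treats a Subject whose PosixPrincipal is missing,
     * or whose PosixPrincipal has no {@code username} or {@code defaultGroup}, as needing augmentation.
     * Read once, from the system property named by {@link #PP_PROP}, at construction time.
     */
    private final boolean requireCompletePosixPrincipal;
    private static final Logger log = Logger.getLogger(ACIdentityManager.class);

    /** Name of the system property (fully qualified class name + ".requireCompletePosixPrincipal") consulted by the constructor. */
    private static final String PP_PROP = ACIdentityManager.class.getName() + ".requireCompletePosixPrincipal";

    /**
     * Creates an identity manager whose posix-principal completeness check is enabled only when
     * the system property {@link #PP_PROP} is set and its trimmed value is exactly {@code "true"}.
     */
    public ACIdentityManager() {
        String property = System.getProperty(PP_PROP);
        this.requireCompletePosixPrincipal = property != null && "true".equals(property.trim());
    }

    /**
     * Returns the security methods supported by this identity manager.
     *
     * @return an unmodifiable, sorted set of security method URIs
     */
    public Set<URI> getSecurityMethods() {
        return SEC_METHODS;
    }

    /**
     * Validates the tokens carried by the Subject by delegating to {@link TokenValidator#validateTokens(Subject)}.
     *
     * @param subject the Subject whose tokens are validated
     * @return the Subject returned by the token validator
     * @throws NotAuthenticatedException if token validation fails
     */
    public Subject validate(Subject subject) throws NotAuthenticatedException {
        return TokenValidator.validateTokens(subject);
    }

    /**
     * Adds the identities known to the user management service to the given Subject, when needed.
     * Augmentation is skipped for a null Subject, a Subject with no principals, or a Subject that
     * {@link #needsAugment(Subject)} considers complete. The call to the user service is made under
     * the operations Subject from {@link CredUtil#createOpsSubject()}.
     *
     * @param subject the Subject to augment; may be null
     * @return the same Subject instance, possibly with principals added by the user service
     * @throws RuntimeException if the privileged call to the user service fails (the
     *         {@link PrivilegedActionException} is kept as the cause)
     */
    public Subject augment(final Subject subject) {
        log.debug("augment START: " + subject);
        if (subject == null) {
            log.debug("augment DONE null: " + subject);
            return subject;
        }
        if (subject.getPrincipals().isEmpty()) {
            log.debug("augment DONE no principals: " + subject);
            return subject;
        }
        if (!needsAugment(subject)) {
            log.debug("augment DONE needAugment=false: " + subject);
            return subject;
        }
        try {
            Subject.doAs(CredUtil.createOpsSubject(), new PrivilegedExceptionAction<Object>() {
                @Override
                public Object run() throws Exception {
                    usersClient().augmentSubject(subject);
                    return null;
                }
            });
            log.debug("augment DONE w/ UserClient: " + subject);
            return subject;
        } catch (PrivilegedActionException e) {
            throw new RuntimeException("Error augmenting subject " + subject, e);
        }
    }

    /**
     * Decides whether {@link #augment(Subject)} must call the user service.
     * A Subject needs augmentation when it has no NumericPrincipal or carries only a single principal;
     * with {@link #requireCompletePosixPrincipal} it also needs augmentation when its PosixPrincipal is
     * absent or lacks {@code defaultGroup} or {@code username}.
     *
     * @param subject a non-null Subject with at least one principal
     * @return true if the user service should be consulted
     */
    private boolean needsAugment(Subject subject) {
        boolean needAugment = getNumericPrincipal(subject) == null || subject.getPrincipals().size() == 1;
        if (this.requireCompletePosixPrincipal) {
            // the posix check is evaluated (and logged) even when needAugment is already true
            PosixPrincipal posixPrincipal = getPosixPrincipal(subject);
            log.debug("augment check posix: " + posixPrincipal);
            needAugment = needAugment
                    || posixPrincipal == null
                    || posixPrincipal.defaultGroup == null
                    || posixPrincipal.username == null;
        } else {
            log.debug("augment: requireCompletePosixPrincipal=false");
        }
        return needAugment;
    }

    /**
     * Creates a client for the users endpoint (UMS_USERS_01) of the local user management service.
     * Shared by {@link #augment(Subject)} and {@link #createX500User(X500Principal)} so both resolve
     * the service the same way.
     */
    private static UserClient usersClient() {
        return new UserClient(new LocalAuthority().getServiceURI(Standards.UMS_USERS_01.toASCIIString()));
    }

    /**
     * Returns the first principal of the requested type held by the Subject.
     *
     * @param subject the Subject to inspect; may be null
     * @param type the principal class to look for
     * @return the first matching principal, or null if the Subject is null or holds none of that type
     */
    private static <T extends Principal> T firstPrincipal(Subject subject, Class<T> type) {
        if (subject == null) {
            return null;
        }
        Set<T> matches = subject.getPrincipals(type);
        if (matches.isEmpty()) {
            return null;
        }
        return matches.iterator().next();
    }

    /** @return the first NumericPrincipal of the Subject, or null (see {@link #firstPrincipal(Subject, Class)}) */
    private NumericPrincipal getNumericPrincipal(Subject subject) {
        return firstPrincipal(subject, NumericPrincipal.class);
    }

    /** @return the first PosixPrincipal of the Subject, or null (see {@link #firstPrincipal(Subject, Class)}) */
    private PosixPrincipal getPosixPrincipal(Subject subject) {
        return firstPrincipal(subject, PosixPrincipal.class);
    }

    /**
     * Converts a Subject into a persistable owner key: the least significant bits of the UUID of
     * its first NumericPrincipal. If the Subject has no NumericPrincipal but does carry an
     * X500Principal, a user is created in the user management service for the (last seen)
     * X500Principal and the resulting NumericPrincipal is added to {@code subject} as a side effect.
     *
     * @param subject the Subject to convert; may be null
     * @return a {@link Long} owner key, or null if the Subject is null or has neither a
     *         NumericPrincipal nor an X500Principal
     * @throws IllegalStateException if the user service call needed to create the X500 user fails
     */
    public Object toOwner(Subject subject) {
        if (subject == null) {
            return null;
        }
        X500Principal x500Principal = null;
        for (Principal principal : subject.getPrincipals()) {
            if (principal instanceof NumericPrincipal) {
                return ownerKey((NumericPrincipal) principal);
            }
            if (principal instanceof X500Principal) {
                x500Principal = (X500Principal) principal;
            }
        }
        if (x500Principal == null) {
            return null;
        }
        NumericPrincipal created = createX500User(x500Principal);
        // remember the new internal id on the caller's Subject so later calls do not create the user again
        subject.getPrincipals().add(created);
        return ownerKey(created);
    }

    /** Owner key encoding shared by {@link #toOwner(Subject)}: the low 64 bits of the principal's UUID. */
    private static Long ownerKey(NumericPrincipal numericPrincipal) {
        return Long.valueOf(numericPrincipal.getUUID().getLeastSignificantBits());
    }

    /**
     * Creates a user in the user management service for the given X500Principal and returns the
     * NumericPrincipal (internal id) assigned to it. The call runs under the operations Subject.
     *
     * @param x500Principal the distinguished name to register
     * @return the first NumericPrincipal identity of the created user
     * @throws IllegalStateException if the created user has no NumericPrincipal identity or if the
     *         service call fails for any reason (the original exception is kept as the cause)
     */
    private NumericPrincipal createX500User(final X500Principal x500Principal) {
        try {
            return Subject.doAs(CredUtil.createOpsSubject(), new PrivilegedExceptionAction<NumericPrincipal>() {
                @Override
                public NumericPrincipal run() throws Exception {
                    Set<? extends Principal> identities =
                            usersClient().createUser(x500Principal).getIdentities(NumericPrincipal.class);
                    if (identities.isEmpty()) {
                        throw new IllegalStateException("missing internal id");
                    }
                    return (NumericPrincipal) identities.iterator().next();
                }
            });
        } catch (Exception e) {
            // deliberately broad: both the checked PrivilegedActionException and runtime failures
            // from the ops-subject setup are reported to the caller the same way
            throw new IllegalStateException("failed to create internal id for user " + x500Principal.getName(), e);
        }
    }

    /**
     * Returns a human-readable name for the Subject: the name of its first HttpPrincipal if it has
     * one, otherwise the name of its first principal of any type.
     *
     * @param subject the Subject to describe; may be null
     * @return the display name, or null if the Subject is null or has no principals
     */
    public String toDisplayString(Subject subject) {
        if (subject == null) {
            return null;
        }
        Set<HttpPrincipal> httpPrincipals = subject.getPrincipals(HttpPrincipal.class);
        if (!httpPrincipals.isEmpty()) {
            return httpPrincipals.iterator().next().getName();
        }
        Set<Principal> principals = subject.getPrincipals();
        if (principals.isEmpty()) {
            return null;
        }
        return principals.iterator().next().getName();
    }

    /**
     * Reconstructs a Subject from an owner key produced by {@link #toOwner(Subject)}.
     * The key may be a {@link String}, {@link Integer} or {@link Long}; a value of zero or less yields
     * an empty (anonymous) Subject. If the current caller Subject already carries a matching
     * NumericPrincipal, that caller Subject itself (with all its principals and credentials) is
     * returned; otherwise a new Subject holding only the NumericPrincipal is built and passed
     * through {@link #augment(Subject)}.
     *
     * @param obj the owner key; may be null
     * @return the reconstructed Subject, or null if {@code obj} is null
     * @throws IllegalStateException if {@code obj} is not a String, Integer or Long
     * @throws NumberFormatException if {@code obj} is a String that is not a valid long
     */
    public Subject toSubject(Object obj) {
        if (obj == null) {
            return null;
        }
        long id;
        if (obj instanceof String) {
            id = Long.parseLong((String) obj);
        } else if (obj instanceof Integer) {
            id = ((Integer) obj).longValue();
        } else if (obj instanceof Long) {
            id = ((Long) obj).longValue();
        } else {
            throw new IllegalStateException("cannot reconstruct Subject from a " + obj.getClass().getName());
        }
        if (id <= 0) {
            return new Subject();
        }
        // owner keys only carry the low 64 bits of the UUID (see toOwner), so the high bits are zero here
        NumericPrincipal numericPrincipal = new NumericPrincipal(new UUID(0L, id));
        Subject currentSubject = AuthenticationUtil.getCurrentSubject();
        if (currentSubject != null) {
            for (Principal principal : currentSubject.getPrincipals()) {
                if (AuthenticationUtil.equals(numericPrincipal, principal)) {
                    log.debug("[cache hit] caller Subject matches " + numericPrincipal + ": " + currentSubject);
                    return currentSubject;
                }
            }
        }
        Set<Principal> principals = new HashSet<Principal>();
        principals.add(numericPrincipal);
        Subject subject = new Subject(false, principals, new HashSet<Object>(), new HashSet<Object>());
        Profiler profiler = new Profiler(ACIdentityManager.class);
        Subject augmented = augment(subject);
        profiler.checkpoint("CadcIdentityManager.augmentSubject");
        return augmented;
    }

    static {
        // TreeSet keeps the advertised methods in a stable (sorted) order
        TreeSet<URI> methods = new TreeSet<URI>();
        methods.add(Standards.SECURITY_METHOD_ANON);
        methods.add(Standards.SECURITY_METHOD_CERT);
        methods.add(Standards.SECURITY_METHOD_COOKIE);
        methods.add(Standards.SECURITY_METHOD_TOKEN);
        SEC_METHODS = Collections.unmodifiableSet(methods);
    }
}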
