package edu.ucsb.nceas.metacat.dataone;

import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.dataone.client.v2.CNode;
import org.dataone.client.v2.itk.D1Client;
import org.dataone.service.exceptions.InvalidRequest;
import org.dataone.service.exceptions.InvalidToken;
import org.dataone.service.exceptions.NotAuthorized;
import org.dataone.service.exceptions.NotImplemented;
import org.dataone.service.exceptions.ServiceFailure;
import org.dataone.service.types.v1.Group;
import org.dataone.service.types.v1.Identifier;
import org.dataone.service.types.v1.NodeReference;
import org.dataone.service.types.v1.NodeType;
import org.dataone.service.types.v1.Permission;
import org.dataone.service.types.v1.Replica;
import org.dataone.service.types.v1.Session;
import org.dataone.service.types.v1.Subject;
import org.dataone.service.types.v1.util.AuthUtils;
import org.dataone.service.types.v2.Node;
import org.dataone.service.types.v2.NodeList;
import org.dataone.service.types.v2.SystemMetadata;
import org.dataone.service.types.v2.util.NodelistUtil;

/* loaded from: input_file:edu/ucsb/nceas/metacat/dataone/D1AuthHelper.class */
/**
 * Authorization decision helper for the DataONE API layer of Metacat.
 *
 * <p>Each {@code do*} method runs a fixed chain of checks (system-metadata access
 * policy, local node administrator, authoritative/replica member-node administrator,
 * CN administrator, expanded rights-holder membership) and returns normally on the
 * first check that succeeds. If no check succeeds the method throws: a
 * {@link NotAuthorized} carrying {@code notAuthorizedCode} when every check ran
 * cleanly, otherwise the <em>first</em> {@link ServiceFailure} that a check raised,
 * re-labelled with {@code serviceFailureCode}. Checks that fail with a
 * {@code ServiceFailure} are therefore never treated as a grant (fail closed).
 *
 * <p>NOTE(review): this listing is decompiler output (see the JADX markers on
 * {@link #expandRightsHolder}). Some locals are shown without the initializer the
 * original source must have had, and one method body is missing entirely, so the
 * exact runtime behaviour should be confirmed against the real sources.
 */
public class D1AuthHelper {
    // Servlet request the helper was created for; used to look up the local node's
    // capabilities and included in warning log lines.
    private HttpServletRequest request;
    // Detail code placed on every NotAuthorized this helper throws.
    private String notAuthorizedCode;
    // Detail code overwriting the one on any ServiceFailure this helper re-throws.
    private String serviceFailureCode;
    // Identifier of the object the request concerns; only used in NotAuthorized messages.
    private Identifier requestIdentifier;
    // Log messages from this class are attributed to D1NodeService's logger.
    private static Log logMetacat = LogFactory.getLog(D1NodeService.class);
    // Process-wide cache of the CN node list. It is filled lazily by getCNNodeList()
    // and, once non-empty, is never refreshed or invalidated here: a change to CN
    // membership or to a node's administrative subjects is not seen until restart.
    // Access is not synchronized; concurrent first calls may each fetch the list.
    private static NodeList cnList = null;

    /**
     * Creates a helper bound to one request.
     *
     * @param httpServletRequest the current request (may be {@code null}; only used
     *     for MNodeService lookup and logging)
     * @param identifier identifier of the object being accessed, for error messages
     * @param str detail code for NotAuthorized errors
     * @param str2 detail code for re-thrown ServiceFailure errors
     */
    public D1AuthHelper(HttpServletRequest httpServletRequest, Identifier identifier, String str, String str2) {
        this.request = httpServletRequest;
        this.requestIdentifier = identifier;
        this.notAuthorizedCode = str;
        this.serviceFailureCode = str2;
    }

    /**
     * General-purpose authorization check for {@code permission} on the object
     * described by {@code systemMetadata}.
     *
     * <p>Order of checks: system-metadata subjects, local node admin (any node type),
     * authoritative member-node admin, CN admin, expanded rights holder.
     *
     * @param session caller's session; {@code null} is treated as an anonymous caller
     * @param systemMetadata system metadata of the target object (must not be {@code null})
     * @param permission permission being requested
     * @throws NotAuthorized if no check grants access and no check failed
     * @throws ServiceFailure the first failure raised by a check, with
     *     {@code serviceFailureCode} as its detail code
     */
    public void doIsAuthorized(Session session, SystemMetadata systemMetadata, Permission permission) throws ServiceFailure, NotAuthorized {
        // NOTE(review): shown without an initializer by the decompiler; the original
        // presumably starts as null, in which case the two node-list checks below
        // simply return false when getCNNodeList() fails.
        NodeList cNNodeList;
        if (session != null && session.getSubject() != null) {
            logMetacat.debug("D1AuthHepler.doIsAuthorzied - the session is " + session.getSubject().getValue());
        }
        // Collects ServiceFailures from checks that could not complete; the first one
        // is re-thrown at the end unless a later check grants access.
        ArrayList arrayList = new ArrayList();
        if (isAuthorizedBySysMetaSubjects(session, systemMetadata, permission)) {
            return;
        }
        try {
            if (isLocalNodeAdmin(session, null)) {
                return;
            }
        } catch (ServiceFailure e) {
            arrayList.add(e);
        }
        try {
            cNNodeList = getCNNodeList();
        } catch (ServiceFailure e2) {
            arrayList.add(e2);
        }
        if (isAuthoritativeMNodeAdmin(session, systemMetadata.getAuthoritativeMemberNode(), cNNodeList)) {
            return;
        }
        if (isCNAdmin(session, cNNodeList)) {
            return;
        }
        // Rights-holder group expansion does not depend on the CN node list, so it can
        // still grant access after a getCNNodeList() failure.
        try {
            if (checkExpandedPermissions(session, systemMetadata, permission)) {
                return;
            }
        } catch (ServiceFailure e3) {
            arrayList.add(e3);
        }
        if (arrayList.isEmpty()) {
            prepareAndThrowNotAuthorized(session, this.requestIdentifier, permission, this.notAuthorizedCode);
        } else {
            ServiceFailure serviceFailure = (ServiceFailure) arrayList.get(0);
            serviceFailure.setDetail_code(this.serviceFailureCode);
            throw serviceFailure;
        }
    }

    /**
     * Grants access only to a local node administrator (any node type) or to an
     * administrator of the object's authoritative member node as listed by the CN.
     *
     * @param session caller's session, may be {@code null}
     * @param systemMetadata system metadata providing the authoritative member node
     * @throws NotAuthorized if neither check grants access and none failed
     * @throws ServiceFailure the first failure raised by a check
     */
    public void doAuthoritativeMNAuthorization(Session session, SystemMetadata systemMetadata) throws ServiceFailure, NotAuthorized {
        if (session != null && session.getSubject() != null) {
            logMetacat.debug("D1AuthHepler.doAuthoritativeMNAuthorization - the session is " + session.getSubject().getValue());
        }
        ArrayList arrayList = new ArrayList();
        try {
            if (isLocalNodeAdmin(session, null)) {
                return;
            }
        } catch (ServiceFailure e) {
            arrayList.add(e);
        }
        try {
            if (isAuthoritativeMNodeAdmin(session, systemMetadata.getAuthoritativeMemberNode(), getCNNodeList())) {
                return;
            }
        } catch (ServiceFailure e2) {
            arrayList.add(e2);
        }
        if (arrayList.isEmpty()) {
            prepareAndThrowNotAuthorized(session, this.requestIdentifier, null, this.notAuthorizedCode);
        } else {
            ServiceFailure serviceFailure = (ServiceFailure) arrayList.get(0);
            serviceFailure.setDetail_code(this.serviceFailureCode);
            throw serviceFailure;
        }
    }

    /**
     * Authorization for update / updateSystemMetadata requests.
     *
     * <p>The object-level checks (system-metadata subjects, local MN admin, expanded
     * rights holder) run only when the object's authoritative member node equals
     * {@code nodeReference} and has a non-blank value; a CN administrator is accepted
     * regardless. When the node does not match and the caller is not a CN admin, the
     * thrown {@link NotAuthorized} explains the authoritative-node mismatch instead of
     * listing the caller's subjects.
     *
     * @param session caller's session, may be {@code null}
     * @param systemMetadata system metadata of the object being updated
     * @param permission permission being requested
     * @param nodeReference identifier of the node handling the request
     * @throws NotAuthorized if no check grants access and none failed
     * @throws ServiceFailure the first failure raised by a check; every collected
     *     failure is logged at WARN before it is thrown
     */
    public void doUpdateAuth(Session session, SystemMetadata systemMetadata, Permission permission, NodeReference nodeReference) throws NotAuthorized, ServiceFailure {
        if (session != null && session.getSubject() != null) {
            logMetacat.debug("D1AuthHepler.doUpdateAuth - the session is " + session.getSubject().getValue());
        }
        // z: whether this node is the object's authoritative member node.
        boolean z = true;
        ArrayList<Throwable> arrayList = new ArrayList();
        if (systemMetadata.getAuthoritativeMemberNode().equals(nodeReference) && StringUtils.isNotBlank(systemMetadata.getAuthoritativeMemberNode().getValue())) {
            if (isAuthorizedBySysMetaSubjects(session, systemMetadata, permission)) {
                return;
            }
            try {
                if (isLocalMNAdmin(session)) {
                    return;
                }
            } catch (ServiceFailure e) {
                arrayList.add(e);
            }
            try {
                if (checkExpandedPermissions(session, systemMetadata, permission)) {
                    return;
                }
            } catch (ServiceFailure e2) {
                arrayList.add(e2);
            }
        } else {
            z = false;
        }
        try {
            if (isCNAdmin(session, getCNNodeList())) {
                return;
            }
        } catch (ServiceFailure e3) {
            arrayList.add(e3);
        }
        String str = "clients can only call the update/updateSystemMetadata request on an object when it locates on its authoritative memember node. However, the authoritative member node of the object " + systemMetadata.getIdentifier().getValue() + " on your request is " + systemMetadata.getAuthoritativeMemberNode().getValue() + ", which is differen to the current node " + nodeReference.getValue();
        if (arrayList.isEmpty()) {
            if (z) {
                prepareAndThrowNotAuthorized(session, this.requestIdentifier, permission, this.notAuthorizedCode);
                return;
            } else {
                logMetacat.warn(str);
                throw new NotAuthorized(this.notAuthorizedCode, str);
            }
        }
        // NOTE(review): getDescription() is not a java.lang.Throwable method; the
        // decompiler has most likely dropped the DataONE exception type the original
        // list was declared with. Confirm against the real sources.
        for (Throwable th : arrayList) {
            logMetacat.warn("For request [" + this.request + "]: ServiceFailure raised:" + th.getDescription(), th);
        }
        ServiceFailure serviceFailure = (ServiceFailure) arrayList.get(0);
        serviceFailure.setDetail_code(this.serviceFailureCode);
        throw serviceFailure;
    }

    /**
     * Grants access only when the local node is a CN and the caller is its
     * administrator, or when the caller is an administrator of any CN in the CN
     * node list.
     *
     * @param session caller's session, may be {@code null}
     * @throws NotAuthorized if neither check grants access and none failed
     * @throws ServiceFailure the first failure raised by a check
     */
    public void doCNOnlyAuthorization(Session session) throws ServiceFailure, NotAuthorized {
        if (session != null && session.getSubject() != null) {
            logMetacat.debug("D1AuthHepler.doCNOnlyAuthorization - the session is " + session.getSubject().getValue());
        }
        ArrayList arrayList = new ArrayList();
        try {
            if (isLocalNodeAdmin(session, NodeType.CN)) {
                return;
            }
        } catch (ServiceFailure e) {
            arrayList.add(e);
        }
        try {
            if (isCNAdmin(session, getCNNodeList())) {
                return;
            }
        } catch (ServiceFailure e2) {
            arrayList.add(e2);
        }
        if (arrayList.isEmpty()) {
            prepareAndThrowNotAuthorized(session, this.requestIdentifier, null, this.notAuthorizedCode);
        } else {
            ServiceFailure serviceFailure = (ServiceFailure) arrayList.get(0);
            serviceFailure.setDetail_code(this.serviceFailureCode);
            throw serviceFailure;
        }
    }

    /**
     * Grants access to a local node administrator (any node type) or a CN
     * administrator. Unlike {@link #doCNOnlyAuthorization} the local node need not
     * be a CN.
     *
     * @param session caller's session, may be {@code null}
     * @throws NotAuthorized if neither check grants access and none failed
     * @throws ServiceFailure the first failure raised by a check
     */
    public void doAdminAuthorization(Session session) throws ServiceFailure, NotAuthorized {
        if (session != null && session.getSubject() != null) {
            logMetacat.debug("D1AuthHepler.doAdminAuthorization - the session is " + session.getSubject().getValue());
        }
        ArrayList arrayList = new ArrayList();
        try {
            if (isLocalNodeAdmin(session, null)) {
                return;
            }
        } catch (ServiceFailure e) {
            arrayList.add(e);
        }
        try {
            if (isCNAdmin(session, getCNNodeList())) {
                return;
            }
        } catch (ServiceFailure e2) {
            arrayList.add(e2);
        }
        if (arrayList.isEmpty()) {
            prepareAndThrowNotAuthorized(session, this.requestIdentifier, null, this.notAuthorizedCode);
        } else {
            ServiceFailure serviceFailure = (ServiceFailure) arrayList.get(0);
            serviceFailure.setDetail_code(this.serviceFailureCode);
            throw serviceFailure;
        }
    }

    /**
     * Authorization for getSystemMetadata. Same chain as {@link #doIsAuthorized}
     * with one extra check: an administrator of any member node holding a replica
     * of the object is also accepted.
     *
     * @param session caller's session, may be {@code null}
     * @param systemMetadata system metadata of the target object (must not be {@code null})
     * @param permission permission being requested
     * @throws NotAuthorized if no check grants access and none failed
     * @throws ServiceFailure the first failure raised by a check
     */
    public void doGetSysmetaAuthorization(Session session, SystemMetadata systemMetadata, Permission permission) throws ServiceFailure, NotAuthorized {
        // NOTE(review): shown without an initializer by the decompiler, as in
        // doIsAuthorized(); presumably null in the original source.
        NodeList cNNodeList;
        if (session != null && session.getSubject() != null) {
            logMetacat.debug("D1AuthHepler.doGetSysmetaAuthorization - the session is " + session.getSubject().getValue());
        }
        ArrayList arrayList = new ArrayList();
        if (isAuthorizedBySysMetaSubjects(session, systemMetadata, permission)) {
            return;
        }
        try {
            if (isLocalNodeAdmin(session, null)) {
                return;
            }
        } catch (ServiceFailure e) {
            arrayList.add(e);
        }
        try {
            cNNodeList = getCNNodeList();
        } catch (ServiceFailure e2) {
            arrayList.add(e2);
        }
        if (isAuthoritativeMNodeAdmin(session, systemMetadata.getAuthoritativeMemberNode(), cNNodeList) || isCNAdmin(session, cNNodeList)) {
            return;
        }
        if (isReplicaMNodeAdmin(session, systemMetadata, cNNodeList)) {
            return;
        }
        try {
            if (checkExpandedPermissions(session, systemMetadata, permission)) {
                return;
            }
        } catch (ServiceFailure e3) {
            arrayList.add(e3);
        }
        if (arrayList.isEmpty()) {
            prepareAndThrowNotAuthorized(session, this.requestIdentifier, permission, this.notAuthorizedCode);
        } else {
            ServiceFailure serviceFailure = (ServiceFailure) arrayList.get(0);
            serviceFailure.setDetail_code(this.serviceFailureCode);
            throw serviceFailure;
        }
    }

    /**
     * Builds, logs at WARN and throws the {@link NotAuthorized} used by all the
     * {@code do*} methods. The message has the form
     * {@code "<permission> not allowed on <identifier> for subject[s]: <s1>; <s2>; "},
     * where the literal word {@code Permission} stands in for a {@code null}
     * permission and the identifier part is {@code null} when no identifier is given.
     * The listed subjects are the caller's expanded client subjects, so they end up
     * both in the log and in the error returned to the client.
     *
     * @param session caller's session, passed to {@link AuthUtils#authorizedClientSubjects}
     * @param identifier object identifier for the message, may be {@code null}
     * @param permission requested permission, may be {@code null}
     * @param str detail code for the thrown exception
     * @throws NotAuthorized always
     */
    protected void prepareAndThrowNotAuthorized(Session session, Identifier identifier, Permission permission, String str) throws NotAuthorized {
        Set authorizedClientSubjects = AuthUtils.authorizedClientSubjects(session);
        StringBuffer stringBuffer = new StringBuffer();
        Iterator it = authorizedClientSubjects.iterator();
        while (it.hasNext()) {
            stringBuffer.append(((Subject) it.next()).getValue() + "; ");
        }
        Object[] objArr = new Object[3];
        objArr[0] = permission == null ? "Permission" : permission;
        objArr[1] = identifier == null ? null : identifier.getValue();
        objArr[2] = stringBuffer.toString();
        String format = String.format("%s not allowed on %s for subject[s]: %s", objArr);
        logMetacat.warn(format);
        throw new NotAuthorized(str, format);
    }

    /**
     * Checks whether any of the caller's client subjects is a member of the object's
     * rights holder (via {@link #expandRightsHolder}). The {@code "public"} subject
     * is skipped (case-insensitively) so that a public rights holder never grants
     * access this way. Note that {@code permission} is not consulted here: a rights
     * holder match grants whatever was requested.
     *
     * @param session caller's session
     * @param systemMetadata provides the rights holder
     * @param permission requested permission (accepted but unused in this check)
     * @return {@code true} if some non-public client subject expands into the rights holder
     * @throws ServiceFailure with detail code {@code 1030} when
     *     {@code expandRightsHolder} raises NotImplemented, InvalidRequest or InvalidToken;
     *     a NotAuthorized from it is mapped to {@code false}
     */
    protected boolean checkExpandedPermissions(Session session, SystemMetadata systemMetadata, Permission permission) throws ServiceFailure {
        boolean z = false;
        try {
            Iterator it = AuthUtils.authorizedClientSubjects(session).iterator();
            while (true) {
                if (!it.hasNext()) {
                    break;
                }
                Subject subject = (Subject) it.next();
                if (!subject.getValue().equalsIgnoreCase("public") && expandRightsHolder(systemMetadata.getRightsHolder(), subject)) {
                    z = true;
                    break;
                }
            }
        } catch (NotAuthorized e) {
            // A NotAuthorized from the rights-holder lookup is a "no", not an error.
            z = false;
        } catch (NotImplemented | InvalidRequest | InvalidToken e2) {
            ServiceFailure serviceFailure = new ServiceFailure("1030", "Exception thrown from expandRightsHolder(): " + e2.getClass().getCanonicalName() + ":: " + e2.getDescription());
            serviceFailure.initCause(e2);
            throw serviceFailure;
        }
        return z;
    }

    /**
     * Returns the CN node list, fetching it from the CN through
     * {@code D1Client.getCN().listNodes()} the first time and serving the static
     * cache afterwards. The cache is only bypassed while it is {@code null} or holds
     * no nodes; it is never refreshed after a successful fetch.
     *
     * @return the cached or freshly fetched node list
     * @throws ServiceFailure if the CN reports NotImplemented (detail code is the
     *     empty string); other failures from the client call propagate as raised
     */
    protected NodeList getCNNodeList() throws ServiceFailure {
        if (cnList != null && cnList.getNodeList() != null && cnList.getNodeList().size() > 0) {
            logMetacat.debug("D1AuthHelper.getCNNodeList - got the cn list from the cache.");
            return cnList;
        }
        try {
            CNode cn = D1Client.getCN();
            logMetacat.debug("D1AuthHelper.getCNNodeList - got CN instance and get the cn list from the network.");
            cnList = cn.listNodes();
            return cnList;
        } catch (NotImplemented e) {
            logMetacat.error("Unexpected Error getting NodeList from getCNNodeList().  Got 'NotImplemented' from the service call!", e);
            throw new ServiceFailure("", "Could not get NodeList from the CN. got 'NotImplemented' from the service call!");
        }
    }

    /* JADX WARN: Code restructure failed: missing block: B:34:0x01b8, code lost:
    
        if (r9 != false) goto L42;
     */
    /* JADX WARN: Code restructure failed: missing block: B:35:0x01bb, code lost:
    
        edu.ucsb.nceas.metacat.dataone.D1AuthHelper.logMetacat.debug("D1AuthorizationDelegate.expandRightHolder - We can NOT find any member in the group " + r0 + " (if it is a group) matches the user " + r8.getValue());
     */
    /*
        Code decompiled incorrectly, please refer to instructions dump.
        To view partially-correct add '--show-bad-code' argument
    */
    /**
     * Decides whether {@code r8} (a client subject) is covered by the rights holder
     * {@code r7}. The body could not be decompiled; the surviving fragments above
     * suggest it resolves the rights holder as a group and looks for the user among
     * its members (possibly through {@link #isInGroups}), but this cannot be
     * confirmed from this listing. In this listing the method always throws
     * {@link UnsupportedOperationException}, which is <em>not</em> the behaviour of
     * the deployed class; callers such as {@link #checkExpandedPermissions} would
     * see an unchecked exception rather than a boolean.
     *
     * @param r7 the rights holder subject from the system metadata
     * @param r8 the client subject to test
     * @return presumably {@code true} when the client subject is the rights holder
     *     or a member of it — TODO confirm against the original source
     */
    public static boolean expandRightsHolder(org.dataone.service.types.v1.Subject r7, org.dataone.service.types.v1.Subject r8) throws org.dataone.service.exceptions.ServiceFailure, org.dataone.service.exceptions.NotImplemented, org.dataone.service.exceptions.InvalidRequest, org.dataone.service.exceptions.NotAuthorized, org.dataone.service.exceptions.InvalidToken {
        /*
            Method dump skipped, instructions count: 498
            To view this dump add '--comments-level debug' option
        */
        throw new UnsupportedOperationException("Method not decompiled: edu.ucsb.nceas.metacat.dataone.D1AuthHelper.expandRightsHolder(org.dataone.service.types.v1.Subject, org.dataone.service.types.v1.Subject):boolean");
    }

    /**
     * Returns {@code true} if {@code list} contains a group whose subject equals
     * {@code subject2} and that group has a member whose value is non-null,
     * non-blank and string-equal to {@code subject.getValue()}.
     *
     * <p>Membership is compared on the subject value string, whereas the node-admin
     * checks in this class use {@link Subject#equals}. Not referenced by any visible
     * code; presumably called from the missing {@link #expandRightsHolder} body.
     *
     * @param subject the user being tested
     * @param subject2 the group (rights holder) subject to look for
     * @param list groups to search; {@code null} yields {@code false}
     * @return whether the user is a listed member of the matching group
     */
    private static boolean isInGroups(Subject subject, Subject subject2, List<Group> list) {
        if (list != null) {
            logMetacat.debug("D1NodeService.isInGroups -  the given groups' (the returned result including groups) size is " + list.size());
            Iterator<Group> it = list.iterator();
            while (true) {
                if (!it.hasNext()) {
                    break;
                }
                Group next = it.next();
                if (next != null && next.getSubject() != null && next.getSubject().equals(subject2)) {
                    logMetacat.debug("D1NodeService.isInGroups - there is a group in the list having the subjecct " + next.getSubject().getValue() + " which matches the right holder's subject " + subject2.getValue());
                    List<Subject> hasMemberList = next.getHasMemberList();
                    if (hasMemberList != null) {
                        logMetacat.debug("D1NodeService.isInGroups - the group " + next.getSubject().getValue() + " in the cn has members");
                        for (Subject subject3 : hasMemberList) {
                            logMetacat.debug("D1NodeService.isInGroups - compare the member " + subject3.getValue() + " with the user " + subject.getValue());
                            if (subject3.getValue() != null && !subject3.getValue().trim().equals("") && subject.getValue() != null && subject3.getValue().equals(subject.getValue())) {
                                logMetacat.debug("D1NodeService.isInGroups - Find it! The member " + subject3.getValue() + " in the group " + next.getSubject().getValue() + " matches the user " + subject.getValue());
                                return true;
                            }
                        }
                    }
                }
            }
        } else {
            logMetacat.debug("D1NodeService.isInGroups -  the given group is null (the returned result does NOT have a group");
        }
        return false;
    }

    /**
     * Convenience for {@link #isLocalNodeAdmin} restricted to a local node of type MN.
     *
     * @param session caller's session, may be {@code null}
     * @return whether the caller administers this node and this node is an MN
     * @throws ServiceFailure propagated from {@link #isLocalNodeAdmin}
     */
    public boolean isLocalMNAdmin(Session session) throws ServiceFailure {
        return isLocalNodeAdmin(session, NodeType.MN);
    }

    /**
     * Convenience for {@link #isLocalNodeAdmin} restricted to a local node of type CN.
     *
     * @param session caller's session, may be {@code null}
     * @return whether the caller administers this node and this node is a CN
     * @throws ServiceFailure propagated from {@link #isLocalNodeAdmin}
     */
    public boolean isLocalCNAdmin(Session session) throws ServiceFailure {
        return isLocalNodeAdmin(session, NodeType.CN);
    }

    /**
     * Checks whether one of the caller's client subjects appears in the local node's
     * own subject list, as reported by {@code MNodeService.getCapabilities()}.
     *
     * @param session caller's session; {@code null} yields {@code false}. A non-null
     *     session whose subject is {@code null} is dereferenced for logging below and
     *     would raise a NullPointerException rather than return {@code false}.
     * @param nodeType when non-null, the local node must be of this type for the
     *     check to pass; {@code null} accepts any node type
     * @return whether the caller is an administrator of the local node
     * @throws ServiceFailure propagated from the capabilities lookup
     */
    protected boolean isLocalNodeAdmin(Session session, NodeType nodeType) throws ServiceFailure {
        boolean z = false;
        if (session == null) {
            logMetacat.debug("In isLocalNodeAdmin(), session is null ");
            return false;
        }
        logMetacat.debug("In isLocalNodeAdmin(), MN authorization for the user " + session.getSubject().getValue());
        Node capabilities = MNodeService.getInstance(this.request).getCapabilities();
        logMetacat.debug("In isLocalNodeAdmin(), Node reference is: " + capabilities.getIdentifier().getValue());
        Set authorizedClientSubjects = AuthUtils.authorizedClientSubjects(session);
        if (nodeType == null || capabilities.getType() == nodeType) {
            // NOTE(review): a null subject list from getCapabilities() would fail the
            // for-each below with a NullPointerException; no guard is present here.
            List<Subject> subjectList = capabilities.getSubjectList();
            if (authorizedClientSubjects != null) {
                Iterator it = authorizedClientSubjects.iterator();
                loop0: while (true) {
                    if (!it.hasNext()) {
                        break;
                    }
                    Subject subject = (Subject) it.next();
                    for (Subject subject2 : subjectList) {
                        logMetacat.debug("In isLocalNodeAdmin(), comparing subjects: " + subject2.getValue() + " and the user" + subject.getValue());
                        if (subject2.equals(subject)) {
                            z = true;
                            break loop0;
                        }
                    }
                }
            }
        }
        logMetacat.debug("In is isLocalNodeAdmin method. Is this a local node admin? " + z);
        return z;
    }

    /**
     * Evaluates the object's access policy and rights holder for the caller's
     * expanded client subjects, delegating the decision to
     * {@link AuthUtils#isAuthorized}. At DEBUG level every expanded subject is logged.
     *
     * @param session caller's session, passed to {@link AuthUtils#authorizedClientSubjects}
     * @param systemMetadata system metadata holding the access policy
     * @param permission permission to test
     * @return the result of {@code AuthUtils.isAuthorized}
     */
    protected boolean isAuthorizedBySysMetaSubjects(Session session, SystemMetadata systemMetadata, Permission permission) {
        Set authorizedClientSubjects = AuthUtils.authorizedClientSubjects(session);
        if (logMetacat.isDebugEnabled() && authorizedClientSubjects != null) {
            Iterator it = authorizedClientSubjects.iterator();
            while (it.hasNext()) {
                logMetacat.debug("=================== The equalvent subject is " + ((Subject) it.next()).getValue());
            }
        }
        return AuthUtils.isAuthorized(authorizedClientSubjects, permission, systemMetadata);
    }

    /**
     * Checks whether the session subject administers a member node that holds a
     * replica of the object: nodes are selected from {@code nodeList} for the
     * session's primary subject (only, not the expanded subject set) with
     * {@link NodelistUtil#selectNode}, and the check passes if any selected node's
     * identifier equals some replica's member node.
     *
     * @param session caller's session; {@code null} or a null subject yields {@code false}
     * @param systemMetadata provides the replica list; a {@code null} list yields {@code false}
     * @param nodeList CN node list to search
     * @return whether the caller administers a replica-holding node
     */
    protected boolean isReplicaMNodeAdmin(Session session, SystemMetadata systemMetadata, NodeList nodeList) {
        boolean z = false;
        Subject subject = session == null ? null : session.getSubject();
        List replicaList = systemMetadata.getReplicaList();
        if (replicaList != null && subject != null) {
            Set selectNode = NodelistUtil.selectNode(nodeList, subject);
            if (selectNode.size() > 0) {
                Iterator it = replicaList.iterator();
                loop0: while (true) {
                    if (!it.hasNext()) {
                        break;
                    }
                    NodeReference replicaMemberNode = ((Replica) it.next()).getReplicaMemberNode();
                    Iterator it2 = selectNode.iterator();
                    while (it2.hasNext()) {
                        if (((Node) it2.next()).getIdentifier().equals(replicaMemberNode)) {
                            z = true;
                            break loop0;
                        }
                    }
                }
            }
        }
        return z;
    }

    /**
     * Checks whether one of the caller's client subjects is listed as a subject of
     * the node identified by {@code nodeReference} in {@code nodeList}.
     *
     * @param session caller's session; {@code null} yields {@code false}
     * @param nodeReference the authoritative member node; {@code null} yields {@code false}
     * @param nodeList CN node list; {@code null}, or a list without the node, yields {@code false}
     * @return whether the caller administers the referenced node
     */
    protected boolean isAuthoritativeMNodeAdmin(Session session, NodeReference nodeReference, NodeList nodeList) {
        Set<Subject> authorizedClientSubjects;
        Node findNode;
        boolean z = false;
        if (session == null || nodeReference == null || nodeList == null || (authorizedClientSubjects = AuthUtils.authorizedClientSubjects(session)) == null || (findNode = NodelistUtil.findNode(nodeList, nodeReference)) == null) {
            return false;
        }
        List subjectList = findNode.getSubjectList();
        if (subjectList != null) {
            Iterator it = subjectList.iterator();
            loop0: while (true) {
                if (!it.hasNext()) {
                    break;
                }
                Subject subject = (Subject) it.next();
                for (Subject subject2 : authorizedClientSubjects) {
                    logMetacat.debug("D1NodeService.isAuthoritativeMNodeAdmin(), comparing subjects: " + subject.getValue() + " and " + subject2.getValue());
                    if (subject != null && subject.equals(subject2)) {
                        z = true;
                        break loop0;
                    }
                }
            }
        }
        return z;
    }

    /**
     * Checks whether one of the caller's client subjects is listed as a subject of
     * any node of type CN in {@code nodeList}.
     *
     * @param session caller's session; {@code null} or a null subject yields {@code false}
     * @param nodeList CN node list; {@code null} or empty yields {@code false}
     * @return whether the caller administers some CN
     */
    protected boolean isCNAdmin(Session session, NodeList nodeList) {
        List nodeList2;
        boolean z = false;
        logMetacat.debug("D1NodeService.isCNAdmin - the beginning");
        if (session == null || session.getSubject() == null || nodeList == null || (nodeList2 = nodeList.getNodeList()) == null || nodeList2.size() == 0) {
            return false;
        }
        Set<Subject> authorizedClientSubjects = AuthUtils.authorizedClientSubjects(session);
        Iterator it = nodeList2.iterator();
        loop0: while (true) {
            if (!it.hasNext()) {
                break;
            }
            Node node = (Node) it.next();
            NodeReference identifier = node.getIdentifier();
            if (logMetacat.isDebugEnabled()) {
                logMetacat.debug("In isCNAdmin(), a Node reference from the CN node list is: " + identifier.getValue());
            }
            // Only CN-type entries count; MN entries in the same list are ignored.
            // NOTE(review): a null subject list on a CN node would raise a
            // NullPointerException in the for-each; no guard is present here.
            if (node.getType() == NodeType.CN) {
                for (Subject subject : node.getSubjectList()) {
                    if (authorizedClientSubjects != null) {
                        for (Subject subject2 : authorizedClientSubjects) {
                            if (logMetacat.isDebugEnabled()) {
                                logMetacat.debug("In isCNAdmin(), comparing subjects: " + subject.getValue() + " and the user " + subject2.getValue());
                            }
                            if (subject.equals(subject2)) {
                                z = true;
                                break loop0;
                            }
                        }
                    }
                }
            }
        }
        if (logMetacat.isDebugEnabled()) {
            logMetacat.debug("D1NodeService.isCNAdmin. Is it a cn admin? " + z);
        }
        return z;
    }
}
