package be.iminds.ilabt.jfed.lowlevel;

import be.iminds.ilabt.jfed.lowlevel.TestbedInfoSource;
import be.iminds.ilabt.jfed.util.GeniUrn;
import be.iminds.ilabt.jfed.util.JFedTrustStore;
import be.iminds.ilabt.jfed.util.KeyUtil;
import be.iminds.ilabt.jfed.util.RFC3339Util;
import be.iminds.ilabt.jfed.util.XmlUtil;
import java.io.IOException;
import java.io.StringReader;
import java.security.Key;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import java.text.ParseException;
import java.util.ArrayList;
import java.util.Date;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import java.util.Objects;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;
import javax.xml.transform.TransformerException;
import javax.xml.transform.stream.StreamSource;
import org.apache.http.cookie.ClientCookie;
import org.apache.log4j.spi.Configurator;
import org.apache.xml.security.exceptions.XMLSecurityException;
import org.apache.xml.security.utils.Constants;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.w3c.dom.Attr;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NamedNodeMap;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

/* loaded from: input_file:be/iminds/ilabt/jfed/lowlevel/AbacCredential.class */
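/**
 * An ABAC credential wrapped in the ProtoGENI {@code <signed-credential>} envelope.
 *
 * <p>The XML is parsed lazily by {@link #process()} to extract the RT0 head/tail key ids, the head role,
 * the expiry text and the X.509 certificates embedded in the enclosed XML signatures. A credential whose
 * head role starts with {@code speaks_for_} is a "speaks-for" credential: the signer certificate must then
 * carry the key id named in that role, and the signer's URN and public key are exposed through
 * {@link #getSpokenForUrn()} and {@link #getSpokenForPubKey()}.
 *
 * <p>Instances are not thread-safe: {@link #process()} fills the lazily-initialised fields without locking.
 */
public class AbacCredential extends AnyCredential {
    private static final Logger LOG = LoggerFactory.getLogger(AbacCredential.class);

    /** Namespace of the ProtoGENI credential schema. Kept for reference; not used by the parser below. */
    private static final String CREDENTIAL_NAMESPACE_URI = "http://www.protogeni.net/resources/credential/credential.xsd";

    private static final String PEM_CERT_HEADER = "-----BEGIN CERTIFICATE-----";
    private static final String PEM_CERT_FOOTER = "-----END CERTIFICATE-----";
    /** Head-role prefix that marks a credential as a speaks-for credential; the key id of the spoken-for principal follows it. */
    private static final String SPEAKS_FOR_ROLE_PREFIX = "speaks_for_";

    protected String name;
    protected String credentialXml;
    protected String type;
    protected String version;

    // Everything below is filled lazily by process().
    private boolean processed;
    private boolean speaksFor;
    private GeniUrn spokenForUrn;
    private PublicKey spokenForPubKey;
    private List<String> signerCerts;
    protected String headKeyId;
    protected String tailKeyId;
    protected String headRole;
    protected String expiresText;

    /**
     * Creates a credential from its signed XML. Parsing is deferred until a getter needs it.
     *
     * @param name          human readable name of the credential
     * @param credentialXml the complete {@code <signed-credential>} document; must not be {@code null}
     * @param type          credential type; expected to be {@code abac} or {@code geni_abac} (checked by assertion only)
     * @param version       credential version string
     * @throws RuntimeException if {@code credentialXml} is {@code null}
     */
    public AbacCredential(String name, String credentialXml, String type, String version) {
        super(name, credentialXml, type, version);
        this.processed = false;
        this.name = name;
        this.credentialXml = credentialXml;
        this.type = type;
        this.version = version;
        assert type.equalsIgnoreCase("abac") || type.equalsIgnoreCase("geni_abac")
                : "Created AbacCredential not of type abac/geni_abac, but of type=\"" + type + "\" version=\"" + version + "\"";
        if (credentialXml == null) {
            throw new RuntimeException("AbacCredential credentialXml may not be null");
        }
    }

    /**
     * Returns the raw text of the {@code <expires>} element, or {@code null} when the credential has none.
     */
    @Override
    public String getExpires() {
        process(); // expiresText is only populated by the parser
        return this.expiresText;
    }

    /**
     * Returns the expiry as a {@link Date}, or {@code null} when the credential has no {@code <expires>} element.
     *
     * @throws RuntimeException if the expiry text is not a valid ISO 8601 date
     */
    @Override
    public Date getExpiresDate() {
        process();
        if (this.expiresText == null) {
            return null;
        }
        try {
            return RFC3339Util.iso8601StringToDate(this.expiresText);
        } catch (ParseException e) {
            throw new RuntimeException("Invalid date in ABAC credential expires: \"" + this.expiresText + "\"", e);
        }
    }

    /** Returns the signed credential XML exactly as given to the constructor. */
    @Override
    public String getCredentialXml() {
        assert this.credentialXml != null;
        return this.credentialXml;
    }

    /** Whether the head role starts with {@code speaks_for_}; {@code false} if the XML could not be parsed. */
    @Override
    public boolean isSpeaksFor() {
        process();
        return this.speaksFor;
    }

    /**
     * The URN of the spoken-for principal, derived from the signer certificate's subject alt names,
     * or {@code null} for non speaks-for credentials or when no candidate URN was found.
     */
    public GeniUrn getSpokenForUrn() {
        process();
        return this.spokenForUrn;
    }

    /** The public key of the signer of a speaks-for credential, or {@code null} when not applicable. */
    public PublicKey getSpokenForPubKey() {
        process();
        return this.spokenForPubKey;
    }

    /** Key id found in {@code <head><ABACprincipal><keyid>}, or {@code null} if absent. */
    public String getHeadKeyId() {
        process(); // only populated by the parser
        return this.headKeyId;
    }

    /** Key id found in {@code <tail><ABACprincipal><keyid>}, or {@code null} if absent. */
    public String getTailKeyId() {
        process(); // only populated by the parser
        return this.tailKeyId;
    }

    /** Trimmed text of {@code <head><role>}, or {@code null} if absent. */
    public String getHeadRole() {
        process(); // only populated by the parser
        return this.headRole;
    }

    /**
     * Parses the credential XML once and fills the lazily-initialised fields.
     *
     * <p>A parse error is logged and leaves the credential marked as non speaks-for with no signer
     * certificates (best effort, as callers are plain getters). For a speaks-for credential the signer
     * certificates are then resolved, see {@link #resolveSpokenFor()}.
     *
     * @throws RuntimeException if this is a speaks-for credential whose signer key id does not match the
     *                          key id named in the head role
     */
    private void process() {
        if (this.processed) {
            return;
        }
        this.processed = true;
        this.speaksFor = false;
        this.signerCerts = new ArrayList<String>();
        this.spokenForUrn = null;
        this.spokenForPubKey = null;

        parseCredentialXml();
        if (this.speaksFor) {
            resolveSpokenFor();
        }
    }

    /**
     * Runs the StAX scan over {@link #credentialXml}. On {@link XMLStreamException} the error is logged and
     * {@link #speaksFor} is reset to {@code false}; any partially extracted values are kept, as before.
     */
    private void parseCredentialXml() {
        XMLInputFactory factory = XMLInputFactory.newFactory();
        // The credential may originate from a remote party: never process DTDs or resolve external entities.
        factory.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        // Deliver each text node as one CHARACTERS event, so keyid/expires/role are not truncated to their last chunk.
        factory.setProperty(XMLInputFactory.IS_COALESCING, Boolean.TRUE);

        XMLStreamReader reader = null;
        try {
            reader = factory.createXMLStreamReader(new StreamSource(new StringReader(this.credentialXml)));
            scanCredential(reader);
        } catch (XMLStreamException e) {
            LOG.error("Exception while parsing ABAC credential", e);
            this.speaksFor = false;
        } finally {
            closeQuietly(reader);
        }
    }

    /**
     * Walks the element stream and records head/tail key ids, head role, expiry and signer certificates.
     * Element nesting is tracked with flags so that, e.g., a {@code <keyid>} is only taken inside
     * {@code <head>} or {@code <tail>} of the {@code <abac>} block, and {@code <X509Certificate>} only inside
     * {@code <signatures>/<Signature>/<KeyInfo>/<X509Data>}.
     */
    private void scanCredential(XMLStreamReader reader) throws XMLStreamException {
        boolean inSignedCredential = false;
        boolean inCredential = false;
        boolean inExpires = false;
        boolean inAbac = false;
        boolean inHead = false;
        boolean inTail = false;
        boolean inKeyId = false;
        boolean inRole = false;
        boolean inSignatures = false;
        boolean inSignature = false;
        boolean inKeyInfo = false;
        boolean inX509Data = false;
        boolean inX509Certificate = false;
        StringBuilder certText = new StringBuilder();

        while (reader.hasNext()) {
            int event = reader.next();
            if (event == XMLStreamReader.START_ELEMENT) {
                String tag = reader.getLocalName();
                if (tag.equals("signed-credential")) {
                    inSignedCredential = true;
                } else if (tag.equals("credential")) {
                    inCredential = inCredential || inSignedCredential;
                } else if (tag.equals("expires")) {
                    inExpires = inExpires || inCredential;
                } else if (tag.equals("abac")) {
                    inAbac = inAbac || inCredential;
                } else if (tag.equals("head")) {
                    inHead = inHead || inAbac;
                } else if (tag.equals("tail")) {
                    inTail = inTail || inAbac;
                } else if (tag.equals("role")) {
                    inRole = inRole || inHead;
                } else if (tag.equals("keyid")) {
                    inKeyId = inKeyId || inHead || inTail;
                } else if (tag.equals("signatures")) {
                    inSignatures = inSignatures || inSignedCredential;
                } else if (tag.equals("Signature")) {
                    inSignature = inSignature || inSignatures;
                } else if (tag.equals("KeyInfo")) {
                    inKeyInfo = inKeyInfo || inSignature;
                } else if (tag.equals("X509Data")) {
                    inX509Data = inX509Data || inKeyInfo;
                } else if (tag.equals("X509Certificate") && inX509Data) {
                    inX509Certificate = true;
                    certText.setLength(0);
                }
            } else if (event == XMLStreamReader.END_ELEMENT) {
                String tag = reader.getLocalName();
                if (tag.equals("signed-credential") && inSignedCredential) {
                    inSignedCredential = false;
                } else if (tag.equals("credential") && inCredential) {
                    // previously gated on the <signatures> flag, so <credential> was never marked closed
                    inCredential = false;
                } else if (tag.equals("abac") && inCredential) {
                    inAbac = false;
                } else if (tag.equals("expires") && inCredential) {
                    inExpires = false;
                } else if (tag.equals("head") && inAbac) {
                    inHead = false;
                } else if (tag.equals("tail") && inAbac) {
                    inTail = false;
                } else if (tag.equals("role") && inHead) {
                    inRole = false;
                } else if (tag.equals("keyid") && (inHead || inTail)) {
                    inKeyId = false;
                } else if (tag.equals("signatures") && inSignedCredential) {
                    inSignatures = false;
                } else if (tag.equals("Signature") && inSignatures) {
                    inSignature = false;
                } else if (tag.equals("KeyInfo") && inSignature) {
                    inKeyInfo = false;
                } else if (tag.equals("X509Data") && inKeyInfo) {
                    inX509Data = false;
                } else if (tag.equals("X509Certificate") && inX509Data) {
                    addSignerCert(certText.toString());
                    inX509Certificate = false;
                    certText.setLength(0);
                }
            } else if (event == XMLStreamReader.CHARACTERS) {
                String text = reader.getText();
                if (inRole && text != null) {
                    this.headRole = text.trim();
                    this.speaksFor = this.headRole.toLowerCase(Locale.ROOT).startsWith(SPEAKS_FOR_ROLE_PREFIX);
                }
                if (inExpires && text != null) {
                    this.expiresText = text.trim();
                }
                if (inHead && inKeyId && text != null) {
                    this.headKeyId = text.trim();
                }
                if (inTail && inKeyId && text != null) {
                    this.tailKeyId = text.trim();
                }
                if (inX509Certificate) {
                    certText.append(text);
                }
            }
        }
    }

    /**
     * Stores the text of one {@code <X509Certificate>} element as PEM. Bare base64 (as XML-DSig writes it)
     * is wrapped in PEM armour; text that already starts with the PEM header is kept as is. Blank text is
     * ignored. The text is trimmed before the header check, so leading whitespace no longer causes an
     * already-armoured certificate to be wrapped twice.
     */
    private void addSignerCert(String elementText) {
        String pem = elementText.trim();
        if (pem.isEmpty()) {
            return;
        }
        if (!pem.startsWith(PEM_CERT_HEADER)) {
            pem = PEM_CERT_HEADER + "\n" + pem + "\n" + PEM_CERT_FOOTER;
        }
        this.signerCerts.add(pem);
    }

    /**
     * For a speaks-for credential: derives the spoken-for URN from the signer certificates (subject alt
     * name URNs minus issuer alt name URNs), records the signer public key and verifies that every signer's
     * key id equals the key id named in the head role.
     *
     * @throws RuntimeException if a signer certificate's key id differs from the spoken-for key id
     */
    private void resolveSpokenFor() {
        assert this.speaksFor;

        List<X509Certificate> signers = new ArrayList<X509Certificate>();
        for (String pem : this.signerCerts) {
            X509Certificate cert = KeyUtil.pemToX509Certificate(pem);
            if (cert == null) {
                LOG.warn("Failed to convert signerCert to X509 certificate: \"\"\"\n" + pem + "\n\"\"\"");
            } else {
                signers.add(cert);
            }
        }

        List<GeniUrn> subjectUrns = new ArrayList<GeniUrn>();
        List<GeniUrn> issuerUrns = new ArrayList<GeniUrn>();
        for (X509Certificate cert : signers) {
            subjectUrns.addAll(KeyUtil.findUrnsInCertAltNames(cert, KeyUtil.AltNamesSource.SUBJECT_ALT_NAMES, false));
            issuerUrns.addAll(KeyUtil.findUrnsInCertAltNames(cert, KeyUtil.AltNamesSource.ISSUES_ALT_NAMES, false));
        }
        List<GeniUrn> candidates = new ArrayList<GeniUrn>(subjectUrns);
        candidates.removeAll(issuerUrns);
        if (candidates.isEmpty()) {
            // NOTE(review): speaksFor stays true here although no spoken-for URN was found, and the
            // key-id check below is skipped; kept as in the original.
            return;
        }
        if (candidates.size() > 1) {
            LOG.warn("More than 1 possible user urn in speaksFor credential signer subject alt names: " + candidates);
        }
        this.spokenForUrn = candidates.get(0);

        String spokenForKeyId = this.headRole.substring(SPEAKS_FOR_ROLE_PREFIX.length());
        for (X509Certificate cert : signers) {
            this.spokenForPubKey = cert.getPublicKey(); // last signer wins, as before
            String signerKeyId = generateKeyId(cert);
            if (!signerKeyId.equals(spokenForKeyId)) {
                throw new RuntimeException("AbacCredential credential is speaksfor, but signer does not match spoken for: signer="
                        + signerKeyId + " spokenForKeyId=" + spokenForKeyId);
            }
        }
    }

    /** Closes a StAX reader, logging (not propagating) a failure to close. */
    private static void closeQuietly(XMLStreamReader reader) {
        if (reader == null) {
            return;
        }
        try {
            reader.close();
        } catch (XMLStreamException e) {
            LOG.error("Exception closing streamReader is ignored", e);
        }
    }

    /**
     * Builds a trust store from the authorities named in the signer certificates' alt names and checks the
     * credential against it.
     *
     * @param testbedInfoSource used to look up the authority certificate for each URN
     * @return the result of {@code check(KeyStore)} against the assembled trust store
     * @throws CredentialException propagated from the trust-store based check
     */
    @Override
    public boolean check(TestbedInfoSource testbedInfoSource) throws CredentialException {
        process();
        JFedTrustStore trustStore = new JFedTrustStore();
        for (String pem : this.signerCerts) {
            X509Certificate cert = KeyUtil.pemToX509Certificate(pem);
            if (cert == null) {
                // Same handling as process(): an unparsable signer contributes no authority to the trust store.
                LOG.warn("Failed to convert signerCert to X509 certificate: \"\"\"\n" + pem + "\n\"\"\"");
                continue;
            }
            List<GeniUrn> urns = new ArrayList<GeniUrn>();
            urns.addAll(KeyUtil.findUrnsInCertAltNames(cert, KeyUtil.AltNamesSource.SUBJECT_ALT_NAMES, false));
            urns.addAll(KeyUtil.findUrnsInCertAltNames(cert, KeyUtil.AltNamesSource.ISSUES_ALT_NAMES, false));
            for (GeniUrn urn : urns) {
                trustStore.addAuthorityCert(testbedInfoSource.getFromAnyUrn(urn,
                        TestbedInfoSource.SubAuthMatchAllowed.ALLOW_TOPLEVEL,
                        TestbedInfoSource.SubAuthMatchPreference.PREFER_EXACT_SUBAUTHORITY));
            }
        }
        return check(trustStore.getTrustStore());
    }

    /**
     * Returns the subject DN of a certificate for display purposes, or the string {@code "null"} when the
     * certificate is {@code null}.
     */
    public static String getGeniSubjectName(X509Certificate cert) {
        return cert == null ? "null" : cert.getSubjectDN().getName();
    }

    /**
     * Derives the ABAC key id of a certificate: the lowercase hex SHA-1 of the PKCS#1 encoding of its RSA
     * public key. {@link #process()} compares this value with the key id an issuer embedded in the head
     * role, and {@link #createSpeaksFor} embeds it, so the digest algorithm is part of the credential format
     * and cannot be changed unilaterally.
     *
     * @throws IllegalArgumentException if the certificate's public key is not an RSA key
     * @throws RuntimeException if the JVM has no SHA-1 implementation
     */
    public static String generateKeyId(X509Certificate cert) {
        PublicKey publicKey = cert.getPublicKey();
        if (!(publicKey instanceof RSAPublicKey)) {
            throw new IllegalArgumentException("ABAC key ids can only be derived from RSA public keys, got "
                    + (publicKey == null ? "null" : publicKey.getAlgorithm()));
        }
        try {
            MessageDigest sha1 = MessageDigest.getInstance("SHA-1");
            byte[] digest = sha1.digest(KeyUtil.getPublicKeyPKCS1((RSAPublicKey) publicKey));
            StringBuilder hex = new StringBuilder(digest.length * 2);
            for (byte b : digest) {
                hex.append(String.format("%02x", b));
            }
            return hex.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new RuntimeException("This java has no support for SHA-1", e);
        }
    }

    /**
     * Creates and signs a speaks-for credential: {@code speakerCert} (tail) may speak for {@code userCert}
     * (head, role {@code speaks_for_<keyid of userCert>}). The document is signed with {@code userKey}
     * and {@code userCert}, so the signer matches the key id named in the head role as
     * {@link #process()} requires.
     *
     * @param expires     expiry of the credential
     * @param speakerCert certificate of the principal that will speak (tail)
     * @param userCert    certificate of the principal spoken for (head); also the signing certificate
     * @param userKey     private key matching {@code userCert}, used to sign
     * @return the signed credential, of type {@code abac} version {@code 1.1}
     * @throws CredentialException if the XML cannot be built or signed
     */
    public static AbacCredential createSpeaksFor(Date expires, X509Certificate speakerCert, X509Certificate userCert, Key userKey)
            throws CredentialException {
        String userKeyId = generateKeyId(userCert).toLowerCase(Locale.ROOT);
        String speakerKeyId = generateKeyId(speakerCert).toLowerCase(Locale.ROOT);
        String xml = "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"no\"?>\n"
                + "<signed-credential xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\"\n"
                + "xsi:noNamespaceSchemaLocation=\"http://www.protogeni.net/resources/credential/credential.xsd\"\n"
                + "xsi:schemaLocation=\"http://www.protogeni.net/resources/credential/ext/policy/1\n"
                + "http://www.protogeni.net/resources/credential/ext/policy/1/policy.xsd\">\n"
                + "  <credential xml:id=\"_0\">\n\n"
                + "        <type>abac</type>\n"
                + "        <serial/>\n"
                + "        <owner_gid/>\n"
                + "        <target_gid/>\n"
                + "        <uuid/>\n"
                + "        <expires>" + RFC3339Util.dateToRFC3339String(expires, true) + "</expires>\n"
                + "        <abac>\n"
                + "            <rt0>\n"
                + "                <version>1.1</version>\n"
                + "                <head>\n"
                + "   <ABACprincipal><keyid>" + userKeyId + "</keyid></ABACprincipal>\n"
                + "   <role>speaks_for_" + userKeyId + "</role>\n"
                + "</head>\n"
                + "<tail>\n"
                + "   <ABACprincipal><keyid>" + speakerKeyId + "</keyid></ABACprincipal>\n"
                + "</tail>\n\n"
                + "            </rt0>\n"
                + "        </abac>\n\n"
                + "</credential>\n"
                + "  <signatures>\n"
                + "  </signatures>\n"
                + "</signed-credential>";
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setNamespaceAware(true);
        try {
            // The document is generated locally, but a DOCTYPE is never expected; refuse one outright.
            factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
            Document doc = factory.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
            Element root = doc.getDocumentElement();
            assert root != null;
            assert root.getTagName() != null;
            assert root.getTagName().equals("signed-credential");
            NodeList credentials = root.getElementsByTagName("credential");
            assert credentials.getLength() == 1;
            LOG.debug("Need to mark {} <credential> xml:id attributes as xml IDs", credentials.getLength());
            // The signature references "_0" by ID, so xml:id must be registered as an ID attribute on the DOM.
            for (int i = 0; i < credentials.getLength(); i++) {
                Node item = credentials.item(i);
                if (item.getNodeType() != Node.ELEMENT_NODE) {
                    continue;
                }
                Element element = (Element) item;
                NamedNodeMap attributes = element.getAttributes();
                for (int j = 0; j < attributes.getLength(); j++) {
                    Attr attr = (Attr) attributes.item(j);
                    if (attr.getName().equals("xml:id")) {
                        LOG.debug("Marking <credential> Attribute as id: {}", attr);
                        element.setIdAttributeNode(attr, true);
                    } else {
                        LOG.debug("<credential> Attribute is not id: '{}' : '{}' -> {}", attr.getNamespaceURI(), attr.getName(), attr);
                    }
                }
            }
            try {
                String description = "speaksFor credential allowing " + getGeniSubjectName(speakerCert)
                        + " to speak for " + getGeniSubjectName(userCert);
                return new AbacCredential(description, XmlUtil.signXml(doc, "_0", "signatures", userCert, userKey), "abac", "1.1");
            } catch (TransformerException e) {
                throw new CredentialException("Failed to sign generated credential: " + e.getMessage(), e);
            } catch (XMLSecurityException e) {
                throw new CredentialException("Failed to sign generated credential: " + e.getMessage(), e);
            }
        } catch (IOException e) {
            throw new CredentialException("Failed to create credential: " + e.getMessage(), e);
        } catch (ParserConfigurationException e) {
            throw new CredentialException("Failed to create credential: " + e.getMessage(), e);
        } catch (SAXException e) {
            throw new CredentialException("Failed to create credential: " + e.getMessage(), e);
        }
    }

    /** Two credentials are equal when they have the same XML and the same name (null-safe for the name). */
    @Override
    public boolean equals(Object obj) {
        if (this == obj) {
            return true;
        }
        if (obj == null || getClass() != obj.getClass()) {
            return false;
        }
        AbacCredential other = (AbacCredential) obj;
        return this.credentialXml.equals(other.credentialXml) && Objects.equals(this.name, other.name);
    }

    /** Consistent with {@link #equals(Object)}; same value as before for a non-null name. */
    @Override
    public int hashCode() {
        return (31 * Objects.hashCode(this.name)) + this.credentialXml.hashCode();
    }
}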
