package eu.emi.emir.security;

import com.sun.jersey.api.client.ClientResponse;
import com.sun.jersey.spi.container.ContainerRequest;
import com.sun.jersey.spi.container.ContainerRequestFilter;
import eu.emi.emir.EMIRServer;
import eu.emi.emir.client.util.Log;
import eu.emi.emir.util.FileWatcher;
import java.io.BufferedReader;
import java.io.File;
import java.io.FileNotFoundException;
import java.io.FileReader;
import java.io.IOException;
import java.security.cert.X509Certificate;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.TimeUnit;
import javax.security.auth.x500.X500Principal;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import org.apache.log4j.Logger;

/* loaded from: input_file:eu/emi/emir/security/ACLFilter.class */
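/**
 * Jersey request filter that identifies the caller from the TLS client certificate and, for the
 * administrative path, authorises the caller against a distinguished-name (DN) access control list.
 *
 * <p>The ACL file holds one entry per line in the form {@code <DN> :: <role>}; blank lines and lines
 * starting with {@code #} are ignored. Entries are keyed by {@link X500Principal#getName()}, and the
 * DN taken from the request certificate is rendered the same way, so the lookup is an exact string
 * match on that rendering.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>The ACL check runs only when both SSL and ACL access control are enabled in the server
 *       security properties. Otherwise no client is resolved and {@code null} is stored under
 *       {@code SecurityManager.CLIENT}; downstream code must treat that as unauthenticated.</li>
 *   <li>Only a request path equal (ignoring case) to {@code serviceadmin} is checked against the ACL.
 *       NOTE(review): confirm that no trailing-slash or sub-resource variant of that path is routed
 *       to an administrative resource, because such a path would not be matched here.</li>
 *   <li>The ACL file is read with the platform default charset. NOTE(review): confirm this matches
 *       how the file is written if DNs can contain non-ASCII characters.</li>
 * </ul>
 */
public class ACLFilter implements ContainerRequestFilter {
    /** Request attribute under which the servlet container exposes the client certificate chain. */
    private static final String CLIENT_CERT_ATTRIBUTE = "javax.servlet.request.X509Certificate";

    /** The only request path that is subject to the ACL check. */
    private static final String ADMIN_PATH = "serviceadmin";

    private static final Logger logger = Log.getLogger("emir.security", ACLFilter.class);

    /** Role names that an ACL entry must carry for admin access to be granted. */
    private static final Set<String> roles = new HashSet<String>();

    static {
        roles.add("serviceowner");
        roles.add(IAttributeSource.ROLE_ADMIN);
    }

    private final File aclFile;
    private FileWatcher watchDog;

    // Written by the constructor only; nothing in this class reads it.
    private boolean active;

    /** DN (as rendered by X500Principal.getName()) to role name. Guarded by its own monitor. */
    private final Map<String, String> acceptedDNs;

    @Context
    HttpServletRequest httpRequest;

    /**
     * Creates a filter backed by the ACL file named in the server security properties.
     *
     * @throws IOException declared for callers; see the server security properties accessor
     */
    public ACLFilter() throws IOException {
        this(new File(EMIRServer.getServerSecurityProperties().getACLConfigurationFile()));
    }

    /**
     * Creates a filter backed by the given ACL file.
     *
     * <p>If the file does not exist the ACL stays empty, so every admin request that reaches
     * {@link #checkAccess(String)} is denied. If it exists it is loaded once and a
     * {@link FileWatcher} is scheduled to call {@link #readACL()} again.
     *
     * @param file the ACL file
     */
    public ACLFilter(File file) {
        this.acceptedDNs = new HashMap<String, String>();
        this.aclFile = file;
        if (!file.exists()) {
            logger.warn("ACL not active: file <" + file + "> does not exist");
            this.active = false;
            this.watchDog = null;
            return;
        }
        this.active = true;
        logger.info("EMIR using ACL file " + file);
        readACL();
        try {
            this.watchDog = new FileWatcher(file, new Runnable() {
                @Override
                public void run() {
                    ACLFilter.this.readACL();
                }
            });
            // presumably a 3 second polling interval; confirm against FileWatcher.schedule
            this.watchDog.schedule(3000, TimeUnit.MILLISECONDS);
        } catch (FileNotFoundException e) {
            // The initial load above still applies; later edits to the file will not be picked up.
            Log.logException("Invalid file path: " + file, e, logger);
        }
    }

    /**
     * Resolves the calling client and stores it on the servlet request under
     * {@code SecurityManager.CLIENT}.
     *
     * @param containerRequest the incoming request
     * @return the same request, unchanged
     * @throws WebApplicationException with status 401 when SSL and ACL control are enabled and the
     *     request carries no client certificate, or when the admin path is requested by a DN that
     *     the ACL does not authorise
     */
    @Override
    public ContainerRequest filter(ContainerRequest containerRequest) throws WebApplicationException {
        Client client = null;
        String path = containerRequest.getPath();
        boolean sslEnabled = EMIRServer.getServerSecurityProperties().isSslEnabled();
        if (sslEnabled && EMIRServer.getServerSecurityProperties().isACLAccessControlEnabled()) {
            String dn = clientDistinguishedName();
            if (ADMIN_PATH.equalsIgnoreCase(path)) {
                client = checkAccess(dn);
            } else {
                client = new Client();
                client.setDistinguishedName(dn);
            }
        }
        if (logger.isDebugEnabled() && !"favicon.ico".equalsIgnoreCase(path)) {
            // client is null when SSL or ACL control is disabled; dereferencing it here used to
            // fail every request as soon as debug logging was switched on.
            String dn = client == null ? "<none>" : client.getDistinguishedName();
            logger.debug("Accessing resource: '" + path + "' with DN: " + dn);
        }
        this.httpRequest.setAttribute(SecurityManager.CLIENT, client);
        return containerRequest;
    }

    /**
     * Returns the subject DN of the first certificate in the request's client certificate chain.
     *
     * <p>Fails closed with a 401 when the attribute is absent, empty or of an unexpected type,
     * instead of letting a NullPointerException or ClassCastException surface as a server error.
     */
    private String clientDistinguishedName() {
        Object attribute = this.httpRequest.getAttribute(CLIENT_CERT_ATTRIBUTE);
        if (!(attribute instanceof X509Certificate[]) || ((X509Certificate[]) attribute).length == 0) {
            String message = "Access denied: a client certificate is required.\n";
            logger.warn("Request rejected: no client certificate available on the request");
            throw new WebApplicationException(
                    Response.status(ClientResponse.Status.UNAUTHORIZED).entity(message).build());
        }
        X509Certificate[] chain = (X509Certificate[]) attribute;
        return chain[0].getSubjectX500Principal().getName();
    }

    /**
     * Authorises a DN for admin access.
     *
     * @param str the caller's DN as rendered by {@link X500Principal#getName()}
     * @return a client carrying the DN and the role recorded for it in the ACL
     * @throws WebApplicationException with status 401 when the DN is not in the ACL or its role is
     *     not one of the accepted role names
     */
    protected Client checkAccess(String str) throws WebApplicationException {
        Client client;
        String denial = "Admin access denied!\n\nTo allow access for this certificate, the distinguished name \n" + str + "\nneeds to be entered into the ACL file.\nPlease check the EMIR's ACL file!\n\n";
        synchronized (this.acceptedDNs) {
            if (!this.acceptedDNs.containsKey(str)) {
                logger.info(denial);
                throw new WebApplicationException(Response.status(ClientResponse.Status.UNAUTHORIZED).entity(denial).build());
            }
            client = new Client();
            client.setDistinguishedName(str);
            String role = this.acceptedDNs.get(str);
            logger.debug(Boolean.valueOf(roles.contains(role)));
            if (role == null || !roles.contains(role)) {
                // Record the denial so a listed DN with a mistyped role is visible in the log,
                // the same way an unlisted DN is.
                logger.warn("Admin access denied for <" + str + ">: role '" + role + "' is not an accepted role");
                throw new WebApplicationException(Response.status(ClientResponse.Status.UNAUTHORIZED).entity(denial).build());
            }
            client.setRole(new Role(role, ""));
        }
        return client;
    }

    /**
     * Reloads the ACL from the ACL file.
     *
     * <p>The previous entries are discarded once the file has been opened, so a read error part way
     * through leaves only the entries read so far. If the file cannot be opened the previous entries
     * are kept. Requests calling {@link #checkAccess(String)} wait while the reload holds the lock.
     */
    protected void readACL() {
        synchronized (this.acceptedDNs) {
            BufferedReader reader = null;
            try {
                reader = new BufferedReader(new FileReader(this.aclFile));
                this.acceptedDNs.clear();
                String line;
                while ((line = reader.readLine()) != null) {
                    String entry = line.trim();
                    if (entry.length() == 0 || entry.startsWith("#")) {
                        continue;
                    }
                    addEntry(entry);
                }
            } catch (Exception e) {
                logger.fatal("ACL file read error!", e);
            } finally {
                if (reader != null) {
                    try {
                        reader.close();
                    } catch (IOException ignored) {
                        // Nothing useful can be done if closing the reader fails.
                    }
                }
            }
        }
    }

    /**
     * Parses one ACL line of the form {@code <DN> :: <role>} and records it.
     *
     * <p>A malformed line is logged and skipped so that one bad entry never aborts the reload.
     * Must be called with the {@code acceptedDNs} monitor held.
     */
    private void addEntry(String entry) {
        try {
            String[] fields = entry.split("::");
            if (fields.length < 2) {
                logger.warn("Invalid entry <" + entry + ">");
                return;
            }
            String dn = new X500Principal(fields[0].trim()).getName();
            String role = fields[1].trim();
            if (this.acceptedDNs.containsKey(dn)) {
                logger.warn(("Duplicate access for this DN: " + entry) + "\n First one will be use!!!");
                return;
            }
            if (!roles.contains(role)) {
                // Stored as before, but checkAccess rejects it; tell the operator at load time.
                logger.warn("Entry <" + entry + "> names a role that is not accepted for admin access");
            }
            this.acceptedDNs.put(dn, role);
            logger.info("Allowing " + role + " access for <" + entry + ">");
        } catch (RuntimeException e) {
            // X500Principal rejects a DN it cannot parse with an IllegalArgumentException.
            logger.warn("Invalid entry <" + entry + ">", e);
        }
    }
}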
