package eu.emi.emir.security;

import com.sun.jersey.api.client.ClientResponse;
import com.sun.jersey.spi.container.ContainerRequest;
import com.sun.jersey.spi.container.ContainerRequestFilter;
import eu.emi.emir.EMIRServer;
import eu.emi.emir.client.util.Log;
import eu.emi.emir.security.util.AuthZAttributeStore;
import eu.emi.emir.security.util.ResourceDescriptor;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriInfo;
import org.apache.log4j.Logger;

/* loaded from: input_file:eu/emi/emir/security/AccessControlFilter.class */
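/**
 * Jersey request filter that derives the caller's identity from the TLS client
 * certificate chain and, when XACML access control is enabled, checks the request
 * through {@link SecurityManager}.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>When SSL is disabled in the server security properties, {@link #checkAccess()}
 *       does nothing, so every request passes this filter without any authentication
 *       or authorisation.</li>
 *   <li>When SSL is enabled but XACML access control is disabled, a {@code Client} is
 *       still created through {@code SecurityManager.createAndAuthoriseClient} and stored
 *       on the request, but {@link #doCheck} is not called.</li>
 *   <li>Any failure is answered with HTTP 401. The responses built here set no
 *       {@code WWW-Authenticate} header.</li>
 * </ul>
 */
public class AccessControlFilter implements ContainerRequestFilter {
    private static final Logger logger = Log.getLogger("emir.security", AccessControlFilter.class);

    /** Servlet request attribute from which the TLS client certificate chain is read. */
    private static final String CLIENT_CERT_ATTRIBUTE = "javax.servlet.request.X509Certificate";

    @Context
    UriInfo uriInfo;

    @Context
    HttpServletRequest httpRequest;

    // Not referenced anywhere in this class.
    private static final String REALM = "HTTPS authentication";

    /**
     * Runs the access check and passes the request through unchanged when it succeeds.
     *
     * @param containerRequest the incoming request; returned as-is on success
     * @return the same {@code containerRequest}
     * @throws WebApplicationException with status 401 when access control fails
     */
    public ContainerRequest filter(ContainerRequest containerRequest) throws WebApplicationException {
        try {
            checkAccess();
            return containerRequest;
        } catch (AuthorisationException e) {
            // checkAccess() in this class wraps every failure in a WebApplicationException itself,
            // so this branch is only reached if an overriding implementation throws
            // AuthorisationException directly.
            // NOTE(review): the entity embeds e.toString(), which is returned to a caller that
            // has just failed access control; consider a fixed message and rely on the log.
            throw new WebApplicationException(e, Response.status(ClientResponse.Status.UNAUTHORIZED).entity("Error performing access control: \n" + e).build());
        }
    }

    /**
     * Builds {@link SecurityTokens} from the client certificate chain of the current request,
     * creates the {@code Client} and, if XACML access control is enabled, checks the request.
     *
     * <p>A request that carries no client certificate is rejected explicitly. Without that
     * check the missing chain would only surface as a {@code NullPointerException} (or an
     * {@code ArrayIndexOutOfBoundsException} for an empty chain) inside the catch-all below,
     * which still fails closed but logs and reports a meaningless reason.
     *
     * @throws AuthorisationException declared for overriding implementations; this
     *         implementation reports every failure as a {@link WebApplicationException}
     * @throws WebApplicationException with status 401 on any failure while setting up or
     *         performing the check
     */
    protected void checkAccess() throws AuthorisationException {
        try {
            if (!Boolean.valueOf(EMIRServer.getServerSecurityProperties().isSslEnabled()).booleanValue()) {
                // SSL disabled: no identity is established and no check is performed.
                return;
            }
            X509Certificate[] certChain = (X509Certificate[]) this.httpRequest.getAttribute(CLIENT_CERT_ATTRIBUTE);
            if (certChain == null || certChain.length == 0) {
                throw new java.security.cert.CertificateException("No X.509 client certificate was presented with the request");
            }
            // NOTE(review): no chain validation happens in this method; it presumably relies on
            // the TLS layer and/or SecurityManager for that. Confirm against the deployment.
            SecurityTokens securityTokens = new SecurityTokens();
            securityTokens.setUser(CertificateFactory.getInstance("X.509").generateCertPath(Arrays.asList(certChain)));
            // The first certificate in the chain is taken as the caller's own certificate.
            securityTokens.setUserName(certChain[0].getSubjectX500Principal());
            Client client = SecurityManager.createAndAuthoriseClient(securityTokens);
            this.httpRequest.setAttribute(SecurityManager.CLIENT, client);
            if (EMIRServer.getServerSecurityProperties().isXACMLAccessControlEnabled()) {
                // NOTE(review): the store is filled here and cleared only on the failure path
                // below; presumably it is per-thread and cleared elsewhere after a successful
                // request. Confirm, otherwise one request's identity could outlive it.
                AuthZAttributeStore.setTokens(securityTokens);
                AuthZAttributeStore.setClient(client);
                doCheck(securityTokens, client, this.httpRequest.getMethod(), new ResourceDescriptor(this.uriInfo.getPath(), null, SecurityManager.getServerIdentity().getName()));
            }
        } catch (Exception e) {
            // Fail closed: every exception, including a WebApplicationException raised by
            // doCheck(), ends up as a 401 built here.
            Log.logException("Error setting up authorisation check", e, logger);
            AuthZAttributeStore.removeClient();
            AuthZAttributeStore.removeTokens();
            // NOTE(review): the entity embeds e.toString(), so the message of whatever component
            // failed is sent to an unauthorised caller. The detail is already logged above;
            // consider returning a fixed message instead.
            throw new WebApplicationException(new AuthorisationException("Authorisation failed. Reason: " + e.getMessage(), e), Response.status(ClientResponse.Status.UNAUTHORIZED).entity("Error performing access control or Unauthorised access: \n" + e).build());
        }
    }

    /**
     * Checks authentication and authorisation for one action on one resource, unless the
     * client is recognised by {@code SecurityManager.isServer} as the server itself.
     *
     * @param securityTokens tokens built from the caller's certificate chain
     * @param client the client created for this request
     * @param str the action being performed; {@link #checkAccess()} passes the HTTP method
     * @param resourceDescriptor the resource the action is performed on
     * @throws WebApplicationException declared by the original signature; nothing in this
     *         body throws it directly
     */
    protected void doCheck(SecurityTokens securityTokens, Client client, String str, ResourceDescriptor resourceDescriptor) throws WebApplicationException {
        if (logger.isDebugEnabled()) {
            logger.debug("Checking access on service " + resourceDescriptor);
        }
        if (!SecurityManager.isServer(client)) {
            SecurityManager.checkAuthentication(securityTokens, str, resourceDescriptor);
            SecurityManager.checkAuthorisation(client, str, resourceDescriptor);
        } else if (logger.isDebugEnabled()) {
            // Server-identified clients skip both checks entirely.
            logger.debug("Accept server-scope action <" + str + "> on " + resourceDescriptor);
        }
    }
}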
