package org.fcrepo.server.security.impl;

import com.sun.xacml.PDPConfig;
import com.sun.xacml.ctx.Attribute;
import com.sun.xacml.ctx.RequestCtx;
import com.sun.xacml.ctx.ResponseCtx;
import com.sun.xacml.ctx.Subject;
import java.util.Collections;
import java.util.Map;
import java.util.Set;
import org.fcrepo.server.Context;
import org.fcrepo.server.config.ModuleConfiguration;
import org.fcrepo.server.errors.ModuleInitializationException;
import org.fcrepo.server.errors.authorization.AuthzDeniedException;
import org.fcrepo.server.errors.authorization.AuthzException;
import org.fcrepo.server.errors.authorization.AuthzOperationalException;
import org.fcrepo.server.errors.authorization.AuthzPermittedException;
import org.fcrepo.server.security.ContextRegistry;
import org.fcrepo.server.security.PolicyEnforcementPoint;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/fcrepo/server/security/impl/DefaultPolicyEnforcementPoint.class */
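/**
 * Policy enforcement point that turns each call to {@link #enforce} into a XACML
 * request, has the inherited PDP ({@code m_pdp}) evaluate it, and reports the
 * outcome through {@link AuthzException} subtypes.
 *
 * <p>The behaviour is selected once, at construction, by the {@code ENFORCE-MODE}
 * module parameter:
 * <ul>
 *   <li>{@code enforce-policies} (the default): evaluate policies for every request;</li>
 *   <li>{@code permit-all-requests}: skip evaluation and let every request through;</li>
 *   <li>{@code deny-all-requests}: skip evaluation and reject every request.</li>
 * </ul>
 *
 * <p>{@code wrapSubjects}, {@code wrapActions}, {@code wrapResources} and
 * {@code denyBiasedAuthz} are not defined in this class; presumably they are
 * inherited from {@code AbstractPolicyEnforcementPoint} (confirm against that class).
 */
public class DefaultPolicyEnforcementPoint extends AbstractPolicyEnforcementPoint implements PolicyEnforcementPoint {
    private static final Logger logger = LoggerFactory.getLogger(DefaultPolicyEnforcementPoint.class);
    private static final String ROLE = PolicyEnforcementPoint.class.getName();
    private static final String ENFORCE_MODE_CONFIG_KEY = "ENFORCE-MODE";
    static final String ENFORCE_MODE_ENFORCE_POLICIES = "enforce-policies";
    static final String ENFORCE_MODE_PERMIT_ALL_REQUESTS = "permit-all-requests";
    static final String ENFORCE_MODE_DENY_ALL_REQUESTS = "deny-all-requests";

    /** Registry in which the caller's Context is parked, under a per-request index, while the PDP runs. */
    private final ContextRegistry m_registry;

    /** Enforcement mode; validated in the constructor and never reassigned afterwards. */
    private final String m_enforceMode;

    /** Source of per-request context indices; only touched through {@link #next()}. */
    private int n;

    /**
     * Creates the enforcement point and reads the enforcement mode from the module
     * configuration.
     *
     * @param pDPConfig passed unchanged to the superclass constructor
     * @param contextRegistry registry used to expose the request Context during evaluation
     * @param moduleConfiguration source of the optional {@code ENFORCE-MODE} parameter
     * @throws ModuleInitializationException if {@code ENFORCE-MODE} is present but is not
     *         one of the three supported values (a present-but-null value is rejected too)
     */
    public DefaultPolicyEnforcementPoint(PDPConfig pDPConfig, ContextRegistry contextRegistry, ModuleConfiguration moduleConfiguration) throws ModuleInitializationException {
        super(pDPConfig);
        this.n = 0;
        this.m_registry = contextRegistry;
        Map<String, String> parameters = moduleConfiguration.getParameters();
        String mode = ENFORCE_MODE_ENFORCE_POLICIES;
        if (parameters.containsKey(ENFORCE_MODE_CONFIG_KEY)) {
            mode = parameters.get(ENFORCE_MODE_CONFIG_KEY);
            boolean known = ENFORCE_MODE_ENFORCE_POLICIES.equals(mode)
                    || ENFORCE_MODE_PERMIT_ALL_REQUESTS.equals(mode)
                    || ENFORCE_MODE_DENY_ALL_REQUESTS.equals(mode);
            if (!known) {
                // Refuse to start rather than guess: an unrecognised mode must never
                // silently fall back to something more permissive.
                throw new ModuleInitializationException("invalid enforceMode from config \"" + mode + "\"", ROLE);
            }
        }
        this.m_enforceMode = mode;
        if (ENFORCE_MODE_PERMIT_ALL_REQUESTS.equals(mode)) {
            // Per-request logging of this mode is debug-only, so make the bypass
            // visible once at start-up where operators will see it.
            logger.warn("enforceMode is {}: policy evaluation is bypassed and every request is permitted", mode);
        }
    }

    /**
     * Returns the next context index and advances the counter.
     *
     * <p>Synchronized so that concurrent requests never receive the same index.
     * The counter is a plain {@code int}, so it wraps around on overflow.
     */
    private synchronized int next() {
        return this.n++;
    }

    /**
     * Runs the PDP for one request while {@code context} is registered under
     * {@code contextIndex}, and always removes that registration again.
     *
     * @return the PDP's response
     */
    private ResponseCtx evaluateRegistered(String contextIndex, Context context, RequestCtx requestCtx) {
        this.m_registry.registerContext(contextIndex, context);
        try {
            long evaluationStart = System.currentTimeMillis();
            ResponseCtx response;
            try {
                response = this.m_pdp.evaluate(requestCtx);
            } finally {
                logger.debug("Policy evaluation took {}ms.", System.currentTimeMillis() - evaluationStart);
            }
            logger.debug("in pep, after evaluate() called");
            return response;
        } finally {
            // Unregister under the index that was actually registered, on the failure
            // path as well, so a failed evaluation does not leave the caller's Context
            // behind in the registry.
            this.m_registry.unregisterContext(contextIndex);
        }
    }

    /**
     * Decides whether a request may proceed; returns normally only when it may.
     *
     * <p>{@code str} is handed to {@code wrapSubjects}, {@code str2} and {@code str3}
     * to {@code wrapActions}, and {@code str4} and {@code str5} to {@code wrapResources}.
     * NOTE(review): the parameter names are decompiler placeholders; presumably they
     * identify the subject, the action and its API, and the target resource. Confirm
     * against the {@code PolicyEnforcementPoint} interface.
     *
     * @param context request context; registered for the duration of policy evaluation
     *        and consulted afterwards for its no-op flag
     * @throws AuthzDeniedException if the mode is {@code deny-all-requests} or the policy
     *         decision does not permit the request
     * @throws AuthzOperationalException if the mode is unrecognised or anything fails
     *         while the request is built or evaluated (the failure is logged at error level)
     * @throws AuthzPermittedException if the request was allowed and {@code context.getNoOp()}
     *         is true
     * @throws AuthzException declared supertype of the exceptions above
     */
    @Override // org.fcrepo.server.security.PolicyEnforcementPoint
    public final void enforce(String str, String str2, String str3, String str4, String str5, Context context) throws AuthzException {
        long enforceStart = System.currentTimeMillis();
        try {
            synchronized (this) {
                // Intentionally empty: entering the block only waits until no other
                // thread holds this object's monitor.
                // NOTE(review): presumably a barrier against an in-progress PDP update
                // performed under the same monitor - confirm in the superclass.
            }
            if (ENFORCE_MODE_PERMIT_ALL_REQUESTS.equals(this.m_enforceMode)) {
                logger.debug("permitting request because enforceMode==ENFORCE_MODE_PERMIT_ALL_REQUESTS");
            } else if (ENFORCE_MODE_DENY_ALL_REQUESTS.equals(this.m_enforceMode)) {
                logger.debug("denying request because enforceMode==ENFORCE_MODE_DENY_ALL_REQUESTS");
                throw new AuthzDeniedException("all requests are currently denied");
            } else if (!ENFORCE_MODE_ENFORCE_POLICIES.equals(this.m_enforceMode)) {
                // The constructor already rejects unknown modes; kept as a fail-closed guard.
                logger.debug("denying request because enforceMode is invalid");
                throw new AuthzOperationalException("invalid enforceMode from config \"" + this.m_enforceMode + "\"");
            } else {
                boolean permitted;
                try {
                    String contextIndex = Integer.toString(next());
                    logger.debug("context index set={}", contextIndex);
                    Set<Subject> subjects = wrapSubjects(str);
                    Set<Attribute> actions = wrapActions(str2, str3, contextIndex);
                    RequestCtx requestCtx = new RequestCtx(subjects, wrapResources(str4, str5), actions, Collections.EMPTY_SET);
                    if (logger.isDebugEnabled()) {
                        for (Attribute attribute : actions) {
                            logger.debug("request action has {}={}", attribute.getId(), attribute.getValue().toString());
                        }
                    }
                    ResponseCtx response = evaluateRegistered(contextIndex, context, requestCtx);
                    logger.debug("in pep, before denyBiasedAuthz() called");
                    permitted = denyBiasedAuthz(response.getResults());
                } catch (Throwable th) {
                    // Fail closed: whatever went wrong while building or evaluating the
                    // request, the caller sees an authorization failure, never a permit.
                    logger.error("Error evaluating policy", th);
                    throw new AuthzOperationalException("");
                }
                // Thrown outside the try above so that an ordinary policy denial reaches
                // the caller as AuthzDeniedException instead of being logged as an
                // evaluation error and rewrapped as AuthzOperationalException.
                if (!permitted) {
                    throw new AuthzDeniedException("");
                }
            }
            if (context.getNoOp()) {
                throw new AuthzPermittedException("noOp");
            }
        } finally {
            logger.debug("Policy enforcement took {}ms.", System.currentTimeMillis() - enforceStart);
        }
    }
}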
