package org.dataone.solr.servlet;

import java.io.IOException;
import java.util.ArrayList;
import java.util.Date;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.dataone.cn.servlet.http.ProxyServletRequestWrapper;
import org.dataone.configuration.Settings;
import org.dataone.portal.PortalCertificateManager;
import org.dataone.service.cn.impl.v2.NodeRegistryService;
import org.dataone.service.exceptions.NotAuthorized;
import org.dataone.service.exceptions.NotImplemented;
import org.dataone.service.exceptions.ServiceFailure;
import org.dataone.service.types.v1.NodeState;
import org.dataone.service.types.v1.NodeType;
import org.dataone.service.types.v1.Service;
import org.dataone.service.types.v1.ServiceMethodRestriction;
import org.dataone.service.types.v1.Session;
import org.dataone.service.types.v1.Subject;
import org.dataone.service.types.v2.Node;

/* loaded from: input_file:org/dataone/solr/servlet/SessionAuthorizationFilterStrategy.class */
public abstract class SessionAuthorizationFilterStrategy implements Filter {
    protected static Log logger = LogFactory.getLog(SessionAuthorizationFilterStrategy.class);
    private static NodeRegistryService nodeRegistryService = new NodeRegistryService();
    private static String adminToken = Settings.getConfiguration().getString("cn.solrAdministrator.token");
    private List<Subject> cnAdministrativeSubjects = new ArrayList();
    private List<Subject> mnAdministrativeSubjects = new ArrayList();
    private List<Subject> serviceMethodRestrictionSubjects = new ArrayList();
    private Map<String, List<Subject>> mnNodeNameToSubjectsMap = new HashMap();
    private long lastRefreshTimeMS = 0;
    private long nodelistRefreshIntervalSeconds = 300000;

    protected abstract void handleNoCertificateManagerSession(ProxyServletRequestWrapper proxyServletRequestWrapper, ServletResponse servletResponse, FilterChain filterChain) throws ServletException, IOException, NotAuthorized;

    protected abstract void addAuthenticatedSubjectsToRequest(ProxyServletRequestWrapper proxyServletRequestWrapper, Session session, Subject subject) throws ServiceFailure, NotAuthorized, NotImplemented;

    protected abstract String getServiceMethodName();

    public void init(FilterConfig filterConfig) throws ServletException {
        try {
            logger.debug("about to cache admin");
            cacheAdministrativeSubjectList();
        } catch (NotImplemented e) {
            logger.error(e.serialize(0));
        } catch (ServiceFailure e2) {
            logger.error(e2.serialize(0));
        }
        this.lastRefreshTimeMS = new Date().getTime();
        logger.debug("init SessionAuthorizationFilter: " + getClass().getName());
    }

    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        logger.debug("SessionAuthorizationFilterStrategy doFilter invoked by: " + getClass().getName());
        try {
            if (!(servletRequest instanceof HttpServletRequest)) {
                throw new NotImplemented("1461", "ServletRequest is not a HttpServletRequest!?");
            }
            String[] strArr = new String[0];
            ProxyServletRequestWrapper proxyServletRequestWrapper = new ProxyServletRequestWrapper((HttpServletRequest) servletRequest);
            Map parameterMap = proxyServletRequestWrapper.getParameterMap();
            if (parameterMap.containsKey("authorizedSubjects")) {
                logger.debug("removing attempt at supplying authorized user by client");
                proxyServletRequestWrapper.setParameterValues("authorizedSubjects", strArr);
            }
            if (parameterMap.containsKey("isCnAdministrator")) {
                logger.debug("removing attempt at supplying authorized administrative user by client");
                proxyServletRequestWrapper.setParameterValues("isCnAdministrator", strArr);
            }
            if (parameterMap.containsKey("isMnAdministrator")) {
                logger.debug("removing attempt at supplying authorized administrative user by client");
                proxyServletRequestWrapper.setParameterValues("isMnAdministrator", strArr);
            }
            boolean validateSSLAttributes = SessionAuthorizationUtil.validateSSLAttributes(proxyServletRequestWrapper);
            logger.debug("valid SSL: " + validateSSLAttributes);
            if (!validateSSLAttributes) {
                logger.debug("Invalidate SSL Attributes");
                handleNoCertificateManagerSession(proxyServletRequestWrapper, servletResponse, filterChain);
            }
            Session session = PortalCertificateManager.getInstance().getSession((HttpServletRequest) servletRequest);
            if (session != null) {
                if (isTimeForRefresh().booleanValue()) {
                    cacheAdministrativeSubjectList();
                }
                Subject subject = session.getSubject();
                logger.debug("Solr Session Auth found subject: " + subject.getValue());
                if (this.cnAdministrativeSubjects.contains(subject)) {
                    logger.debug(subject.getValue() + " is a cn administrator");
                    proxyServletRequestWrapper.setParameterValues("isCnAdministrator", new String[]{adminToken});
                } else if (this.mnAdministrativeSubjects.contains(subject)) {
                    for (String str : this.mnNodeNameToSubjectsMap.keySet()) {
                        List<Subject> list = this.mnNodeNameToSubjectsMap.get(str);
                        if (list != null && list.contains(subject)) {
                            logger.debug(subject.getValue() + " is a mn administrator");
                            proxyServletRequestWrapper.setParameterValues("isMnAdministrator", new String[]{str});
                        }
                    }
                } else if (this.serviceMethodRestrictionSubjects.isEmpty()) {
                    logger.debug(subject.getValue() + " is authorized");
                    addAuthenticatedSubjectsToRequest(proxyServletRequestWrapper, session, subject);
                } else if (this.serviceMethodRestrictionSubjects.contains(subject)) {
                    addAuthenticatedSubjectsToRequest(proxyServletRequestWrapper, session, subject);
                } else {
                    logger.debug("Solr Session auth - " + subject.getValue() + " not found in restricted list");
                    handleNoCertificateManagerSession(proxyServletRequestWrapper, servletResponse, filterChain);
                }
                filterChain.doFilter(proxyServletRequestWrapper, servletResponse);
            } else {
                logger.debug("Solr Session auth - NO SESSION");
                handleNoCertificateManagerSession(proxyServletRequestWrapper, servletResponse, filterChain);
            }
        } catch (Exception e) {
            ServiceFailure serviceFailure = new ServiceFailure("1490", e.getClass() + ": " + e.getMessage());
            serviceFailure.setStackTrace(e.getStackTrace());
            String serialize = serviceFailure.serialize(0);
            ((HttpServletResponse) servletResponse).setStatus(500);
            servletResponse.getOutputStream().write(serialize.getBytes());
            servletResponse.getOutputStream().flush();
            servletResponse.getOutputStream().close();
        } catch (NotImplemented e2) {
            e2.setDetail_code("1461");
            String serialize2 = e2.serialize(0);
            ((HttpServletResponse) servletResponse).setStatus(400);
            servletResponse.getOutputStream().write(serialize2.getBytes());
            servletResponse.getOutputStream().flush();
            servletResponse.getOutputStream().close();
        } catch (NotAuthorized e3) {
            e3.setDetail_code("1460");
            String serialize3 = e3.serialize(0);
            ((HttpServletResponse) servletResponse).setStatus(401);
            servletResponse.getOutputStream().write(serialize3.getBytes());
            servletResponse.getOutputStream().flush();
            servletResponse.getOutputStream().close();
        } catch (ServiceFailure e4) {
            e4.setDetail_code("1490");
            String serialize4 = e4.serialize(0);
            ((HttpServletResponse) servletResponse).setStatus(500);
            servletResponse.getOutputStream().write(serialize4.getBytes());
            servletResponse.getOutputStream().flush();
            servletResponse.getOutputStream().close();
        }
    }

    private void cacheAdministrativeSubjectList() throws NotImplemented, ServiceFailure {
        this.cnAdministrativeSubjects.clear();
        this.mnAdministrativeSubjects.clear();
        this.serviceMethodRestrictionSubjects.clear();
        List<String> list = Settings.getConfiguration().getList("cn.administrators");
        if (list != null) {
            for (String str : list) {
                logger.debug("AdminList property entry " + str);
                Subject subject = new Subject();
                subject.setValue(str);
                this.cnAdministrativeSubjects.add(subject);
            }
        }
        for (Node node : nodeRegistryService.listNodes().getNodeList()) {
            if (node.getType().equals(NodeType.CN) && node.getState().equals(NodeState.UP)) {
                Iterator it = node.getSubjectList().iterator();
                while (it.hasNext()) {
                    logger.debug("AdminList entry CN subject: " + ((Subject) it.next()).getValue());
                }
                this.cnAdministrativeSubjects.addAll(node.getSubjectList());
                for (Service service : node.getServices().getServiceList()) {
                    if (service.getName().equalsIgnoreCase("CNCore") && service.getRestrictionList() != null && !service.getRestrictionList().isEmpty()) {
                        for (ServiceMethodRestriction serviceMethodRestriction : service.getRestrictionList()) {
                            if (serviceMethodRestriction.getMethodName().equalsIgnoreCase(getServiceMethodName()) && serviceMethodRestriction.getSubjectList() != null) {
                                this.serviceMethodRestrictionSubjects.addAll(serviceMethodRestriction.getSubjectList());
                                Iterator it2 = serviceMethodRestriction.getSubjectList().iterator();
                                while (it2.hasNext()) {
                                    logger.debug("AdminList entry CN subject: " + ((Subject) it2.next()).getValue());
                                }
                            }
                        }
                    }
                }
            }
            if (node.getType().equals(NodeType.MN) && node.getState().equals(NodeState.UP) && node.getSubjectList() != null && !node.getSubjectList().isEmpty()) {
                this.mnAdministrativeSubjects.addAll(node.getSubjectList());
                this.mnNodeNameToSubjectsMap.put(node.getIdentifier().getValue(), node.getSubjectList());
                Iterator it3 = node.getSubjectList().iterator();
                while (it3.hasNext()) {
                    logger.debug("AdminList entry CN subject: " + ((Subject) it3.next()).getValue());
                }
            }
        }
    }

    private Boolean isTimeForRefresh() {
        long currentTimeMillis = System.currentTimeMillis();
        if (currentTimeMillis - this.lastRefreshTimeMS <= this.nodelistRefreshIntervalSeconds) {
            return false;
        }
        this.lastRefreshTimeMS = currentTimeMillis;
        logger.info("nodelist refreshed");
        return true;
    }

    public void destroy() {
        logger.info("destroy SessionAuthorizationFilter");
    }
}
