package org.fcrepo.server.security.xacml.pep.ws;

import com.sun.xacml.ctx.RequestCtx;
import com.sun.xacml.ctx.ResponseCtx;
import com.sun.xacml.ctx.Result;
import java.util.Date;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import javax.xml.namespace.QName;
import javax.xml.ws.handler.MessageContext;
import javax.xml.ws.handler.soap.SOAPHandler;
import javax.xml.ws.handler.soap.SOAPMessageContext;
import org.fcrepo.server.security.xacml.pep.AuthzDeniedException;
import org.fcrepo.server.security.xacml.pep.ContextHandler;
import org.fcrepo.server.security.xacml.pep.PEPException;
import org.fcrepo.server.security.xacml.pep.ws.operations.OperationHandler;
import org.fcrepo.server.security.xacml.pep.ws.operations.OperationHandlerException;
import org.fcrepo.server.utilities.CXFUtility;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:resources/fedora.war:WEB-INF/lib/fcrepo-security-pep-3.6.1.jar:org/fcrepo/server/security/xacml/pep/ws/PEP.class */
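/**
 * SOAP handler acting as the XACML policy enforcement point (PEP) for web-service calls.
 *
 * <p>For each message the handler looks up an {@link OperationHandler} by WSDL service and
 * operation name, lets it build a XACML request, has the {@link ContextHandler} evaluate that
 * request and turns every decision other than Permit into a SOAP fault.
 *
 * <p>Security notes:
 * <ul>
 *   <li>When constructed with {@code false} the handler lets every message through without any
 *       evaluation; that flag is the only switch for enforcement in this class.</li>
 *   <li>Enforcement fails closed: a missing handler, a missing context handler, an empty
 *       response or an unrecognised decision code all end in a fault, never in a permit.</li>
 * </ul>
 */
public class PEP implements SOAPHandler<SOAPMessageContext> {
    private static final Logger logger = LoggerFactory.getLogger(PEP.class);

    /** Operation handlers keyed by service local name, then by operation local name. */
    private Map<String, Map<String, OperationHandler>> m_serviceHandlers;

    /** Evaluates XACML requests; injected through {@link #setContextHandler(ContextHandler)}. */
    ContextHandler m_ctxHandler = null;

    /** {@code true} when XACML enforcement is active for this handler. */
    private final boolean feslAuthZ;

    /** Creation time of this instance; only used to tag debug log lines. */
    private Date m_ts;

    /**
     * Creates the handler.
     *
     * @param z {@code true} to enforce XACML decisions, {@code false} to pass every message
     *          through unchecked
     * @throws PEPException declared for callers; not thrown by the visible code
     */
    public PEP(boolean z) throws PEPException {
        this.m_serviceHandlers = null;
        this.m_ts = null;
        this.feslAuthZ = z;
        logger.info("feslAuthZ = {}", Boolean.valueOf(z));
        if (z) {
            this.m_serviceHandlers = new HashMap<String, Map<String, OperationHandler>>(0);
            this.m_ts = new Date();
        }
    }

    /**
     * Sets the component that evaluates XACML requests.
     *
     * @param contextHandler the evaluator to use; enforcement faults while this is {@code null}
     */
    public void setContextHandler(ContextHandler contextHandler) {
        this.m_ctxHandler = contextHandler;
    }

    /**
     * Replaces the service/operation handler table.
     *
     * @param map handlers keyed by service local name, then by operation local name
     */
    public void setServiceHandlers(Map<String, Map<String, OperationHandler>> map) {
        this.m_serviceHandlers = map;
    }

    /**
     * Authorises one SOAP message.
     *
     * @param sOAPMessageContext the message being processed
     * @return {@code true} when enforcement is disabled or the decision is Permit; {@code false}
     *         when the operation handler produced no XACML request
     */
    @Override
    public boolean handleMessage(SOAPMessageContext sOAPMessageContext) {
        if (!this.feslAuthZ) {
            // Enforcement disabled: nothing is evaluated for this message.
            return true;
        }
        // A missing or non-QName property yields null here, so the request ends in the
        // "Missing handler" fault below instead of an unchecked NullPointerException.
        String service = localPartOf(sOAPMessageContext.get(MessageContext.WSDL_SERVICE));
        String operation = localPartOf(sOAPMessageContext.get(MessageContext.WSDL_OPERATION));
        if (logger.isDebugEnabled()) {
            logger.debug("AuthHandler executed: " + service + "/" + operation + " [" + this.m_ts + "]");
        }
        OperationHandler handler = getHandler(service, operation);
        if (handler == null) {
            // No handler means no policy request can be built: refuse rather than let it pass.
            logger.error("Missing handler for service/operation: {}/{}", service, operation);
            throw CXFUtility.getFault(new PEPException("Missing handler for service/operation: " + service + "/" + operation));
        }
        try {
            // Boolean.TRUE.equals avoids an unboxing NullPointerException if the property is
            // absent; an absent value is then treated as an inbound request.
            boolean outbound = Boolean.TRUE.equals(sOAPMessageContext.get(MessageContext.MESSAGE_OUTBOUND_PROPERTY));
            RequestCtx requestCtx = outbound ? handler.handleResponse(sOAPMessageContext) : handler.handleRequest(sOAPMessageContext);
            if (requestCtx == null) {
                // Returning false stops normal processing of this message in the handler chain.
                return false;
            }
            try {
                ContextHandler ctxHandler = this.m_ctxHandler;
                if (ctxHandler == null) {
                    logger.error("No ContextHandler configured; refusing {}/{}", service, operation);
                    throw new PEPException("No ContextHandler configured");
                }
                enforce(ctxHandler.evaluate(requestCtx));
                return true;
            } catch (PEPException e) {
                logger.error("Error evaluating request", e);
                throw CXFUtility.getFault(new PEPException("Error evaluating request (operation: " + operation + ")", e));
            }
        } catch (OperationHandlerException e2) {
            logger.error("Error handling operation: " + operation, e2);
            throw CXFUtility.getFault(new PEPException("Error handling operation: " + operation, e2));
        }
    }

    /** Returns the local part of a context property holding a QName, or null otherwise. */
    private static String localPartOf(Object value) {
        return value instanceof QName ? ((QName) value).getLocalPart() : null;
    }

    /**
     * Looks up the handler registered for a service/operation pair.
     *
     * @param str  service local name, may be {@code null}
     * @param str2 operation local name, may be {@code null}
     * @return the registered handler, or {@code null} when either name is missing or nothing is
     *         registered for the pair
     */
    private OperationHandler getHandler(String str, String str2) {
        if (str == null) {
            logger.debug("Service Name was null!");
            return null;
        }
        if (str2 == null) {
            logger.debug("Operation Name was null!");
            return null;
        }
        // setServiceHandlers accepts null, so the table itself may be absent.
        Map<String, Map<String, OperationHandler>> services = this.m_serviceHandlers;
        Map<String, OperationHandler> operations = services == null ? null : services.get(str);
        if (operations == null) {
            logger.debug("No Service Handlers found for: {}", str);
            return null;
        }
        OperationHandler operationHandler = operations.get(str2);
        if (operationHandler == null) {
            logger.debug("Handler not found for: {}/{}", str, str2);
        }
        return operationHandler;
    }

    /**
     * Throws a fault unless every result in the response is Permit.
     *
     * <p>Fails closed: a {@code null} response, an empty result set and a decision code outside
     * the four known values are all refused. Previously an unknown code fell through the switch
     * and an empty result set skipped the loop, and both ended in "Permitting access!".
     *
     * @param responseCtx the evaluated XACML response
     */
    private void enforce(ResponseCtx responseCtx) {
        @SuppressWarnings("unchecked")
        Set<Result> results = responseCtx == null ? null : responseCtx.getResults();
        if (results == null || results.isEmpty()) {
            logger.warn("Denying access: XACML response carried no results");
            throw CXFUtility.getFault(new AuthzDeniedException("Indeterminate"));
        }
        for (Result result : results) {
            int decision = result.getDecision();
            if (decision == Result.DECISION_PERMIT) {
                continue;
            }
            logger.debug("Denying access: {}", Integer.valueOf(decision));
            switch (decision) {
                case Result.DECISION_DENY:
                    throw CXFUtility.getFault(new AuthzDeniedException("Deny"));
                case Result.DECISION_INDETERMINATE:
                    throw CXFUtility.getFault(new AuthzDeniedException("Indeterminate"));
                case Result.DECISION_NOT_APPLICABLE:
                    throw CXFUtility.getFault(new AuthzDeniedException("NotApplicable"));
                default:
                    // A code this class does not know cannot be read as a permit.
                    logger.warn("Denying access: unrecognised XACML decision code {}", Integer.valueOf(decision));
                    throw CXFUtility.getFault(new AuthzDeniedException("Indeterminate"));
            }
        }
        logger.debug("Permitting access!");
    }

    /** No per-message resources are held, so there is nothing to release. */
    @Override
    public void close(MessageContext messageContext) {
    }

    /**
     * Fault messages are not evaluated against policy.
     *
     * @return always {@code false}
     */
    @Override
    public boolean handleFault(SOAPMessageContext sOAPMessageContext) {
        return false;
    }

    /**
     * Declares no SOAP header blocks.
     *
     * @return always {@code null}
     */
    @Override
    public Set<QName> getHeaders() {
        return null;
    }
}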
