package com.yahoo.athenz.zpe;

import com.yahoo.athenz.auth.token.AccessToken;
import com.yahoo.athenz.auth.token.RoleToken;
import com.yahoo.athenz.auth.token.jwts.JwtsSigningKeyResolver;
import com.yahoo.athenz.auth.util.Crypto;
import com.yahoo.athenz.auth.util.CryptoException;
import com.yahoo.athenz.zpe.match.ZpeMatch;
import com.yahoo.athenz.zpe.pkey.PublicKeyStore;
import com.yahoo.athenz.zpe.pkey.PublicKeyStoreFactory;
import com.yahoo.rdl.Struct;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.net.ssl.SSLContext;
import javax.security.auth.x500.X500Principal;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/yahoo/athenz/zpe/AuthZpeClient.class */
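public class AuthZpeClient {
    public static final String ZPE_UPDATER_CLASS = "com.yahoo.athenz.zpe.ZpeUpdater";
    public static final String ZPE_PKEY_CLASS = "com.yahoo.athenz.zpe.pkey.file.FilePublicKeyStoreFactory";
    public static final String ZTS_PUBLIC_KEY = "zts_public_key";
    public static final String ZMS_PUBLIC_KEY = "zms_public_key";
    public static final String ZTS_PUBLIC_KEY_PREFIX = "zts.public_key.";
    public static final String ZMS_PUBLIC_KEY_PREFIX = "zms.public_key.";
    public static final String SYS_AUTH_DOMAIN = "sys.auth";
    public static final String ZTS_SERVICE_NAME = "zts";
    public static final String ZMS_SERVICE_NAME = "zms";
    public static final String DEFAULT_DOMAIN = "sys.auth";
    public static final String UNKNOWN_DOMAIN = "unknown";
    public static final String BEARER_TOKEN = "Bearer ";
    private static final Logger LOG = LoggerFactory.getLogger(AuthZpeClient.class);
    public static final String ZPE_TOKEN_HDR = System.getProperty("athenz.auth.role.header", "Athenz-Role-Auth");

    // Role certificates carry a common name of the form "<domain>:role.<role>".
    private static final String ROLE_CN_MARKER = ":role.";
    // Role tokens start with this version marker; any other token string is treated as an access token.
    private static final String ROLE_TOKEN_PREFIX = "v=Z1;";

    // Configuration state. The setters below are not synchronized; they are expected to be
    // called from the static initializer or before concurrent access checks start.
    private static int allowedOffset = 300;
    private static JwtsSigningKeyResolver accessSignKeyResolver = null;
    private static ZpeClient zpeClt = null;
    private static PublicKeyStore publicKeyStore = null;
    // Allowed CA issuers, both as whitespace-stripped strings and as parsed RDN lists (see issuerMatch).
    private static final Set<String> X509_ISSUERS_NAMES = new HashSet<>();
    private static final List<List<Rdn>> X509_ISSUERS_RDNS = new ArrayList<>();
    // Upper bound on cached tokens per cache map; 0 means unbounded (see addTokenToCache).
    private static int maxTokenCacheSize = 10240;

    /**
     * Outcome of an access check. {@link #toString()} returns a human-readable reason.
     */
    public enum AccessCheckStatus {
        ALLOW("Access Check was explicitly allowed"),
        DENY("Access Check was explicitly denied"),
        DENY_NO_MATCH("Access denied due to no match to any of the assertions defined in domain policy file"),
        DENY_ROLETOKEN_EXPIRED("Access denied due to expired Token"),
        DENY_ROLETOKEN_INVALID("Access denied due to invalid Token"),
        DENY_DOMAIN_MISMATCH("Access denied due to domain mismatch between Resource and Token"),
        DENY_DOMAIN_NOT_FOUND("Access denied due to domain not found in library cache"),
        DENY_DOMAIN_EXPIRED("Access denied due to expired domain policy file"),
        DENY_DOMAIN_EMPTY("Access denied due to no policies in the domain file"),
        DENY_INVALID_PARAMETERS("Access denied due to invalid/empty action/resource values"),
        DENY_CERT_MISMATCH_ISSUER("Access denied due to certificate mismatch in issuer"),
        DENY_CERT_MISSING_SUBJECT("Access denied due to missing subject in certificate"),
        DENY_CERT_MISSING_DOMAIN("Access denied due to missing domain name in certificate"),
        DENY_CERT_MISSING_ROLE_NAME("Access denied due to missing role name in certificate"),
        DENY_CERT_HASH_MISMATCH("Access denied due to access token certificate hash mismatch");

        private final String description;

        AccessCheckStatus(String description) {
            this.description = description;
        }

        @Override
        public String toString() {
            return description;
        }
    }

    /**
     * Marks the start of ZPE use. Only emits a debug log; all real setup happens in the static initializer.
     */
    public static void init() {
        if (LOG.isDebugEnabled()) {
            LOG.debug("Init: load the ZPE");
        }
    }

    /**
     * Closes the configured {@link ZpeClient}.
     */
    public static void close() {
        if (LOG.isDebugEnabled()) {
            LOG.debug("close: finishing the ZPE");
        }
        zpeClt.close();
    }

    /**
     * Sets the clock-skew allowance (seconds) passed to role-token validation.
     *
     * @param offset new allowance; non-positive values are ignored
     */
    public static void setTokenAllowedOffset(int offset) {
        if (offset > 0) {
            allowedOffset = offset;
        }
    }

    /**
     * Sets the maximum number of entries kept per token cache.
     *
     * @param maxSize new bound; 0 disables the bound, negative values are ignored
     */
    public static void setTokenCacheMaxValue(int maxSize) {
        if (maxSize > -1) {
            maxTokenCacheSize = maxSize;
        }
    }

    /**
     * Registers the CA issuer DNs accepted by {@link #certIssuerMatch(X509Certificate)}.
     *
     * @param issuers '|'-separated list of issuer DNs; null or empty leaves the current set untouched
     */
    public static void setX509CAIssuers(String issuers) {
        if (issuers == null || issuers.isEmpty()) {
            return;
        }
        for (String issuer : issuers.split("\\|")) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("x509 issuer: {}", issuer);
            }
            // The string form is always recorded; the RDN form only when the DN parses.
            X509_ISSUERS_NAMES.add(issuer.replaceAll("\\s+", ""));
            try {
                X509_ISSUERS_RDNS.add(new LdapName(issuer).getRdns());
            } catch (InvalidNameException e) {
                LOG.error("Invalid issuer: {}, error: {}", issuer, e.getMessage());
            }
        }
    }

    /**
     * Instantiates the named {@link PublicKeyStoreFactory} and installs the store it creates.
     *
     * @param className fully qualified factory class name with a no-arg constructor
     * @throws RuntimeException wrapping the reflective failure when the class cannot be loaded or constructed
     */
    public static void setPublicKeyStoreFactoryClass(String className) {
        try {
            PublicKeyStoreFactory factory = (PublicKeyStoreFactory) Class.forName(className)
                    .getDeclaredConstructor().newInstance();
            publicKeyStore = factory.create();
        } catch (ReflectiveOperationException e) {
            LOG.error("Invalid PublicKeyStore class: {}, error: {}", className, e.getMessage());
            throw new RuntimeException(e);
        }
    }

    /**
     * Installs a signing-key resolver for access tokens without a key-resolver override.
     */
    public static void setAccessTokenSignKeyResolver(String serverUrl, SSLContext sslContext) {
        setAccessTokenSignKeyResolver(serverUrl, sslContext, null);
    }

    /**
     * Installs a new {@link JwtsSigningKeyResolver} built from the given arguments, replacing any previous one.
     */
    public static void setAccessTokenSignKeyResolver(String serverUrl, SSLContext sslContext, String resolverOverride) {
        accessSignKeyResolver = new JwtsSigningKeyResolver(serverUrl, sslContext, resolverOverride);
    }

    /**
     * Adds a public key to the current access-token signing-key resolver.
     */
    public static void addAccessTokenSignKeyResolverKey(String keyId, PublicKey publicKey) {
        accessSignKeyResolver.addPublicKey(keyId, publicKey);
    }

    /**
     * Instantiates the named {@link ZpeClient}, initializes it and installs it as the policy source.
     *
     * @param className fully qualified class name with a no-arg constructor
     * @throws RuntimeException wrapping the reflective failure when the class cannot be loaded or constructed
     */
    public static void setZPEClientClass(String className) {
        try {
            zpeClt = (ZpeClient) Class.forName(className).getDeclaredConstructor().newInstance();
            zpeClt.init(null);
        } catch (ReflectiveOperationException e) {
            LOG.error("Unable to instantiate zpe class: {}, error: {}", className, e.getMessage());
            throw new RuntimeException(e);
        }
    }

    /**
     * Looks up a ZTS public key, first in the key store and then in the access-token signing-key resolver.
     *
     * @return the key, or null when neither source has it
     */
    public static PublicKey getZtsPublicKey(String keyId) {
        PublicKey key = publicKeyStore.getZtsKey(keyId);
        return key != null ? key : accessSignKeyResolver.getPublicKey(keyId);
    }

    /**
     * Sets the minimum interval between ZTS key-fetch calls on the resolver class.
     */
    protected static void setMillisBetweenZtsCalls(long millis) {
        JwtsSigningKeyResolver.setMillisBetweenZtsCalls(millis);
    }

    /**
     * Looks up a ZMS public key in the key store.
     */
    public static PublicKey getZmsPublicKey(String keyId) {
        return publicKeyStore.getZmsKey(keyId);
    }

    /**
     * Access check driven by a role certificate; see the four-argument overload.
     */
    public static AccessCheckStatus allowAccess(X509Certificate cert, String resource, String action) {
        return allowAccess(cert, resource, action, new StringBuilder(256));
    }

    /**
     * Access check driven by a role certificate. The domain and role are taken from the
     * certificate common name ("&lt;domain&gt;:role.&lt;role&gt;") after the issuer has been checked
     * against the configured CA issuers.
     *
     * @param cert     client certificate
     * @param resource resource being accessed
     * @param action   action being performed
     * @param sb       receives the name of the matching role, if any
     * @return the check outcome
     */
    public static AccessCheckStatus allowAccess(X509Certificate cert, String resource, String action, StringBuilder sb) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("allowAccess: action={} resource={}", action, resource);
        }
        if (!certIssuerMatch(cert)) {
            return AccessCheckStatus.DENY_CERT_MISMATCH_ISSUER;
        }
        String commonName = Crypto.extractX509CertCommonName(cert);
        if (commonName == null || commonName.isEmpty()) {
            LOG.error("allowAccess: missing subject in x.509 certificate");
            return AccessCheckStatus.DENY_CERT_MISSING_SUBJECT;
        }
        int markerIdx = commonName.indexOf(ROLE_CN_MARKER);
        if (markerIdx == -1) {
            LOG.error("allowAccess: invalid role format in x.509 subject: {}", commonName);
            return AccessCheckStatus.DENY_CERT_MISSING_ROLE_NAME;
        }
        String domain = commonName.substring(0, markerIdx);
        if (domain.isEmpty()) {
            LOG.error("allowAccess: missing domain in x.509 subject: {}", commonName);
            return AccessCheckStatus.DENY_CERT_MISSING_DOMAIN;
        }
        String roleName = commonName.substring(markerIdx + ROLE_CN_MARKER.length());
        if (roleName.isEmpty()) {
            LOG.error("allowAccess: missing role in x.509 subject: {}", commonName);
            return AccessCheckStatus.DENY_CERT_MISSING_ROLE_NAME;
        }
        List<String> roles = new ArrayList<>(1);
        roles.add(roleName);
        return allowActionZPE(action, domain, resource, roles, sb);
    }

    /**
     * Access check driven by a role or access token string, with no client certificate binding.
     */
    public static AccessCheckStatus allowAccess(String token, String resource, String action) {
        return allowAccess(token, null, null, resource, action, new StringBuilder(256));
    }

    /**
     * Access check driven by a role or access token string, with no client certificate binding.
     *
     * @param sb receives the name of the matching role, if any
     */
    public static AccessCheckStatus allowAccess(String token, String resource, String action, StringBuilder sb) {
        return allowAccess(token, null, null, resource, action, sb);
    }

    /**
     * Access check driven by a token string. Role tokens (prefix "v=Z1;") are validated with the
     * ZTS public key; anything else is parsed as an access token and, when a certificate or
     * certificate hash is given, bound to that certificate.
     *
     * @param token    role or access token (access tokens may carry a "Bearer " prefix)
     * @param cert     client certificate for mTLS-bound access tokens, or null
     * @param certHash certificate hash for mTLS-bound access tokens, or null
     * @param resource resource being accessed
     * @param action   action being performed
     * @param sb       receives the name of the matching role, if any
     * @return the check outcome
     */
    public static AccessCheckStatus allowAccess(String token, X509Certificate cert, String certHash, String resource,
            String action, StringBuilder sb) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("allowAccess: action={} resource={}", action, resource);
        }
        if (token == null) {
            LOG.error("allowAccess: Authorization denied. Token is null");
            return AccessCheckStatus.DENY_ROLETOKEN_INVALID;
        }
        if (token.startsWith(ROLE_TOKEN_PREFIX)) {
            return allowRoleTokenAccess(token, resource, action, sb);
        }
        return allowAccessTokenAccess(token, cert, certHash, resource, action, sb);
    }

    /**
     * Access check driven by a token string with optional certificate binding; see the six-argument overload.
     */
    public static AccessCheckStatus allowAccess(String token, X509Certificate cert, String certHash, String resource,
            String action) {
        return allowAccess(token, cert, certHash, resource, action, new StringBuilder());
    }

    /**
     * Validates (or fetches from cache) a role token and runs the policy check against its roles.
     * Expired cache entries are evicted, mirroring {@link #validateRoleToken(String)}.
     */
    static AccessCheckStatus allowRoleTokenAccess(String token, String resource, String action, StringBuilder sb) {
        Map<String, RoleToken> cache = zpeClt.getRoleTokenCacheMap();
        RoleToken roleToken = cache.get(token);
        if (roleToken != null && isTokenExpired(roleToken)) {
            cache.remove(token);
            return AccessCheckStatus.DENY_ROLETOKEN_EXPIRED;
        }
        if (roleToken == null) {
            roleToken = new RoleToken(token);
            if (!roleToken.validate(getZtsPublicKey(roleToken.getKeyId()), allowedOffset, false, (StringBuilder) null)) {
                if (isTokenExpired(roleToken)) {
                    return AccessCheckStatus.DENY_ROLETOKEN_EXPIRED;
                }
                LOG.error("allowAccess: Authorization denied. Authentication failed for token={}", roleToken.getUnsignedToken());
                return AccessCheckStatus.DENY_ROLETOKEN_INVALID;
            }
            addTokenToCache(cache, token, roleToken);
        }
        return allowAccess(roleToken, resource, action, sb);
    }

    /**
     * Validates (or fetches from cache) an access token and runs the policy check against its scope.
     * A cached token is re-confirmed against the presented certificate before it is used.
     */
    static AccessCheckStatus allowAccessTokenAccess(String token, X509Certificate cert, String certHash,
            String resource, String action, StringBuilder sb) {
        String rawToken = stripBearerPrefix(token);
        Map<String, AccessToken> cache = zpeClt.getAccessTokenCacheMap();
        AccessToken accessToken = cache.get(rawToken);
        if (accessToken != null && cert != null && !accessToken.confirmMTLSBoundToken(cert, certHash)) {
            LOG.error("allowAccess: mTLS Client certificate confirmation failed");
            return AccessCheckStatus.DENY_CERT_HASH_MISMATCH;
        }
        if (accessToken == null) {
            try {
                accessToken = newAccessToken(rawToken, cert, certHash);
                addTokenToCache(cache, rawToken, accessToken);
            } catch (CryptoException e) {
                // Must precede the generic catch so the certificate-hash code is still distinguishable.
                LOG.error("allowAccess: Authorization denied. Authentication failed for token={}", e.getMessage());
                return e.getCode() == 2 ? AccessCheckStatus.DENY_CERT_HASH_MISMATCH : AccessCheckStatus.DENY_ROLETOKEN_INVALID;
            } catch (Exception e) {
                LOG.error("allowAccess: Authorization denied. Authentication failed for token={}", e.getMessage());
                return AccessCheckStatus.DENY_ROLETOKEN_INVALID;
            }
        }
        return allowAccess(accessToken, resource, action, sb);
    }

    /**
     * Policy check for an already-validated role token: its domain and roles are used as-is.
     *
     * @return DENY_ROLETOKEN_INVALID for a null token, DENY_ROLETOKEN_EXPIRED for an expired one,
     *         otherwise the result of {@link #allowActionZPE}
     */
    public static AccessCheckStatus allowAccess(RoleToken roleToken, String resource, String action, StringBuilder sb) {
        if (roleToken == null) {
            LOG.error("allowAccess: Authorization denied. Token is null");
            return AccessCheckStatus.DENY_ROLETOKEN_INVALID;
        }
        if (isTokenExpired(roleToken)) {
            return AccessCheckStatus.DENY_ROLETOKEN_EXPIRED;
        }
        return allowActionZPE(action, roleToken.getDomain(), resource, roleToken.getRoles(), sb);
    }

    /**
     * Policy check for an already-validated access token: the audience is used as the domain and
     * the scope as the role list.
     *
     * @return DENY_ROLETOKEN_INVALID for a null token, DENY_ROLETOKEN_EXPIRED for an expired one,
     *         otherwise the result of {@link #allowActionZPE}
     */
    public static AccessCheckStatus allowAccess(AccessToken accessToken, String resource, String action, StringBuilder sb) {
        if (accessToken == null) {
            LOG.error("allowAccess: Authorization denied. Token is null");
            return AccessCheckStatus.DENY_ROLETOKEN_INVALID;
        }
        if (isTokenExpired(accessToken)) {
            return AccessCheckStatus.DENY_ROLETOKEN_EXPIRED;
        }
        return allowActionZPE(action, accessToken.getAudience(), resource, accessToken.getScope(), sb);
    }

    /**
     * Access check over several tokens. An explicit DENY from any token wins immediately; otherwise
     * the first ALLOW wins, and failing that the status of the last token checked is returned.
     *
     * @param tokens token strings to check; a null list is treated as an invalid token
     * @param sb     receives the matching role of the decisive token, if any
     */
    public static AccessCheckStatus allowAccess(List<String> tokens, String resource, String action, StringBuilder sb) {
        if (tokens == null) {
            LOG.error("allowAccess: Authorization denied. Token list is null");
            return AccessCheckStatus.DENY_ROLETOKEN_INVALID;
        }
        AccessCheckStatus result = AccessCheckStatus.DENY_NO_MATCH;
        CharSequence decisiveRole = null;
        for (String token : tokens) {
            StringBuilder roleOut = new StringBuilder(256);
            AccessCheckStatus status = allowAccess(token, resource, action, roleOut);
            if (status == AccessCheckStatus.DENY) {
                sb.append(roleOut);
                return status;
            }
            // Once an ALLOW has been seen, later non-DENY results must not overwrite it.
            if (result != AccessCheckStatus.ALLOW) {
                result = status;
                decisiveRole = roleOut;
            }
        }
        if (decisiveRole != null) {
            sb.append(decisiveRole);
        }
        return result;
    }

    /**
     * Returns true when the role token's expiry (seconds since epoch) is in the past.
     * An expiry of 0 means "never expires".
     */
    static boolean isTokenExpired(RoleToken roleToken) {
        long now = nowSeconds();
        long expiry = roleToken.getExpiryTime();
        if (expiry == 0 || expiry >= now) {
            return false;
        }
        LOG.error("ExpiryCheck: Token expired. now={} expiry={} token={}", now, expiry, roleToken.getUnsignedToken());
        return true;
    }

    /**
     * Returns true when the access token's expiry (seconds since epoch) is in the past.
     * An expiry of 0 means "never expires".
     */
    static boolean isTokenExpired(AccessToken accessToken) {
        long now = nowSeconds();
        long expiry = accessToken.getExpiryTime();
        if (expiry == 0 || expiry >= now) {
            return false;
        }
        LOG.error("ExpiryCheck: Token expired. now={} expiry={} token={}", now, expiry, accessToken.getClientId());
        return true;
    }

    /**
     * Validates an access token (optionally bound to a client certificate) and returns it, using the
     * token cache when possible.
     *
     * @return the validated token, or null when validation or certificate confirmation fails
     */
    public static AccessToken validateAccessToken(String token, X509Certificate cert, String certHash) {
        String rawToken = stripBearerPrefix(token);
        Map<String, AccessToken> cache = zpeClt.getAccessTokenCacheMap();
        AccessToken accessToken = cache.get(rawToken);
        if (accessToken != null && cert != null && !accessToken.confirmMTLSBoundToken(cert, certHash)) {
            return null;
        }
        if (accessToken == null) {
            try {
                accessToken = newAccessToken(rawToken, cert, certHash);
                addTokenToCache(cache, rawToken, accessToken);
            } catch (Exception e) {
                LOG.error("validateAccessToken: Access Token validation failed: {}", e.getMessage());
                return null;
            }
        }
        return accessToken;
    }

    /**
     * Validates a role token against the ZTS public key and returns it, using the token cache when
     * possible. Expired cache entries are evicted.
     *
     * @return the validated token, or null when validation fails
     */
    public static RoleToken validateRoleToken(String token) {
        Map<String, RoleToken> cache = zpeClt.getRoleTokenCacheMap();
        RoleToken roleToken = cache.get(token);
        if (roleToken != null && isTokenExpired(roleToken)) {
            cache.remove(token);
            roleToken = null;
        }
        if (roleToken == null) {
            roleToken = new RoleToken(token);
            if (!roleToken.validate(getZtsPublicKey(roleToken.getKeyId()), allowedOffset, false, (StringBuilder) null)) {
                return null;
            }
            addTokenToCache(cache, token, roleToken);
        }
        return roleToken;
    }

    /**
     * Strips a leading "&lt;domain&gt;:" from a resource name.
     *
     * @param resource     resource name, possibly domain-qualified
     * @param domain       domain the resource is expected to belong to
     * @param mismatchVal  value returned when the resource is qualified with a different domain
     * @return the unqualified resource, the input unchanged when it carries no domain, or
     *         {@code mismatchVal} on a domain mismatch
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public static String stripDomainPrefix(String resource, String domain, String mismatchVal) {
        int sep = resource.indexOf(':');
        if (sep == -1) {
            return resource;
        }
        if (!resource.substring(0, sep).equals(domain)) {
            return mismatchVal;
        }
        return resource.substring(sep + 1);
    }

    /**
     * Core policy evaluation. Deny assertions (role-specific, then wildcard-role) are evaluated
     * before allow assertions, so any matching deny wins.
     *
     * @param action   action being performed (compared case-insensitively)
     * @param domain   domain whose policies are consulted
     * @param resource resource being accessed (compared case-insensitively); a domain prefix must
     *                 match {@code domain} unless only one domain is loaded
     * @param roles    roles held by the caller
     * @param sb       receives the name of the matching role, if any
     * @return the check outcome
     */
    public static AccessCheckStatus allowActionZPE(String action, String domain, String resource, List<String> roles,
            StringBuilder sb) {
        String msgPrefix = "allowActionZPE: domain(" + domain + ") action(" + action + ") resource(" + resource + ")";
        if (roles == null || roles.isEmpty()) {
            LOG.error("{} ERROR: No roles so access denied", msgPrefix);
            return AccessCheckStatus.DENY_ROLETOKEN_INVALID;
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("{} roles({}) starting...", msgPrefix, String.join(",", roles));
        }
        if (domain == null || domain.isEmpty()) {
            LOG.error("{} ERROR: No domain so access denied", msgPrefix);
            return AccessCheckStatus.DENY_ROLETOKEN_INVALID;
        }
        if (action == null || action.isEmpty()) {
            LOG.error("{} ERROR: No action so access denied", msgPrefix);
            return AccessCheckStatus.DENY_INVALID_PARAMETERS;
        }
        String actionLc = action.toLowerCase();
        if (resource == null || resource.isEmpty()) {
            LOG.error("{} ERROR: No resource so access denied", msgPrefix);
            return AccessCheckStatus.DENY_INVALID_PARAMETERS;
        }
        String resourceLc = resource.toLowerCase();
        // With a single loaded domain a mismatched prefix is tolerated and the full resource is used.
        String resourceName = stripDomainPrefix(resourceLc, domain, zpeClt.getDomainCount() == 1 ? resourceLc : null);
        if (resourceName == null) {
            LOG.error("{} ERROR: Domain mismatch in token({}) and resource so access denied", msgPrefix, domain);
            return AccessCheckStatus.DENY_DOMAIN_MISMATCH;
        }

        AccessCheckStatus status = AccessCheckStatus.DENY_DOMAIN_NOT_FOUND;

        Map<String, List<Struct>> roleDeny = zpeClt.getRoleDenyAssertions(domain);
        if (roleDeny == null || roleDeny.isEmpty()) {
            status = statusForEmptyAssertions(status, roleDeny);
        } else {
            if (actionByRole(actionLc, domain, resourceName, roles, roleDeny, sb)) {
                return AccessCheckStatus.DENY;
            }
            status = AccessCheckStatus.DENY_NO_MATCH;
        }

        Map<String, List<Struct>> wildcardDeny = zpeClt.getWildcardDenyAssertions(domain);
        if (wildcardDeny == null || wildcardDeny.isEmpty()) {
            status = statusForEmptyAssertions(status, wildcardDeny);
        } else {
            if (actionByWildCardRole(actionLc, domain, resourceName, roles, wildcardDeny, sb)) {
                return AccessCheckStatus.DENY;
            }
            status = AccessCheckStatus.DENY_NO_MATCH;
        }

        Map<String, List<Struct>> roleAllow = zpeClt.getRoleAllowAssertions(domain);
        if (roleAllow == null || roleAllow.isEmpty()) {
            status = statusForEmptyAssertions(status, roleAllow);
        } else {
            if (actionByRole(actionLc, domain, resourceName, roles, roleAllow, sb)) {
                return AccessCheckStatus.ALLOW;
            }
            status = AccessCheckStatus.DENY_NO_MATCH;
        }

        Map<String, List<Struct>> wildcardAllow = zpeClt.getWildcardAllowAssertions(domain);
        if (wildcardAllow == null || wildcardAllow.isEmpty()) {
            status = statusForEmptyAssertions(status, wildcardAllow);
        } else {
            if (actionByWildCardRole(actionLc, domain, resourceName, roles, wildcardAllow, sb)) {
                return AccessCheckStatus.ALLOW;
            }
            status = AccessCheckStatus.DENY_NO_MATCH;
        }

        if (status == AccessCheckStatus.DENY_DOMAIN_NOT_FOUND) {
            LOG.error("{}: No role map found for domain={} so access denied", msgPrefix, domain);
        } else if (status == AccessCheckStatus.DENY_DOMAIN_EMPTY) {
            LOG.error("{}: No policy assertions for domain={} so access denied", msgPrefix, domain);
        }
        return status;
    }

    /**
     * Status update for an assertion map that is null or empty: a non-null empty map means the
     * domain is known but has no policies, unless a previous stage already found assertions.
     */
    private static AccessCheckStatus statusForEmptyAssertions(AccessCheckStatus current,
            Map<String, List<Struct>> assertions) {
        if (current != AccessCheckStatus.DENY_NO_MATCH && assertions != null) {
            return AccessCheckStatus.DENY_DOMAIN_EMPTY;
        }
        return current;
    }

    /**
     * Returns true if any assertion in the list matches both the action and the resource; on a
     * match {@code sb} is reset to hold {@code roleName}.
     *
     * @param assertions assertions holding precompiled ZpeMatch objects for action and resource
     * @param roleName   role name written to {@code sb} on a match
     * @param action     lower-cased action
     * @param resource   lower-cased, domain-stripped resource
     * @param sb         output for the matching role name
     * @param msgPrefix  log prefix; null when debug logging is off
     */
    static boolean matchAssertions(List<Struct> assertions, String roleName, String action, String resource,
            StringBuilder sb, String msgPrefix) {
        String assertAction = null;
        String assertResource = null;
        String policyName = null;
        for (Struct assertion : assertions) {
            if (LOG.isDebugEnabled()) {
                assertAction = assertion.getString(ZpeConsts.ZPE_FIELD_ACTION);
                assertResource = assertion.getString(ZpeConsts.ZPE_FIELD_RESOURCE);
                policyName = assertion.getString(ZpeConsts.ZPE_FIELD_POLICY_NAME);
                LOG.debug("{}: Process Assertion: policy({}) assert-action={} assert-resource={} assert-role={}",
                        msgPrefix, policyName, assertAction, assertResource, assertion.getString(ZpeConsts.ZPE_FIELD_ROLE));
            }
            ZpeMatch actionMatch = (ZpeMatch) assertion.get(ZpeConsts.ZPE_ACTION_MATCH_STRUCT);
            if (!actionMatch.matches(action)) {
                if (LOG.isDebugEnabled()) {
                    LOG.debug("{}: policy({}) regexpr-match: FAILed: assert-action({}) doesn't match action({})",
                            msgPrefix, policyName, assertAction, action);
                }
                continue;
            }
            ZpeMatch resourceMatch = (ZpeMatch) assertion.get(ZpeConsts.ZPE_RESOURCE_MATCH_STRUCT);
            if (resourceMatch.matches(resource)) {
                sb.setLength(0);
                sb.append(roleName);
                return true;
            }
            if (LOG.isDebugEnabled()) {
                LOG.debug("{}: policy({}) regexpr-match: FAILed: assert-resource({}) doesn't match resource({})",
                        msgPrefix, policyName, assertResource, resource);
            }
        }
        return false;
    }

    /**
     * Checks the assertions keyed by each of the caller's roles; returns true on the first match.
     */
    static boolean actionByRole(String action, String domain, String resource, List<String> roles,
            Map<String, List<Struct>> assertionsByRole, StringBuilder sb) {
        String msgPrefix = LOG.isDebugEnabled()
                ? "allowActionByRole: domain(" + domain + ") action(" + action + ") resource(" + resource + ")"
                : null;
        for (String role : roles) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("{}: Process role ({})", msgPrefix, role);
            }
            List<Struct> assertions = assertionsByRole.get(role);
            if (assertions == null || assertions.isEmpty()) {
                if (LOG.isDebugEnabled()) {
                    LOG.debug("{}: No policy assertions in domain={} for role={} so access denied", msgPrefix, domain, role);
                }
                continue;
            }
            if (matchAssertions(assertions, role, action, resource, sb, msgPrefix)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Checks assertions keyed by role patterns: for each caller role, every pattern whose
     * precompiled role matcher accepts the role has its assertions evaluated.
     */
    static boolean actionByWildCardRole(String action, String domain, String resource, List<String> roles,
            Map<String, List<Struct>> assertionsByPattern, StringBuilder sb) {
        String msgPrefix = LOG.isDebugEnabled()
                ? "allowActionByWildCardRole: domain(" + domain + ") action(" + action + ") resource(" + resource + ")"
                : null;
        for (String role : roles) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("{}: Process role ({})", msgPrefix, role);
            }
            for (Map.Entry<String, List<Struct>> entry : assertionsByPattern.entrySet()) {
                String rolePattern = entry.getKey();
                List<Struct> assertions = entry.getValue();
                if (assertions == null || assertions.isEmpty()) {
                    if (LOG.isDebugEnabled()) {
                        LOG.debug("{}: No policy assertions in domain={} for role={} so access denied", msgPrefix, domain, role);
                    }
                    continue;
                }
                // The role matcher is stored on the first assertion of each pattern's list.
                Struct first = assertions.get(0);
                ZpeMatch roleMatch = (ZpeMatch) first.get(ZpeConsts.ZPE_ROLE_MATCH_STRUCT);
                if (!roleMatch.matches(role)) {
                    if (LOG.isDebugEnabled()) {
                        LOG.debug("{}: policy({}) regexpr-match: FAILed: assert-role({}) doesnt match role({})",
                                msgPrefix, first.getString(ZpeConsts.ZPE_FIELD_POLICY_NAME), rolePattern, role);
                    }
                    continue;
                }
                if (matchAssertions(assertions, rolePattern, action, resource, sb, msgPrefix)) {
                    return true;
                }
            }
        }
        return false;
    }

    /**
     * Returns true when no CA issuers are configured, or when the certificate's issuer DN matches
     * one of the configured issuers.
     */
    static boolean certIssuerMatch(X509Certificate cert) {
        if (X509_ISSUERS_NAMES.isEmpty()) {
            return true;
        }
        String issuer = cert.getIssuerX500Principal().getName();
        if (issuerMatch(issuer)) {
            return true;
        }
        LOG.error("certIssuerMatch: missing or mismatch issuer {}", issuer);
        return false;
    }

    /**
     * Matches an issuer DN against the configured issuers, first as a whitespace-stripped string
     * and then as an unordered comparison of RDN lists of equal size.
     */
    static boolean issuerMatch(String issuer) {
        if (issuer == null || issuer.isEmpty()) {
            return false;
        }
        if (X509_ISSUERS_NAMES.contains(issuer.replaceAll("\\s+", ""))) {
            return true;
        }
        try {
            List<Rdn> issuerRdns = new LdapName(new X500Principal(issuer).getName()).getRdns();
            for (List<Rdn> allowed : X509_ISSUERS_RDNS) {
                if (allowed.size() == issuerRdns.size() && allowed.containsAll(issuerRdns)) {
                    return true;
                }
            }
            return false;
        } catch (InvalidNameException | IllegalArgumentException e) {
            // An unparseable DN is a mismatch, not an error.
            return false;
        }
    }

    /**
     * Stores a token in the cache unless the cache is full; a bound of 0 means unbounded.
     * Note that the cache is keyed by the raw token string.
     */
    static <T> void addTokenToCache(Map<String, T> cache, String token, T value) {
        if (maxTokenCacheSize == 0 || cache.size() < maxTokenCacheSize) {
            cache.put(token, value);
        }
    }

    /** Removes a leading "Bearer " from an access token header value, if present. */
    private static String stripBearerPrefix(String token) {
        return token.startsWith(BEARER_TOKEN) ? token.substring(BEARER_TOKEN.length()) : token;
    }

    /** Parses and validates an access token, binding it to the certificate when one is given. */
    private static AccessToken newAccessToken(String token, X509Certificate cert, String certHash) {
        if (cert == null && certHash == null) {
            return new AccessToken(token, accessSignKeyResolver);
        }
        return new AccessToken(token, accessSignKeyResolver, cert, certHash);
    }

    /** Current time in seconds since the epoch, the unit used by token expiry fields. */
    private static long nowSeconds() {
        return System.currentTimeMillis() / 1000;
    }

    /**
     * Command-line entry point: {@code AuthZpeClient <authz-token> <action> <resource>}.
     */
    public static void main(String[] args) {
        if (args.length != 3) {
            System.out.println("usage: AuthZpeClient <authz-token> <action> <resource>");
            System.exit(1);
        }
        String token = args[0];
        String action = args[1];
        String resource = args[2];
        StringBuilder sb = new StringBuilder();
        init();
        System.out.println(allowAccess(token, resource, action, sb).toString() + ":" + sb);
        System.exit(0);
    }

    static {
        // Malformed numeric properties throw here and fail class initialization, which is intended:
        // the library should not start with an unparseable configuration.
        setPublicKeyStoreFactoryClass(System.getProperty(ZpeConsts.ZPE_PROP_PUBLIC_KEY_CLASS, ZPE_PKEY_CLASS));
        setZPEClientClass(System.getProperty(ZpeConsts.ZPE_PROP_CLIENT_IMPL, ZPE_UPDATER_CLASS));
        setTokenAllowedOffset(Integer.parseInt(System.getProperty(ZpeConsts.ZPE_PROP_TOKEN_OFFSET, "300")));
        setTokenCacheMaxValue(Integer.parseInt(System.getProperty(ZpeConsts.ZPE_PROP_MAX_TOKEN_CACHE, "10240")));
        setX509CAIssuers(System.getProperty(ZpeConsts.ZPE_PROP_X509_CA_ISSUERS));
        setAccessTokenSignKeyResolver(null, null);
        setMillisBetweenZtsCalls(Long.parseLong(System.getProperty(ZpeConsts.ZPE_PROP_MILLIS_BETWEEN_ZTS_CALLS, Long.toString(1800000L))));
    }
}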
