package org.dcache.chimera.nfs.vfs;

import com.google.common.base.Function;
import com.google.common.base.Splitter;
import com.google.common.collect.Iterables;
import com.google.common.collect.Lists;
import java.io.IOException;
import java.net.InetAddress;
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import javax.security.auth.Subject;
import org.dcache.auth.Subjects;
import org.dcache.chimera.nfs.ChimeraNFSException;
import org.dcache.chimera.nfs.ExportFile;
import org.dcache.chimera.nfs.FsExport;
import org.dcache.chimera.nfs.NfsUser;
import org.dcache.chimera.nfs.v4.acl.Acls;
import org.dcache.chimera.nfs.v4.xdr.acemask4;
import org.dcache.chimera.nfs.v4.xdr.nfsace4;
import org.dcache.chimera.nfs.vfs.FileHandle;
import org.dcache.chimera.nfs.vfs.Stat;
import org.dcache.xdr.RpcAuth;
import org.dcache.xdr.RpcCall;
import org.dcache.xdr.gss.RpcAuthGss;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/dcache/chimera/nfs/vfs/PseudoFs.class */
public class PseudoFs implements VirtualFileSystem {
    private static final Logger _log = LoggerFactory.getLogger(PseudoFs.class);
    private final Subject _subject;
    private final InetAddress _inetAddress;
    private final VirtualFileSystem _inner;
    private final ExportFile _exportFile;
    private final RpcAuth _auth;
    private static final int BIT_MASK_OWNER_OFFSET = 6;
    private static final int BIT_MASK_GROUP_OFFSET = 3;
    private static final int BIT_MASK_OTHER_OFFSET = 0;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/dcache/chimera/nfs/vfs/PseudoFs$ConvertToRealInode.class */
    public class ConvertToRealInode implements Function<DirectoryEntry, DirectoryEntry> {
        private final PseudoFsNode _node;

        ConvertToRealInode(PseudoFsNode pseudoFsNode) {
            this._node = pseudoFsNode;
        }

        public DirectoryEntry apply(DirectoryEntry directoryEntry) {
            return new DirectoryEntry(directoryEntry.getName(), PseudoFs.pseudoIdToReal(directoryEntry.getInode(), PseudoFs.this.getIndexId(this._node)), directoryEntry.getStat());
        }
    }

    /* loaded from: input_file:org/dcache/chimera/nfs/vfs/PseudoFs$PushParentIndex.class */
    private class PushParentIndex implements Function<DirectoryEntry, DirectoryEntry> {
        private final Inode _inode;

        PushParentIndex(Inode inode) {
            this._inode = inode;
        }

        public DirectoryEntry apply(DirectoryEntry directoryEntry) {
            return new DirectoryEntry(directoryEntry.getName(), PseudoFs.this.pushExportIndex(this._inode, directoryEntry.getInode()), directoryEntry.getStat());
        }
    }

    public PseudoFs(VirtualFileSystem virtualFileSystem, RpcCall rpcCall, ExportFile exportFile) {
        this._inner = virtualFileSystem;
        this._subject = rpcCall.getCredential().getSubject();
        this._auth = rpcCall.getCredential();
        this._inetAddress = rpcCall.getTransport().getRemoteSocketAddress().getAddress();
        this._exportFile = exportFile;
    }

    private boolean canAccess(Inode inode, int i) {
        try {
            checkAccess(inode, i, false);
            return true;
        } catch (IOException e) {
            return false;
        }
    }

    @Override // org.dcache.chimera.nfs.vfs.VirtualFileSystem
    public int access(Inode inode, int i) throws IOException {
        int i2 = 0;
        if ((i & 1) != 0 && canAccess(inode, 1)) {
            i2 = 0 | 1;
        }
        if ((i & 2) != 0 && canAccess(inode, 32)) {
            i2 |= 2;
        }
        if ((i & 4) != 0 && canAccess(inode, 2)) {
            i2 |= 4;
        }
        if ((i & 32) != 0 && canAccess(inode, 32)) {
            i2 |= 32;
        }
        if ((i & 8) != 0 && canAccess(inode, 4)) {
            i2 |= 8;
        }
        if ((i & 16) != 0 && canAccess(inode, 64)) {
            i2 |= 16;
        }
        return i2 & this._inner.access(inode, i2);
    }

    @Override // org.dcache.chimera.nfs.vfs.VirtualFileSystem
    public Inode create(Inode inode, Stat.Type type, String str, int i, int i2, int i3) throws IOException {
        checkAccess(inode, 2);
        return pushExportIndex(inode, this._inner.create(inode, type, str, i, i2, i3));
    }

    @Override // org.dcache.chimera.nfs.vfs.VirtualFileSystem
    public FsStat getFsStat() throws IOException {
        return this._inner.getFsStat();
    }

    @Override // org.dcache.chimera.nfs.vfs.VirtualFileSystem
    public Inode getRootInode() throws IOException {
        if (this._exportFile.exportsFor(this._inetAddress).isEmpty()) {
            _log.warn("Access denied: (no export) fs root for client {}", this._inetAddress);
            throw new ChimeraNFSException(13, "no exports");
        }
        Inode rootInode = this._inner.getRootInode();
        FsExport export = this._exportFile.getExport("/", this._inetAddress);
        return export == null ? realToPseudo(rootInode) : pushExportIndex(rootInode, export.getIndex());
    }

    @Override // org.dcache.chimera.nfs.vfs.VirtualFileSystem
    public Inode lookup(Inode inode, String str) throws IOException {
        checkAccess(inode, 32);
        return inode.isPesudoInode() ? lookupInPseudoDirectory(inode, str) : pushExportIndex(inode, this._inner.lookup(inode, str));
    }

    @Override // org.dcache.chimera.nfs.vfs.VirtualFileSystem
    public Inode link(Inode inode, Inode inode2, String str, int i, int i2) throws IOException {
        checkAccess(inode, 2);
        return pushExportIndex(inode, this._inner.link(inode, inode2, str, i, i2));
    }

    @Override // org.dcache.chimera.nfs.vfs.VirtualFileSystem
    public List<DirectoryEntry> list(Inode inode) throws IOException {
        checkAccess(inode, 1);
        return inode.isPesudoInode() ? listPseudoDirectory(inode) : Lists.transform(this._inner.list(inode), new PushParentIndex(inode));
    }

    @Override // org.dcache.chimera.nfs.vfs.VirtualFileSystem
    public Inode mkdir(Inode inode, String str, int i, int i2, int i3) throws IOException {
        checkAccess(inode, 4);
        return pushExportIndex(inode, this._inner.mkdir(inode, str, i, i2, i3));
    }

    @Override // org.dcache.chimera.nfs.vfs.VirtualFileSystem
    public void move(Inode inode, String str, Inode inode2, String str2) throws IOException {
        checkAccess(inode, 64);
        checkAccess(inode2, 66);
        this._inner.move(inode, str, inode2, str2);
    }

    @Override // org.dcache.chimera.nfs.vfs.VirtualFileSystem
    public Inode parentOf(Inode inode) throws IOException {
        return pushExportIndex(inode, this._inner.parentOf(inode));
    }

    @Override // org.dcache.chimera.nfs.vfs.VirtualFileSystem
    public int read(Inode inode, byte[] bArr, long j, int i) throws IOException {
        checkAccess(inode, 1);
        return this._inner.read(inode, bArr, j, i);
    }

    @Override // org.dcache.chimera.nfs.vfs.VirtualFileSystem
    public String readlink(Inode inode) throws IOException {
        checkAccess(inode, 1);
        return this._inner.readlink(inode);
    }

    @Override // org.dcache.chimera.nfs.vfs.VirtualFileSystem
    public boolean remove(Inode inode, String str) throws IOException {
        try {
            checkAccess(inode, 64);
        } catch (ChimeraNFSException e) {
            if (e.getStatus() != 13) {
                throw e;
            }
            checkAccess(pushExportIndex(inode, this._inner.lookup(inode, str)), 65536);
        }
        return this._inner.remove(inode, str);
    }

    @Override // org.dcache.chimera.nfs.vfs.VirtualFileSystem
    public Inode symlink(Inode inode, String str, String str2, int i, int i2, int i3) throws IOException {
        checkAccess(inode, 2);
        return pushExportIndex(inode, this._inner.symlink(inode, str, str2, i, i2, i3));
    }

    @Override // org.dcache.chimera.nfs.vfs.VirtualFileSystem
    public int write(Inode inode, byte[] bArr, long j, int i) throws IOException {
        checkAccess(inode, 2);
        return this._inner.write(inode, bArr, j, i);
    }

    @Override // org.dcache.chimera.nfs.vfs.VirtualFileSystem
    public Stat getattr(Inode inode) throws IOException {
        checkAccess(inode, 128);
        return this._inner.getattr(inode);
    }

    @Override // org.dcache.chimera.nfs.vfs.VirtualFileSystem
    public void setattr(Inode inode, Stat stat) throws IOException {
        checkAccess(inode, 256);
        this._inner.setattr(inode, stat);
    }

    @Override // org.dcache.chimera.nfs.vfs.VirtualFileSystem
    public nfsace4[] getAcl(Inode inode) throws IOException {
        checkAccess(inode, 131072);
        return this._inner.getAcl(inode);
    }

    @Override // org.dcache.chimera.nfs.vfs.VirtualFileSystem
    public void setAcl(Inode inode, nfsace4[] nfsace4VarArr) throws IOException {
        checkAccess(inode, 262144);
        this._inner.setAcl(inode, nfsace4VarArr);
    }

    @Override // org.dcache.chimera.nfs.vfs.VirtualFileSystem
    public boolean hasIOLayout(Inode inode) throws IOException {
        return this._inner.hasIOLayout(inode);
    }

    private void checkAccess(Inode inode, int i) throws IOException {
        checkAccess(inode, i, true);
    }

    private void checkAccess(Inode inode, int i, boolean z) throws IOException {
        Subject subject = this._subject;
        Stat stat = this._inner.getattr(inode);
        boolean z2 = false;
        if (inode.isPesudoInode() && Acls.wantModify(i)) {
            if (z) {
                _log.warn("Access denied: pseudo Inode {} {} {}", new Object[]{inode, acemask4.toString(i), subject});
            }
            throw new ChimeraNFSException(30, "attempt to modify pseudofs");
        }
        if (!inode.isPesudoInode()) {
            int exportIndex = getExportIndex(inode);
            FsExport export = this._exportFile.getExport(exportIndex, this._inetAddress);
            if (exportIndex != 0 && export == null) {
                if (z) {
                    _log.warn("Access denied: (no export) to inode {} for client {}", inode, this._inetAddress);
                }
                throw new ChimeraNFSException(13, "permission deny");
            }
            checkSecurityFlavor(this._auth, export.getSec());
            if (export.ioMode() == FsExport.IO.RO && Acls.wantModify(i)) {
                if (z) {
                    _log.warn("Access denied: (RO export) inode {} for client {}", inode, this._inetAddress);
                }
                throw new ChimeraNFSException(13, "read-only export");
            }
            if (!export.isTrusted() && Subjects.isRoot(this._subject)) {
                subject = NfsUser.NFS_NOBODY;
            }
            if (export.checkAcls()) {
                z2 = ((ChimeraVfs) this._inner).checkAclAccess(this._subject, inode, i);
            }
        }
        if (z2) {
            return;
        }
        int unixToAccessmask = unixToAccessmask(subject, stat);
        if ((unixToAccessmask & i) != i) {
            if (z) {
                _log.warn("Access denied: {} {} {} {}", new Object[]{inode, acemask4.toString(i), acemask4.toString(unixToAccessmask), this._subject});
            }
            throw new ChimeraNFSException(13, "permission deny");
        }
    }

    private int unixToAccessmask(Subject subject, Stat stat) {
        int mode = stat.getMode();
        boolean z = (mode & 16384) == 16384;
        return Subjects.isRoot(subject) ? Acls.toAccessMask(7, z, true) : Subjects.hasUid(subject, (long) stat.getUid()) ? Acls.toAccessMask(mode >> 6, z, true) : Subjects.hasGid(subject, (long) stat.getGid()) ? Acls.toAccessMask(mode >> 3, z, false) : Acls.toAccessMask(mode >> 0, z, false);
    }

    private Inode lookupInPseudoDirectory(Inode inode, String str) throws IOException {
        PseudoFsNode child;
        for (PseudoFsNode pseudoFsNode : prepareExportTree()) {
            if (pseudoFsNode.id().equals(inode) && (child = pseudoFsNode.getChild(str)) != null) {
                return child.isMountPoint() ? pseudoIdToReal(child.id(), getIndexId(child)) : child.id();
            }
        }
        throw new ChimeraNFSException(2, "");
    }

    public static Inode pseudoIdToReal(Inode inode, int i) {
        return new Inode(new FileHandle.FileHandleBuilder().setExportIdx(i).setType(0).build(inode.getFileId()));
    }

    /* JADX INFO: Access modifiers changed from: private */
    public int getIndexId(PseudoFsNode pseudoFsNode) {
        return pseudoFsNode.getExports().get(0).getIndex();
    }

    private List<DirectoryEntry> listPseudoDirectory(Inode inode) throws ChimeraNFSException, IOException {
        for (PseudoFsNode pseudoFsNode : prepareExportTree()) {
            if (pseudoFsNode.id().equals(inode)) {
                if (pseudoFsNode.isMountPoint()) {
                    return Lists.transform(this._inner.list(inode), new ConvertToRealInode(pseudoFsNode));
                }
                ArrayList arrayList = new ArrayList();
                for (String str : pseudoFsNode.getChildren()) {
                    PseudoFsNode child = pseudoFsNode.getChild(str);
                    Inode id = child.id();
                    arrayList.add(new DirectoryEntry(str, child.isMountPoint() ? pseudoIdToReal(id, getIndexId(child)) : id, this._inner.getattr(id)));
                }
                return arrayList;
            }
        }
        throw new ChimeraNFSException(2, "");
    }

    private Inode pushExportIndex(Inode inode, int i) {
        return new Inode(new FileHandle.FileHandleBuilder().setExportIdx(i).setType(0).build(inode.getFileId()));
    }

    /* JADX INFO: Access modifiers changed from: private */
    public Inode pushExportIndex(Inode inode, Inode inode2) {
        return pushExportIndex(inode2, getExportIndex(inode));
    }

    private int getExportIndex(Inode inode) {
        if (inode.handleVersion() != 0) {
            return inode.exportIndex();
        }
        FsExport fsExport = (FsExport) Iterables.getFirst(this._exportFile.exportsFor(this._inetAddress), (Object) null);
        if (fsExport == null) {
            return -1;
        }
        return fsExport.getIndex();
    }

    private Inode realToPseudo(Inode inode) {
        return realToPseudo(inode, 0);
    }

    private Inode realToPseudo(Inode inode, int i) {
        return new Inode(new FileHandle.FileHandleBuilder().setExportIdx(i).setType(1).build(inode.getFileId()));
    }

    private void pathToPseudoFs(PseudoFsNode pseudoFsNode, Set<PseudoFsNode> set, FsExport fsExport) throws IOException {
        PseudoFsNode pseudoFsNode2 = pseudoFsNode;
        String path = fsExport.getPath();
        if (fsExport.getPath().equals("/")) {
            pseudoFsNode.addExport(fsExport);
            return;
        }
        Splitter omitEmptyStrings = Splitter.on('/').omitEmptyStrings();
        HashSet hashSet = new HashSet();
        for (String str : omitEmptyStrings.split(path)) {
            try {
                PseudoFsNode child = pseudoFsNode2.getChild(str);
                if (child == null) {
                    child = new PseudoFsNode(realToPseudo(this._inner.lookup(pseudoFsNode2.id(), str)));
                    pseudoFsNode2.addChild(str, child);
                    hashSet.add(child);
                }
                pseudoFsNode2 = child;
            } catch (IOException e) {
                return;
            }
        }
        set.addAll(hashSet);
        pseudoFsNode2.setId(pseudoIdToReal(pseudoFsNode2.id(), fsExport.getIndex()));
        pseudoFsNode2.addExport(fsExport);
    }

    private Set<PseudoFsNode> prepareExportTree() throws ChimeraNFSException, IOException {
        Collection<FsExport> exportsFor = this._exportFile.exportsFor(this._inetAddress);
        if (exportsFor.isEmpty()) {
            _log.warn("No exports found for: {}", this._inetAddress);
            throw new ChimeraNFSException(13, "");
        }
        HashSet hashSet = new HashSet();
        PseudoFsNode pseudoFsNode = new PseudoFsNode(realToPseudo(this._inner.getRootInode()));
        Iterator<FsExport> it = exportsFor.iterator();
        while (it.hasNext()) {
            pathToPseudoFs(pseudoFsNode, hashSet, it.next());
        }
        hashSet.add(pseudoFsNode);
        return hashSet;
    }

    private static void checkSecurityFlavor(RpcAuth rpcAuth, FsExport.Sec sec) throws ChimeraNFSException {
        FsExport.Sec sec2;
        switch (rpcAuth.type()) {
            case 0:
                sec2 = FsExport.Sec.NONE;
                break;
            case 1:
                sec2 = FsExport.Sec.SYS;
                break;
            case 6:
                RpcAuthGss rpcAuthGss = (RpcAuthGss) rpcAuth;
                switch (rpcAuthGss.getService()) {
                    case 1:
                        sec2 = FsExport.Sec.KRB5;
                        break;
                    case 2:
                        sec2 = FsExport.Sec.KRB5I;
                        break;
                    case 3:
                        sec2 = FsExport.Sec.KRB5P;
                        break;
                    default:
                        throw new ChimeraNFSException(1, "Unsupported Authentication GSS service: " + rpcAuthGss.getService());
                }
            default:
                throw new ChimeraNFSException(1, "Unsupported Authentication flavor: " + rpcAuth.type());
        }
        if (sec2.compareTo(sec) < 0) {
            throw new ChimeraNFSException(1, "Authentication flavor too weak: allowed <" + sec + "> provided <" + sec2 + ">");
        }
    }
}
