package org.dcache.ftp.door;

import diskCacheV111.util.CacheException;
import diskCacheV111.util.PermissionDeniedCacheException;
import dmg.util.CommandExitException;
import java.io.IOException;
import java.nio.charset.Charset;
import java.util.Base64;
import javax.security.auth.Subject;
import org.dcache.auth.LoginNamePrincipal;
import org.dcache.dss.DssContext;
import org.dcache.dss.DssContextFactory;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/dcache/ftp/door/GssFtpDoorV1.class */
public abstract class GssFtpDoorV1 extends AbstractFtpDoorV1 {
    public static final String GLOBUS_URL_COPY_DEFAULT_USER = ":globus-mapping:";
    protected Subject subject;
    protected String gssFlavor;
    protected DssContext context;
    private DssContextFactory dssContextFactory;
    private static final Logger LOGGER = LoggerFactory.getLogger(GssFtpDoorV1.class);
    private static final Charset UTF8 = Charset.forName("UTF-8");

    public GssFtpDoorV1(String str, String str2, String str3, DssContextFactory dssContextFactory) {
        super(str, str2);
        this.gssFlavor = str3;
        this.dssContextFactory = dssContextFactory;
    }

    @Override // org.dcache.ftp.door.AbstractFtpDoorV1
    protected void secure_reply(String str, String str2) {
        byte[] bytes = (str + "\r\n").getBytes(UTF8);
        try {
            println(str2 + " " + Base64.getEncoder().encodeToString(this.context.wrap(bytes, 0, bytes.length)));
        } catch (IOException e) {
            reply("500 Reply encryption error: " + e);
        }
    }

    @Help("AUTH <SP> <arg> - Initiate secure context negotiation.")
    public void ftp_auth(String str) throws FTPCommandException {
        LOGGER.info("GssFtpDoorV1::secure_reply: going to authorize using {}", this.gssFlavor);
        if (!str.equals("GSSAPI")) {
            throw new FTPCommandException(504, "Authenticating method not supported");
        }
        if (this.context != null && this.context.isEstablished()) {
            throw new FTPCommandException(534, "Already authenticated");
        }
        try {
            this.context = this.dssContextFactory.create(this._remoteSocketAddress, this._localSocketAddress);
            reply("334 ADAT must follow");
        } catch (IOException e) {
            LOGGER.error("Unable to initialise service context: {}", e.toString());
            throw new FTPCommandException(431, "Internal error");
        }
    }

    @Help("ADAT <SP> <arg> - Supply context negotation data.")
    public void ftp_adat(String str) {
        if (str == null || str.length() <= 0) {
            reply("501 ADAT must have data");
            return;
        }
        if (this.context == null) {
            reply("503 Send AUTH first");
            return;
        }
        try {
            byte[] accept = this.context.accept(Base64.getDecoder().decode(str));
            this.subject = this.context.getSubject();
            if (accept != null) {
                if (this.context.isEstablished()) {
                    reply("235 ADAT=" + Base64.getEncoder().encodeToString(accept));
                    return;
                } else {
                    reply("335 ADAT=" + Base64.getEncoder().encodeToString(accept));
                    return;
                }
            }
            if (!this.context.isEstablished()) {
                reply("335 ADAT=");
            } else {
                LOGGER.info("GssFtpDoorV1::ftp_adat: security context established with {}", this.subject);
                reply("235 OK");
            }
        } catch (IOException e) {
            LOGGER.trace("Authentication failed", e);
            reply("535 Authentication failed: " + e.getMessage());
        }
    }

    @Help("CCC - Switch control channel to cleartext.")
    public void ftp_ccc(String str) {
        reply("533 CCC must be protected");
    }

    @Help("MIC <SP> <arg> - Integrity protected command.")
    public void ftp_mic(String str) throws CommandExitException {
        secure_command(str, "mic");
    }

    @Help("ENC <SP> <arg> - Privacy protected command.")
    public void ftp_enc(String str) throws CommandExitException {
        secure_command(str, "enc");
    }

    @Help("CONF <SP> <arg> - Confidentiality protection command.")
    public void ftp_conf(String str) throws CommandExitException {
        secure_command(str, "conf");
    }

    public void secure_command(String str, String str2) throws CommandExitException {
        if (str == null || str.length() <= 0) {
            reply("500 Wrong syntax of " + str2 + " command");
            return;
        }
        if (this.context == null || !this.context.isEstablished()) {
            reply("503 Security context is not established");
            return;
        }
        try {
            byte[] unwrap = this.context.unwrap(Base64.getDecoder().decode(str));
            int length = unwrap.length;
            while (length > 0 && unwrap[length - 1] == 0) {
                length--;
            }
            String trim = new String(unwrap, 0, length, UTF8).trim();
            if (!trim.toLowerCase().startsWith("pass") || trim.length() == 4) {
                this._commandLine = str2.toUpperCase() + "{" + trim + "}";
            } else {
                this._commandLine = str2.toUpperCase() + "{" + trim.substring(0, 4) + " ...}";
            }
            if (trim.equalsIgnoreCase("CCC")) {
                this._gReplyType = "clear";
                reply("200 OK");
            } else {
                this._gReplyType = str2;
                ftpcommand(trim);
            }
        } catch (IOException e) {
            reply("500 Can not decrypt command: " + e);
            LOGGER.error("GssFtpDoorV1::secure_command: got IOException: {}", e.getMessage());
        }
    }

    @Override // org.dcache.ftp.door.AbstractFtpDoorV1
    public void ftp_user(String str) {
        if (str.equals("")) {
            reply(err("USER", str));
            return;
        }
        if (this.context == null || !this.context.isEstablished()) {
            reply("530 Authentication required");
            return;
        }
        Subject subject = this.context.getSubject();
        subject.getPrincipals().add(this._origin);
        if (!str.equals(GLOBUS_URL_COPY_DEFAULT_USER)) {
            subject.getPrincipals().add(new LoginNamePrincipal(str));
        }
        try {
            login(subject);
            reply("200 User " + str + " logged in", this.subject);
        } catch (CacheException e) {
            LOGGER.error("Login failed for {}: {}", this.context.getPeerName(), e.getMessage());
            println("530 Login failed: " + e.getMessage());
        } catch (PermissionDeniedCacheException e2) {
            LOGGER.warn("Login denied for {}: {}", this.context.getPeerName(), e2.getMessage());
            println("530 Login denied");
        }
    }

    @Override // org.dcache.ftp.door.AbstractFtpDoorV1
    public void ftp_pass(String str) {
        LOGGER.debug("GssFtpDoorV1::ftp_pass: PASS is a no-op with GSSAPI authentication.");
        if (this.subject != null) {
            reply(ok("PASS"));
        } else {
            reply("500 Send USER first");
        }
    }
}
