package org.dcache.webdav.transfer;

import com.google.common.base.Joiner;
import diskCacheV111.util.CacheException;
import diskCacheV111.util.FileNotFoundCacheException;
import diskCacheV111.util.FsPath;
import diskCacheV111.util.PermissionDeniedCacheException;
import diskCacheV111.util.PnfsHandler;
import eu.emi.security.authn.x509.X509Credential;
import io.milton.http.Filter;
import io.milton.http.FilterChain;
import io.milton.http.Request;
import io.milton.http.Response;
import io.milton.http.exceptions.BadRequestException;
import io.milton.servlet.ServletRequest;
import java.net.URI;
import java.net.URISyntaxException;
import java.security.AccessController;
import java.util.Collections;
import java.util.EnumSet;
import java.util.HashMap;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.concurrent.TimeUnit;
import java.util.stream.Collectors;
import javax.security.auth.Subject;
import javax.servlet.http.HttpServletRequest;
import org.dcache.acl.enums.AccessMask;
import org.dcache.auth.Subjects;
import org.dcache.auth.attributes.Restriction;
import org.dcache.cells.CellStub;
import org.dcache.namespace.FileAttribute;
import org.dcache.namespace.FileType;
import org.dcache.vehicles.FileAttributes;
import org.dcache.webdav.AuthenticationHandler;
import org.dcache.webdav.PathMapper;
import org.dcache.webdav.transfer.RemoteTransferHandler;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Required;

/* loaded from: input_file:org/dcache/webdav/transfer/CopyFilter.class */
public class CopyFilter implements Filter {
    private static final String QUERY_KEY_ASKED_TO_DELEGATE = "asked-to-delegate";
    private static final String REQUEST_HEADER_CREDENTIAL = "Credential";
    private PnfsHandler _pnfs;
    private CredentialServiceClient _credentialService;
    private PathMapper _pathMapper;
    private RemoteTransferHandler _remoteTransfers;
    private static final Logger _log = LoggerFactory.getLogger(CopyFilter.class);
    private static final Set<AccessMask> READ_ACCESS_MASK = EnumSet.of(AccessMask.READ_DATA);
    private static final Set<AccessMask> WRITE_ACCESS_MASK = EnumSet.of(AccessMask.WRITE_DATA);
    private static final Set<AccessMask> CREATE_ACCESS_MASK = EnumSet.of(AccessMask.ADD_FILE);

    /* loaded from: input_file:org/dcache/webdav/transfer/CopyFilter$CredentialSource.class */
    public enum CredentialSource {
        GRIDSITE("gridsite"),
        NONE("none");

        private static final Map<String, CredentialSource> SOURCE_FOR_HEADER = new HashMap();
        private final String _headerValue;

        public static CredentialSource forHeaderValue(String str) {
            return SOURCE_FOR_HEADER.get(str);
        }

        public static Iterable<String> headerValues() {
            return SOURCE_FOR_HEADER.keySet();
        }

        CredentialSource(String str) {
            this._headerValue = str;
        }

        public String getHeaderValue() {
            return this._headerValue;
        }

        static {
            for (CredentialSource credentialSource : values()) {
                SOURCE_FOR_HEADER.put(credentialSource.getHeaderValue(), credentialSource);
            }
        }
    }

    @Required
    public void setPathMapper(PathMapper pathMapper) {
        this._pathMapper = pathMapper;
    }

    @Required
    public void setPnfsStub(CellStub cellStub) {
        this._pnfs = new PnfsHandler(cellStub);
    }

    @Required
    public void setCredentialServiceClient(CredentialServiceClient credentialServiceClient) {
        this._credentialService = credentialServiceClient;
    }

    @Required
    public void setRemoteTransferHandler(RemoteTransferHandler remoteTransferHandler) {
        this._remoteTransfers = remoteTransferHandler;
    }

    public void process(FilterChain filterChain, Request request, Response response) {
        try {
            if (isRequestThirdPartyCopy(request)) {
                processThirdPartyCopy(request, response);
            } else {
                filterChain.process(request, response);
            }
        } catch (ErrorResponseException e) {
            response.sendError(e.getStatus(), e.getMessage());
        } catch (BadRequestException e2) {
            response.sendError(Response.Status.SC_BAD_REQUEST, e2.getMessage());
        } catch (InterruptedException e3) {
            response.sendError(Response.Status.SC_SERVICE_UNAVAILABLE, "dCache is shutting down");
        }
    }

    public static boolean isRequestThirdPartyCopy(Request request) throws BadRequestException {
        if (request.getMethod() != Request.Method.COPY) {
            return false;
        }
        URI remoteLocation = getRemoteLocation();
        return (remoteLocation.getScheme() == null || remoteLocation.getHost() == null) ? false : true;
    }

    private static RemoteTransferHandler.Direction getDirection() throws BadRequestException {
        HttpServletRequest request = ServletRequest.getRequest();
        String header = request.getHeader(RemoteTransferHandler.Direction.PULL.getHeaderName());
        String header2 = request.getHeader(RemoteTransferHandler.Direction.PUSH.getHeaderName());
        if (header == null && header2 == null) {
            throw new BadRequestException("COPY request is missing both " + RemoteTransferHandler.Direction.PUSH.getHeaderName() + " and " + RemoteTransferHandler.Direction.PULL.getHeaderName() + " request headers");
        }
        if (header == null || header2 == null) {
            return header2 != null ? RemoteTransferHandler.Direction.PUSH : RemoteTransferHandler.Direction.PULL;
        }
        throw new BadRequestException("COPY request contains both " + RemoteTransferHandler.Direction.PUSH.getHeaderName() + " and " + RemoteTransferHandler.Direction.PULL.getHeaderName() + " request headers");
    }

    private static URI getRemoteLocation() throws BadRequestException {
        RemoteTransferHandler.Direction direction = getDirection();
        try {
            return new URI(ServletRequest.getRequest().getHeader(direction.getHeaderName()));
        } catch (URISyntaxException e) {
            throw new BadRequestException(direction.getHeaderName() + " request header contains an invalid URI: " + e.getMessage());
        }
    }

    private void processThirdPartyCopy(Request request, Response response) throws BadRequestException, InterruptedException, ErrorResponseException {
        RemoteTransferHandler.Direction direction = getDirection();
        URI remoteLocation = getRemoteLocation();
        RemoteTransferHandler.TransferType fromScheme = RemoteTransferHandler.TransferType.fromScheme(remoteLocation.getScheme());
        if (fromScheme == null) {
            throw new ErrorResponseException(Response.Status.SC_BAD_REQUEST, "The " + direction.getHeaderName() + " request header URI contains unsupported scheme; supported schemes are " + Joiner.on(", ").join(RemoteTransferHandler.TransferType.validSchemes()));
        }
        if (remoteLocation.getPath() == null) {
            throw new ErrorResponseException(Response.Status.SC_BAD_REQUEST, direction.getHeaderName() + " header is missing a path");
        }
        FsPath asDcachePath = this._pathMapper.asDcachePath(ServletRequest.getRequest(), request.getAbsolutePath());
        checkPath(asDcachePath, direction);
        CredentialSource credentialSource = getCredentialSource(request, fromScheme);
        X509Credential fetchCredential = fetchCredential(credentialSource);
        if (fetchCredential != null || credentialSource == CredentialSource.NONE) {
            this._remoteTransfers.acceptRequest(response.getOutputStream(), request.getHeaders(), getSubject(), asDcachePath, remoteLocation, fetchCredential, direction);
        } else {
            redirectWithDelegation(response);
        }
    }

    private CredentialSource getCredentialSource(Request request, RemoteTransferHandler.TransferType transferType) throws ErrorResponseException {
        String str = (String) request.getHeaders().get(REQUEST_HEADER_CREDENTIAL);
        CredentialSource forHeaderValue = str != null ? CredentialSource.forHeaderValue(str) : transferType.getDefaultCredentialSource();
        if (forHeaderValue == null) {
            throw new ErrorResponseException(Response.Status.SC_BAD_REQUEST, "HTTP header 'Credential' has unknown value \"" + str + "\".  Valid values are: " + Joiner.on(',').join(CredentialSource.headerValues()));
        }
        if (transferType.isSupported(forHeaderValue)) {
            return forHeaderValue;
        }
        throw new ErrorResponseException(Response.Status.SC_BAD_REQUEST, "HTTP header 'Credential' value \"" + str + "\" is not supported for transport " + transferType.getScheme());
    }

    private X509Credential fetchCredential(CredentialSource credentialSource) throws InterruptedException, ErrorResponseException {
        switch (credentialSource) {
            case GRIDSITE:
                Subject subject = Subject.getSubject(AccessController.getContext());
                String dn = Subjects.getDn(subject);
                if (dn == null) {
                    throw new ErrorResponseException(Response.Status.SC_UNAUTHORIZED, "user must present valid X.509 certificate");
                }
                return this._credentialService.getDelegatedCredential(dn, Objects.toString(Subjects.getPrimaryFqan(subject), null), 20, TimeUnit.MINUTES);
            case NONE:
                return null;
            default:
                throw new RuntimeException("Unsupported source " + credentialSource);
        }
    }

    private void redirectWithDelegation(Response response) {
        HttpServletRequest request = ServletRequest.getRequest();
        if (hasClientAlreadyBeenRedirected(request)) {
            _log.debug("client failed to delegate a credential before re-requesting the COPY");
            response.sendError(Response.Status.SC_UNAUTHORIZED, "client failed to delegate a credential");
            return;
        }
        try {
            response.setNonStandardHeader("X-Delegate-To", (String) this._credentialService.getDelegationEndpoints().stream().map((v0) -> {
                return v0.toASCIIString();
            }).collect(Collectors.joining(" ")));
            response.sendRedirect(buildRedirectUrl(request));
        } catch (IllegalArgumentException e) {
            _log.debug(e.getMessage());
            response.sendError(Response.Status.SC_INTERNAL_SERVER_ERROR, e.getMessage());
        }
    }

    private String buildRedirectUrl(HttpServletRequest httpServletRequest) {
        Map parameterMap = httpServletRequest.getParameterMap();
        try {
            URI uri = new URI(httpServletRequest.getRequestURL().toString());
            HashMap hashMap = new HashMap(parameterMap);
            hashMap.put(QUERY_KEY_ASKED_TO_DELEGATE, new String[]{"true"});
            StringBuilder sb = new StringBuilder();
            for (Map.Entry entry : hashMap.entrySet()) {
                String str = (String) entry.getKey();
                String[] strArr = (String[]) entry.getValue();
                if (sb.length() > 0 && strArr.length > 0) {
                    sb.append('&');
                }
                for (String str2 : strArr) {
                    sb.append(str).append("=").append(str2);
                }
            }
            try {
                return new URI(uri.getScheme(), uri.getAuthority(), uri.getPath(), sb.toString(), null).toASCIIString();
            } catch (URISyntaxException e) {
                throw new IllegalArgumentException("cannot create redirection URI: " + e.getReason(), e);
            }
        } catch (URISyntaxException e2) {
            throw new IllegalArgumentException("cannot parse request URI: " + e2.getReason(), e2);
        }
    }

    private boolean hasClientAlreadyBeenRedirected(HttpServletRequest httpServletRequest) {
        return httpServletRequest.getParameter(QUERY_KEY_ASKED_TO_DELEGATE) != null;
    }

    private boolean clientAllowsOverwrite() throws ErrorResponseException {
        String header = ServletRequest.getRequest().getHeader("Overwrite");
        if (header == null) {
            return true;
        }
        boolean z = -1;
        switch (header.hashCode()) {
            case 70:
                if (header.equals("F")) {
                    z = true;
                    break;
                }
                break;
            case 84:
                if (header.equals("T")) {
                    z = false;
                    break;
                }
                break;
        }
        switch (z) {
            case false:
                return true;
            case true:
                return false;
            default:
                throw new ErrorResponseException(Response.Status.SC_BAD_REQUEST, "Invalid Overwrite request header value: must be either 'T' or 'F'");
        }
    }

    private void checkPath(FsPath fsPath, RemoteTransferHandler.Direction direction) throws ErrorResponseException {
        FileAttributes fileAttributes;
        PnfsHandler pnfsHandler = new PnfsHandler(this._pnfs, getSubject(), getRestriction());
        boolean clientAllowsOverwrite = clientAllowsOverwrite();
        try {
            try {
                fileAttributes = pnfsHandler.getFileAttributes(fsPath.toString(), EnumSet.of(FileAttribute.PNFSID, FileAttribute.TYPE), direction == RemoteTransferHandler.Direction.PUSH ? READ_ACCESS_MASK : WRITE_ACCESS_MASK, false);
            } catch (FileNotFoundCacheException e) {
                if (direction == RemoteTransferHandler.Direction.PUSH) {
                    throw new ErrorResponseException(Response.Status.SC_NOT_FOUND, "no such file");
                }
                pnfsHandler.getFileAttributes(fsPath.parent().toString(), Collections.emptySet(), CREATE_ACCESS_MASK, false);
            }
            if (fileAttributes.getFileType() != FileType.REGULAR) {
                throw new ErrorResponseException(Response.Status.SC_BAD_REQUEST, "Not a file");
            }
            if (direction == RemoteTransferHandler.Direction.PULL) {
                if (!clientAllowsOverwrite) {
                    throw new ErrorResponseException(Response.Status.SC_PRECONDITION_FAILED, "File already exists");
                }
                try {
                    pnfsHandler.deletePnfsEntry(fileAttributes.getPnfsId(), fsPath.toString(), EnumSet.of(FileType.REGULAR));
                } catch (FileNotFoundCacheException e2) {
                }
            }
        } catch (CacheException e3) {
            _log.error("failed query file {} for copy request: {}", fsPath, e3.getMessage());
            throw new ErrorResponseException(Response.Status.SC_INTERNAL_SERVER_ERROR, "Internal problem with server");
        } catch (PermissionDeniedCacheException e4) {
            _log.debug("Permission denied: {}", e4.getMessage());
            throw new ErrorResponseException(Response.Status.SC_UNAUTHORIZED, "Permission denied");
        }
    }

    private Subject getSubject() {
        return Subject.getSubject(AccessController.getContext());
    }

    private Restriction getRestriction() {
        return (Restriction) ServletRequest.getRequest().getAttribute(AuthenticationHandler.DCACHE_RESTRICTION_ATTRIBUTE);
    }
}
