package org.dcache.auth.util;

import com.google.common.base.Objects;
import com.google.common.base.Preconditions;
import java.io.File;
import java.io.IOException;
import java.security.cert.CRLException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.HashMap;
import java.util.Iterator;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.glite.voms.PKIStore;
import org.glite.voms.PKIVerifier;
import org.glite.voms.VOMSAttribute;
import org.glite.voms.VOMSValidator;
import org.glite.voms.ac.ACValidator;
import org.globus.gsi.gssapi.GSSConstants;
import org.globus.gsi.gssapi.auth.AuthorizationException;
import org.gridforum.jgss.ExtendedGSSContext;
import org.gridforum.jgss.ExtendedGSSCredential;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.slf4j.MDC;

/* loaded from: input_file:org/dcache/auth/util/GSSUtils.class */
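/**
 * Helpers for extracting VOMS fully-qualified attribute names (FQANs) from a
 * Globus GSS context, a GSS credential, or a raw X.509 certificate chain.
 *
 * <p>Attribute certificates are validated with a {@link PKIVerifier} built from a
 * VOMS directory and a CA directory (see {@link #getPkiVerifier}). One verifier is
 * cached per directory pair for the lifetime of the JVM.
 *
 * <p>Thread-safety: {@link #getPkiVerifier} is synchronized on the class and is the
 * only method that touches the shared cache; the remaining methods keep no state.
 */
public class GSSUtils {
    /** System property consulted for the VOMS directory when the caller passes {@code null}. */
    static final String SYS_VOMSDIR = "VOMSDIR";
    /** System property consulted for the CA directory when the caller passes {@code null}. */
    static final String SYS_CADIR = "CADIR";
    /** Trailing FQAN component that carries no information and is stripped. */
    static final String CAPNULL = "/Capability=NULL";
    /** Trailing FQAN component that carries no information and is stripped. */
    static final String ROLENULL = "/Role=NULL";

    /*
     * PKIStore type codes exactly as passed by the original code: 1 when opening the
     * VOMS directory, 2 when opening the CA directory. NOTE(review): presumably these
     * match the library's own store-type constants — confirm against the PKIStore in use.
     */
    private static final int VOMSDIR_STORE_TYPE = 1;
    private static final int CADIR_STORE_TYPE = 2;

    /**
     * Verifiers keyed by resolved (vomsDir, caDir). Entries are added by
     * {@link #getPkiVerifier} and never removed, so a verifier built while one of the
     * directories was missing or empty stays in use until the JVM restarts.
     * Guarded by the class monitor.
     */
    private static final Map<PKIKey, PKIVerifier> verifiers = new HashMap<PKIKey, PKIVerifier>();

    /**
     * Cache key: the resolved (vomsDir, caDir) pair.
     *
     * <p>The decompiler reports this class was originally {@code private}; it stays
     * {@code public} here so no existing reference breaks, but its constructor is
     * private so it can only be created from within {@link GSSUtils}.
     */
    public static final class PKIKey {
        private final String vomsDir;
        private final String caDir;

        /**
         * @param vomsDir explicit VOMS directory, or {@code null} to fall back to the
         *     {@code VOMSDIR} system property and then {@code PKIStore.DEFAULT_VOMSDIR}
         * @param caDir explicit CA directory, or {@code null} to fall back to the
         *     {@code CADIR} system property and then {@code PKIStore.DEFAULT_CADIR}
         * @throws NullPointerException if no value at all can be resolved for a directory
         */
        private PKIKey(String vomsDir, String caDir) {
            this.vomsDir = resolveDir(vomsDir, GSSUtils.SYS_VOMSDIR, PKIStore.DEFAULT_VOMSDIR);
            this.caDir = resolveDir(caDir, GSSUtils.SYS_CADIR, PKIStore.DEFAULT_CADIR);
        }

        /**
         * Returns the first non-null of: the explicit value, the named system property,
         * the library default.
         *
         * @throws NullPointerException if all three are {@code null}
         */
        private static String resolveDir(String explicit, String systemProperty, String fallback) {
            String value = explicit != null ? explicit : System.getProperty(systemProperty);
            return Preconditions.checkNotNull(value != null ? value : fallback);
        }

        @Override
        public String toString() {
            return Objects.toStringHelper(PKIKey.class)
                    .add("vomsDir", this.vomsDir)
                    .add("caDir", this.caDir)
                    .toString();
        }

        @Override
        public boolean equals(Object obj) {
            if (!(obj instanceof PKIKey)) {
                return false;
            }
            PKIKey other = (PKIKey) obj;
            // Both fields are non-null by construction (see resolveDir).
            return this.vomsDir.equals(other.vomsDir) && this.caDir.equals(other.caDir);
        }

        @Override
        public int hashCode() {
            return (33 * this.vomsDir.hashCode()) ^ this.caDir.hashCode();
        }
    }

    /**
     * Extracts the FQANs carried by the peer certificate chain of an established GSS
     * context.
     *
     * @param vomsDir VOMS directory, or {@code null} for the property/default fallback
     * @param caDir CA directory, or {@code null} for the property/default fallback
     * @param context context whose {@code X509_CERT_CHAIN} attribute is inquired
     * @return the FQANs, in attribute-certificate order, with the trailing
     *     {@code /Role=NULL} and {@code /Capability=NULL} components removed
     * @throws AuthorizationException if the chain cannot be read from the context or
     *     the VOMS attributes cannot be validated
     */
    public static Iterable<String> getFQANsFromGSSContext(String vomsDir, String caDir,
            ExtendedGSSContext context) throws AuthorizationException {
        X509Certificate[] chain;
        try {
            chain = (X509Certificate[]) context.inquireByOid(GSSConstants.X509_CERT_CHAIN);
        } catch (GSSException e) {
            // Keep the original message but attach the real cause for diagnosis.
            AuthorizationException failure = new AuthorizationException(
                    "Could not extract certificate chain from context " + e.getMessage() + "\n" + e.getCause());
            failure.initCause(e);
            throw failure;
        }
        // Validation runs outside the try so its own AuthorizationException is not
        // re-wrapped under the misleading "could not extract certificate chain" message.
        return extractFQANs(vomsDir, caDir, chain);
    }

    /**
     * Extracts the FQANs carried by the certificate chain of a GSS credential.
     *
     * @param vomsDir VOMS directory, or {@code null} for the property/default fallback
     * @param caDir CA directory, or {@code null} for the property/default fallback
     * @param credential credential to inspect; only an {@link ExtendedGSSCredential}
     *     exposes its chain
     * @return the FQANs as for {@link #getFQANsFromGSSContext}, or an empty list when
     *     the credential is not extended or exposes no chain
     * @throws GSSException if inquiring the chain fails
     * @throws AuthorizationException if the VOMS attributes cannot be validated
     */
    public static Iterable<String> getFQANsFromGSSCredential(String vomsDir, String caDir,
            GSSCredential credential) throws GSSException, AuthorizationException {
        X509Certificate[] chain = null;
        if (credential instanceof ExtendedGSSCredential) {
            chain = (X509Certificate[]) ((ExtendedGSSCredential) credential)
                    .inquireByOid(GSSConstants.X509_CERT_CHAIN);
        }
        return chain == null ? Collections.<String>emptyList() : extractFQANs(vomsDir, caDir, chain);
    }

    /**
     * Validates the VOMS attribute certificates embedded in {@code chain} and returns
     * their FQANs.
     *
     * @param vomsDir VOMS directory, or {@code null} for the property/default fallback
     * @param caDir CA directory, or {@code null} for the property/default fallback
     * @param chain client certificate chain handed to the VOMS validator
     * @return the FQANs, in attribute-certificate order, with the trailing
     *     {@code /Role=NULL} and {@code /Capability=NULL} components removed
     * @throws AuthorizationException on any failure: the message is the generic
     *     "Could not validate role." and the underlying exception is attached as cause
     */
    public static Iterable<String> extractFQANs(String vomsDir, String caDir, X509Certificate[] chain)
            throws AuthorizationException {
        try {
            VOMSValidator validator = new VOMSValidator((X509Certificate[]) null,
                    new ACValidator(getPkiVerifier(vomsDir, caDir)));
            validator.setClientChain(chain).parse();
            return getFQANSfromVOMSAttributes(validator.getVOMSAttributes());
        } catch (Exception e) {
            if (e instanceof AuthorizationException) {
                // Already the right type: propagate unchanged instead of re-wrapping.
                throw (AuthorizationException) e;
            }
            // Fail closed: any failure (store I/O, bad attribute certificate, runtime
            // error inside the VOMS library) denies the role. The message stays generic
            // so no internal detail reaches the peer; the cause is kept for the logs.
            AuthorizationException failure = new AuthorizationException("Could not validate role.");
            failure.initCause(e);
            throw failure;
        }
    }

    /**
     * Collects the FQANs of all attributes, de-duplicated and in first-seen order.
     *
     * @param attributes validated VOMS attributes; {@code null} is treated as empty
     * @return the normalised FQANs (see {@link #stripNullComponents})
     */
    private static Set<String> getFQANSfromVOMSAttributes(List<VOMSAttribute> attributes) {
        Set<String> fqans = new LinkedHashSet<String>();
        if (attributes == null) {
            return fqans;
        }
        for (VOMSAttribute attribute : attributes) {
            for (String fqan : attribute.getFullyQualifiedAttributes()) {
                fqans.add(stripNullComponents(fqan));
            }
        }
        return fqans;
    }

    /**
     * Drops a trailing {@code /Capability=NULL} and then a trailing {@code /Role=NULL}
     * from an FQAN; the order matters because the capability component comes last.
     */
    private static String stripNullComponents(String fqan) {
        String result = fqan;
        if (result.endsWith(CAPNULL)) {
            result = result.substring(0, result.length() - CAPNULL.length());
        }
        if (result.endsWith(ROLENULL)) {
            result = result.substring(0, result.length() - ROLENULL.length());
        }
        return result;
    }

    /**
     * Returns the cached {@link PKIVerifier} for the given directory pair, building
     * and caching it on first use.
     *
     * <p>A store is only opened for a directory that exists, is a directory and is
     * non-empty; otherwise {@code null} is passed to the verifier for that store (what
     * the verifier does with a {@code null} store is up to the library). Because the
     * result is cached for the JVM lifetime, directories that are populated later are
     * not picked up until a restart.
     *
     * @param vomsDir VOMS directory, or {@code null} for the property/default fallback
     * @param caDir CA directory, or {@code null} for the property/default fallback
     * @return the verifier for this directory pair, never {@code null}
     * @throws IOException if a store cannot be read
     * @throws CertificateException if a store holds an unparsable certificate
     * @throws CRLException if a store holds an unparsable CRL
     */
    public static synchronized PKIVerifier getPkiVerifier(String vomsDir, String caDir)
            throws IOException, CertificateException, CRLException {
        PKIKey key = new PKIKey(vomsDir, caDir);
        PKIVerifier verifier = verifiers.get(key);
        if (verifier != null) {
            return verifier;
        }
        // The MDC is cleared while the stores load and restored afterwards, whatever
        // happens (presumably so the library's log lines do not inherit the calling
        // request's diagnostic context — the original does not say why).
        Map<String, String> savedContext = MDC.getCopyOfContextMap();
        try {
            MDC.clear();
            PKIStore vomsStore = openStoreIfPopulated(key.vomsDir, VOMSDIR_STORE_TYPE);
            PKIStore caStore = openStoreIfPopulated(key.caDir, CADIR_STORE_TYPE);
            verifier = new PKIVerifier(vomsStore, caStore);
            verifiers.put(key, verifier);
        } finally {
            if (savedContext != null) {
                MDC.setContextMap(savedContext);
            }
        }
        return verifier;
    }

    /**
     * Opens a {@link PKIStore} over {@code dir} when it is an existing, non-empty
     * directory; returns {@code null} otherwise.
     *
     * @param dir directory path
     * @param storeType PKIStore type code ({@link #VOMSDIR_STORE_TYPE} or
     *     {@link #CADIR_STORE_TYPE})
     */
    private static PKIStore openStoreIfPopulated(String dir, int storeType)
            throws IOException, CertificateException, CRLException {
        File directory = new File(dir);
        if (!directory.isDirectory()) {
            return null;
        }
        // File.list() returns null when the directory cannot be read; treat that
        // like an empty directory rather than failing with a NullPointerException.
        String[] entries = directory.list();
        if (entries == null || entries.length == 0) {
            return null;
        }
        return new PKIStore(dir, storeType);
    }
}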
