package org.dcache.auth.gplazma;

import com.google.common.base.Preconditions;
import com.google.common.collect.Iterables;
import java.io.File;
import java.io.IOException;
import java.security.Principal;
import java.util.Properties;
import java.util.Set;
import javax.security.auth.kerberos.KerberosPrincipal;
import org.dcache.auth.GidPrincipal;
import org.dcache.auth.KAuthFile;
import org.dcache.auth.LoginNamePrincipal;
import org.dcache.auth.PasswordCredential;
import org.dcache.auth.UidPrincipal;
import org.dcache.auth.UserAuthRecord;
import org.dcache.auth.UserNamePrincipal;
import org.dcache.auth.UserPwdRecord;
import org.dcache.auth.attributes.HomeDirectory;
import org.dcache.auth.attributes.Restrictions;
import org.dcache.auth.attributes.RootDirectory;
import org.dcache.gplazma.AuthenticationException;
import org.dcache.gplazma.plugins.GPlazmaAccountPlugin;
import org.dcache.gplazma.plugins.GPlazmaAuthenticationPlugin;
import org.dcache.gplazma.plugins.GPlazmaMappingPlugin;
import org.dcache.gplazma.plugins.GPlazmaSessionPlugin;
import org.globus.gsi.gssapi.jaas.GlobusPrincipal;

/* loaded from: input_file:org/dcache/auth/gplazma/KpwdPlugin.class */
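/**
 * gPlazma plugin that authenticates, maps, accounts and builds sessions from a kpwd file.
 *
 * <p>The file location comes from the {@code gplazma.kpwd.file} property. The parsed file is
 * cached and re-read when its modification time is not older than the last load.
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>{@link #authenticate} accepts any password for records flagged anonymous.</li>
 *   <li>Failure messages distinguish "unknown user", "wrong password" and "account is disabled";
 *       NOTE(review): confirm these are only logged server-side and not returned to the client,
 *       otherwise they disclose which login names exist and their state.</li>
 *   <li>If the kpwd file disappears after a successful load, the cached records stay in effect
 *       (see {@link #getAuthFile()}).</li>
 * </ul>
 */
public class KpwdPlugin implements GPlazmaAuthenticationPlugin, GPlazmaMappingPlugin, GPlazmaAccountPlugin, GPlazmaSessionPlugin {
    private static final String KPWD = "gplazma.kpwd.file";
    private final File _kpwdFile;
    private long _cacheTime;
    private KAuthFile _cacheAuthFile;

    /**
     * Creates a plugin backed by the file named in the {@code gplazma.kpwd.file} property.
     *
     * @param properties plugin configuration; must contain {@code gplazma.kpwd.file}
     * @throws IllegalArgumentException if the property is missing
     */
    public KpwdPlugin(Properties properties) {
        String property = properties.getProperty(KPWD, null);
        Preconditions.checkArgument(property != null, "gplazma.kpwd.file argument must be specified");
        this._kpwdFile = new File(property);
    }

    /**
     * Creates a plugin around an already parsed file; with no backing file it is never reloaded.
     *
     * @param kAuthFile the records to serve
     */
    KpwdPlugin(KAuthFile kAuthFile) {
        this._cacheAuthFile = kAuthFile;
        this._kpwdFile = null;
    }

    /**
     * Returns the parsed kpwd file, reloading it when the file on disk may have changed.
     *
     * @return the cached or freshly loaded records
     * @throws AuthenticationException if the file cannot be read
     */
    private synchronized KAuthFile getAuthFile() throws AuthenticationException {
        try {
            // File.lastModified() returns 0 when the file is missing or unreadable, so once a
            // load has succeeded a deleted file does NOT trigger a reload: the previously cached
            // records (including passwords) remain valid until the file reappears.
            if (this._kpwdFile != null && this._kpwdFile.lastModified() >= this._cacheTime) {
                // Sample the clock BEFORE reading. Stamping the cache after the read would give
                // an edit made while the file was being parsed an mtime older than the cache
                // time, and that edit (e.g. a disabled account) would never be picked up.
                // Filesystems with coarse mtime resolution can still hide an edit made within
                // the same timestamp tick as the load.
                long loadStarted = System.currentTimeMillis();
                this._cacheAuthFile = new KAuthFile(this._kpwdFile.getPath());
                this._cacheTime = loadStarted;
            }
            return this._cacheAuthFile;
        } catch (IOException e) {
            throw new AuthenticationException(String.format("failed to read %s: %s", this._kpwdFile.getName(), e.getMessage()), e);
        }
    }

    /**
     * Checks a username/password credential against the kpwd records.
     *
     * <p>On success, and also for a disabled account, a {@code KpwdPrincipal} for the record is
     * added to {@code set3} before the disabled check runs.
     *
     * @param set not read by this plugin
     * @param set2 credentials; the first {@code PasswordCredential} found is used
     * @param set3 principals; receives the {@code KpwdPrincipal} of the matched record
     * @throws AuthenticationException if no password credential is present, the user is unknown,
     *     the password is wrong, or the account is disabled
     */
    public void authenticate(Set<Object> set, Set<Object> set2, Set<Principal> set3) throws AuthenticationException {
        PasswordCredential credential = Iterables.getFirst(Iterables.filter(set2, PasswordCredential.class), null);
        org.dcache.gplazma.util.Preconditions.checkAuthentication(credential != null, "no username and password");
        String username = credential.getUsername();
        UserPwdRecord record = getAuthFile().getUserPwdRecord(username);
        // NOTE(review): username is caller-supplied and is embedded verbatim in the message;
        // confirm downstream logging neutralises control characters.
        org.dcache.gplazma.util.Preconditions.checkAuthentication(record != null, username + " is unknown");
        // Anonymous and disabled records skip password verification. For disabled records the
        // request is rejected below, but with "account is disabled" rather than "wrong password",
        // so that state is reported without the caller proving knowledge of the password.
        boolean passwordAccepted = record.isAnonymous()
                || record.isDisabled()
                || record.passwordIsValid(String.valueOf(credential.getPassword()));
        org.dcache.gplazma.util.Preconditions.checkAuthentication(passwordAccepted, "wrong password");
        // The principal is added before the disabled check, so it stays in set3 even when this
        // call fails; map() and account() both re-check the disabled flag.
        set3.add(new KpwdPrincipal(record));
        org.dcache.gplazma.util.Preconditions.checkAuthentication(!record.isDisabled(), "account is disabled");
    }

    /**
     * Maps the identified principals to a kpwd record and adds user name, uid and gid principals.
     *
     * <p>If {@code set} already holds a {@code KpwdPrincipal} it is reused. Otherwise exactly one
     * X509, Kerberos or user-name principal is required, optionally with one login name; the
     * record for the login name must list that principal as a secure identity.
     *
     * @param set principals; read for identities and extended with the mapping result
     * @throws AuthenticationException if the principals are ambiguous or missing, the login name
     *     is unknown or not permitted for the identity, or the account is disabled
     */
    public void map(Set<Principal> set) throws AuthenticationException {
        KpwdPrincipal kpwdPrincipal = findKpwdPrincipal(set);
        if (kpwdPrincipal == null) {
            KAuthFile authFile = getAuthFile();
            String loginName = null;
            Principal identity = null;
            for (Principal candidate : set) {
                if (candidate instanceof LoginNamePrincipal) {
                    // A second login name is the actual conflict here; describing it through the
                    // identity principal produced an empty or misleading message.
                    org.dcache.gplazma.util.Preconditions.checkAuthentication(loginName == null, "multiple " + nameFor(candidate) + " principals found");
                    loginName = candidate.getName();
                } else if (candidate instanceof GlobusPrincipal
                        || candidate instanceof KerberosPrincipal
                        || candidate instanceof UserNamePrincipal) {
                    // Only one identity-bearing principal may be present, whatever its kind.
                    org.dcache.gplazma.util.Preconditions.checkAuthentication(identity == null, errorMessage(identity, candidate));
                    identity = candidate;
                }
            }
            org.dcache.gplazma.util.Preconditions.checkAuthentication(identity != null, "no mappable principals");
            if (loginName == null) {
                loginName = authFile.getIdMapping(identity.getName());
                org.dcache.gplazma.util.Preconditions.checkAuthentication(loginName != null, "no login name");
            }
            UserAuthRecord userRecord = authFile.getUserRecord(loginName);
            org.dcache.gplazma.util.Preconditions.checkAuthentication(userRecord != null, "unknown login name: " + loginName);
            // Authorisation gate: a requested login name is honoured only when the record lists
            // this identity.
            org.dcache.gplazma.util.Preconditions.checkAuthentication(userRecord.hasSecureIdentity(identity.getName()), "not allowed to login as " + loginName);
            // NOTE(review): this writes to a record obtained from the cached KAuthFile. Whether
            // getUserRecord returns a copy is not visible here; if the record is shared,
            // concurrent logins for the same login name can overwrite each other's DN.
            userRecord.DN = identity.getName();
            kpwdPrincipal = new KpwdPrincipal(userRecord);
        }
        set.add(kpwdPrincipal);
        org.dcache.gplazma.util.Preconditions.checkAuthentication(!kpwdPrincipal.isDisabled, "account disabled");
        set.add(new UserNamePrincipal(kpwdPrincipal.getName()));
        set.add(new UidPrincipal(kpwdPrincipal.uid));
        // The first gid is added with the flag set, every following gid with it cleared.
        boolean first = true;
        for (long gid : kpwdPrincipal.gids) {
            set.add(new GidPrincipal(gid, first));
            first = false;
        }
    }

    /** Returns the first {@code KpwdPrincipal} in {@code principals}, or {@code null} if none. */
    private static KpwdPrincipal findKpwdPrincipal(Set<Principal> principals) {
        return Iterables.getFirst(Iterables.filter(principals, KpwdPrincipal.class), null);
    }

    /**
     * Describes a conflict between two principals.
     *
     * @return an empty string if either argument is {@code null}, otherwise a message naming
     *     both kinds (or "multiple ..." when they are of the same kind)
     */
    private static String errorMessage(Principal principal, Principal principal2) {
        if (principal == null || principal2 == null) {
            return "";
        }
        String firstKind = nameFor(principal);
        String secondKind = nameFor(principal2);
        if (firstKind.equals(secondKind)) {
            return "multiple " + secondKind + " principals found";
        }
        return firstKind + " and " + secondKind + " principals found";
    }

    /** Returns "Kerberos", "X509", or the simple class name for any other principal type. */
    private static String nameFor(Principal principal) {
        if (principal instanceof KerberosPrincipal) {
            return "Kerberos";
        }
        if (principal instanceof GlobusPrincipal) {
            return "X509";
        }
        return principal.getClass().getSimpleName();
    }

    /**
     * Rejects the login if a {@code KpwdPrincipal} is present and flagged disabled.
     *
     * <p>A login without any {@code KpwdPrincipal} passes this check.
     *
     * @param set principals identified so far
     * @throws AuthenticationException if the account is disabled
     */
    public void account(Set<Principal> set) throws AuthenticationException {
        KpwdPrincipal kpwdPrincipal = findKpwdPrincipal(set);
        org.dcache.gplazma.util.Preconditions.checkAuthentication(kpwdPrincipal == null || !kpwdPrincipal.isDisabled, "account disabled");
    }

    /**
     * Adds home directory, root directory and, for read-only records, a read-only restriction.
     *
     * @param set principals; must contain a {@code KpwdPrincipal}
     * @param set2 session attributes; receives the directories and optional restriction
     * @throws AuthenticationException if no {@code KpwdPrincipal} is present
     */
    public void session(Set<Principal> set, Set<Object> set2) throws AuthenticationException {
        KpwdPrincipal kpwdPrincipal = findKpwdPrincipal(set);
        org.dcache.gplazma.util.Preconditions.checkAuthentication(kpwdPrincipal != null, "no record found");
        set2.add(new HomeDirectory(kpwdPrincipal.home));
        set2.add(new RootDirectory(kpwdPrincipal.root));
        if (kpwdPrincipal.isReadOnly) {
            set2.add(Restrictions.readOnly());
        }
    }
}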
