package org.dcache.gplazma.plugins;

import com.google.common.base.Preconditions;
import java.io.IOException;
import java.security.Principal;
import java.security.cert.CRLException;
import java.security.cert.CertPath;
import java.security.cert.CertificateException;
import java.util.Arrays;
import java.util.Base64;
import java.util.Iterator;
import java.util.List;
import java.util.Properties;
import java.util.Random;
import java.util.Set;
import java.util.stream.Collectors;
import org.dcache.auth.FQANPrincipal;
import org.dcache.gplazma.AuthenticationException;
import org.dcache.gplazma.util.CertPaths;
import org.italiangrid.voms.VOMSValidators;
import org.italiangrid.voms.ac.VOMSACValidator;
import org.italiangrid.voms.ac.VOMSValidationResult;
import org.italiangrid.voms.error.VOMSValidationErrorMessage;
import org.italiangrid.voms.store.VOMSTrustStores;
import org.italiangrid.voms.util.CertificateValidatorBuilder;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/dcache/gplazma/plugins/VomsPlugin.class */
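/**
 * gPlazma authentication plugin that validates VOMS attribute certificates (ACs)
 * carried in an X.509 certificate chain and maps every FQAN of a valid AC to an
 * {@link FQANPrincipal}.
 *
 * <p>Configuration:
 * <ul>
 *   <li>{@code gplazma.vomsdir.ca} - directory of trust anchors (CA certificates)</li>
 *   <li>{@code gplazma.vomsdir.dir} - VOMS trust store directory (vomsdir)</li>
 * </ul>
 *
 * <p>When an AC fails validation, the detailed VOMS error messages go to the log
 * only; the client-facing {@link AuthenticationException} carries just a short
 * random "failure id" that lets an operator find the matching log entry.
 */
public class VomsPlugin implements GPlazmaAuthenticationPlugin {
    private static final Logger LOG = LoggerFactory.getLogger(VomsPlugin.class);
    private static final String CADIR = "gplazma.vomsdir.ca";
    private static final String VOMSDIR = "gplazma.vomsdir.dir";

    /** Random bytes per failure id; 3 bytes encode to 4 unpadded base64 characters. */
    private static final int FAILURE_ID_BYTES = 3;

    private final String caDir;
    private final String vomsDir;

    /** Created by {@link #start()}, shut down by {@link #stop()}; null outside that window. */
    private VOMSACValidator validator;

    /*
     * Source of the failure ids. The ids only correlate the rejection message
     * with the WARN log line; they are not secrets and protect nothing, so a
     * plain Random is sufficient here.
     */
    private final Random random = new Random();

    /**
     * Reads the trust-anchor and vomsdir locations from {@code properties}.
     *
     * <p>The declared exceptions are kept for API compatibility; the constructor
     * itself only reads properties and does not throw them.
     *
     * @param properties plugin configuration
     * @throws IllegalArgumentException if either required property is undefined
     */
    public VomsPlugin(Properties properties) throws CertificateException, CRLException, IOException {
        caDir = properties.getProperty(CADIR);
        vomsDir = properties.getProperty(VOMSDIR);
        Preconditions.checkArgument(caDir != null, "Undefined property: gplazma.vomsdir.ca");
        Preconditions.checkArgument(vomsDir != null, "Undefined property: gplazma.vomsdir.dir");
    }

    /** Builds the VOMS AC validator from the configured vomsdir and trust-anchor directory. */
    public void start() {
        validator = VOMSValidators.newValidator(
                VOMSTrustStores.newTrustStore(Arrays.asList(vomsDir)),
                new CertificateValidatorBuilder().trustAnchorsDir(caDir).build());
    }

    /**
     * Shuts the validator down. Safe to call when {@link #start()} was never
     * invoked (or failed), in which case there is nothing to release.
     */
    public void stop() {
        if (validator != null) {
            validator.shutdown();
        }
    }

    /**
     * Validates the VOMS ACs of every X.509 certificate path among the public
     * credentials and adds one {@link FQANPrincipal} per FQAN of each valid AC.
     * The very first FQAN found (across all chains) is marked as primary.
     *
     * <p>Invalid ACs are logged with a short failure id. They only cause
     * rejection when no valid FQAN was found at all; if at least one valid AC
     * was seen, the failures are logged and otherwise ignored.
     *
     * @param publicCredentials credentials searched for X.509 certificate paths
     * @param privateCredentials not consulted by this plugin
     * @param identifiedPrincipals receives the FQAN principals
     * @throws AuthenticationException if no certificate chain was supplied, if
     *     no FQAN was found, or if every AC failed validation (the message then
     *     lists the failure ids of the logged warnings)
     */
    public void authenticate(Set<Object> publicCredentials, Set<Object> privateCredentials,
            Set<Principal> identifiedPrincipals) throws AuthenticationException {
        boolean sawCertPath = false;
        boolean sawFqan = false;
        boolean nextIsPrimary = true;     // only the first FQAN overall becomes the primary one
        StringBuilder failureIds = null;  // stays null until the first invalid AC
        boolean multipleFailures = false;

        for (Object credential : publicCredentials) {
            if (!CertPaths.isX509CertPath(credential)) {
                continue;
            }
            sawCertPath = true;
            for (VOMSValidationResult result
                    : validator.validateWithResult(CertPaths.getX509Certificates((CertPath) credential))) {
                if (result.isValid()) {
                    for (String fqan : result.getAttributes().getFQANs()) {
                        sawFqan = true;
                        identifiedPrincipals.add(new FQANPrincipal(fqan, nextIsPrimary));
                        nextIsPrimary = false;
                    }
                } else {
                    // Detailed errors are logged; the client only learns the id.
                    String id = newFailureId();
                    LOG.warn("Validation failure {}: {}", id, buildErrorMessage(result.getValidationErrors()));
                    if (failureIds == null) {
                        failureIds = new StringBuilder(id);
                    } else {
                        failureIds.append(", ").append(id);
                        multipleFailures = true;
                    }
                }
            }
        }

        if (failureIds != null && !sawFqan) {
            throw new AuthenticationException(
                    "validation " + (multipleFailures ? "failures" : "failure") + ": " + failureIds);
        }
        org.dcache.gplazma.util.Preconditions.checkAuthentication(sawCertPath, "no X509 certificate chain");
        org.dcache.gplazma.util.Preconditions.checkAuthentication(sawFqan, "no FQANs");
    }

    /** Returns a short random token that pairs a rejection message with its WARN log entry. */
    private String newFailureId() {
        byte[] bytes = new byte[FAILURE_ID_BYTES];
        random.nextBytes(bytes);
        return Base64.getEncoder().withoutPadding().encodeToString(bytes);
    }

    /**
     * Formats the validation errors of one AC for the log.
     *
     * @param errors errors reported by the validator; may be empty
     * @return {@code "(unknown)"} when empty, else the messages joined as {@code [a, b]}
     */
    private static String buildErrorMessage(List<VOMSValidationErrorMessage> errors) {
        if (errors.isEmpty()) {
            return "(unknown)";
        }
        return errors.stream().map(Object::toString).collect(Collectors.joining(", ", "[", "]"));
    }
}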
