package javatunnel;

import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.cert.X509Certificate;
import java.util.Iterator;
import javax.security.auth.Subject;
import org.dcache.auth.FQANPrincipal;
import org.dcache.auth.util.GSSUtils;
import org.dcache.util.Args;
import org.dcache.util.Crypto;
import org.dcache.util.Files;
import org.glite.voms.FQAN;
import org.globus.gsi.CredentialException;
import org.globus.gsi.GSIConstants;
import org.globus.gsi.X509Credential;
import org.globus.gsi.gssapi.GSSConstants;
import org.globus.gsi.gssapi.GlobusGSSCredentialImpl;
import org.globus.gsi.gssapi.auth.AuthorizationException;
import org.globus.gsi.jaas.GlobusPrincipal;
import org.gridforum.jgss.ExtendedGSSContext;
import org.gridforum.jgss.ExtendedGSSManager;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:javatunnel/GsiTunnel.class */
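class GsiTunnel extends GssTunnel {
    private static final Logger _log = LoggerFactory.getLogger(GsiTunnel.class);

    // Option names understood in the constructor's argument string.
    private static final String SERVICE_KEY = "service_key";
    private static final String SERVICE_CERT = "service_cert";
    private static final String SERVICE_TRUSTED_CERTS = "service_trusted_certs";
    private static final String SERVICE_VOMS_DIR = "service_voms_dir";
    private static final String CIPHER_FLAGS = "ciphers";

    /** Directory of trusted CA certificates ({@code service_trusted_certs}); checked to exist. */
    private final String caDir;
    /** VOMS directory ({@code service_voms_dir}); not validated in the constructor. */
    private final String vomsDir;
    /** Parsed option string, kept so {@link #makeCopy()} can build an equivalent tunnel. */
    private final Args _arguments;
    /** The GSI context; the same object is stored in the inherited {@code _context} field. */
    private ExtendedGSSContext _e_context;
    /** Peer identity assembled by {@link #verify}: certificate chain, DN principal, FQAN principals. */
    private Subject _subject = new Subject();

    /**
     * Creates an accept-only GSI tunnel from a dCache option string.
     *
     * @param str option string parsed by {@link Args}; must carry {@code service_key},
     *     {@code service_cert} and {@code service_trusted_certs}, and may carry
     *     {@code service_voms_dir} and {@code ciphers}
     * @throws IOException if the key file, certificate file or CA directory fails the
     *     {@link Files} checks
     * @throws GSSException with major code {@link GSSException#NO_CRED} if the host credential
     *     cannot be loaded or the context cannot be created; the original exception is kept as
     *     the cause
     */
    public GsiTunnel(String str) throws GSSException, IOException {
        _arguments = new Args(str);
        String keyPath = _arguments.getOption(SERVICE_KEY);
        String certPath = _arguments.getOption(SERVICE_CERT);
        caDir = _arguments.getOption(SERVICE_TRUSTED_CERTS);
        vomsDir = _arguments.getOption(SERVICE_VOMS_DIR);
        // Fail early, before touching the Globus stack, if the configured files are unusable.
        Files.checkFile(keyPath);
        Files.checkFile(certPath);
        Files.checkDirectory(caDir);
        try {
            X509Credential hostCredential = new X509Credential(certPath, keyPath);
            // This end only accepts security contexts; it never initiates them.
            _e_context = ExtendedGSSManager.getInstance().createContext(
                    new GlobusGSSCredentialImpl(hostCredential, GSSCredential.ACCEPT_ONLY));
            _e_context.setOption(GSSConstants.GSS_MODE, GSIConstants.MODE_GSI);
            // Cipher suites named in the "ciphers" option are excluded from negotiation.
            _e_context.setBannedCiphers(
                    Crypto.getBannedCipherSuitesFromConfigurationValue(_arguments.getOption(CIPHER_FLAGS)));
            _context = _e_context;
            super.useChannelBinding(false);
        } catch (IOException e) {
            throw credentialFailure("could not load host globus credentials " + e.toString(), e);
        } catch (CredentialException e) {
            throw credentialFailure(e.getMessage(), e);
        }
    }

    /**
     * Builds a {@code NO_CRED} {@link GSSException} that retains {@code cause} for diagnostics.
     *
     * @param message minor-status text for the exception
     * @param cause the underlying failure; attached via {@link Throwable#initCause}
     */
    private static GSSException credentialFailure(String message, Throwable cause) {
        GSSException failure = new GSSException(GSSException.NO_CRED, 0, message);
        failure.initCause(cause);
        return failure;
    }

    /**
     * Runs the GSS handshake and, on success, records the peer's identity in the subject.
     *
     * @return {@code true} only if the context is established and the peer's certificate chain
     *     and source name could be read from it; a failure to read the identity is logged and
     *     reported as {@code false}, so callers never see an established tunnel paired with a
     *     subject that carries no identity
     */
    @Override
    public boolean verify(InputStream inputStream, OutputStream outputStream, Object obj) {
        boolean identityCaptured = false;
        try {
            if (super.verify(inputStream, outputStream, obj)) {
                identityCaptured = captureIdentity();
            }
        } catch (GSSException e) {
            _log.error("Failed to verify: {}", e.toString());
        }
        return identityCaptured && _context.isEstablished();
    }

    /**
     * Copies the peer's certificate chain and DN from the established context into
     * {@link #_subject} and adds its FQAN principals.
     *
     * @return {@code false} if the context exposes no certificate chain
     * @throws GSSException if the chain or the source name cannot be read from the context
     */
    private boolean captureIdentity() throws GSSException {
        X509Certificate[] chain = (X509Certificate[]) _e_context.inquireByOid(GSSConstants.X509_CERT_CHAIN);
        if (chain == null) {
            // An established GSI context with no chain leaves nothing to authorize against.
            _log.error("Failed to verify: peer presented no certificate chain");
            return false;
        }
        _subject.getPublicCredentials().add(chain);
        _subject.getPrincipals().add(new GlobusPrincipal(_e_context.getSrcName().toString()));
        scanExtendedAttributes(_e_context);
        return true;
    }

    /**
     * Creates a fresh tunnel from the same options: a new GSS context and an empty subject.
     *
     * @throws IOException if construction fails; a {@link GSSException} is wrapped as the cause
     */
    @Override
    public Convertable makeCopy() throws IOException {
        try {
            return new GsiTunnel(_arguments.toString());
        } catch (GSSException e) {
            throw new IOException(e);
        }
    }

    /**
     * Adds one {@link FQANPrincipal} per VOMS FQAN found in the context. The first FQAN is
     * flagged with {@code true} and all later ones with {@code false}; the flag's meaning is
     * defined by {@code FQANPrincipal} (presumably "primary" — confirm there). A failure to
     * obtain the attributes is logged and does not affect the outcome of {@link #verify}.
     *
     * @param extendedGSSContext the established context to read VOMS attributes from
     */
    private void scanExtendedAttributes(ExtendedGSSContext extendedGSSContext) {
        try {
            boolean first = true;
            // Element type is String (the original cast each element); generics were lost in decompilation.
            for (Object rawFqan : GSSUtils.getFQANsFromGSSContext(vomsDir, caDir, extendedGSSContext)) {
                _subject.getPrincipals().add(new FQANPrincipal(groupAndRole((String) rawFqan), first));
                first = false;
            }
        } catch (AuthorizationException e) {
            _log.error("Failed to get users group and role context: {}", e.toString());
        }
    }

    /**
     * Reduces a raw FQAN to its group, or {@code group/Role=role} when a non-empty role is set.
     *
     * @param rawFqan FQAN string as returned by {@link GSSUtils#getFQANsFromGSSContext}
     */
    private static String groupAndRole(String rawFqan) {
        FQAN fqan = new FQAN(rawFqan);
        String group = fqan.getGroup();
        String role = fqan.getRole();
        return (role == null || role.isEmpty()) ? group : group + "/Role=" + role;
    }

    /**
     * Returns the live subject populated by {@link #verify}; not a copy, so it reflects
     * any later verification on this tunnel.
     */
    @Override
    public Subject getSubject() {
        return _subject;
    }
}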
