package org.dcache.xdr.gss;

import com.google.common.primitives.Ints;
import java.io.IOException;
import java.util.UUID;
import org.dcache.utils.Bytes;
import org.dcache.xdr.BadXdrOncRpcException;
import org.dcache.xdr.RpcAuthError;
import org.dcache.xdr.RpcAuthVerifier;
import org.dcache.xdr.RpcCall;
import org.dcache.xdr.RpcException;
import org.glassfish.grizzly.Buffer;
import org.glassfish.grizzly.filterchain.BaseFilter;
import org.glassfish.grizzly.filterchain.FilterChainContext;
import org.glassfish.grizzly.filterchain.NextAction;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.MessageProp;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/dcache/xdr/gss/GssProtocolFilter.class */
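/**
 * Grizzly filter that handles the server side of RPCSEC_GSS authentication for
 * incoming {@link RpcCall}s.
 *
 * <p>Calls whose credential flavor is not RPCSEC_GSS are passed on untouched.
 * For RPCSEC_GSS calls the filter either drives context establishment
 * (INIT / CONTINUE_INIT), tears a context down (DESTROY), or verifies the
 * header MIC of a DATA call and hands a wrapped {@link RpcGssCall} to the next
 * filter.
 *
 * <p>NOTE(review): the per-call sequence number is only read and signed back to
 * the client here; nothing in this class compares it with the advertised
 * sequence window or rejects repeats. If replay protection is required it has
 * to be enforced elsewhere — confirm against {@code RpcGssCall} and the session
 * manager.
 */
public class GssProtocolFilter extends BaseFilter {
    private static final Logger _log = LoggerFactory.getLogger(GssProtocolFilter.class);

    /** gss_major value sent in the INIT reply once the context is established. */
    public static final int COMPLETE = 0;
    /** gss_major value sent in the INIT reply while further tokens are expected. */
    public static final int CONTINUE_NEEDED = 1;

    // ONC RPC authentication flavor number of RPCSEC_GSS.
    private static final int AUTH_FLAVOR_RPCSEC_GSS = 6;

    // RPCSEC_GSS control procedures carried in the credential (RFC 2203).
    private static final int GSS_PROC_DATA = 0;
    private static final int GSS_PROC_INIT = 1;
    private static final int GSS_PROC_CONTINUE_INIT = 2;
    private static final int GSS_PROC_DESTROY = 3;

    // Reject status and auth error used when the GSS mechanism fails.
    private static final int REJECT_AUTH_ERROR = 1;
    private static final int AUTH_STAT_GSS_CTXPROBLEM = 14;

    // Sequence window advertised to the client when a context is established.
    private static final int SEQUENCE_WINDOW = 128;

    private final GssSessionManager _gssSessionManager;

    /**
     * @param gssSessionManager store used to create, look up and destroy GSS contexts by handle
     */
    public GssProtocolFilter(GssSessionManager gssSessionManager) {
        this._gssSessionManager = gssSessionManager;
    }

    /**
     * Processes one incoming RPC call.
     *
     * @param filterChainContext filter chain context whose message is an {@link RpcCall}
     * @return the invoke action for non-GSS calls and for verified DATA calls;
     *         the stop action for control procedures and for every failure
     * @throws IOException declared by the filter contract; GSS and XDR failures
     *         raised inside the procedure handling are answered with a reject
     *         and not propagated
     */
    @Override
    public NextAction handleRead(FilterChainContext filterChainContext) throws IOException {
        RpcCall rpcCall = (RpcCall) filterChainContext.getMessage();
        if (rpcCall.getCredential().type() != AUTH_FLAVOR_RPCSEC_GSS) {
            return filterChainContext.getInvokeAction();
        }

        boolean passToNextFilter = false;
        try {
            RpcAuthGss authGss = (RpcAuthGss) rpcCall.getCredential();
            GSSContext gssContext = null;
            final int sequence = authGss.getSequence();
            final int proc = authGss.getProc();

            switch (proc) {
                case GSS_PROC_DATA: {
                    GSSContext established =
                            this._gssSessionManager.getEstablishedContext(authGss.getHandle());
                    // The MIC over the RPC header must verify before any identity is attached.
                    validateVerifier(authGss, established);
                    GSSName srcName = established.getSrcName();
                    authGss.getSubject().getPrincipals()
                            .addAll(this._gssSessionManager.subjectOf(srcName).getPrincipals());
                    _log.debug("RPCGSS_SEC: {}", srcName);
                    // The reply verifier is a MIC over the 4-byte sequence number of the call.
                    byte[] sequenceMic = established.getMIC(
                            Ints.toByteArray(sequence), 0, 4, new MessageProp(false));
                    authGss.setVerifier(new RpcAuthVerifier(authGss.type(), sequenceMic));
                    filterChainContext.setMessage(
                            new RpcGssCall(rpcCall, established, new MessageProp(false)));
                    passToNextFilter = true;
                    break;
                }
                case GSS_PROC_INIT:
                    // A fresh 16-byte handle is minted from a random UUID for every INIT.
                    // NOTE(review): a context is created before the peer has proven anything;
                    // presumably the session manager bounds or expires pending contexts — verify.
                    UUID uuid = UUID.randomUUID();
                    byte[] newHandle = new byte[16];
                    Bytes.putLong(newHandle, 0, uuid.getLeastSignificantBits());
                    Bytes.putLong(newHandle, 8, uuid.getMostSignificantBits());
                    gssContext = this._gssSessionManager.createContext(newHandle);
                    authGss.setHandle(newHandle);
                    // fall through: INIT continues with the token exchange below
                case GSS_PROC_CONTINUE_INIT:
                    if (gssContext == null) {
                        gssContext = this._gssSessionManager.getContext(authGss.getHandle());
                    }
                    GSSINITargs initArgs = new GSSINITargs();
                    GSSINITres initRes = new GSSINITres();
                    rpcCall.retrieveCall(initArgs);
                    byte[] inToken = initArgs.getToken();
                    byte[] outToken = gssContext.acceptSecContext(inToken, 0, inToken.length);
                    initRes.setHandle(authGss.getHandle());
                    initRes.setGssMajor(gssContext.isEstablished() ? COMPLETE : CONTINUE_NEEDED);
                    initRes.setGssMinor(0);
                    initRes.setToken(outToken);
                    if (gssContext.isEstablished()) {
                        // Only an established context can sign; the verifier covers the window size.
                        initRes.setSequence(SEQUENCE_WINDOW);
                        byte[] windowMic = gssContext.getMIC(
                                Ints.toByteArray(SEQUENCE_WINDOW), 0, 4, new MessageProp(false));
                        authGss.setVerifier(new RpcAuthVerifier(authGss.type(), windowMic));
                    }
                    rpcCall.reply(initRes);
                    break;
                case GSS_PROC_DESTROY: {
                    // Verify the request before touching session state. Calling destroyContext
                    // first would let a request with an invalid verifier discard the context
                    // (assuming destroyContext removes the handle from the manager) and would
                    // skip dispose() when verification throws.
                    GSSContext toDestroy = this._gssSessionManager.getContext(authGss.getHandle());
                    validateVerifier(authGss, toDestroy);
                    this._gssSessionManager.destroyContext(authGss.getHandle()).dispose();
                    break;
                }
                default:
                    // Unknown procedures are not forwarded and get no reply; record them so
                    // malformed or probing traffic is visible in the logs.
                    _log.warn("Unsupported RPCSEC_GSS procedure {}", proc);
                    break;
            }
        } catch (BadXdrOncRpcException e) {
            rpcCall.failRpcGarbage();
            _log.warn("Broken RPCSEC_GSS package: {}", e.getMessage());
        } catch (RpcException e) {
            rpcCall.reject(e.getStatus(), e.getRpcReply());
            _log.warn("GSS mechanism failed {}", e.getMessage());
        } catch (IOException | GSSException e) {
            rpcCall.reject(REJECT_AUTH_ERROR, new RpcAuthError(AUTH_STAT_GSS_CTXPROBLEM));
            _log.warn("GSS mechanism failed {}", e.getMessage());
        }
        return passToNextFilter
                ? filterChainContext.getInvokeAction()
                : filterChainContext.getStopAction();
    }

    /**
     * Checks the call's verifier as a MIC over the RPC header bytes.
     *
     * <p>The header buffer is read to its end by this method, so it must be
     * called at most once per call; a second invocation would verify against
     * whatever remains in the buffer.
     *
     * @param auth the RPCSEC_GSS credential carrying header and verifier
     * @param context the GSS context used to verify the MIC
     * @throws GSSException if {@code verifyMIC} rejects the verifier
     */
    private void validateVerifier(RpcAuthGss auth, GSSContext context) throws GSSException {
        Buffer header = auth.getHeader();
        byte[] headerBytes = new byte[header.remaining()];
        header.get(headerBytes);
        byte[] mic = auth.getVerifier().getBody();
        context.verifyMIC(mic, 0, mic.length, headerBytes, 0, headerBytes.length, new MessageProp(false));
    }
}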
