package org.dcache.srm.server;

import com.google.common.base.Throwables;
import com.google.common.collect.Iterables;
import com.google.common.net.InetAddresses;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.servlet.http.HttpServletRequest;
import org.apache.axis.MessageContext;
import org.apache.axis.transport.http.HTTPConstants;
import org.dcache.auth.util.GSSUtils;
import org.dcache.srm.SRMAuthenticationException;
import org.dcache.srm.SRMAuthorization;
import org.dcache.srm.SRMAuthorizationException;
import org.dcache.srm.SRMInternalErrorException;
import org.dcache.srm.SRMUser;
import org.dcache.srm.request.RequestCredential;
import org.dcache.srm.request.RequestCredentialStorage;
import org.globus.gsi.bc.BouncyCastleUtil;
import org.globus.gsi.gssapi.auth.AuthorizationException;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/dcache/srm/server/SrmAuthorizer.class */
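/**
 * Extracts the caller's identity from the current Axis/servlet request and turns it into
 * SRM request credentials and an authorized {@link SRMUser}.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>The certificate chain and delegated credential are read from servlet request
 *       attributes. This class performs no chain validation of its own.
 *       NOTE(review): presumably the TLS/GSI layer that sets those attributes has already
 *       validated the chain; confirm for the deployed container.</li>
 *   <li>The client address comes from {@code HttpServletRequest.getRemoteAddr()}, i.e. the
 *       peer of the connection as seen by the container. Behind a proxy or load balancer
 *       this is the intermediary's address.</li>
 * </ul>
 */
public class SrmAuthorizer {
    private static final Logger log = LoggerFactory.getLogger(SrmAuthorizer.class);

    /** Servlet request attribute holding the delegated GSS credential, if any. */
    private static final String ATTR_DELEGATED_CREDENTIAL = "org.globus.gsi.credentials";

    /** Servlet request attribute holding the client's X.509 certificate chain. */
    private static final String ATTR_CERTIFICATE_CHAIN = "javax.servlet.request.X509Certificate";

    private final RequestCredentialStorage storage;
    // vomsdir and capath are passed unchanged to GSSUtils.extractFQANs.
    // NOTE(review): presumably the VOMS trust directory and the CA certificate directory; confirm.
    private final String vomsdir;
    private final String capath;
    private final SRMAuthorization authorization;
    // When true, clientHost is the reverse-resolved host name instead of the IP literal.
    private final boolean isClientDNSLookup;

    /**
     * @param authorization backend that maps a credential and certificate chain to an SRM user
     * @param storage store handed to {@code RequestCredential.newRequestCredential}
     * @param isClientDNSLookup whether to reverse-resolve the client address into a host name
     * @param vomsdir first argument passed to {@code GSSUtils.extractFQANs}
     * @param capath second argument passed to {@code GSSUtils.extractFQANs}
     */
    public SrmAuthorizer(SRMAuthorization authorization, RequestCredentialStorage storage,
            boolean isClientDNSLookup, String vomsdir, String capath) {
        this.isClientDNSLookup = isClientDNSLookup;
        this.authorization = authorization;
        this.storage = storage;
        this.vomsdir = vomsdir;
        this.capath = capath;
    }

    /**
     * Returns the servlet request bound to the current Axis message context.
     *
     * <p>Shared by every method that needs the request so that a missing context or
     * property is reported as an {@link SRMInternalErrorException} rather than surfacing
     * as a {@code NullPointerException} or {@code ClassCastException}.
     *
     * @throws SRMInternalErrorException if there is no current Axis message context or it
     *         carries no {@code HttpServletRequest}
     */
    private static HttpServletRequest currentServletRequest() throws SRMInternalErrorException {
        MessageContext context = MessageContext.getCurrentContext();
        if (context == null) {
            throw new SRMInternalErrorException("Axis message context is missing.");
        }
        Object property = context.getProperty(HTTPConstants.MC_HTTP_SERVLETREQUEST);
        if (!(property instanceof HttpServletRequest)) {
            throw new SRMInternalErrorException("HttpServletRequest is missing from Axis message context.");
        }
        return (HttpServletRequest) property;
    }

    /**
     * Builds a {@link UserCredential} from the current request: the identity taken from
     * the client's certificate chain, the optional delegated credential, the chain itself
     * and the client host.
     *
     * @return the populated credential; {@code credential} is {@code null} when the
     *         request carries no delegated credential
     * @throws SRMInternalErrorException if the servlet request cannot be obtained
     * @throws SRMAuthenticationException if the request has no certificate chain or the
     *         identity cannot be extracted from it
     */
    public UserCredential getUserCredentials() throws SRMInternalErrorException, SRMAuthenticationException {
        HttpServletRequest request = currentServletRequest();

        GSSCredential delegated = (GSSCredential) request.getAttribute(ATTR_DELEGATED_CREDENTIAL);
        if (delegated != null) {
            try {
                log.debug("User credential (delegcred) is: {}", delegated.getName());
            } catch (GSSException e) {
                // Deliberately fail closed: a delegated credential that cannot report its
                // name aborts the request with an unchecked exception, as before.
                throw Throwables.propagate(e);
            }
        }

        X509Certificate[] chain = (X509Certificate[]) request.getAttribute(ATTR_CERTIFICATE_CHAIN);
        if (chain == null) {
            throw new SRMAuthenticationException("Client's certificate chain is missing from request.");
        }

        String identity;
        try {
            identity = BouncyCastleUtil.getIdentity(BouncyCastleUtil.getIdentityCertificate(chain));
        } catch (CertificateException e) {
            // NOTE(review): the message embeds e.toString(); if it is returned to the client,
            // check that it does not disclose more certificate-parsing detail than intended.
            throw new SRMAuthenticationException(e.toString(), e);
        }
        log.debug("User ID is: {}", identity);

        UserCredential result = new UserCredential();
        result.secureId = identity;
        result.credential = delegated;
        result.chain = chain;

        String remoteAddr = request.getRemoteAddr();
        if (this.isClientDNSLookup) {
            // InetAddresses.forString parses an IP literal only (no name-service lookup) and
            // throws IllegalArgumentException otherwise. getCanonicalHostName() then performs
            // a reverse lookup, which can block, and falls back to the textual address when
            // resolution fails. The resulting name is DNS-derived: treat it as informational
            // and do not use it as the sole input to an access decision.
            result.clientHost = InetAddresses.forString(remoteAddr).getCanonicalHostName();
        } else {
            result.clientHost = remoteAddr;
        }
        return result;
    }

    /**
     * Authorizes the caller by delegating to {@link SRMAuthorization#authorize} with the
     * credential id, the credential name, the certificate chain and the remote address of
     * the current request.
     *
     * <p>The remote address is always the raw value of {@code getRemoteAddr()}; the
     * {@code isClientDNSLookup} setting does not apply here.
     *
     * @param requestCredential credential whose id and name identify the caller
     * @param x509CertificateArr the client's certificate chain
     * @throws SRMInternalErrorException if the servlet request cannot be obtained
     */
    public SRMUser getRequestUser(RequestCredential requestCredential, X509Certificate[] x509CertificateArr) throws SRMInternalErrorException, SRMAuthorizationException, SRMAuthenticationException {
        String remoteAddr = currentServletRequest().getRemoteAddr();
        return this.authorization.authorize(
                Long.valueOf(requestCredential.getId()),
                requestCredential.getCredentialName(),
                x509CertificateArr,
                remoteAddr);
    }

    /**
     * Creates and saves the {@link RequestCredential} for a caller.
     *
     * <p>Only the first FQAN returned by {@code GSSUtils.extractFQANs} is used as the role;
     * when none is returned the role is {@code null}. Any verification of the VOMS
     * attributes is whatever {@code extractFQANs} does with {@code vomsdir} and
     * {@code capath}; nothing further is checked here.
     *
     * @param userCredential identity, chain and optional delegated credential of the caller
     * @throws SRMAuthenticationException if FQAN extraction or credential handling fails
     */
    public RequestCredential getRequestCredential(UserCredential userCredential) throws SRMAuthenticationException {
        try {
            String primaryFqan = (String) Iterables.getFirst(
                    GSSUtils.extractFQANs(this.vomsdir, this.capath, userCredential.chain), (Object) null);
            RequestCredential requestCredential =
                    RequestCredential.newRequestCredential(userCredential.secureId, primaryFqan, this.storage);
            // userCredential.credential is null when the client delegated nothing.
            // NOTE(review): presumably keepBestDelegatedCredential tolerates null; confirm.
            requestCredential.keepBestDelegatedCredential(userCredential.credential);
            requestCredential.saveCredential();
            return requestCredential;
        } catch (GSSException | AuthorizationException e) {
            throw new SRMAuthenticationException("Problem getting request credential: " + e.getMessage(), e);
        }
    }
}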
