package org.dcache.gridsite;

import com.google.common.base.Charsets;
import com.google.common.collect.Iterables;
import com.google.common.hash.Hashing;
import com.google.common.io.BaseEncoding;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Calendar;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.xml.rpc.holders.StringHolder;
import org.apache.axis.MessageContext;
import org.apache.axis.transport.http.HTTPConstants;
import org.dcache.delegation.gridsite2.Delegation;
import org.dcache.delegation.gridsite2.DelegationException;
import org.dcache.srm.util.Axis;
import org.dcache.util.Version;
import org.glite.voms.VOMSValidator;
import org.globus.gsi.bc.BouncyCastleUtil;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/dcache/gridsite/ServletDelegation.class */
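/**
 * Axis endpoint implementing the GridSite {@link Delegation} interface (interface version
 * {@link #INTERFACE_VERSION}).
 *
 * <p>Every operation resolves the caller from the TLS client certificate chain that the servlet
 * container stored on the request, and addresses delegations through a
 * {@link DelegationIdentity} built from that caller's DN plus the delegation id. The delegation
 * id is therefore never used on its own: a client can only reach delegations filed under its own
 * DN, so the id does not need to be secret.
 *
 * <p>The stores and factory are looked up once, at construction, from the Axis attributes named
 * by the {@code ATTRIBUTE_NAME_*} constants.
 */
public class ServletDelegation implements Delegation {
    private static final String INTERFACE_VERSION = "2.0.0";
    public static final String ATTRIBUTE_NAME_CREDENTIAL_STORE = "org.dcache.gridsite.credential-store";
    public static final String ATTRIBUTE_NAME_CREDENTIAL_DELEGATION_STORE = "org.dcache.gridsite.credential-delegation-store";
    public static final String ATTRIBUTE_NAME_CREDENTIAL_DELEGATION_FACTORY = "org.dcache.gridsite.credential-delegation-factory";
    public static final String ATTRIBUTE_NAME_SERVICE_METADATA = "org.dcache.gridsite.service-metadata";

    /** Servlet-spec request attribute under which the container exposes the verified client chain. */
    private static final String REQUEST_ATTRIBUTE_X509_CHAIN = "javax.servlet.request.X509Certificate";

    private final Map<String, String> _serviceMetadata = getServiceMetadata();
    private final CredentialDelegationStore _delegations = getDelegationStore();
    private final CredentialDelegationFactory _factory = getFactory();
    private final CredentialStore _credentials = getCredentialStore();
    private static final Logger LOG = LoggerFactory.getLogger(ServletDelegation.class);
    private static final String VERSION = Version.of(ServletDelegation.class).getVersion();

    /** Looks up the credential store registered under {@link #ATTRIBUTE_NAME_CREDENTIAL_STORE}. */
    private static CredentialStore getCredentialStore() {
        return (CredentialStore) Axis.getAttribute(ATTRIBUTE_NAME_CREDENTIAL_STORE, CredentialStore.class);
    }

    /** Looks up the in-progress delegation store registered under {@link #ATTRIBUTE_NAME_CREDENTIAL_DELEGATION_STORE}. */
    private static CredentialDelegationStore getDelegationStore() {
        return (CredentialDelegationStore) Axis.getAttribute(ATTRIBUTE_NAME_CREDENTIAL_DELEGATION_STORE, CredentialDelegationStore.class);
    }

    /** Looks up the delegation factory registered under {@link #ATTRIBUTE_NAME_CREDENTIAL_DELEGATION_FACTORY}. */
    private static CredentialDelegationFactory getFactory() {
        return (CredentialDelegationFactory) Axis.getAttribute(ATTRIBUTE_NAME_CREDENTIAL_DELEGATION_FACTORY, CredentialDelegationFactory.class);
    }

    /**
     * Looks up the service-metadata map registered under {@link #ATTRIBUTE_NAME_SERVICE_METADATA}.
     * The attribute is assumed to hold a {@code Map<String, String>}; the type arguments cannot be
     * checked at runtime, hence the unchecked cast.
     */
    @SuppressWarnings("unchecked")
    private static Map<String, String> getServiceMetadata() {
        return (Map<String, String>) Axis.getAttribute(ATTRIBUTE_NAME_SERVICE_METADATA, Map.class);
    }

    /** @return the version of this implementation, as reported by {@link Version}. */
    @Override
    public String getVersion() {
        return VERSION;
    }

    /** @return the version of the delegation interface this endpoint implements. */
    @Override
    public String getInterfaceVersion() {
        return INTERFACE_VERSION;
    }

    /**
     * Returns the service-metadata value stored under {@code key}.
     *
     * @throws DelegationException if no value is stored under {@code key}
     */
    @Override
    public String getServiceMetadata(String key) throws DelegationException {
        String value = _serviceMetadata.get(key);
        Utilities.assertThat(value != null, "unknown key");
        return value;
    }

    /**
     * Starts a delegation with a client-chosen id and returns the certificate signing request the
     * client must sign.
     *
     * @throws DelegationException if the caller cannot be identified, a delegation with this id is
     *         already in progress, or a delegated credential with this id already exists
     */
    @Override
    public String getProxyReq(String delegationId) throws DelegationException {
        return newDelegation(new DelegationIdentity(getClientDn(), delegationId)).getCertificateSigningRequest();
    }

    /**
     * Starts a delegation with a server-generated id.
     *
     * @param csrHolder receives the certificate signing request the client must sign
     * @param idHolder receives the generated delegation id
     * @throws DelegationException as for {@link #getProxyReq(String)}
     */
    @Override
    public void getNewProxyReq(StringHolder csrHolder, StringHolder idHolder) throws DelegationException {
        DelegationIdentity identity = new DelegationIdentity(getClientDn(), generateDelegationId());
        csrHolder.value = newDelegation(identity).getCertificateSigningRequest();
        idHolder.value = identity.getDelegationId();
    }

    /**
     * Creates and registers a new delegation for {@code identity}, refusing if a delegation is
     * already in progress or a credential already exists for it.
     */
    private CredentialDelegation newDelegation(DelegationIdentity identity) throws DelegationException {
        Utilities.assertThat(!_delegations.has(identity), "delegation already started", identity);
        Utilities.assertThat(!_credentials.has(identity), "delegated credential already exists", identity);
        return registerDelegation(identity);
    }

    /**
     * Asks the factory for a delegation bound to the caller's certificate chain and records it as
     * in progress. Shared by the initial and the renewal paths.
     */
    private CredentialDelegation registerDelegation(DelegationIdentity identity) throws DelegationException {
        CredentialDelegation delegation = _factory.newDelegation(identity, Arrays.asList(getClientCertificates()));
        _delegations.add(delegation);
        return delegation;
    }

    /**
     * Completes a delegation: the signed certificate is handed to the in-progress delegation, which
     * is removed from the delegation store, and the resulting credential is stored.
     *
     * @param delegationId id of the delegation started by {@link #getProxyReq(String)},
     *        {@link #getNewProxyReq} or {@link #renewProxyReq(String)}
     * @param certificate the certificate signed by the client
     * @throws DelegationException if the caller cannot be identified or the delegation cannot be completed
     */
    @Override
    public void putProxy(String delegationId, String certificate) throws DelegationException {
        DelegationIdentity identity = new DelegationIdentity(getClientDn(), delegationId);
        // The delegation is removed from the in-progress store before its certificate is accepted,
        // so a second putProxy for the same id will not find it there.
        _credentials.put(identity, _delegations.remove(identity).acceptCertificate(certificate));
    }

    /**
     * Starts a delegation that will replace an existing delegated credential.
     *
     * @throws DelegationException if the caller cannot be identified, a delegation with this id is
     *         already in progress, or there is no existing credential to renew
     */
    @Override
    public String renewProxyReq(String delegationId) throws DelegationException {
        DelegationIdentity identity = new DelegationIdentity(getClientDn(), delegationId);
        Utilities.assertThat(!_delegations.has(identity), "delegation already started", identity);
        Utilities.assertThat(_credentials.has(identity), "no delegated credential", identity);
        return registerDelegation(identity).getCertificateSigningRequest();
    }

    /** @return the expiry of the caller's delegated credential with the given id, as reported by the credential store. */
    @Override
    public Calendar getTerminationTime(String delegationId) throws DelegationException {
        return _credentials.getExpiry(new DelegationIdentity(getClientDn(), delegationId));
    }

    /**
     * Discards any in-progress delegation and the stored credential for the given id.
     *
     * @throws DelegationException if the caller cannot be identified or the credential store refuses the removal
     */
    @Override
    public void destroy(String delegationId) throws DelegationException {
        DelegationIdentity identity = new DelegationIdentity(getClientDn(), delegationId);
        _delegations.removeIfPresent(identity);
        _credentials.remove(identity);
    }

    /**
     * Derives the caller's DN from the identity (end-entity) certificate of the request's client chain.
     *
     * @throws DelegationException if the chain is absent or no identity can be extracted from it
     */
    private String getClientDn() throws DelegationException {
        try {
            return BouncyCastleUtil.getIdentity(BouncyCastleUtil.getIdentityCertificate(getClientCertificates()));
        } catch (IllegalStateException | CertificateException e) {
            throw new DelegationException("user's DN is not known: " + e.getMessage());
        }
    }

    /**
     * Fetches the client certificate chain that the servlet container attached to the current
     * request. Every identity decision in this class is rooted in this chain, so each step of the
     * lookup is checked explicitly and reported as a {@link DelegationException} rather than
     * surfacing as a NullPointerException or ClassCastException.
     *
     * @throws DelegationException if there is no Axis context, no servlet request, or no chain
     */
    private X509Certificate[] getClientCertificates() throws DelegationException {
        try {
            MessageContext context = MessageContext.getCurrentContext();
            if (context == null) {
                throw new DelegationException("No Axis message context for the current request.");
            }
            Object request = context.getProperty(HTTPConstants.MC_HTTP_SERVLETREQUEST);
            if (!(request instanceof HttpServletRequest)) {
                throw new DelegationException("HttpServletRequest is missing from Axis message context.");
            }
            Object chain = ((HttpServletRequest) request).getAttribute(REQUEST_ATTRIBUTE_X509_CHAIN);
            if (chain == null) {
                throw new DelegationException("Client's certificate chain is missing from request.");
            }
            if (!(chain instanceof X509Certificate[])) {
                throw new DelegationException("Client's certificate chain has an unexpected type: "
                        + chain.getClass().getName());
            }
            return (X509Certificate[]) chain;
        } catch (IllegalStateException e) {
            // NOTE(review): the original wrapped IllegalStateException from this lookup; which
            // call raises it is not visible here — confirm before narrowing the try block.
            throw new DelegationException("user supplied no certificate");
        }
    }

    /**
     * Builds a delegation id as the hex SHA-1 digest of the caller's DN followed by its FQAN list.
     * The id is deterministic for a given caller and carries no secret; see the class comment for
     * why that is acceptable.
     */
    private String generateDelegationId() throws DelegationException {
        String material = getClientDn() + getFqanList();
        // SHA-1 produces exactly 20 bytes, so encoding the whole digest matches the previous
        // explicit (0, 20) range.
        byte[] digest = Hashing.sha1().hashBytes(material.getBytes(Charsets.UTF_8)).asBytes();
        return BaseEncoding.base16().encode(digest);
    }

    /**
     * Returns the caller's VOMS fully-qualified attribute names as one string, with the first entry
     * kept in place and the remaining entries sorted; returns {@code ""} when the validator reports
     * none.
     */
    private String getFqanList() throws DelegationException {
        // A copy of the chain is handed to the validator, as the original code did.
        VOMSValidator validator = new VOMSValidator(getClientCertificates().clone());
        String[] fqans;
        try {
            fqans = validator.validate().getAllFullyQualifiedAttributes();
        } finally {
            // Release validator state even when validate() throws.
            validator.cleanup();
        }
        if (fqans == null) {
            return "";
        }
        if (fqans.length > 1) {
            // Presumably keeps the primary attribute first; only the tail is sorted.
            Arrays.sort(fqans, 1, fqans.length);
        }
        return Arrays.toString(fqans);
    }
}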
