package org.dcache.xrootd.plugins.alice;

import com.google.common.base.Preconditions;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.UnknownHostException;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.KeyPair;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.SignatureException;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.util.Arrays;
import java.util.Map;
import javax.crypto.BadPaddingException;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.NoSuchPaddingException;
import javax.security.auth.Subject;
import javax.security.auth.login.CredentialException;
import org.dcache.xrootd.core.XrootdException;
import org.dcache.xrootd.plugins.AuthorizationHandler;
import org.dcache.xrootd.plugins.alice.Envelope;
import org.dcache.xrootd.protocol.XrootdProtocol;

/* loaded from: input_file:org/dcache/xrootd/plugins/alice/TokenAuthorization1.class */
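/**
 * Token-based authorization handler: a request is allowed only when it carries an
 * encrypted authorization envelope (opaque key {@code "authz"}) that, once decrypted
 * with the RSA key pair of the request's VO, names the requested lfn, points at this
 * server's host and port, and grants at least the requested access mode.
 *
 * <p>Requests without a token are accepted only for a small set of read-only metadata
 * operations (stat, statx, dirlist, locate); every other tokenless request is rejected.
 *
 * <p>Thread-safety: the only state is the injected key-store map; this class does not
 * mutate it, so the instance is as thread-safe as that map.
 */
public class TokenAuthorization1 implements AuthorizationHandler {

    /* xrootd request ids (kXR_* request codes) that may be served without a token. */
    private static final int KXR_DIRLIST = 3004;
    private static final int KXR_STAT = 3017;
    private static final int KXR_STATX = 3022;
    private static final int KXR_LOCATE = 3027;

    /* xrootd status codes (kXR_* error values) carried by the exceptions thrown here. */
    private static final int KXR_ARG_INVALID = 3000;
    private static final int KXR_NOT_AUTHORIZED = 3010;
    private static final int KXR_SERVER_ERROR = 3012;

    /** Port assumed when the token's TURL carries none (the standard xrootd port). */
    private static final int DEFAULT_XROOTD_PORT = 1094;

    /** Opaque request parameters read by this handler. */
    private static final String AUTHZ_KEY = "authz";
    private static final String VO_KEY = "vo";

    /** Key-store entry consulted when the request names no VO. */
    private static final String DEFAULT_VO = "*";

    /** VO name -> RSA key pair used to decrypt that VO's envelopes; never null. */
    private final Map<String, KeyPair> keystore;

    /**
     * Creates a handler backed by the given key store.
     *
     * @param map VO name to RSA key pair; the entry {@code "*"} (if present) is the
     *            fallback for requests that do not name a VO
     * @throws NullPointerException if {@code map} is null
     */
    public TokenAuthorization1(Map<String, KeyPair> map) {
        // checkNotNull is generic, so the raw (Map) cast from the decompiled form is not needed.
        this.keystore = Preconditions.checkNotNull(map, "keystore");
    }

    /**
     * Authorizes one xrootd request.
     *
     * @param subject            the authenticated subject; not consulted by this handler
     * @param inetSocketAddress  socket address the token's TURL must resolve to and whose
     *                           port it must match (presumably the local/server-side
     *                           address; confirm against the AuthorizationHandler contract)
     * @param inetSocketAddress2 second socket address; not consulted by this handler
     * @param str                the requested lfn; must not be null
     * @param map                opaque request parameters; {@code "authz"} (the token) and
     *                           {@code "vo"} (the VO whose key decrypts it) are read
     * @param i                  the xrootd request id
     * @param filePerm           the access mode the request needs
     * @return the lfn unchanged for tokenless metadata requests, otherwise the path
     *         component of the TURL the token grants for the lfn
     * @throws IllegalArgumentException if {@code str} is null
     * @throws XrootdException with status 3010 (not authorized) when a token is missing,
     *         does not cover the lfn, names another host or port, grants too little access
     *         or fails credential validation; 3000 (invalid argument) when the token cannot
     *         be decrypted or parsed; 3012 (server error) when a required algorithm,
     *         parameter or provider is unavailable
     */
    public String authorize(Subject subject, InetSocketAddress inetSocketAddress, InetSocketAddress inetSocketAddress2, String str, Map<String, String> map, int i, XrootdProtocol.FilePerm filePerm) throws XrootdException {
        if (str == null) {
            throw new IllegalArgumentException("The lfn string must not be null.");
        }
        String token = map.get(AUTHZ_KEY);
        if (token == null) {
            // No token: only read-only metadata requests pass, and they keep their lfn.
            if (isTokenlessRequest(i)) {
                return str;
            }
            throw new XrootdException(KXR_NOT_AUTHORIZED, "An authorization token is required for this request.");
        }
        try {
            // Key lookup first: an unknown VO is reported before any decryption is attempted.
            KeyPair keys = getKeys(map.get(VO_KEY));
            Envelope envelope = decodeEnvelope(token, keys);
            Envelope.GridFile file = findFile(str, envelope);
            if (file == null) {
                throw new XrootdException(KXR_NOT_AUTHORIZED, "Authorization token doesn't contain any file permissions for lfn " + str + ".");
            }
            // Bind the token to this endpoint before looking at the granted permission.
            checkHost(file, inetSocketAddress);
            checkPort(file, inetSocketAddress);
            checkAccess(file.getAccess(), filePerm);
            return file.getTurl().getPath();
        } catch (InvalidKeyException | SignatureException | BadPaddingException | IllegalBlockSizeException | NoSuchPaddingException | CorruptedEnvelopeException e) {
            // Undecryptable or malformed token: a client-side argument problem.
            throw new XrootdException(KXR_ARG_INVALID, "Error parsing authorization token: " + e.getMessage());
        } catch (CredentialException e) {
            // The token decrypted but its credentials were rejected.
            throw new XrootdException(KXR_NOT_AUTHORIZED, "Error parsing authorization token: " + e.getMessage());
        } catch (InvalidAlgorithmParameterException | NoSuchAlgorithmException | NoSuchProviderException e) {
            // Crypto setup unavailable on this server, not a fault of the request.
            throw new XrootdException(KXR_SERVER_ERROR, "Error parsing authorization token: " + e.getMessage());
        }
    }

    /**
     * Tells whether a request id belongs to the read-only metadata operations that are
     * served without an authorization token.
     *
     * @param requestId the xrootd request id
     * @return true for stat, statx, dirlist and locate
     */
    private static boolean isTokenlessRequest(int requestId) {
        switch (requestId) {
            case KXR_STAT:
            case KXR_STATX:
            case KXR_DIRLIST:
            case KXR_LOCATE:
                return true;
            default:
                return false;
        }
    }

    /**
     * Verifies that the host named in the granted TURL resolves to the given address.
     *
     * @param file    the token entry for the requested lfn
     * @param address the address the TURL host must resolve to
     * @throws XrootdException (status 3010) if the host does not resolve, or resolves
     *         only to other addresses
     */
    private static void checkHost(Envelope.GridFile file, InetSocketAddress address) throws XrootdException {
        try {
            InetAddress[] turlAddresses = InetAddress.getAllByName(file.getTurl().getHost());
            // getAddress() is null for an unresolved InetSocketAddress; contains(null) is
            // then false, so such a request is rejected rather than waved through.
            if (!Arrays.asList(turlAddresses).contains(address.getAddress())) {
                throw new XrootdException(KXR_NOT_AUTHORIZED, "Hostname mismatch in authorization token (address=" + address + " turl=" + file.getTurl() + ").");
            }
        } catch (UnknownHostException e) {
            throw new XrootdException(KXR_NOT_AUTHORIZED, "Hostname in authorization token is not resolvable (turl=" + file.getTurl() + ").");
        }
    }

    /**
     * Verifies that the port of the granted TURL (or the default xrootd port when the
     * TURL names none) equals the port of the given address.
     *
     * @param file    the token entry for the requested lfn
     * @param address the address whose port must match
     * @throws XrootdException (status 3010) on mismatch
     */
    private static void checkPort(Envelope.GridFile file, InetSocketAddress address) throws XrootdException {
        int turlPort = file.getTurl().getPort();
        if (turlPort == -1) {
            turlPort = DEFAULT_XROOTD_PORT;
        }
        if (turlPort != address.getPort()) {
            throw new XrootdException(KXR_NOT_AUTHORIZED, "Port mismatch in authorization token (address=" + address + " turl=" + file.getTurl() + ").");
        }
    }

    /**
     * Rejects the request when the token grants less than the requested mode. Only WRITE
     * and DELETE requests are checked; any other requested mode passes regardless of what
     * the token grants.
     *
     * <p>NOTE(review): the comparison is by enum ordinal and therefore relies on the
     * declaration order of XrootdProtocol.FilePerm (a lower ordinal meaning a weaker
     * permission, with WRITE_ONCE and DELETE as the thresholds); confirm that order before
     * changing either side.
     *
     * @param granted   the access mode the token grants for the lfn
     * @param requested the access mode the request needs
     * @throws XrootdException (status 3010) if the grant is insufficient
     */
    private static void checkAccess(XrootdProtocol.FilePerm granted, XrootdProtocol.FilePerm requested) throws XrootdException {
        boolean insufficient;
        if (requested == XrootdProtocol.FilePerm.WRITE) {
            insufficient = granted.ordinal() < XrootdProtocol.FilePerm.WRITE_ONCE.ordinal();
        } else if (requested == XrootdProtocol.FilePerm.DELETE) {
            insufficient = granted.ordinal() < XrootdProtocol.FilePerm.DELETE.ordinal();
        } else {
            insufficient = false;
        }
        if (insufficient) {
            throw new XrootdException(KXR_NOT_AUTHORIZED, "Token lacks authorization for requested operation.");
        }
    }

    /**
     * Finds the envelope entry whose lfn equals the requested one.
     *
     * @param str      the requested lfn
     * @param envelope the decrypted token
     * @return the first matching entry, or null if the token names no such lfn
     */
    private Envelope.GridFile findFile(String str, Envelope envelope) {
        for (Envelope.GridFile candidate : envelope.getFiles()) {
            if (str.equals(candidate.getLfn())) {
                return candidate;
            }
        }
        return null;
    }

    /**
     * Decrypts and parses an authorization token with the given RSA key pair.
     *
     * @param str     the raw token from the request's opaque data
     * @param keyPair the VO's key pair; both halves must be RSA keys
     * @return the parsed envelope
     * @throws CorruptedEnvelopeException if the decrypted content is not a valid envelope
     * @throws CredentialException if the token's credentials are rejected
     * @throws InvalidKeyException, SignatureException, BadPaddingException,
     *         IllegalBlockSizeException, NoSuchPaddingException if decryption or
     *         signature verification fails
     * @throws InvalidAlgorithmParameterException, NoSuchAlgorithmException,
     *         NoSuchProviderException if the required crypto setup is unavailable
     */
    private Envelope decodeEnvelope(String str, KeyPair keyPair) throws CorruptedEnvelopeException, NoSuchPaddingException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IllegalBlockSizeException, BadPaddingException, SignatureException, NoSuchProviderException, InvalidKeyException, CredentialException {
        RSAPrivateKey privateKey = (RSAPrivateKey) keyPair.getPrivate();
        RSAPublicKey publicKey = (RSAPublicKey) keyPair.getPublic();
        EncryptedAuthzToken token = new EncryptedAuthzToken(str, privateKey, publicKey);
        return new Envelope(token.decrypt());
    }

    /**
     * Looks up the key pair for a VO, falling back to the {@code "*"} entry when the
     * request names no VO.
     *
     * @param str the VO from the request's opaque data, or null if absent
     * @return the key pair to decrypt that VO's tokens with
     * @throws XrootdException (status 3010) if the VO is unknown, or if no VO was given
     *         and the key store has no default entry
     */
    private KeyPair getKeys(String str) throws XrootdException {
        if (str == null) {
            KeyPair fallback = this.keystore.get(DEFAULT_VO);
            if (fallback == null) {
                throw new XrootdException(KXR_NOT_AUTHORIZED, "No default VO configured in key store; VO is required.");
            }
            return fallback;
        }
        KeyPair keyPair = this.keystore.get(str);
        if (keyPair == null) {
            throw new XrootdException(KXR_NOT_AUTHORIZED, "VO " + str + " is not authorized.");
        }
        return keyPair;
    }
}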
