package org.dcache.xrootd.plugins.authn.gsi;

import io.netty.channel.ChannelFutureListener;
import io.netty.channel.ChannelHandlerContext;
import io.netty.channel.ChannelId;
import java.io.Serializable;
import java.util.Optional;
import org.dcache.xrootd.core.XrootdException;
import org.dcache.xrootd.plugins.authn.gsi.post49.GSIPost49ClientRequestHandler;
import org.dcache.xrootd.plugins.authn.gsi.pre49.GSIPre49ClientRequestHandler;
import org.dcache.xrootd.security.XrootdSecurityProtocol;
import org.dcache.xrootd.tpc.AbstractClientAuthnHandler;
import org.dcache.xrootd.tpc.XrootdTpcClient;
import org.dcache.xrootd.tpc.XrootdTpcInfo;
import org.dcache.xrootd.tpc.protocol.messages.InboundAuthenticationResponse;
import org.dcache.xrootd.tpc.protocol.messages.InboundErrorResponse;
import org.dcache.xrootd.tpc.protocol.messages.OutboundAuthenticationRequest;
import org.slf4j.Logger;

/* loaded from: input_file:org/dcache/xrootd/plugins/authn/gsi/GSIClientAuthenticationHandler.class */
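/**
 * Client side of the GSI authentication exchange for an {@link XrootdTpcClient} connection.
 *
 * <p>The handler sends the initial certificate request, then answers each
 * "authentication continues" response from the remote server until the server reports
 * success. The protocol-specific work is delegated to a {@link GSIClientRequestHandler}
 * chosen on first use from the server-advertised GSI version and from whether a delegated
 * proxy is attached to the transfer.
 *
 * <p>Everything read from the inbound messages (status, server step, protocol name,
 * advertised version) comes from the remote endpoint and is treated as untrusted: unexpected
 * values end the exchange with an {@link XrootdException} instead of being acted upon.
 */
public class GSIClientAuthenticationHandler extends AbstractClientAuthnHandler {
    private final GSICredentialManager credentialManager;

    // Created lazily by sendAuthenticationRequest(); null until the first request is built.
    private GSIClientRequestHandler requestHandler;

    // Step announced by the server in its most recent authentication response.
    private int serverStep;

    /**
     * @param gSICredentialManager source of the credentials and of the delegation policy
     *                             consulted when the request handler is selected
     */
    public GSIClientAuthenticationHandler(GSICredentialManager gSICredentialManager) {
        super(GSIRequestHandler.PROTOCOL);
        this.credentialManager = gSICredentialManager;
    }

    /**
     * Passes the client on to the superclass unchanged.
     */
    public void setClient(XrootdTpcClient xrootdTpcClient) {
        super.setClient(xrootdTpcClient);
    }

    /**
     * Routes a server error to the request handler, or reports a bug if no authentication
     * request has been sent yet.
     *
     * @throws XrootdException if the request handler rejects the error response
     */
    protected void doOnErrorResponse(ChannelHandlerContext channelHandlerContext, InboundErrorResponse inboundErrorResponse) throws XrootdException {
        if (this.requestHandler != null) {
            this.requestHandler.handleAuthenticationError(inboundErrorResponse);
            return;
        }
        XrootdException serverError = new XrootdException(inboundErrorResponse.getError(), inboundErrorResponse.getErrorMessage());
        exceptionCaught(channelHandlerContext, new RuntimeException("An authentication error was  intercepted before an authentication request was sent; this is a bug.", serverError));
    }

    /**
     * Handles an authentication response: status 0 ends the exchange and hands the message
     * to the next handler, status 4002 triggers the next request, anything else is refused.
     *
     * @throws XrootdException if no request is outstanding, if the outstanding request has
     *                         expired, or if the status is not one of the two handled values
     */
    protected void doOnAuthenticationResponse(ChannelHandlerContext channelHandlerContext, InboundAuthenticationResponse inboundAuthenticationResponse) throws XrootdException {
        // An authentication response with no request outstanding is unsolicited. Refuse it
        // with a protocol error rather than failing on a null request handler, mirroring
        // the guard in doOnErrorResponse().
        if (this.requestHandler == null) {
            throw new XrootdException(3006, "Authentication response received before an authentication request was sent.");
        }
        // A late answer must not be allowed to complete the exchange.
        if (this.requestHandler.isRequestExpired()) {
            throw new XrootdException(3006, "Authentication request response time expired.");
        }
        this.serverStep = inboundAuthenticationResponse.getServerStep();
        ChannelId id = channelHandlerContext.channel().id();
        int status = inboundAuthenticationResponse.getStatus();
        int streamId = this.client.getStreamId();
        XrootdTpcInfo info = this.client.getInfo();
        switch (status) {
            case 0:
                LOGGER.debug("Authentication to {}, channel {}, stream {}, sessionId {} succeeded; passing to next handler.", info.getSrc(), id, streamId, this.client.getSessionId());
                channelHandlerContext.fireChannelRead(inboundAuthenticationResponse);
                return;
            case 4002:
                LOGGER.debug("Authentication to {}, channel {}, stream {}, sessionId {}, proceeding to next step.", info.getSrc(), id, streamId, this.client.getSessionId());
                // Stored so that sendAuthenticationRequest() can build the reply from it.
                this.client.setAuthResponse(inboundAuthenticationResponse);
                sendAuthenticationRequest(channelHandlerContext);
                return;
            default:
                throw new XrootdException(10015, "wrong status from GSI authentication response: " + status);
        }
    }

    /**
     * Builds and sends the next authentication request.
     *
     * <p>With no stored server response this is the opening certificate request. Otherwise
     * the stored response must name the GSI protocol and announce server step 2001, which is
     * answered with the cert step; every other step is refused.
     *
     * @throws XrootdException if the request handler cannot be created, the server named a
     *                         different protocol, or the server asked for an unhandled step
     */
    protected void sendAuthenticationRequest(ChannelHandlerContext channelHandlerContext) throws XrootdException {
        OutboundAuthenticationRequest request;
        if (this.requestHandler == null) {
            this.requestHandler = createRequestHandler();
        }
        ChannelId id = channelHandlerContext.channel().id();
        int streamId = this.client.getStreamId();
        XrootdTpcInfo info = this.client.getInfo();
        InboundAuthenticationResponse authResponse = this.client.getAuthResponse();
        if (authResponse == null) {
            request = this.requestHandler.handleCertReqStep();
            LOGGER.debug("sendAuthenticationRequest to {}, channel {}, stream {}, step: cert request.", info.getSrc(), id, streamId);
        } else {
            // The protocol name is server-supplied; continue only if it is the one this
            // handler was registered for.
            if (!authResponse.getProtocol().equals(GSIRequestHandler.PROTOCOL)) {
                throw new XrootdException(10003, "server replied with incorrect protocol: " + authResponse.getProtocol());
            }
            switch (this.serverStep) {
                case 2001:
                    request = this.requestHandler.handleCertStep(authResponse, channelHandlerContext);
                    LOGGER.debug("sendAuthenticationRequest to {}, channel {}, stream {}, step: cert.", info.getSrc(), id, streamId);
                    break;
                case 2002:
                    // Listed explicitly but not handled here; refused like any unknown step.
                default:
                    throw new XrootdException(10015, "client does not handle requested authentication step " + XrootdSecurityProtocol.getServerStep(this.serverStep) + ".");
            }
        }
        this.requestHandler.updateLastRequest();
        this.client.setExpectedResponse(3000);
        // Clear the consumed response so that it is not answered a second time.
        this.client.setAuthResponse((InboundAuthenticationResponse) null);
        channelHandlerContext.writeAndFlush(request, channelHandlerContext.newPromise()).addListener(ChannelFutureListener.FIRE_EXCEPTION_ON_FAILURE);
        this.client.startTimer(channelHandlerContext);
    }

    /**
     * Chooses the request handler from the server-advertised GSI version and the presence
     * of a delegated proxy.
     *
     * <p>The version string is supplied by the remote server. A server advertising a version
     * below 10400, or a transfer without a delegated proxy, selects the pre-4.9 handler; the
     * {@code isDelegationOnly()} check is what prevents that fallback when the credential
     * manager is configured to require delegation.
     *
     * @throws XrootdException if the version is missing or not an integer, or if delegation
     *                         is required but the delegating handler cannot be used
     */
    private GSIClientRequestHandler createRequestHandler() throws XrootdException {
        // Casts kept as in the original: the declared type of the authn context is not
        // visible in this file.
        String advertised = (String) ((Optional) this.client.getAuthnContext().get("version")).orElse(null);
        if (advertised == null) {
            throw new XrootdException(10003, "Server did not indicate GSI protocol version.");
        }
        int version;
        try {
            version = Integer.parseInt(advertised);
        } catch (NumberFormatException e) {
            // A malformed version from the server is a protocol error, not an unchecked
            // exception to be propagated through the channel pipeline.
            throw new XrootdException(10003, "Server indicated an invalid GSI protocol version: " + advertised);
        }
        Serializable delegatedProxy = this.client.getInfo().getDelegatedProxy();
        boolean hasDelegatedProxy = delegatedProxy != null;
        GSIClientRequestHandler handler;
        if (version >= 10400 && hasDelegatedProxy) {
            handler = new GSIPost49ClientRequestHandler(this.credentialManager, this.client);
        } else {
            if (this.credentialManager.isDelegationOnly()) {
                throw new XrootdException(10026, "proxy delegation required but not available.");
            }
            handler = new GSIPre49ClientRequestHandler(this.credentialManager, this.client);
        }
        LOGGER.info("Server protocol version was {}; delegated proxy exists? {}; using {}.", version, hasDelegatedProxy, handler.getClass().getSimpleName());
        return handler;
    }
}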
