package org.dcache.xrootd.plugins.authn.gsi;

import javax.security.auth.Subject;
import org.dcache.xrootd.core.XrootdException;
import org.dcache.xrootd.plugins.AuthenticationHandler;
import org.dcache.xrootd.plugins.authn.gsi.GSIBucketUtils;
import org.dcache.xrootd.plugins.authn.gsi.post49.GSIPost49ServerRequestHandler;
import org.dcache.xrootd.plugins.authn.gsi.pre49.GSIPre49ServerRequestHandler;
import org.dcache.xrootd.protocol.messages.AuthenticationRequest;
import org.dcache.xrootd.protocol.messages.OkResponse;
import org.dcache.xrootd.protocol.messages.XrootdResponse;
import org.dcache.xrootd.security.BufferDecrypter;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/dcache/xrootd/plugins/authn/gsi/GSIAuthenticationHandler.class */
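/**
 * Server-side driver for the GSI authentication handshake of one xrootd session.
 *
 * <p>Each incoming {@link AuthenticationRequest} is deserialized into bucket data, checked
 * against the negotiated protocol name and the handshake timeout, and then dispatched by its
 * step number to a version-specific {@link GSIServerRequestHandler}. That handler is created
 * lazily from the protocol version announced in the first request that passes the protocol
 * check.
 *
 * <p>The instance holds mutable per-handshake state ({@code requestHandler}, {@code finished})
 * without any synchronization, so it is presumably meant to be confined to a single
 * connection/thread. NOTE(review): confirm against the caller.
 */
public class GSIAuthenticationHandler implements AuthenticationHandler {
    protected static final Logger LOGGER = LoggerFactory.getLogger(GSIAuthenticationHandler.class);
    private final GSICredentialManager credentialManager;
    // Created on the first request that passes the protocol check; null until then.
    private GSIServerRequestHandler requestHandler;
    // Set from requestHandler.isFinished(...) after the cert and sigpxy steps only.
    private boolean finished = false;
    // Handed to the request handler on construction and returned by getSubject().
    private final Subject subject = new Subject();

    /**
     * @param gSICredentialManager source of the host credential; also passed on to the
     *     version-specific request handler
     */
    public GSIAuthenticationHandler(GSICredentialManager gSICredentialManager) {
        this.credentialManager = gSICredentialManager;
    }

    /**
     * Processes one message of the GSI handshake.
     *
     * <p>All fields read from the request (protocol name, version, step) are supplied by the
     * client and are untrusted until the handshake has completed.
     *
     * @param authenticationRequest the client's authentication request
     * @return the response for this handshake step
     * @throws XrootdException if the protocol name does not match the negotiated one, the
     *     handshake has timed out, the client sent no version on the first request, the step
     *     number is unknown, or the step handler itself fails
     */
    public XrootdResponse<AuthenticationRequest> authenticate(AuthenticationRequest authenticationRequest) throws XrootdException {
        GSIBucketUtils.BucketData data = GSIBucketUtils.deserializeData(authenticationRequest);

        if (!GSIRequestHandler.PROTOCOL.equalsIgnoreCase(data.getProtocol())) {
            // The handler is created lazily below, so on the very first request it is still
            // null. Without this guard a client that opens with the wrong protocol name
            // triggers a NullPointerException instead of the intended protocol error.
            if (this.requestHandler != null) {
                this.requestHandler.cancelHandshake();
            }
            // The message echoes the client-supplied protocol string; anything that logs or
            // displays it should treat it as untrusted text.
            throw new XrootdException(3006, "Specified Protocol " + data.getProtocol() + " is not the protocol that was negotiated.");
        }

        if (this.requestHandler == null) {
            this.requestHandler = createRequestHandler(data.getVersion());
        }

        if (this.requestHandler.isRequestExpired()) {
            this.requestHandler.cancelHandshake();
            throw new XrootdException(3006, "Client authentication request time expired.");
        }

        XrootdResponse<AuthenticationRequest> response;
        switch (data.getStep()) {
            case 0:
                // Answered with a plain OK and no handler call. 'finished' is not touched,
                // so this step on its own never completes authentication.
                response = new OkResponse(authenticationRequest);
                break;
            case 1000:
                response = this.requestHandler.handleCertReqStep(authenticationRequest, data);
                LOGGER.debug("authenticate, processed certreq step for stream {}, session {}.", authenticationRequest.getStreamId(), authenticationRequest.getSession());
                break;
            case 1001:
                response = this.requestHandler.handleCertStep(authenticationRequest, data);
                this.finished = this.requestHandler.isFinished(data);
                LOGGER.debug("authenticate, processed cert step for stream {}, session {}.", authenticationRequest.getStreamId(), authenticationRequest.getSession());
                break;
            case 1002:
                response = this.requestHandler.handleSigPxyStep(authenticationRequest, data);
                LOGGER.debug("authenticate, processed sigpxy step for stream {}, session {}.", authenticationRequest.getStreamId(), authenticationRequest.getSession());
                this.finished = this.requestHandler.isFinished(data);
                break;
            default:
                this.requestHandler.cancelHandshake();
                throw new XrootdException(10015, "Error during authentication, unknown processing step: " + data.getStep());
        }

        // Only reached when the step was handled without an exception.
        this.requestHandler.updateLastRequest();
        return response;
    }

    /**
     * Returns the decrypter owned by the version-specific request handler.
     *
     * <p>The handler does not exist until {@link #authenticate} has accepted a first request,
     * so calling this earlier fails with a {@link NullPointerException}. That is kept on
     * purpose: returning {@code null} here could be read by a caller as "no decryption
     * needed". NOTE(review): confirm callers only use this after {@link #isCompleted()}.
     */
    public BufferDecrypter getDecrypter() {
        return this.requestHandler.getDecrypter();
    }

    /**
     * Builds the protocol string advertised to clients, ending in a hash of the issuer name of
     * the host certificate.
     *
     * <p>The MD5-based value looks like the CA name hash that clients use to pick the matching
     * CA, i.e. an identifier rather than an integrity check. NOTE(review): confirm nothing
     * relies on it as a security property.
     */
    public String getProtocol() {
        return "&P=gsi,v:10400,c:ssl,ca:" + CertUtil.computeMD5Hash(this.credentialManager.getHostCredential().getCertificate().getIssuerX500Principal());
    }

    /**
     * Returns the subject shared with the request handler. The same instance is returned
     * whether or not the handshake has completed, so callers should check
     * {@link #isCompleted()} before trusting its contents.
     */
    public Subject getSubject() {
        return this.subject;
    }

    /** Returns whether the request handler reported the handshake finished after a cert or sigpxy step. */
    public boolean isCompleted() {
        return this.finished;
    }

    /**
     * Chooses the request handler implementation from the client-announced protocol version.
     *
     * @param num the version sent by the client; may be {@code null}
     * @return the post-4.9 handler for versions from 10400 up, otherwise the pre-4.9 handler
     * @throws XrootdException if the client sent no version
     */
    private GSIServerRequestHandler createRequestHandler(Integer num) throws XrootdException {
        if (num == null) {
            throw new XrootdException(10003, "Client did not provide GSI protocol version number.");
        }
        // The client controls this value, so it can select the older handshake simply by
        // announcing a version below 10400.
        GSIServerRequestHandler handler;
        if (num.intValue() >= 10400) {
            handler = new GSIPost49ServerRequestHandler(this.subject, this.credentialManager);
        } else {
            handler = new GSIPre49ServerRequestHandler(this.subject, this.credentialManager);
        }
        LOGGER.info("Client protocol version was {}, using {}.", num, handler.getClass().getSimpleName());
        return handler;
    }
}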
