package org.dcache.xrootd.plugins.authz.scitokens;

import io.netty.channel.ChannelHandlerContext;
import java.net.InetSocketAddress;
import java.util.Map;
import javax.security.auth.Subject;
import org.dcache.xrootd.core.XrootdException;
import org.dcache.xrootd.plugins.AuthorizationHandler;
import org.dcache.xrootd.protocol.XrootdProtocol;
import org.dcache.xrootd.security.TokenValidator;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/dcache/xrootd/plugins/authz/scitokens/XrootdSciTokenAuthzHandler.class */
public class XrootdSciTokenAuthzHandler implements AuthorizationHandler {
    protected static final Logger LOGGER = LoggerFactory.getLogger(XrootdSciTokenAuthzHandler.class);
    private static final String SCITOKEN = "authz";
    private static final String TPC_STAGE = "tpc.stage";
    private static final String TPC_PLACEMENT = "placement";
    protected final boolean strict;
    protected final TokenValidator validator;
    protected final ChannelHandlerContext ctx;

    public XrootdSciTokenAuthzHandler(TokenValidator tokenValidator, boolean z, ChannelHandlerContext channelHandlerContext) {
        this.validator = tokenValidator;
        this.strict = z;
        this.ctx = channelHandlerContext;
    }

    public String authorize(Subject subject, InetSocketAddress inetSocketAddress, InetSocketAddress inetSocketAddress2, String str, Map<String, String> map, int i, XrootdProtocol.FilePerm filePerm) throws XrootdException, SecurityException {
        LOGGER.trace("authorize: {}, {}, {}, {}, {}, {}, {}.", new Object[]{subject, inetSocketAddress, inetSocketAddress2, str, map, Integer.valueOf(i), filePerm});
        if (TPC_PLACEMENT.equals(map.get(TPC_STAGE))) {
            return str;
        }
        String str2 = map.get(SCITOKEN);
        if (str2 != null) {
            this.validator.validate(this.ctx, TokenValidator.stripOffPrefix(str2));
            return str;
        }
        LOGGER.debug("no token for {}; strict? {}.", str, Boolean.valueOf(this.strict));
        if (this.strict) {
            throw new XrootdException(3006, "user provided no bearer token.");
        }
        return str;
    }
}
