package org.dcache.xrootd.core;

import com.google.common.collect.Maps;
import io.netty.channel.ChannelHandlerContext;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.concurrent.ConcurrentMap;
import java.util.concurrent.atomic.AtomicBoolean;
import java.util.stream.Collectors;
import javax.security.auth.Subject;
import org.dcache.xrootd.plugins.AuthenticationHandler;
import org.dcache.xrootd.plugins.authn.none.NoAuthenticationHandler;
import org.dcache.xrootd.protocol.messages.AuthenticationRequest;
import org.dcache.xrootd.protocol.messages.EndSessionRequest;
import org.dcache.xrootd.protocol.messages.LoginRequest;
import org.dcache.xrootd.protocol.messages.LoginResponse;
import org.dcache.xrootd.protocol.messages.OkResponse;
import org.dcache.xrootd.protocol.messages.XrootdRequest;
import org.dcache.xrootd.security.BufferDecrypter;
import org.dcache.xrootd.security.RequiresTLS;
import org.dcache.xrootd.security.SigningPolicy;
import org.dcache.xrootd.security.TLSSessionInfo;
import org.dcache.xrootd.util.UserNameUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/dcache/xrootd/core/XrootdSessionHandler.class */
public class XrootdSessionHandler extends XrootdRequestHandler {
    public static final String SESSION_HANDLER = "sessionHandler";
    private static final Logger LOGGER = LoggerFactory.getLogger(XrootdSessionHandler.class);
    private static final ConcurrentMap<XrootdSessionIdentifier, XrootdSession> SESSIONS = Maps.newConcurrentMap();
    private static final XrootdSessionIdentifier CURRENT_SESSION_PLACEHOLDER = new XrootdSessionIdentifier(new byte[16]);
    private XrootdSession session;
    private TLSSessionInfo tlsSessionInfo;
    private SigningPolicy signingPolicy;
    private XrootdAuthenticationHandler currentHandler;
    private String currentProtocol;
    private final AtomicBoolean inProgress = new AtomicBoolean(false);
    private final XrootdSessionIdentifier sessionId = new XrootdSessionIdentifier();
    private final Map<String, XrootdAuthenticationHandler> handlerMap = new LinkedHashMap();
    private State state = State.NO_LOGIN;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/dcache/xrootd/core/XrootdSessionHandler$State.class */
    public enum State {
        NO_LOGIN,
        NO_AUTH,
        AUTH
    }

    public void channelInactive(ChannelHandlerContext channelHandlerContext) throws Exception {
        SESSIONS.remove(this.sessionId);
        super.channelInactive(channelHandlerContext);
    }

    public void add(XrootdAuthenticationHandler xrootdAuthenticationHandler) {
        this.handlerMap.put(xrootdAuthenticationHandler.getProtocol(), xrootdAuthenticationHandler);
    }

    public void setSubject(Subject subject) {
        this.session.setSubject(subject);
    }

    @Override // org.dcache.xrootd.core.XrootdRequestHandler
    protected Object getResponse(ChannelHandlerContext channelHandlerContext, XrootdRequest xrootdRequest) throws Exception {
        switch (xrootdRequest.getRequestId()) {
            case 3000:
                LOGGER.debug("XrootdSessionHandler.getResponse: Request kXR_auth");
                if (!this.inProgress.compareAndSet(false, true)) {
                    throw new XrootdException(3020, "Login in progress");
                }
                try {
                    switch (this.state) {
                        case NO_LOGIN:
                            LOGGER.debug("Request kXR_auth isInProgress: NO LOGIN");
                            throw new XrootdException(3010, "Login required");
                        case AUTH:
                            LOGGER.debug("Request kXR_auth isInProgress: AUTH");
                            throw new XrootdException(3006, "Already authenticated");
                        default:
                            xrootdRequest.setSession(this.session);
                            handleAuthentication(channelHandlerContext, (AuthenticationRequest) xrootdRequest);
                            return null;
                    }
                } finally {
                    this.inProgress.set(false);
                }
            case 3006:
                LOGGER.debug("XrootdSessionHandler.getResponse: Request kXR_protocol");
                channelHandlerContext.fireChannelRead(xrootdRequest);
                return null;
            case 3007:
                LOGGER.debug("XrootdSessionHandler.getResponse: Request kXR_login");
                return doOnLogin(channelHandlerContext, (LoginRequest) xrootdRequest);
            case 3011:
                LOGGER.debug("XrootdSessionHandler.getResponse: Request kXR_ping");
                if (!isLoginStarted()) {
                    LOGGER.debug("Request kXR_ping: NO LOGIN");
                    throw new XrootdException(3010, "Login required");
                }
                xrootdRequest.setSession(this.session);
                channelHandlerContext.fireChannelRead(xrootdRequest);
                return null;
            case 3023:
                LOGGER.debug("XrootdSessionHandler.getResponse: Request kXR_endsess");
                switch (this.state) {
                    case NO_LOGIN:
                        LOGGER.debug("Request kXR_endsess NO_LOGIN");
                        throw new XrootdException(3010, "Login required");
                    case NO_AUTH:
                        LOGGER.debug("Request kXR_endsess NO_AUTH");
                        throw new XrootdException(3010, "Authentication required");
                    default:
                        return doOnEndSession(channelHandlerContext, (EndSessionRequest) xrootdRequest);
                }
            case 3024:
                LOGGER.debug("XrootdSessionHandler.getResponse: Request kXR_bind");
                if (this.tlsSessionInfo != null && this.tlsSessionInfo.serverUsesTls()) {
                    LOGGER.debug("kXR_bind, server has now transitioned to tls? {}.", Boolean.valueOf(this.tlsSessionInfo.serverTransitionedToTLS(3024, channelHandlerContext)));
                }
                channelHandlerContext.fireChannelRead(xrootdRequest);
                return null;
            default:
                LOGGER.debug("XrootdSessionHandler.getResponse: Request {}", Integer.valueOf(xrootdRequest.getRequestId()));
                switch (this.state) {
                    case NO_LOGIN:
                        LOGGER.debug("{}, NO LOGIN", xrootdRequest);
                        throw new XrootdException(3010, "Login required");
                    case NO_AUTH:
                        LOGGER.debug("{}, NO_AUTH", xrootdRequest);
                        throw new XrootdException(3010, "Authentication required");
                    default:
                        xrootdRequest.setSession(this.session);
                        channelHandlerContext.fireChannelRead(xrootdRequest);
                        return null;
                }
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    @Override // org.dcache.xrootd.core.XrootdRequestHandler
    public LoginResponse doOnLogin(ChannelHandlerContext channelHandlerContext, LoginRequest loginRequest) throws XrootdException {
        if (!this.inProgress.compareAndSet(false, true)) {
            throw new XrootdException(3020, "Login in progress");
        }
        try {
            loginRequest.setUserName(UserNameUtils.checkUsernameValid(loginRequest.getUserName()));
            this.session = new XrootdSession(this.sessionId, channelHandlerContext.channel(), loginRequest);
            loginRequest.setSession(this.session);
            LoginResponse loginResponse = new LoginResponse(loginRequest, this.sessionId, protocolString());
            SESSIONS.put(this.sessionId, this.session);
            setLoginStarted();
            this.inProgress.set(false);
            return loginResponse;
        } catch (Throwable th) {
            this.inProgress.set(false);
            throw th;
        }
    }

    @Override // org.dcache.xrootd.core.XrootdRequestHandler
    protected Object doOnEndSession(ChannelHandlerContext channelHandlerContext, EndSessionRequest endSessionRequest) throws XrootdException {
        XrootdSessionIdentifier sessionId = endSessionRequest.getSessionId();
        if (sessionId.equals(CURRENT_SESSION_PLACEHOLDER)) {
            channelHandlerContext.channel().close();
            return new OkResponse(endSessionRequest);
        }
        XrootdSession xrootdSession = SESSIONS.get(sessionId);
        if (xrootdSession != null) {
            if (!xrootdSession.hasOwner(this.session.getSubject())) {
                throw new XrootdException(3010, "not session owner");
            }
            xrootdSession.getChannel().close();
        }
        return new OkResponse(endSessionRequest);
    }

    private void handleAuthentication(ChannelHandlerContext channelHandlerContext, AuthenticationRequest authenticationRequest) throws XrootdException {
        if (this.currentHandler == null) {
            this.currentProtocol = authenticationRequest.getCredType();
            this.currentHandler = this.handlerMap.get(this.currentProtocol);
            if (this.currentHandler == null) {
                throw new XrootdException(3010, "server does not support " + this.currentProtocol);
            }
            if ((this.currentHandler instanceof RequiresTLS) && !TLSSessionInfo.isTLSOn(channelHandlerContext)) {
                throw new XrootdException(3013, "TLS is required for " + this.currentProtocol);
            }
            channelHandlerContext.pipeline().addAfter(SESSION_HANDLER, this.currentProtocol, this.currentHandler);
        }
        channelHandlerContext.fireChannelRead(authenticationRequest);
    }

    public boolean isLoginStarted() {
        return this.state != State.NO_LOGIN;
    }

    public void setLoginStarted() {
        this.state = State.NO_AUTH;
    }

    public void setAuthSucceeded(ChannelHandlerContext channelHandlerContext) throws XrootdException {
        this.state = State.AUTH;
        if (this.tlsSessionInfo == null || !this.tlsSessionInfo.serverUsesTls()) {
            AuthenticationHandler handler = this.currentHandler.getHandler();
            if (!(handler instanceof NoAuthenticationHandler) && !TLSSessionInfo.isTLSOn(channelHandlerContext) && this.signingPolicy.isSigningOn()) {
                BufferDecrypter decrypter = handler.getDecrypter();
                channelHandlerContext.pipeline().addAfter("decoder", "sigverDecoder", new XrootdSigverDecoder(this.signingPolicy, decrypter));
                channelHandlerContext.pipeline().remove("decoder");
                LOGGER.debug("switched decoder to sigverDecoder, decrypter {}.", decrypter);
            }
        } else {
            LOGGER.debug("kXR_auth, server has now transitioned to tls? {}.", Boolean.valueOf(this.tlsSessionInfo.serverTransitionedToTLS(3000, channelHandlerContext)));
        }
        channelHandlerContext.pipeline().remove(this.currentHandler);
        this.currentHandler = null;
        this.currentProtocol = null;
    }

    public void setAuthFailed(ChannelHandlerContext channelHandlerContext) {
        this.state = State.NO_AUTH;
        channelHandlerContext.pipeline().remove(this.currentHandler);
        this.currentHandler = null;
        this.currentProtocol = null;
    }

    public void setSigningPolicy(SigningPolicy signingPolicy) {
        this.signingPolicy = signingPolicy;
    }

    public void setTlsSessionInfo(TLSSessionInfo tLSSessionInfo) {
        this.tlsSessionInfo = tLSSessionInfo;
    }

    private String protocolString() {
        String str = (String) this.handlerMap.values().stream().map(xrootdAuthenticationHandler -> {
            return xrootdAuthenticationHandler.getHandler();
        }).map((v0) -> {
            return v0.getProtocol();
        }).collect(Collectors.joining());
        LOGGER.debug("protocols: {}.", str);
        return str;
    }
}
