package org.dcache.xrootd.security;

import io.netty.channel.Channel;
import io.netty.channel.ChannelHandler;
import io.netty.channel.ChannelHandlerContext;
import io.netty.handler.ssl.SslHandler;
import io.netty.util.concurrent.Future;
import io.netty.util.concurrent.FutureListener;
import org.dcache.xrootd.core.XrootdException;
import org.dcache.xrootd.plugins.tls.SSLHandlerFactory;
import org.dcache.xrootd.util.ServerProtocolFlags;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/dcache/xrootd/security/TLSSessionInfo.class */
/**
 * Tracks the TLS negotiation state used by the xrootd handlers: one server-side
 * session ({@code serverSession}, always present) and, optionally, one
 * third-party-copy client session ({@code tpcClientSession}, created by
 * {@link #createClientSession(boolean)}).
 *
 * <p>This listing is decompiler output (see the JADX markers below); parameter
 * names such as {@code i}, {@code i2} and {@code z} appear to be generated, so the
 * comments describe them by the fields they are assigned to.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>Whether TLS is started is decided from integer flag words supplied by the
 *       peer ({@link #setLocalTlsActivation(int, int, int)} and
 *       {@link #setSourceServerFlags(int)}). NOTE(review): these are presumably
 *       exchanged before any TLS handshake and are therefore unauthenticated;
 *       only the STRICT server mode and {@code requiresTLS == true} on the TPC
 *       client turn a missing capability into an error instead of cleartext.</li>
 *   <li>Both handshake paths disable TLS client-certificate requests, so peer
 *       authentication on the server side is not done at the TLS layer here.</li>
 *   <li>{@link #isTLSOn(ChannelHandlerContext)} reports that an {@link SslHandler}
 *       is installed, not that the handshake has succeeded.</li>
 * </ul>
 */
public class TLSSessionInfo {
    private static final Logger LOGGER = LoggerFactory.getLogger(TLSSessionInfo.class);
    // Server-side negotiation state; assigned in both constructors.
    private final ServerTlsSession serverSession;
    // TPC client negotiation state; null until createClientSession() is called.
    private ClientTlsSession tpcClientSession;
    // Factories producing the SslHandler for each direction; null until set.
    private SSLHandlerFactory serverSslHandlerFactory;
    private SSLHandlerFactory clientSslHandlerFactory;

    /* loaded from: input_file:org/dcache/xrootd/security/TLSSessionInfo$ClientTls.class */
    /**
     * TLS capability a client advertises through its version and options words.
     */
    public enum ClientTls {
        REQUIRES,
        ABLE,
        NONE;

        /**
         * Classifies a client from its flag words.
         *
         * @param i  client protocol version; anything below 1280 (0x500) is
         *           treated as not TLS-capable
         * @param i2 client options bit mask; bit 4 maps to REQUIRES and takes
         *           precedence over bit 2, which maps to ABLE (presumably the
         *           protocol's kXR_wantTLS / kXR_ableTLS bits; confirm)
         * @return the advertised capability, NONE when neither bit is set
         */
        public static ClientTls getMode(int i, int i2) {
            return i < 1280 ? NONE : (i2 & 4) == 4 ? REQUIRES : (i2 & 2) == 2 ? ABLE : NONE;
        }
    }

    /* loaded from: input_file:org/dcache/xrootd/security/TLSSessionInfo$ClientTlsSession.class */
    /**
     * Negotiation state for the outbound third-party-copy (TPC) client. Its
     * inherited {@code serverFlags} field holds the flags of the remote source
     * server and stays null until {@link #setSourceServerFlags(int)} is called.
     */
    class ClientTlsSession extends TlsSession {
        // When true, a source that cannot do TLS is an error rather than a
        // reason to continue in cleartext.
        protected final boolean requiresTLS;

        protected ClientTlsSession(boolean z) {
            super();
            this.requiresTLS = z;
        }

        /**
         * Fixes the flag words this client advertises: version 1280, expect 3,
         * and an options value chosen from the local server's TLS mode.
         * Per {@link ClientTls#getMode(int, int)}, options 1 classifies as NONE,
         * 3 as ABLE and 4 as REQUIRES.
         */
        @Override // org.dcache.xrootd.security.TLSSessionInfo.TlsSession
        protected void configure() {
            this.version = 1280;
            this.expect = 3;
            switch (TLSSessionInfo.this.serverSession.serverFlags.getMode()) {
                case OFF:
                    // Local TLS is off: advertise no TLS capability at all,
                    // even if requiresTLS was requested.
                    this.options = 1;
                    return;
                default:
                    if (this.requiresTLS) {
                        this.options = 4;
                        return;
                    } else {
                        this.options = 3;
                        return;
                    }
            }
        }

        /**
         * Records the flag word reported by the source server.
         * NOTE(review): the value is presumably taken from the source's protocol
         * response before TLS is active, so it is not integrity-protected.
         */
        protected void setSourceServerFlags(int i) {
            this.serverFlags = new ServerProtocolFlags(i);
        }

        /**
         * Decides whether the TPC client connection should switch to TLS now
         * and, if so, installs an {@link SslHandler} at the head of the pipeline.
         *
         * <p>Precondition: {@link #setSourceServerFlags(int)} has been called;
         * otherwise {@code this.serverFlags} is null and this method fails with a
         * NullPointerException.
         *
         * @param i compared against 3007 and 3024 below; presumably the xrootd
         *          request code being processed (kXR_login / kXR_bind; confirm)
         * @param channelHandlerContext context whose pipeline receives the handler
         * @return true if a handler was installed and the handshake was started;
         *         the handshake itself completes asynchronously
         * @throws XrootdException code 3028 when TLS is required but the source
         *         does not support it; code 3012 when no client handler factory
         *         has been set
         */
        @Override // org.dcache.xrootd.security.TLSSessionInfo.TlsSession
        protected boolean transitionedToTLS(int i, ChannelHandlerContext channelHandlerContext) throws XrootdException {
            // Nothing to do if TLS is unsupported locally or already installed.
            if (!TLSSessionInfo.this.serverSession.serverFlags.supportsTLS() || channelHandlerContext.pipeline().get(SslHandler.class) != null) {
                return false;
            }
            if (!this.serverFlags.supportsTLS()) {
                if (this.requiresTLS) {
                    throw new XrootdException(3028, "Source is not able to accept secure connections.");
                }
                // Cleartext fallback: with requiresTLS == false the transfer
                // proceeds unencrypted when the source reports no TLS support.
                return false;
            }
            if (TLSSessionInfo.this.clientSslHandlerFactory == null) {
                throw new XrootdException(3012, "no ssl handler factory set on third-party client.");
            }
            boolean goToTLS = this.serverFlags.goToTLS();
            TlsActivation valueOf = TlsActivation.valueOf(this.serverFlags);
            if (!goToTLS) {
                // The source did not ask for an immediate switch; switch only
                // when the current step matches the source's activation point.
                switch (i) {
                    case 3007:
                        goToTLS = valueOf == TlsActivation.LOGIN;
                        break;
                    case 3024:
                        goToTLS = valueOf == TlsActivation.DATA;
                        break;
                    default:
                        goToTLS = (valueOf == TlsActivation.TPC || valueOf == TlsActivation.NONE) ? false : true;
                        break;
                }
            }
            if (goToTLS) {
                this.sslHandler = TLSSessionInfo.this.clientSslHandlerFactory.createHandler();
                // Need/want client auth are server-mode settings on an SSLEngine.
                // NOTE(review): whether this engine runs in client mode, and
                // whether it validates the source's certificate and host name,
                // is decided by the factory and is not visible here; confirm.
                this.sslHandler.engine().setNeedClientAuth(false);
                this.sslHandler.engine().setWantClientAuth(false);
                channelHandlerContext.pipeline().addFirst(new ChannelHandler[]{this.sslHandler});
                TLSSessionInfo.LOGGER.debug("PIPELINE addFirst:  SSLHandler need auth {}, want auth, {}.", Boolean.valueOf(this.sslHandler.engine().getNeedClientAuth()), Boolean.valueOf(this.sslHandler.engine().getWantClientAuth()));
                // The handshake outcome is only reported through the listener.
                this.sslHandler.handshakeFuture().addListener(this);
                TLSSessionInfo.LOGGER.info("TPC client initiating SSL handshake");
            }
            return goToTLS;
        }

        /** Logs the outcome of the TPC client handshake. */
        public void operationComplete(Future<Channel> future) {
            TLSSessionInfo.operationComplete("TPC client", future);
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:org/dcache/xrootd/security/TLSSessionInfo$ServerTlsSession.class */
    /**
     * Negotiation state for the inbound (server) side. {@code serverFlags} is a
     * session-local copy of the configured flags that {@link #configure()}
     * adjusts according to what the connecting client advertises.
     */
    public class ServerTlsSession extends TlsSession {
        protected ServerTlsSession(ServerProtocolFlags serverProtocolFlags) {
            super(serverProtocolFlags);
        }

        protected ServerTlsSession(TlsSession tlsSession) {
            super(tlsSession);
        }

        /**
         * Reconciles the server's TLS mode with the client's advertised
         * capability ({@code version}, {@code options}, {@code expect}, set via
         * {@code setClientFlags}) and updates the session-local flags.
         *
         * <p>Decision order as written:
         * <ol>
         *   <li>Client NONE: error 3028 in STRICT mode, otherwise the session
         *       mode is forced to OFF.</li>
         *   <li>Server OFF: error 3028 if the client REQUIRES TLS, otherwise
         *       nothing changes.</li>
         *   <li>Client REQUIRES: TLS for login and an immediate switch are set.</li>
         *   <li>Server OPTIONAL (client is ABLE): every requiresTLSFor* flag is
         *       cleared, so no TLS is started for this client.</li>
         *   <li>Otherwise: the switch on {@code expect} may set goToTLS.</li>
         * </ol>
         *
         * <p>NOTE(review): the client flags are presumably read from a cleartext
         * protocol request. In any mode other than STRICT, a client that appears
         * not TLS-capable is served without TLS, so deployments that cannot
         * tolerate cleartext need STRICT.
         *
         * @throws XrootdException code 3028 when client and server requirements
         *         cannot be reconciled
         */
        @Override // org.dcache.xrootd.security.TLSSessionInfo.TlsSession
        protected void configure() throws XrootdException {
            ClientTls mode = ClientTls.getMode(this.version, this.options);
            if (mode == ClientTls.NONE) {
                TLSSessionInfo.LOGGER.debug("Client NOT TLS capable.");
                if (this.serverFlags.getMode() == ServerProtocolFlags.TlsMode.STRICT) {
                    throw new XrootdException(3028, "Server accepts only secure connections.");
                }
                // Downgrade point: the session continues with TLS switched off.
                this.serverFlags.setMode(ServerProtocolFlags.TlsMode.OFF);
                TLSSessionInfo.LOGGER.debug("TLS is OFF.");
                return;
            }
            if (this.serverFlags.getMode() == ServerProtocolFlags.TlsMode.OFF) {
                TLSSessionInfo.LOGGER.debug("TLS is OFF.");
                if (mode == ClientTls.REQUIRES) {
                    throw new XrootdException(3028, "Server is not able to accept secure connections.");
                }
                return;
            }
            if (mode == ClientTls.REQUIRES) {
                TLSSessionInfo.LOGGER.debug("Client kXR_wantTLS.");
                this.serverFlags.setRequiresTLSForLogin(true);
                this.serverFlags.setGoToTLS(true);
                TLSSessionInfo.LOGGER.debug("setLocalTlsActivation, activation is now {}.", TlsActivation.LOGIN);
                return;
            }
            if (this.serverFlags.getMode() == ServerProtocolFlags.TlsMode.OPTIONAL) {
                // Client is ABLE but did not insist: drop every TLS requirement.
                // Assuming each setter clears the flag its same-named getter
                // reads, TlsActivation.valueOf() then yields NONE.
                this.serverFlags.setRequiresTLSForData(false);
                this.serverFlags.setRequiresTLSForSession(false);
                this.serverFlags.setRequiresTLSForGPF(false);
                this.serverFlags.setRequiresTLSForGPFA(false);
                this.serverFlags.setRequiresTLSForLogin(false);
                // Second call with the same argument as three lines above.
                this.serverFlags.setRequiresTLSForSession(false);
                this.serverFlags.setRequiresTLSForTPC(false);
                TLSSessionInfo.LOGGER.debug("setLocalTlsActivation, server mode is OPTIONAL, flags are turned off.");
                return;
            }
            // Reached when the client is ABLE and the mode is neither OFF nor
            // OPTIONAL. The constant names below are taken from the log strings.
            switch (this.expect) {
                case 0:
                    TLSSessionInfo.LOGGER.debug("setLocalTlsActivation, no expect flags.");
                    return;
                case 1:
                    if (this.serverFlags.requiresTLSForData()) {
                        TLSSessionInfo.LOGGER.debug("setLocalTlsActivation, requires TLS for data, client kXR_ExpBind.");
                        this.serverFlags.setGoToTLS(true);
                        return;
                    }
                    return;
                case 2:
                    // NOTE(review): logged as kXR_ExpGPF but the check is on
                    // requiresTLSForLogin(), not requiresTLSForGPF(); confirm
                    // this is intended.
                    if (this.serverFlags.requiresTLSForLogin()) {
                        TLSSessionInfo.LOGGER.debug("setLocalTlsActivation, requires TLS for login, client kXR_ExpGPF.");
                        this.serverFlags.setGoToTLS(true);
                        return;
                    }
                    return;
                case 3:
                    if (this.serverFlags.requiresTLSForLogin()) {
                        TLSSessionInfo.LOGGER.debug("setLocalTlsActivation, requires TLS for login, client kXR_ExpLogin.");
                        this.serverFlags.setGoToTLS(true);
                        return;
                    }
                    return;
                case 4:
                    if (this.serverFlags.requiresTLSForLogin()) {
                        TLSSessionInfo.LOGGER.debug("setLocalTlsActivation, requires TLS for login, client kXR_ExpTPC.");
                        this.serverFlags.setGoToTLS(true);
                        return;
                    } else {
                        // TPC-only requirement is promoted to a session-level
                        // requirement; goToTLS is not set on this path.
                        if (this.serverFlags.requiresTLSForTPC()) {
                            this.serverFlags.setRequiresTLSForSession(true);
                            TLSSessionInfo.LOGGER.debug("setLocalTlsActivation, requires TLS for TPC, client kXR_ExpTPC; setting TLS for session to true.");
                            return;
                        }
                        return;
                    }
                case 32:
                    if (this.serverFlags.requiresTLSForGPFA()) {
                        TLSSessionInfo.LOGGER.debug("setLocalTlsActivation, requires TLS for GPFA, client kXR_ExpGPFA.");
                        this.serverFlags.setGoToTLS(true);
                        return;
                    }
                    return;
                default:
                    // Unrecognised expect values leave the flags untouched.
                    return;
            }
        }

        /**
         * Decides whether the inbound connection should switch to TLS now and,
         * if so, installs an {@link SslHandler} at the head of the pipeline.
         *
         * @param i compared against 3006 and 3024 below; presumably the xrootd
         *          request code being processed (kXR_protocol / kXR_bind; confirm)
         * @param channelHandlerContext context whose pipeline receives the handler
         * @return true if a handler was installed; false if TLS is already
         *         installed or the activation point is NONE or TPC
         * @throws XrootdException code 3012 when no server handler factory has
         *         been set
         */
        @Override // org.dcache.xrootd.security.TLSSessionInfo.TlsSession
        protected boolean transitionedToTLS(int i, ChannelHandlerContext channelHandlerContext) throws XrootdException {
            if (TLSSessionInfo.isTLSOn(channelHandlerContext)) {
                return false;
            }
            TlsActivation valueOf = TlsActivation.valueOf(this.serverFlags);
            TLSSessionInfo.LOGGER.debug("transitionedToTLS, server tlsActivation: {}.", valueOf);
            if (valueOf == TlsActivation.NONE || valueOf == TlsActivation.TPC) {
                return false;
            }
            if (TLSSessionInfo.this.serverSslHandlerFactory == null) {
                throw new XrootdException(3012, "no ssl handler factory set on server.");
            }
            boolean goToTLS = this.serverFlags.goToTLS();
            if (!goToTLS) {
                switch (i) {
                    case 3006:
                        goToTLS = valueOf == TlsActivation.LOGIN;
                        break;
                    case 3024:
                        goToTLS = valueOf == TlsActivation.DATA;
                        break;
                    default:
                        // Any other value switches to TLS for the remaining
                        // activation points (NONE and TPC returned above).
                        goToTLS = true;
                        break;
                }
            }
            if (goToTLS) {
                this.serverFlags.setGoToTLS(true);
                this.sslHandler = TLSSessionInfo.this.serverSslHandlerFactory.createHandler();
                // No client certificate is requested or required, so the TLS
                // layer does not authenticate the client on this path.
                this.sslHandler.engine().setNeedClientAuth(false);
                this.sslHandler.engine().setWantClientAuth(false);
                channelHandlerContext.pipeline().addFirst(new ChannelHandler[]{this.sslHandler});
                TLSSessionInfo.LOGGER.debug("PIPELINE addFirst:  SSLHandler need auth {}, want auth {}.", Boolean.valueOf(this.sslHandler.engine().getNeedClientAuth()), Boolean.valueOf(this.sslHandler.engine().getWantClientAuth()));
                // The handshake outcome is only reported through the listener.
                this.sslHandler.handshakeFuture().addListener(this);
            }
            return goToTLS;
        }

        /** Logs the outcome of the server-side handshake. */
        public void operationComplete(Future<Channel> future) {
            TLSSessionInfo.operationComplete("Server", future);
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:org/dcache/xrootd/security/TLSSessionInfo$TlsActivation.class */
    /**
     * The point in the protocol exchange at which TLS must be active.
     */
    public enum TlsActivation {
        NONE,
        LOGIN,
        SESSION,
        DATA,
        GPF,
        TPC;

        /**
         * Derives the activation point from a set of server flags.
         *
         * <p>OFF mode gives NONE. STRICT mode, or any mode with TLS required
         * for login, gives LOGIN. Otherwise the first requirement that is set
         * wins, checked in the order DATA, GPF, SESSION, TPC; NONE if none is.
         *
         * @param serverProtocolFlags flags to inspect; must not be null
         * @return the activation point implied by the flags
         */
        public static TlsActivation valueOf(ServerProtocolFlags serverProtocolFlags) {
            if (serverProtocolFlags.getMode() == ServerProtocolFlags.TlsMode.OFF) {
                return NONE;
            }
            if (serverProtocolFlags.getMode() != ServerProtocolFlags.TlsMode.STRICT && !serverProtocolFlags.requiresTLSForLogin()) {
                return serverProtocolFlags.requiresTLSForData() ? DATA : serverProtocolFlags.requiresTLSForGPF() ? GPF : serverProtocolFlags.requiresTLSForSession() ? SESSION : serverProtocolFlags.requiresTLSForTPC() ? TPC : NONE;
            }
            return LOGIN;
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:org/dcache/xrootd/security/TLSSessionInfo$TlsSession.class */
    /**
     * State shared by the server and TPC client sessions: the peer-relevant
     * server flags, the three client flag words and the installed handler.
     * Each session registers itself as the handshake-future listener.
     */
    public abstract class TlsSession implements FutureListener<Channel> {
        // Left null by the no-argument constructor.
        protected ServerProtocolFlags serverFlags;
        protected int version;
        protected int options;
        protected int expect;
        // Set only once a TLS transition has been started.
        protected SslHandler sslHandler;

        protected TlsSession() {
        }

        protected TlsSession(ServerProtocolFlags serverProtocolFlags) {
            // Constructs a separate flags object so that configure() adjusts
            // this session's flags (presumably a copy; confirm in
            // ServerProtocolFlags).
            this.serverFlags = new ServerProtocolFlags(serverProtocolFlags);
        }

        protected TlsSession(TlsSession tlsSession) {
            // Copies flags and client words; the sslHandler is not carried over.
            this.serverFlags = new ServerProtocolFlags(tlsSession.serverFlags);
            this.version = tlsSession.version;
            this.options = tlsSession.options;
            this.expect = tlsSession.expect;
        }

        /**
         * Stores the three client flag words and logs them.
         *
         * @param i  client protocol version
         * @param i2 client options bit mask
         * @param i3 client expect value
         */
        protected void setClientFlags(int i, int i2, int i3) {
            this.version = i;
            this.options = i2;
            this.expect = i3;
            TLSSessionInfo.LOGGER.debug("Client version {}, options {}, expect {}.", new Object[]{Integer.valueOf(i), Integer.valueOf(i2), Integer.valueOf(i3)});
        }

        /** Applies the negotiation rules for this side of the connection. */
        protected abstract void configure() throws XrootdException;

        /**
         * Starts the TLS transition if it is due at this step.
         *
         * @return true if an SslHandler was installed by this call
         */
        protected abstract boolean transitionedToTLS(int i, ChannelHandlerContext channelHandlerContext) throws XrootdException;
    }

    /**
     * Reports whether an {@link SslHandler} is present in the pipeline.
     * The handlers above are added before their handshake completes, so a true
     * result does not by itself mean the handshake succeeded.
     */
    public static boolean isTLSOn(ChannelHandlerContext channelHandlerContext) {
        return channelHandlerContext.pipeline().get(SslHandler.class) != null;
    }

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Logs a handshake result at debug (success) or warn (failure) level.
     * No other action is taken here on failure; NOTE(review): confirm that the
     * channel is closed elsewhere when the handshake fails.
     *
     * @param str    label identifying the side ("Server" or "TPC client")
     * @param future completed handshake future
     */
    public static void operationComplete(String str, Future<Channel> future) {
        if (future.isSuccess()) {
            LOGGER.debug("{}: TLS handshake completed.", str);
        } else {
            LOGGER.warn("{}: TLS handshake failed: {}.", str, String.valueOf(future.cause()));
        }
    }

    /** Creates the state with a server session built from the given flags. */
    public TLSSessionInfo(ServerProtocolFlags serverProtocolFlags) {
        this.serverSession = new ServerTlsSession(serverProtocolFlags);
    }

    /**
     * Copies the server session and both handler-factory references from
     * another instance. The TPC client session is not copied.
     */
    public TLSSessionInfo(TLSSessionInfo tLSSessionInfo) {
        this.serverSession = new ServerTlsSession(tLSSessionInfo.serverSession);
        this.clientSslHandlerFactory = tLSSessionInfo.clientSslHandlerFactory;
        this.serverSslHandlerFactory = tLSSessionInfo.serverSslHandlerFactory;
    }

    /**
     * Runs the TPC client transition check and logs the result.
     * Requires a prior {@link #createClientSession(boolean)}; otherwise
     * {@code tpcClientSession} is null and the call fails.
     */
    public boolean clientTransitionedToTLS(int i, ChannelHandlerContext channelHandlerContext) throws XrootdException {
        boolean transitionedToTLS = this.tpcClientSession.transitionedToTLS(i, channelHandlerContext);
        LOGGER.debug("client transitioned to TLS ? {}.", Boolean.valueOf(transitionedToTLS));
        return transitionedToTLS;
    }

    /**
     * Reports whether the TPC client advertises TLS capability (ABLE or
     * REQUIRES). This reflects the configured flag words, not whether a
     * handshake has taken place. Requires a prior createClientSession().
     */
    public boolean clientUsesTls() {
        boolean z = ClientTls.getMode(this.tpcClientSession.version, this.tpcClientSession.options) != ClientTls.NONE;
        LOGGER.debug("client uses TLS ? {}.", Boolean.valueOf(z));
        return z;
    }

    /**
     * Creates and configures the TPC client session, replacing any earlier one.
     *
     * @param z true if the client must refuse a source that cannot do TLS
     */
    public void createClientSession(boolean z) {
        this.tpcClientSession = new ClientTlsSession(z);
        this.tpcClientSession.configure();
    }

    /**
     * Reports whether the inbound client advertised TLS capability, based on
     * the version and options last stored on the server session.
     */
    public boolean isIncomingClientTLSCapable() {
        boolean z = ClientTls.getMode(this.serverSession.version, this.serverSession.options) != ClientTls.NONE;
        LOGGER.debug("isClientTLSCapable ? {}.", Boolean.valueOf(z));
        return z;
    }

    /**
     * Stores the source server's flag word on the TPC client session.
     * Requires a prior createClientSession().
     */
    public void setSourceServerFlags(int i) {
        LOGGER.debug("setSourceServerFlags {}.", Integer.valueOf(i));
        this.tpcClientSession.setSourceServerFlags(i);
    }

    /**
     * Returns the TPC client's flag words as {version, options, expect}.
     * Requires a prior createClientSession().
     */
    public int[] getClientFlags() {
        return new int[]{this.tpcClientSession.version, this.tpcClientSession.options, this.tpcClientSession.expect};
    }

    /**
     * Returns the name of the TPC client's {@link ClientTls} mode.
     * Requires a prior createClientSession().
     */
    public String getClientTls() {
        return ClientTls.getMode(this.tpcClientSession.version, this.tpcClientSession.options).name();
    }

    /**
     * Returns the server session's flags object itself, not a copy; changes a
     * caller makes through its setters affect later TLS decisions here.
     */
    public ServerProtocolFlags getLocalServerProtocolFlags() {
        return this.serverSession.serverFlags;
    }

    /** Runs the server-side transition check and logs the result. */
    public boolean serverTransitionedToTLS(int i, ChannelHandlerContext channelHandlerContext) throws XrootdException {
        boolean transitionedToTLS = this.serverSession.transitionedToTLS(i, channelHandlerContext);
        LOGGER.debug("server transitioned to TLS ? {}.", Boolean.valueOf(transitionedToTLS));
        return transitionedToTLS;
    }

    /**
     * Reports whether the server session's current flags imply any TLS
     * activation point. The flags may have been changed by configure().
     */
    public boolean serverUsesTls() {
        boolean z = TlsActivation.valueOf(this.serverSession.serverFlags) != TlsActivation.NONE;
        LOGGER.debug("server uses TLS ? {}.", Boolean.valueOf(z));
        return z;
    }

    /** Sets the factory used to create the TPC client's SslHandler. */
    public void setClientSslHandlerFactory(SSLHandlerFactory sSLHandlerFactory) {
        this.clientSslHandlerFactory = sSLHandlerFactory;
    }

    /**
     * Stores the inbound client's flag words and re-evaluates the server
     * session's TLS flags.
     *
     * @param i  client protocol version
     * @param i2 client options bit mask
     * @param i3 client expect value
     * @throws XrootdException code 3028 when the client's capability conflicts
     *         with the server's TLS mode
     */
    public void setLocalTlsActivation(int i, int i2, int i3) throws XrootdException {
        // Log argument order is version, expect, options, which differs from
        // the parameter order passed to setClientFlags below.
        LOGGER.debug("setLocalTlsActivation {}, {}, {}.", new Object[]{Integer.valueOf(i), Integer.valueOf(i3), Integer.valueOf(i2)});
        this.serverSession.setClientFlags(i, i2, i3);
        this.serverSession.configure();
    }

    /** Sets the factory used to create the server-side SslHandler. */
    public void setServerSslHandlerFactory(SSLHandlerFactory sSLHandlerFactory) {
        this.serverSslHandlerFactory = sSLHandlerFactory;
    }
}
