package fr.in2p3.jsaga.adaptor.security;

import eu.emi.security.authn.x509.CrlCheckingMode;
import eu.emi.security.authn.x509.StoreUpdateListener;
import eu.emi.security.authn.x509.ValidationErrorListener;
import eu.emi.security.authn.x509.X509CertChainValidatorExt;
import eu.emi.security.authn.x509.X509Credential;
import eu.emi.security.authn.x509.helpers.proxy.ExtendedProxyType;
import eu.emi.security.authn.x509.helpers.proxy.ProxyHelper;
import eu.emi.security.authn.x509.proxy.ProxyCertificate;
import eu.emi.security.authn.x509.proxy.ProxyCertificateOptions;
import eu.emi.security.authn.x509.proxy.ProxyChainInfo;
import eu.emi.security.authn.x509.proxy.ProxyChainType;
import eu.emi.security.authn.x509.proxy.ProxyGenerator;
import eu.emi.security.authn.x509.proxy.ProxyPolicy;
import eu.emi.security.authn.x509.proxy.ProxyType;
import eu.emi.security.authn.x509.proxy.ProxyUtils;
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.io.RandomAccessFile;
import java.net.URI;
import java.net.URISyntaxException;
import java.nio.ByteBuffer;
import java.nio.channels.FileChannel;
import java.security.cert.CertificateException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Calendar;
import java.util.Collections;
import java.util.Date;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.concurrent.TimeUnit;
import org.bouncycastle.asn1.x509.AttributeCertificate;
import org.italiangrid.voms.VOMSError;
import org.italiangrid.voms.VOMSValidators;
import org.italiangrid.voms.ac.VOMSACValidator;
import org.italiangrid.voms.ac.ValidationResultListener;
import org.italiangrid.voms.clients.ProxyInitParams;
import org.italiangrid.voms.clients.impl.InitListenerAdapter;
import org.italiangrid.voms.clients.impl.ProxyCreationListener;
import org.italiangrid.voms.clients.strategies.ProxyInitStrategy;
import org.italiangrid.voms.clients.strategies.VOMSCommandsParsingStrategy;
import org.italiangrid.voms.credential.LoadCredentialsEventListener;
import org.italiangrid.voms.credential.LoadCredentialsStrategy;
import org.italiangrid.voms.credential.impl.DefaultLoadCredentialsStrategy;
import org.italiangrid.voms.request.VOMSESLookupStrategy;
import org.italiangrid.voms.request.VOMSProtocolListener;
import org.italiangrid.voms.request.VOMSRequestListener;
import org.italiangrid.voms.request.VOMSServerInfoStoreListener;
import org.italiangrid.voms.request.impl.BaseVOMSESLookupStrategy;
import org.italiangrid.voms.request.impl.DefaultVOMSACRequest;
import org.italiangrid.voms.request.impl.DefaultVOMSACService;
import org.italiangrid.voms.request.impl.DefaultVOMSESLookupStrategy;
import org.italiangrid.voms.request.impl.DefaultVOMSServerInfo;
import org.italiangrid.voms.request.impl.DefaultVOMSServerInfoStore;
import org.italiangrid.voms.store.VOMSTrustStoreStatusListener;
import org.italiangrid.voms.store.impl.DefaultVOMSTrustStore;
import org.italiangrid.voms.util.CertificateValidatorBuilder;
import org.italiangrid.voms.util.CredentialsUtils;
import org.italiangrid.voms.util.FilePermissionHelper;
import org.italiangrid.voms.util.VOMSFQANNamingScheme;

/* loaded from: input_file:fr/in2p3/jsaga/adaptor/security/JSAGAVOMSProxyInitBehaviour.class */
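/**
 * JSAGA variant of the voms-proxy-init behaviour.
 *
 * <p>{@link #initProxy(ProxyInitParams)} drives the whole flow: load the user credential
 * (or an existing proxy), optionally validate its chain against the trust anchors, request
 * VOMS attribute certificates, optionally verify them, and finally generate and write a proxy
 * certificate (private key included) to the configured proxy file.
 *
 * <p>The single {@link InitListenerAdapter} passed to the constructor receives every kind of
 * event (validation errors, request errors, trust-store updates, ...); request errors are also
 * polled from it via {@code getError()} and turned into {@link VOMSError}s.
 *
 * <p>Decompiler note: the synthetic {@code $SwitchMap} holder class that JADX emitted for the
 * {@link ExtendedProxyType} switch has been replaced by a plain enum switch; it had no callers.
 */
public class JSAGAVOMSProxyInitBehaviour implements ProxyInitStrategy {

    /** Trust-anchor directory used when neither X509_CERT_DIR nor the params override it. */
    private static final String DEFAULT_TRUST_ANCHORS_DIR = "/etc/grid-security/certificates";

    /** vomsdir used when neither X509_VOMS_DIR nor the params override it. */
    private static final String DEFAULT_VOMS_DIR = "/etc/grid-security/vomsdir";

    /** Policy OID written into RFC / draft-RFC limited proxies (the Globus limited-proxy policy OID). */
    private static final String LIMITED_PROXY_POLICY_OID = "1.3.6.1.4.1.3536.1.1.1.9";

    /** The proxy notBefore is backdated by this many minutes to tolerate clock skew with relying parties. */
    private static final int NOT_BEFORE_SKEW_MINUTES = 5;

    private final VOMSCommandsParsingStrategy commandsParser;
    // Built lazily by initCertChainValidator()/initVOMSValidator(); null until then.
    private X509CertChainValidatorExt certChainValidator;
    private VOMSACValidator vomsValidator;
    private final ValidationResultListener validationResultListener;
    private final VOMSRequestListener requestListener;
    private final ProxyCreationListener proxyCreationListener;
    private final VOMSServerInfoStoreListener serverInfoStoreListener;
    private final LoadCredentialsEventListener loadCredentialsEventListener;
    private final ValidationErrorListener certChainValidationErrorListener;
    private final VOMSTrustStoreStatusListener vomsTrustStoreListener;
    private final StoreUpdateListener storeUpdateListener;
    private final VOMSProtocolListener protocolListener;

    /**
     * @param vOMSCommandsParsingStrategy parser turning the "vo:/group/Role=x" command strings into a VO -> FQAN map
     * @param initListenerAdapter          single adapter registered as every listener this behaviour reports to
     */
    public JSAGAVOMSProxyInitBehaviour(VOMSCommandsParsingStrategy vOMSCommandsParsingStrategy, InitListenerAdapter initListenerAdapter) {
        this.commandsParser = vOMSCommandsParsingStrategy;
        this.validationResultListener = initListenerAdapter;
        this.requestListener = initListenerAdapter;
        this.proxyCreationListener = initListenerAdapter;
        this.serverInfoStoreListener = initListenerAdapter;
        this.loadCredentialsEventListener = initListenerAdapter;
        this.certChainValidationErrorListener = initListenerAdapter;
        this.vomsTrustStoreListener = initListenerAdapter;
        this.storeUpdateListener = initListenerAdapter;
        this.protocolListener = initListenerAdapter;
    }

    /**
     * Validates the certificate chain of the loaded user credential against the trust anchors.
     * Individual validation errors are reported to the error listener by the validator itself;
     * this method only turns an overall failure into a {@link VOMSError}.
     *
     * @throws VOMSError when the chain is not valid
     */
    protected void validateUserCredential(ProxyInitParams proxyInitParams, X509Credential x509Credential) {
        // Defensive: a subclass may call this before init() ran.
        initCertChainValidator(proxyInitParams);
        if (!this.certChainValidator.validate(x509Credential.getCertificateChain()).isValid()) {
            throw new VOMSError("User credential is not valid!");
        }
    }

    /** True when the params carry at least one VOMS command (i.e. attribute certificates are requested). */
    private static boolean hasVomsCommands(ProxyInitParams proxyInitParams) {
        List<String> commands = proxyInitParams.getVomsCommands();
        return commands != null && !commands.isEmpty();
    }

    /**
     * Prepares the validators needed for this run. Requesting VOMS attributes forces validation of
     * the user credential; AC verification additionally needs the VOMS trust store.
     */
    private void init(ProxyInitParams proxyInitParams) {
        boolean vomsRequested = hasVomsCommands(proxyInitParams);
        if (vomsRequested) {
            proxyInitParams.setValidateUserCredential(true);
        }
        if (proxyInitParams.validateUserCredential() || vomsRequested) {
            initCertChainValidator(proxyInitParams);
        }
        if (proxyInitParams.verifyAC()) {
            initVOMSValidator(proxyInitParams);
        }
    }

    /**
     * Entry point: load credential, validate, fetch ACs, verify ACs, write the proxy.
     *
     * @throws VOMSError when no credential can be loaded, validation fails, a VOMS request fails,
     *                   or the proxy cannot be generated/written
     */
    public void initProxy(ProxyInitParams proxyInitParams) {
        init(proxyInitParams);
        X509Credential credential = lookupCredential(proxyInitParams);
        if (credential == null) {
            String loadError = this.requestListener.getError();
            throw new VOMSError(loadError == null ? "No credentials found!" : loadError);
        }
        if (proxyInitParams.validateUserCredential()) {
            validateUserCredential(proxyInitParams, credential);
        }
        List<AttributeCertificate> attributeCertificates = Collections.emptyList();
        if (hasVomsCommands(proxyInitParams)) {
            attributeCertificates = getAttributeCertificates(proxyInitParams, credential);
        }
        if (proxyInitParams.verifyAC() && !attributeCertificates.isEmpty()) {
            verifyACs(proxyInitParams, attributeCertificates);
        }
        createProxy(proxyInitParams, credential, attributeCertificates);
    }

    /**
     * Fails fast with a descriptive {@link VOMSError} unless {@code path} is an existing, readable directory.
     *
     * @param path        directory to check
     * @param errorPrefix human-readable description of what the directory is ("Invalid vomsdir location", ...)
     */
    private void directorySanityChecks(String path, String errorPrefix) {
        File dir = new File(path);
        String messageTemplate = String.format("%s: '%s'", errorPrefix, path) + " (%s)";
        if (!dir.exists()) {
            // The FileNotFoundException is kept as the cause so the missing-directory case stays distinguishable.
            FileNotFoundException notFound = new FileNotFoundException(String.format(messageTemplate, "file not found"));
            throw new VOMSError(notFound.getMessage(), notFound);
        }
        if (!dir.isDirectory()) {
            throw new VOMSError(String.format(messageTemplate, "not a directory"));
        }
        if (!dir.canRead()) {
            throw new VOMSError(String.format(messageTemplate, "not readable"));
        }
    }

    /**
     * Resolves a directory with the precedence: explicit parameter, then environment variable, then built-in default.
     */
    private static String resolveDirectory(String fromParams, String envVar, String fallback) {
        if (fromParams != null) {
            return fromParams;
        }
        String fromEnv = System.getenv(envVar);
        return fromEnv != null ? fromEnv : fallback;
    }

    /**
     * Lazily builds the X.509 chain validator over the trust-anchor directory.
     * CRL checking is {@link CrlCheckingMode#IF_VALID}: CRLs are consulted when present and usable,
     * so revocation checking is best-effort rather than mandatory (presumably; confirm against the
     * canl semantics of IF_VALID). The {@code 0L} update interval presumably disables periodic
     * trust-store refresh — confirm against CertificateValidatorBuilder.
     */
    private void initCertChainValidator(ProxyInitParams proxyInitParams) {
        if (this.certChainValidator != null) {
            return;
        }
        String trustAnchorsDir = resolveDirectory(proxyInitParams.getTrustAnchorsDir(), "X509_CERT_DIR", DEFAULT_TRUST_ANCHORS_DIR);
        directorySanityChecks(trustAnchorsDir, "Invalid trust anchors location");
        this.certChainValidator = CertificateValidatorBuilder.buildCertificateValidator(
                trustAnchorsDir,
                this.certChainValidationErrorListener,
                this.storeUpdateListener,
                0L,
                CertificateValidatorBuilder.DEFAULT_NS_CHECKS,
                CrlCheckingMode.IF_VALID,
                CertificateValidatorBuilder.DEFAULT_OCSP_CHECKS);
    }

    /**
     * Lazily builds the VOMS AC validator over the vomsdir trust store.
     *
     * <p>NOTE(review): {@code certChainValidator} may still be null here when only {@code verifyAC()}
     * is set (init() does not create it in that case); this relies on the library tolerating a
     * null chain validator — confirm.
     */
    private VOMSACValidator initVOMSValidator(ProxyInitParams proxyInitParams) {
        if (this.vomsValidator != null) {
            return this.vomsValidator;
        }
        String vomsDir = resolveDirectory(proxyInitParams.getVomsdir(), "X509_VOMS_DIR", DEFAULT_VOMS_DIR);
        directorySanityChecks(vomsDir, "Invalid vomsdir location");
        DefaultVOMSTrustStore trustStore = new DefaultVOMSTrustStore(Arrays.asList(vomsDir), this.vomsTrustStoreListener);
        this.vomsValidator = VOMSValidators.newValidator(trustStore, this.certChainValidator, this.validationResultListener);
        return this.vomsValidator;
    }

    /**
     * Runs AC validation; outcomes are delivered to the validation-result listener.
     *
     * <p>NOTE(review): the list of ACs that passed validation (the return value) is discarded and
     * the caller embeds every fetched AC, so a rejected AC is only dropped if the listener aborts
     * the run — confirm that InitListenerAdapter does so.
     */
    private void verifyACs(ProxyInitParams proxyInitParams, List<AttributeCertificate> attributeCertificates) {
        initVOMSValidator(proxyInitParams).validateACs(attributeCertificates);
    }

    /** Maps the canl "extended" proxy type onto the generator's {@link ProxyType}; null when there is no counterpart. */
    private ProxyType extendedProxyTypeAsProxyType(ExtendedProxyType extendedProxyType) {
        switch (extendedProxyType) {
            case DRAFT_RFC:
                return ProxyType.DRAFT_RFC;
            case LEGACY:
                return ProxyType.LEGACY;
            case RFC3820:
                return ProxyType.RFC3820;
            default:
                return null;
        }
    }

    /**
     * When issuing from an existing proxy, forces the new proxy to the issuer's type and, if the
     * issuer is a limited proxy, forces the new one to be limited as well — a limited proxy must
     * not be able to mint an unlimited one. Each adjustment is recorded as a warning.
     *
     * @throws VOMSError when the issuing proxy's type cannot be determined or read
     */
    private void ensureProxyTypeIsCompatibleWithIssuingCredential(ProxyCertificateOptions options, X509Credential credential, List<String> warnings) {
        if (!ProxyUtils.isProxy(credential.getCertificateChain())) {
            return;
        }
        ProxyType issuingType = extendedProxyTypeAsProxyType(ProxyHelper.getProxyType(credential.getCertificateChain()[0]));
        if (issuingType == null) {
            // Previously an NPE on .equals(); make the failure explicit.
            throw new VOMSError("Cannot determine the type of the issuing proxy certificate.");
        }
        if (!issuingType.equals(options.getType())) {
            warnings.add("forced " + issuingType.name() + " proxy type to be compatible with the type of the issuing proxy.");
            options.setType(issuingType);
        }
        try {
            if (ProxyHelper.isLimited(credential.getCertificateChain()[0]) && !options.isLimited()) {
                warnings.add("forced the creation of a limited proxy to be compatible with the type of the issuing proxy.");
                limitProxy(options);
            }
        } catch (IOException e) {
            throw new VOMSError(e.getMessage(), e);
        }
    }

    /** Refuses to extend a chain that already mixes proxy types (legacy + RFC). */
    private void checkMixedProxyChain(X509Credential credential) {
        if (!ProxyUtils.isProxy(credential.getCertificateChain())) {
            return;
        }
        try {
            ProxyChainInfo chainInfo = new ProxyChainInfo(credential.getCertificateChain());
            if (chainInfo.getProxyType().equals(ProxyChainType.MIXED)) {
                throw new VOMSError("Cannot generate a proxy certificate starting from a mixed type proxy chain.");
            }
        } catch (CertificateException e) {
            throw new VOMSError(e.getMessage(), e);
        }
    }

    /**
     * Sets the proxy validity window: notBefore backdated by {@link #NOT_BEFORE_SKEW_MINUTES},
     * notAfter = now + requested lifetime, capped at the issuing credential's notAfter (a proxy
     * may never outlive its issuer). The cap is recorded as a warning.
     */
    private void ensureProxyLifetimeIsConsistentWithIssuingCredential(ProxyCertificateOptions options, X509Credential credential, List<String> warnings) {
        Calendar start = Calendar.getInstance();
        start.add(Calendar.MINUTE, -NOT_BEFORE_SKEW_MINUTES);
        Date notBefore = start.getTime();

        Calendar end = Calendar.getInstance();
        end.add(Calendar.SECOND, options.getLifetime());
        Date requestedNotAfter = end.getTime();

        Date issuerNotAfter = credential.getCertificate().getNotAfter();
        if (requestedNotAfter.after(issuerNotAfter)) {
            warnings.add("proxy lifetime limited to issuing credential lifetime.");
            options.setValidityBounds(notBefore, issuerNotAfter);
        } else {
            options.setValidityBounds(notBefore, requestedNotAfter);
        }
    }

    /** Marks the proxy as limited; RFC-style proxies additionally carry the limited-proxy policy OID. */
    private void limitProxy(ProxyCertificateOptions options) {
        options.setLimited(true);
        ProxyType type = options.getType();
        if (type.equals(ProxyType.RFC3820) || type.equals(ProxyType.DRAFT_RFC)) {
            options.setPolicy(new ProxyPolicy(LIMITED_PROXY_POLICY_OID));
        }
    }

    /**
     * Generates the proxy from the options derived from {@code params} (plus chain-integrity
     * adjustments) and writes it, private key included, to the configured proxy file.
     *
     * <p>The PEM is encoded before the file is opened, so an encoding failure no longer leaves an
     * existing proxy file truncated to zero bytes, and the file handles are closed on every path.
     *
     * <p>NOTE(review): on POSIX the file is created/opened first and the restrictive permissions are
     * applied afterwards via FilePermissionHelper, so a new file briefly exists with umask-default
     * permissions; an atomic create-with-mode would close that window.
     *
     * @throws VOMSError wrapping any failure during generation, encoding or writing
     */
    private void createProxy(ProxyInitParams params, X509Credential credential, List<AttributeCertificate> attributeCertificates) {
        List<String> warnings = new ArrayList<String>();
        String proxyFile = params.getGeneratedProxyFile();

        ProxyCertificateOptions options = new ProxyCertificateOptions(credential.getCertificateChain());
        options.setProxyPathLimit(params.getPathLenConstraint());
        options.setLimited(params.isLimited());
        options.setLifetime(params.getProxyLifetimeInSeconds());
        options.setType(params.getProxyType());
        options.setKeyLength(params.getKeySize());

        if (params.isEnforcingChainIntegrity()) {
            checkMixedProxyChain(credential);
            ensureProxyTypeIsCompatibleWithIssuingCredential(options, credential, warnings);
            ensureProxyLifetimeIsConsistentWithIssuingCredential(options, credential, warnings);
        }
        if (params.isLimited()) {
            limitProxy(options);
        }
        if (attributeCertificates != null && !attributeCertificates.isEmpty()) {
            options.setAttributeCertificates(attributeCertificates.toArray(new AttributeCertificate[attributeCertificates.size()]));
        }

        try {
            ProxyCertificate proxy = ProxyGenerator.generate(options, credential.getKey());

            ByteArrayOutputStream pem = new ByteArrayOutputStream();
            CredentialsUtils.saveProxyCredentials(pem, proxy.getCredential(), CredentialsUtils.DEFAULT_ENCONDING);
            ByteBuffer payload = ByteBuffer.wrap(pem.toByteArray());

            try (RandomAccessFile file = new RandomAccessFile(new File(proxyFile), "rws");
                 FileChannel channel = file.getChannel()) {
                if (!System.getProperty("os.name").startsWith("Windows")) {
                    FilePermissionHelper.setProxyPermissions(proxyFile);
                }
                channel.truncate(0L);
                // A channel write may be partial; loop until the whole PEM is on disk.
                while (payload.hasRemaining()) {
                    channel.write(payload);
                }
            }
            this.proxyCreationListener.proxyCreated(proxyFile, proxy, warnings);
        } catch (Throwable th) {
            // Kept broad to preserve the VOMSError contract callers rely on.
            throw new VOMSError("Error creating proxy certificate: " + th.getMessage(), th);
        }
    }

    /**
     * Reorders the FQANs according to {@code getFqanOrder()} when one is given: groups from the
     * order list come first (even when not requested), then requested qualified roles that appear
     * in the order list, then every remaining requested FQAN in original order. Duplicates collapse.
     */
    protected List<String> sortFQANsIfRequested(ProxyInitParams proxyInitParams, List<String> fqans) {
        List<String> order = proxyInitParams.getFqanOrder();
        if (order == null || order.isEmpty()) {
            return fqans;
        }
        LinkedHashSet<String> ordered = new LinkedHashSet<String>();
        for (String fqan : order) {
            if (VOMSFQANNamingScheme.isGroup(fqan)) {
                ordered.add(fqan);
            }
            if (VOMSFQANNamingScheme.isQualifiedRole(fqan) && fqans.contains(fqan)) {
                ordered.add(fqan);
            }
        }
        ordered.addAll(fqans);
        return new ArrayList<String>(ordered);
    }

    /** Explicit vomses locations from the params win over the default lookup locations. */
    protected VOMSESLookupStrategy getVOMSESLookupStrategyFromParams(ProxyInitParams proxyInitParams) {
        List<String> locations = proxyInitParams.getVomsesLocations();
        if (locations == null || locations.isEmpty()) {
            return new DefaultVOMSESLookupStrategy();
        }
        return new BaseVOMSESLookupStrategy(locations);
    }

    /**
     * Narrows the params to the JSAGA subtype this behaviour requires.
     *
     * @throws VOMSError with a descriptive message instead of a bare ClassCastException
     */
    private static JSAGAProxyInitParams asJsagaParams(ProxyInitParams proxyInitParams) {
        if (!(proxyInitParams instanceof JSAGAProxyInitParams)) {
            String actual = proxyInitParams == null ? "null" : proxyInitParams.getClass().getName();
            throw new VOMSError("Expected JSAGAProxyInitParams but got " + actual);
        }
        return (JSAGAProxyInitParams) proxyInitParams;
    }

    /**
     * Builds a one-entry server-info store for the explicitly configured VOMS server.
     * The URI path component is taken as the expected VOMS server DN (presumably matched against
     * the server's certificate subject by the AC service — confirm); spaces in it are escaped so
     * the string parses as a URI.
     *
     * @throws VOMSError when the server string is not a URI or has no host
     */
    private static DefaultVOMSServerInfoStore explicitServerInfoStore(JSAGAProxyInitParams jsagaParams) {
        String server = jsagaParams.getServer();
        URI serverUri;
        try {
            serverUri = new URI(server.replace(" ", "%20"));
        } catch (URISyntaxException e) {
            throw new VOMSError("Unable to build URI: " + server, e);
        }
        if (serverUri.getHost() == null) {
            throw new VOMSError("Attribute Server has no host name: " + serverUri.toString());
        }
        DefaultVOMSServerInfo serverInfo = new DefaultVOMSServerInfo();
        serverInfo.setURL(serverUri);
        serverInfo.setVOMSServerDN(serverUri.getPath());
        serverInfo.setVoName(jsagaParams.getVOName());
        DefaultVOMSServerInfoStore store = new DefaultVOMSServerInfoStore.Builder().build();
        store.addVOMSServerInfo(serverInfo);
        return store;
    }

    /**
     * Requests one attribute certificate per VO named in the VOMS commands.
     *
     * @return the ACs obtained (possibly fewer than VOs when a server returned none)
     * @throws VOMSError when a request reports an error, or when commands were given but no AC at all was obtained
     */
    protected List<AttributeCertificate> getAttributeCertificates(ProxyInitParams proxyInitParams, X509Credential x509Credential) {
        List<String> commands = proxyInitParams.getVomsCommands();
        if (commands == null || commands.isEmpty()) {
            return Collections.emptyList();
        }
        // The AC service is built over the chain validator; make sure it exists even when a
        // subclass calls this directly without going through init().
        initCertChainValidator(proxyInitParams);

        Map<String, List<String>> fqansByVo = this.commandsParser.parseCommands(commands);
        int timeoutMillis = (int) TimeUnit.SECONDS.toMillis(proxyInitParams.getTimeoutInSeconds());
        List<AttributeCertificate> obtained = new ArrayList<AttributeCertificate>();

        for (Map.Entry<String, List<String>> voRequest : fqansByVo.entrySet()) {
            DefaultVOMSACRequest request = new DefaultVOMSACRequest.Builder(voRequest.getKey())
                    .fqans(sortFQANsIfRequested(proxyInitParams, voRequest.getValue()))
                    .targets(proxyInitParams.getTargets())
                    .lifetime(proxyInitParams.getAcLifetimeInSeconds())
                    .build();

            DefaultVOMSACService.Builder serviceBuilder = new DefaultVOMSACService.Builder(this.certChainValidator)
                    .requestListener(this.requestListener)
                    .vomsesLookupStrategy(getVOMSESLookupStrategyFromParams(proxyInitParams))
                    .serverInfoStoreListener(this.serverInfoStoreListener)
                    .protocolListener(this.protocolListener)
                    .connectTimeout(timeoutMillis)
                    .readTimeout(timeoutMillis);

            JSAGAProxyInitParams jsagaParams = asJsagaParams(proxyInitParams);
            if (jsagaParams.getServer() != null) {
                serviceBuilder.serverInfoStore(explicitServerInfoStore(jsagaParams));
            }

            AttributeCertificate ac = serviceBuilder.build().getVOMSAttributeCertificate(x509Credential, request);
            if (this.requestListener.getError() != null) {
                throw new VOMSError(this.requestListener.getError());
            }
            if (ac != null) {
                obtained.add(ac);
            }
        }

        if (!fqansByVo.isEmpty() && obtained.isEmpty()) {
            throw new VOMSError("User's request for VOMS attributes could not be fulfilled.");
        }
        return obtained;
    }

    /**
     * Picks how the credential is loaded, in this precedence:
     * <ol>
     *   <li>noRegen with a cert file: reuse that file as an existing proxy;</li>
     *   <li>cert file only: user credential from a single file;</li>
     *   <li>cert and key files: user credential from the pair;</li>
     *   <li>otherwise the library default lookup (home directory and temp directory).</li>
     * </ol>
     */
    private LoadCredentialsStrategy strategyFromParams(ProxyInitParams proxyInitParams) {
        String certFile = proxyInitParams.getCertFile();
        String keyFile = proxyInitParams.getKeyFile();
        if (proxyInitParams.isNoRegen() && certFile != null) {
            return new JSAGALoadProxyCredential(this.loadCredentialsEventListener, certFile);
        }
        if (certFile != null && keyFile == null) {
            return new JSAGALoadUserCredential(this.loadCredentialsEventListener, certFile);
        }
        if (certFile != null && keyFile != null) {
            return new JSAGALoadUserCredential(this.loadCredentialsEventListener, certFile, keyFile);
        }
        // The decompiled code passed the literal string "java.io.tmpdir" here while resolving
        // "user.home" to its value; the second argument is presumably a directory path like the
        // first, so the property is now resolved too — confirm against DefaultLoadCredentialsStrategy.
        return new DefaultLoadCredentialsStrategy(
                System.getProperty("user.home"),
                System.getProperty("java.io.tmpdir"),
                this.loadCredentialsEventListener);
    }

    /** Loads the credential with the selected strategy, using the JSAGA-supplied password finder for the key. */
    private X509Credential lookupCredential(ProxyInitParams proxyInitParams) {
        return strategyFromParams(proxyInitParams).loadCredentials(asJsagaParams(proxyInitParams).getPasswordFinder());
    }
}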
