package org.eclipse.hono.server;

import io.vertx.core.Handler;
import io.vertx.core.Vertx;
import io.vertx.core.eventbus.Message;
import io.vertx.core.json.JsonObject;
import io.vertx.core.net.NetSocket;
import io.vertx.proton.ProtonConnection;
import io.vertx.proton.sasl.ProtonSaslAuthenticator;
import java.security.Principal;
import java.util.Objects;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.security.cert.X509Certificate;
import org.apache.qpid.proton.engine.Sasl;
import org.apache.qpid.proton.engine.Transport;
import org.eclipse.hono.authentication.AuthenticationConstants;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/eclipse/hono/server/HonoSaslAuthenticator.class */
public final class HonoSaslAuthenticator implements ProtonSaslAuthenticator {
    private static final Logger LOG = LoggerFactory.getLogger(HonoSaslAuthenticator.class);
    private static final Pattern PATTERN_CN = Pattern.compile("^CN=(.+?)(?:,\\s*[A-Z]{1,2}=.+|$)");
    private final Vertx vertx;
    private Sasl sasl;
    private boolean succeeded;
    private ProtonConnection protonConnection;
    private X509Certificate[] peerCertificateChain;

    public HonoSaslAuthenticator(Vertx vertx) {
        this.vertx = (Vertx) Objects.requireNonNull(vertx);
    }

    public void init(NetSocket netSocket, ProtonConnection protonConnection, Transport transport) {
        LOG.debug("initializing SASL authenticator");
        this.protonConnection = protonConnection;
        this.sasl = transport.sasl();
        this.sasl.server();
        this.sasl.allowSkip(false);
        this.sasl.setMechanisms(new String[]{"PLAIN", "EXTERNAL"});
        if (netSocket.isSsl()) {
            LOG.debug("client connected using TLS, extracting client certificate chain");
            try {
                this.peerCertificateChain = netSocket.peerCertificateChain();
                LOG.debug("client identity is {}", this.peerCertificateChain[0].getSubjectDN());
            } catch (SSLPeerUnverifiedException e) {
                LOG.debug("could not extract client certificate chain, maybe client auth is not required");
            }
        }
    }

    public void process(Handler<Boolean> handler) {
        String[] remoteMechanisms = this.sasl.getRemoteMechanisms();
        if (remoteMechanisms.length <= 0) {
            LOG.debug("client provided an empty list of SASL mechanisms [hostname: {}, state: {}]", this.sasl.getHostname(), this.sasl.getState().name());
            handler.handle(false);
            return;
        }
        String str = remoteMechanisms[0];
        LOG.debug("client wants to use {} SASL mechanism [host: {}, state: {}]", new Object[]{str, this.sasl.getHostname(), this.sasl.getState().name()});
        if ("PLAIN".equals(str)) {
            evaluatePlainResponse(handler);
        } else {
            if ("EXTERNAL".equals(str)) {
                evaluateExternalResponse(handler);
                return;
            }
            LOG.info("client wants to use unsupported {} SASL mechanism [host: {}, state: {}]", new Object[]{str, this.sasl.getHostname(), this.sasl.getState().name()});
            this.sasl.done(Sasl.SaslOutcome.PN_SASL_AUTH);
            handler.handle(true);
        }
    }

    public boolean succeeded() {
        return this.succeeded;
    }

    private void evaluateExternalResponse(Handler<Boolean> handler) {
        if (this.peerCertificateChain == null) {
            LOG.debug("SASL EXTERNAL authentication of client failed, client did not provide certificate chain");
            this.sasl.done(Sasl.SaslOutcome.PN_SASL_AUTH);
        } else {
            String commonName = getCommonName(this.peerCertificateChain[0].getSubjectDN().getName());
            if (commonName == null) {
                LOG.debug("SASL EXTERNAL authentication of client failed, could not determine authorization ID");
                this.sasl.done(Sasl.SaslOutcome.PN_SASL_AUTH);
            } else {
                addPrincipal(commonName);
            }
        }
        handler.handle(true);
    }

    private void evaluatePlainResponse(Handler<Boolean> handler) {
        byte[] bArr = new byte[this.sasl.pending()];
        this.sasl.recv(bArr, 0, bArr.length);
        this.vertx.eventBus().send(AuthenticationConstants.EVENT_BUS_ADDRESS_AUTHENTICATION_IN, AuthenticationConstants.getAuthenticationRequest("PLAIN", bArr), asyncResult -> {
            if (asyncResult.succeeded()) {
                handleAuthenticationResult((JsonObject) ((Message) asyncResult.result()).body());
            } else {
                LOG.warn("could not process SASL PLAIN response from client", asyncResult.cause());
            }
            handler.handle(true);
        });
    }

    private void handleAuthenticationResult(JsonObject jsonObject) {
        LOG.debug("received result of authentication request: {}", jsonObject);
        String string = jsonObject.getString(AuthenticationConstants.FIELD_ERROR);
        if (string == null) {
            addPrincipal(jsonObject.getString(AuthenticationConstants.FIELD_AUTHORIZATION_ID));
        } else {
            LOG.debug("authentication of client failed", string);
            this.sasl.done(Sasl.SaslOutcome.PN_SASL_AUTH);
        }
    }

    private void addPrincipal(final String str) {
        addPrincipal(new Principal() { // from class: org.eclipse.hono.server.HonoSaslAuthenticator.1
            @Override // java.security.Principal
            public String getName() {
                return str;
            }
        });
    }

    private void addPrincipal(Principal principal) {
        this.succeeded = true;
        this.protonConnection.attachments().set("CLIENT_PRINCIPAL", Principal.class, principal);
        LOG.debug("authentication of client [authorization ID: {}] succeeded", principal.getName());
        this.sasl.done(Sasl.SaslOutcome.PN_SASL_OK);
    }

    private String getCommonName(String str) {
        Matcher matcher = PATTERN_CN.matcher(str);
        if (matcher.matches()) {
            return matcher.group(1);
        }
        LOG.debug("could not extract common name from client certificate's subject DN");
        return null;
    }
}
