package org.eclipse.hono.adapter.amqp;

import io.opentracing.Span;
import io.vertx.core.Context;
import io.vertx.core.Future;
import io.vertx.core.Handler;
import io.vertx.core.Promise;
import io.vertx.core.Vertx;
import io.vertx.core.json.JsonObject;
import io.vertx.core.net.NetSocket;
import io.vertx.proton.ProtonConnection;
import io.vertx.proton.sasl.ProtonSaslAuthenticator;
import io.vertx.proton.sasl.ProtonSaslAuthenticatorFactory;
import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.Objects;
import java.util.Set;
import java.util.function.BiFunction;
import java.util.function.Supplier;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import javax.security.auth.login.CredentialException;
import javax.security.auth.x500.X500Principal;
import org.apache.qpid.proton.engine.Sasl;
import org.apache.qpid.proton.engine.Transport;
import org.eclipse.hono.auth.Device;
import org.eclipse.hono.client.TenantClientFactory;
import org.eclipse.hono.config.ProtocolAdapterProperties;
import org.eclipse.hono.service.auth.DeviceUser;
import org.eclipse.hono.service.auth.device.DeviceCertificateValidator;
import org.eclipse.hono.service.auth.device.HonoClientBasedAuthProvider;
import org.eclipse.hono.service.auth.device.SubjectDnCredentials;
import org.eclipse.hono.service.auth.device.UsernamePasswordCredentials;
import org.eclipse.hono.tracing.TracingHelper;
import org.eclipse.hono.util.AuthenticationConstants;
import org.eclipse.hono.util.TenantObject;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/eclipse/hono/adapter/amqp/AmqpAdapterSaslAuthenticatorFactory.class */
public class AmqpAdapterSaslAuthenticatorFactory implements ProtonSaslAuthenticatorFactory {
    private final ProtocolAdapterProperties config;
    private final TenantClientFactory tenantClientFactory;
    private final Supplier<Span> spanFactory;
    private final DeviceCertificateValidator certValidator = new DeviceCertificateValidator();
    private final HonoClientBasedAuthProvider<UsernamePasswordCredentials> usernamePasswordAuthProvider;
    private final HonoClientBasedAuthProvider<SubjectDnCredentials> clientCertAuthProvider;
    private final BiFunction<SaslResponseContext, Span, Future<Void>> preAuthenticationHandler;

    /* loaded from: input_file:org/eclipse/hono/adapter/amqp/AmqpAdapterSaslAuthenticatorFactory$AmqpAdapterSaslAuthenticator.class */
    final class AmqpAdapterSaslAuthenticator implements ProtonSaslAuthenticator {
        private final Logger LOG = LoggerFactory.getLogger(getClass());
        private final Span currentSpan;
        private Sasl sasl;
        private boolean succeeded;
        private ProtonConnection protonConnection;
        private SSLSession sslSession;

        AmqpAdapterSaslAuthenticator(Span span) {
            this.currentSpan = span;
        }

        private String[] getSupportedMechanisms() {
            ArrayList arrayList = new ArrayList(2);
            if (AmqpAdapterSaslAuthenticatorFactory.this.usernamePasswordAuthProvider != null) {
                arrayList.add("PLAIN");
            }
            if (AmqpAdapterSaslAuthenticatorFactory.this.clientCertAuthProvider != null) {
                arrayList.add("EXTERNAL");
            }
            return (String[]) arrayList.toArray(i -> {
                return new String[i];
            });
        }

        public void init(NetSocket netSocket, ProtonConnection protonConnection, Transport transport) {
            this.LOG.trace("initializing SASL authenticator");
            this.protonConnection = protonConnection;
            this.sasl = transport.sasl();
            this.sasl.server();
            this.sasl.allowSkip(false);
            this.sasl.setMechanisms(getSupportedMechanisms());
            if (netSocket.isSsl()) {
                this.LOG.trace("client connected through a secured port");
                this.sslSession = netSocket.sslSession();
            }
        }

        public void process(Handler<Boolean> handler) {
            String[] remoteMechanisms = this.sasl.getRemoteMechanisms();
            if (remoteMechanisms.length == 0) {
                this.LOG.trace("client device provided an empty list of SASL mechanisms [hostname: {}, state: {}]", this.sasl.getHostname(), this.sasl.getState());
                handler.handle(Boolean.FALSE);
                return;
            }
            String str = remoteMechanisms[0];
            this.LOG.debug("client device wants to authenticate using SASL [mechanism: {}, host: {}, state: {}]", new Object[]{str, this.sasl.getHostname(), this.sasl.getState()});
            Context currentContext = Vertx.currentContext();
            byte[] bArr = new byte[this.sasl.pending()];
            this.sasl.recv(bArr, 0, bArr.length);
            buildSaslResponseContext(str, bArr).compose(saslResponseContext -> {
                return invokePreAuthenticationHandler(saslResponseContext, this.currentSpan);
            }).compose(saslResponseContext2 -> {
                return verify(saslResponseContext2);
            }).onComplete(asyncResult -> {
                if (asyncResult.succeeded()) {
                    this.currentSpan.log("credentials verified successfully");
                    this.protonConnection.attachments().set(AmqpAdapterConstants.KEY_CURRENT_SPAN, Span.class, this.currentSpan);
                    this.protonConnection.attachments().set(AmqpAdapterConstants.KEY_CLIENT_DEVICE, Device.class, (Device) asyncResult.result());
                    this.succeeded = true;
                    this.sasl.done(Sasl.SaslOutcome.PN_SASL_OK);
                } else {
                    TracingHelper.logError(this.currentSpan, asyncResult.cause());
                    this.currentSpan.finish();
                    this.LOG.debug("SASL handshake failed: {}", asyncResult.cause().getMessage());
                    this.sasl.done(Sasl.SaslOutcome.PN_SASL_AUTH);
                }
                if (currentContext == null) {
                    handler.handle(Boolean.TRUE);
                } else {
                    currentContext.runOnContext(r4 -> {
                        handler.handle(Boolean.TRUE);
                    });
                }
            });
        }

        private Future<SaslResponseContext> buildSaslResponseContext(String str, byte[] bArr) {
            if ("PLAIN".equals(str)) {
                return parseSaslResponse(bArr).compose(strArr -> {
                    return Future.succeededFuture(SaslResponseContext.forMechanismPlain(this.protonConnection, strArr));
                });
            }
            if (!"EXTERNAL".equals(str)) {
                return Future.failedFuture("Unsupported SASL mechanism: " + str);
            }
            Certificate[] certificateArr = null;
            try {
                certificateArr = this.sslSession.getPeerCertificates();
            } catch (SSLPeerUnverifiedException e) {
                this.LOG.debug("device's certificate chain cannot be read: {}", e.getMessage());
            }
            return Future.succeededFuture(SaslResponseContext.forMechanismExternal(this.protonConnection, certificateArr));
        }

        private Future<String[]> parseSaslResponse(byte[] bArr) {
            try {
                return Future.succeededFuture(AuthenticationConstants.parseSaslResponse(bArr));
            } catch (CredentialException e) {
                TracingHelper.logError(this.currentSpan, e);
                return Future.failedFuture(e);
            }
        }

        private Future<SaslResponseContext> invokePreAuthenticationHandler(SaslResponseContext saslResponseContext, Span span) {
            return AmqpAdapterSaslAuthenticatorFactory.this.preAuthenticationHandler == null ? Future.succeededFuture(saslResponseContext) : AmqpAdapterSaslAuthenticatorFactory.this.preAuthenticationHandler.apply(saslResponseContext, span).map(r3 -> {
                return saslResponseContext;
            });
        }

        public boolean succeeded() {
            return this.succeeded;
        }

        private Future<DeviceUser> verify(SaslResponseContext saslResponseContext) {
            return "PLAIN".equals(saslResponseContext.getRemoteMechanism()) ? verifyPlain(saslResponseContext.getSaslResponseFields()) : "EXTERNAL".equals(saslResponseContext.getRemoteMechanism()) ? verifyExternal(saslResponseContext.getPeerCertificateChain()) : Future.failedFuture("Unsupported SASL mechanism: " + saslResponseContext.getRemoteMechanism());
        }

        private Future<DeviceUser> verifyPlain(String[] strArr) {
            this.currentSpan.log("authenticating device using SASL PLAIN");
            UsernamePasswordCredentials create = UsernamePasswordCredentials.create(strArr[1], strArr[2], AmqpAdapterSaslAuthenticatorFactory.this.config.isSingleTenant());
            if (create == null) {
                return Future.failedFuture(new CredentialException("username does not comply with expected pattern [<authId>@<tenantId>]"));
            }
            HashMap hashMap = new HashMap(2);
            hashMap.put("tenant_id", create.getTenantId());
            hashMap.put("auth_id", create.getAuthId());
            this.currentSpan.log(hashMap);
            Promise promise = Promise.promise();
            AmqpAdapterSaslAuthenticatorFactory.this.usernamePasswordAuthProvider.authenticate(create, this.currentSpan.context(), promise);
            return promise.future();
        }

        private Future<DeviceUser> verifyExternal(Certificate[] certificateArr) {
            this.currentSpan.log("authenticating device using SASL EXTERNAL");
            if (certificateArr == null) {
                return Future.failedFuture(new CredentialException("Missing client certificate"));
            }
            if (!X509Certificate.class.isInstance(certificateArr[0])) {
                return Future.failedFuture(new CredentialException("Only X.509 certificates are supported"));
            }
            X509Certificate x509Certificate = (X509Certificate) certificateArr[0];
            String name = x509Certificate.getSubjectX500Principal().getName("RFC2253");
            this.LOG.debug("authenticating client certificate [Subject DN: {}]", name);
            this.currentSpan.log(Collections.singletonMap("subject-dn", name));
            return getTenantObject(x509Certificate.getIssuerX500Principal()).compose(tenantObject -> {
                Set trustAnchors = tenantObject.getTrustAnchors();
                if (!trustAnchors.isEmpty()) {
                    return AmqpAdapterSaslAuthenticatorFactory.this.certValidator.validate(Collections.singletonList(x509Certificate), trustAnchors).map(r3 -> {
                        return tenantObject;
                    });
                }
                this.LOG.debug("no valid trust anchors defined for tenant [{}]", tenantObject.getTenantId());
                return Future.failedFuture(new CredentialException("validation of client certificate failed"));
            }).compose(tenantObject2 -> {
                JsonObject jsonObject = new JsonObject();
                if (tenantObject2.isAutoProvisioningEnabled(x509Certificate.getIssuerX500Principal().getName("RFC2253"))) {
                    try {
                        jsonObject.put("client-certificate", x509Certificate.getEncoded());
                    } catch (CertificateEncodingException e) {
                        this.LOG.error("Encoding of device certificate failed [subject DN: {}]", name, e);
                        return Future.failedFuture(e);
                    }
                }
                Promise promise = Promise.promise();
                AmqpAdapterSaslAuthenticatorFactory.this.clientCertAuthProvider.authenticate(SubjectDnCredentials.create(tenantObject2.getTenantId(), x509Certificate.getSubjectX500Principal(), jsonObject), this.currentSpan.context(), promise);
                return promise.future();
            });
        }

        private Future<TenantObject> getTenantObject(X500Principal x500Principal) {
            return AmqpAdapterSaslAuthenticatorFactory.this.tenantClientFactory.getOrCreateTenantClient().compose(tenantClient -> {
                return tenantClient.get(x500Principal, this.currentSpan.context());
            });
        }
    }

    public AmqpAdapterSaslAuthenticatorFactory(TenantClientFactory tenantClientFactory, ProtocolAdapterProperties protocolAdapterProperties, Supplier<Span> supplier, HonoClientBasedAuthProvider<UsernamePasswordCredentials> honoClientBasedAuthProvider, HonoClientBasedAuthProvider<SubjectDnCredentials> honoClientBasedAuthProvider2, BiFunction<SaslResponseContext, Span, Future<Void>> biFunction) {
        this.tenantClientFactory = (TenantClientFactory) Objects.requireNonNull(tenantClientFactory, "Tenant client factory cannot be null");
        this.config = (ProtocolAdapterProperties) Objects.requireNonNull(protocolAdapterProperties, "configuration cannot be null");
        this.spanFactory = (Supplier) Objects.requireNonNull(supplier);
        this.usernamePasswordAuthProvider = honoClientBasedAuthProvider;
        this.clientCertAuthProvider = honoClientBasedAuthProvider2;
        this.preAuthenticationHandler = biFunction;
    }

    public ProtonSaslAuthenticator create() {
        return new AmqpAdapterSaslAuthenticator(this.spanFactory.get());
    }
}
