package org.eclipse.hono.adapter.amqp;

import io.opentracing.Span;
import io.vertx.core.Context;
import io.vertx.core.Future;
import io.vertx.core.Handler;
import io.vertx.core.Vertx;
import io.vertx.core.net.NetSocket;
import io.vertx.proton.ProtonConnection;
import io.vertx.proton.sasl.ProtonSaslAuthenticator;
import io.vertx.proton.sasl.ProtonSaslAuthenticatorFactory;
import java.util.ArrayList;
import java.util.Objects;
import java.util.Optional;
import java.util.function.Supplier;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import javax.security.auth.login.CredentialException;
import javax.security.auth.login.LoginException;
import org.apache.qpid.proton.engine.Sasl;
import org.apache.qpid.proton.engine.Transport;
import org.eclipse.hono.client.ClientErrorException;
import org.eclipse.hono.service.auth.DeviceUser;
import org.eclipse.hono.service.metric.MetricsTags;
import org.eclipse.hono.tracing.TracingHelper;
import org.eclipse.hono.util.AuthenticationConstants;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/eclipse/hono/adapter/amqp/AmqpAdapterSaslAuthenticatorFactory.class */
public class AmqpAdapterSaslAuthenticatorFactory implements ProtonSaslAuthenticatorFactory {
    private final AmqpAdapterMetrics metrics;
    private final Supplier<Span> spanFactory;
    private final SaslPlainAuthHandler saslPlainAuthHandler;
    private final SaslExternalAuthHandler saslExternalAuthHandler;

    /* loaded from: input_file:org/eclipse/hono/adapter/amqp/AmqpAdapterSaslAuthenticatorFactory$AmqpAdapterSaslAuthenticator.class */
    final class AmqpAdapterSaslAuthenticator implements ProtonSaslAuthenticator {
        private final Logger LOG = LoggerFactory.getLogger(getClass());
        private final Span currentSpan;
        private Sasl sasl;
        private boolean succeeded;
        private ProtonConnection protonConnection;
        private SSLSession sslSession;

        AmqpAdapterSaslAuthenticator(Span span) {
            this.currentSpan = span;
        }

        private String[] getSupportedMechanisms() {
            ArrayList arrayList = new ArrayList(2);
            if (AmqpAdapterSaslAuthenticatorFactory.this.saslPlainAuthHandler != null) {
                arrayList.add("PLAIN");
            }
            if (AmqpAdapterSaslAuthenticatorFactory.this.saslExternalAuthHandler != null) {
                arrayList.add("EXTERNAL");
            }
            return (String[]) arrayList.toArray(i -> {
                return new String[i];
            });
        }

        public void init(NetSocket netSocket, ProtonConnection protonConnection, Transport transport) {
            this.LOG.trace("initializing SASL authenticator");
            this.protonConnection = protonConnection;
            this.sasl = transport.sasl();
            this.sasl.server();
            this.sasl.allowSkip(false);
            this.sasl.setMechanisms(getSupportedMechanisms());
            if (netSocket.isSsl()) {
                this.LOG.trace("client connected through a secured port");
                this.sslSession = netSocket.sslSession();
            }
        }

        public void process(Handler<Boolean> handler) {
            String[] remoteMechanisms = this.sasl.getRemoteMechanisms();
            if (remoteMechanisms.length == 0) {
                this.LOG.trace("client device provided an empty list of SASL mechanisms [hostname: {}, state: {}]", this.sasl.getHostname(), this.sasl.getState());
                handler.handle(Boolean.FALSE);
                return;
            }
            String str = remoteMechanisms[0];
            this.LOG.debug("client device wants to authenticate using SASL [mechanism: {}, host: {}, state: {}]", new Object[]{str, this.sasl.getHostname(), this.sasl.getState()});
            Context currentContext = Vertx.currentContext();
            byte[] bArr = new byte[this.sasl.pending()];
            this.sasl.recv(bArr, 0, bArr.length);
            String str2 = (String) Optional.ofNullable(this.sslSession).map((v0) -> {
                return v0.getCipherSuite();
            }).orElse(null);
            buildSaslResponseContext(str, bArr).compose(saslResponseContext -> {
                return verify(saslResponseContext);
            }).onSuccess(deviceUser -> {
                this.currentSpan.log("credentials verified successfully");
                this.protonConnection.attachments().set(AmqpAdapterConstants.KEY_CURRENT_SPAN, Span.class, this.currentSpan);
                this.protonConnection.attachments().set(AmqpAdapterConstants.KEY_CLIENT_DEVICE, DeviceUser.class, deviceUser);
                Optional.ofNullable(str2).ifPresent(str3 -> {
                    this.protonConnection.attachments().set(AmqpAdapterConstants.KEY_TLS_CIPHER_SUITE, String.class, str3);
                });
                this.succeeded = true;
                this.sasl.done(Sasl.SaslOutcome.PN_SASL_OK);
            }).onFailure(th -> {
                TracingHelper.logError(this.currentSpan, th);
                this.currentSpan.finish();
                this.LOG.debug("SASL handshake or early stage checks failed", th);
                String tenant = th instanceof ClientErrorException ? ((ClientErrorException) th).getTenant() : null;
                if ((th instanceof ClientErrorException) || (th instanceof LoginException)) {
                    AmqpAdapterSaslAuthenticatorFactory.this.metrics.reportConnectionAttempt(MetricsTags.ConnectionAttemptOutcome.UNAUTHORIZED, tenant, str2);
                    this.sasl.done(Sasl.SaslOutcome.PN_SASL_AUTH);
                } else {
                    AmqpAdapterSaslAuthenticatorFactory.this.metrics.reportConnectionAttempt(MetricsTags.ConnectionAttemptOutcome.UNAVAILABLE, null, str2);
                    this.sasl.done(Sasl.SaslOutcome.PN_SASL_TEMP);
                }
            }).onComplete(asyncResult -> {
                if (currentContext == null) {
                    handler.handle(Boolean.TRUE);
                } else {
                    currentContext.runOnContext(r4 -> {
                        handler.handle(Boolean.TRUE);
                    });
                }
            });
        }

        private Future<SaslResponseContext> buildSaslResponseContext(String str, byte[] bArr) {
            if ("PLAIN".equals(str)) {
                return parseSaslResponse(bArr).map(strArr -> {
                    return SaslResponseContext.forMechanismPlain(this.protonConnection, strArr, this.currentSpan, this.sslSession);
                });
            }
            if (!"EXTERNAL".equals(str)) {
                return Future.failedFuture("Unsupported SASL mechanism: " + str);
            }
            try {
                return Future.succeededFuture(SaslResponseContext.forMechanismExternal(this.protonConnection, this.currentSpan, this.sslSession));
            } catch (SSLPeerUnverifiedException e) {
                this.LOG.debug("device's certificate chain cannot be read: {}", e.getMessage());
                return Future.failedFuture(e);
            }
        }

        private Future<String[]> parseSaslResponse(byte[] bArr) {
            try {
                return Future.succeededFuture(AuthenticationConstants.parseSaslResponse(bArr));
            } catch (CredentialException e) {
                TracingHelper.logError(this.currentSpan, e);
                return Future.failedFuture(e);
            }
        }

        public boolean succeeded() {
            return this.succeeded;
        }

        private Future<DeviceUser> verify(SaslResponseContext saslResponseContext) {
            if ("PLAIN".equals(saslResponseContext.getRemoteMechanism())) {
                this.currentSpan.log("authenticating device using SASL PLAIN");
                return AmqpAdapterSaslAuthenticatorFactory.this.saslPlainAuthHandler.authenticateDevice(saslResponseContext);
            }
            if (!"EXTERNAL".equals(saslResponseContext.getRemoteMechanism())) {
                return Future.failedFuture(new ClientErrorException(400, "Unsupported SASL mechanism: " + saslResponseContext.getRemoteMechanism()));
            }
            this.currentSpan.log("authenticating device using SASL EXTERNAL");
            return AmqpAdapterSaslAuthenticatorFactory.this.saslExternalAuthHandler.authenticateDevice(saslResponseContext);
        }
    }

    public AmqpAdapterSaslAuthenticatorFactory(AmqpAdapterMetrics amqpAdapterMetrics, Supplier<Span> supplier, SaslPlainAuthHandler saslPlainAuthHandler, SaslExternalAuthHandler saslExternalAuthHandler) {
        this.metrics = (AmqpAdapterMetrics) Objects.requireNonNull(amqpAdapterMetrics);
        this.spanFactory = (Supplier) Objects.requireNonNull(supplier);
        this.saslPlainAuthHandler = saslPlainAuthHandler;
        this.saslExternalAuthHandler = saslExternalAuthHandler;
    }

    public ProtonSaslAuthenticator create() {
        return new AmqpAdapterSaslAuthenticator(this.spanFactory.get());
    }
}
