package org.eclipse.hono.adapter.auth.device;

import io.opentracing.Span;
import io.opentracing.SpanContext;
import io.opentracing.Tracer;
import io.opentracing.noop.NoopTracerFactory;
import io.opentracing.tag.Tags;
import io.vertx.core.Future;
import io.vertx.core.json.JsonObject;
import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.util.HashMap;
import java.util.LinkedList;
import java.util.List;
import java.util.Objects;
import java.util.Set;
import org.eclipse.hono.adapter.client.registry.TenantClient;
import org.eclipse.hono.client.ClientErrorException;
import org.eclipse.hono.service.auth.X509CertificateChainValidator;
import org.eclipse.hono.tracing.TracingHelper;
import org.eclipse.hono.util.TenantObject;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/eclipse/hono/adapter/auth/device/TenantServiceBasedX509Authentication.class */
public final class TenantServiceBasedX509Authentication implements X509Authentication {
    private static final Logger log = LoggerFactory.getLogger(TenantServiceBasedX509Authentication.class);
    private final Tracer tracer;
    private final TenantClient tenantClient;
    private final X509CertificateChainValidator certPathValidator;

    public TenantServiceBasedX509Authentication(TenantClient tenantClient) {
        this(tenantClient, NoopTracerFactory.create());
    }

    public TenantServiceBasedX509Authentication(TenantClient tenantClient, Tracer tracer) {
        this(tenantClient, tracer, new DeviceCertificateValidator());
    }

    public TenantServiceBasedX509Authentication(TenantClient tenantClient, Tracer tracer, X509CertificateChainValidator x509CertificateChainValidator) {
        this.tenantClient = (TenantClient) Objects.requireNonNull(tenantClient);
        this.tracer = (Tracer) Objects.requireNonNull(tracer);
        this.certPathValidator = (X509CertificateChainValidator) Objects.requireNonNull(x509CertificateChainValidator);
    }

    @Override // org.eclipse.hono.adapter.auth.device.X509Authentication
    public Future<JsonObject> validateClientCertificate(Certificate[] certificateArr, SpanContext spanContext) {
        Objects.requireNonNull(certificateArr);
        Span start = TracingHelper.buildChildSpan(this.tracer, spanContext, "verify device certificate", getClass().getSimpleName()).withTag(Tags.SPAN_KIND.getKey(), "client").start();
        return getX509CertificatePath(certificateArr).compose(list -> {
            X509Certificate x509Certificate = (X509Certificate) list.get(0);
            HashMap hashMap = new HashMap(3);
            hashMap.put("subject DN", x509Certificate.getSubjectX500Principal().getName());
            hashMap.put("not before", x509Certificate.getNotBefore().toString());
            hashMap.put("not after", x509Certificate.getNotAfter().toString());
            start.log(hashMap);
            Future<TenantObject> tenant = getTenant(x509Certificate, start);
            return tenant.compose(tenantObject -> {
                Set trustAnchors = tenantObject.getTrustAnchors();
                if (trustAnchors.isEmpty()) {
                    log.debug("no valid trust anchors defined for tenant [{}]", tenantObject.getTenantId());
                    return Future.failedFuture(new ClientErrorException(tenantObject.getTenantId(), 401));
                }
                return this.certPathValidator.validate(List.of(x509Certificate), trustAnchors).recover(th -> {
                    return Future.failedFuture(new ClientErrorException(tenantObject.getTenantId(), 401));
                });
            }).compose(r7 -> {
                return getCredentials(list, (TenantObject) tenant.result());
            });
        }).map(jsonObject -> {
            start.log("certificate verified successfully");
            start.finish();
            return jsonObject;
        }).recover(th -> {
            log.debug("verification of client certificate failed", th);
            TracingHelper.logError(start, th);
            start.finish();
            return Future.failedFuture(th);
        });
    }

    private Future<TenantObject> getTenant(X509Certificate x509Certificate, Span span) {
        return this.tenantClient.get(x509Certificate.getIssuerX500Principal(), span.context());
    }

    private Future<List<X509Certificate>> getX509CertificatePath(Certificate[] certificateArr) {
        LinkedList linkedList = new LinkedList();
        for (Certificate certificate : certificateArr) {
            if (!(certificate instanceof X509Certificate)) {
                log.info("cannot authenticate device using unsupported certificate type [{}]", certificate.getClass().getName());
                return Future.failedFuture(new ClientErrorException(401));
            }
            linkedList.add((X509Certificate) certificate);
        }
        return Future.succeededFuture(linkedList);
    }

    protected Future<JsonObject> getCredentials(List<X509Certificate> list, TenantObject tenantObject) {
        X509Certificate x509Certificate = list.get(0);
        String name = x509Certificate.getSubjectX500Principal().getName("RFC2253");
        log.debug("authenticating device of tenant [{}] using X509 certificate [subject DN: {}]", tenantObject.getTenantId(), name);
        JsonObject put = new JsonObject().put("subject-dn", name).put("tenant-id", tenantObject.getTenantId());
        if (tenantObject.isAutoProvisioningEnabled(x509Certificate.getIssuerX500Principal().getName("RFC2253"))) {
            try {
                put.put("client-certificate", x509Certificate.getEncoded());
            } catch (CertificateEncodingException e) {
                log.error("Encoding of device certificate failed [subject DN: {}]", name, e);
                return Future.failedFuture(e);
            }
        }
        return Future.succeededFuture(put);
    }
}
