package org.eclipse.hono.adapter.http;

import io.opentracing.Span;
import io.opentracing.Tracer;
import io.opentracing.contrib.vertx.ext.web.TracingHandler;
import io.opentracing.noop.NoopTracerFactory;
import io.opentracing.tag.Tags;
import io.vertx.core.AsyncResult;
import io.vertx.core.Future;
import io.vertx.core.Handler;
import io.vertx.core.json.JsonObject;
import io.vertx.ext.web.RoutingContext;
import io.vertx.ext.web.handler.impl.HttpStatusException;
import java.security.GeneralSecurityException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.HashMap;
import java.util.LinkedList;
import java.util.List;
import java.util.Objects;
import javax.net.ssl.SSLPeerUnverifiedException;
import org.eclipse.hono.client.HonoClient;
import org.eclipse.hono.service.auth.device.DeviceCertificateValidator;
import org.eclipse.hono.service.auth.device.HonoAuthHandler;
import org.eclipse.hono.service.auth.device.HonoClientBasedAuthProvider;
import org.eclipse.hono.tracing.TracingHelper;
import org.eclipse.hono.util.TenantObject;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/eclipse/hono/adapter/http/X509AuthHandler.class */
public class X509AuthHandler extends HonoAuthHandler {
    private static final Logger LOG = LoggerFactory.getLogger(X509AuthHandler.class);
    private static final HttpStatusException UNAUTHORIZED = new HttpStatusException(401);
    private final HonoClient tenantServiceClient;
    private final DeviceCertificateValidator certPathValidator;
    private final Tracer tracer;

    public X509AuthHandler(HonoClientBasedAuthProvider honoClientBasedAuthProvider, HonoClient honoClient) {
        this(honoClientBasedAuthProvider, honoClient, null);
    }

    public X509AuthHandler(HonoClientBasedAuthProvider honoClientBasedAuthProvider, HonoClient honoClient, Tracer tracer) {
        this(honoClientBasedAuthProvider, honoClient, tracer, new DeviceCertificateValidator());
    }

    public X509AuthHandler(HonoClientBasedAuthProvider honoClientBasedAuthProvider, HonoClient honoClient, Tracer tracer, DeviceCertificateValidator deviceCertificateValidator) {
        super(honoClientBasedAuthProvider);
        this.tenantServiceClient = (HonoClient) Objects.requireNonNull(honoClient);
        this.certPathValidator = (DeviceCertificateValidator) Objects.requireNonNull(deviceCertificateValidator);
        if (tracer == null) {
            this.tracer = NoopTracerFactory.create();
        } else {
            this.tracer = tracer;
        }
    }

    public final void parseCredentials(RoutingContext routingContext, Handler<AsyncResult<JsonObject>> handler) {
        Objects.requireNonNull(routingContext);
        Objects.requireNonNull(handler);
        if (!routingContext.request().isSSL()) {
            handler.handle(Future.failedFuture(UNAUTHORIZED));
            return;
        }
        Span start = this.tracer.buildSpan("verify device certificate").asChildOf(TracingHandler.serverSpanContext(routingContext)).ignoreActiveSpan().withTag(Tags.SPAN_KIND.getKey(), "client").withTag(Tags.COMPONENT.getKey(), getClass().getSimpleName()).start();
        try {
            getX509CertificatePath(routingContext.request().sslSession().getPeerCertificates()).compose(list -> {
                X509Certificate x509Certificate = (X509Certificate) list.get(0);
                HashMap hashMap = new HashMap(3);
                hashMap.put("subject DN", x509Certificate.getSubjectX500Principal().getName());
                hashMap.put("not before", x509Certificate.getNotBefore().toString());
                hashMap.put("not after", x509Certificate.getNotAfter().toString());
                start.log(hashMap);
                Future<TenantObject> tenant = getTenant(x509Certificate, start);
                List singletonList = Collections.singletonList(x509Certificate);
                return tenant.compose(tenantObject -> {
                    try {
                        return this.certPathValidator.validate(singletonList, tenantObject.getTrustAnchor());
                    } catch (GeneralSecurityException e) {
                        return Future.failedFuture(e);
                    }
                }).compose(r7 -> {
                    return getCredentials(list, (TenantObject) tenant.result());
                });
            }).setHandler(asyncResult -> {
                if (asyncResult.succeeded()) {
                    start.log("certificate verified successfully");
                    handler.handle(asyncResult);
                } else {
                    LOG.debug("verification of client certificate failed: {}", asyncResult.cause().getMessage());
                    TracingHelper.logError(start, asyncResult.cause());
                    handler.handle(Future.failedFuture(UNAUTHORIZED));
                }
                start.finish();
            });
        } catch (SSLPeerUnverifiedException e) {
            TracingHelper.logError(start, e);
            start.finish();
            handler.handle(Future.failedFuture(UNAUTHORIZED));
        }
    }

    private Future<TenantObject> getTenant(X509Certificate x509Certificate, Span span) {
        return this.tenantServiceClient.getOrCreateTenantClient().compose(tenantClient -> {
            return tenantClient.get(x509Certificate.getIssuerX500Principal(), span.context());
        });
    }

    private Future<List<X509Certificate>> getX509CertificatePath(Certificate[] certificateArr) {
        LinkedList linkedList = new LinkedList();
        for (Certificate certificate : certificateArr) {
            if (!(certificate instanceof X509Certificate)) {
                LOG.info("cannot authenticate device using unsupported certificate type [{}]", certificate.getClass().getName());
                return Future.failedFuture(UNAUTHORIZED);
            }
            linkedList.add((X509Certificate) certificate);
        }
        return Future.succeededFuture(linkedList);
    }

    protected Future<JsonObject> getCredentials(List<X509Certificate> list, TenantObject tenantObject) {
        String name = list.get(0).getSubjectX500Principal().getName("RFC2253");
        LOG.debug("authenticating device of tenant [{}] using X509 certificate [subject DN: {}]", tenantObject.getTenantId(), name);
        return Future.succeededFuture(new JsonObject().put("subject-dn", name).put("tenant-id", tenantObject.getTenantId()));
    }
}
