package com.mongodb.internal.connection;

import com.helger.phoss.smp.CSMPServer;
import com.mongodb.AuthenticationMechanism;
import com.mongodb.AwsCredential;
import com.mongodb.MongoClientException;
import com.mongodb.MongoCredential;
import com.mongodb.MongoException;
import com.mongodb.ServerAddress;
import com.mongodb.ServerApi;
import com.mongodb.assertions.Assertions;
import com.mongodb.connection.ClusterConnectionMode;
import com.mongodb.connection.ConnectionDescription;
import com.mongodb.internal.authentication.AwsCredentialHelper;
import com.mongodb.lang.Nullable;
import java.security.SecureRandom;
import java.time.Instant;
import java.time.ZoneId;
import java.time.format.DateTimeFormatter;
import java.util.Arrays;
import java.util.function.Supplier;
import javax.security.sasl.SaslClient;
import javax.security.sasl.SaslException;
import org.bson.BsonBinary;
import org.bson.BsonBinaryWriter;
import org.bson.BsonDocument;
import org.bson.BsonInt32;
import org.bson.BsonString;
import org.bson.BsonWriter;
import org.bson.RawBsonDocument;
import org.bson.codecs.BsonDocumentCodec;
import org.bson.codecs.EncoderContext;
import org.bson.io.BasicOutputBuffer;

/* loaded from: input_file:WEB-INF/lib/mongodb-driver-core-4.7.1.jar:com/mongodb/internal/connection/AwsAuthenticator.class */
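/**
 * Authenticator for the {@code MONGODB-AWS} SASL mechanism.
 *
 * <p>The conversation has two client messages: a random client nonce, then an AWS SigV4
 * {@code Authorization} header computed over the server-supplied nonce and host. The AWS
 * credential itself is taken, in order of preference, from the {@link MongoCredential}
 * (user name / password / session-token property), from a {@code Supplier} registered under
 * {@link MongoCredential#AWS_CREDENTIAL_PROVIDER_KEY}, or from the process environment via
 * {@link AwsCredentialHelper}.
 */
public class AwsAuthenticator extends SaslAuthenticator {
    private static final String MONGODB_AWS_MECHANISM_NAME = "MONGODB-AWS";
    /** Length in bytes of the client nonce; the server nonce is exactly twice this. */
    private static final int RANDOM_LENGTH = 32;
    /**
     * Formatter for the SigV4 request timestamp ({@code x-amz-date} form). The pattern carries a
     * literal {@code 'Z'}, so the zone is pinned to UTC here instead of being read from an unrelated
     * application constant; a non-UTC zone would produce a timestamp AWS rejects. {@code
     * DateTimeFormatter} is immutable and thread-safe, so a single shared instance is enough.
     */
    private static final DateTimeFormatter AWS_TIMESTAMP_FORMAT =
            DateTimeFormatter.ofPattern("yyyyMMdd'T'HHmmss'Z'").withZone(ZoneId.of("UTC"));

    /**
     * SASL client for one MONGODB-AWS conversation. Instances are not thread-safe and are meant to
     * be used for exactly one authentication attempt.
     */
    private static class AwsSaslClient implements SaslClient {
        private final MongoCredential credential;
        /** Filled with {@code SecureRandom} bytes when the first message is produced. */
        private final byte[] clientNonce = new byte[RANDOM_LENGTH];
        /** -1 before any challenge, 0 after the first message, 1 after the final message. */
        private int step = -1;

        AwsSaslClient(final MongoCredential credential) {
            this.credential = credential;
        }

        /**
         * Returns the mechanism name carried by the credential.
         *
         * @throws IllegalArgumentException if the credential has no authentication mechanism
         */
        @Override
        public String getMechanismName() {
            AuthenticationMechanism mechanism = credential.getAuthenticationMechanism();
            if (mechanism == null) {
                throw new IllegalArgumentException("Authentication mechanism cannot be null");
            }
            return mechanism.getMechanismName();
        }

        @Override
        public boolean hasInitialResponse() {
            return true;
        }

        /**
         * Advances the conversation by one step.
         *
         * @param challenge ignored on the first step; the server's first message on the second
         * @return the next client message, BSON-encoded
         * @throws SaslException if called more than twice, or if the server message is malformed
         */
        @Override
        public byte[] evaluateChallenge(final byte[] challenge) throws SaslException {
            step++;
            switch (step) {
                case 0:
                    return computeClientFirstMessage();
                case 1:
                    return computeClientFinalMessage(challenge);
                default:
                    throw new SaslException(String.format("Too many steps involved in the %s negotiation.", getMechanismName()));
            }
        }

        @Override
        public boolean isComplete() {
            return step == 1;
        }

        @Override
        public byte[] unwrap(final byte[] incoming, final int offset, final int len) {
            throw new UnsupportedOperationException("Not implemented yet!");
        }

        @Override
        public byte[] wrap(final byte[] outgoing, final int offset, final int len) {
            throw new UnsupportedOperationException("Not implemented yet!");
        }

        @Override
        public Object getNegotiatedProperty(final String propName) {
            throw new UnsupportedOperationException("Not implemented yet!");
        }

        @Override
        public void dispose() {
        }

        /** Builds {@code {r: <client nonce>, p: 110}}; 110 is the ASCII code for 'n' (no channel binding). */
        private byte[] computeClientFirstMessage() {
            new SecureRandom().nextBytes(clientNonce);
            BsonDocument clientFirst = new BsonDocument()
                    .append("r", new BsonBinary(clientNonce))
                    .append("p", new BsonInt32(110));
            return toBson(clientFirst);
        }

        /**
         * Validates the server's first message and builds the signed final message
         * {@code {a: <Authorization header>, d: <timestamp>[, t: <session token>]}}.
         *
         * @param serverFirst raw BSON {@code {s: <server nonce>, h: <host>}}
         * @throws SaslException if the server nonce has the wrong length or does not start with
         *                       the client nonce
         */
        private byte[] computeClientFinalMessage(final byte[] serverFirst) throws SaslException {
            RawBsonDocument document = new RawBsonDocument(serverFirst);
            // NOTE(review): the host is server-supplied and forwarded to the signing builder
            // without validation here; confirm AuthorizationHeader enforces the host constraints
            // (non-empty, bounded length, no empty labels) before the signature is produced.
            String host = document.getString("h").getValue();

            byte[] serverNonce = document.getBinary("s").getData();
            if (serverNonce.length != 2 * RANDOM_LENGTH) {
                throw new SaslException(String.format("Server nonce must be %d bytes", 2 * RANDOM_LENGTH));
            }
            // The client nonce is not secret (it was sent in the clear), so a constant-time
            // comparison is not required here.
            if (!Arrays.equals(Arrays.copyOf(serverNonce, RANDOM_LENGTH), clientNonce)) {
                throw new SaslException(String.format("The first %d bytes of the server nonce must be the client nonce", RANDOM_LENGTH));
            }

            String timestamp = AWS_TIMESTAMP_FORMAT.format(Instant.now());
            AwsCredential awsCredential = createAwsCredential();
            String sessionToken = awsCredential.getSessionToken();
            AuthorizationHeader authorizationHeader = AuthorizationHeader.builder()
                    .setAccessKeyID(awsCredential.getAccessKeyId())
                    .setSecretKey(awsCredential.getSecretAccessKey())
                    .setSessionToken(sessionToken)
                    .setHost(host)
                    .setNonce(serverNonce)
                    .setTimestamp(timestamp)
                    .build();

            BsonDocument clientFinal = new BsonDocument()
                    .append("a", new BsonString(authorizationHeader.toString()))
                    .append("d", new BsonString(authorizationHeader.getTimestamp()));
            if (sessionToken != null) {
                clientFinal.append("t", new BsonString(sessionToken));
            }
            return toBson(clientFinal);
        }

        /**
         * Resolves the AWS credential: explicit credential first, then the registered provider,
         * then the environment.
         *
         * @throws MongoClientException if a user name is given without a password, if the provider
         *                              does not return an {@link AwsCredential}, or if nothing can
         *                              be obtained from the environment
         */
        private AwsCredential createAwsCredential() {
            if (credential.getUserName() != null) {
                char[] password = credential.getPassword();
                if (password == null) {
                    throw new MongoClientException("secretAccessKey is required for AWS credential");
                }
                // AwsCredential only accepts a String secret, so the char[] cannot be kept
                // wipeable past this point.
                return new AwsCredential(
                        Assertions.assertNotNull(credential.getUserName()),
                        new String(password),
                        credential.getMechanismProperty(MongoCredential.AWS_SESSION_TOKEN_KEY, null));
            }

            Object provider = credential.getMechanismProperty(MongoCredential.AWS_CREDENTIAL_PROVIDER_KEY, null);
            if (provider != null) {
                Object supplied = provider instanceof Supplier ? ((Supplier<?>) provider).get() : null;
                // A null result or a result of the wrong type is reported the same way rather than
                // surfacing as a ClassCastException.
                if (!(supplied instanceof AwsCredential)) {
                    throw new MongoClientException("AWS_CREDENTIAL_PROVIDER_KEY must return an AwsCredential instance");
                }
                return (AwsCredential) supplied;
            }

            AwsCredential fromEnvironment = AwsCredentialHelper.obtainFromEnvironment();
            if (fromEnvironment == null) {
                throw new MongoClientException("Unable to obtain AWS credential from the environment");
            }
            return fromEnvironment;
        }

        /** Serializes a document to its BSON bytes. */
        private static byte[] toBson(final BsonDocument document) {
            BasicOutputBuffer buffer = new BasicOutputBuffer();
            try (BsonBinaryWriter writer = new BsonBinaryWriter(buffer)) {
                new BsonDocumentCodec().encode(writer, document, EncoderContext.builder().build());
            }
            // Copy only the written prefix of the (over-allocated) internal buffer.
            return Arrays.copyOf(buffer.getInternalBuffer(), buffer.size());
        }
    }

    /**
     * @throws MongoException if the credential's mechanism is not {@code MONGODB-AWS}
     */
    public AwsAuthenticator(final MongoCredentialWithCache credential, final ClusterConnectionMode clusterConnectionMode,
                            @Nullable final ServerApi serverApi) {
        super(credential, clusterConnectionMode, serverApi);
        if (getMongoCredential().getAuthenticationMechanism() != AuthenticationMechanism.MONGODB_AWS) {
            throw new MongoException("Incorrect mechanism: " + getMongoCredential().getMechanism());
        }
    }

    @Override
    public String getMechanismName() {
        return MONGODB_AWS_MECHANISM_NAME;
    }

    @Override
    protected SaslClient createSaslClient(final ServerAddress serverAddress) {
        return new AwsSaslClient(getMongoCredential());
    }

    @Override
    public void authenticate(final InternalConnection connection, final ConnectionDescription connectionDescription) {
        super.authenticate(connection, connectionDescription);
    }
}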
