package org.eclipse.hono.service.auth.impl;

import io.vertx.proton.ProtonConnection;
import io.vertx.proton.ProtonHelper;
import io.vertx.proton.ProtonReceiver;
import io.vertx.proton.ProtonSender;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.stream.Collectors;
import org.apache.qpid.proton.amqp.Symbol;
import org.apache.qpid.proton.amqp.transport.AmqpError;
import org.apache.qpid.proton.amqp.transport.Source;
import org.eclipse.hono.auth.Authorities;
import org.eclipse.hono.auth.HonoUser;
import org.eclipse.hono.config.ServiceConfigProperties;
import org.eclipse.hono.service.amqp.AmqpEndpoint;
import org.eclipse.hono.service.amqp.AmqpServiceBase;
import org.eclipse.hono.util.Constants;
import org.eclipse.hono.util.ResourceIdentifier;
import org.springframework.beans.factory.annotation.Autowired;

/* loaded from: input_file:org/eclipse/hono/service/auth/impl/SimpleAuthenticationServer.class */
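/**
 * AMQP 1.0 server of the {@code hono-auth} service.
 *
 * <p>What the code in this class does:
 * <ul>
 * <li>When a client lists {@code ADDRESS-AUTHZ} among its desired capabilities, the server puts the
 * authenticated identity and the client's address permissions into the properties of its own open
 * frame.</li>
 * <li>Every connection is closed about five seconds after it was opened unless it is already
 * disconnected by then.</li>
 * <li>Links on which the client would send (server-side receivers) are always refused.</li>
 * <li>Links on which the client receives are handed to the endpoint registered for the source
 * address, but only for a principal other than {@code ANONYMOUS}.</li>
 * </ul>
 *
 * <p>NOTE(review): the protected methods presumably override hooks of {@code AmqpServiceBase}; the
 * base class is not visible here, so no {@code @Override} annotations were added. Confirm and add them.
 */
public final class SimpleAuthenticationServer extends AmqpServiceBase<ServiceConfigProperties> {
    private static final Symbol CAPABILITY_ADDRESS_AUTHZ = Symbol.valueOf("ADDRESS-AUTHZ");
    private static final Symbol PROPERTY_ADDRESS_AUTHZ = Symbol.valueOf("address-authz");
    private static final Symbol PROPERTY_AUTH_IDENTITY = Symbol.valueOf("authenticated-identity");
    private static final int IDX_MAJOR_VERSION = 0;
    private static final int IDX_MINOR_VERSION = 1;
    private static final int IDX_PATCH_VERSION = 2;
    // Time a client gets after the open frame before the server closes the connection.
    private static final long TOKEN_RETRIEVAL_TIMEOUT_MILLIS = 5000L;
    // Authority keys carrying this prefix are the ones exported as address permissions.
    private static final String RESOURCE_AUTHORITY_PREFIX = "r:";

    /**
     * Sets the configuration properties of this server.
     *
     * @param serviceConfigProperties the properties, passed on to {@code setSpecificConfig}.
     */
    @Autowired
    public void setConfig(ServiceConfigProperties serviceConfigProperties) {
        setSpecificConfig(serviceConfigProperties);
    }

    /**
     * Gets the name of this service.
     *
     * @return always {@code hono-auth}.
     */
    protected String getServiceName() {
        return "hono-auth";
    }

    /**
     * Registers the session, sender, disconnect, close and open handlers on a new connection.
     *
     * @param protonConnection the connection a client has established.
     */
    protected void setRemoteConnectionOpenHandler(ProtonConnection protonConnection) {
        protonConnection.sessionOpenHandler(session -> handleSessionOpen(protonConnection, session));
        protonConnection.senderOpenHandler(sender -> handleSenderOpen(protonConnection, sender));
        protonConnection.disconnectHandler(lostConnection -> {
            lostConnection.close();
            lostConnection.disconnect();
        });
        protonConnection.closeHandler(remoteClose -> {
            protonConnection.close();
            protonConnection.disconnect();
        });
        protonConnection.openHandler(remoteOpen -> {
            if (remoteOpen.failed()) {
                // NOTE(review): the connection is neither opened nor closed on this path, and the
                // idle timer is only armed in processRemoteOpen. Confirm that something else
                // reclaims such connections.
                LOG.debug("ignoring peer's open frame containing error", remoteOpen.cause());
            } else {
                processRemoteOpen(remoteOpen.result());
            }
        });
    }

    /**
     * Answers the client's open frame and arms the timer that closes the connection.
     *
     * <p>If the client desires the {@code ADDRESS-AUTHZ} capability, identity and permissions are
     * added to the server's open frame before it is sent.
     *
     * @param protonConnection the connection whose open frame has been received.
     */
    protected void processRemoteOpen(ProtonConnection protonConnection) {
        // The desired capabilities are an optional field of the peer's open frame; guard against a
        // missing array so that a client omitting the field does not trigger a NullPointerException
        // inside the open handler.
        final Symbol[] desiredCapabilities = protonConnection.getRemoteDesiredCapabilities();
        if (desiredCapabilities != null && Arrays.asList(desiredCapabilities).contains(CAPABILITY_ADDRESS_AUTHZ)) {
            LOG.debug("client [container: {}] requests transfer of authenticated user's authorities in open frame", protonConnection.getRemoteContainer());
            processAddressAuthzCapability(protonConnection);
        }
        protonConnection.open();
        // The timer is not cancelled anywhere in this class: it fires for every opened connection
        // and bounds how long a client can hold a connection to this server.
        vertx.setTimer(TOKEN_RETRIEVAL_TIMEOUT_MILLIS, timerId -> {
            if (protonConnection.isDisconnected()) {
                return;
            }
            LOG.debug("connection with client [{}] timed out after 5 seconds, closing connection", protonConnection.getRemoteContainer());
            protonConnection.setCondition(ProtonHelper.condition(Constants.AMQP_ERROR_INACTIVITY, "client must retrieve token within 5 secs after opening connection")).close();
        });
    }

    /**
     * Puts the authenticated identity and the address permissions of the connection's principal
     * into the properties of the server's open frame and offers the {@code ADDRESS-AUTHZ} capability.
     *
     * @param protonConnection the connection whose client asked for the capability.
     */
    private void processAddressAuthzCapability(ProtonConnection protonConnection) {
        if (LOG.isDebugEnabled()) {
            final Map<Symbol, Object> remoteProperties = protonConnection.getRemoteProperties();
            if (remoteProperties != null) {
                // Keys and values are chosen by the peer. Formatting the value with %s instead of
                // calling toString() on it keeps a null value from throwing here.
                // NOTE(review): the values reach the log unfiltered; check that the log layout
                // neutralises line breaks if debug logs are consumed by other tooling.
                final String renderedProperties = remoteProperties.entrySet().stream()
                        .map(entry -> String.format("[%s: %s]", entry.getKey(), entry.getValue()))
                        .collect(Collectors.joining(", "));
                LOG.debug("client connection [container: {}] includes properties: {}", protonConnection.getRemoteContainer(), renderedProperties);
            }
        }
        // NOTE(review): assumes a principal is always attached to the connection by the time the
        // open frame is processed; a null result would fail on the next line. Confirm against the
        // SASL setup.
        final HonoUser clientPrincipal = Constants.getClientPrincipal(protonConnection);
        final Map<String, String[]> permissions = getPermissionsFromAuthorities(clientPrincipal.getAuthorities());
        final Map<Symbol, Object> openFrameProperties = new HashMap<>();
        final boolean legacyFormat = isLegacyClient(protonConnection);
        if (legacyFormat) {
            // legacy clients get the identity as a plain string
            openFrameProperties.put(PROPERTY_AUTH_IDENTITY, clientPrincipal.getName());
        } else {
            // all other clients get a map with the identity under the "sub" key
            openFrameProperties.put(PROPERTY_AUTH_IDENTITY, Collections.singletonMap("sub", clientPrincipal.getName()));
        }
        openFrameProperties.put(PROPERTY_ADDRESS_AUTHZ, permissions);
        protonConnection.setProperties(openFrameProperties);
        protonConnection.setOfferedCapabilities(new Symbol[] {CAPABILITY_ADDRESS_AUTHZ});
        LOG.debug("transfering {} permissions of client [container: {}, user: {}] in open frame [legacy format: {}]",
                permissions.size(), protonConnection.getRemoteContainer(), clientPrincipal.getName(), legacyFormat);
    }

    /**
     * Checks whether the client reports a version 1.x with x below 4 in the {@code version}
     * property of its open frame.
     *
     * <p>The property is supplied by the peer and is not verified. In this class it only selects
     * the format of the {@code authenticated-identity} property, never which identity or
     * permissions are transferred.
     *
     * @param protonConnection the client's connection.
     * @return {@code true} if a string-valued version property parses to major 1 and minor below 4,
     *         {@code false} otherwise, including when there are no properties or no such property.
     */
    private boolean isLegacyClient(ProtonConnection protonConnection) {
        final Map<Symbol, Object> remoteProperties = protonConnection.getRemoteProperties();
        if (remoteProperties == null) {
            return false;
        }
        final Object reportedVersion = remoteProperties.get(Symbol.getSymbol("version"));
        if (!(reportedVersion instanceof String)) {
            return false;
        }
        final int[] version = parseVersionString((String) reportedVersion);
        return version[IDX_MAJOR_VERSION] == 1 && version[IDX_MINOR_VERSION] < 4;
    }

    /**
     * Parses a dotted version string into major, minor and patch numbers.
     *
     * <p>Components are read from left to right. Parsing stops at the first component that is not
     * an integer; components read before it are kept and the remaining ones stay 0. A string
     * such as {@code 1.3.0-SNAPSHOT} therefore yields {@code {1, 3, 0}}.
     *
     * @param str the version string taken from the peer's connection properties.
     * @return an array of length 3 indexed by the {@code IDX_*_VERSION} constants.
     */
    private int[] parseVersionString(String str) {
        final int[] version = {0, 0, 0};
        // String.split takes a regular expression: an unescaped "." matches every character and
        // never yields the version components, so the dot has to be escaped.
        final String[] components = str.split("\\.", version.length);
        final int count = Math.min(components.length, version.length);
        try {
            // One component per index. A fall-through switch over the number of components either
            // reads past the end of a short array or skips the leading components.
            for (int i = 0; i < count; i++) {
                version[i] = Integer.parseInt(components[i]);
            }
        } catch (NumberFormatException ignored) {
            // deliberate best effort: the input is peer-controlled, so a malformed component only
            // leaves the remaining numbers at 0
        }
        return version;
    }

    /**
     * Converts the resource authorities of a principal into the permission map sent to the client.
     *
     * @param authorities the authorities of the authenticated principal.
     * @return a map from the authority key without its {@code r:} prefix to the permitted
     *         operations; authorities whose key lacks the prefix are left out.
     */
    private Map<String, String[]> getPermissionsFromAuthorities(Authorities authorities) {
        return authorities.asMap().entrySet().stream()
                .filter(entry -> entry.getKey().startsWith(RESOURCE_AUTHORITY_PREFIX))
                .collect(Collectors.toMap(
                        entry -> entry.getKey().substring(RESOURCE_AUTHORITY_PREFIX.length()),
                        // the cast fails with a ClassCastException if an authority value is not a string
                        entry -> getAuthorities((String) entry.getValue())));
    }

    /**
     * Translates an authority string into the operation names transferred to the client.
     *
     * @param str the authority string; each {@code R} stands for {@code recv} and each {@code W}
     *            for {@code send}, every other character is ignored.
     * @return the distinct operation names in no particular order.
     */
    private String[] getAuthorities(String str) {
        return str.chars()
                .mapToObj(character -> {
                    switch (character) {
                        case 'R':
                            return "recv";
                        case 'W':
                            return "send";
                        default:
                            // not exported; dropped by the filter below
                            return null;
                    }
                })
                .filter(Objects::nonNull)
                .collect(Collectors.toSet())
                .toArray(String[]::new);
    }

    /**
     * Refuses every link on which the client wants to send messages to this server.
     *
     * @param protonConnection the client's connection.
     * @param protonReceiver the server-side receiver of the link, closed with {@code amqp:not-allowed}.
     */
    protected void handleReceiverOpen(ProtonConnection protonConnection, ProtonReceiver protonReceiver) {
        protonReceiver.setCondition(ProtonHelper.condition(AmqpError.NOT_ALLOWED, "cannot write to node"));
        protonReceiver.close();
    }

    /**
     * Handles a client's request to open a link for receiving messages.
     *
     * <p>The connection is closed with an error condition if the source address is missing or
     * malformed, if no endpoint is registered for it, or if the connection's principal is
     * {@code ANONYMOUS}. Otherwise the link is handed to the endpoint.
     *
     * @param protonConnection the client's connection.
     * @param protonSender the server-side sender of the link.
     */
    protected void handleSenderOpen(ProtonConnection protonConnection, ProtonSender protonSender) {
        final Source remoteSource = protonSender.getRemoteSource();
        LOG.debug("client [{}] wants to open a link for receiving messages [address: {}]", protonConnection.getRemoteContainer(), remoteSource);
        if (remoteSource == null) {
            // An attach frame need not carry a source. Reject it like a malformed address instead
            // of failing with a NullPointerException that the catch block below does not cover.
            LOG.debug("client has provided no source address");
            protonConnection.setCondition(ProtonHelper.condition(AmqpError.INVALID_FIELD, "malformed source address")).close();
            return;
        }
        try {
            final ResourceIdentifier resourceIdentifier = getResourceIdentifier(remoteSource.getAddress());
            final AmqpEndpoint endpoint = getEndpoint(resourceIdentifier);
            // NOTE(review): the endpoint lookup runs before the authentication check, so an
            // ANONYMOUS client receives a different error for an unknown node than for a known
            // one. Consider checking the principal first if node names should not be disclosed
            // to unauthenticated peers.
            if (endpoint == null) {
                LOG.debug("no endpoint registered for node [{}]", resourceIdentifier);
                protonConnection.setCondition(ProtonHelper.condition(AmqpError.NOT_FOUND, "no such node")).close();
            } else if ("ANONYMOUS".equals(Constants.getClientPrincipal(protonConnection).getName())) {
                protonConnection.setCondition(ProtonHelper.condition(AmqpError.UNAUTHORIZED_ACCESS, "client must authenticate using SASL")).close();
            } else {
                Constants.copyProperties(protonConnection, protonSender);
                protonSender.setSource(protonSender.getRemoteSource());
                endpoint.onLinkAttach(protonConnection, protonSender, resourceIdentifier);
            }
        } catch (IllegalArgumentException e) {
            LOG.debug("client has provided invalid resource identifier as source address", e);
            protonConnection.setCondition(ProtonHelper.condition(AmqpError.INVALID_FIELD, "malformed source address")).close();
        }
    }
}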
