package org.eclipse.hono.service.auth.device;

import io.opentracing.Span;
import io.opentracing.SpanContext;
import io.opentracing.Tracer;
import io.opentracing.noop.NoopTracerFactory;
import io.opentracing.tag.Tags;
import io.vertx.core.Future;
import io.vertx.core.json.JsonObject;
import java.security.GeneralSecurityException;
import java.security.cert.Certificate;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import org.eclipse.hono.client.ClientErrorException;
import org.eclipse.hono.client.HonoClient;
import org.eclipse.hono.tracing.TracingHelper;
import org.eclipse.hono.util.TenantObject;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/eclipse/hono/service/auth/device/TenantServiceBasedX509Authentication.class */
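/**
 * An {@link X509Authentication} that validates a device's client certificate against the
 * trust anchor of the tenant the certificate's issuer belongs to.
 * <p>
 * The tenant is looked up via the Tenant service using the issuer DN of the first element of
 * the presented chain, which is treated as the device's (leaf) certificate. Only that leaf
 * certificate is handed to the {@link DeviceCertificateValidator}; the remaining chain elements
 * are not validated here. An empty chain, an unsupported certificate type, a trust anchor that
 * cannot be de-serialized and any validator failure are all reported to callers as a
 * {@link ClientErrorException} with status 401, keeping the concrete reason out of the
 * client-facing error.
 */
public final class TenantServiceBasedX509Authentication implements X509Authentication {

    /** Shared failure cause for every rejected certificate; the reason is only logged. */
    private static final ClientErrorException UNAUTHORIZED = new ClientErrorException(401);
    private static final Logger log = LoggerFactory.getLogger(TenantServiceBasedX509Authentication.class);

    private final Tracer tracer;
    private final HonoClient tenantServiceClient;
    private final DeviceCertificateValidator certPathValidator;

    /**
     * Creates a new instance without tracing support.
     *
     * @param honoClient the client for accessing the Tenant service.
     * @throws NullPointerException if the client is {@code null}.
     */
    public TenantServiceBasedX509Authentication(final HonoClient honoClient) {
        this(honoClient, NoopTracerFactory.create());
    }

    /**
     * Creates a new instance using the default {@link DeviceCertificateValidator}.
     *
     * @param honoClient the client for accessing the Tenant service.
     * @param tracer the tracer to use for creating spans.
     * @throws NullPointerException if any of the parameters is {@code null}.
     */
    public TenantServiceBasedX509Authentication(final HonoClient honoClient, final Tracer tracer) {
        this(honoClient, tracer, new DeviceCertificateValidator());
    }

    /**
     * Creates a new instance.
     *
     * @param honoClient the client for accessing the Tenant service.
     * @param tracer the tracer to use for creating spans.
     * @param deviceCertificateValidator the validator used to check the leaf certificate
     *            against the tenant's trust anchor.
     * @throws NullPointerException if any of the parameters is {@code null}.
     */
    public TenantServiceBasedX509Authentication(
            final HonoClient honoClient,
            final Tracer tracer,
            final DeviceCertificateValidator deviceCertificateValidator) {
        this.tenantServiceClient = Objects.requireNonNull(honoClient);
        this.tracer = Objects.requireNonNull(tracer);
        this.certPathValidator = Objects.requireNonNull(deviceCertificateValidator);
    }

    /**
     * Validates a certificate chain presented by a device.
     * <p>
     * The first element of the chain is used as the leaf certificate: its issuer DN selects the
     * tenant, and it is the only certificate passed to the validator. The resulting span is
     * finished on both the success and the failure path.
     *
     * @param certificateArr the chain presented by the device; must not be empty and may only
     *            contain {@link X509Certificate} instances.
     * @param spanContext the span context to use as parent for the verification span, may be
     *            {@code null}.
     * @return a future that is completed with the credentials produced by
     *         {@link #getCredentials(List, TenantObject)} if the certificate could be validated,
     *         or failed with a {@link ClientErrorException} (status 401) otherwise. Failures of
     *         the tenant lookup itself are propagated as-is.
     * @throws NullPointerException if the chain is {@code null}.
     */
    @Override
    public Future<JsonObject> validateClientCertificate(final Certificate[] certificateArr, final SpanContext spanContext) {
        Objects.requireNonNull(certificateArr);

        final Span span = tracer.buildSpan("verify device certificate")
                .asChildOf(spanContext)
                .ignoreActiveSpan()
                .withTag(Tags.SPAN_KIND.getKey(), "client")
                .withTag(Tags.COMPONENT.getKey(), getClass().getSimpleName())
                .start();

        return getX509CertificatePath(certificateArr)
                .compose(chain -> {
                    // getX509CertificatePath guarantees a non-empty chain, so the leaf exists
                    final X509Certificate leaf = chain.get(0);
                    final Map<String, Object> details = new HashMap<>(3);
                    details.put("subject DN", leaf.getSubjectX500Principal().getName());
                    details.put("not before", leaf.getNotBefore().toString());
                    details.put("not after", leaf.getNotAfter().toString());
                    span.log(details);

                    final Future<TenantObject> tenantTracker = getTenant(leaf, span);
                    return tenantTracker
                            .compose(tenant -> {
                                try {
                                    final TrustAnchor trustAnchor = tenant.getTrustAnchor();
                                    // only the leaf is validated; the validator's own failure
                                    // cause is replaced by a generic 401
                                    return certPathValidator
                                            .validate(Collections.singletonList(leaf), trustAnchor)
                                            .recover(t -> Future.failedFuture(UNAUTHORIZED));
                                } catch (final GeneralSecurityException e) {
                                    log.debug("cannot de-serialize trust anchor from tenant: {}", e.getMessage());
                                    return Future.failedFuture(UNAUTHORIZED);
                                }
                            })
                            // tenantTracker has succeeded once this stage runs, so result() is set
                            .compose(ok -> getCredentials(chain, tenantTracker.result()));
                })
                .map(credentials -> {
                    span.log("certificate verified successfully");
                    span.finish();
                    return credentials;
                })
                .recover(t -> {
                    log.debug("verification of client certificate failed: {}", t.getMessage());
                    TracingHelper.logError(span, t);
                    span.finish();
                    return Future.failedFuture(t);
                });
    }

    /**
     * Retrieves the tenant that the given certificate's issuer belongs to.
     *
     * @param x509Certificate the certificate whose issuer DN identifies the tenant.
     * @param span the span whose context is propagated to the Tenant service call.
     * @return a future with the tenant, or failed as reported by the Tenant service client.
     */
    private Future<TenantObject> getTenant(final X509Certificate x509Certificate, final Span span) {
        return tenantServiceClient.getOrCreateTenantClient()
                .compose(tenantClient -> tenantClient.get(x509Certificate.getIssuerX500Principal(), span.context()));
    }

    /**
     * Converts the presented chain into a list of X.509 certificates, preserving order.
     *
     * @param certificateArr the chain presented by the device.
     * @return a future with the converted chain, or failed with {@link #UNAUTHORIZED} if the
     *         chain is empty or contains a certificate that is not an {@link X509Certificate}.
     */
    private Future<List<X509Certificate>> getX509CertificatePath(final Certificate[] certificateArr) {
        // an empty chain must be rejected here; callers rely on chain.get(0) being valid
        if (certificateArr.length == 0) {
            log.debug("cannot authenticate device using empty certificate chain");
            return Future.failedFuture(UNAUTHORIZED);
        }
        final List<X509Certificate> chain = new ArrayList<>(certificateArr.length);
        for (final Certificate cert : certificateArr) {
            if (!(cert instanceof X509Certificate)) {
                log.info("cannot authenticate device using unsupported certificate type [{}]", cert.getClass().getName());
                return Future.failedFuture(UNAUTHORIZED);
            }
            chain.add((X509Certificate) cert);
        }
        return Future.succeededFuture(chain);
    }

    /**
     * Creates the credentials to authenticate a device with, once its certificate has been
     * validated.
     * <p>
     * Subclasses may override this to produce a different credentials representation.
     *
     * @param list the validated chain; the first element is the device's (leaf) certificate.
     * @param tenantObject the tenant the device belongs to.
     * @return a succeeded future with a JSON object holding the leaf certificate's subject DN
     *         (RFC 2253 format) under {@code subject-dn} and the tenant identifier under
     *         {@code tenant-id}.
     */
    protected Future<JsonObject> getCredentials(final List<X509Certificate> list, final TenantObject tenantObject) {
        final String subjectDn = list.get(0).getSubjectX500Principal().getName("RFC2253");
        log.debug("authenticating device of tenant [{}] using X509 certificate [subject DN: {}]", tenantObject.getTenantId(), subjectDn);
        final JsonObject credentials = new JsonObject()
                .put("subject-dn", subjectDn)
                .put("tenant-id", tenantObject.getTenantId());
        return Future.succeededFuture(credentials);
    }
}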
