package org.eclipse.hono.service.auth;

import io.vertx.core.Future;
import io.vertx.core.Handler;
import io.vertx.core.json.JsonObject;
import io.vertx.core.net.NetSocket;
import io.vertx.proton.ProtonConnection;
import io.vertx.proton.sasl.ProtonSaslAuthenticator;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Objects;
import java.util.Optional;
import java.util.function.Consumer;
import javax.net.ssl.SSLPeerUnverifiedException;
import org.apache.qpid.proton.engine.Sasl;
import org.apache.qpid.proton.engine.Transport;
import org.eclipse.hono.auth.HonoUser;
import org.eclipse.hono.client.ServiceInvocationException;
import org.eclipse.hono.client.amqp.connection.AmqpUtils;
import org.eclipse.hono.service.auth.AuthenticationService;
import org.eclipse.hono.util.AuthenticationConstants;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/eclipse/hono/service/auth/HonoSaslAuthenticator.class */
public final class HonoSaslAuthenticator implements ProtonSaslAuthenticator {
    private static final Logger LOG = LoggerFactory.getLogger(HonoSaslAuthenticator.class);
    private final AuthenticationService authenticationService;
    private final Consumer<AuthenticationService.AuthenticationAttemptOutcome> authenticationAttemptMeter;
    private Sasl sasl;
    private boolean succeeded;
    private ProtonConnection protonConnection;
    private X509Certificate clientCertificate;

    public HonoSaslAuthenticator(AuthenticationService authenticationService) {
        this(authenticationService, null);
    }

    public HonoSaslAuthenticator(AuthenticationService authenticationService, Consumer<AuthenticationService.AuthenticationAttemptOutcome> consumer) {
        this.authenticationService = (AuthenticationService) Objects.requireNonNull(authenticationService);
        this.authenticationAttemptMeter = (Consumer) Optional.ofNullable(consumer).orElse(authenticationAttemptOutcome -> {
        });
    }

    public void init(NetSocket netSocket, ProtonConnection protonConnection, Transport transport) {
        LOG.debug("initializing SASL authenticator");
        this.protonConnection = protonConnection;
        this.sasl = transport.sasl();
        this.sasl.server();
        this.sasl.allowSkip(false);
        this.sasl.setMechanisms(this.authenticationService.getSupportedSaslMechanisms());
        if (netSocket.isSsl() && Arrays.asList(this.authenticationService.getSupportedSaslMechanisms()).contains("EXTERNAL")) {
            LOG.debug("client connected using TLS, extracting client certificate chain");
            try {
                Certificate certificate = netSocket.sslSession().getPeerCertificates()[0];
                if (certificate instanceof X509Certificate) {
                    this.clientCertificate = (X509Certificate) certificate;
                }
            } catch (SSLPeerUnverifiedException e) {
                LOG.debug("could not extract client certificate chain, maybe client uses other mechanism than SASL EXTERNAL");
            }
        }
    }

    public void process(Handler<Boolean> handler) {
        String[] remoteMechanisms = this.sasl.getRemoteMechanisms();
        if (remoteMechanisms.length == 0) {
            LOG.debug("client provided an empty list of SASL mechanisms [hostname: {}, state: {}]", this.sasl.getHostname(), this.sasl.getState().name());
            handler.handle(false);
            return;
        }
        String str = remoteMechanisms[0];
        LOG.debug("client wants to authenticate using SASL [mechanism: {}, host: {}, state: {}]", new Object[]{str, this.sasl.getHostname(), this.sasl.getState().name()});
        byte[] bArr = new byte[this.sasl.pending()];
        this.sasl.recv(bArr, 0, bArr.length);
        verify(str, bArr).map(honoUser -> {
            LOG.debug("authentication of client [authorization ID: {}] succeeded", honoUser.getName());
            AmqpUtils.setClientPrincipal(this.protonConnection, honoUser);
            this.succeeded = true;
            return Sasl.SaslOutcome.PN_SASL_OK;
        }).otherwise(th -> {
            int extractStatusCode = ServiceInvocationException.extractStatusCode(th);
            if (th instanceof ServiceInvocationException) {
                LOG.debug("authentication check failed: {} (status {})", th.getMessage(), Integer.valueOf(extractStatusCode));
            } else {
                LOG.debug("authentication check failed (no status code given in exception)", th);
            }
            return handleError(extractStatusCode);
        }).onSuccess(saslOutcome -> {
            LOG.debug("finishing SASL handshake with outcome {}", saslOutcome);
            this.sasl.done(saslOutcome);
        }).onFailure(th2 -> {
            LOG.error("failed to perform STEP of SASL handshake", th2);
            this.sasl.done(Sasl.SaslOutcome.PN_SASL_SYS);
        }).onComplete(asyncResult -> {
            handler.handle(Boolean.TRUE);
        });
    }

    private Sasl.SaslOutcome handleError(int i) {
        Sasl.SaslOutcome saslOutcome;
        switch (i) {
            case 400:
            case 401:
                this.authenticationAttemptMeter.accept(AuthenticationService.AuthenticationAttemptOutcome.UNAUTHORIZED);
                saslOutcome = Sasl.SaslOutcome.PN_SASL_AUTH;
                break;
            case 500:
                this.authenticationAttemptMeter.accept(AuthenticationService.AuthenticationAttemptOutcome.UNAVAILABLE);
                saslOutcome = Sasl.SaslOutcome.PN_SASL_SYS;
                break;
            case 503:
                this.authenticationAttemptMeter.accept(AuthenticationService.AuthenticationAttemptOutcome.UNAVAILABLE);
                saslOutcome = Sasl.SaslOutcome.PN_SASL_TEMP;
                break;
            default:
                if (i >= 400 && i < 500) {
                    this.authenticationAttemptMeter.accept(AuthenticationService.AuthenticationAttemptOutcome.UNAUTHORIZED);
                    saslOutcome = Sasl.SaslOutcome.PN_SASL_PERM;
                    break;
                } else {
                    this.authenticationAttemptMeter.accept(AuthenticationService.AuthenticationAttemptOutcome.UNAVAILABLE);
                    saslOutcome = Sasl.SaslOutcome.PN_SASL_TEMP;
                    break;
                }
        }
        return saslOutcome;
    }

    public boolean succeeded() {
        return this.succeeded;
    }

    private Future<HonoUser> verify(String str, byte[] bArr) {
        JsonObject authenticationRequest = AuthenticationConstants.getAuthenticationRequest(str, bArr);
        if (this.clientCertificate != null) {
            String name = this.clientCertificate.getSubjectX500Principal().getName("RFC2253");
            LOG.debug("client has provided X.509 certificate [subject DN: {}]", name);
            authenticationRequest.put("subject-dn", name);
        }
        return this.authenticationService.authenticate(authenticationRequest);
    }
}
