package com.couchbase.client.core.io.netty.kv;

import com.couchbase.client.core.annotation.Stability;
import com.couchbase.client.core.cnc.events.io.SaslAuthenticationCompletedEvent;
import com.couchbase.client.core.cnc.events.io.SaslAuthenticationFailedEvent;
import com.couchbase.client.core.cnc.events.io.SaslAuthenticationRestartedEvent;
import com.couchbase.client.core.cnc.events.io.SaslMechanismsSelectedEvent;
import com.couchbase.client.core.deps.com.fasterxml.jackson.core.type.TypeReference;
import com.couchbase.client.core.deps.io.netty.buffer.ByteBuf;
import com.couchbase.client.core.deps.io.netty.buffer.Unpooled;
import com.couchbase.client.core.deps.io.netty.channel.ChannelDuplexHandler;
import com.couchbase.client.core.deps.io.netty.channel.ChannelHandlerContext;
import com.couchbase.client.core.deps.io.netty.channel.ChannelPromise;
import com.couchbase.client.core.deps.io.netty.util.ReferenceCountUtil;
import com.couchbase.client.core.diagnostics.AuthenticationStatus;
import com.couchbase.client.core.endpoint.EndpointContext;
import com.couchbase.client.core.env.SaslMechanism;
import com.couchbase.client.core.error.AuthenticationFailureException;
import com.couchbase.client.core.error.context.KeyValueIoErrorContext;
import com.couchbase.client.core.io.IoContext;
import com.couchbase.client.core.io.netty.kv.MemcacheProtocol;
import com.couchbase.client.core.io.netty.kv.sasl.CouchbaseSaslClientFactory;
import com.couchbase.client.core.json.Mapper;
import com.couchbase.client.core.msg.kv.BaseKeyValueRequest;
import com.couchbase.client.core.util.Bytes;
import java.net.SocketAddress;
import java.nio.charset.StandardCharsets;
import java.time.Duration;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.sasl.SaslClient;
import javax.security.sasl.SaslException;

/* loaded from: input_file:com/couchbase/client/core/io/netty/kv/SaslAuthenticationHandler.class */
public class SaslAuthenticationHandler extends ChannelDuplexHandler implements CallbackHandler {
    private static final short STATUS_AUTH_ERROR = 32;
    private static final short STATUS_AUTH_CONTINUE = 33;
    private final Duration timeout;
    private final String username;
    private final String password;
    private final Set<SaslMechanism> allowedMechanisms;
    private final EndpointContext endpointContext;
    private IoContext ioContext;
    private SaslClient saslClient;
    private ChannelPromise interceptedConnectPromise;
    private int roundtripsToGo;

    public SaslAuthenticationHandler(EndpointContext endpointContext, String str, String str2, Set<SaslMechanism> set) {
        this.endpointContext = endpointContext;
        this.username = str;
        this.password = str2;
        this.allowedMechanisms = set;
        this.timeout = endpointContext.environment().timeoutConfig().connectTimeout();
    }

    @Stability.Internal
    public Set<SaslMechanism> allowedMechanisms() {
        return this.allowedMechanisms;
    }

    @Override // com.couchbase.client.core.deps.io.netty.channel.ChannelDuplexHandler, com.couchbase.client.core.deps.io.netty.channel.ChannelOutboundHandler
    public void connect(ChannelHandlerContext channelHandlerContext, SocketAddress socketAddress, SocketAddress socketAddress2, ChannelPromise channelPromise) {
        this.interceptedConnectPromise = channelPromise;
        ChannelPromise newPromise = channelHandlerContext.newPromise();
        newPromise.addListener2(future -> {
            if (future.isSuccess() || this.interceptedConnectPromise.isDone()) {
                return;
            }
            ConnectTimings.record(channelHandlerContext.channel(), getClass());
            this.interceptedConnectPromise.tryFailure(future.cause());
        });
        channelHandlerContext.connect(socketAddress, socketAddress2, newPromise);
    }

    @Override // com.couchbase.client.core.deps.io.netty.channel.ChannelInboundHandlerAdapter, com.couchbase.client.core.deps.io.netty.channel.ChannelInboundHandler
    public void channelActive(ChannelHandlerContext channelHandlerContext) {
        this.ioContext = new IoContext(this.endpointContext, channelHandlerContext.channel().localAddress(), channelHandlerContext.channel().remoteAddress(), this.endpointContext.bucket());
        channelHandlerContext.executor().schedule(() -> {
            if (this.interceptedConnectPromise.isDone()) {
                return;
            }
            ConnectTimings.stop(channelHandlerContext.channel(), getClass(), true);
            this.interceptedConnectPromise.tryFailure(new TimeoutException("KV SASL Negotiation timed out after " + this.timeout.toMillis() + "ms"));
        }, this.timeout.toNanos(), TimeUnit.NANOSECONDS);
        ConnectTimings.start(channelHandlerContext.channel(), getClass());
        startAuthSequence(channelHandlerContext, this.allowedMechanisms);
    }

    private void startAuthSequence(ChannelHandlerContext channelHandlerContext, Set<SaslMechanism> set) {
        try {
            this.saslClient = createSaslClient(set);
            SaslMechanism from = SaslMechanism.from(this.saslClient.getMechanismName());
            this.roundtripsToGo = from.roundtrips();
            this.endpointContext.environment().eventBus().publish(new SaslMechanismsSelectedEvent(this.ioContext, set, from));
            channelHandlerContext.writeAndFlush(buildAuthRequest(channelHandlerContext));
            maybePropagateChannelActive(channelHandlerContext);
        } catch (SaslException e) {
            failConnect(channelHandlerContext, "SASL Client could not be constructed", null, e, (short) 0);
        }
    }

    private void maybePropagateChannelActive(ChannelHandlerContext channelHandlerContext) {
        if (this.roundtripsToGo == 1) {
            channelHandlerContext.fireChannelActive();
        }
    }

    @Override // com.couchbase.client.core.deps.io.netty.channel.ChannelInboundHandlerAdapter, com.couchbase.client.core.deps.io.netty.channel.ChannelInboundHandler
    public void channelRead(ChannelHandlerContext channelHandlerContext, Object obj) {
        if (obj instanceof ByteBuf) {
            ByteBuf byteBuf = (ByteBuf) obj;
            this.roundtripsToGo--;
            if (MemcacheProtocol.successful(byteBuf) || MemcacheProtocol.status(byteBuf) == 33) {
                byte opcode = MemcacheProtocol.opcode(byteBuf);
                try {
                    if (MemcacheProtocol.Opcode.SASL_AUTH.opcode() == opcode) {
                        handleAuthResponse(channelHandlerContext, (ByteBuf) obj);
                    } else if (MemcacheProtocol.Opcode.SASL_STEP.opcode() == opcode) {
                        completeAuth(channelHandlerContext, (ByteBuf) obj);
                    }
                } catch (Exception e) {
                    failConnect(channelHandlerContext, "Unexpected error during SASL auth", byteBuf, e, MemcacheProtocol.status(byteBuf));
                }
            } else if (32 == MemcacheProtocol.status(byteBuf)) {
                maybeFailConnect(channelHandlerContext, "Authentication Failure - Potential causes: invalid credentials or if LDAP is enabled ensure PLAIN SASL mechanism is exclusively used on the PasswordAuthenticator (insecure) or TLS is used (recommended)", byteBuf, null, MemcacheProtocol.status(byteBuf));
            } else {
                failConnect(channelHandlerContext, "Unexpected Status 0x" + Integer.toHexString(MemcacheProtocol.status(byteBuf)) + " during SASL auth", byteBuf, null, MemcacheProtocol.status(byteBuf));
            }
        } else {
            failConnect(channelHandlerContext, "Unexpected response type on channel read, this is a bug - please report. " + obj, null, null, (short) 0);
        }
        ReferenceCountUtil.release(obj);
    }

    private void maybeFailConnect(ChannelHandlerContext channelHandlerContext, String str, ByteBuf byteBuf, Throwable th, short s) {
        SaslMechanism from = SaslMechanism.from(this.saslClient.getMechanismName());
        Set set = (Set) channelHandlerContext.channel().attr(ChannelAttributes.SASL_MECHS_KEY).get();
        if (set.contains(from)) {
            failConnect(channelHandlerContext, str, byteBuf, th, s);
            return;
        }
        Stream<SaslMechanism> stream = this.allowedMechanisms.stream();
        Objects.requireNonNull(set);
        Set<SaslMechanism> set2 = (Set) stream.filter((v1) -> {
            return r1.contains(v1);
        }).collect(Collectors.toSet());
        if (set2.isEmpty()) {
            failConnect(channelHandlerContext, "Could not negotiate SASL mechanism with server. If you are using LDAP you must eitherconnect via TLS (recommended), or ONLY enable PLAIN in the allowed SASL mechanisms list on the PasswordAuthenticator(this is insecure and will present the user credentials in plain-text over the wire).", byteBuf, th, s);
        } else {
            this.ioContext.environment().eventBus().publish(new SaslAuthenticationRestartedEvent(this.ioContext));
            startAuthSequence(channelHandlerContext, set2);
        }
    }

    private ByteBuf buildAuthRequest(ChannelHandlerContext channelHandlerContext) throws SaslException {
        byte[] evaluateChallenge = this.saslClient.hasInitialResponse() ? this.saslClient.evaluateChallenge(Bytes.EMPTY_BYTE_ARRAY) : null;
        ByteBuf writeBytes = evaluateChallenge != null ? channelHandlerContext.alloc().buffer().writeBytes(evaluateChallenge) : Unpooled.EMPTY_BUFFER;
        ByteBuf copiedBuffer = Unpooled.copiedBuffer(this.saslClient.getMechanismName(), StandardCharsets.UTF_8);
        ByteBuf request = MemcacheProtocol.request(channelHandlerContext.alloc(), MemcacheProtocol.Opcode.SASL_AUTH, MemcacheProtocol.noDatatype(), MemcacheProtocol.noPartition(), BaseKeyValueRequest.nextOpaque(), MemcacheProtocol.noCas(), MemcacheProtocol.noExtras(), copiedBuffer, writeBytes);
        copiedBuffer.release();
        writeBytes.release();
        return request;
    }

    private SaslClient createSaslClient(Set<SaslMechanism> set) throws SaslException {
        SaslClient createSaslClient = new CouchbaseSaslClientFactory().createSaslClient((String[]) set.stream().map((v0) -> {
            return v0.mech();
        }).toArray(i -> {
            return new String[i];
        }), null, "couchbase", this.ioContext.remoteSocket().toString(), null, this);
        if (createSaslClient == null) {
            throw new SaslException("Failed to create SASL client for any of " + set);
        }
        return createSaslClient;
    }

    private void handleAuthResponse(ChannelHandlerContext channelHandlerContext, ByteBuf byteBuf) throws SaslException {
        if (this.saslClient.isComplete()) {
            completeAuth(channelHandlerContext, byteBuf);
            return;
        }
        try {
            byte[] evaluateChallenge = this.saslClient.evaluateChallenge(MemcacheProtocol.bodyAsBytes(byteBuf));
            if (evaluateChallenge == null || evaluateChallenge.length <= 0) {
                throw new SaslException("Evaluation returned empty payload, this is unexpected!");
            }
            channelHandlerContext.writeAndFlush(buildStepRequest(channelHandlerContext, evaluateChallenge));
            maybePropagateChannelActive(channelHandlerContext);
        } catch (SaslException e) {
            failConnect(channelHandlerContext, "Failure while evaluating SASL Auth Response.", byteBuf, e, MemcacheProtocol.status(byteBuf));
        }
    }

    private ByteBuf buildStepRequest(ChannelHandlerContext channelHandlerContext, byte[] bArr) {
        String mechanismName = this.saslClient.getMechanismName();
        ByteBuf wrappedBuffer = Unpooled.wrappedBuffer(bArr);
        ByteBuf copiedBuffer = Unpooled.copiedBuffer(mechanismName, StandardCharsets.UTF_8);
        ByteBuf request = MemcacheProtocol.request(channelHandlerContext.alloc(), MemcacheProtocol.Opcode.SASL_STEP, MemcacheProtocol.noDatatype(), MemcacheProtocol.noPartition(), BaseKeyValueRequest.nextOpaque(), MemcacheProtocol.noCas(), MemcacheProtocol.noExtras(), copiedBuffer, wrappedBuffer);
        copiedBuffer.release();
        wrappedBuffer.release();
        return request;
    }

    private void completeAuth(ChannelHandlerContext channelHandlerContext, ByteBuf byteBuf) throws SaslException {
        if (!this.saslClient.isComplete()) {
            this.saslClient.evaluateChallenge(MemcacheProtocol.bodyAsBytes(byteBuf));
            if (!this.saslClient.isComplete()) {
                throw new SaslException("Incomplete SASL exchange");
            }
        }
        Optional<Duration> stop = ConnectTimings.stop(channelHandlerContext.channel(), getClass(), false);
        this.endpointContext.authenticationStatus(AuthenticationStatus.SUCCEEDED);
        this.endpointContext.environment().eventBus().publish(new SaslAuthenticationCompletedEvent(stop.orElse(Duration.ZERO), this.ioContext));
        this.interceptedConnectPromise.trySuccess();
        channelHandlerContext.pipeline().remove(this);
    }

    private void failConnect(ChannelHandlerContext channelHandlerContext, String str, ByteBuf byteBuf, Throwable th, short s) {
        Optional<Duration> stop = ConnectTimings.stop(channelHandlerContext.channel(), getClass(), false);
        byte[] bArr = Bytes.EMPTY_BYTE_ARRAY;
        Map map = null;
        if (byteBuf != null) {
            if (MemcacheProtocol.verifyResponse(byteBuf)) {
                byte[] bodyAsBytes = MemcacheProtocol.bodyAsBytes(byteBuf);
                if (bodyAsBytes.length != 0) {
                    try {
                        map = (Map) Mapper.decodeInto(bodyAsBytes, new TypeReference<Map<String, Object>>() { // from class: com.couchbase.client.core.io.netty.kv.SaslAuthenticationHandler.1
                        });
                    } catch (Exception e) {
                    }
                }
            } else {
                int readerIndex = byteBuf.readerIndex();
                byteBuf.readerIndex(byteBuf.writerIndex());
                bArr = new byte[byteBuf.readableBytes()];
                byteBuf.readBytes(bArr);
                byteBuf.readerIndex(readerIndex);
            }
        }
        KeyValueIoErrorContext keyValueIoErrorContext = new KeyValueIoErrorContext(MemcacheProtocol.decodeStatus(s), this.endpointContext, map);
        this.endpointContext.authenticationStatus(AuthenticationStatus.FAILED);
        this.endpointContext.environment().eventBus().publish(new SaslAuthenticationFailedEvent(stop.orElse(Duration.ZERO), keyValueIoErrorContext, str, bArr));
        this.interceptedConnectPromise.tryFailure(new AuthenticationFailureException(str, keyValueIoErrorContext, th));
        channelHandlerContext.pipeline().remove(this);
    }

    @Override // javax.security.auth.callback.CallbackHandler
    public void handle(Callback[] callbackArr) throws UnsupportedCallbackException {
        for (Callback callback : callbackArr) {
            if (callback instanceof NameCallback) {
                ((NameCallback) callback).setName(this.username);
            } else {
                if (!(callback instanceof PasswordCallback)) {
                    throw new UnsupportedCallbackException(callback, "Unexpected/Unsupported Callback");
                }
                ((PasswordCallback) callback).setPassword(this.password.toCharArray());
            }
        }
    }
}
