package org.ow2.petals.bc.gateway.commons.handlers;

import io.netty.channel.Channel;
import io.netty.channel.ChannelHandler;
import io.netty.channel.ChannelHandlerContext;
import io.netty.channel.SimpleChannelInboundHandler;
import io.netty.handler.codec.DecoderException;
import io.netty.handler.logging.LogLevel;
import io.netty.handler.logging.LoggingHandler;
import io.netty.handler.ssl.ClientAuth;
import io.netty.handler.ssl.IdentityCipherSuiteFilter;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.SslHandler;
import io.netty.handler.ssl.SslProvider;
import io.netty.util.concurrent.Future;
import io.netty.util.concurrent.FutureListener;
import java.io.Serializable;
import java.util.logging.Logger;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLHandshakeException;
import org.eclipse.jdt.annotation.Nullable;
import org.ow2.petals.bc.gateway.commons.AbstractDomain;
import org.ow2.petals.bc.gateway.inbound.ConsumerDomain;
import org.ow2.petals.bc.gateway.jbidescriptor.generated.JbiConsumerDomain;
import org.ow2.petals.bc.gateway.jbidescriptor.generated.JbiProviderDomain;
import org.ow2.petals.bc.gateway.outbound.ProviderDomain;
import org.ow2.petals.bc.gateway.utils.JbiGatewayJBIHelper;
import org.ow2.petals.commons.log.Level;
import org.ow2.petals.component.framework.su.ServiceUnitDataHandler;
import org.ow2.petals.component.framework.util.ServiceUnitUtil;

/* loaded from: input_file:org/ow2/petals/bc/gateway/commons/handlers/AuthenticatorSSLHandler.class */
/**
 * Netty inbound handler implementing the gateway's application-level authentication exchange
 * that takes place on a transport connection before TLS is set up.
 * <p>
 * The same class serves both ends of a connection, selected by the constructor used:
 * <ul>
 *   <li>provider side ({@code pdOrAuth.isA()}, the connecting side): on {@link #channelActive} it
 *       sends an {@link AuthRequest} announcing its auth name and the TLS mode implied by its
 *       configuration, then waits for an {@link AuthAccept} or an {@link AuthRefuse};</li>
 *   <li>consumer side ({@code pdOrAuth.isB()}, the accepting side): on receiving an
 *       {@link AuthRequest} it resolves the auth name through the {@link ConsumerAuthenticator},
 *       checks that the announced TLS mode matches the consumer domain's certificate
 *       configuration, and answers with {@link AuthAccept} or {@link AuthRefuse}.</li>
 * </ul>
 * Once both sides agree, {@link #setUpHandlers} installs the SSL handler (if any), domain-specific
 * logging handlers and, once the TLS handshake succeeds, the domain handler built by {@link #dhb}.
 * <p>
 * Security notes: the {@link AuthMessage} exchange itself travels in clear; the auth name only
 * selects a domain, and the peer is authenticated by the TLS handshake that follows (on the
 * consumer side a client certificate is required only when a remote certificate is configured).
 * {@link AuthMessage} extends {@link Serializable}; the wire codec is not in this file —
 * NOTE(review): verify that it restricts which classes may be deserialized from the network.
 * <p>
 * This is decompiled source (JADX): the {@code $assertionsDisabled} checks are the compiled
 * expansion of {@code assert} statements and the branch structure of {@link #channelRead0} has
 * been inverted by the decompiler.
 */
public class AuthenticatorSSLHandler extends SimpleChannelInboundHandler<AuthMessage> {
    // A = provider (client) side, B = consumer (server) side; fixed by the constructor used.
    private final JbiGatewayJBIHelper.Either<ProviderDomain, ConsumerAuthenticator> pdOrAuth;
    // Not final: on the consumer side it is replaced by a per-domain child logger once the auth
    // name has been resolved (see channelRead0).
    private Logger logger;
    // Builds the handler that replaces HandlerConstants.DOMAIN_HANDLER once authentication (and the
    // TLS handshake, when there is one) is complete.
    private final DomainHandlerBuilder<AbstractDomain> dhb;
    // Decompiler artifact: the flag javac generates for `assert`.
    static final /* synthetic */ boolean $assertionsDisabled;

    /**
     * Positive answer sent by the consumer side: authentication exchange done, TLS (if any) may
     * start.
     */
    public static class AuthAccept implements AuthMessage {
        private static final long serialVersionUID = 511548153508643571L;

        AuthAccept() {
        }
    }

    /** Marker for the messages exchanged during the authentication phase. */
    interface AuthMessage extends Serializable {
    }

    /**
     * Negative answer sent by the consumer side; the connection is closed right after it.
     */
    public static class AuthRefuse implements AuthMessage {
        private static final long serialVersionUID = 689355936708210289L;
        // Human-readable reason, logged as-is on the provider side.
        public final String message;

        public AuthRefuse(String str) {
            this.message = str;
        }
    }

    /**
     * First message, sent by the provider side: the auth name to look up on the consumer side and
     * the TLS mode the provider's configuration implies.
     */
    public static class AuthRequest implements AuthMessage {
        private static final long serialVersionUID = -5247784429778231571L;
        public final String authName;
        public final SSLType sslType;

        public AuthRequest(String str, SSLType sSLType) {
            this.authName = str;
            this.sslType = sSLType;
        }
    }

    /** Resolves an auth name to a consumer domain on the consumer side. */
    public interface ConsumerAuthenticator {
        /**
         * @param str the auth name announced by the remote provider
         * @return the matching consumer domain, or {@code null} if the name is unknown
         */
        @Nullable
        ConsumerDomain authenticate(String str);
    }

    /** Factory for the per-domain channel handler installed once authentication is complete. */
    public interface DomainHandlerBuilder<T extends AbstractDomain> {
        ChannelHandler build(T t);
    }

    /**
     * TLS mode announced in an {@link AuthRequest}: no TLS, server authentication only, or mutual
     * (server and client certificates) authentication.
     */
    public enum SSLType {
        NONE,
        SERVER,
        CLIENTSERVER
    }

    /**
     * Provider-side (connecting) handler.
     *
     * @param providerDomain the domain whose descriptor supplies auth name and certificates
     * @param logger base logger
     * @param domainHandlerBuilder builds the domain handler installed after authentication
     */
    public AuthenticatorSSLHandler(ProviderDomain providerDomain, Logger logger, DomainHandlerBuilder<ProviderDomain> domainHandlerBuilder) {
        this((JbiGatewayJBIHelper.Either<ProviderDomain, ConsumerAuthenticator>) JbiGatewayJBIHelper.Either.ofA(providerDomain), logger, domainHandlerBuilder);
    }

    /**
     * Consumer-side (accepting) handler.
     *
     * @param consumerAuthenticator resolves the auth name received from the provider
     * @param logger base logger; replaced by a per-domain child logger after authentication
     * @param domainHandlerBuilder builds the domain handler installed after authentication
     */
    public AuthenticatorSSLHandler(ConsumerAuthenticator consumerAuthenticator, Logger logger, DomainHandlerBuilder<ConsumerDomain> domainHandlerBuilder) {
        this((JbiGatewayJBIHelper.Either<ProviderDomain, ConsumerAuthenticator>) JbiGatewayJBIHelper.Either.ofB(consumerAuthenticator), logger, domainHandlerBuilder);
    }

    // The wildcard builder is stored into the AbstractDomain-typed field; the decompiler lost the
    // original cast.
    private AuthenticatorSSLHandler(JbiGatewayJBIHelper.Either<ProviderDomain, ConsumerAuthenticator> either, Logger logger, DomainHandlerBuilder<? extends AbstractDomain> domainHandlerBuilder) {
        this.dhb = domainHandlerBuilder;
        this.pdOrAuth = either;
        this.logger = logger;
    }

    /**
     * On the provider side, opens the exchange by sending an {@link AuthRequest}; the consumer side
     * only waits. The event is then propagated down the pipeline either way.
     *
     * @param channelHandlerContext never {@code null} in practice (asserted)
     */
    public void channelActive(@Nullable ChannelHandlerContext channelHandlerContext) throws Exception {
        if (!$assertionsDisabled && channelHandlerContext == null) {
            throw new AssertionError();
        }
        if (this.pdOrAuth.isA()) {
            JbiProviderDomain jpd = this.pdOrAuth.getA().getJPD();
            String remoteCertificate = jpd.getRemoteCertificate();
            // z: we have our own certificate and key (client authentication possible);
            // z2: we know the remote certificate (server authentication possible).
            boolean z = (jpd.getCertificate() == null || jpd.getKey() == null) ? false : true;
            boolean z2 = remoteCertificate != null;
            String remoteAuthName = jpd.getRemoteAuthName();
            if (!$assertionsDisabled && remoteAuthName == null) {
                throw new AssertionError();
            }
            // NOTE(review): certificate+key without a remote certificate announces CLIENTSERVER,
            // yet setUpHandlers installs no SslHandler on this side unless a remote certificate is
            // configured; presumably ruled out by descriptor validation — confirm.
            AuthRequest authRequest = new AuthRequest(remoteAuthName, z ? SSLType.CLIENTSERVER : z2 ? SSLType.SERVER : SSLType.NONE);
            if (this.logger.isLoggable(Level.FINE)) {
                this.logger.fine("Sending an AuthRequest (" + channelHandlerContext.channel().remoteAddress() + ") for auth name " + authRequest.authName + " and type " + authRequest.sslType);
            }
            // The write future is not inspected; a failed write surfaces only through the pipeline's
            // error logging handler, if at all.
            channelHandlerContext.writeAndFlush(authRequest);
        }
        channelHandlerContext.fireChannelActive();
    }

    /**
     * TLS handshake failures (SslHandler is a decoder, so they arrive wrapped in a
     * {@link DecoderException}) are logged at FINE only and not propagated: the handshake-future
     * listener registered in {@link #setUpHandlers} already logs them at WARNING and closes the
     * channel. Everything else goes on to the next handler.
     */
    public void exceptionCaught(@Nullable ChannelHandlerContext channelHandlerContext, @Nullable Throwable th) throws Exception {
        if (!(th instanceof DecoderException) || !(th.getCause() instanceof SSLHandshakeException)) {
            super.exceptionCaught(channelHandlerContext, th);
        } else if (this.logger.isLoggable(Level.FINE)) {
            this.logger.log(Level.FINE, "TLS handshake exception", th);
        }
    }

    /**
     * Handles the three message types according to this handler's side:
     * <ul>
     *   <li>consumer side + {@link AuthRequest}: resolve the auth name, check the announced TLS
     *       mode against the domain's certificates, then accept (via {@link #setUpHandlers}) or
     *       refuse and close;</li>
     *   <li>provider side + {@link AuthAccept}: set up handlers;</li>
     *   <li>provider side + {@link AuthRefuse}: log at SEVERE and close;</li>
     *   <li>any other combination (a peer sending a message that does not fit our role): throw
     *       {@link IllegalArgumentException}, which reaches {@link #exceptionCaught} and is passed
     *       down the pipeline; this handler does not close the channel itself in that case.</li>
     * </ul>
     * The decompiler inverted the original conditions: the consumer-side AuthRequest path is the
     * code after the first big {@code if} block.
     *
     * @throws SSLException from {@link #setUpHandlers} when the SSL context cannot be built
     */
    public void channelRead0(@Nullable ChannelHandlerContext channelHandlerContext, @Nullable AuthMessage authMessage) throws Exception {
        if (!$assertionsDisabled && channelHandlerContext == null) {
            throw new AssertionError();
        }
        if (!$assertionsDisabled && authMessage == null) {
            throw new AssertionError();
        }
        if (!this.pdOrAuth.isB() || !(authMessage instanceof AuthRequest)) {
            // Provider side: the consumer accepted, install SSL (if configured) and domain handlers.
            if (this.pdOrAuth.isA() && (authMessage instanceof AuthAccept)) {
                ProviderDomain a = this.pdOrAuth.getA();
                if (this.logger.isLoggable(Level.FINE)) {
                    this.logger.fine("Received (" + channelHandlerContext.channel().remoteAddress() + ") an AuthAccept");
                }
                JbiProviderDomain jpd = a.getJPD();
                setUpHandlers(channelHandlerContext, a, jpd.getCertificate(), jpd.getKey(), jpd.getPassphrase(), jpd.getRemoteCertificate());
                return;
            }
            if (!this.pdOrAuth.isA() || !(authMessage instanceof AuthRefuse)) {
                throw new IllegalArgumentException("Impossible case: client=" + this.pdOrAuth.isA() + " and msg type is " + authMessage.getClass().getName());
            }
            // Provider side: refused. The reason comes from the remote peer and is logged verbatim.
            this.logger.severe("Can't connect to the provider domain " + this.pdOrAuth.getA().getId() + " (server said: " + ((AuthRefuse) authMessage).message + "): fix the problem and either stop/start the component, undeploy/deploy the SU or fix/reload the placeholders if it applies");
            channelHandlerContext.close();
            return;
        }
        // Consumer side: an AuthRequest from a not-yet-authenticated peer.
        AuthRequest authRequest = (AuthRequest) authMessage;
        ConsumerAuthenticator b = this.pdOrAuth.getB();
        if (this.logger.isLoggable(Level.FINE)) {
            this.logger.fine("Received (" + channelHandlerContext.channel().remoteAddress() + ") an AuthRequest for auth name " + authRequest.authName + " and type " + authRequest.sslType);
        }
        ConsumerDomain authenticate = b.authenticate(authRequest.authName);
        if (authenticate == null) {
            if (this.logger.isLoggable(Level.FINE)) {
                this.logger.fine("Sending (" + channelHandlerContext.channel().remoteAddress() + ") an AuthRefuse because I don't know the auth name " + authRequest.authName);
            }
            // NOTE(review): close() right after writeAndFlush() may discard the refusal if the write
            // is still pending; the usual idiom is to close from the write future's listener.
            channelHandlerContext.writeAndFlush(new AuthRefuse("unknown auth-name '" + authRequest.authName + "'"));
            channelHandlerContext.close();
            return;
        }
        // From here on, log under a child logger named after the resolved domain.
        this.logger = Logger.getLogger(this.logger.getName() + "." + authenticate.getId());
        JbiConsumerDomain jcd = authenticate.getJCD();
        String certificate = jcd.getCertificate();
        String remoteCertificate = jcd.getRemoteCertificate();
        // z: this domain has a server certificate; z2: it also knows the client's certificate.
        boolean z = certificate != null;
        boolean z2 = remoteCertificate != null;
        // Refusal reason, or null when the announced TLS mode matches our configuration:
        //   server + client certificates -> CLIENTSERVER required
        //   server certificate only      -> SERVER required
        //   no certificate               -> NONE required
        // A remote certificate without a server certificate is not rejected here (and is unused by
        // setUpHandlers on this side); presumably caught at SU deployment time — confirm.
        String str = null;
        if (z) {
            if (z2) {
                if (authRequest.sslType != SSLType.CLIENTSERVER) {
                    str = "expecting server and client certificates";
                }
            } else if (authRequest.sslType == SSLType.NONE) {
                str = "expecting a server certificate";
            } else if (authRequest.sslType == SSLType.CLIENTSERVER) {
                str = "expecting only a server certificate";
            }
        } else if (authRequest.sslType != SSLType.NONE) {
            str = "expecting a server certificate";
        }
        if (str == null) {
            setUpHandlers(channelHandlerContext, authenticate, certificate, jcd.getKey(), jcd.getPassphrase(), remoteCertificate);
            return;
        }
        if (this.logger.isLoggable(Level.FINE)) {
            this.logger.fine("Sending (" + channelHandlerContext.channel().remoteAddress() + ") an AuthRefuse because I'm " + str);
        }
        // Same write-then-close pattern as above (see NOTE(review) there).
        channelHandlerContext.writeAndFlush(new AuthRefuse(str));
        channelHandlerContext.close();
    }

    /**
     * Finishes the set-up of an authenticated connection: builds the SslHandler for this side (if
     * the configuration calls for one), swaps the generic logging handlers for domain-named ones,
     * sends the {@link AuthAccept} on the consumer side, and installs the domain handler — right
     * away when there is no TLS, otherwise only once the handshake has succeeded.
     * <p>
     * All certificate, key and trust material is read from files resolved against the service
     * unit's install root.
     *
     * @param channelHandlerContext the channel being set up
     * @param abstractDomain the authenticated domain (provider or consumer)
     * @param str our certificate file, or {@code null}
     * @param str2 our private key file, or {@code null}
     * @param str3 passphrase of the private key, or {@code null}
     * @param str4 the peer's certificate file, or {@code null}
     * @throws SSLException if the SSL context cannot be built
     */
    private void setUpHandlers(final ChannelHandlerContext channelHandlerContext, final AbstractDomain abstractDomain, @Nullable String str, @Nullable String str2, @Nullable String str3, @Nullable String str4) throws SSLException {
        SslHandler sslHandler;
        if (this.pdOrAuth.isB() && str != null && str2 != null) {
            // Consumer side: server-mode TLS with our certificate/key. A null cipher list with
            // IdentityCipherSuiteFilter keeps the provider's default suites unfiltered; the 0
            // session cache size/timeout are Netty's "use defaults" values — TODO confirm for the
            // Netty version in use.
            ServiceUnitDataHandler sUHandler = abstractDomain.getSUHandler();
            SslContextBuilder sessionTimeout = SslContextBuilder.forServer(ServiceUnitUtil.getFile(sUHandler.getInstallRoot(), str), ServiceUnitUtil.getFile(sUHandler.getInstallRoot(), str2), str3).sslProvider(SslProvider.JDK).ciphers((Iterable) null, IdentityCipherSuiteFilter.INSTANCE).sessionCacheSize(0L).sessionTimeout(0L);
            if (str4 != null) {
                // Mutual TLS: the client must present the configured remote certificate.
                sessionTimeout.trustManager(ServiceUnitUtil.getFile(sUHandler.getInstallRoot(), str4)).clientAuth(ClientAuth.REQUIRE);
            }
            // startTls = true: the first outbound write (the AuthAccept sent below) leaves in clear,
            // everything after it is encrypted. The peer starts its own handshake only after
            // receiving the AuthAccept (see channelRead0).
            sslHandler = new SslHandler(sessionTimeout.build().newEngine(channelHandlerContext.alloc()), true);
        } else if (!this.pdOrAuth.isA() || str4 == null) {
            // No TLS on this side: consumer without certificate/key, or provider without a remote
            // certificate to trust.
            sslHandler = null;
        } else {
            // Provider side: client-mode TLS trusting exactly the configured remote certificate.
            // NOTE(review): no endpoint identification (hostname verification) is configured here;
            // trust rests on the pinned certificate file — confirm that is the intended model.
            String installRoot = abstractDomain.getSUHandler().getInstallRoot();
            SslContextBuilder sessionTimeout2 = SslContextBuilder.forClient().sslProvider(SslProvider.JDK).trustManager(ServiceUnitUtil.getFile(installRoot, str4)).ciphers((Iterable) null, IdentityCipherSuiteFilter.INSTANCE).sessionCacheSize(0L).sessionTimeout(0L);
            if (str != null && str2 != null) {
                // Present our own certificate when the consumer requires client authentication.
                sessionTimeout2.keyManager(ServiceUnitUtil.getFile(installRoot, str), ServiceUnitUtil.getFile(installRoot, str2), str3);
            }
            sslHandler = sessionTimeout2.build().newHandler(channelHandlerContext.alloc());
        }
        // Re-home the pipeline's logging handlers under the domain-specific logger name.
        String name = this.logger.getName();
        channelHandlerContext.pipeline().replace(HandlerConstants.LOG_DEBUG_HANDLER, HandlerConstants.LOG_DEBUG_HANDLER, new LoggingHandler(name, LogLevel.TRACE));
        channelHandlerContext.pipeline().replace(HandlerConstants.LOG_ERRORS_HANDLER, HandlerConstants.LOG_ERRORS_HANDLER, new LastLoggingHandler(name + ".errors"));
        if (sslHandler != null) {
            // The listener is registered before the handler joins the pipeline, so a handshake that
            // completes quickly cannot be missed.
            sslHandler.handshakeFuture().addListener(new FutureListener<Channel>() { // from class: org.ow2.petals.bc.gateway.commons.handlers.AuthenticatorSSLHandler.1
                static final /* synthetic */ boolean $assertionsDisabled;

                /**
                 * Handshake done: install the domain handler on success, otherwise log at WARNING
                 * (cause only, not the full stack) and close the channel.
                 */
                public void operationComplete(@Nullable Future<Channel> future) throws Exception {
                    if (!$assertionsDisabled && future == null) {
                        throw new AssertionError();
                    }
                    if (future.isSuccess()) {
                        channelHandlerContext.pipeline().replace(HandlerConstants.DOMAIN_HANDLER, HandlerConstants.DOMAIN_HANDLER, AuthenticatorSSLHandler.this.dhb.build(abstractDomain));
                        return;
                    }
                    if (AuthenticatorSSLHandler.this.logger.isLoggable(Level.WARNING)) {
                        AuthenticatorSSLHandler.this.logger.log(Level.WARNING, "TLS handshake failed for " + (AuthenticatorSSLHandler.this.pdOrAuth.isA() ? "provider" : "consumer") + " domain " + abstractDomain.getId() + " (" + channelHandlerContext.channel().remoteAddress() + "): " + future.cause());
                    }
                    channelHandlerContext.close();
                }

                static {
                    $assertionsDisabled = !AuthenticatorSSLHandler.class.desiredAssertionStatus();
                }
            });
            // Adding the handler is what triggers the handshake on the client side.
            channelHandlerContext.pipeline().addAfter(HandlerConstants.LOG_DEBUG_HANDLER, HandlerConstants.SSL_HANDLER, sslHandler);
        }
        if (this.pdOrAuth.isB()) {
            // Consumer side: tell the provider it may proceed (in clear, see startTls above).
            if (this.logger.isLoggable(Level.FINE)) {
                this.logger.fine("Sending an Accept (" + channelHandlerContext.channel().remoteAddress() + ")");
            }
            channelHandlerContext.writeAndFlush(new AuthAccept());
        }
        if (sslHandler == null) {
            // No handshake to wait for: the domain handler takes over immediately. DOMAIN_HANDLER is
            // presumably a placeholder (or this handler itself) — not visible from this file.
            channelHandlerContext.pipeline().replace(HandlerConstants.DOMAIN_HANDLER, HandlerConstants.DOMAIN_HANDLER, this.dhb.build(abstractDomain));
        }
    }

    static {
        $assertionsDisabled = !AuthenticatorSSLHandler.class.desiredAssertionStatus();
    }
}
