package tigase.auth;

import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Objects;
import java.util.logging.Level;
import java.util.logging.Logger;
import java.util.stream.Stream;
import javax.security.sasl.SaslServerFactory;
import tigase.auth.mechanisms.SaslANONYMOUS;
import tigase.auth.mechanisms.SaslEXTERNAL;
import tigase.auth.mechanisms.SaslSCRAMPlus;
import tigase.auth.mechanisms.TigaseSaslServerFactory;
import tigase.cert.CertificateUtil;
import tigase.db.AuthRepository;
import tigase.kernel.beans.Bean;
import tigase.kernel.beans.Inject;
import tigase.kernel.beans.config.ConfigField;
import tigase.vhosts.VHostItem;
import tigase.xmpp.XMPPResourceConnection;

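/**
 * Decides which SASL mechanisms are advertised to a connecting XMPP session.
 *
 * <p>A mechanism is offered only when it passes both {@link #match} (transport and
 * mechanism-specific preconditions) and {@link #isAllowedForDomain} (allow-lists).
 *
 * <p>Security notes for operators and reviewers:
 * <ul>
 *   <li>The allow-lists fail open: when neither the virtual host nor {@code allowed-mechanisms}
 *       names any mechanism, every mechanism that passes {@link #match} is advertised,
 *       including {@code PLAIN}.</li>
 *   <li>Mechanisms are withheld on unencrypted connections only when the session reports
 *       {@code isTlsRequired()}; otherwise they are offered over cleartext as well.</li>
 *   <li>This class only filters what is advertised. NOTE(review): confirm that the SASL
 *       negotiation path rejects a mechanism the client requests without it having been
 *       advertised.</li>
 * </ul>
 */
@Bean(name = "mechanism-selector", parent = TigaseSaslProvider.class, active = true)
/* loaded from: input_file:tigase/auth/DefaultMechanismSelector.class */
public class DefaultMechanismSelector implements MechanismSelector {
    private static final Logger log = Logger.getLogger(DefaultMechanismSelector.class.getName());

    // Global allow-list, consulted only when the virtual host defines none. Empty means "no restriction".
    @ConfigField(desc = "List of allowed SASL mechanisms", alias = "allowed-mechanisms")
    private HashSet<String> allowedMechanisms = new HashSet<>();

    // Populated with defaults in the constructor; no method of this class reads it.
    // NOTE(review): presumably consumed through the configuration framework - confirm.
    @ConfigField(desc = "List of SASL mechanisms allowed with non-plain password stored in authentication repository", alias = "non-plain-password-allowed-mechanisms")
    private HashSet<String> allowedMechanismsWithNonPlainPasswordInRepository = new HashSet<>();

    // When true, SCRAM-*-PLUS (channel-binding) variants are never advertised.
    @ConfigField(desc = "Disable SCRAM -PLUS mechanisms")
    private boolean disableScramPlus = false;

    @Inject
    private AuthRepository authRepository;

    /**
     * Seeds the non-plain-password allow-list with ANONYMOUS, PLAIN and EXTERNAL.
     */
    public DefaultMechanismSelector() {
        // The decompiled lambda referenced an undefined receiver; the target is this set.
        Stream.of(SaslANONYMOUS.NAME, "PLAIN", SaslEXTERNAL.NAME)
                .forEach(this.allowedMechanismsWithNonPlainPasswordInRepository::add);
    }

    /**
     * Collects, in factory order and without duplicates, the mechanism names that may be
     * advertised to the given session.
     *
     * @param enumeration the registered SASL server factories
     * @param xMPPResourceConnection the session the mechanisms are selected for
     * @return the mechanism names that passed {@link #match} and {@link #isAllowedForDomain}
     */
    @Override // tigase.auth.MechanismSelector
    public Collection<String> filterMechanisms(Enumeration<SaslServerFactory> enumeration, XMPPResourceConnection xMPPResourceConnection) {
        // No properties are passed, so each factory reports its mechanisms unfiltered.
        HashMap<String, Object> noProperties = new HashMap<>();
        ArrayList<String> selected = new ArrayList<>();
        while (enumeration.hasMoreElements()) {
            SaslServerFactory factory = enumeration.nextElement();
            for (String mechanism : factory.getMechanismNames(noProperties)) {
                if (!selected.contains(mechanism)
                        && match(factory, mechanism, xMPPResourceConnection)
                        && isAllowedForDomain(mechanism, xMPPResourceConnection.getDomain())) {
                    selected.add(mechanism);
                }
            }
        }
        return selected;
    }

    /**
     * Applies the allow-lists. A non-empty list on the virtual host replaces the global list;
     * the two are never merged.
     *
     * @param str the mechanism name
     * @param vHostItem the virtual host the session belongs to
     * @return {@code true} when the mechanism is allowed, which includes the case where
     *         neither list names any mechanism
     */
    protected boolean isAllowedForDomain(String str, VHostItem vHostItem) {
        String[] vhostMechanisms = vHostItem.getSaslAllowedMechanisms();
        if (vhostMechanisms == null || vhostMechanisms.length == 0) {
            // Fail-open default: an empty global list places no restriction.
            return this.allowedMechanisms.isEmpty() || this.allowedMechanisms.contains(str);
        }
        for (String candidate : vhostMechanisms) {
            if (candidate.equals(str)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Checks the transport and mechanism-specific preconditions for advertising a mechanism.
     *
     * @param saslServerFactory the factory that offered the mechanism
     * @param str the mechanism name
     * @param xMPPResourceConnection the session the mechanism would be offered to
     * @return {@code true} when the mechanism may be advertised on this session
     */
    protected boolean match(SaslServerFactory saslServerFactory, String str, XMPPResourceConnection xMPPResourceConnection) {
        // Nothing is offered in cleartext when the session requires TLS.
        if (xMPPResourceConnection.isTlsRequired() && !xMPPResourceConnection.isEncrypted()) {
            return false;
        }
        // Only mechanisms served by Tigase's own factory are considered.
        if (!(saslServerFactory instanceof TigaseSaslServerFactory)) {
            return false;
        }
        if (str.equals(SaslEXTERNAL.NAME)) {
            return isJIDInCertificate(xMPPResourceConnection);
        }
        if (str.equals(SaslANONYMOUS.NAME)) {
            return xMPPResourceConnection.getDomain().isAnonymousEnabled();
        }
        // Channel-binding variants are dropped when disabled or when SaslSCRAMPlus reports
        // them unavailable for this session.
        if (str.startsWith("SCRAM-") && str.endsWith("-PLUS")
                && (!SaslSCRAMPlus.isAvailable(xMPPResourceConnection) || this.disableScramPlus)) {
            return false;
        }
        return this.authRepository.isMechanismSupported(xMPPResourceConnection.getDomain().getKey(), str);
    }

    /**
     * Reports whether the session carries a peer certificate holding at least one XMPP address.
     *
     * <p>This gates the advertisement of EXTERNAL only: it does not compare the addresses with
     * any requested identity and does not validate the certificate. NOTE(review): confirm that
     * chain validation and the identity check are enforced by the TLS layer and by the EXTERNAL
     * mechanism itself.
     *
     * @param xMPPResourceConnection the session whose stored peer certificate is inspected
     * @return {@code true} when an X.509 peer certificate with at least one XMPP address is present
     */
    private boolean isJIDInCertificate(XMPPResourceConnection xMPPResourceConnection) {
        Object peerCertificate = xMPPResourceConnection.getSessionData(SaslEXTERNAL.PEER_CERTIFICATE_KEY);
        // Covers the null case and avoids a ClassCastException on a non-X.509 certificate.
        if (!(peerCertificate instanceof X509Certificate)) {
            return false;
        }
        X509Certificate x509Certificate = (X509Certificate) peerCertificate;
        List<?> authJids = CertificateUtil.extractXmppAddrs(x509Certificate);
        if (log.isLoggable(Level.FINEST)) {
            // The certificate name is the third argument, so its placeholder is {2}, not a second {1}.
            log.log(Level.FINEST, "{0}, Found authJIDs: {1} in certificate: {2}", new Object[]{xMPPResourceConnection, String.valueOf(authJids), CertificateUtil.getCertCName(x509Certificate)});
        }
        return authJids != null && !authJids.isEmpty();
    }
}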
