package tigase.server.xmppserver.proc;

import java.nio.charset.StandardCharsets;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.List;
import java.util.Queue;
import java.util.concurrent.ConcurrentMap;
import java.util.logging.Level;
import java.util.logging.Logger;
import tigase.auth.mechanisms.SaslEXTERNAL;
import tigase.cert.CertCheckResult;
import tigase.cert.CertificateUtil;
import tigase.cluster.VirtualComponent;
import tigase.db.AuthRepository;
import tigase.kernel.beans.Bean;
import tigase.kernel.beans.config.ConfigField;
import tigase.net.IOService;
import tigase.server.Packet;
import tigase.server.xmppserver.CID;
import tigase.server.xmppserver.CIDConnections;
import tigase.server.xmppserver.LocalhostException;
import tigase.server.xmppserver.NotLocalhostException;
import tigase.server.xmppserver.S2SConnectionManager;
import tigase.server.xmppserver.S2SIOService;
import tigase.server.xmppserver.proc.S2SAbstractProcessor;
import tigase.stats.StatisticsList;
import tigase.util.Base64;
import tigase.util.stringprep.TigaseStringprepException;
import tigase.xml.Element;

@Bean(name = "sasl-external", parent = S2SConnectionManager.class, active = true)
/* loaded from: input_file:tigase/server/xmppserver/proc/SaslExternal.class */
public class SaslExternal extends AuthenticationProcessor {
    private static final String METHOD_NAME = "SASL-EXTERNAL";
    private static final String SASL_FAILURE_ELEMENT_NAME = "failure";
    private static final String XMLNS_SASL = "urn:ietf:params:xml:ns:xmpp-sasl";

    @ConfigField(desc = "Enable compatibility with legacy servers", alias = "legacy-compat")
    private boolean legacyCompat = true;

    @ConfigField(desc = "Skip SASL-EXTERNAL for defined domains", alias = "skip-for-domains")
    private String[] skipForDomains;
    protected static final String[] FEATURES_SASL_PATH = {"features", "mechanisms"};
    private static final Logger log = Logger.getLogger(SaslExternal.class.getName());
    private static final String SASL_SUCCESS_ELEMENT_NAME = "success";
    private static Element successElement = new Element(SASL_SUCCESS_ELEMENT_NAME, new String[]{"xmlns"}, new String[]{"urn:ietf:params:xml:ns:xmpp-sasl"});

    private static boolean isAnyMechanismsPresent(Packet packet) {
        List childrenStaticStr = packet.getElement().getChildrenStaticStr(FEATURES_SASL_PATH);
        return (!packet.isXMLNSStaticStr(FEATURES_SASL_PATH, "urn:ietf:params:xml:ns:xmpp-sasl") || childrenStaticStr == null || childrenStaticStr.isEmpty()) ? false : true;
    }

    private static boolean isTlsEstablished(CertCheckResult certCheckResult) {
        return certCheckResult == CertCheckResult.trusted || certCheckResult == CertCheckResult.untrusted || certCheckResult == CertCheckResult.self_signed;
    }

    @Override // tigase.server.xmppserver.proc.AuthenticationProcessor
    public String getMethodName() {
        return METHOD_NAME;
    }

    public void setSkipForDomains(String[] strArr) {
        this.skipForDomains = strArr != null ? (String[]) Arrays.stream(strArr).map((v0) -> {
            return v0.toLowerCase();
        }).toArray(i -> {
            return new String[i];
        }) : null;
    }

    @Override // tigase.server.xmppserver.proc.S2SAbstractProcessor, tigase.server.xmppserver.S2SProcessor
    public void streamFeatures(S2SIOService s2SIOService, List<Element> list) {
        Element element = new Element("mechanisms", new Element[]{new Element(AuthRepository.MACHANISM_KEY, SaslEXTERNAL.NAME)}, new String[]{"xmlns"}, new String[]{"urn:ietf:params:xml:ns:xmpp-sasl"});
        if (canAddSaslToFeatures(s2SIOService)) {
            list.add(element);
            authenticatorSelectorManager.getAuthenticationProcessors(s2SIOService).add(this);
        }
    }

    @Override // tigase.server.xmppserver.S2SProcessor
    public int order() {
        return S2SAbstractProcessor.Order.SaslExternal.ordinal();
    }

    @Override // tigase.server.xmppserver.proc.AuthenticationProcessor
    public void restartAuth(Packet packet, S2SIOService s2SIOService, Queue<Packet> queue) {
        try {
            sendAuthRequest(s2SIOService, queue);
        } catch (Exception e) {
            log.log(Level.WARNING, e, () -> {
                return String.format("%s, Error while restarting authentication", s2SIOService);
            });
            queue.add(failurePacket(null));
            authenticatorSelectorManager.authenticationFailed(packet, s2SIOService, this, queue);
        }
    }

    @Override // tigase.server.xmppserver.proc.AuthenticationProcessor
    public boolean canHandle(Packet packet, S2SIOService s2SIOService, Queue<Packet> queue) {
        CID cid = (CID) s2SIOService.getSessionData().get(S2SConnectionManager.CID_KEY);
        boolean z = cid != null && skipTLSForHost(cid.getRemoteHost());
        if (cid != null && (isSkippedDomain(cid.getLocalHost()) || isSkippedDomain(cid.getRemoteHost()))) {
            if (!log.isLoggable(Level.FINEST)) {
                return false;
            }
            log.log(Level.FINEST, "Skipping SASL-EXTERNAL for domain: {1} because it was ignored [{0}]", new Object[]{s2SIOService, cid});
            return false;
        }
        if (!packet.isElement("features", "http://etherx.jabber.org/streams") || packet.getElement().getChildren() == null || packet.getElement().getChildren().isEmpty()) {
            return false;
        }
        if (log.isLoggable(Level.FINEST)) {
            log.log(Level.FINEST, "Stream features received packet: {1} [{0}]", new Object[]{s2SIOService, packet});
        }
        if (!isAnyMechanismsPresent(packet)) {
            if (!log.isLoggable(Level.FINEST)) {
                return false;
            }
            log.log(Level.FINEST, "No SASL mechanisms found in features. Skipping SASL. [{0}]", new Object[]{s2SIOService, packet});
            return false;
        }
        CertCheckResult certCheckResult = (CertCheckResult) s2SIOService.getSessionData().get(IOService.CERT_CHECK_RESULT);
        if (packet.isXMLNSStaticStr(FEATURES_STARTTLS_PATH, "urn:ietf:params:xml:ns:xmpp-tls") && certCheckResult == null && !z) {
            if (!log.isLoggable(Level.FINEST)) {
                return false;
            }
            log.log(Level.FINEST, "Waiting for starttls, packet: {1} [{0}]", new Object[]{s2SIOService, packet});
            return false;
        }
        if (certCheckResult == CertCheckResult.invalid || s2SIOService.isHandshakingOnly()) {
            if (!log.isLoggable(Level.FINEST)) {
                return false;
            }
            log.log(Level.FINEST, "Connection is handshaking only: {1}, certCheckResult: {2}, packet: {3} [{0}]", new Object[]{s2SIOService, Boolean.valueOf(s2SIOService.isHandshakingOnly()), certCheckResult, packet});
            return false;
        }
        if (canAddSaslToFeatures(s2SIOService)) {
            return true;
        }
        if (!log.isLoggable(Level.FINEST)) {
            return false;
        }
        log.log(Level.FINEST, "Skipping SASL-EXTERNAL: local certificate for {1} is not trusted (self-signed or expired)  [{0}]", new Object[]{s2SIOService, cid.getLocalHost()});
        return false;
    }

    @Override // tigase.server.xmppserver.proc.S2SAbstractProcessor, tigase.stats.StatisticsProviderIfc
    public void getStatistics(String str, StatisticsList statisticsList) {
        super.getStatistics(str, statisticsList);
        authenticatorSelectorManager.getStatistics(str, statisticsList);
    }

    @Override // tigase.server.xmppserver.proc.S2SAbstractProcessor, tigase.server.xmppserver.S2SProcessor
    public boolean process(Packet packet, S2SIOService s2SIOService, Queue<Packet> queue) {
        try {
            if (authenticatorSelectorManager.isAllowed(packet, s2SIOService, this, queue)) {
                sendAuthRequest(s2SIOService, queue);
                return true;
            }
            if (packet.isElement("auth", "urn:ietf:params:xml:ns:xmpp-sasl")) {
                if (log.isLoggable(Level.FINEST)) {
                    log.log(Level.FINEST, "Received auth request: {1} [{0}]", new Object[]{s2SIOService, packet});
                }
                processAuth(packet, s2SIOService, queue);
                return true;
            }
            if (packet.isElement(SASL_SUCCESS_ELEMENT_NAME, "urn:ietf:params:xml:ns:xmpp-sasl")) {
                if (log.isLoggable(Level.FINEST)) {
                    log.log(Level.FINEST, "Received success response: {1} [{0}]", new Object[]{s2SIOService, packet});
                }
                processSuccess(packet, s2SIOService, queue);
                return true;
            }
            if (!packet.isElement(SASL_FAILURE_ELEMENT_NAME, "urn:ietf:params:xml:ns:xmpp-sasl")) {
                return false;
            }
            if (log.isLoggable(Level.FINEST)) {
                log.log(Level.FINEST, "Received failure response: {1} [{0}]", new Object[]{s2SIOService, packet});
            }
            authenticatorSelectorManager.authenticationFailed(packet, s2SIOService, this, queue);
            return true;
        } catch (Exception e) {
            log.log(Level.WARNING, e, () -> {
                return String.format("%s, Error while processing packet: %s", s2SIOService, packet);
            });
            queue.add(failurePacket(null));
            authenticatorSelectorManager.authenticationFailed(packet, s2SIOService, this, queue);
            return true;
        }
    }

    private boolean isSkippedDomain(String str) {
        return (str == null || this.skipForDomains == null || Arrays.binarySearch(this.skipForDomains, str.toLowerCase()) < 0) ? false : true;
    }

    private boolean canAddSaslToFeatures(S2SIOService s2SIOService) {
        ConcurrentMap<String, Object> sessionData = s2SIOService.getSessionData();
        CID cid = (CID) sessionData.get(S2SConnectionManager.CID_KEY);
        boolean z = cid != null && (isSkippedDomain(cid.getLocalHost()) || isSkippedDomain(cid.getRemoteHost()));
        CertCheckResult certCheckResult = (CertCheckResult) sessionData.get(IOService.CERT_CHECK_RESULT);
        boolean isTlsEstablished = isTlsEstablished(certCheckResult);
        CertCheckResult certCheckResult2 = (CertCheckResult) sessionData.get(IOService.LOCAL_CERT_CHECK_RESULT);
        boolean z2 = certCheckResult2 == CertCheckResult.trusted;
        boolean z3 = (!isTlsEstablished || !z2 || s2SIOService.isAuthenticated() || s2SIOService.isHandshakingOnly() || z) ? false : true;
        if (!z3 && log.isLoggable(Level.FINEST)) {
            log.log(Level.FINEST, "Not adding SASL-EXTERNAL feature, tlsEstablished: {1} (result: {2}), skipDomain: {3}, localCertTrusted: {4} (result: {5}) [{0}]", new Object[]{s2SIOService, Boolean.valueOf(isTlsEstablished), certCheckResult, Boolean.valueOf(z), Boolean.valueOf(z2), certCheckResult2});
        }
        return z3;
    }

    private void sendAuthRequest(S2SIOService s2SIOService, Queue<Packet> queue) throws TigaseStringprepException {
        String str = "=";
        CID cid = (CID) s2SIOService.getSessionData().get(S2SConnectionManager.CID_KEY);
        if (cid != null && this.legacyCompat) {
            str = Base64.encode(cid.getLocalHost().getBytes(StandardCharsets.UTF_8));
        }
        Element element = new Element("auth", str, new String[]{"xmlns", AuthRepository.MACHANISM_KEY}, new String[]{"urn:ietf:params:xml:ns:xmpp-sasl", SaslEXTERNAL.NAME});
        queue.add(Packet.packetInstance(element));
        if (log.isLoggable(Level.FINEST)) {
            log.log(Level.FINEST, "Starting SASL EXTERNAL: {1} [{0}]", new Object[]{s2SIOService, element});
        }
    }

    private void processSuccess(Packet packet, S2SIOService s2SIOService, Queue<Packet> queue) throws TigaseStringprepException, LocalhostException, NotLocalhostException {
        CID cid = (CID) s2SIOService.getSessionData().get(S2SConnectionManager.CID_KEY);
        if (log.isLoggable(Level.FINEST)) {
            log.log(Level.FINEST, "Sending new stream [{0}]", new Object[]{s2SIOService});
        }
        s2SIOService.xmppStreamOpen("<stream:stream xmlns:stream='http://etherx.jabber.org/streams' xmlns='jabber:server' from='" + cid.getLocalHost() + "' to='" + cid.getRemoteHost() + "' version='1.0'>");
        CIDConnections cIDConnections = this.handler.getCIDConnections(cid, true);
        if (log.isLoggable(Level.FINEST)) {
            log.log(Level.FINEST, "Making connection authenticated. cid={1}  [{0}]", new Object[]{s2SIOService, cid});
        }
        authenticatorSelectorManager.authenticateConnection(s2SIOService, cIDConnections, cid);
    }

    private void processAuth(Packet packet, S2SIOService s2SIOService, Queue<Packet> queue) throws TigaseStringprepException, LocalhostException, NotLocalhostException {
        boolean z;
        X509Certificate x509Certificate = (X509Certificate) s2SIOService.getPeerCertificate();
        if (x509Certificate == null) {
            if (log.isLoggable(Level.FINE)) {
                log.log(Level.FINE, "No peer certificate! [{0}]", new Object[]{s2SIOService});
            }
            queue.add(failurePacket("No peer certificate"));
            authenticatorSelectorManager.authenticationFailed(packet, s2SIOService, this, queue);
            return;
        }
        CertCheckResult certCheckResult = (CertCheckResult) s2SIOService.getSessionData().get(IOService.CERT_CHECK_RESULT);
        if (log.isLoggable(Level.FINEST)) {
            log.log(Level.FINEST, "Trust: {1} for peer certificate: {2}, AltNames: {3} [{0}]", new Object[]{s2SIOService, certCheckResult, x509Certificate.getSubjectDN(), CertificateUtil.getCertAltCName(x509Certificate)});
        }
        if (certCheckResult != CertCheckResult.trusted && certCheckResult != CertCheckResult.self_signed) {
            if (log.isLoggable(Level.FINE)) {
                log.log(Level.FINE, "Certificate is not trusted [{0}]", new Object[]{s2SIOService});
            }
            queue.add(failurePacket("Certificate is not trusted"));
            authenticatorSelectorManager.authenticationFailed(packet, s2SIOService, this, queue);
            return;
        }
        CID cid = (CID) s2SIOService.getSessionData().get(S2SConnectionManager.CID_KEY);
        if (cid == null) {
            if (log.isLoggable(Level.FINE)) {
                log.log(Level.FINE, "CID is unknown, can''t proceed [{0}]", new Object[]{s2SIOService});
            }
            queue.add(failurePacket("Unknown origin hostname (lack of `from` element)"));
            authenticatorSelectorManager.authenticationFailed(packet, s2SIOService, this, queue);
            return;
        }
        try {
            z = CertificateUtil.verifyCertificateForDomain(x509Certificate, cid.getRemoteHost());
        } catch (CertificateParsingException e) {
            z = false;
        }
        if (!z) {
            if (log.isLoggable(Level.FINE)) {
                log.log(Level.FINE, "Certificate name doesn't match to '{1}' [{0}]", new Object[]{s2SIOService, cid.getRemoteHost()});
            }
            queue.add(failurePacket("Certificate name doesn't match to domain name"));
            authenticatorSelectorManager.authenticationFailed(packet, s2SIOService, this, queue);
            return;
        }
        CIDConnections cIDConnections = this.handler.getCIDConnections(cid, true);
        if (log.isLoggable(Level.FINEST)) {
            log.log(Level.FINEST, "Making connection authenticated. cid={1} [{0}]", new Object[]{s2SIOService, cid});
        }
        authenticatorSelectorManager.authenticateConnection(s2SIOService, cIDConnections, cid);
        queue.add(Packet.packetInstance(successElement));
    }

    private Packet failurePacket(String str) {
        Element element = new Element(SASL_FAILURE_ELEMENT_NAME, new Element[]{new Element("invalid-authzid")}, new String[]{"xmlns"}, new String[]{"urn:ietf:params:xml:ns:xmpp-sasl"});
        if (str != null) {
            element.addChild(new Element(VirtualComponent.DISCO_TYPE_PROP_VAL, str));
        }
        return Packet.packetInstance(element, null, null);
    }

    @Override // tigase.server.xmppserver.S2SProcessor
    public boolean shouldSkipUndelivered(Packet packet) {
        return packet.getElemName() == SASL_SUCCESS_ELEMENT_NAME || packet.getXMLNS() == "urn:ietf:params:xml:ns:xmpp-sasl";
    }
}
