package org.apache.james.smtpserver;

import com.google.common.annotations.VisibleForTesting;
import com.google.common.collect.ImmutableSet;
import jakarta.inject.Inject;
import jakarta.mail.MessagingException;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.function.Predicate;
import org.apache.commons.configuration2.Configuration;
import org.apache.james.core.Domain;
import org.apache.james.core.MaybeSender;
import org.apache.james.jdkim.api.PublicKeyRecordRetriever;
import org.apache.james.jdkim.api.SignatureRecord;
import org.apache.james.jdkim.exceptions.FailException;
import org.apache.james.jdkim.mailets.DKIMVerifier;
import org.apache.james.protocols.smtp.SMTPSession;
import org.apache.james.protocols.smtp.hook.HookResult;
import org.apache.james.protocols.smtp.hook.HookReturnCode;
import org.apache.mailet.Mail;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/james/smtpserver/DKIMHook.class */
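/**
 * SMTP message hook that verifies the DKIM signatures of an incoming mail and
 * rejects the mail when the configured policy is not met.
 *
 * <p>The policy comes from {@link Config}: whether at least one signature is
 * required, an optional {@code d=} token that must appear on one signature, and
 * an optional restriction of the check to a single envelope sender domain.
 *
 * <p>{@link #init(Configuration)} must run before {@link #onMessage}; until then
 * the policy fields are {@code null}.
 */
public class DKIMHook implements JamesMessageHook {
    private static final Logger LOGGER = LoggerFactory.getLogger(DKIMHook.class);

    @VisibleForTesting
    private final DKIMVerifier verifier;
    private Config config;
    private SignatureRecordValidation signatureRecordValidation;
    private DKIMCheckNeeded dkimCheckNeeded;

    /**
     * Immutable view of the hook configuration.
     *
     * <p>Both booleans default to {@code true} in {@link #parse(Configuration)},
     * so an unconfigured hook requires a signature.
     */
    public static class Config {
        private final boolean forceCRLF;
        private final boolean signatureRequired;
        private final Optional<Domain> onlyForSenderDomain;
        private final Optional<String> expectedDToken;

        /**
         * Reads the hook settings from the handler configuration.
         *
         * @param configuration source of the {@code forceCRLF}, {@code signatureRequired},
         *                      {@code onlyForSenderDomain} and {@code expectedDToken} keys
         * @return the parsed configuration; absent string keys become empty optionals
         */
        public static Config parse(Configuration configuration) {
            boolean forceCRLF = configuration.getBoolean("forceCRLF", true);
            boolean signatureRequired = configuration.getBoolean("signatureRequired", true);
            Optional<Domain> onlyForSenderDomain =
                Optional.ofNullable(configuration.getString("onlyForSenderDomain", (String) null)).map(Domain::of);
            Optional<String> expectedDToken =
                Optional.ofNullable(configuration.getString("expectedDToken", (String) null));
            return new Config(forceCRLF, signatureRequired, onlyForSenderDomain, expectedDToken);
        }

        /**
         * @param forceCRLF           passed through to the verifier on every message
         * @param signatureRequired   reject mail that carries no DKIM signature
         * @param onlyForSenderDomain when present, only mail from this envelope sender domain is checked
         * @param expectedDToken      when present, one signature must carry exactly this {@code d=} token
         */
        public Config(boolean forceCRLF, boolean signatureRequired, Optional<Domain> onlyForSenderDomain, Optional<String> expectedDToken) {
            this.forceCRLF = forceCRLF;
            this.signatureRequired = signatureRequired;
            this.onlyForSenderDomain = onlyForSenderDomain;
            this.expectedDToken = expectedDToken;
        }

        /** Builds the predicate that decides whether a mail is subject to the DKIM check. */
        DKIMCheckNeeded dkimCheckNeeded() {
            return this.onlyForSenderDomain
                .map(DKIMCheckNeeded::onlyForSenderDomain)
                .orElse(DKIMCheckNeeded.ALL);
        }

        /**
         * Builds the policy applied to the signature records: the "signature
         * required" rule first, then the expected {@code d=} token rule when configured.
         */
        SignatureRecordValidation signatureRecordValidation() {
            SignatureRecordValidation dTokenRule = this.expectedDToken
                .map(SignatureRecordValidation::expectedDToken)
                .orElse(SignatureRecordValidation.ALLOW_ALL);
            return SignatureRecordValidation.and(SignatureRecordValidation.signatureRequired(this.signatureRequired), dTokenRule);
        }

        @Override
        public final boolean equals(Object obj) {
            if (!(obj instanceof Config)) {
                return false;
            }
            Config other = (Config) obj;
            return this.forceCRLF == other.forceCRLF
                && this.signatureRequired == other.signatureRequired
                && Objects.equals(this.onlyForSenderDomain, other.onlyForSenderDomain)
                && Objects.equals(this.expectedDToken, other.expectedDToken);
        }

        @Override
        public final int hashCode() {
            return Objects.hash(this.forceCRLF, this.signatureRequired, this.onlyForSenderDomain, this.expectedDToken);
        }
    }

    /**
     * Decides whether a mail is subject to the DKIM check at all.
     *
     * <p>Decompiler note: JADX reports that the access modifier was widened from
     * package-private.
     */
    @FunctionalInterface
    public interface DKIMCheckNeeded extends Predicate<Mail> {
        /** Every mail is checked. */
        public static final DKIMCheckNeeded ALL = mail -> true;

        /**
         * Checks only mail whose envelope sender belongs to {@code domain}.
         *
         * <p>Security note: the decision uses {@code mail.getMaybeSender()} only. Mail
         * with no sender, or with a sender in any other domain, skips DKIM
         * verification entirely, so this setting scopes enforcement and is not by
         * itself protection against a forged {@code From:} header for that domain.
         * NOTE(review): the header From is not consulted anywhere in this class.
         *
         * @param domain the only sender domain for which DKIM is enforced
         */
        static DKIMCheckNeeded onlyForSenderDomain(Domain domain) {
            // The decompiled body referenced an undefined register ("r1"); the
            // receiver of equals() is the captured domain.
            return mail -> mail.getMaybeSender().asOptional()
                .map(address -> address.getDomain())
                .map(domain::equals)
                .orElse(false);
        }
    }

    /**
     * A policy rule over the signature records returned by the verifier.
     *
     * <p>A rule returns {@link HookResult#DECLINED} when it has no objection and a
     * deny result when the mail must be rejected.
     *
     * <p>Decompiler note: JADX reports that the access modifier was widened from
     * package-private.
     */
    @FunctionalInterface
    public interface SignatureRecordValidation {
        /** Rule that never objects. */
        public static final SignatureRecordValidation ALLOW_ALL = (maybeSender, list) -> HookResult.DECLINED;

        /**
         * Chains two rules: {@code second} is consulted only when {@code first}
         * returns {@link HookResult#DECLINED}; otherwise the result of {@code first} wins.
         */
        static SignatureRecordValidation and(SignatureRecordValidation first, SignatureRecordValidation second) {
            return (maybeSender, list) -> {
                HookResult firstResult = first.validate(maybeSender, list);
                if (firstResult.equals(HookResult.DECLINED)) {
                    return second.validate(maybeSender, list);
                }
                return firstResult;
            };
        }

        /**
         * Rejects mail without any signature record when {@code required} is true.
         *
         * @param required whether a missing signature is a rejection reason
         */
        static SignatureRecordValidation signatureRequired(boolean required) {
            return (maybeSender, list) -> {
                // A null list is treated the same as an empty one.
                boolean hasSignature = list != null && !list.isEmpty();
                if (!required || hasSignature) {
                    return HookResult.DECLINED;
                }
                DKIMHook.LOGGER.warn("DKIM check failed. Expecting DKIM signatures. Got none.");
                return HookResult.builder().hookReturnCode(HookReturnCode.deny()).smtpReturnCode("530").smtpDescription("DKIM check failed. Expecting DKIM signatures. Got none.").build();
            };
        }

        /**
         * Requires that at least one signature record carries exactly {@code dToken}
         * as its {@code d=} value.
         *
         * <p>A {@code null} record list is handled as "no signatures" and rejected
         * explicitly. With {@code signatureRequired=false} the previous rule lets a
         * null list through, and calling {@code list.stream()} on it would throw
         * instead of producing an SMTP rejection.
         *
         * <p>Security notes: one matching signature is enough, other signatures on
         * the mail are ignored. The comparison is an exact {@code equals};
         * NOTE(review): confirm whether {@code getDToken()} is case-normalised,
         * since domain names compare case-insensitively. The SMTP reply also echoes
         * the configured token to the remote client.
         *
         * @param dToken the signing domain that must be present
         */
        static SignatureRecordValidation expectedDToken(String dToken) {
            return (maybeSender, list) -> {
                boolean matched = list != null
                    && list.stream().anyMatch(signatureRecord -> Objects.equals(signatureRecord.getDToken(), dToken));
                if (matched) {
                    return HookResult.DECLINED;
                }
                Object presentedTokens = list == null
                    ? ImmutableSet.of()
                    : list.stream().map(signatureRecord -> signatureRecord.getDToken()).collect(ImmutableSet.toImmutableSet());
                DKIMHook.LOGGER.warn("DKIM check failed. Wrong d token. Expecting {}. Got {}.", dToken, presentedTokens);
                return HookResult.builder().hookReturnCode(HookReturnCode.deny()).smtpReturnCode("530").smtpDescription("DKIM check failed. Wrong d token. Expecting " + dToken).build();
            };
        }

        /**
         * @param maybeSender envelope sender of the mail
         * @param list        signature records produced by the verifier; may be {@code null}
         *                    (the {@code signatureRequired} rule guards for it)
         * @return {@link HookResult#DECLINED} to accept, or a deny result
         */
        HookResult validate(MaybeSender maybeSender, List<SignatureRecord> list);
    }

    /**
     * @param publicKeyRecordRetriever used by the verifier to fetch signers' public key records
     */
    @Inject
    public DKIMHook(PublicKeyRecordRetriever publicKeyRecordRetriever) {
        this.verifier = new DKIMVerifier(publicKeyRecordRetriever);
    }

    /**
     * Parses the configuration and derives the two policy objects from it.
     *
     * @param configuration handler configuration, see {@link Config#parse(Configuration)}
     */
    public void init(Configuration configuration) {
        this.config = Config.parse(configuration);
        this.dkimCheckNeeded = this.config.dkimCheckNeeded();
        this.signatureRecordValidation = this.config.signatureRecordValidation();
    }

    /**
     * Verifies the DKIM signatures of {@code mail} and applies the configured policy.
     *
     * @return {@link HookResult#DECLINED} when the mail is out of scope or passes the
     *         policy; a {@code 530} deny when verification throws {@link FailException}
     *         or the policy rejects; a {@code 451} soft deny on {@link MessagingException}
     */
    @Override
    public HookResult onMessage(SMTPSession sMTPSession, Mail mail) {
        if (!this.dkimCheckNeeded.test(mail)) {
            return HookResult.DECLINED;
        }
        try {
            List<SignatureRecord> records = this.verifier.verify(mail.getMessage(), this.config.forceCRLF);
            return this.signatureRecordValidation.validate(mail.getMaybeSender(), records);
        } catch (FailException e) {
            // NOTE(review): every FailException becomes a permanent 530. If the
            // library reports temporary failures (e.g. a key lookup that timed out)
            // through a subtype, those are rejected permanently too - confirm.
            LOGGER.warn("DKIM check failed. Invalid signature.", e);
            return HookResult.builder().hookReturnCode(HookReturnCode.deny()).smtpReturnCode("530").smtpDescription("DKIM check failed. Invalid signature.").build();
        } catch (MessagingException e2) {
            LOGGER.warn("Error while verifying DKIM signatures", e2);
            return HookResult.builder().hookReturnCode(HookReturnCode.denySoft()).smtpReturnCode("451").smtpDescription("Failure computing DKIM signature.").build();
        }
    }
}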
