package com.couchbase.client.dcp.transport.netty;

import com.couchbase.client.dcp.core.endpoint.kv.AuthenticationException;
import com.couchbase.client.dcp.core.security.sasl.Sasl;
import com.couchbase.client.dcp.deps.io.netty.buffer.ByteBuf;
import com.couchbase.client.dcp.deps.io.netty.buffer.Unpooled;
import com.couchbase.client.dcp.deps.io.netty.channel.ChannelHandlerContext;
import com.couchbase.client.dcp.deps.io.netty.util.concurrent.Future;
import com.couchbase.client.dcp.deps.io.netty.util.concurrent.GenericFutureListener;
import com.couchbase.client.dcp.message.MessageUtil;
import com.couchbase.client.dcp.message.ResponseStatus;
import com.couchbase.client.dcp.message.SaslAuthRequest;
import com.couchbase.client.dcp.message.SaslAuthResponse;
import com.couchbase.client.dcp.message.SaslListMechsRequest;
import com.couchbase.client.dcp.message.SaslListMechsResponse;
import com.couchbase.client.dcp.message.SaslStepRequest;
import com.couchbase.client.dcp.message.SaslStepResponse;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.sasl.SaslClient;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/couchbase/client/dcp/transport/netty/AuthHandler.class */
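/**
 * Netty handler that runs the client side of a SASL negotiation on a freshly connected channel.
 *
 * <p>Flow, as implemented below: on {@code channelActive} the handler asks the server for its
 * mechanism list; on the list response it creates a {@link SaslClient}, records the selected
 * mechanism and sends the initial auth request; on an auth response it either checks the final
 * status or answers the challenge with a step request; on a step response it checks the final
 * status. On success the handler removes itself from the pipeline, completes the promise returned
 * by {@code originalPromise()} and propagates {@code channelActive} downstream.
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>The mechanism is chosen from the list the server advertises. If PLAIN ends up selected,
 *       the password is sent without any hashing, so the channel must be TLS-protected.
 *       Whether TLS is in the pipeline is not visible from this class; confirm at the call site
 *       or restrict the accepted mechanisms when TLS is absent.</li>
 *   <li>The step response is judged by its status code only; its payload is not handed back to
 *       {@code saslClient.evaluateChallenge}. For mechanisms whose last server message carries a
 *       server proof, that proof is therefore not checked in this handler.</li>
 *   <li>The password is kept as a {@code String} for the lifetime of the handler.</li>
 * </ul>
 */
class AuthHandler extends ConnectInterceptingHandler<ByteBuf> implements CallbackHandler {
    private static final Logger LOGGER = LoggerFactory.getLogger(AuthHandler.class);

    // Credentials handed to the SASL client through the CallbackHandler interface.
    private final String username;
    private final String password;

    // Both are assigned in handleListMechsResponse; null until the mechanism list has arrived.
    private SaslClient saslClient;
    private String selectedMechanism;

    /**
     * Shared write listener: a failed write of an auth/step request is logged and fails the
     * promise returned by {@code originalPromise()}. Only the failure cause is logged, never the
     * request payload.
     */
    private final GenericFutureListener<Future<Void>> writeFailureListener =
            new GenericFutureListener<Future<Void>>() {
                @Override
                public void operationComplete(Future<Void> future) throws Exception {
                    if (future.isSuccess()) {
                        return;
                    }
                    LOGGER.warn("Error during SASL Auth negotiation phase.", future.cause());
                    AuthHandler.this.originalPromise().setFailure(future.cause());
                }
            };

    /**
     * Creates the handler with the credentials used for the negotiation.
     *
     * @param username name supplied to {@link NameCallback}s and used in the legacy step payload
     * @param password password supplied to {@link PasswordCallback}s
     */
    public AuthHandler(String username, String password) {
        this.username = username;
        this.password = password;
    }

    /**
     * Starts the negotiation by requesting the server's SASL mechanism list. The event is not
     * forwarded here; {@code fireChannelActive} is called from {@code checkIsAuthed} on success.
     */
    @Override
    public void channelActive(ChannelHandlerContext channelHandlerContext) throws Exception {
        ByteBuf request = channelHandlerContext.alloc().buffer();
        SaslListMechsRequest.init(request);
        channelHandlerContext.writeAndFlush(request);
    }

    /**
     * Dispatches an inbound message to the matching negotiation step.
     *
     * @throws IllegalStateException if the message is none of the three expected SASL responses
     */
    @Override
    public void channelRead0(ChannelHandlerContext channelHandlerContext, ByteBuf byteBuf) throws Exception {
        if (SaslListMechsResponse.is(byteBuf)) {
            handleListMechsResponse(channelHandlerContext, byteBuf);
            return;
        }
        if (SaslAuthResponse.is(byteBuf)) {
            handleAuthResponse(channelHandlerContext, byteBuf);
            return;
        }
        if (!SaslStepResponse.is(byteBuf)) {
            throw new IllegalStateException("Received unexpected SASL response! " + MessageUtil.humanize(byteBuf));
        }
        // NOTE(review): only the status is inspected; the step response payload is not evaluated
        // by the SaslClient, and nothing here checks that a step request was actually sent.
        checkIsAuthed(channelHandlerContext, MessageUtil.getResponseStatus(byteBuf));
    }

    /**
     * Handles the server's answer to the auth request: checks the final status when the SASL
     * client is already complete, otherwise evaluates the challenge and sends a step request.
     *
     * @throws IllegalStateException if no mechanism has been negotiated yet
     * @throws AuthenticationException if the SASL client yields no response, or the legacy
     *     response does not have the expected "name digest" form
     */
    private void handleAuthResponse(ChannelHandlerContext channelHandlerContext, ByteBuf byteBuf) throws Exception {
        // The peer controls message order; fail with a clear error instead of a NullPointerException
        // when an auth response arrives before the mechanism list was processed.
        if (this.saslClient == null) {
            throw new IllegalStateException("Received SASL auth response before a mechanism was negotiated.");
        }
        if (this.saslClient.isComplete()) {
            checkIsAuthed(channelHandlerContext, MessageUtil.getResponseStatus(byteBuf));
            return;
        }

        ByteBuf challengeBuf = SaslAuthResponse.challenge(byteBuf);
        byte[] challenge = new byte[challengeBuf.readableBytes()];
        challengeBuf.readBytes(challenge);
        byte[] evaluated = this.saslClient.evaluateChallenge(challenge);
        if (evaluated == null) {
            throw new AuthenticationException("SASL Challenge evaluation returned null.");
        }

        ByteBuf content;
        if ("CRAM-MD5".equals(this.selectedMechanism) || "PLAIN".equals(this.selectedMechanism)) {
            // Decode with an explicit charset; the platform default would make the payload
            // depend on the JVM's locale settings.
            String response = new String(evaluated, StandardCharsets.UTF_8);
            // The digest is the token after the LAST space, so a user name that itself contains
            // a space no longer ends up in the digest position.
            int separator = response.lastIndexOf(' ');
            if (separator < 0 || separator == response.length() - 1) {
                // The response carries credential-derived data, so it is kept out of the message.
                throw new AuthenticationException(
                        "Unexpected SASL client response format for mechanism " + this.selectedMechanism);
            }
            // NOTE(review): the separator is restored as NUL. The decompiled listing showed two
            // replacement characters here, which is how a modified-UTF-8 NUL renders when read
            // as plain UTF-8; confirm against the upstream source.
            content = Unpooled.copiedBuffer(
                    this.username + "\0" + response.substring(separator + 1), StandardCharsets.UTF_8);
        } else {
            content = Unpooled.wrappedBuffer(evaluated);
        }

        ByteBuf request = channelHandlerContext.alloc().buffer();
        SaslStepRequest.init(request);
        SaslStepRequest.mechanism(this.selectedMechanism, request);
        // NOTE(review): unlike handleListMechsResponse, the payload buffer is not released after
        // being handed over. Both buffers here are unpooled; confirm whether challengeResponse
        // copies the bytes before adding a release.
        SaslStepRequest.challengeResponse(content, request);
        channelHandlerContext.writeAndFlush(request).addListener(this.writeFailureListener);
    }

    /**
     * Completes the negotiation from the server's final status.
     *
     * <p>On success the handler removes itself, completes the original promise and fires
     * {@code channelActive} for the rest of the pipeline. Any other status fails the promise
     * with an {@link AuthenticationException}; the message never contains the credentials.
     */
    private void checkIsAuthed(ChannelHandlerContext channelHandlerContext, ResponseStatus responseStatus) {
        if (!responseStatus.isSuccess()) {
            String reason = responseStatus == ResponseStatus.AUTH_ERROR
                    ? "SASL Authentication Failure"
                    : "Unhandled SASL auth status: " + responseStatus;
            originalPromise().setFailure(new AuthenticationException(reason));
            return;
        }
        LOGGER.debug("Successfully authenticated against node {}", channelHandlerContext.channel().remoteAddress());
        channelHandlerContext.pipeline().remove(this);
        originalPromise().setSuccess();
        channelHandlerContext.fireChannelActive();
    }

    /**
     * Creates the SASL client from the server's mechanism list and sends the auth request,
     * including the client's initial response when the mechanism has one.
     *
     * @throws AuthenticationException if the list is empty or no SASL client could be created
     */
    private void handleListMechsResponse(ChannelHandlerContext channelHandlerContext, ByteBuf byteBuf) throws Exception {
        String remote = channelHandlerContext.channel().remoteAddress().toString();
        String[] supportedMechs = SaslListMechsResponse.supportedMechs(byteBuf);
        if (supportedMechs.length == 0) {
            throw new AuthenticationException("Received empty SASL mechanisms list from server: " + remote);
        }

        // NOTE(review): the candidate list comes straight from the peer. A list that offers only
        // PLAIN results in the password being sent as-is, so this must run over TLS or the list
        // should be filtered first; neither is visible in this class.
        this.saslClient = Sasl.createSaslClient(supportedMechs, null, "couchbase", remote, null, this);
        if (this.saslClient == null) {
            // Presumably returned when none of the advertised mechanisms is supported locally.
            throw new AuthenticationException(
                    "No supported SASL mechanism among: " + String.join(", ", supportedMechs));
        }
        this.selectedMechanism = this.saslClient.getMechanismName();

        byte[] initialResponse = null;
        if (this.saslClient.hasInitialResponse()) {
            initialResponse = this.saslClient.evaluateChallenge(new byte[0]);
        }
        ByteBuf payload = initialResponse == null
                ? Unpooled.EMPTY_BUFFER
                : channelHandlerContext.alloc().buffer().writeBytes(initialResponse);

        ByteBuf request = channelHandlerContext.alloc().buffer();
        SaslAuthRequest.init(request);
        SaslAuthRequest.mechanism(this.selectedMechanism, request);
        SaslAuthRequest.challengeResponse(payload, request);
        payload.release();
        channelHandlerContext.writeAndFlush(request).addListener(this.writeFailureListener);
    }

    /**
     * Supplies the user name and password to the SASL client.
     *
     * @throws AuthenticationException if a callback other than {@link NameCallback} or
     *     {@link PasswordCallback} is requested
     */
    @Override
    public void handle(Callback[] callbackArr) throws IOException, UnsupportedCallbackException {
        for (Callback callback : callbackArr) {
            if (callback instanceof NameCallback) {
                ((NameCallback) callback).setName(this.username);
            } else if (callback instanceof PasswordCallback) {
                // PasswordCallback.setPassword stores its own copy, so the temporary array can be
                // cleared right away. The String field still holds the password.
                char[] secret = this.password.toCharArray();
                try {
                    ((PasswordCallback) callback).setPassword(secret);
                } finally {
                    java.util.Arrays.fill(secret, '\0');
                }
            } else {
                throw new AuthenticationException("SASLClient requested unsupported callback: " + callback);
            }
        }
    }
}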
