package com.couchbase.client.dcp.transport.netty;

import com.couchbase.client.core.deps.io.netty.buffer.ByteBuf;
import com.couchbase.client.core.deps.io.netty.channel.ChannelHandlerContext;
import com.couchbase.client.core.deps.io.netty.channel.ChannelPromise;
import com.couchbase.client.core.deps.io.netty.handler.ssl.SslHandler;
import com.couchbase.client.core.io.netty.kv.sasl.CouchbaseSaslClientFactory;
import com.couchbase.client.core.util.Bytes;
import com.couchbase.client.dcp.Credentials;
import com.couchbase.client.dcp.core.endpoint.kv.AuthenticationException;
import com.couchbase.client.dcp.core.logging.RedactableArgument;
import com.couchbase.client.dcp.core.utils.CbCollections;
import com.couchbase.client.dcp.message.MessageUtil;
import com.couchbase.client.dcp.message.ResponseStatus;
import com.couchbase.client.dcp.message.SaslAuthRequest;
import com.couchbase.client.dcp.message.SaslAuthResponse;
import com.couchbase.client.dcp.message.SaslListMechsRequest;
import com.couchbase.client.dcp.message.SaslListMechsResponse;
import com.couchbase.client.dcp.message.SaslStepRequest;
import com.couchbase.client.dcp.message.SaslStepResponse;
import java.io.IOException;
import java.net.SocketAddress;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.sasl.SaslClient;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/couchbase/client/dcp/transport/netty/AuthHandler.class */
public class AuthHandler extends ConnectInterceptingHandler<ByteBuf> implements CallbackHandler {
    private static final Logger LOGGER = LoggerFactory.getLogger(AuthHandler.class);
    private static final Set<String> secureSaslMechanisms = CbCollections.setOf("SCRAM-SHA1", "SCRAM-SHA256", "SCRAM-SHA512");
    private final Credentials credentials;
    private SaslClient saslClient;
    private String selectedMechanism;

    public AuthHandler(Credentials credentials) {
        this.credentials = (Credentials) Objects.requireNonNull(credentials);
    }

    public void channelActive(ChannelHandlerContext channelHandlerContext) throws Exception {
        if (channelHandlerContext.pipeline().get(SslHandler.class) != null) {
            LOGGER.debug("Using SASL mechanism PLAIN because connection is secure.");
            selectMechanismAndStartAuth(channelHandlerContext, com.couchbase.client.core.util.CbCollections.listOf(new String[]{"PLAIN"}));
        } else {
            ByteBuf buffer = channelHandlerContext.alloc().buffer();
            SaslListMechsRequest.init(buffer);
            send(channelHandlerContext, buffer);
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public void channelRead0(ChannelHandlerContext channelHandlerContext, ByteBuf byteBuf) throws Exception {
        if (SaslListMechsResponse.is(byteBuf)) {
            handleListMechsResponse(channelHandlerContext, byteBuf);
        } else {
            if (!SaslAuthResponse.is(byteBuf) && !SaslStepResponse.is(byteBuf)) {
                throw new IllegalStateException("Received unexpected packet during SASL exchange! " + MessageUtil.humanize(byteBuf));
            }
            handleSaslResponse(channelHandlerContext, byteBuf);
        }
    }

    private void handleSaslResponse(ChannelHandlerContext channelHandlerContext, ByteBuf byteBuf) {
        try {
            ResponseStatus responseStatus = MessageUtil.getResponseStatus(byteBuf);
            if (responseStatus.isSuccess()) {
                if (!this.saslClient.isComplete()) {
                    this.saslClient.evaluateChallenge(MessageUtil.getContentAsByteArray(byteBuf));
                    if (!this.saslClient.isComplete()) {
                        throw new IllegalStateException("SASL exchange incomplete");
                    }
                }
                LOGGER.debug("Successfully authenticated against node {}", channelHandlerContext.channel().remoteAddress());
                channelHandlerContext.pipeline().remove(this);
                originalPromise().setSuccess();
                channelHandlerContext.fireChannelActive();
            } else {
                if (responseStatus != ResponseStatus.AUTH_CONTINUE) {
                    if (responseStatus != ResponseStatus.AUTH_ERROR) {
                        throw new AuthenticationException("Unhandled SASL auth status: " + responseStatus);
                    }
                    throw new AuthenticationException("SASL Authentication Failure");
                }
                byte[] evaluateChallenge = this.saslClient.evaluateChallenge(MessageUtil.getContentAsByteArray(byteBuf));
                ByteBuf buffer = channelHandlerContext.alloc().buffer();
                SaslStepRequest.init(buffer);
                SaslStepRequest.mechanism(this.selectedMechanism, buffer);
                SaslStepRequest.challengeResponse(evaluateChallenge, buffer);
                send(channelHandlerContext, buffer);
            }
        } catch (Throwable th) {
            fail(th);
        }
    }

    private void handleListMechsResponse(ChannelHandlerContext channelHandlerContext, ByteBuf byteBuf) {
        try {
            List<String> supportedMechs = SaslListMechsResponse.supportedMechs(byteBuf);
            if (supportedMechs.isEmpty()) {
                throw new AuthenticationException("Server advertised no SASL mechanisms: " + RedactableArgument.system(channelHandlerContext.channel().remoteAddress()));
            }
            ArrayList arrayList = new ArrayList(supportedMechs);
            arrayList.retainAll(secureSaslMechanisms);
            if (arrayList.isEmpty()) {
                throw new AuthenticationException("Server advertised only insecure or unsupported SASL mechanisms: " + supportedMechs + "; required one of " + secureSaslMechanisms + "; " + RedactableArgument.system(channelHandlerContext.channel().remoteAddress()));
            }
            selectMechanismAndStartAuth(channelHandlerContext, arrayList);
        } catch (Throwable th) {
            fail(th);
        }
    }

    private void selectMechanismAndStartAuth(ChannelHandlerContext channelHandlerContext, List<String> list) {
        try {
            this.saslClient = new CouchbaseSaslClientFactory().createSaslClient((String[]) list.toArray(new String[0]), (String) null, "couchbase", channelHandlerContext.channel().remoteAddress().toString(), (Map) null, this);
            if (this.saslClient == null) {
                throw new AuthenticationException("Failed to create a SASL client for any of the negotiated mechanisms: " + list);
            }
            this.selectedMechanism = this.saslClient.getMechanismName();
            LOGGER.debug("Selected SASL mechanism: {}", this.selectedMechanism);
            byte[] evaluateChallenge = this.saslClient.hasInitialResponse() ? this.saslClient.evaluateChallenge(Bytes.EMPTY_BYTE_ARRAY) : Bytes.EMPTY_BYTE_ARRAY;
            ByteBuf buffer = channelHandlerContext.alloc().buffer();
            SaslAuthRequest.init(buffer);
            SaslAuthRequest.mechanism(this.selectedMechanism, buffer);
            SaslAuthRequest.challengeResponse(evaluateChallenge, buffer);
            send(channelHandlerContext, buffer);
        } catch (Throwable th) {
            fail(th);
        }
    }

    @Override // javax.security.auth.callback.CallbackHandler
    public void handle(Callback[] callbackArr) throws IOException, UnsupportedCallbackException {
        for (Callback callback : callbackArr) {
            if (callback instanceof NameCallback) {
                ((NameCallback) callback).setName(this.credentials.getUsername());
            } else {
                if (!(callback instanceof PasswordCallback)) {
                    throw new AuthenticationException("SASLClient requested unsupported callback: " + callback);
                }
                ((PasswordCallback) callback).setPassword(this.credentials.getPassword().toCharArray());
            }
        }
    }

    private void fail(Throwable th) {
        originalPromise().setFailure(th);
    }

    private void send(ChannelHandlerContext channelHandlerContext, ByteBuf byteBuf) {
        channelHandlerContext.writeAndFlush(byteBuf).addListener(future -> {
            if (future.isSuccess()) {
                return;
            }
            LOGGER.warn("Error during SASL Auth negotiation phase.", future.cause());
            fail(future.cause());
        });
    }

    @Override // com.couchbase.client.dcp.transport.netty.ConnectInterceptingHandler
    public /* bridge */ /* synthetic */ void channelInactive(ChannelHandlerContext channelHandlerContext) throws Exception {
        super.channelInactive(channelHandlerContext);
    }

    @Override // com.couchbase.client.dcp.transport.netty.ConnectInterceptingHandler
    public /* bridge */ /* synthetic */ void userEventTriggered(ChannelHandlerContext channelHandlerContext, Object obj) throws Exception {
        super.userEventTriggered(channelHandlerContext, obj);
    }

    @Override // com.couchbase.client.dcp.transport.netty.ConnectInterceptingHandler
    public /* bridge */ /* synthetic */ void exceptionCaught(ChannelHandlerContext channelHandlerContext, Throwable th) throws Exception {
        super.exceptionCaught(channelHandlerContext, th);
    }

    @Override // com.couchbase.client.dcp.transport.netty.ConnectInterceptingHandler
    public /* bridge */ /* synthetic */ void flush(ChannelHandlerContext channelHandlerContext) throws Exception {
        super.flush(channelHandlerContext);
    }

    @Override // com.couchbase.client.dcp.transport.netty.ConnectInterceptingHandler
    public /* bridge */ /* synthetic */ void write(ChannelHandlerContext channelHandlerContext, Object obj, ChannelPromise channelPromise) throws Exception {
        super.write(channelHandlerContext, obj, channelPromise);
    }

    @Override // com.couchbase.client.dcp.transport.netty.ConnectInterceptingHandler
    public /* bridge */ /* synthetic */ void read(ChannelHandlerContext channelHandlerContext) throws Exception {
        super.read(channelHandlerContext);
    }

    @Override // com.couchbase.client.dcp.transport.netty.ConnectInterceptingHandler
    public /* bridge */ /* synthetic */ void deregister(ChannelHandlerContext channelHandlerContext, ChannelPromise channelPromise) throws Exception {
        super.deregister(channelHandlerContext, channelPromise);
    }

    @Override // com.couchbase.client.dcp.transport.netty.ConnectInterceptingHandler
    public /* bridge */ /* synthetic */ void close(ChannelHandlerContext channelHandlerContext, ChannelPromise channelPromise) throws Exception {
        super.close(channelHandlerContext, channelPromise);
    }

    @Override // com.couchbase.client.dcp.transport.netty.ConnectInterceptingHandler
    public /* bridge */ /* synthetic */ void disconnect(ChannelHandlerContext channelHandlerContext, ChannelPromise channelPromise) throws Exception {
        super.disconnect(channelHandlerContext, channelPromise);
    }

    @Override // com.couchbase.client.dcp.transport.netty.ConnectInterceptingHandler
    public /* bridge */ /* synthetic */ void bind(ChannelHandlerContext channelHandlerContext, SocketAddress socketAddress, ChannelPromise channelPromise) throws Exception {
        super.bind(channelHandlerContext, socketAddress, channelPromise);
    }

    @Override // com.couchbase.client.dcp.transport.netty.ConnectInterceptingHandler
    public /* bridge */ /* synthetic */ void connect(ChannelHandlerContext channelHandlerContext, SocketAddress socketAddress, SocketAddress socketAddress2, ChannelPromise channelPromise) throws Exception {
        super.connect(channelHandlerContext, socketAddress, socketAddress2, channelPromise);
    }
}
