package org.apache.qpid.jms.provider.amqp;

import java.security.Principal;
import java.util.HashSet;
import java.util.Set;
import javax.jms.JMSSecurityException;
import javax.security.sasl.SaslException;
import org.apache.qpid.jms.meta.JmsConnectionInfo;
import org.apache.qpid.jms.sasl.Mechanism;
import org.apache.qpid.jms.sasl.SaslMechanismFinder;
import org.apache.qpid.proton.engine.Sasl;

/* loaded from: input_file:lib/qpid-jms-client-0.8.0.jar:org/apache/qpid/jms/provider/amqp/AmqpSaslAuthenticator.class */
public class AmqpSaslAuthenticator {
    private final Sasl sasl;
    private final JmsConnectionInfo info;
    private Mechanism mechanism;
    private final Principal localPrincipal;
    private Set<String> mechanismsRestriction;

    public AmqpSaslAuthenticator(Sasl sasl, JmsConnectionInfo jmsConnectionInfo, Principal principal, String[] strArr) {
        this.sasl = sasl;
        this.info = jmsConnectionInfo;
        this.localPrincipal = principal;
        if (strArr != null) {
            HashSet hashSet = new HashSet();
            for (String str : strArr) {
                if (!str.trim().isEmpty()) {
                    hashSet.add(str);
                }
            }
            if (hashSet.isEmpty()) {
                return;
            }
            this.mechanismsRestriction = hashSet;
        }
    }

    public boolean authenticate() throws JMSSecurityException {
        switch (this.sasl.getState()) {
            case PN_SASL_IDLE:
                handleSaslInit();
                return false;
            case PN_SASL_STEP:
                handleSaslStep();
                return false;
            case PN_SASL_FAIL:
                handleSaslFail();
                return false;
            case PN_SASL_PASS:
                return true;
            default:
                return false;
        }
    }

    private void handleSaslInit() throws JMSSecurityException {
        try {
            String[] remoteMechanisms = this.sasl.getRemoteMechanisms();
            if (remoteMechanisms != null && remoteMechanisms.length != 0) {
                this.mechanism = SaslMechanismFinder.findMatchingMechanism(this.info.getUsername(), this.info.getPassword(), this.localPrincipal, this.mechanismsRestriction, remoteMechanisms);
                if (this.mechanism == null) {
                    throw new JMSSecurityException("Could not find a suitable SASL mechanism for the remote peer using the available credentials.");
                }
                this.mechanism.setUsername(this.info.getUsername());
                this.mechanism.setPassword(this.info.getPassword());
                this.sasl.setMechanisms(this.mechanism.getName());
                byte[] initialResponse = this.mechanism.getInitialResponse();
                if (initialResponse != null) {
                    this.sasl.send(initialResponse, 0, initialResponse.length);
                }
            }
        } catch (SaslException e) {
            JMSSecurityException jMSSecurityException = new JMSSecurityException("Exception while processing SASL init.");
            jMSSecurityException.setLinkedException(e);
            jMSSecurityException.initCause(e);
            throw jMSSecurityException;
        }
    }

    private void handleSaslStep() throws JMSSecurityException {
        try {
            if (this.sasl.pending() != 0) {
                byte[] bArr = new byte[this.sasl.pending()];
                this.sasl.recv(bArr, 0, bArr.length);
                byte[] challengeResponse = this.mechanism.getChallengeResponse(bArr);
                this.sasl.send(challengeResponse, 0, challengeResponse.length);
            }
        } catch (SaslException e) {
            JMSSecurityException jMSSecurityException = new JMSSecurityException("Exception while processing SASL step.");
            jMSSecurityException.setLinkedException(e);
            jMSSecurityException.initCause(e);
            throw jMSSecurityException;
        }
    }

    private void handleSaslFail() throws JMSSecurityException {
        throw new JMSSecurityException("Client failed to authenticate");
    }
}
