package com.atlassian.confluence.impl.cluster.hazelcast.interceptor.authenticator;

import aQute.lib.hex.Hex;
import com.atlassian.security.utils.ConstantTimeComparison;
import com.atlassian.util.profiling.Ticker;
import com.atlassian.util.profiling.Timers;
import com.google.common.base.MoreObjects;
import com.hazelcast.nio.ObjectDataInput;
import com.hazelcast.nio.ObjectDataOutput;
import java.io.ByteArrayOutputStream;
import java.io.DataOutputStream;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Random;
import org.bouncycastle.crypto.generators.SCrypt;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/atlassian/confluence/impl/cluster/hazelcast/interceptor/authenticator/SharedSecretClusterAuthenticator.class */
public class SharedSecretClusterAuthenticator implements ClusterAuthenticator {
    private static final int ITERATIONS = 32768;
    private static final int MAX_NETWORK_BYTEARRAY_SIZE = 1024;
    private static final int NONCE_BYTES = 16;
    private static final String VERIFICATION_FAILED_MESSAGE = "Cluster authentication failed. Please make sure all members share the same value for 'confluence.cluster.name' and 'confluence.cluster.authentication.secret' in confluence.cfg.xml.";
    private static final int VERSION = 2;
    private final String groupName;
    private final String sharedSecret;
    private static final Random RND = new SecureRandom();
    private static final Logger log = LoggerFactory.getLogger(SharedSecretClusterAuthenticator.class);

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/atlassian/confluence/impl/cluster/hazelcast/interceptor/authenticator/SharedSecretClusterAuthenticator$Nonce.class */
    public static final class Nonce {
        private byte[] nonceBytes;

        public Nonce() {
        }

        Nonce(byte[] bArr) {
            this.nonceBytes = bArr;
        }

        public void readData(ObjectDataInput objectDataInput) throws IOException {
            this.nonceBytes = SharedSecretClusterAuthenticator.readByteArray(objectDataInput);
        }

        public String toString() {
            return MoreObjects.toStringHelper(this).add("nonce", Hex.toHexString(this.nonceBytes)).toString();
        }

        public void writeData(ObjectDataOutput objectDataOutput) throws IOException {
            SharedSecretClusterAuthenticator.writeByteArray(objectDataOutput, this.nonceBytes);
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/atlassian/confluence/impl/cluster/hazelcast/interceptor/authenticator/SharedSecretClusterAuthenticator$Response.class */
    public static final class Response {
        private byte[] proof;

        public Response() {
        }

        Response(byte[] bArr) {
            this.proof = bArr;
        }

        public void readData(ObjectDataInput objectDataInput) throws IOException {
            this.proof = SharedSecretClusterAuthenticator.readByteArray(objectDataInput);
        }

        public String toString() {
            return MoreObjects.toStringHelper(this).add("proof", Hex.toHexString(this.proof)).toString();
        }

        public void writeData(ObjectDataOutput objectDataOutput) throws IOException {
            SharedSecretClusterAuthenticator.writeByteArray(objectDataOutput, this.proof);
        }
    }

    public SharedSecretClusterAuthenticator(String str, String str2) {
        this.groupName = str;
        this.sharedSecret = str2;
    }

    @Override // com.atlassian.confluence.impl.cluster.hazelcast.interceptor.authenticator.ClusterAuthenticator
    public ClusterAuthenticationResult authenticate(ClusterJoinRequest clusterJoinRequest) throws IOException {
        Ticker start = Timers.start("Cluster member authentication mode - " + clusterJoinRequest.getJoinMode());
        try {
            ClusterAuthenticationResult runMutualChallengeResponse = runMutualChallengeResponse(clusterJoinRequest);
            if (start != null) {
                start.close();
            }
            return runMutualChallengeResponse;
        } catch (Throwable th) {
            if (start != null) {
                try {
                    start.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    private static byte[] readByteArray(ObjectDataInput objectDataInput) throws IOException {
        int readInt = objectDataInput.readInt();
        if (readInt > MAX_NETWORK_BYTEARRAY_SIZE || readInt <= 0) {
            throw new IOException("Unable to read array: invalid length: " + readInt);
        }
        byte[] bArr = new byte[readInt];
        objectDataInput.readFully(bArr);
        return bArr;
    }

    private static void writeByteArray(ObjectDataOutput objectDataOutput, byte[] bArr) throws IOException {
        objectDataOutput.writeInt(bArr.length);
        objectDataOutput.write(bArr);
    }

    private byte[] generateSalt(byte[] bArr, byte[] bArr2, String str, int i, boolean z) throws IOException {
        ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
        try {
            DataOutputStream dataOutputStream = new DataOutputStream(byteArrayOutputStream);
            try {
                dataOutputStream.write(bArr);
                dataOutputStream.write(bArr2);
                dataOutputStream.writeBoolean(z);
                dataOutputStream.writeInt(i);
                dataOutputStream.write(str.getBytes(StandardCharsets.UTF_8));
                byte[] byteArray = byteArrayOutputStream.toByteArray();
                dataOutputStream.close();
                byteArrayOutputStream.close();
                return byteArray;
            } finally {
            }
        } catch (Throwable th) {
            try {
                byteArrayOutputStream.close();
            } catch (Throwable th2) {
                th.addSuppressed(th2);
            }
            throw th;
        }
    }

    private byte[] generateKey(byte[] bArr) throws UnsupportedEncodingException {
        Ticker start = Timers.start("Generate key");
        try {
            byte[] generate = SCrypt.generate(this.sharedSecret.getBytes(StandardCharsets.UTF_8.name()), bArr, ITERATIONS, 8, 1, 32);
            if (start != null) {
                start.close();
            }
            return generate;
        } catch (Throwable th) {
            if (start != null) {
                try {
                    start.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    private ClusterAuthenticationResult runMutualChallengeResponse(ClusterJoinRequest clusterJoinRequest) {
        try {
            log.debug("Inside runMutualChallengeResponse ... ClusterJoinRequest : {}", clusterJoinRequest);
            ObjectDataInput in = clusterJoinRequest.in();
            ObjectDataOutput out = clusterJoinRequest.out();
            boolean z = clusterJoinRequest.getJoinMode() == ClusterJoinMode.CONNECT;
            if (!verifyGroupName(in, out, z)) {
                return new ClusterAuthenticationResult(false, VERIFICATION_FAILED_MESSAGE);
            }
            out.writeInt(VERSION);
            int readInt = in.readInt();
            if (readInt == -21) {
                return new ClusterAuthenticationResult(false, "Application version is incompatible. Zero Downtime Upgrades between this application version and older versions are not supported.");
            }
            if (readInt != VERSION) {
                return new ClusterAuthenticationResult(false, "Cannot form a cluster with nodes using different Confluence versions");
            }
            Nonce generateNewNonce = generateNewNonce();
            log.trace("Generated: {}", generateNewNonce);
            Nonce nonce = new Nonce();
            Response response = new Response();
            if (z) {
                nonce.readData(in);
                generateNewNonce.writeData(out);
                response.readData(in);
                createResponse(generateNewNonce, nonce, clusterJoinRequest.getLocalAddress(), clusterJoinRequest.getLocalPort(), z).writeData(out);
            } else {
                generateNewNonce.writeData(out);
                nonce.readData(in);
                createResponse(generateNewNonce, nonce, clusterJoinRequest.getLocalAddress(), clusterJoinRequest.getLocalPort(), z).writeData(out);
                response.readData(in);
            }
            return verifyResponse(response, generateNewNonce, nonce, z, clusterJoinRequest.getRemoteAddress(), clusterJoinRequest.getRemotePort());
        } catch (IOException e) {
            return new ClusterAuthenticationResult(false, "Unexpected bytes from remote node, closing socket");
        }
    }

    private Response createResponse(Nonce nonce, Nonce nonce2, String str, int i, boolean z) throws IOException {
        Response response = new Response(generateKey(generateSalt(nonce.nonceBytes, nonce2.nonceBytes, str, i, z)));
        log.debug("Created: {}", response);
        return response;
    }

    private Nonce generateNewNonce() {
        byte[] bArr = new byte[NONCE_BYTES];
        RND.nextBytes(bArr);
        return new Nonce(bArr);
    }

    private ClusterAuthenticationResult verifyResponse(Response response, Nonce nonce, Nonce nonce2, boolean z, String str, int i) throws IOException {
        byte[] bArr = response.proof;
        byte[] generateKey = generateKey(generateSalt(nonce2.nonceBytes, nonce.nonceBytes, str, i, !z));
        if (log.isTraceEnabled()) {
            log.trace("Verification: remote proof: {}", Hex.toHexString(bArr));
            log.trace("Verification: local proof:  {}", Hex.toHexString(generateKey));
        }
        return new ClusterAuthenticationResult(ConstantTimeComparison.isEqual(generateKey, bArr), VERIFICATION_FAILED_MESSAGE);
    }

    private boolean verifyGroupName(ObjectDataInput objectDataInput, ObjectDataOutput objectDataOutput, boolean z) throws IOException {
        if (z) {
            objectDataOutput.writeUTF(this.groupName);
            return this.groupName.equals(objectDataInput.readUTF());
        }
        boolean equals = this.groupName.equals(objectDataInput.readUTF());
        if (equals) {
            objectDataOutput.writeUTF(this.groupName);
        } else {
            objectDataOutput.writeUTF("");
        }
        return equals;
    }
}
