package com.oracle.bmc.auth.sasl;

import com.google.protobuf.ByteString;
import com.google.protobuf.InvalidProtocolBufferException;
import com.oracle.bmc.auth.BasicAuthenticationDetailsProvider;
import com.oracle.bmc.auth.ConfigurableRefreshOnNotAuthenticatedProvider;
import com.oracle.bmc.http.signing.internal.PEMFileRSAPrivateKeySupplier;
import com.oracle.bmc.http.signing.internal.SignatureSigner;
import com.oracle.bmc.identity.auth.sasl.messages.OciSaslMessages;
import com.oracle.bmc.util.StreamUtils;
import com.oracle.bmc.util.internal.Validate;
import java.beans.ConstructorProperties;
import java.io.IOException;
import java.io.InputStream;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.interfaces.RSAPrivateKey;
import java.time.Duration;
import java.time.OffsetDateTime;
import java.util.Arrays;
import java.util.Collections;
import java.util.Map;
import java.util.UUID;
import java.util.concurrent.ConcurrentHashMap;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.sasl.SaslClient;
import javax.security.sasl.SaslClientFactory;
import javax.security.sasl.SaslException;

/* loaded from: input_file:com/oracle/bmc/auth/sasl/OciSaslClient.class */
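/**
 * SASL client that authenticates with a key held by a
 * {@link BasicAuthenticationDetailsProvider}.
 *
 * <p>The exchange has two client messages:
 * <ol>
 *   <li>{@code KEY_ID}: the client sends the provider's key id together with the intent
 *       (the payload obtained from the {@link NameCallback}).</li>
 *   <li>{@code SIGNING}: the client parses the server challenge, checks its size, and returns a
 *       signature over {@code challenge || intent (UTF-8) || epochSecond (8 bytes)} plus the
 *       timestamp that was signed.</li>
 * </ol>
 *
 * <p>No security layer is negotiated: {@link #wrap} and {@link #unwrap} return empty arrays.
 * The per-exchange fields ({@code state}, {@code currentPrivateKey}) are not synchronized; only the
 * access to the shared auth provider is.
 */
public class OciSaslClient implements SaslClient {
    /** Smallest challenge, in bytes, that this client agrees to sign. */
    public static final int MIN_CHALLENGE_SIZE = 32;
    /** Largest challenge, in bytes, that this client agrees to sign. */
    public static final int MAX_CHALLENGE_SIZE = 256;
    private static final SignatureSigner SIGNER = new SignatureSigner();
    private final OciMechanism mechanism;
    private final BasicAuthenticationDetailsProvider authProvider;
    private final String intent;
    /** Key material captured in the KEY_ID step and consumed by the SIGNING step. */
    private OciPrivateKey currentPrivateKey;
    private State state;

    /**
     * Process-wide registry that lets a provider be handed to the factory indirectly: the caller
     * registers the provider, receives a random key, and supplies that key through a
     * {@link PasswordCallback}.
     *
     * <p>Entries are never removed, so every registered provider (and whatever credentials it
     * holds) stays reachable for the lifetime of the class. The returned key is the only thing
     * needed to look the provider up, so treat it as a credential handle and keep it out of logs.
     *
     * <p>The decompiler notes that this class and {@link #cache} were package-private in the
     * compiled class; the modifiers below are the widened ones it produced.
     */
    public static class AuthProviderCache {
        private static final Map<String, BasicAuthenticationDetailsProvider> authProvidersCache =
                new ConcurrentHashMap<>();

        AuthProviderCache() {
        }

        /**
         * Registers a provider under a freshly generated random UUID.
         *
         * @param basicAuthenticationDetailsProvider provider to register
         * @return the key under which the provider can later be retrieved
         */
        public static String cache(BasicAuthenticationDetailsProvider basicAuthenticationDetailsProvider) {
            String cacheKey = UUID.randomUUID().toString();
            authProvidersCache.put(cacheKey, basicAuthenticationDetailsProvider);
            return cacheKey;
        }

        /**
         * Looks up a previously registered provider.
         *
         * @param cacheKey key returned by {@link #cache}
         * @return the provider, or {@code null} when the key is unknown
         */
        static BasicAuthenticationDetailsProvider get(String cacheKey) {
            return authProvidersCache.get(cacheKey);
        }
    }

    /**
     * Snapshot of the key id, private key stream and passphrase taken from the auth provider for
     * one exchange. The passphrase array is the one returned by the provider and is not copied.
     */
    public static final class OciPrivateKey {
        private final String keyId;
        private final InputStream privateKey;
        private final char[] passphraseCharacters;

        @ConstructorProperties({"keyId", "privateKey", "passphraseCharacters"})
        public OciPrivateKey(String keyId, InputStream privateKey, char[] passphraseCharacters) {
            this.keyId = keyId;
            this.privateKey = privateKey;
            this.passphraseCharacters = passphraseCharacters;
        }
    }

    /** {@link SaslClientFactory} that builds {@link OciSaslClient} instances. */
    public static class OciSaslClientFactory implements SaslClientFactory {

        /** Provider and payload collected from the callback handler. */
        public static final class Credentials {
            private final BasicAuthenticationDetailsProvider authProvider;
            private final String payload;

            private Credentials(BasicAuthenticationDetailsProvider authProvider, String payload) {
                this.authProvider = authProvider;
                this.payload = payload;
            }
        }

        /**
         * Creates a client for the first requested mechanism that {@link OciMechanism} recognises.
         *
         * @param mechanisms mechanism names to try, in order of preference
         * @param authorizationId not used by this implementation
         * @param protocol not used by this implementation
         * @param serverName not used by this implementation
         * @param props not used by this implementation
         * @param cbh handler that supplies the payload and the auth provider
         * @return a client in its initial state
         * @throws SaslException if no mechanism is supported or the handler does not supply usable
         *     credentials
         */
        @Override
        public SaslClient createSaslClient(String[] mechanisms, String authorizationId, String protocol,
                String serverName, Map<String, ?> props, CallbackHandler cbh) throws SaslException {
            OciMechanism selected = null;
            if (mechanisms != null) {
                for (String candidate : mechanisms) {
                    selected = OciMechanism.fromMechanismName(candidate);
                    if (selected != null) {
                        break;
                    }
                }
            }
            if (selected == null) {
                // Arrays.toString prints the names; wrapping the array in a list printed its identity hash.
                throw new SaslException(String.format(
                        "Requested mechanisms '%s' not supported. Supported mechanisms are '%s'.",
                        Arrays.toString(mechanisms), OciMechanism.mechanismNames()));
            }
            Credentials credentials = getCredentials(cbh);
            return new OciSaslClient(selected, credentials.authProvider, credentials.payload);
        }

        /**
         * @param props not used by this implementation
         * @return the names reported by {@link OciMechanism#mechanismNames()}
         */
        @Override
        public String[] getMechanismNames(Map<String, ?> props) {
            return (String[]) OciMechanism.mechanismNames().toArray(new String[0]);
        }

        /**
         * Asks the handler for the payload (mandatory {@link NameCallback}) and for the provider,
         * either directly through {@link OciAuthProviderCallback} or indirectly through a
         * {@link PasswordCallback} carrying an {@link AuthProviderCache} key. The direct provider
         * wins when both are supplied.
         *
         * @throws SaslException if the payload is missing, neither provider source is available, or
         *     the cache key does not resolve to a provider
         */
        private Credentials getCredentials(CallbackHandler callbackHandler) throws SaslException {
            NameCallback payloadCallback = new NameCallback("Payload");
            PasswordCallback cacheKeyCallback = new PasswordCallback("AuthProviderKey", false);
            OciAuthProviderCallback providerCallback = new OciAuthProviderCallback();
            execute(callbackHandler, payloadCallback, true);
            execute(callbackHandler, cacheKeyCallback, false);
            execute(callbackHandler, providerCallback, false);

            // getPassword() hands back a copy; wipe both the callback's array and our copy once used.
            char[] cacheKey = cacheKeyCallback.getPassword();
            cacheKeyCallback.clearPassword();
            try {
                BasicAuthenticationDetailsProvider provider = providerCallback.authProvider();
                if (provider == null) {
                    if (cacheKey == null) {
                        throw new SaslException(
                                "Callback handler needs to support either PasswordCallback or OciAuthProviderCallback");
                    }
                    provider = AuthProviderCache.get(new String(cacheKey));
                    if (provider == null) {
                        // Fail here instead of with a NullPointerException on the first challenge.
                        // The key is deliberately left out of the message.
                        throw new SaslException(
                                "No authentication provider is registered for the supplied AuthProviderKey");
                    }
                }
                String payload = payloadCallback.getName();
                if (payload == null) {
                    throw new SaslException("Callback handler did not supply a payload for NameCallback");
                }
                return new Credentials(provider, payload);
            } finally {
                if (cacheKey != null) {
                    Arrays.fill(cacheKey, '\0');
                }
            }
        }

        /**
         * Runs a single callback through the handler.
         *
         * @param callbackHandler handler to invoke
         * @param callback callback to populate
         * @param required when {@code true}, an unsupported callback is an error; when
         *     {@code false}, it is tolerated and the callback is left unpopulated
         * @throws SaslException on I/O failure, or when a required callback is unsupported
         */
        static <T extends Callback> void execute(CallbackHandler callbackHandler, T callback, boolean required)
                throws SaslException {
            try {
                callbackHandler.handle(new Callback[] {callback});
            } catch (IOException e) {
                throw new SaslException("Unexpected IOException during callback handler", e);
            } catch (UnsupportedCallbackException e) {
                if (required) {
                    throw new SaslException(
                            e.getCallback().getClass().getSimpleName() + " is not supported by the callback handler",
                            e);
                }
                // Optional callback: the caller checks whether it was populated.
            }
        }
    }

    /** Steps of the exchange, in order. */
    private enum State {
        KEY_ID,
        SIGNING,
        COMPLETE
    }

    private OciSaslClient(OciMechanism mechanism, BasicAuthenticationDetailsProvider authProvider, String intent) {
        this.currentPrivateKey = null;
        this.state = State.KEY_ID;
        this.mechanism = mechanism;
        this.authProvider = authProvider;
        this.intent = intent;
    }

    @Override
    public String getMechanismName() {
        return this.mechanism.mechanismName();
    }

    /**
     * Produces the next client message.
     *
     * @param challenge server challenge; ignored in the first step
     * @return the serialized key message, then the serialized signed response, then an empty array
     *     once the exchange is complete
     * @throws SaslException if the challenge is malformed or the private key cannot be loaded
     */
    @Override
    public byte[] evaluateChallenge(byte[] challenge) throws SaslException {
        switch (this.state) {
            case KEY_ID:
                this.state = State.SIGNING;
                return generateKeyMessage().toByteArray();
            case SIGNING:
                OciSaslMessages.Response response = signChallenge(challenge);
                // Only advance once signing succeeded.
                this.state = State.COMPLETE;
                return response.toByteArray();
            default:
                return new byte[0];
        }
    }

    /**
     * Captures the provider's current key material and builds the key message. Runs under the
     * provider's monitor so that refresh and the three reads are seen as one unit by other code
     * synchronizing on the same provider.
     */
    private OciSaslMessages.Key generateKeyMessage() {
        synchronized (this.authProvider) {
            if (this.authProvider instanceof ConfigurableRefreshOnNotAuthenticatedProvider) {
                ((ConfigurableRefreshOnNotAuthenticatedProvider<?>) this.authProvider)
                        .refreshIfExpiringWithin(Duration.ofMinutes(5L), false);
            }
            if (this.currentPrivateKey != null) {
                StreamUtils.closeQuietly(this.currentPrivateKey.privateKey);
                this.currentPrivateKey = null;
            }
            this.currentPrivateKey = new OciPrivateKey(
                    this.authProvider.getKeyId(),
                    this.authProvider.getPrivateKey(),
                    this.authProvider.getPassphraseCharacters());
            return OciSaslMessages.Key.newBuilder()
                    .setKeyId(this.currentPrivateKey.keyId)
                    .setIntent(this.intent)
                    .build();
        }
    }

    /**
     * Signs {@code challenge || intent || epochSecond} with the key captured in the KEY_ID step.
     *
     * <p>The client signs bytes chosen by the server, so the size check in
     * {@link #getAndValidateChallenge} and the appended intent and timestamp bound what a server
     * can obtain a signature over. The fields are concatenated without length prefixes;
     * presumably the verifier relies on knowing the challenge it issued.
     *
     * @throws SaslException if the challenge is rejected or the private key cannot be read
     */
    private OciSaslMessages.Response signChallenge(byte[] challengeBytes) throws SaslException {
        Validate.isTrue(this.currentPrivateKey != null, "required: currentPrivateKey != null", new Object[0]);
        // Validate first: a rejected challenge leaves the captured key in place, as before.
        OciSaslMessages.Challenge challenge = getAndValidateChallenge(challengeBytes);
        long epochSecond = OffsetDateTime.now().toEpochSecond();

        OciPrivateKey keyMaterial = this.currentPrivateKey;
        this.currentPrivateKey = null;
        try {
            PEMFileRSAPrivateKeySupplier keySupplier =
                    new PEMFileRSAPrivateKeySupplier(keyMaterial.privateKey, keyMaterial.passphraseCharacters);
            RSAPrivateKey privateKey = (RSAPrivateKey) keySupplier.supplyKey()
                    .orElseThrow(() -> new SaslException("Unable to get private key"));

            byte[] nonce = challenge.getChallenge().toByteArray();
            byte[] intentBytes = this.intent.getBytes(StandardCharsets.UTF_8);
            ByteBuffer toSign = ByteBuffer.allocate(nonce.length + intentBytes.length + Long.BYTES);
            toSign.put(nonce);
            toSign.put(intentBytes);
            toSign.putLong(epochSecond);

            byte[] signature = SIGNER.sign(privateKey, toSign.array(), this.mechanism.algorithm().getJvmName());
            return OciSaslMessages.Response.newBuilder()
                    .setTime(epochSecond)
                    .setSignature(ByteString.copyFrom(signature))
                    .build();
        } finally {
            // The reference is dropped above, so this is the last chance to release the stream.
            StreamUtils.closeQuietly(keyMaterial.privateKey);
        }
    }

    /**
     * Parses the server challenge and enforces the size bounds.
     *
     * @throws SaslException if the challenge is absent, is not a valid message, or its size is
     *     outside {@link #MIN_CHALLENGE_SIZE}..{@link #MAX_CHALLENGE_SIZE}
     */
    private OciSaslMessages.Challenge getAndValidateChallenge(byte[] challengeBytes) throws SaslException {
        if (challengeBytes == null) {
            throw new SaslException("Challenge sent by the server is missing");
        }
        try {
            OciSaslMessages.Challenge challenge = OciSaslMessages.Challenge.parseFrom(challengeBytes);
            int size = challenge.getChallenge().size();
            if (size < MIN_CHALLENGE_SIZE || size > MAX_CHALLENGE_SIZE) {
                throw new SaslException("Challenge sent by the server doesn't have the right size - " + size);
            }
            return challenge;
        } catch (InvalidProtocolBufferException e) {
            throw new SaslException("Challenge sent by the server is invalid", e);
        }
    }

    /** The client speaks first: the key message is sent without waiting for a challenge. */
    @Override
    public boolean hasInitialResponse() {
        return true;
    }

    @Override
    public boolean isComplete() {
        return this.state == State.COMPLETE;
    }

    /** No security layer is negotiated; always returns an empty array. */
    @Override
    public byte[] unwrap(byte[] incoming, int offset, int len) {
        return new byte[0];
    }

    /** No security layer is negotiated; always returns an empty array. */
    @Override
    public byte[] wrap(byte[] outgoing, int offset, int len) {
        return new byte[0];
    }

    /** No properties are negotiated; always returns {@code null}. */
    @Override
    public Object getNegotiatedProperty(String propName) {
        return null;
    }

    /**
     * Releases key material left over from an exchange that stopped between the two steps.
     * The passphrase array belongs to the provider, so it is dropped rather than wiped.
     */
    @Override
    public void dispose() {
        OciPrivateKey pending = this.currentPrivateKey;
        this.currentPrivateKey = null;
        if (pending != null) {
            StreamUtils.closeQuietly(pending.privateKey);
        }
    }
}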
