package org.wso2.carbon.andes.extensions.device.mgt.mqtt.authorization;

import feign.Client;
import feign.Feign;
import feign.FeignException;
import feign.Logger;
import feign.gson.GsonDecoder;
import feign.gson.GsonEncoder;
import feign.jaxrs.JAXRSContract;
import feign.slf4j.Slf4jLogger;
import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import java.util.concurrent.TimeUnit;
import javax.cache.Cache;
import javax.cache.CacheConfiguration;
import javax.cache.Caching;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.dna.mqtt.moquette.server.IAuthorizer;
import org.wso2.andes.configuration.enums.MQTTAuthoriztionPermissionLevel;
import org.wso2.andes.mqtt.MQTTAuthorizationSubject;
import org.wso2.carbon.andes.extensions.device.mgt.mqtt.authorization.client.OAuthRequestInterceptor;
import org.wso2.carbon.andes.extensions.device.mgt.mqtt.authorization.client.dto.AuthorizationRequest;
import org.wso2.carbon.andes.extensions.device.mgt.mqtt.authorization.client.dto.DeviceAccessAuthorizationAdminService;
import org.wso2.carbon.andes.extensions.device.mgt.mqtt.authorization.client.dto.DeviceIdentifier;
import org.wso2.carbon.andes.extensions.device.mgt.mqtt.authorization.config.AuthorizationConfigurationManager;
import org.wso2.carbon.andes.extensions.device.mgt.mqtt.authorization.internal.AuthorizationDataHolder;
import org.wso2.carbon.andes.extensions.device.mgt.mqtt.authorization.util.AuthorizationCacheKey;
import org.wso2.carbon.context.PrivilegedCarbonContext;
import org.wso2.carbon.user.api.UserRealm;
import org.wso2.carbon.user.api.UserStoreException;

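/**
 * MQTT authorizer that delegates topic-level decisions to the device-management
 * authorization admin service (reached through a Feign client) and connect-level
 * decisions to the Carbon user realm of the subject's tenant.
 *
 * <p>Topic layout this class relies on: {@code <tenantDomain>/<deviceType>/<deviceId>[/...]}.
 * A topic with fewer than three segments is authorized at tenant level only.
 *
 * <p>Only positive decisions are cached (per tenant, user, device type and id); a denial
 * or a failed service call is never cached, so a transient outage does not lock a client out
 * but every denied request costs a remote call.
 */
public class DeviceAccessBasedMQTTAuthorizer implements IAuthorizer {

    private static final String UI_EXECUTE = "ui.execute";
    private static final Log log = LogFactory.getLog(DeviceAccessBasedMQTTAuthorizer.class);
    private static final String CDMF_SERVER_BASE_CONTEXT = "/api/device-mgt/v1.0";
    private static final String CACHE_MANAGER_NAME = "mqttAuthorizationCacheManager";
    private static final String CACHE_NAME = "mqttAuthorizationCache";
    /** Marker found in the gateway's error body when the backend service is unreachable. */
    private static final String GATEWAY_ERROR_CODE = "<am:code>404</am:code>";
    /** Tenant under which the shared cache is looked up and the admin service is called. */
    private static final String SUPER_TENANT_DOMAIN = "carbon.super";
    /** Minimum number of topic segments needed to carry a device type and id. */
    private static final int TOPIC_MIN_DEVICE_SEGMENTS = 3;

    // Process-wide, as in the original: every instance shares one client and one interceptor.
    private static DeviceAccessAuthorizationAdminService deviceAccessAuthorizationAdminService;
    private static OAuthRequestInterceptor oAuthRequestInterceptor;

    private final AuthorizationConfigurationManager authorizationConfiguration;

    /**
     * Creates the authorizer and (re)builds the shared Feign client against the configured
     * device-management server URL.
     */
    public DeviceAccessBasedMQTTAuthorizer() {
        oAuthRequestInterceptor = new OAuthRequestInterceptor();
        this.authorizationConfiguration = AuthorizationConfigurationManager.getInstance();
        deviceAccessAuthorizationAdminService = Feign.builder()
                .client(getSSLClient())
                .logger(new Slf4jLogger())
                // NOTE(review): Level.FULL logs request and response headers and bodies; if the
                // interceptor adds a bearer token header (likely, given its name) it is logged too.
                // Lower this outside troubleshooting.
                .logLevel(Logger.Level.FULL)
                .requestInterceptor(oAuthRequestInterceptor)
                .contract(new JAXRSContract())
                .encoder(new GsonEncoder())
                .decoder(new GsonDecoder())
                .target(DeviceAccessAuthorizationAdminService.class,
                        this.authorizationConfiguration.getDeviceMgtServerUrl() + CDMF_SERVER_BASE_CONTEXT);
    }

    /**
     * Decides whether {@code subject} may publish to or subscribe on {@code topic}.
     *
     * <p>The first topic segment must equal the subject's tenant domain. Topics with fewer than
     * {@value #TOPIC_MIN_DEVICE_SEGMENTS} segments are checked at tenant level; otherwise the
     * second and third segments are taken as device type and device id and the admin service is
     * asked whether the user holds the configured publisher/subscriber permissions on that device.
     *
     * @param subject         the authenticated MQTT subject (username and tenant domain)
     * @param topic           the MQTT topic being accessed
     * @param permissionLevel whether the access is a SUBSCRIBE or a PUBLISH
     * @return {@code true} only when authorization is positively confirmed; {@code false} on a
     *         malformed topic, a tenant mismatch, a denial, or any failure to reach the service
     */
    public boolean isAuthorizedForTopic(MQTTAuthorizationSubject subject, String topic,
                                        MQTTAuthoriztionPermissionLevel permissionLevel) {
        if (subject == null || topic == null) {
            return false; // fail closed on missing input
        }
        PrivilegedCarbonContext.startTenantFlow();
        try {
            PrivilegedCarbonContext.getThreadLocalCarbonContext().setTenantDomain(SUPER_TENANT_DOMAIN, true);
            String[] segments = topic.split("/");
            // "/" alone splits to an empty array; the original indexed [0] unconditionally.
            if (segments.length == 0) {
                return false;
            }
            String tenantDomain = segments[0];
            if (!tenantDomain.equals(subject.getTenantDomain())) {
                return false;
            }
            Cache<AuthorizationCacheKey, Boolean> cache = getCache();
            String username = subject.getUsername();
            if (segments.length < TOPIC_MIN_DEVICE_SEGMENTS) {
                return isAuthorizedForTenantTopic(cache, tenantDomain, username);
            }
            return isAuthorizedForDeviceTopic(cache, tenantDomain, username,
                    segments[1], segments[2], permissionLevel);
        } finally {
            // One exit point for the tenant flow; the original repeated endTenantFlow() on
            // every return and leaked the flow on unchecked exceptions after the split.
            PrivilegedCarbonContext.endTenantFlow();
        }
    }

    /**
     * Tenant-level check for topics that carry no device segments: the admin service is asked
     * with only the tenant domain set, and any non-null response counts as authorized.
     */
    private boolean isAuthorizedForTenantTopic(Cache<AuthorizationCacheKey, Boolean> cache,
                                               String tenantDomain, String username) {
        AuthorizationCacheKey key = new AuthorizationCacheKey(tenantDomain, username, "", "");
        if (Boolean.TRUE.equals(cache.get(key))) {
            return true;
        }
        AuthorizationRequest request = new AuthorizationRequest();
        request.setTenantDomain(tenantDomain);
        try {
            if (deviceAccessAuthorizationAdminService.isAuthorized(request) == null) {
                return false;
            }
            cache.put(key, true);
            return true;
        } catch (FeignException e) {
            handleAuthorizationServiceFailure(e);
            return false;
        }
    }

    /**
     * Device-level check: asks the admin service whether {@code username} holds the configured
     * publisher or subscriber permissions on the device named in the topic. Authorization is
     * granted only if the service echoes back exactly that device type and id.
     */
    private boolean isAuthorizedForDeviceTopic(Cache<AuthorizationCacheKey, Boolean> cache,
                                               String tenantDomain, String username,
                                               String deviceType, String deviceId,
                                               MQTTAuthoriztionPermissionLevel permissionLevel) {
        AuthorizationCacheKey key = new AuthorizationCacheKey(tenantDomain, username, deviceId, deviceType);
        if (Boolean.TRUE.equals(cache.get(key))) {
            return true;
        }
        List<String> permissions = permissionLevel == MQTTAuthoriztionPermissionLevel.SUBSCRIBE
                ? authorizationConfiguration.getSubscriberPermissions()
                : authorizationConfiguration.getPublisherPermissions();
        AuthorizationRequest request = new AuthorizationRequest();
        request.setTenantDomain(tenantDomain);
        if (permissions != null) {
            request.setPermissions(permissions);
        }
        request.setUsername(username);
        DeviceIdentifier requested = new DeviceIdentifier();
        requested.setId(deviceId);
        requested.setType(deviceType);
        ArrayList<DeviceIdentifier> identifiers = new ArrayList<>();
        identifiers.add(requested);
        request.setDeviceIdentifiers(identifiers);
        try {
            AuthorizationRequest response = null;
            Object raw = deviceAccessAuthorizationAdminService.isAuthorized(request);
            if (raw == null) {
                return false; // no response body: fail closed instead of the original NPE
            }
            List<DeviceIdentifier> authorized =
                    deviceAccessAuthorizationAdminService.isAuthorized(request).getAuthorizedDevices();
            if (authorized != null && !authorized.isEmpty()) {
                DeviceIdentifier granted = authorized.get(0);
                if (deviceId.equals(granted.getId()) && deviceType.equals(granted.getType())) {
                    cache.put(key, true);
                    return true;
                }
            }
        } catch (FeignException e) {
            handleAuthorizationServiceFailure(e);
        }
        return false;
    }

    /**
     * Common handling for a failed admin-service call: resets the interceptor's API application
     * key (presumably so the next call re-acquires credentials) and logs the failure. The caller
     * denies the request; nothing is cached.
     */
    private static void handleAuthorizationServiceFailure(FeignException e) {
        oAuthRequestInterceptor.resetApiApplicationKey();
        String message = e.getMessage(); // may be null; the original dereferenced it unguarded
        if (message != null && message.contains(GATEWAY_ERROR_CODE)) {
            log.error("Failed to connect to the device authorization service.", e);
        } else {
            log.error(message, e);
        }
    }

    /**
     * Decides whether {@code subject} may open an MQTT connection at all.
     *
     * @return {@code true} when no connection permission is configured (connect-time
     *         authorization disabled), otherwise the realm's answer for the configured
     *         permission and the {@value #UI_EXECUTE} action
     */
    public boolean isAuthorizedToConnect(MQTTAuthorizationSubject subject) {
        String connectionPermission = authorizationConfiguration.getConnectionPermission();
        if (connectionPermission == null || connectionPermission.isEmpty()) {
            return true;
        }
        return isUserAuthorized(subject, connectionPermission, UI_EXECUTE);
    }

    /**
     * Asks the subject's tenant realm whether the user holds {@code permission} for
     * {@code action}. Any realm lookup failure is logged and treated as not authorized.
     */
    private boolean isUserAuthorized(MQTTAuthorizationSubject subject, String permission, String action) {
        String username = subject.getUsername();
        PrivilegedCarbonContext.startTenantFlow();
        try {
            PrivilegedCarbonContext.getThreadLocalCarbonContext().setTenantDomain(subject.getTenantDomain(), true);
            int tenantId = PrivilegedCarbonContext.getThreadLocalCarbonContext().getTenantId();
            UserRealm realm = AuthorizationDataHolder.getInstance().getRealmService().getTenantUserRealm(tenantId);
            return realm != null
                    && realm.getAuthorizationManager() != null
                    && realm.getAuthorizationManager().isUserAuthorized(username, permission, action);
        } catch (UserStoreException e) {
            log.error(String.format("Unable to authorize the user : %s", username), e);
            return false;
        } finally {
            PrivilegedCarbonContext.endTenantFlow();
        }
    }

    /**
     * Returns the authorization cache, always resolved under the super tenant so every tenant
     * shares one cache. A configured duration of 0 means "no expiry configured" and the
     * manager's existing cache is returned; otherwise a cache expiring that many seconds after
     * each modification is built.
     */
    private synchronized Cache<AuthorizationCacheKey, Boolean> getCache() {
        PrivilegedCarbonContext.startTenantFlow();
        try {
            PrivilegedCarbonContext.getThreadLocalCarbonContext().setTenantDomain(SUPER_TENANT_DOMAIN, true);
            long cacheDuration = authorizationConfiguration.getCacheDuration();
            if (cacheDuration == 0) {
                Cache<AuthorizationCacheKey, Boolean> existing =
                        Caching.getCacheManagerFactory().getCacheManager(CACHE_MANAGER_NAME).getCache(CACHE_NAME);
                return existing;
            }
            Cache<AuthorizationCacheKey, Boolean> expiring = Caching.getCacheManagerFactory()
                    .getCacheManager(CACHE_MANAGER_NAME)
                    .createCacheBuilder(CACHE_NAME)
                    .setExpiry(CacheConfiguration.ExpiryType.MODIFIED,
                            new CacheConfiguration.Duration(TimeUnit.SECONDS, cacheDuration))
                    .setStoreByValue(false)
                    .build();
            return expiring;
        } finally {
            PrivilegedCarbonContext.endTenantFlow();
        }
    }

    /**
     * Builds the HTTP client used to reach the device-management server.
     *
     * <p>NOTE(review): the hostname verifier accepts every host name and the socket factory
     * from {@link #getTrustedSSLSocketFactory()} accepts every certificate chain, so the TLS
     * connection to the admin service is encrypted but the server is not authenticated.
     * Authorization answers could therefore come from any host that can intercept the
     * connection. Preserved here for compatibility with deployments relying on it; the fix
     * is to drop this verifier (use the JDK default) and use the platform trust store.
     */
    private static Client getSSLClient() {
        return new Client.Default(getTrustedSSLSocketFactory(), new HostnameVerifier() {
            @Override
            public boolean verify(String hostname, SSLSession session) {
                return true;
            }
        });
    }

    /**
     * Builds an SSL socket factory whose trust manager accepts every certificate.
     *
     * <p>NOTE(review): see {@link #getSSLClient()} — this disables server authentication.
     *
     * @return the factory, or {@code null} if the context cannot be initialised (Feign's
     *         {@code Client.Default} then falls back to the JVM default socket factory)
     */
    private static SSLSocketFactory getTrustedSSLSocketFactory() {
        try {
            TrustManager[] trustAll = {new X509TrustManager() {
                @Override
                public X509Certificate[] getAcceptedIssuers() {
                    // The interface contract requires a non-null array; null can NPE inside JSSE.
                    return new X509Certificate[0];
                }

                @Override
                public void checkClientTrusted(X509Certificate[] chain, String authType) {
                    // accepts everything — see class-level review note
                }

                @Override
                public void checkServerTrusted(X509Certificate[] chain, String authType) {
                    // accepts everything — see class-level review note
                }
            }};
            // "TLS" rather than the legacy "SSL" alias; both resolve to the same enabled
            // protocols on current JDKs, but the name should not advertise SSLv3.
            SSLContext sslContext = SSLContext.getInstance("TLS");
            sslContext.init(null, trustAll, new SecureRandom());
            return sslContext.getSocketFactory();
        } catch (KeyManagementException | NoSuchAlgorithmException e) {
            // The original swallowed this silently; log it so a misconfigured JSSE is visible.
            log.error("Unable to initialise the SSL context for the device authorization client.", e);
            return null;
        }
    }
}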
