package io.questdb.cutlass.line.tcp;

import io.questdb.cairo.CairoException;
import io.questdb.cutlass.line.tcp.LineTcpConnectionContext;
import io.questdb.cutlass.line.tcp.LineTcpMeasurementScheduler;
import io.questdb.log.Log;
import io.questdb.log.LogFactory;
import io.questdb.std.ThreadLocal;
import io.questdb.std.Unsafe;
import io.questdb.std.str.DirectByteCharSequence;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.Signature;
import java.security.SignatureException;
import java.util.Base64;

/* loaded from: input_file:io/questdb/cutlass/line/tcp/LineTcpAuthConnectionContext.class */
class LineTcpAuthConnectionContext extends LineTcpConnectionContext {
    private static final Log LOG;
    private static final int CHALLENGE_LEN = 512;
    private static final int MIN_BUF_SIZE = 513;
    private static final ThreadLocal<SecureRandom> tlSrand;
    private final AuthDb authDb;
    private static final ThreadLocal<Signature> tlSigDER;
    private static final ThreadLocal<Signature> tlSigP1363;
    private final DirectByteCharSequence charSeq;
    private final byte[] challengeBytes;
    private PublicKey pubKey;
    private boolean authenticated;
    private AuthState authState;
    static final /* synthetic */ boolean $assertionsDisabled;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:io/questdb/cutlass/line/tcp/LineTcpAuthConnectionContext$AuthState.class */
    public enum AuthState {
        WAITING_FOR_KEY_ID(LineTcpConnectionContext.IOContextResult.NEEDS_READ),
        SENDING_CHALLENGE(LineTcpConnectionContext.IOContextResult.NEEDS_WRITE),
        WAITING_FOR_RESPONSE(LineTcpConnectionContext.IOContextResult.NEEDS_READ),
        COMPLETE(LineTcpConnectionContext.IOContextResult.NEEDS_READ),
        FAILED(LineTcpConnectionContext.IOContextResult.NEEDS_DISCONNECT);

        private final LineTcpConnectionContext.IOContextResult ioContextResult;

        AuthState(LineTcpConnectionContext.IOContextResult iOContextResult) {
            this.ioContextResult = iOContextResult;
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public LineTcpAuthConnectionContext(LineTcpReceiverConfiguration lineTcpReceiverConfiguration, AuthDb authDb, LineTcpMeasurementScheduler lineTcpMeasurementScheduler) {
        super(lineTcpReceiverConfiguration, lineTcpMeasurementScheduler);
        this.charSeq = new DirectByteCharSequence();
        this.challengeBytes = new byte[CHALLENGE_LEN];
        if (lineTcpReceiverConfiguration.getNetMsgBufferSize() < MIN_BUF_SIZE) {
            throw CairoException.instance(0).put("Minimum buffer length is ").put(513L);
        }
        this.authDb = authDb;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    @Override // io.questdb.cutlass.line.tcp.LineTcpConnectionContext
    public LineTcpConnectionContext.IOContextResult handleIO(LineTcpMeasurementScheduler.NetworkIOJob networkIOJob) {
        return this.authenticated ? super.handleIO(networkIOJob) : handleAuth();
    }

    private LineTcpConnectionContext.IOContextResult handleAuth() {
        switch (this.authState) {
            case WAITING_FOR_KEY_ID:
                readKeyId();
                break;
            case SENDING_CHALLENGE:
                sendChallenge();
                break;
            case WAITING_FOR_RESPONSE:
                waitForResponse();
                break;
        }
        return this.authState.ioContextResult;
    }

    private void readKeyId() {
        int findLineEnd = findLineEnd();
        if (findLineEnd != -1) {
            this.charSeq.of(this.recvBufStart, this.recvBufStart + findLineEnd);
            LOG.info().$('[').$(this.fd).$((CharSequence) "] authentication read key id [keyId=").$((CharSequence) this.charSeq).$(']').$();
            this.pubKey = this.authDb.getPublicKey(this.charSeq);
            this.recvBufPos = this.recvBufStart;
            int i = 0;
            SecureRandom secureRandom = tlSrand.get();
            while (i < CHALLENGE_LEN) {
                if (!$assertionsDisabled && this.recvBufStart + i >= this.recvBufEnd) {
                    throw new AssertionError();
                }
                int nextDouble = ((int) (secureRandom.nextDouble() * 95.0d)) + 32;
                Unsafe.getUnsafe().putByte(this.recvBufStart + i, (byte) nextDouble);
                this.challengeBytes[i] = (byte) nextDouble;
                i++;
            }
            Unsafe.getUnsafe().putByte(this.recvBufStart + i, (byte) 10);
            this.authState = AuthState.SENDING_CHALLENGE;
        }
    }

    private void sendChallenge() {
        int i = MIN_BUF_SIZE - ((int) (this.recvBufPos - this.recvBufStart));
        if (!$assertionsDisabled && i <= 0) {
            throw new AssertionError();
        }
        while (true) {
            int send = this.nf.send(this.fd, this.recvBufPos, i);
            if (send <= 0) {
                if (send == 0) {
                    return;
                }
                LOG.info().$('[').$(this.fd).$((CharSequence) "] authentication peer disconnected when challenge was being sent").$();
                this.authState = AuthState.FAILED;
                return;
            }
            if (i == send) {
                this.recvBufPos = this.recvBufStart;
                this.authState = AuthState.WAITING_FOR_RESPONSE;
                return;
            }
            this.recvBufPos += send;
        }
    }

    private void waitForResponse() {
        boolean z;
        int findLineEnd = findLineEnd();
        if (findLineEnd != -1) {
            if (null == this.pubKey) {
                LOG.info().$('[').$(this.fd).$((CharSequence) "] authentication failed, unknown key id").$();
                this.authState = AuthState.FAILED;
                return;
            }
            byte[] bArr = new byte[findLineEnd];
            for (int i = 0; i < findLineEnd; i++) {
                bArr[i] = Unsafe.getUnsafe().getByte(this.recvBufStart + i);
            }
            this.authState = AuthState.FAILED;
            byte[] decode = Base64.getDecoder().decode(bArr);
            Signature signature = decode.length == 64 ? tlSigP1363.get() : tlSigDER.get();
            try {
                signature.initVerify(this.pubKey);
                signature.update(this.challengeBytes);
                z = signature.verify(decode);
            } catch (InvalidKeyException | SignatureException e) {
                LOG.info().$('[').$(this.fd).$((CharSequence) "] authentication exception ").$(e).$();
                z = false;
            }
            if (!z) {
                LOG.info().$('[').$(this.fd).$((CharSequence) "] authentication failed, signature was not verified").$();
                this.authState = AuthState.FAILED;
            } else {
                this.authenticated = true;
                this.authState = AuthState.COMPLETE;
                compactBuffer(this.recvBufStart + findLineEnd + 1);
                LOG.info().$('[').$(this.fd).$((CharSequence) "] authentication success").$();
            }
        }
    }

    private int findLineEnd() {
        read();
        int i = (int) (this.recvBufPos - this.recvBufStart);
        int i2 = 0;
        int i3 = -1;
        while (true) {
            if (i2 >= i) {
                break;
            }
            if (Unsafe.getUnsafe().getByte(this.recvBufStart + i2) == 10) {
                i3 = i2;
                break;
            }
            i2++;
        }
        if (i3 != -1) {
            return i3;
        }
        if (this.recvBufPos == this.recvBufEnd) {
            LOG.info().$('[').$(this.fd).$((CharSequence) "] authentication token is too long").$();
            this.authState = AuthState.FAILED;
            return -1;
        }
        if (!this.peerDisconnected) {
            return -1;
        }
        LOG.info().$('[').$(this.fd).$((CharSequence) "] authentication disconnected by peer when reading token").$();
        this.authState = AuthState.FAILED;
        return -1;
    }

    @Override // io.questdb.cutlass.line.tcp.LineTcpConnectionContext, io.questdb.std.Mutable
    public void clear() {
        this.authenticated = false;
        this.authState = AuthState.WAITING_FOR_KEY_ID;
        this.pubKey = null;
        super.clear();
    }

    static {
        $assertionsDisabled = !LineTcpAuthConnectionContext.class.desiredAssertionStatus();
        LOG = LogFactory.getLog(LineTcpAuthConnectionContext.class);
        tlSrand = new ThreadLocal<>(SecureRandom::new);
        tlSigDER = new ThreadLocal<>(() -> {
            try {
                return Signature.getInstance(AuthDb.SIGNATURE_TYPE_DER);
            } catch (NoSuchAlgorithmException e) {
                throw new Error(e);
            }
        });
        tlSigP1363 = new ThreadLocal<>(() -> {
            try {
                return Signature.getInstance(AuthDb.SIGNATURE_TYPE_P1363);
            } catch (NoSuchAlgorithmException e) {
                throw new Error(e);
            }
        });
    }
}
