package com.atlassian.jira.cluster.distribution.localq.rmi.auth;

import aQute.lib.hex.Hex;
import com.atlassian.security.random.SecureRandomFactory;
import com.atlassian.security.utils.ConstantTimeComparison;
import com.google.common.base.Stopwatch;
import java.io.ByteArrayOutputStream;
import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.time.Duration;
import java.util.concurrent.TimeUnit;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/atlassian/jira/cluster/distribution/localq/rmi/auth/SharedSecretClusterAuthService.class */
public class SharedSecretClusterAuthService implements ClusterAuthService {
    private static final int NONCE_BYTES = 16;
    private static final int RESPONSE_BYTES = 32;
    private static final String HMAC_ALGORITHM = "HmacSHA256";
    private static final SecureRandom secureRandom = SecureRandomFactory.newInstance();
    private static final Logger log = LoggerFactory.getLogger(SharedSecretClusterAuthService.class);
    private final ClusterAuthSharedKeySupplier clusterAuthSharedKeySupplier;
    private final ClusterAuthStatsManager clusterAuthStatsManager;

    public SharedSecretClusterAuthService(ClusterAuthSharedKeySupplier clusterAuthSharedKeySupplier, ClusterAuthStatsManager clusterAuthStatsManager) {
        this.clusterAuthSharedKeySupplier = clusterAuthSharedKeySupplier;
        this.clusterAuthStatsManager = clusterAuthStatsManager;
    }

    @Override // com.atlassian.jira.cluster.distribution.localq.rmi.auth.ClusterAuthService
    public ClusterAuthenticationResult authenticate(ClusterJoinRequest clusterJoinRequest) {
        if (!this.clusterAuthSharedKeySupplier.get().isPresent()) {
            log.debug("{}authentication skipped", prefix(clusterJoinRequest.isServer()));
            this.clusterAuthStatsManager.notifyAuthenticationSkipped(clusterJoinRequest.isServer());
            return new ClusterAuthenticationResult(true, "Cluster authentication skipped");
        }
        log.debug("{}authentication started at {}millis", prefix(clusterJoinRequest.isServer()), 0);
        Stopwatch createStarted = Stopwatch.createStarted();
        ClusterAuthenticationResult clusterAuthenticationResult = null;
        try {
            clusterAuthenticationResult = runMutualChallengeResponse(this.clusterAuthSharedKeySupplier.get().get(), clusterJoinRequest, createStarted);
            if (!clusterAuthenticationResult.isSuccessful()) {
                this.clusterAuthSharedKeySupplier.refresh();
            }
            Duration elapsed = createStarted.elapsed();
            this.clusterAuthStatsManager.notifyAuthenticationFinished(clusterJoinRequest.isServer(), elapsed.toMillis(), clusterAuthenticationResult);
            log.debug("{}authentication finished at {}millis", prefix(clusterJoinRequest.isServer()), elapsed);
            return clusterAuthenticationResult;
        } catch (Throwable th) {
            Duration elapsed2 = createStarted.elapsed();
            this.clusterAuthStatsManager.notifyAuthenticationFinished(clusterJoinRequest.isServer(), elapsed2.toMillis(), clusterAuthenticationResult);
            log.debug("{}authentication finished at {}millis", prefix(clusterJoinRequest.isServer()), elapsed2);
            throw th;
        }
    }

    private ClusterAuthenticationResult runMutualChallengeResponse(byte[] bArr, ClusterJoinRequest clusterJoinRequest, Stopwatch stopwatch) {
        String readNonce;
        String readResponse;
        try {
            boolean isServer = clusterJoinRequest.isServer();
            DataOutputStream dataOutputStream = new DataOutputStream(clusterJoinRequest.out());
            DataInputStream dataInputStream = new DataInputStream(clusterJoinRequest.in());
            String generateNewNonce = generateNewNonce();
            log.trace("{}generated: {} at {}millis", new Object[]{prefix(isServer), generateNewNonce, Long.valueOf(stopwatch.elapsed(TimeUnit.MILLISECONDS))});
            if (clusterJoinRequest.isServer()) {
                writeNonce(dataOutputStream, generateNewNonce, isServer, stopwatch);
                readNonce = readNonce(dataInputStream, isServer, stopwatch);
                writeResponse(dataOutputStream, createResponse(bArr, generateNewNonce, readNonce, isServer, stopwatch), isServer, stopwatch);
                readResponse = readResponse(dataInputStream, isServer, stopwatch);
            } else {
                readNonce = readNonce(dataInputStream, isServer, stopwatch);
                writeNonce(dataOutputStream, generateNewNonce, isServer, stopwatch);
                readResponse = readResponse(dataInputStream, isServer, stopwatch);
                writeResponse(dataOutputStream, createResponse(bArr, generateNewNonce, readNonce, isServer, stopwatch), isServer, stopwatch);
            }
            ClusterAuthenticationResult verifyResponse = verifyResponse(bArr, readResponse, generateNewNonce, readNonce, clusterJoinRequest.isServer());
            log.trace("{}response verified at {}millis", prefix(isServer), Long.valueOf(stopwatch.elapsed(TimeUnit.MILLISECONDS)));
            return verifyResponse;
        } catch (IOException e) {
            log.debug("IOException during cluster auth challenge-response", e);
            return new ClusterAuthenticationResult(false, "Exception:" + e.toString(), e);
        }
    }

    private void writeNonce(DataOutputStream dataOutputStream, String str, boolean z, Stopwatch stopwatch) throws IOException {
        dataOutputStream.writeUTF(str);
        log.trace("{}local nonce {} send at {}millis", new Object[]{prefix(z), str, Long.valueOf(stopwatch.elapsed(TimeUnit.MILLISECONDS))});
    }

    private String readNonce(DataInputStream dataInputStream, boolean z, Stopwatch stopwatch) throws IOException {
        String readUTF = dataInputStream.readUTF();
        if (readUTF.length() != 32) {
            throw new IOException("remote nonce size mismatch");
        }
        log.trace("{}remote nonce {} received at {}millis", new Object[]{prefix(z), readUTF, Long.valueOf(stopwatch.elapsed(TimeUnit.MILLISECONDS))});
        return readUTF;
    }

    private void writeResponse(DataOutputStream dataOutputStream, String str, boolean z, Stopwatch stopwatch) throws IOException {
        dataOutputStream.writeUTF(str);
        log.trace("{}local response {} send at {}millis", new Object[]{prefix(z), str, Long.valueOf(stopwatch.elapsed(TimeUnit.MILLISECONDS))});
    }

    private String readResponse(DataInputStream dataInputStream, boolean z, Stopwatch stopwatch) throws IOException {
        String readUTF = dataInputStream.readUTF();
        if (readUTF.length() != 64) {
            throw new IOException("remote response size mismatch");
        }
        log.trace("{}remote response {} received at {}millis", new Object[]{prefix(z), readUTF, Long.valueOf(stopwatch.elapsed(TimeUnit.MILLISECONDS))});
        return readUTF;
    }

    private String createResponse(byte[] bArr, String str, String str2, boolean z, Stopwatch stopwatch) throws IOException {
        log.trace("{}create response generateSalt from: {} / {} / {} at {}millis", new Object[]{prefix(z), str, str2, Boolean.valueOf(z), Long.valueOf(stopwatch.elapsed(TimeUnit.MILLISECONDS))});
        byte[] generateSalt = generateSalt(str.getBytes(StandardCharsets.UTF_8), str2.getBytes(StandardCharsets.UTF_8), z);
        log.trace("{}create response generateSalt at {}millis", prefix(z), Long.valueOf(stopwatch.elapsed(TimeUnit.MILLISECONDS)));
        String generateKey = generateKey(bArr, generateSalt);
        if (log.isTraceEnabled()) {
            log.trace("{}create response generateKey: {} -> {} at {}millis", new Object[]{prefix(z), Hex.toHexString(generateSalt), generateKey, Long.valueOf(stopwatch.elapsed(TimeUnit.MILLISECONDS))});
        }
        return generateKey;
    }

    private ClusterAuthenticationResult verifyResponse(byte[] bArr, String str, String str2, String str3, boolean z) throws IOException {
        Logger logger = log;
        Object[] objArr = new Object[4];
        objArr[0] = prefix(z);
        objArr[1] = str3;
        objArr[2] = str2;
        objArr[3] = Boolean.valueOf(!z);
        logger.trace("{}verify response generateSalt: {} / {} / {}", objArr);
        byte[] generateSalt = generateSalt(str3.getBytes(StandardCharsets.UTF_8), str2.getBytes(StandardCharsets.UTF_8), !z);
        String generateKey = generateKey(bArr, generateSalt);
        if (log.isTraceEnabled()) {
            log.trace("{}verify response generateKey: {} -> {}", new Object[]{prefix(z), Hex.toHexString(generateSalt), generateKey});
            log.trace("{}check: {} vs {}", new Object[]{prefix(z), str, generateKey});
        }
        return !ConstantTimeComparison.isEqual(generateKey, str) ? new ClusterAuthenticationResult(false, "Key mismatch") : new ClusterAuthenticationResult(true, "Cluster authentication successful");
    }

    private String generateKey(byte[] bArr, byte[] bArr2) {
        try {
            Mac mac = Mac.getInstance(HMAC_ALGORITHM);
            mac.init(new SecretKeySpec(bArr, HMAC_ALGORITHM));
            return Hex.toHexString(mac.doFinal(bArr2));
        } catch (InvalidKeyException | NoSuchAlgorithmException e) {
            throw new RuntimeException(e);
        }
    }

    private String generateNewNonce() {
        byte[] bArr = new byte[16];
        secureRandom.nextBytes(bArr);
        return Hex.toHexString(bArr);
    }

    private byte[] generateSalt(byte[] bArr, byte[] bArr2, boolean z) throws IOException {
        ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
        try {
            DataOutputStream dataOutputStream = new DataOutputStream(byteArrayOutputStream);
            try {
                dataOutputStream.write(bArr);
                dataOutputStream.write(bArr2);
                dataOutputStream.writeBoolean(z);
                byte[] byteArray = byteArrayOutputStream.toByteArray();
                dataOutputStream.close();
                byteArrayOutputStream.close();
                return byteArray;
            } finally {
            }
        } catch (Throwable th) {
            try {
                byteArrayOutputStream.close();
            } catch (Throwable th2) {
                th.addSuppressed(th2);
            }
            throw th;
        }
    }

    private static String prefix(boolean z) {
        return z ? "[JIRA-RMI-AUTH] [SERVER] " : "[JIRA-RMI-AUTH] [CLIENT] ";
    }
}
