package com.impossibl.postgres.protocol.v30;

import com.impossibl.postgres.protocol.sasl.scram.client.ScramSession;
import com.impossibl.postgres.protocol.sasl.scram.client.ScramSessionFactory;
import com.impossibl.postgres.protocol.sasl.scram.exception.ScramException;
import com.impossibl.postgres.protocol.sasl.scram.stringprep.StringPreparations;
import com.impossibl.postgres.protocol.ssl.SSLMode;
import com.impossibl.postgres.protocol.v30.StartupRequest;
import com.impossibl.postgres.system.Configuration;
import com.impossibl.postgres.system.SystemSettings;
import com.impossibl.postgres.utils.ByteBufs;
import com.impossibl.postgres.utils.MD5Authentication;
import com.impossibl.shadow.io.netty.buffer.ByteBuf;
import com.impossibl.shadow.io.netty.channel.Channel;
import com.impossibl.shadow.io.netty.handler.ssl.SslHandler;
import com.impossibl.shadow.io.netty.util.internal.StringUtil;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.cert.X509Certificate;
import java.util.List;

/* loaded from: input_file:com/impossibl/postgres/protocol/v30/AuthenticationHandler.class */
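/**
 * Base completion handler for the v3.0 startup exchange: answers the clear-text, MD5 and
 * SASL (SCRAM) authentication challenges from the connection {@link Configuration} and
 * rejects the Kerberos, SCM, GSS and SSPI ones.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>Nothing in this class checks whether the channel is TLS protected before a
 *       password-derived answer is produced; {@link #authenticateClear()} returns the
 *       configured password unchanged. Any policy on which methods a server may request
 *       has to live in the caller or the configuration. NOTE(review): confirm where.</li>
 *   <li>SCRAM channel binding is offered only when the "ssl" pipeline handler has a peer
 *       certificate, and is preferred only when the configured SSL mode is "required".</li>
 * </ul>
 *
 * <p>Not thread-safe: {@code scramSession} is plain mutable state shared by the three SASL
 * steps.
 */
abstract class AuthenticationHandler implements StartupRequest.CompletionHandler {
    /** The only channel-binding type this handler can compute data for. */
    private static final String SCRAM_CHANNEL_BIND_METHOD = "tls-server-end-point";
    private final Configuration config;
    private final Channel channel;
    // Created by authenticateSASL and reused by the two later SASL steps; null until then.
    private ScramSession scramSession;

    /**
     * @param configuration source of the user name, password and SSL mode settings
     * @param channel connection whose pipeline and allocator are used for SASL
     */
    public AuthenticationHandler(Configuration configuration, Channel channel) {
        this.config = configuration;
        this.channel = channel;
    }

    /**
     * Answers a clear-text password challenge.
     *
     * @return the configured password, unmodified (may be {@code null} if unset)
     */
    @Override
    public String authenticateClear() {
        // No transport check happens here: the caller decides whether this may be sent.
        return (String) this.config.getSetting(SystemSettings.CREDENTIALS_PASSWORD);
    }

    /**
     * Answers an MD5 password challenge.
     *
     * @param bArr challenge bytes handed to {@code MD5Authentication.encode}
     *     (presumably the server-supplied salt; confirm against the caller)
     * @return the encoded response produced by {@code MD5Authentication.encode}
     */
    @Override
    public String authenticateMD5(byte[] bArr) {
        String password = (String) this.config.getSetting(SystemSettings.CREDENTIALS_PASSWORD);
        String username = (String) this.config.getSetting(SystemSettings.CREDENTIALS_USERNAME);
        return MD5Authentication.encode(password, username, bArr);
    }

    /** @throws IllegalStateException always; Kerberos is not implemented */
    @Override
    public void authenticateKerberos() {
        throw new IllegalStateException("Unsupported Authentication Method");
    }

    /** @throws IllegalStateException always; SCM credentials are not implemented */
    @Override
    public byte authenticateSCM() {
        throw new IllegalStateException("Unsupported Authentication Method");
    }

    /** @throws IllegalStateException always; GSS is not implemented */
    @Override
    public ByteBuf authenticateGSS(ByteBuf byteBuf) {
        throw new IllegalStateException("Unsupported Authentication Method");
    }

    /** @throws IllegalStateException always; GSS is not implemented */
    @Override
    public ByteBuf authenticateGSSContinue(ByteBuf byteBuf) {
        throw new IllegalStateException("Unsupported Authentication Method");
    }

    /** @throws IllegalStateException always; SSPI is not implemented */
    @Override
    public ByteBuf authenticateSSPI(ByteBuf byteBuf) {
        throw new IllegalStateException("Unsupported Authentication Method");
    }

    /**
     * Starts a SCRAM session for one of the advertised mechanisms and builds the initial
     * SASL response.
     *
     * @param list mechanism names advertised by the server
     * @return a newly allocated buffer holding the chosen mechanism name as a C string,
     *     the length of the client-first-message as an int, then the message bytes;
     *     ownership passes to the caller
     * @throws IOException if the session cannot be built from the advertised mechanisms,
     *     or if the TLS session cannot supply its peer certificates
     */
    @Override
    public ByteBuf authenticateSASL(List<String> list) throws IOException {
        SslHandler sslHandler = (SslHandler) this.channel.pipeline().get("ssl");
        try {
            this.scramSession = ScramSessionFactory.builder()
                .serverAdvertisedMechanisms(list)
                .channelBindMethod(channelBindMethodFor(sslHandler))
                .stringPreparation(StringPreparations.SASL_PREPARATION)
                .preferChannelBindingMechanism(((SSLMode) this.config.getSetting(SystemSettings.SSL_MODE)).isRequired())
                .build()
                .start(StringUtil.EMPTY_STRING);
            ByteBuf buffer = this.channel.alloc().buffer();
            boolean filled = false;
            try {
                ByteBufs.writeCString(buffer, this.scramSession.getScramMechanismName(), StandardCharsets.UTF_8);
                byte[] clientFirstMessage = this.scramSession.clientFirstMessage(null);
                buffer.writeInt(clientFirstMessage.length);
                buffer.writeBytes(clientFirstMessage);
                filled = true;
                return buffer;
            } finally {
                // The buffer is reference counted; give it back if it never reaches the caller.
                if (!filled) {
                    buffer.release();
                }
            }
        } catch (IllegalArgumentException e) {
            // Any IllegalArgumentException in the block above is reported with this message,
            // so keep the cause: it is the only way to tell what was actually rejected.
            throw new IOException("No supported SASL mechanisms available", e);
        }
    }

    /**
     * Processes the server-first-message and builds the client-final-message.
     *
     * @param str server-first-message as received
     * @return a newly allocated buffer holding the bytes returned by the SCRAM session;
     *     ownership passes to the caller
     * @throws IOException if no SCRAM session was started, if the session asks for a
     *     channel-binding type other than tls-server-end-point, or if the binding data
     *     cannot be computed
     */
    @Override
    public ByteBuf authenticateSASLContinue(String str) throws IOException {
        ScramSession session = requireScramSession();
        byte[] channelBindData = null;
        if (session.requiresChannelBindData()) {
            if (!SCRAM_CHANNEL_BIND_METHOD.equals(session.getChannelBindMethod())) {
                throw new ScramException("Unsupported channel-bind method");
            }
            try {
                SslHandler sslHandler = (SslHandler) this.channel.pipeline().get("ssl");
                // Read the first certificate through the base Certificate type so that no
                // downcast of the whole array to X509Certificate[] is needed.
                byte[] encodedCertificate = sslHandler.engine().getSession().getPeerCertificates()[0].getEncoded();
                // NOTE(review): RFC 5929 defines tls-server-end-point over the hash of the
                // certificate's own signature algorithm (SHA-256 only when that hash is MD5
                // or SHA-1). SHA-256 is used unconditionally here, so a certificate signed
                // with e.g. SHA-384 would yield binding data the server does not accept and
                // the exchange would fail; confirm whether that case needs support.
                channelBindData = MessageDigest.getInstance("SHA-256").digest(encodedCertificate);
            } catch (Exception e) {
                // Also covers a missing "ssl" handler or an empty certificate chain.
                throw new ScramException("Failed to generate channel-bind data", e);
            }
        }
        byte[] clientFinalMessage = session.receiveServerFirstMessage(
            str, channelBindData, (String) this.config.getSetting(SystemSettings.CREDENTIALS_PASSWORD));
        ByteBuf buffer = this.channel.alloc().buffer(clientFinalMessage.length);
        buffer.writeBytes(clientFinalMessage);
        return buffer;
    }

    /**
     * Hands the server-final-message to the SCRAM session.
     *
     * @param str server-final-message as received
     * @throws IOException if no SCRAM session was started, or as raised by the session
     */
    @Override
    public void authenticateSASLFinal(String str) throws IOException {
        requireScramSession().receiveServerFinalMessage(str);
    }

    /**
     * Chooses the channel-binding type to offer: tls-server-end-point when the TLS session
     * exposes at least one peer certificate, otherwise none.
     */
    private static String channelBindMethodFor(SslHandler sslHandler) throws IOException {
        if (sslHandler == null) {
            return null;
        }
        // getPeerCertificates() throws SSLPeerUnverifiedException (an IOException) when the
        // session has no verified peer; that is left to propagate to the caller.
        java.security.cert.Certificate[] peerCertificates = sslHandler.engine().getSession().getPeerCertificates();
        return peerCertificates != null && peerCertificates.length > 0 ? SCRAM_CHANNEL_BIND_METHOD : null;
    }

    /**
     * Returns the session created by {@link #authenticateSASL(List)}. The later SASL steps
     * run in whatever order the peer's messages arrive in (presumably; the caller is not
     * visible here), so a step arriving first is reported as an I/O failure instead of
     * surfacing as a NullPointerException.
     */
    private ScramSession requireScramSession() throws IOException {
        ScramSession session = this.scramSession;
        if (session == null) {
            throw new IOException("SASL message received before SASL authentication was started");
        }
        return session;
    }
}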
