package org.jivesoftware.openfire.nio;

import io.netty.channel.ChannelHandlerContext;
import io.netty.handler.ssl.SslHandshakeCompletionEvent;
import java.nio.charset.StandardCharsets;
import java.security.cert.CertificateException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.CertificateRevokedException;
import java.time.Duration;
import org.dom4j.Document;
import org.dom4j.DocumentHelper;
import org.dom4j.Element;
import org.dom4j.Namespace;
import org.dom4j.QName;
import org.jivesoftware.openfire.Connection;
import org.jivesoftware.openfire.XMPPServer;
import org.jivesoftware.openfire.net.RespondingServerStanzaHandler;
import org.jivesoftware.openfire.net.SASLAuthentication;
import org.jivesoftware.openfire.net.StanzaHandler;
import org.jivesoftware.openfire.server.ServerDialback;
import org.jivesoftware.openfire.session.ConnectionSettings;
import org.jivesoftware.openfire.session.DomainPair;
import org.jivesoftware.openfire.session.LocalOutgoingServerSession;
import org.jivesoftware.openfire.spi.ConnectionConfiguration;
import org.jivesoftware.util.JiveGlobals;
import org.jivesoftware.util.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/jivesoftware/openfire/nio/NettyOutboundConnectionHandler.class */
public class NettyOutboundConnectionHandler extends NettyConnectionHandler {
    private static final Logger Log = LoggerFactory.getLogger(NettyOutboundConnectionHandler.class);
    private final DomainPair domainPair;
    private final int port;

    public NettyOutboundConnectionHandler(ConnectionConfiguration connectionConfiguration, DomainPair domainPair, int i) {
        super(connectionConfiguration);
        this.domainPair = domainPair;
        this.port = i;
    }

    public void channelActive(ChannelHandlerContext channelHandlerContext) throws Exception {
        if (this.sslInitDone) {
            super.channelActive(channelHandlerContext);
        }
    }

    @Override // org.jivesoftware.openfire.nio.NettyConnectionHandler
    NettyConnection createNettyConnection(ChannelHandlerContext channelHandlerContext) {
        return new NettyConnection(channelHandlerContext, null, this.configuration);
    }

    @Override // org.jivesoftware.openfire.nio.NettyConnectionHandler
    StanzaHandler createStanzaHandler(NettyConnection nettyConnection) {
        return new RespondingServerStanzaHandler(XMPPServer.getInstance().getPacketRouter(), nettyConnection, this.domainPair);
    }

    private static boolean configRequiresStrictCertificateValidation() {
        return JiveGlobals.getBooleanProperty(ConnectionSettings.Server.STRICT_CERTIFICATE_VALIDATION, true);
    }

    @Override // org.jivesoftware.openfire.nio.NettyConnectionHandler
    public Duration getMaxIdleTime() {
        return ConnectionSettings.Server.IDLE_TIMEOUT_PROPERTY.getValue();
    }

    @Override // org.jivesoftware.openfire.nio.NettyConnectionHandler
    public void handlerAdded(ChannelHandlerContext channelHandlerContext) {
        Log.trace("Adding NettyOutboundConnectionHandler");
        super.handlerAdded(channelHandlerContext);
    }

    @Override // org.jivesoftware.openfire.nio.NettyConnectionHandler
    public void userEventTriggered(ChannelHandlerContext channelHandlerContext, Object obj) throws Exception {
        if (this.sslInitDone || !(obj instanceof SslHandshakeCompletionEvent)) {
            return;
        }
        SslHandshakeCompletionEvent sslHandshakeCompletionEvent = (SslHandshakeCompletionEvent) obj;
        RespondingServerStanzaHandler respondingServerStanzaHandler = (RespondingServerStanzaHandler) channelHandlerContext.channel().attr(NettyConnectionHandler.HANDLER).get();
        if (sslHandshakeCompletionEvent.isSuccess()) {
            this.sslInitDone = true;
            NettyConnection nettyConnection = (NettyConnection) channelHandlerContext.channel().attr(NettyConnectionHandler.CONNECTION).get();
            if (SASLAuthentication.verifyCertificates(nettyConnection.getPeerCertificates(), this.domainPair.getRemote(), true)) {
                Log.debug("TLS negotiation with '{}' was successful. Connection encrypted. Proceeding with authentication.", this.domainPair.getRemote());
                sendNewStreamHeader(nettyConnection);
                nettyConnection.setEncrypted(true);
                channelHandlerContext.fireChannelActive();
                return;
            }
            Log.debug("TLS negotiation with '{}' was successful, but peer's certificates are not valid for its domain.", this.domainPair.getRemote());
            if (JiveGlobals.getBooleanProperty(ConnectionSettings.Server.STRICT_CERTIFICATE_VALIDATION, true)) {
                Log.warn("Strict certificate validation is enabled. Aborting session with '{}' as its certificates are not valid for its domain.", this.domainPair.getRemote());
                respondingServerStanzaHandler.setSession(null);
                respondingServerStanzaHandler.setAttemptedAllAuthenticationMethods();
                channelHandlerContext.channel().close();
                return;
            }
            if (ServerDialback.isEnabled() || ServerDialback.isEnabledForSelfSigned()) {
                Log.warn("As peer's certificates are not valid for its domain ('{}'), the SASL EXTERNAL authentication mechanism cannot be used. The Server Dialback authentication mechanism is available.", this.domainPair.getRemote());
                sendNewStreamHeader(nettyConnection);
                nettyConnection.setEncrypted(true);
                channelHandlerContext.fireChannelActive();
                return;
            }
            Log.warn("As peer's certificates are not valid for its domain ('{}'), the SASL EXTERNAL authentication mechanism cannot be used. The Server Dialback authentication mechanism is disabled by configuration. Aborting session, as this leaves no available authentication mechanisms.", this.domainPair.getRemote());
            respondingServerStanzaHandler.setSession(null);
            respondingServerStanzaHandler.setAttemptedAllAuthenticationMethods();
            channelHandlerContext.channel().close();
            return;
        }
        Log.debug("TLS negotiation with '{}' was unsuccessful", this.domainPair.getRemote(), sslHandshakeCompletionEvent.cause());
        if (isCertificateException(sslHandshakeCompletionEvent) && configRequiresStrictCertificateValidation()) {
            Object obj2 = "caused by an issue with its TLS certificate";
            if (hasCauseOfType(sslHandshakeCompletionEvent.cause(), CertificateExpiredException.class)) {
                obj2 = "because its TLS certificate expired (the certificate's 'not-after' condition fails)";
            } else if (hasCauseOfType(sslHandshakeCompletionEvent.cause(), CertificateNotYetValidException.class)) {
                obj2 = "because its TLS certificate is not yet valid (the certificate's 'not-before' condition fails)";
            } else if (hasCauseOfType(sslHandshakeCompletionEvent.cause(), CertificateRevokedException.class)) {
                obj2 = "because its TLS certificate was revoked by the Certificate Authority that issued it";
            }
            Log.warn("TLS negotiation with '{}' was unsuccessful, {}. Aborting session, as by configuration Openfire is prohibited to set up a connection with a peer that provides an invalid certificate. A full stack trace will be logged on the ‘debug’ level.", this.domainPair.getRemote(), obj2);
            respondingServerStanzaHandler.setSession(null);
            respondingServerStanzaHandler.setAttemptedAllAuthenticationMethods();
            channelHandlerContext.channel().close();
            return;
        }
        if (!ServerDialback.isEnabled() || !connectionConfigDoesNotRequireTls()) {
            Log.warn("TLS negotiation with '{}' was unsuccessful. Unable to create a new session: exhausted all options", this.domainPair.getRemote());
            respondingServerStanzaHandler.setSession(null);
            respondingServerStanzaHandler.setAttemptedAllAuthenticationMethods();
            channelHandlerContext.channel().close();
            return;
        }
        Log.debug("By configuration, TLS is not required. As the Server Dialback authentication mechanism is available, it may be used for authentication over a plain connection.");
        LocalOutgoingServerSession createOutgoingSession = new ServerDialback(this.domainPair).createOutgoingSession(this.port);
        if (createOutgoingSession != null) {
            Log.info("TLS negotiation with '{}' was unsuccessful, but Server Dialback authentication over a plain connection (as a fallback) succeeded. Session successfully established on an unencrypted connection.", this.domainPair.getRemote());
            respondingServerStanzaHandler.setSession(createOutgoingSession);
            respondingServerStanzaHandler.setSessionAuthenticated();
            channelHandlerContext.fireChannelActive();
            return;
        }
        Log.warn("TLS negotiation with '{}' was unsuccessful, and Server Dialback over a plain connection (as a fallback) failed. Aborting session.", this.domainPair.getRemote());
        respondingServerStanzaHandler.setSession(null);
        respondingServerStanzaHandler.setAttemptedAllAuthenticationMethods();
        channelHandlerContext.channel().close();
    }

    private static boolean isCertificateException(SslHandshakeCompletionEvent sslHandshakeCompletionEvent) {
        return sslHandshakeCompletionEvent.cause().getCause() instanceof CertificateException;
    }

    private static boolean hasCauseOfType(Throwable th, Class<? extends Throwable> cls) {
        if (cls.isAssignableFrom(th.getClass())) {
            return true;
        }
        if (th.getCause() != null) {
            return hasCauseOfType(th.getCause(), cls);
        }
        return false;
    }

    private void sendNewStreamHeader(NettyConnection nettyConnection) {
        Element createElement = DocumentHelper.createElement(QName.get("stream", "stream", "http://etherx.jabber.org/streams"));
        Document createDocument = DocumentHelper.createDocument(createElement);
        createDocument.setXMLEncoding(StandardCharsets.UTF_8.toString());
        createElement.add(Namespace.get("", "jabber:server"));
        if (ServerDialback.isEnabled() || ServerDialback.isEnabledForSelfSigned()) {
            createElement.add(Namespace.get("db", "jabber:server:dialback"));
        }
        createElement.addAttribute("from", this.domainPair.getLocal());
        createElement.addAttribute("to", this.domainPair.getRemote());
        createElement.addAttribute("version", "1.0");
        nettyConnection.deliverRawText(StringUtils.asUnclosedStream(createDocument));
    }

    private boolean connectionConfigDoesNotRequireTls() {
        return this.configuration.getTlsPolicy() != Connection.TLSPolicy.required;
    }

    public DomainPair getDomainPair() {
        return this.domainPair;
    }

    public int getPort() {
        return this.port;
    }

    @Override // org.jivesoftware.openfire.nio.NettyConnectionHandler
    public String toString() {
        return "NettyOutboundConnectionHandler{domainPair=" + String.valueOf(this.domainPair) + ", port=" + this.port + ", sslInitDone=" + this.sslInitDone + ", configuration=" + String.valueOf(this.configuration) + "}";
    }
}
