package org.thingsboard.server.transport.lwm2m.secure;

import java.beans.ConstructorProperties;
import java.util.Arrays;
import org.eclipse.leshan.core.SecurityMode;
import org.eclipse.leshan.core.peer.LwM2mPeer;
import org.eclipse.leshan.core.peer.X509Identity;
import org.eclipse.leshan.core.request.UplinkRequest;
import org.eclipse.leshan.server.registration.Registration;
import org.eclipse.leshan.server.security.Authorization;
import org.eclipse.leshan.server.security.Authorizer;
import org.eclipse.leshan.server.security.SecurityChecker;
import org.eclipse.leshan.server.security.SecurityInfo;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.stereotype.Component;
import org.thingsboard.server.queue.util.TbLwM2mTransportComponent;
import org.thingsboard.server.transport.lwm2m.server.client.LwM2MAuthException;
import org.thingsboard.server.transport.lwm2m.server.client.LwM2mClientContext;
import org.thingsboard.server.transport.lwm2m.server.store.TbLwM2MDtlsSessionStore;
import org.thingsboard.server.transport.lwm2m.server.store.TbMainSecurityStore;

/**
 * LwM2M {@link Authorizer} that approves or declines an uplink request for a registration.
 *
 * <p>Decision order, as implemented in {@link #isAuthorized}:
 * <ol>
 *   <li>Look up the expected {@link SecurityInfo} for the registration endpoint, if a security
 *       store was injected.</li>
 *   <li>Decline unless {@link SecurityChecker#checkSecurityInfo} accepts the peer against that
 *       expected security info.</li>
 *   <li>For an X.509 peer with a stored DTLS session entry, register the client with the
 *       credentials held in that entry.</li>
 *   <li>Decline when the expected security info is a PSK record whose endpoint, PSK identity and
 *       key all equal the {@code NO_SEC} marker string.</li>
 *   <li>Approve otherwise.</li>
 * </ol>
 *
 * <p>NOTE(review): when no security store is injected the expected security info is {@code null}
 * and the outcome rests entirely on {@link SecurityChecker}; how it treats {@code null} is not
 * visible in this file, so confirm that this configuration cannot approve a peer that should have
 * been challenged.
 */
@TbLwM2mTransportComponent
@Component
/* loaded from: input_file:org/thingsboard/server/transport/lwm2m/secure/TbLwM2MAuthorizer.class */
public class TbLwM2MAuthorizer implements Authorizer {
    private static final Logger log = LoggerFactory.getLogger(TbLwM2MAuthorizer.class);
    private final TbLwM2MDtlsSessionStore sessionStorage;
    private final TbMainSecurityStore securityStore;
    private final SecurityChecker securityChecker = new SecurityChecker();
    private final LwM2mClientContext clientContext;

    /**
     * Creates the authorizer from its injected collaborators.
     *
     * @param tbLwM2MDtlsSessionStore store queried by endpoint for X.509 DTLS session info
     * @param tbMainSecurityStore store queried by endpoint for the expected security info; a
     *     {@code null} value is tolerated by {@link #isAuthorized}
     * @param lwM2mClientContext context in which authorized X.509 clients are registered
     */
    @ConstructorProperties({"sessionStorage", "securityStore", "clientContext"})
    public TbLwM2MAuthorizer(TbLwM2MDtlsSessionStore tbLwM2MDtlsSessionStore, TbMainSecurityStore tbMainSecurityStore, LwM2mClientContext lwM2mClientContext) {
        this.sessionStorage = tbLwM2MDtlsSessionStore;
        this.securityStore = tbMainSecurityStore;
        this.clientContext = lwM2mClientContext;
    }

    /**
     * Decides whether the peer may act for the given registration.
     *
     * @param uplinkRequest the incoming request (not inspected by this implementation)
     * @param registration the registration whose endpoint name keys every lookup
     * @param lwM2mPeer the peer whose identity is checked
     * @return {@link Authorization#approved()} or {@link Authorization#declined()}
     */
    public Authorization isAuthorized(UplinkRequest<?> uplinkRequest, Registration registration, LwM2mPeer lwM2mPeer) {
        final String endpoint = registration.getEndpoint();

        // NOTE(review): this lookup sits outside the try/catch below. If getByEndpoint can throw
        // LwM2MAuthException, it propagates to the caller instead of being logged and declined;
        // confirm that is the intended failure path.
        final SecurityInfo expectedInfo = (this.securityStore == null) ? null : this.securityStore.getByEndpoint(endpoint);

        // The peer's identity must match what the store expects for this endpoint.
        if (!this.securityChecker.checkSecurityInfo(endpoint, lwM2mPeer, expectedInfo)) {
            return Authorization.declined();
        }

        // X.509 peers are registered with the credentials captured in the DTLS session store.
        // This side effect happens before the NO_SEC check below can still decline.
        if (lwM2mPeer.getIdentity() instanceof X509Identity) {
            TbX509DtlsSessionInfo sessionInfo = this.sessionStorage.get(endpoint);
            if (sessionInfo != null) {
                this.clientContext.registerClient(registration, sessionInfo.getCredentials());
            }
        }

        if (expectedInfo == null) {
            return Authorization.approved();
        }

        try {
            if (isNoSecPskRecord(expectedInfo)) {
                return Authorization.declined();
            }
        } catch (LwM2MAuthException e) {
            // The log line carries the endpoint name only; the exception itself is not logged.
            log.info("Registration failed: FORBIDDEN, endpointId: [{}]", endpoint);
            return Authorization.declined();
        }
        return Authorization.approved();
    }

    /**
     * Tells whether a security record is a PSK record filled entirely with the {@code NO_SEC}
     * marker: endpoint, PSK identity and pre-shared key bytes all equal
     * {@code SecurityMode.NO_SEC.toString()}.
     *
     * <p>Presumably such a record is a sentinel written by the security store for endpoints that
     * have no usable credentials; verify against the store implementation.
     */
    private static boolean isNoSecPskRecord(SecurityInfo info) {
        final String marker = SecurityMode.NO_SEC.toString();
        // getBytes() uses the platform default charset; whatever writes the marker key must
        // encode it the same way for this comparison to match.
        return info.usePSK()
                && info.getEndpoint().equals(marker)
                && info.getPskIdentity().equals(marker)
                && Arrays.equals(marker.getBytes(), info.getPreSharedKey());
    }
}
