package org.thingsboard.server.dao.device;

import org.eclipse.leshan.core.util.Base64;
import org.eclipse.leshan.core.util.SecurityUtil;
import org.hibernate.exception.ConstraintViolationException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.cache.annotation.CacheEvict;
import org.springframework.cache.annotation.Cacheable;
import org.springframework.stereotype.Service;
import org.thingsboard.common.util.JacksonUtil;
import org.thingsboard.server.common.data.StringUtils;
import org.thingsboard.server.common.data.device.credentials.BasicMqttCredentials;
import org.thingsboard.server.common.data.device.credentials.lwm2m.LwM2MBootstrapCredentials;
import org.thingsboard.server.common.data.device.credentials.lwm2m.LwM2MClientCredentials;
import org.thingsboard.server.common.data.device.credentials.lwm2m.LwM2MDeviceCredentials;
import org.thingsboard.server.common.data.device.credentials.lwm2m.LwM2MSecurityMode;
import org.thingsboard.server.common.data.device.credentials.lwm2m.LwM2MServerCredentials;
import org.thingsboard.server.common.data.device.credentials.lwm2m.PSKClientCredentials;
import org.thingsboard.server.common.data.device.credentials.lwm2m.PSKServerCredentials;
import org.thingsboard.server.common.data.device.credentials.lwm2m.RPKClientCredentials;
import org.thingsboard.server.common.data.device.credentials.lwm2m.RPKServerCredentials;
import org.thingsboard.server.common.data.device.credentials.lwm2m.X509ClientCredentials;
import org.thingsboard.server.common.data.device.credentials.lwm2m.X509ServerCredentials;
import org.thingsboard.server.common.data.id.DeviceId;
import org.thingsboard.server.common.data.id.EntityId;
import org.thingsboard.server.common.data.id.TenantId;
import org.thingsboard.server.common.data.id.UUIDBased;
import org.thingsboard.server.common.data.security.DeviceCredentials;
import org.thingsboard.server.common.data.security.DeviceCredentialsType;
import org.thingsboard.server.common.msg.EncryptionUtil;
import org.thingsboard.server.dao.entity.AbstractEntityService;
import org.thingsboard.server.dao.exception.DataValidationException;
import org.thingsboard.server.dao.exception.DeviceCredentialsValidationException;
import org.thingsboard.server.dao.service.DataValidator;
import org.thingsboard.server.dao.service.Validator;

import java.util.regex.Pattern;

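/**
 * Persistence service for device credentials.
 *
 * <p>Before a row is stored the credentials are brought into their canonical shape and the
 * {@code credentialsId} (the value a device later authenticates with) is derived from the
 * credentials body:
 * <ul>
 *   <li>X.509 certificate: SHA3 hash of the certificate text with newlines trimmed; the
 *       trimmed text replaces the stored value.</li>
 *   <li>MQTT basic: the user name alone, the SHA3 hash of the client id alone, or the SHA3
 *       hash of {@code clientId|userName}. The password is re-serialised as received.</li>
 *   <li>LwM2M: the endpoint (NO_SEC / RPK, or X.509 without a certificate), the PSK identity
 *       (PSK) or the SHA3 hash of the trimmed certificate (X.509 with a certificate). Key
 *       material is stored as received; only the X.509 certificate text is normalised.</li>
 * </ul>
 *
 * <p>Uniqueness of {@code credentialsId} and of one credentials row per device is checked by
 * the validator and again by the database unique constraints, whose violations are reported
 * as a {@link DataValidationException} without echoing the submitted credentials.
 *
 * <p>The {@code deviceCredentials} cache is keyed by credentials id: populated by
 * {@link #findDeviceCredentialsByCredentialsId(String)}, evicted before an update via the
 * {@code previousDeviceCredentialsId} key generator and on delete via the current id.
 */
@Service
public class DeviceCredentialsServiceImpl extends AbstractEntityService implements DeviceCredentialsService {
    private static final Logger log = LoggerFactory.getLogger(DeviceCredentialsServiceImpl.class);

    /** Database unique constraints that are reported as "already registered" to the caller. */
    private static final String CREDENTIALS_ID_UNQ_KEY = "device_credentials_id_unq_key";
    private static final String DEVICE_ID_UNQ_KEY = "device_credentials_device_id_unq_key";

    /** Whole-string pattern an LwM2M PSK key must satisfy before the length check. */
    private static final Pattern PSK_HEX_KEY = Pattern.compile("-?[0-9a-fA-F]+");

    @Autowired
    private DeviceCredentialsDao deviceCredentialsDao;

    @Autowired
    private DeviceService deviceService;

    /**
     * Existence and uniqueness checks run on every create/update. The DAO lookups are
     * tenant-scoped; the outer fields are read at call time, so field injection has
     * completed by then.
     */
    private final DataValidator<DeviceCredentials> credentialsValidator = new DataValidator<DeviceCredentials>() {
        @Override
        protected void validateCreate(TenantId tenantId, DeviceCredentials deviceCredentials) {
            if (deviceCredentialsDao.findByDeviceId(tenantId, deviceCredentials.getDeviceId().getId()) != null) {
                throw new DeviceCredentialsValidationException("Credentials for this device are already specified!");
            }
            if (deviceCredentialsDao.findByCredentialsId(tenantId, deviceCredentials.getCredentialsId()) != null) {
                throw new DeviceCredentialsValidationException("Device credentials are already assigned to another device!");
            }
        }

        @Override
        protected void validateUpdate(TenantId tenantId, DeviceCredentials deviceCredentials) {
            if (deviceCredentialsDao.findById(tenantId, deviceCredentials.getUuidId()) == null) {
                throw new DeviceCredentialsValidationException("Unable to update non-existent device credentials!");
            }
            // The same credentialsId may only be held by the row being updated.
            DeviceCredentials existing = deviceCredentialsDao.findByCredentialsId(tenantId, deviceCredentials.getCredentialsId());
            if (existing != null && !existing.getId().equals(deviceCredentials.getId())) {
                throw new DeviceCredentialsValidationException("Device credentials are already assigned to another device!");
            }
        }

        @Override
        protected void validateDataImpl(TenantId tenantId, DeviceCredentials deviceCredentials) {
            if (deviceCredentials.getDeviceId() == null) {
                throw new DeviceCredentialsValidationException("Device credentials should be assigned to device!");
            }
            if (deviceCredentials.getCredentialsType() == null) {
                throw new DeviceCredentialsValidationException("Device credentials type should be specified!");
            }
            if (StringUtils.isEmpty(deviceCredentials.getCredentialsId())) {
                throw new DeviceCredentialsValidationException("Device credentials id should be specified!");
            }
            if (deviceService.findDeviceById(tenantId, deviceCredentials.getDeviceId()) == null) {
                throw new DeviceCredentialsValidationException("Can't assign device credentials to non-existent device!");
            }
        }
    };

    /**
     * Looks up the credentials row of a device within a tenant.
     *
     * @return the credentials, or {@code null} when the DAO finds none
     * @throws DataValidationException if {@code deviceId} fails {@link Validator#validateId}
     */
    @Override
    public DeviceCredentials findDeviceCredentialsByDeviceId(TenantId tenantId, DeviceId deviceId) {
        log.trace("Executing findDeviceCredentialsByDeviceId [{}]", deviceId);
        Validator.validateId((UUIDBased) deviceId, "Incorrect deviceId " + deviceId);
        return deviceCredentialsDao.findByDeviceId(tenantId, deviceId.getId());
    }

    /**
     * Looks up credentials by their id (the authentication key). No tenant is supplied, so the
     * DAO is called with the {@code NULL_UUID} tenant — presumably a system-wide lookup used
     * on the device authentication path; confirm against the DAO.
     *
     * <p>The parameter is named {@code credentialsId} because the {@code @Cacheable} key
     * expression references it as {@code #credentialsId}. Null results are not cached.
     *
     * @return the credentials, or {@code null} when none match
     */
    @Override
    @Cacheable(cacheNames = {"deviceCredentials"}, key = "'deviceCredentials_' + #credentialsId", unless = "#result == null")
    public DeviceCredentials findDeviceCredentialsByCredentialsId(String credentialsId) {
        log.trace("Executing findDeviceCredentialsByCredentialsId [{}]", credentialsId);
        Validator.validateString(credentialsId, "Incorrect credentialsId " + credentialsId);
        return deviceCredentialsDao.findByCredentialsId(new TenantId(EntityId.NULL_UUID), credentialsId);
    }

    /**
     * Updates existing credentials. The cache entry of the previous credentials id is evicted
     * before the save so a rotated id cannot keep authenticating from cache.
     */
    @Override
    @CacheEvict(cacheNames = {"deviceCredentials"}, keyGenerator = "previousDeviceCredentialsId", beforeInvocation = true)
    public DeviceCredentials updateDeviceCredentials(TenantId tenantId, DeviceCredentials deviceCredentials) {
        return saveOrUpdate(tenantId, deviceCredentials);
    }

    /** Creates credentials for a device that has none yet. */
    @Override
    public DeviceCredentials createDeviceCredentials(TenantId tenantId, DeviceCredentials deviceCredentials) {
        return saveOrUpdate(tenantId, deviceCredentials);
    }

    /**
     * Shared create/update path: normalises the body, derives the credentials id, runs the
     * validator and saves, mapping the two uniqueness constraints to a validation error.
     *
     * @throws DataValidationException if the type is missing or
     *         {@code device_credentials_id_unq_key} / {@code device_credentials_device_id_unq_key}
     *         is violated
     * @throws DeviceCredentialsValidationException from formatting or validation
     */
    private DeviceCredentials saveOrUpdate(TenantId tenantId, DeviceCredentials deviceCredentials) {
        if (deviceCredentials.getCredentialsType() == null) {
            throw new DataValidationException("Device credentials type should be specified");
        }
        formatCredentials(deviceCredentials);
        // TRACE only: the object's toString may include credentialsValue (password / key material).
        log.trace("Executing updateDeviceCredentials [{}]", deviceCredentials);
        credentialsValidator.validate(deviceCredentials, ignored -> tenantId);
        try {
            return deviceCredentialsDao.saveAndFlush(tenantId, deviceCredentials);
        } catch (Exception e) {
            boolean uniqueKeyViolation = extractConstraintViolationException(e)
                    .map(ConstraintViolationException::getConstraintName)
                    .filter(DeviceCredentialsServiceImpl::isCredentialsUniqueKey)
                    .isPresent();
            if (!uniqueKeyViolation) {
                throw e;
            }
            throw new DataValidationException("Specified credentials are already registered!");
        }
    }

    /** True for the two unique constraints whose violation means "credentials already taken". */
    private static boolean isCredentialsUniqueKey(String constraintName) {
        return constraintName.equalsIgnoreCase(CREDENTIALS_ID_UNQ_KEY)
                || constraintName.equalsIgnoreCase(DEVICE_ID_UNQ_KEY);
    }

    /**
     * Normalises {@code credentialsValue} and derives {@code credentialsId} for the
     * credentials type (see the class comment). Types without a formatter are left untouched.
     *
     * @throws NullPointerException if the credentials type is null
     * @throws DeviceCredentialsValidationException if the body is invalid for its type
     */
    public void formatCredentials(DeviceCredentials deviceCredentials) {
        switch (deviceCredentials.getCredentialsType()) {
            case X509_CERTIFICATE:
                formatCertData(deviceCredentials);
                break;
            case MQTT_BASIC:
                formatSimpleMqttCredentials(deviceCredentials);
                break;
            case LWM2M_CREDENTIALS:
                formatSimpleLwm2mCredentials(deviceCredentials);
                break;
            default:
                break;
        }
    }

    /**
     * MQTT basic credentials: at least one of client id / user name must be present, and a
     * password is only allowed together with a user name. The credentials id is the user name,
     * the SHA3 hash of the client id, or the SHA3 hash of {@code clientId|userName}.
     *
     * @throws DeviceCredentialsValidationException if the JSON body cannot be parsed or the
     *         field combination is not allowed
     */
    private void formatSimpleMqttCredentials(DeviceCredentials deviceCredentials) {
        try {
            BasicMqttCredentials mqtt = JacksonUtil.fromString(deviceCredentials.getCredentialsValue(), BasicMqttCredentials.class);
            if (mqtt == null) {
                throw new IllegalArgumentException();
            }
            String clientId = mqtt.getClientId();
            String userName = mqtt.getUserName();
            if (StringUtils.isEmpty(clientId) && StringUtils.isEmpty(userName)) {
                throw new DeviceCredentialsValidationException("Both mqtt client id and user name are empty!");
            }
            if (StringUtils.isNotEmpty(clientId) && StringUtils.isNotEmpty(mqtt.getPassword()) && StringUtils.isEmpty(userName)) {
                throw new DeviceCredentialsValidationException("Password cannot be specified along with client id");
            }
            if (StringUtils.isEmpty(clientId)) {
                deviceCredentials.setCredentialsId(userName);
            } else if (StringUtils.isEmpty(userName)) {
                deviceCredentials.setCredentialsId(EncryptionUtil.getSha3Hash(clientId));
            } else {
                deviceCredentials.setCredentialsId(EncryptionUtil.getSha3Hash("|", clientId, userName));
            }
            // The password is written back exactly as received; no hashing happens here.
            deviceCredentials.setCredentialsValue(JacksonUtil.toString(mqtt));
        } catch (IllegalArgumentException e) {
            throw new DeviceCredentialsValidationException("Invalid credentials body for simple mqtt credentials!");
        }
    }

    /** X.509 credentials: store the newline-trimmed certificate text, keyed by its SHA3 hash. */
    private void formatCertData(DeviceCredentials deviceCredentials) {
        String cert = EncryptionUtil.trimNewLines(deviceCredentials.getCredentialsValue());
        deviceCredentials.setCredentialsId(EncryptionUtil.getSha3Hash(cert));
        deviceCredentials.setCredentialsValue(cert);
    }

    /**
     * LwM2M credentials: validates client and bootstrap sections, then derives the credentials
     * id from the client security mode (endpoint, PSK identity, or certificate hash). Only in
     * the X.509-with-certificate case is the stored body rewritten.
     *
     * @throws DeviceCredentialsValidationException if the body cannot be parsed, fails
     *         validation, or yields no credentials id
     */
    private void formatSimpleLwm2mCredentials(DeviceCredentials deviceCredentials) {
        try {
            LwM2MDeviceCredentials lwm2m = JacksonUtil.fromString(deviceCredentials.getCredentialsValue(), LwM2MDeviceCredentials.class);
            validateLwM2MDeviceCredentials(lwm2m);
            LwM2MClientCredentials client = lwm2m.getClient();
            String credentialsId = null;
            switch (client.getSecurityConfigClientMode()) {
                case NO_SEC:
                case RPK:
                    credentialsId = client.getEndpoint();
                    break;
                case PSK:
                    credentialsId = ((PSKClientCredentials) client).getIdentity();
                    break;
                case X509:
                    X509ClientCredentials x509 = (X509ClientCredentials) client;
                    if (x509.getCert() == null) {
                        credentialsId = x509.getEndpoint();
                    } else {
                        String cert = EncryptionUtil.trimNewLines(x509.getCert());
                        x509.setCert(cert);
                        deviceCredentials.setCredentialsValue(JacksonUtil.toString(lwm2m));
                        credentialsId = EncryptionUtil.getSha3Hash(cert);
                    }
                    break;
                default:
                    break;
            }
            if (credentialsId == null) {
                throw new DeviceCredentialsValidationException("Invalid credentials body for LwM2M credentials!");
            }
            deviceCredentials.setCredentialsId(credentialsId);
        } catch (IllegalArgumentException e) {
            throw new DeviceCredentialsValidationException("Invalid credentials body for LwM2M credentials!");
        }
    }

    /**
     * Checks that the LwM2M body has a client section and a bootstrap section with both
     * bootstrap-server and LwM2M-server credentials, and validates each of them.
     *
     * @throws DeviceCredentialsValidationException if any section is missing or invalid
     */
    private void validateLwM2MDeviceCredentials(LwM2MDeviceCredentials lwm2mCredentials) {
        if (lwm2mCredentials == null) {
            throw new DeviceCredentialsValidationException("LwM2M credentials should be specified!");
        }
        LwM2MClientCredentials client = lwm2mCredentials.getClient();
        if (client == null) {
            throw new DeviceCredentialsValidationException("LwM2M client credentials should be specified!");
        }
        validateLwM2MClientCredentials(client);
        LwM2MBootstrapCredentials bootstrap = lwm2mCredentials.getBootstrap();
        if (bootstrap == null) {
            throw new DeviceCredentialsValidationException("LwM2M bootstrap credentials should be specified!");
        }
        LwM2MServerCredentials bootstrapServer = bootstrap.getBootstrapServer();
        if (bootstrapServer == null) {
            throw new DeviceCredentialsValidationException("LwM2M bootstrap server credentials should be specified!");
        }
        validateServerCredentials(bootstrapServer, "Bootstrap server");
        LwM2MServerCredentials lwm2mServer = bootstrap.getLwm2mServer();
        if (lwm2mServer == null) {
            throw new DeviceCredentialsValidationException("LwM2M lwm2m server credentials should be specified!");
        }
        validateServerCredentials(lwm2mServer, "LwM2M server");
    }

    /**
     * Validates the client side of LwM2M credentials per security mode: an endpoint is always
     * required; RPK needs a decodable public key, PSK an identity plus a hex key, X.509 a
     * decodable DER certificate when one is given. NO_SEC needs nothing further.
     *
     * @throws DeviceCredentialsValidationException on the first failed check
     */
    private void validateLwM2MClientCredentials(LwM2MClientCredentials clientCredentials) {
        if (StringUtils.isEmpty(clientCredentials.getEndpoint())) {
            throw new DeviceCredentialsValidationException("LwM2M client endpoint should be specified!");
        }
        switch (clientCredentials.getSecurityConfigClientMode()) {
            case RPK:
                RPKClientCredentials rpk = (RPKClientCredentials) clientCredentials;
                if (StringUtils.isEmpty(rpk.getKey())) {
                    throw new DeviceCredentialsValidationException("LwM2M client RPK key should be specified!");
                }
                try {
                    SecurityUtil.publicKey.decode(rpk.getDecodedKey());
                } catch (Exception e) {
                    throw new DeviceCredentialsValidationException("LwM2M client RPK key should be in RFC7250 standard!");
                }
                break;
            case PSK:
                PSKClientCredentials psk = (PSKClientCredentials) clientCredentials;
                if (StringUtils.isEmpty(psk.getIdentity())) {
                    throw new DeviceCredentialsValidationException("LwM2M client PSK identity should be specified!");
                }
                validatePskKey(psk.getKey(), "LwM2M");
                break;
            case X509:
                X509ClientCredentials x509 = (X509ClientCredentials) clientCredentials;
                if (StringUtils.isNotEmpty(x509.getCert())) {
                    try {
                        SecurityUtil.certificate.decode(Base64.decodeBase64(x509.getCert()));
                    } catch (Exception e) {
                        throw new DeviceCredentialsValidationException("LwM2M client X509 certificate should be in DER-encoded X.509 format!");
                    }
                }
                break;
            case NO_SEC:
            default:
                break;
        }
    }

    /**
     * Validates one server section (bootstrap or LwM2M server) per security mode. Each decode
     * step is checked separately so a bad secret key is reported as such and not as a bad
     * public key.
     *
     * @param serverLabel prefix for error messages, e.g. {@code "Bootstrap server"}
     * @throws DeviceCredentialsValidationException on the first failed check
     */
    private void validateServerCredentials(LwM2MServerCredentials serverCredentials, String serverLabel) {
        switch (serverCredentials.getSecurityMode()) {
            case RPK:
                RPKServerCredentials rpk = (RPKServerCredentials) serverCredentials;
                if (StringUtils.isEmpty(rpk.getClientPublicKeyOrId())) {
                    throw new DeviceCredentialsValidationException(serverLabel + " client RPK public key or id should be specified!");
                }
                try {
                    SecurityUtil.publicKey.decode(rpk.getDecodedClientPublicKeyOrId());
                } catch (Exception e) {
                    throw new DeviceCredentialsValidationException(serverLabel + " client RPK public key or id should be in RFC7250 standard!");
                }
                if (StringUtils.isEmpty(rpk.getClientSecretKey())) {
                    throw new DeviceCredentialsValidationException(serverLabel + " client RPK secret key should be specified!");
                }
                try {
                    SecurityUtil.privateKey.decode(rpk.getDecodedClientSecretKey());
                } catch (Exception e) {
                    throw new DeviceCredentialsValidationException(serverLabel + " client RPK secret key should be in RFC5958 standard!");
                }
                break;
            case PSK:
                PSKServerCredentials psk = (PSKServerCredentials) serverCredentials;
                if (StringUtils.isEmpty(psk.getClientPublicKeyOrId())) {
                    throw new DeviceCredentialsValidationException(serverLabel + " client PSK public key or id should be specified!");
                }
                validatePskKey(psk.getClientSecretKey(), serverLabel);
                break;
            case X509:
                X509ServerCredentials x509 = (X509ServerCredentials) serverCredentials;
                if (StringUtils.isEmpty(x509.getClientPublicKeyOrId())) {
                    throw new DeviceCredentialsValidationException(serverLabel + " client X509 public key or id should be specified!");
                }
                try {
                    SecurityUtil.certificate.decode(x509.getDecodedClientPublicKeyOrId());
                } catch (Exception e) {
                    throw new DeviceCredentialsValidationException(serverLabel + " client X509 public key or id should be in DER-encoded X.509 format!");
                }
                if (StringUtils.isEmpty(x509.getClientSecretKey())) {
                    throw new DeviceCredentialsValidationException(serverLabel + " client X509 secret key should be specified!");
                }
                try {
                    SecurityUtil.privateKey.decode(x509.getDecodedClientSecretKey());
                } catch (Exception e) {
                    throw new DeviceCredentialsValidationException(serverLabel + " client X509 secret key should be in RFC5958 standard!");
                }
                break;
            case NO_SEC:
            default:
                break;
        }
    }

    /**
     * Validates a LwM2M pre-shared key: present, matching {@link #PSK_HEX_KEY}, and of an
     * accepted length. Shared by the client and server checks.
     *
     * @param key   the hex-encoded key
     * @param owner message prefix ({@code "LwM2M"} for the client, the server label otherwise)
     * @throws DeviceCredentialsValidationException on the first failed check
     */
    private static void validatePskKey(String key, String owner) {
        if (StringUtils.isEmpty(key)) {
            throw new DeviceCredentialsValidationException(owner + " client PSK key should be specified!");
        }
        if (!PSK_HEX_KEY.matcher(key).matches()) {
            throw new DeviceCredentialsValidationException(owner + " client PSK key should be HexDecimal format!");
        }
        // NOTE(review): this check also admits a 96-character key although the message lists
        // only 32/64/128, and the pattern tolerates a leading '-' that counts toward the length.
        // Behaviour is kept as-is; tighten once the intended key sizes are confirmed.
        if (key.length() % 32 != 0 || key.length() > 128) {
            throw new DeviceCredentialsValidationException(owner + " client PSK key must be 32, 64, 128 characters!");
        }
    }

    /** Removes the credentials row and evicts its cache entry keyed by the current credentials id. */
    @Override
    @CacheEvict(cacheNames = {"deviceCredentials"}, key = "'deviceCredentials_' + #deviceCredentials.credentialsId")
    public void deleteDeviceCredentials(TenantId tenantId, DeviceCredentials deviceCredentials) {
        log.trace("Executing deleteDeviceCredentials [{}]", deviceCredentials);
        deviceCredentialsDao.removeById(tenantId, deviceCredentials.getUuidId());
    }
}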
