package org.thingsboard.server.dao.device;

import org.eclipse.leshan.core.SecurityMode;
import org.eclipse.leshan.core.util.SecurityUtil;
import org.hibernate.exception.ConstraintViolationException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Service;
import org.springframework.transaction.event.TransactionalEventListener;
import org.thingsboard.common.util.JacksonUtil;
import org.thingsboard.server.common.data.StringUtils;
import org.thingsboard.server.common.data.device.credentials.BasicMqttCredentials;
import org.thingsboard.server.common.data.device.credentials.lwm2m.LwM2MBootstrapClientCredential;
import org.thingsboard.server.common.data.device.credentials.lwm2m.LwM2MBootstrapClientCredentials;
import org.thingsboard.server.common.data.device.credentials.lwm2m.LwM2MClientCredential;
import org.thingsboard.server.common.data.device.credentials.lwm2m.LwM2MDeviceCredentials;
import org.thingsboard.server.common.data.device.credentials.lwm2m.LwM2MSecurityMode;
import org.thingsboard.server.common.data.device.credentials.lwm2m.PSKBootstrapClientCredential;
import org.thingsboard.server.common.data.device.credentials.lwm2m.PSKClientCredential;
import org.thingsboard.server.common.data.device.credentials.lwm2m.RPKBootstrapClientCredential;
import org.thingsboard.server.common.data.device.credentials.lwm2m.RPKClientCredential;
import org.thingsboard.server.common.data.device.credentials.lwm2m.X509BootstrapClientCredential;
import org.thingsboard.server.common.data.device.credentials.lwm2m.X509ClientCredential;
import org.thingsboard.server.common.data.id.DeviceId;
import org.thingsboard.server.common.data.id.TenantId;
import org.thingsboard.server.common.data.id.UUIDBased;
import org.thingsboard.server.common.data.security.DeviceCredentials;
import org.thingsboard.server.common.data.security.DeviceCredentialsType;
import org.thingsboard.server.common.msg.EncryptionUtil;
import org.thingsboard.server.dao.entity.AbstractCachedEntityService;
import org.thingsboard.server.dao.exception.DataValidationException;
import org.thingsboard.server.dao.exception.DeviceCredentialsValidationException;
import org.thingsboard.server.dao.service.DataValidator;
import org.thingsboard.server.dao.service.Validator;

import java.util.regex.Pattern;

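/**
 * Persists {@link DeviceCredentials} and keeps the credentials-id cache consistent.
 *
 * <p>Every create/update goes through {@link #saveOrUpdate}: the {@code credentialsId} (the key
 * used by the cache and by {@link #findDeviceCredentialsByCredentialsId}) is first derived from the
 * credentials body by {@link #formatCredentials}, the injected validator runs, the row is saved, and a
 * {@link DeviceCredentialsEvictEvent} is published so that both the new and the previous id are
 * evicted from the cache by {@link #handleEvictEvent}.
 *
 * <p>For MQTT basic and LwM2M credentials this class also performs structural validation of the
 * submitted secrets (hex PSK keys, decodable RPK keys / X.509 certificates) before anything is stored.
 */
@Service
public class DeviceCredentialsServiceImpl extends AbstractCachedEntityService<String, DeviceCredentials, DeviceCredentialsEvictEvent> implements DeviceCredentialsService {

    private static final Logger log = LoggerFactory.getLogger(DeviceCredentialsServiceImpl.class);

    /** Unique constraint on the credentials id column; a violation means the id is already taken. */
    private static final String CREDENTIALS_ID_UNQ_KEY = "device_credentials_id_unq_key";
    /** Unique constraint on the device id column; a violation means the device already has credentials. */
    private static final String DEVICE_ID_UNQ_KEY = "device_credentials_device_id_unq_key";

    /** Shape accepted for a PSK key: hex digits, with the optional leading '-' kept from the original check. */
    private static final Pattern PSK_HEX_KEY = Pattern.compile("-?[0-9a-fA-F]+");
    /** PSK key length (in hex characters) must be a multiple of this value ... */
    private static final int PSK_KEY_HEX_LENGTH_STEP = 32;
    /** ... and must not exceed this value (128 hex characters = 64 bytes). */
    private static final int PSK_KEY_MAX_HEX_LENGTH = 128;

    @Autowired
    private DeviceCredentialsDao deviceCredentialsDao;

    @Autowired
    private DataValidator<DeviceCredentials> credentialsValidator;

    /**
     * Evicts the credentials id(s) named by the event from the cache.
     *
     * <p>The new id is always evicted. When the event also carries a previous id that differs from
     * the new one, the previous id is evicted too, so retired credentials do not keep resolving from
     * the cache after an update.
     *
     * @param deviceCredentialsEvictEvent event carrying the new id and, optionally, the previous id
     */
    @Override
    @TransactionalEventListener(classes = {DeviceCredentialsEvictEvent.class})
    public void handleEvictEvent(DeviceCredentialsEvictEvent deviceCredentialsEvictEvent) {
        String newId = deviceCredentialsEvictEvent.getNewCedentialsId();
        String oldId = deviceCredentialsEvictEvent.getOldCredentialsId();
        cache.evict(newId);
        if (StringUtils.isNotEmpty(oldId) && !newId.equals(oldId)) {
            cache.evict(oldId);
        }
    }

    /**
     * Loads the credentials of a device directly from the DAO (no cache involved).
     *
     * @param tenantId tenant owning the device
     * @param deviceId device whose credentials are requested; validated before use
     * @return the stored credentials, or whatever the DAO returns when none exist
     */
    public DeviceCredentials findDeviceCredentialsByDeviceId(TenantId tenantId, DeviceId deviceId) {
        log.trace("Executing findDeviceCredentialsByDeviceId [{}]", deviceId);
        Validator.validateId((UUIDBased) deviceId, "Incorrect deviceId " + deviceId);
        return deviceCredentialsDao.findByDeviceId(tenantId, deviceId.getId());
    }

    /**
     * Resolves credentials by their id, through the cache.
     *
     * <p>The lookup is performed with {@code TenantId.SYS_TENANT_ID}, i.e. the id is resolved across
     * all tenants.
     *
     * @param str the credentials id; validated before use
     * @return the cached or freshly loaded credentials
     */
    public DeviceCredentials findDeviceCredentialsByCredentialsId(String str) {
        log.trace("Executing findDeviceCredentialsByCredentialsId [{}]", str);
        Validator.validateString(str, "Incorrect credentialsId " + str);
        return cache.getAndPutInTransaction(str,
                () -> deviceCredentialsDao.findByCredentialsId(TenantId.SYS_TENANT_ID, str),
                false);
    }

    /**
     * Updates existing credentials; see {@link #saveOrUpdate} for the full contract.
     */
    public DeviceCredentials updateDeviceCredentials(TenantId tenantId, DeviceCredentials deviceCredentials) {
        return saveOrUpdate(tenantId, deviceCredentials);
    }

    /**
     * Creates new credentials; see {@link #saveOrUpdate} for the full contract.
     */
    public DeviceCredentials createDeviceCredentials(TenantId tenantId, DeviceCredentials deviceCredentials) {
        return saveOrUpdate(tenantId, deviceCredentials);
    }

    /**
     * Formats, validates and persists credentials, then schedules cache eviction.
     *
     * @param tenantId          tenant owning the credentials
     * @param deviceCredentials credentials to store; {@code credentialsId}/{@code credentialsValue}
     *                          are rewritten in place by {@link #formatCredentials}
     * @return the persisted credentials
     * @throws DataValidationException              if the type is missing or the credentials id / device id
     *                                              collide with an existing row
     * @throws DeviceCredentialsValidationException if the credentials body is malformed
     */
    private DeviceCredentials saveOrUpdate(TenantId tenantId, DeviceCredentials deviceCredentials) {
        if (deviceCredentials.getCredentialsType() == null) {
            throw new DataValidationException("Device credentials type should be specified");
        }
        formatCredentials(deviceCredentials);
        // NOTE(review): this logs the whole object; if its toString() includes credentialsValue the
        // secret ends up in TRACE output — confirm before raising the log level anywhere.
        log.trace("Executing updateDeviceCredentials [{}]", deviceCredentials);
        credentialsValidator.validate(deviceCredentials, ignored -> tenantId);

        // The previous id is needed so that an id change evicts the stale cache entry as well.
        DeviceCredentials existing = null;
        if (deviceCredentials.getDeviceId() != null) {
            existing = deviceCredentialsDao.findByDeviceId(tenantId, deviceCredentials.getDeviceId().getId());
        }
        String previousId = existing != null ? existing.getCredentialsId() : null;

        try {
            DeviceCredentials saved = deviceCredentialsDao.saveAndFlush(tenantId, deviceCredentials);
            publishEvictEvent(new DeviceCredentialsEvictEvent(saved.getCredentialsId(), previousId));
            return saved;
        } catch (Exception e) {
            // Evict synchronously on failure; presumably the transactional event would not be
            // delivered for a rolled-back transaction.
            handleEvictEvent(new DeviceCredentialsEvictEvent(deviceCredentials.getCredentialsId(), previousId));
            if (isCredentialsUniquenessViolation(e)) {
                throw new DataValidationException("Specified credentials are already registered!");
            }
            throw e;
        }
    }

    /**
     * Returns {@code true} when {@code e}, as resolved by the inherited
     * {@code extractConstraintViolationException}, is a violation of one of the two uniqueness
     * constraints that protect the credentials table.
     */
    private boolean isCredentialsUniquenessViolation(Exception e) {
        ConstraintViolationException violation = extractConstraintViolationException(e).orElse(null);
        if (violation == null || violation.getConstraintName() == null) {
            return false;
        }
        String constraint = violation.getConstraintName();
        return constraint.equalsIgnoreCase(CREDENTIALS_ID_UNQ_KEY)
                || constraint.equalsIgnoreCase(DEVICE_ID_UNQ_KEY);
    }

    /**
     * Derives {@code credentialsId} from the credentials body (and normalizes {@code credentialsValue})
     * according to the credentials type. Types without special handling are left untouched.
     *
     * @param deviceCredentials credentials to format in place; the type must be non-null
     * @throws DeviceCredentialsValidationException if the body does not match the declared type
     */
    public void formatCredentials(DeviceCredentials deviceCredentials) {
        switch (deviceCredentials.getCredentialsType()) {
            case X509_CERTIFICATE:
                formatCertData(deviceCredentials);
                break;
            case MQTT_BASIC:
                formatSimpleMqttCredentials(deviceCredentials);
                break;
            case LWM2M_CREDENTIALS:
                formatAndValidateSimpleLwm2mCredentials(deviceCredentials);
                break;
            default:
                // Other types: credentialsId is used exactly as supplied by the caller.
                break;
        }
    }

    /**
     * Validates an MQTT basic credentials body and derives the lookup id from it.
     *
     * <p>Id derivation: user name only → the user name itself; client id only → SHA3 hash of the client
     * id; both → SHA3 hash of {@code clientId|userName}. The password, when present, is written back
     * unchanged as part of the re-serialized body.
     *
     * @throws DeviceCredentialsValidationException if the body is not parseable or the field
     *                                              combination is not allowed
     */
    private void formatSimpleMqttCredentials(DeviceCredentials deviceCredentials) {
        try {
            BasicMqttCredentials mqtt = JacksonUtil.fromString(deviceCredentials.getCredentialsValue(), BasicMqttCredentials.class);
            if (mqtt == null) {
                throw new IllegalArgumentException();
            }
            String clientId = mqtt.getClientId();
            String userName = mqtt.getUserName();
            if (StringUtils.isEmpty(clientId) && StringUtils.isEmpty(userName)) {
                throw new DeviceCredentialsValidationException("Both mqtt client id and user name are empty!");
            }
            if (StringUtils.isNotEmpty(clientId) && StringUtils.isNotEmpty(mqtt.getPassword()) && StringUtils.isEmpty(userName)) {
                throw new DeviceCredentialsValidationException("Password cannot be specified along with client id");
            }
            String credentialsId;
            if (StringUtils.isEmpty(clientId)) {
                credentialsId = userName;
            } else if (StringUtils.isEmpty(userName)) {
                credentialsId = EncryptionUtil.getSha3Hash(clientId);
            } else {
                credentialsId = EncryptionUtil.getSha3Hash("|", new String[]{clientId, userName});
            }
            deviceCredentials.setCredentialsId(credentialsId);
            // NOTE(review): the original contained a guarded `setPassword(getPassword())` here; it is a
            // no-op unless the setter normalizes its input, so it was dropped — confirm against
            // BasicMqttCredentials if that setter does more than assign.
            deviceCredentials.setCredentialsValue(JacksonUtil.toString(mqtt));
        } catch (IllegalArgumentException e) {
            throw new DeviceCredentialsValidationException("Invalid credentials body for simple mqtt credentials!");
        }
    }

    /**
     * Normalizes a certificate body (via {@code EncryptionUtil.certTrimNewLines}) and uses the SHA3
     * hash of the normalized text as the lookup id.
     */
    private void formatCertData(DeviceCredentials deviceCredentials) {
        String normalizedCert = EncryptionUtil.certTrimNewLines(deviceCredentials.getCredentialsValue());
        deviceCredentials.setCredentialsId(EncryptionUtil.getSha3Hash(normalizedCert));
        deviceCredentials.setCredentialsValue(normalizedCert);
    }

    /**
     * Parses and validates an LwM2M credentials body and derives the lookup id from the client part.
     *
     * <p>Id per client security mode: NO_SEC / RPK → endpoint; PSK → PSK identity; X509 → SHA3 hash of
     * the certificate when one is present, else the endpoint. For NO_SEC, RPK and X509 the body is
     * re-serialized so the key/certificate normalized during validation is what gets stored; the PSK
     * body is stored as received.
     *
     * @throws DeviceCredentialsValidationException if the body is missing, malformed, or yields no id
     */
    private void formatAndValidateSimpleLwm2mCredentials(DeviceCredentials deviceCredentials) {
        try {
            LwM2MDeviceCredentials lwm2m = JacksonUtil.fromString(deviceCredentials.getCredentialsValue(), LwM2MDeviceCredentials.class);
            validateLwM2MDeviceCredentials(lwm2m);
            LwM2MClientCredential client = lwm2m.getClient();
            String credentialsId = null;
            switch (client.getSecurityConfigClientMode()) {
                case NO_SEC:
                case RPK:
                    deviceCredentials.setCredentialsValue(JacksonUtil.toString(lwm2m));
                    credentialsId = client.getEndpoint();
                    break;
                case PSK:
                    credentialsId = ((PSKClientCredential) client).getIdentity();
                    break;
                case X509:
                    deviceCredentials.setCredentialsValue(JacksonUtil.toString(lwm2m));
                    X509ClientCredential x509 = (X509ClientCredential) client;
                    credentialsId = StringUtils.isNotBlank(x509.getCert())
                            ? EncryptionUtil.getSha3Hash(x509.getCert())
                            : x509.getEndpoint();
                    break;
                default:
                    break;
            }
            if (credentialsId == null) {
                throw new DeviceCredentialsValidationException("Invalid credentials body for LwM2M credentials!");
            }
            deviceCredentials.setCredentialsId(credentialsId);
        } catch (IllegalArgumentException e) {
            throw new DeviceCredentialsValidationException("Invalid credentials body for LwM2M credentials!");
        }
    }

    /**
     * Checks that the client part and both bootstrap server parts are present and valid.
     * The client part is validated first, then the bootstrap server, then the LwM2M server.
     *
     * @throws DeviceCredentialsValidationException on the first missing or invalid part
     */
    private void validateLwM2MDeviceCredentials(LwM2MDeviceCredentials lwM2MDeviceCredentials) {
        if (lwM2MDeviceCredentials == null) {
            throw new DeviceCredentialsValidationException("LwM2M credentials must be specified!");
        }
        LwM2MClientCredential client = lwM2MDeviceCredentials.getClient();
        if (client == null) {
            throw new DeviceCredentialsValidationException("LwM2M client credentials must be specified!");
        }
        validateLwM2MClientCredentials(client);

        LwM2MBootstrapClientCredentials bootstrap = lwM2MDeviceCredentials.getBootstrap();
        if (bootstrap == null) {
            throw new DeviceCredentialsValidationException("LwM2M bootstrap credentials must be specified!");
        }
        LwM2MBootstrapClientCredential bootstrapServer = bootstrap.getBootstrapServer();
        if (bootstrapServer == null) {
            throw new DeviceCredentialsValidationException("LwM2M bootstrap server credentials must be specified!");
        }
        validateServerCredentials(bootstrapServer, "Bootstrap server");

        LwM2MBootstrapClientCredential lwm2mServer = bootstrap.getLwm2mServer();
        if (lwm2mServer == null) {
            throw new DeviceCredentialsValidationException("LwM2M lwm2m server credentials must be specified!");
        }
        validateServerCredentials(lwm2mServer, "LwM2M server");
    }

    /**
     * Validates the client part: endpoint required for every mode, plus the mode-specific material.
     * RPK keys and X.509 certificates are normalized in place (new lines trimmed) as a side effect.
     *
     * @throws DeviceCredentialsValidationException if a required field is missing or undecodable
     */
    private void validateLwM2MClientCredentials(LwM2MClientCredential lwM2MClientCredential) {
        if (StringUtils.isBlank(lwM2MClientCredential.getEndpoint())) {
            throw new DeviceCredentialsValidationException("LwM2M client endpoint must be specified!");
        }
        switch (lwM2MClientCredential.getSecurityConfigClientMode()) {
            case RPK:
                validateRpkClientCredential((RPKClientCredential) lwM2MClientCredential);
                break;
            case PSK:
                validatePskClientCredential((PSKClientCredential) lwM2MClientCredential);
                break;
            case X509:
                validateX509ClientCredential((X509ClientCredential) lwM2MClientCredential);
                break;
            case NO_SEC:
            default:
                // Nothing beyond the endpoint to check.
                break;
        }
    }

    /** RPK client: the public key is required, normalized, and must decode with Leshan's public key decoder. */
    private void validateRpkClientCredential(RPKClientCredential rpk) {
        if (StringUtils.isBlank(rpk.getKey())) {
            throw new DeviceCredentialsValidationException("LwM2M client RPK key must be specified!");
        }
        try {
            rpk.setKey(EncryptionUtil.pubkTrimNewLines(rpk.getKey()));
            SecurityUtil.publicKey.decode(rpk.getDecoded());
        } catch (Exception e) {
            throw new DeviceCredentialsValidationException("LwM2M client RPK key must be in standard [RFC7250] and support only EC algorithm and then encoded to Base64 format!");
        }
    }

    /** PSK client: identity required and not equal to the NO_SEC marker; key checked by {@link #validatePskKey}. */
    private void validatePskClientCredential(PSKClientCredential psk) {
        if (StringUtils.isBlank(psk.getIdentity())) {
            throw new DeviceCredentialsValidationException("LwM2M client PSK identity must be specified and must be an utf8 string!");
        }
        if (psk.getIdentity().equals(SecurityMode.NO_SEC.toString())) {
            throw new DeviceCredentialsValidationException("The PSK ID of the LwM2M client must not be '" + SecurityMode.NO_SEC + "'!");
        }
        validatePskKey(psk.getKey(), "LwM2M client");
    }

    /** X.509 client: the certificate is optional; when present it is normalized and must decode. */
    private void validateX509ClientCredential(X509ClientCredential x509) {
        if (StringUtils.isNotEmpty(x509.getCert())) {
            try {
                x509.setCert(EncryptionUtil.certTrimNewLines(x509.getCert()));
                SecurityUtil.certificate.decode(x509.getDecoded());
            } catch (Exception e) {
                throw new DeviceCredentialsValidationException("LwM2M client X509 certificate must be in DER-encoded X509v3 format and support only EC algorithm and then encoded to Base64 format!");
            }
        }
    }

    /**
     * Shared PSK key check: non-blank, hex-encoded, length a multiple of 32 hex characters and at
     * most 128. Note that the length rule as written also admits 96 characters although the error
     * message lists only 32, 64 and 128; the original behavior is kept.
     *
     * @param key     the key as submitted
     * @param subject prefix for error messages, e.g. {@code "LwM2M client"} or {@code "<server> client"}
     */
    private static void validatePskKey(String key, String subject) {
        if (StringUtils.isBlank(key)) {
            throw new DeviceCredentialsValidationException(subject + " PSK key must be specified!");
        }
        if (!PSK_HEX_KEY.matcher(key).matches()) {
            throw new DeviceCredentialsValidationException(subject + " PSK key must be random sequence in hex encoding!");
        }
        if (key.length() % PSK_KEY_HEX_LENGTH_STEP != 0 || key.length() > PSK_KEY_MAX_HEX_LENGTH) {
            throw new DeviceCredentialsValidationException(subject + " PSK key length = " + key.length() + ". Key must be HexDec format: 32, 64, 128 characters!");
        }
    }

    /**
     * Validates the credentials the client uses towards one server (bootstrap or LwM2M), by security
     * mode. Keys and certificates are normalized in place as a side effect.
     *
     * <p>The public-key and secret-key checks run sequentially, so a missing or undecodable secret key
     * is reported with its own message rather than being masked by the public-key error.
     *
     * @param lwM2MBootstrapClientCredential server-side credentials of the client
     * @param serverName                     human-readable server name used as error message prefix
     * @throws DeviceCredentialsValidationException if a required field is missing or undecodable
     */
    private void validateServerCredentials(LwM2MBootstrapClientCredential lwM2MBootstrapClientCredential, String serverName) {
        switch (lwM2MBootstrapClientCredential.getSecurityMode()) {
            case RPK:
                validateRpkServerCredential((RPKBootstrapClientCredential) lwM2MBootstrapClientCredential, serverName);
                break;
            case PSK:
                validatePskServerCredential((PSKBootstrapClientCredential) lwM2MBootstrapClientCredential, serverName);
                break;
            case X509:
                validateX509ServerCredential((X509BootstrapClientCredential) lwM2MBootstrapClientCredential, serverName);
                break;
            case NO_SEC:
            default:
                // Nothing to check.
                break;
        }
    }

    /** RPK towards a server: public key (or id) and PKCS#8 secret key both required and decodable. */
    private void validateRpkServerCredential(RPKBootstrapClientCredential rpk, String serverName) {
        if (StringUtils.isEmpty(rpk.getClientPublicKeyOrId())) {
            throw new DeviceCredentialsValidationException(serverName + " client RPK public key or id must be specified!");
        }
        try {
            rpk.setClientPublicKeyOrId(EncryptionUtil.pubkTrimNewLines(rpk.getClientPublicKeyOrId()));
            SecurityUtil.publicKey.decode(rpk.getDecodedClientPublicKeyOrId());
        } catch (Exception e) {
            throw new DeviceCredentialsValidationException(serverName + " client RPK public key or id must be in standard [RFC7250 ] and then encoded to Base64 format!");
        }
        if (StringUtils.isEmpty(rpk.getClientSecretKey())) {
            throw new DeviceCredentialsValidationException(serverName + " client RPK secret key must be specified!");
        }
        try {
            rpk.setClientSecretKey(EncryptionUtil.prikTrimNewLines(rpk.getClientSecretKey()));
            SecurityUtil.privateKey.decode(rpk.getDecodedClientSecretKey());
        } catch (Exception e) {
            throw new DeviceCredentialsValidationException(serverName + " client RPK secret key must be in PKCS#8 format (DER encoding, standard [RFC5958]) and then encoded to Base64 format!");
        }
    }

    /** PSK towards a server: identity required and not the NO_SEC marker; key checked by {@link #validatePskKey}. */
    private void validatePskServerCredential(PSKBootstrapClientCredential psk, String serverName) {
        if (StringUtils.isBlank(psk.getClientPublicKeyOrId())) {
            throw new DeviceCredentialsValidationException(serverName + " client PSK public key or id must be specified and must be an utf8 string!");
        }
        if (psk.getClientPublicKeyOrId().equals(SecurityMode.NO_SEC.toString())) {
            throw new DeviceCredentialsValidationException(serverName + " client PSK public key or id must not be '" + SecurityMode.NO_SEC + "'!");
        }
        validatePskKey(psk.getClientSecretKey(), serverName + " client");
    }

    /** X.509 towards a server: certificate and PKCS#8 secret key both required and decodable. */
    private void validateX509ServerCredential(X509BootstrapClientCredential x509, String serverName) {
        if (StringUtils.isBlank(x509.getClientPublicKeyOrId())) {
            throw new DeviceCredentialsValidationException(serverName + " client X509 public key or id must be specified!");
        }
        try {
            x509.setClientPublicKeyOrId(EncryptionUtil.certTrimNewLines(x509.getClientPublicKeyOrId()));
            SecurityUtil.certificate.decode(x509.getDecodedClientPublicKeyOrId());
        } catch (Exception e) {
            throw new DeviceCredentialsValidationException(serverName + " client X509 public key or id must be in DER-encoded X509v3 format  and support only EC algorithm and then encoded to Base64 format!");
        }
        if (StringUtils.isBlank(x509.getClientSecretKey())) {
            throw new DeviceCredentialsValidationException(serverName + " client X509 secret key must be specified!");
        }
        try {
            x509.setClientSecretKey(EncryptionUtil.prikTrimNewLines(x509.getClientSecretKey()));
            SecurityUtil.privateKey.decode(x509.getDecodedClientSecretKey());
        } catch (Exception e) {
            throw new DeviceCredentialsValidationException(serverName + " client X509 secret key must be in PKCS#8 format (DER encoding, standard [RFC5958]) and then encoded to Base64 format!");
        }
    }

    /**
     * Deletes the credentials row and publishes an eviction for its id.
     *
     * @param tenantId          tenant owning the credentials
     * @param deviceCredentials credentials to delete (identified by their UUID)
     */
    public void deleteDeviceCredentials(TenantId tenantId, DeviceCredentials deviceCredentials) {
        log.trace("Executing deleteDeviceCredentials [{}]", deviceCredentials);
        deviceCredentialsDao.removeById(tenantId, deviceCredentials.getUuidId());
        publishEvictEvent(new DeviceCredentialsEvictEvent(deviceCredentials.getCredentialsId(), null));
    }
}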
