package dev.dsf.common.auth;

import jakarta.servlet.ServletRequest;
import jakarta.servlet.ServletResponse;
import jakarta.servlet.http.HttpServletRequest;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.Objects;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import org.eclipse.jetty.security.ServerAuthException;
import org.eclipse.jetty.security.UserAuthentication;
import org.eclipse.jetty.security.authentication.LoginAuthenticator;
import org.eclipse.jetty.server.Authentication;
import org.eclipse.jetty.server.UserIdentity;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:dev/dsf/common/auth/ClientCertificateAuthenticator.class */
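/**
 * Jetty {@link LoginAuthenticator} that authenticates a request by its TLS client certificate.
 *
 * <p>The certificate chain is read from the {@code jakarta.servlet.request.X509Certificate} request attribute
 * (populated by the servlet container), re-validated against the trust store handed to the constructor, and then
 * passed as the credential to the configured {@code LoginService}, which is expected to map it to a user. Every
 * failure along that path yields {@link Authentication#UNAUTHENTICATED}; the response is never written to.
 *
 * <p>NOTE(review): the {@code mandatory} flag of {@link #validateRequest} is not consulted, so a valid client
 * certificate is required on every request routed through this authenticator (Jetty's built-in authenticators
 * usually defer when the flag is {@code false}) — confirm this is intentional.
 */
public class ClientCertificateAuthenticator extends LoginAuthenticator {
    private static final Logger logger = LoggerFactory.getLogger(ClientCertificateAuthenticator.class);

    /** Request attribute under which the servlet container exposes the client certificate chain. */
    private static final String X509_CERTIFICATE_ATTRIBUTE = "jakarta.servlet.request.X509Certificate";
    /** Auth method name reported to Jetty via {@link #getAuthMethod()}. */
    private static final String AUTH_METHOD = "CLIENT_CERT";
    /** {@code authType} handed to the trust manager when the leaf certificate's key algorithm cannot be read. */
    private static final String DEFAULT_AUTH_TYPE = "RSA";
    /** {@code X500Principal.getName} format used when rendering subject DNs for log output. */
    private static final String DN_FORMAT = "RFC1779";
    /** Separator between the DNs of a chain in log output. */
    private static final String DN_SEPARATOR = ";";

    /** Validates presented client chains against the trust store given at construction. */
    private final X509TrustManager x509TrustManager;

    /**
     * Creates an authenticator that accepts client certificates chaining to a CA in {@code keyStore}.
     *
     * @param keyStore trust store holding the accepted CA certificates, not {@code null}
     * @throws NullPointerException if {@code keyStore} is {@code null}
     * @throws IllegalStateException if no trust manager can be built from {@code keyStore}
     */
    public ClientCertificateAuthenticator(KeyStore keyStore) {
        this.x509TrustManager = createX509TrustManager(Objects.requireNonNull(keyStore, "clientTrustStore"));
    }

    @Override
    public String getAuthMethod() {
        return AUTH_METHOD;
    }

    /**
     * Authenticates the request by its client certificate chain.
     *
     * @param servletRequest request carrying the {@code jakarta.servlet.request.X509Certificate} attribute
     * @param servletResponse not used; no challenge or error is written
     * @param mandatory not used, see the class comment
     * @return a {@link UserAuthentication} for the user the login service resolved from the chain, otherwise
     *         {@link Authentication#UNAUTHENTICATED}
     */
    @Override
    public Authentication validateRequest(ServletRequest servletRequest, ServletResponse servletResponse, boolean mandatory) throws ServerAuthException {
        X509Certificate[] chain = getClientCertificateChain(servletRequest);
        if (chain.length == 0) {
            logger.warn("X509Certificate could not be retrieved, sending unauthorized");
            return Authentication.UNAUTHENTICATED;
        }

        // Re-validate against this authenticator's own trust store regardless of what the TLS connector accepted;
        // the connector's trust configuration is not visible here and may be wider than this store.
        try {
            x509TrustManager.checkClientTrusted(chain, authType(chain[0]));
        } catch (CertificateException e) {
            // Message only, no stack trace: a rejected client certificate is an expected, non-fatal event.
            logger.warn("Unable to validate client certificates, sending unauthorized: {} - {}", e.getClass().getName(), e.getMessage());
            return Authentication.UNAUTHENTICATED;
        }

        // No user name is passed; the login service has to derive the identity from the validated chain.
        UserIdentity identity = login(null, chain, servletRequest);
        if (identity == null) {
            logger.warn("User '{}' not found, sending unauthorized", getSubjectDn(chain));
            return Authentication.UNAUTHENTICATED;
        }
        return new UserAuthentication(getAuthMethod(), identity);
    }

    /**
     * Reads the client certificate chain the container attached to the request.
     *
     * @return the chain as provided by the container (the servlet spec places the end-entity certificate at index
     *         0), or an empty array when the attribute is absent or not an {@code X509Certificate[]}
     */
    private static X509Certificate[] getClientCertificateChain(ServletRequest servletRequest) {
        Object attribute = servletRequest.getAttribute(X509_CERTIFICATE_ATTRIBUTE);
        return attribute instanceof X509Certificate[] ? (X509Certificate[]) attribute : new X509Certificate[0];
    }

    /**
     * Derives the {@code authType} argument of {@link X509TrustManager#checkClientTrusted} from the end-entity
     * certificate's key algorithm ("RSA", "EC", ...), which is what the JDK's own TLS handshake passes for client
     * authentication. Falls back to {@value #DEFAULT_AUTH_TYPE} — the value previously used unconditionally —
     * when the algorithm cannot be read, so the default PKIX trust manager's non-empty check still passes.
     */
    private static String authType(X509Certificate leaf) {
        String algorithm = leaf.getPublicKey() == null ? null : leaf.getPublicKey().getAlgorithm();
        return algorithm == null || algorithm.isEmpty() ? DEFAULT_AUTH_TYPE : algorithm;
    }

    /**
     * Builds the trust manager used to validate client chains, initialised from {@code keyStore} with the platform
     * default {@link TrustManagerFactory} algorithm.
     *
     * <p>NOTE(review): with the JDK default (PKIX) factory, initialising from a plain {@link KeyStore} does not
     * enable revocation checking unless it is switched on via the JSSE system properties — confirm that matches
     * the deployment's requirements.
     *
     * @throws IllegalStateException if the factory cannot be initialised or yields no {@link X509TrustManager}
     */
    private static X509TrustManager createX509TrustManager(KeyStore keyStore) {
        logger.info("Using [{}] to validate client certificates", getSubjectDn(getCaCertificates(keyStore)));
        try {
            TrustManagerFactory factory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            factory.init(keyStore);
            // A factory may return several managers; pick the first X.509 one instead of blindly casting index 0.
            return Stream.of(factory.getTrustManagers())
                    .filter(X509TrustManager.class::isInstance)
                    .map(X509TrustManager.class::cast)
                    .findFirst()
                    .orElseThrow(() -> new IllegalStateException(
                            "No X509TrustManager provided by " + factory.getClass().getName()));
        } catch (KeyStoreException | NoSuchAlgorithmException e) {
            throw new IllegalStateException(
                    "Unable to create trust manager: " + e.getClass().getName() + " - " + e.getMessage(), e);
        }
    }

    /**
     * Extracts the trust anchor certificates of {@code keyStore}, used only to log which CAs are accepted.
     *
     * @throws IllegalStateException if the store is not initialised or holds no trusted certificate entry
     *         (the conditions under which {@link PKIXParameters#PKIXParameters(KeyStore)} fails)
     */
    private static X509Certificate[] getCaCertificates(KeyStore keyStore) {
        try {
            return new PKIXParameters(keyStore).getTrustAnchors().stream()
                    .map(anchor -> anchor.getTrustedCert())
                    .toArray(X509Certificate[]::new);
        } catch (InvalidAlgorithmParameterException | KeyStoreException e) {
            throw new IllegalStateException(
                    "Unable to extract trust anchors: " + e.getClass().getName() + " - " + e.getMessage(), e);
        }
    }

    /** Renders the subject DNs of all certificates in {@code chain}, joined by {@value #DN_SEPARATOR}, for logging. */
    private static String getSubjectDn(X509Certificate[] chain) {
        return Stream.of(chain)
                .map(ClientCertificateAuthenticator::formatSubjectDn)
                .collect(Collectors.joining(DN_SEPARATOR));
    }

    /** Renders a single certificate's subject DN in {@value #DN_FORMAT} form. */
    private static String formatSubjectDn(X509Certificate certificate) {
        return certificate.getSubjectX500Principal().getName(DN_FORMAT);
    }

    /** Nothing to do after the request has been handled; client-certificate authentication needs no response post-processing. */
    @Override
    public boolean secureResponse(ServletRequest servletRequest, ServletResponse servletResponse, boolean mandatory, Authentication.User user) throws ServerAuthException {
        return true;
    }
}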
