package org.seedstack.seed.security.internal.realms;

import com.google.common.base.Strings;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Optional;
import java.util.Set;
import javax.inject.Inject;
import javax.inject.Named;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.security.auth.x500.X500Principal;
import org.seedstack.seed.security.AuthenticationException;
import org.seedstack.seed.security.AuthenticationInfo;
import org.seedstack.seed.security.AuthenticationToken;
import org.seedstack.seed.security.IncorrectCredentialsException;
import org.seedstack.seed.security.Realm;
import org.seedstack.seed.security.RoleMapping;
import org.seedstack.seed.security.RolePermissionResolver;
import org.seedstack.seed.security.UnsupportedTokenException;
import org.seedstack.seed.security.X509CertificateToken;
import org.seedstack.seed.security.principals.PrincipalProvider;
import org.seedstack.seed.security.principals.Principals;
import org.seedstack.seed.security.principals.X500PrincipalProvider;
import org.seedstack.seed.security.principals.X509CertificatePrincipalProvider;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/seedstack/seed/security/internal/realms/X509CertificateRealm.class */
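/**
 * Realm that authenticates subjects presenting an {@link X509CertificateToken}.
 *
 * <p>Identity is taken from the {@code UID} RDN of the subject DN when present; otherwise the whole
 * {@link X500Principal} is used as the identity principal. The {@code CN} RDN, when present, is exposed as
 * the full-name principal. Realm roles are the {@code CN} values of the issuer DNs of the authenticating
 * certificate chain carried by the token.
 *
 * <p>This realm only checks the validity period of the subject certificate ({@link X509Certificate#checkValidity()});
 * it does not itself verify the chain or the trust anchor. It therefore relies on whatever produced the token
 * (presumably the TLS layer) to have validated the chain — confirm against the token producer before relying on
 * the roles derived here.
 */
public class X509CertificateRealm implements Realm {
    private static final Logger LOGGER = LoggerFactory.getLogger(X509CertificateRealm.class);
    // RDN types looked up (case-insensitively) in the subject and issuer DNs.
    private static final String UID = "UID";
    private static final String CN = "CN";
    private final RoleMapping roleMapping;
    private final RolePermissionResolver rolePermissionResolver;

    /**
     * Creates the realm with its injected role mapping and role/permission resolver.
     *
     * @param roleMapping            the mapping from realm roles to application roles
     * @param rolePermissionResolver the resolver from roles to permissions
     */
    @Inject
    protected X509CertificateRealm(@Named("X509CertificateRealm-role-mapping") RoleMapping roleMapping, @Named("X509CertificateRealm-role-permission-resolver") RolePermissionResolver rolePermissionResolver) {
        this.roleMapping = roleMapping;
        this.rolePermissionResolver = rolePermissionResolver;
    }

    /**
     * Builds the authentication info for an {@link X509CertificateToken}.
     *
     * @param authenticationToken the token to authenticate; must be an {@link X509CertificateToken}
     * @return the authentication info, whose identity is the subject {@code UID} (or the subject X500 principal
     *         when no {@code UID} is present) and whose other principals carry the X500 principal, the
     *         {@code CN} full name when present, and the authenticating certificate chain
     * @throws UnsupportedTokenException     if the token is not an {@link X509CertificateToken}
     * @throws IncorrectCredentialsException if the subject DN cannot be parsed or the certificate is outside its
     *                                       validity period
     */
    @Override
    public AuthenticationInfo getAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
        if (!(authenticationToken instanceof X509CertificateToken)) {
            throw new UnsupportedTokenException();
        }
        X509CertificateToken certificateToken = (X509CertificateToken) authenticationToken;
        X500Principal subject = (X500Principal) certificateToken.getPrincipal();

        // Scan every RDN of the subject DN; when a type appears more than once the last occurrence wins.
        String uid = null;
        String commonName = null;
        try {
            for (Rdn rdn : new LdapName(subject.getName(X500Principal.RFC2253)).getRdns()) {
                if (UID.equalsIgnoreCase(rdn.getType())) {
                    uid = rdn.getValue().toString();
                } else if (CN.equalsIgnoreCase(rdn.getType())) {
                    commonName = rdn.getValue().toString();
                }
            }
        } catch (InvalidNameException e) {
            throw new IncorrectCredentialsException("Certificate does not have a valid DN for user", e);
        }

        X509Certificate certificate = (X509Certificate) certificateToken.getCredentials();
        // Only the validity period is checked here; chain/trust verification is not performed by this realm.
        try {
            certificate.checkValidity();
        } catch (CertificateExpiredException | CertificateNotYetValidException e) {
            throw new IncorrectCredentialsException("Subject X509 certificate is not valid", e);
        }

        AuthenticationInfo authenticationInfo;
        if (Strings.isNullOrEmpty(uid)) {
            // No UID: the whole X500 principal becomes the identity.
            authenticationInfo = new AuthenticationInfo(new X500PrincipalProvider(subject), certificate);
        } else {
            authenticationInfo = new AuthenticationInfo(uid, certificate);
            authenticationInfo.getOtherPrincipals().add(new X500PrincipalProvider(subject));
        }
        if (commonName != null) {
            authenticationInfo.getOtherPrincipals().add(Principals.fullNamePrincipal(commonName));
        }
        authenticationInfo.getOtherPrincipals().add(new X509CertificatePrincipalProvider(certificateToken.getAuthenticatingCertificates()));
        return authenticationInfo;
    }

    /**
     * Derives realm roles from the issuer {@code CN} of each certificate in the authenticating chain.
     *
     * <p>Only the first {@code X509Certificate[]} principal found in {@code collection} is consulted. An issuer
     * whose DN has no {@code CN} contributes no role; an issuer DN that cannot be parsed is logged and skipped.
     *
     * @param principalProvider the identity principal (unused: roles depend only on the certificate chain)
     * @param collection        the other principals of the subject, searched for the certificate chain
     * @return the set of issuer common names, empty when no certificate chain principal is present
     */
    @Override
    public Set<String> getRealmRoles(PrincipalProvider<?> principalProvider, Collection<PrincipalProvider<?>> collection) {
        Collection<? extends PrincipalProvider<?>> certificatePrincipals = Principals.getPrincipalsByType(collection, X509Certificate[].class);
        if (certificatePrincipals.isEmpty()) {
            return Collections.emptySet();
        }
        X509Certificate[] chain = (X509Certificate[]) certificatePrincipals.iterator().next().getPrincipal();
        if (chain == null) {
            return Collections.emptySet();
        }
        Set<String> roles = new HashSet<>();
        for (X509Certificate certificate : chain) {
            String issuerName = certificate.getIssuerX500Principal().getName(X500Principal.RFC2253);
            try {
                firstRdnValue(new LdapName(issuerName), CN).ifPresent(roles::add);
            } catch (InvalidNameException e) {
                LOGGER.error("Certificate issuer does not have valid DN: {}", issuerName, e);
            }
        }
        return roles;
    }

    /**
     * Returns the value of the first RDN of the given type in {@code name}, in {@link LdapName#getRdns()} order.
     *
     * @param name the parsed distinguished name
     * @param type the RDN type to look for, compared case-insensitively
     * @return the string form of the matching RDN value, or empty when no RDN has that type
     */
    private static Optional<String> firstRdnValue(LdapName name, String type) {
        for (Rdn rdn : name.getRdns()) {
            if (type.equalsIgnoreCase(rdn.getType())) {
                return Optional.of(rdn.getValue().toString());
            }
        }
        return Optional.empty();
    }

    /** @return the mapping from realm roles to application roles. */
    @Override
    public RoleMapping getRoleMapping() {
        return this.roleMapping;
    }

    /** @return the resolver from roles to permissions. */
    @Override
    public RolePermissionResolver getRolePermissionResolver() {
        return this.rolePermissionResolver;
    }

    /** @return {@link X509CertificateToken}, the only token type this realm accepts. */
    @Override
    public Class<? extends AuthenticationToken> supportedToken() {
        return X509CertificateToken.class;
    }
}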
