package org.seedstack.seed.security.internal.realms;

import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Set;
import javax.inject.Inject;
import javax.inject.Named;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import org.seedstack.seed.security.AuthenticationException;
import org.seedstack.seed.security.AuthenticationInfo;
import org.seedstack.seed.security.AuthenticationToken;
import org.seedstack.seed.security.IncorrectCredentialsException;
import org.seedstack.seed.security.Realm;
import org.seedstack.seed.security.RoleMapping;
import org.seedstack.seed.security.RolePermissionResolver;
import org.seedstack.seed.security.UnsupportedTokenException;
import org.seedstack.seed.security.X509CertificateToken;
import org.seedstack.seed.security.principals.PrincipalProvider;
import org.seedstack.seed.security.principals.Principals;
import org.seedstack.seed.security.principals.X509CertificatePrincipalProvider;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/seedstack/seed/security/internal/realms/X509CertificateRealm.class */
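/**
 * Realm that authenticates a client presenting an {@link X509CertificateToken}.
 *
 * <p>The user identity is taken from the {@code UID} attribute of the subject DN of the first
 * certificate in the token, the full name from its {@code CN}, and the realm roles from the
 * {@code CN} attribute of the issuer DN of every certificate found in the certificate principal.
 *
 * <p>This realm does not verify signatures, validity dates or the chain itself: it only parses
 * names. It is therefore only as trustworthy as whatever built the token (presumably the TLS layer
 * of the container — confirm in the token provider).
 */
public class X509CertificateRealm implements Realm {
    private static final Logger LOGGER = LoggerFactory.getLogger(X509CertificateRealm.class);
    private static final String UID = "UID";
    private static final String CN = "CN";
    /** Name format requested from {@code X500Principal#getName}, which {@link LdapName} can parse. */
    private static final String RFC2253 = "RFC2253";
    private RoleMapping roleMapping;
    private RolePermissionResolver rolePermissionResolver;

    /**
     * Builds the authentication info from the subject DN of the first certificate of the token.
     *
     * <p>If the subject DN carries a {@code UID}, that value becomes the identity principal and the
     * certificate array is attached as another principal; otherwise the certificate array itself is
     * the identity principal. A {@code CN}, if present, is added as the full-name principal. When an
     * attribute type appears more than once, the last RDN in {@link LdapName#getRdns()} order wins.
     *
     * @param authenticationToken the token to authenticate; must be an {@link X509CertificateToken}
     * @return the authentication info carrying the certificates and the extracted principals
     * @throws UnsupportedTokenException    if the token is not an {@link X509CertificateToken}
     * @throws IncorrectCredentialsException if the token carries no certificate or the subject DN of
     *                                       the first one cannot be parsed
     */
    @Override
    public AuthenticationInfo getAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
        if (!(authenticationToken instanceof X509CertificateToken)) {
            throw new UnsupportedTokenException();
        }
        X509Certificate[] certificates = ((X509CertificateToken) authenticationToken).getAuthenticatingCertificates();
        // A missing or empty chain identifies nobody: report bad credentials instead of failing with an NPE.
        if (certificates == null || certificates.length == 0) {
            throw new IncorrectCredentialsException();
        }

        String userId = null;
        String fullName = null;
        try {
            // Only the first certificate names the user; the others are only used for role derivation.
            for (Rdn rdn : new LdapName(certificates[0].getSubjectX500Principal().getName(RFC2253)).getRdns()) {
                if (UID.equalsIgnoreCase(rdn.getType())) {
                    userId = rdn.getValue().toString();
                } else if (CN.equalsIgnoreCase(rdn.getType())) {
                    fullName = rdn.getValue().toString();
                }
            }
        } catch (InvalidNameException e) {
            throw new IncorrectCredentialsException("Certificate does not have a valid DN for user", e);
        }

        X509CertificatePrincipalProvider certificatePrincipal = new X509CertificatePrincipalProvider(certificates);
        AuthenticationInfo authenticationInfo;
        if (userId == null) {
            // No UID: the certificates themselves are the identity.
            authenticationInfo = new AuthenticationInfo(certificatePrincipal, certificates);
        } else {
            authenticationInfo = new AuthenticationInfo(userId, certificates);
            authenticationInfo.getOtherPrincipals().add(certificatePrincipal);
        }
        if (fullName != null) {
            authenticationInfo.getOtherPrincipals().add(Principals.fullNamePrincipal(fullName));
        }
        return authenticationInfo;
    }

    /**
     * Derives the realm roles from the issuer DNs of the certificates held by the first
     * {@code X509Certificate[]} principal found among the given principals.
     *
     * <p>Each certificate contributes at most one role: the value of the first {@code CN} RDN (in
     * {@link LdapName#getRdns()} order) of its issuer DN. A certificate whose issuer DN has no
     * {@code CN} contributes nothing; one whose issuer DN cannot be parsed is logged and skipped.
     * Because roles are derived from issuer names only, they are only meaningful if the chain was
     * validated before the token was created.
     *
     * @param principalProvider the identity principal; not used, the certificates are looked up in
     *                          {@code collection}
     * @param collection        the other principals of the subject, searched for a certificate array
     * @return the issuer common names, or an empty set if no certificate principal is present
     */
    @Override
    public Set<String> getRealmRoles(PrincipalProvider<?> principalProvider, Collection<PrincipalProvider<?>> collection) {
        Collection<PrincipalProvider<X509Certificate[]>> certificatePrincipals =
                Principals.getPrincipalsByType(collection, X509Certificate[].class);
        if (certificatePrincipals.isEmpty()) {
            return Collections.emptySet();
        }

        Set<String> roles = new HashSet<String>();
        for (X509Certificate certificate : certificatePrincipals.iterator().next().getPrincipal()) {
            String issuerDn = certificate.getIssuerX500Principal().getName(RFC2253);
            try {
                String issuerCommonName = findFirstCommonName(new LdapName(issuerDn));
                if (issuerCommonName != null) {
                    roles.add(issuerCommonName);
                }
            } catch (InvalidNameException e) {
                LOGGER.error("Certificate issuer does not have valid DN: {}", issuerDn, e);
            }
        }
        return roles;
    }

    /**
     * Returns the value of the first {@code CN} RDN of the given name, or {@code null} if there is none.
     *
     * <p>Returning {@code null} on absence replaces the previous scan, which never terminated when the
     * issuer DN had no {@code CN} at all.
     */
    private static String findFirstCommonName(LdapName name) {
        for (Rdn rdn : name.getRdns()) {
            if (CN.equalsIgnoreCase(rdn.getType())) {
                return rdn.getValue().toString();
            }
        }
        return null;
    }

    /** @return the role mapping injected for this realm, or {@code null} if none was injected */
    @Override
    public RoleMapping getRoleMapping() {
        return this.roleMapping;
    }

    /** @param roleMapping the role mapping bound under {@code X509CertificateRealm-role-mapping} */
    @Inject
    public void setRoleMapping(@Named("X509CertificateRealm-role-mapping") RoleMapping roleMapping) {
        this.roleMapping = roleMapping;
    }

    /** @return the role-permission resolver injected for this realm, or {@code null} if none was injected */
    @Override
    public RolePermissionResolver getRolePermissionResolver() {
        return this.rolePermissionResolver;
    }

    /** @param rolePermissionResolver the resolver bound under {@code X509CertificateRealm-role-permission-resolver} */
    @Inject
    public void setRolePermissionResolver(@Named("X509CertificateRealm-role-permission-resolver") RolePermissionResolver rolePermissionResolver) {
        this.rolePermissionResolver = rolePermissionResolver;
    }

    /** @return {@link X509CertificateToken}, the only token type this realm accepts */
    @Override
    public Class<? extends AuthenticationToken> supportedToken() {
        return X509CertificateToken.class;
    }
}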
