package org.xillium.gear.auth;

import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.TreeMap;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.servlet.http.HttpServletRequest;
import javax.xml.bind.DatatypeConverter;
import org.springframework.core.io.Resource;
import org.springframework.core.io.support.PathMatchingResourcePatternResolver;
import org.springframework.transaction.annotation.Transactional;
import org.xillium.base.beans.Beans;
import org.xillium.base.beans.DefaultObjectFactory;
import org.xillium.base.beans.XMLBeanAssembler;
import org.xillium.core.AuthenticationRequiredException;
import org.xillium.core.AuthorizationException;
import org.xillium.core.Persistence;
import org.xillium.data.DataBinder;

/* loaded from: input_file:org/xillium/gear/auth/X509CertificateAuthenticator.class */
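/**
 * Authenticates a request by its X.509 client certificate and resolves the caller's roles.
 *
 * The certificate is taken from the TLS layer ({@code javax.servlet.request.X509Certificate})
 * or, as a fallback, from a configurable HTTP header carrying a Base64-encoded DER certificate.
 * An identity string is derived from the certificate subject (CN, or the full DN) and combined
 * with a request-supplied identity into a {@link Credential}; roles are then looked up either
 * through a named persistence query or from authorization XML files loaded at construction.
 *
 * SECURITY (review): the header fallback parses but does not validate the certificate — no
 * signature, chain, validity or revocation check is made. It must only be enabled when the
 * application is reachable solely through a TLS-terminating proxy that sets the header itself
 * and strips any client-supplied copy. See {@link #setCertificateHeader(String)}.
 *
 * Fixes relative to the previous revision: the certificate was dereferenced for logging before
 * the null check (NPE masked the intended AuthenticationRequiredException); a configured but
 * absent header produced a parse failure instead of "no certificate"; the authorization resource
 * stream was never closed; the catch clauses were ordered unreachable (Exception before its
 * subclass).
 */
public class X509CertificateAuthenticator extends PageAwareAuthenticator {
    private static final Logger _logger = Logger.getLogger(X509CertificateAuthenticator.class.getName());
    private static final String TLS_CERT_ATTRIBUTE = "javax.servlet.request.X509Certificate";

    private final Persistence _persistence;
    private final String _identityName;
    private final String _qRolesByCredential;
    private final Map<Credential, List<Role>> _roles;
    private String _headerHoldingCert;
    private boolean _useFullSubjectName;

    /**
     * Database-backed mode: roles are fetched with a named query bound to the Credential.
     *
     * @param persistence        persistence facade used to run the query
     * @param identityName       data-binder key whose value becomes the first Credential argument
     * @param qRolesByCredential named query returning {@link Role} rows for a Credential
     */
    public X509CertificateAuthenticator(Persistence persistence, String identityName, String qRolesByCredential) {
        this._persistence = persistence;
        this._identityName = identityName;
        this._qRolesByCredential = qRolesByCredential;
        this._roles = null;
    }

    /**
     * File-backed mode: roles come from authorization XML resources resolved from the given
     * Spring location patterns. Each resource is expected to assemble to a {@code List} of
     * {@link Authorization} entries, keyed into a map by {@code credential}.
     *
     * Load failures are logged at WARNING and the affected entries are simply absent, so a
     * broken configuration fails closed (those credentials resolve to no roles) but silently.
     * The XML is treated as trusted configuration; whether {@code XMLBeanAssembler} hardens its
     * parser against XXE is not visible here — TODO confirm.
     *
     * @param identityName data-binder key whose value becomes the first Credential argument
     * @param locations    Spring resource location patterns of authorization XML files
     * @throws Exception retained from the original signature; the body itself catches and logs
     */
    public X509CertificateAuthenticator(String identityName, List<String> locations) throws Exception {
        this._persistence = null;
        this._identityName = identityName;
        this._qRolesByCredential = null;
        // TreeMap: Credential is assumed to implement Comparable consistently with equals — TODO confirm
        this._roles = new TreeMap<Credential, List<Role>>();
        PathMatchingResourcePatternResolver resolver = new PathMatchingResourcePatternResolver();
        XMLBeanAssembler assembler = new XMLBeanAssembler(new DefaultObjectFactory());
        for (String location : locations) {
            try {
                for (Resource resource : resolver.getResources(location)) {
                    // try-with-resources: the previous revision never closed this stream
                    try (InputStream in = resource.getInputStream()) {
                        @SuppressWarnings("unchecked")
                        List<Authorization> authorizations = (List<Authorization>) assembler.build(in);
                        for (Authorization authorization : authorizations) {
                            this._roles.put(authorization.credential, authorization.roles);
                        }
                    } catch (Exception e) {
                        _logger.log(Level.WARNING, e.getMessage(), e);
                    }
                }
            } catch (Exception e) {
                _logger.log(Level.WARNING, e.getMessage(), e);
            }
        }
    }

    /**
     * When true the identity is the full RFC 2253 subject DN as returned by
     * {@code X500Principal.getName()}; stored identities must match that exact form.
     * When false (default) only the CN value is used — see {@link #getPrincipalIdentity}.
     */
    public void setUseFullSubjectName(boolean useFullSubjectName) {
        this._useFullSubjectName = useFullSubjectName;
    }

    /**
     * Name of the HTTP header that carries a Base64-encoded DER certificate when the request
     * did not arrive over TLS client authentication.
     *
     * SECURITY: the header is client-controlled input and its content is only parsed, never
     * verified against a trust anchor. Anyone who can reach this endpoint directly can mint a
     * self-signed certificate with an arbitrary subject and impersonate that identity. Set this
     * only behind a trusted TLS-terminating proxy that overwrites/strips the header.
     */
    public void setCertificateHeader(String headerName) {
        this._headerHoldingCert = headerName;
    }

    /**
     * Resolves the caller's roles from the client certificate.
     *
     * @param dataBinder request context; must hold the servlet request under {@code #servlet_req#}
     *                   and the identity value under the configured identity name
     * @return the non-empty list of roles for the (identity, subject) credential
     * @throws AuthorizationException if no roles match (message carries the subject identity),
     *         or wrapping any other failure; an {@code AuthenticationRequiredException} is thrown
     *         when the request carries no certificate. In every failure path the caller is first
     *         redirected to the authentication page.
     */
    @Override
    @Transactional(readOnly = true)
    public List<Role> authenticate(DataBinder dataBinder) throws AuthorizationException {
        try {
            HttpServletRequest request = (HttpServletRequest) dataBinder.getNamedObject("#servlet_req#");
            X509Certificate certificate = clientCertificate(request);
            // Null check must precede any use of the certificate (previously logged first → NPE).
            if (certificate == null) {
                _logger.info("no client certificate in request");
                throw new AuthenticationRequiredException("AuthenticationRequired");
            }
            _logger.fine(certificate.toString());
            Credential credential = new Credential(
                    (String) dataBinder.get(this._identityName),
                    getPrincipalIdentity(certificate.getSubjectX500Principal().getName()));
            _logger.fine(Beans.toString(credential));
            List<Role> results = this._persistence != null
                    ? this._persistence.getResults(this._qRolesByCredential, credential, Role.class)
                    : this._roles.get(credential);
            if (results == null || results.isEmpty()) {
                // credential.password holds the certificate-derived identity, not a secret
                throw new AuthorizationException("InvalidCertificateIdentity{" + credential.password + '}');
            }
            return results;
        } catch (AuthorizationException e) {
            // Narrow catch first: rethrow untouched so callers see the original type.
            redirectToAuthenticationPage(dataBinder);
            throw e;
        } catch (Exception e) {
            redirectToAuthenticationPage(dataBinder);
            throw new AuthorizationException(e.getMessage(), e);
        }
    }

    /**
     * Locates the client certificate for this request.
     *
     * Preferred source is the TLS layer, whose chain the container has already validated
     * against its trust store; only its leaf (index 0) is used. If that is absent and a header
     * name is configured, the header value is decoded as Base64 DER. A configured header that is
     * missing or blank means "no certificate" rather than a malformed one.
     *
     * Note: {@code javax.xml.bind} is no longer part of the JDK from Java 11; {@code java.util.Base64}
     * is the drop-in replacement once the baseline allows.
     *
     * @return the leaf certificate, or null when the request carries none
     * @throws CertificateException     if the header content is not a parseable X.509 certificate
     * @throws IllegalArgumentException if the header content is not valid Base64
     */
    private X509Certificate clientCertificate(HttpServletRequest request) throws CertificateException {
        X509Certificate[] chain = (X509Certificate[]) request.getAttribute(TLS_CERT_ATTRIBUTE);
        if (chain != null && chain.length > 0) {
            return chain[0];
        }
        if (this._headerHoldingCert == null) {
            return null;
        }
        String encoded = request.getHeader(this._headerHoldingCert);
        if (encoded == null || encoded.trim().isEmpty()) {
            return null;
        }
        byte[] der = DatatypeConverter.parseBase64Binary(encoded);
        // SECURITY: parse only — no chain/validity/revocation verification happens here.
        // ByteArrayInputStream.close() is a no-op, so no try-with-resources is needed.
        CertificateFactory factory = CertificateFactory.getInstance("X.509");
        return (X509Certificate) factory.generateCertificate(new ByteArrayInputStream(der));
    }

    /**
     * Derives the identity string from the RFC 2253 subject name: the whole DN when
     * {@code useFullSubjectName} is set, otherwise the value of a CN component.
     *
     * SECURITY: matching on CN alone means certificates with the same CN — e.g. issued by
     * different CAs — map to the same identity. Under TLS client auth the container trust store
     * bounds who can issue such a certificate; under the header fallback nothing does.
     *
     * {@code LdapName.getRdns()} lists RDNs with the rightmost at index 0, so when a subject has
     * several CN components the rightmost one wins; for a multi-valued RDN ({@code CN=a+OU=b})
     * {@code Rdn.getType()} reports only the first attribute, so CN is recognised only when it
     * leads. A CN whose value is binary-encoded would stringify as a byte[] — unlikely for CNs.
     *
     * @param subject RFC 2253 subject DN
     * @return the identity string
     * @throws InvalidNameException if the DN does not parse or contains no CN component
     */
    private String getPrincipalIdentity(String subject) throws InvalidNameException {
        if (this._useFullSubjectName) {
            return subject;
        }
        for (Rdn rdn : new LdapName(subject).getRdns()) {
            if ("CN".equalsIgnoreCase(rdn.getType())) {
                return rdn.getValue().toString();
            }
        }
        throw new InvalidNameException("NoCommonNameInSubjectName");
    }
}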
