package io.hops.kafka;

import java.io.IOException;
import java.security.Principal;
import java.security.cert.Certificate;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import java.util.stream.Collectors;
import org.apache.kafka.common.KafkaException;
import org.apache.kafka.common.security.auth.AuthenticationContext;
import org.apache.kafka.common.security.auth.KafkaPrincipal;
import org.apache.kafka.common.security.auth.SslAuthenticationContext;
import org.apache.kafka.common.security.authenticator.DefaultKafkaPrincipalBuilder;
import org.apache.kafka.common.security.kerberos.KerberosShortNamer;
import org.apache.kafka.common.security.ssl.SslPrincipalMapper;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import sun.security.x509.X500Name;

/* loaded from: input_file:io/hops/kafka/HopsPrincipalBuilder.class */
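/**
 * Builds the {@link KafkaPrincipal} for a TLS-authenticated connection from the peer certificate.
 *
 * <p>The principal name is the subject common name followed by the subject alternative names
 * returned by {@link #getAlternativeNames(SslAuthenticationContext)}, joined with
 * {@code Consts.SEMI_COLON}. The resulting string is an identity, so everything that feeds it
 * is security-relevant:
 *
 * <ul>
 *   <li>Names are joined without escaping. A common name or alternative name that itself
 *       contains the separator cannot be told apart from several names; this relies on the
 *       issuing CA never signing such values.
 *   <li>Alternative names are read from every X.509 certificate in the peer chain and for every
 *       SAN type; see the notes on the helper methods.
 * </ul>
 *
 * <p>NOTE(review): {@code sun.security.x509.X500Name} is a JDK-internal class; on JDKs with
 * strong encapsulation it needs an explicit export to be usable.
 */
public class HopsPrincipalBuilder extends DefaultKafkaPrincipalBuilder {
    private static final Logger LOGGER = LoggerFactory.getLogger("kafka.authorizer.logger");

    /** Creates the builder with no Kerberos short-namer and no SSL principal mapper. */
    public HopsPrincipalBuilder() {
        super((KerberosShortNamer) null, (SslPrincipalMapper) null);
    }

    /**
     * Derives the Kafka principal from the TLS session of the given context.
     *
     * @param authenticationContext the connection's authentication context; it is cast to
     *     {@link SslAuthenticationContext}, so any other context type fails with a
     *     {@link ClassCastException} and yields no principal
     * @return {@link KafkaPrincipal#ANONYMOUS} when the peer principal name equals
     *     {@code Consts.ANONYMOUS} (case-insensitive), otherwise a principal whose name is the
     *     common name plus the alternative names
     * @throws KafkaException if the peer principal cannot be read or parsed, or if the subject
     *     carries no common name
     */
    @Override
    public KafkaPrincipal build(AuthenticationContext authenticationContext) {
        try {
            SslAuthenticationContext sslContext = (SslAuthenticationContext) authenticationContext;
            Principal peerPrincipal = getPrincipal(sslContext);
            String distinguishedName = peerPrincipal.getName();
            if (distinguishedName.equalsIgnoreCase(Consts.ANONYMOUS)) {
                return KafkaPrincipal.ANONYMOUS;
            }

            // Principal type is whatever precedes the first Consts.COLON_SEPARATOR in the peer
            // principal's string form.
            // NOTE(review): confirm this yields the type the authorizer expects.
            String principalType = peerPrincipal.toString().split(Consts.COLON_SEPARATOR)[0];

            String principalName = new X500Name(distinguishedName).getCommonName();
            if (principalName == null) {
                // getCommonName() returns null when the subject has no CN attribute. Reject the
                // connection explicitly instead of failing later with a NullPointerException.
                throw new KafkaException(
                        "Failed to build Kafka principal: peer certificate subject has no common name");
            }

            // NOTE(review): the comparison is against the name accumulated so far, so a SAN
            // equal to the common name is skipped only until the first SAN has been appended.
            // Kept as-is because ACLs may depend on the exact string; confirm the intent.
            for (String alternativeName : getAlternativeNames(sslContext)) {
                if (!principalName.equals(alternativeName)) {
                    principalName = principalName.concat(Consts.SEMI_COLON + alternativeName);
                }
            }
            return new KafkaPrincipal(principalType, principalName);
        } catch (IOException e) {
            throw new KafkaException("Failed to build Kafka principal due to: ", e);
        }
    }

    /**
     * Returns the peer principal of the TLS session.
     *
     * @param sslAuthenticationContext the SSL authentication context of the connection
     * @return the principal reported by the session for the peer
     * @throws IOException if the session cannot provide a peer principal
     */
    protected Principal getPrincipal(SslAuthenticationContext sslAuthenticationContext) throws IOException {
        return sslAuthenticationContext.session().getPeerPrincipal();
    }

    /**
     * Collects the subject alternative names of all X.509 certificates the peer presented.
     *
     * <p>This is best-effort: any exception is logged and the names gathered up to that point
     * (possibly none) are returned. The principal is then built from a shorter name list
     * rather than the connection being rejected; callers that authorize on alternative names
     * should treat a missing name as "not granted".
     *
     * <p>NOTE(review): every certificate in the peer chain is inspected, not only the peer's own
     * certificate, so a SAN on an issuing certificate would also end up in the principal name.
     * Confirm this is intended.
     *
     * @param sslAuthenticationContext the SSL authentication context of the connection
     * @return the alternative names found, in chain order; never {@code null}
     */
    protected List<String> getAlternativeNames(SslAuthenticationContext sslAuthenticationContext) {
        List<String> names = new ArrayList<>();
        try {
            for (Certificate certificate : sslAuthenticationContext.session().getPeerCertificates()) {
                if (certificate instanceof X509Certificate) {
                    names.addAll(getSubjectAlternativeNames((X509Certificate) certificate));
                }
            }
        } catch (Exception e) {
            LOGGER.error("Failed to get subject alternative names", (Throwable) e);
        }
        return names;
    }

    /**
     * Extracts the value of every subject alternative name entry of one certificate.
     *
     * <p>Each entry is a list whose element at index 1 is the name value; the element at index 0
     * (the SAN type) is ignored, so values of all types are returned via {@code toString()}.
     * NOTE(review): for SAN types whose value is not a {@code String}, {@code toString()} does
     * not produce a meaningful name; confirm issued certificates only carry string-valued types.
     *
     * @param x509Certificate the certificate to read
     * @return the entry values, or an empty list when the certificate has no SAN extension
     * @throws CertificateParsingException if the SAN extension cannot be decoded
     */
    private List<String> getSubjectAlternativeNames(X509Certificate x509Certificate) throws CertificateParsingException {
        Collection<List<?>> entries = x509Certificate.getSubjectAlternativeNames();
        if (entries == null) {
            return Collections.emptyList();
        }
        return entries.stream()
                .map(entry -> entry.get(1).toString())
                .collect(Collectors.toList());
    }
}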
