package fish.payara.security.realm.identitystores;

import com.sun.enterprise.security.auth.WebAndEjbToJaasBridge;
import com.sun.enterprise.security.auth.login.ClientCertificateLoginModule;
import com.sun.enterprise.security.auth.login.common.LoginException;
import com.sun.enterprise.security.auth.realm.certificate.CertificateRealm;
import fish.payara.security.api.CertificateCredential;
import fish.payara.security.realm.config.CertificateRealmIdentityStoreConfiguration;
import jakarta.enterprise.inject.Typed;
import jakarta.security.enterprise.credential.Credential;
import jakarta.security.enterprise.identitystore.CredentialValidationResult;
import jakarta.security.enterprise.identitystore.IdentityStore;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Objects;
import java.util.Set;
import java.util.stream.Collectors;
import javax.security.auth.Subject;
import org.glassfish.security.common.Group;

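/**
 * {@link IdentityStore} that validates a {@link CertificateCredential} (a client X.509
 * certificate chain) by logging it into a Payara/GlassFish {@link CertificateRealm}
 * through the JAAS bridge ({@link WebAndEjbToJaasBridge#doX500Login}).
 *
 * <p>Security note: this class does <em>no</em> certificate verification of its own --
 * no signature, trust-anchor, validity-period or revocation checks are visible here.
 * Everything of that kind is delegated to the realm login and its
 * {@link ClientCertificateLoginModule}; this store only wraps the chain in a
 * {@link Subject}, runs the login, and maps the resulting {@link Group} principals
 * to group names. Treat the chain as untrusted input until the realm has accepted it.
 */
@Typed({CertificateRealmIdentityStore.class})
/* loaded from: input_file:fish/payara/security/realm/identitystores/CertificateRealmIdentityStore.class */
public class CertificateRealmIdentityStore implements IdentityStore {
    private CertificateRealmIdentityStoreConfiguration configuration;
    public static final Class<CertificateRealm> REALM_CLASS = CertificateRealm.class;
    public static final Class<ClientCertificateLoginModule> REALM_LOGIN_MODULE_CLASS = ClientCertificateLoginModule.class;

    /**
     * Binds this store to its configuration. Must be called before
     * {@link #validate(Credential)}; only {@code getName()} (the realm name) is read from it.
     *
     * @param certificateRealmIdentityStoreConfiguration configuration naming the realm to log in against
     */
    public void init(CertificateRealmIdentityStoreConfiguration certificateRealmIdentityStoreConfiguration) {
        this.configuration = certificateRealmIdentityStoreConfiguration;
    }

    /**
     * Validates {@code credential} if it is a {@link CertificateCredential}; any other
     * credential type is answered with {@link CredentialValidationResult#NOT_VALIDATED_RESULT}
     * so another store in the chain can handle it.
     *
     * @param credential the credential presented by the caller
     * @return VALID (with groups), INVALID, or NOT_VALIDATED for foreign credential types
     * @throws NullPointerException if {@link #init} has not been called yet
     */
    @Override // jakarta.security.enterprise.identitystore.IdentityStore
    public CredentialValidationResult validate(Credential credential) {
        if (!(credential instanceof CertificateCredential)) {
            return CredentialValidationResult.NOT_VALIDATED_RESULT;
        }
        // Same failure class as before (NPE) when init() was skipped, but with a message that
        // names the cause instead of a bare dereference.
        Objects.requireNonNull(this.configuration,
                "CertificateRealmIdentityStore.validate called before init()");
        return validate((CertificateCredential) credential, this.configuration.getName());
    }

    /**
     * Logs the credential's certificate chain into the realm named {@code str} and builds
     * the validation result from the groups the realm attached to the subject.
     *
     * <p>The caller principal in the result is taken from the credential itself
     * ({@code getPrincipal()}), not from the subject the realm authenticated.
     * NOTE(review): confirm that the credential's principal is derived from the same leaf
     * certificate the realm accepted, otherwise the returned identity may not match what
     * was verified.
     *
     * @param certificateCredential credential carrying the client chain; must not be null
     * @param str                   name of the certificate realm to log in against
     * @return a VALID result with the realm's group names, or {@link CredentialValidationResult#INVALID_RESULT}
     *         if the chain is empty or the realm rejects it
     */
    public static CredentialValidationResult validate(CertificateCredential certificateCredential, String str) {
        Objects.requireNonNull(certificateCredential, "certificateCredential");
        X509Certificate[] chain = certificateCredential.getCertificates();
        // Defect fixed: a null/empty chain (or a null leaf) used to escape as a runtime exception
        // (NPE / ArrayIndexOutOfBoundsException) from createSubjectWithCerts, which is not a
        // LoginException and so bypassed the INVALID_RESULT path. Reject it explicitly instead.
        if (chain == null || chain.length == 0 || chain[0] == null) {
            return CredentialValidationResult.INVALID_RESULT;
        }
        try {
            Subject authenticated = login(chain, str);
            Set<String> groupNames = authenticated.getPrincipals(Group.class).stream()
                    .map(Group::getName)
                    .collect(Collectors.toSet());
            return new CredentialValidationResult(certificateCredential.getPrincipal(), groupNames);
        } catch (LoginException e) {
            // Realm rejected the chain. The reason is deliberately not propagated to the caller;
            // the realm/login module is expected to log it on its side.
            return CredentialValidationResult.INVALID_RESULT;
        }
    }

    /**
     * Wraps {@code chain} in a new {@link Subject} and runs the X.500 login against realm
     * {@code realmName}. The realm (not this class) decides whether the chain is trusted.
     *
     * @param chain     non-empty certificate chain, leaf first
     * @param realmName realm to log in against
     * @return the subject, populated by the login module on success
     * @throws LoginException if the realm rejects the chain
     */
    private static Subject login(X509Certificate[] chain, String realmName) throws LoginException {
        Subject subject = createSubjectWithCerts(chain);
        // Third argument was null in the original; its meaning is not visible from here.
        WebAndEjbToJaasBridge.doX500Login(subject, realmName, null);
        return subject;
    }

    /**
     * Builds the subject the login module consumes: the leaf certificate's subject DN as an
     * X500Principal plus the whole chain as a List, both as public credentials.
     *
     * @param chain non-empty chain; callers must have checked {@code chain[0] != null}
     * @return a fresh subject holding the two public credentials
     */
    private static Subject createSubjectWithCerts(X509Certificate[] chain) {
        Subject subject = new Subject();
        subject.getPublicCredentials().add(chain[0].getSubjectX500Principal());
        // Arrays.asList is kept on purpose: the login module may look for exactly this List
        // shape among the public credentials.
        subject.getPublicCredentials().add(Arrays.asList(chain));
        return subject;
    }
}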
