package com.sun.enterprise.security.auth.realm.certificate;

import com.sun.enterprise.security.BaseRealm;
import com.sun.enterprise.security.SecurityContext;
import com.sun.enterprise.security.auth.login.DistinguishedPrincipalCredential;
import com.sun.enterprise.security.auth.login.common.LoginException;
import com.sun.enterprise.security.auth.realm.BadRealmException;
import com.sun.enterprise.security.auth.realm.NoSuchRealmException;
import com.sun.enterprise.util.Utility;
import fish.payara.security.client.ClientCertificateValidator;
import java.lang.ref.WeakReference;
import java.security.Principal;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;
import java.util.Enumeration;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Properties;
import java.util.ServiceLoader;
import java.util.Set;
import java.util.Spliterators;
import java.util.WeakHashMap;
import java.util.concurrent.atomic.AtomicReference;
import java.util.logging.Level;
import java.util.stream.Collectors;
import java.util.stream.StreamSupport;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.x500.X500Principal;
import org.glassfish.security.common.Group;
import org.jvnet.hk2.annotations.Service;

@Service
/* loaded from: input_file:com/sun/enterprise/security/auth/realm/certificate/CertificateRealm.class */
public final class CertificateRealm extends BaseRealm {
    private static final String COMMON_NAME_AS_PRINCIPAL_NAME = "common-name-as-principal-name";
    private static final String DN_PARTS_USED_FOR_GROUPS = "dn-parts-used-for-groups";
    private static final String VALIDATION_CHECK_PROP = "certificate-validation";
    public static final String AUTH_TYPE = "certificate";
    private final Map<ClassLoader, WeakReference<ServiceLoader<ClientCertificateValidator>>> clientCertificateValidatorMap = Collections.synchronizedMap(new WeakHashMap());

    /* loaded from: input_file:com/sun/enterprise/security/auth/realm/certificate/CertificateRealm$AppContextCallback.class */
    public static final class AppContextCallback implements Callback {
        private String moduleID;

        public String getModuleID() {
            return this.moduleID;
        }

        public void setModuleID(String str) {
            this.moduleID = str;
        }
    }

    @Override // com.sun.enterprise.security.auth.realm.AbstractStatefulRealm
    protected void init(Properties properties) throws BadRealmException, NoSuchRealmException {
        super.init(properties);
        setProperty(VALIDATION_CHECK_PROP, properties.getProperty(VALIDATION_CHECK_PROP));
        setProperty("jaas-context", properties.getProperty("jaas-context"));
        setProperty(COMMON_NAME_AS_PRINCIPAL_NAME, properties.getProperty(COMMON_NAME_AS_PRINCIPAL_NAME));
        setProperty(DN_PARTS_USED_FOR_GROUPS, properties.getProperty(DN_PARTS_USED_FOR_GROUPS));
    }

    @Override // com.sun.enterprise.security.auth.realm.AbstractRealm
    public String getAuthType() {
        return "certificate";
    }

    @Override // com.sun.enterprise.security.auth.realm.AbstractRealm
    public Enumeration<String> getGroupNames(String str) {
        String[] addAssignGroups = addAssignGroups(null);
        return addAssignGroups == null ? Collections.emptyEnumeration() : Collections.enumeration(Arrays.asList(addAssignGroups));
    }

    public String authenticate(Subject subject, X500Principal x500Principal) {
        validateSubjectViaAPI(subject, x500Principal);
        _logger.finest(() -> {
            return String.format("authenticate(subject=%s, principal=%s)", subject, x500Principal);
        });
        LdapName ldapName = getLdapName(x500Principal);
        _logger.log(Level.FINE, "dn={0}", ldapName);
        String principalName = getPrincipalName(ldapName);
        _logger.log(Level.FINE, "Certificate realm is setting up security context for principal: {0}", principalName);
        Enumeration<String> groupNames = getGroupNames(principalName);
        Set<Principal> principals = subject.getPrincipals();
        while (groupNames.hasMoreElements()) {
            principals.add(new Group(groupNames.nextElement()));
        }
        principals.addAll(getGroupNamesFromDN(ldapName));
        _logger.log(Level.FINE, "principalSet: {0}", principals);
        if (!subject.getPrincipals().isEmpty()) {
            subject.getPublicCredentials().add(new DistinguishedPrincipalCredential(x500Principal));
        }
        SecurityContext.setCurrent(new SecurityContext(principalName, subject));
        return principalName;
    }

    private void validateSubjectViaAPI(Subject subject, X500Principal x500Principal) {
        X509Certificate certificateFromSubject = getCertificateFromSubject(subject, x500Principal);
        if (certificateFromSubject == null) {
            _logger.warning(() -> {
                return String.format("No X509Certificate found(subject=%s, principal=%s)", subject, x500Principal);
            });
            return;
        }
        List<ClientCertificateValidator> emptyList = Collections.emptyList();
        try {
            emptyList = loadValidatorClasses();
        } catch (Throwable th) {
            _logger.log(Level.WARNING, "Exception while loading certificate validation class", th);
            this.clientCertificateValidatorMap.remove(Utility.getClassLoader());
        }
        emptyList.add(new ClientCertificateExpiryValidator(getProperty(VALIDATION_CHECK_PROP)));
        boolean z = false;
        Iterator<ClientCertificateValidator> it = emptyList.iterator();
        while (true) {
            if (!it.hasNext()) {
                break;
            }
            ClientCertificateValidator next = it.next();
            if (!next.isValid(subject, x500Principal, certificateFromSubject)) {
                _logger.info(() -> {
                    return String.format("Client Certificate validation failed for (subject=%s, principal=%s) by %s", subject, x500Principal, next.getClass().getName());
                });
                z = true;
                break;
            }
        }
        if (z) {
            throw new LoginException("Certificate Validation Failed via API");
        }
    }

    private List<ClientCertificateValidator> loadValidatorClasses() {
        AtomicReference atomicReference = new AtomicReference();
        this.clientCertificateValidatorMap.compute(Utility.getClassLoader(), (classLoader, weakReference) -> {
            atomicReference.set(weakReference != null ? (ServiceLoader) weakReference.get() : null);
            if (atomicReference.get() != null) {
                return weakReference;
            }
            atomicReference.set(ServiceLoader.load(ClientCertificateValidator.class));
            return new WeakReference((ServiceLoader) atomicReference.get());
        });
        return (List) StreamSupport.stream(Spliterators.spliteratorUnknownSize(((ServiceLoader) atomicReference.get()).iterator(), 16), false).collect(Collectors.toList());
    }

    private X509Certificate getCertificateFromSubject(Subject subject, X500Principal x500Principal) {
        X509Certificate x509Certificate = null;
        for (Object obj : subject.getPublicCredentials()) {
            if (obj instanceof List) {
                for (Object obj2 : (List) obj) {
                    if ((obj2 instanceof X509Certificate) && x500Principal.equals(((X509Certificate) obj2).getIssuerX500Principal())) {
                        x509Certificate = (X509Certificate) obj2;
                    }
                }
            }
        }
        return x509Certificate;
    }

    private LdapName getLdapName(X500Principal x500Principal) {
        try {
            return new LdapName(x500Principal.getName("RFC2253", OID.getOIDMap()));
        } catch (InvalidNameException e) {
            throw new IllegalStateException("Exception extracting DN from principal:\n" + x500Principal, e);
        }
    }

    private String getPrincipalName(LdapName ldapName) {
        return Boolean.parseBoolean(getProperty(COMMON_NAME_AS_PRINCIPAL_NAME)) ? ((Rdn) ldapName.getRdns().stream().filter(rdn -> {
            return rdn.getType().equalsIgnoreCase(OID.CN.getName());
        }).findFirst().orElseThrow(() -> {
            return new IllegalStateException("common-name-as-principal-name set to true, but no CN present in " + ldapName);
        })).getValue().toString() : ldapName.toString();
    }

    private Set<Group> getGroupNamesFromDN(LdapName ldapName) {
        _logger.log(Level.FINE, "getGroupNamesFromDN(distinguishedName={0})", ldapName);
        String property = getProperty(DN_PARTS_USED_FOR_GROUPS);
        if (property == null) {
            return Collections.emptySet();
        }
        Set set = (Set) OID.toOIDS(property.split(",")).stream().map((v0) -> {
            return v0.getName();
        }).collect(Collectors.toSet());
        return (Set) ldapName.getRdns().stream().filter(rdn -> {
            return set.contains(rdn.getType());
        }).map(rdn2 -> {
            return new Group(rdn2.getValue().toString());
        }).collect(Collectors.toSet());
    }
}
