package com.yahoo.athenz.auth.impl;

import com.yahoo.athenz.auth.Authority;
import com.yahoo.athenz.auth.AuthorityConsts;
import com.yahoo.athenz.auth.Principal;
import com.yahoo.athenz.auth.util.Crypto;
import com.yahoo.athenz.auth.util.GlobStringsMatcher;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/yahoo/athenz/auth/impl/CertificateAuthority.class */
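public class CertificateAuthority implements Authority {
    private static final Logger LOG = LoggerFactory.getLogger(CertificateAuthority.class);

    /** System property: comma-separated principal names handed to the identity parser as its exclusion set. */
    private static final String ATHENZ_PROP_EXCLUDED_PRINCIPALS = "athenz.auth.certificate.excluded_principals";
    /** System property: boolean flag handed to the identity parser; treated as "false" when unset. */
    private static final String ATHENZ_PROP_EXCLUDE_ROLE_CERTIFICATES = "athenz.auth.certificate.exclude_role_certificates";
    /** Challenge string returned by {@link #getAuthenticateChallenge()}. */
    private static final String ATHENZ_AUTH_CHALLENGE = "AthenzX509Certificate realm=\"athenz\"";

    /** Built by {@link #initialize()}; stays {@code null} until that method has run. */
    private CertificateIdentityParser certificateIdentityParser = null;
    /** Matcher consulted by {@link Crypto#isRestrictedCertificate} to flag mTLS-restricted certificates. */
    private final GlobStringsMatcher globStringsMatcher = new GlobStringsMatcher(AuthorityConsts.ATHENZ_PROP_RESTRICTED_OU);

    /**
     * Reads the exclusion settings from system properties and builds the
     * {@link CertificateIdentityParser} used by {@link #authenticate(X509Certificate[], StringBuilder)}.
     * Must run before any certificate is authenticated; until then
     * {@link #authenticate(X509Certificate[], StringBuilder)} reports an error and returns {@code null}.
     */
    @Override
    public void initialize() {
        Set<String> excludedPrincipals = null;
        final String excludedProperty = System.getProperty(ATHENZ_PROP_EXCLUDED_PRINCIPALS);
        if (excludedProperty != null && !excludedProperty.isEmpty()) {
            excludedPrincipals = new HashSet<>();
            for (String entry : excludedProperty.split(",")) {
                // Trim each entry so "a, b" excludes "b" rather than the never-matching " b",
                // and drop empty entries left behind by stray commas.
                final String name = entry.trim();
                if (!name.isEmpty()) {
                    excludedPrincipals.add(name);
                }
            }
        }
        final boolean excludeRoleCertificates =
                Boolean.parseBoolean(System.getProperty(ATHENZ_PROP_EXCLUDE_ROLE_CERTIFICATES, "false"));
        this.certificateIdentityParser = new CertificateIdentityParser(
                excludedPrincipals, excludeRoleCertificates, new CertificateAuthorityValidator());
    }

    /** @return the fixed authority identifier {@code "Auth-X509"} */
    @Override
    public String getID() {
        return "Auth-X509";
    }

    /** @return {@code null}; this authority is not bound to a domain */
    @Override
    public String getDomain() {
        return null;
    }

    /** @return {@code null}; credentials are taken from the TLS certificate, not from a header */
    @Override
    public String getHeader() {
        return null;
    }

    /** @return the challenge advertised to clients that presented no acceptable certificate */
    @Override
    public String getAuthenticateChallenge() {
        return ATHENZ_AUTH_CHALLENGE;
    }

    /**
     * Header/token based authentication is not supported by this authority.
     *
     * @return always {@code null}
     */
    @Override
    public Principal authenticate(String creds, String remoteAddr, String httpMethod, StringBuilder errMsg) {
        return null;
    }

    /** @return {@link Authority.CredSource#CERTIFICATE} */
    @Override
    public Authority.CredSource getCredSource() {
        return Authority.CredSource.CERTIFICATE;
    }

    /**
     * Logs {@code message} at debug level and, when {@code appendToCaller} is set and a
     * buffer was supplied, appends it to {@code errMsg} so the caller can surface it.
     *
     * @param message        text to log / report
     * @param appendToCaller whether the message may be passed back through {@code errMsg}
     * @param errMsg         caller-supplied buffer, may be {@code null}
     */
    void reportError(String message, boolean appendToCaller, StringBuilder errMsg) {
        if (LOG.isDebugEnabled()) {
            LOG.debug(message);
        }
        if (appendToCaller && errMsg != null) {
            errMsg.append(message);
        }
    }

    /**
     * Authenticates a client from its presented TLS certificate chain.
     *
     * @param certs  certificate chain from the TLS layer, may be {@code null}
     * @param errMsg optional buffer that receives a human-readable failure reason
     * @return a {@link SimplePrincipal} carrying the parsed domain/service, the leaf
     *         certificate and any roles, or {@code null} when the chain is rejected
     */
    @Override
    public Principal authenticate(X509Certificate[] certs, StringBuilder errMsg) {
        if (LOG.isTraceEnabled() && certs != null) {
            for (X509Certificate cert : certs) {
                LOG.trace("CertificateAuthority: TLS Certificate: {}", cert);
            }
        }
        if (certificateIdentityParser == null) {
            // initialize() has not run: fail closed with a message instead of an NPE in the auth path.
            reportError("CertificateAuthority: authority not initialized", true, errMsg);
            return null;
        }
        try {
            final CertificateIdentity identity = certificateIdentityParser.parse(certs);
            final X509Certificate cert = identity.getX509Certificate();
            final SimplePrincipal principal = (SimplePrincipal) SimplePrincipal.create(
                    identity.getDomain(), identity.getService(), cert.toString(), this);
            principal.setUnsignedCreds(cert.getSubjectX500Principal().toString());
            principal.setX509Certificate(cert);
            if (identity.getRoles() != null) {
                principal.setRoles(identity.getRoles());
                principal.setRolePrincipalName(identity.getRolePrincipalName());
            }
            principal.setMtlsRestricted(Crypto.isRestrictedCertificate(cert, globStringsMatcher));
            return principal;
        } catch (CertificateIdentityException e) {
            // e.isReportError() decides whether the parser's reason is safe to hand back to the caller.
            reportError("CertificateAuthority: " + e.getMessage(), e.isReportError(), errMsg);
            return null;
        }
    }
}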
