package org.wildfly.security.http.cert;

import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Map;
import java.util.Objects;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.BooleanSupplier;
import java.util.function.Function;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.wildfly.security.auth.callback.AuthenticationCompleteCallback;
import org.wildfly.security.auth.callback.CachedIdentityAuthorizeCallback;
import org.wildfly.security.auth.callback.EvidenceDecodePrincipalCallback;
import org.wildfly.security.auth.callback.EvidenceVerifyCallback;
import org.wildfly.security.auth.callback.PrincipalAuthorizeCallback;
import org.wildfly.security.auth.server.SecurityDomain;
import org.wildfly.security.auth.server.SecurityIdentity;
import org.wildfly.security.cache.CachedIdentity;
import org.wildfly.security.cache.IdentityCache;
import org.wildfly.security.evidence.X509PeerCertificateChainEvidence;
import org.wildfly.security.http.HttpAuthenticationException;
import org.wildfly.security.http.HttpScope;
import org.wildfly.security.http.HttpServerAuthenticationMechanism;
import org.wildfly.security.http.HttpServerRequest;
import org.wildfly.security.http.Scope;
import org.wildfly.security.mechanism.AuthenticationMechanismException;
import org.wildfly.security.mechanism._private.ElytronMessages;
import org.wildfly.security.mechanism._private.MechanismUtil;
import org.wildfly.security.x500.X500;

/* JADX WARN: Classes with same name are omitted:
  input_file:WEB-INF/lib/wildfly-elytron-1.15.5.Final.jar:org/wildfly/security/http/cert/ClientCertAuthenticationMechanism.class
 */
/* loaded from: input_file:WEB-INF/lib/wildfly-elytron-http-cert-1.15.5.Final.jar:org/wildfly/security/http/cert/ClientCertAuthenticationMechanism.class */
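/**
 * HTTP {@code CLIENT_CERT} authentication mechanism.
 * <p>
 * Authenticates a request from the X.509 certificate chain the transport reports as the peer's certificates,
 * delegating chain verification, principal decoding and authorization to the configured {@link CallbackHandler}.
 * When the request exposes an SSL-session scope, the established identity is cached in that scope so that later
 * requests on the same TLS session are re-authenticated from the cache before the chain is examined again.
 * <p>
 * The class holds no mutable state of its own; all per-request state lives in locals and in the scope cache.
 */
final class ClientCertAuthenticationMechanism implements HttpServerAuthenticationMechanism {

    /** Name reported by {@link #getMechanismName()} and recorded on every {@link CachedIdentity} this mechanism stores. */
    private static final String MECHANISM_NAME = "CLIENT_CERT";
    /** Scope attribute under which the per-SSL-session identity map is kept. */
    private static final String IDENTITY_CACHE_ATTRIBUTE = "org.wildfly.elytron.identity-cache";

    private final CallbackHandler callbackHandler;
    /** When {@code true}, the chain is only decoded to a principal; no {@link EvidenceVerifyCallback} is ever issued. */
    private final boolean skipVerification;

    /**
     * Creates the mechanism.
     *
     * @param callbackHandler handler asked to verify evidence, authorize principals and acknowledge completion
     * @param skipVerification {@code true} to bypass chain verification entirely and authorize the decoded
     *        principal of whatever chain the transport presents. NOTE(review): this class performs no check of
     *        its own in that mode, so it is only sound when the transport layer has already validated the peer
     *        chain — confirm against the deployment's TLS configuration.
     */
    public ClientCertAuthenticationMechanism(CallbackHandler callbackHandler, boolean skipVerification) {
        this.callbackHandler = callbackHandler;
        this.skipVerification = skipVerification;
    }

    /**
     * Returns the mechanism name, {@value #MECHANISM_NAME}.
     *
     * @return the mechanism name
     */
    @Override // org.wildfly.security.http.HttpServerAuthenticationMechanism
    public String getMechanismName() {
        return MECHANISM_NAME;
    }

    /**
     * Evaluates a request: first re-authenticates from the SSL-session identity cache when one is available,
     * otherwise authenticates from the presented certificate chain; marks the request failed when both attempts fail.
     *
     * @param httpServerRequest the request under evaluation
     * @throws HttpAuthenticationException if the callback handler reports a mechanism-level error
     */
    @Override // org.wildfly.security.http.HttpServerAuthenticationMechanism
    public void evaluateRequest(HttpServerRequest httpServerRequest) throws HttpAuthenticationException {
        Function<SecurityDomain, IdentityCache> identityCacheFunction = createIdentityCacheFunction(httpServerRequest);
        // A cached identity on the same TLS session is trusted before the chain is looked at again.
        if (identityCacheFunction != null && attemptReAuthentication(httpServerRequest, identityCacheFunction)) {
            ElytronMessages.httpClientCert.trace("Re-authentication succeed");
            return;
        }
        if (attemptAuthentication(httpServerRequest, identityCacheFunction)) {
            return;
        }
        ElytronMessages.httpClientCert.trace("Both, re-authentication and authentication, failed");
        fail(httpServerRequest);
    }

    /**
     * Authenticates from the peer certificate chain carried by the request.
     * <p>
     * A request without peer certificates is not treated as a failure: the request is marked as having no
     * authentication in progress and {@code true} is returned so the caller does not record a failure.
     *
     * @param httpServerRequest the request under evaluation
     * @param identityCacheFunction cache factory for the SSL session, or {@code null} when no such scope exists;
     *        when present, authorization goes through {@link CachedIdentityAuthorizeCallback} so the identity is cached
     * @return {@code true} if the request needs no further handling (authenticated, or no certificate presented);
     *         {@code false} if verification, authorization or completion was refused
     * @throws HttpAuthenticationException if the callback handler rejects a callback or reports a mechanism error
     */
    private boolean attemptAuthentication(HttpServerRequest httpServerRequest, Function<SecurityDomain, IdentityCache> identityCacheFunction) throws HttpAuthenticationException {
        Certificate[] peerCertificates = httpServerRequest.getPeerCertificates();
        if (peerCertificates == null) {
            ElytronMessages.httpClientCert.trace("Peer Unverified");
            httpServerRequest.noAuthenticationInProgress();
            return true;
        }
        X509Certificate[] chain = X500.asX509CertificateArray(peerCertificates);
        X509PeerCertificateChainEvidence evidence = new X509PeerCertificateChainEvidence(chain);
        if (ElytronMessages.httpClientCert.isTraceEnabled()) {
            ElytronMessages.httpClientCert.tracef("Authenticating using following certificates: [%s]", Arrays.toString(chain));
        }
        try {
            if (!verifyEvidence(evidence)) {
                return false;
            }
            // Both callback types expose isAuthorized(), but share no common supertype beyond Callback,
            // so the result accessor is captured alongside the callback itself.
            Callback authorizeCallback;
            BooleanSupplier authorizedResult;
            if (identityCacheFunction != null) {
                CachedIdentityAuthorizeCallback cachedCallback = new CachedIdentityAuthorizeCallback(evidence.getDecodedPrincipal(), identityCacheFunction, true);
                authorizeCallback = cachedCallback;
                authorizedResult = cachedCallback::isAuthorized;
            } else {
                PrincipalAuthorizeCallback principalCallback = new PrincipalAuthorizeCallback(evidence.getDecodedPrincipal());
                authorizeCallback = principalCallback;
                authorizedResult = principalCallback::isAuthorized;
            }
            MechanismUtil.handleCallbacks(ElytronMessages.httpClientCert, this.callbackHandler, authorizeCallback);
            boolean authorized = authorizedResult.getAsBoolean();
            ElytronMessages.httpClientCert.tracef("X509PeerCertificateChainEvidence was authorized by CachedIdentityAuthorizeCallback(%s) handler: %b", evidence.getDecodedPrincipal(), Boolean.valueOf(authorized));
            if (!authorized || !succeed(httpServerRequest)) {
                return false;
            }
            ElytronMessages.httpClientCert.trace("Authentication succeed");
            return true;
        } catch (UnsupportedCallbackException e) {
            throw ElytronMessages.httpClientCert.mechCallbackHandlerFailedForUnknownReason(e).toHttpAuthenticationException();
        } catch (AuthenticationMechanismException e) {
            throw e.toHttpAuthenticationException();
        }
    }

    /**
     * Asks the callback handler to verify the chain, or — when verification is skipped — only to decode its principal.
     * <p>
     * In skip mode the {@link EvidenceVerifyCallback} is never handled, so its verified flag stays {@code false};
     * the return value then depends solely on the skip flag.
     *
     * @param evidence the peer certificate chain
     * @return {@code true} if authorization may proceed: the chain was verified, or verification is skipped
     * @throws AuthenticationMechanismException if the handler reports a mechanism error
     * @throws UnsupportedCallbackException if the handler does not support the callback issued
     */
    private boolean verifyEvidence(X509PeerCertificateChainEvidence evidence) throws AuthenticationMechanismException, UnsupportedCallbackException {
        EvidenceVerifyCallback verifyCallback = new EvidenceVerifyCallback(evidence);
        if (this.skipVerification) {
            MechanismUtil.handleCallbacks(ElytronMessages.httpClientCert, this.callbackHandler, new EvidenceDecodePrincipalCallback(evidence));
        } else {
            MechanismUtil.handleCallbacks(ElytronMessages.httpClientCert, this.callbackHandler, verifyCallback);
        }
        boolean verified = verifyCallback.isVerified();
        ElytronMessages.httpClientCert.tracef("X509PeerCertificateChainEvidence was verified by EvidenceVerifyCallback handler: %b  verification skipped: %b", Boolean.valueOf(verified), Boolean.valueOf(this.skipVerification));
        return verified || this.skipVerification;
    }

    /**
     * Notifies the handler of success and marks the request as authenticated.
     *
     * @param httpServerRequest the request to complete
     * @return {@code true} if the request was marked complete; {@code false} if the handler does not accept
     *         completion callbacks, in which case the request is deliberately left unmarked and the caller
     *         treats the attempt as failed
     * @throws HttpAuthenticationException if the handler reports a mechanism error
     */
    private boolean succeed(HttpServerRequest httpServerRequest) throws HttpAuthenticationException {
        try {
            MechanismUtil.handleCallbacks(ElytronMessages.httpClientCert, this.callbackHandler, AuthenticationCompleteCallback.SUCCEEDED);
            httpServerRequest.authenticationComplete();
            return true;
        } catch (UnsupportedCallbackException ignored) {
            // Completion callbacks are optional for handlers; refusing one is reported as "not succeeded", not as an error.
            ElytronMessages.httpClientCert.trace("Callback handler does not support AuthenticationCompleteCallback.SUCCEEDED");
            return false;
        } catch (AuthenticationMechanismException e) {
            throw e.toHttpAuthenticationException();
        }
    }

    /**
     * Notifies the handler of failure and marks the request as failed.
     * <p>
     * If the handler refuses the completion callback, {@code authenticationFailed} is not reached and the
     * request is left unmarked; this mirrors the best-effort contract of {@link #succeed}.
     *
     * @param httpServerRequest the request to fail
     * @throws HttpAuthenticationException if the handler reports a mechanism error
     */
    private void fail(HttpServerRequest httpServerRequest) throws HttpAuthenticationException {
        try {
            MechanismUtil.handleCallbacks(ElytronMessages.httpClientCert, this.callbackHandler, AuthenticationCompleteCallback.FAILED);
            httpServerRequest.authenticationFailed(ElytronMessages.httpClientCert.authenticationFailed());
        } catch (UnsupportedCallbackException ignored) {
            // Completion callbacks are optional for handlers; nothing further can be reported to the request here.
            ElytronMessages.httpClientCert.trace("Callback handler does not support AuthenticationCompleteCallback.FAILED");
        } catch (AuthenticationMechanismException e) {
            throw e.toHttpAuthenticationException();
        }
    }

    /**
     * Re-authenticates the request from an identity previously cached on its SSL session, without consulting
     * the presented certificate chain.
     *
     * @param httpServerRequest the request under evaluation
     * @param identityCacheFunction cache factory for the SSL session (never {@code null} here)
     * @return {@code true} if a cached identity was authorized and the request completed; {@code false} otherwise
     * @throws HttpAuthenticationException if the handler rejects the callback or reports a mechanism error
     */
    private boolean attemptReAuthentication(HttpServerRequest httpServerRequest, Function<SecurityDomain, IdentityCache> identityCacheFunction) throws HttpAuthenticationException {
        // The meaning of the trailing boolean is not visible from this class; it is passed through unchanged.
        CachedIdentityAuthorizeCallback cachedCallback = new CachedIdentityAuthorizeCallback(identityCacheFunction, true);
        try {
            MechanismUtil.handleCallbacks(ElytronMessages.httpClientCert, this.callbackHandler, cachedCallback);
            boolean authorized = cachedCallback.isAuthorized();
            ElytronMessages.httpClientCert.tracef("Identity was authorized by CachedIdentityAuthorizeCallback handler: %b", Boolean.valueOf(authorized));
            return authorized && succeed(httpServerRequest);
        } catch (UnsupportedCallbackException e) {
            throw ElytronMessages.httpClientCert.mechCallbackHandlerFailedForUnknownReason(e).toHttpAuthenticationException();
        } catch (AuthenticationMechanismException e) {
            throw e.toHttpAuthenticationException();
        }
    }

    /**
     * Builds a factory of per-security-domain identity caches backed by the request's SSL-session scope.
     * <p>
     * All caches produced for one session share a single map stored under {@value #IDENTITY_CACHE_ATTRIBUTE};
     * the map is keyed by {@link SecurityDomain} so identities established against different domains on the
     * same session do not collide.
     *
     * @param httpServerRequest the request whose SSL-session scope backs the cache
     * @return the cache factory, or {@code null} when the request exposes no SSL-session scope
     */
    private Function<SecurityDomain, IdentityCache> createIdentityCacheFunction(HttpServerRequest httpServerRequest) {
        HttpScope scope = httpServerRequest.getScope(Scope.SSL_SESSION);
        if (scope == null) {
            return null;
        }
        return securityDomain -> new IdentityCache() {
            final Map<SecurityDomain, CachedIdentity> identities =
                    MechanismUtil.computeIfAbsent(scope, IDENTITY_CACHE_ATTRIBUTE, key -> new ConcurrentHashMap<SecurityDomain, CachedIdentity>());

            /** Caches the identity for this domain unless one is already present; an existing entry is kept, not replaced. */
            @Override // org.wildfly.security.cache.IdentityCache
            public void put(SecurityIdentity securityIdentity) {
                CachedIdentity cachedIdentity = new CachedIdentity(MECHANISM_NAME, false, securityIdentity);
                ElytronMessages.httpClientCert.tracef("storing into cache: %s", cachedIdentity);
                identities.putIfAbsent(securityDomain, cachedIdentity);
            }

            /** Returns the identity cached for this domain, or {@code null} if none. */
            @Override // org.wildfly.security.cache.IdentityCache
            public CachedIdentity get() {
                CachedIdentity cachedIdentity = identities.get(securityDomain);
                ElytronMessages.httpClientCert.tracef("loading from cache: %s", cachedIdentity);
                return cachedIdentity;
            }

            /** Removes and returns the identity cached for this domain, or {@code null} if none. */
            @Override // org.wildfly.security.cache.IdentityCache
            public CachedIdentity remove() {
                ElytronMessages.httpClientCert.trace("clearing identity cache");
                return identities.remove(securityDomain);
            }
        };
    }
}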
