package org.switchyard.security.login;

import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.Principal;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Iterator;
import java.util.Properties;
import java.util.Set;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginException;
import org.springframework.util.Log4jConfigurer;
import org.switchyard.common.io.pull.PropertiesPuller;
import org.switchyard.common.io.pull.Puller;
import org.switchyard.common.lang.Strings;
import org.switchyard.security.BaseSecurityMessages;
import org.switchyard.security.callback.CertificateCallback;
import org.switchyard.security.crypto.PublicCrypto;
import org.switchyard.security.principal.GroupPrincipal;
import org.switchyard.security.principal.RolePrincipal;
import org.switchyard.security.principal.UserPrincipal;
import org.switchyard.security.pull.KeyStorePuller;

/* loaded from: input_file:META-INF/repository/fuse-eap-distro-6.2.1.redhat-343-06.zip:modules/system/layers/soa/org/switchyard/security/main/switchyard-security-2.0.1.redhat-621343-06.jar:org/switchyard/security/login/CertificateLoginModule.class */
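/**
 * JAAS login module that authenticates a caller by the X.509 certificate it presents.
 * <p>
 * {@link #login()} verifies that the caller certificate is within its validity period and that its
 * signature checks out against the public key of the keystore certificate stored under the alias
 * supplied by the callback handler. {@link #commit()} then adds a {@link UserPrincipal} derived from
 * the certificate's subject DN plus, optionally, the roles mapped to that user in a roles
 * properties resource.
 * <p>
 * Note that the check is a single direct-signature check against the aliased keystore certificate:
 * there is no PKIX chain building and no revocation (CRL/OCSP) checking here.
 */
public class CertificateLoginModule extends SwitchYardLoginModule {

    /** Name of the {@link GroupPrincipal} under which the caller's roles are collected. */
    private static final String ROLES_GROUP_NAME = "Roles";
    /** Login-module option naming the (optional) roles properties resource. */
    private static final String ROLES_PROPERTIES_OPTION = "rolesProperties";
    /** Roles resources whose name ends with this are read as XML properties. */
    private static final String XML_EXTENSION = ".xml";
    /** Delimiter between the roles listed for one user in the roles properties. */
    private static final String ROLES_DELIMITER = ",";

    /**
     * The caller certificate that {@link #login()} verified, or {@code null} until login succeeds
     * (and again after {@link #logout()}).
     */
    private X509Certificate _verifiedCallerCertificate;

    /**
     * Authenticates the caller from the certificate it presented.
     * <p>
     * Obtains the keystore alias (via a {@link NameCallback} with prompt {@code "alias"}) and the
     * caller's certificates (via a {@link CertificateCallback}) from the callback handler, then
     * checks that the first X.509 certificate supplied is currently valid and that its signature
     * verifies against the public key of the keystore certificate stored under that alias.
     *
     * @return {@code true} when the caller certificate verified
     * @throws LoginException if the callbacks cannot be serviced, no X.509 certificate was
     *             provided, the keystore cannot be accessed, no alias was supplied or no
     *             certificate is stored under it, or the caller certificate fails the validity or
     *             signature check
     */
    @Override // org.switchyard.security.login.SwitchYardLoginModule
    public boolean login() throws LoginException {
        NameCallback aliasCallback = new NameCallback("alias");
        CertificateCallback certificateCallback = new CertificateCallback();
        try {
            getCallbackHandler().handle(new Callback[]{aliasCallback, certificateCallback});
        } catch (IOException e) {
            throw BaseSecurityMessages.MESSAGES.failedInvokeCallback(e.getMessage(), e);
        } catch (UnsupportedCallbackException e) {
            throw BaseSecurityMessages.MESSAGES.callbackHandlerNoSupport(e.getCallback().toString());
        }
        X509Certificate callerCertificate = getCallerCertificate(certificateCallback);
        Certificate trustedCertificate = getTrustedCertificate(aliasCallback.getName());
        try {
            // verify() only checks the signature; reject expired / not-yet-valid certificates too.
            callerCertificate.checkValidity();
            callerCertificate.verify(trustedCertificate.getPublicKey());
        } catch (GeneralSecurityException e) {
            throw BaseSecurityMessages.MESSAGES.problemVerifyingCallerCert(e.getMessage());
        }
        this._verifiedCallerCertificate = callerCertificate;
        return true;
    }

    /**
     * Populates the subject once the overall login succeeded.
     * <p>
     * Adds a {@link UserPrincipal} named after the value of the first RDN of the verified
     * certificate's subject DN (typically the CN). When the {@code rolesProperties} option is set
     * and lists roles for that user (comma separated), each role is added as a
     * {@link RolePrincipal} to the subject's {@code "Roles"} {@link GroupPrincipal}, which is
     * created and added to the subject if it does not exist yet.
     *
     * @return {@code false} if {@link #login()} did not verify a certificate (this module is then
     *         to be ignored), {@code true} otherwise
     * @throws LoginException declared by the contract; not thrown by this implementation
     */
    @Override // org.switchyard.security.login.SwitchYardLoginModule
    public boolean commit() throws LoginException {
        if (_verifiedCallerCertificate == null) {
            return false;
        }
        String subjectName = _verifiedCallerCertificate.getSubjectX500Principal().getName();
        String userName = extractFirstRdnValue(subjectName);
        getSubject().getPrincipals().add(new UserPrincipal(userName));
        Properties rolesProperties = getRolesProperties();
        if (rolesProperties == null) {
            return true;
        }
        String roleList = rolesProperties.getProperty(userName);
        if (roleList == null) {
            // no roles configured for this user
            return true;
        }
        GroupPrincipal rolesGroup = null;
        for (String role : Strings.uniqueSplitTrimToNull(roleList, ROLES_DELIMITER)) {
            if (rolesGroup == null) {
                // created lazily so an empty role list does not leave an empty "Roles" group behind
                rolesGroup = getOrCreateRolesGroup();
            }
            rolesGroup.addMember(new RolePrincipal(role));
        }
        return true;
    }

    /**
     * Forgets the verified caller certificate so that a subsequent {@link #commit()} returns
     * {@code false}.
     * <p>
     * NOTE(review): the principals added by {@link #commit()} are not removed from the subject
     * here; confirm against the base class / LoginContext usage whether that is intended.
     *
     * @return always {@code true}
     */
    @Override // org.switchyard.security.login.SwitchYardLoginModule
    public boolean logout() throws LoginException {
        _verifiedCallerCertificate = null;
        return true;
    }

    /**
     * Returns the value of the first RDN of an RFC 2253 distinguished name, e.g. {@code "alice"}
     * for {@code "CN=alice,O=Example"}.
     * <p>
     * A backslash-escaped comma inside the value does not terminate it, and a DN consisting of a
     * single RDN yields that RDN's whole value (rather than failing on a missing comma). Escape
     * characters are returned as-is, not unescaped.
     *
     * @param distinguishedName the DN as returned by {@code X500Principal.getName()}
     * @return the first RDN value, possibly empty
     */
    static String extractFirstRdnValue(String distinguishedName) {
        int start = distinguishedName.indexOf('=') + 1;
        int end = distinguishedName.length();
        for (int i = start; i < end; i++) {
            char c = distinguishedName.charAt(i);
            if (c == '\\') {
                i++; // skip the escaped character
            } else if (c == ',') {
                end = i;
                break;
            }
        }
        return distinguishedName.substring(start, end);
    }

    /**
     * Returns the subject's {@code "Roles"} group principal, adding a new one to the subject when
     * none is present yet.
     *
     * @return the group principal that collects the caller's roles
     */
    private GroupPrincipal getOrCreateRolesGroup() {
        for (GroupPrincipal group : getSubject().getPrincipals(GroupPrincipal.class)) {
            if (ROLES_GROUP_NAME.equals(group.getName())) {
                return group;
            }
        }
        GroupPrincipal rolesGroup = new GroupPrincipal(ROLES_GROUP_NAME);
        getSubject().getPrincipals().add(rolesGroup);
        return rolesGroup;
    }

    /**
     * Picks the first X.509 certificate out of the certificates the callback handler supplied.
     *
     * @param certificateCallback the callback the handler populated
     * @return the caller's X.509 certificate
     * @throws LoginException if the callback carries no X.509 certificate
     */
    private X509Certificate getCallerCertificate(CertificateCallback certificateCallback) throws LoginException {
        Iterable<Certificate> certificates = certificateCallback.getCertificates();
        if (certificates != null) {
            for (Certificate certificate : certificates) {
                if (certificate instanceof X509Certificate) {
                    return (X509Certificate) certificate;
                }
            }
        }
        throw BaseSecurityMessages.MESSAGES.noCallerCertificateProvided();
    }

    /**
     * Loads the certificate stored in the configured keystore under {@code alias}.
     *
     * @param alias the keystore alias supplied by the callback handler; may be {@code null} if the
     *            handler did not set one
     * @return the keystore certificate, never {@code null}
     * @throws LoginException if no alias was supplied, the keystore cannot be accessed, or no
     *             certificate is stored under the alias
     */
    private Certificate getTrustedCertificate(String alias) throws LoginException {
        if (alias == null) {
            throw BaseSecurityMessages.MESSAGES.problemVerifyingCallerCert("no keystore alias was provided by the callback handler");
        }
        Certificate trustedCertificate;
        try {
            trustedCertificate = getKeyStore().getCertificate(alias);
        } catch (KeyStoreException e) {
            throw BaseSecurityMessages.MESSAGES.problemAccessingKeystore(e.getMessage());
        }
        if (trustedCertificate == null) {
            // KeyStore.getCertificate() returns null for an unknown alias; fail clearly instead of NPE-ing on getPublicKey()
            throw BaseSecurityMessages.MESSAGES.problemVerifyingCallerCert("no certificate found in keystore under alias: " + alias);
        }
        return trustedCertificate;
    }

    /**
     * Opens the keystore holding the trusted certificate(s), as configured by the
     * {@code PublicCrypto.KEYSTORE_LOCATION} (presumably required, given the {@code true} flag),
     * {@code KEYSTORE_TYPE} and {@code KEYSTORE_PASSWORD} (optional) login-module options.
     *
     * @return the loaded keystore
     * @throws LoginException if the options are missing or the keystore cannot be loaded
     */
    private KeyStore getKeyStore() throws LoginException {
        String location = getOption(PublicCrypto.KEYSTORE_LOCATION, true);
        String type = getOption(PublicCrypto.KEYSTORE_TYPE, false);
        String password = getOption(PublicCrypto.KEYSTORE_PASSWORD, false);
        char[] passwordChars = password != null ? password.toCharArray() : null;
        return new KeyStorePuller(type, passwordChars).pullPath(location, getClass(), Puller.PathType.values());
    }

    /**
     * Loads the roles properties resource named by the {@code rolesProperties} option.
     * <p>
     * A resource whose name ends in {@code ".xml"} is read as XML properties, anything else as
     * plain properties.
     *
     * @return the roles properties, or {@code null} when the option is not set
     */
    private Properties getRolesProperties() {
        String location = getOption(ROLES_PROPERTIES_OPTION, false);
        if (location == null) {
            return null;
        }
        PropertiesPuller.PropertiesType propertiesType = location.endsWith(XML_EXTENSION)
                ? PropertiesPuller.PropertiesType.XML
                : PropertiesPuller.PropertiesType.PROPERTIES;
        return new PropertiesPuller(propertiesType).pullPath(location, getClass(), Puller.PathType.values());
    }
}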
