package com.yahoo.athenz.auth.impl;

import com.yahoo.athenz.auth.Authority;
import com.yahoo.athenz.auth.Principal;
import com.yahoo.athenz.auth.util.Crypto;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/yahoo/athenz/auth/impl/CertificateAuthority.class */
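/**
 * Authority that authenticates a request from the client TLS certificate that
 * accompanies it ({@link Authority.CredSource#CERTIFICATE}).
 *
 * <p>Only the first certificate of the presented array (the leaf) is consulted.
 * Its CN is split at the last {@code '.'} into {@code domain} and {@code service}.
 * A CN containing {@code ":role."} is treated as a role certificate: the CN
 * becomes the principal's single role, and the identity is taken instead from
 * the part before {@code '@'} of the first email SAN entry.
 *
 * <p>This class only parses the certificate it is handed; it performs no chain,
 * validity-period or revocation checking. NOTE(review): presumably the TLS layer
 * has already validated the chain before the array reaches this method — confirm
 * before relying on this authority on its own.
 *
 * <p>CNs listed in the {@value #ATHENZ_PROP_EXCLUDED_PRINCIPALS} system property
 * (comma separated, matched exactly, no trimming) are rejected.
 */
public class CertificateAuthority implements Authority {
    private static final Logger LOG = LoggerFactory.getLogger(CertificateAuthority.class);
    static final String ATHENZ_PROP_EXCLUDED_PRINCIPALS = "athenz.auth.certificate.excluded_principals";
    // CNs that must never authenticate; stays null when the property is unset.
    Set<String> excludedPrincipalSet = null;

    /**
     * Reads the excluded-principal list from the
     * {@value #ATHENZ_PROP_EXCLUDED_PRINCIPALS} system property. Leaves
     * {@link #excludedPrincipalSet} as {@code null} when the property is absent
     * or empty, which disables the exclusion check entirely.
     */
    @Override // com.yahoo.athenz.auth.Authority
    public void initialize() {
        String configured = System.getProperty(ATHENZ_PROP_EXCLUDED_PRINCIPALS);
        if (configured == null || configured.isEmpty()) {
            return;
        }
        // Entries are stored as given: no trimming and no case folding, so
        // "a, b" excludes the CN " b", not "b".
        this.excludedPrincipalSet = new HashSet<>(Arrays.asList(configured.split(",")));
    }

    /** Certificate authorities are not bound to a domain; always {@code null}. */
    @Override // com.yahoo.athenz.auth.Authority
    public String getDomain() {
        return null;
    }

    /** Credentials come from the TLS layer, not a header; always {@code null}. */
    @Override // com.yahoo.athenz.auth.Authority
    public String getHeader() {
        return null;
    }

    /**
     * Header-based authentication is not supported by this authority.
     *
     * @return always {@code null}
     */
    @Override // com.yahoo.athenz.auth.Authority
    public Principal authenticate(String str, String str2, String str3, StringBuilder sb) {
        return null;
    }

    @Override // com.yahoo.athenz.auth.Authority
    public Authority.CredSource getCredSource() {
        return Authority.CredSource.CERTIFICATE;
    }

    /**
     * Builds a principal from the leaf certificate of the presented chain.
     *
     * @param x509CertificateArr certificates presented by the client; only
     *        element 0 is used
     * @param sb receives a human-readable failure reason on {@code null} return;
     *        may itself be {@code null}, in which case the reason is discarded
     * @return the principal, or {@code null} when no certificate is present, the
     *         CN is empty or excluded, a role certificate lacks a usable email
     *         SAN, or the CN does not contain a {@code '.'}
     */
    @Override // com.yahoo.athenz.auth.Authority
    public Principal authenticate(X509Certificate[] x509CertificateArr, StringBuilder sb) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("CertificateAuthority:authenticate: TLS Certificates: {}", Arrays.toString(x509CertificateArr));
            if (x509CertificateArr != null) {
                for (X509Certificate cert : x509CertificateArr) {
                    LOG.debug("CertificateAuthority:authenticate: TLS Certificate: {}", cert);
                }
            }
        }
        StringBuilder errMsg = sb == null ? new StringBuilder(512) : sb;
        // An empty array must be rejected like a null one rather than throwing
        // ArrayIndexOutOfBoundsException on [0].
        if (x509CertificateArr == null || x509CertificateArr.length == 0 || x509CertificateArr[0] == null) {
            errMsg.append("CertificateAuthority:authenticate: No certificate available in request");
            return null;
        }
        X509Certificate leafCert = x509CertificateArr[0];
        String principalName = Crypto.extractX509CertCommonName(leafCert);
        if (principalName == null || principalName.isEmpty()) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("CertificateAuthority:authenticate: Certificate principal is empty");
            }
            errMsg.append("CertificateAuthority:authenticate: Certificate principal is empty");
            return null;
        }
        // The exclusion check is applied to the raw CN, i.e. before a role
        // certificate's identity is rewritten from its email SAN below.
        if (this.excludedPrincipalSet != null && this.excludedPrincipalSet.contains(principalName)) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("CertificateAuthority:authenticate: Principal is excluded");
            }
            errMsg.append("CertificateAuthority:authenticate: Principal is excluded");
            return null;
        }
        List<String> roles = null;
        if (principalName.indexOf(":role.") != -1) {
            // Role certificate: the CN names the role; the identity is the
            // local part of the first email SAN entry.
            roles = new ArrayList<>();
            roles.add(principalName);
            List<String> emails = Crypto.extractX509CertEmails(leafCert);
            if (emails.isEmpty()) {
                errMsg.append("CertificateAuthority:authenticate: Invalid role cert, no email SAN entry: " + principalName);
                return null;
            }
            String email = emails.get(0);
            int atIdx = email.indexOf('@');
            if (atIdx == -1) {
                errMsg.append("CertificateAuthority:authenticate: Invalid role cert, invalid email SAN entry: " + principalName);
                return null;
            }
            principalName = email.substring(0, atIdx);
        }
        // Identity is "<domain>.<service>"; split on the last '.'.
        int dotIdx = principalName.lastIndexOf('.');
        if (dotIdx == -1) {
            errMsg.append("CertificateAuthority:authenticate: Principal is not a valid service identity: " + principalName);
            return null;
        }
        String domain = principalName.substring(0, dotIdx).toLowerCase();
        String service = principalName.substring(dotIdx + 1).toLowerCase();
        SimplePrincipal principal = (SimplePrincipal) SimplePrincipal.create(domain, service, leafCert.toString(), this);
        principal.setUnsignedCreds(leafCert.getSubjectX500Principal().toString());
        principal.setX509Certificate(leafCert);
        principal.setRoles(roles);
        return principal;
    }
}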
