package org.gridgain.grid.security.certificate;

import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.Map;
import org.apache.ignite.IgniteCheckedException;
import org.apache.ignite.IgniteLogger;
import org.apache.ignite.internal.processors.authentication.IgniteAccessControlException;
import org.apache.ignite.internal.util.typedef.internal.S;
import org.apache.ignite.lang.IgnitePredicate;
import org.apache.ignite.plugin.security.AuthenticationContext;
import org.apache.ignite.plugin.security.SecurityCredentials;
import org.apache.ignite.plugin.security.SecurityCredentialsProvider;
import org.apache.ignite.plugin.security.SecurityPermissionSet;
import org.apache.ignite.plugin.security.SecuritySubject;
import org.apache.ignite.plugin.security.SecuritySubjectType;
import org.apache.ignite.resources.LoggerResource;
import org.gridgain.grid.internal.processors.security.AllowAllPermissionSet;
import org.gridgain.grid.internal.util.security.GridSecurityPermissionSetJsonParser;
import org.gridgain.grid.security.Authenticator;
import org.gridgain.grid.security.SecuritySubjectAdapter;

/* loaded from: input_file:org/gridgain/grid/security/certificate/CertificateAuthenticator.class */
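/**
 * Authenticator that grants permissions to remote clients according to the certificate chain they
 * present. Each configured predicate is applied to the whole chain, and a matching predicate
 * selects the {@link SecurityPermissionSet} handed to the authenticated subject.
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>This class never inspects signatures, validity dates or revocation status. It only runs the
 *       configured predicates over whatever {@link AuthenticationContext#certificates()} returns;
 *       presumably the chain was already validated by the TLS layer (confirm in deployment).</li>
 *   <li>With {@code alwaysAcceptServerNodes == true}, which is the default, a subject of type
 *       {@code REMOTE_NODE} is accepted with {@link AllowAllPermissionSet} and none of its
 *       certificates is looked at. Node-to-node trust has to be enforced elsewhere.</li>
 *   <li>When several predicates match, the last one in map iteration order decides the
 *       permissions.</li>
 * </ul>
 */
public class CertificateAuthenticator implements Authenticator, SecurityCredentialsProvider {
    /** Chain predicates mapped to the permission set each one grants; {@code null} until configured. */
    private Map<? extends IgnitePredicate<Certificate[]>, SecurityPermissionSet> permsMap;

    /** When {@code true} (the default), remote nodes are accepted without any certificate check. */
    private boolean alwaysAcceptServerNodes = true;

    /** Logger; annotated for injection and never assigned inside this class, so it may be {@code null}. */
    @LoggerResource
    private IgniteLogger log;

    /**
     * Sets the predicate-to-permissions mapping used for client authentication.
     *
     * <p>The mapping is copied in the iteration order of {@code map} and then made unmodifiable, so
     * later changes to the caller's map cannot alter the permissions this authenticator grants.
     *
     * @param map predicates over the client certificate chain and the permission set each grants
     * @throws NullPointerException if {@code map} is {@code null}
     */
    public void setPermissions(Map<? extends IgnitePredicate<Certificate[]>, SecurityPermissionSet> map) {
        if (map == null) {
            throw new NullPointerException("map");
        }
        // Snapshot instead of wrapping: an unmodifiable view would still follow the caller's edits.
        Map<IgnitePredicate<Certificate[]>, SecurityPermissionSet> snapshot =
            new LinkedHashMap<IgnitePredicate<Certificate[]>, SecurityPermissionSet>(map);
        this.permsMap = Collections.unmodifiableMap(snapshot);
    }

    /**
     * Same as {@link #setPermissions(Map)}, with each permission set supplied as a JSON string that
     * is parsed by {@link GridSecurityPermissionSetJsonParser}.
     *
     * @param map predicates mapped to the JSON description of the permissions they grant
     * @param <P> predicate type
     * @throws IgniteCheckedException declared by this method; presumably raised when a JSON value
     *     cannot be parsed (confirm against the parser)
     */
    public <P extends IgnitePredicate<Certificate[]>> void setPermissionsJson(Map<P, String> map) throws IgniteCheckedException {
        // LinkedHashMap keeps the caller's iteration order, which decides precedence in authenticate().
        Map<P, SecurityPermissionSet> parsed = new LinkedHashMap<P, SecurityPermissionSet>();
        for (Map.Entry<P, String> entry : map.entrySet()) {
            parsed.put(entry.getKey(), new GridSecurityPermissionSetJsonParser(entry.getValue()).parse());
        }
        setPermissions(parsed);
    }

    /**
     * Controls whether remote nodes are accepted without certificate authentication.
     *
     * @param z {@code true} to accept every remote node with all permissions, {@code false} to
     *     reject remote nodes in {@link #authenticate(AuthenticationContext)}
     */
    public void setAlwaysAcceptServerNodes(boolean z) {
        this.alwaysAcceptServerNodes = z;
    }

    /**
     * Tells whether this authenticator handles the given subject type.
     *
     * <p>While {@code alwaysAcceptServerNodes} is set this returns {@code true} for every subject
     * type; otherwise only for {@code REMOTE_CLIENT}.
     *
     * @param securitySubjectType subject type, must not be {@code null}
     * @return whether the type is handled
     */
    @Override // org.gridgain.grid.security.Authenticator
    public boolean supported(SecuritySubjectType securitySubjectType) {
        assert securitySubjectType != null;

        return this.alwaysAcceptServerNodes || securitySubjectType == SecuritySubjectType.REMOTE_CLIENT;
    }

    /**
     * Authenticates a subject from the certificate chain carried by the context.
     *
     * @param authenticationContext context providing subject id, type, address and certificates
     * @return the authenticated subject with the permissions selected for it
     * @throws IgniteAccessControlException if the subject is a remote node while node acceptance is
     *     disabled, if no certificate was supplied, if no predicates are configured, or if no
     *     predicate yields a permission set
     * @throws IgniteCheckedException declared by the {@link Authenticator} contract
     */
    @Override // org.gridgain.grid.security.Authenticator
    public SecuritySubject authenticate(AuthenticationContext authenticationContext) throws IgniteCheckedException {
        if (authenticationContext.subjectType() == SecuritySubjectType.REMOTE_NODE) {
            if (this.alwaysAcceptServerNodes) {
                // No certificate is read on this path: the node gets an empty name, all permissions
                // and no recorded chain.
                return new SecuritySubjectAdapter(authenticationContext.subjectId(), authenticationContext.subjectType(), "", authenticationContext.address(), new AllowAllPermissionSet(), null);
            }
            throw new IgniteAccessControlException("Remote nodes cannot be authenticated using certificates.");
        }

        Certificate[] certificates = authenticationContext.certificates();
        if (certificates == null || certificates.length == 0) {
            throw new IgniteAccessControlException("No client certificates supplied! Please check that SSL and peer certificate checking are enabled.");
        }

        // Read the field once so the emptiness check and the iteration see the same map.
        Map<? extends IgnitePredicate<Certificate[]>, SecurityPermissionSet> matchers = this.permsMap;
        if (matchers == null || matchers.isEmpty()) {
            throw new IgniteAccessControlException("No certificate matchers specified! Please call setPermissions().");
        }

        // The subject name always comes from the first certificate of the chain, while predicates
        // receive the whole chain. It is client-supplied text that ends up in log and exception
        // messages below.
        String subjectName = certificateName(certificates[0]);
        SecurityPermissionSet granted = null;

        // NOTE(review): there is no early exit, so a later match overwrites an earlier one and the
        // LAST matching predicate decides the permissions. Confirm this precedence is intended; an
        // ordering mistake in the configuration silently changes what a certificate is allowed to do.
        for (Map.Entry<? extends IgnitePredicate<Certificate[]>, SecurityPermissionSet> entry : matchers.entrySet()) {
            IgnitePredicate<Certificate[]> predicate = entry.getKey();
            if (predicate.apply(certificates)) {
                granted = entry.getValue();
                // The logger may not have been injected; a successful match must not fail on that.
                if (this.log != null && this.log.isDebugEnabled()) {
                    this.log.debug("Matched certificate with predicate [subjectDnName=" + subjectName + ", predicate=" + predicate + "]");
                }
            }
        }

        // Also reached when the winning predicate is mapped to a null permission set.
        if (granted == null) {
            throw new IgniteAccessControlException("No predicates matched by client certificate(s) [subjectDnName=" + subjectName + "].");
        }
        return new SecuritySubjectAdapter(authenticationContext.subjectId(), authenticationContext.subjectType(), subjectName, authenticationContext.address(), granted, authenticationContext.certificates());
    }

    /**
     * Derives a display name for a certificate: the subject DN for X.509 certificates, the literal
     * {@code "null"} for a {@code null} reference, and {@code toString()} otherwise.
     *
     * <p>{@code getSubjectDN()} is kept because the resulting string is passed on as the subject's
     * name and appears in messages; another accessor could change its format for callers.
     */
    private String certificateName(Certificate certificate) {
        if (certificate instanceof X509Certificate) {
            return ((X509Certificate) certificate).getSubjectDN().getName();
        }
        return certificate == null ? "null" : certificate.toString();
    }

    /**
     * @return always {@code false}
     */
    @Override // org.gridgain.grid.security.Authenticator
    public boolean isGlobalNodeAuthentication() {
        return false;
    }

    /** {@inheritDoc} */
    @Override
    public String toString() {
        return S.toString(CertificateAuthenticator.class, this);
    }

    /**
     * Supplies the credentials this node presents to others.
     *
     * @return credentials built from two empty strings while {@code alwaysAcceptServerNodes} is set,
     *     otherwise {@code null}
     */
    public SecurityCredentials credentials() {
        if (this.alwaysAcceptServerNodes) {
            return new SecurityCredentials("", "");
        }
        return null;
    }
}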
