package org.apache.storm.security.auth;

import java.security.AccessControlException;
import java.util.List;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/storm/security/auth/X509CertPrincipalToLocal.class */
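/**
 * Maps the subject distinguished name of an X.509 client certificate to a local user name.
 *
 * <p>The common name (CN) is pulled out of the DN and run through the regular expression
 * configured under {@link #X509_CERT_PRINCIPAL_TO_LOCAL_REGEX}; the first capturing group that
 * participated in the match becomes the local name.
 *
 * <p>Security notes for whoever configures the regex:
 * <ul>
 *   <li>Matching uses {@link Matcher#find()}, so an unanchored expression matches anywhere inside
 *       the CN. Anchor the expression with {@code ^} and {@code $} when the whole CN must conform,
 *       otherwise a CN that merely contains an accepted name is mapped to it.</li>
 *   <li>An expression without capturing groups can never produce a name; every principal is then
 *       rejected.</li>
 * </ul>
 *
 * <p>Every failure path rejects the principal by throwing; no fallback identity is ever returned.
 */
public class X509CertPrincipalToLocal implements IPrincipalToLocal {
    private static final Logger LOG = LoggerFactory.getLogger(X509CertPrincipalToLocal.class);
    public static final String X509_CERT_PRINCIPAL_TO_LOCAL_REGEX = "x509.cert.principal.to.local.regex";
    private Pattern pattern;

    /**
     * Extracts the value of the CN attribute from a distinguished name.
     *
     * <p>The RDN list is walked from its highest index downwards. {@link LdapName} numbers RDNs
     * from the right-hand end of the string, so the left-most CN of the DN is the one returned.
     * The attribute type is compared case-sensitively against {@code "CN"}; a DN that spells it
     * {@code cn} is treated as having no common name.
     *
     * @param str the distinguished name, may be {@code null}
     * @return the CN value, or {@code null} when {@code str} is {@code null} or carries no CN
     * @throws AccessControlException if {@code str} cannot be parsed as a distinguished name
     */
    private static String extractCn(String str) {
        if (str == null) {
            return null;
        }
        final List<Rdn> rdns;
        try {
            rdns = new LdapName(str).getRdns();
        } catch (InvalidNameException e) {
            AccessControlException denied =
                    new AccessControlException(str + " is not a valid X500 distinguished name");
            // AccessControlException has no cause-taking constructor; attach the parse error
            // so the reason for the rejection is still available to whoever handles it.
            denied.initCause(e);
            throw denied;
        }
        for (int i = rdns.size() - 1; i >= 0; i--) {
            Rdn rdn = rdns.get(i);
            if ("CN".equals(rdn.getType())) {
                return String.valueOf(rdn.getValue());
            }
        }
        return null;
    }

    /**
     * Compiles the mapping regex from the supplied configuration.
     *
     * @param map configuration; must contain {@link #X509_CERT_PRINCIPAL_TO_LOCAL_REGEX}
     * @throws IllegalStateException if the regex key is absent or maps to {@code null}
     * @throws java.util.regex.PatternSyntaxException if the configured value is not a valid regex
     */
    @Override // org.apache.storm.security.auth.IPrincipalToLocal
    public void prepare(Map<String, Object> map) {
        Object configuredRegex = map.get(X509_CERT_PRINCIPAL_TO_LOCAL_REGEX);
        if (configuredRegex == null) {
            throw new IllegalStateException("x509.cert.principal.to.local.regex is not configured");
        }
        this.pattern = Pattern.compile(configuredRegex.toString());
    }

    /**
     * Converts a certificate subject DN into a local user name.
     *
     * @param str the subject distinguished name presented by the peer
     * @return the first capturing group of the configured regex that matched within the CN
     * @throws AccessControlException if the DN is {@code null}, malformed, has no CN, or its CN
     *     does not yield a captured group
     * @throws IllegalStateException if {@link #prepare(Map)} has not been called successfully
     */
    @Override // org.apache.storm.security.auth.IPrincipalToLocal
    public String toLocal(String str) {
        if (this.pattern == null) {
            throw new IllegalStateException("prepare() must be called before toLocal()");
        }
        String commonName = extractCn(str);
        if (commonName == null) {
            // A null DN or a DN without a CN used to reach Pattern.matcher(null) and surface as
            // a NullPointerException. Reject it explicitly as an authorization failure instead,
            // so callers that handle AccessControlException see a denial rather than a crash.
            throw new AccessControlException("Invalid principal " + str);
        }
        Matcher matcher = this.pattern.matcher(commonName);
        if (matcher.find()) {
            // Group 0 (the whole match) is deliberately skipped: only an explicit capturing
            // group may name the local user.
            for (int i = 1; i <= matcher.groupCount(); i++) {
                String captured = matcher.group(i);
                if (captured != null) {
                    return captured;
                }
            }
        }
        throw new AccessControlException("Invalid principal " + str);
    }
}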
