package fish.payara.security.realm.mechanisms;

import fish.payara.security.realm.CertificateCredentialImpl;
import jakarta.enterprise.inject.Typed;
import jakarta.inject.Inject;
import jakarta.security.enterprise.AuthenticationException;
import jakarta.security.enterprise.AuthenticationStatus;
import jakarta.security.enterprise.authentication.mechanism.http.HttpAuthenticationMechanism;
import jakarta.security.enterprise.authentication.mechanism.http.HttpMessageContext;
import jakarta.security.enterprise.identitystore.CredentialValidationResult;
import jakarta.security.enterprise.identitystore.IdentityStoreHandler;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.security.cert.X509Certificate;
import java.util.ResourceBundle;
import java.util.logging.Level;
import java.util.logging.Logger;
import org.apache.catalina.LogFacade;
import org.glassfish.soteria.Utils;

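/**
 * Jakarta Security {@link HttpAuthenticationMechanism} that authenticates the caller
 * from the X.509 client certificate chain the servlet container attached to the
 * request after the TLS handshake.
 *
 * <p>The chain is read from the {@code jakarta.servlet.request.X509Certificate}
 * request attribute (falling back to the Coyote-specific attribute name) and handed,
 * wrapped in a {@link CertificateCredentialImpl}, to the injected
 * {@link IdentityStoreHandler}. This class does not inspect the chain itself: trust,
 * revocation and caller/group mapping are entirely the identity store's job.
 *
 * <p>Outcomes of {@link #validateRequest}:
 * <ul>
 *   <li>chain present and the store reports {@code VALID}: the container is told about
 *       the login with the store's principal and groups;</li>
 *   <li>chain present but rejected, resource protected: {@code responseUnauthorized()};</li>
 *   <li>no chain, resource protected: HTTP 400 with the container's
 *       "no client certificate chain" message and {@code SEND_FAILURE};</li>
 *   <li>resource not protected: {@code doNothing()}.</li>
 * </ul>
 */
@Typed({CertificateAuthenticationMechanism.class})
/* loaded from: input_file:MICRO-INF/runtime/realm-stores.jar:fish/payara/security/realm/mechanisms/CertificateAuthenticationMechanism.class */
public class CertificateAuthenticationMechanism implements HttpAuthenticationMechanism {

    /** Standard Servlet attribute under which the container exposes the client chain. */
    private static final String SERVLET_CERT_ATTRIBUTE = "jakarta.servlet.request.X509Certificate";

    /** Coyote-specific attribute name, consulted only when the standard one yields no chain. */
    private static final String COYOTE_CERT_ATTRIBUTE = "org.apache.coyote.request.X509Certificate";

    @Inject
    private IdentityStoreHandler identityStoreHandler;
    private static final Logger LOGGER = Logger.getLogger(CertificateAuthenticationMechanism.class.getName());
    protected static final ResourceBundle SERVLET_CONTAINER_BUNDLE = LogFacade.getLogger().getResourceBundle();

    /**
     * Validates the request against the client certificate chain supplied by the container.
     *
     * @param httpServletRequest  the current request; the chain is read from its attributes
     * @param httpServletResponse the response, used only to send a 400 when no chain is present
     * @param httpMessageContext  Jakarta Security context used to report the outcome
     * @return the {@link AuthenticationStatus} describing what the container should do next
     * @throws AuthenticationException propagated from the message context
     */
    @Override
    public AuthenticationStatus validateRequest(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, HttpMessageContext httpMessageContext) throws AuthenticationException {
        X509Certificate[] certificates = getCertificates(httpServletRequest);
        boolean chainPresent = !Utils.isEmpty(certificates) && certificates.length != 0;

        if (chainPresent) {
            CredentialValidationResult result = this.identityStoreHandler.validate(new CertificateCredentialImpl(certificates));
            if (result.getStatus() == CredentialValidationResult.Status.VALID) {
                return httpMessageContext.notifyContainerAboutLogin(result.getCallerPrincipal(), result.getCallerGroups());
            }
        }

        // Unprotected resources never get a challenge or an error from this mechanism.
        if (!httpMessageContext.isProtected()) {
            return httpMessageContext.doNothing();
        }

        if (chainPresent) {
            // A chain was offered but the identity store did not accept it.
            return httpMessageContext.responseUnauthorized();
        }

        try {
            httpServletResponse.sendError(HttpServletResponse.SC_BAD_REQUEST, SERVLET_CONTAINER_BUNDLE.getString(LogFacade.NO_CLIENT_CERTIFICATE_CHAIN));
        } catch (IOException e) {
            LOGGER.log(Level.SEVERE, "Failed to send HTTP 400 for a request without a client certificate chain", e);
        }
        // Fail closed: a protected resource requested without a chain is an authentication
        // failure whether or not the 400 could actually be written to the client. The
        // previous revision fell through to doNothing() on IOException and left the
        // decision to the container's downstream authorization.
        return AuthenticationStatus.SEND_FAILURE;
    }

    /**
     * Returns the client certificate chain the container stored on the request, or
     * {@code null}/an empty array when neither attribute carries one. The standard
     * Servlet attribute wins; the Coyote attribute is only consulted when the standard
     * one is absent or empty.
     *
     * @param httpServletRequest the request whose attributes are inspected
     * @return the chain, possibly {@code null} or empty; callers must check both
     */
    private X509Certificate[] getCertificates(HttpServletRequest httpServletRequest) {
        X509Certificate[] chain = certificateAttribute(httpServletRequest, SERVLET_CERT_ATTRIBUTE);
        if (chain == null || chain.length < 1) {
            chain = certificateAttribute(httpServletRequest, COYOTE_CERT_ATTRIBUTE);
        }
        return chain;
    }

    /**
     * Reads one certificate-chain attribute. These attributes are set by the container
     * from the TLS handshake, so any other type here is a deployment/configuration error;
     * it is logged and treated as "no chain" instead of surfacing as a ClassCastException.
     *
     * @param request the request to read from
     * @param name    the attribute name
     * @return the chain, or {@code null} when the attribute is absent or not a chain
     */
    private static X509Certificate[] certificateAttribute(HttpServletRequest request, String name) {
        Object value = request.getAttribute(name);
        if (value == null) {
            return null;
        }
        if (!(value instanceof X509Certificate[])) {
            LOGGER.log(Level.WARNING, "Request attribute {0} is not an X509Certificate[] but {1}; ignoring it",
                    new Object[]{name, value.getClass().getName()});
            return null;
        }
        return (X509Certificate[]) value;
    }
}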
