package com.amazon.opendistroforelasticsearch.security.http;

import com.amazon.opendistroforelasticsearch.security.auth.HTTPAuthenticator;
import com.amazon.opendistroforelasticsearch.security.support.ConfigConstants;
import com.amazon.opendistroforelasticsearch.security.user.AuthCredentials;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.common.Strings;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.rest.RestChannel;
import org.elasticsearch.rest.RestRequest;

/* loaded from: input_file:com/amazon/opendistroforelasticsearch/security/http/HTTPClientCertAuthenticator.class */
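/**
 * HTTP authenticator that builds credentials from the subject distinguished name (DN) of a
 * TLS client certificate.
 *
 * <p>The DN is not read from a certificate here. It is taken from the thread-context transient
 * {@link ConfigConstants#OPENDISTRO_SECURITY_SSL_PRINCIPAL}; this class performs no certificate
 * or chain validation of its own. NOTE(review): presumably the TLS layer sets that transient
 * only after the client certificate has been verified; confirm against the code that writes it.
 *
 * <p>User name and backend roles are copied verbatim from DN attributes. Authorization therefore
 * depends on the trusted CA(s) controlling which subject attributes they are willing to sign.
 */
public class HTTPClientCertAuthenticator implements HTTPAuthenticator {
    protected final Logger log = LogManager.getLogger(getClass());
    protected final Settings settings;

    /**
     * Creates the authenticator.
     *
     * @param settings authenticator settings; read for the user name attribute and
     *     {@code roles_attribute}
     * @param path not used by this class
     */
    public HTTPClientCertAuthenticator(Settings settings, Path path) {
        this.settings = settings;
    }

    /**
     * Derives credentials from the client certificate principal stored in the thread context.
     *
     * <p>The user name is the first value of the configured user name attribute found in the DN.
     * If no attribute is configured, or the DN does not contain it, the whole trimmed DN is used
     * as the user name; a missing attribute does not reject the request. Backend roles are all
     * values of {@code roles_attribute} in the DN, or {@code null} when that setting is unset or
     * the attribute is absent.
     *
     * @param restRequest the incoming request; not inspected by this implementation
     * @param threadContext thread context carrying the principal transient
     * @return credentials marked complete via {@code markComplete()}, or {@code null} when no
     *     principal is present or the principal is not a well-formed DN
     */
    @Override
    public AuthCredentials extractCredentials(RestRequest restRequest, ThreadContext threadContext) {
        final String principal = (String) threadContext.getTransient(ConfigConstants.OPENDISTRO_SECURITY_SSL_PRINCIPAL);
        if (Strings.isNullOrEmpty(principal)) {
            this.log.trace("No CLIENT CERT, send 401");
            return null;
        }
        final String usernameAttribute = this.settings.get(com.amazon.dlic.auth.ldap.util.ConfigConstants.LDAP_AUTHC_USERNAME_ATTRIBUTE);
        final String rolesAttribute = this.settings.get("roles_attribute");
        try {
            final LdapName ldapName = new LdapName(principal);
            // Default identity is the full DN; it is replaced only if the configured attribute is found.
            String username = principal.trim();
            String[] backendRoles = null;
            if (!Strings.isNullOrEmpty(usernameAttribute)) {
                final List<String> usernames = getDnAttribute(ldapName, usernameAttribute);
                if (!usernames.isEmpty()) {
                    username = usernames.get(0);
                }
            }
            if (!Strings.isNullOrEmpty(rolesAttribute)) {
                final List<String> roles = getDnAttribute(ldapName, rolesAttribute);
                if (!roles.isEmpty()) {
                    backendRoles = roles.toArray(new String[0]);
                }
            }
            return new AuthCredentials(username, backendRoles).markComplete();
        } catch (InvalidNameException e) {
            // Pass the exception as the trailing argument so the parse failure is kept in the log.
            this.log.error("Client cert had no properly formed DN (was: {})", principal, e);
            return null;
        }
    }

    /**
     * Always returns {@code false}: this authenticator sends no challenge of its own.
     *
     * @param restChannel the response channel; not used
     * @param authCredentials the credentials from the failed attempt; not used
     * @return {@code false}
     */
    @Override
    public boolean reRequestAuthentication(RestChannel restChannel, AuthCredentials authCredentials) {
        return false;
    }

    /**
     * Returns the type identifier of this authenticator.
     *
     * @return the constant {@code "clientcert"}
     */
    @Override
    public String getType() {
        return "clientcert";
    }

    /**
     * Collects the values of every RDN in {@code ldapName} whose type equals {@code attribute},
     * ignoring case.
     *
     * <p>{@link LdapName#getRdns()} lists the right-most RDN first, so the list is reversed to
     * return values in the order they are written in the DN string (left to right).
     *
     * @param ldapName the parsed DN
     * @param attribute the attribute type to look for, for example {@code cn}
     * @return an unmodifiable list of matching values, empty when there is no match
     */
    private List<String> getDnAttribute(LdapName ldapName, String attribute) {
        final List<Rdn> rdns = new ArrayList<>(ldapName.getRdns());
        Collections.reverse(rdns);
        final List<String> values = new ArrayList<>(rdns.size());
        for (Rdn rdn : rdns) {
            // NOTE(review): for a multi-valued RDN (a+b) getType()/getValue() expose only one of
            // the pairs, so an attribute inside such an RDN may be missed. Also, getValue() is a
            // byte[] for '#'-hex encoded values and toString() then yields an identity string
            // rather than the content. Decide whether such DNs should be rejected outright.
            if (rdn.getType().equalsIgnoreCase(attribute)) {
                values.add(rdn.getValue().toString());
            }
        }
        return Collections.unmodifiableList(values);
    }
}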
