package io.confluent.common.security.jetty;

import java.security.cert.X509Certificate;
import java.util.Objects;
import org.eclipse.jetty.security.AuthenticationState;
import org.eclipse.jetty.security.LoginService;
import org.eclipse.jetty.security.ServerAuthException;
import org.eclipse.jetty.security.UserIdentity;
import org.eclipse.jetty.security.authentication.LoginAuthenticator;
import org.eclipse.jetty.server.Request;
import org.eclipse.jetty.server.Response;
import org.eclipse.jetty.util.Callback;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/confluent/common/security/jetty/CertificateAuthenticator.class */
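/**
 * Jetty authenticator that logs a caller in from the X.509 client certificate(s)
 * found on the request.
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>This class does no certificate validation of its own (no chain, expiry or
 *       revocation check). It relies on whatever populated the request attribute,
 *       and on the {@link LoginService}, which receives the certificate as the
 *       credential.</li>
 *   <li>The user name passed to the {@link LoginService} is the certificate's
 *       subject distinguished name as returned by
 *       {@code getSubjectX500Principal().getName()}.</li>
 *   <li>Every non-null entry of the certificate array is tried, not only the first.
 *       NOTE(review): the servlet attribute conventionally carries the chain with the
 *       client's own certificate first and issuer certificates after it. Confirm the
 *       configured LoginService cannot map an issuer's subject DN to a user.</li>
 * </ul>
 */
public class CertificateAuthenticator extends LoginAuthenticator {
    private static final Logger log = LoggerFactory.getLogger(CertificateAuthenticator.class);

    /**
     * Returns the authentication scheme name reported for this authenticator.
     *
     * @return the constant {@code "CLIENT_CERT"}
     */
    public String getAuthenticationType() {
        return "CLIENT_CERT";
    }

    /**
     * Attempts to authenticate the request with each presented client certificate in
     * array order and returns on the first one the {@link LoginService} accepts.
     *
     * @param request  the request whose {@code jakarta.servlet.request.X509Certificate}
     *                 attribute is read; also supplies the session accessor handed to
     *                 the login service
     * @param response not used by this method
     * @param callback not used by this method
     * @return a {@link LoginAuthenticator.UserAuthenticationSucceeded} for the first
     *         certificate that yields a user identity, otherwise
     *         {@link AuthenticationState#CHALLENGE}
     * @throws ServerAuthException declared by the authenticator contract; not thrown
     *                             directly by this method
     */
    public AuthenticationState validateRequest(Request request, Response response, Callback callback) throws ServerAuthException {
        log.debug("Processing certificate authentication");
        X509Certificate[] presented = (X509Certificate[]) request.getAttribute("jakarta.servlet.request.X509Certificate");
        if (presented == null) {
            // No client certificate on this request: fall through to the challenge result.
            presented = new X509Certificate[0];
        }
        for (X509Certificate candidate : presented) {
            if (candidate == null) {
                continue;
            }
            log.debug("Trying presented certificate: {}", candidate.getSubjectX500Principal());
            String subjectDn = candidate.getSubjectX500Principal().getName();
            LoginService loginService = getLoginService();
            // The decompiled source referenced an undefined synthetic variable ("r4") here;
            // the bound method reference restores the intended request.getSession(boolean).
            UserIdentity identity = loginService.login(subjectDn, candidate, request, request::getSession);
            if (identity != null) {
                log.debug("Found eligible certificate: {}", candidate.getSubjectX500Principal());
                return new LoginAuthenticator.UserAuthenticationSucceeded(getAuthenticationType(), identity);
            }
        }
        log.debug("No eligible certificates found");
        // NOTE(review): this path neither writes to the response nor completes the callback
        // before returning CHALLENGE; confirm the surrounding handler sends the failure
        // response so that an unauthenticated request is rejected rather than left pending.
        return AuthenticationState.CHALLENGE;
    }
}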
