package io.confluent.common.security.auth;

import java.io.IOException;
import java.security.Principal;
import java.security.cert.X509Certificate;
import java.util.Optional;
import javax.security.auth.login.LoginException;
import javax.ws.rs.container.ContainerRequestContext;
import org.apache.kafka.common.security.ssl.SslPrincipalMapper;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/confluent/common/security/auth/SslAuthenticationModule.class */
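/**
 * Authentication module that derives the caller's identity from the TLS client certificate
 * attached to the request.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>This class performs no certificate validation of its own (no chain, expiry or revocation
 *       checks are visible here). It relies on the TLS layer having required and verified the
 *       client certificate before the request property is populated. NOTE(review): confirm the
 *       listener is configured to require client authentication; if it only "wants" a
 *       certificate, requests without one end in the {@link LoginException} path below.</li>
 *   <li>Only the first certificate of the array is used. Per the servlet convention for this
 *       property the first element is presumably the client's own certificate; verify against
 *       the container in use.</li>
 *   <li>The principal name is the subject DN as returned by
 *       {@code X500Principal.getName()} (RFC 2253 string form), optionally rewritten by the
 *       configured {@link SslPrincipalMapper}. Mapping rules must be written against that
 *       string form.</li>
 * </ul>
 */
public final class SslAuthenticationModule implements AuthenticationModule {
    private static final Logger log = LoggerFactory.getLogger(SslAuthenticationModule.class);

    /** Request property under which the container exposes the client certificate chain. */
    private static final String CLIENT_CERT_PROPERTY = "javax.servlet.request.X509Certificate";

    /** Message used for every "no usable client certificate" outcome. */
    private static final String CERT_NOT_FOUND_MESSAGE = "Auth Certificate couldn't be found";

    /** Optional DN-to-principal rewrite rules; empty means the DN is used unchanged. */
    private final Optional<SslPrincipalMapper> principalMapperOpt;

    /**
     * Creates the module.
     *
     * @param optional mapper applied to the certificate subject DN, or an empty Optional to use
     *     the DN as the principal name; must not be {@code null} (a null value is stored as-is
     *     and fails later, when a DN has to be mapped)
     */
    public SslAuthenticationModule(Optional<SslPrincipalMapper> optional) {
        this.principalMapperOpt = optional;
    }

    /**
     * Resolves the principal for a request authenticated with a TLS client certificate.
     *
     * <p>If the request's security context already carries a {@code CertificatePrincipal}, that
     * principal is returned unchanged. Otherwise the subject DN of the first certificate found
     * in the request property is mapped to a principal name.
     *
     * @param containerRequestContext the incoming request
     * @return the already-established certificate principal, or a new {@code RestUserPrincipal}
     * @throws LoginException if no usable client certificate is attached to the request, or the
     *     DN cannot be mapped by the configured rules
     */
    @Override
    public Principal authenticate(ContainerRequestContext containerRequestContext) throws LoginException {
        if (containerRequestContext.getSecurityContext() != null) {
            Principal userPrincipal = containerRequestContext.getSecurityContext().getUserPrincipal();
            // An upstream component has already established a certificate identity; trust it
            // rather than re-deriving one from the raw certificate.
            if (userPrincipal instanceof CertificatePrincipal) {
                return userPrincipal;
            }
        }

        // Check the runtime type before casting: a missing or unexpectedly typed property must
        // end as an authentication failure, not as a ClassCastException escaping the module.
        Object certProperty = containerRequestContext.getProperty(CLIENT_CERT_PROPERTY);
        if (!(certProperty instanceof X509Certificate[])) {
            throw new LoginException(CERT_NOT_FOUND_MESSAGE);
        }
        X509Certificate[] certChain = (X509Certificate[]) certProperty;
        if (certChain.length == 0 || certChain[0] == null) {
            throw new LoginException(CERT_NOT_FOUND_MESSAGE);
        }

        String subjectDn = certChain[0].getSubjectX500Principal().getName();
        // NOTE(review): the mapped name is not checked for being empty here; confirm that
        // RestUserPrincipal or the authorizer rejects an empty principal name.
        return new RestUserPrincipal(mapPrincipalName(subjectDn));
    }

    /**
     * Applies the configured mapping rules to a distinguished name.
     *
     * @param str subject DN taken from the client certificate
     * @return the mapped principal name, or {@code str} unchanged when no mapper is configured
     * @throws LoginException if the mapper fails; the underlying {@link IOException} is attached
     *     as the cause
     */
    private String mapPrincipalName(String str) throws LoginException {
        if (!this.principalMapperOpt.isPresent()) {
            return str;
        }
        try {
            return this.principalMapperOpt.get().getName(str);
        } catch (IOException e) {
            log.error("Failed to map distinguished name {} to principal using custom rules", str, e);
            // LoginException has no (message, cause) constructor, so attach the cause explicitly
            // to keep the mapper's failure reason available to callers and audit tooling.
            // NOTE(review): the message embeds the DN; check whether it is returned to the client.
            LoginException failure = new LoginException("Failed to map distinguished name " + str + " to principal");
            failure.initCause(e);
            throw failure;
        }
    }

    /**
     * Returns the authentication scheme handled by this module.
     *
     * @return the name of {@code RestAuthType.SSL}
     */
    @Override
    public String getAuthScheme() {
        return RestAuthType.SSL.name();
    }
}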
