package io.quarkus.vertx.http.runtime.security;

import io.vertx.ext.auth.impl.asn.ASN1;
import java.lang.invoke.MethodHandles;
import java.lang.invoke.MethodType;
import java.lang.runtime.ObjectMethods;
import java.nio.charset.StandardCharsets;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.function.Function;
import javax.security.auth.x500.X500Principal;
import org.jboss.logging.Logger;

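/* loaded from: input_file:io/quarkus/vertx/http/runtime/security/CertificateRoleAttribute.class */
/**
 * Derives role names from an X.509 certificate by looking up one certificate attribute in a
 * configured value-to-roles map.
 *
 * <p>The attribute is either a subject RDN type (for example {@code CN}) or one of the {@link SAN}
 * names, which select a Subject Alternative Name entry type. The lookup is an exact, case-sensitive
 * {@link Map#get} on the extracted value; a value with no entry yields no roles.
 *
 * <p>This listing is JADX decompiler output: {@code extends Record} and the
 * {@code ObjectMethods.bootstrap} calls are the decompiler's rendering of a record with the single
 * component {@code rolesMapper}.
 */
public final class CertificateRoleAttribute extends Record {
    private final Function<X509Certificate, Set<String>> rolesMapper;
    private static final Logger log = Logger.getLogger(CertificateRoleAttribute.class);
    private static final String SAN_PREFIX = "SAN_";

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:io/quarkus/vertx/http/runtime/security/CertificateRoleAttribute$SAN.class */
    /**
     * Supported Subject Alternative Name selectors. The number is the GeneralName type that
     * {@link X509Certificate#getSubjectAlternativeNames()} reports as the first element of each
     * entry: 0 is otherName, 1 is rfc822Name, 6 is uniformResourceIdentifier (RFC 5280).
     */
    public enum SAN {
        SAN_ANY(0),
        SAN_RFC822(1),
        SAN_URI(6);

        private final int generalNameType;

        SAN(int i) {
            this.generalNameType = i;
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Builds the mapper for a configured attribute name.
     *
     * @param str attribute name in any letter case; an RDN type or a {@link SAN} constant name
     * @param map attribute value to roles; copied with {@link Map#copyOf}
     * @throws NullPointerException if {@code str} or {@code map} is null, or the map holds a null
     *         key or value
     */
    public CertificateRoleAttribute(String str, Map<String, Set<String>> map) {
        // Locale.ROOT keeps the result independent of the JVM default locale. With a Turkish
        // default locale "san_uri" would upper-case to a dotted capital I, and SAN.valueOf would
        // then reject it on every request.
        // NOTE(review): Map.copyOf is shallow, so the role sets stay shared with the caller and
        // the RDN path returns those same instances. Confirm the caller passes immutable sets.
        this(of(str.toUpperCase(Locale.ROOT), Map.copyOf(map)));
    }

    /**
     * Canonical constructor: stores the mapper as given, without a null check.
     *
     * @param function maps a certificate to the roles it grants
     */
    public CertificateRoleAttribute(Function<X509Certificate, Set<String>> function) {
        this.rolesMapper = function;
    }

    /**
     * Picks the SAN-based or the RDN-based mapper for an upper-cased attribute name.
     *
     * @param str upper-cased attribute name
     * @param map attribute value to roles
     * @return function resolving a certificate to its roles
     */
    private static Function<X509Certificate, Set<String>> of(final String str, final Map<String, Set<String>> map) {
        // contains(), not startsWith(): a name with "SAN_" anywhere in it takes the SAN path.
        // NOTE(review): SAN.valueOf runs inside apply(), so an unknown SAN name throws
        // IllegalArgumentException per certificate rather than when this object is built.
        return str.contains(SAN_PREFIX) ? new Function<X509Certificate, Set<String>>() { // from class: io.quarkus.vertx.http.runtime.security.CertificateRoleAttribute.1
            @Override // java.util.function.Function
            public Set<String> apply(X509Certificate x509Certificate) {
                return CertificateRoleAttribute.extractRolesFromCertSan(x509Certificate, SAN.valueOf(str).generalNameType, map);
            }
        } : new Function<X509Certificate, Set<String>>() { // from class: io.quarkus.vertx.http.runtime.security.CertificateRoleAttribute.2
            @Override // java.util.function.Function
            public Set<String> apply(X509Certificate x509Certificate) {
                return CertificateRoleAttribute.extractRolesFromCertRdn(x509Certificate, map, str);
            }
        };
    }

    /**
     * Resolves roles from the certificate subject.
     *
     * @param x509Certificate certificate to inspect
     * @param map attribute value to roles
     * @param str upper-cased RDN type
     * @return the mapped roles, or an empty set when the subject or the mapping is missing
     */
    private static Set<String> extractRolesFromCertRdn(X509Certificate x509Certificate, Map<String, Set<String>> map, String str) {
        Set<String> set;
        Set<String> set2;
        X500Principal subjectX500Principal = x509Certificate.getSubjectX500Principal();
        if (subjectX500Principal == null || subjectX500Principal.getName() == null) {
            return Set.of();
        }
        // For CN the whole subject DN string (X500Principal.getName(), RFC 2253 form) is tried
        // as a key first; the single RDN value is looked up only when that misses.
        if ("CN".equals(str) && (set2 = map.get(subjectX500Principal.getName())) != null) {
            return set2;
        }
        // presumably returns the value of the RDN of type `str`, or null when the subject has
        // none. Verify in HttpSecurityUtils, including what it does with a repeated RDN type.
        String rdnValue = HttpSecurityUtils.getRdnValue(subjectX500Principal, str);
        return (rdnValue == null || (set = map.get(rdnValue)) == null) ? Set.of() : set;
    }

    /**
     * Resolves roles from the Subject Alternative Name entries of the given type.
     *
     * <p>NOTE(review): the loop below is a decompiler reconstruction. As written, every
     * {@code break} leaves the whole loop, so entries after a malformed one, and after the first
     * matching otherName, are not examined. The trace line after the loop also runs on every
     * exit path, and {@code next} is not definitely assigned there. Confirm the intended control
     * flow against the original source before relying on it.
     *
     * @param x509Certificate certificate to inspect
     * @param i GeneralName type to match (see {@link SAN})
     * @param map SAN value to roles
     * @return immutable union of the roles of all matched values; empty when nothing matches or
     *         the SAN extension cannot be read
     */
    private static Set<String> extractRolesFromCertSan(X509Certificate x509Certificate, int i, Map<String, Set<String>> map) {
        List<?> next;
        HashSet<String> hashSet = new HashSet<>();
        try {
            Collection<List<?>> subjectAlternativeNames = x509Certificate.getSubjectAlternativeNames();
            if (subjectAlternativeNames != null && !subjectAlternativeNames.isEmpty()) {
                Iterator<List<?>> it = subjectAlternativeNames.iterator();
                while (true) {
                    if (!it.hasNext()) {
                        break;
                    }
                    next = it.next();
                    // Each entry is expected to be [Integer type, value]; anything else is
                    // treated as an unsupported format.
                    if (next == null || next.size() < 2) {
                        break;
                    }
                    Object obj = next.get(0);
                    if (!(obj instanceof Integer)) {
                        break;
                    }
                    Integer num = (Integer) obj;
                    if (num.intValue() == i) {
                        if (num.intValue() == 0) {
                            // otherName arrives as an encoded byte[] rather than a String.
                            Object obj2 = next.get(1);
                            if (obj2 instanceof byte[]) {
                                ASN1.ASN parseASN1 = ASN1.parseASN1((byte[]) obj2);
                                // 16 is the ASN.1 SEQUENCE tag number; two elements are expected.
                                // NOTE(review): only element 1 is read. Element 0, presumably the
                                // otherName type-id OID, is never compared, so any otherName kind
                                // whose value is a mapped UTF8String grants roles. Confirm this
                                // is intended.
                                if (parseASN1.is(16) && parseASN1.length() == 2) {
                                    ASN1.ASN object = parseASN1.object(1);
                                    // Peel single-element wrappers flagged 128 (0x80, the
                                    // context-specific class bit) to reach the inner value.
                                    while (object.length() == 1 && object.is(128)) {
                                        object = object.object(0);
                                    }
                                    // 12 is the ASN.1 UTF8String tag number.
                                    if (object.is(12)) {
                                        String str = new String(object.binary(0), StandardCharsets.UTF_8);
                                        if (map.containsKey(str)) {
                                            hashSet.addAll(map.get(str));
                                            break;
                                        }
                                    }
                                }
                            }
                        }
                        // String-valued entries (and type 0 when the branch above did not match):
                        // every String element after the type is looked up.
                        for (int i2 = 1; i2 < next.size(); i2++) {
                            Object obj3 = next.get(i2);
                            if (obj3 instanceof String) {
                                String str2 = (String) obj3;
                                if (map.containsKey(str2)) {
                                    hashSet.addAll(map.get(str2));
                                }
                            }
                        }
                    }
                }
                // Both failure paths log at TRACE only, so a certificate that ends up with no
                // roles leaves no record at default log levels.
                log.tracef("Cannot map SecurityIdentity roles from '%s' due to unsupported format", next);
            }
        } catch (CertificateParsingException e) {
            // No roles are granted from an unreadable SAN extension; the cause is not logged.
            log.tracef("Cannot map SecurityIdentity roles as certificate parsing failed", new Object[0]);
        }
        return Set.copyOf(hashSet);
    }

    // The three methods below are the decompiler's rendering of the compiler-generated record
    // methods, all derived from the single component rolesMapper.
    @Override // java.lang.Record
    public final String toString() {
        return (String) ObjectMethods.bootstrap(MethodHandles.lookup(), "toString", MethodType.methodType(String.class, CertificateRoleAttribute.class), CertificateRoleAttribute.class, "rolesMapper", "FIELD:Lio/quarkus/vertx/http/runtime/security/CertificateRoleAttribute;->rolesMapper:Ljava/util/function/Function;").dynamicInvoker().invoke(this) /* invoke-custom */;
    }

    @Override // java.lang.Record
    public final int hashCode() {
        return (int) ObjectMethods.bootstrap(MethodHandles.lookup(), "hashCode", MethodType.methodType(Integer.TYPE, CertificateRoleAttribute.class), CertificateRoleAttribute.class, "rolesMapper", "FIELD:Lio/quarkus/vertx/http/runtime/security/CertificateRoleAttribute;->rolesMapper:Ljava/util/function/Function;").dynamicInvoker().invoke(this) /* invoke-custom */;
    }

    @Override // java.lang.Record
    public final boolean equals(Object obj) {
        return (boolean) ObjectMethods.bootstrap(MethodHandles.lookup(), "equals", MethodType.methodType(Boolean.TYPE, CertificateRoleAttribute.class, Object.class), CertificateRoleAttribute.class, "rolesMapper", "FIELD:Lio/quarkus/vertx/http/runtime/security/CertificateRoleAttribute;->rolesMapper:Ljava/util/function/Function;").dynamicInvoker().invoke(this, obj) /* invoke-custom */;
    }

    /**
     * Returns the certificate-to-roles function held by this record.
     *
     * @return the mapper passed to, or built by, the constructor
     */
    public Function<X509Certificate, Set<String>> rolesMapper() {
        return this.rolesMapper;
    }
}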
