package com.hazelcast.security.loginimpl;

import com.hazelcast.security.CertificatesCallback;
import com.hazelcast.security.ClusterLoginModule;
import com.hazelcast.security.impl.LdapUtils;
import java.io.IOException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Iterator;
import javax.naming.NamingException;
import javax.naming.ldap.LdapName;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;

/* loaded from: input_file:WEB-INF/lib/hazelcast-jet-enterprise-4.3.jar:com/hazelcast/security/loginimpl/X509CertificateLoginModule.class */
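/**
 * Login module that derives the caller's identity and roles from an X.509 certificate
 * obtained through a {@link CertificatesCallback}.
 *
 * <p>The principal name is the subject distinguished name of the first certificate in the
 * array returned by the callback. Unless {@code isSkipRole()} is true, every value of the
 * configured role attribute (option {@value #OPTION_ROLE_ATTRIBUTE}, default
 * {@value #DEFAULT_ROLE_ATTRIBUTE}) found in that subject DN is added as a role.
 *
 * <p><strong>Security note:</strong> nothing in this class verifies the certificate chain,
 * the validity period, or revocation status; the only check is that the first element is an
 * {@link X509Certificate}. The module therefore depends on whatever populates the callback
 * (presumably a TLS handshake with client authentication required; confirm for the
 * deployment) to have validated the certificate. Because roles are read straight from the
 * subject DN, every CA trusted by that layer can effectively grant any role.
 */
public class X509CertificateLoginModule extends ClusterLoginModule {
    /** Name of the module option selecting the subject-DN attribute that carries role names. */
    public static final String OPTION_ROLE_ATTRIBUTE = "roleAttribute";
    /** Attribute used for roles when {@link #OPTION_ROLE_ATTRIBUTE} is not configured. */
    public static final String DEFAULT_ROLE_ATTRIBUTE = "cn";
    // Subject DN of the authenticated certificate; stays null until onLogin() reaches it.
    private String name;

    /**
     * Reads the certificates from the callback handler, records the subject DN as the
     * principal name and, unless roles are skipped, adds the role attribute values as roles.
     *
     * @return {@code true} when a certificate was accepted
     * @throws LoginException a {@link FailedLoginException} when the certificates cannot be
     *     retrieved, when the first one is missing or not an X.509 certificate, or when the
     *     subject DN cannot be parsed; the underlying exception is attached as the cause
     */
    @Override
    public boolean onLogin() throws LoginException {
        CertificatesCallback certificatesCallback = new CertificatesCallback();
        try {
            this.callbackHandler.handle(new Callback[]{certificatesCallback});
        } catch (IOException | UnsupportedCallbackException e) {
            throw failedLogin("Unable to retrieve Certificates. " + e.getMessage(), e);
        }

        Certificate[] certificates = certificatesCallback.getCertificates();
        if (certificates == null || certificates.length == 0 || !(certificates[0] instanceof X509Certificate)) {
            throw new FailedLoginException("No valid X.509 certificate found");
        }
        // Only the first certificate is inspected; it is assumed to be the peer's own
        // (end-entity) certificate, so confirm the ordering guaranteed by the callback's producer.
        X509Certificate x509Certificate = (X509Certificate) certificates[0];
        String roleAttribute = getStringOption(OPTION_ROLE_ATTRIBUTE, DEFAULT_ROLE_ATTRIBUTE);
        this.name = x509Certificate.getSubjectX500Principal().getName();
        if (isSkipRole()) {
            return true;
        }

        try {
            for (String role : LdapUtils.getAttributeValues(new LdapName(this.name), roleAttribute)) {
                addRole(role);
            }
        } catch (NamingException e) {
            throw failedLogin("Unable to parse Subject name from the X.509 certificate: " + this.name, e);
        }
        return true;
    }

    /**
     * Returns the subject DN recorded by {@link #onLogin()}, or {@code null} if no certificate
     * has been accepted yet.
     */
    @Override
    protected String getName() {
        return this.name;
    }

    /** Builds a {@link FailedLoginException} that keeps the original exception as its cause. */
    private static FailedLoginException failedLogin(String message, Throwable cause) {
        FailedLoginException failure = new FailedLoginException(message);
        // FailedLoginException has no (message, cause) constructor, so attach the cause afterwards.
        failure.initCause(cause);
        return failure;
    }
}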
