package org.apache.geronimo.tomcat.security.authentication;

import java.io.IOException;
import java.security.cert.X509Certificate;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.util.StringManager;
import org.apache.coyote.ActionCode;
import org.apache.geronimo.tomcat.security.AuthResult;
import org.apache.geronimo.tomcat.security.Authenticator;
import org.apache.geronimo.tomcat.security.LoginService;
import org.apache.geronimo.tomcat.security.ServerAuthException;
import org.apache.geronimo.tomcat.security.TomcatAuthStatus;
import org.apache.geronimo.tomcat.security.UserIdentity;

/* loaded from: input_file:org/apache/geronimo/tomcat/security/authentication/ClientCertAuthenticator.class */
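/**
 * CLIENT-CERT authenticator: maps the TLS client certificate chain of the current
 * request to a {@link UserIdentity} via the configured {@link LoginService}.
 *
 * This class performs no certificate validation of its own (chain building, expiry,
 * revocation); it only consumes the chain the connector exposes on the request and
 * delegates the mapping to {@code loginService}. Whatever populates the
 * {@code javax.servlet.request.X509Certificate} attribute is therefore fully trusted.
 * NOTE(review): behind a TLS-terminating proxy that attribute is only meaningful if a
 * trusted component (e.g. a valve) sets it from the proxy's forwarded data — confirm
 * the deployment before relying on this authenticator there.
 */
public class ClientCertAuthenticator implements Authenticator {
    protected static final StringManager sm = StringManager.getManager("org.apache.catalina.authenticator");

    /** Request attribute under which the connector exposes the client certificate chain. */
    private static final String CERTIFICATES_ATTR = "javax.servlet.request.X509Certificate";
    /** HTTP status codes for the two failure paths (the servlet constants are not in scope here). */
    private static final int SC_BAD_REQUEST = 400;
    private static final int SC_UNAUTHORIZED = 401;

    private final LoginService loginService;
    /** Identity handed out when authentication is optional and no user could be established. */
    private final UserIdentity unauthenticatedIdentity;

    /**
     * @param loginService maps a certificate chain to a user identity; {@code null} result means "unknown"
     * @param userIdentity identity returned for optional authentication that did not succeed
     */
    public ClientCertAuthenticator(LoginService loginService, UserIdentity userIdentity) {
        this.loginService = loginService;
        this.unauthenticatedIdentity = userIdentity;
    }

    /**
     * Authenticates the request from its client certificate chain.
     *
     * Outcomes:
     * <ul>
     * <li>chain maps to a user: {@code SUCCESS} with that identity;</li>
     * <li>no chain or unknown chain, authentication optional: {@code SUCCESS} with the
     *     unauthenticated identity;</li>
     * <li>no chain, authentication mandatory: HTTP 400 and {@code SEND_FAILURE};</li>
     * <li>unknown chain, authentication mandatory: HTTP 401 and {@code SEND_CONTINUE}.</li>
     * </ul>
     * The two non-success statuses differ deliberately; they are kept as in the original
     * implementation so the caller's status handling is unchanged.
     *
     * @param isAuthMandatory whether the target resource requires an authenticated user
     * @throws ServerAuthException if writing the error response fails (wraps the {@link IOException})
     */
    @Override // org.apache.geronimo.tomcat.security.Authenticator
    public AuthResult validateRequest(Request request, Response response, boolean isAuthMandatory) throws ServerAuthException {
        X509Certificate[] certs = certificateChain(request);
        if (certs == null || certs.length < 1) {
            // No client certificate: optional auth proceeds anonymously, mandatory auth is a client error.
            return isAuthMandatory
                    ? reject(response, SC_BAD_REQUEST, "authenticator.certificates", TomcatAuthStatus.SEND_FAILURE)
                    : new AuthResult(TomcatAuthStatus.SUCCESS, this.unauthenticatedIdentity);
        }
        UserIdentity identity = this.loginService.login(certs);
        if (identity == null) {
            // Certificate presented but not mapped to any user.
            return isAuthMandatory
                    ? reject(response, SC_UNAUTHORIZED, "authenticator.unauthorized", TomcatAuthStatus.SEND_CONTINUE)
                    : new AuthResult(TomcatAuthStatus.SUCCESS, this.unauthenticatedIdentity);
        }
        return new AuthResult(TomcatAuthStatus.SUCCESS, identity);
    }

    /**
     * Returns the client certificate chain from the request, asking the connector for it
     * (ACTION_REQ_SSL_CERTIFICATE) when none was collected during the initial handshake.
     * May still return {@code null} or an empty array if the client presented nothing.
     */
    private static X509Certificate[] certificateChain(Request request) {
        X509Certificate[] certs = (X509Certificate[]) request.getAttribute(CERTIFICATES_ATTR);
        if (certs == null || certs.length < 1) {
            request.getCoyoteRequest().action(ActionCode.ACTION_REQ_SSL_CERTIFICATE, (Object) null);
            certs = (X509Certificate[]) request.getAttribute(CERTIFICATES_ATTR);
        }
        return certs;
    }

    /**
     * Sends an error response and builds the matching non-success result.
     * Both failure paths go through here so the IOException from sendError is always
     * wrapped (the 400 path previously escaped the try/catch).
     *
     * @param httpStatus HTTP status to send
     * @param messageKey key in the Tomcat authenticator resource bundle for the error text
     * @param status     the auth status to report to the caller
     */
    private static AuthResult reject(Response response, int httpStatus, String messageKey, TomcatAuthStatus status)
            throws ServerAuthException {
        try {
            response.sendError(httpStatus, sm.getString(messageKey));
        } catch (IOException e) {
            throw new ServerAuthException(e);
        }
        return new AuthResult(status, null);
    }

    /** Nothing to add to the response for CLIENT-CERT; always succeeds. */
    @Override // org.apache.geronimo.tomcat.security.Authenticator
    public boolean secureResponse(Request request, Response response, AuthResult authResult) throws ServerAuthException {
        return true;
    }

    /** The servlet auth type reported for this mechanism. */
    @Override // org.apache.geronimo.tomcat.security.Authenticator
    public String getAuthType() {
        return "CLIENT_CERT";
    }
}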
