package com.yahoo.security.tls;

import com.yahoo.security.SubjectAlternativeName;
import com.yahoo.security.X509CertificateUtils;
import java.lang.invoke.MethodHandles;
import java.lang.invoke.MethodType;
import java.lang.runtime.ObjectMethods;
import java.security.cert.X509Certificate;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.logging.Logger;

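/**
 * Authentication and authorization state of one TLS connection: the certificate chain the peer
 * presented, the {@link CapabilitySet} granted to that peer by the authorization policies that
 * matched it, the names of those policies, and the {@link CapabilityMode} that decides whether a
 * missing capability is enforced, only logged, or ignored.
 *
 * <p>The decompiled form of this class ({@code extends Record} plus explicit
 * {@code ObjectMethods.bootstrap} calls) is not valid Java source; this is the equivalent record
 * declaration, whose generated {@code equals}/{@code hashCode}/{@code toString} and accessors have
 * the same behavior.
 *
 * <p>Instances are immutable: the chain and the policy-name set are defensively copied on
 * construction, so the collections returned by the accessors cannot be modified by callers.
 *
 * @param peerCertificateChain certificates presented by the peer, leaf first (empty when the peer
 *                             presented none; leaf-first ordering is what the TLS layer supplies —
 *                             NOTE(review): confirm against the callers that build this context)
 * @param capabilities         capabilities granted to the peer by the matched policies
 * @param matchedPolicies      names of the authorization policies that matched the peer
 * @param capabilityMode       how {@link #verifyCapabilities(CapabilitySet)} reacts to a missing
 *                             capability
 */
public record ConnectionAuthContext(List<X509Certificate> peerCertificateChain,
                                    CapabilitySet capabilities,
                                    Set<String> matchedPolicies,
                                    CapabilityMode capabilityMode) {

    private static final Logger log = Logger.getLogger(ConnectionAuthContext.class.getName());

    /**
     * Canonical constructor; snapshots the mutable collections so later changes by the caller
     * cannot alter the recorded peer identity or policy set.
     *
     * @throws NullPointerException if any argument is null, or if the chain or policy set contains
     *                              a null element ({@link List#copyOf}/{@link Set#copyOf} reject nulls)
     */
    public ConnectionAuthContext {
        peerCertificateChain = List.copyOf(peerCertificateChain);
        matchedPolicies = Set.copyOf(matchedPolicies);
        Objects.requireNonNull(capabilities, "capabilities");
        Objects.requireNonNull(capabilityMode, "capabilityMode");
    }

    /** Context granting every capability with no matched policies; used by the {@code defaultAllCapabilities} factories. */
    private ConnectionAuthContext(List<X509Certificate> peerCertificateChain, CapabilityMode capabilityMode) {
        this(peerCertificateChain, CapabilitySet.all(), Set.of(), capabilityMode);
    }

    /**
     * Returns whether the peer was granted at least one capability.
     *
     * <p>This is a coarse check only: it says nothing about whether the peer holds the specific
     * capabilities an operation needs, and it ignores {@link #capabilityMode()}. Use
     * {@link #verifyCapabilities(CapabilitySet)} for an actual authorization decision.
     *
     * @return true if the granted capability set is non-empty
     */
    public boolean authorized() {
        return !capabilities.hasNone();
    }

    /**
     * Verifies that the peer holds all of {@code requiredCapabilities}, without action, resource or
     * peer details in the denial message.
     *
     * @param requiredCapabilities capabilities the pending operation needs
     * @throws MissingCapabilitiesException if the mode enforces capabilities and the peer lacks one
     * @see #verifyCapabilities(CapabilitySet, String, String, String)
     */
    public void verifyCapabilities(CapabilitySet requiredCapabilities) throws MissingCapabilitiesException {
        verifyCapabilities(requiredCapabilities, null, null, null);
    }

    /**
     * Verifies that the peer holds all of {@code requiredCapabilities}.
     *
     * <p>How a missing capability is handled depends on {@link #capabilityMode()}:
     * <ul>
     *   <li>{@code DISABLE}: the check is skipped entirely and the method returns normally;</li>
     *   <li>{@code LOG_ONLY}: the denial is logged at INFO (prefixed {@code "Dry-run: "}) and the
     *       method returns normally;</li>
     *   <li>any other mode: the denial is logged at FINE and
     *       {@link MissingCapabilitiesException} is thrown.</li>
     * </ul>
     * A normal return therefore proves the peer holds the capabilities only when the mode enforces
     * them; in {@code DISABLE} and {@code LOG_ONLY} it does not.
     *
     * @param requiredCapabilities capabilities the pending operation needs
     * @param action   optional description of the attempted action, for the denial message
     * @param resource optional description of the target resource, for the denial message
     * @param peer     optional description of the peer, for the denial message
     * @throws MissingCapabilitiesException if the mode enforces capabilities and the peer lacks one
     */
    public void verifyCapabilities(CapabilitySet requiredCapabilities, String action, String resource, String peer)
            throws MissingCapabilitiesException {
        // DISABLE short-circuits before the capability set is even consulted.
        if (capabilityMode == CapabilityMode.DISABLE || capabilities.has(requiredCapabilities)) {
            return;
        }
        String message = createPermissionDeniedErrorMessage(requiredCapabilities, action, resource, peer);
        if (capabilityMode == CapabilityMode.LOG_ONLY) {
            log.info(message);
            return;
        }
        // The thrown exception carries the full message; keep the log entry at FINE to avoid
        // duplicating it at a visible level for every rejected request.
        log.fine(message);
        throw new MissingCapabilitiesException(message);
    }

    /**
     * Builds the "permission denied" message used for logging and for the thrown exception.
     *
     * <p>The action is only mentioned when a resource is also given (the message reads
     * {@code for 'action' on 'resource'}). The peer is identified by its certificate summary from
     * {@link #peerCertificateString()}, or {@code <missing-certificate>} when no chain was presented.
     *
     * @param requiredCapabilities capabilities that were required
     * @param action   attempted action, or null
     * @param resource target resource, or null
     * @param peer     peer description, or null
     * @return the complete message, prefixed with {@code "Dry-run: "} in {@code LOG_ONLY} mode
     */
    String createPermissionDeniedErrorMessage(CapabilitySet requiredCapabilities, String action, String resource, String peer) {
        StringBuilder sb = new StringBuilder();
        if (capabilityMode == CapabilityMode.LOG_ONLY) {
            sb.append("Dry-run: ");
        }
        sb.append("Permission denied");
        if (resource != null) {
            sb.append(" for '");
            if (action != null) {
                sb.append(action).append("' on '");
            }
            sb.append(resource).append("'");
        }
        sb.append(". Peer ");
        if (peer != null) {
            sb.append("'").append(peer).append("' ");
        }
        return sb.append("with ").append(peerCertificateString().orElse("<missing-certificate>"))
                .append(". Requires capabilities ").append(requiredCapabilities.toNames())
                .append(" but peer has ").append(capabilities.toNames())
                .append(".").toString();
    }

    /**
     * Returns the first certificate of the chain, i.e. the peer's own (leaf) certificate.
     *
     * @return the leaf certificate, or empty when the peer presented no chain
     */
    public Optional<X509Certificate> peerCertificate() {
        return peerCertificateChain.stream().findFirst();
    }

    /**
     * Returns a short human-readable summary of the peer's leaf certificate for log messages:
     * {@code [CN='...', SAN_DNS=[...], SAN_URI=[...]]}, with each part present only when the
     * certificate carries it.
     *
     * @return the summary, or empty when the peer presented no chain
     */
    public Optional<String> peerCertificateString() {
        return peerCertificate().map(ConnectionAuthContext::describeCertificate);
    }

    /** Formats the subject CN and the DNS/URI subject alternative names of one certificate. */
    private static String describeCertificate(X509Certificate certificate) {
        StringBuilder sb = new StringBuilder("[");
        Optional<String> commonName = X509CertificateUtils.getSubjectCommonName(certificate);
        commonName.ifPresent(cn -> sb.append("CN='").append(cn).append("'"));
        List<SubjectAlternativeName> sans = X509CertificateUtils.getSubjectAlternativeNames(certificate);
        List<String> dnsNames = sanValuesOfType(sans, SubjectAlternativeName.Type.DNS);
        List<String> uris = sanValuesOfType(sans, SubjectAlternativeName.Type.URI);
        if (!dnsNames.isEmpty()) {
            if (commonName.isPresent()) {
                sb.append(", ");
            }
            sb.append("SAN_DNS=").append(dnsNames);
        }
        if (!uris.isEmpty()) {
            if (commonName.isPresent() || !dnsNames.isEmpty()) {
                sb.append(", ");
            }
            sb.append("SAN_URI=").append(uris);
        }
        return sb.append("]").toString();
    }

    /** Values of the subject alternative names of the given type, in certificate order. */
    private static List<String> sanValuesOfType(List<SubjectAlternativeName> sans, SubjectAlternativeName.Type type) {
        return sans.stream()
                .filter(san -> san.getType() == type)
                .map(SubjectAlternativeName::getValue)
                .toList();
    }

    /**
     * Context with no peer certificate that grants every capability and disables capability
     * enforcement.
     *
     * <p>Intended for connections where capability-based authorization is not applied at all;
     * attaching it to a connection that should be authorized effectively turns authorization off.
     *
     * @return a permissive context in {@code DISABLE} mode with no matched policies
     */
    public static ConnectionAuthContext defaultAllCapabilities() {
        return new ConnectionAuthContext(List.of(), CapabilityMode.DISABLE);
    }

    /**
     * Context for the given peer chain that grants every capability and disables capability
     * enforcement; see {@link #defaultAllCapabilities()} for the intended use.
     *
     * @param peerCertificateChain certificates presented by the peer, leaf first
     * @return a permissive context in {@code DISABLE} mode with no matched policies
     * @throws NullPointerException if the chain is null or contains a null element
     */
    public static ConnectionAuthContext defaultAllCapabilities(List<X509Certificate> peerCertificateChain) {
        return new ConnectionAuthContext(peerCertificateChain, CapabilityMode.DISABLE);
    }
}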
