package org.apache.pinot.integration.tests.access;

import io.netty.channel.ChannelHandlerContext;
import io.netty.handler.ssl.SslHandler;
import java.io.ByteArrayInputStream;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.HashSet;
import java.util.Set;
import javax.net.ssl.SSLPeerUnverifiedException;
import org.apache.pinot.server.access.AccessControl;
import org.apache.pinot.server.access.AccessControlFactory;
import org.apache.pinot.server.access.RequesterIdentity;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/pinot/integration/tests/access/CertBasedTlsChannelAccessControlFactory.class */
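/**
 * Integration-test {@link AccessControlFactory} whose {@link AccessControl} admits a channel only
 * when the subject DN of the peer's TLS certificate is on a hard-coded allowlist.
 *
 * <p>Security-relevant properties of this fixture:
 * <ul>
 *   <li>The channel decision is an exact string match on the subject DN. No chain or trust
 *       validation happens here; the code relies on the TLS layer having verified the peer
 *       (an unverified peer surfaces as {@link SSLPeerUnverifiedException} and is denied).
 *       Any certificate the truststore accepts that carries an allowlisted DN will pass.</li>
 *   <li>{@code hasDataAccess} always returns {@code true}, so the channel check is the only
 *       gate this implementation provides.</li>
 *   <li>Every failure path denies access (fail closed).</li>
 * </ul>
 */
public class CertBasedTlsChannelAccessControlFactory implements AccessControlFactory {

    /** Access control that keys authorization off the client certificate's subject DN. */
    public static class CertBasedTlsChannelAccessControl implements AccessControl {
        /** Pipeline name under which the TLS handler is looked up. */
        private static final String SSL_HANDLER_NAME = "ssl";

        private final Logger _logger = LoggerFactory.getLogger(CertBasedTlsChannelAccessControl.class);

        // Subject DNs allowed to open a channel, compared against X500Principal.toString().
        private final Set<String> _aclPrincipalAllowlist = buildAllowlist();

        /** Builds the allowlist without an anonymous HashSet subclass (double-brace initialization). */
        private static Set<String> buildAllowlist() {
            Set<String> allowlist = new HashSet<>();
            allowlist.add("CN=test-jks, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown");
            allowlist.add("CN=test-p12, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown");
            return allowlist;
        }

        /**
         * Decides whether the channel's TLS peer is allowed to talk to the server.
         *
         * @param channelHandlerContext context of the channel being authorized
         * @return {@code true} only if the first peer certificate's subject DN is allowlisted;
         *     {@code false} if the pipeline has no TLS handler named {@code "ssl"}, the peer is
         *     unverified, or the certificate cannot be encoded or parsed
         */
        @Override
        public boolean isAuthorizedChannel(ChannelHandlerContext channelHandlerContext) {
            // A pipeline without the TLS handler (e.g. a plaintext listener) previously ended in a
            // NullPointerException; treat it as an explicit denial instead.
            Object handler = channelHandlerContext.channel().pipeline().get(SSL_HANDLER_NAME);
            if (!(handler instanceof SslHandler)) {
                this._logger.error("Access denied - no SslHandler named '" + SSL_HANDLER_NAME
                    + "' in the pipeline, with channelHandlerContext:" + channelHandlerContext);
                return false;
            }

            try {
                // Index 0 is the first certificate of the peer's chain as returned by the session.
                byte[] leafDer = ((SslHandler) handler).engine().getSession().getPeerCertificates()[0].getEncoded();
                // Re-parse through the default X.509 factory, as the original code does, before
                // reading the subject.
                X509Certificate leaf = (X509Certificate) CertificateFactory.getInstance("X.509")
                    .generateCertificate(new ByteArrayInputStream(leafDer));
                return this._aclPrincipalAllowlist.contains(leaf.getSubjectX500Principal().toString());
            } catch (CertificateException | SSLPeerUnverifiedException e) {
                this._logger.error("Access denied - caught exception while validating access to server, with channelHandlerContext:" + channelHandlerContext, e);
                return false;
            }
        }

        /**
         * Grants data access unconditionally; both arguments are ignored.
         *
         * @param requesterIdentity identity of the requester (unused)
         * @param str second argument of the interface method, presumably the table name (unused)
         * @return always {@code true}
         */
        @Override
        public boolean hasDataAccess(RequesterIdentity requesterIdentity, String str) {
            return true;
        }
    }

    /**
     * Creates the certificate-based access control.
     *
     * @return a new {@link CertBasedTlsChannelAccessControl}
     */
    @Override
    public AccessControl create() {
        return new CertBasedTlsChannelAccessControl();
    }
}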
