package org.keycloak.services.x509;

import java.security.cert.X509Certificate;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import org.jboss.logging.Logger;
import org.keycloak.Config;
import org.keycloak.models.KeycloakSession;
import org.keycloak.truststore.TruststoreProvider;

/* loaded from: input_file:org/keycloak/services/x509/NginxProxySslClientCertificateLookupFactory.class */
/**
 * Factory for the {@code "nginx"} X.509 client-certificate lookup provider, which obtains the
 * client certificate from HTTP headers set by a reverse proxy rather than from the TLS session.
 *
 * <p>The {@code trust-proxy-verification} option (default {@code false}) selects which lookup
 * {@link #m677create(KeycloakSession)} returns:
 * <ul>
 *   <li>{@code false}: {@code NginxProxySslClientCertificateLookup}, which is handed the root and
 *       intermediate certificates read from the Keycloak truststore;</li>
 *   <li>{@code true}: {@code NginxProxyTrustedClientCertificateLookup}, which is handed only the
 *       header names and the chain length, and no truststore material.</li>
 * </ul>
 *
 * <p>NOTE(review): with {@code trust-proxy-verification} enabled, nothing passed from this factory
 * lets the lookup check the certificate against the Keycloak truststore, so trust presumably rests
 * on the proxy having verified the client certificate and on the proxy overwriting any
 * client-supplied copy of these headers. Confirm both in the deployment before enabling it.
 *
 * <p>The truststore is read lazily, once, behind a {@code volatile} flag re-checked under the
 * factory's monitor.
 */
public class NginxProxySslClientCertificateLookupFactory extends AbstractClientCertificateFromHttpHeadersLookupFactory {
    private static final Logger logger = Logger.getLogger(NginxProxySslClientCertificateLookupFactory.class);

    /** Provider id returned by {@link #getId()}. */
    private static final String PROVIDER = "nginx";

    /** Configuration key of the boolean option read in {@link #init(Config.Scope)}. */
    protected static final String TRUST_PROXY_VERIFICATION = "trust-proxy-verification";

    /** Value of {@link #TRUST_PROXY_VERIFICATION}; {@code false} when the option is not configured. */
    protected boolean trustProxyVerification;

    /** Set to {@code true} only after both certificate sets below have been filled. */
    private volatile boolean isTruststoreLoaded;

    /** Root certificates copied from the truststore provider. */
    private Set<X509Certificate> trustedRootCerts;

    /** Intermediate certificates copied from the truststore provider. */
    private Set<X509Certificate> intermediateCerts;

    /**
     * Reads the provider configuration and resets the lazily loaded truststore state.
     *
     * @param scope configuration scope; also passed to the superclass initialiser
     */
    @Override
    public void init(Config.Scope scope) {
        super.init(scope);

        // Defaults to false, i.e. the lookup that receives the truststore certificates.
        this.trustProxyVerification = scope.getBoolean(TRUST_PROXY_VERIFICATION, false);
        logger.tracev("{0}: ''{1}''", TRUST_PROXY_VERIFICATION, this.trustProxyVerification);

        // Concurrent sets: they are filled under the lock but handed to lookups outside it.
        this.trustedRootCerts = ConcurrentHashMap.newKeySet();
        this.intermediateCerts = ConcurrentHashMap.newKeySet();
        this.isTruststoreLoaded = false;
    }

    /**
     * Creates the certificate lookup for a session. The decompiler renamed this method from
     * {@code create} (merged with its bridge method).
     *
     * <p>The truststore load is attempted on every call until it succeeds, whichever lookup is
     * selected.
     *
     * @param keycloakSession session used to reach the truststore provider
     * @return the proxy-trusting lookup when {@code trust-proxy-verification} is set, otherwise
     *     the lookup that is given the truststore certificates and the loaded flag
     */
    public X509ClientCertificateLookup m677create(KeycloakSession keycloakSession) {
        loadKeycloakTrustStore(keycloakSession);

        if (this.trustProxyVerification) {
            // No truststore material is passed on this path.
            return new NginxProxyTrustedClientCertificateLookup(
                    this.sslClientCertHttpHeader,
                    this.sslChainHttpHeaderPrefix,
                    this.certificateChainLength);
        }

        // isTruststoreLoaded may still be false here if the truststore was unavailable.
        return new NginxProxySslClientCertificateLookup(
                this.sslClientCertHttpHeader,
                this.sslChainHttpHeaderPrefix,
                this.certificateChainLength,
                this.intermediateCerts,
                this.trustedRootCerts,
                this.isTruststoreLoaded);
    }

    /**
     * Returns the identifier of this provider.
     *
     * @return the constant {@code "nginx"}
     */
    public String getId() {
        return PROVIDER;
    }

    /**
     * Copies the root and intermediate certificates of the {@code "file"} truststore provider
     * into this factory, at most once.
     *
     * <p>If the provider or its truststore is {@code null}, nothing is recorded and the flag stays
     * {@code false}, so the next call tries again.
     *
     * @param keycloakSession session used to resolve the truststore provider factory
     */
    private void loadKeycloakTrustStore(KeycloakSession keycloakSession) {
        // Fast path: skip the lock once a previous call has completed the load.
        if (!this.isTruststoreLoaded) {
            synchronized (this) {
                // Re-check under the lock; another thread may have finished meanwhile.
                if (!this.isTruststoreLoaded) {
                    logger.debug(" Loading Keycloak truststore ...");

                    // NOTE(review): the factory returned by getProviderFactory is dereferenced
                    // without a null check; confirm the "file" truststore factory is always registered.
                    TruststoreProvider truststoreProvider = keycloakSession
                            .getKeycloakSessionFactory()
                            .getProviderFactory(TruststoreProvider.class, "file")
                            .create(keycloakSession);

                    boolean truststoreAvailable =
                            truststoreProvider != null && truststoreProvider.getTruststore() != null;
                    if (!truststoreAvailable) {
                        return;
                    }

                    this.trustedRootCerts.addAll(truststoreProvider.getRootCertificates().values());
                    this.intermediateCerts.addAll(truststoreProvider.getIntermediateCertificates().values());
                    logger.debug("Keycloak truststore loaded for NGINX x509cert-lookup provider.");

                    // Publish last, so a reader that sees true also sees the filled sets.
                    this.isTruststoreLoaded = true;
                }
            }
        }
    }
}
