package org.gluu.oxauth.auth.mtls;

import com.google.common.base.Strings;
import java.io.Serializable;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import javax.annotation.Priority;
import javax.interceptor.AroundInvoke;
import javax.interceptor.Interceptor;
import javax.interceptor.InvocationContext;
import javax.servlet.FilterChain;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang.ArrayUtils;
import org.apache.commons.lang.StringUtils;
import org.gluu.oxauth.interception.MTLSInterception;
import org.gluu.oxauth.interception.MTLSInterceptionInterface;
import org.gluu.oxauth.model.common.AuthenticationMethod;
import org.gluu.oxauth.model.crypto.AbstractCryptoProvider;
import org.gluu.oxauth.model.jwk.JSONWebKey;
import org.gluu.oxauth.model.jwk.JSONWebKeySet;
import org.gluu.oxauth.model.ref.AuthenticatorReference;
import org.gluu.oxauth.model.ref.ClientReference;
import org.gluu.oxauth.model.util.CertUtils;
import org.gluu.oxauth.model.util.JwtUtil;
import org.json.JSONObject;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

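/**
 * CDI interceptor that authenticates an OAuth client from the certificate carried in the
 * {@code X-ClientCert} request header, for the {@code tls_client_auth} (registered subject DN)
 * and {@code self_signed_tls_client_auth} (registered JWK public key) methods.
 *
 * <p>The header value is trusted as-is. Nothing in this class verifies that it was set by the
 * TLS-terminating component rather than supplied by the caller, so the deployment in front of
 * this server must overwrite or strip any inbound {@code X-ClientCert} header; this class
 * cannot enforce that on its own.
 *
 * <p>On a successful match the session client is configured and the servlet filter chain is
 * continued; on any failure this class returns {@code false} without touching the chain.
 */
@MTLSInterception
@Priority(1000)
@Interceptor
/* loaded from: input_file:org/gluu/oxauth/auth/mtls/MTLSInterceptor.class */
public class MTLSInterceptor implements MTLSInterceptionInterface, Serializable {
    private static final long serialVersionUID = -6153350621622208537L;
    private static final Logger log = LoggerFactory.getLogger(MTLSInterceptor.class);

    /** Request header expected to carry the PEM-encoded client certificate. */
    private static final String CLIENT_CERT_HEADER = "X-ClientCert";

    public MTLSInterceptor() {
        log.info("MTLS Interceptor loaded.");
    }

    /**
     * Interceptor entry point: unpacks the intercepted call's parameters, runs the MTLS check,
     * then continues the invocation.
     *
     * <p>{@code proceed()} is called regardless of the authentication outcome; only the boolean
     * result of the check is returned. Any exception is logged and reported as {@code false}.
     *
     * @param invocationContext intercepted call whose six parameters are, in order: request,
     *     response, filter chain, client reference, authenticator reference, crypto provider
     * @return {@code Boolean.TRUE} if the client was authenticated, otherwise {@code Boolean.FALSE}
     */
    @AroundInvoke
    public Object processMTLS(InvocationContext invocationContext) {
        log.debug("processMTLS...");
        try {
            // Read the parameter array once instead of re-fetching it for every cast.
            final Object[] params = invocationContext.getParameters();
            final boolean authenticated = processMTLS(
                    (HttpServletRequest) params[0],
                    (HttpServletResponse) params[1],
                    (FilterChain) params[2],
                    (ClientReference) params[3],
                    (AuthenticatorReference) params[4],
                    (AbstractCryptoProvider) params[5]);
            invocationContext.proceed();
            return authenticated;
        } catch (Exception e) {
            log.error("Failed to process MTLS.", e);
            return false;
        }
    }

    /**
     * Authenticates {@code clientReference} from the certificate in the {@code X-ClientCert}
     * header, according to the client's registered authentication method.
     *
     * @param httpServletRequest request carrying the {@code X-ClientCert} header
     * @param httpServletResponse response passed on to the filter chain on success
     * @param filterChain chain continued only when authentication succeeds
     * @param clientReference client being authenticated (id, method, subject DN, JWKS)
     * @param authenticatorReference used to bind the authenticated client to the session
     * @param abstractCryptoProvider resolves JWK entries to {@link PublicKey}s
     * @return {@code true} if the certificate matched the client's registration and the chain
     *     was continued; {@code false} for a missing/unparseable certificate, an unsupported
     *     method, or no match
     * @throws Exception propagated from certificate parsing, JWKS loading or key resolution
     */
    public boolean processMTLS(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain, ClientReference clientReference, AuthenticatorReference authenticatorReference, AbstractCryptoProvider abstractCryptoProvider) throws Exception {
        final String clientId = clientReference.getClientId();
        final AuthenticationMethod method = clientReference.getAuthenticationMethod();
        log.debug("Trying to authenticate client {} via {} ...", clientId, method);

        final String header = httpServletRequest.getHeader(CLIENT_CERT_HEADER);
        if (StringUtils.isBlank(header)) {
            log.debug("Client certificate is missed in `X-ClientCert` header, client_id: {}.", clientId);
            return false;
        }
        final X509Certificate certificate = CertUtils.x509CertificateFromPem(header);
        if (certificate == null) {
            log.debug("Failed to parse client certificate, client_id: {}.", clientId);
            return false;
        }

        // A null or unrecognised method (if/else rather than switch so null cannot NPE) is a
        // refusal, exactly as in the original fall-through logic.
        final boolean authenticated;
        if (method == AuthenticationMethod.TLS_CLIENT_AUTH) {
            authenticated = matchesRegisteredSubjectDn(certificate, clientReference);
        } else if (method == AuthenticationMethod.SELF_SIGNED_TLS_CLIENT_AUTH) {
            authenticated = matchesRegisteredJwk(certificate, clientReference, abstractCryptoProvider);
        } else {
            authenticated = false;
        }
        if (!authenticated) {
            return false;
        }
        authenticatorReference.configureSessionClient();
        filterChain.doFilter(httpServletRequest, httpServletResponse);
        return true;
    }

    /**
     * {@code tls_client_auth}: the certificate's subject DN must equal the DN registered for
     * the client, compared as strings.
     *
     * @return {@code true} on an exact DN match; {@code false} if no DN is registered or it differs
     */
    private static boolean matchesRegisteredSubjectDn(X509Certificate certificate, ClientReference clientReference) {
        final String clientId = clientReference.getClientId();
        final String expectedDn = clientReference.getAttributes().getTlsClientAuthSubjectDn();
        if (StringUtils.isBlank(expectedDn)) {
            log.debug("SubjectDN is not set for client {} which is required to authenticate it via `tls_client_auth`.", clientId);
            return false;
        }
        // getSubjectDN() is deprecated, but its string rendering is what registered
        // tlsClientAuthSubjectDn values were stored against. Moving to
        // getSubjectX500Principal().getName() would change that rendering (RFC 2253) and
        // break existing registrations, so the legacy accessor is kept on purpose.
        final String presentedDn = certificate.getSubjectDN().getName();
        if (!expectedDn.equals(presentedDn)) {
            log.debug("SubjectDN of presented certificate does not match registration for client {}.", clientId);
            return false;
        }
        log.debug("Client {} authenticated via `tls_client_auth`.", clientId);
        return true;
    }

    /**
     * {@code self_signed_tls_client_auth}: the certificate's public key must be byte-identical
     * (encoded form) to one of the keys in the client's JWKS.
     *
     * <p>The JWKS is taken from the inline {@code jwks} registration when present, otherwise
     * fetched from {@code jwks_uri}.
     *
     * @return {@code true} if a registered key matched; {@code false} if the JWKS could not be
     *     loaded or no key matched
     * @throws Exception propagated from JWKS loading or key resolution
     */
    private static boolean matchesRegisteredJwk(X509Certificate certificate, ClientReference clientReference, AbstractCryptoProvider cryptoProvider) throws Exception {
        final String clientId = clientReference.getClientId();
        final byte[] presentedKey = certificate.getPublicKey().getEncoded();

        final JSONObject jwks = Strings.isNullOrEmpty(clientReference.getJwks())
                ? JwtUtil.getJSONWebKeys(clientReference.getJwksUri())
                : new JSONObject(clientReference.getJwks());
        if (jwks == null) {
            log.debug("Unable to load json web keys for client: {}, jwks_uri: {}, jks: {}", clientId, clientReference.getJwksUri(), clientReference.getJwks());
            return false;
        }

        for (JSONWebKey jwk : JSONWebKeySet.fromJSONObject(jwks).getKeys()) {
            final PublicKey registeredKey = cryptoProvider.getPublicKey(jwk.getKid(), jwks);
            if (registeredKey == null) {
                // The provider's contract for an unknown or unsupported kid is not visible
                // here; a null result is treated as "no match" instead of escaping as an NPE.
                continue;
            }
            // Public keys are not secret, so a plain (non-constant-time) comparison is adequate.
            if (Arrays.equals(presentedKey, registeredKey.getEncoded())) {
                log.debug("Client {} authenticated via `self_signed_tls_client_auth`, matched kid: {}.", clientId, jwk.getKid());
                return true;
            }
        }
        return false;
    }
}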
