package org.gluu.oxauth.auth;

import com.google.common.base.Strings;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import javax.ejb.DependsOn;
import javax.enterprise.context.ApplicationScoped;
import javax.inject.Inject;
import javax.inject.Named;
import javax.servlet.FilterChain;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.Response;
import org.apache.commons.lang.ArrayUtils;
import org.apache.commons.lang.StringUtils;
import org.gluu.oxauth.model.common.AuthenticationMethod;
import org.gluu.oxauth.model.common.Prompt;
import org.gluu.oxauth.model.common.SessionId;
import org.gluu.oxauth.model.common.SessionIdState;
import org.gluu.oxauth.model.crypto.AbstractCryptoProvider;
import org.gluu.oxauth.model.error.ErrorResponseFactory;
import org.gluu.oxauth.model.jwk.Algorithm;
import org.gluu.oxauth.model.jwk.JSONWebKey;
import org.gluu.oxauth.model.jwk.JSONWebKeySet;
import org.gluu.oxauth.model.registration.Client;
import org.gluu.oxauth.model.token.TokenErrorResponseType;
import org.gluu.oxauth.model.util.CertUtils;
import org.gluu.oxauth.model.util.JwtUtil;
import org.gluu.oxauth.service.SessionIdService;
import org.json.JSONObject;
import org.slf4j.Logger;

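/**
 * Authenticates OAuth clients through mutual TLS, covering both the
 * {@code tls_client_auth} (registered subject DN) and the
 * {@code self_signed_tls_client_auth} (registered JWK) methods.
 *
 * <p>The client certificate is not taken from the TLS layer of this JVM but from the
 * {@code X-ClientCert} request header. The service therefore trusts whoever sets that
 * header: the deployment has to guarantee it is populated by the TLS-terminating front
 * end and can never be supplied by the calling client itself.
 */
@DependsOn({"appInitializer"})
@ApplicationScoped
@Named
public class MTLSService {

    /** Request header the TLS-terminating front end is expected to fill with the PEM client certificate. */
    private static final String CLIENT_CERT_HEADER = "X-ClientCert";

    @Inject
    private Logger log;

    @Inject
    private Authenticator authenticator;

    @Inject
    private SessionIdService sessionIdService;

    @Inject
    private AbstractCryptoProvider cryptoProvider;

    @Inject
    private ErrorResponseFactory errorResponseFactory;

    /**
     * Tries to authenticate {@code client} with the certificate carried in the {@code X-ClientCert} header.
     *
     * <p>A missing or unparseable certificate, a client without a registered subject DN, or a
     * certificate that matches neither the registered DN nor any registered key makes the method
     * return {@code false} and leaves the request untouched. A parseable certificate whose CN differs
     * from the {@code client_id} is rejected outright with {@code 401 invalid_client}; this check runs
     * for every client that presents a certificate, before the registered authentication method is
     * consulted.
     *
     * <p>On success the session client is configured, an already authenticated session (if any, and
     * unless {@code prompt=login} was requested) is re-used, and the filter chain is continued.
     *
     * @param httpServletRequest  incoming request carrying the certificate header
     * @param httpServletResponse response handed to the filter chain on success
     * @param filterChain         chain to continue once the client is authenticated
     * @param client              registered client being authenticated
     * @return {@code true} if the client was authenticated and the filter chain was invoked,
     *         {@code false} if mTLS authentication did not apply or did not succeed
     * @throws WebApplicationException with status 401 when the certificate CN does not equal the client_id
     * @throws Exception               propagated from key material loading or from the filter chain
     */
    public boolean processMTLS(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain, Client client) throws Exception {
        final String clientId = client.getClientId();
        final AuthenticationMethod authenticationMethod = client.getAuthenticationMethod();
        this.log.debug("Trying to authenticate client {} via {} ...", clientId, authenticationMethod);

        final String pem = httpServletRequest.getHeader(CLIENT_CERT_HEADER);
        if (StringUtils.isBlank(pem)) {
            this.log.debug("Client certificate is missed in `X-ClientCert` header, client_id: {}.", clientId);
            return false;
        }

        final X509Certificate certificate = CertUtils.x509CertificateFromPem(pem);
        if (certificate == null) {
            this.log.debug("Failed to parse client certificate, client_id: {}.", clientId);
            return false;
        }

        // A certificate for a different (or absent) CN is a hard failure, not a fall-through:
        // a null CN is rejected here instead of surfacing as an NPE further down.
        final String cn = CertUtils.getCN(certificate);
        if (cn == null || !cn.equals(clientId)) {
            this.log.error("Client certificate CN does not match clientId. Reject call, CN: " + cn + ", clientId: " + clientId);
            throw new WebApplicationException(Response.status(Response.Status.UNAUTHORIZED)
                    .entity(this.errorResponseFactory.getErrorAsJson(TokenErrorResponseType.INVALID_CLIENT, httpServletRequest.getParameter("state"), ""))
                    .build());
        }

        final boolean matched;
        if (authenticationMethod == AuthenticationMethod.TLS_CLIENT_AUTH) {
            matched = matchesRegisteredSubjectDn(certificate, client);
        } else if (authenticationMethod == AuthenticationMethod.SELF_SIGNED_TLS_CLIENT_AUTH) {
            matched = matchesRegisteredJwk(certificate, client);
        } else {
            matched = false;
        }
        if (!matched) {
            return false;
        }

        authenticatedSuccessfully(client, httpServletRequest);
        filterChain.doFilter(httpServletRequest, httpServletResponse);
        return true;
    }

    /**
     * {@code tls_client_auth}: the presented certificate's subject DN must equal the DN registered
     * for the client.
     *
     * <p>The comparison is a verbatim string comparison, so the stored value has to use exactly the
     * formatting that {@link X509Certificate#getSubjectDN()} produces. Switching to
     * {@code getSubjectX500Principal()} would change that format and could invalidate stored DNs;
     * verify against existing registrations before changing it.
     *
     * @return {@code true} when the registered DN is set and matches the certificate
     */
    private boolean matchesRegisteredSubjectDn(X509Certificate certificate, Client client) {
        final String registeredSubjectDn = client.getAttributes().getTlsClientAuthSubjectDn();
        if (StringUtils.isBlank(registeredSubjectDn)) {
            this.log.debug("SubjectDN is not set for client {} which is required to authenticate it via `tls_client_auth`.", client.getClientId());
            return false;
        }
        if (!registeredSubjectDn.equals(certificate.getSubjectDN().getName())) {
            this.log.debug("Client certificate subject DN does not match the registered SubjectDN, client_id: {}.", client.getClientId());
            return false;
        }
        this.log.debug("Client {} authenticated via `tls_client_auth`.", client.getClientId());
        return true;
    }

    /**
     * {@code self_signed_tls_client_auth}: the presented certificate's public key must be one of the
     * keys in the client's registered JWK set (inline {@code jwks} preferred, {@code jwks_uri} otherwise).
     *
     * <p>Keys are compared by their encoded form; a key the crypto provider cannot materialise is
     * skipped rather than failing the whole lookup.
     *
     * @return {@code true} when some registered key encodes to the same bytes as the certificate's key
     * @throws Exception propagated from the crypto provider
     */
    private boolean matchesRegisteredJwk(X509Certificate certificate, Client client) throws Exception {
        final byte[] presentedKey = certificate.getPublicKey().getEncoded();
        if (presentedKey == null) {
            // A key with no encoding cannot be matched against anything; refuse rather than
            // letting two "no encoding" values compare equal.
            this.log.debug("Client certificate public key has no encoded form, client_id: {}.", client.getClientId());
            return false;
        }

        final JSONObject jwks = Strings.isNullOrEmpty(client.getJwks())
                ? JwtUtil.getJSONWebKeys(client.getJwksUri())
                : new JSONObject(client.getJwks());
        if (jwks == null) {
            this.log.debug("Unable to load json web keys for client: {}, jwks_uri: {}, jks: {}", client.getClientId(), client.getJwksUri(), client.getJwks());
            return false;
        }

        for (JSONWebKey jwk : JSONWebKeySet.fromJSONObject(jwks).getKeys()) {
            final PublicKey registeredKey = this.cryptoProvider.getPublicKey(jwk.getKid(), jwks, (Algorithm) null);
            if (registeredKey != null && Arrays.equals(presentedKey, registeredKey.getEncoded())) {
                this.log.debug("Client {} authenticated via `self_signed_tls_client_auth`, matched kid: {}.", client.getClientId(), jwk.getKid());
                return true;
            }
        }
        return false;
    }

    /**
     * Post-authentication bookkeeping: binds the client to the session and, unless the caller asked
     * for a fresh login, re-uses an already authenticated session for the request.
     *
     * @param httpServletRequest request whose {@code prompt} parameter (space-separated) and session are inspected
     */
    private void authenticatedSuccessfully(Client client, HttpServletRequest httpServletRequest) {
        this.authenticator.configureSessionClient(client);

        // prompt=login explicitly asks for a new authentication, so never reuse an existing session.
        if (Prompt.fromString(httpServletRequest.getParameter("prompt"), " ").contains(Prompt.LOGIN)) {
            return;
        }

        final SessionId sessionId = this.sessionIdService.getSessionId(httpServletRequest);
        if (sessionId == null || sessionId.getState() != SessionIdState.AUTHENTICATED) {
            return;
        }
        this.authenticator.authenticateBySessionId(sessionId);
    }
}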
