package ca.nrc.cadc.cred.server;

import ca.nrc.cadc.auth.AuthMethod;
import ca.nrc.cadc.auth.AuthenticationUtil;
import ca.nrc.cadc.auth.X509CertificateChain;
import ca.nrc.cadc.cred.server.actions.DelegationActionFactory;
import ca.nrc.cadc.io.ByteCountWriter;
import ca.nrc.cadc.log.ServletLogInfo;
import ca.nrc.cadc.log.WebServiceLogInfo;
import ca.nrc.cadc.net.ResourceNotFoundException;
import java.io.BufferedWriter;
import java.io.IOException;
import java.io.PrintWriter;
import java.security.AccessControlException;
import java.security.PrivilegedActionException;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.StringTokenizer;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.security.auth.Subject;
import javax.security.auth.x500.X500Principal;
import javax.servlet.ServletConfig;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.log4j.Logger;
import org.bouncycastle.openssl.PEMWriter;

/* loaded from: input_file:ca/nrc/cadc/cred/server/ProxyServlet.class */
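/**
 * Servlet that hands the authenticated caller its proxy certificate chain
 * (end-entity certificate, private key, then the remaining chain) as a PEM
 * attachment.
 *
 * <p>Configuration comes from a JNDI-bound {@code CredConfig} when one is
 * present; otherwise the legacy servlet init-params ({@link #TRUSTED_PRINCIPALS_PARAM},
 * {@link #DSNAME}, {@link #CATALOG}, {@link #SCHEMA}) are read instead.
 *
 * <p>Error mapping (see {@link #doGet}): 400 invalid input, 401 not authenticated,
 * 404 no signed certificate, 501 unsupported, 500 anything else.
 */
public class ProxyServlet extends HttpServlet {
    public static final String TRUSTED_PRINCIPALS_PARAM = "trustedPrincipals";
    public static final String DSNAME = "datasource";
    public static final String CATALOG = "catalog";
    public static final String SCHEMA = "schema";
    static final String CERTIFICATE_CONTENT_TYPE = "application/x-pem-file";
    static final String CERTIFICATE_FILENAME = "cadcproxy.pem";
    private static final long serialVersionUID = 2740612605831266225L;
    private static final Logger LOGGER = Logger.getLogger(ProxyServlet.class);

    // Validity (days) applied to a servlet-config trusted principal that has no ":days" suffix.
    private static final float DEFAULT_MAX_DAYS_VALID = 30.0f;

    // Principals allowed to act through this service, mapped to their maximum validity in days.
    // Handed to DelegationActionFactory, which owns the actual authorization decision.
    private final Map<X500Principal, Float> trustedPrincipals = new HashMap<X500Principal, Float>();
    private String dataSourceName = "jdbc/cred";
    private String database = null;
    private String schema = "cred";

    /**
     * Loads the trusted-principal table and persistence settings.
     *
     * <p>The JNDI {@code CredConfig} is preferred. Only when that lookup fails with a
     * {@link NamingException} are the servlet init-params consulted, and only then are
     * {@code dataSourceName}/{@code database}/{@code schema} overwritten from them.
     *
     * @param servletConfig the container-supplied configuration
     * @throws ServletException propagated from {@code super.init}
     * @throws IllegalArgumentException if a {@link #TRUSTED_PRINCIPALS_PARAM} entry cannot be
     *         parsed or has a non-positive validity (NumberFormatException is a subclass)
     */
    public void init(ServletConfig servletConfig) throws ServletException {
        super.init(servletConfig);
        try {
            CredConfig credConfig = (CredConfig) new InitialContext().lookup(CredConfig.JDNI_KEY);
            LOGGER.info("JDNI config: " + credConfig);
            if (credConfig != null) {
                // every configured proxy user gets the same maximum validity
                Float maxDays = Float.valueOf(credConfig.proxyMaxDaysValid);
                for (X500Principal proxyUser : credConfig.getProxyUsers()) {
                    this.trustedPrincipals.put(proxyUser, maxDays);
                    LOGGER.info("trusted: " + proxyUser + " " + credConfig.proxyMaxDaysValid);
                }
            }
        } catch (NamingException e) {
            LOGGER.debug("BUG: unable to lookup CredConfig with key cred-runtime-config", e);
            parseTrustedPrincipals(servletConfig.getInitParameter(TRUSTED_PRINCIPALS_PARAM));
            this.dataSourceName = servletConfig.getInitParameter(DSNAME);
            this.database = servletConfig.getInitParameter(CATALOG);
            this.schema = servletConfig.getInitParameter(SCHEMA);
            LOGGER.info("persistence: " + this.dataSourceName + " " + this.database + " " + this.schema);
        }
    }

    /**
     * Parses the legacy {@link #TRUSTED_PRINCIPALS_PARAM} value into {@code trustedPrincipals}.
     *
     * <p>Entries are separated by newline, tab or carriage return. Each entry is either a
     * bare DN (validity {@link #DEFAULT_MAX_DAYS_VALID}) or {@code DN:days}. Because ':' is the
     * field separator, a DN that itself contains ':' is rejected. Double quotes are stripped
     * from the DN before it is parsed as an {@link X500Principal}.
     *
     * @param configValue raw init-param value; {@code null} means nothing is configured
     * @throws IllegalArgumentException on an unparsable entry or a non-positive validity
     */
    private void parseTrustedPrincipals(String configValue) {
        if (configValue == null) {
            return;
        }
        StringTokenizer entries = new StringTokenizer(configValue, "\n\t\r", false);
        while (entries.hasMoreTokens()) {
            String entry = entries.nextToken();
            StringTokenizer fields = new StringTokenizer(entry, ":", false);
            int fieldCount = fields.countTokens();
            String dn;
            Float maxDays;
            if (fieldCount == 1) {
                dn = entry.trim();
                maxDays = Float.valueOf(DEFAULT_MAX_DAYS_VALID);
            } else if (fieldCount == 2) {
                dn = fields.nextToken().trim();
                maxDays = Float.valueOf(Float.parseFloat(fields.nextToken().trim()));
                if (maxDays.floatValue() <= 0.0f) {
                    throw new IllegalArgumentException("Maximum valid days must be positive, " + maxDays);
                }
            } else {
                throw new IllegalArgumentException("Cannot parse trusted principal from servlet config: " + entry);
            }
            String cleanedDn = dn.replaceAll("\"", "");
            LOGGER.info("trusted: " + cleanedDn + " , max days valid: " + maxDays);
            this.trustedPrincipals.put(new X500Principal(cleanedDn), maxDays);
        }
    }

    /**
     * Resolves the caller's {@link Subject} from the request.
     *
     * <p>When the caller did not authenticate with a client certificate the subject is
     * augmented via {@code AuthenticationUtil.augmentSubject} (presumably to attach the
     * identities needed downstream; confirm against that utility).
     *
     * @param httpServletRequest the current request
     * @return the (possibly augmented) subject; never {@code null} per the usage in {@link #doGet}
     * @throws IOException propagated from the authentication utilities
     */
    Subject getCurrentSubject(HttpServletRequest httpServletRequest) throws IOException {
        Subject subject = AuthenticationUtil.getSubject(httpServletRequest, false);
        boolean certAuthenticated = AuthMethod.CERT.equals(AuthenticationUtil.getAuthMethod(subject));
        if (!certAuthenticated) {
            AuthenticationUtil.augmentSubject(subject);
        }
        return subject;
    }

    /**
     * Runs the delegation action as {@code subject} and returns the resulting chain.
     *
     * <p>Anonymous callers are rejected before any privileged work is attempted; the
     * per-principal authorization itself lives in {@code DelegationActionFactory}.
     *
     * @param httpServletRequest the current request (passed through to the action factory)
     * @param subject the authenticated caller
     * @return a chain with at least one certificate
     * @throws AccessControlException if the caller is anonymous or has no auth method
     * @throws ResourceNotFoundException if no signed certificate exists for the caller
     * @throws Exception whatever the delegation action threw, unwrapped from
     *         {@link PrivilegedActionException}
     */
    X509CertificateChain getX509CertificateChain(HttpServletRequest httpServletRequest, Subject subject) throws Exception {
        AuthMethod authMethod = AuthenticationUtil.getAuthMethod(subject);
        if (authMethod == null || AuthMethod.ANON.equals(authMethod)) {
            throw new AccessControlException("permission denied");
        }
        DelegationActionFactory factory = new DelegationActionFactory(
                httpServletRequest, this.trustedPrincipals, this.dataSourceName, this.database, this.schema);
        try {
            X509CertificateChain chain = (X509CertificateChain) Subject.doAs(subject, factory.getDelegationAction());
            // an empty array is as useless to the caller as a missing one: writePEM needs chain[0]
            if (chain.getChain() == null || chain.getChain().length == 0) {
                throw new ResourceNotFoundException("No signed certificate");
            }
            return chain;
        } catch (PrivilegedActionException e) {
            // surface the action's own exception type so doGet can map it to a status
            throw e.getException();
        }
    }

    /**
     * Streams the chain to the client as a PEM attachment and records the byte count.
     *
     * <p>The payload includes the private key (see {@link #writePEM}), so this must only be
     * reached for an authenticated, authorized subject -- which {@link #getX509CertificateChain}
     * enforces. Status and headers are set before the body is written; NOTE(review): if the
     * response has already been committed when a later failure occurs, a container will ignore
     * the error status set by {@code writeError}.
     *
     * @param x509CertificateChain chain to write
     * @param httpServletResponse response to write into
     * @param webServiceLogInfo receives the number of bytes written, even on failure
     * @throws Exception propagated from {@link #writePEM}
     */
    void writeCertificateChain(X509CertificateChain x509CertificateChain, HttpServletResponse httpServletResponse, WebServiceLogInfo webServiceLogInfo) throws Exception {
        httpServletResponse.setStatus(200);
        httpServletResponse.setContentType(CERTIFICATE_CONTENT_TYPE);
        httpServletResponse.setHeader("Content-Disposition", "attachment; filename=" + CERTIFICATE_FILENAME);
        ByteCountWriter countingWriter = new ByteCountWriter(new BufferedWriter(httpServletResponse.getWriter(), 8192));
        PEMWriter pemWriter = new PEMWriter(countingWriter);
        try {
            writePEM(x509CertificateChain, pemWriter);
        } finally {
            try {
                pemWriter.close();
            } catch (IOException ignored) {
                // a failing close must not mask the primary outcome (or an exception already in flight)
                LOGGER.debug("ignoring failure closing PEMWriter", ignored);
            }
            webServiceLogInfo.setBytes(Long.valueOf(countingWriter.getByteCount()));
        }
    }

    /**
     * Writes the chain in the order clients expect: end-entity certificate, private key,
     * then the issuer chain, and flushes.
     *
     * @param x509CertificateChain chain to serialize; {@code getChain()} must be non-empty
     * @param pEMWriter destination writer (not closed here)
     * @throws IOException on write failure
     */
    void writePEM(X509CertificateChain x509CertificateChain, PEMWriter pEMWriter) throws IOException {
        Object[] certificates = x509CertificateChain.getChain();
        pEMWriter.writeObject(certificates[0]);
        pEMWriter.writeObject(x509CertificateChain.getPrivateKey());
        for (int i = 1; i < certificates.length; i++) {
            pEMWriter.writeObject(certificates[i]);
        }
        pEMWriter.flush();
    }

    /**
     * Handles a GET by returning the caller's proxy certificate chain.
     *
     * <p>Exceptions are mapped to HTTP statuses with the most specific type first and
     * {@link Throwable} last, so a {@link ResourceNotFoundException} becomes a 404 rather
     * than falling into the generic 500 handler. Elapsed time and the end-of-request log
     * line are emitted exactly once, from {@code finally}, on every path.
     *
     * @param httpServletRequest the current request
     * @param httpServletResponse the response to populate
     * @throws IOException if writing the error response itself fails
     */
    protected void doGet(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
        ServletLogInfo logInfo = new ServletLogInfo(httpServletRequest);
        LOGGER.info(logInfo.start());
        long startMillis = System.currentTimeMillis();
        try {
            Subject subject = getCurrentSubject(httpServletRequest);
            logInfo.setSubject(subject);
            X509CertificateChain chain = getX509CertificateChain(httpServletRequest, subject);
            writeCertificateChain(chain, httpServletResponse, logInfo);
        } catch (IllegalArgumentException e) {
            rejectRequest(httpServletResponse, logInfo, 400, "invalid input", e);
        } catch (AccessControlException e) {
            rejectRequest(httpServletResponse, logInfo, 401, "unauthorized", e);
        } catch (ResourceNotFoundException e) {
            rejectRequest(httpServletResponse, logInfo, 404, "certificate not found", e);
        } catch (UnsupportedOperationException e) {
            rejectRequest(httpServletResponse, logInfo, 501, "unsupported", e);
        } catch (Throwable t) {
            // Unexpected failure (Errors included, as before): this is the only path marked unsuccessful.
            String message = t.getMessage();
            logInfo.setMessage(message);
            logInfo.setSuccess(false);
            LOGGER.error(message, t);
            // NOTE(review): the raw internal exception message is echoed to the client here;
            // consider a generic body for 500 so persistence/JNDI details are not disclosed.
            writeError(httpServletResponse, 500, message);
        } finally {
            logInfo.setElapsedTime(Long.valueOf(System.currentTimeMillis() - startMillis));
            LOGGER.info(logInfo.end());
        }
    }

    /**
     * Records and answers a request that was rejected for a client-side reason.
     *
     * <p>The log entry is marked successful on purpose: the service behaved correctly, the
     * request was simply refused.
     *
     * @param response response to write the error into
     * @param logInfo request log record
     * @param status HTTP status to send
     * @param logMessage short category for the debug log
     * @param cause the exception whose message is sent to the client
     * @throws IOException if the error body cannot be written
     */
    private void rejectRequest(HttpServletResponse response, ServletLogInfo logInfo, int status, String logMessage, Exception cause) throws IOException {
        logInfo.setMessage(cause.getMessage());
        logInfo.setSuccess(true);
        LOGGER.debug(logMessage, cause);
        writeError(response, status, cause.getMessage());
    }

    /**
     * Sends a plain-text error body with the given status.
     *
     * <p>{@code text/plain} ensures the echoed message is rendered as text, never
     * interpreted as markup by the client.
     *
     * @param response response to write into
     * @param status HTTP status to set
     * @param message body text (one line)
     * @throws IOException if the response writer cannot be obtained or written
     */
    private void writeError(HttpServletResponse response, int status, String message) throws IOException {
        response.setContentType("text/plain");
        response.setStatus(status);
        PrintWriter writer = response.getWriter();
        try {
            writer.println(message);
            writer.flush();
        } finally {
            writer.close();
        }
    }

    /**
     * Returns a read-only view of the trusted principals and their maximum validity in days.
     *
     * @return unmodifiable map backed by this servlet's configuration
     */
    public Map<X500Principal, Float> getTrustedPrincipals() {
        return Collections.unmodifiableMap(this.trustedPrincipals);
    }
}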
