package com.mware.web;

import com.mware.core.exception.BcException;
import com.mware.core.model.user.UserNameAuthorizationContext;
import com.mware.core.model.user.UserRepository;
import com.mware.core.user.User;
import com.mware.core.util.BcLogger;
import com.mware.core.util.BcLoggerFactory;
import com.mware.ge.Graph;
import com.mware.web.framework.HandlerChain;
import java.io.IOException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.util.List;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/* loaded from: input_file:com/mware/web/X509AuthenticationHandler.class */
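/**
 * Authenticates a request from the client certificate that the servlet container placed in the
 * {@value #CERTIFICATE_REQUEST_ATTRIBUTE} request attribute.
 *
 * <p>This handler only enforces the certificate's validity window ({@link #isInvalid}); it does not
 * itself verify the chain, the issuer or revocation status. The attribute is populated by the
 * container from the TLS handshake, so chain/trust validation is presumably done there — confirm the
 * connector is configured to require and verify client certificates before relying on this handler.
 *
 * <p>The subject DN becomes the username and the leftmost CN the display name; a certificate whose
 * subject has not been seen before results in a new user ({@link UserRepository#findOrAddUser}).
 */
public class X509AuthenticationHandler extends AuthenticationHandler {
    /** Request attribute under which the servlet container exposes the client certificate chain. */
    public static final String CERTIFICATE_REQUEST_ATTRIBUTE = "javax.servlet.request.X509Certificate";
    private static final BcLogger LOGGER = BcLoggerFactory.getLogger(X509AuthenticationHandler.class);
    private final UserRepository userRepository;
    private final Graph graph;

    /**
     * @param userRepository repository used to look up / create users and to record the login
     * @param graph          graph handle exposed to subclasses via {@link #getGraph()}
     */
    protected X509AuthenticationHandler(UserRepository userRepository, Graph graph) {
        this.userRepository = userRepository;
        this.graph = graph;
    }

    /**
     * Establishes the current user from the client certificate if no user is set yet, then continues
     * the chain.
     *
     * <p>A missing or out-of-validity certificate, or a certificate from which no user could be
     * derived, ends the request with {@link #respondWithAuthenticationFailure}. A certificate whose
     * subject lacks a CN makes {@link #getDisplayName} throw {@link BcException}, which propagates
     * out of this method rather than producing the failure response.
     *
     * @throws Exception propagated from user lookup or the rest of the chain
     */
    @Override // com.mware.web.AuthenticationHandler, com.mware.web.framework.RequestResponseHandler
    public void handle(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, HandlerChain handlerChain) throws Exception {
        if (CurrentUser.get(httpServletRequest).getUserId() == null) {
            X509Certificate certificate = extractCertificate(httpServletRequest);
            if (isInvalid(certificate)) {
                respondWithAuthenticationFailure(httpServletResponse);
                return;
            }
            User user = getUser(httpServletRequest, certificate);
            if (user == null) {
                respondWithAuthenticationFailure(httpServletResponse);
                return;
            }
            // Records the login (username + remote address) before exposing the user to the chain.
            this.userRepository.updateUser(user, new UserNameAuthorizationContext(user.getUsername(), getRemoteAddr(httpServletRequest)));
            CurrentUser.set(httpServletRequest, user);
        }
        handlerChain.next(httpServletRequest, httpServletResponse);
    }

    /**
     * Resolves (or creates) the user identified by the certificate.
     *
     * @param httpServletRequest the current request (unused here; available to overriding subclasses)
     * @param x509Certificate    the validated client certificate
     * @return the user, or {@code null} if the username or display name is blank
     * @throws BcException if the certificate yields no DN or no CN
     */
    protected User getUser(HttpServletRequest httpServletRequest, X509Certificate x509Certificate) {
        String username = getUsername(x509Certificate);
        if (isBlank(username)) {
            return null;
        }
        // Only derived once the username is known to be usable, as in the original short-circuit.
        String displayName = getDisplayName(x509Certificate);
        if (isBlank(displayName)) {
            return null;
        }
        // Auto-provisions an account; the password is random because certificate login never uses it.
        return this.userRepository.findOrAddUser(username, displayName, (String) null, UserRepository.createRandomPassword());
    }

    /** Null-safe "empty after trimming" check. */
    private static boolean isBlank(String value) {
        return value == null || value.trim().isEmpty();
    }

    /**
     * Checks whether the certificate is absent or outside its validity period.
     *
     * <p>Only the notBefore/notAfter window is checked; signature, chain and revocation are not.
     *
     * @param x509Certificate the certificate, may be {@code null}
     * @return {@code true} if the certificate is missing, expired or not yet valid
     */
    protected boolean isInvalid(X509Certificate x509Certificate) {
        if (x509Certificate == null) {
            return true;
        }
        try {
            x509Certificate.checkValidity();
            return false;
        } catch (CertificateExpiredException e) {
            LOGGER.warn("Authentication attempt with expired certificate: %s", x509Certificate.getSubjectX500Principal());
            return true;
        } catch (CertificateNotYetValidException e) {
            LOGGER.warn("Authentication attempt with certificate that's not yet valid: %s", x509Certificate.getSubjectX500Principal());
            return true;
        }
    }

    /**
     * Returns the first certificate of the chain the container attached to the request.
     *
     * @param httpServletRequest the current request
     * @return the client's certificate, or {@code null} if the attribute is absent, of an
     *         unexpected type, or empty
     */
    protected X509Certificate extractCertificate(HttpServletRequest httpServletRequest) {
        Object attribute = httpServletRequest.getAttribute(CERTIFICATE_REQUEST_ATTRIBUTE);
        // Guard the cast instead of letting a foreign attribute type surface as a ClassCastException.
        if (!(attribute instanceof X509Certificate[])) {
            return null;
        }
        X509Certificate[] chain = (X509Certificate[]) attribute;
        return chain.length > 0 ? chain[0] : null;
    }

    /**
     * Derives the username: the certificate's full subject DN.
     *
     * @throws BcException if the subject DN cannot be obtained
     */
    protected String getUsername(X509Certificate x509Certificate) {
        String dn = getDn(x509Certificate);
        if (dn == null) {
            throw new BcException("failed to get DN from cert for username");
        }
        return dn;
    }

    /**
     * Derives the display name: the leftmost CN of the subject DN.
     *
     * @throws BcException if the subject has no CN or the DN cannot be parsed
     */
    protected String getDisplayName(X509Certificate x509Certificate) {
        String cn = getCn(x509Certificate);
        if (cn == null) {
            throw new BcException("failed to get CN from cert for displayName");
        }
        return cn;
    }

    /** Returns the subject DN in RFC 2253 form, logging it at debug level. */
    private String getDn(X509Certificate x509Certificate) {
        String name = x509Certificate.getSubjectX500Principal().getName();
        LOGGER.debug("certificate DN is [%s]", name);
        return name;
    }

    /**
     * Finds the leftmost CN of the subject DN.
     *
     * @return the CN value, or {@code null} if there is none or the DN does not parse
     */
    private String getCn(X509Certificate x509Certificate) {
        String dn = getDn(x509Certificate);
        try {
            List<Rdn> rdns = new LdapName(dn).getRdns();
            // LdapName indexes RDNs right-to-left, so the highest index is the leftmost
            // (most specific) component; walk downwards to return that CN first.
            for (int i = rdns.size() - 1; i >= 0; i--) {
                Rdn rdn = rdns.get(i);
                if (rdn.getType().equalsIgnoreCase("CN")) {
                    String cn = rdn.getValue().toString();
                    LOGGER.debug("certificate CN is [%s]", cn);
                    return cn;
                }
            }
            return null;
        } catch (InvalidNameException e) {
            // Best-effort: an unparseable DN simply yields no CN, but leave a trace for diagnosis.
            LOGGER.debug("certificate DN [%s] could not be parsed: %s", dn, e.getMessage());
            return null;
        }
    }

    /** Rejects the request with HTTP 403. */
    protected void respondWithAuthenticationFailure(HttpServletResponse httpServletResponse) throws IOException {
        httpServletResponse.sendError(403);
    }

    protected UserRepository getUserRepository() {
        return this.userRepository;
    }

    protected Graph getGraph() {
        return this.graph;
    }
}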
