package org.seedstack.seed.web.security.filters;

import java.io.IOException;
import java.security.cert.X509Certificate;
import javax.servlet.Filter;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.web.filter.authc.AuthenticatingFilter;
import org.seedstack.seed.security.api.X509CertificateToken;
import org.seedstack.seed.security.internal.realms.AuthenticationTokenWrapper;
import org.seedstack.seed.web.api.security.SecurityFilter;

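@SecurityFilter("cert")
/* loaded from: input_file:org/seedstack/seed/web/security/filters/X509CertificateFilter.class */
/**
 * Shiro authenticating filter that logs a subject in with the TLS client certificate chain
 * exposed by the servlet container.
 *
 * <p>The filter accepts one optional path-level option, {@code optional}. When it is set, a
 * failed certificate login does not reject the request: the filter chain continues with an
 * unauthenticated subject, so anything behind such a path must enforce its own authorization.
 *
 * <p>The option is kept per request (as a request attribute) rather than in an instance field.
 * A filter instance is typically shared by every request and every URL pattern it is mapped to,
 * so a field written while serving one pattern would stay in effect for later requests on
 * patterns that do not carry the option, and concurrent requests would race on it.
 */
public class X509CertificateFilter extends AuthenticatingFilter implements Filter {
    private static final String OPTIONAL = "optional";

    /** Request attribute carrying the per-request value of the {@code optional} option. */
    private static final String OPTIONAL_ATTRIBUTE = X509CertificateFilter.class.getName() + ".optional";

    /** Standard servlet request attribute holding the client certificate chain. */
    private static final String CERTIFICATES_ATTRIBUTE = "javax.servlet.request.X509Certificate";

    /**
     * Builds the authentication token from the client certificate chain of the request.
     *
     * @param servletRequest the incoming request
     * @param servletResponse the outgoing response (unused)
     * @return a wrapped {@link X509CertificateToken} holding the certificate chain
     */
    protected AuthenticationToken createToken(ServletRequest servletRequest, ServletResponse servletResponse) throws Exception {
        // The attribute is null when no client certificate reached the container (no client
        // authentication on the connector, or TLS terminated upstream). The null is passed on
        // as-is; NOTE(review): confirm that X509CertificateToken and the realm reject it.
        X509Certificate[] certificates = (X509Certificate[]) servletRequest.getAttribute(CERTIFICATES_ATTRIBUTE);
        return new AuthenticationTokenWrapper(new X509CertificateToken(certificates));
    }

    /**
     * Attempts a certificate login whenever the subject is not yet authenticated.
     *
     * @return the result of {@code executeLogin}: {@code true} to let the request continue
     */
    protected boolean onAccessDenied(ServletRequest servletRequest, ServletResponse servletResponse) throws Exception {
        return executeLogin(servletRequest, servletResponse);
    }

    /**
     * Handles a failed certificate login.
     *
     * @return {@code true} (continue unauthenticated) when the current request's path is
     *     configured as {@code optional}; {@code false} after sending a 401 otherwise
     * @throws IllegalStateException if the error response cannot be written
     */
    protected boolean onLoginFailure(AuthenticationToken authenticationToken, AuthenticationException authenticationException, ServletRequest servletRequest, ServletResponse servletResponse) {
        // Fail closed: only an explicit Boolean.TRUE recorded for this very request relaxes the check.
        if (Boolean.TRUE.equals(servletRequest.getAttribute(OPTIONAL_ATTRIBUTE))) {
            return true;
        }
        try {
            // 401 Unauthorized
            ((HttpServletResponse) servletResponse).sendError(401, "A valid certificate is required to gain access");
            return false;
        } catch (IOException e) {
            throw new IllegalStateException(e);
        }
    }

    /**
     * Records the {@code optional} option for this request and reports whether the subject is
     * already authenticated.
     *
     * @param obj the path-specific filter configuration, expected to be a {@code String[]}
     *     whose first element may be {@code "optional"}; anything else means "mandatory"
     * @return {@code true} if the current subject is authenticated
     */
    protected boolean isAccessAllowed(ServletRequest servletRequest, ServletResponse servletResponse, Object obj) {
        boolean optionalForRequest = false;
        if (obj instanceof String[]) {
            String[] options = (String[]) obj;
            optionalForRequest = options.length != 0 && OPTIONAL.equals(options[0]);
        }
        // Always written, including the "false" case, so no earlier value can carry over.
        servletRequest.setAttribute(OPTIONAL_ATTRIBUTE, optionalForRequest);
        return getSubject(servletRequest, servletResponse).isAuthenticated();
    }
}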
