package net.shibboleth.idp.authn.impl;

import java.io.IOException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.Iterator;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import net.shibboleth.utilities.java.support.annotation.constraint.NonnullElements;
import net.shibboleth.utilities.java.support.annotation.constraint.NotEmpty;
import net.shibboleth.utilities.java.support.primitive.StringSupport;
import org.opensaml.security.messaging.ServletRequestX509CredentialAdapter;
import org.opensaml.security.x509.X509Support;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/idp-authn-impl-4.1.6.jar:net/shibboleth/idp/authn/impl/X509ProxyFilter.class */
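/**
 * Servlet filter that rebuilds a client certificate chain from HTTP request headers and installs it
 * as the request's X.509 certificate attribute, for deployments where TLS is terminated by a
 * front-end proxy instead of the servlet container.
 *
 * <p>If the container already supplies a certificate array (under the attribute named by
 * {@link ServletRequestX509CredentialAdapter#X509_CERT_REQUEST_ATTRIBUTE} or the Jakarta
 * equivalent), the headers are ignored and the request passes through untouched.</p>
 *
 * <p><strong>Deployment requirement:</strong> this filter performs no verification of its own. It
 * decodes whatever the configured headers contain and presents the result to the rest of the
 * chain; it does not check proof of possession, chain validity, or where the header came from.
 * The configured header names must therefore be removed from every inbound client request by the
 * terminating proxy and set only by that proxy after a successful TLS client-certificate
 * handshake, and the container must not be reachable by any path that bypasses the proxy.
 * Otherwise the certificate identity seen downstream is caller-supplied.</p>
 */
public class X509ProxyFilter implements Filter {

    /** Name of the init-parameter holding the header that carries the end-entity certificate. */
    @NotEmpty
    @Nonnull
    public static final String LEAF_HEADER_PARAM = "leafHeader";

    /** Name of the init-parameter holding a space-delimited list of headers carrying chain certificates. */
    @NotEmpty
    @Nonnull
    public static final String CHAIN_HEADERS_PARAM = "chainHeaders";

    /** Literal header value treated the same as an absent header (see the checks in doFilter). */
    @NotEmpty
    @Nonnull
    private static final String APACHE_NULL = "(null)";

    /** Header carrying the end-entity certificate; set by {@link #init(FilterConfig)}. */
    @NotEmpty
    @Nullable
    private String leafHeader;

    /** Class logger. */
    @Nonnull
    private final Logger log = LoggerFactory.getLogger(X509ProxyFilter.class);

    /** Headers carrying additional chain certificates, consulted in iteration order. */
    @NonnullElements
    @Nonnull
    private Collection<String> chainHeaders = Collections.emptyList();

    /**
     * Reads the header names from the filter configuration.
     *
     * @param filterConfig filter configuration supplying {@value #LEAF_HEADER_PARAM} (required) and
     *                     {@value #CHAIN_HEADERS_PARAM} (optional, space-delimited)
     * @throws ServletException if the {@value #LEAF_HEADER_PARAM} init-parameter is missing
     */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        this.leafHeader = filterConfig.getInitParameter(LEAF_HEADER_PARAM);
        if (this.leafHeader == null) {
            throw new ServletException("Required init-parameter leafHeader missing");
        }
        this.log.info("X509ProxyFilter will check for the end-entity certificate in: {}", this.leafHeader);

        final String chainParam = filterConfig.getInitParameter(CHAIN_HEADERS_PARAM);
        if (chainParam != null) {
            // String.split never returns null, so the normalised list can be assigned directly.
            this.chainHeaders = StringSupport.normalizeStringCollection(Arrays.asList(chainParam.split(" ")));
        }
        this.log.info("X509ProxyFilter will check for chain certificates in: {}", this.chainHeaders);
    }

    /**
     * Installs a certificate chain decoded from the configured headers when the container did not
     * supply one, then continues the filter chain exactly once.
     *
     * <p>Any failure while reading or decoding the headers is logged and leaves the certificate
     * attribute unset, so a malformed header yields a request with no client certificate instead of
     * a partially populated chain. Exceptions raised by the downstream chain are not caught here and
     * propagate to the container.</p>
     *
     * @param servletRequest  incoming request; must be an {@link HttpServletRequest}
     * @param servletResponse outgoing response, passed through unchanged
     * @param filterChain     remainder of the filter chain
     * @throws IOException      if thrown by the downstream chain
     * @throws ServletException if thrown by the downstream chain
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain)
            throws IOException, ServletException {
        final HttpServletRequest httpRequest = (HttpServletRequest) servletRequest;
        try {
            X509Certificate[] presented = (X509Certificate[]) servletRequest.getAttribute(
                    ServletRequestX509CredentialAdapter.X509_CERT_REQUEST_ATTRIBUTE);
            if (presented == null || presented.length == 0) {
                presented = (X509Certificate[]) servletRequest.getAttribute("jakarta.servlet.request.X509Certificate");
            }

            // Certificates supplied by the container take precedence; headers are only a fallback.
            if (presented == null || presented.length == 0) {
                final String leafValue = this.leafHeader == null ? null : httpRequest.getHeader(this.leafHeader);
                if (!hasCertificateValue(leafValue)) {
                    this.log.warn("No end-entity certificate found");
                } else {
                    final ArrayList<X509Certificate> proxied = new ArrayList<>();
                    // The header is expected to hold text-encoded certificate data, which is ASCII;
                    // a fixed charset keeps decoding independent of the JVM's platform default.
                    proxied.add(X509Support.decodeCertificate(
                            leafValue.getBytes(java.nio.charset.StandardCharsets.US_ASCII)));
                    for (final String chainHeader : this.chainHeaders) {
                        final String chainValue = httpRequest.getHeader(chainHeader);
                        if (hasCertificateValue(chainValue)) {
                            proxied.add(X509Support.decodeCertificate(
                                    chainValue.getBytes(java.nio.charset.StandardCharsets.US_ASCII)));
                        }
                    }
                    // Reached only when every populated header decoded, so the chain is all-or-nothing.
                    servletRequest.setAttribute(ServletRequestX509CredentialAdapter.X509_CERT_REQUEST_ATTRIBUTE,
                            proxied.toArray(new X509Certificate[0]));
                }
            }
        } catch (Exception e) {
            // Header content originates outside this application; record the failure with its cause
            // and fall through so the request continues without a certificate attribute.
            this.log.error("Unable to process proxied X.509 certificate headers", e);
        } finally {
            // Single invocation point: a downstream failure must not cause the chain to run again.
            filterChain.doFilter(servletRequest, servletResponse);
        }
    }

    /** No resources to release. */
    @Override
    public void destroy() {
    }

    /**
     * Tells whether a header value should be handed to the certificate decoder.
     *
     * @param value raw header value, possibly {@code null}
     * @return {@code false} for {@code null}, the empty string and the literal {@code "(null)"}
     */
    private static boolean hasCertificateValue(@Nullable String value) {
        return value != null && !value.isEmpty() && !APACHE_NULL.equals(value);
    }
}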
