package org.wso2.carbon.webapp.authenticator.framework.authenticator;

import java.security.cert.X509Certificate;
import java.util.Properties;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.certificate.mgt.core.dto.CertificateResponse;
import org.wso2.carbon.certificate.mgt.core.exception.KeystoreException;
import org.wso2.carbon.certificate.mgt.core.scep.SCEPException;
import org.wso2.carbon.certificate.mgt.core.scep.SCEPManager;
import org.wso2.carbon.certificate.mgt.core.scep.TenantedDeviceWrapper;
import org.wso2.carbon.device.mgt.common.DeviceIdentifier;
import org.wso2.carbon.webapp.authenticator.framework.AuthenticationException;
import org.wso2.carbon.webapp.authenticator.framework.AuthenticationInfo;
import org.wso2.carbon.webapp.authenticator.framework.AuthenticatorFrameworkDataHolder;
import org.wso2.carbon.webapp.authenticator.framework.Utils.Utils;
import org.wso2.carbon.webapp.authenticator.framework.authenticator.WebappAuthenticator;

/* loaded from: input_file:org/wso2/carbon/webapp/authenticator/framework/authenticator/CertificateAuthenticator.class */
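/**
 * Authenticates a request by a client certificate presented in one of three ways:
 * <ul>
 *   <li>{@value #PROXY_MUTUAL_AUTH_HEADER}: a TLS-terminating proxy forwards the subject DN of
 *       the client certificate in this header, and the DN is looked up in the certificate store;</li>
 *   <li>{@value #MUTUAL_AUTH_HEADER}: the container performed mutual TLS itself and exposed the
 *       certificate chain under the {@value #CLIENT_CERTIFICATE_ATTRIBUTE} request attribute;</li>
 *   <li>{@value #CERTIFICATE_VERIFICATION_HEADER}: a signed payload whose embedded certificate
 *       yields a challenge token that names the enrolled device.</li>
 * </ul>
 * <p>
 * The proxy path trusts the header value as-is. That is only safe when the proxy in front of this
 * container strips any client-supplied copy of that header before adding its own; nothing in this
 * class can verify that, so the deployment has to guarantee it.
 * <p>
 * Every negative outcome (missing certificate, failed signature check, missing challenge token,
 * keystore or SCEP error) is reported as {@link WebappAuthenticator.Status#FAILURE} so that the
 * returned {@link AuthenticationInfo} never carries an undecided status back to the framework.
 */
public class CertificateAuthenticator implements WebappAuthenticator {
    private static final Log log = LogFactory.getLog(CertificateAuthenticator.class);
    private static final String CERTIFICATE_AUTHENTICATOR = "CertificateAuth";
    private static final String MUTUAL_AUTH_HEADER = "mutual-auth-header";
    private static final String PROXY_MUTUAL_AUTH_HEADER = "proxy-mutual-auth-header";
    private static final String CERTIFICATE_VERIFICATION_HEADER = "Mdm-Signature";
    private static final String CLIENT_CERTIFICATE_ATTRIBUTE = "javax.servlet.request.X509Certificate";
    // Device type assigned to every device identified through the Mdm-Signature path.
    private static final String SIGNATURE_DEVICE_TYPE = "ios";

    /** Nothing to initialise: this authenticator is configured through constants only. */
    @Override
    public void init() {
    }

    /**
     * Reports whether the request carries any of the three certificate-bearing headers.
     *
     * @param request the incoming request
     * @return {@code true} when at least one of the headers is present
     */
    @Override
    public boolean canHandle(Request request) {
        return request.getHeader(CERTIFICATE_VERIFICATION_HEADER) != null
                || request.getHeader(MUTUAL_AUTH_HEADER) != null
                || request.getHeader(PROXY_MUTUAL_AUTH_HEADER) != null;
    }

    /**
     * Dispatches to the verification path selected by the headers, in the precedence
     * proxy header, then mutual-TLS header, then signature header.
     *
     * @param request  the incoming request
     * @param response unused; part of the {@link WebappAuthenticator} contract
     * @return the authentication outcome; on any verification error the status is
     *         {@link WebappAuthenticator.Status#FAILURE} and the message explains why
     */
    @Override
    public AuthenticationInfo authenticate(Request request, Response response) {
        AuthenticationInfo authenticationInfo = new AuthenticationInfo();
        String requestURI = request.getRequestURI();
        if (requestURI == null || requestURI.isEmpty()) {
            // Kept from the original behaviour: an absent URI pre-marks the request as CONTINUE.
            // Every negative branch below overrides this with FAILURE, so it cannot leak through
            // when a presented header fails verification.
            authenticationInfo.setStatus(WebappAuthenticator.Status.CONTINUE);
        }
        try {
            String subjectDN = request.getHeader(PROXY_MUTUAL_AUTH_HEADER);
            String mutualAuthHeader = request.getHeader(MUTUAL_AUTH_HEADER);
            String signatureHeader = request.getHeader(CERTIFICATE_VERIFICATION_HEADER);
            if (subjectDN != null) {
                authenticationInfo = authenticateBySubjectDN(subjectDN);
            } else if (mutualAuthHeader != null) {
                authenticationInfo = authenticateByClientCertificate(request);
            } else if (signatureHeader != null) {
                authenticateBySignature(signatureHeader, authenticationInfo);
            }
        } catch (KeystoreException e) {
            log.error("KeystoreException occurred ", e);
            // Fail closed: a keystore problem must not leave the status undecided.
            fail(authenticationInfo, "Certificate verification failed.");
        } catch (SCEPException e) {
            log.error("SCEPException occurred ", e);
            fail(authenticationInfo, "Device validation failed.");
        }
        return authenticationInfo;
    }

    /**
     * Proxy path: looks the forwarded subject DN up in the certificate store.
     *
     * @param subjectDN the DN taken verbatim from {@value #PROXY_MUTUAL_AUTH_HEADER}
     * @return the outcome of {@link #checkCertificateResponse(CertificateResponse)}
     * @throws KeystoreException if the certificate store cannot be consulted
     */
    private AuthenticationInfo authenticateBySubjectDN(String subjectDN) throws KeystoreException {
        // NOTE(review): the DN is taken from a request header and not bound to the TLS session.
        // Only a proxy that strips client-supplied copies of this header makes it trustworthy.
        return checkCertificateResponse(AuthenticatorFrameworkDataHolder.getInstance()
                .getCertificateManagementService().verifySubjectDN(subjectDN));
    }

    /**
     * Mutual-TLS path: verifies the leaf certificate the container attached to the request.
     *
     * @param request the incoming request, expected to carry {@value #CLIENT_CERTIFICATE_ATTRIBUTE}
     * @return FAILURE when no certificate is present, otherwise the outcome of
     *         {@link #checkCertificateResponse(CertificateResponse)}
     * @throws KeystoreException if the certificate store cannot be consulted
     */
    private AuthenticationInfo authenticateByClientCertificate(Request request) throws KeystoreException {
        X509Certificate[] chain = (X509Certificate[]) request.getAttribute(CLIENT_CERTIFICATE_ATTRIBUTE);
        // The length check is required: an empty array would otherwise throw
        // ArrayIndexOutOfBoundsException instead of producing a FAILURE.
        if (chain == null || chain.length == 0 || chain[0] == null) {
            AuthenticationInfo authenticationInfo = new AuthenticationInfo();
            fail(authenticationInfo, "No client certificate is present");
            return authenticationInfo;
        }
        return checkCertificateResponse(AuthenticatorFrameworkDataHolder.getInstance()
                .getCertificateManagementService().verifyPEMSignature(chain[0]));
    }

    /**
     * Signature path: verifies the signed payload, extracts the challenge token from the embedded
     * certificate and resolves the device it names through the SCEP manager.
     *
     * @param signatureHeader    the raw value of {@value #CERTIFICATE_VERIFICATION_HEADER}
     * @param authenticationInfo the result object to populate in place
     * @throws KeystoreException if signature or certificate handling fails
     * @throws SCEPException     if the device cannot be validated
     */
    private void authenticateBySignature(String signatureHeader, AuthenticationInfo authenticationInfo)
            throws KeystoreException, SCEPException {
        if (!AuthenticatorFrameworkDataHolder.getInstance().getCertificateManagementService()
                .verifySignature(signatureHeader)) {
            fail(authenticationInfo, "Signature verification failed.");
            return;
        }
        // The certificate is extracted exactly once; the original extracted it twice and
        // discarded the first result.
        String challengeToken = AuthenticatorFrameworkDataHolder.getInstance()
                .getCertificateManagementService().extractChallengeToken(
                        AuthenticatorFrameworkDataHolder.getInstance()
                                .getCertificateManagementService()
                                .extractCertificateFromSignature(signatureHeader));
        if (challengeToken == null) {
            fail(authenticationInfo, "No challenge token is present in the certificate.");
            return;
        }
        // The device id is whatever follows the first "(" in the token; when there is no "("
        // the whole trimmed token is used (indexOf returns -1, so substring starts at 0).
        String deviceId = challengeToken.substring(challengeToken.indexOf("(") + 1).trim();
        DeviceIdentifier deviceIdentifier = new DeviceIdentifier();
        deviceIdentifier.setId(deviceId);
        deviceIdentifier.setType(SIGNATURE_DEVICE_TYPE);
        SCEPManager scepManager = AuthenticatorFrameworkDataHolder.getInstance().getScepManager();
        TenantedDeviceWrapper validatedDevice = scepManager.getValidatedDevice(deviceIdentifier);
        // NOTE(review): presumably getValidatedDevice throws SCEPException for an unknown device;
        // the null guard is a fail-closed safeguard in case it returns null instead — confirm.
        if (validatedDevice == null) {
            fail(authenticationInfo, "Device validation failed.");
            return;
        }
        authenticationInfo.setTenantDomain(validatedDevice.getTenantDomain());
        authenticationInfo.setTenantId(validatedDevice.getTenantId());
        if (validatedDevice.getDevice() != null && validatedDevice.getDevice().getEnrolmentInfo() != null) {
            authenticationInfo.setUsername(validatedDevice.getDevice().getEnrolmentInfo().getOwner());
        }
        authenticationInfo.setStatus(WebappAuthenticator.Status.CONTINUE);
    }

    /**
     * Converts a certificate-store lookup into an authentication outcome.
     *
     * @param certificateResponse the store's answer, or {@code null} when nothing matched
     * @return FAILURE when there is no match, the common name is absent, or the tenant domain
     *         cannot be resolved; otherwise CONTINUE with tenant id, tenant domain and username set
     */
    private AuthenticationInfo checkCertificateResponse(CertificateResponse certificateResponse) {
        AuthenticationInfo authenticationInfo = new AuthenticationInfo();
        if (certificateResponse == null) {
            fail(authenticationInfo,
                    "Certificate sent doesn't match any certificate in the store. Unauthorized access attempt.");
            return authenticationInfo;
        }
        String commonName = certificateResponse.getCommonName();
        if (commonName == null || commonName.isEmpty()) {
            // NOTE(review): the message speaks of a serial number while the check is on the common
            // name; presumably the common name is expected to carry the serial — confirm.
            fail(authenticationInfo,
                    "A matching certificate is found, but the serial number is missing in the database.");
            return authenticationInfo;
        }
        authenticationInfo.setTenantId(certificateResponse.getTenantId());
        authenticationInfo.setStatus(WebappAuthenticator.Status.CONTINUE);
        authenticationInfo.setUsername(certificateResponse.getUsername());
        try {
            authenticationInfo.setTenantDomain(Utils.getTenantDomain(certificateResponse.getTenantId()));
        } catch (AuthenticationException e) {
            // Overrides the CONTINUE set above: without a tenant domain the identity is incomplete.
            fail(authenticationInfo, "Could not identify tenant domain.");
        }
        return authenticationInfo;
    }

    /**
     * Marks the outcome as failed with the given reason.
     *
     * @param authenticationInfo the result object to update
     * @param message            human-readable reason, carried back to the framework
     */
    private static void fail(AuthenticationInfo authenticationInfo, String message) {
        authenticationInfo.setStatus(WebappAuthenticator.Status.FAILURE);
        authenticationInfo.setMessage(message);
    }

    /** @return the framework name of this authenticator, {@value #CERTIFICATE_AUTHENTICATOR} */
    @Override
    public String getName() {
        return CERTIFICATE_AUTHENTICATOR;
    }

    /** Configuration properties are ignored; this authenticator has none. */
    @Override
    public void setProperties(Properties properties) {
    }

    /** @return {@code null}: no properties are exposed */
    @Override
    public Properties getProperties() {
        return null;
    }

    /**
     * @param str the property name (ignored)
     * @return {@code null}: no properties are exposed
     */
    @Override
    public String getProperty(String str) {
        return null;
    }
}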
