package org.wso2.carbon.apimgt.gateway.handlers.security.authenticator;

import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.security.cert.X509Certificate;
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.synapse.MessageContext;
import org.apache.synapse.core.SynapseEnvironment;
import org.apache.synapse.core.axis2.Axis2MessageContext;
import org.wso2.carbon.apimgt.api.APIManagementException;
import org.wso2.carbon.apimgt.api.model.APIIdentifier;
import org.wso2.carbon.apimgt.gateway.APIMgtGatewayConstants;
import org.wso2.carbon.apimgt.gateway.handlers.Utils;
import org.wso2.carbon.apimgt.gateway.handlers.security.APISecurityConstants;
import org.wso2.carbon.apimgt.gateway.handlers.security.APISecurityException;
import org.wso2.carbon.apimgt.gateway.handlers.security.APISecurityUtils;
import org.wso2.carbon.apimgt.gateway.handlers.security.AuthenticationContext;
import org.wso2.carbon.apimgt.gateway.handlers.security.AuthenticationResponse;
import org.wso2.carbon.apimgt.gateway.handlers.security.Authenticator;
import org.wso2.carbon.apimgt.gateway.internal.ServiceReferenceHolder;
import org.wso2.carbon.apimgt.gateway.utils.GatewayUtils;
import org.wso2.carbon.apimgt.impl.dto.VerbInfoDTO;
import org.wso2.carbon.apimgt.impl.utils.APIUtil;
import org.wso2.carbon.apimgt.keymgt.model.entity.API;

/* loaded from: input_file:org/wso2/carbon/apimgt/gateway/handlers/security/authenticator/MutualSSLAuthenticator.class */
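/**
 * Gateway authenticator that accepts a request only when the transport-level client certificate
 * (a) is present in the listener trust store and (b) has been explicitly associated with the API.
 *
 * <p>The per-API association is supplied to the constructor as a serialized map whose keys are
 * certificate identifiers in the form produced by {@link #certificateKey(X509Certificate)} and whose
 * values are the throttling tier to apply for that certificate.
 *
 * <p>When {@code isMandatory} is {@code false}, a failed mutual-SSL check does not reject the request
 * outright but lets the next authenticator in the chain run (see the responses built in
 * {@link #authenticate(MessageContext)}).
 */
public class MutualSSLAuthenticator implements Authenticator {
    private static final Log log = LogFactory.getLog(MutualSSLAuthenticator.class);

    /** Error code reported when the API-management lookup itself throws (value kept from the original). */
    private static final int GENERAL_ERROR_CODE = 900900;
    private static final String API_KEY_SEPARATOR = "_";
    private static final String COMMON_NAME_TYPE = "CN";

    /** API-level throttling policy propagated into the authentication context. */
    private final String apiLevelPolicy;
    /** Never assigned in this class; {@link #getRequestOrigin()} therefore always returns {@code null}. */
    private String requestOrigin;
    /** Unused; retained for binary compatibility with the original class layout. */
    private static String challengeString;
    /** When true, a failed check is logged as an error and the request is not passed on. */
    private final boolean isMandatory;
    /** Certificate identifier (see {@link #certificateKey}) -> throttling tier for this API. */
    private final Map<String, String> certificates = new HashMap<>();

    /**
     * Creates the authenticator for one API.
     *
     * @param apiLevelPolicy   API-level throttling policy
     * @param isMandatory      whether mutual SSL is mandatory for this API
     * @param certificateMap   serialized certificate->tier map, expected as a single bracketed string,
     *                         e.g. {@code "{<serial>_<issuer>=Unlimited,<serial2>_<issuer2>=Gold}"}
     *                         (first and last characters are stripped, entries are separated by
     *                         {@code APIMgtGatewayConstants.CUSTOM_ANALYTICS_PROPERTY_SEPARATOR});
     *                         may be empty or {@code null}
     */
    public MutualSSLAuthenticator(String apiLevelPolicy, boolean isMandatory, String certificateMap) {
        this.apiLevelPolicy = apiLevelPolicy;
        this.isMandatory = isMandatory;
        // Guard against a 1-character value: substring(1, 0) would throw StringIndexOutOfBoundsException.
        if (StringUtils.isNotEmpty(certificateMap) && certificateMap.length() >= 2) {
            this.certificates.putAll(parseCertificateMap(certificateMap));
        }
    }

    /**
     * Parses the bracketed {@code key=value,key=value} representation into a map.
     *
     * <p>The key is everything before the LAST {@code '='} (trimmed), since issuer DNs may
     * themselves contain {@code '='}; the value is not trimmed, matching the original behaviour.
     * Entries without a usable {@code '='} are skipped.
     */
    private static Map<String, String> parseCertificateMap(String certificateMap) {
        Map<String, String> parsed = new HashMap<>();
        String body = certificateMap.substring(1, certificateMap.length() - 1);
        for (String entry : body.split(APIMgtGatewayConstants.CUSTOM_ANALYTICS_PROPERTY_SEPARATOR)) {
            int separator = entry.lastIndexOf('=');
            if (separator > 0) {
                parsed.put(entry.substring(0, separator).trim(), entry.substring(separator + 1));
            }
        }
        return parsed;
    }

    @Override // org.wso2.carbon.apimgt.gateway.handlers.security.Authenticator
    public void init(SynapseEnvironment synapseEnvironment) {
        // Nothing to initialise; all state is set in the constructor.
    }

    @Override // org.wso2.carbon.apimgt.gateway.handlers.security.Authenticator
    public void destroy() {
        // No resources to release.
    }

    /**
     * Authenticates the request using the transport-level client certificate.
     *
     * <p>A certificate that is absent, or not found in the listener trust store, is treated as
     * "no certificate presented". A trusted certificate that is not mapped to this API fails in
     * {@link #setAuthContext}. The {@link AuthenticationResponse} arguments are positional; they are
     * assumed to be (authenticated, isMandatory, continueToNextAuthenticator, errorCode, errorMessage)
     * — confirm against {@code AuthenticationResponse}.
     *
     * @param messageContext the Synapse message context of the incoming request
     * @return the authentication outcome; never {@code null}
     */
    @Override // org.wso2.carbon.apimgt.gateway.handlers.security.Authenticator
    public AuthenticationResponse authenticate(MessageContext messageContext) {
        try {
            X509Certificate clientCertificate = Utils.getClientCertificate(
                    ((Axis2MessageContext) messageContext).getAxis2MessageContext());
            // Only a certificate anchored in the listener trust store is considered at all.
            if (clientCertificate != null && !APIUtil.isCertificateExistsInListenerTrustStore(clientCertificate)) {
                log.debug("Certificate in Header didn't exist in truststore");
                clientCertificate = null;
            }
            if (clientCertificate != null) {
                try {
                    setAuthContext(messageContext, clientCertificate);
                    return new AuthenticationResponse(true, this.isMandatory, true, 0, null);
                } catch (APISecurityException e) {
                    return new AuthenticationResponse(false, this.isMandatory, !this.isMandatory,
                            e.getErrorCode(), e.getMessage());
                }
            }
            if (log.isDebugEnabled()) {
                log.debug("Mutual SSL authentication has not happened in the transport level for the API "
                        + getAPIIdentifier(messageContext).toString() + ", hence API invocation is not allowed");
            }
            if (this.isMandatory) {
                log.error("Mutual SSL authentication failure");
            }
            return new AuthenticationResponse(false, this.isMandatory, !this.isMandatory,
                    APISecurityConstants.API_AUTH_INVALID_CREDENTIALS, "Invalid Credentials");
        } catch (APIManagementException e) {
            return new AuthenticationResponse(false, this.isMandatory, !this.isMandatory,
                    GENERAL_ERROR_CODE, e.getMessage());
        }
    }

    /**
     * Builds the identifier under which a certificate is registered against an API:
     * {@code <serial>_<issuerDN>} with the entry separator replaced by {@code '#'} and double quotes
     * by single quotes, so the key survives the serialized-map format parsed in the constructor.
     */
    private static String certificateKey(X509Certificate certificate) {
        String raw = certificate.getSerialNumber() + API_KEY_SEPARATOR + certificate.getIssuerDN();
        return raw.replaceAll(APIMgtGatewayConstants.CUSTOM_ANALYTICS_PROPERTY_SEPARATOR, "#")
                .replaceAll("\"", "'")
                .trim();
    }

    /**
     * Returns the value of the subject's {@code CN} RDN, or the full subject DN when no CN is present
     * or the DN cannot be parsed. When several CN RDNs exist the last one wins (original behaviour).
     */
    private static String commonNameOrDefault(String subjectDn) {
        String username = subjectDn;
        try {
            for (Rdn rdn : new LdapName(subjectDn).getRdns()) {
                if (COMMON_NAME_TYPE.equalsIgnoreCase(rdn.getType())) {
                    username = (String) rdn.getValue();
                }
            }
        } catch (InvalidNameException e) {
            log.warn("Cannot get the CN name from certificate:" + e.getMessage()
                    + ". Please make sure the certificate to include a proper common name that follows naming convention.");
            return subjectDn;
        }
        return username;
    }

    /**
     * Verifies that the (already trusted) certificate is associated with this API and, if so,
     * populates the authentication context and the {@code VERB_INFO} property on the message.
     *
     * @param messageContext  the request context to decorate
     * @param x509Certificate the trusted client certificate
     * @throws APISecurityException with {@code API_AUTH_INVALID_CREDENTIALS} when the certificate is
     *                              not registered against this API
     */
    private void setAuthContext(MessageContext messageContext, X509Certificate x509Certificate)
            throws APISecurityException {
        String subjectDn = x509Certificate.getSubjectDN().getName();
        String certificateId = certificateKey(x509Certificate);
        String tier = this.certificates.get(certificateId);
        if (StringUtils.isEmpty(tier)) {
            if (log.isDebugEnabled()) {
                log.debug("The client certificate presented is available in gateway, however it was not added against the API "
                        + getAPIIdentifier(messageContext));
            }
            if (this.isMandatory) {
                log.error("Mutual SSL authentication failure. API is not associated with the certificate");
            }
            throw new APISecurityException(APISecurityConstants.API_AUTH_INVALID_CREDENTIALS, "Invalid Credentials");
        }

        AuthenticationContext authenticationContext = new AuthenticationContext();
        authenticationContext.setAuthenticated(true);
        authenticationContext.setUsername(commonNameOrDefault(subjectDn));
        authenticationContext.setApiTier(this.apiLevelPolicy);
        APIIdentifier apiIdentifier = getAPIIdentifier(messageContext);
        authenticationContext.setKeyType("PRODUCTION");
        authenticationContext.setStopOnQuotaReach(true);
        // Certificate id plus API id: unique per (certificate, API) pair for throttling purposes.
        authenticationContext.setApiKey(certificateId + API_KEY_SEPARATOR + apiIdentifier.toString());
        authenticationContext.setTier(tier);

        // Resource-level throttling is not applicable for certificate-authenticated calls.
        VerbInfoDTO verbInfoDTO = new VerbInfoDTO();
        verbInfoDTO.setThrottling("Unlimited");
        List<VerbInfoDTO> verbInfo = new ArrayList<>(1);
        verbInfo.add(verbInfoDTO);
        messageContext.setProperty("VERB_INFO", verbInfo);

        if (log.isDebugEnabled()) {
            // Brackets balanced (the original message dropped a ']' and had a stray '(').
            log.debug("Auth context for the API " + apiIdentifier + ": Username[" + authenticationContext.getUsername()
                    + "] APIKey[" + authenticationContext.getApiKey() + "] Tier[" + authenticationContext.getTier() + "]");
        }
        APISecurityUtils.setAuthenticationContext(messageContext, authenticationContext, null);
    }

    /** Derives the API identifier (provider, name, version) from the API resolved for this message. */
    private APIIdentifier getAPIIdentifier(MessageContext messageContext) {
        API api = GatewayUtils.getAPI(messageContext);
        return new APIIdentifier(api.getApiProvider(), api.getApiName(), api.getApiVersion());
    }

    /** Challenge advertised to clients, using the server's configured {@code Name} property as realm. */
    @Override // org.wso2.carbon.apimgt.gateway.handlers.security.Authenticator
    public String getChallengeString() {
        String serverName = ServiceReferenceHolder.getInstance().getServerConfigurationService().getFirstProperty("Name");
        return "Mutual SSL realm=\"" + serverName + "\"";
    }

    /** Always {@code null}: {@link #requestOrigin} is never assigned. */
    @Override // org.wso2.carbon.apimgt.gateway.handlers.security.Authenticator
    public String getRequestOrigin() {
        return this.requestOrigin;
    }

    @Override // org.wso2.carbon.apimgt.gateway.handlers.security.Authenticator
    public int getPriority() {
        return 0;
    }
}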
