package org.wso2.carbon.identity.authenticator.x509Certificate;

import java.io.IOException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collection;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.commons.ssl.asn1.ASN1InputStream;
import org.wso2.carbon.identity.application.authentication.framework.AbstractApplicationAuthenticator;
import org.wso2.carbon.identity.application.authentication.framework.LocalApplicationAuthenticator;
import org.wso2.carbon.identity.application.authentication.framework.config.model.StepConfig;
import org.wso2.carbon.identity.application.authentication.framework.context.AuthenticationContext;
import org.wso2.carbon.identity.application.authentication.framework.exception.AuthenticationFailedException;
import org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatedUser;
import org.wso2.carbon.identity.application.authentication.framework.util.FrameworkUtils;
import org.wso2.carbon.identity.application.common.model.ClaimMapping;
import org.wso2.carbon.identity.core.util.IdentityUtil;
import org.wso2.carbon.identity.handler.event.account.lock.exception.AccountLockServiceException;
import org.wso2.carbon.user.api.UserStoreException;
import org.wso2.carbon.user.core.common.AbstractUserStoreManager;
import org.wso2.carbon.user.core.util.UserCoreUtil;
import org.wso2.carbon.utils.multitenancy.MultitenantUtils;

/* loaded from: input_file:org/wso2/carbon/identity/authenticator/x509Certificate/X509CertificateAuthenticator.class */
public class X509CertificateAuthenticator extends AbstractApplicationAuthenticator implements LocalApplicationAuthenticator {
    private Pattern alternativeNamesPatternCompiled;
    private Pattern subjectPatternCompiled;
    private String subjectAttributePattern = (String) getAuthenticatorConfig().getParameterMap().get(X509CertificateConstants.USER_NAME_REGEX);
    private String alternativeNamePattern = (String) getAuthenticatorConfig().getParameterMap().get(X509CertificateConstants.AlTN_NAMES_REGEX);
    private static final Log log = LogFactory.getLog(X509CertificateAuthenticator.class);

    public X509CertificateAuthenticator() {
        if (this.alternativeNamePattern != null) {
            this.alternativeNamesPatternCompiled = Pattern.compile(this.alternativeNamePattern);
        }
        if (this.subjectAttributePattern != null) {
            this.subjectPatternCompiled = Pattern.compile(this.subjectAttributePattern);
        }
    }

    protected void initiateAuthenticationRequest(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticationContext authenticationContext) throws AuthenticationFailedException {
        try {
            if (authenticationContext.isRetrying()) {
                String str = IdentityUtil.getServerURL(X509CertificateConstants.ERROR_PAGE, false, false) + "?sessionDataKey=" + authenticationContext.getContextIdentifier() + "&" + X509CertificateConstants.AUTHENTICATORS + "=" + getName() + X509CertificateConstants.RETRY_PARAM_FOR_CHECKING_CERTIFICATE + authenticationContext.getProperty(X509CertificateConstants.X509_CERTIFICATE_ERROR_CODE);
                authenticationContext.setProperty(X509CertificateConstants.X509_CERTIFICATE_ERROR_CODE, "");
                if (log.isDebugEnabled()) {
                    log.debug("Redirect to error page: " + str);
                }
                httpServletResponse.sendRedirect(str);
            } else {
                String str2 = (String) getAuthenticatorConfig().getParameterMap().get(X509CertificateConstants.AUTHENTICATION_ENDPOINT_PARAMETER);
                if (StringUtils.isEmpty(str2)) {
                    str2 = X509CertificateConstants.AUTHENTICATION_ENDPOINT;
                }
                String queryStringWithFrameworkContextId = FrameworkUtils.getQueryStringWithFrameworkContextId(authenticationContext.getQueryParams(), authenticationContext.getCallerSessionKey(), authenticationContext.getContextIdentifier());
                if (log.isDebugEnabled()) {
                    log.debug("Request sent to " + str2);
                }
                httpServletResponse.sendRedirect(str2 + "?" + queryStringWithFrameworkContextId);
            }
        } catch (IOException e) {
            throw new AuthenticationFailedException("Exception while redirecting to the login page", e);
        }
    }

    protected void processAuthenticationResponse(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticationContext authenticationContext) throws AuthenticationFailedException {
        Object attribute = httpServletRequest.getAttribute(X509CertificateConstants.X_509_CERTIFICATE);
        if (attribute == null) {
            authenticationContext.setProperty(X509CertificateConstants.X509_CERTIFICATE_ERROR_CODE, X509CertificateConstants.X509_CERTIFICATE_NOT_FOUND_ERROR_CODE);
            throw new AuthenticationFailedException("Unable to find X509 Certificate in browser");
        }
        if (!(attribute instanceof X509Certificate[])) {
            throw new AuthenticationFailedException("Exception while casting the X509Certificate");
        }
        X509Certificate[] x509CertificateArr = (X509Certificate[]) attribute;
        if (x509CertificateArr.length <= 0) {
            throw new AuthenticationFailedException("X509Certificate object is null");
        }
        if (log.isDebugEnabled()) {
            log.debug("X509 Certificate Checking in servlet is done! ");
        }
        X509Certificate x509Certificate = x509CertificateArr[0];
        String valueOf = String.valueOf(x509Certificate.getSubjectX500Principal());
        Map<ClaimMapping, String> subjectAttributes = getSubjectAttributes(authenticationContext, valueOf);
        if (this.alternativeNamePattern != null) {
            String matchedAlternativeName = getMatchedAlternativeName(x509Certificate, authenticationContext);
            validateUsingSubject(matchedAlternativeName, authenticationContext, x509Certificate, subjectAttributes);
            if (log.isDebugEnabled()) {
                log.debug("Certificate validated using the alternative name: " + matchedAlternativeName);
            }
            authenticationContext.setProperty(X509CertificateConstants.X509_CERTIFICATE_USERNAME, matchedAlternativeName);
            return;
        }
        if (this.subjectAttributePattern != null) {
            String matchedSubjectAttribute = getMatchedSubjectAttribute(valueOf, authenticationContext);
            validateUsingSubject(matchedSubjectAttribute, authenticationContext, x509Certificate, subjectAttributes);
            if (log.isDebugEnabled()) {
                log.debug("Certificate validated using the certificate subject attribute: " + matchedSubjectAttribute);
            }
            authenticationContext.setProperty(X509CertificateConstants.X509_CERTIFICATE_USERNAME, matchedSubjectAttribute);
            return;
        }
        String str = (String) authenticationContext.getProperty(X509CertificateConstants.X509_CERTIFICATE_USERNAME);
        if (StringUtils.isEmpty(str)) {
            authenticationContext.setProperty(X509CertificateConstants.X509_CERTIFICATE_ERROR_CODE, X509CertificateConstants.USERNAME_NOT_FOUND_FOR_X509_CERTIFICATE_ATTRIBUTE);
            throw new AuthenticationFailedException("Couldn't find the username for X509Certificate's attribute");
        }
        validateUsingSubject(str, authenticationContext, x509Certificate, subjectAttributes);
        if (log.isDebugEnabled()) {
            log.debug("Certificate validated using the certificate username attribute: " + str);
        }
    }

    private String getMatchedSubjectAttribute(String str, AuthenticationContext authenticationContext) throws AuthenticationFailedException {
        try {
            LdapName ldapName = new LdapName(str);
            String str2 = (String) getAuthenticatorConfig().getParameterMap().get(X509CertificateConstants.USERNAME);
            HashSet hashSet = new HashSet();
            for (Rdn rdn : ldapName.getRdns()) {
                if (this.subjectPatternCompiled != null && str2.equals(rdn.getType())) {
                    addMatchStringsToList(this.subjectPatternCompiled.matcher(String.valueOf(rdn.getValue())), hashSet);
                }
            }
            if (hashSet.isEmpty()) {
                authenticationContext.setProperty(X509CertificateConstants.X509_CERTIFICATE_ERROR_CODE, X509CertificateConstants.X509_CERTIFICATE_SUBJECTDN_REGEX_NO_MATCHES_ERROR_CODE);
                if (log.isDebugEnabled()) {
                    log.debug(X509CertificateConstants.X509_CERTIFICATE_SUBJECTDN_REGEX_NO_MATCHES_ERROR);
                }
                throw new AuthenticationFailedException(X509CertificateConstants.X509_CERTIFICATE_SUBJECTDN_REGEX_NO_MATCHES_ERROR);
            }
            if (hashSet.size() > 1) {
                authenticationContext.setProperty(X509CertificateConstants.X509_CERTIFICATE_ERROR_CODE, X509CertificateConstants.X509_CERTIFICATE_SUBJECTDN_REGEX_MULTIPLE_MATCHES_ERROR_CODE);
                if (log.isDebugEnabled()) {
                    log.debug("More than one value matched with the given regex, matches: " + Arrays.toString(hashSet.toArray()));
                }
                throw new AuthenticationFailedException("More than one value matched with the given regex");
            }
            String str3 = ((String[]) hashSet.toArray(new String[0]))[0];
            if (log.isDebugEnabled()) {
                log.debug("Setting X509Certificate username attribute: " + str2 + " ,and value is " + str3);
            }
            authenticationContext.setProperty(X509CertificateConstants.X509_CERTIFICATE_USERNAME, str3);
            return str3;
        } catch (InvalidNameException e) {
            throw new AuthenticationFailedException("error occurred while get the certificate claims", e);
        }
    }

    private void addOrValidateCertificate(String str, AuthenticationContext authenticationContext, byte[] bArr, Map<ClaimMapping, String> map, X509Certificate x509Certificate) throws AuthenticationFailedException {
        try {
            boolean validateCertificate = X509CertificateUtil.validateCertificate(str, authenticationContext, bArr, Boolean.parseBoolean((String) getAuthenticatorConfig().getParameterMap().get(X509CertificateConstants.ENFORCE_SELF_REGISTRATION)));
            try {
                if (X509CertificateUtil.isAccountLock(str)) {
                    authenticationContext.setProperty(X509CertificateConstants.X509_CERTIFICATE_ERROR_CODE, X509CertificateConstants.USER_ACCOUNT_LOCKED);
                    throw new AuthenticationFailedException("Account is locked for user: " + str);
                }
                if (X509CertificateUtil.isAccountDisabled(getUsername(authenticationContext))) {
                    authenticationContext.setProperty(X509CertificateConstants.X509_CERTIFICATE_ERROR_CODE, X509CertificateConstants.USER_ACCOUNT_DISABLED);
                    throw new AuthenticationFailedException("Account is disabled for user: " + str);
                }
                if (!validateCertificate) {
                    authenticationContext.setProperty(X509CertificateConstants.X509_CERTIFICATE_ERROR_CODE, X509CertificateConstants.X509_CERTIFICATE_NOT_VALID_ERROR_CODE);
                    throw new AuthenticationFailedException("X509Certificate is not valid");
                }
                try {
                    String userStoreDomainName = getUserStoreDomainName(str, authenticationContext);
                    str = UserCoreUtil.addDomainToName(str, userStoreDomainName);
                    UserCoreUtil.setDomainInThreadLocal(userStoreDomainName);
                    allowUser(str, map, x509Certificate, authenticationContext);
                } catch (UserStoreException e) {
                    throw new AuthenticationFailedException("Cannot find the user realm for the username: " + str, e);
                }
            } catch (UserStoreException | AccountLockServiceException e2) {
                throw new AuthenticationFailedException("User account lock/disable validation failed for user: " + str);
            }
        } catch (AuthenticationFailedException e3) {
            authenticationContext.setProperty(X509CertificateConstants.X509_CERTIFICATE_ERROR_CODE, X509CertificateConstants.X509_CERTIFICATE_NOT_VALIDATED_ERROR_CODE);
            throw new AuthenticationFailedException("Error in validating the user certificate", e3);
        }
    }

    public boolean canHandle(HttpServletRequest httpServletRequest) {
        return httpServletRequest.getParameter(X509CertificateConstants.SUCCESS) != null;
    }

    public String getContextIdentifier(HttpServletRequest httpServletRequest) {
        return httpServletRequest.getParameter(X509CertificateConstants.SESSION_DATA_KEY);
    }

    public String getName() {
        return X509CertificateConstants.AUTHENTICATOR_NAME;
    }

    public String getFriendlyName() {
        return X509CertificateConstants.AUTHENTICATOR_FRIENDLY_NAME;
    }

    private AuthenticatedUser getUsername(AuthenticationContext authenticationContext) {
        AuthenticatedUser authenticatedUser = null;
        int i = 1;
        while (true) {
            if (i > authenticationContext.getSequenceConfig().getStepMap().size()) {
                break;
            }
            StepConfig stepConfig = (StepConfig) authenticationContext.getSequenceConfig().getStepMap().get(Integer.valueOf(i));
            if (stepConfig.getAuthenticatedUser() != null && (stepConfig.getAuthenticatedAutenticator().getApplicationAuthenticator() instanceof LocalApplicationAuthenticator)) {
                authenticatedUser = stepConfig.getAuthenticatedUser();
                break;
            }
            i++;
        }
        return authenticatedUser;
    }

    protected Map<ClaimMapping, String> getSubjectAttributes(AuthenticationContext authenticationContext, String str) throws AuthenticationFailedException {
        HashMap hashMap = new HashMap();
        try {
            LdapName ldapName = new LdapName(str);
            String str2 = (String) getAuthenticatorConfig().getParameterMap().get(X509CertificateConstants.USERNAME);
            if (log.isDebugEnabled()) {
                log.debug("Getting username attribute: " + str2);
            }
            for (Rdn rdn : ldapName.getRdns()) {
                hashMap.put(ClaimMapping.build(rdn.getType(), rdn.getType(), (String) null, false), String.valueOf(rdn.getValue()));
                if (StringUtils.isNotEmpty(str2) && str2.equals(rdn.getType())) {
                    if (log.isDebugEnabled()) {
                        log.debug("Setting X509Certificate username attribute: " + str2 + "and value is " + rdn.getValue());
                    }
                    authenticationContext.setProperty(X509CertificateConstants.X509_CERTIFICATE_USERNAME, String.valueOf(rdn.getValue()));
                }
            }
            return hashMap;
        } catch (InvalidNameException e) {
            throw new AuthenticationFailedException("error occurred while get the certificate claims", e);
        }
    }

    private void allowUser(String str, Map map, X509Certificate x509Certificate, AuthenticationContext authenticationContext) {
        AuthenticatedUser createLocalAuthenticatedUserFromSubjectIdentifier = AuthenticatedUser.createLocalAuthenticatedUserFromSubjectIdentifier(str);
        createLocalAuthenticatedUserFromSubjectIdentifier.setAuthenticatedSubjectIdentifier(String.valueOf(x509Certificate.getSerialNumber()));
        createLocalAuthenticatedUserFromSubjectIdentifier.setUserAttributes(map);
        authenticationContext.setSubject(createLocalAuthenticatedUserFromSubjectIdentifier);
    }

    protected boolean retryAuthenticationEnabled() {
        return true;
    }

    protected String getMatchedAlternativeName(X509Certificate x509Certificate, AuthenticationContext authenticationContext) throws AuthenticationFailedException {
        HashSet hashSet = new HashSet();
        try {
            Collection<List<?>> subjectAlternativeNames = x509Certificate.getSubjectAlternativeNames();
            if (subjectAlternativeNames == null) {
                authenticationContext.setProperty(X509CertificateConstants.X509_CERTIFICATE_ERROR_CODE, X509CertificateConstants.X509_CERTIFICATE_ALTERNATIVE_NAMES_NOTFOUND_ERROR_CODE);
                throw new AuthenticationFailedException(X509CertificateConstants.X509_CERTIFICATE_ALTERNATIVE_NAMES_NOTFOUND_ERROR);
            }
            for (List<?> list : subjectAlternativeNames) {
                ASN1InputStream aSN1InputStream = null;
                if (list.toArray()[1] instanceof byte[]) {
                    aSN1InputStream = new ASN1InputStream((byte[]) list.toArray()[1]);
                } else if (list.toArray()[1] instanceof String) {
                    addMatchStringsToList(this.alternativeNamesPatternCompiled.matcher((String) list.toArray()[1]), hashSet);
                }
                if (aSN1InputStream != null) {
                    addMatchStringsToList(this.alternativeNamesPatternCompiled.matcher(decodeAlternativeName(aSN1InputStream)), hashSet);
                }
            }
            if (hashSet.isEmpty()) {
                authenticationContext.setProperty(X509CertificateConstants.X509_CERTIFICATE_ERROR_CODE, X509CertificateConstants.X509_CERTIFICATE_ALTERNATIVE_NAMES_REGEX_NO_MATCHES_ERROR_CODE);
                throw new AuthenticationFailedException("Regex Configured but no matches found for the given regex");
            }
            if (hashSet.size() <= 1) {
                return ((String[]) hashSet.toArray(new String[0]))[0];
            }
            authenticationContext.setProperty(X509CertificateConstants.X509_CERTIFICATE_ERROR_CODE, X509CertificateConstants.X509_CERTIFICATE_ALTERNATIVE_NAMES_REGEX_MULTIPLE_MATCHES_ERROR_CODE);
            throw new AuthenticationFailedException("More than one match for the given regex");
        } catch (IOException | CertificateParsingException e) {
            throw new AuthenticationFailedException("Failed to Parse the certificate");
        }
    }

    private String decodeAlternativeName(ASN1InputStream aSN1InputStream) throws IOException {
        return aSN1InputStream.readObject().getObjectAt(1).getObject().getObject().getString();
    }

    private void validateUsingSubject(String str, AuthenticationContext authenticationContext, X509Certificate x509Certificate, Map<ClaimMapping, String> map) throws AuthenticationFailedException {
        try {
            byte[] encoded = x509Certificate.getEncoded();
            AuthenticatedUser username = getUsername(authenticationContext);
            if (log.isDebugEnabled()) {
                log.debug("Getting X509Certificate username");
            }
            if (username == null) {
                addOrValidateCertificate(str, authenticationContext, encoded, map, x509Certificate);
                return;
            }
            if (log.isDebugEnabled()) {
                log.debug("Authenticated username is: " + username);
            }
            String authenticatedUserName = getAuthenticatedUserName(username);
            if (authenticatedUserName.equals(str)) {
                addOrValidateCertificate(str, authenticationContext, encoded, map, x509Certificate);
            } else {
                authenticationContext.setProperty(X509CertificateConstants.X509_CERTIFICATE_ERROR_CODE, X509CertificateConstants.USERNAME_CONFLICT);
                throw new AuthenticationFailedException("Couldn't find X509 certificate to this authenticated user: " + authenticatedUserName);
            }
        } catch (CertificateEncodingException e) {
            throw new AuthenticationFailedException("Encoded certificate is not found in the certificate with subjectDN: " + x509Certificate.getSubjectDN(), e);
        }
    }

    private String getAuthenticatedUserName(AuthenticatedUser authenticatedUser) {
        String authenticatedSubjectIdentifier = authenticatedUser.getAuthenticatedSubjectIdentifier();
        if (authenticatedSubjectIdentifier.endsWith("carbon.super")) {
            authenticatedSubjectIdentifier = authenticatedUser.getUserName();
        }
        return authenticatedSubjectIdentifier;
    }

    private void addMatchStringsToList(Matcher matcher, Set<String> set) {
        while (matcher.find()) {
            set.add(matcher.group());
        }
    }

    private String getUserStoreDomainName(String str, AuthenticationContext authenticationContext) throws UserStoreException, AuthenticationFailedException {
        if (!Boolean.valueOf((String) getAuthenticatorConfig().getParameterMap().get(X509CertificateConstants.SEARCH_ALL_USERSTORES)).booleanValue()) {
            return "PRIMARY";
        }
        String[] listUsers = X509CertificateUtil.getUserRealm(str).getUserStoreManager().listUsers(MultitenantUtils.getTenantAwareUsername(str), -1);
        if (listUsers.length == 1) {
            if (log.isDebugEnabled()) {
                log.debug("User exists with the user name: " + str);
            }
            return getDomainNameByUserIdentifier(listUsers[0]);
        }
        if (listUsers.length > 1) {
            authenticationContext.setProperty(X509CertificateConstants.X509_CERTIFICATE_ERROR_CODE, X509CertificateConstants.USERNAME_CONFLICT);
            throw new AuthenticationFailedException("Conflicting users with user name: " + str);
        }
        if (!getAuthenticatorConfig().getParameterMap().containsKey(X509CertificateConstants.LOGIN_CLAIM_URIS)) {
            authenticationContext.setProperty(X509CertificateConstants.X509_CERTIFICATE_ERROR_CODE, X509CertificateConstants.USER_NOT_FOUND);
            throw new AuthenticationFailedException("Unable to find X509 Certificate's user in user store. ");
        }
        String[] split = ((String) getAuthenticatorConfig().getParameterMap().get(X509CertificateConstants.LOGIN_CLAIM_URIS)).split(",");
        AbstractUserStoreManager userStoreManager = X509CertificateUtil.getUserRealm(str).getUserStoreManager();
        for (String str2 : split) {
            String[] userList = userStoreManager.getUserList(str2, MultitenantUtils.getTenantAwareUsername(str), (String) null);
            if (userList.length == 1) {
                return getDomainNameByUserIdentifier(userList[0]);
            }
            if (userList.length > 1) {
                authenticationContext.setProperty(X509CertificateConstants.X509_CERTIFICATE_ERROR_CODE, X509CertificateConstants.USERNAME_CONFLICT);
                throw new AuthenticationFailedException("Conflicting users with claim value: " + str);
            }
        }
        throw new AuthenticationFailedException("Unable to find X509 Certificate's user in user store. ");
    }

    private String getDomainNameByUserIdentifier(String str) {
        return str.indexOf("/") > 0 ? str.split("/", 2)[0] : "PRIMARY";
    }
}
