package org.wso2.choreo.connect.enforcer.security.mtls;

import io.opentelemetry.context.Scope;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Objects;
import org.apache.commons.lang3.StringUtils;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.apache.logging.log4j.ThreadContext;
import org.wso2.choreo.connect.enforcer.commons.exception.APISecurityException;
import org.wso2.choreo.connect.enforcer.commons.model.AuthenticationContext;
import org.wso2.choreo.connect.enforcer.commons.model.RequestContext;
import org.wso2.choreo.connect.enforcer.commons.model.ResourceConfig;
import org.wso2.choreo.connect.enforcer.config.ConfigHolder;
import org.wso2.choreo.connect.enforcer.constants.APIConstants;
import org.wso2.choreo.connect.enforcer.security.Authenticator;
import org.wso2.choreo.connect.enforcer.tracing.TracingConstants;
import org.wso2.choreo.connect.enforcer.tracing.TracingSpan;
import org.wso2.choreo.connect.enforcer.tracing.Utils;
import org.wso2.choreo.connect.enforcer.util.FilterUtils;

/* loaded from: input_file:org/wso2/choreo/connect/enforcer/security/mtls/MTLSAuthenticator.class */
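/**
 * Mutual-TLS authenticator for the enforcer.
 *
 * <p>The client certificate is taken from one of two places, selected by the
 * {@code isEnableClientValidation} flag of the mTLS configuration:
 * <ul>
 *   <li>enabled: the certificate already present on the {@link RequestContext}
 *       ({@code getClientCertificate()});</li>
 *   <li>disabled: the request header named by {@link FilterUtils#getCertificateHeaderName()},
 *       which is also copied onto the request context.</li>
 * </ul>
 * The certificate is then parsed and looked up in the trust store of the matched API; a request is
 * authenticated only when a matching alias is found.
 *
 * <p>NOTE(review): in the header-sourced mode the certificate is whatever arrives in an inbound
 * request header, so the authentication result is only as trustworthy as the component that sets
 * (or strips) that header in front of the enforcer. This class does not verify that — confirm the
 * guarantee in the deployment.
 */
public class MTLSAuthenticator implements Authenticator {
    private static final Logger log = LogManager.getLogger(MTLSAuthenticator.class);

    /** When true, read the certificate from the request context instead of the certificate header. */
    private final boolean isEnableClientValidation =
            ConfigHolder.getInstance().getConfig().getMtlsInfo().isEnableClientValidation();

    /** Passed through to {@code MtlsUtils.getCertContent} for header-sourced certificates. */
    private final boolean isClientCertificateEncode =
            ConfigHolder.getInstance().getConfig().getMtlsInfo().isClientCertificateEncode();

    /**
     * Returns whether the request carries a non-blank client certificate in the configured
     * location (request context or certificate header). No parsing or trust-store check happens
     * here; that is done in {@link #authenticate(RequestContext)}.
     *
     * @param requestContext the request being evaluated
     * @return {@code true} if a candidate certificate string is present
     */
    @Override // org.wso2.choreo.connect.enforcer.security.Authenticator
    public boolean canAuthenticate(RequestContext requestContext) {
        String candidate = "";
        if (this.isEnableClientValidation) {
            candidate = requestContext.getClientCertificate();
        } else {
            String headerName = FilterUtils.getCertificateHeaderName();
            if (requestContext.getHeaders().containsKey(headerName)) {
                candidate = (String) requestContext.getHeaders().get(headerName);
            }
        }
        if (StringUtils.isBlank(candidate)) {
            log.debug("Could not find a valid client certificate in the request: {} for the API: {}:{} ",
                    ((ResourceConfig) requestContext.getMatchedResourcePaths().get(0)).getPath(),
                    requestContext.getMatchedAPI().getName(), requestContext.getMatchedAPI().getVersion());
            return false;
        }
        return true;
    }

    /**
     * Authenticates the request against the trust store of the matched API.
     *
     * <p>Wraps the work in a tracing span when tracing is enabled. The span and its scope are
     * released in a {@code finally} block and each is null-guarded, so a failure while starting
     * the span is reported as itself rather than as a {@code NullPointerException} from the
     * cleanup path.
     *
     * @param requestContext the request being authenticated
     * @return an {@link AuthenticationContext}; {@code isAuthenticated()} is {@code false} when the
     *         certificate is missing or not present in the API trust store
     * @throws APISecurityException if the presented certificate cannot be parsed
     */
    @Override // org.wso2.choreo.connect.enforcer.security.Authenticator
    public AuthenticationContext authenticate(RequestContext requestContext) throws APISecurityException {
        TracingSpan tracingSpan = null;
        Scope scope = null;
        try {
            if (Utils.tracingEnabled()) {
                tracingSpan = Utils.startSpan(TracingConstants.MTLS_API_AUTHENTICATOR_SPAN, Utils.getGlobalTracer());
                scope = tracingSpan.getSpan().makeCurrent();
                Utils.setTag(tracingSpan, APIConstants.LOG_TRACE_ID, ThreadContext.get(APIConstants.LOG_TRACE_ID));
            }
            return buildAuthenticationContext(requestContext);
        } finally {
            // Release in reverse order of acquisition; guard each so a partially-started span
            // (e.g. startSpan() succeeded but makeCurrent() threw) is still finished.
            if (scope != null) {
                scope.close();
            }
            if (tracingSpan != null) {
                Utils.finishSpan(tracingSpan);
            }
        }
    }

    /**
     * Resolves the client certificate, matches it against the API trust store and fills the
     * resulting {@link AuthenticationContext}. The API name, version and UUID are always set; tier
     * and username are set only when the certificate matched a trust-store alias.
     *
     * @throws APISecurityException if the certificate cannot be parsed
     */
    private AuthenticationContext buildAuthenticationContext(RequestContext requestContext)
            throws APISecurityException {
        AuthenticationContext authenticationContext = new AuthenticationContext();
        KeyStore trustStore = requestContext.getMatchedAPI().getTrustStore();
        String apiName = requestContext.getMatchedAPI().getName();
        String apiVersion = requestContext.getMatchedAPI().getVersion();
        String apiUuid = requestContext.getMatchedAPI().getUuid();
        boolean authenticated = false;
        try {
            X509Certificate clientCertificate = getClientCertificate(requestContext);
            String matchedAlias = MtlsUtils.getMatchedCertificateAliasFromTrustStore(clientCertificate, trustStore);
            if (StringUtils.isBlank(matchedAlias)) {
                log.debug("Provided client certificate in request: {} is not in the truststore of the API: {}:{} ",
                        ((ResourceConfig) requestContext.getMatchedResourcePaths().get(0)).getPath(),
                        apiName, apiVersion);
                clientCertificate = null;
            }
            if (clientCertificate != null) {
                authenticated = true;
                // The tier is keyed by the trust-store alias the certificate matched, not by the cert itself.
                String tier = requestContext.getMatchedAPI().getMtlsCertificateTiers().containsKey(matchedAlias)
                        ? (String) requestContext.getMatchedAPI().getMtlsCertificateTiers().get(matchedAlias)
                        : "";
                if (StringUtils.isNotBlank(tier)) {
                    authenticationContext.setTier(tier);
                }
                // getSubjectDN() is deprecated, but its string form is what downstream consumers of
                // the username currently see; switching to getSubjectX500Principal() can change the
                // DN formatting, so it is kept deliberately.
                authenticationContext.setUsername(clientCertificate.getSubjectDN().getName());
            }
        } catch (CertificateException e) {
            // The APISecurityException constructor used here carries no cause, so record it at
            // debug level before it is lost.
            log.debug("Failed to parse the client certificate for the API: {}:{}", apiName, apiVersion, e);
            throw new APISecurityException(APIConstants.StatusCodes.UNAUTHENTICATED.getCode(), 900900,
                    "Invalid client certificate");
        }
        authenticationContext.setAuthenticated(authenticated);
        authenticationContext.setApiName(apiName);
        authenticationContext.setApiUUID(apiUuid);
        authenticationContext.setApiVersion(apiVersion);
        return authenticationContext;
    }

    /**
     * Reads the raw certificate from the configured location and parses it.
     *
     * <p>In the header-sourced mode the header value is also stored on the request context via
     * {@code setClientCertificate} (even when blank) before parsing.
     *
     * @param requestContext the request being authenticated
     * @return the parsed certificate, or {@code null} if no non-blank certificate content was found
     * @throws CertificateException if the content is present but cannot be parsed
     */
    private X509Certificate getClientCertificate(RequestContext requestContext) throws CertificateException {
        String certContent = "";
        if (this.isEnableClientValidation) {
            String contextCert = requestContext.getClientCertificate();
            if (StringUtils.isNotBlank(contextCert)) {
                certContent = MtlsUtils.getCertContent(contextCert, true);
            }
        } else {
            String headerName = FilterUtils.getCertificateHeaderName();
            if (requestContext.getHeaders().containsKey(headerName)) {
                String headerCert = (String) requestContext.getHeaders().get(headerName);
                requestContext.setClientCertificate(headerCert);
                if (StringUtils.isNotBlank(headerCert)) {
                    certContent = MtlsUtils.getCertContent(headerCert, this.isClientCertificateEncode);
                }
            }
        }
        if (StringUtils.isBlank(certContent)) {
            log.debug("Provided client certificate in the request: {} for the API: {}:{} is invalid.",
                    ((ResourceConfig) requestContext.getMatchedResourcePaths().get(0)).getPath(),
                    requestContext.getMatchedAPI().getName(), requestContext.getMatchedAPI().getVersion());
            return null;
        }
        return MtlsUtils.getX509Cert(certContent);
    }

    /** @return the WWW-Authenticate style challenge advertised for this authenticator */
    @Override // org.wso2.choreo.connect.enforcer.security.Authenticator
    public String getChallengeString() {
        return "Mutual SSL realm=\"Choreo Connect\"";
    }

    /** @return the security-scheme name this authenticator handles */
    @Override // org.wso2.choreo.connect.enforcer.security.Authenticator
    public String getName() {
        return APIConstants.API_SECURITY_MUTUAL_SSL_NAME;
    }

    /**
     * @return the ordering value used by the authenticator chain; how it ranks against the other
     *         authenticators is defined outside this class
     */
    @Override // org.wso2.choreo.connect.enforcer.security.Authenticator
    public int getPriority() {
        return -15;
    }
}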
