package org.wso2.carbon.identity.authenticator.mutualssl;

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import org.apache.axiom.om.util.Base64;
import org.apache.axiom.soap.SOAPHeader;
import org.apache.axiom.soap.SOAPHeaderBlock;
import org.apache.axis2.context.MessageContext;
import org.apache.axis2.transport.http.HTTPConstants;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.osgi.framework.BundleContext;
import org.osgi.util.tracker.ServiceTracker;
import org.osgi.util.tracker.ServiceTrackerCustomizer;
import org.wso2.carbon.core.security.AuthenticatorsConfiguration;
import org.wso2.carbon.core.services.authentication.CarbonServerAuthenticator;
import org.wso2.carbon.core.services.util.CarbonAuthenticationUtil;
import org.wso2.carbon.identity.authenticator.mutualssl.internal.MutualSSLAuthenticatorServiceComponent;
import org.wso2.carbon.utils.AuthenticationObserver;
import org.wso2.carbon.utils.multitenancy.MultitenantUtils;

/* loaded from: input_file:org/wso2/carbon/identity/authenticator/mutualssl/MutualSSLAuthenticator.class */
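/**
 * Carbon server authenticator for admin-service calls made over mutual TLS.
 *
 * <p>By the time a request reaches this class the servlet container has already validated the
 * client certificate; it is read back from the {@code javax.servlet.request.X509Certificate}
 * request attribute. The authenticator then
 * <ol>
 *   <li>optionally requires the SHA-1 thumbprint of the leaf certificate to appear in the
 *       configured {@code WhiteList} (only when {@code WhiteListEnabled} is {@code true}), and</li>
 *   <li>takes the username the client asserts, either Base64-encoded in the HTTP header named by
 *       {@code UsernameHeader} (default {@code UserName}) or as the text of a SOAP header block of
 *       that local name in the {@code http://mutualssl.carbon.wso2.org} namespace, and logs that
 *       user in if it exists in the tenant's user store.</li>
 * </ol>
 *
 * <p>Security note: the asserted username is trusted purely on the strength of the client
 * certificate. With the white list disabled, any certificate the container's trust store accepts
 * can log in as any existing user; the trust store and the white list are therefore the only
 * controls over which clients may act on behalf of which users.
 *
 * <p>Configuration is read once from {@link AuthenticatorsConfiguration} under the name
 * {@code MutualSSLAuthenticator} and kept in static fields, so all instances share it.
 */
public class MutualSSLAuthenticator implements CarbonServerAuthenticator {
    private static final int DEFAULT_PRIORITY_LEVEL = 5;
    private static final String AUTHENTICATOR_NAME = "MutualSSLAuthenticator";
    private static final String MUTUAL_SSL_URL = "http://mutualssl.carbon.wso2.org";
    private static final String USERNAME_HEADER = "UsernameHeader";
    private static final String WHITE_LIST = "WhiteList";
    private static final String WHITE_LIST_ENABLED = "WhiteListEnabled";
    private static final String JAVAX_SERVLET_REQUEST_CERTIFICATE = "javax.servlet.request.X509Certificate";
    // Digest used for white-list thumbprints. SHA-1 is weak as a collision-resistant identifier,
    // but switching it would invalidate every deployed WhiteList value, so it is kept for
    // compatibility; configured thumbprints must be lower-case hex of the DER-encoded leaf cert.
    private static final String THUMBPRINT_ALGORITHM = "SHA-1";
    private static final char[] HEX_DIGITS = "0123456789abcdef".toCharArray();
    private static final Log log = LogFactory.getLog(MutualSSLAuthenticator.class);

    // Configuration state, written only inside the synchronized init(). Readers check
    // authenticatorInitialized (volatile, written last) first, which publishes the other fields.
    private static String[] whiteList;
    private static String usernameHeaderName = "UserName";
    private static boolean whiteListEnabled = false;
    private static volatile boolean authenticatorInitialized = false;

    /**
     * Loads this authenticator's parameters from {@link AuthenticatorsConfiguration}.
     *
     * <p>Recognised parameters: {@code UsernameHeader}, {@code WhiteListEnabled} and
     * {@code WhiteList} (comma-separated thumbprints). {@code authenticatorInitialized} is only set
     * when the configuration is usable; with the white list enabled but no {@code WhiteList}
     * value it stays {@code false} so that every request is rejected rather than letting the
     * authenticator run without its only client restriction.
     */
    private static synchronized void init() {
        if (authenticatorInitialized) {
            // Another thread completed initialization while this one was waiting on the lock.
            return;
        }
        AuthenticatorsConfiguration.AuthenticatorConfig config =
                AuthenticatorsConfiguration.getInstance().getAuthenticatorConfig(AUTHENTICATOR_NAME);
        if (config == null) {
            if (log.isDebugEnabled()) {
                log.debug("MutualSSLAuthenticator configuration is not set for initialization");
            }
            return;
        }
        Map<?, ?> parameters = config.getParameters();
        if (parameters == null) {
            return;
        }
        if (parameters.containsKey(USERNAME_HEADER)) {
            usernameHeaderName = (String) parameters.get(USERNAME_HEADER);
        }
        if (parameters.containsKey(WHITE_LIST_ENABLED)) {
            whiteListEnabled = Boolean.parseBoolean((String) parameters.get(WHITE_LIST_ENABLED));
            if (log.isDebugEnabled()) {
                log.debug("Enabling trusted client certificates list : " + whiteListEnabled);
            }
        }
        if (whiteListEnabled) {
            if (!parameters.containsKey(WHITE_LIST)) {
                log.error("Trusted client certificates list is enabled but empty");
                return;
            }
            whiteList = parseWhiteList((String) parameters.get(WHITE_LIST));
        }
        // Written last: the volatile write publishes the fields assigned above to readers.
        authenticatorInitialized = true;
    }

    /**
     * Splits a comma-separated {@code WhiteList} value into trimmed thumbprints.
     *
     * @param configured the raw parameter value
     * @return the non-blank entries, in configuration order
     */
    private static String[] parseWhiteList(String configured) {
        ArrayList<String> entries = new ArrayList<String>();
        for (String rawEntry : configured.trim().split(",")) {
            String thumbprint = rawEntry.trim();
            if (StringUtils.isEmpty(thumbprint)) {
                // A blank entry (e.g. a trailing comma) can never match a thumbprint; drop it.
                continue;
            }
            entries.add(thumbprint);
            if (log.isDebugEnabled()) {
                log.debug("Client thumbprint " + thumbprint + " added to the white list");
            }
        }
        return entries.toArray(new String[entries.size()]);
    }

    /**
     * Returns the configured priority, or {@code 5} when none is configured or it is not positive.
     */
    public int getPriority() {
        AuthenticatorsConfiguration.AuthenticatorConfig config =
                AuthenticatorsConfiguration.getInstance().getAuthenticatorConfig(AUTHENTICATOR_NAME);
        if (config == null || config.getPriority() <= 0) {
            return DEFAULT_PRIORITY_LEVEL;
        }
        return config.getPriority();
    }

    /**
     * Returns whether the authenticator is disabled in configuration; absent configuration means
     * enabled.
     */
    public boolean isDisabled() {
        AuthenticatorsConfiguration.AuthenticatorConfig config =
                AuthenticatorsConfiguration.getInstance().getAuthenticatorConfig(AUTHENTICATOR_NAME);
        return config != null && config.isDisabled();
    }

    /** Remember-me is not supported by this authenticator; always {@code false}. */
    public boolean authenticateWithRememberMe(MessageContext messageContext) {
        return false;
    }

    public String getAuthenticatorName() {
        return AUTHENTICATOR_NAME;
    }

    /**
     * Authenticates the caller of {@code messageContext}.
     *
     * <p>Fails closed: any exception raised while authenticating (missing certificate, digest or
     * user-store errors, undecodable header) is logged and results in {@code false}.
     *
     * @param messageContext the Axis2 message context carrying the HTTP servlet request
     * @return {@code true} when the client certificate is acceptable, a username was asserted and
     *         that user exists in the resolved tenant's user store
     */
    public boolean isAuthenticated(MessageContext messageContext) {
        boolean authenticated = false;
        HttpServletRequest request =
                (HttpServletRequest) messageContext.getProperty(HTTPConstants.MC_HTTP_SERVLETREQUEST);
        try {
            if (request == null) {
                throw new IllegalStateException("The HTTP servlet request is not available in the message context");
            }
            Object certObject = request.getAttribute(JAVAX_SERVLET_REQUEST_CERTIFICATE);
            if (certObject == null) {
                throw new IllegalStateException("The certificate cannot be empty");
            }
            if (!authenticatorInitialized) {
                init();
            }
            if (!authenticatorInitialized) {
                log.error("MutualSSLAuthenticator failed initialization");
                return false;
            }

            String thumbprint = null;
            boolean trustedClient = false;
            if (whiteListEnabled && whiteList != null && certObject instanceof X509Certificate[]) {
                X509Certificate[] chain = (X509Certificate[]) certObject;
                if (chain.length == 0) {
                    throw new IllegalStateException("The certificate chain cannot be empty");
                }
                // Only the leaf certificate (index 0) is compared against the white list.
                thumbprint = getThumbPrint(chain[0]);
                if (log.isDebugEnabled()) {
                    log.debug("Client certificate thumbprint is " + thumbprint);
                }
                trustedClient = isWhiteListed(thumbprint);
                if (trustedClient && log.isDebugEnabled()) {
                    log.debug("Client certificate thumbprint matched with the white list");
                }
            }
            // With the white list disabled, every certificate the container accepted during the
            // TLS handshake may assert a username; the container's trust store is then the only
            // control over which clients can do so.
            if (whiteListEnabled && !trustedClient) {
                if (log.isDebugEnabled()) {
                    log.debug("Client Thumbprint " + thumbprint + " is not in the White List of " + AUTHENTICATOR_NAME);
                }
                return false;
            }

            String username = resolveUsername(request, messageContext);
            if (StringUtils.isEmpty(username)) {
                return false;
            }
            String tenantDomain = MultitenantUtils.getTenantDomain(username);
            String tenantAwareUsername = MultitenantUtils.getTenantAwareUsername(username);
            int tenantId = MutualSSLAuthenticatorServiceComponent.getRealmService()
                    .getTenantManager().getTenantId(tenantDomain);
            handleAuthenticationStarted(tenantId);
            // Existence in the user store is the only check on the asserted user; no credential
            // of the user itself is verified here.
            boolean userExists = MutualSSLAuthenticatorServiceComponent.getRealmService()
                    .getTenantUserRealm(tenantId).getUserStoreManager().isExistingUser(tenantAwareUsername);
            if (userExists) {
                CarbonAuthenticationUtil.onSuccessAdminLogin(request.getSession(), tenantAwareUsername,
                        tenantId, tenantDomain, "Mutual SSL Authentication");
                handleAuthenticationCompleted(tenantId, true);
                authenticated = true;
            } else {
                if (log.isDebugEnabled()) {
                    log.debug("Authentication rquest is rejected. User " + tenantAwareUsername + " does not exist in userstore");
                }
                CarbonAuthenticationUtil.onFailedAdminLogin(request.getSession(), tenantAwareUsername,
                        tenantId, "Mutual SSL Authentication", "User does not exist in userstore");
                handleAuthenticationCompleted(tenantId, false);
            }
        } catch (Exception e) {
            log.error("Error authenticating the user " + e.getMessage(), e);
        }
        return authenticated;
    }

    /**
     * Decides whether this authenticator should handle the request: it is enabled and
     * initialized, the request came over HTTP without an {@code Authorization} header, the
     * container exposed a client certificate, and a username header is present (SOAP or HTTP).
     *
     * @param messageContext the Axis2 message context
     * @return {@code true} when {@link #isAuthenticated(MessageContext)} should be consulted
     */
    public boolean isHandle(MessageContext messageContext) {
        if (isDisabled()) {
            if (log.isDebugEnabled()) {
                log.debug("MutualSSLAuthenticator is Disabled.");
            }
            return false;
        }
        if (!authenticatorInitialized) {
            init();
            if (!authenticatorInitialized) {
                return false;
            }
        }
        HttpServletRequest request =
                (HttpServletRequest) messageContext.getProperty(HTTPConstants.MC_HTTP_SERVLETREQUEST);
        if (request == null) {
            // Not an HTTP transport: there is no servlet request to carry a client certificate.
            return false;
        }
        if (request.getHeader("Authorization") != null) {
            // Another authenticator (basic auth etc.) owns requests carrying credentials.
            return false;
        }
        if (request.getAttribute(JAVAX_SERVLET_REQUEST_CERTIFICATE) == null) {
            if (log.isDebugEnabled()) {
                log.debug("Server is not picking up the client certificate. Mutual SSL authentication is notdone");
            }
            return false;
        }
        boolean usernameHeaderPresent = findUsernameSoapHeader(messageContext) != null
                || StringUtils.isNotEmpty(request.getHeader(usernameHeaderName));
        if (!usernameHeaderPresent && log.isDebugEnabled()) {
            log.debug("'" + usernameHeaderName + "' header is not received in HTTP or SOAP header");
        }
        return usernameHeaderPresent;
    }

    /**
     * Reads the asserted username: the Base64-encoded HTTP header first, then the SOAP header
     * block. Mirrors the lookup order of {@link #isHandle(MessageContext)}.
     *
     * @return the username, or {@code null}/empty when neither header carries one
     */
    private static String resolveUsername(HttpServletRequest request, MessageContext messageContext) {
        String username = null;
        boolean headerReceived = false;
        String encodedHeader = request.getHeader(usernameHeaderName);
        if (StringUtils.isNotEmpty(encodedHeader)) {
            username = new String(Base64.decode(encodedHeader), StandardCharsets.UTF_8);
            headerReceived = true;
            if (log.isDebugEnabled()) {
                log.debug("Username for Mutual SSL : " + username);
            }
        }
        if (StringUtils.isEmpty(username)) {
            // Fall back to the SOAP header when the HTTP header is absent or decodes to nothing.
            SOAPHeaderBlock block = findUsernameSoapHeader(messageContext);
            if (block != null) {
                username = block.getText();
                headerReceived = true;
            }
        }
        if (!headerReceived && log.isDebugEnabled()) {
            log.debug("'" + usernameHeaderName + "' header is not received in HTTP or SOAP header");
        }
        return username;
    }

    /**
     * Finds the SOAP header block in the mutual-SSL namespace whose local name equals the
     * configured username header name.
     *
     * @return the block, or {@code null} when the envelope has no such header
     */
    private static SOAPHeaderBlock findUsernameSoapHeader(MessageContext messageContext) {
        SOAPHeader header = messageContext.getEnvelope().getHeader();
        if (header == null) {
            return null;
        }
        ArrayList blocks = header.getHeaderBlocksWithNSURI(MUTUAL_SSL_URL);
        if (blocks == null) {
            return null;
        }
        for (Iterator it = blocks.iterator(); it.hasNext();) {
            SOAPHeaderBlock block = (SOAPHeaderBlock) it.next();
            if (usernameHeaderName.equals(block.getLocalName())) {
                return block;
            }
        }
        return null;
    }

    /**
     * Checks a thumbprint against the configured white list. The comparison is exact and
     * case-sensitive, so configured values must use the lower-case hex produced by
     * {@link #hexify(byte[])}.
     */
    private static boolean isWhiteListed(String thumbprint) {
        String[] trusted = whiteList;
        if (trusted == null) {
            return false;
        }
        for (String entry : trusted) {
            if (thumbprint.equals(entry)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Computes the lower-case hex SHA-1 digest of the certificate's DER encoding.
     *
     * @throws NoSuchAlgorithmException if the digest algorithm is unavailable
     * @throws CertificateEncodingException if the certificate cannot be encoded
     */
    private static String getThumbPrint(X509Certificate certificate)
            throws NoSuchAlgorithmException, CertificateEncodingException {
        MessageDigest digest = MessageDigest.getInstance(THUMBPRINT_ALGORITHM);
        digest.update(certificate.getEncoded());
        return hexify(digest.digest());
    }

    /** Renders bytes as lower-case hexadecimal, two characters per byte. */
    private static String hexify(byte[] bytes) {
        StringBuilder hex = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            hex.append(HEX_DIGITS[(b & 0xF0) >>> 4]).append(HEX_DIGITS[b & 0x0F]);
        }
        return hex.toString();
    }

    /** Notifies every registered {@link AuthenticationObserver} that authentication started. */
    private void handleAuthenticationStarted(int tenantId) {
        BundleContext bundleContext = MutualSSLAuthenticatorServiceComponent.getBundleContext();
        if (bundleContext == null) {
            return;
        }
        ServiceTracker tracker = openObserverTracker(bundleContext);
        try {
            Object[] observers = tracker.getServices();
            if (observers != null) {
                for (Object observer : observers) {
                    ((AuthenticationObserver) observer).startedAuthentication(tenantId);
                }
            }
        } finally {
            // Close even if an observer throws, so the tracker is not leaked.
            tracker.close();
        }
    }

    /**
     * Notifies every registered {@link AuthenticationObserver} that authentication completed.
     *
     * @param tenantId the tenant the user was resolved to
     * @param success whether the user was authenticated
     */
    private void handleAuthenticationCompleted(int tenantId, boolean success) {
        BundleContext bundleContext = MutualSSLAuthenticatorServiceComponent.getBundleContext();
        if (bundleContext == null) {
            return;
        }
        ServiceTracker tracker = openObserverTracker(bundleContext);
        try {
            Object[] observers = tracker.getServices();
            if (observers != null) {
                for (Object observer : observers) {
                    ((AuthenticationObserver) observer).completedAuthentication(tenantId, success);
                }
            }
        } finally {
            tracker.close();
        }
    }

    /** Opens a tracker over all {@link AuthenticationObserver} services; the caller closes it. */
    private static ServiceTracker openObserverTracker(BundleContext bundleContext) {
        ServiceTracker tracker = new ServiceTracker(bundleContext,
                AuthenticationObserver.class.getName(), (ServiceTrackerCustomizer) null);
        tracker.open();
        return tracker;
    }
}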
