package org.zowe.apiml.gateway.security.service.schema.source;

import com.netflix.zuul.context.RequestContext;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.util.Base64;
import java.util.Optional;
import javax.servlet.http.HttpServletRequest;
import lombok.Generated;
import org.zowe.apiml.gateway.security.login.x509.X509AbstractMapper;
import org.zowe.apiml.gateway.security.service.AuthenticationService;
import org.zowe.apiml.gateway.security.service.TokenCreationService;
import org.zowe.apiml.gateway.security.service.schema.source.AuthSource;
import org.zowe.apiml.gateway.security.service.schema.source.X509AuthSource;
import org.zowe.apiml.message.core.MessageType;
import org.zowe.apiml.message.log.ApimlLogger;
import org.zowe.apiml.product.logging.annotations.InjectApimlLogger;
import org.zowe.apiml.security.common.error.InvalidCertificateException;

/* loaded from: input_file:org/zowe/apiml/gateway/security/service/schema/source/X509AuthSourceService.class */
/**
 * {@link AuthSourceService} whose authentication source is the client X.509 certificate
 * found on the current request.
 *
 * <p>The certificate is read from the request attribute {@code client.auth.X509Certificate}
 * (presumably populated by an upstream filter after TLS client authentication — this class
 * does not verify the chain itself, verify that the producer of the attribute does). Only the
 * first element of the stored array is used. Whether the certificate may be used for client
 * authentication (extended key usage) and how it maps to a mainframe user id are both delegated
 * to the injected {@link X509AbstractMapper}.
 */
public class X509AuthSourceService implements AuthSourceService {

    /** Message logger; replaced by injection, falls back to a no-op logger. */
    @InjectApimlLogger
    protected final ApimlLogger logger = ApimlLogger.empty();

    /** Decides client-auth eligibility and certificate → user id mapping. */
    private final X509AbstractMapper mapper;
    /** Issues a JWT for an already-authenticated user id. */
    private final TokenCreationService tokenService;
    /** Exchanges a JWT for an LTPA token. */
    private final AuthenticationService authenticationService;

    /**
     * Looks up the client certificate on the current Zuul request.
     *
     * @return the certificate wrapped as an {@link X509AuthSource}, or empty when no
     *         certificate is present on the request
     * @throws AuthSchemeException when a certificate is present but is not usable for
     *         client authentication (see {@link #isValid(X509Certificate)})
     */
    @Override // org.zowe.apiml.gateway.security.service.schema.source.AuthSourceService
    public Optional<AuthSource> getAuthSourceFromRequest() {
        RequestContext zuulContext = RequestContext.getCurrentContext();
        logger.log(MessageType.DEBUG, "Getting X509 client certificate from custom attribute 'client.auth.X509Certificate'.");
        X509Certificate candidate = getCertificateFromRequest(zuulContext.getRequest(), "client.auth.X509Certificate");

        // isValid() throws for a present-but-unusable certificate, so past this point the
        // certificate is either absent or accepted by the mapper for client authentication.
        boolean usable = isValid(candidate);
        logger.log(MessageType.DEBUG,
            String.format("X509 client certificate %s in request.", usable ? "found" : "not found"));

        if (!usable) {
            return Optional.empty();
        }
        return Optional.of(new X509AuthSource(candidate));
    }

    /**
     * Validates an auth source; anything other than an {@link X509AuthSource} is rejected.
     *
     * @param authSource the auth source to check
     * @return {@code true} only for an {@link X509AuthSource} holding a client-auth certificate
     * @throws AuthSchemeException see {@link #isValid(X509Certificate)}
     */
    @Override // org.zowe.apiml.gateway.security.service.schema.source.AuthSourceService
    public boolean isValid(AuthSource authSource) {
        if (!(authSource instanceof X509AuthSource)) {
            return false;
        }
        return isValid((X509Certificate) authSource.getRawSource());
    }

    /**
     * Checks that a certificate may be used for client authentication.
     *
     * <p>Note the asymmetric contract: a missing certificate yields {@code false}, but a
     * certificate the mapper rejects raises an exception rather than returning {@code false},
     * so callers get a specific error message for a present-but-wrong certificate.
     *
     * @param x509Certificate certificate to check, may be {@code null}
     * @return {@code false} when {@code null}; {@code true} when the mapper accepts it
     * @throws AuthSchemeException when the mapper does not accept the certificate for
     *         client authentication
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public boolean isValid(X509Certificate x509Certificate) {
        logger.log(MessageType.DEBUG, "Validating X509 client certificate.");
        if (x509Certificate == null) {
            return false;
        }
        if (!mapper.isClientAuthCertificate(x509Certificate)) {
            throw new AuthSchemeException("org.zowe.apiml.gateway.security.scheme.x509ExtendedKeyUsageError");
        }
        return true;
    }

    /**
     * Extracts the parsed representation (user id, validity window, encoded cert, subject DN).
     *
     * @param authSource the auth source to parse
     * @return the parsed source, or {@code null} when the source is not an
     *         {@link X509AuthSource} or carries no certificate
     * @throws InvalidCertificateException when the certificate cannot be DER-encoded
     */
    @Override // org.zowe.apiml.gateway.security.service.schema.source.AuthSourceService
    public AuthSource.Parsed parse(AuthSource authSource) {
        if (!(authSource instanceof X509AuthSource)) {
            return null;
        }
        logger.log(MessageType.DEBUG, "Parsing X509 client certificate.");
        X509Certificate clientCert = (X509Certificate) authSource.getRawSource();
        return clientCert == null ? null : parseClientCert(clientCert);
    }

    /**
     * Obtains an LTPA token for the auth source by first creating a JWT and exchanging it.
     *
     * @param authSource the auth source
     * @return the LTPA token, or {@code null} when no JWT could be produced
     * @throws AuthSchemeException see {@link #getJWT(AuthSource)}
     */
    @Override // org.zowe.apiml.gateway.security.service.schema.source.AuthSourceService
    public String getLtpaToken(AuthSource authSource) {
        return Optional.ofNullable(getJWT(authSource))
            .map(authenticationService::getLtpaToken)
            .orElse(null);
    }

    /**
     * Reads the certificate array stored under {@code attributeName} and returns its first
     * element. The attribute is cast unchecked to {@code X509Certificate[]}; a value of any
     * other type will surface as a {@link ClassCastException}.
     *
     * @param httpServletRequest the request carrying the attribute
     * @param str                name of the request attribute
     * @return the first certificate, or {@code null} when the attribute is absent or empty
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public X509Certificate getCertificateFromRequest(HttpServletRequest httpServletRequest, String str) {
        X509Certificate[] chain = (X509Certificate[]) httpServletRequest.getAttribute(str);
        return getOne(chain);
    }

    /**
     * Picks the first certificate of an array.
     *
     * @param x509CertificateArr certificate array, may be {@code null}
     * @return element 0, or {@code null} for a {@code null} or empty array
     */
    protected X509Certificate getOne(X509Certificate[] x509CertificateArr) {
        boolean hasAny = x509CertificateArr != null && x509CertificateArr.length > 0;
        return hasAny ? x509CertificateArr[0] : null;
    }

    /**
     * Builds the parsed form of a certificate. The mapper is consulted first (it may return
     * {@code null}; that is passed through unchanged here), then the certificate fields.
     *
     * @param x509Certificate non-null certificate
     * @return the parsed auth source
     * @throws InvalidCertificateException when {@code getEncoded()} fails
     */
    private X509AuthSource.Parsed parseClientCert(X509Certificate x509Certificate) {
        String userId = mapper.mapCertificateToMainframeUserId(x509Certificate);
        java.util.Date notBefore = x509Certificate.getNotBefore();
        java.util.Date notAfter = x509Certificate.getNotAfter();
        try {
            String encodedCert = Base64.getEncoder().encodeToString(x509Certificate.getEncoded());
            String subjectDn = x509Certificate.getSubjectDN().toString();
            return new X509AuthSource.Parsed(userId, notBefore, notAfter, AuthSource.Origin.X509, encodedCert, subjectDn);
        } catch (CertificateEncodingException e) {
            logger.log(MessageType.ERROR, "Exception parsing certificate.", e);
            throw new InvalidCertificateException("Exception parsing certificate. " + e.getLocalizedMessage());
        }
    }

    /**
     * Maps the certificate to a mainframe user id and issues a JWT for it without credentials.
     *
     * <p>NOTE(review): unlike {@link #parse(AuthSource)}, the raw certificate is not
     * null-checked before being handed to the mapper — confirm the mapper tolerates
     * {@code null}, or that callers always validate first.
     *
     * @param authSource the auth source
     * @return the JWT, or {@code null} when the source is not an {@link X509AuthSource}
     * @throws AuthSchemeException when the certificate maps to no user id, or token
     *         creation fails (the underlying failure is logged at DEBUG only)
     */
    @Override // org.zowe.apiml.gateway.security.service.schema.source.AuthSourceService
    public String getJWT(AuthSource authSource) {
        if (!(authSource instanceof X509AuthSource)) {
            return null;
        }
        logger.log(MessageType.DEBUG, "Get JWT token from X509 client certificate.");

        X509Certificate clientCert = (X509Certificate) authSource.getRawSource();
        String userId = mapper.mapCertificateToMainframeUserId(clientCert);
        if (userId == null) {
            logger.log(MessageType.DEBUG, "It was not possible to map provided certificate to the mainframe identity.");
            throw new AuthSchemeException("org.zowe.apiml.gateway.security.schema.x509.mappingFailed");
        }

        try {
            return tokenService.createJwtTokenWithoutCredentials(userId);
        } catch (Exception e) {
            // Only the message is logged (at DEBUG); the cause is not attached to the thrown exception.
            logger.log(MessageType.DEBUG, "Gateway service failed to obtain token - authentication request to get token failed.", e.getLocalizedMessage());
            throw new AuthSchemeException("org.zowe.apiml.gateway.security.token.authenticationFailed");
        }
    }

    /**
     * Creates the service with its collaborators.
     *
     * @param x509AbstractMapper    certificate eligibility / user-id mapper
     * @param tokenCreationService  JWT issuer
     * @param authenticationService JWT → LTPA exchange
     */
    @Generated
    public X509AuthSourceService(X509AbstractMapper x509AbstractMapper, TokenCreationService tokenCreationService, AuthenticationService authenticationService) {
        this.mapper = x509AbstractMapper;
        this.tokenService = tokenCreationService;
        this.authenticationService = authenticationService;
    }
}
