package org.zowe.apiml.cloudgatewayservice.filters;

import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.util.Base64;
import lombok.Generated;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.cloud.gateway.filter.GatewayFilter;
import org.springframework.cloud.gateway.filter.factory.AbstractGatewayFilterFactory;
import org.springframework.stereotype.Service;

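/**
 * Gateway filter factory that forwards the TLS client certificate of the inbound
 * connection to the routed service in the {@code Client-Cert} request header.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>Any {@code Client-Cert} header supplied by the caller is removed on every request,
 *       whether or not forwarding is enabled. The value that leaves this filter is
 *       therefore either absent or derived from the TLS session, never taken from the
 *       caller's own headers.</li>
 *   <li>Only the first entry of the peer certificate array is forwarded, as standard
 *       (non-URL-safe) Base64 of {@link X509Certificate#getEncoded()}.</li>
 *   <li>If encoding fails, no {@code Client-Cert} header is sent and an
 *       {@code X-Zowe-Auth-Failure} header carrying the exception message is added.</li>
 * </ul>
 *
 * <p>NOTE(review): this filter does not remove an inbound {@code X-Zowe-Auth-Failure}
 * header, and it cannot stop a service from being reached without passing through the
 * gateway. Confirm that consumers of {@code Client-Cert} accept it only from an
 * authenticated gateway connection.
 */
@Service
public class ClientCertFilterFactory extends AbstractGatewayFilterFactory<ClientCertFilterFactory.Config> {

    @Generated
    private static final Logger log = LoggerFactory.getLogger(ClientCertFilterFactory.class);

    /** Name of the request header that carries the forwarded client certificate. */
    private static final String CLIENT_CERT_HEADER = "Client-Cert";

    /**
     * Per-route configuration of the filter.
     */
    public static class Config {
        // Kept as the raw configured text; interpreted on each read.
        private String forwardingEnabled;

        /**
         * Tells whether the client certificate should be forwarded.
         *
         * @return {@code true} only when the configured value equals "true" ignoring case;
         *         a {@code null} or any other value yields {@code false}, so a missing or
         *         mistyped setting leaves forwarding off
         */
        public boolean isForwardingEnabled() {
            return Boolean.parseBoolean(this.forwardingEnabled);
        }

        /**
         * Stores the raw configuration value.
         *
         * @param str textual flag, expected to be "true" or "false"
         */
        @Generated
        public void setForwardingEnabled(String str) {
            this.forwardingEnabled = str;
        }
    }

    /**
     * Registers {@link Config} as the configuration class of this factory.
     */
    public ClientCertFilterFactory() {
        super(Config.class);
    }

    /**
     * Builds the filter that rewrites the {@code Client-Cert} header of the outgoing request.
     *
     * @param config route configuration; decides whether the certificate is forwarded
     * @return a filter that strips the caller-supplied header and, when forwarding is enabled
     *         and the TLS session exposes a peer certificate, sets it from that session
     */
    public GatewayFilter apply(Config config) {
        return (serverWebExchange, gatewayFilterChain) ->
            gatewayFilterChain.filter(serverWebExchange.mutate().request(serverWebExchange.getRequest().mutate().headers(httpHeaders -> {
                // Strip the caller's copy first and unconditionally: a client could otherwise
                // present an arbitrary certificate simply by sending the header itself.
                httpHeaders.remove(CLIENT_CERT_HEADER);
                if (!config.isForwardingEnabled() || serverWebExchange.getRequest().getSslInfo() == null) {
                    return;
                }
                X509Certificate[] peerCertificates = serverWebExchange.getRequest().getSslInfo().getPeerCertificates();
                if (peerCertificates == null || peerCertificates.length == 0) {
                    return;
                }
                try {
                    // Index 0 only: the rest of the presented chain is not forwarded.
                    httpHeaders.add(CLIENT_CERT_HEADER, Base64.getEncoder().encodeToString(peerCertificates[0].getEncoded()));
                    log.debug("Incoming client certificate has been added to the {} header.", CLIENT_CERT_HEADER);
                } catch (CertificateEncodingException e) {
                    log.debug("Failed to encode the incoming client certificate. Error message: {}", e.getMessage());
                    // The exception text is passed downstream verbatim in this header.
                    httpHeaders.add("X-Zowe-Auth-Failure", "Invalid client certificate in request. Error message: " + e.getMessage());
                }
            }).build()).build());
    }
}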
