package org.zowe.apiml.gateway.x509;

import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Base64;
import lombok.Generated;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.cloud.gateway.filter.GatewayFilter;
import org.springframework.cloud.gateway.filter.factory.AbstractGatewayFilterFactory;
import org.springframework.http.server.reactive.ServerHttpRequest;
import org.springframework.http.server.reactive.SslInfo;
import org.springframework.stereotype.Service;
import org.zowe.apiml.security.common.verify.CertificateValidator;

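/**
 * Gateway filter factory whose filter replaces the TLS peer certificate of a request with a
 * certificate carried in the {@code ForwardClientCertFilterFactory.CLIENT_CERT_HEADER} header.
 *
 * <p>The swap happens only when the TLS peer presented at least one certificate and
 * {@code certificateValidator.isTrusted(...)} accepts that chain. In every other case the exchange
 * is passed down the chain unchanged.
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>The forwarded certificate is only Base64-decoded and parsed. No chain, validity-period or
 *       revocation check on it is visible in this class, so its acceptance rests entirely on the
 *       trust decision made about the TLS peer. The certificates accepted by
 *       {@code isTrusted} therefore define who may assert a client identity on someone else's
 *       behalf.</li>
 *   <li>NOTE(review): when the peer is absent or not trusted, this filter leaves the header on the
 *       request untouched. Whether a later component strips or ignores it cannot be seen from this
 *       class - confirm.</li>
 * </ul>
 */
@Service
public class AcceptForwardedClientCertFilterFactory extends AbstractGatewayFilterFactory<AcceptForwardedClientCertFilterFactory.Config> {

    @Generated
    private static final Logger log = LoggerFactory.getLogger(AcceptForwardedClientCertFilterFactory.class);

    /** Decides whether the certificate chain of the TLS peer may forward a client certificate. */
    private final CertificateValidator certificateValidator;

    /** Filter configuration; it carries no settings. */
    public static class Config {
    }

    /**
     * {@link SslInfo} implementation holding a session id and a peer certificate array supplied by
     * the caller instead of values taken from the TLS session.
     *
     * <p>The array is stored and returned by reference, without a defensive copy.
     * Decompiler note: this type was originally package-private.
     */
    public static final class CustomSslInfo implements SslInfo {
        private final String sessionId;
        private final X509Certificate[] peerCertificates;

        /** Builder for {@link CustomSslInfo}; fields that are never set stay {@code null}. */
        @Generated
        public static class CustomSslInfoBuilder {

            @Generated
            private String sessionId;

            @Generated
            private X509Certificate[] peerCertificates;

            @Generated
            CustomSslInfoBuilder() {
            }

            /**
             * Sets the session id to report.
             *
             * @param str session id, may be {@code null}
             * @return this builder
             */
            @Generated
            public CustomSslInfoBuilder sessionId(String str) {
                this.sessionId = str;
                return this;
            }

            /**
             * Sets the peer certificates to report.
             *
             * @param x509CertificateArr certificate array, kept by reference
             * @return this builder
             */
            @Generated
            public CustomSslInfoBuilder peerCertificates(X509Certificate[] x509CertificateArr) {
                this.peerCertificates = x509CertificateArr;
                return this;
            }

            /**
             * Creates the {@link CustomSslInfo} from the values collected so far.
             *
             * @return a new instance
             */
            @Generated
            public CustomSslInfo build() {
                return new CustomSslInfo(this.sessionId, this.peerCertificates);
            }

            @Override
            @Generated
            public String toString() {
                return "AcceptForwardedClientCertFilterFactory.CustomSslInfo.CustomSslInfoBuilder(sessionId=" + this.sessionId + ", peerCertificates=" + Arrays.deepToString(this.peerCertificates) + ")";
            }
        }

        @Generated
        CustomSslInfo(String str, X509Certificate[] x509CertificateArr) {
            this.sessionId = str;
            this.peerCertificates = x509CertificateArr;
        }

        /**
         * Starts building a {@link CustomSslInfo}.
         *
         * @return an empty builder
         */
        @Generated
        public static CustomSslInfoBuilder builder() {
            return new CustomSslInfoBuilder();
        }

        @Override // org.springframework.http.server.reactive.SslInfo
        @Generated
        public String getSessionId() {
            return this.sessionId;
        }

        @Override // org.springframework.http.server.reactive.SslInfo
        @Generated
        public X509Certificate[] getPeerCertificates() {
            return this.peerCertificates;
        }

        /** Two instances are equal when the session ids match and the certificate arrays are deeply equal. */
        @Override
        @Generated
        public boolean equals(Object obj) {
            if (obj == this) {
                return true;
            }
            if (!(obj instanceof CustomSslInfo)) {
                return false;
            }
            CustomSslInfo other = (CustomSslInfo) obj;
            String ownSessionId = getSessionId();
            String otherSessionId = other.getSessionId();
            boolean sameSession = ownSessionId == null ? otherSessionId == null : ownSessionId.equals(otherSessionId);
            return sameSession && Arrays.deepEquals(getPeerCertificates(), other.getPeerCertificates());
        }

        @Override
        @Generated
        public int hashCode() {
            String ownSessionId = getSessionId();
            // Same arithmetic as the generated original: prime 59, constant 43 for a null session id.
            int result = 59 + (ownSessionId == null ? 43 : ownSessionId.hashCode());
            return (result * 59) + Arrays.deepHashCode(getPeerCertificates());
        }

        @Override
        @Generated
        public String toString() {
            return "AcceptForwardedClientCertFilterFactory.CustomSslInfo(sessionId=" + getSessionId() + ", peerCertificates=" + Arrays.deepToString(getPeerCertificates()) + ")";
        }
    }

    /**
     * Creates the factory.
     *
     * @param certificateValidator validator consulted for the certificate chain of the TLS peer
     */
    public AcceptForwardedClientCertFilterFactory(CertificateValidator certificateValidator) {
        super(Config.class);
        this.certificateValidator = certificateValidator;
    }

    /**
     * Reads the first value of the forwarded client certificate header and parses it as a single
     * Base64-encoded X.509 certificate.
     *
     * <p>The certificate is parsed only; nothing here verifies its signature chain or validity.
     *
     * @param serverHttpRequest request whose headers are inspected
     * @return a one-element array with the parsed certificate, or an empty array when the header is
     *     absent
     * @throws IllegalStateException when the header value is not valid Base64 or does not contain a
     *     parsable X.509 certificate
     */
    private X509Certificate[] getClientCertificateFromHeader(ServerHttpRequest serverHttpRequest) {
        String encodedCertificate = serverHttpRequest.getHeaders().getFirst(ForwardClientCertFilterFactory.CLIENT_CERT_HEADER);
        if (encodedCertificate == null) {
            return new X509Certificate[0];
        }
        try (ByteArrayInputStream certificateStream = new ByteArrayInputStream(Base64.getDecoder().decode(encodedCertificate))) {
            X509Certificate forwarded = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(certificateStream);
            return new X509Certificate[] {forwarded};
        } catch (IOException | CertificateException | IllegalArgumentException e) {
            // Base64.Decoder.decode reports malformed input with IllegalArgumentException. It is
            // wrapped like a certificate parsing failure so every malformed header fails the
            // request the same way instead of escaping as a different exception type.
            throw new IllegalStateException(e);
        }
    }

    /**
     * Builds the filter described on the class.
     *
     * @param config unused; {@link Config} has no settings
     * @return filter that swaps in the forwarded certificate for requests from a trusted TLS peer
     */
    @Override // org.springframework.cloud.gateway.filter.factory.GatewayFilterFactory
    public GatewayFilter apply(Config config) {
        return (serverWebExchange, gatewayFilterChain) -> {
            ServerHttpRequest request = serverWebExchange.getRequest();
            SslInfo sslInfo = request.getSslInfo();
            X509Certificate[] peerCertificates = sslInfo == null ? null : sslInfo.getPeerCertificates();
            boolean peerPresentedCertificate = peerCertificates != null && peerCertificates.length > 0;
            // The header is read only after the TLS peer has been accepted as trusted; a request
            // without a trusted peer certificate never reaches the parsing code.
            if (peerPresentedCertificate && this.certificateValidator.isTrusted(peerCertificates)) {
                X509Certificate[] clientCertificateFromHeader = getClientCertificateFromHeader(request);
                if (clientCertificateFromHeader.length > 0) {
                    log.debug("Accepting forwarded client certificate {}", clientCertificateFromHeader[0].getSubjectX500Principal().getName());
                    // The replacement SslInfo carries the forwarded certificate only; the session id
                    // of the real TLS session is not copied and is reported as null.
                    SslInfo forwardedSslInfo = CustomSslInfo.builder().peerCertificates(clientCertificateFromHeader).build();
                    ServerHttpRequest mutatedRequest = request.mutate().sslInfo(forwardedSslInfo).build();
                    return gatewayFilterChain.filter(serverWebExchange.mutate().request(mutatedRequest).build());
                }
            }
            return gatewayFilterChain.filter(serverWebExchange);
        };
    }
}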
