package org.zowe.apiml.security.common.filter;

import java.io.IOException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Base64;
import java.util.List;
import java.util.Set;
import java.util.function.Predicate;
import java.util.stream.Collectors;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import lombok.Generated;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.web.authentication.preauth.x509.X509AuthenticationFilter;

/* loaded from: input_file:BOOT-INF/lib/apiml-security-common-1.23.7.jar:org/zowe/apiml/security/common/filter/ApimlX509Filter.class */
/**
 * X.509 pre-authentication filter that sorts the client certificates of a request into two
 * request attributes before handing the request to {@link X509AuthenticationFilter}.
 *
 * <p>With the default predicates, a certificate whose Base64-encoded public key is contained in
 * {@link #getPublicKeyCertificatesBase64()} stays in {@code javax.servlet.request.X509Certificate};
 * every other certificate is moved to {@code client.auth.X509Certificate}.
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>The classification compares the encoded public key only. Subject, issuer, validity period
 *       and revocation status play no part in it; this class does no chain validation itself.</li>
 *   <li>NOTE(review): the set presumably holds the public keys of certificates trusted to act on
 *       behalf of other clients. Confirm what the constructing code puts into it, because that set
 *       decides which certificates remain in the standard servlet attribute.</li>
 *   <li>The two predicates are replaceable through public setters and are evaluated independently.
 *       A replacement that is not the exact complement of the other predicate can place a
 *       certificate in both attributes or in neither.</li>
 * </ul>
 */
public class ApimlX509Filter extends X509AuthenticationFilter {

    @Generated
    private static final Logger log = LoggerFactory.getLogger(ApimlX509Filter.class);

    /** Request attribute that receives the certificates selected by {@link #certificateForClientAuth}. */
    private static final String ATTRNAME_CLIENT_AUTH_X509_CERTIFICATE = "client.auth.X509Certificate";

    /** Standard servlet attribute; read as input and rewritten with the {@link #notCertificateForClientAuth} selection. */
    private static final String ATTRNAME_JAVAX_SERVLET_REQUEST_X509_CERTIFICATE = "javax.servlet.request.X509Certificate";

    private static final String LOG_FORMAT_FILTERING_CERTIFICATES = "Filtering certificates: {} -> {}";

    /** Base64-encoded public keys used by the default predicates; stored as passed in, without copying. */
    private final Set<String> publicKeyCertificatesBase64;

    /** Default: accepts a certificate whose public key is NOT in the configured set. */
    Predicate<X509Certificate> certificateForClientAuth =
        cert -> !getPublicKeyCertificatesBase64().contains(base64EncodePublicKey(cert));

    /** Default: accepts a certificate whose public key IS in the configured set. */
    Predicate<X509Certificate> notCertificateForClientAuth =
        cert -> getPublicKeyCertificatesBase64().contains(base64EncodePublicKey(cert));

    /**
     * Creates the filter.
     *
     * @param set Base64-encoded public keys consulted by the default predicates; the reference is
     *            kept as is, so later changes to the set are visible to the filter
     */
    @Generated
    public ApimlX509Filter(Set<String> set) {
        this.publicKeyCertificatesBase64 = set;
    }

    /**
     * Returns the set of Base64-encoded public keys given to the constructor.
     *
     * @return the same set instance that was passed in
     */
    public Set<String> getPublicKeyCertificatesBase64() {
        return this.publicKeyCertificatesBase64;
    }

    /**
     * Replaces the predicate that selects certificates for {@code client.auth.X509Certificate}.
     *
     * @param predicate new selection rule; it is not checked against the other predicate
     */
    public void setCertificateForClientAuth(Predicate<X509Certificate> predicate) {
        this.certificateForClientAuth = predicate;
    }

    /**
     * Replaces the predicate that selects certificates kept in
     * {@code javax.servlet.request.X509Certificate}.
     *
     * @param predicate new selection rule; it is not checked against the other predicate
     */
    public void setNotCertificateForClientAuth(Predicate<X509Certificate> predicate) {
        this.notCertificateForClientAuth = predicate;
    }

    /**
     * Encodes the public key of a certificate the way the configured set expects it.
     *
     * @param x509Certificate certificate whose public key is encoded
     * @return Base64 (standard alphabet) of {@code getPublicKey().getEncoded()}
     */
    public String base64EncodePublicKey(X509Certificate x509Certificate) {
        byte[] encodedKey = x509Certificate.getPublicKey().getEncoded();
        return Base64.getEncoder().encodeToString(encodedKey);
    }

    /**
     * Categorizes the request's certificates, then continues with the inherited filter logic.
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        categorizeCerts(servletRequest);
        super.doFilter(servletRequest, servletResponse, filterChain);
    }

    /**
     * Splits the certificates of the standard servlet attribute into the two target attributes.
     * A request without that attribute is left untouched, so an already present
     * {@code client.auth.X509Certificate} attribute is not cleared in that case.
     */
    private void categorizeCerts(ServletRequest request) {
        X509Certificate[] presented =
            (X509Certificate[]) request.getAttribute(ATTRNAME_JAVAX_SERVLET_REQUEST_X509_CERTIFICATE);
        if (presented == null) {
            return;
        }

        // Both selections run on the original array; the standard attribute is overwritten second.
        request.setAttribute(
            ATTRNAME_CLIENT_AUTH_X509_CERTIFICATE,
            selectCerts(presented, this.certificateForClientAuth));
        request.setAttribute(
            ATTRNAME_JAVAX_SERVLET_REQUEST_X509_CERTIFICATE,
            selectCerts(presented, this.notCertificateForClientAuth));

        // Debug output contains the resulting certificate arrays of both attributes.
        log.debug(
            LOG_FORMAT_FILTERING_CERTIFICATES,
            ATTRNAME_CLIENT_AUTH_X509_CERTIFICATE,
            request.getAttribute(ATTRNAME_CLIENT_AUTH_X509_CERTIFICATE));
        log.debug(
            LOG_FORMAT_FILTERING_CERTIFICATES,
            ATTRNAME_JAVAX_SERVLET_REQUEST_X509_CERTIFICATE,
            request.getAttribute(ATTRNAME_JAVAX_SERVLET_REQUEST_X509_CERTIFICATE));
    }

    /**
     * Returns the certificates accepted by the predicate, in their original order.
     * The result is a new array and is empty, never {@code null}, when nothing matches.
     */
    private X509Certificate[] selectCerts(X509Certificate[] candidates, Predicate<X509Certificate> rule) {
        return Arrays.stream(candidates)
            .filter(rule)
            .toArray(X509Certificate[]::new);
    }
}
