package edu.internet2.middleware.shibboleth.utils;

import edu.internet2.middleware.shibboleth.common.LocalPrincipal;
import java.io.IOException;
import java.security.Principal;
import java.security.cert.X509Certificate;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import java.util.regex.PatternSyntaxException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;
import org.apache.log4j.Logger;
import org.apache.log4j.MDC;

/* loaded from: input_file:edu/internet2/middleware/shibboleth/utils/ClientCertTrustFilter.class */
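/**
 * Servlet filter that derives the request's authenticated user from the TLS client certificate.
 *
 * <p>The filter reads the certificate array from the
 * {@code javax.servlet.request.X509Certificate} request attribute, applies a regular expression to
 * the subject DN of the first certificate, and exposes the selected capture group downstream as
 * the remote user / user principal with auth type {@code CLIENT_CERT}.
 *
 * <p>Security notes for deployers:
 * <ul>
 *   <li>This class performs no certificate path validation, revocation checking or issuer
 *       pinning; it only reads the request attribute. It is therefore only as trustworthy as the
 *       component that populated that attribute (presumably the container's TLS layer with client
 *       authentication required; confirm for the deployment).</li>
 *   <li>The default pattern starts with a greedy {@code .*} and is applied with
 *       {@code Matcher.find()}, so when the DN string contains several {@code CN=} occurrences
 *       (including one embedded in another attribute's value) the LAST one is captured. If the
 *       trusted CAs do not constrain every subject attribute, configure a stricter, anchored
 *       {@code regex}.</li>
 *   <li>The subject DN and the extracted name are written to the debug log as received.</li>
 * </ul>
 *
 * <p>Init parameters: {@code regex} (pattern applied to the subject DN) and {@code matchGroup}
 * (index of the capture group holding the principal name).
 */
public class ClientCertTrustFilter implements Filter {
    // Plain class literal; replaces the decompiled class$0 / Class.forName scaffolding, whose
    // catch block called getMessage() on a Class and could not compile.
    private static final Logger log = Logger.getLogger(ClientCertTrustFilter.class.getName());

    /** Pattern applied to the certificate subject DN; overridable through the "regex" init parameter. */
    protected Pattern regex = Pattern.compile(".*CN=([^,/]+).*");

    /** Capture group of {@link #regex} used as the principal name; overridable through "matchGroup". */
    protected int matchGroup = 1;

    /**
     * Request wrapper that reports the certificate-derived principal to downstream components.
     * Static because it needs no reference to the enclosing filter instance.
     */
    private static final class ClientCertTrustWrapper extends HttpServletRequestWrapper {
        private final Principal principal;

        ClientCertTrustWrapper(HttpServletRequest httpServletRequest, Principal principal) {
            super(httpServletRequest);
            this.principal = principal;
        }

        /** Always reports client-certificate authentication. */
        public String getAuthType() {
            return "CLIENT_CERT";
        }

        /** Returns the name of the principal extracted from the certificate subject. */
        public String getRemoteUser() {
            return this.principal.getName();
        }

        /** Returns the principal extracted from the certificate subject. */
        public Principal getUserPrincipal() {
            return this.principal;
        }
    }

    /**
     * Reads the optional "regex" and "matchGroup" init parameters.
     *
     * @param filterConfig container-supplied filter configuration
     * @throws ServletException if "regex" does not compile or "matchGroup" is not an integer
     */
    public void init(FilterConfig filterConfig) throws ServletException {
        String configuredRegex = filterConfig.getInitParameter("regex");
        if (configuredRegex != null) {
            try {
                this.regex = Pattern.compile(configuredRegex);
            } catch (PatternSyntaxException e) {
                // Keep the cause so the operator can see which part of the pattern is invalid.
                throw new ServletException("Failed to start ClientCertTrustFilter: supplied regular expression fails to compile.", e);
            }
        }
        String configuredGroup = filterConfig.getInitParameter("matchGroup");
        if (configuredGroup != null) {
            try {
                this.matchGroup = Integer.parseInt(configuredGroup);
            } catch (NumberFormatException e) {
                throw new ServletException("Failed to start ClientCertTrustFilter: supplied matchGroup is not an integer.", e);
            }
        }
    }

    /**
     * Extracts the principal name from the client certificate and continues the chain with a
     * wrapped request; any request without a usable certificate-derived name is rejected with
     * HTTP 403 and the chain is not invoked.
     *
     * @param servletRequest incoming request; must be an {@link HttpServletRequest}
     * @param servletResponse outgoing response; must be an {@link HttpServletResponse}
     * @param filterChain remainder of the filter chain
     * @throws IOException propagated from the response or the rest of the chain
     * @throws ServletException propagated from the rest of the chain
     */
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        MDC.put("serviceId", "[Client Cert Trust Filter]");
        if (!(servletRequest instanceof HttpServletRequest) || !(servletResponse instanceof HttpServletResponse)) {
            // Fail closed: the chain is not invoked for non-HTTP requests.
            log.error("Only HTTP(s) requests are supported by the ClientCertTrustFilter.");
            return;
        }
        HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;
        HttpServletResponse httpServletResponse = (HttpServletResponse) servletResponse;
        log.debug("Using regex: (" + this.regex.pattern() + ").");
        log.debug("Using matchGroup of (" + this.matchGroup + ")");

        X509Certificate[] x509CertificateArr = (X509Certificate[]) httpServletRequest.getAttribute("javax.servlet.request.X509Certificate");
        // An empty array is treated like a missing certificate; indexing [0] on it would
        // otherwise escape as an uncaught ArrayIndexOutOfBoundsException.
        if (x509CertificateArr == null || x509CertificateArr.length == 0) {
            log.error("Processed a request that did not contain a client certificate.");
            httpServletResponse.sendError(403, "Client certificate required.");
            return;
        }

        // NOTE(review): getSubjectDN().getName() has a provider-dependent string format; a
        // configured regex should be checked against the format the runtime actually produces.
        String subjectName = x509CertificateArr[0].getSubjectDN().getName();
        log.debug("Attempting to extract principal name from Subjet: (" + subjectName + ").");
        Matcher matcher = this.regex.matcher(subjectName);
        if (!matcher.find()) {
            log.error("Principal could not be extracted from Certificate Subject.");
            httpServletResponse.sendError(403, "Client certificate does not contain required data.");
            return;
        }

        // Explicit bounds check instead of catching IndexOutOfBoundsException around the whole
        // chain call: the old catch also swallowed that exception type when it was thrown by
        // downstream filters or servlets and misreported it as a certificate problem.
        if (this.matchGroup < 0 || this.matchGroup > matcher.groupCount()) {
            log.error("Principal could not be extracted from Certificate Subject: matchGroup out of bounds.");
            httpServletResponse.sendError(403, "Client certificate does not contain required data.");
            return;
        }

        String principalName = matcher.group(this.matchGroup);
        // A group that did not participate in the match yields null, and a permissive pattern can
        // yield an empty string; neither may become an authenticated identity.
        if (principalName == null || principalName.length() == 0) {
            log.error("Principal could not be extracted from Certificate Subject.");
            httpServletResponse.sendError(403, "Client certificate does not contain required data.");
            return;
        }

        log.debug("Extracted principal name (" + principalName + ") from Subject.");
        filterChain.doFilter(new ClientCertTrustWrapper(httpServletRequest, new LocalPrincipal(principalName)), servletResponse);
    }

    /** No resources to release. */
    public void destroy() {
    }
}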
