package io.gravitee.policy.sslenforcement;

import io.gravitee.common.util.Maps;
import io.gravitee.gateway.api.Request;
import io.gravitee.gateway.api.Response;
import io.gravitee.policy.api.PolicyChain;
import io.gravitee.policy.api.PolicyResult;
import io.gravitee.policy.api.annotations.OnRequest;
import io.gravitee.policy.sslenforcement.configuration.SslEnforcementPolicyConfiguration;
import java.security.Principal;
import java.util.Iterator;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import javax.security.auth.x500.X500Principal;
import org.bouncycastle.asn1.x500.AttributeTypeAndValue;
import org.bouncycastle.asn1.x500.RDN;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x500.style.IETFUtils;
import org.springframework.util.AntPathMatcher;

/* loaded from: input_file:io/gravitee/policy/sslenforcement/SslEnforcementPolicy.class */
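/**
 * Gateway policy that enforces transport-level requirements on an incoming request.
 *
 * <p>Three checks run in order, each switched on by {@link SslEnforcementPolicyConfiguration}:
 * <ol>
 *   <li>TLS is required but the request carries no {@link SSLSession}: the chain fails with
 *       {@link #SSL_REQUIRED} (403);</li>
 *   <li>client authentication is required but no X.500 peer identity is available: the chain fails with
 *       {@link #AUTHENTICATION_REQUIRED} (401);</li>
 *   <li>client authentication is required, an allowlist of subject DNs is configured, and the peer subject
 *       matches none of its entries: the chain fails with {@link #CLIENT_FORBIDDEN} (403).</li>
 * </ol>
 * A request that passes every applicable check is handed to the next policy.
 *
 * <p>Allowlist entries are compared with the peer subject RDN by RDN, independent of RDN order. Only the
 * configured side is interpreted as an Ant-style pattern ({@code *}, {@code ?}); the certificate value is
 * always treated as literal text, so a crafted subject cannot widen the match.
 */
public class SslEnforcementPolicy {
    private final SslEnforcementPolicyConfiguration configuration;
    static final String SSL_REQUIRED = "SSL_ENFORCEMENT_SSL_REQUIRED";
    static final String AUTHENTICATION_REQUIRED = "SSL_ENFORCEMENT_AUTHENTICATION_REQUIRED";
    static final String CLIENT_FORBIDDEN = "SSL_ENFORCEMENT_CLIENT_FORBIDDEN";

    // One matcher for every comparison instead of a fresh instance per attribute value. Spring's
    // AntPathMatcher is built to be reused across threads (its pattern cache is concurrent).
    private static final AntPathMatcher VALUE_MATCHER = new AntPathMatcher();

    /**
     * @param sslEnforcementPolicyConfiguration the policy settings (TLS required, client auth required,
     *                                          allowlisted subject DNs)
     */
    public SslEnforcementPolicy(SslEnforcementPolicyConfiguration sslEnforcementPolicyConfiguration) {
        this.configuration = sslEnforcementPolicyConfiguration;
    }

    /**
     * Applies the TLS, client-authentication and subject-allowlist checks described on the class.
     *
     * <p>Exactly one of {@code policyChain.doNext} / {@code policyChain.failWith} is invoked.
     *
     * @param request     the incoming request; {@code request.sslSession()} is {@code null} for plain-text traffic
     * @param response    the response being built
     * @param policyChain the chain to continue or to fail
     * @throws IllegalArgumentException if an allowlist entry is not a valid distinguished name
     */
    @OnRequest
    public void onRequest(Request request, Response response, PolicyChain policyChain) {
        SSLSession sslSession = request.sslSession();

        if (sslSession == null) {
            if (this.configuration.isRequiresSsl()) {
                policyChain.failWith(PolicyResult.failure(SSL_REQUIRED, 403, "Access to the resource requires SSL certificate."));
            } else {
                // Plain-text request and TLS is optional: there is no peer identity to check, so let it through.
                policyChain.doNext(request, response);
            }
            return;
        }

        X500Principal peerPrincipal = peerPrincipal(sslSession);
        boolean requiresClientAuth = this.configuration.isRequiresClientAuthentication();
        if (requiresClientAuth && peerPrincipal == null) {
            policyChain.failWith(PolicyResult.failure(AUTHENTICATION_REQUIRED, 401, "Unauthorized"));
            return;
        }

        // The allowlist only applies when client authentication is enforced; without it a TLS session may
        // legitimately have no verified peer.
        if (requiresClientAuth && hasWhitelist()) {
            X500Name peerName = new X500Name(peerPrincipal.getName());
            if (!matchesAnyWhitelistedSubject(peerName)) {
                policyChain.failWith(PolicyResult.failure(CLIENT_FORBIDDEN, 403, "You're not allowed to access this resource", Maps.builder().put("name", peerPrincipal.getName()).build()));
                return;
            }
        }

        policyChain.doNext(request, response);
    }

    /**
     * Returns the verified peer's X.500 principal, or {@code null} when the peer presented no certificate,
     * the handshake did not verify it, or the principal is of some other kind.
     *
     * <p>The TLS API only promises a {@link Principal}; a non-X.500 one cannot be matched against DN allowlist
     * entries, so it is reported as "no client identity" rather than allowed to abort the chain with a
     * {@link ClassCastException}.
     */
    private static X500Principal peerPrincipal(SSLSession sslSession) {
        try {
            Principal principal = sslSession.getPeerPrincipal();
            return principal instanceof X500Principal ? (X500Principal) principal : null;
        } catch (SSLPeerUnverifiedException ignored) {
            // No verified client certificate on this session; whether that is acceptable is the caller's decision.
            return null;
        }
    }

    /** True when the configuration carries at least one allowlisted subject DN. */
    private boolean hasWhitelist() {
        return this.configuration.getWhitelistClientCertificates() != null
            && !this.configuration.getWhitelistClientCertificates().isEmpty();
    }

    /**
     * Tests the peer subject against every configured entry; the first match wins.
     *
     * <p>Each entry is first normalised through {@link X500Principal#getName()} (RFC 2253 form), the same
     * representation the peer subject arrives in, so both sides are parsed identically. A malformed entry
     * raises {@link IllegalArgumentException} from {@link X500Principal}, surfacing the configuration error
     * instead of silently skipping the entry.
     */
    private boolean matchesAnyWhitelistedSubject(X500Name peerName) {
        for (String entry : this.configuration.getWhitelistClientCertificates()) {
            X500Name allowed = new X500Name(new X500Principal(entry).getName());
            if (areEqual(allowed, peerName)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Order-insensitive, RDN-by-RDN comparison modelled on BouncyCastle's {@code X500Name} equality check,
     * with attribute values matched as patterns instead of compared literally.
     *
     * @param expected the allowlist entry; its attribute values are treated as Ant-style patterns
     * @param actual   the peer subject; its attribute values are plain text
     * @return {@code true} when every expected RDN is satisfied by a distinct actual RDN
     */
    private boolean areEqual(X500Name expected, X500Name actual) {
        // Relies on getRDNs() returning a copy (as BouncyCastle's X500Name does): foundMatch() nulls out the
        // actual RDNs it consumes so each one can satisfy at most one expected RDN.
        RDN[] expectedRdns = expected.getRDNs();
        RDN[] actualRdns = actual.getRDNs();
        if (expectedRdns.length != actualRdns.length) {
            return false;
        }
        if (expectedRdns.length == 0) {
            // An empty DN carries nothing to authorise on; never let it stand in as a match
            // (it also keeps the [0] access below in bounds).
            return false;
        }

        // When the leading attribute types differ, the two names were most likely written in opposite orders;
        // scanning the actual RDNs backwards then finds each match on the first probe.
        boolean reverse = false;
        AttributeTypeAndValue expectedFirst = expectedRdns[0].getFirst();
        AttributeTypeAndValue actualFirst = actualRdns[0].getFirst();
        if (expectedFirst != null && actualFirst != null) {
            reverse = !expectedFirst.getType().equals(actualFirst.getType());
        }

        for (RDN expectedRdn : expectedRdns) {
            if (!foundMatch(reverse, expectedRdn, actualRdns)) {
                return false;
            }
        }
        return true;
    }

    /**
     * Finds an unconsumed entry of {@code candidates} equal to {@code rdn} and consumes it by nulling its slot.
     *
     * @param reverse    scan from the end of the array instead of the start
     * @param rdn        the expected RDN (pattern side)
     * @param candidates the actual RDNs still available; mutated on a hit
     * @return {@code true} when a candidate matched
     */
    private boolean foundMatch(boolean reverse, RDN rdn, RDN[] candidates) {
        int count = candidates.length;
        for (int step = 0; step < count; step++) {
            int index = reverse ? count - 1 - step : step;
            if (candidates[index] != null && rDNAreEqual(rdn, candidates[index])) {
                candidates[index] = null;
                return true;
            }
        }
        return false;
    }

    /**
     * Compares two RDNs: single-valued ones by their sole attribute, multi-valued ones attribute by attribute
     * in position order. A single-valued RDN never equals a multi-valued one.
     */
    private static boolean rDNAreEqual(RDN expected, RDN actual) {
        if (expected.isMultiValued() != actual.isMultiValued()) {
            return false;
        }
        if (!expected.isMultiValued()) {
            return atvAreEqual(expected.getFirst(), actual.getFirst());
        }

        AttributeTypeAndValue[] expectedValues = expected.getTypesAndValues();
        AttributeTypeAndValue[] actualValues = actual.getTypesAndValues();
        if (expectedValues.length != actualValues.length) {
            return false;
        }
        for (int i = 0; i < expectedValues.length; i++) {
            if (!atvAreEqual(expectedValues[i], actualValues[i])) {
                return false;
            }
        }
        return true;
    }

    /**
     * Compares one attribute: the types must be identical, and the canonicalised actual value must match the
     * canonicalised expected value taken as an Ant-style pattern.
     *
     * @param expected the configured attribute (pattern side); may be {@code null}
     * @param actual   the certificate attribute (literal side); may be {@code null}
     */
    private static boolean atvAreEqual(AttributeTypeAndValue expected, AttributeTypeAndValue actual) {
        if (expected == actual) {
            return true;
        }
        if (expected == null || actual == null || !expected.getType().equals(actual.getType())) {
            return false;
        }
        // IETFUtils.canonicalize() folds case and normalises whitespace on both sides, so the match is
        // insensitive to how the certificate spells the value; only the configured value is a pattern.
        String pattern = IETFUtils.canonicalize(IETFUtils.valueToString(expected.getValue()));
        String value = IETFUtils.canonicalize(IETFUtils.valueToString(actual.getValue()));
        return VALUE_MATCHER.match(pattern, value);
    }
}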
