package com.mulesoft.mmc.agent.web;

import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.io.IOUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.logging.log4j.core.net.ssl.SslConfigurationDefaults;

/* loaded from: input_file:mule/lib/mule/mmc-agent-impl-3.7.1.jar:com/mulesoft/mmc/agent/web/ConsoleClientCertFilter.class */
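/**
 * Servlet filter that guards the agent's web endpoints with a pinned client certificate.
 *
 * <p>A request is passed down the chain only when it arrived over a secure channel and
 * presents exactly one client certificate that is equal to the certificate stored under
 * the configured alias of the agent trust store. The trust store location, password and
 * alias are read from the servlet context attributes {@code agent.truststore.path},
 * {@code agent.truststore.password} and {@code agent.truststore.alias}.
 *
 * <p>Thread-safety: the container may call {@link #doFilter} from many threads at once.
 * Trust store reloads are serialized by {@link #getTrustStore}, and the reloaded state is
 * published through volatile fields so a request never observes a half-loaded store.
 */
public final class ConsoleClientCertFilter implements Filter {
    /** Minimum time between two attempts to re-read the trust store file, in milliseconds. */
    private static final int TRUST_STORE_RELOAD_TIMEOUT = 30000;
    /** Request attribute under which the container exposes the client certificate(s). */
    private static final String CLIENT_CERT_ATTRIBUTE = "javax.servlet.request.X509Certificate";
    private static final String MSG_UNAVAILABLE = "Service unavailable at this time.";
    private static final String MSG_INTERNAL_ERROR = "Internal server error, please try again.";

    private FilterConfig filterConfig;
    /** Certificate the console must present; replaced on every successful trust store reload. */
    private volatile Certificate consoleCert;
    protected final Log log = LogFactory.getLog(getClass());
    // Configuration is resolved lazily from the servlet context and then cached.
    private volatile String trustStorePath = null;
    private volatile String trustStorePassword = null;
    private volatile String trustStoreAlias = null;
    /** Time of the last reload attempt; only touched while holding this object's monitor. */
    private long lastTrustStoreLoadTime = 0;
    private volatile KeyStore trustStore = null;

    /**
     * Stores the filter configuration; the servlet context is read from it on each request.
     *
     * @param filterConfig configuration supplied by the container
     */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        this.filterConfig = filterConfig;
    }

    /**
     * Authorizes the request against the pinned console certificate before delegating.
     *
     * <p>Responses: 503 for a non-secure request or missing trust store configuration,
     * 403 when no certificate, more or fewer than one certificate, or a non-matching
     * certificate is presented, 500 when the console certificate cannot be obtained or any
     * exception occurs (including one thrown further down the chain).
     *
     * @param servletRequest the incoming request, expected to be an {@link HttpServletRequest}
     * @param servletResponse the response, expected to be an {@link HttpServletResponse}
     * @param filterChain the remainder of the chain, invoked only for an authorized request
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) servletRequest;
        HttpServletResponse response = (HttpServletResponse) servletResponse;
        try {
            if (!request.isSecure()) {
                this.log.warn("Unauthorized HTTP request to the agent from IP address " + request.getRemoteAddr());
                response.sendError(HttpServletResponse.SC_SERVICE_UNAVAILABLE, MSG_UNAVAILABLE);
                return;
            }

            X509Certificate[] clientCerts = (X509Certificate[]) servletRequest.getAttribute(CLIENT_CERT_ATTRIBUTE);
            if (clientCerts == null) {
                this.log.warn("Unauthorized HTTPS request to the agent from IP address " + request.getRemoteAddr() + ": no certificate provided");
                response.sendError(HttpServletResponse.SC_FORBIDDEN, "Not Authorized: Client certificate is missing.");
                return;
            }
            if (clientCerts.length != 1) {
                // Log only the count: the certificates are supplied by the peer, and dumping
                // them in full puts large, multi-line, client-influenced text into the log for
                // every rejected request. An empty array is rejected here as well.
                // NOTE(review): a client that sends its certificate together with issuer
                // certificates is rejected by this check - confirm that is intended.
                this.log.warn("Unauthorized HTTPS request to the agent from IP address " + request.getRemoteAddr() + ": expected exactly one certificate, got " + clientCerts.length);
                response.sendError(HttpServletResponse.SC_FORBIDDEN, "Not Authorized: Too many client certificates.");
                return;
            }

            ServletContext context = this.filterConfig.getServletContext();
            if (this.trustStorePath == null) {
                this.trustStorePath = (String) context.getAttribute("agent.truststore.path");
            }
            if (this.trustStorePassword == null) {
                this.trustStorePassword = (String) context.getAttribute("agent.truststore.password");
            }
            if (this.trustStoreAlias == null) {
                this.trustStoreAlias = (String) context.getAttribute("agent.truststore.alias");
            }
            // Work on local copies so one request sees one consistent set of settings.
            String path = this.trustStorePath;
            String password = this.trustStorePassword;
            String alias = this.trustStoreAlias;
            if (isEmpty(path) || isEmpty(password) || isEmpty(alias)) {
                // Fail closed when the filter is not configured; never log the password itself.
                this.log.error("Agent trust store is not configured: path, password or alias is missing.");
                response.sendError(HttpServletResponse.SC_SERVICE_UNAVAILABLE, MSG_UNAVAILABLE);
                return;
            }

            Certificate pinnedCert;
            try {
                // Called for its side effect of refreshing consoleCert when a reload is due.
                getTrustStore(path, password, alias);
                // Read the volatile field once so the null check and the comparison below
                // use the same certificate even if another thread reloads in between.
                pinnedCert = this.consoleCert;
            } catch (GeneralSecurityException e) {
                this.log.error(e.getMessage(), e);
                response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, MSG_INTERNAL_ERROR);
                return;
            }

            if (pinnedCert == null) {
                this.log.error("Could not read console certificate from trust store " + path + ", alias: " + alias);
                response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "Internal server error: Could not read console certificate from trust store.");
            } else if (clientCerts[0].equals(pinnedCert)) {
                // Authorization is an exact-match pin against the stored certificate.
                // NOTE(review): the validity period is not checked in this filter; confirm
                // whether the TLS layer in front of it rejects expired certificates.
                filterChain.doFilter(servletRequest, servletResponse);
            } else {
                this.log.warn("Unauthorized HTTPS request to the agent from IP address " + request.getRemoteAddr() + ": wrong certificate");
                response.sendError(HttpServletResponse.SC_FORBIDDEN, "Not Authorized: The certificate provided is unauthorized.");
            }
        } catch (Exception e) {
            // Also reached for exceptions thrown by the rest of the chain; the client only
            // ever sees the generic message, details go to the log.
            this.log.error(e.getMessage(), e);
            // sendError throws IllegalStateException once the response is committed, which
            // can happen when the failure occurred further down the chain.
            if (!response.isCommitted()) {
                response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, MSG_INTERNAL_ERROR);
            }
        }
    }

    /** No resources to release. */
    @Override
    public void destroy() {
    }

    /**
     * Returns the agent trust store, re-reading it from disk when the last attempt is older
     * than {@link #TRUST_STORE_RELOAD_TIMEOUT}, and refreshes the pinned console certificate
     * from the given alias after a successful read.
     *
     * <p>The file is loaded into a new {@link KeyStore} that replaces the previous one only
     * after loading succeeded, so concurrent readers never see a partially loaded store.
     * The attempt time is recorded before reading, so a failed read is retried only after
     * the timeout has elapsed again.
     *
     * <p>NOTE(review): when the file is missing, unreadable or fails to load, the previously
     * loaded certificate stays in effect. Decide whether a failed reload should instead
     * clear it so that a removed or replaced trust store revokes access.
     *
     * @param path file system path of the trust store
     * @param password password used to load the trust store
     * @param alias alias of the console certificate inside the trust store
     * @return the most recently loaded trust store, or {@code null} if none was loaded yet
     * @throws GeneralSecurityException if the key store type is unavailable or loading fails
     * @throws IOException if the file cannot be read or the password is wrong
     */
    protected synchronized KeyStore getTrustStore(String path, String password, String alias) throws GeneralSecurityException, IOException {
        long now = System.currentTimeMillis();
        if (now > this.lastTrustStoreLoadTime + TRUST_STORE_RELOAD_TIMEOUT) {
            this.lastTrustStoreLoadTime = now;
            File file = new File(path);
            if (file.exists() && file.canRead()) {
                // NOTE(review): the key store type is taken from a log4j constant; confirm the
                // value and consider a constant owned by this module instead.
                KeyStore reloaded = KeyStore.getInstance(SslConfigurationDefaults.KEYSTORE_TYPE);
                try (InputStream in = new FileInputStream(file)) {
                    reloaded.load(in, password.toCharArray());
                }
                // Publish only after a complete, successful load.
                this.consoleCert = reloaded.getCertificate(alias);
                this.trustStore = reloaded;
            } else {
                this.log.warn("Cannot read agent trust store file " + file.getAbsolutePath());
            }
        }
        return this.trustStore;
    }

    /** Returns {@code true} when the setting is {@code null} or has zero length. */
    private static boolean isEmpty(String value) {
        return value == null || value.length() == 0;
    }
}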
