package org.dataone.solr.servlet;

import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.dataone.client.auth.CertificateManager;
import org.dataone.cn.servlet.http.ProxyServletRequestWrapper;
import org.dataone.portal.PortalCertificateManager;
import org.dataone.service.cn.impl.v2.CNIdentityLDAPImpl;
import org.dataone.service.exceptions.NotAuthorized;
import org.dataone.service.exceptions.NotFound;
import org.dataone.service.exceptions.NotImplemented;
import org.dataone.service.exceptions.ServiceFailure;
import org.dataone.service.types.v1.Session;
import org.dataone.service.types.v1.Subject;
import org.dataone.service.types.v1.SubjectInfo;
import org.dataone.service.types.v1.util.AuthUtils;

/* loaded from: input_file:org/dataone/solr/servlet/SessionAuthorizationUtil.class */
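/**
 * Helpers shared by the Solr servlet filters for turning a caller's credentials into the
 * {@code authorizedSubjects} request parameter and for recognising a TLS client certificate,
 * bearer token or portal cookie that a fronting web server forwarded to this container.
 *
 * <p>NOTE(review): {@link #validateSSLAttributes} reads {@code SSL_CLIENT_VERIFY},
 * {@code SSL_CLIENT_CERT} and the other {@code SSL_*} values from plain request headers. They are
 * only trustworthy when the fronting web server terminates TLS and overwrites (or strips) any
 * client-supplied copies of those headers; this class cannot verify that itself, so the
 * deployment must guarantee it.
 *
 * <p>Thread-safety: all methods are stateless apart from the shared logger and identity service.
 */
public class SessionAuthorizationUtil {
    protected static Log logger = LogFactory.getLog(SessionAuthorizationUtil.class);
    private static final CNIdentityLDAPImpl identityService = new CNIdentityLDAPImpl();

    /** Request attribute the container (or this class) uses to expose the client certificate chain. */
    private static final String CERTIFICATES_ATTR = "javax.servlet.request.X509Certificate";
    /** Header carrying the PEM client certificate; mod_ssl folds it onto one line with spaces. */
    private static final String SSL_CLIENT_CERT_HEADER = "SSL_CLIENT_CERT";
    private static final String CIPHER_SUITE_ATTR = "javax.servlet.request.cipher_suite";
    private static final String SSL_CIPHER_HEADER = "SSL_CIPHER";
    private static final String SSL_SESSION_ID_ATTR = "javax.servlet.request.ssl_session";
    private static final String SSL_SESSIONID_HEADER = "SSL_SESSION_ID";
    private static final String KEY_SIZE_ATTR = "javax.servlet.request.key_size";
    private static final String SSL_CIPHER_USER_KEYSIZE_HEADER = "SSL_CIPHER_USEKEYSIZE";
    /** Header set by the fronting web server to the outcome of client-certificate verification. */
    private static final String SSL_CLIENT_VERIFY_HEADER = "SSL_CLIENT_VERIFY";
    /** Placeholder the fronting web server substitutes for an SSL_* variable that is unset. */
    private static final String MOD_HEADER_NULL = "(null)";
    private static final String D1_AUTHORIZATION_TOKEN_HEADER = "Authorization";

    /** Only this verification outcome makes the forwarded certificate acceptable. */
    private static final String SSL_CLIENT_VERIFY_SUCCESS = "SUCCESS";
    private static final String PEM_BEGIN = "-----BEGIN CERTIFICATE-----";
    private static final String PEM_END = "-----END CERTIFICATE-----";
    private static final String REDACTED = "<redacted>";

    /** Symbolic subjects every authenticated caller is granted, in addition to their own DN(s). */
    private static final String PUBLIC_SUBJECT = "public";
    private static final String AUTHENTICATED_USER_SUBJECT = "authenticatedUser";
    private static final String VERIFIED_USER_SUBJECT = "verifiedUser";
    /** Request parameter that downstream Solr filtering reads the caller's subjects from. */
    private static final String AUTHORIZED_SUBJECTS_PARAM = "authorizedSubjects";

    private SessionAuthorizationUtil() {
    }

    /**
     * Continues the filter chain for a request that carries no usable session, i.e. treats the
     * caller as the public user. No subjects are added to the request.
     *
     * @param proxyServletRequestWrapper the (wrapped) request being filtered
     * @param servletResponse the response to pass down the chain
     * @param filterChain the remainder of the filter chain
     * @throws ServletException propagated from the chain
     * @throws IOException propagated from the chain
     * @throws NotAuthorized declared for callers; not thrown by this method itself
     */
    public static void handleNoCertificateManagerSession(ProxyServletRequestWrapper proxyServletRequestWrapper, ServletResponse servletResponse, FilterChain filterChain) throws ServletException, IOException, NotAuthorized {
        logger.debug("session is null: default to public");
        filterChain.doFilter(proxyServletRequestWrapper, servletResponse);
    }

    /**
     * Resolves every subject the authenticated caller may act as and stores them as the
     * {@code authorizedSubjects} request parameter.
     *
     * <p>The list always starts with {@code public} and {@code authenticatedUser}. If the identity
     * service (or, failing that, the session) provides a {@link SubjectInfo}, the caller's
     * equivalent identities are added via {@link AuthUtils#findPersonsSubjects}, each DN in
     * {@link CertificateManager}'s standardized form; otherwise only the session subject's own
     * (standardized) DN is added.
     *
     * @param proxyServletRequestWrapper request to receive the parameter
     * @param session the authenticated session
     * @param subject the session's subject
     * @throws ServiceFailure propagated from the identity service lookup
     * @throws NotAuthorized propagated from the identity service lookup
     * @throws NotImplemented propagated from the identity service lookup
     */
    public static void addAuthenticatedSubjectsToRequest(ProxyServletRequestWrapper proxyServletRequestWrapper, Session session, Subject subject) throws ServiceFailure, NotAuthorized, NotImplemented {
        List<String> authorizedSubjects = new ArrayList<>();
        authorizedSubjects.add(PUBLIC_SUBJECT);
        authorizedSubjects.add(AUTHENTICATED_USER_SUBJECT);

        SubjectInfo subjectInfo;
        try {
            subjectInfo = identityService.getSubjectInfo(session, subject);
        } catch (NotFound e) {
            // Unknown to the identity service: fall back to whatever the session carries (may be null).
            subjectInfo = session.getSubjectInfo();
        }

        if (subjectInfo == null) {
            authorizedSubjects.add(standardizeDn(subject.getValue()));
        } else {
            HashSet<Subject> equivalentSubjects = new HashSet<>();
            AuthUtils.findPersonsSubjects(equivalentSubjects, subjectInfo, subject);
            for (Subject equivalent : equivalentSubjects) {
                if (equivalent == null) {
                    continue;
                }
                String value = equivalent.getValue();
                if (VERIFIED_USER_SUBJECT.equals(value)) {
                    // Symbolic group, not a DN: never run it through standardizeDN.
                    authorizedSubjects.add(VERIFIED_USER_SUBJECT);
                } else {
                    authorizedSubjects.add(standardizeDn(value));
                }
            }
        }
        // The list is never empty here: the two symbolic subjects are always present.
        proxyServletRequestWrapper.setParameterValues(AUTHORIZED_SUBJECTS_PARAM, authorizedSubjects.toArray(new String[0]));
    }

    /** Returns the DN in CertificateManager's canonical form, or the input unchanged (with a warning) if that fails. */
    private static String standardizeDn(String dn) {
        try {
            return CertificateManager.getInstance().standardizeDN(dn);
        } catch (Exception e) {
            logger.warn("Could not standardize DN for: " + dn, e);
            return dn;
        }
    }

    /**
     * Determines whether the request carries a credential this filter understands, materialising a
     * forwarded client certificate as a request attribute on the way.
     *
     * <p>Precedence, matching the previous behaviour of this method:
     * <ol>
     *   <li>the container already set {@code javax.servlet.request.X509Certificate}: accepted;</li>
     *   <li>{@code SSL_CLIENT_VERIFY} is {@code SUCCESS}: accepted only if {@code SSL_CLIENT_CERT}
     *       parses as an X.509 certificate, in which case the certificate, cipher suite, TLS session
     *       id and key size are copied into the standard request attributes. A successful
     *       verification with an unusable certificate is rejected without falling back to a token
     *       or cookie;</li>
     *   <li>an {@code Authorization} header with a real value: accepted;</li>
     *   <li>a portal cookie: accepted.</li>
     * </ol>
     * Header-name matching is exact (case-sensitive), as before.
     *
     * @param proxyServletRequestWrapper the request to inspect and, for a forwarded certificate, to annotate
     * @return {@code true} if one of the credentials above was found
     */
    public static boolean validateSSLAttributes(ProxyServletRequestWrapper proxyServletRequestWrapper) {
        Cookie cookie = PortalCertificateManager.getInstance().getCookie(proxyServletRequestWrapper);
        List<String> attributeNames = Collections.list(proxyServletRequestWrapper.getAttributeNames());
        if (attributeNames.contains(CERTIFICATES_ATTR)) {
            // The container terminated TLS itself and already exposed the client certificate.
            return true;
        }

        List<String> headerNames = Collections.list(proxyServletRequestWrapper.getHeaderNames());
        if (logger.isDebugEnabled()) {
            logHeaders(proxyServletRequestWrapper, headerNames);
        }

        if (headerNames.contains(SSL_CLIENT_VERIFY_HEADER)
                && SSL_CLIENT_VERIFY_SUCCESS.equals(proxyServletRequestWrapper.getHeader(SSL_CLIENT_VERIFY_HEADER))) {
            return installForwardedCertificate(proxyServletRequestWrapper);
        }
        if (hasAuthorizationToken(proxyServletRequestWrapper, headerNames)) {
            // The token is a bearer credential: record its presence, never its value.
            logger.debug("session passed via token: Authorization header present");
            return true;
        }
        if (cookie != null) {
            // The cookie value is a credential too; log only the name.
            logger.debug("portal cookie found: " + cookie.getName());
            return true;
        }
        return false;
    }

    /** True if a forwarded header carries a real value rather than being absent or the "(null)" placeholder. */
    private static boolean isSet(String headerValue) {
        return headerValue != null && !MOD_HEADER_NULL.equals(headerValue);
    }

    /** True if the request names an Authorization header whose value is not the "(null)" placeholder. */
    private static boolean hasAuthorizationToken(ProxyServletRequestWrapper request, List<String> headerNames) {
        return headerNames.contains(D1_AUTHORIZATION_TOKEN_HEADER)
                && isSet(request.getHeader(D1_AUTHORIZATION_TOKEN_HEADER));
    }

    /** Debug-logs every request header, redacting values that carry credentials. */
    private static void logHeaders(ProxyServletRequestWrapper request, List<String> headerNames) {
        for (String name : headerNames) {
            String value = isSensitiveHeader(name) ? REDACTED : request.getHeader(name);
            logger.debug(name + ": " + value);
        }
    }

    /** Headers whose values must never reach the log. */
    private static boolean isSensitiveHeader(String name) {
        return D1_AUTHORIZATION_TOKEN_HEADER.equalsIgnoreCase(name)
                || "Proxy-Authorization".equalsIgnoreCase(name)
                || "Cookie".equalsIgnoreCase(name);
    }

    /**
     * Parses SSL_CLIENT_CERT into the X509Certificate request attribute and copies the companion
     * SSL_* headers into their attributes; returns false (with a warning) if the certificate is
     * missing or unparsable.
     */
    private static boolean installForwardedCertificate(ProxyServletRequestWrapper request) {
        String forwardedPem = request.getHeader(SSL_CLIENT_CERT_HEADER);
        if (!isSet(forwardedPem)) {
            return false;
        }
        try {
            X509Certificate certificate = parseForwardedCertificate(forwardedPem);
            request.setAttribute(CERTIFICATES_ATTR, new X509Certificate[] { certificate });
        } catch (CertificateException e) {
            logger.warn("sslValve.certError", e);
            return false;
        }
        copyHeaderToAttribute(request, SSL_CIPHER_HEADER, CIPHER_SUITE_ATTR);
        copyHeaderToAttribute(request, SSL_SESSIONID_HEADER, SSL_SESSION_ID_ATTR);
        String keySize = request.getHeader(SSL_CIPHER_USER_KEYSIZE_HEADER);
        if (isSet(keySize)) {
            try {
                request.setAttribute(KEY_SIZE_ATTR, Integer.valueOf(keySize));
            } catch (NumberFormatException e) {
                // A malformed header must not abort the filter chain; the attribute is simply left unset.
                logger.warn("Ignoring non-numeric " + SSL_CIPHER_USER_KEYSIZE_HEADER + " header: " + keySize);
            }
        }
        return true;
    }

    /** Copies a forwarded header into a request attribute when it carries a real value. */
    private static void copyHeaderToAttribute(ProxyServletRequestWrapper request, String headerName, String attributeName) {
        String value = request.getHeader(headerName);
        if (isSet(value)) {
            request.setAttribute(attributeName, value);
        }
    }

    /**
     * Rebuilds a PEM block from the forwarded header and decodes it.
     *
     * <p>The web server folds the PEM onto a single line by replacing newlines with spaces, which
     * also turns the space inside {@code BEGIN CERTIFICATE} into a line break if the whole value is
     * unfolded blindly; so the markers are located first and only the base64 body is unfolded.
     *
     * @throws CertificateException if the markers are missing or the body does not decode
     */
    private static X509Certificate parseForwardedCertificate(String headerValue) throws CertificateException {
        int begin = headerValue.indexOf(PEM_BEGIN);
        int end = begin < 0 ? -1 : headerValue.indexOf(PEM_END, begin + PEM_BEGIN.length());
        if (begin < 0 || end < 0) {
            throw new CertificateException(SSL_CLIENT_CERT_HEADER + " header does not contain a PEM certificate block");
        }
        String body = headerValue.substring(begin + PEM_BEGIN.length(), end).trim().replace(' ', '\n');
        String pem = PEM_BEGIN + "\n" + body + "\n" + PEM_END + "\n";
        CertificateFactory factory = CertificateFactory.getInstance("X.509");
        // PEM is pure ASCII; never depend on the platform default charset for it.
        return (X509Certificate) factory.generateCertificate(
                new ByteArrayInputStream(pem.getBytes(StandardCharsets.US_ASCII)));
    }
}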
