package io.confluent.common.security.auth;

import com.google.common.base.Strings;
import jakarta.servlet.Filter;
import jakarta.servlet.FilterChain;
import jakarta.servlet.FilterConfig;
import jakarta.servlet.ServletException;
import jakarta.servlet.ServletRequest;
import jakarta.servlet.ServletResponse;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletRequestWrapper;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Enumeration;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/confluent/common/security/auth/MtlsLeaderProxyFilter.class */
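/**
 * Servlet filter that attaches an impersonation bearer token to mTLS-authenticated
 * requests that are about to be forwarded to the leader.
 *
 * <p>A token is requested from the {@link TokenProvider} only when all of the
 * following hold, checked in this order:
 * <ol>
 *   <li>the {@link LeaderForwardChecker} reports that the request should be forwarded,</li>
 *   <li>the request carries no (or an empty) {@code Authorization} header, and</li>
 *   <li>the request's user principal is a {@link CertificatePrincipal}.</li>
 * </ol>
 * A non-empty client-supplied {@code Authorization} header is therefore never replaced.
 *
 * <p>Security notes: the token is a bearer credential and is deliberately never
 * written to the log; only the principal name and request URI are logged. When no
 * token can be obtained the request continues down the chain unmodified.
 * NOTE(review): that path presumably relies on downstream components to authenticate
 * or reject the request. Confirm against the leader-side handling.
 */
public class MtlsLeaderProxyFilter implements Filter {
    private static final Logger log = LoggerFactory.getLogger(MtlsLeaderProxyFilter.class);
    private final LeaderForwardChecker<HttpServletRequest> leaderForwardChecker;
    private final TokenProvider<String> tokenProvider;

    /**
     * Request wrapper that presents a synthetic {@code Authorization: Bearer <token>}
     * header to downstream filters and servlets once
     * {@link #addAuthorizationHeader(String)} has been called. Until then every
     * header accessor delegates to the wrapped request.
     */
    public static class MtlsImpersonationRequestWrapper extends HttpServletRequestWrapper {
        private static final String AUTHORIZATION_KEY = "Authorization";
        private static final String BEARER_PREFIX = "Bearer ";
        // Full header value ("Bearer <token>"); null until a token has been attached.
        private String authorizationValue;

        /**
         * @param httpServletRequest the request to wrap
         */
        public MtlsImpersonationRequestWrapper(HttpServletRequest httpServletRequest) {
            super(httpServletRequest);
        }

        /**
         * Sets the value reported for the {@code Authorization} header.
         *
         * @param str the raw token; it is concatenated as-is after the {@code Bearer }
         *     prefix, so callers must pass a non-empty value
         */
        public void addAuthorizationHeader(String str) {
            this.authorizationValue = BEARER_PREFIX + str;
        }

        /**
         * Returns the synthetic value for {@code Authorization} (matched
         * case-insensitively) when one is set, otherwise the wrapped request's value.
         */
        @Override
        public String getHeader(String str) {
            if (this.authorizationValue != null && AUTHORIZATION_KEY.equalsIgnoreCase(str)) {
                return this.authorizationValue;
            }
            return super.getHeader(str);
        }

        /**
         * Returns the wrapped request's header names, plus {@code Authorization}
         * when a synthetic value is set and the name is not already listed.
         */
        @Override
        public Enumeration<String> getHeaderNames() {
            ArrayList<String> names = Collections.list(super.getHeaderNames());
            if (this.authorizationValue != null) {
                // Header names are case-insensitive: a request that already lists
                // "authorization" (e.g. with an empty value) must not get a second,
                // differently-cased entry for the same header.
                boolean alreadyListed = false;
                for (String name : names) {
                    if (AUTHORIZATION_KEY.equalsIgnoreCase(name)) {
                        alreadyListed = true;
                        break;
                    }
                }
                if (!alreadyListed) {
                    names.add(AUTHORIZATION_KEY);
                }
            }
            return Collections.enumeration(names);
        }

        /**
         * Returns a single-element enumeration holding the synthetic value for
         * {@code Authorization} when one is set, otherwise the wrapped request's values.
         */
        @Override
        public Enumeration<String> getHeaders(String str) {
            if (this.authorizationValue != null && AUTHORIZATION_KEY.equalsIgnoreCase(str)) {
                return Collections.enumeration(Collections.singleton(this.authorizationValue));
            }
            return super.getHeaders(str);
        }
    }

    /**
     * @param leaderForwardChecker decides whether a request should be forwarded to the leader
     * @param tokenProvider supplies the impersonation token for a certificate principal name
     */
    public MtlsLeaderProxyFilter(LeaderForwardChecker<HttpServletRequest> leaderForwardChecker, TokenProvider<String> tokenProvider) {
        this.leaderForwardChecker = leaderForwardChecker;
        this.tokenProvider = tokenProvider;
    }

    /** No initialization is required. */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
    }

    /**
     * Wraps eligible requests with an impersonation bearer token before passing
     * them down the chain; all other requests are passed through unchanged.
     *
     * @throws IOException if the downstream chain throws it
     * @throws ServletException if the downstream chain throws it
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        if (!(servletRequest instanceof HttpServletRequest)) {
            // Nothing to impersonate on a non-HTTP request; pass it through rather
            // than failing with a ClassCastException.
            filterChain.doFilter(servletRequest, servletResponse);
            return;
        }
        HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;
        if (this.leaderForwardChecker.shouldForwardToLeader(httpServletRequest)
                && Strings.isNullOrEmpty(httpServletRequest.getHeader(MtlsImpersonationRequestWrapper.AUTHORIZATION_KEY))) {
            // Read the principal once so the type check and the name lookup are
            // guaranteed to refer to the same object.
            java.security.Principal principal = httpServletRequest.getUserPrincipal();
            if (principal instanceof CertificatePrincipal) {
                String name = principal.getName();
                log.debug("Getting impersonation token for certificate user: `{}` calling: `{}`.", name, httpServletRequest.getRequestURI());
                String token = this.tokenProvider.get(name);
                // Treat an empty token like a missing one: forwarding a bare
                // "Bearer " header would present a malformed credential downstream.
                if (!Strings.isNullOrEmpty(token)) {
                    MtlsImpersonationRequestWrapper wrapped = new MtlsImpersonationRequestWrapper(httpServletRequest);
                    wrapped.addAuthorizationHeader(token);
                    filterChain.doFilter(wrapped, servletResponse);
                    return;
                }
                // The token itself is never logged; only the principal and URI are.
                log.warn("Continuing without adding a token in request for certificate user: `{}` calling: `{}`.", name, httpServletRequest.getRequestURI());
            }
        }
        filterChain.doFilter(servletRequest, servletResponse);
    }

    /** No resources to release. */
    @Override
    public void destroy() {
    }
}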
