package net.shibboleth.idp.authn.impl;

import java.io.IOException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import javax.security.auth.Subject;
import javax.servlet.ServletConfig;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import net.shibboleth.idp.authn.AuthnEventIds;
import net.shibboleth.idp.authn.ExternalAuthentication;
import net.shibboleth.idp.authn.ExternalAuthenticationException;
import net.shibboleth.utilities.java.support.annotation.constraint.NotEmpty;
import net.shibboleth.utilities.java.support.resolver.CriteriaSet;
import org.opensaml.security.SecurityException;
import org.opensaml.security.messaging.ServletRequestX509CredentialAdapter;
import org.opensaml.security.trust.TrustEngine;
import org.opensaml.security.x509.BasicX509Credential;
import org.opensaml.security.x509.X509Credential;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.web.context.WebApplicationContext;
import org.springframework.web.context.support.WebApplicationContextUtils;

/* loaded from: input_file:WEB-INF/lib/idp-authn-impl-4.1.2.jar:net/shibboleth/idp/authn/impl/X509AuthServlet.class */
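/**
 * Servlet that completes an IdP "external authentication" flow using the TLS client
 * certificate chain the servlet container attached to the request.
 *
 * <p>Behaviour, in order:</p>
 * <ol>
 *   <li>Read the certificate chain from the request attribute named by
 *       {@link ServletRequestX509CredentialAdapter#X509_CERT_REQUEST_ATTRIBUTE}, falling back to
 *       the Jakarta attribute name when the first is absent or empty.</li>
 *   <li>If no chain is present, finish the flow with {@link AuthnEventIds#NO_CREDENTIALS}.</li>
 *   <li>If a {@link TrustEngine} is configured, validate the chain with it (with an empty
 *       {@link CriteriaSet}); a negative result finishes the flow with
 *       {@link AuthnEventIds#INVALID_CREDENTIALS}, an exception is reported via
 *       {@link ExternalAuthentication#AUTHENTICATION_EXCEPTION_KEY}.</li>
 *   <li>Build a {@link Subject} holding the end-entity certificate's {@code X500Principal}
 *       (and, by default, the certificate itself as a public credential) and hand it back to
 *       the flow.</li>
 * </ol>
 *
 * <p>Security note: when no trust engine is configured (the default), the chain is accepted as
 * presented, so the container's TLS client-authentication configuration is the only check that
 * the certificate is trustworthy. Configure the {@code trustEngine} init parameter whenever the
 * container's verification is not sufficient on its own.</p>
 *
 * <p>Init parameters: {@code trustEngine} (name of a Spring bean implementing
 * {@link TrustEngine}) and {@code saveCertificateToCredentialSet} (boolean, default true).
 * Request parameters: {@code x509passthrough} (sets a UI hint cookie) and
 * {@link ExternalAuthentication#REVOKECONSENT_KEY}.</p>
 */
public class X509AuthServlet extends HttpServlet {
    private static final long serialVersionUID = 7466474175700654990L;

    /** Init parameter naming the Spring bean that supplies the {@link TrustEngine}. */
    @NotEmpty
    @Nonnull
    private static final String TRUST_ENGINE_PARAM = "trustEngine";

    /** Init parameter controlling whether the certificate is added to the Subject's public credentials. */
    @NotEmpty
    @Nonnull
    private static final String SAVECERT_ENGINE_PARAM = "saveCertificateToCredentialSet";

    /** Request parameter (and cookie name) used to request the UI passthrough cookie. */
    @NotEmpty
    @Nonnull
    private static final String PASSTHROUGH_PARAM = "x509passthrough";

    /** Fallback request attribute under which Jakarta-based containers expose the client chain. */
    @NotEmpty
    @Nonnull
    private static final String JAKARTA_CERT_REQUEST_ATTRIBUTE = "jakarta.servlet.request.X509Certificate";

    /** Lifetime of the passthrough cookie in seconds (one year). */
    private static final int PASSTHROUGH_COOKIE_MAX_AGE = 31536000;

    /** Optional engine used to validate the presented chain; null means "trust the container". */
    @Nullable
    private TrustEngine<? super X509Credential> trustEngine;

    @Nonnull
    private final Logger log = LoggerFactory.getLogger(X509AuthServlet.class);

    /** Whether the end-entity certificate is stored in the Subject's public credential set. */
    private boolean saveCertificateToCredentialSet = true;

    /**
     * Sets the trust engine used to validate the client certificate chain.
     *
     * @param trustEngine the engine, or null to skip validation in this servlet
     */
    public void setTrustEngine(@Nullable final TrustEngine<? super X509Credential> trustEngine) {
        this.trustEngine = trustEngine;
    }

    /**
     * Sets whether the end-entity certificate is added to the Subject's public credentials.
     *
     * @param z true to store the certificate (the default)
     */
    public void setSaveCertificateToCredentialSet(final boolean z) {
        this.saveCertificateToCredentialSet = z;
    }

    /**
     * Reads the {@code trustEngine} and {@code saveCertificateToCredentialSet} init parameters.
     *
     * @param servletConfig the servlet configuration
     * @throws ServletException if the named bean exists but is not a {@link TrustEngine}
     */
    @Override
    public void init(final ServletConfig servletConfig) throws ServletException {
        super.init(servletConfig);

        final WebApplicationContext context =
                WebApplicationContextUtils.getRequiredWebApplicationContext(getServletContext());

        final String beanName = servletConfig.getInitParameter(TRUST_ENGINE_PARAM);
        if (beanName != null) {
            log.debug("Looking up TrustEngine bean: {}", beanName);
            // A bean that does not exist surfaces as Spring's own (unchecked) exception from getBean;
            // only the wrong-type case is reported here.
            final Object bean = context.getBean(beanName);
            if (!(bean instanceof TrustEngine)) {
                throw new ServletException("Bean " + beanName + " is not a TrustEngine");
            }
            // Erasure makes the parameterised cast unchecked; the instanceof check above is the
            // strongest guarantee available at runtime.
            @SuppressWarnings("unchecked")
            final TrustEngine<? super X509Credential> engine = (TrustEngine<? super X509Credential>) bean;
            trustEngine = engine;
        }

        final String saveCert = servletConfig.getInitParameter(SAVECERT_ENGINE_PARAM);
        if (saveCert != null) {
            setSaveCertificateToCredentialSet(Boolean.parseBoolean(saveCert));
        }
    }

    /**
     * Handles every HTTP method: extracts the client certificate chain, optionally validates it,
     * and finishes the external authentication flow with either a Subject or an error.
     *
     * @param httpServletRequest the request
     * @param httpServletResponse the response
     * @throws ServletException if the external authentication flow cannot be started or finished
     * @throws IOException on I/O error while finishing the flow
     */
    @Override
    protected void service(final HttpServletRequest httpServletRequest,
            final HttpServletResponse httpServletResponse) throws ServletException, IOException {
        try {
            final String key = ExternalAuthentication.startExternalAuthentication(httpServletRequest);

            final X509Certificate[] chain = getCertificateChain(httpServletRequest);
            log.debug("{} X.509 Certificate(s) found in request", chain != null ? chain.length : 0);
            if (chain == null || chain.length == 0) {
                log.error("No X.509 Certificates found in request");
                httpServletRequest.setAttribute(ExternalAuthentication.AUTHENTICATION_ERROR_KEY,
                        AuthnEventIds.NO_CREDENTIALS);
                ExternalAuthentication.finishExternalAuthentication(key, httpServletRequest, httpServletResponse);
                return;
            }

            // Per the Servlet API contract, index 0 holds the client's own (end-entity) certificate.
            final X509Certificate cert = chain[0];
            log.debug("End-entity X.509 certificate found with subject '{}', issued by '{}'",
                    cert.getSubjectX500Principal().getName(), cert.getIssuerX500Principal().getName());

            if (trustEngine != null) {
                try {
                    if (!validateChain(chain)) {
                        log.warn("Trust engine failed to validate X.509 certificate");
                        httpServletRequest.setAttribute(ExternalAuthentication.AUTHENTICATION_ERROR_KEY,
                                AuthnEventIds.INVALID_CREDENTIALS);
                        ExternalAuthentication.finishExternalAuthentication(key, httpServletRequest,
                                httpServletResponse);
                        return;
                    }
                    log.debug("Trust engine validated X.509 certificate");
                } catch (final SecurityException e) {
                    log.error("Exception raised by trust engine", e);
                    httpServletRequest.setAttribute(ExternalAuthentication.AUTHENTICATION_EXCEPTION_KEY, e);
                    ExternalAuthentication.finishExternalAuthentication(key, httpServletRequest,
                            httpServletResponse);
                    return;
                }
            }

            // parseBoolean(null) is false, so a missing parameter needs no separate check.
            if (Boolean.parseBoolean(httpServletRequest.getParameter(PASSTHROUGH_PARAM))) {
                addPassthroughCookie(httpServletRequest, httpServletResponse);
            }

            final Subject subject = new Subject();
            if (saveCertificateToCredentialSet) {
                subject.getPublicCredentials().add(cert);
            }
            subject.getPrincipals().add(cert.getSubjectX500Principal());
            httpServletRequest.setAttribute(ExternalAuthentication.SUBJECT_KEY, subject);

            final String revokeConsent = httpServletRequest.getParameter(ExternalAuthentication.REVOKECONSENT_KEY);
            if ("1".equals(revokeConsent) || "true".equals(revokeConsent)) {
                httpServletRequest.setAttribute(ExternalAuthentication.REVOKECONSENT_KEY, Boolean.TRUE);
            }

            ExternalAuthentication.finishExternalAuthentication(key, httpServletRequest, httpServletResponse);
        } catch (final ExternalAuthenticationException e) {
            throw new ServletException("Error processing external authentication request", e);
        }
    }

    /**
     * Returns the client certificate chain the container attached to the request.
     *
     * @param request the request
     * @return the chain, or null if neither attribute is set (an empty array may also be returned)
     */
    @Nullable
    private X509Certificate[] getCertificateChain(@Nonnull final HttpServletRequest request) {
        X509Certificate[] chain = (X509Certificate[]) request.getAttribute(
                ServletRequestX509CredentialAdapter.X509_CERT_REQUEST_ATTRIBUTE);
        if (chain == null || chain.length == 0) {
            // Containers built on the Jakarta namespace publish the chain under a different attribute name.
            chain = (X509Certificate[]) request.getAttribute(JAKARTA_CERT_REQUEST_ATTRIBUTE);
        }
        return chain;
    }

    /**
     * Validates the chain with the configured trust engine.
     *
     * <p>No resolution criteria are supplied, so the engine must carry its own trust anchors and
     * policy; validation is entirely the engine's responsibility.</p>
     *
     * @param chain the non-empty chain, end-entity certificate first
     * @return whether the engine accepted the credential
     * @throws SecurityException if the engine fails while evaluating the credential
     */
    private boolean validateChain(@Nonnull final X509Certificate[] chain) throws SecurityException {
        final BasicX509Credential credential = new BasicX509Credential(chain[0]);
        credential.setEntityCertificateChain(Arrays.asList(chain));
        return trustEngine.validate(credential, new CriteriaSet());
    }

    /**
     * Adds the long-lived, secure-only UI passthrough cookie.
     *
     * <p>The cookie carries only the constant value "1" and is a UI hint; it plays no part in
     * authentication decisions made by this servlet.</p>
     *
     * @param request the request, used for the context path
     * @param response the response to add the cookie to
     */
    private void addPassthroughCookie(@Nonnull final HttpServletRequest request,
            @Nonnull final HttpServletResponse response) {
        log.debug("Setting UI passthrough cookie");
        final Cookie cookie = new Cookie(PASSTHROUGH_PARAM, "1");
        cookie.setPath(request.getContextPath());
        cookie.setMaxAge(PASSTHROUGH_COOKIE_MAX_AGE);
        cookie.setSecure(true);
        // NOTE(review): HttpOnly is left unset, as before; if no client-side script reads this
        // flag, setHttpOnly(true) would be the safer default — confirm against the UI code.
        response.addCookie(cookie);
    }
}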
