package org.alfresco.web.scripts.servlet;

import java.io.IOException;
import java.security.cert.X509Certificate;
import java.util.Set;
import java.util.regex.Pattern;
import javax.management.Attribute;
import javax.management.MBeanServer;
import javax.management.MBeanServerFactory;
import javax.management.ObjectName;
import javax.management.Query;
import javax.management.QueryExp;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;

/* loaded from: input_file:WEB-INF/lib/alfresco-core-15.13.jar:org/alfresco/web/scripts/servlet/X509ServletFilterBase.class */
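/**
 * Base servlet filter that gates requests on the presence of an acceptable X.509 client certificate.
 *
 * <p>When enforcement is switched on (see {@link #checkEnforce(ServletContext)}), a request is only
 * passed down the chain if the container has published a client certificate chain on the request and
 * the first certificate in it is inside its validity period and, optionally, has a subject DN that
 * contains the configured {@code cert-contains} init parameter.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>This class does not verify the certificate chain or revocation status. It only inspects the
 *       certificate the container hands over; presumably chain trust is established by the
 *       container's TLS layer against its trust store. Confirm the connector configuration.</li>
 *   <li>{@code cert-contains} is a plain substring match over the whole subject DN string, so it can
 *       be satisfied by any attribute of the DN, not only the CN. If it is unset, any certificate
 *       that passes the validity check is accepted.</li>
 *   <li>When enforcement is off, every request is passed through unchecked.</li>
 * </ul>
 */
public abstract class X509ServletFilterBase implements Filter {
    /** Request attribute under which the client certificate chain is read. */
    private static final String ATTR_CLIENT_CERTS = "javax.servlet.request.X509Certificate";

    /** Filter init parameter holding the substring the subject DN must contain. */
    private static final String PARAM_CERT_CONTAINS = "cert-contains";

    private static final Pattern PATTERN_CRLF = Pattern.compile("(\\r|\\n)");
    private static final Log logger = LogFactory.getLog(X509ServletFilterBase.class);

    /** Whether certificate checks are applied; set once in {@link #init(FilterConfig)}. */
    protected boolean enforce;

    /** HTTPS port used for the plain-HTTP redirect; {@code null} disables the redirect. */
    private String httpsPort;

    /** Substring the subject DN must contain; {@code null} disables the subject check. */
    private String certContains;

    /**
     * Initializes the filter: attempts to make sure Tomcat requests client certificates, decides
     * whether enforcement is on, and reads the {@code cert-contains} init parameter.
     *
     * @param filterConfig the filter configuration supplied by the container
     * @throws ServletException wrapping any exception raised during initialization
     */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        try {
            if (logger.isDebugEnabled()) {
                logger.debug("Initializing X509ServletFilter");
            }
            handleClientAuth();
            this.enforce = checkEnforce(filterConfig.getServletContext());
            if (logger.isDebugEnabled()) {
                logger.debug("Enforcing X509 Authentication:" + this.enforce);
            }
            if (this.enforce) {
                this.certContains = filterConfig.getInitParameter(PARAM_CERT_CONTAINS);
                if (logger.isDebugEnabled()) {
                    if (this.certContains == null) {
                        logger.debug("Not enforcing cert-contains");
                    } else {
                        logger.debug("Enforcing cert-contains:" + this.certContains);
                    }
                }
            }
        } catch (Exception e) {
            throw new ServletException(e);
        }
    }

    /**
     * Sets the HTTPS port that non-secure requests without a valid certificate are redirected to.
     *
     * @param i the HTTPS port number
     */
    public void setHttpsPort(int i) {
        this.httpsPort = Integer.toString(i);
    }

    /**
     * Applies the certificate check to a request.
     *
     * <p>With enforcement off the request is passed straight down the chain. With enforcement on, a
     * request carrying an acceptable certificate is passed on; otherwise a secure request (or any
     * request when no HTTPS port is configured) gets a 403, and a non-secure request is redirected to
     * the same path on the configured HTTPS port.
     *
     * @param servletRequest the incoming request
     * @param servletResponse the response
     * @param filterChain the remaining filter chain
     * @throws IOException if writing the error or redirect fails, or the chain throws it
     * @throws ServletException if the chain throws it
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        if (!this.enforce) {
            filterChain.doFilter(servletRequest, servletResponse);
            return;
        }
        // The HTTP casts are only needed on the enforcing path, so a non-enforcing filter never
        // fails on a non-HTTP request.
        HttpServletRequest httpRequest = (HttpServletRequest) servletRequest;
        HttpServletResponse httpResponse = (HttpServletResponse) servletResponse;
        if (logger.isDebugEnabled()) {
            logger.debug("Enforcing X509 request");
        }
        if (validCert((X509Certificate[]) httpRequest.getAttribute(ATTR_CLIENT_CERTS))) {
            if (logger.isDebugEnabled()) {
                logger.debug("Cert is valid");
            }
            filterChain.doFilter(servletRequest, servletResponse);
            return;
        }
        if (logger.isDebugEnabled()) {
            logger.debug("Cert is invalid");
        }
        if (httpRequest.isSecure() || this.httpsPort == null) {
            httpResponse.sendError(HttpServletResponse.SC_FORBIDDEN, "X509 Authentication failure");
            return;
        }
        // Strip CR/LF before the value reaches either the log or the Location header.
        String target = sanitize(buildHttpsRedirect(httpRequest));
        if (logger.isDebugEnabled()) {
            logger.debug("Redirecting to:" + target);
        }
        httpResponse.sendRedirect(target);
    }

    /**
     * Builds the HTTPS equivalent of the current request URL from its components.
     *
     * <p>The URL is assembled from scheme, host, port and path rather than by textual replacement
     * on the full request URL: replacing every occurrence of the port digits or of {@code "http"}
     * would also rewrite matching text inside the host name or path, and would leave the port
     * unchanged when the request URL carries no explicit port.
     *
     * <p>NOTE(review): the host comes from {@code getServerName()}, which is normally derived from
     * the request itself. If the container or a front-end proxy does not already restrict accepted
     * host names, consider redirecting to a configured canonical host instead.
     *
     * @param request the non-secure request being redirected
     * @return the redirect target, including the original query string if present
     */
    private String buildHttpsRedirect(HttpServletRequest request) {
        StringBuilder target = new StringBuilder("https://")
                .append(request.getServerName())
                .append(':')
                .append(this.httpsPort)
                .append(request.getRequestURI());
        String queryString = request.getQueryString();
        if (queryString != null) {
            target.append('?').append(queryString);
        }
        return target.toString();
    }

    /**
     * Decides whether X.509 enforcement is switched on; the result is stored in {@link #enforce}
     * during {@link #init(FilterConfig)}.
     *
     * @param servletContext the servlet context of the web application
     * @return {@code true} to require a valid client certificate on every request
     * @throws IOException if the decision cannot be made
     */
    protected abstract boolean checkEnforce(ServletContext servletContext) throws IOException;

    /**
     * Checks the first certificate of the chain presented with the request.
     *
     * <p>The certificate must be within its validity period and, if {@code cert-contains} is
     * configured, its subject DN string must contain that value. Any exception during the check
     * counts as a failed check, so the filter fails closed.
     *
     * @param x509CertificateArr the chain published by the container, possibly {@code null}
     * @return {@code true} if the certificate is acceptable
     */
    private boolean validCert(X509Certificate[] x509CertificateArr) {
        // A missing or empty chain means no certificate was presented; reject instead of letting
        // the index access below throw out of doFilter.
        if (x509CertificateArr == null || x509CertificateArr.length == 0) {
            return false;
        }
        X509Certificate clientCert = x509CertificateArr[0];
        try {
            if (logger.isDebugEnabled()) {
                logger.debug("Checking cert is valid");
            }
            // Only notBefore/notAfter are checked here; chain trust is not evaluated by this class.
            clientCert.checkValidity();
            if (this.certContains == null) {
                return true;
            }
            String name = clientCert.getSubjectX500Principal().getName();
            // The DN is certificate-supplied text; drop CR/LF so it cannot split log lines.
            String loggedName = sanitize(name);
            if (!name.contains(this.certContains)) {
                logger.error("Cert: " + loggedName + "  does not contain:  " + this.certContains);
                return false;
            }
            if (logger.isDebugEnabled()) {
                logger.debug("Cert: " + loggedName + "  contains:  " + this.certContains);
            }
            return true;
        } catch (Exception e) {
            logger.error("Cert is invalid", e);
            return false;
        }
    }

    /**
     * Removes carriage-return and line-feed characters from a string.
     *
     * @param str the value to clean, possibly {@code null}
     * @return the value without CR/LF characters, or {@code null} if the input was {@code null}
     */
    private String sanitize(String str) {
        if (str == null) {
            return null;
        }
        return PATTERN_CRLF.matcher(str).replaceAll("");
    }

    /** Nothing to release. */
    @Override
    public void destroy() {
    }

    /**
     * Best-effort check that Tomcat asks clients for a certificate, run once from
     * {@link #init(FilterConfig)}.
     *
     * <p>If a {@code Catalina} Engine MBean is registered and no MBean reports
     * {@code clientAuth} as {@code "want"} or {@code true}, this sets {@code clientAuth=want} on the
     * first MBean that reports {@code secure=true} and whose name contains {@code ProtocolHandler}.
     * Every failure is logged and swallowed on purpose, so filter start-up never fails here.
     *
     * <p>NOTE(review): this changes the connector's TLS settings at runtime as a side effect of
     * loading the filter, and only the first matching handler is changed. Setting
     * {@code clientAuth} explicitly in the connector configuration avoids relying on this path.
     */
    private void handleClientAuth() {
        try {
            // get(0) throws when no MBeanServer exists; that is handled by the catch below.
            MBeanServer mBeanServer = MBeanServerFactory.findMBeanServer(null).get(0);
            Set<ObjectName> engines = mBeanServer.queryNames(new ObjectName("Catalina", "type", "Engine"), null);
            if (engines == null || engines.isEmpty()) {
                // No Catalina engine registered - presumably not running on Tomcat.
                return;
            }
            QueryExp clientAuthRequested = Query.or(
                    Query.eq(Query.attr("clientAuth"), Query.value("want")),
                    Query.eq(Query.attr("clientAuth"), Query.value(true)));
            Set<ObjectName> alreadyConfigured = mBeanServer.queryNames(null, clientAuthRequested);
            if (alreadyConfigured == null || !alreadyConfigured.isEmpty()) {
                return;
            }
            logger.warn("clientAuth does not appear to be set for Tomcat. clientAuth must be set to 'want' for X509 Authentication");
            logger.warn("Attempting to set clientAuth=want through JMX...");
            Set<ObjectName> secureBeans = mBeanServer.queryNames(null, Query.eq(Query.attr("secure"), Query.value(true)));
            if (secureBeans != null) {
                for (ObjectName objectName : secureBeans) {
                    if (objectName.toString().contains("ProtocolHandler")) {
                        logger.warn("Setting clientAuth=want on MBean:" + objectName.toString());
                        mBeanServer.setAttribute(objectName, new Attribute("clientAuth", "want"));
                        return;
                    }
                }
            }
            logger.warn("Unable to set clientAuth=want through JMX.");
        } catch (Throwable th) {
            // Deliberately broad: this is an optional convenience and must not break start-up.
            logger.warn("An error occurred while checking for clientAuth. Turn on debug logging to see the stacktrace.");
            logger.debug("Error while handling clientAuth", th);
        }
    }
}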
