package org.apache.falcon.security;

import java.io.IOException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.ws.rs.core.Response;
import org.apache.falcon.util.StartupProperties;
import org.apache.log4j.Logger;

/* loaded from: input_file:WEB-INF/lib/falcon-prism-0.8-classes.jar:org/apache/falcon/security/ClientCertificateFilter.class */
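/**
 * Servlet filter that, when {@code falcon.enableTLS} is {@code true} in the startup properties,
 * rejects requests that do not carry a client certificate chain whose certificates are all
 * within their validity period.
 *
 * <p>Only the validity dates are checked here. This filter does not build or verify a trust
 * path, check revocation, or match the subject against an allow-list.
 * NOTE(review): chain trust is presumably enforced by the container's TLS configuration
 * (client-auth plus trust store) before the request reaches this filter; confirm for each deployment.
 *
 * <p>When {@code falcon.enableTLS} is absent or {@code false} the filter passes every request
 * through unchanged.
 */
public class ClientCertificateFilter implements Filter {
    private static final Logger LOG = Logger.getLogger(ClientCertificateFilter.class);

    /** Request attribute under which a servlet container exposes the TLS client certificate chain. */
    private static final String CERTIFICATE_ATTRIBUTE = "javax.servlet.request.X509Certificate";

    /** Whether certificate checking is enforced; set once in {@link #init(FilterConfig)}. */
    protected boolean enableTLS = false;

    /**
     * Reads {@code falcon.enableTLS} from the startup properties.
     *
     * <p>The default is {@code "false"}, so a missing or misspelled property leaves the filter
     * in pass-through mode rather than failing closed.
     *
     * @param filterConfig unused
     */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        this.enableTLS = Boolean.parseBoolean(StartupProperties.get().getProperty("falcon.enableTLS", "false"));
    }

    /**
     * Forwards the request down the chain when enforcement is off or the presented certificate
     * chain is valid; otherwise answers with HTTP 403.
     *
     * @throws IllegalStateException if the request or response is not an HTTP servlet object
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        if (!(servletRequest instanceof HttpServletRequest) || !(servletResponse instanceof HttpServletResponse)) {
            throw new IllegalStateException("Invalid request/response object");
        }
        HttpServletResponse httpResponse = (HttpServletResponse) servletResponse;
        X509Certificate[] presentedChain = (X509Certificate[]) servletRequest.getAttribute(CERTIFICATE_ATTRIBUTE);

        // Enforcement disabled: certificates are not inspected at all.
        if (!this.enableTLS) {
            filterChain.doFilter(servletRequest, servletResponse);
            return;
        }
        if (isValid(presentedChain)) {
            filterChain.doFilter(servletRequest, servletResponse);
            return;
        }
        httpResponse.sendError(Response.Status.FORBIDDEN.getStatusCode(), "Request not authorized, valid certificates not presented");
    }

    /**
     * Checks that a non-empty chain was presented and that every certificate in it is within
     * its validity period at the current time.
     *
     * <p>The previous implementation accepted the chain as soon as any single certificate passed
     * {@code checkValidity()}. The servlet API orders the array with the client's own certificate
     * first, followed by its issuers, so an expired or not-yet-valid client certificate was
     * accepted whenever an issuer certificate further along the array was still valid. Requiring
     * every element to be valid closes that gap.
     *
     * @param x509CertificateArr the chain taken from the request attribute; may be {@code null}
     * @return {@code true} only if the chain is non-empty and all of its certificates are currently valid
     */
    private boolean isValid(X509Certificate[] x509CertificateArr) {
        if (x509CertificateArr == null || x509CertificateArr.length == 0) {
            LOG.warn("No valid certificates present");
            return false;
        }
        for (X509Certificate certificate : x509CertificateArr) {
            if (certificate == null) {
                // A hole in the chain cannot be vouched for; fail closed instead of throwing an NPE.
                LOG.error("Null entry in client certificate chain");
                return false;
            }
            if (LOG.isDebugEnabled()) {
                LOG.debug("Issuer: " + certificate.getIssuerDN() + ", Subject: " + certificate.getSubjectDN());
            }
            try {
                certificate.checkValidity();
            } catch (CertificateExpiredException e) {
                LOG.error("Certificate " + certificate + " expired", e);
                return false;
            } catch (CertificateNotYetValidException e) {
                LOG.error("Certificate " + certificate + " not valid", e);
                return false;
            }
        }
        return true;
    }

    /** No resources to release. */
    @Override
    public void destroy() {
    }
}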
