package org.openscdp.pkiapi;

import jakarta.servlet.Filter;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.ServletRequest;
import jakarta.servlet.ServletResponse;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import java.util.concurrent.CopyOnWriteArrayList;
import javax.security.auth.x500.X500Principal;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/openscdp/pkiapi/EnforceTLSFilter.class */
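/**
 * Servlet filter that refuses requests which did not arrive over TLS with a client
 * certificate, and optionally restricts access to an allow-list of client subject DNs.
 *
 * <p>Decision order in {@link #doFilter}:
 * <ol>
 *   <li>request not secure (per {@link ServletRequest#isSecure()}) → 403 "Must use TLS";</li>
 *   <li>no client certificate chain exposed by the container → 403 "No client certificate";</li>
 *   <li>allow-list non-empty and leaf subject DN not in it → 403;</li>
 *   <li>otherwise the request proceeds down the chain.</li>
 * </ol>
 *
 * <p>Security notes for operators:
 * <ul>
 *   <li>An <em>empty</em> allow-list does not fail closed: every client whose certificate the
 *       container accepted is let through. Register at least one principal via
 *       {@link #addAuthorizedClient} if only specific clients may reach the protected resources.</li>
 *   <li>This filter never validates the certificate chain itself; it only inspects the subject
 *       DN of the certificate the container already accepted. Which issuing CAs are trusted is
 *       presumably decided by the container's TLS/trust-store configuration, and a subject-DN
 *       allow-list is only as strong as that set of CAs — confirm that no trusted CA can issue a
 *       certificate with an allow-listed subject to a third party.</li>
 *   <li>{@code isSecure()} reflects the connection as the container sees it. Behind a TLS-terminating
 *       reverse proxy this is false unless the container is configured to honour the proxy's
 *       forwarded-protocol headers — NOTE(review): verify in the deployment, or every request is rejected.</li>
 * </ul>
 */
public class EnforceTLSFilter implements Filter {
    private static final Logger logger = LoggerFactory.getLogger(EnforceTLSFilter.class);

    /** Request attribute under which the servlet container exposes the client certificate chain. */
    private static final String CLIENT_CERT_ATTRIBUTE = "jakarta.servlet.request.X509Certificate";

    /**
     * Allow-listed client subject DNs. Filter instances are shared across request threads, and
     * {@link #addAuthorizedClient} may be called while requests are in flight, so a copy-on-write
     * list keeps additions and {@code contains} lookups safe without locking on the request path.
     */
    private final List<X500Principal> authorizedClients = new CopyOnWriteArrayList<>();

    /**
     * Adds a client subject DN to the allow-list.
     *
     * <p>Matching in {@link #doFilter} uses {@link X500Principal#equals}, which compares the canonical
     * (RFC 2253) form of the DN, so attribute ordering and encoding differences between the
     * registered principal and the certificate's subject do not matter.
     *
     * @param x500Principal subject DN of a client that may pass this filter
     */
    public void addAuthorizedClient(X500Principal x500Principal) {
        logger.debug("Adding {} to list of allowed clients", x500Principal);
        this.authorizedClients.add(x500Principal);
    }

    /**
     * Rejects the request with HTTP 403 and the given reason.
     *
     * @param servletResponse response to complete; must be an {@link HttpServletResponse}
     * @param str reason phrase handed to {@link HttpServletResponse#sendError(int, String)}
     * @throws IOException if the container fails to write the error response
     */
    private void sendError(ServletResponse servletResponse, String str) throws IOException {
        ((HttpServletResponse) servletResponse).sendError(403, str);
    }

    /**
     * Enforces TLS, presence of a client certificate and (if configured) the subject allow-list,
     * then passes the request on.
     *
     * @param servletRequest incoming request
     * @param servletResponse outgoing response; used only to emit a 403 on rejection
     * @param filterChain remainder of the filter chain, invoked only when all checks pass
     * @throws IOException propagated from the error response or the chain
     * @throws ServletException propagated from the chain
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        if (!servletRequest.isSecure()) {
            sendError(servletResponse, "Must use TLS");
            return;
        }
        // The container leaves this attribute unset (null) when the client presented no
        // certificate. Treat null like an empty chain so the request is denied with a clean 403
        // instead of a NullPointerException surfacing as a 500.
        X509Certificate[] chain = (X509Certificate[]) servletRequest.getAttribute(CLIENT_CERT_ATTRIBUTE);
        if (chain == null || chain.length < 1) {
            sendError(servletResponse, "No client certificate");
            return;
        }
        // An empty allow-list means any client the container authenticated is accepted.
        if (!this.authorizedClients.isEmpty()) {
            // Element 0 is the client's own (end-entity) certificate; the rest of the array, if
            // present, is the issuing chain and is irrelevant to the subject check.
            X500Principal subject = chain[0].getSubjectX500Principal();
            logger.debug("Client authenticated as {}", subject);
            if (!this.authorizedClients.contains(subject)) {
                // The subject DN echoed here is client-supplied text (from the presented
                // certificate); the container's error handling is relied on for any escaping.
                sendError(servletResponse, "TLS client " + subject + " not in list of allowed clients");
                return;
            }
        }
        filterChain.doFilter(servletRequest, servletResponse);
    }
}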
