package org.xipki.ocsp.servlet;

import java.io.IOException;
import java.security.cert.CertificateException;
import java.util.HashSet;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.xipki.datasource.DataAccessException;
import org.xipki.ocsp.server.OcspServerImpl;
import org.xipki.ocsp.servlet.OcspConf;
import org.xipki.password.PasswordResolverException;
import org.xipki.security.Securities;
import org.xipki.security.util.X509Util;
import org.xipki.util.CollectionUtil;
import org.xipki.util.FileOrBinary;
import org.xipki.util.HttpConstants;
import org.xipki.util.InvalidConfException;
import org.xipki.util.LogUtil;

/* loaded from: input_file:WEB-INF/classes/org/xipki/ocsp/servlet/OcspServletFilter.class */
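/**
 * Servlet filter that boots the XiPKI OCSP responder and routes each HTTP request to one of
 * three internal servlets by path prefix (relative to the context path):
 * <ul>
 *   <li>{@code /health/...} goes to the health-check servlet,</li>
 *   <li>{@code /mgmt/...} goes to the remote-management servlet, or is answered with 403,</li>
 *   <li>everything else goes to the OCSP servlet.</li>
 * </ul>
 * The filter never calls the {@link FilterChain}; every request is answered here.
 *
 * <p>The management endpoint fails closed: it is reachable only when remote management is
 * enabled in the configuration <em>and</em> at least one client certificate was parsed
 * successfully. In every other case {@code /mgmt/} is answered with 403.
 */
public class OcspServletFilter implements Filter {
    private static final Logger LOG = LoggerFactory.getLogger(OcspServletFilter.class);
    private static final String DFLT_CONF_FILE = "xipki/etc/ocsp/ocsp.json";
    private Securities securities;
    private OcspServerImpl server;
    private HealthCheckServlet healthServlet;
    private OcspServlet ocspServlet;
    // True only when mgmtServlet has been fully set up; see init().
    private boolean remoteMgmtEnabled;
    private boolean logReqResp;
    private HttpMgmtServlet mgmtServlet;

    /**
     * Reads the OCSP configuration, starts the responder and wires the internal servlets.
     *
     * <p>A failure to initialise {@code Securities} is logged and leaves the servlets unset;
     * {@link #doFilter} then answers 503 instead of dereferencing null fields.
     *
     * @param filterConfig supplies the optional {@code logReqResp} init parameter
     * @throws IllegalArgumentException if the configuration file cannot be read or parsed
     */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        try {
            OcspConf conf = OcspConf.readConfFromFile(DFLT_CONF_FILE);
            this.logReqResp = Boolean.parseBoolean(filterConfig.getInitParameter("logReqResp"));
            LOG.info("logReqResp: {}", this.logReqResp);
            this.securities = new Securities();
            try {
                this.securities.init(conf.getSecurity());
                OcspServerImpl ocspServer = new OcspServerImpl();
                ocspServer.setSecurityFactory(this.securities.getSecurityFactory());
                ocspServer.setConfFile(conf.getServerConf());
                try {
                    ocspServer.init();
                } catch (DataAccessException | PasswordResolverException | InvalidConfException e) {
                    // Logged only: the servlets are still wired to the server instance below.
                    LogUtil.error(LOG, e, "could not start OCSP server");
                }
                this.server = ocspServer;
                this.healthServlet = new HealthCheckServlet();
                this.healthServlet.setServer(this.server);
                this.ocspServlet = new OcspServlet();
                this.ocspServlet.setServer(this.server);
                this.ocspServlet.setLogReqResp(this.logReqResp);

                OcspConf.RemoteMgmt remoteMgmt = conf.getRemoteMgmt();
                boolean mgmtRequested = remoteMgmt != null && remoteMgmt.isEnabled();
                HttpMgmtServlet mgmt = null;
                if (mgmtRequested) {
                    if (CollectionUtil.isNotEmpty(remoteMgmt.getCerts())) {
                        // Raw type kept on purpose: the element type returned by
                        // X509Util.parseCert is not visible from this class.
                        HashSet mgmtCerts = new HashSet();
                        for (FileOrBinary certSource : remoteMgmt.getCerts()) {
                            try {
                                mgmtCerts.add(X509Util.parseCert(certSource.readContent()));
                            } catch (IOException | CertificateException e) {
                                String msg = "could not parse the client certificate";
                                if (certSource.getFile() != null) {
                                    msg = msg + " " + certSource.getFile();
                                }
                                LogUtil.error(LOG, e, msg);
                            }
                        }
                        if (mgmtCerts.isEmpty()) {
                            LOG.error("could not find any valid client certificates, disable the remote management");
                        } else {
                            // NOTE(review): the client-certificate check itself is not visible
                            // here; presumably HttpMgmtServlet enforces it against this set.
                            mgmt = new HttpMgmtServlet();
                            mgmt.setMgmtCerts(mgmtCerts);
                            mgmt.setOcspServer(this.server);
                        }
                    } else {
                        LOG.error("remote management is enabled but no client certificates are configured, disable the remote management");
                    }
                }
                // Keep the flag and the servlet in step, so an enabled flag can never point at
                // a missing servlet and the log line reports the effective state.
                this.mgmtServlet = mgmt;
                this.remoteMgmtEnabled = mgmt != null;
                LOG.info("remote management is {}", this.remoteMgmtEnabled ? "enabled" : "disabled");
            } catch (IOException | InvalidConfException e) {
                LogUtil.error(LOG, e, "could not initialize Securities");
            }
        } catch (IOException | InvalidConfException e) {
            throw new IllegalArgumentException("could not parse OCSP configuration file " + DFLT_CONF_FILE, e);
        }
    }

    /** Closes the security provider and the OCSP server, whichever of them were created. */
    @Override
    public void destroy() {
        if (this.securities != null) {
            this.securities.close();
        }
        if (this.server != null) {
            this.server.close();
        }
    }

    /**
     * Dispatches the request to the health, management or OCSP servlet by path prefix.
     *
     * <p>The path is taken from the raw request URI with the context path stripped, and is
     * passed on to the target servlet in the {@code HttpConstants.ATTR_XIPKI_PATH} attribute.
     *
     * @param servletRequest must be an {@link HttpServletRequest}
     * @param servletResponse must be an {@link HttpServletResponse}
     * @param filterChain not used; the chain is never continued
     * @throws ServletException if the request or response is not an HTTP one
     * @throws IOException if the target servlet or the error response fails with an I/O error
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        if (!(servletRequest instanceof HttpServletRequest) || !(servletResponse instanceof HttpServletResponse)) {
            throw new ServletException("Only HTTP request is supported");
        }
        HttpServletRequest request = (HttpServletRequest) servletRequest;
        HttpServletResponse response = (HttpServletResponse) servletResponse;

        String requestUri = request.getRequestURI();
        String contextPath = request.getContextPath();
        String path = requestUri.length() == contextPath.length() ? "/" : requestUri.substring(contextPath.length());

        if (path.startsWith("/mgmt/")) {
            // Fail closed: a disabled or incompletely initialised management endpoint gets 403.
            if (!this.remoteMgmtEnabled || this.mgmtServlet == null) {
                response.sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
            // 5 == "/mgmt".length(); the forwarded path keeps its leading slash.
            request.setAttribute(HttpConstants.ATTR_XIPKI_PATH, path.substring(5));
            this.mgmtServlet.service(request, response);
            return;
        }

        if (this.healthServlet == null || this.ocspServlet == null) {
            // init() did not get as far as creating the servlets (Securities failed to start).
            response.sendError(HttpServletResponse.SC_SERVICE_UNAVAILABLE);
            return;
        }

        if (path.startsWith("/health/")) {
            // 7 == "/health".length(); the forwarded path keeps its leading slash.
            request.setAttribute(HttpConstants.ATTR_XIPKI_PATH, path.substring(7));
            this.healthServlet.service(request, response);
        } else {
            request.setAttribute(HttpConstants.ATTR_XIPKI_PATH, path);
            this.ocspServlet.service(request, response);
        }
    }
}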
