package de.rwh.utils.jetty;

import de.rwh.utils.crypto.io.PemIo;
import java.io.IOException;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Objects;
import org.eclipse.jetty.server.Connector;
import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.Request;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:de/rwh/utils/jetty/ForwardedSecureRequestCustomizer.class */
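/**
 * Jetty request customizer that reads a PEM client certificate from a request header and
 * publishes it as the {@code javax.servlet.request.X509Certificate} request attribute.
 *
 * <p>Security note: this class only parses the header value. Nothing visible here validates the
 * certificate chain, its validity period or its revocation status, and nothing proves that the
 * sender holds the matching private key. The attribute is therefore only as trustworthy as the
 * header. A deployment has to make sure the header can be set exclusively by the TLS-terminating
 * reverse proxy, that the proxy removes or overwrites any header of the same name supplied by
 * the client, and that the backend port is not reachable without going through the proxy.
 *
 * <p>Two header encodings are accepted: a plain PEM block whose line breaks were replaced by
 * spaces, and a URL-encoded PEM block.
 */
public class ForwardedSecureRequestCustomizer implements HttpConfiguration.Customizer {
    private static final String URL_ENCODED_CERT_BEGIN = "-----BEGIN%20CERTIFICATE-----%0A";
    private static final String URL_ENCODED_CERT_END = "%0A-----END%20CERTIFICATE-----%0A";
    private static final String CERT_BEGIN = "-----BEGIN CERTIFICATE-----";
    private static final String CERT_END = "-----END CERTIFICATE-----";
    private static final Logger logger = LoggerFactory.getLogger(ForwardedSecureRequestCustomizer.class);
    private final String clientCertHeaderName;

    /**
     * Creates a customizer reading the client certificate from the given header.
     *
     * @param str name of the request header carrying the PEM certificate, not {@code null}
     * @throws NullPointerException if {@code str} is {@code null}
     */
    public ForwardedSecureRequestCustomizer(String str) {
        this.clientCertHeaderName = Objects.requireNonNull(str, "clientCertHeaderName");
    }

    /**
     * Sets the {@code javax.servlet.request.X509Certificate} attribute when the configured header
     * holds a parsable certificate. The attribute is left untouched otherwise, so downstream
     * authentication must treat a missing attribute as "no client certificate".
     */
    public void customize(Connector connector, HttpConfiguration httpConfiguration, Request request) {
        X509Certificate clientCert = getClientCert(request);
        if (clientCert != null) {
            request.setAttribute("javax.servlet.request.X509Certificate", new X509Certificate[]{clientCert});
        }
    }

    /**
     * Extracts the certificate from the configured header.
     *
     * @return the parsed certificate, or {@code null} when the header is missing, empty, not
     *         framed by the expected PEM markers, or cannot be decoded or parsed
     */
    private X509Certificate getClientCert(Request request) {
        String header = request.getHeader(this.clientCertHeaderName);
        if (header == null) {
            logger.warn("No {} header found", this.clientCertHeaderName);
            return null;
        }
        if (header.isEmpty()) {
            logger.warn("{} header empty", this.clientCertHeaderName);
            return null;
        }
        boolean plainPem = header.startsWith(CERT_BEGIN);
        if (!plainPem && !header.startsWith(URL_ENCODED_CERT_BEGIN)) {
            logger.warn("{} header does not start with {} or {}", this.clientCertHeaderName, CERT_BEGIN, URL_ENCODED_CERT_BEGIN);
            return null;
        }
        if (!header.endsWith(CERT_END) && !header.endsWith(URL_ENCODED_CERT_END)) {
            logger.warn("{} header does not end with {} or {}", this.clientCertHeaderName, CERT_END, URL_ENCODED_CERT_END);
            return null;
        }
        try {
            return PemIo.readX509CertificateFromPem(toPem(header, plainPem));
        } catch (IOException | CertificateException | IllegalArgumentException e) {
            // IllegalArgumentException: URLDecoder rejects malformed percent-escapes. The header is
            // remote input, so a bad value must end as "no certificate", not as an uncaught
            // exception. Only the exception type is logged at WARN to keep header-derived text
            // out of the default log output; the full exception is available at DEBUG.
            logger.warn("{} header could not be parsed as certificate: {}", this.clientCertHeaderName, e.getClass().getName());
            logger.debug("Certificate parsing failure for {} header", this.clientCertHeaderName, e);
            return null;
        }
    }

    /**
     * Rebuilds PEM text from the header value.
     *
     * @param header raw header value, already checked for the begin and end markers
     * @param plainPem {@code true} if the header starts with the unencoded begin marker
     * @return PEM text to hand to the parser
     * @throws IllegalArgumentException if the URL-encoded form contains malformed escapes
     */
    private static String toPem(String header, boolean plainPem) {
        if (plainPem) {
            // Strip the markers first so their inner spaces survive, then turn the remaining
            // spaces back into line breaks (presumably the proxy replaced them with spaces).
            String body = header.replace(CERT_BEGIN, "").replace(CERT_END, "").replaceAll(" ", "\n");
            return CERT_BEGIN + body + CERT_END;
        }
        return URLDecoder.decode(header, StandardCharsets.UTF_8).trim();
    }
}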
