package org.xipki.ca.server.servlet;

import java.io.IOException;
import java.security.cert.CertificateException;
import java.util.HashSet;
import java.util.List;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.xipki.audit.Audits;
import org.xipki.audit.services.MacAuditService;
import org.xipki.ca.api.profile.CertprofileFactory;
import org.xipki.ca.api.profile.CertprofileFactoryRegister;
import org.xipki.ca.api.publisher.CertPublisherFactoryRegister;
import org.xipki.ca.server.CaServerConf;
import org.xipki.ca.server.SdkResponder;
import org.xipki.ca.server.mgmt.CaManagerImpl;
import org.xipki.ca.server.publisher.OcspCertPublisherFactory;
import org.xipki.license.api.LicenseFactory;
import org.xipki.security.Securities;
import org.xipki.security.util.X509Util;
import org.xipki.util.CollectionUtil;
import org.xipki.util.ConfPairs;
import org.xipki.util.FileOrBinary;
import org.xipki.util.HttpConstants;
import org.xipki.util.IoUtil;
import org.xipki.util.LogUtil;
import org.xipki.util.StringUtil;
import org.xipki.util.XipkiBaseDir;
import org.xipki.util.exception.InvalidConfException;
import org.xipki.util.exception.ServletException0;
import org.xipki.util.http.HttpStatusCode;
import org.xipki.util.http.XiHttpFilter;
import org.xipki.util.http.XiHttpRequest;
import org.xipki.util.http.XiHttpResponse;

/* loaded from: input_file:WEB-INF/lib/ca-server-6.4.0.jar:org/xipki/ca/server/servlet/CaHttpFilter.class */
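public class CaHttpFilter implements XiHttpFilter {
    private static final Logger LOG = LoggerFactory.getLogger(CaHttpFilter.class);

    /** Certificate-profile factory that is always registered when present on the classpath. */
    private static final String XIJSON_CERTFACTORY = "org.xipki.ca.certprofile.xijson.CertprofileFactoryImpl";

    /** CA server configuration file, resolved relative to the XiPKI base directory. */
    private static final String DFLT_CA_SERVER_CFG = "etc/ca/ca.json";

    /** URL prefix routed to the RA (enrollment) servlet. */
    private static final String RA_PREFIX = "/ra/";

    /** URL prefix routed to the remote-management servlet. */
    private static final String MGMT_PREFIX = "/mgmt/";

    private final Securities securities;
    private final LicenseFactory licenseFactory;
    private final CaManagerImpl caManager;

    /** Serves {@code /ra/}; both stay {@code null} when the CA is configured with {@code noRA=true}. */
    private SdkResponder responder;
    private HttpRaServlet raServlet;

    /**
     * Whether {@code remoteMgmt.enabled} is set in the configuration. Note that this is
     * {@code true} even when {@link #mgmtServlet} ends up {@code null} because no usable
     * client certificate was configured; routing decisions use {@code mgmtServlet}, not this flag.
     */
    private final boolean remoteMgmtEnabled;

    /**
     * Serves {@code /mgmt/}; {@code null} when remote management is disabled or no client
     * certificate could be loaded, in which case {@code /mgmt/} answers 403.
     */
    private HttpMgmtServlet mgmtServlet;

    /**
     * Reads {@code etc/ca/ca.json}, initializes the security and audit subsystems, starts the
     * CA system and wires the RA and management servlets according to the configuration.
     *
     * @param licenseFactoryClass fully qualified name of the {@link LicenseFactory}
     *        implementation, instantiated reflectively through its no-arg constructor
     * @throws ServletException0 if the configuration cannot be read, the security or audit
     *         subsystem cannot be initialized, the license factory cannot be created, or the
     *         CA system cannot be started
     */
    public CaHttpFilter(String licenseFactoryClass) throws ServletException0 {
        XipkiBaseDir.init();

        CaServerConf conf = readServerConf();
        boolean logReqResp = conf.isLogReqResp();
        LOG.info("logReqResp: {}", logReqResp);

        this.securities = new Securities();
        try {
            this.securities.init(conf.getSecurity());
        } catch (IOException | InvalidConfException ex) {
            throw new ServletException0("could not initialize Securities", ex);
        }

        initAudit(conf);

        LOG.info("Use licenseFactory: {}", licenseFactoryClass);
        this.licenseFactory = createLicenseFactory(licenseFactoryClass);

        try {
            this.caManager = new CaManagerImpl(this.licenseFactory.createCmLicense());
            this.caManager.setSecurityFactory(this.securities.getSecurityFactory());
            this.caManager.setP11CryptServiceFactory(this.securities.getP11CryptServiceFactory());
            this.caManager.setCertprofileFactoryRegister(
                initCertprofileFactoryRegister(conf.getCertprofileFactories()));

            CertPublisherFactoryRegister publisherRegister = new CertPublisherFactoryRegister();
            publisherRegister.registFactory(new OcspCertPublisherFactory());
            this.caManager.setCertPublisherFactoryRegister(publisherRegister);
            this.caManager.setCaServerConf(conf);
            this.caManager.startCaSystem();

            LOG.info("ca.noRA: {}", conf.isNoRA());
            if (!conf.isNoRA()) {
                this.responder = new SdkResponder(this.caManager);
                this.raServlet = new HttpRaServlet();
                this.raServlet.setResponder(this.responder);
                this.raServlet.setLogReqResp(logReqResp);
            }

            CaServerConf.RemoteMgmt remoteMgmt = conf.getRemoteMgmt();
            this.remoteMgmtEnabled = remoteMgmt != null && remoteMgmt.isEnabled();
            LOG.info("remote management is {}", this.remoteMgmtEnabled ? "enabled" : "disabled");
            if (this.remoteMgmtEnabled) {
                this.mgmtServlet = createMgmtServlet(remoteMgmt);
            }
        } catch (Exception ex) {
            // Anything failing between license creation and servlet wiring aborts the filter.
            throw new ServletException0("could not start the CA system", ex);
        }
    }

    /**
     * Loads and parses the CA server configuration file.
     *
     * @throws ServletException0 if the file cannot be read or is not a valid configuration
     */
    private static CaServerConf readServerConf() throws ServletException0 {
        try {
            return CaServerConf.readConfFromFile(IoUtil.expandFilepath(DFLT_CA_SERVER_CFG, true));
        } catch (IOException | InvalidConfException ex) {
            throw new ServletException0("could not parse CA configuration file " + DFLT_CA_SERVER_CFG, ex);
        }
    }

    /**
     * Initializes the global audit service from the {@code audit} section of the configuration.
     * An empty type defaults to {@code "embed"}. For the MAC-protected audit services the shard
     * id is injected into the service configuration so that records of different shards can be
     * distinguished.
     *
     * @throws ServletException0 if no audit service is available afterwards; a CA must not run
     *         without audit logging
     */
    private void initAudit(CaServerConf conf) throws ServletException0 {
        Audits.AuditConf audit = conf.getAudit();
        String type = StringUtil.isBlank(audit.getType()) ? "embed" : audit.getType();
        String auditConf = audit.getConf();
        if ("file-mac".equals(type) || "database-mac".equals(type)) {
            auditConf = new ConfPairs(auditConf)
                .putPair(MacAuditService.KEY_SHARD_ID, Integer.toString(conf.getShardId()))
                .getEncoded();
        }
        Audits.init(type, auditConf, this.securities.getSecurityFactory().getPasswordResolver());
        if (Audits.getAuditService() == null) {
            throw new ServletException0("could not initialize AuditService");
        }
    }

    /**
     * Instantiates the configured {@link LicenseFactory} by class name.
     *
     * The class name comes from deployment configuration, not from a client; still, whoever
     * controls it controls code loaded into the CA process, so it must be treated as trusted input.
     *
     * @throws ServletException0 if the class cannot be loaded, instantiated or is of the wrong type
     */
    private static LicenseFactory createLicenseFactory(String className) throws ServletException0 {
        try {
            return (LicenseFactory) Class.forName(className).getDeclaredConstructor().newInstance();
        } catch (Exception ex) {
            throw new ServletException0("could not initialize LicenseFactory", ex);
        }
    }

    /**
     * Builds the remote-management servlet.
     *
     * The servlet is handed the client certificates listed under {@code remoteMgmt.certs};
     * presumably these are the only principals HttpMgmtServlet accepts (verify there). If none
     * is configured or none can be parsed, {@code null} is returned so that {@code /mgmt/} is
     * refused rather than exposed without any configured client. Certificates are only parsed
     * here; no validity-period or chain check is done at this point.
     *
     * @return the configured servlet, or {@code null} when remote management must stay disabled
     */
    private HttpMgmtServlet createMgmtServlet(CaServerConf.RemoteMgmt remoteMgmt) {
        List<FileOrBinary> certs = remoteMgmt.getCerts();
        if (CollectionUtil.isEmpty(certs)) {
            LOG.error("no client certificate is configured, disable the remote management");
            return null;
        }

        // Raw type: the element type of the set expected by setMgmtCerts is not visible here.
        HashSet mgmtCerts = new HashSet();
        for (FileOrBinary cert : certs) {
            try {
                mgmtCerts.add(X509Util.parseCert(cert.readContent()));
            } catch (IOException | CertificateException ex) {
                String msg = "could not parse the client certificate";
                LogUtil.error(LOG, ex, cert.getFile() != null ? msg + " " + cert.getFile() : msg);
            }
        }

        if (mgmtCerts.isEmpty()) {
            LOG.error("could not find any valid client certificates, disable the remote management");
            return null;
        }

        HttpMgmtServlet servlet = new HttpMgmtServlet();
        servlet.setCaManager(this.caManager);
        servlet.setMgmtCerts(mgmtCerts);
        return servlet;
    }

    /**
     * Releases all resources acquired in the constructor. Every close is attempted regardless
     * of whether the others succeeded; audit-service close failures are logged, not rethrown.
     * NOTE(review): securities is closed before caManager, which was handed its security
     * factory — confirm caManager.close() does not still need it.
     */
    @Override // org.xipki.util.http.XiHttpFilter
    public void destroy() {
        if (this.securities != null) {
            this.securities.close();
        }
        if (this.caManager != null) {
            this.caManager.close();
        }
        if (this.licenseFactory != null) {
            this.licenseFactory.close();
        }
        if (this.responder != null) {
            this.responder.close();
        }
        if (Audits.getAuditService() != null) {
            try {
                Audits.getAuditService().close();
            } catch (Exception ex) {
                LogUtil.error(LOG, ex);
            }
        }
    }

    /**
     * Registers the certificate-profile factories: the built-in xijson factory (optional on the
     * classpath, so a failure is only a warning) followed by the class names from the
     * configuration. A factory that fails to load is logged with its cause and skipped; it does
     * not prevent the CA from starting. Class names come from deployment configuration and are
     * loaded reflectively, so they are trusted input.
     *
     * @param factoryClassNames configured factory class names, may be {@code null}
     */
    private CertprofileFactoryRegister initCertprofileFactoryRegister(List<String> factoryClassNames) {
        CertprofileFactoryRegister register = new CertprofileFactoryRegister();
        try {
            register.registFactory(newCertprofileFactory(XIJSON_CERTFACTORY));
        } catch (Exception ex) {
            // Include the cause: the original only logged the message, hiding why the load failed.
            LOG.warn("error initializing " + XIJSON_CERTFACTORY, ex);
        }

        if (factoryClassNames != null) {
            for (String className : factoryClassNames) {
                try {
                    register.registFactory(newCertprofileFactory(className));
                } catch (Exception ex) {
                    LOG.error("error caught while initializing CertprofileFactory " + className + ": "
                        + ex.getClass().getName() + ": " + ex.getMessage(), ex);
                }
            }
        }
        return register;
    }

    /** Instantiates a {@link CertprofileFactory} through its public no-arg constructor. */
    private static CertprofileFactory newCertprofileFactory(String className)
            throws ReflectiveOperationException {
        return (CertprofileFactory) Class.forName(className).getConstructor().newInstance();
    }

    /**
     * Routes a request by servlet path: {@code /ra/...} to the RA servlet and {@code /mgmt/...}
     * to the management servlet, passing the remainder of the path (which keeps its leading
     * slash) as {@link HttpConstants#ATTR_XIPKI_PATH}. Unknown prefixes and the RA path on a
     * noRA deployment answer 404; the management path answers 403 while remote management is
     * unavailable, which does reveal that the endpoint exists. Client authentication is not
     * performed here but by the servlets themselves.
     *
     * @throws IOException propagated from the servlet or the error response
     */
    @Override // org.xipki.util.http.XiHttpFilter
    public void doFilter(XiHttpRequest request, XiHttpResponse response) throws IOException {
        String path = request.getServletPath();

        if (path.startsWith(RA_PREFIX)) {
            if (this.raServlet == null) {
                response.sendError(HttpStatusCode.SC_NOT_FOUND);
                return;
            }
            request.setAttribute(HttpConstants.ATTR_XIPKI_PATH, path.substring(RA_PREFIX.length() - 1));
            this.raServlet.service(request, response);
            return;
        }

        if (!path.startsWith(MGMT_PREFIX)) {
            response.sendError(HttpStatusCode.SC_NOT_FOUND);
            return;
        }

        if (this.mgmtServlet == null) {
            response.sendError(HttpStatusCode.SC_FORBIDDEN);
            return;
        }

        request.setAttribute(HttpConstants.ATTR_XIPKI_PATH, path.substring(MGMT_PREFIX.length() - 1));
        this.mgmtServlet.service(request, response);
    }
}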
