package com.terracotta.management.security.web.impl;

import com.terracotta.management.keychain.URIKeyName;
import com.terracotta.management.security.Authorizer;
import com.terracotta.management.security.HMACBuilder;
import com.terracotta.management.security.IACredentials;
import com.terracotta.management.security.InvalidIAInteractionException;
import com.terracotta.management.security.InvalidRequestTicketException;
import com.terracotta.management.security.KeyChainAccessor;
import com.terracotta.management.security.MaskedUserInfo;
import com.terracotta.management.security.RequestIdentityAsserter;
import com.terracotta.management.security.RequestTicketMonitor;
import com.terracotta.management.user.UserInfo;
import com.terracotta.management.user.services.UserService;
import java.net.URISyntaxException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.X509Certificate;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/* loaded from: input_file:WEB-INF/classes/com/terracotta/management/security/web/impl/LicensedIdentityAsserter.class */
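/**
 * {@link RequestIdentityAsserter} that resolves the caller of an HTTP request from the
 * identity-assertion (IA) headers and, for callers without a TLS client certificate,
 * answers with an HMAC signature over the request's IA parameters.
 *
 * <p>Every IA value read here (session token, request ticket, client nonce, alias) comes
 * from request headers and is therefore caller-controlled; a malformed value is reported as
 * {@link InvalidIAInteractionException}, never as an internal error.
 */
public final class LicensedIdentityAsserter implements RequestIdentityAsserter {
    private static final String INVALID_IA_REQ = "Request received from host '%s' is missing the required IA parameters to fullfil this request.";
    /** Servlet request attribute under which the container exposes the client certificate chain. */
    private static final String CLIENT_CERT_ATTRIBUTE = "javax.servlet.request.X509Certificate";
    private final UserService usrSvc;
    private final RequestTicketMonitor requestTicketMonitor;
    private final Authorizer authorizer;
    private final KeyChainAccessor keyChainAccessor;

    /**
     * Creates an asserter backed by the given collaborators.
     *
     * @param authorizer resolves a session token to a principal
     * @param requestTicketMonitor redeems the request ticket presented with each request
     * @param userService loads the user record for a resolved principal
     * @param keyChainAccessor supplies the secret used to key the response signature
     */
    public LicensedIdentityAsserter(Authorizer authorizer, RequestTicketMonitor requestTicketMonitor, UserService userService, KeyChainAccessor keyChainAccessor) {
        this.authorizer = authorizer;
        this.requestTicketMonitor = requestTicketMonitor;
        this.usrSvc = userService;
        this.keyChainAccessor = keyChainAccessor;
    }

    /**
     * Asserts the identity behind {@code httpServletRequest}.
     *
     * <p>The request must carry the {@code TC_ID_TOKEN} and {@code REQ_TICKET} headers. The
     * ticket is redeemed, the token is resolved to a principal, and the principal's user
     * record is returned wrapped in a {@link MaskedUserInfo}. When the request has no client
     * certificate attribute, the {@code CLIENT_NONCE} and {@code ALIAS} headers are required
     * as well, and the {@code SIGNATURE} response header is set to an HMAC over ticket,
     * token, alias, nonce and the masked user detail, keyed with the key-chain secret stored
     * under the alias.
     *
     * @param httpServletRequest request carrying the IA headers
     * @param httpServletResponse response that receives the signature header
     * @return the masked user information of the asserted principal
     * @throws InvalidIAInteractionException if a required header is missing, the request
     *     ticket is rejected, the session token resolves to no principal, or the alias
     *     header is not a valid key name
     * @throws RuntimeException if the HMAC cannot be created from the retrieved key material
     */
    @Override
    public UserInfo assertIdentity(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws InvalidIAInteractionException {
        String sessionToken = httpServletRequest.getHeader(IACredentials.TC_ID_TOKEN);
        String requestTicket = httpServletRequest.getHeader(IACredentials.REQ_TICKET);
        if (requestTicket == null || sessionToken == null) {
            throw new InvalidIAInteractionException(String.format(INVALID_IA_REQ, httpServletRequest.getRemoteAddr()));
        }
        try {
            // The ticket is redeemed before the session lookup, so a request that fails the
            // session check below has still redeemed its ticket.
            // NOTE(review): presumably tickets are single-use; confirm in RequestTicketMonitor.
            this.requestTicketMonitor.redeemRequestTicket(requestTicket);
            // NOTE(review): the meaning of the boolean flag is not visible here; confirm in Authorizer.
            String principal = this.authorizer.getPrincipalBySessionId(sessionToken, true);
            if (principal == null) {
                // NOTE(review): the rejected header value is interpolated verbatim into the
                // message. If this message is logged or returned to the caller, an
                // unsanitised, caller-controlled string (possibly a recently expired token)
                // ends up there; consider omitting or truncating it.
                throw new InvalidIAInteractionException(String.format("Request received from host '%s' presented the currently invalid session id: '%s'", httpServletRequest.getRemoteAddr(), sessionToken));
            }
            MaskedUserInfo maskedUserInfo = new MaskedUserInfo(this.usrSvc.getUser(principal));
            X509Certificate[] clientCertificates = (X509Certificate[]) httpServletRequest.getAttribute(CLIENT_CERT_ATTRIBUTE);
            // Only the presence of a certificate chain is checked; its contents are not
            // inspected in this method.
            // NOTE(review): presumably the container's TLS layer has already validated it; confirm.
            boolean hasClientCertificate = clientCertificates != null && clientCertificates.length > 0;
            if (!hasClientCertificate) {
                String clientNonce = httpServletRequest.getHeader(IACredentials.CLIENT_NONCE);
                String alias = httpServletRequest.getHeader(IACredentials.ALIAS);
                if (clientNonce == null || alias == null) {
                    throw new InvalidIAInteractionException(String.format(INVALID_IA_REQ, httpServletRequest.getRemoteAddr()));
                }
                try {
                    // The alias header selects which key-chain entry keys the signature.
                    // NOTE(review): confirm how retrieveSecret/HMACBuilder behave for an alias
                    // that has no key-chain entry.
                    httpServletResponse.setHeader(IACredentials.SIGNATURE, HMACBuilder.getInstance(this.keyChainAccessor.retrieveSecret(new URIKeyName(alias))).addMessageComponent(requestTicket).addMessageComponent(sessionToken).addMessageComponent(alias).addMessageComponent(clientNonce).addUserDetail(maskedUserInfo).buildEncoded());
                } catch (URISyntaxException e) {
                    // The alias is a request header, so a malformed value is bad caller input
                    // rather than an internal bug: report it as an IA failure instead of an
                    // unchecked exception. The value itself is deliberately not echoed.
                    throw new InvalidIAInteractionException(String.format("Request received from host '%s' presented an alias that is not a valid key name.", httpServletRequest.getRemoteAddr()), e);
                } catch (InvalidKeyException e2) {
                    throw new RuntimeException("BUG Alert! Failed to create signed hash.", e2);
                } catch (NoSuchAlgorithmException e3) {
                    throw new RuntimeException("BUG Alert! Failed to create signed hash.", e3);
                }
            }
            return maskedUserInfo;
        } catch (InvalidRequestTicketException e4) {
            throw new InvalidIAInteractionException(String.format("Request received from host '%s' presented an invalid request ticket.", httpServletRequest.getRemoteAddr()), e4);
        }
    }
}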
