package com.google.gerrit.httpd.auth.container;

import com.google.common.flogger.FluentLogger;
import com.google.gerrit.extensions.registration.DynamicItem;
import com.google.gerrit.httpd.WebSession;
import com.google.gerrit.server.account.AccountException;
import com.google.gerrit.server.account.AccountManager;
import com.google.gerrit.server.account.AuthRequest;
import com.google.inject.Inject;
import com.google.inject.Singleton;
import java.io.IOException;
import java.security.cert.X509Certificate;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;

@Singleton
/* loaded from: input_file:com/google/gerrit/httpd/auth/container/HttpsClientSslCertAuthFilter.class */
class HttpsClientSslCertAuthFilter implements Filter {
    private static final FluentLogger logger = FluentLogger.forEnclosingClass();
    private static final Pattern REGEX_USERID = Pattern.compile("CN=([^,]*)");
    private final DynamicItem<WebSession> webSession;
    private final AccountManager accountManager;
    private final AuthRequest.Factory authRequestFactory;

    @Inject
    HttpsClientSslCertAuthFilter(DynamicItem<WebSession> dynamicItem, AccountManager accountManager, AuthRequest.Factory factory) {
        this.webSession = dynamicItem;
        this.accountManager = accountManager;
        this.authRequestFactory = factory;
    }

    public void destroy() {
    }

    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        X509Certificate[] x509CertificateArr = (X509Certificate[]) servletRequest.getAttribute("javax.servlet.request.X509Certificate");
        if (x509CertificateArr == null || x509CertificateArr.length == 0) {
            throw new ServletException("Couldn't get the attribute javax.servlet.request.X509Certificate from the request");
        }
        Matcher matcher = REGEX_USERID.matcher(x509CertificateArr[0].getSubjectDN().getName());
        if (!matcher.find()) {
            throw new ServletException("Couldn't extract username from your certificate");
        }
        String group = matcher.group(1);
        try {
            ((WebSession) this.webSession.get()).login(this.accountManager.authenticate(this.authRequestFactory.createForUser(group)), true);
            filterChain.doFilter(servletRequest, servletResponse);
        } catch (AccountException e) {
            String str = "Unable to authenticate user \"" + group + "\"";
            logger.atSevere().withCause(e).log(str);
            throw new ServletException(str, e);
        }
    }

    public void init(FilterConfig filterConfig) throws ServletException {
    }
}
