package de.adorsys.psd2.xs2a.web.filter;

import de.adorsys.psd2.consent.api.service.TppService;
import de.adorsys.psd2.validator.certificate.util.CertificateExtractorUtil;
import de.adorsys.psd2.validator.certificate.util.TppCertificateData;
import de.adorsys.psd2.xs2a.core.domain.MessageCategory;
import de.adorsys.psd2.xs2a.core.error.MessageErrorCode;
import de.adorsys.psd2.xs2a.core.tpp.TppInfo;
import de.adorsys.psd2.xs2a.core.tpp.TppRole;
import de.adorsys.psd2.xs2a.service.RequestProviderService;
import de.adorsys.psd2.xs2a.service.profile.AspspProfileServiceWrapper;
import de.adorsys.psd2.xs2a.service.validator.tpp.TppInfoHolder;
import de.adorsys.psd2.xs2a.service.validator.tpp.TppRoleValidationService;
import de.adorsys.psd2.xs2a.web.Xs2aEndpointChecker;
import de.adorsys.psd2.xs2a.web.error.TppErrorMessageWriter;
import de.adorsys.psd2.xs2a.web.mapper.TppInfoRolesMapper;
import de.adorsys.psd2.xs2a.web.mapper.Xs2aTppInfoMapper;
import java.io.IOException;
import java.time.LocalDateTime;
import java.time.ZoneId;
import java.util.Arrays;
import java.util.Date;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.stream.Collectors;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import no.difi.certvalidator.api.CertificateValidationException;
import org.apache.commons.lang3.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.stereotype.Component;

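/**
 * Servlet filter that processes the TPP's encoded QWAC certificate for a request.
 *
 * <p>For a request that carries a certificate, the filter extracts the certificate data,
 * rejects an expired or unparsable certificate, resolves the TPP roles, checks role-based
 * access to the endpoint, and stores the resulting {@link TppInfo} in the
 * {@link TppInfoHolder}. A request without a certificate is passed down the chain untouched.
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>NOTE(review): the certificate and the roles-allowed value are read through
 *       {@link RequestProviderService}; presumably both come from request headers filled in
 *       by a TLS-terminating gateway. Confirm that the gateway overwrites or strips
 *       client-supplied copies, because a non-blank roles-allowed value takes precedence
 *       over the roles contained in the certificate.</li>
 *   <li>Only the {@code notAfter} date is checked in this class. Whether
 *       {@code CertificateExtractorUtil.extract} validates the chain, {@code notBefore} or
 *       revocation is not visible here; verify before relying on it.</li>
 *   <li>When no certificate is present, no {@link TppInfo} is set and no error is written;
 *       later components must not treat such a request as an authenticated TPP.</li>
 * </ul>
 */
@Component
/* loaded from: input_file:BOOT-INF/lib/xs2a-impl-9.6.jar:de/adorsys/psd2/xs2a/web/filter/QwacCertificateFilter.class */
public class QwacCertificateFilter extends AbstractXs2aFilter {
    private static final Logger log = LoggerFactory.getLogger(QwacCertificateFilter.class);
    private final TppInfoHolder tppInfoHolder;
    private final RequestProviderService requestProviderService;
    private final TppRoleValidationService tppRoleValidationService;
    private final TppService tppService;
    private final AspspProfileServiceWrapper aspspProfileService;
    private final Xs2aTppInfoMapper xs2aTppInfoMapper;
    private final TppInfoRolesMapper tppInfoRolesMapper;
    private final TppErrorMessageWriter tppErrorMessageWriter;

    /**
     * Creates the filter with its collaborators.
     *
     * <p>The first {@code TppErrorMessageWriter} and the {@code Xs2aEndpointChecker} are handed
     * to the superclass; the second writer ({@code tppErrorMessageWriter2}) is the one this
     * class uses for its own error responses.
     */
    public QwacCertificateFilter(TppErrorMessageWriter tppErrorMessageWriter, Xs2aEndpointChecker xs2aEndpointChecker, TppInfoHolder tppInfoHolder, RequestProviderService requestProviderService, TppRoleValidationService tppRoleValidationService, TppService tppService, AspspProfileServiceWrapper aspspProfileServiceWrapper, Xs2aTppInfoMapper xs2aTppInfoMapper, TppInfoRolesMapper tppInfoRolesMapper, TppErrorMessageWriter tppErrorMessageWriter2) {
        super(tppErrorMessageWriter, xs2aEndpointChecker);
        this.tppInfoHolder = tppInfoHolder;
        this.requestProviderService = requestProviderService;
        this.tppRoleValidationService = tppRoleValidationService;
        this.tppService = tppService;
        this.aspspProfileService = aspspProfileServiceWrapper;
        this.xs2aTppInfoMapper = xs2aTppInfoMapper;
        this.tppInfoRolesMapper = tppInfoRolesMapper;
        this.tppErrorMessageWriter = tppErrorMessageWriter2;
    }

    /**
     * Validates the TPP certificate and roles, then continues the filter chain.
     *
     * <p>An error response is written and the chain is NOT continued when the certificate is
     * expired, cannot be extracted ({@link CertificateValidationException}), or the TPP lacks
     * access to the requested endpoint.
     *
     * @param httpServletRequest the incoming request, used for the role/endpoint check
     * @param httpServletResponse the response an error is written to on rejection
     * @param filterChain the remaining filters
     * @throws IOException if writing the error response or the downstream chain fails
     * @throws ServletException if the downstream chain fails
     */
    @Override // de.adorsys.psd2.xs2a.web.filter.GlobalAbstractExceptionFilter
    protected void doFilterInternalCustom(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain) throws IOException, ServletException {
        String encodedTppQwacCert = this.requestProviderService.getEncodedTppQwacCert();
        // No certificate: nothing is validated and no TppInfo is set; the request is passed on.
        if (StringUtils.isNotBlank(encodedTppQwacCert)) {
            try {
                TppCertificateData certificateData = CertificateExtractorUtil.extract(encodedTppQwacCert);
                if (isCertificateExpired(certificateData.getNotAfter())) {
                    buildCertificateExpiredErrorResponse(httpServletResponse);
                    return;
                }
                TppInfo tppInfo = this.xs2aTppInfoMapper.mapToTppInfo(certificateData);
                String tppRolesAllowedHeader = this.requestProviderService.getTppRolesAllowedHeader();
                boolean rolesHeaderPresent = StringUtils.isNotBlank(tppRolesAllowedHeader);
                boolean rolesFromCertificateSupported = this.aspspProfileService.isCheckTppRolesFromCertificateSupported();
                // The roles-allowed value wins over the certificate roles whenever it is non-blank.
                if (rolesHeaderPresent) {
                    processTppRolesFromHeader(tppInfo, tppRolesAllowedHeader);
                } else if (rolesFromCertificateSupported) {
                    processTppRolesFromCertificate(tppInfo, certificateData);
                }
                // With neither a roles value nor the profile option enabled, no role check runs here.
                if ((rolesHeaderPresent || rolesFromCertificateSupported) && !this.tppRoleValidationService.hasAccess(tppInfo, httpServletRequest)) {
                    buildRoleInvalidErrorResponse(httpServletResponse, certificateData);
                    return;
                }
                this.tppInfoHolder.setTppInfo(tppInfo);
            } catch (CertificateValidationException e) {
                buildCertificateInvalidNoAccessErrorResponse(httpServletResponse, e);
                return;
            }
        }
        filterChain.doFilter(httpServletRequest, httpServletResponse);
    }

    /**
     * Applies the PSP roles listed in the certificate to the TPP info.
     *
     * <p>NOTE(review): {@code TppRole.valueOf} throws {@link IllegalArgumentException} for a
     * role name that is not a {@code TppRole} constant; that exception is not caught in this
     * class — confirm how the surrounding exception filter reports it.
     */
    private void processTppRolesFromCertificate(TppInfo tppInfo, TppCertificateData tppCertificateData) {
        List<TppRole> roles = tppCertificateData.getPspRoles().stream()
                .map(TppRole::valueOf)
                .collect(Collectors.toList());
        setTppRolesAndUpdateTppInfo(tppInfo, roles);
    }

    /**
     * Applies the roles named in the comma-separated roles-allowed value to the TPP info.
     *
     * <p>A value that maps to no roles (or to {@code null}) leaves the roles already present
     * on {@code tppInfo} unchanged.
     */
    private void processTppRolesFromHeader(TppInfo tppInfo, String tppRolesAllowedHeader) {
        List<String> roleNames = Arrays.asList(tppRolesAllowedHeader.split(","));
        List<TppRole> roles = this.tppInfoRolesMapper.mapToTppRoles(roleNames);
        if (roles != null) {
            setTppRolesAndUpdateTppInfo(tppInfo, roles);
        }
    }

    /**
     * Sets a non-empty role list on the TPP info and passes the TPP info to
     * {@code TppService.updateTppInfo}; an empty list is ignored.
     */
    private void setTppRolesAndUpdateTppInfo(TppInfo tppInfo, List<TppRole> list) {
        if (list.isEmpty()) {
            return;
        }
        tppInfo.setTppRoles(list);
        // Runs on every request that resolves roles, including roles taken from the roles-allowed value.
        this.tppService.updateTppInfo(tppInfo);
    }

    /**
     * Tells whether the certificate's {@code notAfter} date lies in the past.
     *
     * <p>The comparison is made on absolute instants. Converting both sides to local
     * date-times in the system zone can order two instants wrongly during a daylight-saving
     * overlap, so an already expired certificate could briefly be accepted.
     *
     * @param date the certificate's {@code notAfter} date, may be {@code null}
     * @return {@code true} if {@code date} is {@code null} (fail closed) or before now
     */
    private boolean isCertificateExpired(Date date) {
        return date == null || date.before(new Date());
    }

    /** Logs the extraction failure and writes a CERTIFICATE_INVALID_NO_ACCESS error. */
    private void buildCertificateInvalidNoAccessErrorResponse(HttpServletResponse httpServletResponse, CertificateValidationException certificateValidationException) throws IOException {
        log.info("TPP unauthorised because CertificateValidationException: {}", certificateValidationException.getMessage());
        setResponseStatusAndErrorCode(httpServletResponse, MessageErrorCode.CERTIFICATE_INVALID_NO_ACCESS);
    }

    /** Logs the rejected TPP's authorisation number and writes a ROLE_INVALID error. */
    private void buildRoleInvalidErrorResponse(HttpServletResponse httpServletResponse, TppCertificateData tppCertificateData) throws IOException {
        log.info("Access forbidden for TPP with authorisation number: [{}]", tppCertificateData.getPspAuthorisationNumber());
        setResponseStatusAndErrorCode(httpServletResponse, MessageErrorCode.ROLE_INVALID);
    }

    /** Logs the expiry and writes a CERTIFICATE_EXPIRED error. */
    private void buildCertificateExpiredErrorResponse(HttpServletResponse httpServletResponse) throws IOException {
        log.info("TPP Certificate is expired");
        setResponseStatusAndErrorCode(httpServletResponse, MessageErrorCode.CERTIFICATE_EXPIRED);
    }

    /** Writes an ERROR-category message with the given error code to the response. */
    private void setResponseStatusAndErrorCode(HttpServletResponse httpServletResponse, MessageErrorCode messageErrorCode) throws IOException {
        this.tppErrorMessageWriter.writeError(httpServletResponse, new TppErrorMessage(MessageCategory.ERROR, messageErrorCode, new Object[0]));
    }
}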
