package com.yahoo.vespa.hosted.provision.restapi.v2.filter;

import com.google.inject.Inject;
import com.yahoo.config.provision.Zone;
import com.yahoo.jdisc.http.filter.DiscFilterRequest;
import com.yahoo.jdisc.http.filter.security.base.JsonSecurityRequestFilterBase;
import com.yahoo.log.LogLevel;
import com.yahoo.vespa.hosted.provision.NodeRepository;
import com.yahoo.vespa.hosted.provision.restapi.v2.filter.NodeIdentifier;
import com.yahoo.yolean.chain.Provides;
import java.security.cert.X509Certificate;
import java.util.List;
import java.util.Optional;
import java.util.logging.Logger;

/**
 * Security request filter that authenticates the caller from the client certificate chain
 * presented on the request.
 *
 * <p>A request with an empty chain is rejected with status 401. Otherwise the chain is handed
 * to {@link NodeIdentifier#resolveNode}, and the value it returns is installed as the request's
 * user principal. If resolution throws {@link NodeIdentifier.NodeIdentifierException}, the
 * failure is logged at WARNING level and the request is rejected with status 401.
 *
 * <p>This filter only establishes who the caller is. No authorization decision is visible in
 * this class; presumably a later filter or handler acts on the principal (confirm against the
 * filter chain configuration).
 */
@Provides({"NodeIdentifierFilter"})
public class NodeIdentifierFilter extends JsonSecurityRequestFilterBase {
    private static final Logger log = Logger.getLogger(NodeIdentifierFilter.class.getName());

    /** HTTP status sent for every rejection produced by this filter. */
    private static final int UNAUTHORIZED = 401;

    private final NodeIdentifier nodeIdentifier;

    /**
     * Creates the filter together with the {@link NodeIdentifier} it delegates to.
     *
     * @param zone           passed through to the {@link NodeIdentifier}
     * @param nodeRepository passed through to the {@link NodeIdentifier}
     */
    @Inject
    public NodeIdentifierFilter(Zone zone, NodeRepository nodeRepository) {
        nodeIdentifier = new NodeIdentifier(zone, nodeRepository);
    }

    /**
     * Identifies the caller and attaches the resulting principal to the request.
     *
     * @param discFilterRequest the incoming request; its user principal is set on success
     * @return an empty {@code Optional} when the caller was identified, otherwise the 401
     *         error response to send back
     */
    protected Optional<JsonSecurityRequestFilterBase.ErrorResponse> filter(DiscFilterRequest discFilterRequest) {
        final List<X509Certificate> certChain = discFilterRequest.getClientCertificateChain();
        if (certChain.isEmpty()) {
            // No certificate was presented, so there is nothing to identify the caller by.
            return reject(0, "Missing client certificate");
        }
        try {
            discFilterRequest.setUserPrincipal(nodeIdentifier.resolveNode(certChain));
        } catch (NodeIdentifier.NodeIdentifierException failure) {
            final String reason = failure.getMessage();
            // NOTE(review): the exception message may carry values taken from the presented
            // certificate; confirm that the log sink neutralises control characters.
            log.log(LogLevel.WARNING, "Node identification failed: " + reason, failure);
            // NOTE(review): the same message is returned to a caller that has not been
            // identified; confirm that NodeIdentifierException messages hold no internal detail.
            return reject(1, reason);
        }
        return Optional.empty();
    }

    /**
     * Builds a 401 rejection.
     *
     * @param code    second constructor argument of the error response; looks like an
     *                application-level error code (confirm against {@code ErrorResponse})
     * @param message text placed in the error response
     */
    private static Optional<JsonSecurityRequestFilterBase.ErrorResponse> reject(int code, String message) {
        return Optional.of(new JsonSecurityRequestFilterBase.ErrorResponse(UNAUTHORIZED, code, message));
    }
}
