package com.ibm.ws.proxy.security.sip;

import com.ibm.ejs.ras.Tr;
import com.ibm.ejs.ras.TraceComponent;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.proxy.filter.SipProxyServerFilter;
import com.ibm.ws.proxy.util.sip.extdomain.SipDomainInfo;
import com.ibm.ws.proxy.util.sip.extdomain.SipDomainList;
import com.ibm.wsspi.http.channel.values.StatusCodes;
import com.ibm.wsspi.proxy.config.ProxyConfig;
import com.ibm.wsspi.proxy.config.sip.SipExternalDomain;
import com.ibm.wsspi.proxy.config.sip.SipExternalDomainProtocol;
import com.ibm.wsspi.proxy.config.sip.SipProxyConfig;
import com.ibm.wsspi.proxy.config.sip.SipProxyCustomProperties;
import com.ibm.wsspi.proxy.filter.FilterConfig;
import com.ibm.wsspi.proxy.filter.sip.SipFilter;
import com.ibm.wsspi.proxy.filter.sip.SipFilterStatusCode;
import com.ibm.wsspi.proxy.filter.sip.SipProxyServiceContext;
import com.ibm.wsspi.sip.channel.SIPMessage;
import com.ibm.wsspi.sip.channel.protocol.SIPUri;
import com.ibm.wsspi.sip.channelutils.BNFHeaderKeys;
import com.ibm.wsspi.tcp.channel.SSLConnectionContext;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;
import java.util.Properties;
import java.util.Vector;
import java.util.regex.Pattern;
import javax.net.ssl.SSLSession;

/* loaded from: input_file:com/ibm/ws/proxy/security/sip/SipIdentityAssertFilter.class */
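/**
 * SIP proxy filter that decides whether the identity headers of a message
 * (P-Asserted-Identity, "PAI", and P-Preferred-Identity, "PPI") may cross the proxy.
 *
 * <p>Messages arriving from the server side keep their identity headers when the
 * request URI resolves to a configured external domain that carries a
 * distinguished name; otherwise the headers are removed when the Privacy header
 * asks for {@code id}.
 *
 * <p>Messages arriving from clients keep (or gain) a PAI header only when the TLS
 * peer principal matches the distinguished name of a configured external domain,
 * or when the client address matches an entry of the {@code trustedIPAddressList}
 * custom property. In every other case PAI and PPI are removed.
 *
 * <p>Security note: all removals are gated by the
 * {@code identityAssertionHeaderRemovalEnabled} custom property. When it is set to
 * {@code false}, identity headers supplied by untrusted peers pass through
 * unchanged, so nothing downstream may treat PAI as authenticated.
 */
public class SipIdentityAssertFilter extends SipProxyServerFilter {
    static final TraceComponent tc = Tr.register(SipIdentityAssertFilter.class, "SIP", SipFilter.TR_MSGS);

    /** Maps the configured protocol of an external domain to the integer passed to {@link SipDomainInfo}. */
    private static final Map<SipExternalDomainProtocol, Integer> protocolStringTable = new HashMap<>(3);

    // Classification of the Privacy header as returned by getPrivacyHeaderValue().
    private static final int PRIVACY_NOT_IN_MESSAGE = 0;
    private static final int PRIVACY_NONE = 1;
    private static final int PRIVACY_ID = 2;
    private static final int PRIVACY_SET = 3;

    /** Separator between entries of the trustedIPAddressList custom property. */
    private static final String IP_ADDR_SEPARATOR = ";";

    static {
        protocolStringTable.put(SipExternalDomainProtocol.TCP, Integer.valueOf(1));
        protocolStringTable.put(SipExternalDomainProtocol.UDP, Integer.valueOf(0));
        protocolStringTable.put(SipExternalDomainProtocol.TLS, Integer.valueOf(2));
    }

    // NOTE(review): sipDomainList and domainsInDomainList are replaced by
    // initDomainList() and read by doFilter() without synchronization - confirm the
    // container serializes configuration updates against message processing.
    private SipDomainList sipDomainList = new SipDomainList();

    /** Compiled trusted-address patterns, or null when none are configured. Guarded by trustedAddressListSync. */
    private Vector<Pattern> trustedAddressList = null;
    private final Object trustedAddressListSync = new Object();
    private boolean domainsInDomainList = false;
    private boolean removeIdentityAssertionHeaders = true;

    /**
     * Loads the external domain list and trust settings when the filter is first configured.
     *
     * @param proxyConfig proxy configuration to read the SIP settings from
     */
    @Override
    protected void initFilterConfig(ProxyConfig proxyConfig) {
        if (tc.isEventEnabled()) {
            Tr.event(tc, "Filter=" + this.filterConfig.getDisplayName() + " initialized from ProxyConfig");
        }
        initDomainList(proxyConfig);
    }

    /**
     * Reloads the external domain list and trust settings after a configuration change.
     *
     * @param proxyConfig the replacement proxy configuration
     */
    @Override
    protected void replaceFilterConfig(ProxyConfig proxyConfig) {
        if (tc.isEventEnabled()) {
            Tr.event(tc, "Filter=" + this.filterConfig.getDisplayName() + " replaced ProxyConfig");
        }
        initDomainList(proxyConfig);
    }

    /**
     * Traces the initialization from a {@link FilterConfig}; no state is read from it.
     *
     * @param filterConfig filter configuration supplied by the framework
     */
    @Override
    protected void initFilterConfig(FilterConfig filterConfig) {
        if (tc.isEventEnabled()) {
            Tr.event(tc, "Filter=" + filterConfig.getDisplayName() + " initialized from FilterConfig");
        }
    }

    /**
     * Rebuilds the external domain list, the trusted address patterns and the
     * header-removal switch from the SIP section of the proxy configuration.
     *
     * <p>Any exception is reported through FFDC and trace and then dropped, so a
     * failure leaves the previous domain list in place.
     *
     * @param proxyConfig proxy configuration to read from
     */
    private void initDomainList(ProxyConfig proxyConfig) {
        try {
            SipDomainList newDomainList = new SipDomainList();
            boolean hasDomains = false;
            SipProxyConfig sipProxyConfig = proxyConfig.getSipProxyConfig();
            if (sipProxyConfig != null) {
                for (SipExternalDomain externalDomain : sipProxyConfig.getExternalDomains()) {
                    // A protocol missing from protocolStringTable raises here and is
                    // handled by the catch below, which keeps the previous list.
                    SipDomainInfo sipDomainInfo = new SipDomainInfo(
                            externalDomain.getDomainName(),
                            externalDomain.getDistinguishedName(),
                            protocolStringTable.get(externalDomain.getProtocol()).intValue(),
                            externalDomain.getHost(),
                            externalDomain.getPort());
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "SipDomain " + sipDomainInfo.toString() + " added to list.");
                    }
                    newDomainList.addSipDomainInfo(sipDomainInfo);
                    hasDomains = true;
                }
                Properties customProperties = sipProxyConfig.getCustomProperties();
                Vector<Pattern> newTrustedAddresses = null;
                if (customProperties != null) {
                    String addressProperty = customProperties.getProperty(SipProxyCustomProperties.trustedIPAddressList);
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "trustedIPAddressList is set [" + addressProperty + "]");
                    }
                    newTrustedAddresses = parseTrustedAddresses(addressProperty);
                    String removalProperty = customProperties.getProperty(SipProxyCustomProperties.identityAssertionHeaderRemovalEnabled);
                    if (removalProperty != null) {
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "identityAssertionHeaderRemovalEnabled is set [" + removalProperty + "]");
                        }
                        this.removeIdentityAssertionHeaders = Boolean.parseBoolean(removalProperty);
                    }
                }
                // Publish the finished list under the lock. The previous code reset the
                // field to null right after parsing, which discarded every configured entry.
                synchronized (this.trustedAddressListSync) {
                    this.trustedAddressList = newTrustedAddresses;
                }
            } else if (tc.isDebugEnabled()) {
                Tr.debug(tc, "SipProxyConfig == null. No External Domain Support!!");
            }
            this.sipDomainList = newDomainList;
            this.domainsInDomainList = hasDomains;
        } catch (Exception e) {
            FFDCFilter.processException(e, "com.ibm.ws.proxy.security.sip.SipIdentityAssertFilter.initDomainList", "1", this);
            if (tc.isEventEnabled()) {
                Tr.event(tc, "Filter=" + this.filterConfig.getDisplayName() + " is unable to init the external domain list because exception=" + e + ".");
            }
        }
    }

    /**
     * Compiles the trustedIPAddressList property into one pattern per entry.
     *
     * <p>Entries are separated by {@code ;}. In each entry {@code .} is taken
     * literally and {@code *} matches any run of characters. Blank entries are
     * skipped: an empty pattern must never become a trust rule.
     *
     * @param property raw property value, may be null or empty
     * @return the compiled patterns, or null when the property is null or empty
     */
    private static Vector<Pattern> parseTrustedAddresses(String property) {
        if (property == null || property.equals("")) {
            return null;
        }
        Vector<Pattern> patterns = new Vector<>();
        for (String entry : property.split("\\" + IP_ADDR_SEPARATOR)) {
            String trimmed = entry.trim();
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "parsed out [" + trimmed + "]");
            }
            if (trimmed.isEmpty()) {
                continue;
            }
            // NOTE(review): regex metacharacters other than '.' and '*' reach
            // Pattern.compile unescaped - confirm whether entries are meant to allow them.
            patterns.add(Pattern.compile(trimmed.replaceAll("\\.", "\\\\.").replaceAll("\\*", ".*")));
        }
        return patterns;
    }

    /**
     * Applies the identity-assertion policy to one message.
     *
     * @param sipProxyServiceContext context of the message being proxied
     * @return always {@link SipFilterStatusCode#STATUS_FILTER_SUCCESS}
     * @throws Exception if reading the message or its connection data fails
     */
    @Override
    public StatusCodes doFilter(SipProxyServiceContext sipProxyServiceContext) throws Exception {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "doFilter");
        }
        SIPMessage message = sipProxyServiceContext.getMessage();
        if (sipProxyServiceContext.isServerConnection()) {
            filterServerMessage(sipProxyServiceContext, message);
        } else {
            filterClientMessage(sipProxyServiceContext, message);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "doFilter");
        }
        return SipFilterStatusCode.STATUS_FILTER_SUCCESS;
    }

    /**
     * Handles a message that arrived on a server connection: identity headers are
     * kept for a destination domain with a distinguished name, otherwise they are
     * removed when the Privacy header asks for {@code id}.
     */
    private void filterServerMessage(SipProxyServiceContext sipProxyServiceContext, SIPMessage message) throws Exception {
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "This is a connection from the server.");
        }
        boolean trustedDestination = false;
        SipDomainInfo destination = this.sipDomainList.findDomain(
                SIPUri.createSIPUri(sipProxyServiceContext.getMessage().getRequestUri()).getBaseSIPUri(),
                sipProxyServiceContext.getTransportType());
        if (destination != null) {
            String distinguishedName = destination.getDistinguishedName();
            if (distinguishedName != null && !distinguishedName.equals("")) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "message is going to a trusted domain " + distinguishedName);
                }
                trustedDestination = true;
                message.setDistinguishedName(distinguishedName);
            } else if (tc.isDebugEnabled()) {
                Tr.debug(tc, "message is going to a domain but it doesn't have a Distinguished Name");
            }
        }
        if (trustedDestination) {
            return;
        }
        if (getPrivacyHeaderValue(message) != PRIVACY_ID) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Did not strip off the PAI or PPI because the Privacy header did NOT tell me to");
            }
            return;
        }
        if (this.removeIdentityAssertionHeaders) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Stripping off the PAI and PPI because the Privacy header was set to 'id'");
            }
            removeAllHeadersInMessage(message, SIPMessage.HDR_IDENTITY_ASSERTED);
            removeAllHeadersInMessage(message, SIPMessage.HDR_PREFFERED_IDENTITY);
        } else if (tc.isDebugEnabled()) {
            // Trace what really happened, so the log does not claim a removal that was skipped.
            Tr.debug(tc, "Privacy header was set to 'id' but identity assertion header removal is disabled; PAI and PPI left in place");
        }
    }

    /**
     * Handles a message that arrived on a client connection: the peer is trusted
     * through its TLS principal or its address, otherwise PAI and PPI are removed.
     */
    private void filterClientMessage(SipProxyServiceContext sipProxyServiceContext, SIPMessage message) throws Exception {
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "This is a connection from clients.");
        }
        boolean trustedPeer = false;
        if (this.domainsInDomainList) {
            SSLConnectionContext sslContext = sipProxyServiceContext.getSSLContext();
            if (sslContext != null && sipProxyServiceContext.isSecure()) {
                SSLSession session = sslContext.getSession();
                if (session != null) {
                    trustedPeer = assertIdentityForTrustedPeer(session, message);
                } else if (tc.isEventEnabled()) {
                    Tr.event(tc, "Could not get SSLSession from sslContext....");
                }
            } else if (tc.isEventEnabled()) {
                Tr.event(tc, "Not a SSL Connection....");
            }
        } else if (tc.isDebugEnabled()) {
            Tr.debug(tc, "No external domains defined.  Not getting SSL information.");
        }
        if (!trustedPeer) {
            String hostAddress = sipProxyServiceContext.getClientAddr().getHostAddress();
            // isTrustedAddress() returns false when no list is configured.
            if (!isTrustedAddress(hostAddress) && this.removeIdentityAssertionHeaders) {
                removeAllHeadersInMessage(message, SIPMessage.HDR_IDENTITY_ASSERTED);
                removeAllHeadersInMessage(message, SIPMessage.HDR_PREFFERED_IDENTITY);
            }
        }
    }

    /**
     * Checks the TLS peer principal against the configured distinguished names
     * and, for a matching peer without a PAI header, adds one taken from the PPI
     * header or, failing that, from the From header.
     *
     * @return true when the peer principal matched a configured domain, even if
     *         adding the header failed afterwards
     */
    private boolean assertIdentityForTrustedPeer(SSLSession session, SIPMessage message) {
        boolean trustedPeer = false;
        try {
            String peerName = session.getPeerPrincipal().getName();
            SipDomainInfo matchedDomain = this.sipDomainList.findDistinuishedName(peerName);
            if (matchedDomain == null) {
                if (tc.isEventEnabled()) {
                    Tr.event(tc, "Did not find distinuished name [" + peerName + "] in domainlist.");
                }
                return false;
            }
            if (tc.isEventEnabled()) {
                Tr.event(tc, "Found distinuished name [" + peerName + "] in domainlist [" + matchedDomain.toString() + "].");
            }
            trustedPeer = true;
            String assertedIdentity = message.retrieveHeaderInUTF8Format(SIPMessage.HDR_IDENTITY_ASSERTED);
            if (assertedIdentity != null && !assertedIdentity.equals("")) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Found existing PAI header [" + assertedIdentity + "] using it.");
                }
                return true;
            }
            String identity = message.retrieveHeaderInUTF8Format(SIPMessage.HDR_PREFFERED_IDENTITY, 0);
            if (identity == null || identity.equals("")) {
                identity = message.retrieveHeaderInUTF8Format(SIPMessage.HDR_FROM, 0);
            } else if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Found PPI header, using it [" + identity + "]");
            }
            if (identity == null || identity.equals("")) {
                // Nothing usable to assert; do not add an empty PAI header.
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Did not find existing PAI header and no PPI or From value to use");
                }
                return true;
            }
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Did not find existing PAI header, using [" + identity + "]");
            }
            message.prependHeader(SIPMessage.HDR_IDENTITY_ASSERTED, identity);
        } catch (Exception e) {
            // Best effort: a peer without a verified principal is simply not trusted.
            if (tc.isEventEnabled()) {
                Tr.event(tc, "Caught " + e + " when trying to get getPeerPrincipal().getName()");
            }
        }
        return trustedPeer;
    }

    /**
     * Removes every instance of the given header from the message.
     *
     * @param sIPMessage message to modify
     * @param bNFHeaderKeys header to remove
     */
    private void removeAllHeadersInMessage(SIPMessage sIPMessage, BNFHeaderKeys bNFHeaderKeys) {
        int instances = sIPMessage.getNumberOfHeaderInstances(bNFHeaderKeys);
        if (tc.isDebugEnabled() && instances > 0) {
            Tr.debug(tc, "Removing extra " + instances + ":" + bNFHeaderKeys.getName() + " header values.");
        }
        sIPMessage.removeHeader(bNFHeaderKeys);
    }

    /**
     * Classifies the Privacy header of a message.
     *
     * @param sIPMessage message to inspect
     * @return {@code PRIVACY_NOT_IN_MESSAGE} when there is no Privacy header,
     *         {@code PRIVACY_ID} when one of its values is {@code id},
     *         {@code PRIVACY_NONE} when one is {@code none}, otherwise {@code PRIVACY_SET}
     */
    private int getPrivacyHeaderValue(SIPMessage sIPMessage) {
        int privacy = PRIVACY_NOT_IN_MESSAGE;
        if (sIPMessage.getNumberOfHeaderInstances("Privacy") > 0) {
            privacy = classifyPrivacy(sIPMessage.retrieveHeaderInUTF8Format("Privacy"));
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "getPrivacyHeaderValue: returning " + privacy);
        }
        return privacy;
    }

    /**
     * Maps a raw Privacy header value to one of the PRIVACY_* constants.
     *
     * <p>The header carries a ';'-separated list of values (RFC 3323), so
     * "id;critical" must still be recognised as a request to hide the identity;
     * comparing the whole string with "id" would miss it.
     */
    private static int classifyPrivacy(String headerValue) {
        if (headerValue == null) {
            // Header counted but unreadable: report it as present with an unknown value.
            return PRIVACY_SET;
        }
        boolean sawNone = false;
        for (String value : headerValue.split(";")) {
            String token = value.trim();
            if (token.equalsIgnoreCase("id")) {
                return PRIVACY_ID;
            }
            if (token.equalsIgnoreCase("none")) {
                sawNone = true;
            }
        }
        return sawNone ? PRIVACY_NONE : PRIVACY_SET;
    }

    /**
     * Tells whether an address matches one of the configured trusted address patterns.
     *
     * <p>The whole address must match. A substring search would let an entry such
     * as {@code 10.0.0.*} also accept {@code 210.0.0.7}, and an exact entry accept
     * any longer address that merely contains it.
     *
     * @param str textual address of the peer, may be null
     * @return true when a pattern matches the complete address; false when the
     *         address is null or no list is configured
     */
    public boolean isTrustedAddress(String str) {
        if (str == null) {
            return false;
        }
        synchronized (this.trustedAddressListSync) {
            if (this.trustedAddressList == null) {
                return false;
            }
            for (Pattern pattern : this.trustedAddressList) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "comparing [" + str + "] to [" + pattern.toString() + "]");
                }
                if (pattern.matcher(str).matches()) {
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "EQUALS [" + str + "] to [" + pattern.toString() + "]");
                    }
                    return true;
                }
            }
        }
        return false;
    }
}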
