package weblogic.servlet.security.internal;

import java.io.IOException;
import java.security.AccessController;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import weblogic.application.SecurityRole;
import weblogic.application.utils.ApplicationVersionUtils;
import weblogic.j2ee.descriptor.SecurityConstraintBean;
import weblogic.j2ee.descriptor.WebResourceCollectionBean;
import weblogic.management.DeploymentException;
import weblogic.management.security.DeploymentModel;
import weblogic.management.servlet.ConnectionSigner;
import weblogic.security.SubjectUtils;
import weblogic.security.acl.internal.AuthenticatedSubject;
import weblogic.security.service.AuthorizationManager;
import weblogic.security.service.AuthorizationManagerDeployHandle;
import weblogic.security.service.DeployHandleCreationException;
import weblogic.security.service.PrivilegedActions;
import weblogic.security.service.ResourceBase;
import weblogic.security.service.ResourceCreationException;
import weblogic.security.service.ResourceRemovalException;
import weblogic.security.service.RoleCreationException;
import weblogic.security.service.RoleManager;
import weblogic.security.service.RoleManagerDeployHandle;
import weblogic.security.service.RoleRemovalException;
import weblogic.security.service.SecurityService;
import weblogic.security.service.SecurityServiceManager;
import weblogic.security.service.URLResource;
import weblogic.servlet.HTTPLogger;
import weblogic.servlet.internal.ServletRequestImpl;
import weblogic.servlet.internal.ServletStubImpl;
import weblogic.servlet.internal.WebAppConfigManager;
import weblogic.servlet.internal.WebAppServletContext;
import weblogic.servlet.utils.StandardURLMapping;
import weblogic.servlet.utils.URLMappingFactory;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:weblogic/servlet/security/internal/WebAppSecurityWLS.class */
/**
 * {@link WebAppSecurity} implementation that delegates role and URL-policy deployment, and
 * per-request access decisions, to the realm's {@link RoleManager} and
 * {@link AuthorizationManager}.
 *
 * <p>This source is decompiler output, so local variable and parameter names
 * ({@code str}, {@code strArr}, {@code z}, ...) are synthetic and several access modifiers
 * were widened by the decompiler.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>Constraints are indexed first by HTTP method, then by URL pattern. A request whose
 *       method has no entry falls back to the method-less ({@code ""}) mapping.</li>
 *   <li>Without full delegation, a request that matches no constraint is allowed by
 *       {@link #hasPermission}.</li>
 *   <li>In admin mode, signed connections to internal apps are allowed before any subject
 *       or constraint check.</li>
 * </ul>
 */
public final class WebAppSecurityWLS extends WebAppSecurity {
    // Kernel identity obtained inside a privileged action; within this class it is used only
    // by the constructor to look up the realm's security services.
    private static final AuthenticatedSubject KERNEL_ID = (AuthenticatedSubject) AccessController.doPrivileged(PrivilegedActions.getKernelIdentityAction());
    private final AuthorizationManager authManager;
    private final RoleManager roleManager;
    // Result of SecurityServiceManager.isFullAuthorizationDelegationRequired(...) for this app's realm.
    private final boolean fullDelegation;
    // True when the security DD model is CUSTOM_ROLES or CUSTOM_ROLES_POLICIES.
    private final boolean customRoles;
    private final RoleManagerDeployHandle roleMgrHandle;
    private final AuthorizationManagerDeployHandle authMgrHandle;
    // HTTP method ("" when the constraint names no method) -> StandardURLMapping of
    // url-pattern -> ResourceConstraint. Created lazily by deployPolicies().
    private HashMap constraintsMap;

    /**
     * Looks up the AUTHORIZE and ROLE services for the context's security realm and opens the
     * policy and role deployment handles.
     *
     * @param webAppServletContext the web application context being secured
     * @throws DeploymentException if a deployment handle cannot be created
     */
    public WebAppSecurityWLS(WebAppServletContext webAppServletContext) throws DeploymentException {
        super(webAppServletContext);
        this.authManager = (AuthorizationManager) SecurityServiceManager.getSecurityService(KERNEL_ID, webAppServletContext.getSecurityRealmName(), SecurityService.ServiceType.AUTHORIZE);
        this.roleManager = (RoleManager) SecurityServiceManager.getSecurityService(KERNEL_ID, webAppServletContext.getSecurityRealmName(), SecurityService.ServiceType.ROLE);
        try {
            this.authMgrHandle = this.authManager.startDeployPolicies(this.secureAppInfo);
            this.roleMgrHandle = this.roleManager.startDeployRoles(this.secureAppInfo);
            String securityDDModel = this.secureAppInfo.getSecurityDDModel();
            this.customRoles = securityDDModel.equals(DeploymentModel.CUSTOM_ROLES) || securityDDModel.equals(DeploymentModel.CUSTOM_ROLES_POLICIES);
            this.fullDelegation = SecurityServiceManager.isFullAuthorizationDelegationRequired(webAppServletContext.getSecurityRealmName(), this.secureAppInfo);
        } catch (DeployHandleCreationException e) {
            throw new DeploymentException(e);
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /** Returns the full-delegation flag computed in the constructor. */
    @Override // weblogic.servlet.security.internal.WebAppSecurity
    public boolean isFullSecurityDelegationRequired() {
        return this.fullDelegation;
    }

    /** Always {@code false} for this implementation. */
    @Override // weblogic.servlet.security.internal.WebAppSecurity
    protected boolean isJaccEnabled() {
        return false;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /** Returns the authorization manager resolved in the constructor. */
    public AuthorizationManager getAuthManager() {
        return this.authManager;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /** Returns the policy deployment handle opened in the constructor. */
    public AuthorizationManagerDeployHandle getAuthMgrHandle() {
        return this.authMgrHandle;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /** Returns the inherited {@code roles} set itself, not a copy. */
    public Set getRoles() {
        return this.roles;
    }

    /**
     * Deploys one role through the role manager; a failure is logged and rethrown.
     *
     * @param resourceBase resource the role is scoped to
     * @param str role name
     * @param strArr principal names mapped to the role
     * @throws DeploymentException wrapping a {@link RoleCreationException}
     */
    private void deployRole(ResourceBase resourceBase, String str, String[] strArr) throws DeploymentException {
        try {
            this.roleManager.deployRole(this.roleMgrHandle, resourceBase, str, strArr);
        } catch (RoleCreationException e) {
            HTTPLogger.logCouldNotDeployRole(str, this.context.getURI(), ApplicationVersionUtils.getDisplayName(this.context.getApplicationId()), e);
            throw new DeploymentException(e);
        }
    }

    /**
     * Deploys every role in the inherited {@code roles} set against a URL resource that covers
     * the whole web application ({@code "/"} under strict URL patterns, otherwise {@code "/*"}).
     *
     * <p>Compatibility mode: a role with mapped principals is deployed with them unless the
     * mapping is externally defined. A role with no mapped principals is, unless custom roles
     * are in use, deployed with the role name itself as its only principal name; these
     * implicit mappings are collected and logged once at the end.
     *
     * <p>Other modes: principals from the web app's role mapping and from the
     * application-level {@link SecurityRole} are combined. If neither supplies principals, a
     * role with an empty principal list is deployed only in application security mode.
     *
     * @throws DeploymentException if any role fails to deploy
     */
    @Override // weblogic.servlet.security.internal.WebAppSecurity
    protected void deployRoles() throws DeploymentException {
        if (this.roles.isEmpty()) {
            return;
        }
        URLResource uRLResource = new URLResource(this.context.getApplicationId(), this.context.getContextPath(), getEnforceStrictURLPattern() ? "/" : "/*", (String) null, (String) null);
        // stringBuffer / i accumulate the implicitly mapped role names and their count for logging.
        StringBuffer stringBuffer = null;
        int i = 0;
        Iterator it = this.roles.iterator();
        while (it.hasNext()) {
            String str = (String) it.next();
            String[] strArr = (String[]) this.roleMapping.get(str);
            // z: the web app's role mapping supplies at least one principal for this role.
            boolean z = strArr != null && strArr.length > 0;
            if (isCompatibilitySecMode()) {
                if (z) {
                    if (!isExternallyDefined(strArr)) {
                        deployRole(uRLResource, str, strArr);
                    }
                } else if (!this.customRoles) {
                    // Implicit mapping: the role name is used as the principal name.
                    // NOTE(review): a principal whose name equals the role name is therefore
                    // granted the role; audit the logCreatingImplicitMapForRoles message below.
                    deployRole(uRLResource, str, new String[]{str});
                    if (i < 1) {
                        stringBuffer = new StringBuffer();
                        stringBuffer.append(str);
                    } else {
                        stringBuffer.append(", " + str);
                    }
                    i++;
                }
            } else if (!isExternallyDefined(strArr)) {
                SecurityRole securityRole = this.context.getApplicationContext().getSecurityRole(str);
                String[] strArr2 = null;
                if (securityRole != null) {
                    strArr2 = securityRole.getPrincipalNames();
                }
                // z2: the application-level role supplies at least one principal.
                boolean z2 = strArr2 != null && strArr2.length > 0;
                if (z || z2) {
                    if (securityRole == null || !securityRole.isExternallyDefined()) {
                        if (z2) {
                            if (z) {
                                // Both sources have principals: concatenate web-app ones, then app-level ones.
                                String[] strArr3 = new String[strArr2.length + strArr.length];
                                System.arraycopy(strArr, 0, strArr3, 0, strArr.length);
                                System.arraycopy(strArr2, 0, strArr3, strArr.length, strArr2.length);
                                strArr = strArr3;
                            } else {
                                strArr = strArr2;
                            }
                        }
                        if (strArr.length > 0) {
                            deployRole(uRLResource, str, strArr);
                        }
                    } else if (z) {
                        // Application-level role is externally defined: deploy only the web app's own mapping.
                        deployRole(uRLResource, str, strArr);
                    }
                } else if (isApplicationSecMode()) {
                    deployRole(uRLResource, str, new String[0]);
                }
            }
        }
        if (stringBuffer != null) {
            HTTPLogger.logCreatingImplicitMapForRoles(this.context.getLogContext(), i == 1 ? "role" : "roles", i == 1 ? "has" : "have", stringBuffer.toString());
        }
    }

    /**
     * Adds one constraint to {@code constraintsMap}, merging it with any constraint already
     * registered for the same HTTP method and URL pattern.
     *
     * <p>Merge rules as coded: if either side has {@code null} roles, the side with
     * {@code null} roles is kept; otherwise if either side has an empty role array, that side
     * is kept; otherwise the existing roles are added to the incoming constraint.
     * Presumably {@code null} roles mean "no auth-constraint" and an empty array means
     * "access precluded" - confirm against {@code ResourceConstraint}.
     *
     * <p>Dereferences {@code constraintsMap} without a null check, so it relies on
     * {@link #deployPolicies} having created the map.
     *
     * @param resourceConstraint the incoming constraint
     * @throws DeploymentException if the constraint's URL pattern is rejected as invalid
     */
    private void mergePolicy(ResourceConstraint resourceConstraint) throws DeploymentException {
        if (URLMappingFactory.isInvalidUrlPattern(this.context.getUrlMatchMap(), resourceConstraint.getResourceId())) {
            throw new DeploymentException("The url-pattern, '" + resourceConstraint.getResourceId() + "' is not valid");
        }
        String httpMethod = resourceConstraint.getHttpMethod();
        if (httpMethod == null) {
            // Constraints without an HTTP method are stored under the "" key.
            httpMethod = "";
        }
        StandardURLMapping standardURLMapping = (StandardURLMapping) this.constraintsMap.get(httpMethod);
        if (standardURLMapping == null) {
            StandardURLMapping createCompatibleURLMapping = URLMappingFactory.createCompatibleURLMapping(this.context.getUrlMatchMap(), this.context.getServletClassLoader(), WebAppConfigManager.isCaseInsensitive(), getEnforceStrictURLPattern());
            this.constraintsMap.put(httpMethod, createCompatibleURLMapping);
            createCompatibleURLMapping.put(resourceConstraint.getResourceId(), resourceConstraint);
            return;
        }
        // Take out any constraint already stored for this exact pattern so the merged result replaces it.
        ResourceConstraint resourceConstraint2 = (ResourceConstraint) standardURLMapping.removePattern(resourceConstraint.getResourceId());
        if (resourceConstraint2 != null) {
            int transportGuarantee = resourceConstraint.getTransportGuarantee();
            int transportGuarantee2 = resourceConstraint2.getTransportGuarantee();
            if (transportGuarantee != transportGuarantee2) {
                // The numerically larger transport guarantee is written to the incoming constraint.
                // NOTE(review): when a branch below keeps the existing constraint
                // (resourceConstraint2) instead, that object's own transport guarantee is stored
                // unchanged, so a larger value on the incoming constraint is not carried over.
                // Confirm this is intended.
                resourceConstraint.setTransportGuarantee(transportGuarantee > transportGuarantee2 ? transportGuarantee : transportGuarantee2);
            }
            if (resourceConstraint2.getRoles() == null || resourceConstraint.getRoles() == null) {
                resourceConstraint = resourceConstraint2.getRoles() == null ? resourceConstraint2 : resourceConstraint;
            } else if (resourceConstraint2.getRoles().length == 0 || resourceConstraint.getRoles().length == 0) {
                resourceConstraint = resourceConstraint2.getRoles().length == 0 ? resourceConstraint2 : resourceConstraint;
            } else {
                resourceConstraint.addRoles(resourceConstraint2.getRoles());
            }
        }
        standardURLMapping.put(resourceConstraint.getResourceId(), resourceConstraint);
    }

    /**
     * Builds a {@link ResourceConstraint} for each URL pattern and merges it.
     *
     * @param strArr URL patterns; {@code null} is treated as empty
     * @param str HTTP method, or {@code null} for a method-less constraint
     * @param securityConstraintBean the descriptor constraint the patterns belong to
     * @throws DeploymentException if a pattern is invalid
     */
    private void mergePatterns(String[] strArr, String str, SecurityConstraintBean securityConstraintBean) throws DeploymentException {
        for (int i = 0; strArr != null && i < strArr.length; i++) {
            String fixupURLPattern = fixupURLPattern(strArr[i]);
            // For internal apps without strict URL patterns, "/" is widened to "/*".
            if (getContext().isInternalApp() && fixupURLPattern.equals("/") && !getEnforceStrictURLPattern()) {
                fixupURLPattern = "/*";
            }
            mergePolicy(new ResourceConstraint(fixupURLPattern, str, securityConstraintBean));
        }
    }

    /**
     * Merges every web-resource-collection of every constraint into {@code constraintsMap}.
     * A collection that lists no HTTP methods is registered once with a {@code null} method;
     * otherwise it is registered once per listed method.
     *
     * @param securityConstraintBeanArr descriptor constraints; {@code null} or empty is a no-op
     * @throws DeploymentException if a URL pattern is invalid
     */
    protected void mergePolicies(SecurityConstraintBean[] securityConstraintBeanArr) throws DeploymentException {
        if (securityConstraintBeanArr == null || securityConstraintBeanArr.length < 1) {
            return;
        }
        for (int i = 0; i < securityConstraintBeanArr.length; i++) {
            WebResourceCollectionBean[] webResourceCollections = securityConstraintBeanArr[i].getWebResourceCollections();
            for (int i2 = 0; webResourceCollections != null && i2 < webResourceCollections.length; i2++) {
                String[] httpMethods = webResourceCollections[i2].getHttpMethods();
                if (httpMethods == null || httpMethods.length == 0) {
                    mergePatterns(webResourceCollections[i2].getUrlPatterns(), null, securityConstraintBeanArr[i]);
                }
                for (int i3 = 0; httpMethods != null && i3 < httpMethods.length; i3++) {
                    mergePatterns(webResourceCollections[i2].getUrlPatterns(), httpMethods[i3], securityConstraintBeanArr[i]);
                }
            }
        }
    }

    /**
     * Merges the given constraints into {@code constraintsMap} (creating it on first use) and
     * then calls {@code deploy(this)} on every constraint currently in the map.
     *
     * @param securityConstraintBeanArr descriptor constraints; {@code null} or empty is a no-op
     * @throws DeploymentException if merging or deployment fails
     */
    @Override // weblogic.servlet.security.internal.WebAppSecurity
    protected void deployPolicies(SecurityConstraintBean[] securityConstraintBeanArr) throws DeploymentException {
        if (securityConstraintBeanArr == null || securityConstraintBeanArr.length < 1) {
            return;
        }
        if (this.constraintsMap == null) {
            this.constraintsMap = new HashMap();
        }
        mergePolicies(securityConstraintBeanArr);
        Iterator it = this.constraintsMap.values().iterator();
        while (it.hasNext()) {
            for (Object obj : ((StandardURLMapping) it.next()).values()) {
                ((ResourceConstraint) obj).deploy(this);
            }
        }
    }

    /**
     * Undeploys all policies and then all roles for this application. Each failure is logged
     * and not rethrown, so the role undeploy is attempted even if the policy undeploy fails.
     */
    @Override // weblogic.servlet.security.internal.WebAppSecurity
    public void unregister() {
        super.unregister();
        try {
            this.authManager.undeployAllPolicies(this.authMgrHandle);
        } catch (ResourceRemovalException e) {
            HTTPLogger.logFailedToUndeploySecurityPolicy(this.context.getLogContext(), e);
        }
        try {
            this.roleManager.undeployAllRoles(this.roleMgrHandle);
        } catch (RoleRemovalException e2) {
            HTTPLogger.logFailedToUndeploySecurityRole(this.context.getLogContext(), e2);
        }
    }

    /**
     * Resolves the constraint for a request from its relative URI and HTTP method.
     *
     * @return the matching constraint, or {@code null} if none applies
     */
    @Override // weblogic.servlet.security.internal.WebAppSecurity
    public ResourceConstraint getConstraint(HttpServletRequest httpServletRequest) {
        return getConstraint(getRelativeURI(httpServletRequest), httpServletRequest.getMethod());
    }

    /**
     * Looks up a constraint by URI and HTTP method.
     *
     * <p>The method-specific mapping is consulted first, keyed by the method string exactly as
     * given. If there is no mapping for that method, or no pattern in it matches, the lookup
     * is repeated against the method-less ({@code ""}) mapping.
     *
     * <p>NOTE(review): a constraint registered only under specific HTTP methods is not found
     * for any other method; such a request gets whatever the method-less mapping yields,
     * possibly {@code null}.
     *
     * @param str relative URI to match
     * @param str2 HTTP method, or {@code null} to consult only the method-less mapping
     * @return the matching constraint, or {@code null} if none applies
     */
    private ResourceConstraint getConstraint(String str, String str2) {
        ResourceConstraint resourceConstraint;
        if (this.constraintsMap == null) {
            return null;
        }
        if (str2 != null) {
            StandardURLMapping standardURLMapping = (StandardURLMapping) this.constraintsMap.get(str2);
            return (standardURLMapping == null || (resourceConstraint = (ResourceConstraint) standardURLMapping.get(str)) == null) ? getConstraint(str, null) : resourceConstraint;
        }
        StandardURLMapping standardURLMapping2 = (StandardURLMapping) this.constraintsMap.get("");
        if (standardURLMapping2 == null) {
            return null;
        }
        return (ResourceConstraint) standardURLMapping2.get(str);
    }

    /**
     * Decides whether the subject may access the requested URL.
     *
     * <p>Order of checks as coded:
     * <ol>
     *   <li>Admin mode, internal app and a signed connection: allowed immediately.</li>
     *   <li>Admin mode otherwise: the result of {@code checkAdminMode(subject)}.</li>
     *   <li>Full delegation: denied only when the constraint requires login and there is no
     *       subject; every other case goes to the authorization manager.</li>
     *   <li>No full delegation: no constraint or an unrestricted one allows; a forbidden one
     *       denies; a login-required one allows any non-null subject; a null subject is
     *       denied; everything else goes to the authorization manager.</li>
     * </ol>
     * When the authorization manager is consulted with a {@code null} subject, the anonymous
     * subject is substituted.
     *
     * @param resourceConstraint the constraint resolved for this request, or {@code null}
     * @return {@code true} if access is allowed
     */
    @Override // weblogic.servlet.security.internal.WebAppSecurity
    public boolean hasPermission(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticatedSubject authenticatedSubject, ResourceConstraint resourceConstraint) {
        // Signed connections to internal apps skip both the subject and the constraint while in
        // admin mode; the decision rests entirely on ConnectionSigner.isConnectionSigned.
        if (this.context.isAdminMode() && this.context.isInternalApp() && ConnectionSigner.isConnectionSigned(httpServletRequest)) {
            return true;
        }
        if (this.context.isAdminMode()) {
            return checkAdminMode(authenticatedSubject);
        }
        if (this.fullDelegation) {
            if (resourceConstraint != null && resourceConstraint.isLoginRequired() && authenticatedSubject == null) {
                return false;
            }
        } else {
            // Without full delegation a request that matched no constraint is allowed here,
            // so coverage depends on the url-pattern / http-method lists in the descriptor.
            if (resourceConstraint == null || resourceConstraint.isUnrestricted()) {
                return true;
            }
            if (resourceConstraint.isForbidden()) {
                return false;
            }
            if (resourceConstraint.isLoginRequired()) {
                return authenticatedSubject != null;
            }
            if (authenticatedSubject == null) {
                return false;
            }
        }
        if (authenticatedSubject == null) {
            authenticatedSubject = SubjectUtils.getAnonymousSubject();
        }
        return this.authManager.isAccessAllowed(authenticatedSubject, new URLResource(this.context.getApplicationId(), this.context.getContextPath(), getRelativeURI(httpServletRequest), httpServletRequest.getMethod(), (String) null), getContextHandler(httpServletRequest, httpServletResponse));
    }

    /**
     * Checks whether the subject holds a role, after resolving any servlet-level role link.
     *
     * <p>Roles are fetched for a URL resource covering the whole web application, not for the
     * requested URL. A {@code null} subject is replaced by the anonymous subject.
     *
     * @param str role name as referenced by the servlet; replaced by its role link if one exists
     * @return {@code false} if the role manager returns no role map, otherwise the result of
     *     {@code SecurityServiceManager.isUserInRole}
     */
    @Override // weblogic.servlet.security.internal.WebAppSecurity
    public boolean isSubjectInRole(AuthenticatedSubject authenticatedSubject, String str, WebAppContextHandler webAppContextHandler, ServletStubImpl servletStubImpl) {
        String roleLink = servletStubImpl.getSecurityHelper().getRoleLink(str);
        if (roleLink != null) {
            str = roleLink;
        }
        URLResource uRLResource = new URLResource(this.context.getApplicationId(), this.context.getContextPath(), getEnforceStrictURLPattern() ? "/" : "/*", (String) null, (String) null);
        if (authenticatedSubject == null) {
            authenticatedSubject = SubjectUtils.getAnonymousSubject();
        }
        Map roles = this.roleManager.getRoles(authenticatedSubject, uRLResource, webAppContextHandler);
        if (roles == null) {
            return false;
        }
        return SecurityServiceManager.isUserInRole(authenticatedSubject, str, roles);
    }

    /** No-op in this implementation. */
    @Override // weblogic.servlet.security.internal.WebAppSecurity
    public void registerRoleRefs(ServletStubImpl servletStubImpl) {
    }

    /**
     * Closes the policy deployment and then the role deployment opened in the constructor.
     * If closing the policy deployment throws, the role deployment is not closed.
     *
     * @throws DeploymentException wrapping the underlying creation exception
     */
    @Override // weblogic.servlet.security.internal.WebAppSecurity
    public void start() throws DeploymentException {
        try {
            this.authManager.endDeployPolicies(this.authMgrHandle);
            try {
                this.roleManager.endDeployRoles(this.roleMgrHandle);
            } catch (RoleCreationException e) {
                throw new DeploymentException(e);
            }
        } catch (ResourceCreationException e2) {
            throw new DeploymentException(e2);
        }
    }

    /** No-op in this implementation. */
    @Override // weblogic.servlet.security.internal.WebAppSecurity
    public void initContextHandler(ServletRequestImpl servletRequestImpl) {
    }

    /** No-op in this implementation. */
    @Override // weblogic.servlet.security.internal.WebAppSecurity
    public void resetContextHandler() {
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Enforces the constraint's transport guarantee.
     *
     * <p>Returns {@code true} when there is no constraint, the guarantee is {@code 0}, or the
     * request is already secure. Otherwise the response is committed here: a redirect to the
     * URL returned by {@code getSecuredURL}, or a 403 when that returns {@code null}.
     *
     * <p>The redirect target is whatever {@code getSecuredURL} (defined outside this class)
     * returns; review that helper when assessing how the redirect host is chosen.
     *
     * @return {@code true} if processing may continue, {@code false} if a redirect or error
     *     was sent
     * @throws IOException if sending the redirect or error fails
     */
    @Override // weblogic.servlet.security.internal.WebAppSecurity
    public final boolean checkTransport(ResourceConstraint resourceConstraint, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
        if (resourceConstraint == null || resourceConstraint.getTransportGuarantee() == 0 || httpServletRequest.isSecure()) {
            return true;
        }
        String securedURL = getSecuredURL(httpServletRequest, httpServletResponse, httpServletRequest.getRequestURI());
        if (securedURL != null) {
            httpServletResponse.sendRedirect(httpServletResponse.encodeURL(securedURL));
            return false;
        }
        httpServletResponse.sendError(403);
        return false;
    }

    /**
     * Reports whether the constraint matching the given URI and HTTP method has a non-zero
     * transport guarantee.
     *
     * @param str relative URI
     * @param str2 HTTP method, or {@code null}
     * @return {@code false} when no constraint matches or its guarantee is {@code 0}
     */
    @Override // weblogic.servlet.security.internal.WebAppSecurity
    public boolean isSSLRequired(String str, String str2) {
        ResourceConstraint constraint = getConstraint(str, str2);
        return (constraint == null || constraint.getTransportGuarantee() == 0) ? false : true;
    }

    /**
     * Records a role link on the servlet's security helper; {@link #isSubjectInRole} reads
     * it back through {@code getRoleLink}.
     */
    @Override // weblogic.servlet.security.internal.WebAppSecurity
    protected void deployRoleLink(ServletStubImpl servletStubImpl, String str, String str2) {
        servletStubImpl.getSecurityHelper().addRoleLink(str, str2);
    }
}
