package weblogic.servlet.security.internal;

import java.io.IOException;
import java.security.AccessController;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Locale;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import weblogic.application.SecurityRole;
import weblogic.j2ee.J2EEUtils;
import weblogic.j2ee.descriptor.LoginConfigBean;
import weblogic.j2ee.descriptor.SecurityConstraintBean;
import weblogic.j2ee.descriptor.SecurityRoleBean;
import weblogic.j2ee.descriptor.SecurityRoleRefBean;
import weblogic.j2ee.descriptor.wl.RunAsRoleAssignmentBean;
import weblogic.j2ee.descriptor.wl.SecurityRoleAssignmentBean;
import weblogic.j2ee.descriptor.wl.ServletDescriptorBean;
import weblogic.logging.Loggable;
import weblogic.management.DeploymentException;
import weblogic.protocol.ServerChannel;
import weblogic.protocol.ServerChannelManager;
import weblogic.security.SubjectUtils;
import weblogic.security.acl.internal.AuthenticatedSubject;
import weblogic.security.service.ContextHandler;
import weblogic.security.service.PrincipalAuthenticator;
import weblogic.security.service.PrivilegedActions;
import weblogic.security.service.SecurityApplicationInfo;
import weblogic.security.service.SecurityApplicationInfoImpl;
import weblogic.security.service.SecurityService;
import weblogic.security.service.SecurityServiceManager;
import weblogic.security.spi.ApplicationInfo;
import weblogic.servlet.HTTPLogger;
import weblogic.servlet.internal.ProtocolHandlerHTTPS;
import weblogic.servlet.internal.RequestDispatcherImpl;
import weblogic.servlet.internal.ServletRequestImpl;
import weblogic.servlet.internal.ServletResponseImpl;
import weblogic.servlet.internal.ServletStubImpl;
import weblogic.servlet.internal.WebAppModule;
import weblogic.servlet.internal.WebAppServletContext;
import weblogic.servlet.internal.dd.LoginDescriptor;
import weblogic.utils.http.HttpParsing;
import weblogic.xml.crypto.utils.DOMUtils;

/* loaded from: input_file:weblogic/servlet/security/internal/WebAppSecurity.class */
/**
 * Base holder of a web application's security configuration: the roles
 * declared in web.xml, the role-to-principal and run-as mappings from
 * weblogic.xml, the login-config (auth method, form login/error pages), and
 * the servlet authentication filters obtained from the realm.
 *
 * <p>Policy deployment, constraint lookup and permission checks are left to
 * subclasses via the abstract methods below.
 *
 * <p>The mapping fields are filled in during deployment
 * ({@link #registerSecurityRoles}, {@link #setLoginConfig},
 * {@link #setAuthFilter}) without any synchronization; presumably deployment
 * is single-threaded before the context serves requests — confirm against
 * the callers.
 */
public abstract class WebAppSecurity {
    // transport-guarantee values from the servlet descriptor
    protected static final String NONE = "NONE";
    protected static final String INTEGRAL = "INTEGRAL";
    protected static final String CONFIDENTIAL = "CONFIDENTIAL";
    // Kernel identity used to look up realm services; obtained in a privileged block so
    // that the lookup does not depend on the caller's (possibly unprivileged) subject.
    private static final AuthenticatedSubject KERNEL_ID = (AuthenticatedSubject) AccessController.doPrivileged(PrivilegedActions.getKernelIdentityAction());
    protected final WebAppServletContext context;
    // servlet authentication filters supplied by the realm's PrincipalAuthenticator; may be null
    private final Filter[] authFilters;
    private final boolean authFiltersPresent;
    protected SecurityApplicationInfo secureAppInfo;
    // name of the servlet that acts as the auth filter, and a dispatcher to it (set via setAuthFilter)
    private String authFilter;
    private RequestDispatcherImpl authFilterRD;
    private String realmName;
    // role-mapping behaviour from SecurityServiceManager; interpreted by the is*SecMode() accessors
    private int roleMappingMode;
    private ExternalRoleChecker externalRoleChecker;
    // role names declared in web.xml <security-role>
    protected final HashSet roles = new HashSet();
    // role name -> String[] principal names; an externally-defined role is stored as {null}
    protected final HashMap roleMapping = new HashMap();
    // run-as role name -> run-as principal name
    protected final HashMap runAsMapping = new HashMap();
    private String loginPage = null;
    private String errorPage = null;
    private String authMethod = null;
    private boolean formAuth = false;

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Resolves the realm's authentication service, fetches the servlet
     * authentication filters, builds the application info and determines the
     * role-mapping behaviour for this web application.
     *
     * @param webAppServletContext the owning servlet context
     * @throws DeploymentException if fetching the authentication filters throws ServletException
     */
    public WebAppSecurity(WebAppServletContext webAppServletContext) throws DeploymentException {
        this.context = webAppServletContext;
        try {
            this.authFilters = ((PrincipalAuthenticator) SecurityServiceManager.getSecurityService(KERNEL_ID, this.context.getSecurityRealmName(), SecurityService.ServiceType.AUTHENTICATION)).getServletAuthenticationFilters(webAppServletContext);
            this.authFiltersPresent = this.authFilters != null && this.authFilters.length > 0;
            // getApplicationContext() is null-checked here but dereferenced unconditionally
            // two lines below; presumably it is never null at this point — confirm.
            this.secureAppInfo = new SecurityApplicationInfoImpl(this.context.getApplicationContext() != null ? this.context.getApplicationContext().getAppDeploymentMBean() : null, ApplicationInfo.ComponentType.WEBAPP, webAppServletContext.getContextPath());
            this.realmName = this.context.getApplicationContext().getApplicationSecurityRealmName();
            this.roleMappingMode = SecurityServiceManager.getRoleMappingBehavior(this.realmName, this.secureAppInfo);
            this.externalRoleChecker = new ExternalRoleCheckerManager(this.context);
        } catch (ServletException e) {
            // only ServletException is translated; any runtime exception escapes untouched
            throw new DeploymentException(e);
        }
    }

    /** Releases the servlet authentication filters obtained in the constructor. */
    public void unregister() {
        ((PrincipalAuthenticator) SecurityServiceManager.getSecurityService(KERNEL_ID, this.context.getSecurityRealmName(), SecurityService.ServiceType.AUTHENTICATION)).destroyServletAuthenticationFilters(this.authFilters);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public abstract boolean isFullSecurityDelegationRequired();

    protected abstract boolean isJaccEnabled();

    /** Deploys the roles collected in {@link #roles} to the subclass's policy store. */
    protected abstract void deployRoles() throws DeploymentException;

    /** Deploys the given security constraints to the subclass's policy store. */
    protected abstract void deployPolicies(SecurityConstraintBean[] securityConstraintBeanArr) throws DeploymentException;

    /** Deploys a servlet-scoped security-role-ref (role name to role link). */
    protected abstract void deployRoleLink(ServletStubImpl servletStubImpl, String str, String str2) throws DeploymentException;

    /** Returns the constraint that applies to the request, per the subclass's policy store. */
    public abstract ResourceConstraint getConstraint(HttpServletRequest httpServletRequest);

    /** Decides whether the subject may access the resource described by the constraint. */
    public abstract boolean hasPermission(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticatedSubject authenticatedSubject, ResourceConstraint resourceConstraint);

    public abstract boolean isSubjectInRole(AuthenticatedSubject authenticatedSubject, String str, WebAppContextHandler webAppContextHandler, ServletStubImpl servletStubImpl);

    public abstract void registerRoleRefs(ServletStubImpl servletStubImpl) throws DeploymentException;

    public abstract void start() throws DeploymentException;

    /* JADX INFO: Access modifiers changed from: package-private */
    /** Enforces the constraint's transport guarantee on the request (e.g. redirecting to HTTPS). */
    public abstract boolean checkTransport(ResourceConstraint resourceConstraint, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException;

    public abstract boolean isSSLRequired(String str, String str2);

    public abstract void initContextHandler(ServletRequestImpl servletRequestImpl);

    public abstract void resetContextHandler();

    /* JADX INFO: Access modifiers changed from: package-private */
    /** @return the context's log prefix */
    public final String getContextLog() {
        return this.context.getLogContext();
    }

    /** @return the context name, or {@code "Default WebApplication"} when the context has none */
    final String getContextName() {
        return this.context.getName() == null ? "Default WebApplication" : this.context.getName();
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /** @return true when the realm supplied at least one servlet authentication filter */
    public boolean hasAuthFilters() {
        return this.authFiltersPresent;
    }

    /**
     * Builds a fresh chain over the realm's authentication filters.
     * A new chain is created per call; callers should not cache it across requests.
     */
    public FilterChain getAuthFilterChain() {
        return new AuthFilterChain(this.authFilters, this.context);
    }

    /**
     * Deploys the security constraints and then the declared roles.
     * Policies are deployed before roles; keep this order, subclasses may rely on it.
     */
    public final void registerSecurityConstraints(SecurityConstraintBean[] securityConstraintBeanArr) throws DeploymentException {
        deployPolicies(securityConstraintBeanArr);
        deployRoles();
    }

    /**
     * Records the roles declared in web.xml and applies the weblogic.xml
     * security-role-assignment and run-as-role-assignment elements.
     *
     * <p>A run-as assignment that names a role which is neither declared in
     * web.xml nor recognised by the external role checker fails the
     * deployment (after logging). The run-as principal name itself is stored
     * as given; no check that it exists in the realm happens here.
     *
     * @param webAppModule the module; null (or a module without a web-app bean) is a no-op
     * @throws DeploymentException on an undefined role in a run-as or role assignment
     */
    public final void registerSecurityRoles(WebAppModule webAppModule) throws DeploymentException {
        if (webAppModule == null || webAppModule.getWebAppBean() == null) {
            return;
        }
        SecurityRoleBean[] securityRoles = webAppModule.getWebAppBean().getSecurityRoles();
        if (securityRoles != null) {
            for (SecurityRoleBean securityRoleBean : securityRoles) {
                this.roles.add(securityRoleBean.getRoleName());
            }
        }
        if (webAppModule.getWlWebAppBean() != null) {
            // role assignments are validated against this.roles, so roles must be collected first
            setRoleMapping(webAppModule.getWlWebAppBean().getSecurityRoleAssignments());
            RunAsRoleAssignmentBean[] runAsRoleAssignments = webAppModule.getWlWebAppBean().getRunAsRoleAssignments();
            if (runAsRoleAssignments != null) {
                for (RunAsRoleAssignmentBean runAsRoleAssignmentBean : runAsRoleAssignments) {
                    if (this.roles.contains(runAsRoleAssignmentBean.getRoleName())) {
                        this.runAsMapping.put(runAsRoleAssignmentBean.getRoleName(), runAsRoleAssignmentBean.getRunAsPrincipalName());
                    } else if (!this.externalRoleChecker.isExternalRole(runAsRoleAssignmentBean.getRoleName())) {
                        Loggable logUndefinedSecurityRoleLoggable = HTTPLogger.logUndefinedSecurityRoleLoggable(runAsRoleAssignmentBean.getRoleName(), "run-as-role-assignment");
                        logUndefinedSecurityRoleLoggable.log();
                        throw new DeploymentException(logUndefinedSecurityRoleLoggable.getMessage());
                    }
                    // an external role with a run-as assignment is accepted but gets no runAsMapping entry
                }
            }
        }
    }

    /**
     * Fills {@link #roleMapping} from the weblogic.xml security-role-assignment elements.
     *
     * <p>Per assignment: an undeclared role that the external role checker does
     * not know fails deployment; an externally-defined role is stored as the
     * {@code {null}} sentinel recognised by {@link #isExternallyDefined}; otherwise
     * the principal names are stored only when at least one is present, so an
     * assignment with an empty principal list leaves no mapping entry at all.
     *
     * @param securityRoleAssignmentBeanArr the assignments; null is a no-op
     * @throws DeploymentException on a role that is neither declared nor external
     */
    private final void setRoleMapping(SecurityRoleAssignmentBean[] securityRoleAssignmentBeanArr) throws DeploymentException {
        if (securityRoleAssignmentBeanArr == null) {
            return;
        }
        for (int i = 0; i < securityRoleAssignmentBeanArr.length; i++) {
            String roleName = securityRoleAssignmentBeanArr[i].getRoleName();
            if (!this.roles.contains(roleName)) {
                if (!this.externalRoleChecker.isExternalRole(roleName)) {
                    Loggable logBadSecurityRoleInSRALoggable = HTTPLogger.logBadSecurityRoleInSRALoggable(roleName);
                    logBadSecurityRoleInSRALoggable.log();
                    throw new DeploymentException(logBadSecurityRoleInSRALoggable.getMessage());
                }
            } else if (securityRoleAssignmentBeanArr[i].getExternallyDefined() != null) {
                // sentinel: single null element marks the role as externally defined
                this.roleMapping.put(roleName, new String[]{null});
            } else if (securityRoleAssignmentBeanArr[i].getPrincipalNames() != null && securityRoleAssignmentBeanArr[i].getPrincipalNames().length > 0) {
                this.roleMapping.put(roleName, securityRoleAssignmentBeanArr[i].getPrincipalNames());
            }
        }
    }

    /**
     * @param str a run-as role name
     * @return the run-as principal assigned to the role in weblogic.xml, or null if none
     */
    public final String getRunAsIdentity(String str) {
        return (String) this.runAsMapping.get(str);
    }

    /**
     * Returns the first principal mapped to the role, or null when the role
     * has no mapping, an empty mapping, or is externally defined (whose
     * sentinel entry is {@code {null}}).
     *
     * @param str a role name
     */
    public final String getFirstPrincipal(String str) {
        String[] strArr = (String[]) this.roleMapping.get(str);
        if (strArr == null || strArr.length < 1) {
            return null;
        }
        return strArr[0];
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Applies the login-config: form login/error pages are normalised to start
     * with a slash, the auth method is canonicalised via {@link #initAuthMethod},
     * and {@link #isFormAuth} becomes true when the canonical method contains
     * {@code "FORM"} (so a combined method that mentions FORM also counts).
     *
     * @param loginConfigBean the descriptor's login-config; must not be null
     */
    public final void setLoginConfig(LoginConfigBean loginConfigBean) {
        if (loginConfigBean.getFormLoginConfig() != null) {
            if (loginConfigBean.getFormLoginConfig().getFormLoginPage() != null) {
                this.loginPage = HttpParsing.ensureStartingSlash(loginConfigBean.getFormLoginConfig().getFormLoginPage());
            }
            if (loginConfigBean.getFormLoginConfig().getFormErrorPage() != null) {
                this.errorPage = HttpParsing.ensureStartingSlash(loginConfigBean.getFormLoginConfig().getFormErrorPage());
            }
        }
        this.authMethod = initAuthMethod(loginConfigBean.getAuthMethod());
        this.formAuth = this.authMethod.toUpperCase(Locale.ENGLISH).contains("FORM");
    }

    /**
     * Canonicalises the descriptor's auth-method: null or BASIC → "BASIC",
     * FORM → "FORM", CLIENT-CERT → {@link HttpServletRequest#CLIENT_CERT_AUTH},
     * DIGEST → "DIGEST". Any other value that mentions CLIENT-CERT is
     * upper-cased with that token replaced via {@code replaceAll} (a regex
     * replace; assumes the constant contains no regex metacharacters); all
     * other values are returned unchanged, case preserved.
     *
     * @param str the raw auth-method, possibly null
     * @return the canonical auth-method, never null
     */
    private String initAuthMethod(String str) {
        return (str == null || str.equalsIgnoreCase("BASIC")) ? "BASIC" : str.equalsIgnoreCase("FORM") ? "FORM" : str.equalsIgnoreCase(LoginDescriptor.AM_CLIENT_CERT) ? HttpServletRequest.CLIENT_CERT_AUTH : str.equalsIgnoreCase("DIGEST") ? "DIGEST" : str.toUpperCase(Locale.ENGLISH).contains(LoginDescriptor.AM_CLIENT_CERT) ? str.toUpperCase(Locale.ENGLISH).replaceAll(LoginDescriptor.AM_CLIENT_CERT, HttpServletRequest.CLIENT_CERT_AUTH) : str;
    }

    /** @return the form login page (leading slash ensured), or null if not configured */
    public final String getLoginPage() {
        return this.loginPage;
    }

    /** @return the form error page (leading slash ensured), or null if not configured */
    public final String getErrorPage() {
        return this.errorPage;
    }

    /** @return the canonical auth-method, or null before {@link #setLoginConfig} ran */
    public final String getAuthMethod() {
        return this.authMethod;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public final WebAppServletContext getContext() {
        return this.context;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /** @return the dispatcher to the auth-filter servlet, or null before {@link #setAuthFilter} ran */
    public final RequestDispatcherImpl getAuthFilterRD() {
        return this.authFilterRD;
    }

    /** @return the auth-filter servlet name, or null if none was set */
    public final String getAuthFilter() {
        return this.authFilter;
    }

    /** @return true when the canonical auth-method contains "FORM" */
    public final boolean isFormAuth() {
        return this.formAuth;
    }

    /**
     * Names the servlet used as the authentication filter and builds a
     * dispatcher to it with the web application's filters disabled, so the
     * auth-filter servlet is invoked directly rather than through the filter chain.
     *
     * @param str the servlet name (used both as name and class name for the stub)
     */
    public final void setAuthFilter(String str) {
        this.authFilter = str;
        this.authFilterRD = new RequestDispatcherImpl(new ServletStubImpl(str, str, this.context, null), this.context, -1);
        this.authFilterRD.disableFilters();
    }

    /**
     * Deploys each security-role-ref of a servlet via {@link #deployRoleLink}.
     * Refs missing either the role name or the role link are skipped silently.
     *
     * @param servletStubImpl the servlet the refs belong to
     * @param securityRoleRefBeanArr the refs; null is a no-op
     * @throws DeploymentException propagated from {@link #deployRoleLink}
     */
    public final void registerSecurityRoleRef(ServletStubImpl servletStubImpl, SecurityRoleRefBean[] securityRoleRefBeanArr) throws DeploymentException {
        if (securityRoleRefBeanArr == null) {
            return;
        }
        for (SecurityRoleRefBean securityRoleRefBean : securityRoleRefBeanArr) {
            String roleName = securityRoleRefBean.getRoleName();
            String roleLink = securityRoleRefBean.getRoleLink();
            if (roleName != null && roleLink != null) {
                deployRoleLink(servletStubImpl, roleName, roleLink);
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Builds the absolute {@code https://} URL that the request should be sent
     * to in order to satisfy a transport guarantee.
     *
     * <p>The host is {@code httpServletRequest.getServerName()}, i.e. whatever the
     * container derived from the incoming request (typically the Host header);
     * the port is the server's configured front-end HTTPS port, or, when that is
     * 0, the public port of the local HTTPS channel. Port 443 is omitted from the
     * URL. The path is run through the original response's proxy-path handling.
     *
     * <p>Only query strings longer than one character are carried over; a
     * single-character query string is dropped — presumably intentional, confirm.
     *
     * @param httpServletRequest the request being redirected
     * @param httpServletResponse the response, used to resolve proxy path headers
     * @param str the path to secure
     * @return the https URL, or null when no front-end HTTPS port is configured and
     *         no local HTTPS channel exists
     */
    public final String getSecuredURL(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String str) {
        String serverName = httpServletRequest.getServerName();
        int frontendHTTPSPort = this.context.getServer().getFrontendHTTPSPort();
        if (frontendHTTPSPort == 0) {
            ServerChannel findLocalServerChannel = ServerChannelManager.findLocalServerChannel(ProtocolHandlerHTTPS.PROTOCOL_HTTPS);
            if (findLocalServerChannel == null) {
                return null;
            }
            frontendHTTPSPort = findLocalServerChannel.getPublicPort();
        }
        String processProxyPathHeaders = ServletResponseImpl.getOriginalResponse(httpServletResponse).processProxyPathHeaders(str);
        String queryString = httpServletRequest.getQueryString();
        StringBuffer stringBuffer = new StringBuffer();
        if (frontendHTTPSPort == 443) {
            stringBuffer.append("https://").append(serverName).append(processProxyPathHeaders);
            if (queryString != null && queryString.length() > 1) {
                stringBuffer.append("?").append(queryString);
            }
        } else {
            // DOMUtils.QNAME_SEPARATOR stands in for the host:port separator here (decompiled constant)
            stringBuffer.append("https://").append(serverName).append(DOMUtils.QNAME_SEPARATOR);
            stringBuffer.append(frontendHTTPSPort).append(processProxyPathHeaders);
            if (queryString != null && queryString.length() > 1) {
                stringBuffer.append("?").append(queryString);
            }
        }
        return stringBuffer.toString();
    }

    /**
     * Returns the request URI relative to the web application's context path.
     *
     * <p>Resolution order: the {@code WEBFLOW_RESOURCE} request attribute if set;
     * the internal request's own relative URI when the request is a
     * {@link ServletRequestImpl}; otherwise the resolved URI with the resolved
     * context path stripped (only when the URI actually starts with it).
     *
     * @param httpServletRequest the request
     */
    public static final String getRelativeURI(HttpServletRequest httpServletRequest) {
        String str = (String) httpServletRequest.getAttribute(WebAppServletContext.WEBFLOW_RESOURCE);
        if (str != null) {
            return str;
        }
        if (httpServletRequest instanceof ServletRequestImpl) {
            return ((ServletRequestImpl) httpServletRequest).getRelativeUri();
        }
        String resolvedURI = ServletRequestImpl.getResolvedURI(httpServletRequest);
        String resolvedContextPath = ServletRequestImpl.getResolvedContextPath(httpServletRequest);
        return (resolvedContextPath == null || resolvedContextPath.length() <= 0 || !resolvedURI.startsWith(resolvedContextPath)) ? resolvedURI : resolvedURI.substring(resolvedContextPath.length());
    }

    /**
     * Returns the security context handler for the request: the internal
     * request's own handler when available, otherwise a new
     * {@link WebAppContextHandler} wrapping request and response.
     */
    public static final ContextHandler getContextHandler(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        return httpServletRequest instanceof ServletRequestImpl ? ((ServletRequestImpl) httpServletRequest).getSecurityContextHandler() : new WebAppContextHandler(httpServletRequest, httpServletResponse);
    }

    /**
     * Normalises a descriptor url-pattern: the default pattern becomes "/",
     * extension patterns ("*.ext") are left alone, and every other pattern gets
     * a leading slash.
     *
     * @param str the pattern; must not be null (a null pattern throws NullPointerException)
     */
    public static String fixupURLPattern(String str) {
        return isDefaultUrlPattern(str) ? "/" : !str.startsWith("*.") ? HttpParsing.ensureStartingSlash(str) : str;
    }

    /**
     * True for the default pattern: only "/" when strict URL-pattern enforcement
     * is on, "/" or "*" otherwise. Patterns longer than two characters are never default.
     */
    private static boolean isDefaultUrlPattern(String str) {
        if (str.length() > 2) {
            return false;
        }
        return getEnforceStrictURLPattern() ? str.equals("/") : str.equals("*") || str.equals("/");
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Recognises the externally-defined sentinel stored by {@link #setRoleMapping}:
     * a one-element array whose element is null or empty.
     *
     * @param strArr a role's principal-name mapping, possibly null
     */
    public boolean isExternallyDefined(String[] strArr) {
        return strArr != null && strArr.length == 1 && (strArr[0] == null || strArr[0].length() == 0);
    }

    /** @return true when the role-mapping behaviour reported by the security service is 0 */
    public boolean isCompatibilitySecMode() {
        return this.roleMappingMode == 0;
    }

    /** @return true when the role-mapping behaviour reported by the security service is 1 */
    public boolean isApplicationSecMode() {
        return this.roleMappingMode == 1;
    }

    /** @return true when the role-mapping behaviour reported by the security service is 2 */
    public boolean isExternallyDefinedSecMode() {
        return this.roleMappingMode == 2;
    }

    /**
     * Resolves the principal a servlet runs as for the given run-as role.
     *
     * <p>Resolution order: the servlet descriptor's explicit run-as principal;
     * the weblogic.xml run-as-role-assignment; the first principal of the
     * role's security-role-assignment (logged as an implicit mapping); outside
     * compatibility mode, the first principal of the application-level security
     * role when it is not externally defined; in application mode a
     * DeploymentException when nothing matched; and finally the role name itself
     * used as the principal name (logged as an implicit mapping to self).
     *
     * @param servletDescriptorBean the servlet's weblogic.xml descriptor, possibly null
     * @param str the run-as role name
     * @return the resolved principal name, never null
     * @throws DeploymentException in application security mode when the role cannot be resolved
     */
    public String getRunAsPrincipalName(ServletDescriptorBean servletDescriptorBean, String str) throws DeploymentException {
        String runAsPrincipalName;
        if (servletDescriptorBean != null && (runAsPrincipalName = servletDescriptorBean.getRunAsPrincipalName()) != null) {
            return runAsPrincipalName;
        }
        String runAsIdentity = getRunAsIdentity(str);
        if (runAsIdentity != null) {
            return runAsIdentity;
        }
        String firstPrincipal = getFirstPrincipal(str);
        if (firstPrincipal != null) {
            HTTPLogger.logImplicitMappingForRunAsRole(this.context.getLogContext(), "run-as", str, J2EEUtils.WEB_DD_NAME, firstPrincipal);
            return firstPrincipal;
        }
        if (!isCompatibilitySecMode()) {
            SecurityRole securityRole = this.context.getApplicationContext().getSecurityRole(str);
            if (securityRole != null) {
                String[] principalNames = securityRole.getPrincipalNames();
                if (!securityRole.isExternallyDefined() && principalNames != null && principalNames.length > 0) {
                    return principalNames[0];
                }
            }
            if (isApplicationSecMode()) {
                throw new DeploymentException("Cannot resolve role-Name " + str);
            }
        }
        // last resort: the role name doubles as the principal name
        HTTPLogger.logImplicitMappingForRunAsRoleToSelf(this.context.getLogContext(), "run-as", str, J2EEUtils.WEB_DD_NAME);
        return str;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * @param authenticatedSubject the caller's subject, possibly null
     * @return false for a null subject; otherwise whether the subject is in the
     *         "Admin" or "AppTester" role per {@code SubjectUtils.isUserInAdminRoles}
     */
    public boolean checkAdminMode(AuthenticatedSubject authenticatedSubject) {
        if (authenticatedSubject == null) {
            return false;
        }
        return SubjectUtils.isUserInAdminRoles(authenticatedSubject, new String[]{"Admin", "AppTester"});
    }

    /** Delegates to the security service; controls whether "*" counts as the default url-pattern. */
    public static final boolean getEnforceStrictURLPattern() {
        return SecurityServiceManager.getEnforceStrictURLPattern();
    }

    /** Delegates to the security service's setting for validating BASIC auth credentials. */
    public static final boolean getEnforceValidBasicAuthCredentials() {
        return SecurityServiceManager.getEnforceValidBasicAuthCredentials();
    }
}
