package weblogic.servlet.security.internal;

import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.security.AccessController;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.Map;
import javax.security.auth.login.LoginException;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import weblogic.diagnostics.debug.DebugLogger;
import weblogic.security.SubjectUtils;
import weblogic.security.acl.internal.AuthenticatedSubject;
import weblogic.security.service.PrincipalAuthenticator;
import weblogic.security.service.PrivilegedActions;
import weblogic.security.service.SecurityService;
import weblogic.security.service.SecurityServiceManager;
import weblogic.servlet.HTTPLogger;
import weblogic.servlet.internal.ServletRequestImpl;
import weblogic.servlet.internal.VirtualConnection;
import weblogic.servlet.internal.WebAppServletContext;
import weblogic.servlet.internal.session.SessionInternal;
import weblogic.utils.encoders.BASE64Decoder;
import weblogic.utils.http.HttpConstants;

/* loaded from: input_file:weblogic/servlet/security/internal/CertSecurityModule.class */
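/**
 * Security module that establishes the caller's identity by <em>identity assertion</em>
 * rather than by a login form or HTTP Basic challenge.
 *
 * <p>The token handed to the realm's {@link PrincipalAuthenticator} is located by
 * {@link #findToken}, which tries, in order: the client X.509 certificate chain exposed as
 * the {@code javax.servlet.request.X509Certificate} request attribute, certificates
 * recorded on the {@link VirtualConnection} by perimeter authentication, request headers,
 * and finally cookies. Only token types that appear in the authenticator's
 * assertions-encoding map are considered.
 *
 * <p>Thread-safety: the only instance state is two {@code final} fields set in the
 * constructor; the module itself holds no per-request state.
 */
public final class CertSecurityModule extends SecurityModule {
    /** Perimeter-auth cert type names that are never used as assertion tokens. */
    private static final String CERT_RESERVED_IP = "IP";
    private static final String CERT_RESERVED_KEYSIZE = "Keysize";
    private static final String CERT_RESERVED_SECRETKEYSIZE = "SecretKeysize";
    /**
     * When set (system property {@code weblogic.http.security.cert.protectResourceIfUnspecifiedConstraint}),
     * a request with no matching resource constraint is only allowed when full security
     * delegation is not required, and an authenticated subject is mandatory for the
     * permission check.
     */
    private static final boolean protectResourceIfUnspecifiedConstraint = Boolean.getBoolean("weblogic.http.security.cert.protectResourceIfUnspecifiedConstraint");
    protected static final DebugLogger DEBUG_IA = DebugLogger.getDebugLogger("DebugWebAppIdentityAssertion");
    /** Kernel identity used to look up the realm's authentication service. */
    private static final AuthenticatedSubject KERNEL_ID = (AuthenticatedSubject) AccessController.doPrivileged(PrivilegedActions.getKernelIdentityAction());
    /**
     * Length of the {@code HttpConstants.WL_PROXY_CLIENT_} cookie-name prefix that is
     * stripped to obtain the token type. NOTE(review): hard-coded as 16 in the original;
     * presumably equals {@code WL_PROXY_CLIENT_.length()} — confirm against HttpConstants.
     */
    private static final int WL_PROXY_CLIENT_PREFIX_LEN = 16;
    private final PrincipalAuthenticator pa;
    /** When true, identity assertion is attempted even if the request already carries a non-anonymous subject. */
    private final boolean alwaysAssert;

    /**
     * An assertion token: the token type (a key of the authenticator's
     * assertions-encoding map) and its value (an {@code X509Certificate[]} for
     * {@code "X.509"}, otherwise a {@code byte[]}).
     */
    public static class Token {
        public final String type;
        public final Object value;

        Token(String str, Object obj) {
            this.type = str;
            this.value = obj;
        }
    }

    /**
     * Creates the module for one web application.
     *
     * @param webAppServletContext the web app; its realm name selects the authentication service
     * @param webAppSecurity       the web app's security configuration
     * @param z                    passed through to {@link SecurityModule}; meaning defined there
     * @param z2                   value of {@link #alwaysAssert}
     */
    public CertSecurityModule(WebAppServletContext webAppServletContext, WebAppSecurity webAppSecurity, boolean z, boolean z2) {
        super(webAppServletContext, webAppSecurity, z);
        this.alwaysAssert = z2;
        this.pa = (PrincipalAuthenticator) SecurityServiceManager.getSecurityService(KERNEL_ID, webAppServletContext.getSecurityRealmName(), SecurityService.ServiceType.AUTHENTICATION);
    }

    /**
     * Checks whether the request may access the constrained resource, asserting the
     * caller's identity from request tokens first when the request is anonymous (or
     * always, if {@link #alwaysAssert} is set).
     *
     * <p>On success the asserted subject (if any) is logged in to the session. On failure
     * the response is already committed: 403 when the constraint is forbidden or the
     * subject is authenticated and re-login is disabled, otherwise the auth filter chain
     * (when {@code z} is set and filters exist) or a 401.
     *
     * @param httpServletRequest   the request
     * @param httpServletResponse  the response
     * @param sessionInternal      the session (may be updated by {@code login})
     * @param resourceConstraint   the matched constraint, or {@code null} if none matched
     * @param authenticatedSubject the subject already on the request, or {@code null}
     * @param z                    when true and the web app has auth filters, a failed
     *                             permission check invokes the filter chain instead of sending 401
     * @return {@code true} if access is granted; {@code false} if a response was sent
     * @throws IOException      from the response-sending helpers
     * @throws ServletException from the response-sending helpers
     */
    @Override // weblogic.servlet.security.internal.SecurityModule
    public boolean checkUserPerm(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, SessionInternal sessionInternal, ResourceConstraint resourceConstraint, AuthenticatedSubject authenticatedSubject, boolean z) throws IOException, ServletException {
        ServletRequestImpl originalRequest = ServletRequestImpl.getOriginalRequest(httpServletRequest);
        boolean identityAsserted = false;
        if (this.alwaysAssert || authenticatedSubject == null || SubjectUtils.isUserAnonymous(authenticatedSubject)) {
            AuthenticatedSubject asserted = assertIdentity(httpServletRequest, httpServletResponse, originalRequest.getConnection(), getServletContext());
            // Reference compare: the same subject instance means there is nothing new to log in.
            if (asserted != null && authenticatedSubject != asserted) {
                authenticatedSubject = asserted;
                identityAsserted = true;
            }
        }

        boolean hasPermission;
        if (protectResourceIfUnspecifiedConstraint) {
            hasPermission = (resourceConstraint == null && !this.webAppSecurity.isFullSecurityDelegationRequired())
                    || (authenticatedSubject != null && this.webAppSecurity.hasPermission(httpServletRequest, httpServletResponse, authenticatedSubject, resourceConstraint));
        } else {
            hasPermission = this.webAppSecurity.hasPermission(httpServletRequest, httpServletResponse, authenticatedSubject, resourceConstraint);
        }

        if (hasPermission) {
            // The auth cookie check is enforced even after a successful permission check.
            if (!checkAuthCookie(getHttpServer(), httpServletRequest, sessionInternal)) {
                if (DEBUG_SEC.isDebugEnabled()) {
                    DEBUG_SEC.debug("AuthCookie not found - permission denied for " + httpServletRequest);
                }
                sendUnauthorizedResponse(httpServletRequest, httpServletResponse);
                return false;
            }
            if (identityAsserted) {
                login(httpServletRequest, authenticatedSubject, sessionInternal);
                if (DEBUG_SEC.isDebugEnabled()) {
                    DEBUG_SEC.debug(this.webAppSecurity.getContextLog() + ": user: " + getUsername(authenticatedSubject) + " has permissions to access " + httpServletRequest);
                }
            }
            return true;
        }

        if (DEBUG_IA.isDebugEnabled()) {
            DEBUG_IA.debug("Permission check failed for " + httpServletRequest.toString());
        }
        if (isForbidden(resourceConstraint) || !(authenticatedSubject == null || isReloginEnabled())) {
            sendForbiddenResponse(httpServletRequest, httpServletResponse);
            return false;
        }
        if (z && this.webAppSecurity.hasAuthFilters()) {
            invokeAuthFilterChain(httpServletRequest, httpServletResponse);
            return false;
        }
        sendUnauthorizedResponse(httpServletRequest, httpServletResponse);
        return false;
    }

    /**
     * Locates an assertion token on the request and asks the authenticator to assert it.
     *
     * @return the asserted subject, or {@code null} when no token was found or assertion
     *         failed (a {@link SecurityException} is logged via
     *         {@link HTTPLogger#logCertAuthenticationError}; a {@link LoginException} only
     *         at debug level)
     */
    protected AuthenticatedSubject assertIdentity(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, VirtualConnection virtualConnection, WebAppServletContext webAppServletContext) {
        try {
            if (DEBUG_IA.isDebugEnabled()) {
                DEBUG_IA.debug("Trying to find identity assertion tokens for " + httpServletRequest);
            }
            Token token = findToken(httpServletRequest, virtualConnection, webAppServletContext, this.pa);
            if (token == null) {
                if (DEBUG_IA.isDebugEnabled()) {
                    DEBUG_IA.debug("Didn't find any token!");
                }
                return null;
            }
            if (DEBUG_IA.isDebugEnabled()) {
                DEBUG_IA.debug("assertIdentity with tokem.type: " + token.type + " token.value: " + token.value);
            }
            return this.pa.assertIdentity(token.type, token.value, WebAppSecurity.getContextHandler(httpServletRequest, httpServletResponse));
        } catch (SecurityException e) {
            if (DEBUG_IA.isDebugEnabled()) {
                DEBUG_IA.debug("Indentity assertion failed", e);
            }
            HTTPLogger.logCertAuthenticationError(httpServletRequest.getRequestURI(), e);
            return null;
        } catch (LoginException e2) {
            if (DEBUG_SEC.isDebugEnabled()) {
                DEBUG_SEC.debug("Login failed for request: " + httpServletRequest.toString(), e2);
            }
            return null;
        }
    }

    /**
     * Finds the first assertion token on the request whose type is active for the
     * authenticator (a key of {@code principalAuthenticator.getAssertionsEncodingMap()}).
     *
     * <p>Search order:
     * <ol>
     *   <li>the {@code javax.servlet.request.X509Certificate} attribute, as type {@code "X.509"};</li>
     *   <li>perimeter-auth certificates on the connection, scanned from the last entry to the
     *       first, skipping the reserved types {@code IP}, {@code Keysize} and
     *       {@code SecretKeysize}; values are base64-decoded;</li>
     *   <li>request headers other than {@code Cookie}, base64-decoded when the authenticator
     *       says the type requires it;</li>
     *   <li>cookies: a {@code WL_PROXY_CLIENT_}-prefixed cookie is decoded with the prefix
     *       stripped as its type; any other cookie is used under its own name, decoded only
     *       when the authenticator requires it.</li>
     * </ol>
     * Note that the reserved-type filter is applied only on the perimeter-auth path.
     * A candidate that fails base64 decoding is skipped (never returned with a {@code null}
     * value) and the search continues.
     *
     * @return the token, or {@code null} when the map is empty or nothing matched
     */
    public static Token findToken(HttpServletRequest httpServletRequest, VirtualConnection virtualConnection, WebAppServletContext webAppServletContext, PrincipalAuthenticator principalAuthenticator) {
        Map assertionsEncodingMap = principalAuthenticator.getAssertionsEncodingMap();
        if (assertionsEncodingMap == null || assertionsEncodingMap.isEmpty()) {
            if (DEBUG_IA.isDebugEnabled()) {
                DEBUG_IA.debug("AssertionsEncodingMap for active token types was null!!");
            }
            return null;
        }
        if (DEBUG_IA.isDebugEnabled()) {
            DEBUG_IA.debug("AssertionsEncodingMap size: " + assertionsEncodingMap.size());
        }

        Token token = findCertificateToken(httpServletRequest, assertionsEncodingMap);
        if (token != null) {
            return token;
        }
        token = findPerimeterAuthToken(virtualConnection, assertionsEncodingMap);
        if (token != null) {
            return token;
        }
        token = findHeaderToken(httpServletRequest, webAppServletContext, assertionsEncodingMap, principalAuthenticator);
        if (token != null) {
            return token;
        }
        return findCookieToken(httpServletRequest, assertionsEncodingMap, principalAuthenticator);
    }

    /** Step 1: the container-provided client certificate chain, if {@code "X.509"} is active. */
    private static Token findCertificateToken(HttpServletRequest httpServletRequest, Map assertionsEncodingMap) {
        X509Certificate[] chain = (X509Certificate[]) httpServletRequest.getAttribute("javax.servlet.request.X509Certificate");
        if (chain != null && chain.length > 0 && assertionsEncodingMap.containsKey("X.509")) {
            return new Token("X.509", chain);
        }
        return null;
    }

    /** Step 2: perimeter-auth certificates recorded on the connection, last entry first. */
    private static Token findPerimeterAuthToken(VirtualConnection virtualConnection, Map assertionsEncodingMap) {
        ArrayList certTypes = virtualConnection.getPerimeterAuthClientCertType();
        int count = certTypes.size();
        if (count <= 0) {
            return null;
        }
        ArrayList certs = virtualConnection.getPerimeterAuthClientCert();
        for (int i = count - 1; i >= 0; i--) {
            String certType = (String) certTypes.get(i);
            if (!assertionsEncodingMap.containsKey(certType) || isForbiddenTokenType(certType)) {
                continue;
            }
            byte[] decoded = decodeCert(certType, (byte[]) certs.get(i));
            if (decoded != null) {
                return new Token(certType, decoded);
            }
        }
        return null;
    }

    /** Step 3: request headers (excluding {@code Cookie}) whose name is an active token type. */
    private static Token findHeaderToken(HttpServletRequest httpServletRequest, WebAppServletContext webAppServletContext, Map assertionsEncodingMap, PrincipalAuthenticator principalAuthenticator) {
        // A WebLogic request exposes raw header bytes; any other request is read as a String
        // and re-encoded with the request's input encoding.
        ServletRequestImpl wlsRequest = httpServletRequest instanceof ServletRequestImpl ? (ServletRequestImpl) httpServletRequest : null;
        Enumeration headerNames = httpServletRequest.getHeaderNames();
        while (headerNames.hasMoreElements()) {
            String headerName = (String) headerNames.nextElement();
            if (HttpConstants.COOKIE_HEADER.equalsIgnoreCase(headerName)) {
                continue; // cookies are handled by findCookieToken
            }
            Object encoding = assertionsEncodingMap.get(headerName);
            if (encoding == null) {
                continue;
            }
            byte[] raw = readHeaderBytes(httpServletRequest, wlsRequest, headerName, webAppServletContext);
            if (raw == null || raw.length < 1) {
                continue;
            }
            if (principalAuthenticator.doesTokenRequireBase64Decoding(encoding)) {
                raw = decodeCert(headerName, raw);
                if (raw == null) {
                    continue; // undecodable value; decodeCert has already logged it
                }
            }
            return new Token(headerName, raw);
        }
        return null;
    }

    /**
     * Reads one header as bytes: directly from the WebLogic request when available,
     * otherwise by encoding the String value with {@link #getInputEncoding}.
     *
     * @return the bytes, or {@code null} if the header is absent or the encoding is unsupported
     */
    private static byte[] readHeaderBytes(HttpServletRequest httpServletRequest, ServletRequestImpl wlsRequest, String headerName, WebAppServletContext webAppServletContext) {
        if (wlsRequest != null) {
            return wlsRequest.getRequestHeaders().getHeaderAsBytes(headerName);
        }
        String header = httpServletRequest.getHeader(headerName);
        if (header == null) {
            return null;
        }
        try {
            return header.getBytes(getInputEncoding(httpServletRequest, webAppServletContext));
        } catch (UnsupportedEncodingException e) {
            // Treated like a missing header; surfaced at debug level rather than silently dropped.
            if (DEBUG_IA.isDebugEnabled()) {
                DEBUG_IA.debug("Unsupported input encoding while reading header " + headerName, e);
            }
            return null;
        }
    }

    /** Step 4: cookies, either {@code WL_PROXY_CLIENT_}-prefixed or named after an active token type. */
    private static Token findCookieToken(HttpServletRequest httpServletRequest, Map assertionsEncodingMap, PrincipalAuthenticator principalAuthenticator) {
        Cookie[] cookies = httpServletRequest.getCookies();
        if (cookies == null) {
            return null;
        }
        for (Cookie cookie : cookies) {
            String name = cookie.getName();
            String value = cookie.getValue();
            if (value == null || value.length() < 1) {
                continue;
            }
            if (isProxyClientCookieName(name)) {
                String tokenType = name.substring(WL_PROXY_CLIENT_PREFIX_LEN);
                if (assertionsEncodingMap.containsKey(tokenType)) {
                    // Platform default charset, as in the original; proxy cookie values are always base64-decoded.
                    byte[] decoded = decodeCert(tokenType, value.getBytes());
                    if (decoded != null) {
                        return new Token(tokenType, decoded);
                    }
                }
                continue;
            }
            Object encoding = assertionsEncodingMap.get(name);
            if (encoding == null) {
                continue;
            }
            // Platform default charset, as in the original.
            byte[] raw = value.getBytes();
            if (!principalAuthenticator.doesTokenRequireBase64Decoding(encoding)) {
                return new Token(name, raw);
            }
            byte[] decoded = decodeCert(name, raw);
            if (decoded != null) {
                return new Token(name, decoded);
            }
        }
        return null;
    }

    /** True when the cookie name is longer than the {@code WL_PROXY_CLIENT_} prefix and starts with it (case-insensitive). */
    private static boolean isProxyClientCookieName(String name) {
        return name.length() > WL_PROXY_CLIENT_PREFIX_LEN
                && HttpConstants.WL_PROXY_CLIENT_.regionMatches(true, 0, name, 0, WL_PROXY_CLIENT_PREFIX_LEN);
    }

    /** The request's character encoding, falling back to the web app's configured default. */
    private static String getInputEncoding(HttpServletRequest httpServletRequest, WebAppServletContext webAppServletContext) {
        String characterEncoding = httpServletRequest.getCharacterEncoding();
        return characterEncoding != null ? characterEncoding : webAppServletContext.getConfigManager().getDefaultEncoding();
    }

    /**
     * Base64-decodes a token value.
     *
     * @param str  the token type, used only for the "ignoring client cert" log entry
     * @param bArr the encoded bytes
     * @return the decoded bytes, or {@code null} if decoding failed or produced nothing
     */
    private static byte[] decodeCert(String str, byte[] bArr) {
        try {
            byte[] decoded = new BASE64Decoder().decodeBuffer(new ByteArrayInputStream(bArr));
            if (decoded == null || decoded.length < 1) {
                return null;
            }
            return decoded;
        } catch (Exception e) {
            HTTPLogger.logIgnoringClientCert(str, e);
            return null;
        }
    }

    /** True for the reserved perimeter-auth cert types that must never be asserted. */
    private static boolean isForbiddenTokenType(String str) {
        return str.equalsIgnoreCase(CERT_RESERVED_IP)
                || str.equalsIgnoreCase(CERT_RESERVED_KEYSIZE)
                || str.equalsIgnoreCase(CERT_RESERVED_SECRETKEYSIZE);
    }
}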
