package com.sun.enterprise.security.web.integration;

import com.sun.enterprise.config.serverbeans.ApplicationRef;
import com.sun.enterprise.config.serverbeans.Server;
import com.sun.enterprise.deployment.WebBundleDescriptor;
import com.sun.enterprise.deployment.runtime.common.SecurityRoleMapping;
import com.sun.enterprise.deployment.runtime.common.wls.SecurityRoleAssignment;
import com.sun.enterprise.deployment.runtime.web.SunWebApp;
import com.sun.enterprise.deployment.web.LoginConfiguration;
import com.sun.enterprise.security.SecurityContext;
import com.sun.enterprise.security.SecurityRoleMapperFactoryGen;
import com.sun.enterprise.security.SecurityServicesUtil;
import com.sun.enterprise.security.WebSecurityDeployerProbeProvider;
import com.sun.enterprise.security.audit.AuditManager;
import com.sun.enterprise.security.authorize.PolicyContextHandlerImpl;
import com.sun.enterprise.security.ee.CachedPermission;
import com.sun.enterprise.security.ee.CachedPermissionImpl;
import com.sun.enterprise.security.ee.PermissionCache;
import com.sun.enterprise.security.ee.PermissionCacheFactory;
import com.sun.enterprise.security.ee.SecurityUtil;
import com.sun.enterprise.security.ee.audit.AppServerAuditManager;
import jakarta.security.jacc.PolicyContextException;
import jakarta.security.jacc.WebResourcePermission;
import jakarta.security.jacc.WebUserDataPermission;
import jakarta.servlet.http.HttpServletRequest;
import java.lang.annotation.Annotation;
import java.net.MalformedURLException;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URL;
import java.security.CodeSource;
import java.security.Permission;
import java.security.Principal;
import java.security.cert.Certificate;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.WeakHashMap;
import java.util.logging.Level;
import java.util.logging.Logger;
import java.util.stream.Collectors;
import org.glassfish.exousia.AuthorizationService;
import org.glassfish.exousia.spi.PrincipalMapper;
import org.glassfish.internal.api.ServerContext;
import org.glassfish.security.common.Group;
import org.glassfish.security.common.PrincipalImpl;

/* loaded from: input_file:com/sun/enterprise/security/web/integration/WebSecurityManager.class */
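/**
 * Per-web-module bridge between the servlet container's security checks and the
 * Exousia {@link AuthorizationService} (Jakarta Authorization / JACC).
 *
 * <p>One instance is created per {@link WebBundleDescriptor}. The constructor derives the
 * JACC context id and a code source for the module, registers the module's roles and
 * constraints with the authorization service, and (when {@code register} is set) builds
 * a cache of the two "everything is unchecked" permissions that lets
 * {@link #hasNoConstrainedResources()} short-circuit later checks.
 *
 * <p>Every authorization entry point ({@link #permitAll}, {@link #hasUserDataPermission},
 * {@link #hasResourcePermission}) first calls {@link #setSecurityInfo} so that the
 * current request and this module's context id are bound to the calling thread before
 * the decision is made; the outcome of each resource/user-data decision is then handed
 * to the audit manager by {@link #recordWebInvocation}.
 *
 * <p>This class keeps mutable per-module state and is not documented as thread-safe;
 * the container is assumed to serialise lifecycle calls ({@code release}, {@code destroy}).
 */
public class WebSecurityManager {

    /** Request attribute under which the authorization service publishes the constrained URI. */
    public static final String CONSTRAINT_URI = "org.apache.catalina.CONSTRAINT_URI";

    /** Audit "type" strings passed to {@link AppServerAuditManager#webInvocation}. */
    private static final String RESOURCE = "hasResourcePermission";
    private static final String USERDATA = "hasUserDataPermission";
    private static final String EMPTY_STRING = "";

    /** JACC policy context id of this web module (see {@link #getContextID}). */
    private String contextId;
    /** Context id with spaces replaced by underscores; used to build the module code source. */
    private String codebase;
    /** Code source the permission cache is keyed on; derived from {@link #codebase}. */
    protected CodeSource codesource;

    /** Cached check of "is every resource unchecked?"; only set when {@link #register} is true. */
    private CachedPermission allResourcesCachedPermission;
    /** Cached check of "is every transport unchecked?"; only set when {@link #register} is true. */
    private CachedPermission allConnectionsCachedPermission;
    private PermissionCache uncheckedPermissionCache;

    private WebSecurityManagerFactory webSecurityManagerFactory;
    private ServerContext serverContext;
    private WebBundleDescriptor webBundleDescriptor;

    /** Whether to build the unchecked-permission cache for this module. */
    private boolean register;

    AuthorizationService authorizationService;

    private static final Logger logger = LogUtils.getLogger();

    /** Prototype permissions covering every URL pattern; used to detect a fully unconstrained module. */
    private static final WebResourcePermission allResources = new WebResourcePermission("/*", (String) null);
    private static final WebUserDataPermission allConnections = new WebUserDataPermission("/*", null);
    private static Permission[] protoPerms = {allResources, allConnections};

    /** Principals of the default (unauthenticated) security context, used for the "would HTTPS help?" probe. */
    private static Set<Principal> defaultPrincipalSet = SecurityContext.getDefaultSecurityContext().getPrincipalSet();

    /** Not referenced elsewhere in this class; kept for compatibility. */
    private Map<Object, Object> protectionDomainCache = Collections.synchronizedMap(new WeakHashMap<>());

    private WebSecurityDeployerProbeProvider probeProvider = new WebSecurityDeployerProbeProvider();

    /**
     * Creates the security manager for one web module and registers its constraints
     * with the authorization service.
     *
     * @param webBundleDescriptor        the deployed web module
     * @param serverContext              server services (used to look up virtual servers)
     * @param webSecurityManagerFactory  owning factory; also hosts the policy context handler
     * @param register                   whether to build the unchecked-permission cache
     * @throws PolicyContextException if the permission cache / policy context cannot be set up
     */
    public WebSecurityManager(WebBundleDescriptor webBundleDescriptor, ServerContext serverContext,
            WebSecurityManagerFactory webSecurityManagerFactory, boolean register) throws PolicyContextException {
        this.register = register;
        this.webBundleDescriptor = webBundleDescriptor;
        this.contextId = getContextID(webBundleDescriptor);
        this.serverContext = serverContext;
        this.webSecurityManagerFactory = webSecurityManagerFactory;

        String registrationName = webBundleDescriptor.getApplication().getRegistrationName();
        // Let the role mapper associate this JACC context with its application.
        SecurityRoleMapperFactoryGen.getSecurityRoleMapperFactory().setAppNameForContext(registrationName, contextId);
        initialise(registrationName);

        // The subject supplier reads the thread-bound SecurityContext; identity must be set
        // (see hasResourcePermission) before a decision that depends on the caller is made.
        this.authorizationService = new AuthorizationService(
                getContextID(webBundleDescriptor),
                () -> SecurityContext.getCurrent().getSubject(),
                (PrincipalMapper) null);
        authorizationService.setConstrainedUriRequestAttribute(CONSTRAINT_URI);
        // The request is published through the policy context handler data; setSecurityInfo() stores it.
        authorizationService.setRequestSupplier(() -> (HttpServletRequest) webSecurityManagerFactory.pcHandlerImpl
                .getHandlerData().get(PolicyContextHandlerImpl.HTTP_SERVLET_REQUEST));

        Set<String> roleNames = webBundleDescriptor.getRoles().stream()
                .map(role -> role.getName())
                .collect(Collectors.toSet());
        authorizationService.addConstraintsToPolicy(
                GlassFishToExousiaConverter.getConstraintsFromBundle(webBundleDescriptor),
                roleNames,
                webBundleDescriptor.isDenyUncoveredHttpMethods(),
                GlassFishToExousiaConverter.getSecurityRoleRefsFromBundle(webBundleDescriptor));
    }

    /**
     * Returns the JACC policy context id for the given web module.
     *
     * @param webBundleDescriptor the web module
     * @return the context id as computed by {@link SecurityUtil#getContextID}
     */
    public static String getContextID(WebBundleDescriptor webBundleDescriptor) {
        return SecurityUtil.getContextID(webBundleDescriptor);
    }

    /**
     * Reports whether this module has no security constraints at all, i.e. both the
     * all-resources and all-connections permissions are unchecked.
     *
     * <p>Always {@code false} when the permission cache was not built
     * ({@code register} was false). When the answer is {@code true} the thread is also
     * bound to this module's context id, as {@link #setSecurityInfo} would do.
     *
     * @return {@code true} if every resource and transport is unchecked
     */
    public boolean hasNoConstrainedResources() {
        if (allResourcesCachedPermission == null || allConnectionsCachedPermission == null) {
            return false;
        }
        boolean unconstrained = allResourcesCachedPermission.checkPermission()
                && allConnectionsCachedPermission.checkPermission();
        if (unconstrained) {
            AuthorizationService.setThreadContextId(contextId);
        }
        return unconstrained;
    }

    /**
     * Checks whether the request's resource is accessible without any caller identity
     * (the principal set passed to the authorization service is {@code null}).
     *
     * @param httpServletRequest the current request
     * @return {@code true} if the resource is permitted to everyone
     */
    public boolean permitAll(HttpServletRequest httpServletRequest) {
        setSecurityInfo(httpServletRequest);
        return authorizationService.checkWebResourcePermission(httpServletRequest, (Set) null);
    }

    /**
     * Performs the transport-guarantee (user-data) check for a request.
     *
     * <p>When {@code uri} is {@code null} the check is made directly on the request;
     * otherwise on the explicit {@code uri}/{@code httpMethod} pair with the request's
     * current transport security.
     *
     * @param httpServletRequest the current request
     * @param uri                module-relative URI to check, or {@code null} to use the request
     * @param httpMethod         HTTP method to check; only read when {@code uri} is non-null
     * @return {@code 1} if granted; {@code 0} if denied; {@code -1} if denied on the current
     *         (non-secure) transport but the same resource would be granted over a secure
     *         transport to the default principal set
     */
    public int hasUserDataPermission(HttpServletRequest httpServletRequest, String uri, String httpMethod) {
        setSecurityInfo(httpServletRequest);
        boolean granted = uri == null
                ? authorizationService.checkWebUserDataPermission(httpServletRequest)
                : authorizationService.checkWebUserDataPermission(uri, httpMethod, httpServletRequest.isSecure());

        if (logger.isLoggable(Level.FINE)) {
            logger.log(Level.FINE, "[Web-Security] hasUserDataPermission isGranted: {0}", granted);
        }
        recordWebInvocation(httpServletRequest, USERDATA, granted);

        int result = granted ? 1 : 0;
        if (!granted && !httpServletRequest.isSecure()) {
            // Re-run the check as if the connection were secure, to tell "denied" from
            // "denied only because the transport is not confidential".
            String probedUri = uri == null ? getUriMinusContextPath(httpServletRequest) : uri;
            String probedMethod = uri == null ? httpServletRequest.getMethod() : httpMethod;
            if (authorizationService.checkWebUserDataPermission(probedUri, probedMethod, true, defaultPrincipalSet)) {
                result = -1;
            }
        }
        return result;
    }

    /**
     * Performs the resource (authorization-constraint) check for a request using the
     * identity of {@code httpServletRequest.getUserPrincipal()}.
     *
     * <p>Side effect: the thread's current {@link SecurityContext} is replaced by the one
     * derived from the request principal (see {@link #getSecurityContext}).
     *
     * @param httpServletRequest the current request
     * @return {@code true} if the caller may access the resource
     */
    public boolean hasResourcePermission(HttpServletRequest httpServletRequest) {
        setSecurityInfo(httpServletRequest);
        SecurityContext.setCurrent(getSecurityContext(httpServletRequest.getUserPrincipal()));

        boolean granted = authorizationService.checkWebResourcePermission(httpServletRequest);
        if (logger.isLoggable(Level.FINE)) {
            logger.log(Level.FINE, "[Web-Security] hasResource isGranted: {0}", granted);
            logger.log(Level.FINE, "[Web-Security] hasResource perm: {0}", getUriMinusContextPath(httpServletRequest));
        }
        recordWebInvocation(httpServletRequest, RESOURCE, granted);
        return granted;
    }

    /**
     * Answers {@code isUserInRole}-style queries: does {@code principal} hold the role
     * that {@code roleRef} maps to for servlet {@code servletName}?
     *
     * @param servletName the servlet whose role references apply
     * @param roleRef     the role (reference) name
     * @param principal   the caller, or {@code null} for the default security context
     * @return {@code true} if the principal's set is in the role
     */
    public boolean hasRoleRefPermission(String servletName, String roleRef, Principal principal) {
        boolean granted = authorizationService.checkWebRoleRefPermission(
                servletName, roleRef, getSecurityContext(principal).getPrincipalSet());
        if (logger.isLoggable(Level.FINE)) {
            logger.log(Level.FINE, "[Web-Security] hasRoleRef perm: {0} {1}", new Object[] {servletName, roleRef});
            logger.log(Level.FINE, "[Web-Security] hasRoleRef isGranted: {0}", granted);
        }
        return granted;
    }

    /** Delegates to {@link AuthorizationService#linkPolicy(String, boolean)} for this module's context. */
    public boolean linkPolicy(String linkedContextId, boolean lastInService) {
        return authorizationService.linkPolicy(linkedContextId, lastInService);
    }

    /** Static form of {@link #linkPolicy(String, boolean)} for an explicit context id. */
    public static boolean linkPolicy(String contextId, String linkedContextId, boolean lastInService) {
        return AuthorizationService.linkPolicy(contextId, linkedContextId, lastInService);
    }

    /** Commits the policy for this module's context. */
    public void commitPolicy() {
        authorizationService.commitPolicy();
    }

    /** Commits the policy for an explicit context id. */
    public static void commitPolicy(String contextId) {
        AuthorizationService.commitPolicy(contextId);
    }

    /** Refreshes the authorization service's view of the policy. */
    public void refresh() {
        authorizationService.refresh();
    }

    /** Deletes the policy for this module's context. */
    public void deletePolicy() {
        authorizationService.deletePolicy();
    }

    /** Deletes the policy for an explicit context id. */
    public static void deletePolicy(String contextId) {
        AuthorizationService.deletePolicy(contextId);
    }

    /**
     * Removes this module's policy statements and permission cache and asks the factory
     * to drop this manager.
     *
     * @throws PolicyContextException if the policy cannot be updated
     */
    public void release() throws PolicyContextException {
        authorizationService.removeStatementsFromPolicy((Set) null);
        PermissionCacheFactory.removePermissionCache(uncheckedPermissionCache);
        uncheckedPermissionCache = null;
        // NOTE(review): the boolean presumably means "remove" — confirm against the factory.
        webSecurityManagerFactory.getManager(contextId, true);
    }

    /**
     * Tears the manager down: refreshes the service, discards the permission cache,
     * unregisters the context from the role mapper and drops this manager from the factory.
     *
     * @throws PolicyContextException if the policy cannot be updated
     */
    public void destroy() throws PolicyContextException {
        authorizationService.refresh();
        PermissionCacheFactory.removePermissionCache(uncheckedPermissionCache);
        uncheckedPermissionCache = null;
        SecurityRoleMapperFactoryGen.getSecurityRoleMapperFactory().removeAppNameForContext(contextId);
        // NOTE(review): the boolean presumably means "remove" — confirm against the factory.
        webSecurityManagerFactory.getManager(contextId, true);
    }

    /**
     * Derives the code base / code source for this module and builds the permission cache.
     * If the application is deployed to the {@code __asadmin} virtual server, its role
     * mappings are additionally registered as admin principals/groups.
     *
     * @param appName the application's registration name
     * @throws PolicyContextException if the permission cache cannot be created
     */
    private void initialise(String appName) throws PolicyContextException {
        codebase = removeSpaces(contextId);
        if ("__asadmin".equals(getVirtualServers(appName))) {
            handleAdminVirtualServer();
        }
        codesource = createCodeSource();
        if (logger.isLoggable(Level.FINE)) {
            logger.log(Level.FINE, "[Web-Security] Context id (id under which  WEB component in application will be created) = {0}", contextId);
            logger.log(Level.FINE, "[Web-Security] Codebase (module id for web component) {0}", codebase);
        }
        initPermissionCache();
    }

    /**
     * Builds a {@code file:///<codebase>} code source with no certificates.
     *
     * @return the new code source
     * @throws RuntimeException wrapping a {@link URISyntaxException} or {@link MalformedURLException}
     *                          if the code base cannot be turned into a URL
     */
    private CodeSource createCodeSource() {
        if (logger.isLoggable(Level.FINE)) {
            logger.log(Level.FINE, "[Web-Security] Creating a Codebase URI with = {0}", codebase);
        }
        try {
            URI uri = new URI("file:///" + codebase);
            return new CodeSource(new URL(uri.toString()), (Certificate[]) null);
        } catch (URISyntaxException e) {
            logger.log(Level.FINE, "[Web-Security] Error Creating URI ", e);
            throw new RuntimeException(e);
        } catch (MalformedURLException e) {
            logger.log(Level.SEVERE, LogUtils.EJBSM_CODSOURCEERROR, e);
            throw new RuntimeException(e);
        }
    }

    /**
     * Resets an existing permission cache, or — when {@link #register} is set — creates
     * one for the two prototype permissions and the cached checks built on it.
     */
    private void initPermissionCache() {
        if (uncheckedPermissionCache != null) {
            uncheckedPermissionCache.reset();
            return;
        }
        if (!register) {
            return;
        }
        uncheckedPermissionCache = PermissionCacheFactory.createPermissionCache(contextId, codesource, protoPerms, (String) null);
        allResourcesCachedPermission = new CachedPermissionImpl(uncheckedPermissionCache, allResources);
        allConnectionsCachedPermission = new CachedPermissionImpl(uncheckedPermissionCache, allConnections);
    }

    /**
     * For applications on the admin virtual server: registers every principal and group
     * named in the module's role mappings / role assignments with the factory as admin
     * principals and admin groups, keyed by the login configuration's realm name.
     */
    private void handleAdminVirtualServer() {
        LoginConfiguration loginConfiguration = webBundleDescriptor.getLoginConfiguration();
        if (loginConfiguration == null) {
            return;
        }
        String realmName = loginConfiguration.getRealmName();
        SunWebApp sunDescriptor = webBundleDescriptor.getSunDescriptor();
        if (sunDescriptor == null) {
            return;
        }

        SecurityRoleMapping[] roleMappings = sunDescriptor.getSecurityRoleMapping();
        if (roleMappings != null) {
            for (SecurityRoleMapping mapping : roleMappings) {
                for (String principalName : mapping.getPrincipalName()) {
                    webSecurityManagerFactory.putAdminPrincipal(principalName, realmName, new PrincipalImpl(principalName));
                }
                for (String groupName : mapping.getGroupNames()) {
                    webSecurityManagerFactory.putAdminGroup(groupName, realmName, new Group(groupName));
                }
            }
        }

        SecurityRoleAssignment[] roleAssignments = sunDescriptor.getSecurityRoleAssignments();
        if (roleAssignments != null) {
            for (SecurityRoleAssignment assignment : roleAssignments) {
                if (assignment.isExternallyDefined()) {
                    // An externally defined role is registered as a group of the same name.
                    String roleName = assignment.getRoleName();
                    webSecurityManagerFactory.putAdminGroup(roleName, realmName, new Group(roleName));
                } else {
                    List<String> principalNames = assignment.getPrincipalNames();
                    for (String principalName : principalNames) {
                        webSecurityManagerFactory.putAdminPrincipal(principalName, realmName, new PrincipalImpl(principalName));
                    }
                }
            }
        }
    }

    /**
     * Sends the outcome of an authorization decision to the audit manager, if auditing is
     * on and the manager is an {@link AppServerAuditManager}.
     *
     * @param httpServletRequest the request that was checked
     * @param checkType          {@link #RESOURCE} or {@link #USERDATA}
     * @param granted            the decision
     */
    private void recordWebInvocation(HttpServletRequest httpServletRequest, String checkType, boolean granted) {
        AuditManager auditManager = SecurityServicesUtil.getInstance().getAuditManager();
        if (auditManager == null || !auditManager.isAuditOn() || !(auditManager instanceof AppServerAuditManager)) {
            return;
        }
        Principal userPrincipal = httpServletRequest.getUserPrincipal();
        String userName = userPrincipal == null ? null : userPrincipal.getName();
        ((AppServerAuditManager) auditManager).webInvocation(userName, httpServletRequest, checkType, granted);
    }

    /**
     * Resolves the {@link SecurityContext} for a principal: a {@link WebPrincipal} carries
     * its own, any other principal gets a fresh context built from its name, and
     * {@code null} (or a {@code WebPrincipal} without a context) yields the default context.
     *
     * @param principal the caller, may be {@code null}
     * @return a non-null security context
     */
    private SecurityContext getSecurityContext(Principal principal) {
        SecurityContext securityContext = null;
        if (principal instanceof WebPrincipal) {
            securityContext = ((WebPrincipal) principal).getSecurityContext();
        } else if (principal != null) {
            securityContext = new SecurityContext(principal.getName(), null);
        }
        return securityContext != null ? securityContext : SecurityContext.getDefaultSecurityContext();
    }

    /**
     * Binds the request to the policy context handler data (so the authorization
     * service's request supplier can see it) and marks the thread with this module's
     * context id. Must run before each authorization decision.
     *
     * @param httpServletRequest the current request; {@code null} only skips the request binding
     */
    private void setSecurityInfo(HttpServletRequest httpServletRequest) {
        if (httpServletRequest != null) {
            webSecurityManagerFactory.pcHandlerImpl.getHandlerData().setHttpServletRequest(httpServletRequest);
        }
        AuthorizationService.setThreadContextId(contextId);
    }

    /**
     * Looks up the virtual-servers attribute of the application reference named
     * {@code appName} on the default server.
     *
     * @param appName application registration name
     * @return the virtual servers string, or {@code null} if no matching reference exists
     */
    private String getVirtualServers(String appName) {
        Server server = (Server) serverContext.getDefaultServices().getService(Server.class, new Annotation[0]);
        for (ApplicationRef applicationRef : server.getApplicationRef()) {
            String ref = applicationRef.getRef();
            // Null-safe: a reference without a name simply does not match.
            if (ref != null && ref.equals(appName)) {
                return applicationRef.getVirtualServers();
            }
        }
        return null;
    }

    /** Replaces every space with an underscore (the code base must be URI-safe). */
    private static String removeSpaces(String str) {
        return str.replace(' ', '_');
    }

    /**
     * Returns the request URI with the context path stripped, as used for permission
     * names: {@code ""} for a missing URI or a bare {@code "/"}, and every {@code ':'}
     * encoded as {@code %3A}.
     *
     * <p>Relies on the servlet contract that the context path is a prefix of the request
     * URI; only that many leading characters are removed.
     *
     * @param httpServletRequest the current request
     * @return the module-relative URI
     */
    private static String getUriMinusContextPath(HttpServletRequest httpServletRequest) {
        String requestUri = httpServletRequest.getRequestURI();
        if (requestUri == null) {
            return EMPTY_STRING;
        }
        String contextPath = httpServletRequest.getContextPath();
        if (contextPath != null && !contextPath.isEmpty()) {
            requestUri = requestUri.substring(contextPath.length());
        }
        if (requestUri.equals("/")) {
            return EMPTY_STRING;
        }
        // Literal replacement; ':' is not a regex metacharacter so this matches replaceAll(":", ...).
        return requestUri.replace(":", "%3A");
    }
}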
