package weblogic.servlet.security.internal;

import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.security.AccessController;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.List;
import java.util.Map;
import javax.security.auth.login.LoginException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.http.cookie.SM;
import weblogic.security.SubjectUtils;
import weblogic.security.acl.internal.AuthenticatedSubject;
import weblogic.security.service.PrincipalAuthenticator;
import weblogic.security.service.PrivilegedActions;
import weblogic.security.service.SecurityService;
import weblogic.security.service.SecurityServiceManager;
import weblogic.security.spi.IdentityAsserter;
import weblogic.servlet.HTTPLogger;
import weblogic.servlet.internal.ErrorMessages;
import weblogic.servlet.internal.ServletRequestImpl;
import weblogic.servlet.internal.WebAppServletContext;
import weblogic.servlet.security.ServletAuthentication;
import weblogic.utils.encoders.BASE64Decoder;

/* loaded from: input_file:weblogic.jar:weblogic/servlet/security/internal/CertSecurityModule.class */
/**
 * Security module that authenticates a web request by asserting an identity token
 * (an X.509 client certificate or another configured token type) through the realm's
 * {@link PrincipalAuthenticator}, then applies the web application's resource constraints.
 *
 * <p>This listing is decompiler (JADX) output. Some local variable types and some control
 * flow in {@link #checkUserPerm} are not valid Java as printed (see the JADX warnings there),
 * so read it as a description of the bytecode rather than as compilable source.
 *
 * <p>Security note: apart from the container-supplied certificate attribute, every token
 * source read by {@link #checkUserPerm} is ordinary request data (headers and cookies).
 * Nothing in this class checks where the request came from. The trust decision rests on
 * {@code PrincipalAuthenticator.assertIdentity} and on whatever populates the proxy
 * certificate lists in {@code ServletRequestImpl}; neither is visible here.
 */
public final class CertSecurityModule extends SecurityModule {
    // Authentication service for the web application's security realm; resolved in the constructor.
    private PrincipalAuthenticator pa;
    // Kernel identity shared by all instances; filled lazily by getKernelID().
    private static AuthenticatedSubject kernelId = null;

    /**
     * Creates the module and looks up the AUTHENTICATION service for the realm named by
     * {@code webAppServletContext.getSecurityRealmName()}, using the kernel identity.
     *
     * @param webAppServletContext servlet context whose security realm is used
     * @param webAppSecurity       security configuration passed through to the superclass
     */
    public CertSecurityModule(WebAppServletContext webAppServletContext, WebAppSecurity webAppSecurity) {
        super(webAppServletContext, webAppSecurity);
        // Redundant with the assignment on the next line; presumably the field initializer as the decompiler printed it.
        this.pa = null;
        this.pa = (PrincipalAuthenticator) SecurityServiceManager.getSecurityService(getKernelID(), webAppServletContext.getSecurityRealmName(), SecurityService.ServiceType.AUTHENTICATION);
    }

    /**
     * Returns the kernel identity, obtaining it on first use through a privileged action
     * and caching it in the static {@code kernelId} field.
     *
     * <p>NOTE(review): the lazy initialisation of the static field is not synchronised, so
     * concurrent first calls may each run the privileged action. Presumably harmless if the
     * action always yields the same subject; confirm.
     *
     * @return the cached kernel identity
     */
    private AuthenticatedSubject getKernelID() {
        if (kernelId == null) {
            kernelId = (AuthenticatedSubject) AccessController.doPrivileged(PrivilegedActions.getKernelIdentityAction());
        }
        return kernelId;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Entry check for a request: runs {@code checkTransport} first and calls
     * {@code beginCheck} only if it passes.
     *
     * <p>Both helpers are defined outside this file (presumably inherited from
     * {@code SecurityModule}). Per the JADX note above, the method was package-private in
     * the class file and was printed as {@code public} by the decompiler.
     *
     * @return the result of {@code beginCheck}, or {@code false} when {@code checkTransport} fails
     * @throws IOException declared by the overridden method; presumably raised by the helpers when writing a response
     */
    @Override // weblogic.servlet.security.internal.SecurityModule
    public boolean checkA(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
        if (checkTransport(httpServletRequest, httpServletResponse)) {
            return beginCheck(httpServletRequest, httpServletResponse);
        }
        return false;
    }

    /* JADX WARN: Multi-variable type inference failed */
    /* JADX WARN: Type inference failed for: r0v14, types: [java.security.cert.X509Certificate[]] */
    /**
     * Establishes the caller's identity (if none is supplied) and decides whether the
     * request may proceed.
     *
     * <p>When {@code authenticatedSubject} is {@code null} or anonymous, the method looks
     * for an identity token in this order and stops at the first one found:
     * <ol>
     *   <li>the {@code javax.servlet.request.X509Certificate} request attribute;</li>
     *   <li>the proxy client certificate lists of {@code ServletRequestImpl}, scanned from
     *       the last entry to the first, skipping the reserved type names;</li>
     *   <li>any request header (other than the cookie header) whose name is a key of
     *       {@code pa.getAssertionsEncodingMap()};</li>
     *   <li>any cookie whose name starts with {@code WL-Proxy-Client-} (case-insensitive)
     *       or is a key of the same map.</li>
     * </ol>
     * The token is then passed to {@code pa.assertIdentity(type, token)}.
     *
     * <p>Security note: sources 2 to 4 are request data that a client can set directly
     * unless a front end removes them, and this method does not check the origin of the
     * request. Whether {@code ServletRequestImpl} fills the proxy certificate lists only for
     * trusted proxies is not visible here; confirm. Deployments should have the fronting
     * proxy strip these headers and cookies from inbound requests and keep only the
     * intended token types active in the identity asserter.
     *
     * <p>After identity resolution the request is rejected with 401 if
     * {@code checkAuthCookie} fails, or if a constraint applies and the subject is missing
     * or fails {@code checkPerm}. On success a real (non-anonymous, non-kernel) subject is
     * stored in the session.
     *
     * @param httpServletRequest   the incoming request
     * @param httpServletResponse  the response, used only to send 401 errors
     * @param authenticatedSubject the subject already associated with the request, or {@code null}
     * @return {@code true} if the request may proceed; {@code false} after a 401 has been sent
     * @throws IOException if sending the error response fails
     */
    @Override // weblogic.servlet.security.internal.SecurityModule
    boolean checkUserPerm(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticatedSubject authenticatedSubject) throws IOException {
        Object obj;
        Object obj2;
        byte[] headerValueBytes;
        ServletRequestImpl servletRequestImpl;
        List proxyClientCertType;
        int size;
        // z: a usable token has been found; str: its token type; bArr: the token payload.
        boolean z = false;
        String str = null;
        byte[] bArr = null;
        if (authenticatedSubject == null || SubjectUtils.isUserAnonymous(authenticatedSubject)) {
            try {
                // Source 1: certificate chain exposed by the container as a request attribute.
                // Decompiler artefact: `?? r0` and the assignment of an X509Certificate[] to the
                // byte[] local below are not valid Java; presumably the bytecode reuses an
                // Object-typed slot for the token.
                ?? r0 = (X509Certificate[]) httpServletRequest.getAttribute("javax.servlet.request.X509Certificate");
                if (r0 != 0 && r0.length > 0) {
                    z = true;
                    bArr = r0;
                    str = IdentityAsserter.X509_TYPE;
                }
                // Source 2: proxy-supplied client certificates held by ServletRequestImpl.
                // The type list and the value list are read by the same index, newest entry first.
                if (!z && (httpServletRequest instanceof ServletRequestImpl) && (size = (proxyClientCertType = (servletRequestImpl = (ServletRequestImpl) httpServletRequest).getProxyClientCertType()).size()) > 0) {
                    List proxyClientCert = servletRequestImpl.getProxyClientCert();
                    for (int i = size - 1; i >= 0; i--) {
                        // str is assigned before the reserved-name check, so it can be left holding
                        // a reserved type name when no entry is accepted; it is only used when z is true.
                        str = (String) proxyClientCertType.get(i);
                        if (!str.equalsIgnoreCase(ServletAuthentication.CERT_RESERVED_IP) && !str.equalsIgnoreCase(ServletAuthentication.CERT_RESERVED_KEYSIZE) && !str.equalsIgnoreCase(ServletAuthentication.CERT_RESERVED_SECRETKEYSIZE)) {
                            try {
                                // Values in this list are always Base64-decoded.
                                bArr = new BASE64Decoder().decodeBuffer(new ByteArrayInputStream((byte[]) proxyClientCert.get(i)));
                                z = true;
                                break;
                            } catch (Exception e) {
                                // An undecodable entry is logged and skipped; the scan continues with older entries.
                                HTTPLogger.logIgnoringClientCert(str, e);
                                str = null;
                                bArr = null;
                            }
                        }
                    }
                }
                // Source 3: request headers whose name is a configured token type.
                if (!z && (httpServletRequest instanceof ServletRequestImpl)) {
                    ServletRequestImpl servletRequestImpl2 = (ServletRequestImpl) httpServletRequest;
                    Enumeration headerNames = httpServletRequest.getHeaderNames();
                    Map assertionsEncodingMap = this.pa.getAssertionsEncodingMap();
                    if (assertionsEncodingMap != null && !assertionsEncodingMap.isEmpty()) {
                        while (true) {
                            if (!headerNames.hasMoreElements()) {
                                break;
                            }
                            String str2 = (String) headerNames.nextElement();
                            // The cookie header is excluded here; cookies are handled as source 4.
                            // The map lookup uses the header name exactly as the request reports it.
                            if (!SM.COOKIE.equalsIgnoreCase(str2) && (obj2 = assertionsEncodingMap.get(str2)) != null && (headerValueBytes = servletRequestImpl2.getHeaderValueBytes(str2)) != null && headerValueBytes.length >= 1) {
                                try {
                                    // The map entry decides whether the header value is Base64-encoded.
                                    byte[] decodeBuffer = this.pa.doesTokenRequireBase64Decoding(obj2) ? new BASE64Decoder().decodeBuffer(new ByteArrayInputStream(headerValueBytes)) : headerValueBytes;
                                    if (decodeBuffer != null && decodeBuffer.length >= 1) {
                                        bArr = decodeBuffer;
                                        str = str2;
                                        z = true;
                                        break;
                                    }
                                    z = false;
                                } catch (Exception e2) {
                                    z = false;
                                    // NOTE(review): this logs `str`, not the header being processed (`str2`).
                                    // At this point `str` is null or left over from the proxy-cert scan, so
                                    // the log entry does not name the header that failed to decode.
                                    HTTPLogger.logIgnoringClientCert(str, e2);
                                }
                            }
                        }
                    }
                }
                // Source 4: cookies.
                if (!z) {
                    Cookie[] cookies = httpServletRequest.getCookies();
                    // z2: the cookie value must be Base64-decoded (default for prefix-named cookies).
                    boolean z2 = true;
                    for (int i2 = 0; cookies != null && i2 < cookies.length; i2++) {
                        String name = cookies[i2].getName();
                        String value = cookies[i2].getValue();
                        if (value != null && value.length() >= 1) {
                            // 16 is the length of the "WL-Proxy-Client-" prefix.
                            if (name.length() <= 16 || !"WL-Proxy-Client-".regionMatches(true, 0, cookies[i2].getName(), 0, 16)) {
                                // No prefix: the cookie counts only if its name is a configured token type.
                                Map assertionsEncodingMap2 = this.pa.getAssertionsEncodingMap();
                                if (assertionsEncodingMap2 != null && !assertionsEncodingMap2.isEmpty() && (obj = assertionsEncodingMap2.get(name)) != null) {
                                    str = name;
                                    z = true;
                                    z2 = this.pa.doesTokenRequireBase64Decoding(obj);
                                }
                            } else {
                                // Prefix match: the remainder of the cookie name becomes the token type.
                                // This branch consults neither the assertions map nor the reserved-name
                                // list used for source 2, so acceptance of the type is left entirely to
                                // assertIdentity — confirm that is intended.
                                str = name.substring(16);
                                z = true;
                            }
                            if (!z) {
                                continue;
                            } else {
                                if (!z2) {
                                    // NOTE(review): getBytes() without a charset uses the platform default encoding.
                                    bArr = value.getBytes();
                                    break;
                                    // Decompiler artefact: the second break is unreachable.
                                    break;
                                }
                                try {
                                    byte[] decodeBuffer2 = new BASE64Decoder().decodeBuffer(new ByteArrayInputStream(value.getBytes()));
                                    if (decodeBuffer2 != null && decodeBuffer2.length >= 1) {
                                        bArr = decodeBuffer2;
                                        break;
                                    }
                                    // Empty decode result: discard this cookie and try the next one.
                                    z = false;
                                } catch (Exception e3) {
                                    z = false;
                                    HTTPLogger.logIgnoringClientCert(str, e3);
                                }
                            }
                        }
                    }
                }
                if (z) {
                    try {
                        // The only place in this method where the token is actually validated.
                        authenticatedSubject = this.pa.assertIdentity(str, bArr);
                    } catch (LoginException e4) {
                        // NOTE(review): a rejected token is not logged here, so failed assertions are
                        // visible only through the later 401 (and the debug-only log below) unless
                        // the authenticator logs them itself.
                        authenticatedSubject = null;
                    }
                }
            } catch (ClassCastException e5) {
                // Covers the unchecked casts above (attribute, list elements, header names).
                HTTPLogger.logCertAuthenticationError(httpServletRequest.getRequestURI(), e5);
                authenticatedSubject = null;
            } catch (SecurityException e6) {
                HTTPLogger.logCertAuthenticationError(httpServletRequest.getRequestURI(), e6);
                authenticatedSubject = null;
            }
        }
        // checkAuthCookie is defined outside this file; a failure rejects the request regardless
        // of the identity resolved above. The session is looked up without creating one.
        if (!checkAuthCookie(getHttpServer(), httpServletRequest, getUserSession(httpServletRequest, false))) {
            httpServletResponse.sendError(401, ErrorMessages.getErrorPage(401));
            return false;
        }
        // z3: access granted.
        boolean z3 = false;
        ResourceConstraint constraint = this.webAppSecurity.getConstraint(httpServletRequest);
        if (constraint == null && !this.webAppSecurity.isFullSecurityDelegationRequired()) {
            // Unconstrained resource and no full delegation: allowed even without a subject.
            z3 = true;
        // NOTE(review): the cast below is not guarded by instanceof, unlike the casts above, and it
        // sits outside the try block; a request of another type would raise ClassCastException here.
        } else if (authenticatedSubject != null && checkPerm((ServletRequestImpl) httpServletRequest, constraint, authenticatedSubject)) {
            z3 = true;
        }
        if (!z3) {
            // The failure is logged only when HTTP debugging is enabled for the context.
            if (this.webAppSecurity.getContext().getDebugHttp()) {
                HTTPLogger.logCertAuthenticationFailure(httpServletRequest.getRequestURI());
            }
            httpServletResponse.sendError(401, ErrorMessages.getErrorPage(401));
            return false;
        }
        // Nothing is stored in the session for a missing, anonymous or kernel subject.
        if (authenticatedSubject == null || SubjectUtils.isUserAnonymous(authenticatedSubject) || SecurityServiceManager.isKernelIdentity(authenticatedSubject)) {
            return true;
        }
        // Bind the asserted subject to the session, creating the session if necessary.
        SecurityModule.storeAuthUser(httpServletRequest, getUserSession(httpServletRequest, true), getHttpServer(), authenticatedSubject);
        if (!this.verbose) {
            return true;
        }
        HTTPLogger.logAuthenticatedUser(this.webAppSecurity.getContextLog(), SubjectUtils.getUsername(authenticatedSubject));
        return true;
    }
}
