package weblogic.servlet.security.internal;

import java.io.IOException;
import java.security.AccessController;
import java.security.PrivilegedAction;
import javafx.fxml.FXMLLoader;
import javax.security.auth.login.LoginException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.jsp.PageContext;
import weblogic.logging.LogOutputStream;
import weblogic.rjvm.LocalRJVM;
import weblogic.security.SubjectUtils;
import weblogic.security.acl.internal.AuthenticatedSubject;
import weblogic.security.auth.login.PasswordCredential;
import weblogic.security.service.PrincipalAuthenticator;
import weblogic.security.service.PrivilegedActions;
import weblogic.security.service.SecurityService;
import weblogic.security.service.SecurityServiceManager;
import weblogic.server.Server;
import weblogic.servlet.HTTPLogger;
import weblogic.servlet.internal.ErrorMessages;
import weblogic.servlet.internal.HttpServer;
import weblogic.servlet.internal.ServletRequestImpl;
import weblogic.servlet.internal.ServletResponseImpl;
import weblogic.servlet.internal.WebAppServletContext;
import weblogic.servlet.internal.session.HTTPSessionLogger;
import weblogic.servlet.internal.session.SessionInternal;
import weblogic.utils.encoders.BASE64Encoder;

/* loaded from: input_file:weblogic.jar:weblogic/servlet/security/internal/SecurityModule.class */
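/**
 * Base class for the per-web-app HTTP authentication modules (the concrete
 * BASIC / FORM / CLIENT-CERT modules supply {@link #checkA} and
 * {@link #checkUserPerm}). This class holds the plumbing they share:
 * resolving the subject already bound to the HTTP session, delegating
 * credential checks to the realm's {@code PrincipalAuthenticator}, enforcing
 * transport constraints by redirecting to HTTPS, and issuing / validating the
 * {@code _wl_authcookie_} token that binds an authenticated session to a
 * secret only ever sent over TLS.
 *
 * <p>This is a decompiled listing (JADX markers left in place). Control-flow
 * shapes and a few oddities below -- the JavaFX constant in getCurrentUser,
 * the anonymous-class constructor in checkAuthenticate -- are decompiler
 * artifacts, not design.
 */
public abstract class SecurityModule {
    // Session-internal attribute under which the bound AuthenticatedSubject is cached.
    public static final String SESSION_AUTH_USER = "weblogic.authuser";
    // FORM-auth state keys. They are defined here but consumed by the FORM module,
    // which is outside this class.
    public static final String SESSION_FORM_URL = "weblogic.formauth.targeturl";
    static final String SESSION_FORM_METHOD = "weblogic.formauth.method";
    static final String SESSION_FORM_QUERY = "weblogic.formauth.queryparams";
    static final String SESSION_FORM_BYTEARRAY = "weblogic.formauth.bytearray";
    static final String SESSION_FORM_REQHEADNAMES = "weblogic.formauth.reqheadernames";
    static final String SESSION_FORM_REQHEADVALUES = "weblogic.formauth.reqheadervalues";
    static final String SESSION_POST_COOKIE = "weblogic.formauth.postcookie";
    static final String SESSION_FORM_IMMEDIATE = "weblogic.formauth.immediate";
    public static final String REQUEST_FORM_TARGETURL = "weblogic.formauth.targetURL";
    public static final String REQUEST_AUTH_RESULT = "weblogic.auth.result";
    public static final int REQUEST_PRE_AUTH = -1;
    // Name of the Secure-flagged cookie (and of the session attribute mirroring its
    // value) that ties an authenticated session to a random token; see
    // storeAuthUser() for issuance and checkAuthCookie() for verification.
    public static final String WLS_AUTHCOOKIE = "_wl_authcookie_";
    // Unused in this listing.
    private static final boolean _DEBUG_AUTHCOOKIE_HTTP_ = false;
    boolean verbose;
    private WebAppServletContext servletContext;
    protected WebAppSecurity webAppSecurity;
    // Length in characters of the auth-cookie token; tunable via setAuthCookieIDLength().
    protected static int AUTH_COOKIE_ID_LENGTH = 20;
    // Lazily resolved server kernel identity; see getKernelID().
    private static AuthenticatedSubject kernelId = null;
    protected LogOutputStream log = new LogOutputStream("ServletSecurity");
    // Value of the WWW-Authenticate header sent by sendError(); set via setAuthRealmBanner().
    protected String authRealmBanner = null;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:weblogic.jar:weblogic/servlet/security/internal/SecurityModule$SessionRetrievalAction.class */
    /**
     * PrivilegedAction wrapper around {@code request.getSession(create)}.
     * Any Throwable raised by the lookup is captured and RETURNED from run()
     * rather than thrown, so getUserSession() can log it under the web app's
     * own log context; the session itself is exposed via getUserSession().
     */
    public class SessionRetrievalAction implements PrivilegedAction {
        private HttpServletRequest request;
        // Passed through as the "create" flag of getSession().
        private boolean flag;
        private SessionInternal session = null;
        private final SecurityModule this$0;

        SessionRetrievalAction(SecurityModule securityModule, HttpServletRequest httpServletRequest, boolean z) {
            this.this$0 = securityModule;
            this.request = null;
            this.flag = false;
            this.request = httpServletRequest;
            this.flag = z;
        }

        /** Session obtained by run(), or null if run() has not succeeded. */
        public SessionInternal getUserSession() {
            return this.session;
        }

        @Override // java.security.PrivilegedAction
        public Object run() {
            try {
                this.session = (SessionInternal) this.request.getSession(this.flag);
                return null;
            } catch (Throwable th) {
                return th;
            }
        }
    }

    /**
     * @param webAppServletContext the web app this module protects; also supplies
     *                             the HttpServer and the initial debug flag
     * @param webAppSecurity       constraint / permission evaluator for the web app
     */
    public SecurityModule(WebAppServletContext webAppServletContext, WebAppSecurity webAppSecurity) {
        this.verbose = false;
        this.servletContext = null;
        this.webAppSecurity = null;
        this.servletContext = webAppServletContext;
        this.webAppSecurity = webAppSecurity;
        this.verbose = webAppServletContext.getDebugHttp();
    }

    /**
     * Returns the server's kernel identity, resolving it under doPrivileged on
     * first use. The lazy init is unsynchronized; a race would merely resolve
     * the identity twice (presumed idempotent -- confirm).
     */
    private static AuthenticatedSubject getKernelID() {
        if (kernelId == null) {
            kernelId = (AuthenticatedSubject) AccessController.doPrivileged(PrivilegedActions.getKernelIdentityAction());
        }
        return kernelId;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /** HttpServer hosting this module's web app. */
    public HttpServer getHttpServer() {
        return this.servletContext.getServer();
    }

    WebAppServletContext getServletContext() {
        return this.servletContext;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Module-specific authentication entry point (challenge, login page, cert
     * extraction, ...). Implemented by the concrete module.
     */
    public abstract boolean checkA(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException;

    /**
     * Module-specific check that {@code authenticatedSubject} (null = nobody
     * logged in yet) may access the request. Implemented by the concrete module.
     */
    abstract boolean checkUserPerm(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticatedSubject authenticatedSubject) throws IOException;

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Asks WebAppSecurity whether {@code authenticatedSubject} satisfies
     * {@code resourceConstraint} for this request, logging the outcome when
     * verbose. Pure pass-through apart from the logging.
     */
    public boolean checkPerm(ServletRequestImpl servletRequestImpl, ResourceConstraint resourceConstraint, AuthenticatedSubject authenticatedSubject) throws IOException {
        if (this.webAppSecurity.hasPermission(servletRequestImpl, authenticatedSubject, resourceConstraint)) {
            if (!this.verbose) {
                return true;
            }
            this.log.debug(new StringBuffer().append("Checking WebApp permission for user ").append(authenticatedSubject).append(", passed").toString());
            return true;
        }
        if (!this.verbose) {
            return false;
        }
        this.log.debug(new StringBuffer().append("Checking WebApp permission for user ").append(authenticatedSubject).append(", failed").toString());
        return false;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Shared pre-check run before the module-specific logic. Looks up the
     * subject already bound to the request (getCurrentUser) and hands it to the
     * subclass's checkUserPerm; with no bound subject, checkUserPerm(null)
     * decides. When an already-logged-in user is permitted, the pending FORM
     * "immediate" marker is cleared from the session (if one exists).
     *
     * @return the checkUserPerm verdict
     */
    public boolean beginCheck(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
        SessionInternal userSession = getUserSession(httpServletRequest, false);
        AuthenticatedSubject currentUser = getCurrentUser(getHttpServer(), httpServletRequest);
        if (currentUser == null) {
            return checkUserPerm(httpServletRequest, httpServletResponse, null);
        }
        if (!checkUserPerm(httpServletRequest, httpServletResponse, currentUser)) {
            return false;
        }
        if (this.verbose) {
            this.log.debug(new StringBuffer().append(currentUser).append(" was already logged in and ").append(" has permission to execute this webapp on ").append(httpServletRequest.getRequestURI()).toString());
        }
        if (userSession == null) {
            return true;
        }
        userSession.removeInternalAttribute(SESSION_FORM_IMMEDIATE);
        return true;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Enforces the transport requirement of the constraint matching this
     * request. Returns true when there is no constraint or WebAppSecurity says
     * the transport is acceptable; otherwise redirects the client to the HTTPS
     * form of the same URI (getRedirectURL) and returns false.
     */
    public boolean checkTransport(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
        ResourceConstraint constraint = this.webAppSecurity.getConstraint(httpServletRequest);
        if (constraint == null || this.webAppSecurity.checkTransport(constraint, httpServletRequest)) {
            return true;
        }
        httpServletResponse.sendRedirect(getRedirectURL(httpServletRequest, httpServletResponse, httpServletRequest.getRequestURI()));
        return false;
    }

    /**
     * Builds the https:// URL a plain-HTTP request is redirected to when a
     * transport constraint requires TLS. The port is the configured frontend
     * HTTPS port, falling back to the default channel's SSL listen port; port
     * 443 is left implicit. {@code str} is first passed through
     * processRedirectedURL, whatever rewriting that method applies.
     *
     * <p>NOTE(review): only the port comes from frontend configuration; the host
     * is {@code getServerName()}, i.e. derived from the request (normally the
     * Host header). Unless the container canonicalizes the server name, the
     * redirect target follows whatever host the client supplied -- verify that a
     * configured frontend host, if any, is honored elsewhere.
     */
    private String getRedirectURL(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String str) {
        String serverName = httpServletRequest.getServerName();
        int frontendHTTPSPort = getHttpServer().getFrontendHTTPSPort();
        if (frontendHTTPSPort == 0) {
            frontendHTTPSPort = Server.getDefaultChannel().getSSLListenPort();
        }
        String processRedirectedURL = ((ServletResponseImpl) httpServletResponse).processRedirectedURL(str);
        return frontendHTTPSPort == 443 ? new StringBuffer().append("https://").append(serverName).append(processRedirectedURL).toString() : new StringBuffer().append("https://").append(serverName).append(":").append(frontendHTTPSPort).append(processRedirectedURL).toString();
    }

    /**
     * Resolves the subject currently bound to the request without
     * authenticating anything.
     *
     * <p>Two stores are kept in sync: the HttpServer's map keyed by the
     * session's internal id, and the session-internal attribute
     * {@link #SESSION_AUTH_USER}. Whichever one holds the subject repopulates
     * the other, and the same synchronisation is done for the auth-cookie token
     * ({@link #WLS_AUTHCOOKIE}). When no live session can be obtained but the
     * request carries a session id, the server map is consulted with that id
     * alone.
     *
     * <p>An IllegalStateException (session invalidated while we hold it) is
     * logged and yields "no user".
     *
     * @return the bound subject, or null when none is known
     */
    public static AuthenticatedSubject getCurrentUser(HttpServer httpServer, HttpServletRequest httpServletRequest) {
        AuthenticatedSubject authenticatedSubject = null;
        SessionInternal sessionInternal = (SessionInternal) httpServletRequest.getSession(false);
        try {
            if (sessionInternal != null) {
                String internalId = sessionInternal.getInternalId();
                // Server-side map is authoritative; fall back to the session attribute
                // and backfill whichever side was missing.
                authenticatedSubject = httpServer.getAuthUser(internalId);
                if (authenticatedSubject != null) {
                    sessionInternal.setInternalAttribute(SESSION_AUTH_USER, authenticatedSubject);
                } else {
                    authenticatedSubject = (AuthenticatedSubject) sessionInternal.getInternalAttribute(SESSION_AUTH_USER);
                    if (authenticatedSubject != null) {
                        httpServer.setAuthUser(internalId, authenticatedSubject);
                    }
                }
                // Same two-way sync for the auth-cookie token.
                String str = (String) sessionInternal.getInternalAttribute(WLS_AUTHCOOKIE);
                if (str == null) {
                    String authCookieId = httpServer.getAuthCookieId(internalId);
                    if (authCookieId != null) {
                        sessionInternal.setInternalAttribute(WLS_AUTHCOOKIE, authCookieId);
                    }
                } else {
                    httpServer.addAuthCookieId(internalId, str);
                }
            } else {
                // NOTE(review): no live session, yet a client-presented session id is
                // used as the key into the server-side subject map. This is only as
                // safe as the unregister() done on logout (logoutAuthUser) and on
                // session expiry -- confirm the map is cleared when sessions die.
                String requestedSessionId = httpServletRequest.getRequestedSessionId();
                if (requestedSessionId != null) {
                    authenticatedSubject = httpServer.getAuthUser(requestedSessionId);
                }
            }
        } catch (IllegalStateException e) {
            // FXMLLoader.NULL_KEYWORD is the string "null"; the decompiler resolved a
            // plain literal to an unrelated JavaFX constant (hence the odd import).
            HTTPSessionLogger.logSessionExpired(sessionInternal == null ? FXMLLoader.NULL_KEYWORD : sessionInternal.getInternalId(), e);
        }
        return authenticatedSubject;
    }

    /**
     * Authenticates {@code str} / {@code obj} (username / credential; the
     * credential is cast to a String password when it is cached) against the
     * web app's realm and binds the resulting subject to the HTTP session.
     *
     * <p>Flow:
     * <ul>
     * <li>A subject already bound to the session is returned as-is when
     *     {@code str} is null or names that same user.
     * <li>A bound subject for a DIFFERENT user is dropped (logoutAuthUser)
     *     before the new login is attempted.
     * <li>With no username there is nothing to authenticate: returns null.
     * <li>Otherwise the old binding is overwritten with null via storeAuthUser
     *     (which may also mint the auth cookie at this point -- see there), and
     *     the realm's PrincipalAuthenticator is invoked through a
     *     ServletCallbackHandler.
     * </ul>
     * On success the cleartext PasswordCredential (username + password) is
     * attached to the subject's private credentials under kernel privilege, and
     * -- unless the subject is anonymous or the kernel identity -- the subject
     * is cached in both the session and the HttpServer's per-session-id map.
     * With HTTP debugging on, only the username is logged.
     *
     * @param z when true, a LoginException is surfaced to the error-page
     *          machinery by populating the javax.servlet.error.* request
     *          attributes with status 403; when false the failure is silent
     *          apart from the null return
     * @return the authenticated subject, or null on failure / nothing to do
     */
    public static AuthenticatedSubject checkAuthenticate(String str, Object obj, ServletRequestImpl servletRequestImpl, boolean z) {
        AuthenticatedSubject authenticatedSubject;
        SessionInternal sessionInternal = (SessionInternal) servletRequestImpl.getSession(false);
        WebAppServletContext context = servletRequestImpl.getContext();
        HttpServer server = context.getServer();
        String securityRealmName = context.getSecurityRealmName();
        String logContext = context.getLogContext();
        try {
            AuthenticatedSubject currentUser = getCurrentUser(server, servletRequestImpl);
            // The instanceof is trivially true for a non-null value of this static type.
            if (currentUser != null && (currentUser instanceof AuthenticatedSubject)) {
                if (str == null || str.equals(SubjectUtils.getUsername(currentUser))) {
                    return currentUser;
                }
                logoutAuthUser(server, sessionInternal);
                currentUser = null;
            }
            // currentUser is always null here, so this branch is dead (decompiler
            // artifact); the else-branch is the real path.
            if (currentUser != null) {
                authenticatedSubject = null;
                logoutAuthUser(server, sessionInternal);
            } else {
                if (str == null) {
                    return null;
                }
                // Clears any cached subject (null) before the new attempt.
                storeAuthUser(servletRequestImpl, sessionInternal, server, currentUser);
                authenticatedSubject = ((PrincipalAuthenticator) SecurityServiceManager.getSecurityService(getKernelID(), securityRealmName, SecurityService.ServiceType.AUTHENTICATION)).authenticate(new ServletCallbackHandler(str, obj, servletRequestImpl));
                if (authenticatedSubject != null) {
                    // Stores the cleartext password on the subject (kernel-privileged
                    // access to the private credential set).
                    AccessController.doPrivileged(new PrivilegedAction(authenticatedSubject, new PasswordCredential(str, (String) obj)) { // from class: weblogic.servlet.security.internal.SecurityModule.1
                        private final AuthenticatedSubject val$localSubject;
                        private final PasswordCredential val$passwordCred;

                        {
                            this.val$localSubject = authenticatedSubject;
                            this.val$passwordCred = r5;
                        }

                        @Override // java.security.PrivilegedAction
                        public Object run() {
                            this.val$localSubject.getPrivateCredentials(SecurityModule.kernelId).add(this.val$passwordCred);
                            return null;
                        }
                    });
                }
                // Anonymous and kernel subjects are never bound to a session.
                if (sessionInternal != null && authenticatedSubject != null && !SubjectUtils.isUserAnonymous(authenticatedSubject) && !SecurityServiceManager.isKernelIdentity(authenticatedSubject)) {
                    if (server != null) {
                        server.setAuthUser(sessionInternal.getInternalId(), authenticatedSubject);
                    }
                    sessionInternal.setInternalAttribute(SESSION_AUTH_USER, authenticatedSubject);
                }
                if (context.getDebugHttp()) {
                    HTTPLogger.logAuthenticatedUser(logContext, SubjectUtils.getUsername(authenticatedSubject));
                }
            }
        } catch (ClassCastException e) {
            HTTPLogger.logClassCastException(logContext, e);
            authenticatedSubject = null;
        } catch (LoginException e2) {
            if (z) {
                servletRequestImpl.setAttribute("javax.servlet.error.exception_type", e2.getClass());
                servletRequestImpl.setAttribute("javax.servlet.error.exception", e2);
                servletRequestImpl.setAttribute("javax.servlet.error.message", e2.getMessage());
                if (sessionInternal != null) {
                    servletRequestImpl.setAttribute("javax.servlet.error.request_uri", sessionInternal.getInternalAttribute("weblogic.formauth.targeturl"));
                }
                servletRequestImpl.setAttribute(PageContext.EXCEPTION, e2);
                servletRequestImpl.setAttribute("javax.servlet.error.status_code", new Integer(403));
            }
            authenticatedSubject = null;
        }
        return authenticatedSubject;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Sets the WWW-Authenticate value to {@code Basic realm="<str>"}. The realm
     * name is inserted without escaping; as far as this class shows it comes
     * from configuration, not from the request.
     */
    public void setAuthRealmBanner(String str) {
        this.authRealmBanner = new StringBuffer().append("Basic realm=\"").append(str).append("\"").toString();
    }

    void setVerbose(boolean z) {
        this.verbose = z;
    }

    /** Changes the token length for auth cookies minted from now on. */
    public static void setAuthCookieIDLength(int i) {
        AUTH_COOKIE_ID_LENGTH = i;
    }

    /**
     * Drops the subject binding for {@code sessionInternal}: unregisters the
     * session's internal id from the HttpServer and removes both the subject
     * and the auth-cookie token from the session. The session itself is NOT
     * invalidated here.
     */
    public static final void logoutAuthUser(HttpServer httpServer, SessionInternal sessionInternal) {
        if (sessionInternal == null) {
            return;
        }
        if (httpServer != null) {
            httpServer.unregister(sessionInternal.getInternalId());
        }
        sessionInternal.removeInternalAttribute(SESSION_AUTH_USER);
        sessionInternal.removeInternalAttribute(WLS_AUTHCOOKIE);
    }

    /**
     * Binds {@code authenticatedSubject} to the session (session attribute plus
     * the HttpServer's per-session-id map) and, when auth cookies are enabled
     * and the request arrived over TLS, makes sure the session has an
     * auth-cookie token: an existing server-side or session-side token is
     * reused, otherwise a fresh one is drawn from the RJVM SecureRandom, stored
     * on both sides and set as the {@code _wl_authcookie_} cookie on the
     * original response.
     *
     * <p>Cookie attributes as set here: Secure (never sent over plain HTTP),
     * max-age -1 (browser-session lifetime), path "/" (sent to every web app on
     * this host). No HttpOnly flag is set; the Cookie API this build targets may
     * not offer one -- confirm.
     *
     * <p>A null subject is accepted and stored as such; checkAuthenticate relies
     * on this to clear the previous binding before a new login attempt, which
     * also means the cookie can be minted before the login outcome is known.
     */
    public static final void storeAuthUser(HttpServletRequest httpServletRequest, SessionInternal sessionInternal, HttpServer httpServer, AuthenticatedSubject authenticatedSubject) {
        if (sessionInternal == null) {
            return;
        }
        String internalId = sessionInternal.getInternalId();
        sessionInternal.setInternalAttribute(SESSION_AUTH_USER, authenticatedSubject);
        if (httpServer == null) {
            return;
        }
        httpServer.setAuthUser(internalId, authenticatedSubject);
        if (httpServer.isAuthCookieEnabled() && httpServletRequest.isSecure()) {
            String authCookieId = httpServer.getAuthCookieId(internalId);
            if (authCookieId != null) {
                sessionInternal.setInternalAttribute(WLS_AUTHCOOKIE, authCookieId);
                return;
            }
            String str = (String) sessionInternal.getInternalAttribute(WLS_AUTHCOOKIE);
            if (str != null) {
                httpServer.addAuthCookieId(internalId, str);
                return;
            }
            ServletResponseImpl response = WebAppServletContext.getOriginalRequest(httpServletRequest).getResponse();
            if (response != null) {
                // Token = first AUTH_COOKIE_ID_LENGTH chars of the Base64 encoding of
                // AUTH_COOKIE_ID_LENGTH random bytes, with the Base64 symbols that are
                // awkward in cookie values ('/', '+', '=') mapped to '[', ']', '_'.
                // NOTE(review): the substring assumes the encoder emits at least
                // AUTH_COOKIE_ID_LENGTH characters before any line break it may insert;
                // keep the configured length small enough for that to hold.
                String replace = new String(new BASE64Encoder().encodeBuffer(LocalRJVM.getLocalRJVM().getSecureRandom().randomBytes(new byte[AUTH_COOKIE_ID_LENGTH]))).substring(0, AUTH_COOKIE_ID_LENGTH).replace('/', '[').replace('+', ']').replace('=', '_');
                sessionInternal.setInternalAttribute(WLS_AUTHCOOKIE, replace);
                Cookie cookie = new Cookie(WLS_AUTHCOOKIE, replace);
                cookie.setSecure(true);
                cookie.setMaxAge(-1);
                cookie.setPath("/");
                response.addCookie(cookie);
                httpServer.addAuthCookieId(internalId, replace);
            }
        }
    }

    /**
     * Verifies that a request served under a security constraint presents the
     * auth-cookie token bound to its session.
     *
     * <p>Passes trivially (returns true) when auth cookies are disabled, the web
     * app has session cookies disabled, the request is not over TLS, the request
     * matches no security constraint, or no token is on record for the session.
     * Only when a token IS known must the request carry it -- either as a
     * {@code _wl_authcookie_} request cookie or as a cookie already added to the
     * current response (i.e. the token was minted during this very request).
     *
     * <p>Fix relative to the decompiled listing: the original cookie loop only
     * advanced its index when the cookie name did not match, so a request
     * carrying a {@code _wl_authcookie_} cookie with the WRONG value spun the
     * worker thread forever. The loop now visits every cookie once; any cookie
     * of that name whose value matches the recorded token is accepted.
     *
     * <p>NOTE(review): the token comparison uses String.equals, which is not
     * constant-time; a timing-safe compare would be preferable for a secret.
     *
     * @param sessionInternal the session to check, or null to look it up from the request
     */
    public boolean checkAuthCookie(HttpServer httpServer, HttpServletRequest httpServletRequest, SessionInternal sessionInternal) {
        Cookie cookie;
        if (!httpServer.isAuthCookieEnabled()) {
            return true;
        }
        ServletRequestImpl originalRequest = WebAppServletContext.getOriginalRequest(httpServletRequest);
        if ((originalRequest != null && !originalRequest.getContext().isSessionCookiesEnabled()) || !httpServletRequest.isSecure() || this.webAppSecurity.getConstraint(httpServletRequest) == null) {
            return true;
        }
        String str = null;
        if (sessionInternal == null) {
            sessionInternal = (SessionInternal) httpServletRequest.getSession(false);
        }
        if (sessionInternal != null) {
            str = (String) sessionInternal.getInternalAttribute(WLS_AUTHCOOKIE);
            if (str == null) {
                str = httpServer.getAuthCookieId(sessionInternal.getInternalId());
                if (str != null) {
                    sessionInternal.setInternalAttribute(WLS_AUTHCOOKIE, str);
                }
            }
        }
        // No token on record for this session: nothing to enforce (fail-open by design).
        if (str == null) {
            return true;
        }
        Cookie[] cookies = httpServletRequest.getCookies();
        if (cookies != null) {
            for (int i = 0; i < cookies.length; i++) {
                if (cookies[i].getName().equals(WLS_AUTHCOOKIE) && cookies[i].getValue().equals(str)) {
                    return true;
                }
            }
        }
        // Token minted earlier in this same request is not yet in the request
        // cookies; accept it from the outgoing response instead.
        return (originalRequest == null || (cookie = originalRequest.getResponse().getCookie(WLS_AUTHCOOKIE)) == null || !cookie.getValue().equals(str)) ? false : true;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Sends a 401 with the WWW-Authenticate challenge prepared by
     * setAuthRealmBanner(). An IOException while writing is logged, not rethrown.
     */
    public void sendError(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        try {
            ((ServletResponseImpl) httpServletResponse).setHeader("WWW-Authenticate", this.authRealmBanner);
            ((ServletResponseImpl) httpServletResponse).sendError(401, ErrorMessages.getErrorPage(401));
        } catch (IOException e) {
            HTTPLogger.logServlet("Error sending 401", e.getMessage());
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Fetches the request's session, creating it when {@code z} is true. If the
     * calling thread currently runs as the kernel identity, the lookup is
     * performed as the anonymous subject instead (SecurityServiceManager.runAs)
     * -- presumably so the session is never created or touched with kernel
     * privilege. A Throwable captured by the action is logged under the web
     * app's log context and rethrown as IllegalStateException.
     */
    public SessionInternal getUserSession(HttpServletRequest httpServletRequest, boolean z) {
        if (!SecurityServiceManager.isKernelIdentity(SecurityServiceManager.getCurrentSubject(getKernelID()))) {
            return (SessionInternal) httpServletRequest.getSession(z);
        }
        SessionRetrievalAction sessionRetrievalAction = new SessionRetrievalAction(this, httpServletRequest, z);
        Throwable th = (Throwable) SecurityServiceManager.runAs(getKernelID(), SubjectUtils.getAnonymousSubject(), sessionRetrievalAction);
        if (th == null) {
            return sessionRetrievalAction.getUserSession();
        }
        HTTPSessionLogger.logUnexpectedError(this.servletContext.getLogContext(), th);
        throw new IllegalStateException("Failed to retrieve session");
    }
}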
