package com.sun.enterprise.security.web.integration;

import com.sun.enterprise.config.serverbeans.ApplicationRef;
import com.sun.enterprise.config.serverbeans.Server;
import com.sun.enterprise.deployment.WebBundleDescriptor;
import com.sun.enterprise.deployment.runtime.common.SecurityRoleMapping;
import com.sun.enterprise.deployment.runtime.common.wls.SecurityRoleAssignment;
import com.sun.enterprise.deployment.runtime.web.SunWebApp;
import com.sun.enterprise.deployment.web.LoginConfiguration;
import com.sun.enterprise.security.SecurityContext;
import com.sun.enterprise.security.SecurityRoleMapperFactoryGen;
import com.sun.enterprise.security.SecurityServicesUtil;
import com.sun.enterprise.security.WebSecurityDeployerProbeProvider;
import com.sun.enterprise.security.audit.AuditManager;
import com.sun.enterprise.security.common.AppservAccessController;
import com.sun.enterprise.security.ee.CachedPermission;
import com.sun.enterprise.security.ee.CachedPermissionImpl;
import com.sun.enterprise.security.ee.PermissionCache;
import com.sun.enterprise.security.ee.PermissionCacheFactory;
import com.sun.enterprise.security.ee.SecurityUtil;
import com.sun.enterprise.security.ee.audit.AppServerAuditManager;
import java.lang.annotation.Annotation;
import java.net.MalformedURLException;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URL;
import java.security.AccessControlException;
import java.security.CodeSource;
import java.security.Permission;
import java.security.Policy;
import java.security.Principal;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.security.ProtectionDomain;
import java.security.cert.Certificate;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.WeakHashMap;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.security.jacc.PolicyConfiguration;
import javax.security.jacc.PolicyConfigurationFactory;
import javax.security.jacc.PolicyContext;
import javax.security.jacc.PolicyContextException;
import javax.security.jacc.WebResourcePermission;
import javax.security.jacc.WebRoleRefPermission;
import javax.security.jacc.WebUserDataPermission;
import javax.servlet.http.HttpServletRequest;
import org.glassfish.deployment.versioning.VersioningUtils;
import org.glassfish.internal.api.ServerContext;
import org.glassfish.security.common.Group;
import org.glassfish.security.common.PrincipalImpl;

/* loaded from: input_file:com/sun/enterprise/security/web/integration/WebSecurityManager.class */
public class WebSecurityManager {
    public static final String CONSTRAINT_URI = "org.apache.catalina.CONSTRAINT_URI";
    private static final String RESOURCE = "hasResourcePermission";
    private static final String USERDATA = "hasUserDataPermission";
    private static final String ROLEREF = "hasRoleRefPermission";
    private static final String DEFAULT_PATTERN = "/";
    private static final String EMPTY_STRING = "";
    private String CONTEXT_ID;
    private String CODEBASE;
    protected Policy policy;
    protected PolicyConfiguration pc;
    protected PolicyConfigurationFactory pcf;
    protected CodeSource codesource;
    private Map protectionDomainCache;
    private CachedPermission allResourcesCP;
    private CachedPermission allConnectionsCP;
    private PermissionCache uncheckedPermissionCache;
    private WebSecurityManagerFactory wsmf;
    private ServerContext serverContext;
    private WebBundleDescriptor wbd;
    private WebSecurityDeployerProbeProvider probeProvider;
    private boolean register;
    private static final Logger logger = LogUtils.getLogger();
    private static final WebResourcePermission allResources = new WebResourcePermission("/*", (String) null);
    private static final WebUserDataPermission allConnections = new WebUserDataPermission("/*", null);
    private static Permission[] protoPerms = {allResources, allConnections};
    private static Set defaultPrincipalSet = SecurityContext.getDefaultSecurityContext().getPrincipalSet();

    /* JADX INFO: Access modifiers changed from: package-private */
    public WebSecurityManager(WebBundleDescriptor webBundleDescriptor, ServerContext serverContext, WebSecurityManagerFactory webSecurityManagerFactory, boolean z) throws PolicyContextException {
        this.CONTEXT_ID = null;
        this.CODEBASE = null;
        this.policy = Policy.getPolicy();
        this.pc = null;
        this.pcf = null;
        this.codesource = null;
        this.protectionDomainCache = Collections.synchronizedMap(new WeakHashMap());
        this.allResourcesCP = null;
        this.allConnectionsCP = null;
        this.uncheckedPermissionCache = null;
        this.wsmf = null;
        this.serverContext = null;
        this.wbd = null;
        this.probeProvider = new WebSecurityDeployerProbeProvider();
        this.register = true;
        this.register = z;
        this.wbd = webBundleDescriptor;
        this.CONTEXT_ID = getContextID(webBundleDescriptor);
        this.serverContext = serverContext;
        this.wsmf = webSecurityManagerFactory;
        String appId = getAppId();
        postConstruct();
        initialise(appId);
    }

    private WebSecurityManager(WebBundleDescriptor webBundleDescriptor, WebSecurityManagerFactory webSecurityManagerFactory) throws PolicyContextException {
        this(webBundleDescriptor, null, webSecurityManagerFactory);
    }

    WebSecurityManager(WebBundleDescriptor webBundleDescriptor, ServerContext serverContext, WebSecurityManagerFactory webSecurityManagerFactory) throws PolicyContextException {
        this.CONTEXT_ID = null;
        this.CODEBASE = null;
        this.policy = Policy.getPolicy();
        this.pc = null;
        this.pcf = null;
        this.codesource = null;
        this.protectionDomainCache = Collections.synchronizedMap(new WeakHashMap());
        this.allResourcesCP = null;
        this.allConnectionsCP = null;
        this.uncheckedPermissionCache = null;
        this.wsmf = null;
        this.serverContext = null;
        this.wbd = null;
        this.probeProvider = new WebSecurityDeployerProbeProvider();
        this.register = true;
        this.wbd = webBundleDescriptor;
        this.CONTEXT_ID = getContextID(webBundleDescriptor);
        this.serverContext = serverContext;
        this.wsmf = webSecurityManagerFactory;
        String appId = getAppId();
        postConstruct();
        initialise(appId);
    }

    private void postConstruct() {
        SecurityRoleMapperFactoryGen.getSecurityRoleMapperFactory().setAppNameForContext(getAppId(), this.CONTEXT_ID);
    }

    private String removeSpaces(String str) {
        return str.replace(' ', '_');
    }

    public static String getContextID(WebBundleDescriptor webBundleDescriptor) {
        return SecurityUtil.getContextID(webBundleDescriptor);
    }

    private void initialise(String str) throws PolicyContextException {
        LoginConfiguration loginConfiguration;
        getPolicyFactory();
        this.CODEBASE = removeSpaces(this.CONTEXT_ID);
        if ("__asadmin".equals(getVirtualServers(str)) && (loginConfiguration = this.wbd.getLoginConfiguration()) != null) {
            String realmName = loginConfiguration.getRealmName();
            SunWebApp sunDescriptor = this.wbd.getSunDescriptor();
            if (sunDescriptor != null) {
                SecurityRoleMapping[] securityRoleMapping = sunDescriptor.getSecurityRoleMapping();
                if (securityRoleMapping != null) {
                    for (SecurityRoleMapping securityRoleMapping2 : securityRoleMapping) {
                        String[] principalName = securityRoleMapping2.getPrincipalName();
                        if (principalName != null) {
                            for (String str2 : principalName) {
                                this.wsmf.ADMIN_PRINCIPAL.put(realmName + str2, new PrincipalImpl(str2));
                            }
                        }
                        for (String str3 : securityRoleMapping2.getGroupNames()) {
                            this.wsmf.ADMIN_GROUP.put(realmName + str3, new Group(str3));
                        }
                    }
                }
                SecurityRoleAssignment[] securityRoleAssignments = sunDescriptor.getSecurityRoleAssignments();
                if (securityRoleAssignments != null) {
                    for (SecurityRoleAssignment securityRoleAssignment : securityRoleAssignments) {
                        List<String> principalNames = securityRoleAssignment.getPrincipalNames();
                        if (securityRoleAssignment.isExternallyDefined()) {
                            this.wsmf.ADMIN_GROUP.put(realmName + securityRoleAssignment.getRoleName(), new Group(securityRoleAssignment.getRoleName()));
                        } else {
                            for (String str4 : principalNames) {
                                this.wsmf.ADMIN_PRINCIPAL.put(realmName + str4, new PrincipalImpl(str4));
                            }
                        }
                    }
                }
            }
        }
        try {
            try {
                if (logger.isLoggable(Level.FINE)) {
                    logger.log(Level.FINE, "[Web-Security] Creating a Codebase URI with = {0}", this.CODEBASE);
                }
                URI uri = new URI("file:///" + this.CODEBASE);
                if (uri != null) {
                    this.codesource = new CodeSource(new URL(uri.toString()), (Certificate[]) null);
                }
                if (logger.isLoggable(Level.FINE)) {
                    logger.log(Level.FINE, "[Web-Security] Context id (id under which  WEB component in application will be created) = {0}", this.CONTEXT_ID);
                    logger.log(Level.FINE, "[Web-Security] Codebase (module id for web component) {0}", this.CODEBASE);
                }
                loadPolicyConfiguration();
                if (this.uncheckedPermissionCache != null) {
                    this.uncheckedPermissionCache.reset();
                } else if (this.register) {
                    this.uncheckedPermissionCache = PermissionCacheFactory.createPermissionCache(this.CONTEXT_ID, this.codesource, protoPerms, (String) null);
                    this.allResourcesCP = new CachedPermissionImpl(this.uncheckedPermissionCache, allResources);
                    this.allConnectionsCP = new CachedPermissionImpl(this.uncheckedPermissionCache, allConnections);
                }
            } catch (URISyntaxException e) {
                logger.log(Level.FINE, "[Web-Security] Error Creating URI ", (Throwable) e);
                throw new RuntimeException(e);
            }
        } catch (MalformedURLException e2) {
            logger.log(Level.SEVERE, LogUtils.EJBSM_CODSOURCEERROR, (Throwable) e2);
            throw new RuntimeException(e2);
        }
    }

    public void loadPolicyConfiguration() throws PolicyContextException {
        if (getPolicyFactory().inService(this.CONTEXT_ID)) {
            return;
        }
        this.pc = getPolicyFactory().getPolicyConfiguration(this.CONTEXT_ID, false);
        try {
            WebPermissionUtil.processConstraints(this.wbd, this.pc);
            WebPermissionUtil.createWebRoleRefPermission(this.wbd, this.pc);
        } catch (PolicyContextException e) {
            logger.log(Level.FINE, "[Web-Security] FATAL Permission Generation: " + e.getMessage());
            throw e;
        }
    }

    private String getAppId() {
        return this.wbd.getApplication().getRegistrationName();
    }

    public boolean permitAll(HttpServletRequest httpServletRequest) {
        boolean z = false;
        WebResourcePermission createWebResourcePermission = createWebResourcePermission(httpServletRequest);
        if (this.uncheckedPermissionCache != null) {
            z = this.uncheckedPermissionCache.checkPermission(createWebResourcePermission);
        }
        if (!z) {
            z = checkPermissionWithoutCache(createWebResourcePermission, null);
        }
        return z;
    }

    protected boolean checkPermission(Permission permission, Set set) {
        boolean z = false;
        if (this.uncheckedPermissionCache != null) {
            z = this.uncheckedPermissionCache.checkPermission(permission);
        }
        if (z) {
            try {
                setPolicyContext(this.CONTEXT_ID);
            } catch (Throwable th) {
                if (logger.isLoggable(Level.FINE)) {
                    logger.log(Level.FINE, "[Web-Security] Web Permission Access Denied.", th);
                }
                z = false;
            }
        } else {
            z = checkPermissionWithoutCache(permission, set);
        }
        return z;
    }

    private boolean checkPermissionWithoutCache(Permission permission, Set set) {
        try {
            setPolicyContext(this.CONTEXT_ID);
            ProtectionDomain protectionDomain = (ProtectionDomain) this.protectionDomainCache.get(set);
            if (protectionDomain == null) {
                Principal[] principalArr = set == null ? null : (Principal[]) set.toArray(new Principal[0]);
                if (logger.isLoggable(Level.FINE)) {
                    logger.log(Level.FINE, "[Web-Security] Generating a protection domain for Permission check.");
                    if (principalArr != null) {
                        for (Principal principal : principalArr) {
                            logger.log(Level.FINE, "[Web-Security] Checking with Principal : {0}", principal.toString());
                        }
                    } else {
                        logger.log(Level.FINE, "[Web-Security] Checking with Principals: null");
                    }
                }
                protectionDomain = new ProtectionDomain(this.codesource, null, null, principalArr);
                this.protectionDomainCache.put(set, protectionDomain);
            }
            if (logger.isLoggable(Level.FINE)) {
                logger.log(Level.FINE, "[Web-Security] Codesource with Web URL: {0}", this.codesource.getLocation().toString());
                logger.log(Level.FINE, "[Web-Security] Checking Web Permission with Principals : {0}", principalSetToString(set));
                logger.log(Level.FINE, "[Web-Security] Web Permission = {0}", permission.toString());
            }
            return this.policy.implies(protectionDomain, permission);
        } catch (Throwable th) {
            if (!logger.isLoggable(Level.FINE)) {
                return false;
            }
            logger.log(Level.FINE, "[Web-Security] Web Permission Access Denied.", th);
            return false;
        }
    }

    private PolicyConfigurationFactory getPolicyFactory() throws PolicyContextException {
        return this.pcf != null ? this.pcf : _getPolicyFactory();
    }

    private synchronized PolicyConfigurationFactory _getPolicyFactory() throws PolicyContextException {
        if (this.pcf == null) {
            try {
                this.pcf = PolicyConfigurationFactory.getPolicyConfigurationFactory();
            } catch (ClassNotFoundException e) {
                logger.log(Level.SEVERE, LogUtils.JACCFACTORY_NOTFOUND);
                throw new PolicyContextException(e);
            } catch (PolicyContextException e2) {
                logger.log(Level.SEVERE, LogUtils.JACCFACTORY_NOTFOUND);
                throw e2;
            }
        }
        return this.pcf;
    }

    private WebResourcePermission createWebResourcePermission(HttpServletRequest httpServletRequest) {
        String str = (String) httpServletRequest.getAttribute(CONSTRAINT_URI);
        if (str == null) {
            str = httpServletRequest.getRequestURI();
            if (str != null) {
                String contextPath = httpServletRequest.getContextPath();
                int length = contextPath == null ? 0 : contextPath.length();
                if (length > 0) {
                    str = str.substring(length);
                }
            }
        }
        if (str != null) {
            return new WebResourcePermission(str.equals("/") ? "" : str.replaceAll(VersioningUtils.EXPRESSION_SEPARATOR, "%3A"), httpServletRequest.getMethod());
        }
        if (logger.isLoggable(Level.FINE)) {
            logger.log(Level.FINE, "[Web-Security] mappedUri is null");
        }
        throw new RuntimeException("Fatal Error in creating WebResourcePermission");
    }

    public boolean hasResourcePermission(HttpServletRequest httpServletRequest) {
        SecurityContext securityContext = getSecurityContext(httpServletRequest.getUserPrincipal());
        WebResourcePermission createWebResourcePermission = createWebResourcePermission(httpServletRequest);
        setSecurityInfo(httpServletRequest);
        boolean checkPermission = checkPermission(createWebResourcePermission, securityContext.getPrincipalSet());
        SecurityContext.setCurrent(securityContext);
        if (logger.isLoggable(Level.FINE)) {
            logger.log(Level.FINE, "[Web-Security] hasResource isGranted: {0}", Boolean.valueOf(checkPermission));
            logger.log(Level.FINE, "[Web-Security] hasResource perm: {0}", createWebResourcePermission);
        }
        recordWebInvocation(httpServletRequest, RESOURCE, checkPermission);
        return checkPermission;
    }

    public boolean hasRoleRefPermission(String str, String str2, Principal principal) {
        Set principalSet = getSecurityContext(principal).getPrincipalSet();
        WebRoleRefPermission webRoleRefPermission = new WebRoleRefPermission(str, str2);
        boolean checkPermission = checkPermission(webRoleRefPermission, principalSet);
        if (logger.isLoggable(Level.FINE)) {
            logger.log(Level.FINE, "[Web-Security] hasRoleRef perm: {0}", webRoleRefPermission);
            logger.log(Level.FINE, "[Web-Security] hasRoleRef isGranted: {0}", Boolean.valueOf(checkPermission));
        }
        return checkPermission;
    }

    public int hasUserDataPermission(HttpServletRequest httpServletRequest, String str, String str2) {
        WebUserDataPermission webUserDataPermission;
        setSecurityInfo(httpServletRequest);
        boolean isSecure = httpServletRequest.isSecure();
        if (str == null) {
            webUserDataPermission = new WebUserDataPermission(httpServletRequest);
        } else {
            webUserDataPermission = new WebUserDataPermission(str, str2 == null ? null : new String[]{str2}, isSecure ? "CONFIDENTIAL" : null);
        }
        boolean checkPermission = checkPermission(webUserDataPermission, defaultPrincipalSet);
        int i = 0;
        if (checkPermission) {
            i = 1;
        }
        if (logger.isLoggable(Level.FINE)) {
            logger.log(Level.FINE, "[Web-Security] hasUserDataPermission perm: {0}", webUserDataPermission);
            logger.log(Level.FINE, "[Web-Security] hasUserDataPermission isGranted: {0}", Boolean.valueOf(checkPermission));
        }
        recordWebInvocation(httpServletRequest, USERDATA, checkPermission);
        if (!checkPermission && !isSecure) {
            if (str == null) {
                str2 = httpServletRequest.getMethod();
            }
            if (checkPermission(new WebUserDataPermission(webUserDataPermission.getName(), str2 == null ? null : new String[]{str2}, "CONFIDENTIAL"), defaultPrincipalSet)) {
                i = -1;
            }
        }
        return i;
    }

    public void destroy() throws PolicyContextException {
        if (getPolicyFactory().inService(this.CONTEXT_ID)) {
            this.policy.refresh();
        }
        PermissionCacheFactory.removePermissionCache(this.uncheckedPermissionCache);
        this.uncheckedPermissionCache = null;
        SecurityRoleMapperFactoryGen.getSecurityRoleMapperFactory().removeAppNameForContext(this.CONTEXT_ID);
        this.wsmf.getManager(this.CONTEXT_ID, null, true);
    }

    public void release() throws PolicyContextException {
        boolean inService = getPolicyFactory().inService(this.CONTEXT_ID);
        WebPermissionUtil.removePolicyStatements(getPolicyFactory().getPolicyConfiguration(this.CONTEXT_ID, false), this.wbd);
        if (inService) {
            Policy.getPolicy().refresh();
        }
        PermissionCacheFactory.removePermissionCache(this.uncheckedPermissionCache);
        this.uncheckedPermissionCache = null;
        this.wsmf.getManager(this.CONTEXT_ID, null, true);
    }

    private void recordWebInvocation(HttpServletRequest httpServletRequest, String str, boolean z) {
        AuditManager auditManager = SecurityServicesUtil.getInstance().getAuditManager();
        if (auditManager != null && auditManager.isAuditOn() && (auditManager instanceof AppServerAuditManager)) {
            AppServerAuditManager appServerAuditManager = (AppServerAuditManager) auditManager;
            Principal userPrincipal = httpServletRequest.getUserPrincipal();
            appServerAuditManager.webInvocation(userPrincipal != null ? userPrincipal.getName() : null, httpServletRequest, str, z);
        }
    }

    private static String setPolicyContext(final String str) throws Throwable {
        String contextID = PolicyContext.getContextID();
        if (contextID != str && (contextID == null || str == null || !contextID.equals(str))) {
            if (logger.isLoggable(Level.FINE)) {
                logger.log(Level.FINE, "[Web-Security] Setting Policy Context ID: old = {0} ctxID = {1}", new Object[]{contextID, str});
            }
            try {
                AppservAccessController.doPrivileged(new PrivilegedExceptionAction() { // from class: com.sun.enterprise.security.web.integration.WebSecurityManager.1
                    @Override // java.security.PrivilegedExceptionAction
                    public Object run() throws Exception {
                        PolicyContext.setContextID(str);
                        return null;
                    }
                });
            } catch (PrivilegedActionException e) {
                Throwable cause = e.getCause();
                if (cause instanceof AccessControlException) {
                    logger.log(Level.SEVERE, LogUtils.SECURITY_PERMISSION_REQUIRED, cause);
                } else {
                    logger.log(Level.SEVERE, LogUtils.POLICY_CONTEXT_EXCEPTION, cause);
                }
                throw cause;
            }
        } else if (logger.isLoggable(Level.FINE)) {
            logger.log(Level.FINE, "[Web-Security] Policy Context ID was: {0}", contextID);
        }
        return contextID;
    }

    private SecurityContext getSecurityContext(Principal principal) {
        SecurityContext securityContext = null;
        if (principal != null) {
            securityContext = principal instanceof WebPrincipal ? ((WebPrincipal) principal).getSecurityContext() : new SecurityContext(principal.getName(), null);
        }
        if (securityContext == null) {
            securityContext = SecurityContext.getDefaultSecurityContext();
        }
        return securityContext;
    }

    private void setSecurityInfo(HttpServletRequest httpServletRequest) {
        if (httpServletRequest != null) {
            this.wsmf.pcHandlerImpl.getHandlerData().setHttpServletRequest(httpServletRequest);
        }
    }

    private String principalSetToString(Set set) {
        StringBuilder sb = null;
        if (set != null) {
            Principal[] principalArr = (Principal[]) set.toArray(new Principal[0]);
            for (int i = 0; i < principalArr.length; i++) {
                if (i == 0) {
                    sb = new StringBuilder(principalArr[i].toString());
                } else {
                    sb.append(", ").append(principalArr[i].toString());
                }
            }
        }
        if (sb != null) {
            return sb.toString();
        }
        return null;
    }

    private String getVirtualServers(String str) {
        for (ApplicationRef applicationRef : ((Server) this.serverContext.getDefaultServices().getService(Server.class, new Annotation[0])).getApplicationRef()) {
            if (applicationRef.getRef().equals(str)) {
                return applicationRef.getVirtualServers();
            }
        }
        return null;
    }

    public boolean hasNoConstrainedResources() {
        boolean z = false;
        if (this.allResourcesCP != null && this.allConnectionsCP != null) {
            z = this.allResourcesCP.checkPermission() && this.allConnectionsCP.checkPermission();
            if (z) {
                try {
                    setPolicyContext(this.CONTEXT_ID);
                } catch (Throwable th) {
                    throw new RuntimeException(th);
                }
            }
        }
        return z;
    }
}
