package com.sun.web.security.realmadapter;

import com.sun.enterprise.deployment.WebBundleDescriptor;
import com.sun.enterprise.deployment.runtime.connector.MapElement;
import com.sun.enterprise.security.SecurityContext;
import com.sun.enterprise.security.jaspic.config.HttpServletConstants;
import com.sun.enterprise.security.jaspic.config.PayaraJaspicServletServices;
import com.sun.enterprise.security.web.integration.WebPrincipal;
import com.sun.jaspic.config.servlet.HttpMessageInfo;
import com.sun.logging.LogDomains;
import com.sun.web.security.HttpRequestWrapper;
import com.sun.web.security.HttpResponseWrapper;
import com.sun.web.security.RealmAdapter;
import fish.payara.notification.requesttracing.RequestTraceSpan;
import fish.payara.nucleus.requesttracing.RequestTracingService;
import jakarta.security.auth.message.AuthException;
import jakarta.security.auth.message.AuthStatus;
import jakarta.security.auth.message.MessageInfo;
import jakarta.security.auth.message.config.ServerAuthConfig;
import jakarta.security.auth.message.config.ServerAuthContext;
import jakarta.servlet.ServletContext;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.security.Principal;
import java.util.AbstractMap;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.atomic.AtomicBoolean;
import java.util.function.Function;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.security.auth.Subject;
import org.apache.catalina.Authenticator;
import org.apache.catalina.Container;
import org.apache.catalina.ContainerEvent;
import org.apache.catalina.Context;
import org.apache.catalina.Globals;
import org.apache.catalina.HttpRequest;
import org.apache.catalina.HttpResponse;
import org.apache.catalina.LifecycleException;
import org.apache.catalina.connector.RequestFacade;
import org.apache.catalina.deploy.LoginConfig;

/* loaded from: input_file:com/sun/web/security/realmadapter/JaspicRealm.class */
public class JaspicRealm {
    private static final String SYSTEM_HTTPSERVLET_SECURITY_PROVIDER = "system_httpservlet_security_provider";
    private static final String SERVER_AUTH_CONTEXT = "__jakarta.security.auth.message.ServerAuthContext";
    private static final String MESSAGE_INFO = "__jakarta.security.auth.message.MessageInfo";
    private String realmName;
    private boolean isSystemApp;
    private WebBundleDescriptor webDescriptor;
    private RequestTracingService requestTracing;
    private Container virtualServer;
    private PayaraJaspicServletServices jaspicServices;
    private AtomicBoolean initialised = new AtomicBoolean();
    private static final Logger logger = LogDomains.getLogger(RealmAdapter.class, LogDomains.WEB_LOGGER);
    private static String jaspicSystemConfigProviderID = getDefaultSystemProviderID();

    public JaspicRealm(String str, boolean z, WebBundleDescriptor webBundleDescriptor, RequestTracingService requestTracingService) {
        this.realmName = str;
        this.isSystemApp = z;
        this.webDescriptor = webBundleDescriptor;
        this.requestTracing = requestTracingService;
    }

    public void setVirtualServer(Container container) {
        this.virtualServer = container;
    }

    public synchronized void initJaspicServices(ServletContext servletContext) {
        if (this.jaspicServices != null) {
            return;
        }
        this.jaspicServices = getConfigHelper(servletContext);
        this.initialised.set(true);
    }

    public boolean isInitialised() {
        return this.initialised.get();
    }

    public boolean isJaspicEnabled(ServletContext servletContext) {
        if (this.jaspicServices == null) {
            initJaspicServices(servletContext);
        }
        return isJaspicEnabled();
    }

    public boolean isJaspicEnabled() {
        return getServerAuthConfig() != null;
    }

    public boolean validateRequest(HttpRequest httpRequest, HttpResponse httpResponse, Context context, Authenticator authenticator, boolean z, Function<HttpServletRequest, Boolean> function) throws IOException {
        try {
            context.fireContainerEvent(ContainerEvent.BEFORE_AUTHENTICATION, null);
            RequestFacade requestFacade = (RequestFacade) httpRequest.getRequest();
            setAdditionalPrincipalInContext(requestFacade);
            boolean validateRequest = validateRequest(getServerAuthConfig(), context, requestFacade, httpRequest, httpResponse, context.getLoginConfig(), authenticator, z, function);
            resetAdditionalPrincipalInContext();
            context.fireContainerEvent(ContainerEvent.AFTER_AUTHENTICATION, null);
            return validateRequest;
        } catch (Throwable th) {
            resetAdditionalPrincipalInContext();
            context.fireContainerEvent(ContainerEvent.AFTER_AUTHENTICATION, null);
            throw th;
        }
    }

    public boolean secureResponse(HttpRequest httpRequest, HttpResponse httpResponse, Context context) throws IOException {
        try {
            try {
                Map.Entry<MessageInfo, ServerAuthContext> messageInfoFromRequest = getMessageInfoFromRequest((HttpServletRequest) httpRequest.getRequest());
                if (messageInfoFromRequest == null) {
                    if (messageInfoFromRequest == null) {
                        return false;
                    }
                    if (httpRequest instanceof HttpRequestWrapper) {
                        httpRequest.removeNote(Globals.WRAPPED_REQUEST);
                    }
                    if (!(httpResponse instanceof HttpResponseWrapper)) {
                        return false;
                    }
                    httpRequest.removeNote(Globals.WRAPPED_RESPONSE);
                    return false;
                }
                try {
                    context.fireContainerEvent("beforePostAuthentication", null);
                    boolean equals = AuthStatus.SUCCESS.equals(messageInfoFromRequest.getValue().secureResponse(messageInfoFromRequest.getKey(), null));
                    context.fireContainerEvent("afterPostAuthentication", null);
                    if (messageInfoFromRequest != null) {
                        if (httpRequest instanceof HttpRequestWrapper) {
                            httpRequest.removeNote(Globals.WRAPPED_REQUEST);
                        }
                        if (httpResponse instanceof HttpResponseWrapper) {
                            httpRequest.removeNote(Globals.WRAPPED_RESPONSE);
                        }
                    }
                    return equals;
                } catch (Throwable th) {
                    context.fireContainerEvent("afterPostAuthentication", null);
                    throw th;
                }
            } catch (AuthException e) {
                throw new IOException(e);
            }
        } catch (Throwable th2) {
            if (0 != 0) {
                if (httpRequest instanceof HttpRequestWrapper) {
                    httpRequest.removeNote(Globals.WRAPPED_REQUEST);
                }
                if (httpResponse instanceof HttpResponseWrapper) {
                    httpRequest.removeNote(Globals.WRAPPED_RESPONSE);
                }
            }
            throw th2;
        }
    }

    public void cleanSubject(HttpRequest httpRequest) throws AuthException {
        MessageInfo messageInfo = (MessageInfo) httpRequest.getRequest().getAttribute(MESSAGE_INFO);
        if (messageInfo == null) {
            messageInfo = new HttpMessageInfo((HttpServletRequest) httpRequest.getRequest(), (HttpServletResponse) httpRequest.getResponse().getResponse());
        }
        messageInfo.getMap().put(HttpServletConstants.IS_MANDATORY, Boolean.TRUE.toString());
        ServerAuthContext serverAuthContext = this.jaspicServices.getServerAuthContext(messageInfo, null);
        if (serverAuthContext != null) {
            SecurityContext current = SecurityContext.getCurrent();
            Subject subject = current.didServerGenerateCredentials() ? new Subject() : current.getSubject();
            if (subject == null) {
                subject = new Subject();
            }
            if (subject.isReadOnly()) {
                logger.log(Level.WARNING, "Read-only subject found during logout processing");
            }
            try {
                httpRequest.getContext().fireContainerEvent("beforePostAuthentication", null);
                serverAuthContext.cleanSubject(messageInfo, subject);
                httpRequest.getContext().fireContainerEvent("afterPostAuthentication", null);
            } catch (Throwable th) {
                httpRequest.getContext().fireContainerEvent("afterPostAuthentication", null);
                throw th;
            }
        }
    }

    public void destroy() {
        if (this.jaspicServices != null) {
            this.jaspicServices.disable();
        }
    }

    private ServerAuthConfig getServerAuthConfig() {
        if (this.jaspicServices == null) {
            return null;
        }
        try {
            return this.jaspicServices.getServerAuthConfig();
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }

    private ServerAuthContext getServerAuthContext(MessageInfo messageInfo) throws AuthException {
        ServerAuthContext serverAuthContext = this.jaspicServices.getServerAuthContext(messageInfo, null);
        if (serverAuthContext == null) {
            throw new AuthException("null ServerAuthContext");
        }
        return serverAuthContext;
    }

    private PayaraJaspicServletServices getConfigHelper(ServletContext servletContext) {
        HashMap hashMap = new HashMap();
        hashMap.put(HttpServletConstants.WEB_BUNDLE, this.webDescriptor);
        return new PayaraJaspicServletServices(getAppContextID(servletContext), hashMap, null, this.realmName, this.isSystemApp, jaspicSystemConfigProviderID);
    }

    private String getAppContextID(ServletContext servletContext) {
        if (!servletContext.getVirtualServerName().equals(this.virtualServer.getName())) {
            logger.log(Level.INFO, "Virtual server name from ServletContext: {0} differs from name from virtual.getName(): {1}", new Object[]{servletContext.getVirtualServerName(), this.virtualServer.getName()});
        }
        if (!servletContext.getContextPath().equals(this.webDescriptor.getContextRoot())) {
            logger.log(Level.INFO, "Context path from ServletContext: {0} differs from path from bundle: {1}", new Object[]{servletContext.getContextPath(), this.webDescriptor.getContextRoot()});
        }
        return servletContext.getVirtualServerName() + " " + servletContext.getContextPath();
    }

    private static String getDefaultSystemProviderID() {
        String property = System.getProperty(SYSTEM_HTTPSERVLET_SECURITY_PROVIDER);
        if (property != null) {
            property = property.trim();
            if (property.length() == 0) {
                property = null;
            }
        }
        return property;
    }

    private void setAdditionalPrincipalInContext(RequestFacade requestFacade) {
        Principal principal;
        if (requestFacade == null || (principal = requestFacade.getPrincipal()) == null) {
            return;
        }
        SecurityContext.getCurrent().setAdditionalPrincipal(principal);
    }

    private void resetAdditionalPrincipalInContext() {
        SecurityContext.getCurrent().setAdditionalPrincipal(null);
    }

    private boolean validateRequest(ServerAuthConfig serverAuthConfig, Context context, RequestFacade requestFacade, HttpRequest httpRequest, HttpResponse httpResponse, LoginConfig loginConfig, Authenticator authenticator, boolean z, Function<HttpServletRequest, Boolean> function) throws IOException {
        return isRequestTracingEnabled() ? doTraced(serverAuthConfig, context, requestFacade, () -> {
            return Boolean.valueOf(validateRequest(httpRequest, httpResponse, loginConfig, authenticator, z, (Function<HttpServletRequest, Boolean>) function));
        }) : validateRequest(httpRequest, httpResponse, loginConfig, authenticator, z, function);
    }

    private boolean validateRequest(HttpRequest httpRequest, HttpResponse httpResponse, LoginConfig loginConfig, Authenticator authenticator, boolean z, Function<HttpServletRequest, Boolean> function) throws IOException {
        HttpServletRequest httpServletRequest = (HttpServletRequest) httpRequest.getRequest();
        HttpServletResponse httpServletResponse = (HttpServletResponse) httpResponse.getResponse();
        Subject subject = new Subject();
        HttpMessageInfo httpMessageInfo = new HttpMessageInfo(httpServletRequest, httpServletResponse);
        boolean z2 = false;
        boolean z3 = true;
        ServerAuthContext serverAuthContext = null;
        try {
            z3 = function.apply(httpServletRequest).booleanValue();
            if (z3 || z) {
                setMandatory(httpMessageInfo);
            }
            serverAuthContext = getServerAuthContext(httpMessageInfo);
            z2 = AuthStatus.SUCCESS.equals(serverAuthContext.validateRequest(httpMessageInfo, subject, null));
            if (!z2) {
                return false;
            }
        } catch (AuthException | RuntimeException e) {
            logger.log(Level.WARNING, "JASPIC: http msg authentication fail", e);
            httpServletResponse.setStatus(500);
        }
        storeMessageInfoInRequest(httpServletRequest, httpMessageInfo, serverAuthContext);
        if (hasNewPrincipal(subject.getPrincipals())) {
            handleSamAuthenticated(subject, httpMessageInfo, httpRequest, httpResponse, loginConfig, authenticator);
        } else {
            z2 = handleSamNotAuthenticated(httpMessageInfo, z3, z2, httpRequest, httpResponse);
        }
        if (z2) {
            checkRequestResponseWrappingNeeded(httpMessageInfo, httpRequest, httpResponse, httpServletRequest, httpServletResponse);
        }
        return z2;
    }

    private void handleSamAuthenticated(Subject subject, MessageInfo messageInfo, HttpRequest httpRequest, HttpResponse httpResponse, LoginConfig loginConfig, Authenticator authenticator) throws IOException {
        SecurityContext securityContext = new SecurityContext(subject);
        WebPrincipal webPrincipal = new WebPrincipal(securityContext.getCallerPrincipal(), securityContext);
        SecurityContext.setCurrent(securityContext);
        try {
            String authType = getAuthType(messageInfo, loginConfig);
            if (shouldRegisterSession(messageInfo)) {
                new AuthenticatorProxy(authenticator, webPrincipal, authType).authenticate(httpRequest, httpResponse, loginConfig);
            } else {
                httpRequest.setAuthType(authType == null ? AuthenticatorProxy.PROXY_AUTH_TYPE : authType);
                httpRequest.setUserPrincipal(webPrincipal.getCustomPrincipal() == null ? webPrincipal : webPrincipal.getCustomPrincipal());
            }
        } catch (LifecycleException e) {
            logger.log(Level.SEVERE, "[Web-Security] unable to register session", (Throwable) e);
        }
    }

    private boolean handleSamNotAuthenticated(MessageInfo messageInfo, boolean z, boolean z2, HttpRequest httpRequest, HttpResponse httpResponse) {
        if (hasRequestPrincipal(messageInfo)) {
            httpRequest.setUserPrincipal(null);
            httpRequest.setAuthType(null);
        }
        if (z) {
            return false;
        }
        return z2;
    }

    private boolean doTraced(ServerAuthConfig serverAuthConfig, Context context, RequestFacade requestFacade, RealmAdapter.IOSupplier<Boolean> iOSupplier) throws IOException {
        RequestTraceSpan requestTraceSpan = null;
        try {
            requestTraceSpan = new RequestTraceSpan("authenticateJaspic");
            requestTraceSpan.addSpanTag("AppContext", serverAuthConfig.getAppContext());
            requestTraceSpan.addSpanTag("Context", context.getPath());
            boolean booleanValue = iOSupplier.get().booleanValue();
            requestTraceSpan.addSpanTag("AuthResult", Boolean.toString(booleanValue));
            Principal principal = requestFacade.getPrincipal();
            requestTraceSpan.addSpanTag(MapElement.PRINCIPAL, principal != null ? principal.getName() : "null");
            if (requestTraceSpan != null) {
                this.requestTracing.traceSpan(requestTraceSpan);
            }
            return booleanValue;
        } catch (Throwable th) {
            if (requestTraceSpan != null) {
                this.requestTracing.traceSpan(requestTraceSpan);
            }
            throw th;
        }
    }

    private void checkRequestResponseWrappingNeeded(MessageInfo messageInfo, HttpRequest httpRequest, HttpResponse httpResponse, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        HttpServletRequest httpServletRequest2 = (HttpServletRequest) messageInfo.getRequestMessage();
        if (httpServletRequest2 != httpServletRequest) {
            httpRequest.setNote(Globals.WRAPPED_REQUEST, new HttpRequestWrapper(httpRequest, httpServletRequest2));
        }
        HttpServletResponse httpServletResponse2 = (HttpServletResponse) messageInfo.getResponseMessage();
        if (httpServletResponse2 != httpServletResponse) {
            httpRequest.setNote(Globals.WRAPPED_RESPONSE, new HttpResponseWrapper(httpResponse, httpServletResponse2));
        }
    }

    private boolean isRequestTracingEnabled() {
        return this.requestTracing != null && this.requestTracing.isRequestTracingEnabled();
    }

    private boolean hasRequestPrincipal(MessageInfo messageInfo) {
        return ((HttpServletRequest) messageInfo.getRequestMessage()).getUserPrincipal() != null;
    }

    private boolean hasNewPrincipal(Set<Principal> set) {
        return (set == null || set.isEmpty() || principalSetContainsOnlyAnonymousPrincipal(set)) ? false : true;
    }

    private boolean principalSetContainsOnlyAnonymousPrincipal(Set<Principal> set) {
        boolean z = false;
        Principal defaultCallerPrincipal = SecurityContext.getDefaultCallerPrincipal();
        if (defaultCallerPrincipal != null && set != null) {
            z = set.contains(defaultCallerPrincipal);
        }
        if (z) {
            Iterator<Principal> it = set.iterator();
            while (it.hasNext()) {
                if (!it.next().equals(defaultCallerPrincipal)) {
                    return false;
                }
            }
        }
        return z;
    }

    private void setMandatory(MessageInfo messageInfo) {
        messageInfo.getMap().put(HttpServletConstants.IS_MANDATORY, Boolean.TRUE.toString());
    }

    private String getAuthType(MessageInfo messageInfo, LoginConfig loginConfig) {
        String authType = getAuthType(messageInfo);
        if (authType == null && loginConfig != null && loginConfig.getAuthMethod() != null) {
            authType = loginConfig.getAuthMethod();
        }
        return authType;
    }

    private String getAuthType(MessageInfo messageInfo) {
        return (String) messageInfo.getMap().get("jakarta.servlet.http.authType");
    }

    private boolean shouldRegisterSession(MessageInfo messageInfo) {
        Map<String, Object> map = messageInfo.getMap();
        return map.containsKey(HttpServletConstants.REGISTER_WITH_AUTHENTICATOR) || mapEntryToBoolean(HttpServletConstants.REGISTER_SESSION, map);
    }

    private void storeMessageInfoInRequest(HttpServletRequest httpServletRequest, MessageInfo messageInfo, ServerAuthContext serverAuthContext) {
        messageInfo.getMap().put(SERVER_AUTH_CONTEXT, serverAuthContext);
        httpServletRequest.setAttribute(MESSAGE_INFO, messageInfo);
    }

    private Map.Entry<MessageInfo, ServerAuthContext> getMessageInfoFromRequest(HttpServletRequest httpServletRequest) {
        MessageInfo messageInfo;
        if (this.jaspicServices == null || (messageInfo = (MessageInfo) httpServletRequest.getAttribute(MESSAGE_INFO)) == null) {
            return null;
        }
        return new AbstractMap.SimpleImmutableEntry(messageInfo, (ServerAuthContext) messageInfo.getMap().get(SERVER_AUTH_CONTEXT));
    }

    private boolean mapEntryToBoolean(String str, Map map) {
        Object obj;
        if (map.containsKey(str) && (obj = map.get(str)) != null && (obj instanceof String)) {
            return Boolean.valueOf((String) obj).booleanValue();
        }
        return false;
    }
}
