package weblogic.servlet.security.internal;

import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.Map;
import javax.security.auth.login.LoginException;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import weblogic.diagnostics.debug.DebugLogger;
import weblogic.servlet.HTTPLogger;
import weblogic.servlet.internal.ServletRequestImpl;
import weblogic.servlet.internal.VirtualConnection;
import weblogic.servlet.spi.ApplicationSecurity;
import weblogic.servlet.spi.SubjectHandle;
import weblogic.utils.StringUtils;
import weblogic.utils.encoders.BASE64Decoder;
import weblogic.utils.http.HttpConstants;

/* loaded from: input_file:weblogic/servlet/security/internal/CertSecurityModule.class */
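/**
 * Security module that authenticates a web-app request by identity assertion:
 * a client certificate negotiated on the connection, a perimeter (proxy-forwarded)
 * client certificate, or a configured token carried in a request header or cookie.
 *
 * Review notes on this revision:
 * - {@link #findToken} no longer returns a {@code Token} whose value is {@code null}
 *   when a header/cookie token fails base64 decoding; the source is skipped and the
 *   next candidate is tried, as the cookie path already did.
 * - The privileged lookup of the {@code ApplicationSecurity} provider now reads the
 *   captured {@code servletSecurityContext} parameter (it was referencing a
 *   non-existent enclosing instance).
 * - Cookie values are encoded with the same request input encoding as header values
 *   instead of the platform default charset.
 */
public final class CertSecurityModule extends SecurityModule {
    private static final String X509_TYPE = "X.509";
    /** Token types that are never accepted from the perimeter client-cert channel. */
    private static final String CERT_RESERVED_IP = "IP";
    private static final String CERT_RESERVED_KEYSIZE = "Keysize";
    private static final String CERT_RESERVED_SECRETKEYSIZE = "SecretKeysize";
    /**
     * Length of the cookie-name prefix that marks a proxy-forwarded client cert.
     * NOTE(review): assumes HttpConstants.WL_PROXY_CLIENT_ is exactly 16 characters -- confirm.
     */
    private static final int WL_PROXY_CLIENT_PREFIX_LEN = 16;
    /**
     * System property switch: when true, a resource without a constraint is open only if the
     * web app does not require full security delegation, and a constrained resource needs a
     * non-null subject before the permission check is even consulted.
     */
    private static final boolean protectResourceIfUnspecifiedConstraint = Boolean.getBoolean("weblogic.http.security.cert.protectResourceIfUnspecifiedConstraint");
    protected static final DebugLogger DEBUG_IA = DebugLogger.getDebugLogger("DebugWebAppIdentityAssertion");
    /** When true, identity assertion runs on every request even if the session already holds a non-anonymous subject. */
    private final boolean alwaysAssert;

    /**
     * An identity-assertion token: the configured token type plus its raw material.
     * {@code value} is an {@code X509Certificate[]} for the {@code X.509} type and a
     * {@code byte[]} for every other type produced by {@link #findToken}.
     */
    public static class Token {
        public final String type;
        public final Object value;

        Token(String type, Object value) {
            this.type = type;
            this.value = value;
        }
    }

    /**
     * @param servletSecurityContext security context of the web app
     * @param webAppSecurity         permission / identity-assertion facade
     * @param z                      passed through to {@link SecurityModule}
     * @param z2                     whether to assert identity on every request ({@link #alwaysAssert})
     */
    public CertSecurityModule(ServletSecurityContext servletSecurityContext, WebAppSecurity webAppSecurity, boolean z, boolean z2) {
        super(servletSecurityContext, webAppSecurity, z);
        this.alwaysAssert = z2;
    }

    /**
     * Authorizes the request, asserting an identity from the request first when needed.
     *
     * Order of operations: (1) identity assertion when {@link #alwaysAssert} is set, there is no
     * subject, the subject is anonymous, or re-authentication is required; (2) permission check
     * against the resource constraint; (3) the WLS auth-cookie check; (4) session login of a newly
     * asserted subject.
     *
     * @param z when true and the web app has auth filters, a permission failure is handed to the
     *          auth-filter chain instead of answering 401 directly
     * @return true when the request may proceed; false after a 401/403 (or the filter chain) has
     *         already been written
     */
    @Override // weblogic.servlet.security.internal.SecurityModule
    protected boolean checkUserPerm(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, SessionSecurityData sessionSecurityData, ResourceConstraint resourceConstraint, SubjectHandle subjectHandle, boolean z) throws IOException, ServletException {
        ServletRequestImpl originalRequest = ServletRequestImpl.getOriginalRequest(httpServletRequest);
        boolean reAuthRequired = isReAuthenticateRequired(getSecurityContext(), sessionSecurityData);
        boolean subjectReplaced = false;
        if (this.alwaysAssert || subjectHandle == null || subjectHandle.isAnonymous() || reAuthRequired) {
            SubjectHandle asserted = assertIdentity(httpServletRequest, httpServletResponse, originalRequest.getConnection(), reAuthRequired);
            // Re-authentication was demanded for an existing subject and nothing could be asserted: hard deny.
            if (reAuthRequired && asserted == null && subjectHandle != null) {
                sendForbiddenResponse(httpServletRequest, httpServletResponse);
                return false;
            }
            if (asserted != null && subjectHandle != asserted) {
                subjectHandle = asserted;
                subjectReplaced = true;
            }
        }
        boolean permitted;
        if (protectResourceIfUnspecifiedConstraint) {
            permitted = (resourceConstraint == null && !this.webAppSecurity.isFullSecurityDelegationRequired())
                    || (subjectHandle != null && this.webAppSecurity.hasPermission(httpServletRequest, httpServletResponse, subjectHandle, resourceConstraint));
        } else {
            permitted = this.webAppSecurity.hasPermission(httpServletRequest, httpServletResponse, subjectHandle, resourceConstraint);
        }
        if (!permitted) {
            if (DEBUG_IA.isDebugEnabled()) {
                DEBUG_IA.debug("Permission check failed for " + httpServletRequest.toString());
            }
            // 403 when the constraint forbids everyone, or when an authenticated user is not allowed to re-login.
            if (isForbidden(resourceConstraint) || (subjectHandle != null && !isReloginEnabled())) {
                sendForbiddenResponse(httpServletRequest, httpServletResponse);
                return false;
            }
            if (z && this.webAppSecurity.hasAuthFilters()) {
                this.webAppSecurity.invokeAuthFilterChain(httpServletRequest, httpServletResponse);
                return false;
            }
            sendUnauthorizedResponse(httpServletRequest, httpServletResponse);
            return false;
        }
        if (wlsAuthCookieMissing(httpServletRequest, sessionSecurityData)) {
            if (DEBUG_SEC.isDebugEnabled()) {
                DEBUG_SEC.debug("AuthCookie not found - permission denied for " + httpServletRequest);
            }
            sendUnauthorizedResponse(httpServletRequest, httpServletResponse);
            setAuthCookieForReAuth(getSecurityContext(), sessionSecurityData, this);
            return false;
        }
        if (!subjectReplaced) {
            return true;
        }
        // A freshly asserted subject is bound to the session only if no user got there first.
        if (sessionSecurityData != null) {
            synchronized (sessionSecurityData) {
                if (getCurrentUser(getSecurityContext(), httpServletRequest, sessionSecurityData) == null) {
                    login(httpServletRequest, subjectHandle, sessionSecurityData);
                }
            }
        } else {
            login(httpServletRequest, subjectHandle, sessionSecurityData);
        }
        if (DEBUG_SEC.isDebugEnabled()) {
            DEBUG_SEC.debug(getSecurityContext().getLogContext() + ": user: " + getUsername(subjectHandle) + " has permissions to access " + httpServletRequest);
        }
        return true;
    }

    /**
     * Locates an assertion token on the request and hands it to the application security provider.
     *
     * @param z re-authentication flag; when set and this module is not the last in the chain,
     *          assertion is deferred to the later module and null is returned
     * @return the asserted subject, or null when no token was found or assertion/login failed
     *         (failures are logged, never propagated)
     */
    protected SubjectHandle assertIdentity(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, VirtualConnection virtualConnection, boolean z) {
        if (z && this.webAppSecurity.isNotLastChainedSecurityModule(this)) {
            return null;
        }
        try {
            if (DEBUG_IA.isDebugEnabled()) {
                DEBUG_IA.debug("Trying to find identity assertion tokens for " + httpServletRequest);
            }
            Token token = findToken(httpServletRequest, virtualConnection, getSecurityContext());
            if (token == null) {
                if (DEBUG_IA.isDebugEnabled()) {
                    DEBUG_IA.debug("Didn't find any token!");
                }
                return null;
            }
            if (DEBUG_IA.isDebugEnabled()) {
                DEBUG_IA.debug("assertIdentity with tokem.type: " + token.type + " token.value: " + token.value);
            }
            return this.webAppSecurity.getAppSecurityProvider().assertIdentity(token.type, token.value, httpServletRequest, httpServletResponse);
        } catch (SecurityException e) {
            if (DEBUG_IA.isDebugEnabled()) {
                DEBUG_IA.debug("Indentity assertion failed", e);
            }
            HTTPLogger.logCertAuthenticationError(httpServletRequest.getRequestURI(), e);
            return null;
        } catch (LoginException e2) {
            if (DEBUG_SEC.isDebugEnabled()) {
                DEBUG_SEC.debug("Login failed for request: " + httpServletRequest.toString(), e2);
            }
            return null;
        }
    }

    /**
     * Finds the first identity-assertion token on the request, in this fixed order:
     * (1) the X.509 chain attribute of the connection, (2) perimeter client certs on the
     * connection (newest first), (3) headers listed in the provider's precedence table,
     * (4) any other header whose name is an active token type, (5) cookies.
     * Only token types present in the provider's assertions-encoding map are considered.
     *
     * @return the token, or null when none of the sources yields a usable one
     */
    public static Token findToken(HttpServletRequest httpServletRequest, VirtualConnection virtualConnection, final ServletSecurityContext servletSecurityContext) {
        ApplicationSecurity applicationSecurity = AccessController.doPrivileged(new PrivilegedAction<ApplicationSecurity>() {
            @Override
            public ApplicationSecurity run() {
                // Reads the captured (final) parameter; this method is static, so there is no enclosing instance.
                return servletSecurityContext.getAppSecurityProvider();
            }
        });
        Map encodingMap = applicationSecurity.getAssertionsEncodingMap();
        if (encodingMap == null || encodingMap.isEmpty()) {
            if (DEBUG_IA.isDebugEnabled()) {
                DEBUG_IA.debug("AssertionsEncodingMap for active token types was null!!");
            }
            return null;
        }
        Map[] precedence = applicationSecurity.getAssertionsEncodingPrecedence();
        if (DEBUG_IA.isDebugEnabled()) {
            DEBUG_IA.debug("AssertionsEncodingMap size: " + encodingMap.size());
            DEBUG_IA.debug("AssertionsEncodingPrecedence size: " + (precedence != null ? Integer.valueOf(precedence.length) : "None"));
        }
        Token token = findClientCertToken(httpServletRequest, encodingMap);
        if (token != null) {
            return token;
        }
        token = findPerimeterToken(virtualConnection, encodingMap);
        if (token != null) {
            return token;
        }
        if (precedence != null && precedence.length > 0) {
            if (DEBUG_IA.isDebugEnabled()) {
                DEBUG_IA.debug("Trying to find identity assertion tokens based on precedence ordering");
            }
            token = findPrecedenceHeaderToken(httpServletRequest, servletSecurityContext, applicationSecurity, encodingMap, precedence);
            if (token != null) {
                return token;
            }
            if (DEBUG_IA.isDebugEnabled()) {
                DEBUG_IA.debug("Didn't find identity assertion tokens based on precedence ordering!");
            }
        }
        token = findHeaderToken(httpServletRequest, servletSecurityContext, applicationSecurity, encodingMap);
        if (token != null) {
            return token;
        }
        return findCookieToken(httpServletRequest, servletSecurityContext, applicationSecurity, encodingMap);
    }

    /** Source 1: the X.509 chain stored on the request by the connection, if X.509 is an active type. */
    private static Token findClientCertToken(HttpServletRequest request, Map encodingMap) {
        X509Certificate[] chain = (X509Certificate[]) request.getAttribute(VirtualConnection.X509_CERTIFICATE);
        if (chain != null && chain.length > 0 && encodingMap.containsKey(X509_TYPE)) {
            return new Token(X509_TYPE, chain);
        }
        return null;
    }

    /**
     * Source 2: perimeter-auth client certs forwarded on the connection, scanned from last to first.
     * The reserved IP/Keysize/SecretKeysize types are never accepted here; values are always base64.
     */
    private static Token findPerimeterToken(VirtualConnection connection, Map encodingMap) {
        ArrayList certTypes = connection.getPerimeterAuthClientCertType();
        int count = certTypes.size();
        if (count <= 0) {
            return null;
        }
        ArrayList certs = connection.getPerimeterAuthClientCert();
        for (int i = count - 1; i >= 0; i--) {
            String tokenType = (String) certTypes.get(i);
            if (!encodingMap.containsKey(tokenType) || isForbiddenTokenType(tokenType)) {
                continue;
            }
            byte[] decoded = decodeCert(tokenType, (byte[]) certs.get(i));
            if (decoded != null) {
                return new Token(tokenType, decoded);
            }
        }
        return null;
    }

    /**
     * Source 3: headers named in the provider's precedence table, in table order. An entry may pin
     * an authentication scheme, in which case the header's first space-separated word must match it
     * (case-insensitively). The Cookie header is never treated as a token header.
     */
    private static Token findPrecedenceHeaderToken(HttpServletRequest request, ServletSecurityContext ctx, ApplicationSecurity security, Map encodingMap, Map[] precedence) {
        for (Map entry : precedence) {
            String headerName = (String) entry.get("header");
            if (HttpConstants.COOKIE_HEADER.equalsIgnoreCase(headerName)) {
                continue;
            }
            Object encodingSpec = encodingMap.get(headerName);
            if (encodingSpec == null) {
                continue;
            }
            String headerValue = request.getHeader(headerName);
            if (headerValue == null) {
                continue;
            }
            String scheme = (String) entry.get("scheme");
            if (scheme != null && !StringUtils.split(headerValue, ' ')[0].equalsIgnoreCase(scheme)) {
                continue;
            }
            byte[] tokenBytes = decodeIfRequired(security, encodingSpec, headerName, toBytes(headerValue, request, ctx));
            if (tokenBytes != null) {
                return new Token(headerName, tokenBytes);
            }
        }
        return null;
    }

    /**
     * Source 4: any request header whose name is an active token type, in header order.
     * On a {@code ServletRequestImpl} the raw header bytes are used; otherwise the header string
     * is encoded with the request's input encoding.
     */
    private static Token findHeaderToken(HttpServletRequest request, ServletSecurityContext ctx, ApplicationSecurity security, Map encodingMap) {
        ServletRequestImpl impl = request instanceof ServletRequestImpl ? (ServletRequestImpl) request : null;
        Enumeration<String> headerNames = request.getHeaderNames();
        while (headerNames.hasMoreElements()) {
            String headerName = headerNames.nextElement();
            if (HttpConstants.COOKIE_HEADER.equalsIgnoreCase(headerName)) {
                continue;
            }
            Object encodingSpec = encodingMap.get(headerName);
            if (encodingSpec == null) {
                continue;
            }
            byte[] raw;
            if (impl != null) {
                raw = impl.getRequestHeaders().getHeaderAsBytes(headerName);
            } else {
                String headerValue = request.getHeader(headerName);
                raw = headerValue == null ? null : toBytes(headerValue, request, ctx);
            }
            byte[] tokenBytes = decodeIfRequired(security, encodingSpec, headerName, raw);
            if (tokenBytes != null) {
                return new Token(headerName, tokenBytes);
            }
        }
        return null;
    }

    /**
     * Source 5: cookies. A cookie whose name starts with the WL proxy-client prefix carries the
     * token type after the prefix and is always base64; any other cookie is matched by name and
     * decoded per the provider's encoding spec.
     */
    private static Token findCookieToken(HttpServletRequest request, ServletSecurityContext ctx, ApplicationSecurity security, Map encodingMap) {
        Cookie[] cookies = request.getCookies();
        if (cookies == null) {
            return null;
        }
        for (Cookie cookie : cookies) {
            String name = cookie.getName();
            String value = cookie.getValue();
            if (value == null || value.length() < 1) {
                continue;
            }
            byte[] raw = toBytes(value, request, ctx);
            if (raw == null) {
                continue;
            }
            if (name.length() > WL_PROXY_CLIENT_PREFIX_LEN
                    && HttpConstants.WL_PROXY_CLIENT_.regionMatches(true, 0, name, 0, WL_PROXY_CLIENT_PREFIX_LEN)) {
                String tokenType = name.substring(WL_PROXY_CLIENT_PREFIX_LEN);
                if (encodingMap.containsKey(tokenType)) {
                    byte[] decoded = decodeCert(tokenType, raw);
                    if (decoded != null) {
                        return new Token(tokenType, decoded);
                    }
                }
                continue;
            }
            Object encodingSpec = encodingMap.get(name);
            if (encodingSpec == null) {
                continue;
            }
            byte[] tokenBytes = decodeIfRequired(security, encodingSpec, name, raw);
            if (tokenBytes != null) {
                return new Token(name, tokenBytes);
            }
        }
        return null;
    }

    /**
     * Applies the provider's base64 requirement for a token type.
     *
     * @return the usable token bytes, or null when the input is empty/null or the required
     *         base64 decode fails -- in which case the caller skips this source rather than
     *         handing a null-valued token to the identity asserter
     */
    private static byte[] decodeIfRequired(ApplicationSecurity security, Object encodingSpec, String tokenType, byte[] raw) {
        if (raw == null || raw.length < 1) {
            return null;
        }
        return security.doesTokenRequireBase64Decoding(encodingSpec) ? decodeCert(tokenType, raw) : raw;
    }

    /**
     * Encodes a header or cookie string with the request's input encoding.
     *
     * @return the bytes, or null when that encoding is not supported by the JVM (the token
     *         source is then skipped, as a best-effort lookup)
     */
    private static byte[] toBytes(String text, HttpServletRequest request, ServletSecurityContext ctx) {
        try {
            return text.getBytes(getInputEncoding(request, ctx));
        } catch (UnsupportedEncodingException ignored) {
            return null;
        }
    }

    /** The request's declared character encoding, falling back to the security context's default. */
    private static String getInputEncoding(HttpServletRequest httpServletRequest, ServletSecurityContext servletSecurityContext) {
        String characterEncoding = httpServletRequest.getCharacterEncoding();
        return characterEncoding != null ? characterEncoding : servletSecurityContext.getDefaultEncoding();
    }

    /**
     * Base64-decodes a token value.
     *
     * @param str  token type, used only for the log message
     * @return the decoded bytes, or null when decoding yields nothing or throws (the failure is
     *         logged via HTTPLogger.logIgnoringClientCert and the token is ignored)
     */
    private static byte[] decodeCert(String str, byte[] bArr) {
        try {
            byte[] decoded = new BASE64Decoder().decodeBuffer(new ByteArrayInputStream(bArr));
            return (decoded == null || decoded.length < 1) ? null : decoded;
        } catch (Exception e) {
            HTTPLogger.logIgnoringClientCert(str, e);
            return null;
        }
    }

    /** True for the reserved perimeter types (IP, Keysize, SecretKeysize) that must not be asserted from a forwarded cert. */
    private static boolean isForbiddenTokenType(String str) {
        return str.equalsIgnoreCase(CERT_RESERVED_IP)
                || str.equalsIgnoreCase(CERT_RESERVED_KEYSIZE)
                || str.equalsIgnoreCase(CERT_RESERVED_SECRETKEYSIZE);
    }
}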
