package com.sun.enterprise.security.webservices;

import com.sun.enterprise.deployment.ServiceReferenceDescriptor;
import com.sun.enterprise.deployment.WebServiceEndpoint;
import com.sun.enterprise.deployment.runtime.common.MessageSecurityBindingDescriptor;
import com.sun.enterprise.security.SecurityContext;
import com.sun.enterprise.security.authorize.PolicyContextHandlerImpl;
import com.sun.enterprise.security.ee.audit.AppServerAuditManager;
import com.sun.enterprise.security.jauth.AuthException;
import com.sun.enterprise.security.jauth.ServerAuthContext;
import com.sun.enterprise.security.jmac.provider.ClientAuthConfig;
import com.sun.enterprise.security.jmac.provider.ServerAuthConfig;
import com.sun.enterprise.security.web.integration.WebPrincipal;
import com.sun.enterprise.web.WebModule;
import com.sun.logging.LogDomains;
import com.sun.web.security.RealmAdapter;
import com.sun.xml.rpc.spi.runtime.SOAPMessageContext;
import com.sun.xml.rpc.spi.runtime.StreamingHandler;
import com.sun.xml.rpc.spi.runtime.SystemHandlerDelegate;
import com.sun.xml.ws.assembler.ClientPipelineHook;
import java.lang.ref.WeakReference;
import java.nio.charset.StandardCharsets;
import java.security.Principal;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.inject.Inject;
import javax.inject.Singleton;
import javax.security.jacc.PolicyContext;
import javax.servlet.http.HttpServletRequest;
import javax.xml.namespace.QName;
import javax.xml.rpc.handler.HandlerInfo;
import javax.xml.soap.SOAPMessage;
import org.apache.catalina.util.Base64;
import org.glassfish.webservices.Ejb2RuntimeEndpointInfo;
import org.glassfish.webservices.EjbRuntimeEndpointInfo;
import org.glassfish.webservices.SecurityService;
import org.glassfish.webservices.WebServiceContextImpl;
import org.glassfish.webservices.monitoring.AuthenticationListener;
import org.glassfish.webservices.monitoring.Endpoint;
import org.glassfish.webservices.monitoring.WebServiceEngineImpl;
import org.jvnet.hk2.annotations.Service;

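@Singleton
@Service
/* loaded from: input_file:com/sun/enterprise/security/webservices/SecurityServiceImpl.class */
/**
 * GlassFish {@link SecurityService} implementation for web service endpoints.
 *
 * <p>Two layers are handled here:
 * <ul>
 *   <li>HTTP-layer authentication of EJB web service endpoints ({@link #doSecurity}): BASIC
 *       credentials taken from the {@code authorization} header, or a client certificate chain
 *       taken from the request attributes, authenticated through a {@link RealmAdapter}.</li>
 *   <li>Message-layer security driven by {@link ServerAuthConfig} / {@link ClientAuthConfig}
 *       ({@link #validateRequest}, {@link #secureResponse}, {@link #getSecurityHandler},
 *       {@link #getMessageSecurityHandler}).</li>
 * </ul>
 *
 * <p>Audit events are emitted through the injected {@link AppServerAuditManager} whenever it
 * is present and auditing is switched on; authentication listeners registered with
 * {@link WebServiceEngineImpl} are notified of every HTTP-layer success and failure.
 *
 * <p>Thread-safety: the only mutable state is a per-thread {@link ThreadLocal} holding the
 * request message between {@link #validateRequest} and {@link #secureResponse}.
 */
public class SecurityServiceImpl implements SecurityService {

    @Inject
    private AppServerAuditManager auditManager;

    /** HTTP request header that carries BASIC credentials. */
    private static final String AUTHORIZATION_HEADER = "authorization";

    /** Length of the {@code "Basic "} scheme prefix in the authorization header. */
    private static final String BASIC_SCHEME_PREFIX = "Basic ";

    protected static final Logger _logger = LogDomains.getLogger(SecurityServiceImpl.class, "javax.enterprise.system.core.security");

    /**
     * Request {@link SOAPMessage} remembered by {@link #validateRequest} so that
     * {@link #secureResponse} on the same thread can resolve the same {@link ServerAuthContext}.
     * Held weakly and cleared in {@link #secureResponse} (or on a validation failure) so that
     * a pooled thread does not retain the message after the exchange.
     */
    private static final ThreadLocal<WeakReference<SOAPMessage>> req = new ThreadLocal<>();

    /**
     * Builds the server-side message-security configuration for an EJB endpoint.
     *
     * @param messageSecurityBindingDescriptor binding from the deployment descriptor
     * @return the {@link ServerAuthConfig} for the SOAP layer, or {@code null} if the
     *         configuration could not be built (the failure is logged at SEVERE)
     */
    public Object mergeSOAPMessageSecurityPolicies(MessageSecurityBindingDescriptor messageSecurityBindingDescriptor) {
        try {
            return ServerAuthConfig.getConfig(PipeConstants.SOAP_LAYER, messageSecurityBindingDescriptor, null);
        } catch (Exception e) {
            _logger.log(Level.SEVERE, "EJB Webservice security configuration Failure", e);
            return null;
        }
    }

    /**
     * Performs HTTP-layer authentication for an EJB web service request.
     *
     * <p>GET requests and endpoints with no auth-method configured are accepted without
     * authentication. Otherwise a {@link WebPrincipal} is built either from the client
     * certificate chain (when the endpoint is not configured for BASIC auth and no
     * {@code authorization} header was sent) or from the BASIC credentials in the header, and
     * is authenticated against the realm named by {@code str}.
     *
     * <p>An audit record is written for every outcome, including the exceptional one.
     *
     * @param httpServletRequest      the incoming request
     * @param ejbRuntimeEndpointInfo  runtime info of the target EJB endpoint
     * @param str                     realm name used to build the {@link RealmAdapter}
     * @param webServiceContextImpl   context whose user principal is reset first; may be {@code null}
     * @return {@code true} if the request is authenticated (or needs no authentication),
     *         {@code false} otherwise
     * @throws RuntimeException wrapping any exception raised while authenticating
     */
    public boolean doSecurity(HttpServletRequest httpServletRequest, EjbRuntimeEndpointInfo ejbRuntimeEndpointInfo, String str, WebServiceContextImpl webServiceContextImpl) {
        boolean authenticated = false;
        try {
            authenticated = authenticateHttpRequest(httpServletRequest, ejbRuntimeEndpointInfo, str, webServiceContextImpl);
            return authenticated;
        } catch (Exception e) {
            throw new RuntimeException(e);
        } finally {
            // Audit every outcome; an exception leaves 'authenticated' false.
            auditEjbWebServiceInvocation(ejbRuntimeEndpointInfo, authenticated);
        }
    }

    /** Body of {@link #doSecurity} without the audit bookkeeping; see that method for the contract. */
    private boolean authenticateHttpRequest(HttpServletRequest request, EjbRuntimeEndpointInfo endpointInfo, String realmName, WebServiceContextImpl wsContext) {
        String method = request.getMethod();
        if (wsContext != null) {
            wsContext.setUserPrincipal((Principal) null);
        }
        WebServiceEndpoint endpoint = endpointInfo.getEndpoint();
        String authHeader = request.getHeader(AUTHORIZATION_HEADER);
        // GET requests and endpoints without an auth-method are not authenticated at this layer.
        if ("GET".equals(method) || !endpoint.hasAuthMethod()) {
            return true;
        }
        String endpointName = endpoint.getEndpointName();
        WebPrincipal webPrincipal;
        if (!endpoint.hasBasicAuth() && authHeader == null) {
            webPrincipal = principalFromClientCertificate(request, endpointName);
        } else {
            if (authHeader == null) {
                // BASIC auth required but no credentials sent.
                sendAuthenticationEvents(false, request.getRequestURI(), null);
                return false;
            }
            webPrincipal = principalFromBasicAuth(authHeader, endpointName);
        }
        if (webPrincipal == null) {
            sendAuthenticationEvents(false, request.getRequestURI(), null);
            return false;
        }
        boolean authenticated = new RealmAdapter(realmName, endpoint.getBundleDescriptor().getModuleID()).authenticate(webPrincipal);
        sendAuthenticationEvents(authenticated, request.getRequestURI(), webPrincipal);
        if (!authenticated) {
            _logger.fine("authentication failed for " + endpointName);
        }
        if (endpointInfo instanceof Ejb2RuntimeEndpointInfo) {
            return authenticated;
        }
        // NOTE(review): the principal is installed on the context regardless of the
        // authentication result; the caller is expected to reject on a false return — confirm.
        endpointInfo.prepareInvocation(false);
        endpointInfo.getWebServiceContext().setUserPrincipal(webPrincipal);
        return authenticated;
    }

    /**
     * Builds a certificate-based principal from the client certificate chain the container
     * attached to the request.
     *
     * @return the principal, or {@code null} (with a WARNING logged) when no non-empty chain is
     *         present under either attribute name
     */
    private WebPrincipal principalFromClientCertificate(HttpServletRequest request, String endpointName) {
        X509Certificate[] certs = (X509Certificate[]) request.getAttribute("javax.servlet.request.X509Certificate");
        if (certs == null || certs.length < 1) {
            certs = (X509Certificate[]) request.getAttribute("org.apache.coyote.request.X509Certificate");
        }
        // The emptiness check applies to the fallback attribute too: an empty chain cannot
        // identify anyone and must not become a principal.
        if (certs == null || certs.length < 1) {
            _logger.log(Level.WARNING, "CLIENT CERT authentication error for " + endpointName);
            return null;
        }
        return new WebPrincipal(certs, SecurityContext.init());
    }

    /**
     * Builds a username/password principal from a BASIC {@code authorization} header.
     *
     * @return the principal, or {@code null} (with a WARNING logged) when the header cannot be parsed
     */
    private WebPrincipal principalFromBasicAuth(String authHeader, String endpointName) {
        List<Object> credentials = parseUsernameAndPassword(authHeader);
        if (credentials == null) {
            _logger.log(Level.WARNING, "BASIC AUTH username/password http header parsing error for " + endpointName);
            return null;
        }
        return new WebPrincipal((String) credentials.get(0), (char[]) credentials.get(1), SecurityContext.init());
    }

    /** Writes an EJB-as-web-service audit record when an audit manager is present and auditing is on. */
    private void auditEjbWebServiceInvocation(EjbRuntimeEndpointInfo endpointInfo, boolean success) {
        if (this.auditManager != null && this.auditManager.isAuditOn()) {
            this.auditManager.ejbAsWebServiceInvocation(endpointInfo.getEndpoint().getEndpointName(), success);
        }
    }

    /**
     * Parses a BASIC {@code authorization} header value into a username and a password.
     *
     * <p>The scheme match is case-sensitive ({@code "Basic "}), as it always was here. The
     * base64 payload is decoded as UTF-8 explicitly rather than with the platform charset, so
     * non-ASCII credentials are interpreted the same way on every host. Surrounding whitespace
     * is trimmed from both parts (existing behaviour; passwords with leading or trailing
     * whitespace therefore cannot be used).
     *
     * @param str the raw header value; may be {@code null}
     * @return a two-element list {@code [String username, char[] password]}, or {@code null}
     *         when the header is absent, not BASIC, not decodable, or has no {@code ':'}
     *         after a non-empty username
     */
    private List<Object> parseUsernameAndPassword(String str) {
        if (str == null || !str.startsWith(BASIC_SCHEME_PREFIX)) {
            return null;
        }
        byte[] encoded = str.substring(BASIC_SCHEME_PREFIX.length()).trim().getBytes(StandardCharsets.US_ASCII);
        byte[] raw = Base64.decode(encoded);
        if (raw == null) {
            // Malformed base64 is a parse failure, not a server error.
            return null;
        }
        String decoded = new String(raw, StandardCharsets.UTF_8);
        int separator = decoded.indexOf(':');
        if (separator <= 0) {
            return null;
        }
        List<Object> credentials = new ArrayList<>(2);
        credentials.add(decoded.substring(0, separator).trim());
        credentials.add(decoded.substring(separator + 1).trim().toCharArray());
        return credentials;
    }

    /**
     * Notifies every registered {@link AuthenticationListener} of an HTTP-layer authentication
     * outcome for the endpoint mapped to {@code str}.
     *
     * @param z         {@code true} for success, {@code false} for failure
     * @param str       request URI used to look the endpoint up
     * @param principal the principal involved; may be {@code null} when none could be built
     */
    private void sendAuthenticationEvents(boolean z, String str, Principal principal) {
        WebServiceEngineImpl engine = WebServiceEngineImpl.getInstance();
        Endpoint endpoint = engine.getEndpoint(str);
        if (endpoint == null) {
            // Unmonitored endpoint: nobody to notify.
            return;
        }
        for (AuthenticationListener listener : engine.getAuthListeners()) {
            if (z) {
                listener.authSucess(endpoint.getDescriptor().getBundleDescriptor(), endpoint, principal);
            } else {
                listener.authFailure(endpoint.getDescriptor().getBundleDescriptor(), endpoint, principal);
            }
        }
    }

    /** Replaces the current thread's security context with the unauthenticated one. */
    public void resetSecurityContext() {
        SecurityContext.setUnauthenticatedContext();
    }

    /** Clears the JACC policy context handler state and the policy context id for this thread. */
    public void resetPolicyContext() {
        PolicyContextHandlerImpl.getInstance().reset();
        PolicyContext.setContextID((String) null);
    }

    /**
     * Returns the message-security system handler for a servlet endpoint.
     *
     * @param webServiceEndpoint the endpoint
     * @return a {@link ServletSystemHandlerDelegate} when the endpoint has no HTTP auth-method
     *         and a SOAP-layer {@link ServerAuthConfig} exists; {@code null} otherwise (a
     *         configuration failure is logged at SEVERE and also yields {@code null})
     */
    public SystemHandlerDelegate getSecurityHandler(WebServiceEndpoint webServiceEndpoint) {
        if (webServiceEndpoint.hasAuthMethod()) {
            // HTTP-layer auth-method takes precedence; no message-level handler.
            return null;
        }
        try {
            ServerAuthConfig config = ServerAuthConfig.getConfig(PipeConstants.SOAP_LAYER, webServiceEndpoint.getMessageSecurityBinding(), null);
            return config == null ? null : new ServletSystemHandlerDelegate(config, webServiceEndpoint);
        } catch (Exception e) {
            _logger.log(Level.SEVERE, "Servlet Webservice security configuration Failure", e);
            return null;
        }
    }

    /**
     * Validates an inbound SOAP request at the message layer.
     *
     * <p>The request message is remembered on the current thread so that
     * {@link #secureResponse} can resolve the same auth context; it is released there, or
     * here if validation throws.
     *
     * @param obj                 the {@link ServerAuthConfig} produced by
     *                            {@link #mergeSOAPMessageSecurityPolicies}; {@code null} means
     *                            no message security
     * @param streamingHandler    the JAX-RPC streaming handler
     * @param sOAPMessageContext  the message context
     * @return {@code true} when there is nothing to validate or validation succeeded
     * @throws RuntimeException wrapping the {@link AuthException} raised on validation failure
     */
    public boolean validateRequest(Object obj, StreamingHandler streamingHandler, SOAPMessageContext sOAPMessageContext) {
        ServerAuthConfig serverAuthConfig = (ServerAuthConfig) obj;
        if (serverAuthConfig == null) {
            return true;
        }
        SOAPMessage requestMessage = sOAPMessageContext.getMessage();
        ServerAuthContext authContext = serverAuthConfig.getAuthContext(streamingHandler, requestMessage);
        req.set(new WeakReference<>(requestMessage));
        if (authContext == null) {
            // Kept in the thread-local; secureResponse() clears it.
            return true;
        }
        try {
            return WebServiceSecurity.validateRequest(sOAPMessageContext, authContext);
        } catch (AuthException e) {
            _logger.log(Level.SEVERE, e.getMessage(), e);
            clearRequestMessage();
            throw new RuntimeException(e);
        }
    }

    /**
     * Secures an outbound SOAP response at the message layer and releases the request message
     * remembered by {@link #validateRequest}, whether or not securing succeeds.
     *
     * @param obj                 the {@link ServerAuthConfig}; {@code null} means no message security
     * @param streamingHandler    the JAX-RPC streaming handler
     * @param sOAPMessageContext  the message context
     * @throws RuntimeException wrapping the {@link AuthException} raised while securing
     */
    public void secureResponse(Object obj, StreamingHandler streamingHandler, SOAPMessageContext sOAPMessageContext) {
        if (obj == null) {
            return;
        }
        try {
            WeakReference<SOAPMessage> remembered = req.get();
            // NOTE(review): if the weak reference was already cleared by GC this passes null
            // rather than falling back to the context message (existing behaviour) — confirm
            // that getAuthContext tolerates it.
            SOAPMessage requestMessage = remembered != null ? remembered.get() : sOAPMessageContext.getMessage();
            ServerAuthContext authContext = ((ServerAuthConfig) obj).getAuthContext(streamingHandler, requestMessage);
            if (authContext != null) {
                try {
                    WebServiceSecurity.secureResponse(sOAPMessageContext, authContext);
                } catch (AuthException e) {
                    _logger.log(Level.SEVERE, (String) null, e);
                    throw new RuntimeException(e);
                }
            }
        } finally {
            clearRequestMessage();
        }
    }

    /** Drops the request message remembered on the current thread, if any. */
    private static void clearRequestMessage() {
        WeakReference<SOAPMessage> remembered = req.get();
        if (remembered != null) {
            remembered.clear();
            // remove() rather than set(null) so a pooled thread keeps no entry at all.
            req.remove();
        }
    }

    /**
     * Builds the client-side message-security handler for a service reference.
     *
     * @param messageSecurityBindingDescriptor binding from the deployment descriptor
     * @param qName                            the WSDL service name, passed to the handler
     *                                         as {@code javax.xml.ws.wsdl.service}
     * @return a {@link HandlerInfo} for {@link MessageLayerClientHandler}, or {@code null}
     *         when no SOAP-layer {@link ClientAuthConfig} exists
     * @throws RuntimeException wrapping any configuration failure (logged at SEVERE)
     */
    public HandlerInfo getMessageSecurityHandler(MessageSecurityBindingDescriptor messageSecurityBindingDescriptor, QName qName) {
        try {
            ClientAuthConfig config = ClientAuthConfig.getConfig(PipeConstants.SOAP_LAYER, messageSecurityBindingDescriptor, null);
            if (config == null) {
                return null;
            }
            QName[] mechanisms = config.getMechanisms();
            Map<String, Object> handlerConfig = new HashMap<>();
            handlerConfig.put(MessageLayerClientHandler.CLIENT_AUTH_CONFIG, config);
            handlerConfig.put("javax.xml.ws.wsdl.service", qName);
            return new HandlerInfo(MessageLayerClientHandler.class, handlerConfig, mechanisms);
        } catch (Exception e) {
            _logger.log(Level.SEVERE, (String) null, e);
            throw new RuntimeException(e);
        }
    }

    /**
     * Returns the hook that installs client-side security pipes for a service reference.
     *
     * @param serviceReferenceDescriptor the service reference
     * @return a new {@link ClientPipeCreator}
     */
    public ClientPipelineHook getClientPipelineHook(ServiceReferenceDescriptor serviceReferenceDescriptor) {
        return new ClientPipeCreator(serviceReferenceDescriptor);
    }

    /**
     * Returns the caller principal of the current security context.
     *
     * @param z when {@code true}, credentials generated by the server itself (rather than
     *          presented by a client) do not count and {@code null} is returned
     * @return the caller principal, or {@code null} when there is no current context or the
     *         context is server-generated and {@code z} is set
     */
    public Principal getUserPrincipal(boolean z) {
        SecurityContext current = SecurityContext.getCurrent();
        if (current == null || (z && current.didServerGenerateCredentials())) {
            return null;
        }
        return current.getCallerPrincipal();
    }

    /**
     * Checks a role for a principal through the web module's realm.
     *
     * @param webModule the web module whose realm is consulted
     * @param principal the principal to check
     * @param str       servlet name passed through to {@code hasRole}
     * @param str2      role name
     * @return the realm's answer, or {@code false} when the module's realm is not a
     *         {@link RealmAdapter}
     */
    public boolean isUserInRole(WebModule webModule, Principal principal, String str, String str2) {
        if (webModule.getRealm() instanceof RealmAdapter) {
            return webModule.getRealm().hasRole(str, principal, str2);
        }
        return false;
    }
}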
