package com.apusic.web.container;

import com.apusic.deploy.runtime.AppContext;
import com.apusic.deploy.runtime.EnvContext;
import com.apusic.deploy.runtime.J2EEModule;
import com.apusic.deploy.runtime.LoginConfig;
import com.apusic.deploy.runtime.ModuleContext;
import com.apusic.deploy.runtime.SecurityConstraint;
import com.apusic.deploy.runtime.WebModule;
import com.apusic.invocation.Invocation;
import com.apusic.invocation.InvocationContext;
import com.apusic.security.Security;
import com.apusic.security.SecurityContext;
import com.apusic.security.SecurityController;
import com.apusic.security.jaspic.servlet.AuthConfigContextListener;
import com.apusic.security.jaspic.servlet.HttpMessageInfo;
import com.apusic.security.sso.AuthCentralFactory;
import com.apusic.security.sso.AuthCentralHandler;
import com.apusic.security.sso.SSOCredential;
import com.apusic.server.Config;
import com.apusic.server.VMOptions;
import com.apusic.util.Base64;
import com.apusic.util.Utils;
import com.apusic.web.resources.Resources;
import com.apusic.web.session.ManagerBase;
import java.io.IOException;
import java.security.Principal;
import java.security.cert.X509Certificate;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.message.AuthException;
import javax.security.auth.message.AuthStatus;
import javax.security.auth.message.MessageInfo;
import javax.security.auth.message.config.ServerAuthConfig;
import javax.security.auth.message.config.ServerAuthContext;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import javax.transaction.Transaction;
import javax.transaction.TransactionManager;

/* loaded from: input_file:com/apusic/web/container/ServletInvocation.class */
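/**
 * Per-request invocation context for a web component: it enforces the web
 * module's security constraints (either through a registered JASPIC
 * {@link ServerAuthConfig} or through the built-in BASIC / FORM / CLIENT-CERT /
 * auth-central handlers), applies the servlet's run-as identity, and restores
 * the security and transaction state once the request is finished.
 *
 * <p>This listing is decompiler output. Several members were package-private in
 * the original class and appear as {@code public} here.
 */
public class ServletInvocation extends Invocation {
    /** Sentinel cached on a servlet component when no usable run-as token could be obtained. */
    private static final Object InvalidToken = new Object();
    private static final boolean USE_DELEGATE_ClASSES_LOADER = VMOptions.isUseDelegateClassesLoader();
    private WebContainer container;
    private WebComponent<?> component;
    private Request request;
    private Response response;
    public int previousOutputState;
    public int currentOutputState;
    // Result codes shared by the authenticate(LoginConfig) family of methods.
    private static final int AUTH_SUCCEED = 0;
    private static final int AUTH_FAILED = 1;
    private static final int AUTH_INCOMPLETE = 2;
    private static final int AUTH_CONTINUE = 3;
    /** True while an impersonation started by initSecurityContext is in effect. */
    private boolean authenticated;
    /** True while a run-as impersonation started by setRunAsRole is in effect. */
    private boolean impersonated;
    /** Transaction seen at the end of preRequest; compared again in postRequest. */
    private Transaction prevTx;

    /**
     * Creates an invocation bound only to a container (no component, request or response).
     * Package-private in the original class; widened by the decompiler.
     */
    public ServletInvocation(WebContainer webContainer) {
        this(webContainer, null, null, null);
    }

    /**
     * Creates an invocation for one component and one request/response pair.
     * Package-private in the original class; widened by the decompiler.
     */
    public ServletInvocation(WebContainer webContainer, WebComponent<?> webComponent, Request request, Response response) {
        this.authenticated = false;
        this.impersonated = false;
        this.prevTx = null;
        this.container = webContainer;
        this.component = webComponent;
        this.request = request;
        this.response = response;
    }

    @Override // com.apusic.invocation.Invocation
    public Object getContainer() {
        return this.container;
    }

    @Override // com.apusic.invocation.Invocation
    public Object getComponent() {
        return this.component;
    }

    @Override // com.apusic.invocation.Invocation
    public J2EEModule getJ2EEModule() {
        return this.container.getWebModule();
    }

    public Request getRequest() {
        return this.request;
    }

    public Response getResponse() {
        return this.response;
    }

    @Override // com.apusic.invocation.Invocation
    public EnvContext getEnvContext() {
        return this.container.getEnvContext();
    }

    @Override // com.apusic.invocation.Invocation
    protected void doPreInvoke() throws Exception {
        if (this.response != null) {
            this.response.preInvoke(this);
        }
    }

    /**
     * Runs the response's post-invoke hook and releases the component's resources.
     *
     * @param th the failure raised by the invocation, or {@code null}
     * @return the throwable to report; a failure of the post-invoke hook replaces {@code th}
     */
    @Override // com.apusic.invocation.Invocation
    protected Throwable doPostInvoke(Throwable th) {
        if (this.response != null) {
            try {
                this.response.postInvoke(this);
            } catch (Throwable hookFailure) {
                th = hookFailure;
            }
        }
        if (this.component != null) {
            InvocationContext.releaseResources(this.component);
        }
        return th;
    }

    /**
     * Authenticates and authorizes the request before the component is invoked.
     *
     * <p>When the container holds a {@link ServerAuthConfig}, the JASPIC path is used:
     * the request is validated by the {@link ServerAuthContext} and then checked against
     * the resource permissions. Otherwise the built-in constraint check and run-as
     * handling are used. On the way out the current transaction is recorded so that
     * {@link #postRequest(Throwable)} can detect a transaction left open by the request.
     *
     * @throws Throwable a {@code PreInvokeException} when access is denied, or any failure
     *         raised by the authentication modules
     */
    public void preRequest() throws Throwable {
        assert this.request != null && this.response != null;
        Object authConfigAttr = this.container.getAttributeFromMap(AuthConfigContextListener.APUSIC_SERVER_AUTU_CONFIG);
        if (!(authConfigAttr instanceof ServerAuthConfig)) {
            checkSecurityConstraint();
            setRunAsRole();
        } else {
            // NOTE(review): setRunAsRole() is not called on this path; confirm run-as is
            // intentionally unsupported when a JASPIC provider is registered.
            ServerAuthConfig serverAuthConfig = (ServerAuthConfig) authConfigAttr;
            HttpMessageInfo messageInfo = new HttpMessageInfo(this.request, this.response);
            try {
                ServerAuthContext authContext = serverAuthConfig.getAuthContext(serverAuthConfig.getAuthContextID(messageInfo), (Subject) null, (Map) null);
                Subject clientSubject = new Subject();
                // NOTE(review): any status other than SUCCESS simply skips the principal
                // setup and falls through to the permission check below; when the module has
                // no security constraints the method then returns normally. Confirm the
                // caller does not dispatch after a SEND_* status.
                if (AuthStatus.SUCCESS.equals(authContext.validateRequest(messageInfo, clientSubject, (Subject) null))) {
                    Set<Principal> principals = clientSubject.getPrincipals();
                    if (principals != null && !principals.isEmpty()) {
                        // NOTE(review): takes whichever principal the set iterator yields
                        // first; if a module adds group principals as well, the user
                        // principal chosen here is not well defined.
                        Principal first = principals.iterator().next();
                        if (!Security.ANONYMOUS.equals(first)) {
                            this.request.setUserPrincipal(first);
                        }
                    }
                    Object reportedAuthType = messageInfo.getMap().get("javax.servlet.http.authType");
                    if (reportedAuthType != null) {
                        this.request.setAuthType(String.valueOf(reportedAuthType));
                    } else {
                        this.request.setAuthType(configuredAuthType(this.container.getWebModule().getLoginConfig()));
                    }
                }
                SecurityConstraint[] constraints = this.container.getWebModule().getSecurityConstraints();
                if (constraints == null || constraints.length == 0) {
                    // NOTE(review): this return skips the transaction snapshot at the end of
                    // the method, so postRequest compares against a null prevTx — confirm
                    // that is intended.
                    return;
                }
                if (!this.container.checkResourcePermission(this.request)) {
                    throw rejectForbidden();
                }
                SecurityController controller = Security.getSecurityController();
                if (controller.getSecurityContext() != null && controller.getSecurityContext().isImpersonation()) {
                    controller.revertToSelf();
                }
                // Kept on the request so postRequest can call secureResponse().
                this.request.setAttribute("JASPIC_AUTH_CONTEXT", authContext);
                this.request.setAttribute("JASPIC_MESSAGE_INFO", messageInfo);
                this.request.setAttribute("JASPIC_SERVICE_SUBJECT", null);
            } catch (RuntimeException e) {
                if (!(e.getCause() instanceof AuthException)) {
                    throw e;
                }
                handleAuthException();
            } catch (AuthException e) {
                handleAuthException();
            } finally {
                // The decompiler had inlined this clean-up at every exit of the try block.
                if (this.request.getAttribute("JASPIC_AUTH_CONTEXT") == null) {
                    Security.setCurrentUser(null);
                }
            }
        }
        TransactionManager transactionManager = Config.getTransactionManager();
        if (transactionManager != null) {
            this.prevTx = transactionManager.getTransaction();
        }
    }

    /**
     * Records an authentication-module failure on the response.
     *
     * <p>NOTE(review): only the status is set; nothing is thrown, so preRequest returns
     * normally after an {@link AuthException}. Whether the caller then refuses to dispatch
     * is not visible in this class — confirm, otherwise this path fails open. The status
     * value comes from a session-manager sizing constant, which looks like the decompiler
     * substituting a same-valued constant for a numeric literal; confirm the intended
     * HTTP status.
     */
    private void handleAuthException() {
        this.response.setStatus(ManagerBase.SESSION_LIST_INIT_SIZE);
    }

    /** Returns the auth type to report for the module's login config; unknown or missing methods map to BASIC. */
    private static String configuredAuthType(LoginConfig loginConfig) {
        String method = (loginConfig != null) ? loginConfig.getAuthMethod() : null;
        if (method == null) {
            return LoginConfig.BASIC_AUTH;
        }
        if (method.equalsIgnoreCase(LoginConfig.FORM_AUTH)) {
            return LoginConfig.FORM_AUTH;
        }
        if (method.equalsIgnoreCase(LoginConfig.CLIENT_CERT_AUTH)) {
            return LoginConfig.CLIENT_CERT_AUTH;
        }
        if (method.equalsIgnoreCase(AuthCentralHandler.AUTH_METHOD)) {
            return AuthCentralHandler.AUTH_METHOD;
        }
        return LoginConfig.BASIC_AUTH;
    }

    /** Sends 403 and returns the exception the caller must throw; the status is sent before the message is built. */
    private PreInvokeException rejectForbidden() throws IOException {
        this.response.sendError(403); // 403 Forbidden
        return new PreInvokeException(Resources._T(Resources.ERR_AUTH_FAILED, this.request.getRemoteUser() + "@" + this.request.getRemoteAddr()));
    }

    /**
     * Undoes what {@link #preRequest()} set up: security context, JASPIC response
     * processing and any transaction the request left open.
     *
     * @param th the failure raised while serving the request, or {@code null}
     * @return {@code th}, or the failure raised during clean-up, which replaces it
     */
    public Throwable postRequest(Throwable th) {
        assert this.request != null && this.response != null;
        try {
            restoreSecurityContext();
            Object authContext = this.request.getAttribute("JASPIC_AUTH_CONTEXT");
            if (authContext instanceof ServerAuthContext) {
                ((ServerAuthContext) authContext).secureResponse((MessageInfo) this.request.getAttribute("JASPIC_MESSAGE_INFO"), (Subject) this.request.getAttribute("JASPIC_SERVICE_SUBJECT"));
                this.request.removeAttribute("JASPIC_AUTH_CONTEXT");
                this.request.removeAttribute("JASPIC_MESSAGE_INFO");
                this.request.removeAttribute("JASPIC_SERVICE_SUBJECT");
                Security.setCurrentUser(null);
            }
            TransactionManager transactionManager = Config.getTransactionManager();
            Transaction current = null;
            if (transactionManager != null) {
                current = transactionManager.getTransaction();
            }
            if (current != null && !current.equals(this.prevTx)) {
                // The request left a different transaction on the thread. Values follow
                // javax.transaction.Status: 0 ACTIVE, 1 MARKED_ROLLBACK, 2 PREPARED, 7 PREPARING.
                int status = current.getStatus();
                if (status == 0 || status == 2 || status == 7 || status == 1) {
                    transactionManager.rollback();
                }
                // Resume the earlier transaction only while it is still ACTIVE (0).
                if (this.prevTx != null && this.prevTx.getStatus() == 0) {
                    transactionManager.resume(this.prevTx);
                }
            }
        } catch (Throwable cleanupFailure) {
            // The clean-up failure replaces the original one, as in the decompiled code.
            th = cleanupFailure;
        } finally {
            this.prevTx = null;
        }
        return th;
    }

    /**
     * Built-in (non-JASPIC) enforcement of the module's security constraints.
     *
     * <p>Returns normally when the request may proceed. Otherwise a response has been
     * started (redirect, challenge or error) and a {@code PreInvokeException} is thrown.
     */
    private void checkSecurityConstraint() throws PreInvokeException, IOException {
        WebModule webModule = this.container.getWebModule();
        SecurityConstraint[] constraints = webModule.getSecurityConstraints();
        if (constraints == null || constraints.length == 0) {
            return;
        }
        boolean unauthenticated = !initSecurityContext(null, null);
        if (enforceTransportGuarantee()) {
            // A redirect to the secure port has been sent.
            throw new PreInvokeException();
        }
        if (this.container.checkResourcePermission(this.request)) {
            return;
        }
        if (!unauthenticated) {
            // Known user without the required permission.
            throw rejectForbidden();
        }
        switch (authenticate(webModule.getLoginConfig())) {
            case AUTH_FAILED:
                throw new PreInvokeException(Resources._T(Resources.ERR_AUTH_FAILED, this.request.getRemoteAddr()));
            case AUTH_INCOMPLETE:
                // A challenge or login redirect is already on the response.
                throw new PreInvokeException();
            case AUTH_CONTINUE:
                // Login-related URI: let the request through without a permission decision.
                return;
            case AUTH_SUCCEED:
            default:
                // Authorization is re-evaluated now that a user identity exists.
                if (this.container.checkResourcePermission(this.request)) {
                    return;
                }
                throw rejectForbidden();
        }
    }

    /**
     * Establishes the caller identity for this request.
     *
     * <p>If the request already has a user principal nothing is done. Otherwise the given
     * security context (or, when {@code null}, the one stored in the session) is
     * impersonated and mirrored into the session and the request.
     *
     * <p>NOTE(review): a freshly authenticated context is stored in the session returned by
     * {@code getSession(true)}; no session-id change is visible in this class. Confirm the
     * id is rotated on login elsewhere.
     *
     * @param securityContext a freshly created context, or {@code null} to reuse the session's
     * @param authType the auth type to report, or {@code null} to reuse the session's
     * @return {@code true} when an identity is in effect
     * @throws SecurityException when impersonating a freshly supplied context fails
     */
    private boolean initSecurityContext(SecurityContext securityContext, String authType) {
        if (this.request.getUserPrincipal() != null) {
            return true;
        }
        SecurityController controller = Security.getSecurityController();
        boolean loadedFromSession = false;
        // Create a session only when there is a new context to store in it.
        HttpSession session = this.request.getSession(securityContext != null);
        if (session != null) {
            if (securityContext == null) {
                securityContext = (SecurityContext) session.getAttribute("security_context");
                loadedFromSession = true;
            }
            if (authType == null) {
                authType = (String) session.getAttribute("auth_type");
            }
        }
        if (securityContext == null) {
            return false;
        }
        try {
            controller.impersonate(securityContext.getAccessToken(), securityContext.getCredential());
            this.authenticated = true;
            if (session != null) {
                session.setAttribute("security_context", securityContext);
                session.setAttribute("auth_type", authType);
            }
            this.request.setUserPrincipal(securityContext.getUserPrincipal());
            this.request.setAuthType(authType);
            return true;
        } catch (SecurityException e) {
            if (!loadedFromSession || session == null) {
                throw ((SecurityException) e.fillInStackTrace());
            }
            // The cached context is no longer accepted: drop it so the user is asked to log in again.
            session.removeAttribute("security_context");
            return false;
        }
    }

    /**
     * Logs the user on and installs the resulting security context.
     *
     * <p>NOTE(review): every exception is reduced to {@code false} and nothing is recorded
     * here, so an unavailable realm looks the same as bad credentials and failed logons
     * leave no trace from this method. Confirm the security controller audits them.
     *
     * @return {@code true} on success, {@code false} on any failure
     */
    private boolean authenticate(String authType, String username, Object credential) {
        try {
            initSecurityContext(Security.getSecurityController().logonUser(username, credential), authType);
            return true;
        } catch (Exception e) {
            return false;
        }
    }

    /**
     * Impersonates the principal mapped to the servlet's run-as role, if one is declared.
     * The token is resolved once per component and cached on it; a failed resolution is
     * cached as {@link #InvalidToken} so it is not retried.
     */
    private void setRunAsRole() {
        ServletComponent servlet = (ServletComponent) this.component;
        String runAsRole = servlet.getRunAsRole();
        if (runAsRole == null) {
            return;
        }
        SecurityController controller = Security.getSecurityController();
        Object token = servlet.getRunAsToken();
        if (token == null) {
            synchronized (servlet) {
                // Re-read under the lock: another request may have resolved it meanwhile.
                token = servlet.getRunAsToken();
                if (token == null) {
                    Principal mapped = this.container.getWebModule().getApplication().getRoleMapper().getMappedPrincipal(runAsRole);
                    if (mapped != null) {
                        try {
                            token = controller.getImpersonateToken(mapped.getName());
                        } catch (Exception e) {
                            token = InvalidToken;
                        }
                    } else {
                        token = InvalidToken;
                    }
                    servlet.setRunAsToken(token);
                }
            }
        }
        if (token == InvalidToken) {
            return;
        }
        try {
            controller.impersonate(token);
            this.impersonated = true;
        } catch (Exception ignored) {
            // NOTE(review): a failed run-as impersonation is dropped silently, as is an
            // unresolvable token above; the servlet then runs under whatever identity is
            // already in effect instead of the declared role. Consider reporting this.
        }
    }

    /** Reverts the impersonations started for this request and clears the request's identity. */
    private void restoreSecurityContext() {
        SecurityController controller = Security.getSecurityController();
        if (this.impersonated) {
            controller.revertToSelf();
            this.impersonated = false;
        }
        if (this.authenticated) {
            controller.revertToSelf();
            this.authenticated = false;
        }
        this.request.setUserPrincipal(null);
        this.request.setAuthType(null);
    }

    /**
     * Authenticates the caller on demand using the module's login configuration.
     * Package-private in the original class; widened by the decompiler.
     *
     * @return {@code true} when an identity is in effect; {@code false} when a challenge
     *         or redirect was issued or the login page itself is being requested
     * @throws ServletException when authentication was attempted and failed
     */
    public boolean requestAuthenticate(HttpServletResponse httpServletResponse) throws IOException, ServletException {
        if (initSecurityContext(null, null)) {
            return true;
        }
        switch (authenticate(this.container.getWebModule().getLoginConfig())) {
            case AUTH_SUCCEED:
                return true;
            case AUTH_FAILED:
                throw new ServletException(Resources._T(Resources.ERR_AUTH_FAILED, this.request.getRemoteAddr()));
            default:
                return false;
        }
    }

    /**
     * Programmatic login with a user name and password.
     * Package-private in the original class; widened by the decompiler.
     *
     * <p>A login config without an auth method is treated as BASIC and the method name is
     * compared case-insensitively, matching {@code authenticate(LoginConfig)}.
     *
     * @throws ServletException when an identity already exists, the configured auth method
     *         is neither BASIC nor FORM, or the credentials are rejected
     */
    public void requestLogin(String username, String password) throws ServletException {
        if (initSecurityContext(null, null)) {
            throw new ServletException("Attempt to re-login while the user identity already exists");
        }
        LoginConfig loginConfig = this.container.getWebModule().getLoginConfig();
        String authMethod = (loginConfig != null) ? loginConfig.getAuthMethod() : null;
        if (authMethod != null && !authMethod.equalsIgnoreCase(LoginConfig.BASIC_AUTH) && !authMethod.equalsIgnoreCase(LoginConfig.FORM_AUTH)) {
            throw new ServletException("Invalid LoginConfig, Auth Method Required is BASIC or FORM, but found " + authMethod);
        }
        if (!authenticate("LOGIN", username, password)) {
            // The message carries the caller-supplied user name; neutralise it before logging.
            throw new ServletException("Failed login while attempting to authenticate user: " + username);
        }
    }

    /**
     * Ends the current identity and removes the cached security context from the session.
     * Package-private in the original class; widened by the decompiler.
     */
    public void requestLogout() throws ServletException {
        restoreSecurityContext();
        HttpSession session = this.request.getSession(false);
        if (session != null) {
            session.removeAttribute("security_context");
        }
    }

    /**
     * Dispatches to the handler for the configured auth method; a missing method means BASIC.
     *
     * @return one of the {@code AUTH_*} codes; {@link #AUTH_FAILED} for an unknown method
     */
    private int authenticate(LoginConfig loginConfig) throws IOException {
        String method = null;
        if (loginConfig != null) {
            method = loginConfig.getAuthMethod();
        }
        if (method == null || method.equalsIgnoreCase(LoginConfig.BASIC_AUTH)) {
            return basicAuthentication(loginConfig);
        }
        if (method.equalsIgnoreCase(LoginConfig.FORM_AUTH)) {
            return formAuthentication(loginConfig);
        }
        if (method.equalsIgnoreCase(LoginConfig.CLIENT_CERT_AUTH)) {
            return clientCertAuthentication(loginConfig);
        }
        if (method.equalsIgnoreCase(AuthCentralHandler.AUTH_METHOD)) {
            return authCentralAuthentication(loginConfig);
        }
        return AUTH_FAILED;
    }

    /**
     * HTTP Basic authentication: checks the {@code Authorization} header and, when it is
     * absent or rejected, sends a 401 challenge.
     *
     * @return {@link #AUTH_SUCCEED}, {@link #AUTH_FAILED} when credentials were supplied
     *         but rejected, or {@link #AUTH_INCOMPLETE} when none were supplied
     */
    private int basicAuthentication(LoginConfig loginConfig) throws IOException {
        String username = null;
        String password = null;
        String header = this.request.getHeader("Authorization");
        if (header != null && header.startsWith("Basic ")) {
            // NOTE(review): the decoded value is turned into a String without naming a
            // charset; if decode() returns bytes the platform default applies and non-ASCII
            // credentials depend on the JVM's locale. Behaviour of decode() on malformed
            // input is not visible here either.
            String decoded = new String(Base64.decode(header.substring(6).trim()));
            int colon = decoded.indexOf(':');
            if (colon > 0) {
                username = decoded.substring(0, colon);
                password = decoded.substring(colon + 1);
            }
        }
        if (username != null && password != null && authenticate(LoginConfig.BASIC_AUTH, username, password)) {
            return AUTH_SUCCEED;
        }
        String realm = null;
        if (loginConfig != null) {
            realm = loginConfig.getRealmName();
        }
        if (realm == null) {
            // NOTE(review): the fallback realm uses the request's server name, which is
            // placed in the header unescaped; confirm it cannot contain a double quote.
            realm = this.request.getServerName() + ":" + this.request.getServerPort();
        }
        this.response.setHeader("WWW-Authenticate", "Basic realm=\"" + realm + "\"");
        this.response.setStatus(401); // 401 Unauthorized
        this.response.sendError(401);
        return username != null ? AUTH_FAILED : AUTH_INCOMPLETE;
    }

    /**
     * Delegates to the auth-central (SSO) handler and, on success, logs the reported user on locally.
     *
     * <p>NOTE(review): the result of the local logon is ignored, so the handler's success
     * code is returned even when no local identity could be established;
     * {@code requestAuthenticate} would then report success. Confirm and consider failing closed.
     */
    private int authCentralAuthentication(LoginConfig loginConfig) throws IOException {
        AuthCentralHandler handler = AuthCentralFactory.getInstance().newAuthCentralHandler();
        int result = handler.authenticate(this.request, this.response);
        // Presumably the handler uses the same code space as AUTH_* (0 = success) — verify.
        if (result == AUTH_SUCCEED) {
            authenticate(AuthCentralHandler.AUTH_METHOD, handler.getUserName(), new SSOCredential());
        }
        return result;
    }

    /**
     * Form-based authentication. Credentials are taken from the session attributes
     * {@code j_username} / {@code j_password} (presumably stored by the login-form handler,
     * which is not part of this class) and removed from the session as soon as they are read.
     *
     * @return {@link #AUTH_CONTINUE} for the login page, error page and {@code j_security_check};
     *         {@link #AUTH_INCOMPLETE} after redirecting to the login page;
     *         {@link #AUTH_SUCCEED} or {@link #AUTH_FAILED} once credentials were checked
     */
    private int formAuthentication(LoginConfig loginConfig) throws IOException {
        String requestUri = Utils.urlDecode(this.request.getRequestURI());
        String loginPage = this.container.getContextRoot() + loginConfig.getFormLoginPage();
        String errorPage = this.container.getContextRoot() + loginConfig.getFormErrorPage();
        // NOTE(review): endsWith accepts any URI with this suffix, not only
        // contextRoot + "/j_security_check", and AUTH_CONTINUE makes the constraint check
        // return without an authorization decision. Confirm such URIs can only reach the
        // login handler, or compare against the exact path.
        if (requestUri.equals(loginPage) || requestUri.equals(errorPage) || requestUri.endsWith("/j_security_check")) {
            return AUTH_CONTINUE;
        }
        HttpSession session = this.request.getSession(true);
        String username = (String) session.getAttribute("j_username");
        String password = (String) session.getAttribute("j_password");
        // Do not leave the submitted credentials in the session.
        session.removeAttribute("j_username");
        session.removeAttribute("j_password");
        if (username == null || password == null) {
            // Remember where the user was heading, then send them to the login page.
            if (this.request.getQueryString() != null) {
                requestUri = requestUri + "?" + this.request.getQueryString();
            }
            session.setAttribute("original_url", requestUri);
            this.response.sendRedirect(this.response.encodeURL(loginPage));
            return AUTH_INCOMPLETE;
        }
        if (authenticate(LoginConfig.FORM_AUTH, username, password)) {
            return AUTH_SUCCEED;
        }
        try {
            this.request.getRequestDispatcher(loginConfig.getFormErrorPage()).forward(this.request, this.response);
        } catch (Exception ignored) {
            // Showing the error page is best effort; the login has failed either way.
        }
        return AUTH_FAILED;
    }

    /**
     * Client-certificate authentication using the certificate chain stored on the request.
     * Sends 403 when no chain is present or the logon is rejected.
     */
    private int clientCertAuthentication(LoginConfig loginConfig) throws IOException {
        X509Certificate[] chain = (X509Certificate[]) this.request.getAttribute("javax.servlet.request.X509Certificate");
        if (chain != null && chain.length > 0 && authenticate("CLIENT_CERT", null, chain)) {
            return AUTH_SUCCEED;
        }
        this.response.sendError(403); // 403 Forbidden
        return AUTH_FAILED;
    }

    /**
     * Redirects an insecure request to HTTPS when the user-data permission check fails.
     *
     * <p>NOTE(review): when no secure port is configured the method returns {@code false}
     * and the request continues over the insecure channel, i.e. the transport guarantee
     * fails open. The redirect target is also built from the request's server name;
     * confirm that value is validated against the configured hosts.
     *
     * @return {@code true} when a redirect was sent and processing must stop
     */
    private boolean enforceTransportGuarantee() throws IOException {
        if (this.request.isSecure() || this.container.checkUserDataPermission(this.request)) {
            return false;
        }
        LoginConfig loginConfig = this.container.getWebModule().getLoginConfig();
        boolean clientCert = loginConfig != null && LoginConfig.CLIENT_CERT_AUTH.equals(loginConfig.getAuthMethod());
        // Client-certificate logins (or the VM-wide option) use the mutual-auth port.
        boolean useMutualAuthPort = clientCert || VMOptions.isUseMutualAuthPort();
        int securePort = useMutualAuthPort ? this.container.getServer().getMutualAuthPort() : this.container.getServer().getSecurePort();
        if (securePort <= 0) {
            return false;
        }
        String target = "https://" + this.request.getServerName();
        if (securePort != 443) {
            target = target + ":" + securePort;
        }
        target = target + Utils.urlDecode(this.request.getRequestURI());
        if (this.request.getQueryString() != null) {
            target = target + "?" + this.request.getQueryString();
        }
        this.response.sendRedirect(this.response.encodeURL(target));
        return true;
    }

    /** Describes the invocation as {@code context=<name>[, uri=<include URI or request URI>]}. */
    @Override
    public String toString() {
        String text = "context=" + this.container.getServletContextName();
        if (this.request != null) {
            String uri = (String) this.request.getAttribute(Request.INCLUDE_REQUEST_URI);
            if (uri == null) {
                uri = Utils.urlDecode(this.request.getRequestURI());
            }
            text = text + ", uri=" + uri;
        }
        return text;
    }

    /** Returns the realm name of the owning application. Protected in the original class. */
    @Override // com.apusic.invocation.Invocation
    public String currentRealm() throws Exception {
        return this.container.getWebModule().getApplication().getRealmName();
    }

    /** Returns the owning application's password-transport-encryption flag. Protected in the original class. */
    @Override // com.apusic.invocation.Invocation
    public boolean isPwdTransEncrypted() {
        return this.container.getWebModule().getApplication().isPwdTransEncrypted();
    }

    @Override // com.apusic.invocation.Invocation
    public AppContext getAppContext() {
        return this.container.getWebModule().getApplication().getAppContext();
    }

    @Override // com.apusic.invocation.Invocation
    public ModuleContext getModuleContext() {
        return this.container.getWebModule().getModuleContext();
    }

    /**
     * Returns the container's class loader, or the delegate's classes loader when the
     * container uses a {@code ServletClassLoader} and the VM option is off.
     */
    @Override // com.apusic.invocation.Invocation
    protected ClassLoader getClassLoader() {
        ClassLoader classLoader = this.container.getClassLoader();
        if (!USE_DELEGATE_ClASSES_LOADER && (classLoader instanceof ServletClassLoader)) {
            classLoader = ((ServletClassLoader) classLoader).getDelegate().getClassesLoader();
        }
        return classLoader;
    }
}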
