package com.sun.enterprise.security.webservices;

import com.sun.enterprise.deployment.ServiceReferenceDescriptor;
import com.sun.enterprise.deployment.WebServiceEndpoint;
import com.sun.enterprise.deployment.runtime.common.MessageSecurityBindingDescriptor;
import com.sun.enterprise.security.SecurityContext;
import com.sun.enterprise.security.ee.audit.AppServerAuditManager;
import com.sun.enterprise.security.jacc.context.PolicyContextHandlerImpl;
import com.sun.enterprise.security.jauth.jaspic.provider.ServerAuthConfig;
import com.sun.enterprise.security.web.integration.WebPrincipal;
import com.sun.enterprise.web.WebModule;
import com.sun.web.security.RealmAdapter;
import com.sun.xml.ws.assembler.metro.dev.ClientPipelineHook;
import jakarta.inject.Inject;
import jakarta.inject.Singleton;
import jakarta.security.jacc.PolicyContext;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.xml.soap.SOAPMessage;
import java.lang.ref.WeakReference;
import java.nio.charset.StandardCharsets;
import java.security.Principal;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import java.util.logging.Level;
import java.util.logging.Logger;
import org.apache.catalina.util.Base64;
import org.glassfish.webservices.EjbRuntimeEndpointInfo;
import org.glassfish.webservices.SecurityService;
import org.glassfish.webservices.WebServiceContextImpl;
import org.glassfish.webservices.monitoring.AuthenticationListener;
import org.glassfish.webservices.monitoring.Endpoint;
import org.glassfish.webservices.monitoring.WebServiceEngineImpl;
import org.jvnet.hk2.annotations.Service;

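@Singleton
@Service
/**
 * Container-side security hooks for EJB web service endpoints.
 *
 * <p>The central entry point is {@link #doSecurity}, which authenticates an incoming HTTP request
 * against the realm configured for the endpoint, either from an HTTP Basic {@code Authorization}
 * header or from the TLS client certificate chain exposed by the connector. Every outcome is
 * reported to the {@link AppServerAuditManager} (when auditing is on) and to the registered
 * {@link AuthenticationListener}s of the web service engine.
 *
 * <p>Fail-closed contract: any exception raised while authenticating is audited as a failed
 * invocation and propagated to the caller as a {@link RuntimeException}; the method never
 * returns {@code true} on an error path.
 */
public class SecurityServiceImpl implements SecurityService {
    private static final String AUTHORIZATION_HEADER = "authorization";
    /** Scheme prefix of an HTTP Basic credential (RFC 7617); compared case-insensitively. */
    private static final String BASIC_SCHEME_PREFIX = "Basic ";
    /** Servlet-spec attribute under which the connector publishes the client certificate chain. */
    private static final String JAKARTA_CERT_ATTRIBUTE = "jakarta.servlet.request.X509Certificate";
    /** Connector-specific fallback attribute for the client certificate chain. */
    private static final String COYOTE_CERT_ATTRIBUTE = "org.apache.coyote.request.X509Certificate";

    @Inject
    private AppServerAuditManager auditManager;
    protected static final Logger _logger = LogUtils.getLogger();
    // Not referenced anywhere in this class; retained for compatibility with the original layout.
    private static ThreadLocal<WeakReference<SOAPMessage>> req = new ThreadLocal<>();

    /**
     * Builds the SOAP server-side JASPIC auth config for the given message-security binding.
     *
     * @param binding the message-security binding from the deployment descriptor
     * @return the {@link ServerAuthConfig}, or {@code null} if it could not be created (the
     *         failure is logged at SEVERE)
     */
    @Override
    public Object mergeSOAPMessageSecurityPolicies(MessageSecurityBindingDescriptor binding) {
        try {
            return ServerAuthConfig.getConfig("SOAP", binding, null);
        } catch (Exception e) {
            _logger.log(Level.SEVERE, LogUtils.EJB_SEC_CONFIG_FAILURE, (Throwable) e);
            return null;
        }
    }

    /**
     * Authenticates an HTTP request targeting an EJB web service endpoint.
     *
     * <p>Decision order:
     * <ol>
     *   <li>{@code GET} requests and endpoints without a configured auth-method are accepted
     *       without credentials.</li>
     *   <li>If the endpoint is not configured for Basic auth and no {@code Authorization} header
     *       is present, the TLS client certificate chain is used.</li>
     *   <li>Otherwise an HTTP Basic {@code Authorization} header is required and parsed.</li>
     *   <li>The resulting principal is authenticated by a {@link RealmAdapter} for
     *       {@code realmName} and the endpoint's module.</li>
     * </ol>
     *
     * @param request      the incoming request
     * @param endpointInfo runtime info of the target EJB endpoint
     * @param realmName    name of the realm to authenticate against
     * @param wsContext    web service context whose stale principal is cleared first; may be null
     * @return {@code true} if the request is authenticated (or needs no authentication)
     * @throws RuntimeException wrapping any exception raised during authentication; the
     *         invocation is audited as failed before the exception propagates
     */
    @Override
    public boolean doSecurity(HttpServletRequest request, EjbRuntimeEndpointInfo endpointInfo,
                              String realmName, WebServiceContextImpl wsContext) {
        try {
            return authenticateRequest(request, endpointInfo, realmName, wsContext);
        } catch (Exception e) {
            // Fail closed: record the failed attempt, then surface a single exception type
            // (RuntimeExceptions are wrapped too, matching the historical behaviour).
            auditInvocation(endpointInfo, false);
            throw new RuntimeException(e);
        } catch (Error e) {
            // Errors are not wrapped, but the attempt is still audited as failed.
            auditInvocation(endpointInfo, false);
            throw e;
        }
    }

    /** The body of {@link #doSecurity} without the exception/audit wrapper. */
    private boolean authenticateRequest(HttpServletRequest request, EjbRuntimeEndpointInfo endpointInfo,
                                        String realmName, WebServiceContextImpl wsContext) {
        // Never let a principal left over from an earlier request on this context survive.
        if (wsContext != null) {
            wsContext.setUserPrincipal(null);
        }
        WebServiceEndpoint endpoint = endpointInfo.getEndpoint();
        String endpointName = endpoint.getEndpointName();
        String authHeader = request.getHeader(AUTHORIZATION_HEADER);
        String requestUri = request.getRequestURI();

        // GET (e.g. WSDL retrieval) and endpoints with no auth-method are deliberately open.
        if ("GET".equals(request.getMethod()) || !endpoint.hasAuthMethod()) {
            auditInvocation(endpointInfo, true);
            return true;
        }

        WebPrincipal principal;
        if (!endpoint.hasBasicAuth() && authHeader == null) {
            principal = principalFromClientCertificate(request, endpointName);
        } else {
            // NOTE(review): an endpoint that is not configured for Basic auth still takes the
            // Basic path whenever an Authorization header is present; the credentials are
            // still validated by the realm, but the configured auth-method is not enforced here.
            if (authHeader == null) {
                sendAuthenticationEvents(false, requestUri, null);
                auditInvocation(endpointInfo, false);
                return false;
            }
            principal = principalFromBasicHeader(authHeader, endpointName);
        }
        if (principal == null) {
            sendAuthenticationEvents(false, requestUri, null);
            auditInvocation(endpointInfo, false);
            return false;
        }

        boolean authenticated = new RealmAdapter(realmName, endpoint.getBundleDescriptor().getModuleID())
                .authenticate(principal);
        sendAuthenticationEvents(authenticated, requestUri, principal);
        if (!authenticated && _logger.isLoggable(Level.FINE)) {
            _logger.fine("authentication failed for " + endpointName);
        }

        endpointInfo.prepareInvocation(false);
        // NOTE(review): the principal is attached to the context even when authentication
        // failed; callers are expected to reject the request on a false return, and the
        // context is cleared again at the start of the next request.
        ((WebServiceContextImpl) endpointInfo.getWebServiceContext()).setUserPrincipal(principal);
        auditInvocation(endpointInfo, authenticated);
        return authenticated;
    }

    /**
     * Builds a principal from the TLS client certificate chain, or returns {@code null} (after
     * logging a warning for {@code endpointName}) when the connector supplied no certificate.
     */
    private WebPrincipal principalFromClientCertificate(HttpServletRequest request, String endpointName) {
        X509Certificate[] chain = resolveClientCertificates(request);
        if (chain == null) {
            _logger.log(Level.WARNING, LogUtils.CLIENT_CERT_ERROR, endpointName);
            return null;
        }
        return new WebPrincipal(chain, SecurityContext.init());
    }

    /**
     * Reads the client certificate chain from the servlet-spec attribute, falling back to the
     * connector-specific one. An empty chain is treated the same as a missing one.
     */
    private static X509Certificate[] resolveClientCertificates(HttpServletRequest request) {
        X509Certificate[] chain = (X509Certificate[]) request.getAttribute(JAKARTA_CERT_ATTRIBUTE);
        if (chain == null || chain.length == 0) {
            chain = (X509Certificate[]) request.getAttribute(COYOTE_CERT_ATTRIBUTE);
        }
        return (chain == null || chain.length == 0) ? null : chain;
    }

    /**
     * Builds a principal from an HTTP Basic {@code Authorization} header, or returns
     * {@code null} (after logging a warning for {@code endpointName}) when it cannot be parsed.
     */
    private WebPrincipal principalFromBasicHeader(String authHeader, String endpointName) {
        List<Object> credentials = parseUsernameAndPassword(authHeader);
        if (credentials == null) {
            _logger.log(Level.WARNING, LogUtils.BASIC_AUTH_ERROR, endpointName);
            return null;
        }
        return new WebPrincipal((String) credentials.get(0), (char[]) credentials.get(1), SecurityContext.init());
    }

    /** Reports the invocation outcome to the audit manager when auditing is enabled. */
    private void auditInvocation(EjbRuntimeEndpointInfo endpointInfo, boolean success) {
        if (auditManager != null && auditManager.isAuditOn()) {
            auditManager.ejbAsWebServiceInvocation(endpointInfo.getEndpoint().getEndpointName(), success);
        }
    }

    /**
     * Returns the caller principal of the current {@link SecurityContext}.
     *
     * @param isWeb when {@code true}, a context whose credentials were generated by the server
     *              (i.e. no caller actually authenticated) yields {@code null}
     * @return the caller principal, or {@code null} if there is no current context or the
     *         condition above applies
     */
    @Override
    public Principal getUserPrincipal(boolean isWeb) {
        SecurityContext current = SecurityContext.getCurrent();
        if (current == null) {
            return null;
        }
        if (isWeb && current.didServerGenerateCredentials()) {
            return null;
        }
        return current.getCallerPrincipal();
    }

    /**
     * Delegates the role check to the module's {@link RealmAdapter}.
     *
     * @return {@code false} if the module's realm is not a {@link RealmAdapter}
     */
    @Override
    public boolean isUserInRole(WebModule webModule, Principal principal, String servletName, String role) {
        // Argument order follows RealmAdapter.hasRole(servletName, principal, role) -- confirm
        // against that class if the semantics of the two strings matter to you.
        Object realm = webModule.getRealm();
        if (!(realm instanceof RealmAdapter)) {
            return false;
        }
        return ((RealmAdapter) realm).hasRole(servletName, principal, role);
    }

    /** Drops the caller identity on this thread back to the unauthenticated context. */
    @Override
    public void resetSecurityContext() {
        SecurityContext.setUnauthenticatedContext();
    }

    /** Clears the JACC policy context handler state and the policy context ID. */
    @Override
    public void resetPolicyContext() {
        ((PolicyContextHandlerImpl) PolicyContextHandlerImpl.getInstance()).reset();
        PolicyContext.setContextID(null);
    }

    /** Creates the client-side pipeline hook that installs security for a service reference. */
    @Override
    public ClientPipelineHook getClientPipelineHook(ServiceReferenceDescriptor serviceRef) {
        return new ClientPipeCreator(serviceRef);
    }

    /**
     * Parses an HTTP Basic {@code Authorization} header value.
     *
     * <p>The scheme is matched case-insensitively. The credential is decoded with the strict
     * RFC 4648 decoder and interpreted as UTF-8 (RFC 7617 leaves the charset to the server;
     * previously the platform default was used). Anything that is not well-formed base64, or
     * that has an empty user-id, is reported as unparseable rather than raising an exception
     * out of {@link #doSecurity}.
     *
     * @param header the raw header value, may be {@code null}
     * @return a two-element list {@code [String user, char[] password]}, both with surrounding
     *         whitespace trimmed, or {@code null} if the header is not a usable Basic credential
     */
    private List<Object> parseUsernameAndPassword(String header) {
        int prefixLen = BASIC_SCHEME_PREFIX.length();
        if (header == null || !header.regionMatches(true, 0, BASIC_SCHEME_PREFIX, 0, prefixLen)) {
            return null;
        }
        byte[] decoded;
        try {
            // Fully qualified: this file still imports org.apache.catalina.util.Base64.
            decoded = java.util.Base64.getDecoder().decode(header.substring(prefixLen).trim());
        } catch (IllegalArgumentException e) {
            // Malformed base64 (including embedded whitespace) is an authentication failure,
            // not a server error.
            return null;
        }
        String credential = new String(decoded, StandardCharsets.UTF_8);
        // Split on the first ':' only -- the password may itself contain colons (RFC 7617).
        int separator = credential.indexOf(':');
        if (separator <= 0) {
            return null;
        }
        List<Object> result = new ArrayList<>(2);
        result.add(credential.substring(0, separator).trim());
        result.add(credential.substring(separator + 1).trim().toCharArray());
        return result;
    }

    /**
     * Notifies all registered {@link AuthenticationListener}s about an authentication outcome
     * for the endpoint registered under {@code requestUri}; a no-op if no endpoint matches.
     *
     * @param success    whether authentication succeeded
     * @param requestUri the request URI used to look up the monitored endpoint
     * @param principal  the principal that was (or was not) authenticated; may be {@code null}
     */
    private void sendAuthenticationEvents(boolean success, String requestUri, Principal principal) {
        WebServiceEngineImpl engine = WebServiceEngineImpl.getInstance();
        Endpoint endpoint = engine.getEndpoint(requestUri);
        if (endpoint == null) {
            return;
        }
        for (AuthenticationListener listener : engine.getAuthListeners()) {
            if (success) {
                listener.authSucess(endpoint.getDescriptor().getBundleDescriptor(), endpoint, principal);
            } else {
                listener.authFailure(endpoint.getDescriptor().getBundleDescriptor(), endpoint, principal);
            }
        }
    }
}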
