package com.ibm.ws.webcontainer.security.internal;

import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.Sensitive;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.ws.genericbnf.PasswordNullifier;
import com.ibm.ws.kernel.provisioning.ExtensionConstants;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import com.ibm.ws.security.authentication.AuthenticationService;
import com.ibm.ws.security.context.SubjectManager;
import com.ibm.ws.security.registry.UserRegistry;
import com.ibm.ws.webcontainer.security.AuthResult;
import com.ibm.ws.webcontainer.security.AuthenticationResult;
import com.ibm.ws.webcontainer.security.CookieHelper;
import com.ibm.ws.webcontainer.security.ReferrerURLCookieHandler;
import com.ibm.ws.webcontainer.security.SSOCookieHelper;
import com.ibm.ws.webcontainer.security.SSOCookieHelperImpl;
import com.ibm.ws.webcontainer.security.WebAppSecurityConfig;
import com.ibm.ws.webcontainer.security.WebAuthenticator;
import com.ibm.ws.webcontainer.security.WebProviderAuthenticatorProxy;
import com.ibm.ws.webcontainer.security.metadata.FormLoginConfiguration;
import com.ibm.ws.webcontainer.security.metadata.LoginConfiguration;
import com.ibm.ws.webcontainer.security.metadata.SecurityMetadata;
import com.ibm.ws.webcontainer.security.openidconnect.OidcServer;
import com.ibm.wsspi.kernel.service.location.WsLocationConstants;
import com.ibm.wsspi.kernel.service.utils.AtomicServiceReference;
import com.ibm.wsspi.kernel.service.utils.ConcurrentServiceReferenceMap;
import com.ibm.wsspi.webcontainer.metadata.WebModuleMetaData;
import com.ibm.wsspi.webcontainer.osgi.extension.WebExtensionProcessor;
import com.ibm.wsspi.webcontainer.servlet.IServletContext;
import com.ibm.wsspi.webcontainer.webapp.WebAppConfig;
import java.io.IOException;
import java.util.HashMap;
import javax.security.auth.Subject;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

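/**
 * Web-container extension processor that services the form-login action: a
 * request carrying the {@code j_username} and {@code j_password} parameters.
 * <p>
 * The request is first offered to the configured provider authenticators
 * (JASPI or other {@link WebAuthenticator}s) via
 * {@link WebProviderAuthenticatorProxy}; only when they decline
 * ({@link AuthResult#CONTINUE}) is the credential pair verified against the
 * user registry. On success the caller/invocation subjects are set, SSO
 * cookies are issued and the client is redirected to the URL stored in the
 * referrer cookie; on failure the response is set to 401 and, when one is
 * configured, the client is redirected to the error page.
 */
@InjectedFFDC
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
/* loaded from: input_file:lib/com.ibm.ws.webcontainer.security_1.0.13.cl160220160819-1442.jar:com/ibm/ws/webcontainer/security/internal/FormLoginExtensionProcessor.class */
public class FormLoginExtensionProcessor extends WebExtensionProcessor {
    private static final TraceComponent tc = Tr.register(FormLoginExtensionProcessor.class);
    /** Registry key under which the JASPI authenticator is published, if present. */
    private static final String JASPI_AUTHENTICATOR_KEY = "com.ibm.ws.security.jaspi";
    /** Request parameter that lets the login form name an alternative error page. */
    private static final String ERROR_PAGE_PARAM = "error_page";
    /** Query string appended to the relogin cookie URL when it carries none of its own. */
    private static final String RELOGIN_ERROR_QUERY = "?error=error";

    private final SubjectManager subjectManager;
    private final AuthenticationService authenticationService;
    private final UserRegistry userRegistry;
    private final SecurityMetadata securityMetadata;
    private final WebAppSecurityConfig webAppSecConfig;
    private final SSOCookieHelper ssoCookieHelper;
    /** Application name, used only in the SEC_FORM_LOGIN_BAD_CONFIG message. */
    private String appName = null;
    private final WebProviderAuthenticatorProxy providerAuthenticatorProxy;
    /** May be null; consulted only to decide whether JASPI is available. */
    private ConcurrentServiceReferenceMap<String, WebAuthenticator> webAuthenticatorRef = null;
    ReferrerURLCookieHandler referrerURLHandler = null;
    String errorPage = null;
    private WebAppConfig wac = null;
    static final long serialVersionUID = 4518837489542195037L;

    /**
     * Convenience constructor without an OIDC server reference; delegates to the
     * full constructor with a null {@link AtomicServiceReference}.
     */
    public FormLoginExtensionProcessor(WebAppSecurityConfig webAppSecurityConfig, AuthenticationService authenticationService, UserRegistry userRegistry, IServletContext iServletContext, WebProviderAuthenticatorProxy webProviderAuthenticatorProxy, ConcurrentServiceReferenceMap<String, WebAuthenticator> concurrentServiceReferenceMap) {
        this(webAppSecurityConfig, authenticationService, userRegistry, iServletContext, webProviderAuthenticatorProxy, (AtomicServiceReference) null, concurrentServiceReferenceMap);
    }

    /**
     * Creates the processor for one web application.
     *
     * @param webAppSecurityConfig          global web security configuration
     * @param authenticationService         service that verifies credentials
     * @param userRegistry                  registry the credentials are checked against
     * @param iServletContext               servlet context of the web app; its
     *                                      {@link WebAppConfig} supplies the application
     *                                      name and security metadata
     * @param webProviderAuthenticatorProxy proxy over the provider authenticators
     * @param atomicServiceReference        OIDC server reference handed to the SSO cookie
     *                                      helper; may be null
     * @param concurrentServiceReferenceMap registered {@link WebAuthenticator}s; may be null
     */
    public FormLoginExtensionProcessor(WebAppSecurityConfig webAppSecurityConfig, AuthenticationService authenticationService, UserRegistry userRegistry, IServletContext iServletContext, WebProviderAuthenticatorProxy webProviderAuthenticatorProxy, AtomicServiceReference<OidcServer> atomicServiceReference, ConcurrentServiceReferenceMap<String, WebAuthenticator> concurrentServiceReferenceMap) {
        super(iServletContext);
        this.subjectManager = new SubjectManager();
        this.authenticationService = authenticationService;
        this.userRegistry = userRegistry;
        this.webAppSecConfig = webAppSecurityConfig;
        this.providerAuthenticatorProxy = webProviderAuthenticatorProxy;
        this.webAuthenticatorRef = concurrentServiceReferenceMap;
        this.ssoCookieHelper = new SSOCookieHelperImpl(webAppSecurityConfig, atomicServiceReference);
        this.referrerURLHandler = new ReferrerURLCookieHandler(webAppSecurityConfig);
        this.wac = iServletContext.getWebAppConfig();
        this.appName = this.wac.getApplicationName();
        WebModuleMetaData moduleMetaData = this.wac.getMetaData();
        this.securityMetadata = (SecurityMetadata) moduleMetaData.getSecurityMetaData();
    }

    /**
     * Entry point called by the web container for the form-login action.
     * Non-HTTP request/response pairs are ignored. Provider authentication runs
     * first; the registry-backed form login only runs when every provider
     * returned {@link AuthResult#CONTINUE}.
     *
     * @throws Exception propagated from the provider authenticators or the login steps
     */
    public void handleRequest(ServletRequest servletRequest, ServletResponse servletResponse) throws Exception {
        if (!(servletRequest instanceof HttpServletRequest) || !(servletResponse instanceof HttpServletResponse)) {
            return;
        }
        HttpServletRequest req = (HttpServletRequest) servletRequest;
        HttpServletResponse res = (HttpServletResponse) servletResponse;
        if (handleProviderAuthenticate(req, res)) {
            return;
        }
        formLogin(req, res, this.referrerURLHandler);
    }

    /**
     * Offers the request to the provider authenticators.
     *
     * @return {@code false} only when the providers declined
     *         ({@link AuthResult#CONTINUE}) and the registry-backed form login
     *         should proceed; {@code true} when the response has been fully
     *         handled here (redirect to a provider, success, or error)
     * @throws Exception propagated from the provider proxy
     */
    private boolean handleProviderAuthenticate(HttpServletRequest req, HttpServletResponse res) throws Exception {
        HashMap<String, Object> props = null;
        if (isJaspiEnabled()) {
            // JASPI providers are handed the form-login context they need.
            props = new HashMap<>();
            props.put("authType", "FORM_LOGIN");
            props.put("webAppConfig", this.wac);
            props.put("securityMetadata", this.securityMetadata);
            props.put("webAppSecurityConfig", this.webAppSecConfig);
        }
        AuthenticationResult authResult = this.providerAuthenticatorProxy.authenticate(req, res, props);
        if (authResult.getStatus() == AuthResult.CONTINUE) {
            return false;
        }
        if (authResult.getStatus() == AuthResult.REDIRECT_TO_PROVIDER) {
            return true;
        }
        if (authResult.getStatus() == AuthResult.SUCCESS) {
            postFormLoginProcess(req, res, authResult.getSubject());
        } else {
            // A failed provider result must not fall through to postFormLoginProcess:
            // that would set the caller subject and issue SSO cookies from a result
            // that was not a success.
            handleError(req, res);
        }
        return true;
    }

    /**
     * Verifies {@code j_username}/{@code j_password} against the user registry
     * and completes or fails the login accordingly.
     * <p>
     * Form login requires single sign-on (the SSO cookie is what carries the
     * authenticated state to subsequent requests); when SSO is disabled an error
     * is logged and the request fails.
     *
     * @param referrerURLCookieHandler accepted for interface compatibility; the
     *                                 instance field is what the post-login step uses
     * @throws ServletException declared for interface compatibility
     * @throws IOException      if the error or success redirect cannot be sent
     */
    private void formLogin(HttpServletRequest req, HttpServletResponse res, ReferrerURLCookieHandler referrerURLCookieHandler) throws ServletException, IOException {
        boolean staleSessionPresented = req.getRequestedSessionId() != null && !req.isRequestedSessionIdValid();
        if (this.webAppSecConfig.getLogoutOnHttpSessionExpire() && staleSessionPresented) {
            // Replace the expired session the client presented with a fresh one.
            req.getSession(true);
        }
        if (!this.webAppSecConfig.isSingleSignonEnabled()) {
            Tr.error(tc, "SEC_FORM_LOGIN_BAD_CONFIG", this.appName);
            handleError(req, res);
            return;
        }
        String username = req.getParameter("j_username");
        String password = req.getParameter("j_password");
        if (username == null || password == null || password.isEmpty()) {
            handleError(req, res);
            return;
        }
        BasicAuthAuthenticator authenticator = new BasicAuthAuthenticator(this.authenticationService, this.userRegistry, this.ssoCookieHelper, this.webAppSecConfig);
        AuthenticationResult authResult = authenticator.basicAuthenticate(null, username, password, req, res);
        if (authResult.getStatus() == AuthResult.SUCCESS) {
            postFormLoginProcess(req, res, authResult.getSubject());
        } else {
            handleError(req, res);
        }
    }

    /**
     * Fails the login: sets HTTP 401 and, when an error page is resolved,
     * redirects to it.
     *
     * @throws IOException if the redirect cannot be sent
     */
    private void handleError(HttpServletRequest req, HttpServletResponse res) throws IOException {
        res.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        // Resolve once; the lookup reads request parameters and cookies.
        String errorPageUrl = getErrorPage(req, res);
        if (errorPageUrl != null) {
            res.sendRedirect(res.encodeURL(errorPageUrl));
        }
    }

    /**
     * Completes a successful login: installs {@code subject} as caller and
     * invocation subject, validates the stored referrer URL against the request
     * URL and the configured redirect domain names, issues SSO cookies, clears
     * the referrer cookie and redirects to the stored URL unless the response is
     * already committed.
     *
     * @param subject the authenticated subject
     * @throws IOException      if the redirect cannot be sent
     * @throws RuntimeException declared by the original; presumably raised by
     *                          {@code isReferrerHostValid} when the stored host
     *                          is not acceptable — confirm against that handler
     */
    protected void postFormLoginProcess(HttpServletRequest req, HttpServletResponse res, Subject subject) throws IOException, RuntimeException {
        this.subjectManager.setCallerSubject(subject);
        this.subjectManager.setInvocationSubject(subject);
        String storedReq = getStoredReq(req, this.referrerURLHandler);
        if (storedReq != null && !storedReq.isEmpty()) {
            // Called for its validation effect only; the boolean result is not used
            // here. Passwords are stripped from both URLs before they are compared
            // (and potentially traced).
            ReferrerURLCookieHandler.isReferrerHostValid(PasswordNullifier.nullifyParams(req.getRequestURL().toString()), PasswordNullifier.nullifyParams(storedReq), this.webAppSecConfig.getWASReqURLRedirectDomainNames());
        }
        this.ssoCookieHelper.addSSOCookiesToResponse(subject, req, res);
        this.referrerURLHandler.invalidateReferrerURLCookie(req, res, ReferrerURLCookieHandler.REFERRER_URL_COOKIENAME);
        if (res.isCommitted()) {
            return;
        }
        res.sendRedirect(res.encodeURL(storedReq));
    }

    /**
     * Reads the originally requested URL from the referrer cookie.
     * <p>
     * A missing cookie or one holding only the virtual root collapses to
     * {@link ExtensionConstants#CORE_EXTENSION}; a value starting with the
     * virtual root has that leading character dropped. Marked {@link Sensitive}
     * so the value is not traced.
     */
    @Sensitive
    private String getStoredReq(HttpServletRequest req, ReferrerURLCookieHandler referrerURLCookieHandler) {
        String storedUrl = referrerURLCookieHandler.getReferrerURLFromCookies(req, ReferrerURLCookieHandler.REFERRER_URL_COOKIENAME);
        if (storedUrl == null || storedUrl.equals(WsLocationConstants.LOC_VIRTUAL_ROOT)) {
            return ExtensionConstants.CORE_EXTENSION;
        }
        if (storedUrl.startsWith(WsLocationConstants.LOC_VIRTUAL_ROOT)) {
            return storedUrl.substring(1);
        }
        return storedUrl;
    }

    /**
     * Turns {@code path} into an absolute URL on the current request's scheme
     * and authority.
     * <p>
     * A value already starting with {@code http://} or {@code https://} is
     * returned unchanged. Otherwise it is rooted with the virtual root if
     * needed, optionally prefixed with the request's context path, and spliced
     * into the request URL in place of everything after the authority.
     *
     * @param path               page to resolve; null yields null
     * @param prefixContextPath  whether to prepend the request's context path
     * @return the absolute URL, or null when {@code path} is null
     */
    private String setUpAFullUrl(HttpServletRequest req, String path, boolean prefixContextPath) {
        if (path == null) {
            return null;
        }
        if (path.startsWith("http://") || path.startsWith("https://")) {
            return path;
        }
        String rootedPath = path.startsWith(WsLocationConstants.LOC_VIRTUAL_ROOT) ? path : WsLocationConstants.LOC_VIRTUAL_ROOT + path;
        String target;
        if (prefixContextPath) {
            String contextPath = req.getContextPath();
            if (contextPath.equals(WsLocationConstants.LOC_VIRTUAL_ROOT)) {
                // Root context: no prefix, otherwise the path would start with "//".
                contextPath = ExtensionConstants.CORE_EXTENSION;
            }
            target = contextPath + rootedPath;
        } else {
            target = rootedPath;
        }
        StringBuffer requestURL = req.getRequestURL();
        String requestUrlText = requestURL.toString();
        // First path separator after the "scheme://authority" part.
        int pathStart = requestUrlText.indexOf(WsLocationConstants.LOC_VIRTUAL_ROOT, requestUrlText.indexOf("//") + 2);
        int end = requestUrlText.length();
        if (pathStart < 0) {
            // No path component in the request URL: append rather than fail on replace(-1, ...).
            pathStart = end;
        }
        requestURL.replace(pathStart, end, target);
        return requestURL.toString();
    }

    /**
     * Resolves the error page to redirect to, in order of precedence: the
     * {@code error_page} request parameter (context-path relative), the custom
     * relogin cookie (taken as-is), then the form-login error page from
     * web.xml (context-path relative).
     * <p>
     * NOTE(review): the {@code error_page} request parameter is client
     * supplied, and {@link #setUpAFullUrl} returns any value starting with
     * {@code http://} or {@code https://} unchanged, so an absolute URL in that
     * parameter is redirected to as given. Deployments should confirm that
     * this matches their redirect policy.
     *
     * @return the absolute error page URL, or null when none is configured
     */
    private String getErrorPage(HttpServletRequest req, HttpServletResponse res) {
        boolean prefixContextPath = true;
        String page = getCustomErrorPage(req);
        if (page == null || page.isEmpty()) {
            prefixContextPath = false;
            page = getCustomReloginErrorPage(req);
        }
        if (page == null || page.isEmpty()) {
            prefixContextPath = true;
            page = getErrorPageFromWebXml();
        }
        return page == null ? null : setUpAFullUrl(req, page, prefixContextPath);
    }

    /** Error page named by the login form's {@code error_page} parameter, or null. */
    private String getCustomErrorPage(HttpServletRequest req) {
        return req.getParameter(ERROR_PAGE_PARAM);
    }

    /**
     * Error page from the custom relogin cookie. A non-empty value without a
     * query string gets {@code ?error=error} appended so the page can tell a
     * failed attempt from a first visit.
     */
    private String getCustomReloginErrorPage(HttpServletRequest req) {
        String reloginUrl = CookieHelper.getCookieValue(req.getCookies(), ReferrerURLCookieHandler.CUSTOM_RELOGIN_URL_COOKIENAME);
        if (reloginUrl == null || reloginUrl.isEmpty() || reloginUrl.indexOf("?") >= 0) {
            return reloginUrl;
        }
        return reloginUrl + RELOGIN_ERROR_QUERY;
    }

    /** Form-login error page declared in web.xml, or null when none is configured. */
    private String getErrorPageFromWebXml() {
        LoginConfiguration loginConfiguration = this.securityMetadata.getLoginConfiguration();
        if (loginConfiguration == null) {
            return null;
        }
        FormLoginConfiguration formLoginConfiguration = loginConfiguration.getFormLoginConfiguration();
        return formLoginConfiguration == null ? null : formLoginConfiguration.getErrorPage();
    }

    /** True when a JASPI authenticator is registered in the authenticator map. */
    private boolean isJaspiEnabled() {
        if (this.webAuthenticatorRef == null) {
            return false;
        }
        return this.webAuthenticatorRef.getService(JASPI_AUTHENTICATOR_KEY) != null;
    }
}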
