package com.ibm.ws.webcontainer.security.metadata;

import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.ws.container.service.annotations.WebAnnotations;
import com.ibm.ws.container.service.config.ServletConfigurator;
import com.ibm.ws.container.service.config.ServletConfiguratorHelper;
import com.ibm.ws.container.service.config.WebFragmentInfo;
import com.ibm.ws.javaee.dd.common.EnvEntry;
import com.ibm.ws.javaee.dd.common.RunAs;
import com.ibm.ws.javaee.dd.common.SecurityRole;
import com.ibm.ws.javaee.dd.common.SecurityRoleRef;
import com.ibm.ws.javaee.dd.web.WebApp;
import com.ibm.ws.javaee.dd.web.WebFragment;
import com.ibm.ws.javaee.dd.web.common.AuthConstraint;
import com.ibm.ws.javaee.dd.web.common.FormLoginConfig;
import com.ibm.ws.javaee.dd.web.common.LoginConfig;
import com.ibm.ws.javaee.dd.web.common.Servlet;
import com.ibm.ws.javaee.dd.web.common.ServletMapping;
import com.ibm.ws.javaee.dd.web.common.UserDataConstraint;
import com.ibm.ws.javaee.dd.webbnd.WebBnd;
import com.ibm.ws.javaee.dd.webext.WebExt;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import com.ibm.wsspi.adaptable.module.UnableToAdaptException;
import com.ibm.wsspi.anno.info.AnnotationInfo;
import com.ibm.wsspi.anno.info.AnnotationValue;
import com.ibm.wsspi.anno.info.ClassInfo;
import com.ibm.wsspi.webcontainer.metadata.WebModuleMetaData;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.annotation.security.DeclareRoles;

/**
 * Collects the security settings of a web module while its configuration sources are processed,
 * then serves them as the module's {@link SecurityMetadata}.
 *
 * <p>Input arrives through the {@code configureFrom*} callbacks: {@code web.xml}, web fragments and
 * {@code @DeclareRoles} annotations. The helper accumulates security constraints, the login
 * configuration, declared roles, per-servlet role references, run-as roles, the URL-pattern to
 * servlet-name map, the SyncToOSThread env-entry and the deny-uncovered-http-methods flag.
 * {@link #finish()} registers this object on the module's {@code WebModuleMetaData}.
 *
 * <p>No synchronization is visible in this class. Several getters return the internal collections
 * without copying them, so callers share, and can modify, the state used for authorization.
 *
 * <p>NOTE(review): this listing is decompiled output (raw collection types, synthetic parameter
 * names such as {@code z} and {@code list2}); generic signatures of the configurator API are not
 * recoverable from here.
 */
@InjectedFFDC
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
/* loaded from: input_file:lib/com.ibm.ws.webcontainer.security_1.0.13.cl160220160819-1442.jar:com/ibm/ws/webcontainer/security/metadata/SecurityServletConfiguratorHelper.class */
public class SecurityServletConfiguratorHelper implements ServletConfiguratorHelper, SecurityMetadata {
    // Descriptor element names. Within this class they are passed to the configurator's
    // getConfigItemMap(...) and validateDuplicate*Configuration(...) calls, or used as map keys.
    public static final String AUTH_METHOD_KEY = "auth-method";
    public static final String FORM_LOGIN_CONFIG_KEY = "form-login-config";
    public static final String REALM_NAME_KEY = "realm-name";
    public static final String LOGIN_CONFIG_KEY = "login-config";
    public static final String RUN_AS_KEY = "run-as";
    public static final String SERVLET_NAME_KEY = "servlet-name";
    public static final String SERVLET_KEY = "servlet";
    public static final String SECURITY_CONSTRAINT_KEY = "security-constraint";
    public static final String AUTH_CONSTRAINT_KEY = "auth-constraint";
    public static final String USER_DATA_CONSTRAINT_KEY = "user-data-constraint";
    // Not referenced anywhere else in this class.
    public static final String DENY_UNCOVERED_HTTP_METHODS_KEY = "deny-uncovered-http-methods";
    // Name of the env-entry whose value is parsed into syncToOSThread (see processEnvEntries).
    protected static final String SYNC_TO_OS_THREAD_ENV_ENTRY_KEY = "com.ibm.websphere.security.SyncToOSThread";
    private static final TraceComponent tc = Tr.register(SecurityServletConfiguratorHelper.class);
    // Set by the constructor and cleared in finish(); every process*/create* method that reads
    // config item maps dereferences it, so those methods cannot run after finish().
    private ServletConfigurator configurator;
    // Role name in an auth-constraint that createRoles() replaces with the allRoles list.
    private static final String ALL_ROLES_MARKER = "*";
    // Null until the first call to processSecurityConstraints() or the setter.
    private SecurityConstraintCollection securityConstraintCollection;
    // Null until a login-config is processed, configureDefaults() runs, or the setter is called.
    private LoginConfiguration loginConfiguration;
    // Role names from security-role elements and @DeclareRoles, in first-seen order, no duplicates
    // added by this class. The same list instance can be handed to constraints by createRoles().
    private List<String> allRoles = new ArrayList();
    // servlet name -> (role-ref name -> linked role name); filled by processSecurityRoleRefs().
    private final Map<String, Map<String, String>> securityRoleRefsByServlet = new HashMap();
    // URL pattern -> servlet name; written by processURLPatterns(), replaceable through the setter.
    // No getter for it is visible in this class.
    private Map<String, String> urlPatternToServletName = new HashMap();
    // servlet name -> run-as role name; filled by processRunAs().
    private final Map<String, String> servletNameToRunAsRole = new HashMap();
    private boolean syncToOSThread = false;
    private boolean denyUncoveredHttpMethods = false;
    static final long serialVersionUID = 2786513624388493391L;

    /**
     * Creates a helper bound to the configurator that drives the module's configuration.
     *
     * @param servletConfigurator source of config item maps, annotations and the module cache;
     *                            stored as given (no null check here)
     */
    public SecurityServletConfiguratorHelper(ServletConfigurator servletConfigurator) {
        this.configurator = servletConfigurator;
    }

    /** No initialisation is performed by this helper. */
    public void configureInit() {
    }

    /**
     * Processes the security elements of {@code web.xml}.
     *
     * <p>The module-level elements are handled first, so the roles declared in this descriptor are
     * already in {@code allRoles} when the servlet role references are validated below. The
     * deny-uncovered-http-methods flag is only ever set from here; fragments pass {@code false}.
     *
     * @param webApp the parsed {@code web.xml}; dereferenced without a null check
     */
    public void configureFromWebApp(WebApp webApp) {
        configureSecurity(webApp.getSecurityConstraints(), webApp.getLoginConfig(), webApp.getSecurityRoles(), webApp.getServletMappings(), webApp.getEnvEntries(), webApp.isSetDenyUncoveredHttpMethods());
        if (webApp.isSetDenyUncoveredHttpMethods()) {
            setDenyUncoveredHttpMethods(true);
        }
        for (Servlet servlet : webApp.getServlets()) {
            processSecurityRoleRefs(servlet.getServletName(), servlet.getSecurityRoleRefs());
            processRunAs(servlet);
        }
    }

    /**
     * Processes the security elements of one web fragment.
     *
     * <p>The deny-uncovered flag is passed as the literal {@code false}, so a fragment cannot turn
     * deny-uncovered-http-methods on, and the web resource collections built for its constraints
     * are created with that flag off.
     *
     * @param webFragmentInfo wrapper of the fragment descriptor to read
     */
    public void configureFromWebFragment(WebFragmentInfo webFragmentInfo) {
        WebFragment webFragment = webFragmentInfo.getWebFragment();
        configureSecurity(webFragment.getSecurityConstraints(), webFragment.getLoginConfig(), webFragment.getSecurityRoles(), webFragment.getServletMappings(), webFragment.getEnvEntries(), false);
        for (Servlet servlet : webFragment.getServlets()) {
            processSecurityRoleRefs(servlet.getServletName(), servlet.getSecurityRoleRefs());
            processRunAs(servlet);
        }
    }

    /**
     * Adds the roles named by {@code @DeclareRoles} on the fragment's annotated classes.
     *
     * <p>Only {@code @DeclareRoles} is read here; no other security annotation is handled by this
     * method.
     *
     * @param webFragmentInfo fragment whose annotated classes are scanned
     * @throws UnableToAdaptException propagated from the annotation lookups
     */
    public void configureFromAnnotations(WebFragmentInfo webFragmentInfo) throws UnableToAdaptException {
        WebAnnotations webAnnotations = this.configurator.getWebAnnotations();
        processSecurityRoles(webAnnotations, webAnnotations.getFragmentAnnotations(webFragmentInfo).selectAnnotatedClasses(DeclareRoles.class));
    }

    /**
     * Installs a default login configuration when no descriptor supplied one.
     *
     * <p>The default uses {@code LoginConfiguration.BASIC} as the auth method, with no realm name
     * and no form login configuration.
     */
    public void configureDefaults() throws UnableToAdaptException {
        if (this.loginConfiguration == null) {
            this.loginConfiguration = new LoginConfigurationImpl(LoginConfiguration.BASIC, null, null);
        }
    }

    /** Nothing is read from the web bindings by this helper. */
    public void configureWebBnd(WebBnd webBnd) throws UnableToAdaptException {
    }

    /** Nothing is read from the web extensions by this helper. */
    public void configureWebExt(WebExt webExt) throws UnableToAdaptException {
    }

    /**
     * Publishes this object as the module's security metadata and drops the configurator.
     *
     * <p>The cached {@code WebModuleMetaData} is dereferenced without a null check, after the
     * configurator reference has already been cleared.
     */
    public void finish() {
        WebModuleMetaData webModuleMetaData = (WebModuleMetaData) this.configurator.getFromModuleCache(WebModuleMetaData.class);
        this.configurator = null;
        webModuleMetaData.setSecurityMetaData(this);
    }

    /**
     * Runs the module-level processing steps for one descriptor, in a fixed order.
     *
     * <p>Constraints are converted before the descriptor's own roles are added. A {@code "*"}
     * auth-constraint still sees those roles because createRoles() hands out the {@code allRoles}
     * list itself rather than a snapshot.
     *
     * @param list  security-constraint elements
     * @param loginConfig login-config element, may be null
     * @param list2 security-role elements
     * @param list3 servlet-mapping elements
     * @param list4 env-entry elements, may be null
     * @param z     whether deny-uncovered-http-methods is set in this descriptor
     */
    private void configureSecurity(List<com.ibm.ws.javaee.dd.web.common.SecurityConstraint> list, LoginConfig loginConfig, List<SecurityRole> list2, List<ServletMapping> list3, List<EnvEntry> list4, boolean z) {
        processSecurityConstraints(list, z);
        processLoginConfig(loginConfig);
        processSecurityRoles(list2);
        processURLPatterns(list3);
        processEnvEntries(list4);
        processDenyUncoveredHttpMethods(z);
    }

    /**
     * Traces whether the deny-uncovered-http-methods element was present.
     *
     * <p>This method changes no state; the field is set in configureFromWebApp().
     *
     * @param z whether the element is set in the descriptor being processed
     */
    private void processDenyUncoveredHttpMethods(boolean z) {
        if (z) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "deny-uncovered-http-methods element IS found", new Object[0]);
            }
        } else if (tc.isDebugEnabled()) {
            Tr.debug(tc, "deny-uncovered-http-methods element NOT found", new Object[0]);
        }
    }

    /**
     * Converts the descriptor's security constraints and adds them to the module's collection.
     *
     * @param list security-constraint elements of one descriptor; iterated without a null check
     * @param z    deny-uncovered flag forwarded to each web resource collection
     */
    private void processSecurityConstraints(List<com.ibm.ws.javaee.dd.web.common.SecurityConstraint> list, boolean z) {
        ArrayList arrayList = new ArrayList();
        Iterator<com.ibm.ws.javaee.dd.web.common.SecurityConstraint> it = list.iterator();
        while (it.hasNext()) {
            arrayList.add(createSecurityConstraint(it.next(), z));
        }
        // The first descriptor creates the collection; later ones append to it.
        if (this.securityConstraintCollection == null) {
            this.securityConstraintCollection = new SecurityConstraintCollectionImpl(arrayList);
        } else {
            this.securityConstraintCollection.addSecurityConstraints(arrayList);
        }
    }

    /**
     * Records the auth-method, realm-name and form-login-config of a login-config element.
     *
     * <p>For each of the three values, the first one seen is stored as a config item under the
     * key {@code "login-config"}; a later one is handed to
     * {@code validateDuplicateConfiguration} instead.
     *
     * @param loginConfig the login-config element, or null when the descriptor has none
     */
    private void processLoginConfig(LoginConfig loginConfig) {
        if (loginConfig != null) {
            String authMethod = loginConfig.getAuthMethod();
            if (authMethod != null) {
                Map configItemMap = this.configurator.getConfigItemMap(AUTH_METHOD_KEY);
                ServletConfigurator.ConfigItem configItem = (ServletConfigurator.ConfigItem) configItemMap.get(LOGIN_CONFIG_KEY);
                if (configItem == null) {
                    configItemMap.put(LOGIN_CONFIG_KEY, this.configurator.createConfigItem(authMethod));
                } else {
                    this.configurator.validateDuplicateConfiguration(LOGIN_CONFIG_KEY, AUTH_METHOD_KEY, authMethod, configItem);
                }
            }
            String realmName = loginConfig.getRealmName();
            if (realmName != null) {
                Map configItemMap2 = this.configurator.getConfigItemMap(REALM_NAME_KEY);
                ServletConfigurator.ConfigItem configItem2 = (ServletConfigurator.ConfigItem) configItemMap2.get(LOGIN_CONFIG_KEY);
                if (configItem2 == null) {
                    configItemMap2.put(LOGIN_CONFIG_KEY, this.configurator.createConfigItem(realmName));
                } else {
                    this.configurator.validateDuplicateConfiguration(LOGIN_CONFIG_KEY, REALM_NAME_KEY, realmName, configItem2);
                }
            }
            FormLoginConfig formLoginConfig = loginConfig.getFormLoginConfig();
            FormLoginConfiguration formLoginConfiguration = null;
            if (formLoginConfig != null) {
                Map configItemMap3 = this.configurator.getConfigItemMap(FORM_LOGIN_CONFIG_KEY);
                ServletConfigurator.ConfigItem configItem3 = (ServletConfigurator.ConfigItem) configItemMap3.get(LOGIN_CONFIG_KEY);
                if (configItem3 == null) {
                    configItemMap3.put(LOGIN_CONFIG_KEY, this.configurator.createConfigItem(loginConfig.getFormLoginConfig()));
                    formLoginConfiguration = createFormLoginConfiguration(loginConfig);
                } else {
                    this.configurator.validateDuplicateConfiguration(LOGIN_CONFIG_KEY, FORM_LOGIN_CONFIG_KEY, formLoginConfig, configItem3);
                }
            }
            // NOTE(review): this assignment is unconditional. Each descriptor that carries a
            // login-config replaces the effective one with its own values, and on the duplicate
            // path formLoginConfiguration stays null. Whether a conflicting later descriptor can
            // get this far depends on what validateDuplicateConfiguration does on a mismatch
            // (not visible here) - confirm that a fragment cannot override web.xml's auth method.
            this.loginConfiguration = new LoginConfigurationImpl(authMethod, realmName, formLoginConfiguration);
        }
    }

    /**
     * Adds the role names of the given security-role elements to {@code allRoles}, skipping
     * names that are already present.
     *
     * @param list security-role elements; iterated without a null check
     */
    private void processSecurityRoles(List<SecurityRole> list) {
        for (SecurityRole securityRole : list) {
            if (!this.allRoles.contains(securityRole.getRoleName())) {
                this.allRoles.add(securityRole.getRoleName());
            }
        }
        if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
            Tr.debug(tc, "allRoles: " + this.allRoles, new Object[0]);
        }
    }

    /**
     * Adds the roles listed in {@code @DeclareRoles} on each named class to {@code allRoles}.
     *
     * @param webAnnotations annotation access for the module
     * @param set            names of the classes selected as carrying {@code @DeclareRoles}
     * @throws UnableToAdaptException propagated from the class-info lookup
     */
    private void processSecurityRoles(WebAnnotations webAnnotations, Set<String> set) throws UnableToAdaptException {
        for (String str : set) {
            // classInfo is dereferenced below without a null check.
            ClassInfo classInfo = webAnnotations.getClassInfo(str);
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "@DeclareRoles found on class ", str);
            }
            AnnotationInfo annotation = classInfo.getAnnotation(DeclareRoles.class);
            if (annotation != null) {
                Iterator it = annotation.getValue("value").getArrayValue().iterator();
                while (it.hasNext()) {
                    String stringValue = ((AnnotationValue) it.next()).getStringValue();
                    if (!this.allRoles.contains(stringValue)) {
                        this.allRoles.add(stringValue);
                    }
                }
            }
        }
        if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
            Tr.debug(tc, "allRoles: " + this.allRoles, new Object[0]);
        }
    }

    /**
     * Records which servlet each URL pattern of the given servlet mappings belongs to.
     *
     * <p>Entries are written with {@code Map.put}, so a pattern seen again replaces the servlet
     * name recorded for it earlier.
     *
     * @param list servlet-mapping elements; iterated without a null check
     */
    private void processURLPatterns(List<ServletMapping> list) {
        for (ServletMapping servletMapping : list) {
            String servletName = servletMapping.getServletName();
            List uRLPatterns = servletMapping.getURLPatterns();
            if (uRLPatterns != null) {
                Iterator it = uRLPatterns.iterator();
                while (it.hasNext()) {
                    this.urlPatternToServletName.put((String) it.next(), servletName);
                }
            }
        }
        if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
            Tr.debug(tc, "urlPatternToServletName: " + this.urlPatternToServletName, new Object[0]);
        }
    }

    /**
     * Reads the SyncToOSThread env-entry from the given entries.
     *
     * <p>The value goes through {@code Boolean.parseBoolean}, so only the string "true" in any
     * letter case enables the flag. When several entries carry the key, the last one processed
     * decides.
     *
     * @param list env-entry elements, may be null
     */
    private void processEnvEntries(List<EnvEntry> list) {
        if (list != null) {
            for (EnvEntry envEntry : list) {
                // NOTE(review): with debug trace on, the value of every env-entry is written to
                // the trace, not only the SyncToOSThread one. Env-entry values are supplied by
                // the application and may be sensitive; tracing the name alone would avoid that.
                if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                    Tr.debug(tc, "processing envEntry", envEntry.getName(), envEntry.getValue());
                }
                if (SYNC_TO_OS_THREAD_ENV_ENTRY_KEY.equals(envEntry.getName())) {
                    this.syncToOSThread = Boolean.parseBoolean(envEntry.getValue());
                }
            }
        }
    }

    /**
     * Stores the valid security-role-ref links of one servlet.
     *
     * <p>A fresh map is registered for the servlet name on every call, replacing any map stored
     * for that name before. A reference without a link, or with a link that is not in
     * {@code allRoles} at the time of the call, produces a warning and is not stored.
     *
     * <p>NOTE(review): validity is judged against the roles known so far. A link to a role that is
     * declared only by a descriptor or annotation processed later is dropped here; the processing
     * order is decided by the caller and is not visible in this class.
     *
     * @param str  servlet name
     * @param list security-role-ref elements of that servlet; iterated without a null check
     */
    private void processSecurityRoleRefs(String str, List<SecurityRoleRef> list) {
        HashMap hashMap = new HashMap();
        this.securityRoleRefsByServlet.put(str, hashMap);
        for (SecurityRoleRef securityRoleRef : list) {
            if (securityRoleRef.getLink() == null) {
                Tr.warning(tc, "MISSING_SEC_ROLE_REF_ROLE_LINK", str, securityRoleRef.getName());
            } else if (this.allRoles.contains(securityRoleRef.getLink())) {
                hashMap.put(securityRoleRef.getName(), securityRoleRef.getLink());
            } else {
                Tr.warning(tc, "INVALID_SEC_ROLE_REF_ROLE_LINK", str, securityRoleRef.getLink(), securityRoleRef.getName());
            }
        }
        if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
            Tr.debug(tc, "securityRoleRefsByServlet: " + this.securityRoleRefsByServlet, new Object[0]);
        }
    }

    /**
     * Records the run-as role of a servlet.
     *
     * <p>The first run-as seen for a servlet name is stored. A later one for the same name is
     * passed to {@code validateDuplicateKeyValueConfiguration} and leaves the stored role
     * untouched. The role name is not checked against {@code allRoles} in this method.
     *
     * @param servlet servlet element to read
     */
    private void processRunAs(Servlet servlet) {
        String servletName = servlet.getServletName();
        Map configItemMap = this.configurator.getConfigItemMap(RUN_AS_KEY);
        ServletConfigurator.ConfigItem configItem = (ServletConfigurator.ConfigItem) configItemMap.get(servletName);
        RunAs runAs = servlet.getRunAs();
        String roleName = runAs != null ? runAs.getRoleName() : null;
        if (runAs != null) {
            if (configItem == null) {
                // The config item is created even for a null role name; only a non-null name
                // reaches the run-as map.
                configItemMap.put(servletName, this.configurator.createConfigItem(roleName));
                if (roleName != null) {
                    this.servletNameToRunAsRole.put(servletName, roleName);
                }
            } else {
                this.configurator.validateDuplicateKeyValueConfiguration(SERVLET_KEY, SERVLET_NAME_KEY, servletName, RUN_AS_KEY, roleName, configItem);
            }
        }
        if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
            Tr.debug(tc, "servletNameToRunAsRole: " + this.servletNameToRunAsRole, new Object[0]);
        }
    }

    /**
     * Builds the runtime constraint for one descriptor security-constraint.
     *
     * <p>The two trailing constructor arguments are always {@code false}; their meaning is defined
     * by {@code SecurityConstraint}, which is not visible here.
     *
     * @param securityConstraint descriptor element to convert
     * @param z                  deny-uncovered flag forwarded to the web resource collections
     * @return the runtime security constraint
     */
    private SecurityConstraint createSecurityConstraint(com.ibm.ws.javaee.dd.web.common.SecurityConstraint securityConstraint, boolean z) {
        return new SecurityConstraint(createWebResourceCollections(securityConstraint, z), createRoles(securityConstraint), isSSLRequired(securityConstraint), isAccessPrecluded(securityConstraint), false, false);
    }

    /**
     * Wraps each web-resource-collection of the constraint in a runtime
     * {@code WebResourceCollection} carrying its URL patterns, HTTP methods, HTTP method
     * omissions and the deny-uncovered flag.
     *
     * @param securityConstraint descriptor element to read
     * @param z                  deny-uncovered flag stored on every created collection
     * @return the created collections, in descriptor order
     */
    private List<WebResourceCollection> createWebResourceCollections(com.ibm.ws.javaee.dd.web.common.SecurityConstraint securityConstraint, boolean z) {
        ArrayList arrayList = new ArrayList();
        for (com.ibm.ws.javaee.dd.web.common.WebResourceCollection webResourceCollection : securityConstraint.getWebResourceCollections()) {
            arrayList.add(new WebResourceCollection(webResourceCollection.getURLPatterns(), webResourceCollection.getHTTPMethods(), webResourceCollection.getHTTPMethodOmissions(), z));
        }
        return arrayList;
    }

    /**
     * Determines the role list of a constraint from its auth-constraint.
     *
     * <p>Without an auth-constraint the result is a new empty list. With one, the result is the
     * descriptor's own role-name list, or the {@code allRoles} list itself when the names contain
     * {@code "*"}. Neither is copied, so a {@code "*"} constraint follows later additions to
     * {@code allRoles} but keeps the old list if setRoles() installs a different one.
     *
     * <p>Config items are keyed by the web-resource-name of the first web-resource-collection
     * only. The {@code get(0)} call assumes at least one collection exists.
     *
     * @param securityConstraint descriptor element to read
     * @return the roles for the constraint; empty when a fragment repeats a web-resource-name
     *         whose auth-constraint was already recorded from {@code web.xml}
     */
    /* JADX WARN: Multi-variable type inference failed */
    private List<String> createRoles(com.ibm.ws.javaee.dd.web.common.SecurityConstraint securityConstraint) {
        List arrayList = new ArrayList();
        AuthConstraint authConstraint = securityConstraint.getAuthConstraint();
        if (authConstraint != null) {
            Map configItemMap = this.configurator.getConfigItemMap(AUTH_CONSTRAINT_KEY);
            String webResourceName = ((com.ibm.ws.javaee.dd.web.common.WebResourceCollection) securityConstraint.getWebResourceCollections().get(0)).getWebResourceName();
            ServletConfigurator.ConfigItem configItem = (ServletConfigurator.ConfigItem) configItemMap.get(webResourceName);
            arrayList = authConstraint.getRoleNames();
            if (arrayList.contains(ALL_ROLES_MARKER)) {
                arrayList = this.allRoles;
            }
            if (configItem == null) {
                configItemMap.put(webResourceName, this.configurator.createConfigItem(arrayList));
            } else {
                this.configurator.validateDuplicateConfiguration(SECURITY_CONSTRAINT_KEY, AUTH_CONSTRAINT_KEY, arrayList, configItem);
                // NOTE(review): the fragment's roles are discarded here, while
                // isAccessPrecluded() is computed separately from the fragment's own
                // auth-constraint. How SecurityConstraint treats an empty role list with
                // accessPrecluded == false is not visible here - confirm it does not leave the
                // fragment's URL patterns unprotected.
                if (ServletConfigurator.ConfigSource.WEB_FRAGMENT == this.configurator.getConfigSource() && ServletConfigurator.ConfigSource.WEB_XML == configItem.getSource()) {
                    return new ArrayList();
                }
            }
        }
        return arrayList;
    }

    /**
     * Decides whether the constraint requires a protected transport.
     *
     * <p>The result is {@code true} only when this is the first user-data-constraint recorded for
     * the web-resource-name of the constraint's first web-resource-collection and its transport
     * guarantee is non-zero (zero presumably stands for NONE - confirm against
     * {@code UserDataConstraint}). The {@code get(0)} call assumes at least one collection exists.
     *
     * <p>NOTE(review): on the duplicate path the result is {@code false} whatever guarantee the
     * constraint asks for. Two constraints sharing a web-resource-name therefore leave the second
     * without the SSL requirement unless {@code validateDuplicateConfiguration} rejects the
     * configuration (not visible here).
     *
     * @param securityConstraint descriptor element to read
     * @return whether SSL is required for the constraint
     */
    private boolean isSSLRequired(com.ibm.ws.javaee.dd.web.common.SecurityConstraint securityConstraint) {
        boolean z = false;
        UserDataConstraint userDataConstraint = securityConstraint.getUserDataConstraint();
        if (userDataConstraint != null) {
            int transportGuarantee = userDataConstraint.getTransportGuarantee();
            String webResourceName = ((com.ibm.ws.javaee.dd.web.common.WebResourceCollection) securityConstraint.getWebResourceCollections().get(0)).getWebResourceName();
            Map configItemMap = this.configurator.getConfigItemMap(USER_DATA_CONSTRAINT_KEY);
            ServletConfigurator.ConfigItem configItem = (ServletConfigurator.ConfigItem) configItemMap.get(webResourceName);
            if (configItem == null) {
                configItemMap.put(webResourceName, this.configurator.createConfigItem(String.valueOf(transportGuarantee)));
                if (transportGuarantee != 0) {
                    z = true;
                }
            } else {
                this.configurator.validateDuplicateConfiguration(SECURITY_CONSTRAINT_KEY, USER_DATA_CONSTRAINT_KEY, String.valueOf(transportGuarantee), configItem);
                // A fragment's user-data-constraint is ignored when web.xml already recorded one
                // for the same web-resource-name.
                if (ServletConfigurator.ConfigSource.WEB_FRAGMENT == this.configurator.getConfigSource() && ServletConfigurator.ConfigSource.WEB_XML == configItem.getSource()) {
                    return false;
                }
            }
        }
        return z;
    }

    /**
     * Reports whether the constraint has an auth-constraint that names no roles.
     *
     * @param securityConstraint descriptor element to read
     * @return {@code true} when an auth-constraint is present and its role-name list is null or
     *         empty; {@code false} when there is no auth-constraint or it names a role
     */
    private boolean isAccessPrecluded(com.ibm.ws.javaee.dd.web.common.SecurityConstraint securityConstraint) {
        List roleNames;
        boolean z = false;
        AuthConstraint authConstraint = securityConstraint.getAuthConstraint();
        if (authConstraint != null && ((roleNames = authConstraint.getRoleNames()) == null || roleNames.isEmpty())) {
            z = true;
        }
        return z;
    }

    /**
     * Builds the form login configuration from the login and error pages of the login-config.
     *
     * @param loginConfig login-config element to read
     * @return the form login configuration, or null when the element has no form-login-config
     */
    private FormLoginConfiguration createFormLoginConfiguration(LoginConfig loginConfig) {
        FormLoginConfigurationImpl formLoginConfigurationImpl = null;
        FormLoginConfig formLoginConfig = loginConfig.getFormLoginConfig();
        if (formLoginConfig != null) {
            formLoginConfigurationImpl = new FormLoginConfigurationImpl(formLoginConfig.getFormLoginPage(), formLoginConfig.getFormErrorPage());
        }
        return formLoginConfigurationImpl;
    }

    /** Returns the accumulated constraint collection; null if none was processed or set. */
    @Override // com.ibm.ws.webcontainer.security.metadata.SecurityMetadata
    public SecurityConstraintCollection getSecurityConstraintCollection() {
        return this.securityConstraintCollection;
    }

    /** Returns the effective login configuration; null until one is processed, defaulted or set. */
    @Override // com.ibm.ws.webcontainer.security.metadata.SecurityMetadata
    public LoginConfiguration getLoginConfiguration() {
        return this.loginConfiguration;
    }

    /**
     * Resolves a role name used by a servlet to a declared role.
     *
     * <p>The servlet's stored role-ref link wins. Without one, the name itself is returned when it
     * is a declared role.
     *
     * @param str  servlet name
     * @param str2 role name as used by the servlet
     * @return the linked or declared role name, or null when the name resolves to neither
     */
    @Override // com.ibm.ws.webcontainer.security.metadata.SecurityMetadata
    public String getSecurityRoleReferenced(String str, String str2) {
        Map<String, String> map = this.securityRoleRefsByServlet.get(str);
        if (map == null) {
            if (this.allRoles.contains(str2)) {
                return str2;
            }
            return null;
        }
        String str3 = map.get(str2);
        if (str3 != null) {
            return str3;
        }
        if (this.allRoles.contains(str2)) {
            return str2;
        }
        return null;
    }

    /**
     * Returns the role-ref map stored for a servlet.
     *
     * @param str servlet name
     * @return the internal map itself (not a copy), or null when the servlet has none
     */
    @Override // com.ibm.ws.webcontainer.security.metadata.SecurityMetadata
    public Map<String, String> getRoleRefs(String str) {
        return this.securityRoleRefsByServlet.get(str);
    }

    /**
     * Returns the run-as role recorded for a servlet.
     *
     * @param str servlet name
     * @return the role name, or null when none was recorded
     */
    @Override // com.ibm.ws.webcontainer.security.metadata.SecurityMetadata
    public String getRunAsRoleForServlet(String str) {
        return this.servletNameToRunAsRole.get(str);
    }

    /**
     * Returns the servlet-name to run-as-role map.
     *
     * <p>NOTE(review): this is the internal map, not a copy; a caller that modifies it changes
     * what getRunAsRoleForServlet() returns.
     */
    @Override // com.ibm.ws.webcontainer.security.metadata.SecurityMetadata
    public Map<String, String> getRunAsMap() {
        return this.servletNameToRunAsRole;
    }

    /**
     * Returns the declared roles.
     *
     * <p>NOTE(review): this is the internal list, not a copy. The same instance may back the role
     * list of {@code "*"} constraints (see createRoles), so a caller that modifies it changes the
     * roles those constraints accept.
     */
    @Override // com.ibm.ws.webcontainer.security.metadata.SecurityMetadata
    public List<String> getRoles() {
        return this.allRoles;
    }

    /** Replaces the constraint collection with the given one, stored as given. */
    @Override // com.ibm.ws.webcontainer.security.metadata.SecurityMetadata
    public void setSecurityConstraintCollection(SecurityConstraintCollection securityConstraintCollection) {
        this.securityConstraintCollection = securityConstraintCollection;
    }

    /**
     * Replaces the declared-roles list with the given one, stored as given.
     *
     * <p>Constraints that were already handed the previous list keep referring to it.
     */
    @Override // com.ibm.ws.webcontainer.security.metadata.SecurityMetadata
    public void setRoles(List<String> list) {
        this.allRoles = list;
    }

    /** Replaces the login configuration with the given one, stored as given. */
    @Override // com.ibm.ws.webcontainer.security.metadata.SecurityMetadata
    public void setLoginConfiguration(LoginConfiguration loginConfiguration) {
        this.loginConfiguration = loginConfiguration;
    }

    /** Replaces the URL-pattern to servlet-name map with the given one, stored as given. */
    @Override // com.ibm.ws.webcontainer.security.metadata.SecurityMetadata
    public void setUrlPatternToServletNameMap(Map<String, String> map) {
        this.urlPatternToServletName = map;
    }

    /** Returns the value parsed from the SyncToOSThread env-entry; false when none was seen. */
    @Override // com.ibm.ws.webcontainer.security.metadata.SecurityMetadata
    public boolean isSyncToOSThreadRequested() {
        return this.syncToOSThread;
    }

    /** Sets the deny-uncovered-http-methods flag. */
    @Override // com.ibm.ws.webcontainer.security.metadata.SecurityMetadata
    public void setDenyUncoveredHttpMethods(boolean z) {
        this.denyUncoveredHttpMethods = z;
    }

    /** Returns the deny-uncovered-http-methods flag; false unless web.xml or a caller set it. */
    @Override // com.ibm.ws.webcontainer.security.metadata.SecurityMetadata
    public boolean isDenyUncoveredHttpMethods() {
        return this.denyUncoveredHttpMethods;
    }
}
