package com.ibm.ws.security.authorization.jacc.web.impl;

import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import com.ibm.ws.security.authorization.jacc.common.PolicyConfigurationManager;
import com.ibm.ws.security.authorization.jacc.web.WebSecurityPropagator;
import com.ibm.ws.webcontainer.security.metadata.SecurityConstraint;
import com.ibm.ws.webcontainer.security.metadata.SecurityConstraintCollection;
import com.ibm.ws.webcontainer.security.metadata.SecurityMetadata;
import com.ibm.ws.webcontainer.security.metadata.WebResourceCollection;
import com.ibm.ws.webcontainer.webapp.WebAppConfigExtended;
import com.ibm.wsspi.webcontainer.webapp.WebAppConfig;
import java.security.Permissions;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.StringTokenizer;
import javax.security.jacc.PolicyConfiguration;
import javax.security.jacc.PolicyConfigurationFactory;
import javax.security.jacc.PolicyContextException;
import javax.security.jacc.WebResourcePermission;
import javax.security.jacc.WebRoleRefPermission;
import javax.security.jacc.WebUserDataPermission;
import org.eclipse.equinox.http.servlet.internal.util.Const;

/**
 * Translates a web module's security metadata (declared roles, servlet role references and
 * security constraints) into JACC permissions and writes them into the module's
 * {@link PolicyConfiguration}.
 *
 * <p>Output of this class is authorization policy: role grants go through
 * {@code addToRole}, and two {@link Permissions} collections are flushed with
 * {@code addToExcludedPolicy} and {@code addToUncheckedPolicy}. A mistake in the URL-pattern
 * qualification or in the excluded/unchecked split changes who can reach which URL, so the
 * statement order in {@link #getNewURLMap} and {@link #processUrlMap} should be treated as
 * significant.
 *
 * <p>NOTE(review): this listing looks like decompiler output (synthetic local names, raw
 * collection types, redundant returns). Compare against the original source before relying on
 * fine details.
 */
@InjectedFFDC
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
/* loaded from: input_file:wlp/lib/com.ibm.ws.security.authorization.jacc.web_1.0.16.jar:com/ibm/ws/security/authorization/jacc/web/impl/WebSecurityPropagatorImpl.class */
public class WebSecurityPropagatorImpl implements WebSecurityPropagator {
    // URL pattern kinds. The values match what urlType() returns and what getNewURLMap()
    // switches on, although those methods use the literals 0..3 rather than these names
    // (presumably constant inlining by the compiler/decompiler).
    private static final int EXTENSION_PATTERN = 0;
    private static final int PATHPREFIX_PATTERN = 1;
    private static final int EXACT_PATTERN = 2;
    private static final int DEFAULT_PATTERN = 3;
    // Role name "**"; processRole() uses the literal "**" directly rather than this constant.
    private static final String STARSTAR = "**";
    static final long serialVersionUID = 4193090874632708401L;
    private static final TraceComponent tc = Tr.register(WebSecurityPropagatorImpl.class);
    // Fallback user-data action used by processUrlMap(). addUserData() treats an action string
    // with a leading ':' as "no method list, transport = text after the colon", so this
    // presumably stands for "all HTTP methods, transport NONE" -- confirm against ActionString.
    private static final ActionString ALLMETHOD = new ActionString(":NONE");

    /**
     * Rebuilds the JACC policy statements for one web module from its security metadata.
     *
     * <p>Visible sequence: the module is removed from {@link PolicyConfigurationManager}, a
     * {@link PolicyConfiguration} is requested for {@code str} with the {@code remove} argument
     * set to {@code true}, role-reference and URL permissions are added, and finally the
     * configuration is linked and the module is registered again.
     *
     * <p>All handled failures are reported through FFDC and {@code Tr.error} and then swallowed:
     * the method returns normally and the caller cannot tell that propagation failed.
     *
     * <p>NOTE(review): on a {@link PolicyContextException} the module has already been removed
     * and {@code linkConfiguration}/{@code addModule} are skipped, and role grants added before
     * the failure may already sit in the PolicyConfiguration. Confirm that a module left in this
     * state is denied by the provider rather than served with a partial policy.
     *
     * <p>NOTE(review): no {@code commit()} call is visible in this class; presumably
     * PolicyConfigurationManager commits later -- confirm.
     *
     * @param policyConfigurationFactory factory used to obtain the module's PolicyConfiguration
     * @param str policy context id passed to {@code getPolicyConfiguration}; also used as the
     *            module name for {@code removeModule}/{@code addModule}
     * @param obj the module configuration; must be a {@link WebAppConfig} (and, because of the
     *            cast in {@link #getSecurityMetadata}, a {@link WebAppConfigExtended});
     *            {@code null} makes the call a no-op
     */
    @Override // com.ibm.ws.security.authorization.jacc.web.WebSecurityPropagator
    public void propagateWebConstraints(PolicyConfigurationFactory policyConfigurationFactory, String str, Object obj) {
        if (obj == null) {
            // Both paths return; the only difference is the debug trace.
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Nothing to propagate due to null webAppConfig object.", new Object[0]);
                return;
            }
            return;
        }
        try {
            WebAppConfig webAppConfig = (WebAppConfig) obj;
            // NOTE(review): getSecurityMetadata() is dereferenced without a null check, and only
            // ClassCastException is caught below; a null metadata object would surface as an
            // uncaught NullPointerException. Confirm it can never be null here.
            SecurityConstraintCollection securityConstraintCollection = getSecurityMetadata(webAppConfig).getSecurityConstraintCollection();
            if (securityConstraintCollection == null) {
                // No constraints: return before removeModule(), so any previously propagated
                // policy for this module is left as it was.
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Nothing to propagate due to no security constraints.", new Object[0]);
                    return;
                }
                return;
            }
            String applicationName = webAppConfig.getApplicationName();
            // The module is unregistered first and only re-registered by addModule() after
            // every permission has been written successfully.
            PolicyConfigurationManager.removeModule(applicationName, str);
            try {
                // remove == true: per the JACC API, existing policy statements for this context
                // id are discarded, so the configuration is rebuilt from scratch.
                PolicyConfiguration policyConfiguration = policyConfigurationFactory.getPolicyConfiguration(str, true);
                try {
                    processRole(policyConfiguration, webAppConfig);
                    List<SecurityConstraint> securityConstraints = securityConstraintCollection.getSecurityConstraints();
                    processUrlMap(policyConfiguration, convertURLMap(securityConstraints), isDenyUncoveredHttpMethods(securityConstraints));
                    PolicyConfigurationManager.linkConfiguration(applicationName, policyConfiguration);
                    PolicyConfigurationManager.addModule(applicationName, str);
                } catch (PolicyContextException e) {
                    // Failure while writing permissions or linking: logged, not rethrown.
                    FFDCFilter.processException(e, "com.ibm.ws.security.authorization.jacc.web.impl.WebSecurityPropagatorImpl", "102", this, new Object[]{policyConfigurationFactory, str, obj});
                    Tr.error(tc, "JACC_WEB_PERMISSION_PROPAGATION_FAILURE", str, e);
                }
            } catch (PolicyContextException e2) {
                // Failure obtaining the PolicyConfiguration: logged, not rethrown.
                FFDCFilter.processException(e2, "com.ibm.ws.security.authorization.jacc.web.impl.WebSecurityPropagatorImpl", "89", this, new Object[]{policyConfigurationFactory, str, obj});
                Tr.error(tc, "JACC_WEB_GET_POLICYCONFIGURATION_FAILURE", str, e2);
            }
        } catch (ClassCastException e3) {
            // Also reached when the casts inside getSecurityMetadata() fail, in which case the
            // message below still names WebAppConfig as the expected type.
            FFDCFilter.processException(e3, "com.ibm.ws.security.authorization.jacc.web.impl.WebSecurityPropagatorImpl", "63", this, new Object[]{policyConfigurationFactory, str, obj});
            Tr.error(tc, "JACC_WEB_SPI_PARAMETER_ERROR", obj.getClass().getName(), "propagateWebConstraints", "WebAppConfig");
        }
    }

    /**
     * Adds the {@link WebRoleRefPermission}s for every servlet of the module.
     *
     * <p>Per servlet: one permission for each role reference (granted to the role the reference
     * maps to), one for "**" unless a reference named "**" exists, and one for each declared
     * role (granted to the role of the same name). After the servlet loop, each declared role
     * also receives a permission whose name is the empty string.
     *
     * @param policyConfiguration configuration that receives the role grants
     * @param webAppConfig module configuration supplying servlet names and security metadata
     * @throws PolicyContextException if {@code addToRole} fails
     */
    private void processRole(PolicyConfiguration policyConfiguration, WebAppConfig webAppConfig) throws PolicyContextException {
        SecurityMetadata securityMetadata = getSecurityMetadata(webAppConfig);
        List<String> roles = securityMetadata.getRoles();
        Iterator servletNames = webAppConfig.getServletNames();
        while (servletNames.hasNext()) {
            String str = (String) servletNames.next();
            // z: this servlet declares a role reference named "**" itself.
            boolean z = false;
            Map<String, String> roleRefs = securityMetadata.getRoleRefs(str);
            if (roleRefs != null && !roleRefs.isEmpty()) {
                for (Map.Entry<String, String> entry : roleRefs.entrySet()) {
                    // key is used as the reference name (permission action), value as the
                    // role that receives the grant.
                    String key = entry.getKey();
                    String value = entry.getValue();
                    WebRoleRefPermission webRoleRefPermission = new WebRoleRefPermission(str, key);
                    if (!z && "**".equals(key)) {
                        z = true;
                    }
                    policyConfiguration.addToRole(value, webRoleRefPermission);
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "addToRole(roleRef) role : " + value + " permission : " + webRoleRefPermission, new Object[0]);
                    }
                }
            }
            if (!z) {
                // No explicit "**" reference: map the "**" reference to the "**" role
                // (the Servlet 3.1 "any authenticated user" role name).
                WebRoleRefPermission webRoleRefPermission2 = new WebRoleRefPermission(str, "**");
                policyConfiguration.addToRole("**", webRoleRefPermission2);
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "addToRole(roleRef) role : ** permission : " + webRoleRefPermission2, new Object[0]);
                }
            }
            // Every declared role is also usable under its own name from this servlet.
            for (String str2 : roles) {
                WebRoleRefPermission webRoleRefPermission3 = new WebRoleRefPermission(str, str2);
                policyConfiguration.addToRole(str2, webRoleRefPermission3);
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "addToRole(role) role : " + str2 + " permission : " + webRoleRefPermission3, new Object[0]);
                }
            }
        }
        // Permissions with an empty name, one per declared role.
        // NOTE(review): presumably these cover role checks made outside any named servlet, as
        // in later JACC versions -- confirm against the spec level in use.
        for (String str3 : roles) {
            WebRoleRefPermission webRoleRefPermission4 = new WebRoleRefPermission("", str3);
            policyConfiguration.addToRole(str3, webRoleRefPermission4);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "addToRole(every role) role : " + str3 + " permission : " + webRoleRefPermission4, new Object[0]);
            }
        }
    }

    /**
     * Folds the security constraints into one {@link URLMap} per URL pattern.
     *
     * <p>The map is seeded with an entry for "/". For every URL pattern of every web resource
     * collection, the constraint's method list is recorded as excluded, unchecked or per-role,
     * and the constraint's transport requirement is recorded as user data.
     *
     * @param list security constraints of the module
     * @return map from URL pattern to its accumulated {@link URLMap}
     */
    private Map<String, URLMap> convertURLMap(List<SecurityConstraint> list) {
        // NOTE(review): raw HashMap, most likely a decompiler artifact; it would have to be
        // declared as Map<String, URLMap> for this source to be recompiled.
        HashMap hashMap = new HashMap();
        URLMap uRLMap = new URLMap("/");
        uRLMap.setUncheckedSet(null);
        hashMap.put("/", uRLMap);
        for (SecurityConstraint securityConstraint : list) {
            List<WebResourceCollection> webResourceCollections = securityConstraint.getWebResourceCollections();
            List<String> roles = securityConstraint.getRoles();
            // Transport guarantee recorded for every pattern of this constraint.
            String str = securityConstraint.isSSLRequired() ? "CONFIDENTIAL" : "NONE";
            boolean isAccessPrecluded = securityConstraint.isAccessPrecluded();
            for (WebResourceCollection webResourceCollection : webResourceCollections) {
                List<String> urlPatterns = webResourceCollection.getUrlPatterns();
                List<String> httpMethods = webResourceCollection.getHttpMethods();
                List<String> omissionMethods = webResourceCollection.getOmissionMethods();
                for (String str2 : urlPatterns) {
                    // list2 stays null when neither method list is given ("all methods").
                    List<String> list2 = null;
                    URLMap uRLMap2 = hashMap.get(str2);
                    if (uRLMap2 == null) {
                        // First sighting of this pattern: create it and cross-qualify it with
                        // the patterns already in the map.
                        uRLMap2 = getNewURLMap(str2, hashMap);
                    }
                    // z: list2 holds omitted methods rather than listed methods.
                    boolean z = false;
                    if (httpMethods != null && httpMethods.size() != 0) {
                        list2 = httpMethods;
                    } else if (omissionMethods != null && omissionMethods.size() > 0) {
                        z = true;
                        list2 = omissionMethods;
                    } else if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "All Methods are set since HTTP Method isn't defined.", new Object[0]);
                    }
                    if (isAccessPrecluded) {
                        uRLMap2.setExcludedSet(list2, z);
                    } else if (roles == null) {
                        uRLMap2.setUncheckedSet(list2, z);
                    } else {
                        // NOTE(review): a non-null but empty role list with access not
                        // precluded records no resource entry at all for this pattern;
                        // presumably isAccessPrecluded() covers the empty auth-constraint
                        // case -- confirm.
                        for (String str3 : roles) {
                            if (tc.isDebugEnabled()) {
                                Tr.debug(tc, "Setting role map for role = " + str3, new Object[0]);
                            }
                            uRLMap2.setRoleMap(str3, list2, z);
                        }
                    }
                    uRLMap2.setUserDataMap(str, list2, z);
                }
            }
        }
        return hashMap;
    }

    /**
     * Creates the {@link URLMap} for a pattern not yet in {@code map} and cross-links it with
     * every existing entry.
     *
     * <p>Depending on the kinds of the new and the existing pattern (see {@link #urlType}) and
     * on {@link #urlPatternMatch}, either the existing pattern is appended to the new entry or
     * the new pattern is appended to the existing entry. The accumulated string is later read
     * back with {@code getURLPattern()} and used as the permission name; {@link #isUnqualified}
     * parses it as colon-separated, so this presumably builds JACC qualified URL pattern names
     * -- confirm against URLMap.
     *
     * @param str the new URL pattern
     * @param map existing entries; the new entry is added to it before returning
     * @return the newly created entry
     */
    private URLMap getNewURLMap(String str, Map<String, URLMap> map) {
        URLMap uRLMap = new URLMap(str);
        for (Map.Entry<String, URLMap> entry : map.entrySet()) {
            String key = entry.getKey();
            URLMap value = entry.getValue();
            int urlType = urlType(key);
            switch (urlType(str)) {
                case 0:
                    // New pattern is an extension pattern.
                    if (urlType != 1 && (urlType != 2 || !urlPatternMatch(str, key))) {
                        if (urlType == 3) {
                            // Existing default pattern is qualified by the new pattern.
                            value.appendURLPattern(str);
                            break;
                        } else {
                            break;
                        }
                    } else {
                        // Existing path-prefix pattern, or exact pattern matched by the new
                        // extension pattern, qualifies the new entry.
                        uRLMap.appendURLPattern(key);
                        break;
                    }
                    break;
                case 1:
                    // New pattern is a path-prefix pattern.
                    if ((urlType != 1 && urlType != 2) || !urlPatternMatch(str, key)) {
                        if (urlType != 1 || !urlPatternMatch(key, str)) {
                            if (urlType != 0 && urlType != 3) {
                                break;
                            } else {
                                // Existing extension or default pattern is qualified by the
                                // new prefix.
                                value.appendURLPattern(str);
                                break;
                            }
                        } else {
                            // Existing prefix covers the new prefix: qualify the existing one.
                            value.appendURLPattern(str);
                            break;
                        }
                    } else {
                        // Existing prefix/exact pattern lies under the new prefix: qualify the
                        // new entry.
                        uRLMap.appendURLPattern(key);
                        break;
                    }
                    break;
                case 2:
                    // New pattern is an exact pattern.
                    if ((urlType != 0 && urlType != 1) || !urlPatternMatch(key, str)) {
                        if (urlType == 3) {
                            // Existing default pattern is qualified by the new pattern.
                            value.appendURLPattern(str);
                            break;
                        } else {
                            break;
                        }
                    } else {
                        // Existing extension/prefix pattern that matches the new exact pattern
                        // is qualified by it.
                        value.appendURLPattern(str);
                        break;
                    }
                    break;
                case 3:
                    // New pattern is the default pattern "/": qualified by every non-default
                    // pattern. convertURLMap() seeds "/" up front, so from that caller this
                    // case is not expected to be reached.
                    if (urlType != 3) {
                        uRLMap.appendURLPattern(key);
                        break;
                    } else {
                        break;
                    }
            }
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "full urlPattern created is: " + uRLMap.getURLPattern(), new Object[0]);
        }
        map.put(str, uRLMap);
        return uRLMap;
    }

    /**
     * Turns the per-pattern {@link URLMap}s into JACC permissions.
     *
     * <p>Role grants are written immediately with {@code addToRole}. Excluded and unchecked
     * permissions are collected in two {@link Permissions} objects and written once, after the
     * loop, and only if the corresponding flag was set.
     *
     * @param policyConfiguration configuration that receives the policy statements
     * @param map URL pattern to accumulated constraint data, as built by {@link #convertURLMap}
     * @param z result of {@link #isDenyUncoveredHttpMethods} for the module
     * @throws PolicyContextException if a PolicyConfiguration call fails
     */
    private void processUrlMap(PolicyConfiguration policyConfiguration, Map<String, URLMap> map, boolean z) throws PolicyContextException {
        ActionString userDataString;
        // permissions  -> flushed with addToUncheckedPolicy when z2 is set
        // permissions2 -> flushed with addToExcludedPolicy when z3 is set
        Permissions permissions = new Permissions();
        Permissions permissions2 = new Permissions();
        boolean z2 = false;
        boolean z3 = false;
        for (Map.Entry<String, URLMap> entry : map.entrySet()) {
            String key = entry.getKey();
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "url is: " + key, new Object[0]);
            }
            URLMap value = entry.getValue();
            String uRLPattern = value.getURLPattern();
            // Patterns matched by one of their own qualifiers produce no permissions.
            if (!isUnqualified(key, uRLPattern)) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "urlPatternName: " + uRLPattern, new Object[0]);
                }
                // z4: this pattern has an excluded entry.
                // z5: stop emitting for this pattern (first "all methods excluded", later
                //     reused for "confidential applies to all methods").
                boolean z4 = false;
                ActionString excludedString = value.getExcludedString();
                boolean z5 = false;
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Method string for Excluded Permission: " + excludedString, new Object[0]);
                }
                if (excludedString != null) {
                    String actions = excludedString.getActions();
                    // Excluded methods are denied for both the resource and the user-data
                    // (transport) permission.
                    permissions2.add(new WebResourcePermission(uRLPattern, actions));
                    permissions2.add(new WebUserDataPermission(uRLPattern, actions));
                    z4 = true;
                    z3 = true;
                    if (actions == null) {
                        // null actions == all HTTP methods: nothing else to emit for this
                        // pattern, including its role grants.
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "all methods is set for excluded", new Object[0]);
                        }
                        z5 = true;
                    }
                }
                if (!z5) {
                    Map<String, String> roleMap = value.getRoleMap();
                    ActionString uncheckedString = value.getUncheckedString();
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Method string for Unchecked Permission: " + uncheckedString, new Object[0]);
                    }
                    if (uncheckedString != null) {
                        WebResourcePermission webResourcePermission = new WebResourcePermission(uRLPattern, uncheckedString.getActions());
                        if (z) {
                            // Deny-uncovered mode: these methods go to the excluded policy.
                            permissions2.add(webResourcePermission);
                            z3 = true;
                        } else {
                            // z2 is not set here; the flush after the loop depends on a later
                            // branch setting it (this appears to always happen in the
                            // user-data handling below -- confirm).
                            permissions.add(webResourcePermission);
                        }
                    } else if (!z4 && roleMap == null) {
                        // No excluded entry and no role constraint: the pattern is unchecked
                        // (open to everyone) for all methods.
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "set unchecked for all methods", new Object[0]);
                        }
                        permissions.add(new WebResourcePermission(uRLPattern, (String) null));
                        z2 = true;
                    } else if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "unchecked list is null", new Object[0]);
                    }
                    // Transport requirement, confidential part.
                    ActionString userDataString2 = value.getUserDataString("CONFIDENTIAL_OR_INTEGRAL");
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "\nUserData - Confidential: " + userDataString2, new Object[0]);
                    }
                    if (userDataString2 != null) {
                        String actions2 = userDataString2.getActions();
                        addUserData(permissions, uRLPattern, actions2);
                        z2 = true;
                        // A leading ':' means there is no method list, so no methods remain
                        // for the "REST" handling below.
                        if (actions2 != null && actions2.startsWith(":")) {
                            z5 = true;
                        }
                    }
                    if (!z5) {
                        // Transport requirement for the remaining methods; falls back to
                        // ALLMETHOD when nothing more specific is recorded.
                        if (userDataString2 != null || z4) {
                            userDataString = value.getUserDataString("REST");
                            if (userDataString == null && userDataString2 == null) {
                                userDataString = ALLMETHOD;
                            }
                        } else {
                            userDataString = ALLMETHOD;
                        }
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "UserData - Rest: " + userDataString, new Object[0]);
                        }
                        if (userDataString != null) {
                            if (!z || uncheckedString == null) {
                                addUserData(permissions, uRLPattern, userDataString.getActions());
                                z2 = true;
                            } else if (ALLMETHOD.equals(userDataString)) {
                                // Deny-uncovered mode with an unchecked method string: its
                                // actions are excluded and its reverse actions are unchecked.
                                String actions3 = uncheckedString.getActions();
                                addUserData(permissions2, uRLPattern, actions3);
                                if (tc.isDebugEnabled()) {
                                    Tr.debug(tc, "UserData - setExcluded: " + actions3, new Object[0]);
                                }
                                z3 = true;
                                String reverseActions = uncheckedString.getReverseActions();
                                addUserData(permissions, uRLPattern, reverseActions);
                                if (tc.isDebugEnabled()) {
                                    Tr.debug(tc, "UserData - setUnchecked: " + reverseActions, new Object[0]);
                                }
                                z2 = true;
                            } else {
                                addUserData(permissions2, uRLPattern, userDataString.getActions());
                                z3 = true;
                            }
                        }
                    }
                    if (roleMap != null) {
                        // Role grants: key is the role, value its method string (null or
                        // empty means all methods).
                        for (Map.Entry<String, String> entry2 : roleMap.entrySet()) {
                            String key2 = entry2.getKey();
                            if (tc.isDebugEnabled()) {
                                Tr.debug(tc, "role is " + key2, new Object[0]);
                            }
                            String value2 = entry2.getValue();
                            if (value2 == null || value2.length() == 0) {
                                WebResourcePermission webResourcePermission2 = new WebResourcePermission(uRLPattern, (String) null);
                                policyConfiguration.addToRole(key2, webResourcePermission2);
                                if (tc.isDebugEnabled()) {
                                    Tr.debug(tc, "addToRole(all methods) role : " + key2 + " permission : " + webResourcePermission2, new Object[0]);
                                }
                            } else {
                                WebResourcePermission webResourcePermission3 = new WebResourcePermission(uRLPattern, value2);
                                policyConfiguration.addToRole(key2, webResourcePermission3);
                                if (tc.isDebugEnabled()) {
                                    Tr.debug(tc, "addToRole(specific methods) role : " + key2 + " permission : " + webResourcePermission3, new Object[0]);
                                }
                            }
                        }
                    } else if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "No role map. URL: " + uRLPattern, new Object[0]);
                    }
                }
            } else if (tc.isDebugEnabled()) {
                Tr.debug(tc, "url: " + key + " is unqualified", new Object[0]);
            }
        }
        // Excluded and unchecked statements are written only now; role grants above were
        // written as they were found. An exception part-way through therefore leaves role
        // grants without the matching excluded policy in the PolicyConfiguration.
        if (z3) {
            policyConfiguration.addToExcludedPolicy(permissions2);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "addToExcludedPolicy permission : " + permissions2, new Object[0]);
            }
        }
        if (z2) {
            policyConfiguration.addToUncheckedPolicy(permissions);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "addToUncheckedPolicy permission : " + permissions, new Object[0]);
            }
        }
    }

    /**
     * Tells whether a pattern is matched by one of its own qualifiers.
     *
     * @param str the bare URL pattern (the map key)
     * @param str2 the accumulated pattern string; everything after the first ':' is read as a
     *             ':'-separated list of qualifying patterns
     * @return {@code true} if any qualifying pattern matches {@code str} according to
     *         {@link #urlPatternMatch}; {@code false} if there is no ':' or nothing matches
     */
    private boolean isUnqualified(String str, String str2) {
        boolean z = false;
        if (str2.indexOf(":") != -1) {
            StringTokenizer stringTokenizer = new StringTokenizer(str2.substring(str2.indexOf(":") + 1), ":");
            while (true) {
                if (!stringTokenizer.hasMoreTokens()) {
                    break;
                }
                if (urlPatternMatch(stringTokenizer.nextToken(), str)) {
                    z = true;
                    break;
                }
            }
        }
        return z;
    }

    /**
     * Adds a {@link WebUserDataPermission} for {@code str} to {@code permissions}.
     *
     * @param permissions collection that receives the permission
     * @param str URL pattern name of the permission
     * @param str2 actions string; when it starts with ':' the remainder is passed as the
     *             transport type with a {@code null} method array (which the JACC API treats as
     *             all HTTP methods), otherwise it is passed through unchanged, {@code null}
     *             included
     */
    private void addUserData(Permissions permissions, String str, String str2) {
        if (str2 == null || !str2.startsWith(":")) {
            permissions.add(new WebUserDataPermission(str, str2));
        } else {
            permissions.add(new WebUserDataPermission(str, null, str2.substring(1)));
        }
    }

    /**
     * Classifies a URL pattern.
     *
     * @param str URL pattern
     * @return 0 if it starts with {@code Const.STAR_DOT}, 1 if it starts with "/" and ends with
     *         "/*", 3 if it equals "/", otherwise 2
     */
    private int urlType(String str) {
        String str2 = str.toString();
        // NOTE(review): Const comes from an Equinox-internal package; presumably STAR_DOT is
        // "*." and the decompiler substituted a constant with the same value -- confirm.
        if (str2.startsWith(Const.STAR_DOT)) {
            return 0;
        }
        if (str2.startsWith("/") && str2.endsWith("/*")) {
            return 1;
        }
        return str2.equals("/") ? 3 : 2;
    }

    /**
     * Tells whether URL pattern {@code str} covers {@code str2}.
     *
     * <p>The comparison is plain, case-sensitive string matching with no normalization or
     * decoding. Within this class both arguments are patterns taken from the module's security
     * metadata.
     *
     * @param str the covering pattern
     * @param str2 the pattern (or path) being tested
     * @return {@code true} if the strings are equal, if {@code str} is "/*" or "/", if
     *         {@code str} is a path-prefix pattern whose prefix matches {@code str2} on a
     *         segment boundary, or if {@code str} is an extension pattern and {@code str2} ends
     *         with {@code str} minus its first character
     */
    protected boolean urlPatternMatch(String str, String str2) {
        if (str.equals(str2) || str.equals("/*")) {
            return true;
        }
        if (str.startsWith("/") && str.endsWith("/*")) {
            // Strip the trailing "/*" and require the prefix to end at a segment boundary, so
            // "/a/*" covers "/a" and "/a/b" but not "/ab".
            String substring = str.substring(0, str.length() - 2);
            int length = substring.length();
            if (str2.startsWith(substring) && (str2.length() == length || str2.charAt(length) == '/')) {
                return true;
            }
        }
        // Extension match, or the default pattern "/" which covers everything.
        return (str.startsWith(Const.STAR_DOT) && str2.endsWith(str.substring(1))) || str.equals("/");
    }

    /**
     * Extracts the security metadata from a web module configuration.
     *
     * <p>Both casts are unchecked: a configuration that is not a {@link WebAppConfigExtended},
     * or metadata that is not a {@link SecurityMetadata}, raises {@link ClassCastException}.
     * No null check is made on {@code getMetaData()}.
     *
     * @param webAppConfig module configuration
     * @return whatever {@code getSecurityMetaData()} returns, cast to {@link SecurityMetadata}
     */
    private SecurityMetadata getSecurityMetadata(WebAppConfig webAppConfig) {
        return (SecurityMetadata) ((WebAppConfigExtended) webAppConfig).getMetaData().getSecurityMetaData();
    }

    /**
     * Tells whether any web resource collection of any constraint reports
     * {@code getDenyUncoveredHttpMethods()}.
     *
     * <p>The first collection that reports it decides the result, and
     * {@link #propagateWebConstraints} passes that single value to {@link #processUrlMap} for
     * the whole module.
     *
     * @param list security constraints of the module
     * @return {@code true} if at least one collection reports the flag
     */
    private boolean isDenyUncoveredHttpMethods(List<SecurityConstraint> list) {
        Iterator<SecurityConstraint> it = list.iterator();
        while (it.hasNext()) {
            Iterator<WebResourceCollection> it2 = it.next().getWebResourceCollections().iterator();
            while (it2.hasNext()) {
                if (it2.next().getDenyUncoveredHttpMethods()) {
                    return true;
                }
            }
        }
        return false;
    }
}
