package com.ibm.ws.security.javaeesec.cdi.beans;

import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.Sensitive;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.genericbnf.PasswordNullifier;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import com.ibm.ws.security.javaeesec.CDIHelper;
import com.ibm.ws.security.javaeesec.properties.ModulePropertiesProvider;
import com.ibm.ws.security.javaeesec.properties.ModulePropertiesUtils;
import com.ibm.ws.webcontainer.security.AuthResult;
import com.ibm.ws.webcontainer.security.AuthenticationResult;
import com.ibm.ws.webcontainer.security.CookieHelper;
import com.ibm.ws.webcontainer.security.PostParameterHelper;
import com.ibm.ws.webcontainer.security.ReferrerURLCookieHandler;
import com.ibm.ws.webcontainer.security.WebAppSecurityConfig;
import com.ibm.ws.webcontainer.security.metadata.FormLoginConfigurationImpl;
import com.ibm.ws.webcontainer.security.metadata.LoginConfigurationImpl;
import com.ibm.ws.webcontainer.security.metadata.SecurityMetadata;
import com.ibm.ws.webcontainer.security.util.WebConfigUtils;
import com.ibm.wsspi.webcontainer.servlet.IExtendedRequest;
import java.io.IOException;
import java.lang.annotation.Annotation;
import java.util.Iterator;
import java.util.Properties;
import javax.annotation.PostConstruct;
import javax.annotation.Priority;
import javax.el.ELProcessor;
import javax.enterprise.inject.Instance;
import javax.enterprise.inject.spi.CDI;
import javax.interceptor.AroundInvoke;
import javax.interceptor.Interceptor;
import javax.interceptor.InvocationContext;
import javax.security.enterprise.AuthenticationStatus;
import javax.security.enterprise.authentication.mechanism.http.AuthenticationParameters;
import javax.security.enterprise.authentication.mechanism.http.HttpMessageContext;
import javax.security.enterprise.authentication.mechanism.http.LoginToContinue;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletContext;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

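/**
 * CDI interceptor behind {@link LoginToContinue}.
 *
 * <p>It wraps the {@code validateRequest} method of a form-style
 * {@code HttpAuthenticationMechanism} (built-in or custom). An unauthenticated request to a
 * protected resource is parked (original URL in the {@code WASReqURL} cookie, POST body via
 * {@link PostParameterHelper}) and sent to the configured login page; a {@code j_security_check}
 * request, or one that already carries a credential, is passed to the mechanism and, depending on
 * the returned status, the client is sent back to the stored URL or to the error page.
 *
 * <p>Configuration comes from the mechanism properties supplied by
 * {@link ModulePropertiesProvider}: {@code loginPage}, {@code errorPage},
 * {@code useForwardToLogin}/{@code useForwardToLoginExpression}, {@code useGlobalLogin} and
 * {@code formLoginContextRoot}. Immediate EL expressions are evaluated once in
 * {@link #initialize(InvocationContext)}; everything else is resolved on each use.
 */
@LoginToContinue
@InjectedFFDC
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
@Priority(220)
@Interceptor
/* loaded from: input_file:com/ibm/ws/security/javaeesec/cdi/beans/LoginToContinueInterceptor.class */
public class LoginToContinueInterceptor {
    /** Request attribute set once the post-login redirect/200 decision has been made. */
    private static final String ATTR_DONE_LOGIN_PROCESS = "com.ibm.ws.security.javaeesec.donePostLoginProcess";
    /** Only this method of the intercepted mechanism is handled; everything else just proceeds. */
    private static final String METHOD_TO_INTERCEPT = "validateRequest";
    private static final String WAS_REQ_URL_COOKIE = "WASReqURL";
    private static final String PROP_LOGIN_PAGE = "loginPage";
    private static final String PROP_ERROR_PAGE = "errorPage";
    private static final String PROP_USE_FORWARD_EXPRESSION = "useForwardToLoginExpression";
    private static final String PROP_USE_FORWARD = "useForwardToLogin";
    private static final String PROP_USE_GLOBAL_LOGIN = "useGlobalLogin";
    private static final String PROP_FORM_LOGIN_CONTEXT_ROOT = "formLoginContextRoot";
    private static final TraceComponent tc = Tr.register(LoginToContinueInterceptor.class);
    // Package-private so that tests/siblings can seed the provider (see setMPP).
    ModulePropertiesProvider mpp = null;
    Properties props = null;
    // Values below are resolved in initialize(); a null page/forward value means the property is a
    // deferred EL expression that has to be evaluated on each use.
    private String _errorPage = null;
    private String _loginPage = null;
    private Boolean _isForward = null;
    private Boolean _useGlobalLogin = Boolean.FALSE;
    private String _formLoginContextRoot = null;
    private boolean isCustomHAM = false;
    static final long serialVersionUID = 7327631654256756182L;

    /**
     * Lifecycle callback: looks up the {@link ModulePropertiesProvider} and pre-resolves the
     * mechanism properties for the intercepted class.
     *
     * <p>If no provider is available an error is logged and the interceptor stays unconfigured;
     * {@link #intercept(InvocationContext)} then answers {@code SEND_FAILURE} for
     * {@code validateRequest}.
     *
     * @param invocationContext the lifecycle invocation; its target is the intercepted mechanism
     */
    @PostConstruct
    public void initialize(InvocationContext invocationContext) {
        this.mpp = getModulePropertiesProvider();
        if (this.mpp == null) {
            Tr.error(tc, "JAVAEESEC_CDI_ERROR_LOGIN_TO_CONTINUE_DOES_NOT_EXIST", new Object[0]);
            return;
        }
        Class<?> targetClass = getTargetClass(invocationContext);
        this.isCustomHAM = isCustomHAM(targetClass);
        // NOTE(review): getAuthMechProperties is assumed to return a non-null Properties for a
        // known mechanism class; a null here would fail on the first get() below.
        this.props = this.mpp.getAuthMechProperties(targetClass);
        this._isForward = resolveBoolean((String) this.props.get(PROP_USE_FORWARD_EXPRESSION),
                                         (Boolean) this.props.get(PROP_USE_FORWARD), true, this.isCustomHAM);
        this._loginPage = resolveString((String) this.props.get(PROP_LOGIN_PAGE), "/login", true, this.isCustomHAM);
        this._errorPage = resolveString((String) this.props.get(PROP_ERROR_PAGE), "/login-error", true, this.isCustomHAM);
        Boolean useGlobalLogin = (Boolean) this.props.get(PROP_USE_GLOBAL_LOGIN);
        this._useGlobalLogin = useGlobalLogin != null ? useGlobalLogin : Boolean.FALSE;
        String contextRoot = (String) this.props.get(PROP_FORM_LOGIN_CONTEXT_ROOT);
        this._formLoginContextRoot = contextRoot != null ? contextRoot : "";
    }

    /**
     * Around-invoke hook. Requests that are not {@code validateRequest} calls proceed untouched.
     *
     * <p>For {@code validateRequest(request, response, messageContext)} the flow is:
     * <ol>
     *   <li>no provider: log an error, answer {@code SEND_FAILURE};</li>
     *   <li>new-authentication request ({@code AuthenticationParameters.isNewAuthentication()}):
     *       proceed;</li>
     *   <li>{@code j_security_check} or a supplied credential: proceed, then on {@code SUCCESS}
     *       run {@link #postLoginProcess}, on {@code SEND_FAILURE} redirect to the error page;</li>
     *   <li>already authenticated: clear a leftover {@code WASReqURL} cookie and answer
     *       {@code SUCCESS}; a custom mechanism without that cookie falls through;</li>
     *   <li>protected URL: go to the login page; otherwise proceed.</li>
     * </ol>
     *
     * @param invocationContext the intercepted call
     * @return the mechanism's {@link AuthenticationStatus} (or whatever a non-intercepted method
     *         returns)
     * @throws Exception anything thrown by the mechanism or by the redirect/forward
     */
    @AroundInvoke
    public Object intercept(InvocationContext invocationContext) throws Exception {
        if (!isMethodToIntercept(invocationContext)) {
            return invocationContext.proceed();
        }
        if (this.mpp == null) {
            Tr.error(tc, "JAVAEESEC_CDI_ERROR_LOGIN_TO_CONTINUE_DOES_NOT_EXIST", new Object[0]);
            return AuthenticationStatus.SEND_FAILURE;
        }
        Object[] parameters = invocationContext.getParameters();
        HttpServletRequest request = (HttpServletRequest) parameters[0];
        HttpServletResponse response = (HttpServletResponse) parameters[1];
        HttpMessageContext messageContext = (HttpMessageContext) parameters[2];

        if (isNewAuth(messageContext)) {
            return invocationContext.proceed();
        }
        if (isJSecurityCheck(request) || existCredential(messageContext)) {
            Object status = invocationContext.proceed();
            if (AuthenticationStatus.SUCCESS.equals(status)) {
                postLoginProcess(request, response);
            } else if (AuthenticationStatus.SEND_FAILURE.equals(status)) {
                rediectErrorPage(this.mpp.getAuthMechProperties(getClass(invocationContext)), request, response);
            }
            return status;
        }
        if (messageContext.getRequest().getUserPrincipal() != null) {
            if (existsCookie(request, WAS_REQ_URL_COOKIE)) {
                removeWasReqUrlCookie(request, response);
                return AuthenticationStatus.SUCCESS;
            }
            if (!this.isCustomHAM) {
                return AuthenticationStatus.SUCCESS;
            }
        }
        if (isInitialProtectedUrl(messageContext)) {
            return gotoLoginPage(this.mpp.getAuthMechProperties(getClass(invocationContext)), request, response, messageContext);
        }
        return invocationContext.proceed();
    }

    /**
     * @return {@code true} if the request URI contains {@code /j_security_check}. This is a
     *         substring match (kept for compatibility), so any URI that embeds that segment is
     *         treated as a form-login submission.
     */
    private boolean isJSecurityCheck(HttpServletRequest request) {
        return request.getRequestURI().contains("/j_security_check");
    }

    /** @return {@code true} if the message context carries authentication parameters with a credential. */
    private boolean existCredential(HttpMessageContext messageContext) {
        AuthenticationParameters authParameters = messageContext.getAuthParameters();
        return authParameters != null && authParameters.getCredential() != null;
    }

    /** @return whether the current request targets a protected resource. */
    private boolean isInitialProtectedUrl(HttpMessageContext messageContext) {
        return messageContext.isProtected();
    }

    /** @return {@code true} if the request carries at least one cookie named {@code name}. */
    private boolean existsCookie(HttpServletRequest request, String name) {
        Cookie[] cookies = request.getCookies();
        return cookies != null && CookieHelper.getCookieValues(cookies, name) != null;
    }

    /**
     * Sends the client to the login page.
     *
     * <p>The login/error page and the forward flag are taken from the pre-resolved values, or
     * evaluated now when they were deferred EL expressions. The module's login configuration is
     * updated so the web container's form-login handling matches, the original request is stored
     * (cookie and, for POST, the parameters), and then the request is either forwarded to the
     * login page (in this module, or in the global login context root) or answered with a 302.
     *
     * @param properties mechanism properties of the intercepted class
     * @param request the current request
     * @param response the current response
     * @param messageContext the message context (only reported in FFDC on failure)
     * @return {@code SEND_CONTINUE}, or {@code SEND_FAILURE} if the forward threw
     * @throws IOException from {@link HttpServletResponse#sendRedirect(String)}
     * @throws IllegalArgumentException if the global login context root does not resolve to a context
     */
    protected AuthenticationStatus gotoLoginPage(Properties properties, HttpServletRequest request, HttpServletResponse response, HttpMessageContext messageContext) throws IOException {
        String loginPage = resolveString((String) properties.get(PROP_LOGIN_PAGE), this._loginPage);
        String errorPage = resolveString((String) properties.get(PROP_ERROR_PAGE), this._errorPage);
        boolean forwardToLogin = resolveBoolean((String) properties.get(PROP_USE_FORWARD_EXPRESSION), this._isForward).booleanValue();
        boolean globalLogin = this._useGlobalLogin.booleanValue();

        // With global login the pages live in another context; the local config gets empty pages.
        if (globalLogin) {
            updateFormLoginConfiguration("", "");
        } else {
            updateFormLoginConfiguration(loginPage, errorPage);
        }
        setCookies(request, response);

        if (!globalLogin && !forwardToLogin) {
            // sendRedirect sets 302 itself; the explicit status is kept for parity with earlier behaviour.
            response.setStatus(302);
            response.sendRedirect(response.encodeURL(getUrl(request, loginPage, false)));
            return AuthenticationStatus.SEND_CONTINUE;
        }

        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "The request will be forwarded to the login page.", new Object[0]);
        }
        RequestDispatcher dispatcher;
        if (globalLogin) {
            ServletContext context = request.getServletContext().getContext(this._formLoginContextRoot);
            if (context == null) {
                throw new IllegalArgumentException("The context root " + this._formLoginContextRoot + " is not valid. Please make sure that the attribute contextRootForFormAuthenticationMechanism is set properly, and the form login page which is specified by the attribute loginFormURL is valid.");
            }
            dispatcher = context.getRequestDispatcher(loginPage);
        } else {
            dispatcher = request.getRequestDispatcher(loginPage);
        }
        AuthenticationStatus status = AuthenticationStatus.SEND_CONTINUE;
        try {
            // The POST body has already been saved by setCookies; forwarding a POST to a JSF login
            // page can fail, so the method is rewritten to GET when the container allows it.
            if (request.getMethod().equalsIgnoreCase("POST") && (request instanceof IExtendedRequest)) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Set GET method instead of original POST method for preventing a potential JSF error.", new Object[0]);
                }
                ((IExtendedRequest) request).setMethod("GET");
            }
            dispatcher.forward(request, response);
        } catch (Exception e) {
            FFDCFilter.processException(e, "com.ibm.ws.security.javaeesec.cdi.beans.LoginToContinueInterceptor", "239", this, new Object[]{properties, request, response, messageContext});
            status = AuthenticationStatus.SEND_FAILURE;
        }
        return status;
    }

    /**
     * Initialisation-time resolution of a boolean property.
     *
     * @param expression the {@code ...Expression} property, may be null/empty
     * @param value the plain boolean property, may be null
     * @param evaluateNow whether immediate EL expressions may be evaluated at this point
     * @param customHam {@code true} for a custom mechanism, whose expressions are never pre-evaluated
     * @return {@code value} (or {@code TRUE}) when there is no expression; the evaluated expression
     *         when it is immediate and evaluation is allowed; otherwise {@code null} meaning
     *         "evaluate on use"
     */
    private Boolean resolveBoolean(String expression, Boolean value, boolean evaluateNow, boolean customHam) {
        if (expression == null || expression.isEmpty()) {
            return value != null ? value : Boolean.TRUE;
        }
        if (!customHam && ModulePropertiesUtils.getInstance().isImmediateEval(expression) && evaluateNow) {
            return resolveBoolean(expression);
        }
        return null;
    }

    /**
     * Use-time resolution: the pre-resolved value wins, otherwise the expression is evaluated now.
     */
    private Boolean resolveBoolean(String expression, Boolean preResolved) {
        return preResolved != null ? preResolved : resolveBoolean(expression);
    }

    /**
     * Evaluates a boolean EL expression against the application module's bean manager.
     *
     * @param expression EL text (with delimiters); null/empty yields {@code TRUE}
     * @return the evaluation result
     * @throws ClassCastException if the expression does not evaluate to a {@link Boolean}
     */
    protected Boolean resolveBoolean(String expression) {
        if (expression == null || expression.isEmpty()) {
            return Boolean.TRUE;
        }
        String bareExpression = ModulePropertiesUtils.getInstance().extractExpression(expression);
        return (Boolean) getELProcessorWithAppModuleBeanManagerELResolver().eval(bareExpression);
    }

    /**
     * Initialisation-time resolution of a string property.
     *
     * @param value the property value, which may be a literal, an EL expression or null
     * @param defaultValue used when {@code value} is null and not an expression
     * @param evaluateNow whether immediate EL expressions may be evaluated at this point
     * @param customHam {@code true} for a custom mechanism, whose expressions are never pre-evaluated
     * @return the literal (or default) when the value is not an expression; the evaluated
     *         expression when it is immediate and evaluation is allowed; otherwise {@code null}
     *         meaning "evaluate on use"
     */
    private String resolveString(String value, String defaultValue, boolean evaluateNow, boolean customHam) {
        ModulePropertiesUtils utils = ModulePropertiesUtils.getInstance();
        // NOTE(review): isELExpression is assumed to accept null (it is called with absent properties).
        if (!utils.isELExpression(value)) {
            return value != null ? value : defaultValue;
        }
        if (!customHam && utils.isImmediateEval(value) && evaluateNow) {
            return resolveString(value);
        }
        return null;
    }

    /**
     * Use-time resolution: the pre-resolved value wins, otherwise the expression is evaluated now.
     */
    private String resolveString(String expression, String preResolved) {
        return preResolved != null ? preResolved : resolveString(expression);
    }

    /**
     * Evaluates a string EL expression against the application module's bean manager.
     *
     * @param expression EL text (with delimiters); null/empty yields {@code null}
     * @return the evaluation result, or {@code null} for an empty expression
     * @throws ClassCastException if the expression does not evaluate to a {@link String}
     */
    protected String resolveString(String expression) {
        if (expression == null || expression.isEmpty()) {
            return null;
        }
        String bareExpression = ModulePropertiesUtils.getInstance().extractExpression(expression);
        return (String) getELProcessorWithAppModuleBeanManagerELResolver().eval(bareExpression);
    }

    /**
     * Installs a FORM login configuration with the given pages into the module's security
     * metadata, so the web container's own form-login handling agrees with this interceptor.
     * Nothing is done when either page is unresolved ({@code null}) or no metadata is available.
     */
    private void updateFormLoginConfiguration(String loginPage, String errorPage) {
        if (loginPage == null || errorPage == null) {
            return;
        }
        SecurityMetadata securityMetadata = getSecurityMetadata();
        if (securityMetadata == null) {
            return;
        }
        LoginConfigurationImpl loginConfiguration = new LoginConfigurationImpl("FORM", (String) null, new FormLoginConfigurationImpl(loginPage, errorPage));
        securityMetadata.setLoginConfiguration(loginConfiguration);
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "LoginConfiguration was updated. " + loginConfiguration, new Object[0]);
        }
    }

    /** @return the current module's security metadata (overridable for tests). */
    protected SecurityMetadata getSecurityMetadata() {
        return WebConfigUtils.getSecurityMetadata();
    }

    /**
     * After a successful login, sends the client back to the originally requested URL.
     *
     * <p>The stored URL comes from the client-supplied {@code WASReqURL} cookie, so before it is
     * used as a {@code Location} its host is checked by
     * {@link ReferrerURLCookieHandler#isReferrerHostValid} against the current request URL and the
     * configured redirect domain names (an invalid host is expected to be rejected by that call;
     * the rejection itself is not visible here). The check is skipped for an empty stored URL.
     * When the stored URL is the URL being requested right now no redirect is needed and a 200 is
     * set instead; otherwise a 302 with the (encoded) stored URL is prepared. In both cases the
     * request is flagged with {@code ATTR_DONE_LOGIN_PROCESS}.
     *
     * <p>Fix: the comparison used to be {@code StringBuffer.equals(String)}, which is always
     * false, so the 200 branch was unreachable; the URL is now compared as a {@link String}.
     *
     * @param request the current request
     * @param response the response to set status/Location on
     * @throws IOException declared for overriding implementations
     * @throws RuntimeException propagated from the referrer host validation
     */
    protected void postLoginProcess(HttpServletRequest request, HttpServletResponse response) throws IOException, RuntimeException {
        WebAppSecurityConfig config = getWebAppSecurityConfig();
        String storedReq = getStoredReq(request, config.createReferrerURLCookieHandler());
        String requestUrl = request.getRequestURL().toString();
        if (storedReq != null && !storedReq.isEmpty()) {
            ReferrerURLCookieHandler.isReferrerHostValid(PasswordNullifier.nullifyParams(requestUrl),
                                                        PasswordNullifier.nullifyParams(storedReq),
                                                        config.getWASReqURLRedirectDomainNames());
        }
        if (requestUrl.equals(storedReq)) {
            response.setStatus(200);
        } else {
            response.setHeader("Location", response.encodeURL(storedReq));
            response.setStatus(302);
        }
        request.setAttribute(ATTR_DONE_LOGIN_PROCESS, Boolean.TRUE);
    }

    /**
     * Redirects to the error page (pre-resolved or evaluated now) after a failed login, then flags
     * the request with {@code ATTR_DONE_LOGIN_PROCESS}. No redirect is issued when no error page
     * resolves. (The name is kept as-is; subclasses override it.)
     *
     * @param properties mechanism properties of the intercepted class
     * @param request the current request
     * @param response the response to redirect
     * @throws IOException from {@link HttpServletResponse#sendRedirect(String)}
     */
    protected void rediectErrorPage(Properties properties, HttpServletRequest request, HttpServletResponse response) throws IOException {
        String errorPage = resolveString((String) properties.get(PROP_ERROR_PAGE), this._errorPage);
        if (errorPage != null) {
            response.sendRedirect(response.encodeURL(getUrl(request, errorPage, this._useGlobalLogin.booleanValue())));
        }
        request.setAttribute(ATTR_DONE_LOGIN_PROCESS, Boolean.TRUE);
    }

    /**
     * Invalidates the {@code WASReqURL} cookie on the response.
     *
     * @throws IOException declared for overriding implementations
     * @throws RuntimeException propagated from the cookie handler
     */
    protected void removeWasReqUrlCookie(HttpServletRequest request, HttpServletResponse response) throws IOException, RuntimeException {
        getWebAppSecurityConfig().createReferrerURLCookieHandler().invalidateReferrerURLCookie(request, response, WAS_REQ_URL_COOKIE);
    }

    /**
     * Reads the stored original URL from the {@code WASReqURL} cookie.
     *
     * @return the stored URL with a single leading {@code /} removed; {@code ""} when the cookie
     *         is absent or holds just {@code /}. Never {@code null}.
     */
    @Sensitive
    private String getStoredReq(HttpServletRequest request, ReferrerURLCookieHandler cookieHandler) {
        String stored = cookieHandler.getReferrerURLFromCookies(request, WAS_REQ_URL_COOKIE);
        if (stored == null || stored.equals("/")) {
            return "";
        }
        return stored.startsWith("/") ? stored.substring(1) : stored;
    }

    /**
     * Parks the current request before the login page is shown: saves POST parameters (POST only),
     * writes the request URL plus query string into the {@code WASReqURL} cookie and adds every
     * resulting cookie to the response. Nothing is stored when SSO requires SSL and the request is
     * not secure (see {@link #allowToAddCookieToResponse}).
     */
    private void setCookies(HttpServletRequest request, HttpServletResponse response) {
        WebAppSecurityConfig config = getWebAppSecurityConfig();
        if (!allowToAddCookieToResponse(config, request)) {
            return;
        }
        AuthenticationResult result = new AuthenticationResult(AuthResult.REDIRECT, "dummy");
        if ("POST".equalsIgnoreCase(request.getMethod())) {
            new PostParameterHelper(config).save(request, response, result, true);
        }
        String queryString = request.getQueryString();
        String originalUrl = request.getRequestURL().append(queryString != null ? "?" + queryString : "").toString();
        config.createReferrerURLCookieHandler().setReferrerURLCookie(request, result, originalUrl);
        for (Object cookie : result.getCookies()) {
            response.addCookie((Cookie) cookie);
        }
    }

    /**
     * Builds an absolute URL on the current request's scheme/host/port for {@code uri}, prefixed
     * with either the global form-login context root or this request's context path.
     *
     * @param request source of scheme, authority and context path
     * @param uri the page, with or without a leading {@code /}
     * @param appendContextRoot {@code true} to use {@code formLoginContextRoot} instead of the
     *        request's context path
     * @return the absolute URL
     */
    private String getUrl(HttpServletRequest request, String uri, boolean appendContextRoot) {
        StringBuilder url = new StringBuilder(request.getRequestURL());
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "getURL : uri : " + uri, new Object[]{", requestURL : " + url + ", appendContextRoot : " + appendContextRoot});
        }
        String contextRoot = appendContextRoot ? this._formLoginContextRoot : request.getContextPath();
        // Keep "scheme://authority" and replace everything from the first path "/" onwards.
        // getRequestURL is expected to always contain a path, so the search should not return -1.
        int pathStart = url.indexOf("/", url.indexOf("//") + 2);
        url.replace(pathStart, url.length(), normalizeURL(uri, contextRoot));
        return url.toString();
    }

    /**
     * Joins a context root and a page into a single path: a root of {@code /} is treated as empty
     * and the page is given a leading {@code /} if it lacks one.
     */
    private String normalizeURL(String uri, String contextRoot) {
        String root = contextRoot.equals("/") ? "" : contextRoot;
        String page = uri.startsWith("/") ? uri : "/" + uri;
        return root + page;
    }

    /**
     * @return {@code false} only when SSO cookies require SSL and the request is not secure; in
     *         that case the WASReqURL/POST-parameter cookies are withheld and a debug entry is
     *         written.
     */
    private boolean allowToAddCookieToResponse(WebAppSecurityConfig config, HttpServletRequest request) {
        if (!config.getSSORequiresSSL() || request.isSecure()) {
            return true;
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "SSO requires SSL. The cookie will not be sent back because the request is not over https.", new Object[0]);
        }
        return false;
    }

    /** @return {@code true} if the intercepted method is {@code validateRequest}. */
    protected boolean isMethodToIntercept(InvocationContext invocationContext) {
        return METHOD_TO_INTERCEPT.equals(invocationContext.getMethod().getName());
    }

    /** @return the class that declares the intercepted method. */
    protected Class getClass(InvocationContext invocationContext) {
        return invocationContext.getMethod().getDeclaringClass();
    }

    /**
     * @return the superclass of the target's runtime class — presumably the target is a CDI proxy
     *         subclass of the mechanism (verify against the container's proxying); overridable for tests.
     */
    protected Class getTargetClass(InvocationContext invocationContext) {
        return invocationContext.getTarget().getClass().getSuperclass();
    }

    /** @return {@code true} unless {@code cls} is one of the two built-in form mechanisms. */
    protected boolean isCustomHAM(Class cls) {
        return !(CustomFormAuthenticationMechanism.class.equals(cls) || FormAuthenticationMechanism.class.equals(cls));
    }

    /** @return the {@link ModulePropertiesProvider} bean via CDI, or {@code null} if none is selectable. */
    protected ModulePropertiesProvider getModulePropertiesProvider() {
        Instance instance = getCDI().select(ModulePropertiesProvider.class, new Annotation[0]);
        if (instance == null) {
            return null;
        }
        return (ModulePropertiesProvider) instance.get();
    }

    /** @return {@code true} if the message context asks for a new authentication. */
    private boolean isNewAuth(HttpMessageContext messageContext) {
        AuthenticationParameters authParameters = messageContext.getAuthParameters();
        return authParameters != null && authParameters.isNewAuthentication();
    }

    /** @return the current CDI container (overridable for tests). */
    protected CDI getCDI() {
        return CDI.current();
    }

    /** Replaces the properties provider (used by tests/siblings). */
    protected void setMPP(ModulePropertiesProvider modulePropertiesProvider) {
        this.mpp = modulePropertiesProvider;
    }

    /** @return the web application security configuration (overridable for tests). */
    protected WebAppSecurityConfig getWebAppSecurityConfig() {
        return WebConfigUtils.getWebAppSecurityConfig();
    }

    /** @return an EL processor resolving against the application module's bean manager. */
    protected ELProcessor getELProcessorWithAppModuleBeanManagerELResolver() {
        return CDIHelper.getELProcessor();
    }

    /** @return the pre-resolved error page, or {@code null} if it is evaluated on use. */
    protected String getErrorPage() {
        return this._errorPage;
    }

    /** @return the pre-resolved login page, or {@code null} if it is evaluated on use. */
    protected String getLoginPage() {
        return this._loginPage;
    }

    /** @return the pre-resolved forward flag, or {@code null} if it is evaluated on use. */
    protected Boolean getIsForward() {
        return this._isForward;
    }

    /** @return whether the global (cross-context) login page is used; never {@code null} after initialize. */
    protected Boolean getUseGlobalLogin() {
        return this._useGlobalLogin;
    }
}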
