package com.ibm.ws.webcontainer.security;

import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import com.ibm.ws.security.jwtsso.token.proxy.JwtSSOTokenHelper;
import com.ibm.ws.security.krb5.SpnegoUtil;
import com.ibm.ws.webcontainer.security.internal.CertificateLoginAuthenticator;
import com.ibm.ws.webcontainer.security.metadata.FormLoginConfiguration;
import com.ibm.ws.webcontainer.security.metadata.LoginConfiguration;
import com.ibm.ws.webcontainer.security.metadata.MatchResponse;
import com.ibm.ws.webcontainer.security.metadata.SecurityMetadata;
import java.security.cert.X509Certificate;
import java.util.List;
import java.util.Map;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

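/**
 * Default {@link WebRequest} implementation: a per-request holder that bundles the servlet
 * request/response with the security metadata, the matched security constraints and the web
 * application security configuration, plus a handful of mutable flags.
 *
 * <p>Security notes for maintainers:
 * <ul>
 * <li>{@link #hasAuthenticationData()} only reports that something that <em>looks like</em>
 * credentials is present (a header prefix, a cookie name, a request attribute). Nothing in this
 * class validates a credential, so the result must never be used as an authentication or
 * authorization decision.</li>
 * <li>The constraint accessors ({@link #getRequiredRoles()}, {@link #isSSLRequired()},
 * {@link #isAccessPrecluded()}) dereference the {@link MatchResponse} without a null check and
 * therefore throw when the instance was built with the four-argument constructor. That is left
 * as is on purpose: substituting a default such as "no roles" or "SSL not required" would fail
 * open.</li>
 * </ul>
 *
 * <p>The flags are plain non-volatile fields; no synchronization is visible in this class.
 */
@InjectedFFDC
@TraceObjectField(fieldName = "$$$tc$$$", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
/* loaded from: input_file:com/ibm/ws/webcontainer/security/WebRequestImpl.class */
public class WebRequestImpl implements WebRequest {
    private static final String AUTHORIZATION_HEADER = "Authorization";
    private static final String BASIC_AUTHORIZATION_METHOD = "Basic ";
    private static final String BEARER_AUTHORIZATION_METHOD = "Bearer ";
    // Cookie name that is still probed when the configured SSO cookie name is different and the
    // configuration does not restrict matching to the custom name.
    private static final String DEFAULT_LTPA_COOKIE_NAME = "LtpaToken2";
    private final HttpServletRequest request;
    private final HttpServletResponse response;
    private final String appName;
    private final WebSecurityContext webSecurityContext;
    private final MatchResponse matchResponse;
    private final SecurityMetadata securityMetadata;
    private final WebAppSecurityConfig config;
    private boolean formLoginRedirect;
    private boolean callAfterSSO;
    private boolean unprotectedURI;
    private boolean specialUnprotectedURI;
    private Map<String, Object> propMap;
    private boolean requestAuthenticate;
    private boolean disableClientCertFailOver;
    private boolean continueAfterUnprotectedURI;
    private final SpnegoUtil spnegoUtil;
    // NOTE(review): Serializable is not declared on this class; presumably inherited through
    // WebRequest or emitted by the build tooling - confirm before relying on serialization.
    static final long serialVersionUID = -996881289243552154L;
    private static final /* synthetic */ TraceComponent $$$tc$$$ = Tr.register(WebRequestImpl.class);

    /**
     * Creates a request holder without application name, security context or match response.
     *
     * <p>Instances built this way have a {@code null} {@link MatchResponse}; the constraint
     * accessors will throw {@link NullPointerException} on them.
     *
     * @param httpServletRequest the servlet request being processed
     * @param httpServletResponse the servlet response being produced
     * @param securityMetadata the security metadata of the web module, may be {@code null}
     * @param webAppSecurityConfig the web application security configuration
     */
    public WebRequestImpl(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, SecurityMetadata securityMetadata, WebAppSecurityConfig webAppSecurityConfig) {
        this(httpServletRequest, httpServletResponse, null, null, securityMetadata, null, webAppSecurityConfig);
    }

    /**
     * Creates a fully populated request holder and initialises the flags to their defaults:
     * form-login redirect, call-after-SSO and continue-after-unprotected-URI start as
     * {@code true}; every other flag starts as {@code false} and the property map as
     * {@code null}.
     *
     * @param httpServletRequest the servlet request being processed
     * @param httpServletResponse the servlet response being produced
     * @param str the application name
     * @param webSecurityContext the web security context for this request
     * @param securityMetadata the security metadata of the web module, may be {@code null}
     * @param matchResponse the matched security constraints for the request
     * @param webAppSecurityConfig the web application security configuration
     */
    public WebRequestImpl(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String str, WebSecurityContext webSecurityContext, SecurityMetadata securityMetadata, MatchResponse matchResponse, WebAppSecurityConfig webAppSecurityConfig) {
        this.formLoginRedirect = true;
        this.callAfterSSO = true;
        this.unprotectedURI = false;
        this.specialUnprotectedURI = false;
        this.propMap = null;
        this.requestAuthenticate = false;
        this.disableClientCertFailOver = false;
        this.continueAfterUnprotectedURI = true;
        this.spnegoUtil = new SpnegoUtil();
        this.request = httpServletRequest;
        this.response = httpServletResponse;
        this.appName = str;
        this.webSecurityContext = webSecurityContext;
        this.matchResponse = matchResponse;
        this.securityMetadata = securityMetadata;
        this.config = webAppSecurityConfig;
    }

    /** @return the servlet request this instance wraps */
    @Override
    public HttpServletRequest getHttpServletRequest() {
        return this.request;
    }

    /** @return the servlet response this instance wraps */
    @Override
    public HttpServletResponse getHttpServletResponse() {
        return this.response;
    }

    /** @return the application name given at construction, or {@code null} if none was given */
    @Override
    public String getApplicationName() {
        return this.appName;
    }

    /** @return the web security context given at construction, or {@code null} if none was given */
    @Override
    public WebSecurityContext getWebSecurityContext() {
        return this.webSecurityContext;
    }

    /** @return {@code true} until {@link #disableFormLoginRedirect()} has been called */
    @Override
    public boolean isFormLoginRedirectEnabled() {
        return this.formLoginRedirect;
    }

    /**
     * @return the roles reported by the match response
     * @throws NullPointerException if no match response was supplied at construction
     */
    @Override
    public List<String> getRequiredRoles() {
        return this.matchResponse.getRoles();
    }

    /**
     * @return whether the match response requires SSL for this request
     * @throws NullPointerException if no match response was supplied at construction
     */
    @Override
    public boolean isSSLRequired() {
        return this.matchResponse.isSSLRequired();
    }

    /**
     * @return whether the match response precludes access to the requested resource
     * @throws NullPointerException if no match response was supplied at construction
     */
    @Override
    public boolean isAccessPrecluded() {
        return this.matchResponse.isAccessPrecluded();
    }

    /** @return the security metadata given at construction, possibly {@code null} */
    @Override
    public SecurityMetadata getSecurityMetadata() {
        return this.securityMetadata;
    }

    /** @return the login configuration, or {@code null} when there is no security metadata */
    @Override
    public LoginConfiguration getLoginConfig() {
        return this.securityMetadata != null ? this.securityMetadata.getLoginConfiguration() : null;
    }

    /**
     * Returns the form-login part of the login configuration.
     *
     * @return the form login configuration, or {@code null} when there is no security metadata
     *         or no login configuration (same null handling as {@link #getLoginConfig()})
     */
    @Override
    public FormLoginConfiguration getFormLoginConfiguration() {
        LoginConfiguration loginConfig = getLoginConfig();
        return loginConfig != null ? loginConfig.getFormLoginConfiguration() : null;
    }

    /** @return the match response given at construction, possibly {@code null} */
    @Override
    public MatchResponse getMatchResponse() {
        return this.matchResponse;
    }

    /**
     * Checks, in order, for a Basic authorization header, client certificates, an SSO
     * cookie/bearer header and finally asks {@link SpnegoUtil} about the authorization header.
     * Evaluation stops at the first positive check.
     */
    private boolean determineIfRequestHasAuthenticationData() {
        return isBasicAuthHeaderInRequest(this.request)
               || isClientCertHeaderInRequest(this.request)
               || isSSOCookieInRequest(this.request)
               || this.spnegoUtil.isSpnegoOrKrb5Token(this.request.getHeader(AUTHORIZATION_HEADER));
    }

    /**
     * Reports whether the Authorization header starts with {@code "Basic "}.
     *
     * <p>NOTE(review): the comparison is case-sensitive, while HTTP authentication scheme names
     * are case-insensitive (RFC 7235). A header such as {@code "basic ..."} is therefore not
     * counted here; confirm that the authenticators downstream apply the same rule so that
     * detection and validation cannot disagree.
     */
    private boolean isBasicAuthHeaderInRequest(HttpServletRequest httpServletRequest) {
        String header = httpServletRequest.getHeader(AUTHORIZATION_HEADER);
        return header != null && header.startsWith(BASIC_AUTHORIZATION_METHOD);
    }

    /**
     * Reports whether peer certificates are attached to the request, but only when the login
     * configuration's authentication method is {@code CLIENT_CERT}.
     *
     * <p>The certificates are read from a request attribute, not from a header; the attribute is
     * cast without a type check, so a value of another type raises {@link ClassCastException}.
     */
    private boolean isClientCertHeaderInRequest(HttpServletRequest httpServletRequest) {
        LoginConfiguration loginConfig = getLoginConfig();
        String authenticationMethod = loginConfig != null ? loginConfig.getAuthenticationMethod() : null;
        if (!LoginConfiguration.CLIENT_CERT.equals(authenticationMethod)) {
            return false;
        }
        X509Certificate[] peerCertificates = (X509Certificate[]) httpServletRequest.getAttribute(CertificateLoginAuthenticator.PEER_CERTIFICATES);
        return peerCertificates != null && peerCertificates.length > 0;
    }

    /** Reports whether a JWT cookie, a bearer header or a usable LTPA cookie is present. */
    private boolean isSSOCookieInRequest(HttpServletRequest httpServletRequest) {
        return isJwtCookieInRequest(httpServletRequest)
               || isBearerAuthorizationHeaderInRequest(httpServletRequest)
               || canUseLTPATokenFromRequest(httpServletRequest);
    }

    /**
     * Reports whether the request carries a cookie named as returned by
     * {@code JwtSSOTokenHelper.getJwtCookieName()}; {@code false} when that name is {@code null}.
     */
    private boolean isJwtCookieInRequest(HttpServletRequest httpServletRequest) {
        String jwtCookieName = JwtSSOTokenHelper.getJwtCookieName();
        if (jwtCookieName == null) {
            return false;
        }
        return CookieHelper.hasCookie(httpServletRequest.getCookies(), jwtCookieName);
    }

    /**
     * Reports whether the Authorization header starts with {@code "Bearer "} (case-sensitive;
     * see the note on {@link #isBasicAuthHeaderInRequest(HttpServletRequest)}).
     */
    private boolean isBearerAuthorizationHeaderInRequest(HttpServletRequest httpServletRequest) {
        String header = httpServletRequest.getHeader(AUTHORIZATION_HEADER);
        return header != null && header.startsWith(BEARER_AUTHORIZATION_METHOD);
    }

    /** An LTPA cookie only counts when {@code JwtSSOTokenHelper.shouldUseLtpaIfJwtAbsent()} allows it. */
    private boolean canUseLTPATokenFromRequest(HttpServletRequest httpServletRequest) {
        return JwtSSOTokenHelper.shouldUseLtpaIfJwtAbsent() && isLtpaCookieInRequest(httpServletRequest);
    }

    /**
     * Reports whether an LTPA SSO cookie is present.
     *
     * <p>The configured SSO cookie name is tried first. If it is absent, the default
     * {@code LtpaToken2} name is tried as well, unless the configured name already is that
     * default (ignoring case) or the configuration restricts matching to the custom name.
     *
     * <p>The configuration is checked for {@code null} before it is dereferenced. Without a
     * configuration only the default cookie name is probed, which is the outcome the later
     * null check in the original code was written for.
     */
    private boolean isLtpaCookieInRequest(HttpServletRequest httpServletRequest) {
        Cookie[] cookies = httpServletRequest.getCookies();
        if (cookies == null || cookies.length == 0) {
            return false;
        }
        if (this.config == null) {
            return CookieHelper.hasCookie(cookies, DEFAULT_LTPA_COOKIE_NAME);
        }
        String ssoCookieName = this.config.getSSOCookieName();
        if (CookieHelper.hasCookie(cookies, ssoCookieName)) {
            return true;
        }
        boolean customNameOnly = this.config.isUseOnlyCustomCookieName();
        if (customNameOnly || DEFAULT_LTPA_COOKIE_NAME.equalsIgnoreCase(ssoCookieName)) {
            return false;
        }
        return CookieHelper.hasCookie(cookies, DEFAULT_LTPA_COOKIE_NAME);
    }

    /**
     * Reports whether the request appears to carry credentials of any supported kind.
     *
     * <p>This is a presence check only: header prefixes, cookie names and a request attribute
     * are inspected, no credential is validated here.
     *
     * @return {@code true} if credential-like data was found on the request
     */
    @Override
    public boolean hasAuthenticationData() {
        return determineIfRequestHasAuthenticationData();
    }

    /** @return the unprotected-URI flag, {@code false} unless set */
    @Override
    public boolean isUnprotectedURI() {
        return this.unprotectedURI;
    }

    /** @param z new value of the unprotected-URI flag */
    @Override
    public void setUnprotectedURI(boolean z) {
        this.unprotectedURI = z;
    }

    /** Turns the form-login redirect flag off; this class offers no way to turn it back on. */
    @Override
    public void disableFormLoginRedirect() {
        this.formLoginRedirect = false;
    }

    /** @return the provider-special-unprotected-URI flag, {@code false} unless set */
    @Override
    public boolean isProviderSpecialUnprotectedURI() {
        return this.specialUnprotectedURI;
    }

    /** @param z new value of the provider-special-unprotected-URI flag */
    @Override
    public void setProviderSpecialUnprotectedURI(boolean z) {
        this.specialUnprotectedURI = z;
    }

    /** @param z new value of the call-after-SSO flag */
    @Override
    public void setCallAfterSSO(boolean z) {
        this.callAfterSSO = z;
    }

    /** @return the call-after-SSO flag, {@code true} unless changed */
    @Override
    public boolean isCallAfterSSO() {
        return this.callAfterSSO;
    }

    /** @param z new value of the continue-after-unprotected-URI flag */
    @Override
    public void setContinueAfterUnprotectedURI(boolean z) {
        this.continueAfterUnprotectedURI = z;
    }

    /** @return the continue-after-unprotected-URI flag, {@code true} unless changed */
    @Override
    public boolean isContinueAfterUnprotectedURI() {
        return this.continueAfterUnprotectedURI;
    }

    /**
     * @return the property map exactly as stored (no copy is made), or {@code null} if none
     *         was set
     */
    @Override
    public Map<String, Object> getProperties() {
        return this.propMap;
    }

    /**
     * Stores the given map by reference; later changes made by the caller stay visible through
     * {@link #getProperties()}.
     *
     * @param map the property map, may be {@code null}
     */
    @Override
    public void setProperties(Map<String, Object> map) {
        this.propMap = map;
    }

    /** @return the request-authenticate flag, {@code false} unless set */
    @Override
    public boolean isRequestAuthenticate() {
        return this.requestAuthenticate;
    }

    /** @param z new value of the request-authenticate flag */
    @Override
    public void setRequestAuthenticate(boolean z) {
        this.requestAuthenticate = z;
    }

    /** @return the disable-client-cert-fail-over flag, {@code false} unless set */
    @Override
    public boolean isDisableClientCertFailOver() {
        return this.disableClientCertFailOver;
    }

    /** @param z new value of the disable-client-cert-fail-over flag */
    @Override
    public void setDisableClientCertFailOver(boolean z) {
        this.disableClientCertFailOver = z;
    }
}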
