package com.ibm.ws.webcontainer.security;

import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import com.ibm.ws.security.authorization.jacc.JaccService;
import com.ibm.ws.webcontainer.osgi.WebContainer;
import com.ibm.ws.webcontainer.security.metadata.MatchResponse;
import com.ibm.ws.webcontainer.security.metadata.SecurityConstraint;
import com.ibm.ws.webcontainer.security.metadata.SecurityConstraintCollection;
import com.ibm.ws.webcontainer.security.metadata.SecurityConstraintCollectionImpl;
import com.ibm.ws.webcontainer.security.metadata.SecurityMetadata;
import com.ibm.ws.webcontainer.security.metadata.WebResourceCollection;
import com.ibm.wsspi.adaptable.module.Container;
import com.ibm.wsspi.adaptable.module.UnableToAdaptException;
import com.ibm.wsspi.kernel.service.utils.AtomicServiceReference;
import com.ibm.wsspi.webcontainer.collaborator.WebAppInitializationCollaborator;
import com.ibm.wsspi.webcontainer.metadata.WebModuleMetaData;
import com.ibm.wsspi.webcontainer.servlet.IServletConfig;
import com.ibm.wsspi.webcontainer.webapp.WebAppConfig;
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import javax.servlet.HttpConstraintElement;
import javax.servlet.HttpMethodConstraintElement;
import javax.servlet.ServletSecurityElement;
import javax.servlet.annotation.ServletSecurity;
import org.osgi.framework.ServiceReference;
import org.osgi.service.component.ComponentContext;

@InjectedFFDC
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
/* loaded from: input_file:wlp/lib/com.ibm.ws.webcontainer.security_1.0.10.jar:com/ibm/ws/webcontainer/security/ServletStartedListener.class */
public class ServletStartedListener implements WebAppInitializationCollaborator {
    private static final TraceComponent tc = Tr.register(ServletStartedListener.class);
    private static final String[] STANDARD_METHODS = {"GET", "POST", "PUT", "DELETE", "HEAD", "OPTIONS", "TRACE"};
    protected static final String KEY_JACC_SERVICE = "jaccService";
    private final AtomicServiceReference<JaccService> jaccService = new AtomicServiceReference<>(KEY_JACC_SERVICE);
    static final long serialVersionUID = -8552109196587983859L;

    protected void setJaccService(ServiceReference<JaccService> serviceReference) {
        this.jaccService.setReference(serviceReference);
    }

    protected void unsetJaccService(ServiceReference<JaccService> serviceReference) {
        this.jaccService.unsetReference(serviceReference);
    }

    protected void activate(ComponentContext componentContext) {
        this.jaccService.activate(componentContext);
    }

    protected void deactivate(ComponentContext componentContext) {
        this.jaccService.deactivate(componentContext);
    }

    @Override // com.ibm.wsspi.webcontainer.collaborator.WebAppInitializationCollaborator
    public void starting(Container container) {
    }

    @Override // com.ibm.wsspi.webcontainer.collaborator.WebAppInitializationCollaborator
    public void started(Container container) {
        JaccService service;
        try {
            WebAppConfig webAppConfig = (WebAppConfig) container.adapt(WebAppConfig.class);
            SecurityMetadata securityMetadata = getSecurityMetadata(webAppConfig);
            updateSecurityMetadata(securityMetadata, webAppConfig);
            setModuleSecurityMetaData(container, securityMetadata);
            if (WebContainer.getServletContainerSpecLevel() >= 31) {
                notifyDeployOfUncoveredMethods(webAppConfig);
            }
            if (checkDynamicAnnotation(webAppConfig) && (service = this.jaccService.getService()) != null) {
                service.propagateWebConstraints(webAppConfig.getApplicationName(), webAppConfig.getModuleName(), webAppConfig);
            }
        } catch (UnableToAdaptException e) {
            FFDCFilter.processException(e, "com.ibm.ws.webcontainer.security.ServletStartedListener", "103", this, new Object[]{container});
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "There was a problem setting the security meta data.", e);
            }
        }
    }

    @Override // com.ibm.wsspi.webcontainer.collaborator.WebAppInitializationCollaborator
    public void stopping(Container container) {
    }

    @Override // com.ibm.wsspi.webcontainer.collaborator.WebAppInitializationCollaborator
    public void stopped(Container container) {
    }

    public void notifyDeployOfUncoveredMethods(WebAppConfig webAppConfig) {
        SecurityConstraintCollection securityConstraintCollection;
        MatchResponse matchResponse = MatchResponse.NO_MATCH_RESPONSE;
        boolean z = false;
        SecurityMetadata securityMetadata = getSecurityMetadata(webAppConfig);
        if (securityMetadata == null || (securityConstraintCollection = securityMetadata.getSecurityConstraintCollection()) == null) {
            return;
        }
        List<SecurityConstraint> securityConstraints = securityConstraintCollection.getSecurityConstraints();
        ArrayList<String> arrayList = new ArrayList();
        Iterator<SecurityConstraint> it = securityConstraints.iterator();
        while (it.hasNext()) {
            for (WebResourceCollection webResourceCollection : it.next().getWebResourceCollections()) {
                if (!z && webResourceCollection.getDenyUncoveredHttpMethods()) {
                    z = true;
                }
                for (String str : webResourceCollection.getUrlPatterns()) {
                    if (!arrayList.contains(str)) {
                        arrayList.add(str);
                    }
                }
            }
        }
        for (String str2 : arrayList) {
            ArrayList arrayList2 = new ArrayList();
            ArrayList arrayList3 = new ArrayList();
            for (String str3 : STANDARD_METHODS) {
                MatchResponse matchResponse2 = securityConstraintCollection.getMatchResponse(str2, str3);
                if (MatchResponse.DENY_MATCH_RESPONSE.equals(matchResponse2)) {
                    arrayList2.add(str3);
                }
                if (MatchResponse.NO_MATCH_RESPONSE.equals(matchResponse2)) {
                    arrayList3.add(str3);
                }
            }
            String str4 = "";
            boolean z2 = false;
            Iterator it2 = arrayList2.iterator();
            while (it2.hasNext()) {
                str4 = str4.concat((String) it2.next()).concat(" ");
                z2 = true;
            }
            String str5 = "";
            boolean z3 = false;
            Iterator it3 = arrayList3.iterator();
            while (it3.hasNext()) {
                str5 = str5.concat((String) it3.next()).concat(" ");
                z3 = true;
            }
            if (z) {
                if (z2) {
                    Tr.info(tc, "UNCOVERED_HTTP_METHODS_FOUND", str2, webAppConfig.getApplicationName(), str4);
                }
            } else if (z3) {
                Tr.info(tc, "UNCOVERED_HTTP_METHODS_FOUND_AND_UNPROTECTED", str2, webAppConfig.getApplicationName(), str5);
            }
        }
    }

    private void updateSecurityMetadata(SecurityMetadata securityMetadata, WebAppConfig webAppConfig) {
        Iterator<IServletConfig> servletInfos = webAppConfig.getServletInfos();
        while (servletInfos.hasNext()) {
            IServletConfig next = servletInfos.next();
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "Updating servlet: " + next.getServletName(), new Object[0]);
            }
            updateSecurityMetadataWithRunAs(securityMetadata, next);
            updateSecurityMetadataWithSecurityConstraints(securityMetadata, next);
        }
    }

    public void updateSecurityMetadataWithRunAs(SecurityMetadata securityMetadata, IServletConfig iServletConfig) {
        String runAsRole = iServletConfig.getRunAsRole();
        if (runAsRole != null) {
            String servletName = iServletConfig.getServletName();
            Map<String, String> runAsMap = securityMetadata.getRunAsMap();
            if (runAsMap.get(servletName) == null) {
                runAsMap.put(servletName, runAsRole);
                List<String> roles = securityMetadata.getRoles();
                if (!roles.contains(runAsRole)) {
                    roles.add(runAsRole);
                }
                if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                    Tr.debug(tc, "Added runAs role: " + runAsRole, new Object[0]);
                }
            }
        }
    }

    public void updateSecurityMetadataWithSecurityConstraints(SecurityMetadata securityMetadata, IServletConfig iServletConfig) {
        List<String> mappings;
        ServletSecurityElement servletSecurity = iServletConfig.getServletSecurity();
        if (servletSecurity == null || (mappings = iServletConfig.getMappings()) == null) {
            return;
        }
        List<SecurityConstraint> list = null;
        SecurityConstraintCollection securityConstraintCollection = securityMetadata.getSecurityConstraintCollection();
        HashSet hashSet = new HashSet();
        if (securityConstraintCollection != null) {
            list = securityConstraintCollection.getSecurityConstraints();
            Iterator<SecurityConstraint> it = securityConstraintCollection.getSecurityConstraints().iterator();
            while (it.hasNext()) {
                Iterator<WebResourceCollection> it2 = it.next().getWebResourceCollections().iterator();
                while (it2.hasNext()) {
                    hashSet.addAll(it2.next().getUrlPatterns());
                }
            }
        }
        ArrayList arrayList = new ArrayList(mappings);
        arrayList.removeAll(hashSet);
        List<SecurityConstraint> createSecurityConstraints = createSecurityConstraints(securityMetadata, servletSecurity, arrayList);
        if (list == null) {
            list = new ArrayList();
        }
        list.addAll(createSecurityConstraints);
        if (securityConstraintCollection == null) {
            SecurityConstraintCollectionImpl securityConstraintCollectionImpl = new SecurityConstraintCollectionImpl(list);
            securityConstraintCollectionImpl.addSecurityConstraints(list);
            securityMetadata.setSecurityConstraintCollection(securityConstraintCollectionImpl);
        }
    }

    private List<SecurityConstraint> createSecurityConstraints(SecurityMetadata securityMetadata, ServletSecurityElement servletSecurityElement, Collection<String> collection) {
        ArrayList arrayList = new ArrayList();
        arrayList.add(getConstraintFromHttpElement(securityMetadata, collection, servletSecurityElement));
        arrayList.addAll(getConstraintsFromHttpMethodElement(securityMetadata, collection, servletSecurityElement));
        return arrayList;
    }

    private SecurityConstraint getConstraintFromHttpElement(SecurityMetadata securityMetadata, Collection<String> collection, ServletSecurityElement servletSecurityElement) {
        ArrayList arrayList = new ArrayList();
        if (!servletSecurityElement.getMethodNames().isEmpty()) {
            arrayList.addAll(servletSecurityElement.getMethodNames());
        }
        WebResourceCollection webResourceCollection = new WebResourceCollection((List) collection, new ArrayList(), arrayList, securityMetadata.isDenyUncoveredHttpMethods());
        ArrayList arrayList2 = new ArrayList();
        arrayList2.add(webResourceCollection);
        return createSecurityConstraint(securityMetadata, arrayList2, servletSecurityElement, true);
    }

    private List<SecurityConstraint> getConstraintsFromHttpMethodElement(SecurityMetadata securityMetadata, Collection<String> collection, ServletSecurityElement servletSecurityElement) {
        ArrayList arrayList = new ArrayList();
        for (HttpMethodConstraintElement httpMethodConstraintElement : servletSecurityElement.getHttpMethodConstraints()) {
            String methodName = httpMethodConstraintElement.getMethodName();
            ArrayList arrayList2 = new ArrayList();
            arrayList2.add(methodName);
            WebResourceCollection webResourceCollection = new WebResourceCollection((List) collection, arrayList2, new ArrayList(), securityMetadata.isDenyUncoveredHttpMethods());
            List<WebResourceCollection> arrayList3 = new ArrayList<>();
            arrayList3.add(webResourceCollection);
            arrayList.add(createSecurityConstraint(securityMetadata, arrayList3, httpMethodConstraintElement, false));
        }
        return arrayList;
    }

    private SecurityConstraint createSecurityConstraint(SecurityMetadata securityMetadata, List<WebResourceCollection> list, HttpConstraintElement httpConstraintElement, boolean z) {
        List<String> createRoles = createRoles(httpConstraintElement);
        List<String> roles = securityMetadata.getRoles();
        for (String str : createRoles) {
            if (!roles.contains(str)) {
                roles.add(str);
            }
        }
        return new SecurityConstraint(list, createRoles, isSSLRequired(httpConstraintElement), isAccessPrecluded(httpConstraintElement), z, isAccessUncovered(httpConstraintElement));
    }

    private List<String> createRoles(HttpConstraintElement httpConstraintElement) {
        String[] rolesAllowed = httpConstraintElement.getRolesAllowed();
        ArrayList arrayList = new ArrayList();
        for (String str : rolesAllowed) {
            arrayList.add(str);
        }
        return arrayList;
    }

    private boolean isSSLRequired(HttpConstraintElement httpConstraintElement) {
        boolean z = false;
        if (httpConstraintElement.getTransportGuarantee() != ServletSecurity.TransportGuarantee.NONE) {
            z = true;
        }
        return z;
    }

    private boolean isAccessPrecluded(HttpConstraintElement httpConstraintElement) {
        boolean z = false;
        String[] rolesAllowed = httpConstraintElement.getRolesAllowed();
        if ((rolesAllowed == null || rolesAllowed.length == 0) && ServletSecurity.EmptyRoleSemantic.DENY == httpConstraintElement.getEmptyRoleSemantic()) {
            z = true;
        }
        return z;
    }

    private boolean isAccessUncovered(HttpConstraintElement httpConstraintElement) {
        boolean z = false;
        String[] rolesAllowed = httpConstraintElement.getRolesAllowed();
        if ((rolesAllowed == null || rolesAllowed.length == 0) && ServletSecurity.EmptyRoleSemantic.PERMIT == httpConstraintElement.getEmptyRoleSemantic()) {
            z = true;
        }
        return z;
    }

    private void setModuleSecurityMetaData(Container container, SecurityMetadata securityMetadata) {
        try {
            ((WebModuleMetaData) container.adapt(WebModuleMetaData.class)).setSecurityMetaData(securityMetadata);
        } catch (UnableToAdaptException e) {
            FFDCFilter.processException(e, "com.ibm.ws.webcontainer.security.ServletStartedListener", "461", this, new Object[]{container, securityMetadata});
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "There was a problem setting the security meta data.", e);
            }
        }
    }

    private SecurityMetadata getSecurityMetadata(WebAppConfig webAppConfig) {
        return (SecurityMetadata) webAppConfig.getMetaData().getSecurityMetaData();
    }

    protected boolean checkDynamicAnnotation(WebAppConfig webAppConfig) {
        boolean z = false;
        Iterator<IServletConfig> servletInfos = webAppConfig.getServletInfos();
        while (true) {
            if (!servletInfos.hasNext()) {
                break;
            }
            IServletConfig next = servletInfos.next();
            List<String> mappings = next.getMappings();
            if (next.getServletSecurity() != null && mappings != null && !mappings.isEmpty()) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "*** Found dynamic security constraints for servlet: " + next.getServletName(), new Object[0]);
                }
                z = true;
            }
        }
        return z;
    }
}
