package org.eclipse.jetty.security;

import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.CopyOnWriteArrayList;
import java.util.concurrent.CopyOnWriteArraySet;
import javax.servlet.HttpConstraintElement;
import javax.servlet.HttpMethodConstraintElement;
import javax.servlet.ServletSecurityElement;
import javax.servlet.annotation.ServletSecurity;
import org.apache.commons.configuration.tree.DefaultExpressionEngine;
import org.eclipse.jetty.http.PathMap;
import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.Request;
import org.eclipse.jetty.server.Response;
import org.eclipse.jetty.server.UserIdentity;
import org.eclipse.jetty.server.handler.ContextHandler;
import org.eclipse.jetty.util.URIUtil;
import org.eclipse.jetty.util.component.DumpableCollection;
import org.eclipse.jetty.util.log.Log;
import org.eclipse.jetty.util.log.Logger;
import org.eclipse.jetty.util.security.Constraint;

/* loaded from: input_file:jetty-security-9.4.30.v20200611.jar:org/eclipse/jetty/security/ConstraintSecurityHandler.class */
public class ConstraintSecurityHandler extends SecurityHandler implements ConstraintAware {
    private static final Logger LOG = Log.getLogger((Class<?>) SecurityHandler.class);
    private static final String OMISSION_SUFFIX = ".omission";
    private static final String ALL_METHODS = "*";
    private final List<ConstraintMapping> _constraintMappings = new CopyOnWriteArrayList();
    private final Set<String> _roles = new CopyOnWriteArraySet();
    private final PathMap<Map<String, RoleInfo>> _constraintMap = new PathMap<>();
    private boolean _denyUncoveredMethods = false;

    public static Constraint createConstraint() {
        return new Constraint();
    }

    public static Constraint createConstraint(Constraint constraint) {
        try {
            return (Constraint) constraint.clone();
        } catch (CloneNotSupportedException e) {
            throw new IllegalStateException(e);
        }
    }

    public static Constraint createConstraint(String str, boolean z, String[] strArr, int i) {
        Constraint createConstraint = createConstraint();
        if (str != null) {
            createConstraint.setName(str);
        }
        createConstraint.setAuthenticate(z);
        createConstraint.setRoles(strArr);
        createConstraint.setDataConstraint(i);
        return createConstraint;
    }

    public static Constraint createConstraint(String str, HttpConstraintElement httpConstraintElement) {
        return createConstraint(str, httpConstraintElement.getRolesAllowed(), httpConstraintElement.getEmptyRoleSemantic(), httpConstraintElement.getTransportGuarantee());
    }

    public static Constraint createConstraint(String str, String[] strArr, ServletSecurity.EmptyRoleSemantic emptyRoleSemantic, ServletSecurity.TransportGuarantee transportGuarantee) {
        Constraint createConstraint = createConstraint();
        if (strArr != null && strArr.length != 0) {
            createConstraint.setAuthenticate(true);
            createConstraint.setRoles(strArr);
            createConstraint.setName(str + "-RolesAllowed");
        } else if (emptyRoleSemantic.equals(ServletSecurity.EmptyRoleSemantic.DENY)) {
            createConstraint.setName(str + "-Deny");
            createConstraint.setAuthenticate(true);
        } else {
            createConstraint.setName(str + "-Permit");
            createConstraint.setAuthenticate(false);
        }
        createConstraint.setDataConstraint(transportGuarantee.equals(ServletSecurity.TransportGuarantee.CONFIDENTIAL) ? 2 : 0);
        return createConstraint;
    }

    public static List<ConstraintMapping> getConstraintMappingsForPath(String str, List<ConstraintMapping> list) {
        if (str == null || "".equals(str.trim()) || list == null || list.size() == 0) {
            return Collections.emptyList();
        }
        ArrayList arrayList = new ArrayList();
        for (ConstraintMapping constraintMapping : list) {
            if (str.equals(constraintMapping.getPathSpec())) {
                arrayList.add(constraintMapping);
            }
        }
        return arrayList;
    }

    public static List<ConstraintMapping> removeConstraintMappingsForPath(String str, List<ConstraintMapping> list) {
        if (str == null || "".equals(str.trim()) || list == null || list.size() == 0) {
            return Collections.emptyList();
        }
        ArrayList arrayList = new ArrayList();
        for (ConstraintMapping constraintMapping : list) {
            if (!str.equals(constraintMapping.getPathSpec())) {
                arrayList.add(constraintMapping);
            }
        }
        return arrayList;
    }

    public static List<ConstraintMapping> createConstraintsWithMappingsForPath(String str, String str2, ServletSecurityElement servletSecurityElement) {
        ArrayList arrayList = new ArrayList();
        ConstraintMapping constraintMapping = null;
        if (servletSecurityElement.getEmptyRoleSemantic() != ServletSecurity.EmptyRoleSemantic.PERMIT || servletSecurityElement.getRolesAllowed().length != 0 || servletSecurityElement.getTransportGuarantee() != ServletSecurity.TransportGuarantee.NONE) {
            Constraint createConstraint = createConstraint(str, servletSecurityElement);
            constraintMapping = new ConstraintMapping();
            constraintMapping.setPathSpec(str2);
            constraintMapping.setConstraint(createConstraint);
            arrayList.add(constraintMapping);
        }
        ArrayList arrayList2 = new ArrayList();
        Collection<HttpMethodConstraintElement> httpMethodConstraints = servletSecurityElement.getHttpMethodConstraints();
        if (httpMethodConstraints != null) {
            for (HttpMethodConstraintElement httpMethodConstraintElement : httpMethodConstraints) {
                Constraint createConstraint2 = createConstraint(str, httpMethodConstraintElement);
                ConstraintMapping constraintMapping2 = new ConstraintMapping();
                constraintMapping2.setConstraint(createConstraint2);
                constraintMapping2.setPathSpec(str2);
                if (httpMethodConstraintElement.getMethodName() != null) {
                    constraintMapping2.setMethod(httpMethodConstraintElement.getMethodName());
                    arrayList2.add(httpMethodConstraintElement.getMethodName());
                }
                arrayList.add(constraintMapping2);
            }
        }
        if (arrayList2.size() > 0 && constraintMapping != null) {
            constraintMapping.setMethodOmissions((String[]) arrayList2.toArray(new String[arrayList2.size()]));
        }
        return arrayList;
    }

    @Override // org.eclipse.jetty.security.ConstraintAware
    public List<ConstraintMapping> getConstraintMappings() {
        return this._constraintMappings;
    }

    @Override // org.eclipse.jetty.security.ConstraintAware
    public Set<String> getRoles() {
        return this._roles;
    }

    public void setConstraintMappings(List<ConstraintMapping> list) {
        setConstraintMappings(list, null);
    }

    public void setConstraintMappings(ConstraintMapping[] constraintMappingArr) {
        setConstraintMappings(Arrays.asList(constraintMappingArr), null);
    }

    @Override // org.eclipse.jetty.security.ConstraintAware
    public void setConstraintMappings(List<ConstraintMapping> list, Set<String> set) {
        this._constraintMappings.clear();
        this._constraintMappings.addAll(list);
        if (set == null) {
            set = new HashSet();
            Iterator<ConstraintMapping> it = list.iterator();
            while (it.hasNext()) {
                String[] roles = it.next().getConstraint().getRoles();
                if (roles != null) {
                    for (String str : roles) {
                        if (!"*".equals(str)) {
                            set.add(str);
                        }
                    }
                }
            }
        }
        setRoles(set);
        if (isStarted()) {
            Iterator<ConstraintMapping> it2 = this._constraintMappings.iterator();
            while (it2.hasNext()) {
                processConstraintMapping(it2.next());
            }
        }
    }

    public void setRoles(Set<String> set) {
        this._roles.clear();
        this._roles.addAll(set);
    }

    @Override // org.eclipse.jetty.security.ConstraintAware
    public void addConstraintMapping(ConstraintMapping constraintMapping) {
        this._constraintMappings.add(constraintMapping);
        if (constraintMapping.getConstraint() != null && constraintMapping.getConstraint().getRoles() != null) {
            for (String str : constraintMapping.getConstraint().getRoles()) {
                if (!"*".equals(str) && !Constraint.ANY_AUTH.equals(str)) {
                    addRole(str);
                }
            }
        }
        if (isStarted()) {
            processConstraintMapping(constraintMapping);
        }
    }

    @Override // org.eclipse.jetty.security.ConstraintAware
    public void addRole(String str) {
        boolean add = this._roles.add(str);
        if (isStarted() && add) {
            Iterator<Map<String, RoleInfo>> it = this._constraintMap.values().iterator();
            while (it.hasNext()) {
                for (RoleInfo roleInfo : it.next().values()) {
                    if (roleInfo.isAnyRole()) {
                        roleInfo.addRole(str);
                    }
                }
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    @Override // org.eclipse.jetty.security.SecurityHandler, org.eclipse.jetty.server.handler.AbstractHandler, org.eclipse.jetty.util.component.ContainerLifeCycle, org.eclipse.jetty.util.component.AbstractLifeCycle
    public void doStart() throws Exception {
        this._constraintMap.clear();
        if (this._constraintMappings != null) {
            Iterator<ConstraintMapping> it = this._constraintMappings.iterator();
            while (it.hasNext()) {
                processConstraintMapping(it.next());
            }
        }
        checkPathsWithUncoveredHttpMethods();
        super.doStart();
    }

    /* JADX INFO: Access modifiers changed from: protected */
    @Override // org.eclipse.jetty.security.SecurityHandler, org.eclipse.jetty.server.handler.AbstractHandler, org.eclipse.jetty.util.component.ContainerLifeCycle, org.eclipse.jetty.util.component.AbstractLifeCycle
    public void doStop() throws Exception {
        super.doStop();
        this._constraintMap.clear();
    }

    protected void processConstraintMapping(ConstraintMapping constraintMapping) {
        Map<String, RoleInfo> map = this._constraintMap.get(constraintMapping.getPathSpec());
        if (map == null) {
            map = new HashMap();
            this._constraintMap.put(constraintMapping.getPathSpec(), (String) map);
        }
        RoleInfo roleInfo = map.get("*");
        if (roleInfo == null || !roleInfo.isForbidden()) {
            if (constraintMapping.getMethodOmissions() != null && constraintMapping.getMethodOmissions().length > 0) {
                processConstraintMappingWithMethodOmissions(constraintMapping, map);
                return;
            }
            String method = constraintMapping.getMethod();
            if (method == null) {
                method = "*";
            }
            RoleInfo roleInfo2 = map.get(method);
            if (roleInfo2 == null) {
                roleInfo2 = new RoleInfo();
                map.put(method, roleInfo2);
                if (roleInfo != null) {
                    roleInfo2.combine(roleInfo);
                }
            }
            if (roleInfo2.isForbidden()) {
                return;
            }
            configureRoleInfo(roleInfo2, constraintMapping);
            if (roleInfo2.isForbidden() && method.equals("*")) {
                map.clear();
                map.put("*", roleInfo2);
            }
        }
    }

    protected void processConstraintMappingWithMethodOmissions(ConstraintMapping constraintMapping, Map<String, RoleInfo> map) {
        String[] methodOmissions = constraintMapping.getMethodOmissions();
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < methodOmissions.length; i++) {
            if (i > 0) {
                sb.append(DefaultExpressionEngine.DEFAULT_PROPERTY_DELIMITER);
            }
            sb.append(methodOmissions[i]);
        }
        sb.append(OMISSION_SUFFIX);
        RoleInfo roleInfo = new RoleInfo();
        map.put(sb.toString(), roleInfo);
        configureRoleInfo(roleInfo, constraintMapping);
    }

    protected void configureRoleInfo(RoleInfo roleInfo, ConstraintMapping constraintMapping) {
        roleInfo.setForbidden(constraintMapping.getConstraint().isForbidden());
        roleInfo.setUserDataConstraint(UserDataConstraint.get(constraintMapping.getConstraint().getDataConstraint()));
        if (roleInfo.isForbidden()) {
            return;
        }
        roleInfo.setChecked(constraintMapping.getConstraint().getAuthenticate());
        if (roleInfo.isChecked()) {
            if (constraintMapping.getConstraint().isAnyRole()) {
                Iterator<String> it = this._roles.iterator();
                while (it.hasNext()) {
                    roleInfo.addRole(it.next());
                }
                roleInfo.setAnyRole(true);
                return;
            }
            if (constraintMapping.getConstraint().isAnyAuth()) {
                roleInfo.setAnyAuth(true);
                return;
            }
            for (String str : constraintMapping.getConstraint().getRoles()) {
                if (!this._roles.contains(str)) {
                    throw new IllegalArgumentException("Attempt to use undeclared role: " + str + ", known roles: " + this._roles);
                }
                roleInfo.addRole(str);
            }
        }
    }

    @Override // org.eclipse.jetty.security.SecurityHandler
    protected RoleInfo prepareConstraintInfo(String str, Request request) {
        Map<String, RoleInfo> match = this._constraintMap.match(str);
        if (match == null) {
            return null;
        }
        String method = request.getMethod();
        RoleInfo roleInfo = match.get(method);
        if (roleInfo == null) {
            ArrayList arrayList = new ArrayList();
            RoleInfo roleInfo2 = match.get("*");
            if (roleInfo2 != null) {
                arrayList.add(roleInfo2);
            }
            for (Map.Entry<String, RoleInfo> entry : match.entrySet()) {
                if (entry.getKey() != null && entry.getKey().endsWith(OMISSION_SUFFIX) && !entry.getKey().contains(method)) {
                    arrayList.add(entry.getValue());
                }
            }
            if (arrayList.size() == 0 && isDenyUncoveredHttpMethods()) {
                roleInfo = new RoleInfo();
                roleInfo.setForbidden(true);
            } else if (arrayList.size() == 1) {
                roleInfo = (RoleInfo) arrayList.get(0);
            } else {
                roleInfo = new RoleInfo();
                roleInfo.setUserDataConstraint(UserDataConstraint.None);
                Iterator it = arrayList.iterator();
                while (it.hasNext()) {
                    roleInfo.combine((RoleInfo) it.next());
                }
            }
        }
        return roleInfo;
    }

    @Override // org.eclipse.jetty.security.SecurityHandler
    protected boolean checkUserDataPermissions(String str, Request request, Response response, RoleInfo roleInfo) throws IOException {
        if (roleInfo == null) {
            return true;
        }
        if (roleInfo.isForbidden()) {
            return false;
        }
        UserDataConstraint userDataConstraint = roleInfo.getUserDataConstraint();
        if (userDataConstraint == null || userDataConstraint == UserDataConstraint.None) {
            return true;
        }
        HttpConfiguration httpConfiguration = Request.getBaseRequest(request).getHttpChannel().getHttpConfiguration();
        if (userDataConstraint != UserDataConstraint.Confidential && userDataConstraint != UserDataConstraint.Integral) {
            throw new IllegalArgumentException("Invalid dataConstraint value: " + userDataConstraint);
        }
        if (request.isSecure()) {
            return true;
        }
        if (httpConfiguration.getSecurePort() > 0) {
            String newURI = URIUtil.newURI(httpConfiguration.getSecureScheme(), request.getServerName(), httpConfiguration.getSecurePort(), request.getRequestURI(), request.getQueryString());
            response.setContentLength(0);
            response.sendRedirect(newURI);
        } else {
            response.sendError(403, "!Secure");
        }
        request.setHandled(true);
        return false;
    }

    @Override // org.eclipse.jetty.security.SecurityHandler
    protected boolean isAuthMandatory(Request request, Response response, Object obj) {
        return obj != null && ((RoleInfo) obj).isChecked();
    }

    @Override // org.eclipse.jetty.security.SecurityHandler
    protected boolean checkWebResourcePermissions(String str, Request request, Response response, Object obj, UserIdentity userIdentity) throws IOException {
        if (obj == null) {
            return true;
        }
        RoleInfo roleInfo = (RoleInfo) obj;
        if (!roleInfo.isChecked()) {
            return true;
        }
        if (roleInfo.isAnyAuth() && request.getUserPrincipal() != null) {
            return true;
        }
        boolean z = false;
        Iterator<String> it = roleInfo.getRoles().iterator();
        while (true) {
            if (!it.hasNext()) {
                break;
            }
            if (userIdentity.isUserInRole(it.next(), null)) {
                z = true;
                break;
            }
        }
        if (roleInfo.isAnyRole() && request.getUserPrincipal() != null && z) {
            return true;
        }
        return z;
    }

    @Override // org.eclipse.jetty.util.component.ContainerLifeCycle, org.eclipse.jetty.util.component.Dumpable
    public void dump(Appendable appendable, String str) throws IOException {
        dumpObjects(appendable, str, DumpableCollection.from("roles", this._roles), DumpableCollection.from("constraints", this._constraintMap.entrySet()));
    }

    @Override // org.eclipse.jetty.security.ConstraintAware
    public void setDenyUncoveredHttpMethods(boolean z) {
        this._denyUncoveredMethods = z;
    }

    @Override // org.eclipse.jetty.security.ConstraintAware
    public boolean isDenyUncoveredHttpMethods() {
        return this._denyUncoveredMethods;
    }

    @Override // org.eclipse.jetty.security.ConstraintAware
    public boolean checkPathsWithUncoveredHttpMethods() {
        Set<String> pathsWithUncoveredHttpMethods = getPathsWithUncoveredHttpMethods();
        if (pathsWithUncoveredHttpMethods == null || pathsWithUncoveredHttpMethods.isEmpty()) {
            return false;
        }
        Iterator<String> it = pathsWithUncoveredHttpMethods.iterator();
        while (it.hasNext()) {
            LOG.warn("{} has uncovered http methods for path: {}", ContextHandler.getCurrentContext(), it.next());
        }
        if (!LOG.isDebugEnabled()) {
            return true;
        }
        LOG.debug(new Throwable());
        return true;
    }

    public Set<String> getPathsWithUncoveredHttpMethods() {
        if (this._denyUncoveredMethods) {
            return Collections.emptySet();
        }
        HashSet hashSet = new HashSet();
        for (String str : this._constraintMap.keySet()) {
            Map<String, RoleInfo> map = this._constraintMap.get(str);
            if (map.get("*") == null) {
                boolean omissionsExist = omissionsExist(str, map);
                for (String str2 : map.keySet()) {
                    if (str2.endsWith(OMISSION_SUFFIX)) {
                        Iterator<String> it = getOmittedMethods(str2).iterator();
                        while (it.hasNext()) {
                            if (!map.containsKey(it.next())) {
                                hashSet.add(str);
                            }
                        }
                    } else if (!omissionsExist) {
                        hashSet.add(str);
                    }
                }
            }
        }
        return hashSet;
    }

    protected boolean omissionsExist(String str, Map<String, RoleInfo> map) {
        if (map == null) {
            return false;
        }
        boolean z = false;
        Iterator<String> it = map.keySet().iterator();
        while (it.hasNext()) {
            if (it.next().endsWith(OMISSION_SUFFIX)) {
                z = true;
            }
        }
        return z;
    }

    protected Set<String> getOmittedMethods(String str) {
        if (str == null || !str.endsWith(OMISSION_SUFFIX)) {
            return Collections.emptySet();
        }
        String[] split = str.split("\\.");
        HashSet hashSet = new HashSet();
        for (int i = 0; i < split.length - 1; i++) {
            hashSet.add(split[i]);
        }
        return hashSet;
    }
}
