package org.jboss.as.web.security;

import java.io.IOException;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.util.Map;
import javax.security.jacc.PolicyContext;
import javax.servlet.ServletException;
import javax.servlet.http.HttpSession;
import org.apache.catalina.Manager;
import org.apache.catalina.Session;
import org.apache.catalina.Wrapper;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;
import org.jboss.as.server.deployment.DeploymentUnit;
import org.jboss.as.web.WebLogger;
import org.jboss.as.web.deployment.WarMetaData;
import org.jboss.metadata.javaee.jboss.RunAsIdentityMetaData;
import org.jboss.metadata.web.jboss.JBossWebMetaData;
import org.jboss.security.RunAsIdentity;
import org.jboss.security.SecurityContext;
import org.jboss.security.SecurityRolesAssociation;
import org.jboss.security.SecurityUtil;
import org.jboss.security.SimplePrincipal;

/* loaded from: input_file:org/jboss/as/web/security/SecurityContextAssociationValve.class */
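/**
 * Valve that binds per-request security state to the worker thread before the rest of the
 * pipeline runs, and removes it again afterwards.
 *
 * <p>For each request it: publishes the request in a thread-local, obtains or creates a
 * {@link SecurityContext} for the deployment's security domain, pushes the servlet's run-as
 * identity (if one is configured), restores a previously authenticated principal from the
 * session, and switches the JACC policy context ID to this deployment's ID.
 *
 * <p>All of that state lives on the thread, so it must be reset on every exit path. If it is
 * not, the next request served by the same thread can observe the previous caller's security
 * context, roles or policy context.
 */
public class SecurityContextAssociationValve extends ValveBase {
    /** Security domain used when the deployment metadata does not name one. */
    private static final String DEFAULT_SECURITY_DOMAIN = "jboss-web-policy";

    /** Session note consulted as a fallback source for the authenticated principal. */
    private static final String SESSION_PRINCIPAL_NOTE = "org.apache.catalina.authenticator.PRINCIPAL";

    /** Request currently being processed on this thread; cleared when {@code invoke} returns. */
    private static final ThreadLocal<Request> activeRequest = new ThreadLocal<>();

    private final String securityDomain;
    private final Map<String, RunAsIdentityMetaData> runAsIdentity;
    private final String contextId;

    /**
     * Privileged action that installs a JACC policy context ID on the calling thread and
     * returns the ID that was in effect before.
     *
     * <p>Decompiler note: this class was private in the original; its visibility was widened
     * by the decompiler and is kept as shown.
     */
    public static class SetContextIDAction implements PrivilegedAction<String> {
        private final String contextID;

        SetContextIDAction(String str) {
            this.contextID = str;
        }

        /**
         * Swaps the thread's policy context ID.
         *
         * @return the policy context ID that was set before this call
         */
        @Override // java.security.PrivilegedAction
        public String run() {
            final String previous = PolicyContext.getContextID();
            PolicyContext.setContextID(this.contextID);
            return previous;
        }
    }

    /**
     * Reads the security domain, run-as mapping and JACC context ID from the deployment.
     *
     * <p>The context ID is the deployment name, prefixed with {@code parentName + "!"} when
     * the deployment unit has a parent.
     *
     * @param deploymentUnit the web deployment this valve is installed for
     */
    public SecurityContextAssociationValve(DeploymentUnit deploymentUnit) {
        // NOTE(review): assumes the WarMetaData attachment is always present; a missing
        // attachment fails here with a NullPointerException.
        final WarMetaData warMetaData = (WarMetaData) deploymentUnit.getAttachment(WarMetaData.ATTACHMENT_KEY);
        final JBossWebMetaData metaData = warMetaData.getMergedJBossWebMetaData();

        final String declaredDomain = SecurityUtil.unprefixSecurityDomain(metaData.getSecurityDomain());
        this.securityDomain = declaredDomain == null ? DEFAULT_SECURITY_DOMAIN : declaredDomain;
        this.runAsIdentity = metaData.getRunAsIdentity();

        final String unitName = deploymentUnit.getName();
        this.contextId = deploymentUnit.getParent() != null
                ? deploymentUnit.getParent().getName() + "!" + unitName
                : unitName;
    }

    /**
     * Establishes the security state for the request, invokes the next valve, and always
     * resets the thread afterwards.
     *
     * <p>The reset runs in a {@code finally} block so that an exception thrown by a downstream
     * valve or servlet cannot leave the security context, security roles, JACC context ID or
     * active request attached to a pooled thread.
     *
     * @param request the request being processed
     * @param response the response being produced
     * @throws IOException if thrown by the downstream pipeline
     * @throws ServletException if thrown by the downstream pipeline
     */
    public void invoke(Request request, Response response) throws IOException, ServletException {
        activeRequest.set(request);
        Object caller = null;
        String previousContextId = null;
        boolean contextIdSwitched = false;
        try {
            caller = request.getPrincipal();
            final HttpSession httpSession = request.getSession(false);
            // The caller is passed as a format argument: the principal name is supplied by
            // the client, and a '%' in it must not be interpreted as a format specifier.
            WebLogger.WEB_SECURITY_LOGGER.tracef("Begin invoke, caller=%s", caller);

            SecurityContext securityContext = SecurityActions.getSecurityContext();
            final boolean createdSecurityContext = securityContext == null;
            if (createdSecurityContext) {
                securityContext = SecurityActions.createSecurityContext(this.securityDomain);
                SecurityActions.setSecurityContextOnAssociation(securityContext);
            }

            Wrapper servlet = null;
            try {
                servlet = request.getWrapper();
                if (servlet != null) {
                    pushRunAsIdentityFor(servlet.getName());
                }
                final JBossGenericPrincipal cached = findCachedPrincipal(request, caller, httpSession);
                if (cached != null) {
                    WebLogger.WEB_SECURITY_LOGGER.trace("Restoring principal info from cache");
                    // Only populate a context this valve created; an existing one is left as is.
                    if (createdSecurityContext) {
                        securityContext.getUtil().createSubjectInfo(
                                new SimplePrincipal(cached.getName()), cached.getCredentials(), cached.getSubject());
                    }
                }
            } catch (Throwable t) {
                // NOTE(review): a failure here is logged and the request still proceeds,
                // possibly without the run-as identity or the restored principal. Confirm
                // that continuing is the intended behaviour for this deployment.
                WebLogger.WEB_SECURITY_LOGGER.debug("Failed to determine servlet", t);
            }

            previousContextId = setContextID(this.contextId);
            contextIdSwitched = true;

            getNext().invoke(request, response);

            // On the failure path the whole security context is cleared in the finally block.
            if (servlet != null) {
                SecurityActions.popRunAsIdentity();
            }
        } finally {
            endInvoke(caller, contextIdSwitched, previousContextId);
        }
    }

    /**
     * Returns the request being processed on the calling thread.
     *
     * @return the active request, or {@code null} when no request is in progress on this thread
     */
    public static Request getActiveRequest() {
        return activeRequest.get();
    }

    /** Pushes the run-as identity configured for the servlet, or {@code null} when there is none. */
    private void pushRunAsIdentityFor(String servletName) {
        final RunAsIdentityMetaData configured = this.runAsIdentity.get(servletName);
        RunAsIdentity identity = null;
        if (configured != null) {
            WebLogger.WEB_SECURITY_LOGGER.tracef("%s, runAs: %s", servletName, configured);
            identity = new RunAsIdentity(
                    configured.getRoleName(), configured.getPrincipalName(), configured.getRunAsRoles());
        }
        SecurityActions.pushRunAsIdentity(identity);
    }

    /**
     * Finds the authenticated principal: the request principal when it is a
     * {@link JBossGenericPrincipal}, otherwise the session principal, otherwise the session note.
     */
    private JBossGenericPrincipal findCachedPrincipal(Request request, Object caller, HttpSession httpSession) {
        if (caller instanceof JBossGenericPrincipal) {
            return (JBossGenericPrincipal) caller;
        }

        Session managedSession = null;
        final Manager manager = this.container.getManager();
        if (manager != null && httpSession != null) {
            try {
                managedSession = manager.findSession(httpSession.getId());
            } catch (IOException e) {
                // Best effort: fall back to the session note. The session ID is a bearer
                // secret and is deliberately not included in the log message.
                WebLogger.WEB_SECURITY_LOGGER.debug("Failed to look up the session for the request", e);
            }
        }

        JBossGenericPrincipal cached = null;
        if (managedSession != null) {
            cached = (JBossGenericPrincipal) managedSession.getPrincipal();
        }
        if (cached == null) {
            final Session internalSession = request.getSessionInternal(false);
            if (internalSession != null) {
                cached = (JBossGenericPrincipal) internalSession.getNote(SESSION_PRINCIPAL_NOTE);
            }
        }
        return cached;
    }

    /**
     * Resets all thread-bound state. Each step runs even if an earlier one throws, so one
     * failing cleanup call cannot leave the remaining state on the thread.
     */
    private void endInvoke(Object caller, boolean contextIdSwitched, String previousContextId) {
        try {
            WebLogger.WEB_SECURITY_LOGGER.tracef("End invoke, caller=%s", caller);
        } finally {
            try {
                SecurityActions.clearSecurityContext();
            } finally {
                try {
                    SecurityRolesAssociation.setSecurityRoles((Map) null);
                } finally {
                    try {
                        // Restore only if this invocation replaced the ID; otherwise the
                        // thread's existing policy context would be overwritten.
                        if (contextIdSwitched) {
                            setContextID(previousContextId);
                        }
                    } finally {
                        activeRequest.remove();
                    }
                }
            }
        }
    }

    /**
     * Installs {@code str} as the thread's JACC policy context ID.
     *
     * <p>The argument must be the value that is installed. Installing {@code this.contextId}
     * unconditionally would turn the restore call into a no-op and leave this deployment's
     * policy context on the thread after the request has finished.
     *
     * @param str the policy context ID to install; may be {@code null}
     * @return the policy context ID that was in effect before the call
     */
    private String setContextID(String str) {
        return AccessController.doPrivileged(new SetContextIDAction(str));
    }
}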
