package org.codehaus.plexus.redback.struts2.interceptor;

import com.google.common.collect.Lists;
import com.opensymphony.xwork2.Action;
import com.opensymphony.xwork2.ActionContext;
import com.opensymphony.xwork2.ActionInvocation;
import java.util.List;
import javax.inject.Inject;
import javax.servlet.http.HttpSession;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.lang.SystemUtils;
import org.apache.struts2.ServletActionContext;
import org.codehaus.plexus.redback.authorization.AuthorizationResult;
import org.codehaus.plexus.redback.system.SecuritySession;
import org.codehaus.plexus.redback.system.SecuritySystem;
import org.codehaus.plexus.redback.system.SecuritySystemConstants;
import org.codehaus.plexus.util.LineOrientedInterpolatingReader;
import org.codehaus.redback.integration.interceptor.SecureAction;
import org.codehaus.redback.integration.interceptor.SecureActionBundle;
import org.codehaus.redback.integration.interceptor.SecureActionException;
import org.springframework.beans.factory.xml.BeanDefinitionParserDelegate;
import org.springframework.context.annotation.Scope;
import org.springframework.stereotype.Controller;

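/**
 * Struts2 interceptor that enforces the {@link SecureActionBundle} declared by a
 * {@link SecureAction} before the action is invoked.
 *
 * <p>Decision order in {@link #intercept(ActionInvocation)}:
 * <ol>
 *   <li>optional HTTP {@code Referer} check, only when {@code enableReferrerCheck} parses as
 *       {@code true};</li>
 *   <li>a {@code null} bundle or {@link SecureActionBundle#OPEN} lets the action run;</li>
 *   <li>{@code requiresAuthentication()} without an authenticated {@link SecuritySession}
 *       yields the {@code requires-authentication} result;</li>
 *   <li>when the bundle lists authorization tuples, the first tuple that authorizes lets the
 *       action run (tuples are OR-ed); if none does, the result is
 *       {@code requires-authorization}.</li>
 * </ol>
 *
 * <p>Fail-open points worth knowing when reviewing a deployment: a {@code null} bundle is treated
 * like an open action (logged at error level), and the referrer check passes when the
 * {@code Referer} header is absent or the servlet container cannot map the referred path to a
 * real path.
 *
 * <p>Not thread-safe by contract, but the bean is {@code prototype}-scoped so instances are not
 * shared.
 */
@Scope("prototype")
@Controller("redbackSecureActionInterceptor")
/* loaded from: input_file:WEB-INF/lib/redback-struts2-integration-1.4.jar:org/codehaus/plexus/redback/struts2/interceptor/SecureActionInterceptor.class */
public class SecureActionInterceptor extends AbstractHttpRequestTrackerInterceptor {
    /** Struts result name returned when the caller is authenticated but not authorized. */
    private static final String REQUIRES_AUTHORIZATION = "requires-authorization";
    /** Struts result name returned when the caller must (re-)authenticate first. */
    private static final String REQUIRES_AUTHENTICATION = "requires-authentication";
    private static final String HTTP_HEADER_REFERER = "Referer";

    @Inject
    private SecuritySystem securitySystem;
    /** Name of the request tracker used by the parent class; defaults to "simple". */
    private String trackerName = "simple";
    /** Configuration string; any value other than (case-insensitive) "true" disables the check. */
    private String enableReferrerCheck;

    @Override // com.opensymphony.xwork2.interceptor.AbstractInterceptor, com.opensymphony.xwork2.interceptor.Interceptor
    public void destroy() {
        // nothing to release: all collaborators are container-managed
    }

    /**
     * Applies the referrer check and the action's security bundle, then either invokes the action
     * or returns one of the {@code requires-*} results.
     *
     * @param actionInvocation the invocation to guard
     * @return the action result, or {@code requires-authentication} / {@code requires-authorization}
     * @throws Exception propagated from {@link ActionInvocation#invoke()}; a failed referrer check
     *         surfaces as a {@link RuntimeException}
     */
    @Override // com.opensymphony.xwork2.interceptor.AbstractInterceptor, com.opensymphony.xwork2.interceptor.Interceptor
    public String intercept(ActionInvocation actionInvocation) throws Exception {
        ActionContext context = ActionContext.getContext();
        Action action = (Action) context.getActionInvocation().getAction();
        String actionName = action.getClass().getName();
        this.logger.debug("SecureActionInterceptor: processing {}", actionName);

        // The flag is configured as a String; parseBoolean treats null/garbage as "disabled".
        if (Boolean.parseBoolean(this.enableReferrerCheck)) {
            this.logger.debug("Referrer security check enabled.");
            executeReferrerSecurityCheck();
        }

        try {
            if (action instanceof SecureAction) {
                SecureAction secureAction = (SecureAction) action;
                SecureActionBundle bundle = secureAction.getSecureActionBundle();
                if (bundle == null) {
                    // Fail-open: kept for compatibility, but name the action so it can be traced.
                    this.logger.error("Null bundle detected for {}, invoking without security checks.", actionName);
                    return actionInvocation.invoke();
                }
                if (bundle == SecureActionBundle.OPEN) {
                    this.logger.debug("Bundle.OPEN detected.");
                    return actionInvocation.invoke();
                }

                SecuritySession securitySession =
                    (SecuritySession) context.getSession().get(SecuritySystemConstants.SECURITY_SESSION_KEY);
                boolean authenticated = securitySession != null && securitySession.isAuthenticated();
                if (bundle.requiresAuthentication() && !authenticated) {
                    this.logger.debug("not authenticated, need to authenticate for this action");
                    return processRequiresAuthentication(actionInvocation);
                }

                List<SecureActionBundle.AuthorizationTuple> tuples = bundle.getAuthorizationTuples();
                if (tuples != null && !tuples.isEmpty()) {
                    if (securitySession == null) {
                        // Authorization needs a session even when authentication is not required.
                        this.logger.debug("session required for authorization to run");
                        return processRequiresAuthentication(actionInvocation);
                    }
                    if (isAuthorizedByAny(securitySession, tuples, secureAction)) {
                        return actionInvocation.invoke();
                    }
                    return processRequiresAuthorization(actionInvocation);
                }
                // A secure action with neither authentication nor authorization requirements.
            } else {
                this.logger.debug("SecureActionInterceptor: {} not a secure action", actionName);
            }

            this.logger.debug("no further security constraints for {}", actionName);
            String result = actionInvocation.invoke();
            this.logger.debug("Passing invocation up, result is [{}] on call {}", result,
                actionInvocation.getAction().getClass().getName());
            return result;
        } catch (SecureActionException e) {
            // Log the cause, not only its message, so the bundle failure is diagnosable.
            this.logger.error("can't generate the SecureActionBundle, deny access: " + e.getMessage(), e);
            return processRequiresAuthentication(actionInvocation);
        }
    }

    /**
     * Returns {@code true} as soon as one tuple authorizes the session; tuples are OR-ed.
     *
     * @param securitySession the (non-null) session to authorize
     * @param tuples non-empty list of operation/resource pairs from the bundle
     * @param secureAction the action, used only for the debug log
     */
    private boolean isAuthorizedByAny(SecuritySession securitySession,
                                      List<SecureActionBundle.AuthorizationTuple> tuples,
                                      SecureAction secureAction) {
        for (SecureActionBundle.AuthorizationTuple tuple : tuples) {
            this.logger.debug("checking authz for {}", tuple.toString());
            AuthorizationResult result =
                this.securitySystem.authorize(securitySession, tuple.getOperation(), tuple.getResource());
            this.logger.debug("checking the interceptor authz {} for {}", result.isAuthorized(), tuple.toString());
            if (result.isAuthorized()) {
                if (this.logger.isDebugEnabled()) {
                    // One argument per placeholder; a single List argument would fill only the first {}.
                    this.logger.debug("{} is authorized for action {} by {}", new Object[] {
                        securitySession.getUser().getPrincipal(), secureAction.getClass().getName(), tuple.toString()
                    });
                }
                return true;
            }
        }
        return false;
    }

    /**
     * Verifies that the HTTP {@code Referer} header points at a path this web application can
     * map to a real file-system path.
     *
     * <p>Behaviour as implemented: the header is split on {@code /} into at most three parts
     * (presumably to drop scheme and host of an absolute URL), the last part is looked up with
     * {@code ServletContext.getRealPath}, and the result must end with that part. The check is
     * skipped, not failed, when the header is absent or {@code getRealPath} returns nothing
     * (e.g. an unexploded deployment). NOTE(review): the comparison never involves the request's
     * own host, so confirm it actually rejects cross-origin referrers in your container before
     * relying on it as a CSRF mitigation.
     *
     * @throws RuntimeException when the referred path cannot be found on this server
     */
    private void executeReferrerSecurityCheck() {
        String header = ServletActionContext.getRequest().getHeader(HTTP_HEADER_REFERER);
        this.logger.debug("HTTP Referer header: {}", header);
        String[] parts = StringUtils.splitPreserveAllTokens(header, "/", 3);
        if (parts == null) {
            // splitPreserveAllTokens returns null only for a null input: no header, no check.
            this.logger.warn("HTTP Referer header is null.");
            return;
        }
        String virtualPath = parts.length < 3 ? header : parts[parts.length - 1];
        this.logger.debug("Calculated virtual path: {}", virtualPath);

        String realPath = ServletActionContext.getServletContext().getRealPath(virtualPath);
        if (StringUtils.isEmpty(realPath)) {
            // Container could not map the path; the original code passes silently here.
            return;
        }
        if (SystemUtils.IS_OS_WINDOWS) {
            // Normalise separators so the suffix comparison below works on Windows paths.
            realPath = StringUtils.replace(realPath, "\\", "/");
        }
        if (realPath.endsWith(virtualPath)) {
            this.logger.debug("HTTP Referer header path found in server.");
            return;
        }
        String message = "Failed referrer security check: Request did not come from the same server. Detected HTTP Referer header is '"
            + header + "'.";
        this.logger.error(message);
        throw new RuntimeException(message);
    }

    /**
     * Records the invocation for back-tracking and returns the authorization-required result.
     *
     * @param actionInvocation the denied invocation
     * @return {@code requires-authorization}
     */
    protected String processRequiresAuthorization(ActionInvocation actionInvocation) {
        addActionInvocation(actionInvocation).setBackTrack();
        return REQUIRES_AUTHORIZATION;
    }

    /**
     * Drops any existing security session from the HTTP session, records the invocation for
     * back-tracking and returns the authentication-required result.
     *
     * @param actionInvocation the denied invocation
     * @return {@code requires-authentication}
     */
    protected String processRequiresAuthentication(ActionInvocation actionInvocation) {
        HttpSession session = ServletActionContext.getRequest().getSession();
        if (session != null) {
            // Force re-authentication rather than leaving a stale/unauthenticated session behind.
            session.removeAttribute(SecuritySystemConstants.SECURITY_SESSION_KEY);
        }
        addActionInvocation(actionInvocation).setBackTrack();
        return REQUIRES_AUTHENTICATION;
    }

    /** @return the security system used for authorization decisions */
    public SecuritySystem getSecuritySystem() {
        return this.securitySystem;
    }

    /** @param securitySystem the security system used for authorization decisions */
    public void setSecuritySystem(SecuritySystem securitySystem) {
        this.securitySystem = securitySystem;
    }

    @Override // org.codehaus.plexus.redback.struts2.interceptor.AbstractHttpRequestTrackerInterceptor
    protected String getTrackerName() {
        return this.trackerName;
    }

    /** @return the raw configuration value; only {@code "true"} (case-insensitive) enables the check */
    public String getEnableReferrerCheck() {
        return this.enableReferrerCheck;
    }

    /** @param str {@code "true"} to enable the referrer check; anything else disables it */
    public void setEnableReferrerCheck(String str) {
        this.enableReferrerCheck = str;
    }

    /** @param str name of the request tracker to use; see the parent class */
    public void setTrackerName(String str) {
        this.trackerName = str;
    }
}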
