package org.directwebremoting.impl;

import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import org.directwebremoting.WebContextFactory;
import org.directwebremoting.extend.AccessControl;
import org.directwebremoting.extend.AccessDeniedException;
import org.directwebremoting.extend.MethodDeclaration;

/* loaded from: input_file:WEB-INF/lib/dwr-3.0.2-RELEASE.jar:org/directwebremoting/impl/DefaultAccessControl.class */
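/**
 * Default {@link AccessControl} implementation.
 *
 * <p>Three independent checks are applied, each throwing a {@link SecurityException}
 * (or a subclass) on failure:
 * <ul>
 *   <li>include/exclude rules per script ({@link #policyMap});</li>
 *   <li>required roles per "script.method" ({@link #roleRestrictMap}), which also
 *       require a valid session and a container-authenticated remote user;</li>
 *   <li>a refusal to remote DWR-internal classes and parameter types unless
 *       {@link #exposeInternals} is set.</li>
 * </ul>
 * Note that role restrictions are evaluated only by the {@code String}-keyed
 * {@link #assertGeneralExecutionIsPossible} path; the {@code Class}/{@code Method}
 * path checks visibility and the internal-package rule only.
 */
public class DefaultAccessControl implements AccessControl {
    /** When true the DWR-internal package checks are skipped entirely. */
    protected boolean exposeInternals = false;
    /** Include/exclude policy per script name; absence means "allowed". */
    protected Map<String, Policy> policyMap = new HashMap<String, Policy>();
    /** Required roles keyed by {@code scriptName + '.' + methodName}. */
    protected Map<String, Set<String>> roleRestrictMap = new HashMap<String, Set<String>>();
    /** Class-name prefix that is denied unless an allow prefix below matches. */
    protected static final String PACKAGE_DWR_DENY = "org.directwebremoting.";
    /** Allowed sub-package for remoted (created) classes. */
    protected static final String PACKAGE_ALLOW_CREATE = "org.directwebremoting.export.";
    /** Allowed sub-package for parameter (converted) types. */
    protected static final String PACKAGE_ALLOW_CONVERT = "org.directwebremoting.io.";

    /**
     * The rule set for one script. A policy is either an exclude list
     * ({@code defaultAllow == true}: listed methods are denied) or an include list
     * ({@code defaultAllow == false}: only listed methods are allowed); the two
     * cannot be mixed, see {@link #addIncludeRule} / {@link #addExcludeRule}.
     */
    // Decompiler note: the original declaration was package-private; kept public here as emitted.
    public static class Policy {
        /** True for an exclude list, false for an include list. */
        boolean defaultAllow = true;
        /** Method names this policy lists. */
        List<String> rules = new ArrayList<String>();

        Policy() {
        }
    }

    /**
     * Checks role restrictions for {@code str.methodName} and then the displayability
     * rules (include/exclude policy and internal parameter types).
     *
     * @param str the script name
     * @param methodDeclaration the method being invoked
     * @throws SecurityException if any check fails (LoginRequiredException /
     *         AccessDeniedException for the role checks)
     */
    @Override // org.directwebremoting.extend.AccessControl
    public void assertGeneralExecutionIsPossible(String str, MethodDeclaration methodDeclaration) throws SecurityException {
        assertRoleRestriction(str, methodDeclaration.getName());
        assertGeneralDisplayable(str, methodDeclaration);
    }

    /**
     * Checks that a concrete method may be executed. This path does not consult
     * the role restriction map; it only delegates to {@link #assertMethodDisplayable}.
     *
     * @param cls the class declaring the method
     * @param method the method being invoked
     * @throws SecurityException if the method is not public, is inherited from
     *         {@code java.lang.Object}, or belongs to a DWR-internal class
     */
    @Override // org.directwebremoting.extend.AccessControl
    public void assertMethodExecutionIsPossible(Class<?> cls, Method method) throws SecurityException {
        assertMethodDisplayable(cls, method);
    }

    /**
     * Checks the include/exclude policy and, unless {@link #exposeInternals} is set,
     * that no parameter type is DWR-internal.
     *
     * @param str the script name
     * @param methodDeclaration the method being described
     * @throws SecurityException if denied by dwr.xml rules or by parameter types
     */
    @Override // org.directwebremoting.extend.AccessControl
    public void assertGeneralDisplayable(String str, MethodDeclaration methodDeclaration) throws SecurityException {
        assertIsExecutable(str, methodDeclaration.getName());
        if (this.exposeInternals) {
            return;
        }
        assertParametersNotDwrInternal(methodDeclaration);
    }

    /**
     * Checks that the method is public, is not a {@code java.lang.Object} method and,
     * unless {@link #exposeInternals} is set, that its class is not DWR-internal.
     *
     * @param cls the class declaring the method
     * @param method the method being described
     * @throws SecurityException if any of the checks fails
     */
    @Override // org.directwebremoting.extend.AccessControl
    public void assertMethodDisplayable(Class<?> cls, Method method) throws SecurityException {
        assertIsMethodPublic(method);
        assertIsNotOnBaseObject(method);
        if (this.exposeInternals) {
            return;
        }
        assertClassNotDwrInternal(cls);
    }

    /**
     * Adds a role that may call {@code str.str2}. Several calls for the same method
     * accumulate; any one of the roles is sufficient (see {@link #assertAllowedByRoles}).
     *
     * @param str the script name
     * @param str2 the method name
     * @param str3 the role name; {@code "*"} matches any authenticated user
     */
    @Override // org.directwebremoting.extend.AccessControl
    public void addRoleRestriction(String str, String str2, String str3) {
        String key = str + '.' + str2;
        Set<String> roles = this.roleRestrictMap.get(key);
        if (roles == null) {
            roles = new HashSet<String>();
            this.roleRestrictMap.put(key, roles);
        }
        roles.add(str3);
    }

    /**
     * Adds an include rule: after the first include, only listed methods of
     * {@code str} are allowed.
     *
     * @param str the script name
     * @param str2 the method name to allow
     * @throws IllegalArgumentException if the script already has exclude rules
     */
    @Override // org.directwebremoting.extend.AccessControl
    public void addIncludeRule(String str, String str2) {
        Policy policy = getPolicy(str);
        if (policy.defaultAllow) {
            // Still an exclude-style policy: only switch mode while it is empty.
            if (!policy.rules.isEmpty()) {
                throw new IllegalArgumentException("The module '" + str + "' uses mixed include and exclude statements");
            }
            policy.defaultAllow = false;
        }
        policy.rules.add(str2);
    }

    /**
     * Adds an exclude rule: listed methods of {@code str} are denied, others allowed.
     *
     * @param str the script name
     * @param str2 the method name to deny
     * @throws IllegalArgumentException if the script already has include rules
     */
    @Override // org.directwebremoting.extend.AccessControl
    public void addExcludeRule(String str, String str2) {
        Policy policy = getPolicy(str);
        if (!policy.defaultAllow) {
            // Still an include-style policy: only switch mode while it is empty.
            if (!policy.rules.isEmpty()) {
                throw new IllegalArgumentException("The module '" + str + "' uses mixed include and exclude statements");
            }
            policy.defaultAllow = true;
        }
        policy.rules.add(str2);
    }

    /**
     * If {@code str.str2} has role restrictions, requires an authenticated request
     * that holds at least one of them. Methods without restrictions pass unchecked.
     *
     * @param str the script name
     * @param str2 the method name
     * @throws SecurityException LoginRequiredException when unauthenticated,
     *         AccessDeniedException when no role matches
     */
    protected void assertRoleRestriction(String str, String str2) {
        Set<String> roleRestrictions = getRoleRestrictions(str, str2);
        if (roleRestrictions == null || roleRestrictions.isEmpty()) {
            return;
        }
        HttpServletRequest httpServletRequest = WebContextFactory.get().getHttpServletRequest();
        assertAuthenticationIsValid(httpServletRequest);
        assertAllowedByRoles(httpServletRequest, roleRestrictions);
    }

    /**
     * Looks up the roles registered for {@code str.str2}.
     *
     * @return the role set, or {@code null} if none was registered
     */
    protected Set<String> getRoleRestrictions(String str, String str2) {
        return this.roleRestrictMap.get(str + '.' + str2);
    }

    /**
     * Requires a valid requested session id and a container-authenticated user
     * ({@link HttpServletRequest#getRemoteUser()} non-null).
     *
     * @throws SecurityException LoginRequiredException on either failure
     */
    protected static void assertAuthenticationIsValid(HttpServletRequest httpServletRequest) throws SecurityException {
        // NOTE(review): getSession() is called before the validity check, presumably so
        // a session exists for the container to compare against — confirm the intent.
        httpServletRequest.getSession();
        if (!httpServletRequest.isRequestedSessionIdValid()) {
            throw new LoginRequiredException("Session timed out, or invalid");
        }
        if (httpServletRequest.getRemoteUser() == null) {
            throw new LoginRequiredException("No valid authentication details");
        }
    }

    /**
     * Passes if the user is in any one of the given roles; the pseudo-role
     * {@code "*"} passes for every (already authenticated) user.
     *
     * @throws SecurityException AccessDeniedException when no role matches
     */
    protected static void assertAllowedByRoles(HttpServletRequest httpServletRequest, Set<String> set) throws SecurityException {
        for (String role : set) {
            if ("*".equals(role) || httpServletRequest.isUserInRole(role)) {
                return;
            }
        }
        throw new AccessDeniedException("User is not in role for this method.");
    }

    /**
     * Rejects methods that are not declared {@code public}.
     *
     * @throws SecurityException if the method is not public
     */
    protected static void assertIsMethodPublic(Method method) {
        if (!Modifier.isPublic(method.getModifiers())) {
            throw new SecurityException("The method is not declared public");
        }
    }

    /**
     * Rejects methods whose name and parameter types match a public method of
     * {@code java.lang.Object} (e.g. {@code hashCode}, {@code wait}), so that
     * these cannot be invoked remotely.
     *
     * @throws SecurityException if such an Object method exists
     */
    protected static void assertIsNotOnBaseObject(Method method) {
        Method onObject;
        try {
            onObject = Object.class.getMethod(method.getName(), method.getParameterTypes());
        } catch (NoSuchMethodException ignored) {
            // No such public method on Object: the method is not a base-object method.
            return;
        }
        throw new SecurityException("Methods defined in java.lang.Object are not accessible (" + onObject.getName() + ").");
    }

    /**
     * Applies the include/exclude policy of script {@code str} to method {@code str2}.
     * A script without a policy allows everything.
     *
     * @throws SecurityException if the method is denied by the policy
     */
    protected void assertIsExecutable(String str, String str2) throws SecurityException {
        Policy policy = this.policyMap.get(str);
        if (policy == null) {
            return;
        }
        boolean listed = policy.rules.contains(str2);
        // Exclude policy (defaultAllow) denies a listed method; include policy denies an unlisted one.
        if (policy.defaultAllow == listed) {
            throw new SecurityException("Method access is denied by rules in dwr.xml");
        }
    }

    /**
     * Rejects methods taking a parameter whose type lives under
     * {@link #PACKAGE_DWR_DENY} but not under {@link #PACKAGE_ALLOW_CONVERT}.
     *
     * @throws SecurityException if such a parameter type is found
     */
    protected static void assertParametersNotDwrInternal(MethodDeclaration methodDeclaration) {
        // Fetch once rather than on every loop iteration.
        Class<?>[] parameterTypes = methodDeclaration.getParameterTypes();
        for (Class<?> cls : parameterTypes) {
            String name = cls.getName();
            if (name.startsWith(PACKAGE_DWR_DENY) && !name.startsWith(PACKAGE_ALLOW_CONVERT)) {
                throw new SecurityException("Methods containing parameters defined by DWR can not be remoted");
            }
        }
    }

    /**
     * Rejects classes under {@link #PACKAGE_DWR_DENY} that are not under
     * {@link #PACKAGE_ALLOW_CREATE}.
     *
     * @throws SecurityException if the class is DWR-internal
     */
    protected static void assertClassNotDwrInternal(Class<?> cls) {
        String name = cls.getName();
        if (name.startsWith(PACKAGE_DWR_DENY) && !name.startsWith(PACKAGE_ALLOW_CREATE)) {
            throw new SecurityException("Methods defined by DWR can not be remoted");
        }
    }

    /**
     * Returns the policy for {@code str}, creating an empty (exclude-style) one on
     * first use.
     */
    protected Policy getPolicy(String str) {
        Policy policy = this.policyMap.get(str);
        if (policy == null) {
            policy = new Policy();
            this.policyMap.put(str, policy);
        }
        return policy;
    }

    /**
     * Enables or disables remoting of DWR-internal classes and parameter types.
     *
     * @param z true to skip the internal-package checks
     */
    public void setExposeInternals(boolean z) {
        this.exposeInternals = z;
    }
}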
