package edu.internet2.middleware.grouper.ws;

import edu.internet2.middleware.grouper.Group;
import edu.internet2.middleware.grouper.GroupFinder;
import edu.internet2.middleware.grouper.GroupSave;
import edu.internet2.middleware.grouper.GrouperSession;
import edu.internet2.middleware.grouper.MemberFinder;
import edu.internet2.middleware.grouper.SubjectFinder;
import edu.internet2.middleware.grouper.audit.GrouperEngineBuiltin;
import edu.internet2.middleware.grouper.authentication.GrouperOidc;
import edu.internet2.middleware.grouper.authentication.GrouperPassword;
import edu.internet2.middleware.grouper.authentication.GrouperPublicPrivateKeyJwt;
import edu.internet2.middleware.grouper.authentication.GrouperTrustedJwt;
import edu.internet2.middleware.grouper.cache.GrouperCache;
import edu.internet2.middleware.grouper.cfg.GrouperHibernateConfig;
import edu.internet2.middleware.grouper.exception.GroupNotFoundException;
import edu.internet2.middleware.grouper.exception.GrouperSessionException;
import edu.internet2.middleware.grouper.exception.SessionException;
import edu.internet2.middleware.grouper.hibernate.GrouperContext;
import edu.internet2.middleware.grouper.hooks.beans.GrouperContextTypeBuiltIn;
import edu.internet2.middleware.grouper.hooks.beans.HooksContext;
import edu.internet2.middleware.grouper.instrumentation.InstrumentationThread;
import edu.internet2.middleware.grouper.j2ee.Authentication;
import edu.internet2.middleware.grouper.j2ee.ServletRequestUtils;
import edu.internet2.middleware.grouper.misc.GrouperSessionHandler;
import edu.internet2.middleware.grouper.misc.GrouperStartup;
import edu.internet2.middleware.grouper.privs.PrivilegeHelper;
import edu.internet2.middleware.grouper.util.GrouperUtil;
import edu.internet2.middleware.grouper.ws.coresoap.WsSubjectLookup;
import edu.internet2.middleware.grouper.ws.exceptions.GrouperWsException;
import edu.internet2.middleware.grouper.ws.exceptions.WsInvalidQueryException;
import edu.internet2.middleware.grouper.ws.security.WsCustomAuthentication;
import edu.internet2.middleware.grouper.ws.security.WsGrouperDefaultAuthentication;
import edu.internet2.middleware.grouper.ws.util.GrouperWsLog;
import edu.internet2.middleware.grouper.ws.util.GrouperWsLongRunningLog;
import edu.internet2.middleware.grouperClient.collections.MultiKey;
import edu.internet2.middleware.subject.Subject;
import edu.internet2.middleware.subject.SubjectNotFoundException;
import java.io.IOException;
import java.security.Principal;
import java.text.SimpleDateFormat;
import java.util.Date;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;
import java.util.Vector;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.axis2.context.MessageContext;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.lang.exception.ExceptionUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.log4j.NDC;
import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.handler.WSHandlerResult;

/* loaded from: input_file:edu/internet2/middleware/grouper/ws/GrouperServiceJ2ee.class */
public class GrouperServiceJ2ee implements Filter {
    private static final long serialVersionUID = 1;
    private static final Log LOG = LogFactory.getLog(GrouperServiceJ2ee.class);
    private static GrouperCache<MultiKey, Boolean> actAsCache = null;
    private static GrouperCache<MultiKey, Boolean> grouperActAsCache = null;
    private static GrouperCache<MultiKey, Boolean> subjectAllowedCache = null;
    private static ThreadLocal<HttpServlet> threadLocalServlet = new ThreadLocal<>();
    private static ThreadLocal<HttpServletRequest> threadLocalRequest = new ThreadLocal<>();
    private static ThreadLocal<Long> threadLocalRequestStartMillis = new ThreadLocal<>();
    private static ThreadLocal<HttpServletResponse> threadLocalResponse = new ThreadLocal<>();
    private static SimpleDateFormat timeFormat = new SimpleDateFormat("HH:mm:ss.SSS");
    private static boolean inittedOnce = false;

    public static long retrieveRequestStartMillis() {
        return GrouperUtil.longValue(threadLocalRequestStartMillis.get(), 0L);
    }

    public static String parameterValue(Map<String, String[]> map, HttpServletRequest httpServletRequest, String str) {
        if (httpServletRequest == null) {
            if (map == null || map.isEmpty() || !map.containsKey(str)) {
                return null;
            }
            return map.get(str)[0];
        }
        String[] parameterValues = httpServletRequest.getParameterValues(str);
        if (parameterValues == null || parameterValues.length == 0) {
            return null;
        }
        if (parameterValues.length > 1) {
            throw new RuntimeException("Multiple request parameter values where detected for key: " + str + ", when only one is expected: " + GrouperUtil.toStringForLog(parameterValues));
        }
        return parameterValues[0];
    }

    public static String retrieveUserPrincipalNameFromRequest() {
        String name;
        HttpServletRequest retrieveHttpServletRequest = retrieveHttpServletRequest();
        GrouperUtil.assertion(retrieveHttpServletRequest != null, "HttpServletRequest is null, is the GrouperServiceServlet mapped in the web.xml?");
        Principal userPrincipal = retrieveHttpServletRequest.getUserPrincipal();
        if (userPrincipal == null) {
            name = retrieveHttpServletRequest.getRemoteUser();
            if (StringUtils.isBlank(name)) {
                name = (String) retrieveHttpServletRequest.getAttribute("REMOTE_USER");
            }
        } else {
            name = userPrincipal.getName();
        }
        GrouperUtil.assertion(StringUtils.isNotBlank(name), "There is no user logged in, make sure the container requires authentication");
        return name;
    }

    public static Subject retrieveSubjectLoggedIn() {
        String trimToNull;
        Map<String, Object> retrieveDebugMap = retrieveDebugMap();
        String propertyString = GrouperWsConfig.getPropertyString(GrouperWsConfig.WS_SECURITY_NON_RAMPART_AUTHENTICATION_CLASS, WsGrouperDefaultAuthentication.class.getName());
        String str = (String) retrieveHttpServletRequest().getAttribute("REMOTE_USER");
        if (StringUtils.isBlank(str)) {
            if (wssecServlet()) {
                Vector vector = (Vector) MessageContext.getCurrentMessageContext().getProperty("RECV_RESULTS");
                if (vector == null) {
                    throw new RuntimeException("No Rampart security results!");
                }
                LOG.debug("Number of rampart results: " + vector.size());
                int i = 0;
                loop0: while (true) {
                    if (i >= vector.size()) {
                        break;
                    }
                    Vector results = ((WSHandlerResult) vector.get(i)).getResults();
                    for (int i2 = 0; i2 < results.size(); i2++) {
                        WSSecurityEngineResult wSSecurityEngineResult = (WSSecurityEngineResult) results.get(i2);
                        if (wSSecurityEngineResult.getAction() == 1 && wSSecurityEngineResult.getPrincipal() != null) {
                            str = wSSecurityEngineResult.getPrincipal().getName();
                            break loop0;
                        }
                    }
                    i++;
                }
                GrouperUtil.assertion(StringUtils.isNotBlank(str), "There is no Rampart user logged in, make sure the container requires authentication");
            } else {
                str = ((WsCustomAuthentication) GrouperUtil.newInstance(GrouperUtil.forName(propertyString))).retrieveLoggedInSubjectId(retrieveHttpServletRequest());
            }
        }
        if (StringUtils.isBlank(str)) {
            throw new WsInvalidQueryException("No user is logged in");
        }
        if (StringUtils.contains(str, GrouperWsConfig.WS_SEPARATOR)) {
            String[] splitTrim = GrouperUtil.splitTrim(str, GrouperWsConfig.WS_SEPARATOR);
            trimToNull = splitTrim[0];
            str = splitTrim[1];
        } else {
            trimToNull = StringUtils.trimToNull(GrouperWsConfig.retrieveConfig().propertyValueString(GrouperWsConfig.WS_LOGGED_IN_SUBJECT_DEFAULT_SOURCE));
        }
        String propertyString2 = GrouperWsConfig.getPropertyString("ws.security.prependToUserIdForSubjectLookup");
        if (!StringUtils.isBlank(propertyString2)) {
            str = propertyString2 + str;
        }
        if (NDC.getDepth() == 0) {
            StringBuilder sb = new StringBuilder("< ");
            if (!StringUtils.isBlank(trimToNull)) {
                sb.append(trimToNull).append(" - ");
            }
            sb.append(str).append(" - ");
            HttpServletRequest retrieveHttpServletRequest = retrieveHttpServletRequest();
            if (retrieveHttpServletRequest != null) {
                sb.append(retrieveHttpServletRequest.getRemoteAddr());
            }
            sb.append(" >");
            NDC.push(sb.toString());
        }
        retrieveDebugMap.put("userIdLoggedIn", str);
        GrouperSession startRootSession = GrouperSession.startRootSession(false);
        try {
            final String str2 = trimToNull;
            final String str3 = str;
            Subject subject = (Subject) GrouperSession.callbackGrouperSession(startRootSession, new GrouperSessionHandler() { // from class: edu.internet2.middleware.grouper.ws.GrouperServiceJ2ee.1
                public Object callback(GrouperSession grouperSession) throws GrouperSessionException {
                    try {
                        if (str2 == null) {
                            return SubjectFinder.findByIdOrIdentifier(str3, true);
                        }
                        for (String str4 : GrouperUtil.splitTrim(str2, ",")) {
                            Subject findByIdOrIdentifierAndSource = SubjectFinder.findByIdOrIdentifierAndSource(str3, str4, false);
                            if (findByIdOrIdentifierAndSource != null) {
                                return findByIdOrIdentifierAndSource;
                            }
                        }
                        throw new SubjectNotFoundException("Unable to find subject in source type(s): " + str2);
                    } catch (Exception e) {
                        throw new RuntimeException("Cant find subject from login id: " + str3, e);
                    }
                }
            });
            if (subject != null) {
                retrieveDebugMap.put("userIdLoggedInSource", subject.getSourceId());
                if (!StringUtils.equals(subject.getId(), (String) retrieveDebugMap.get("userIdLoggedIn"))) {
                    retrieveDebugMap.put("userIdLoggedInSubjectId", subject.getId());
                }
            }
            Subject retrieveSubjectGrouperActAsHelper = retrieveSubjectGrouperActAsHelper(subject);
            if (retrieveSubjectGrouperActAsHelper != null && subject != null && !StringUtils.equals(retrieveSubjectGrouperActAsHelper.getId(), subject.getId())) {
                retrieveDebugMap.put("userIdActAsSource", retrieveSubjectGrouperActAsHelper.getSourceId());
                retrieveDebugMap.put("userIdActAsSubjectId", retrieveSubjectGrouperActAsHelper.getId());
            }
            GrouperContext.retrieveDefaultContext().setLoggedInMemberId(MemberFinder.findBySubject(startRootSession, retrieveSubjectGrouperActAsHelper, true).getUuid());
            GrouperSession.stopQuietly(startRootSession);
            return retrieveSubjectGrouperActAsHelper;
        } catch (Throwable th) {
            GrouperSession.stopQuietly(startRootSession);
            throw th;
        }
    }

    private static Subject retrieveSubjectGrouperActAsHelper(final Subject subject) {
        Subject findByIdentifierAndSource;
        String propertyValueString = GrouperWsConfig.retrieveConfig().propertyValueString("ws.grouper.act.as.group");
        if (StringUtils.isBlank(propertyValueString) || subject == null) {
            LOG.debug("No grouperActAs configured");
            return subject;
        }
        HttpServletRequest retrieveHttpServletRequest = retrieveHttpServletRequest();
        String header = retrieveHttpServletRequest.getHeader("X-Grouper-actAsSubjectId");
        String header2 = retrieveHttpServletRequest.getHeader("X-Grouper-actAsSubjectIdentifier");
        String header3 = retrieveHttpServletRequest.getHeader("X-Grouper-actAsSourceId");
        if (StringUtils.isBlank(header3)) {
            if (StringUtils.isBlank(header) && StringUtils.isBlank(header2)) {
                return subject;
            }
            throw new RuntimeException("If X-Grouper-actAsSubjectId or X-Grouper-actAsSubjectIdentifier is set, then you must have a X-Grouper-actAsSourceId!");
        }
        if (!StringUtils.isBlank(header) && !StringUtils.isBlank(header2)) {
            throw new RuntimeException("You can only have one of X-Grouper-actAsSubjectId or X-Grouper-actAsSubjectIdentifier set!");
        }
        if (StringUtils.isBlank(header) && StringUtils.isBlank(header2)) {
            throw new RuntimeException("You must have one of X-Grouper-actAsSubjectId or X-Grouper-actAsSubjectIdentifier set if X-Grouper-actAsSourceId is set!");
        }
        try {
            String str = new String(new Base64().decode(header3.getBytes("UTF-8")), "UTF-8");
            if (!StringUtils.isBlank(header)) {
                header = new String(new Base64().decode(header.getBytes("UTF-8")), "UTF-8");
            } else if (!StringUtils.isBlank(header2)) {
                header2 = new String(new Base64().decode(header2.getBytes("UTF-8")), "UTF-8");
            }
            try {
                try {
                    GrouperSession start = GrouperSession.start(SubjectFinder.findRootSubject());
                    if (!StringUtils.isBlank(header)) {
                        findByIdentifierAndSource = SubjectFinder.findByIdAndSource(header, str, true);
                    } else {
                        if (StringUtils.isBlank(header2)) {
                            throw new RuntimeException("Why am I here?");
                        }
                        findByIdentifierAndSource = SubjectFinder.findByIdentifierAndSource(header2, str, true);
                    }
                    final Subject subject2 = findByIdentifierAndSource;
                    final MultiKey multiKey = new MultiKey(subject.getId(), subject.getSource().getId(), findByIdentifierAndSource.getId(), findByIdentifierAndSource.getSource().getId());
                    Boolean bool = actAsCacheMinutes() > 0 ? (Boolean) grouperActAsCache().get(multiKey) : false;
                    if (bool != null && Boolean.TRUE.equals(bool)) {
                        LOG.debug("grouperActAs retrieved from cache");
                        Subject subject3 = findByIdentifierAndSource;
                        GrouperSession.stopQuietly(start);
                        return subject3;
                    }
                    Subject subject4 = (Subject) GrouperSession.callbackGrouperSession(start, new GrouperSessionHandler() { // from class: edu.internet2.middleware.grouper.ws.GrouperServiceJ2ee.2
                        public Object callback(GrouperSession grouperSession) throws GrouperSessionException {
                            if (!PrivilegeHelper.isWheelOrRoot(subject)) {
                                return null;
                            }
                            GrouperServiceJ2ee.access$000().put(multiKey, Boolean.TRUE);
                            if (GrouperServiceJ2ee.LOG.isDebugEnabled()) {
                                GrouperServiceJ2ee.LOG.debug("grouperActAs allowed since logged in user is wheel or root: " + GrouperUtil.subjectToString(subject));
                            }
                            return subject2;
                        }
                    });
                    if (subject4 != null) {
                        GrouperSession.stopQuietly(start);
                        return subject4;
                    }
                    int i = 0;
                    for (String str2 : GrouperUtil.splitTrim(propertyValueString, ",")) {
                        try {
                            if (StringUtils.contains(str2, GrouperWsConfig.WS_SEPARATOR)) {
                                String[] splitTrim = GrouperUtil.splitTrim(str2, GrouperWsConfig.WS_SEPARATOR);
                                String str3 = splitTrim[0];
                                String str4 = splitTrim[1];
                                Group findByName = GroupFinder.findByName(start, str3, true);
                                Group findByName2 = GroupFinder.findByName(start, str4, true);
                                if (findByName.hasMember(subject) && findByName2.hasMember(findByIdentifierAndSource)) {
                                    if (LOG.isDebugEnabled()) {
                                        LOG.debug("grouperActAs allowed since logged in user is in group: " + str3 + ", and act as user is in group: " + str4);
                                    }
                                    actAsCache().put(multiKey, Boolean.TRUE);
                                    Subject subject5 = findByIdentifierAndSource;
                                    GrouperSession.stopQuietly(start);
                                    return subject5;
                                }
                            } else if (GroupFinder.findByName(start, propertyValueString, true).hasMember(subject)) {
                                if (LOG.isDebugEnabled()) {
                                    LOG.debug("grouperActAs allowed since logged in user is in group: " + propertyValueString);
                                }
                                actAsCache().put(multiKey, Boolean.TRUE);
                                Subject subject6 = findByIdentifierAndSource;
                                GrouperSession.stopQuietly(start);
                                return subject6;
                            }
                            i++;
                        } catch (Exception e) {
                            LOG.error("Problem with groupEntry: " + str2 + ", loggedInUser: " + subject + ", actAsSubject: " + findByIdentifierAndSource, e);
                        }
                    }
                    if (i == 0) {
                        throw new RuntimeException("Problems seeing if web service user '" + subject + "' can actAs the other subject: '" + findByIdentifierAndSource + "'");
                    }
                    throw new RuntimeException("A web service is specifying an actAsUser, but the groups specified in ws.act.as.group in the grouper-ws.properties  does not have a valid rule for member: '" + subject + "', and actAs: '" + findByIdentifierAndSource + "'");
                } catch (SessionException e2) {
                    throw new RuntimeException((Throwable) e2);
                }
            } catch (Throwable th) {
                GrouperSession.stopQuietly((GrouperSession) null);
                throw th;
            }
        } catch (Exception e3) {
            throw new RuntimeException("Problem with: source: '" + header3 + "', id: '" + header + "', or identifier: '" + header2 + "'", e3);
        }
    }

    private static GrouperCache<MultiKey, Boolean> actAsCache() {
        if (actAsCache == null) {
            int actAsCacheMinutes = actAsCacheMinutes();
            synchronized (GrouperServiceJ2ee.class) {
                if (actAsCache == null) {
                    actAsCache = new GrouperCache<>(GrouperServiceJ2ee.class.getName() + "grouperWsActAsCache", 10000, false, 86400, actAsCacheMinutes * 60, false);
                }
            }
        }
        return actAsCache;
    }

    private static GrouperCache<MultiKey, Boolean> grouperActAsCache() {
        if (grouperActAsCache == null) {
            int actAsCacheMinutes = actAsCacheMinutes();
            synchronized (GrouperServiceJ2ee.class) {
                if (grouperActAsCache == null) {
                    grouperActAsCache = new GrouperCache<>(GrouperServiceJ2ee.class.getName() + "grouperGrouperWsActAsCache", 10000, false, 86400, actAsCacheMinutes * 60, false);
                }
            }
        }
        return grouperActAsCache;
    }

    private static int actAsCacheMinutes() {
        return GrouperWsConfig.retrieveConfig().propertyValueInt(GrouperWsConfig.WS_ACT_AS_CACHE_MINUTES, 5);
    }

    private static GrouperCache<MultiKey, Boolean> subjectAllowedCache() {
        if (subjectAllowedCache == null) {
            int propertyValueInt = GrouperWsConfig.retrieveConfig().propertyValueInt(GrouperWsConfig.WS_CLIENT_USER_GROUP_CACHE_MINUTES, 5);
            synchronized (GrouperServiceJ2ee.class) {
                if (subjectAllowedCache == null) {
                    subjectAllowedCache = new GrouperCache<>(GrouperServiceJ2ee.class.getName() + "grouperWsAllowedCache", 10000, false, 86400, propertyValueInt * 60, false);
                }
            }
        }
        return subjectAllowedCache;
    }

    public static Subject retrieveSubjectActAs(WsSubjectLookup wsSubjectLookup) throws WsInvalidQueryException {
        Subject retrieveSubjectActAsHelper = retrieveSubjectActAsHelper(wsSubjectLookup);
        HooksContext.assignSubjectActAs(retrieveSubjectActAsHelper);
        GrouperContext retrieveDefaultContext = GrouperContext.retrieveDefaultContext();
        GrouperSession staticGrouperSession = GrouperSession.staticGrouperSession(false);
        retrieveDefaultContext.setLoggedInMemberIdActAs(MemberFinder.findBySubject(staticGrouperSession == null ? GrouperSession.startRootSession(false) : staticGrouperSession.internal_getRootSession(), retrieveSubjectActAsHelper, true).getUuid());
        return retrieveSubjectActAsHelper;
    }

    private static Subject retrieveSubjectActAsHelper(WsSubjectLookup wsSubjectLookup) throws WsInvalidQueryException {
        final Subject retrieveSubjectLoggedIn = retrieveSubjectLoggedIn();
        HooksContext.assignSubjectLoggedIn(retrieveSubjectLoggedIn);
        final String propertyValueString = GrouperWsConfig.retrieveConfig().propertyValueString(GrouperWsConfig.WS_CLIENT_USER_GROUP_NAME);
        String id = retrieveSubjectLoggedIn.getId();
        if (!StringUtils.isBlank(propertyValueString)) {
            GrouperSession grouperSession = null;
            try {
                try {
                    final MultiKey multiKey = new MultiKey(id, retrieveSubjectLoggedIn.getSource().getId());
                    Boolean bool = (Boolean) subjectAllowedCache().get(multiKey);
                    if (bool == null) {
                        grouperSession = GrouperSession.startRootSession();
                        GrouperSession.internal_callbackRootGrouperSession(new GrouperSessionHandler() { // from class: edu.internet2.middleware.grouper.ws.GrouperServiceJ2ee.3
                            public Object callback(GrouperSession grouperSession2) throws GrouperSessionException {
                                Group save;
                                try {
                                    save = GroupFinder.findByName(grouperSession2, propertyValueString, true);
                                } catch (GroupNotFoundException e) {
                                    save = new GroupSave().assignName(propertyValueString).assignCreateParentStemsIfNotExist(true).save();
                                }
                                if (save.hasMember(retrieveSubjectLoggedIn)) {
                                    GrouperServiceJ2ee.access$200().put(multiKey, true);
                                    return null;
                                }
                                GrouperServiceJ2ee.access$200().put(multiKey, false);
                                throw new RuntimeException("User is not authorized: " + retrieveSubjectLoggedIn + ", " + save);
                            }
                        });
                    } else if (!bool.booleanValue()) {
                        throw new RuntimeException("User is not authorized: " + retrieveSubjectLoggedIn);
                    }
                } catch (Exception e) {
                    String str = "user: '" + id + "' is not a member of group: '" + propertyValueString + "', and therefore is not authorized to use the app (configured in local grouper-ws.properties ws.client.user.group.name";
                    if (e.getMessage().startsWith("User is not authorized: ")) {
                        LOG.error(str);
                        throw new GrouperWsException("User is not authorized", e).assignLogStack(false);
                    }
                    LOG.error(str, e);
                    throw new GrouperWsException("User is not authorized", e);
                }
            } finally {
                GrouperSession.stopQuietly((GrouperSession) null);
            }
        }
        if (wsSubjectLookup == null || wsSubjectLookup.blank()) {
            return retrieveSubjectLoggedIn;
        }
        GrouperSession startRootSession = GrouperSession.startRootSession();
        try {
            Subject retrieveSubject = wsSubjectLookup.retrieveSubject("actAsSubject");
            GrouperSession.stopQuietly(startRootSession);
            if (StringUtils.equals(id, retrieveSubject.getId()) && StringUtils.equals(retrieveSubjectLoggedIn.getSource().getId(), retrieveSubject.getSource().getId())) {
                return retrieveSubjectLoggedIn;
            }
            MultiKey multiKey2 = new MultiKey(id, retrieveSubjectLoggedIn.getSource().getId(), retrieveSubject.getId(), retrieveSubject.getSource().getId());
            if ((actAsCacheMinutes() > 0 ? (Boolean) actAsCache().get(multiKey2) : false) != null) {
                Boolean bool2 = Boolean.TRUE;
                if (bool2.equals(bool2)) {
                    return retrieveSubject;
                }
            }
            GrouperSession grouperSession2 = null;
            try {
                try {
                    grouperSession2 = GrouperSession.start(retrieveSubjectLoggedIn);
                    if (PrivilegeHelper.isRoot(grouperSession2)) {
                        actAsCache().put(multiKey2, Boolean.TRUE);
                        GrouperSession.stopQuietly(grouperSession2);
                        return retrieveSubject;
                    }
                    GrouperSession.stopQuietly(grouperSession2);
                    String propertyValueString2 = GrouperWsConfig.retrieveConfig().propertyValueString(GrouperWsConfig.WS_ACT_AS_GROUP);
                    if (StringUtils.isBlank(propertyValueString2)) {
                        throw new WsInvalidQueryException("A web service is specifying an actAsUser, but there is no 'ws.act.as.group' specified in the grouper-ws.properties");
                    }
                    try {
                        try {
                            GrouperSession start = GrouperSession.start(SubjectFinder.findRootSubject());
                            int i = 0;
                            for (String str2 : GrouperUtil.splitTrim(propertyValueString2, ",")) {
                                try {
                                    if (StringUtils.contains(str2, GrouperWsConfig.WS_SEPARATOR)) {
                                        String[] splitTrim = GrouperUtil.splitTrim(str2, GrouperWsConfig.WS_SEPARATOR);
                                        String str3 = splitTrim[0];
                                        String str4 = splitTrim[1];
                                        Group findByName = GroupFinder.findByName(start, str3, true);
                                        Group findByName2 = GroupFinder.findByName(start, str4, true);
                                        if (findByName.hasMember(retrieveSubjectLoggedIn) && findByName2.hasMember(retrieveSubject)) {
                                            actAsCache().put(multiKey2, Boolean.TRUE);
                                            GrouperSession.stopQuietly(start);
                                            return retrieveSubject;
                                        }
                                    } else if (GroupFinder.findByName(start, propertyValueString2, true).hasMember(retrieveSubjectLoggedIn)) {
                                        actAsCache().put(multiKey2, Boolean.TRUE);
                                        GrouperSession.stopQuietly(start);
                                        return retrieveSubject;
                                    }
                                    i++;
                                } catch (Exception e2) {
                                    LOG.error("Problem with groupEntry: " + str2 + ", loggedInUser: " + retrieveSubjectLoggedIn + ", actAsSubject: " + retrieveSubject, e2);
                                }
                            }
                            if (i == 0) {
                                throw new RuntimeException("Problems seeing if web service user '" + retrieveSubjectLoggedIn + "' can actAs the other subject: '" + retrieveSubject + "'");
                            }
                            throw new RuntimeException("A web service is specifying an actAsUser, but the groups specified in ws.act.as.group in the grouper-ws.properties  does not have a valid rule for member: '" + retrieveSubjectLoggedIn + "', and actAs: '" + retrieveSubject + "'");
                        } catch (SessionException e3) {
                            throw new RuntimeException((Throwable) e3);
                        }
                    } catch (Throwable th) {
                        GrouperSession.stopQuietly((GrouperSession) null);
                        throw th;
                    }
                } finally {
                    GrouperSession.stopQuietly(grouperSession2);
                }
            } catch (SessionException e4) {
                throw new RuntimeException((Throwable) e4);
            }
        } catch (Throwable th2) {
            GrouperSession.stopQuietly(startRootSession);
            throw th2;
        }
    }

    public static HttpServletRequest retrieveHttpServletRequest() {
        return threadLocalRequest.get();
    }

    public static HttpServlet retrieveHttpServlet() {
        return threadLocalServlet.get();
    }

    public static boolean wssecServlet() {
        return GrouperUtil.booleanValue(retrieveHttpServlet().getServletConfig().getInitParameter("wssec"), false);
    }

    public static void assignHttpServlet(HttpServlet httpServlet) {
        threadLocalServlet.set(httpServlet);
    }

    public static HttpServletResponse retrieveHttpServletResponse() {
        return threadLocalResponse.get();
    }

    public void destroy() {
        InstrumentationThread.shutdownThread();
    }

    public static Map<String, Object> retrieveDebugMap() {
        HttpServletRequest retrieveHttpServletRequest = retrieveHttpServletRequest();
        if (retrieveHttpServletRequest == null) {
            return new LinkedHashMap();
        }
        Map<String, Object> map = (Map) retrieveHttpServletRequest.getAttribute("debugMap");
        if (map == null) {
            map = new LinkedHashMap();
            retrieveHttpServletRequest.setAttribute("debugMap", map);
        }
        return map;
    }

    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        LinkedHashMap linkedHashMap = new LinkedHashMap();
        Long valueOf = Long.valueOf(System.nanoTime());
        try {
            try {
                servletRequest.setCharacterEncoding("UTF-8");
                servletResponse.setCharacterEncoding("UTF-8");
                HttpServletRequest wsHttpServletRequest = new WsHttpServletRequest((HttpServletRequest) servletRequest);
                String header = wsHttpServletRequest.getHeader("Authorization");
                if (StringUtils.isNotBlank(header) && header.startsWith("Bearer jwtTrusted_")) {
                    Subject decode = new GrouperTrustedJwt().assignBearerTokenHeader(header).decode();
                    if (decode == null) {
                        ((HttpServletResponse) servletResponse).sendError(401, "Unauthorized");
                        GrouperWsLog.wsLog(linkedHashMap, valueOf);
                        GrouperWsLongRunningLog.wsLog(linkedHashMap, valueOf);
                        threadLocalRequest.remove();
                        threadLocalResponse.remove();
                        threadLocalRequestStartMillis.remove();
                        threadLocalServlet.remove();
                        HooksContext.clearThreadLocal();
                        ServletRequestUtils.requestEnd();
                        return;
                    }
                    wsHttpServletRequest.setAttribute("REMOTE_USER", decode.getSourceId() + GrouperWsConfig.WS_SEPARATOR + decode.getId());
                } else if (StringUtils.isNotBlank(header) && (header.startsWith("Bearer oidc_") || header.startsWith("Bearer oidcWithRedirectUri_"))) {
                    Subject decode2 = new GrouperOidc().assignBearerTokenHeader(header).decode();
                    if (decode2 == null) {
                        ((HttpServletResponse) servletResponse).sendError(401, "Unauthorized");
                        GrouperWsLog.wsLog(linkedHashMap, valueOf);
                        GrouperWsLongRunningLog.wsLog(linkedHashMap, valueOf);
                        threadLocalRequest.remove();
                        threadLocalResponse.remove();
                        threadLocalRequestStartMillis.remove();
                        threadLocalServlet.remove();
                        HooksContext.clearThreadLocal();
                        ServletRequestUtils.requestEnd();
                        return;
                    }
                    wsHttpServletRequest.setAttribute("REMOTE_USER", decode2.getSourceId() + GrouperWsConfig.WS_SEPARATOR + decode2.getId());
                } else if (StringUtils.isNotBlank(header) && header.startsWith("Bearer jwtUser_")) {
                    Subject decode3 = new GrouperPublicPrivateKeyJwt().assignBearerTokenHeader(header).decode(wsHttpServletRequest.getRemoteAddr());
                    if (decode3 == null) {
                        ((HttpServletResponse) servletResponse).sendError(401, "Unauthorized");
                        GrouperWsLog.wsLog(linkedHashMap, valueOf);
                        GrouperWsLongRunningLog.wsLog(linkedHashMap, valueOf);
                        threadLocalRequest.remove();
                        threadLocalResponse.remove();
                        threadLocalRequestStartMillis.remove();
                        threadLocalServlet.remove();
                        HooksContext.clearThreadLocal();
                        ServletRequestUtils.requestEnd();
                        return;
                    }
                    wsHttpServletRequest.setAttribute("REMOTE_USER", decode3.getSourceId() + GrouperWsConfig.WS_SEPARATOR + decode3.getId());
                } else if (!GrouperHibernateConfig.retrieveConfig().propertyValueBoolean("grouper.is.ws.basicAuthn", false)) {
                    String propertyValueString = GrouperWsConfig.retrieveConfig().propertyValueString(GrouperWsConfig.WS_SECURITY_NON_RAMPART_AUTHENTICATION_CLASS, null);
                    boolean propertyValueBoolean = GrouperWsConfig.retrieveConfig().propertyValueBoolean("ws.security.non-rampart.error.401.authentication.error", true);
                    if (!StringUtils.isEmpty(propertyValueString) && propertyValueBoolean && StringUtils.isBlank(((WsCustomAuthentication) GrouperUtil.newInstance(GrouperUtil.forName(propertyValueString))).retrieveLoggedInSubjectId(wsHttpServletRequest))) {
                        ((HttpServletResponse) servletResponse).setHeader("WWW-Authenticate", "Basic realm=\"Protected\"");
                        ((HttpServletResponse) servletResponse).sendError(401, "Unauthorized");
                        GrouperWsLog.wsLog(linkedHashMap, valueOf);
                        GrouperWsLongRunningLog.wsLog(linkedHashMap, valueOf);
                        threadLocalRequest.remove();
                        threadLocalResponse.remove();
                        threadLocalRequestStartMillis.remove();
                        threadLocalServlet.remove();
                        HooksContext.clearThreadLocal();
                        ServletRequestUtils.requestEnd();
                        return;
                    }
                } else {
                    if (!new Authentication().authenticate(header, GrouperPassword.Application.WS, wsHttpServletRequest.getRemoteAddr())) {
                        ((HttpServletResponse) servletResponse).setHeader("WWW-Authenticate", "Basic realm=\"Protected\"");
                        ((HttpServletResponse) servletResponse).sendError(401, "Unauthorized");
                        GrouperWsLog.wsLog(linkedHashMap, valueOf);
                        GrouperWsLongRunningLog.wsLog(linkedHashMap, valueOf);
                        threadLocalRequest.remove();
                        threadLocalResponse.remove();
                        threadLocalRequestStartMillis.remove();
                        threadLocalServlet.remove();
                        HooksContext.clearThreadLocal();
                        ServletRequestUtils.requestEnd();
                        return;
                    }
                    wsHttpServletRequest.setAttribute("REMOTE_USER", Authentication.retrieveUsername(header));
                }
                wsHttpServletRequest.setAttribute("debugMap", linkedHashMap);
                NDC.clear();
                threadLocalServlet.remove();
                threadLocalRequest.set(wsHttpServletRequest);
                Map<String, Object> retrieveDebugMap = retrieveDebugMap();
                threadLocalResponse.set((HttpServletResponse) servletResponse);
                threadLocalRequestStartMillis.set(Long.valueOf(System.currentTimeMillis()));
                GrouperContextTypeBuiltIn.setDefaultContext(GrouperContextTypeBuiltIn.GROUPER_WS);
                HooksContext.setAttributeThreadLocal("HttpServletRequest", wsHttpServletRequest, false);
                HooksContext.setAttributeThreadLocal("HttpSession", wsHttpServletRequest.getSession(), false);
                HooksContext.setAttributeThreadLocal("HttpServletResponse", servletResponse, false);
                GrouperContext createNewDefaultContext = GrouperContext.createNewDefaultContext(GrouperEngineBuiltin.WS, false, false);
                String defaultIfBlank = StringUtils.defaultIfBlank(wsHttpServletRequest.getHeader("X-Forwarded-For"), wsHttpServletRequest.getRemoteAddr());
                createNewDefaultContext.setCallerIpAddress(defaultIfBlank);
                retrieveDebugMap.put("start", timeFormat.format(new Date()));
                retrieveDebugMap.put("remoteAddr", defaultIfBlank);
                retrieveDebugMap.put("requestUrl", wsHttpServletRequest.getRequestURL());
                filterChain.doFilter(wsHttpServletRequest, servletResponse);
                GrouperWsLog.wsLog(retrieveDebugMap, valueOf);
                GrouperWsLongRunningLog.wsLog(retrieveDebugMap, valueOf);
                threadLocalRequest.remove();
                threadLocalResponse.remove();
                threadLocalRequestStartMillis.remove();
                threadLocalServlet.remove();
                HooksContext.clearThreadLocal();
                ServletRequestUtils.requestEnd();
            } catch (ServletException e) {
                handleException(e);
                throw e;
            } catch (IOException e2) {
                handleException(e2);
                throw e2;
            } catch (RuntimeException e3) {
                LOG.info("error in request", e3);
                linkedHashMap.put("exception", ExceptionUtils.getFullStackTrace(e3));
                handleException(e3);
                throw e3;
            }
        } catch (Throwable th) {
            GrouperWsLog.wsLog(linkedHashMap, valueOf);
            GrouperWsLongRunningLog.wsLog(linkedHashMap, valueOf);
            threadLocalRequest.remove();
            threadLocalResponse.remove();
            threadLocalRequestStartMillis.remove();
            threadLocalServlet.remove();
            HooksContext.clearThreadLocal();
            ServletRequestUtils.requestEnd();
            throw th;
        }
    }

    private void handleException(IOException iOException) throws IOException {
        handleExceptionHelper(iOException);
    }

    private void handleException(ServletException servletException) throws ServletException {
        handleExceptionHelper(servletException);
    }

    private void handleException(RuntimeException runtimeException) throws ServletException {
        handleExceptionHelper(runtimeException);
    }

    private void handleExceptionHelper(Throwable th) throws Throwable {
        LOG.error("Error processing request", th);
        if (GrouperWsConfig.retrieveConfig().propertyValueBoolean("ws.throwExceptionsToClient", true)) {
            throw new RuntimeException("Error processing request, check logs", th);
        }
    }

    public void init(FilterConfig filterConfig) throws ServletException {
        GrouperContext.createNewDefaultContext(GrouperEngineBuiltin.WS, false, false);
        GrouperStartup.startup();
        GrouperStartup.waitForGrouperStartup();
        InstrumentationThread.startThread(GrouperEngineBuiltin.WS, (Set) null);
        initOnce();
    }

    private static void initGroup(final String str) {
        if (StringUtils.isBlank(str)) {
            return;
        }
        GrouperSession.internal_callbackRootGrouperSession(new GrouperSessionHandler() { // from class: edu.internet2.middleware.grouper.ws.GrouperServiceJ2ee.4
            public Object callback(GrouperSession grouperSession) throws GrouperSessionException {
                Group findByName = GroupFinder.findByName(grouperSession, str, false);
                if (findByName == null) {
                    return null;
                }
                GroupFinder.groupCacheAsRootAddSystemGroup(findByName);
                return null;
            }
        });
    }

    private static void initOnce() {
        if (inittedOnce) {
            return;
        }
        synchronized (GrouperServiceJ2ee.class) {
            if (!inittedOnce) {
                for (String str : new String[]{GrouperWsConfig.retrieveConfig().propertyValueString("browser.debug.group"), GrouperWsConfig.retrieveConfig().propertyValueString("ws.grouper.act.as.group")}) {
                    if (!StringUtils.isBlank(str)) {
                        for (String str2 : GrouperUtil.splitTrim(str, ",")) {
                            if (StringUtils.contains(str2, GrouperWsConfig.WS_SEPARATOR)) {
                                String[] splitTrim = GrouperUtil.splitTrim(str2, GrouperWsConfig.WS_SEPARATOR);
                                initGroup(splitTrim[0]);
                                initGroup(splitTrim[1]);
                            } else {
                                initGroup(str2);
                            }
                        }
                    }
                }
                initGroup(GrouperWsConfig.retrieveConfig().propertyValueString(GrouperWsConfig.WS_CLIENT_USER_GROUP_NAME));
                inittedOnce = true;
            }
        }
    }

    static /* synthetic */ GrouperCache access$000() {
        return actAsCache();
    }

    static /* synthetic */ GrouperCache access$200() {
        return subjectAllowedCache();
    }
}
