package com.openexchange.ajax;

import com.openexchange.ajax.helper.BrowserDetector;
import com.openexchange.ajax.login.HashCalculator;
import com.openexchange.config.ConfigurationService;
import com.openexchange.configuration.ClientWhitelist;
import com.openexchange.configuration.CookieHashSource;
import com.openexchange.configuration.ServerConfig;
import com.openexchange.exception.OXException;
import com.openexchange.groupware.contexts.Context;
import com.openexchange.groupware.contexts.impl.ContextExceptionCodes;
import com.openexchange.groupware.contexts.impl.ContextStorage;
import com.openexchange.groupware.ldap.LdapExceptionCode;
import com.openexchange.groupware.ldap.User;
import com.openexchange.groupware.ldap.UserExceptionCode;
import com.openexchange.groupware.ldap.UserStorage;
import com.openexchange.java.Autoboxing;
import com.openexchange.java.Strings;
import com.openexchange.log.ForceLog;
import com.openexchange.log.LogFactory;
import com.openexchange.log.LogProperties;
import com.openexchange.log.Props;
import com.openexchange.server.ServiceExceptionCode;
import com.openexchange.server.services.ServerServiceRegistry;
import com.openexchange.session.Session;
import com.openexchange.sessiond.SessionExceptionCodes;
import com.openexchange.sessiond.SessiondService;
import com.openexchange.sessiond.impl.IPRange;
import com.openexchange.sessiond.impl.SubnetMask;
import com.openexchange.tools.servlet.http.Cookies;
import com.openexchange.tools.servlet.http.Tools;
import com.openexchange.tools.session.ServerSession;
import com.openexchange.tools.session.ServerSessionAdapter;
import java.io.IOException;
import java.lang.reflect.UndeclaredThrowableException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.EnumSet;
import java.util.Enumeration;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Set;
import java.util.concurrent.atomic.AtomicBoolean;
import java.util.concurrent.locks.Lock;
import java.util.concurrent.locks.ReentrantLock;
import javax.servlet.ServletConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.logging.Log;

/* loaded from: input_file:com/openexchange/ajax/SessionServlet.class */
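/**
 * Base servlet that resolves and validates the session behind an AJAX request: the session
 * identifier (request parameter), the secret cookie, the context state and the client IP.
 * Resolved sessions are stored as request attributes ({@link #SESSION_KEY},
 * {@link #PUBLIC_SESSION_KEY}) so later code in the same request can pick them up.
 * <p>
 * This is a decompiled class: {@link #service} was not recovered by the decompiler, and the
 * methods marked "originally protected" are public here only because the decompiler widened them.
 * All static configuration (IP check, cookie hash source, white-list, subnet mask, exempt IP
 * ranges) is process-wide and read once during {@link #init(ServletConfig)}.
 */
public abstract class SessionServlet extends AJAXServlet {

    private static final long serialVersionUID = -8308340875362868795L;

    /** Request attribute holding the {@link ServerSession} resolved from the session parameter. */
    public static final String SESSION_KEY = "sessionObject";

    /** Request attribute holding the {@link ServerSession} resolved from the public session cookie. */
    public static final String PUBLIC_SESSION_KEY = "publicSessionObject";

    /** Init parameter / configuration text listing IP ranges that are exempt from the IP check. */
    public static final String SESSION_WHITELIST_FILE = "noipcheck.cnf";

    /** Log properties written by {@link #getSession(CookieHashSource, HttpServletRequest, String, SessiondService)}. */
    protected static final Set<LogProperties.Name> LOG_PROPERTIES = Collections.unmodifiableSet(EnumSet.of(
        LogProperties.Name.SESSION_SESSION_ID,
        LogProperties.Name.SESSION_USER_ID,
        LogProperties.Name.SESSION_CONTEXT_ID,
        LogProperties.Name.SESSION_CLIENT_ID,
        LogProperties.Name.SESSION_SESSION));

    private static final Log LOG = com.openexchange.log.Log.valueOf(LogFactory.getLog(SessionServlet.class));
    private static final boolean INFO = LOG.isInfoEnabled();
    private static final boolean DEBUG = LOG.isDebugEnabled();

    /**
     * Parsed contents of {@link #SESSION_WHITELIST_FILE}. Writes happen under {@link #RANGE_LOCK};
     * NOTE(review): reads in {@link #isWhitelistedFromIPCheck} are not locked, so a concurrent
     * reload could race with a request — confirm whether init() can overlap with service().
     */
    private static final List<IPRange> RANGES = new ArrayList<IPRange>();
    private static final Lock RANGE_LOCK = new ReentrantLock();

    /** Ensures the one-off configuration in {@link #init(ServletConfig)} runs only once per JVM. */
    private static final AtomicBoolean INITIALIZED = new AtomicBoolean();

    private static volatile ClientWhitelist clientWhitelist;
    protected static volatile CookieHashSource hashSource;
    private static volatile boolean rangesLoaded;
    private static volatile SubnetMask allowedSubnet;
    private static volatile Integer maxConcurrentRequests;
    private static volatile boolean checkIP = true;

    /**
     * Reads the IP-check, cookie-hash, client white-list and subnet-mask settings once per JVM
     * and then loads the IP-check exception ranges.
     *
     * @param servletConfig servlet configuration carrying the {@link ServerConfig.Property} init parameters
     * @throws ServletException if the super class initialization fails
     */
    @Override
    public void init(ServletConfig servletConfig) throws ServletException {
        super.init(servletConfig);
        if (INITIALIZED.compareAndSet(false, true)) {
            // A missing IP_CHECK parameter used to parse as "false" and silently disable the
            // check; fall back to the property's declared default instead.
            String ipCheck = servletConfig.getInitParameter(ServerConfig.Property.IP_CHECK.getPropertyName());
            if (null == ipCheck) {
                ipCheck = ServerConfig.Property.IP_CHECK.getDefaultValue();
            }
            checkIP = Boolean.parseBoolean(ipCheck);
            hashSource = CookieHashSource.parse(servletConfig.getInitParameter(ServerConfig.Property.COOKIE_HASH.getPropertyName()));
            clientWhitelist = new ClientWhitelist().add(servletConfig.getInitParameter(ServerConfig.Property.IP_CHECK_WHITELIST.getPropertyName()));
            allowedSubnet = new SubnetMask(
                servletConfig.getInitParameter(ServerConfig.Property.IP_MASK_V4.getPropertyName()),
                servletConfig.getInitParameter(ServerConfig.Property.IP_MASK_V6.getPropertyName()));
        }
        initRanges(servletConfig);
    }

    /**
     * Loads the IP ranges exempt from the IP check, once. The text comes from the init parameter
     * named {@link #SESSION_WHITELIST_FILE}, or failing that from the {@link ConfigurationService}
     * text of the same name. Whitespace is stripped; empty lines and lines starting with
     * {@code #} are skipped. Nothing is loaded while the IP check is disabled.
     *
     * @param servletConfig servlet configuration queried for the init parameter
     */
    private void initRanges(ServletConfig servletConfig) {
        if (rangesLoaded) {
            return;
        }
        if (!checkIP) {
            rangesLoaded = true;
            return;
        }
        String text = servletConfig.getInitParameter(SESSION_WHITELIST_FILE);
        if (null == text) {
            ConfigurationService configService = (ConfigurationService) ServerServiceRegistry.getInstance().getService(ConfigurationService.class);
            if (null == configService) {
                // Service not available yet: leave rangesLoaded false so a later init() retries.
                return;
            }
            text = configService.getText(SESSION_WHITELIST_FILE);
        }
        rangesLoaded = true;
        if (null == text) {
            return;
        }
        LOG.info("Exceptions from IP Check have been defined.");
        RANGE_LOCK.lock();
        try {
            RANGES.clear();
            for (String line : Strings.splitByCRLF(text)) {
                String compact = line.replaceAll("\\s", "");
                if (!compact.isEmpty() && '#' != compact.charAt(0)) {
                    RANGES.add(IPRange.parseRange(compact));
                }
            }
        } finally {
            RANGE_LOCK.unlock();
        }
    }

    /**
     * Resolves the session(s) referenced by the request and remembers them as request attributes.
     * A non-empty {@code session} parameter is resolved, verified and stored under
     * {@link #SESSION_KEY}; a cookie named {@code Login.PUBLIC_SESSION_NAME} is resolved by its
     * alternative id (reusing the already resolved session when the ids match), secret-checked,
     * verified and stored under {@link #PUBLIC_SESSION_KEY}. Does nothing if a session is already
     * attached to the request. (Originally protected.)
     *
     * @param httpServletRequest the incoming request
     * @throws OXException if the SessionD service is unavailable or any session check fails
     */
    public void initializeSession(HttpServletRequest httpServletRequest) throws OXException {
        if (null != getSessionObject(httpServletRequest, true)) {
            return;
        }
        SessiondService sessiondService = (SessiondService) ServerServiceRegistry.getInstance().getService(SessiondService.class);
        if (null == sessiondService) {
            throw ServiceExceptionCode.SERVICE_UNAVAILABLE.create(new Object[] { SessiondService.class.getName() });
        }
        ServerSession session = null;
        String sessionParam = httpServletRequest.getParameter(AJAXServlet.PARAMETER_SESSION);
        if (null != sessionParam && !sessionParam.isEmpty()) {
            String sessionId = getSessionId(httpServletRequest);
            session = getSession(httpServletRequest, sessionId, sessiondService);
            verifySession(httpServletRequest, sessiondService, sessionId, session);
            rememberSession(httpServletRequest, session);
        }
        // First cookie with the public session name wins (the decompiled loop never advanced past a match).
        Cookie publicCookie = findCookie(httpServletRequest.getCookies(), Login.PUBLIC_SESSION_NAME);
        if (null == publicCookie) {
            return;
        }
        String alternativeId = publicCookie.getValue();
        ServerSession publicSession;
        if (null != alternativeId && null != session && alternativeId.equals(session.getParameter(Session.PARAM_ALTERNATIVE_ID))) {
            // The public cookie points at the session already resolved from the parameter.
            publicSession = session;
        } else {
            publicSession = ServerSessionAdapter.valueOf(sessiondService.getSessionByAlternativeId(alternativeId));
        }
        if (null != publicSession) {
            checkSecret(hashSource, httpServletRequest, publicSession);
            verifySession(httpServletRequest, sessiondService, publicSession.getSessionID(), publicSession);
            rememberPublicSession(httpServletRequest, publicSession);
        }
    }

    /**
     * Checks that the session returned by SessionD carries the requested identifier, that its
     * context is enabled (a locked context removes the session server-side) and that the client
     * IP passes the IP check. (Originally protected.)
     *
     * @param httpServletRequest the incoming request, used for its remote address
     * @param sessiondService the SessionD service used to drop sessions of locked contexts
     * @param sessionId the identifier the request asked for
     * @param serverSession the session SessionD resolved for it
     * @throws OXException WRONG_SESSION, CONTEXT_LOCKED or an IP-check error
     */
    public void verifySession(HttpServletRequest httpServletRequest, SessiondService sessiondService, String sessionId, ServerSession serverSession) throws OXException {
        if (!sessionId.equals(serverSession.getSessionID())) {
            if (INFO) {
                LOG.info("Request's session identifier \"" + sessionId + "\" differs from the one indicated by SessionD service \"" + serverSession.getSessionID() + "\".");
            }
            throw SessionExceptionCodes.WRONG_SESSION.create();
        }
        Context context = serverSession.getContext();
        if (!context.isEnabled()) {
            sessiondService.removeSession(sessionId);
            if (INFO) {
                LOG.info("The context " + context.getContextId() + " associated with session is locked.");
            }
            throw SessionExceptionCodes.CONTEXT_LOCKED.create();
        }
        checkIP(serverSession, httpServletRequest.getRemoteAddr());
    }

    /*
     * Not recovered by the decompiler (instructions count: 538). The body below is the
     * decompiler's placeholder, NOT the original servlet logic; see superService for the
     * pass-through to AJAXServlet.
     */
    @Override
    public void service(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
        throw new UnsupportedOperationException("Method not decompiled: com.openexchange.ajax.SessionServlet.service(javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse):void");
    }

    /**
     * Returns the cached maximum number of concurrent AJAX requests, computing it on first use
     * (double-checked locking on the volatile {@link #maxConcurrentRequests}).
     * <p>
     * NOTE(review): the cache is process-wide, so the "ajax.maxCount" attribute of whichever
     * session is passed first decides the value for every later caller; looks unintended — confirm.
     * Presumably called from the non-decompiled {@link #service}.
     *
     * @param serverSession session whose user attributes may define the limit; may be null
     * @return the limit, or 0 when computed from a null session
     */
    private static int getMaxConcurrentRequests(ServerSession serverSession) {
        Integer cached = maxConcurrentRequests;
        if (null == cached) {
            synchronized (SessionServlet.class) {
                cached = maxConcurrentRequests;
                if (null == cached) {
                    cached = Integer.valueOf(getMaxConcurrentRequests0(serverSession));
                    maxConcurrentRequests = cached;
                }
            }
        }
        return cached.intValue();
    }

    /**
     * Computes the limit: the first "ajax.maxCount" user attribute if present and numeric,
     * otherwise the server default.
     */
    private static int getMaxConcurrentRequests0(ServerSession serverSession) {
        if (null == serverSession) {
            return 0;
        }
        Set<String> values = serverSession.getUser().getAttributes().get("ajax.maxCount");
        if (null == values || values.isEmpty()) {
            return defaultMaxConcurrentRequests();
        }
        try {
            return Integer.parseInt(values.iterator().next());
        } catch (NumberFormatException e) {
            return defaultMaxConcurrentRequests();
        }
    }

    /** Server-wide default limit, falling back to the property's built-in default if the config cannot be read. */
    private static int defaultMaxConcurrentRequests() {
        try {
            return ServerConfig.getInt(ServerConfig.Property.DEFAULT_MAX_CONCURRENT_AJAX_REQUESTS);
        } catch (OXException e) {
            return Integer.parseInt(ServerConfig.Property.DEFAULT_MAX_CONCURRENT_AJAX_REQUESTS.getDefaultValue());
        }
    }

    /**
     * Delegates to {@link AJAXServlet#service} for subclasses that need the plain dispatch.
     *
     * @param httpServletRequest the incoming request
     * @param httpServletResponse the response
     * @throws ServletException propagated from the super class
     * @throws IOException propagated from the super class
     */
    protected void superService(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws ServletException, IOException {
        super.service(httpServletRequest, httpServletResponse);
    }

    /** Runs the IP check with this servlet's static configuration. */
    private void checkIP(Session session, String actualIp) throws OXException {
        checkIP(checkIP, getRanges(), session, actualIp, clientWhitelist);
    }

    /** The exempt IP ranges loaded by {@link #initRanges(ServletConfig)}. */
    private List<IPRange> getRanges() {
        return RANGES;
    }

    /**
     * Reacts to an IP-check failure by expiring the OX cookies and the JSESSIONID cookie and
     * removing the session from SessionD; other exceptions are ignored. The session log
     * properties are always cleared afterwards. (Originally protected.)
     * <p>
     * Note that {@link #getSession} re-runs the secret check, so a request without matching
     * secret cookies ends up in the error branch instead of having its cookies cleared.
     *
     * @param oXException the exception raised while resolving the session
     * @param httpServletRequest the incoming request
     * @param httpServletResponse the response the expired cookies are added to
     */
    public void handleSessiondException(OXException oXException, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        if (!isIpCheckError(oXException)) {
            return;
        }
        try {
            SessiondService sessiondService = (SessiondService) ServerServiceRegistry.getInstance().getService(SessiondService.class);
            if (null == sessiondService) {
                throw ServiceExceptionCode.SERVICE_UNAVAILABLE.create(new Object[] { SessiondService.class.getName() });
            }
            String sessionId = getSessionId(httpServletRequest);
            removeOXCookies(getSession(httpServletRequest, sessionId, sessiondService).getHash(), httpServletRequest, httpServletResponse);
            removeJSESSIONID(httpServletRequest, httpServletResponse);
            sessiondService.removeSession(sessionId);
        } catch (Exception e) {
            LOG.error("Cookies could not be removed.", e);
        } finally {
            LogProperties.removeLogProperties(LOG_PROPERTIES);
        }
    }

    /**
     * @param oXException the exception to classify
     * @return true if it is a {@code WRONG_CLIENT_IP} session error of the matching category
     */
    public static boolean isIpCheckError(OXException oXException) {
        SessionExceptionCodes wrongClientIp = SessionExceptionCodes.WRONG_CLIENT_IP;
        return wrongClientIp.equals(oXException) && wrongClientIp.getCategory().equals(oXException.getCategory());
    }

    /**
     * Compares the request's client address with the address the session was created from.
     * When they differ and the check is enabled, the request is rejected unless the address is
     * in an exempt range, the client is white-listed, or both addresses share the configured
     * subnet. The session's stored address follows the client when the check is off or the
     * client is white-listed.
     *
     * @param doCheck whether the IP check is enabled
     * @param ranges IP ranges exempt from the check (may be null)
     * @param session the session being validated
     * @param actualIp the request's remote address (may be null)
     * @param whitelist client white-list (may be null or empty)
     * @throws OXException WRONG_CLIENT_IP when the address change is not allowed
     */
    public static void checkIP(boolean doCheck, List<IPRange> ranges, Session session, String actualIp, ClientWhitelist whitelist) throws OXException {
        String loginIp = session.getLocalIp();
        if (null != actualIp && actualIp.equals(loginIp)) {
            return;
        }
        if (doCheck && !isWhitelistedFromIPCheck(actualIp, ranges) && !isWhitelistedClient(session, whitelist) && !allowedSubnet.areInSameSubnet(actualIp, loginIp)) {
            if (INFO) {
                LOG.info("Request to server denied (IP check activated) for session: " + session.getSessionID()
                    + ". Client login IP changed from " + loginIp + " to " + (null == actualIp ? "<missing>" : actualIp)
                    + " and is not covered by IP white-list or netmask.");
            }
            throw SessionExceptionCodes.WRONG_CLIENT_IP.create();
        }
        if (null != actualIp && (!doCheck || isWhitelistedClient(session, whitelist))) {
            session.setLocalIp(actualIp);
        }
        if (DEBUG && !isWhitelistedFromIPCheck(actualIp, ranges) && !isWhitelistedClient(session, whitelist)) {
            // loginIp was captured before setLocalIp() so the message shows the real previous address.
            LOG.debug("Session " + session.getSessionID() + " requests now from " + actualIp + " but login came from " + loginIp);
        }
    }

    /** True if a non-empty white-list allows the session's client identifier. */
    private static boolean isWhitelistedClient(Session session, ClientWhitelist whitelist) {
        return null != whitelist && !whitelist.isEmpty() && whitelist.isAllowed(session.getClient());
    }

    /**
     * @param ip the address to test
     * @param ranges the exempt ranges (null is treated as empty)
     * @return true if any range contains the address
     */
    public static boolean isWhitelistedFromIPCheck(String ip, List<IPRange> ranges) {
        if (null == ranges) {
            return false;
        }
        for (IPRange range : ranges) {
            if (range.contains(ip)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Returns the {@code session} request parameter. (Originally protected.)
     *
     * @param servletRequest the incoming request
     * @return the session identifier
     * @throws OXException SESSION_PARAMETER_MISSING if the parameter is absent; at DEBUG level the
     *         names (never the values) of the present parameters are logged
     */
    public static String getSessionId(ServletRequest servletRequest) throws OXException {
        String sessionId = servletRequest.getParameter(AJAXServlet.PARAMETER_SESSION);
        if (null != sessionId) {
            return sessionId;
        }
        if (INFO) {
            StringBuilder msg = new StringBuilder(32);
            msg.append("Parameter \"").append(AJAXServlet.PARAMETER_SESSION).append("\" not found");
            if (DEBUG) {
                msg.append(": ");
                Enumeration<?> names = servletRequest.getParameterNames();
                boolean first = true;
                while (names.hasMoreElements()) {
                    if (!first) {
                        msg.append(',');
                    }
                    msg.append(names.nextElement());
                    first = false;
                }
                msg.append('.');
            }
            LOG.info(msg.toString());
        }
        throw SessionExceptionCodes.SESSION_PARAMETER_MISSING.create();
    }

    /**
     * Resolves a session using this servlet's configured {@link #hashSource}.
     *
     * @see #getSession(CookieHashSource, HttpServletRequest, String, SessiondService)
     */
    public ServerSession getSession(HttpServletRequest httpServletRequest, String sessionId, SessiondService sessiondService) throws OXException {
        return getSession(hashSource, httpServletRequest, sessionId, sessiondService);
    }

    /**
     * Looks the session up in SessionD, records its ids as log properties, checks the secret
     * cookie and loads the session's context and user. Sessions whose context or user no longer
     * exist, or whose user is not mail-enabled, are reported as expired; a missing context or
     * user also removes the session from SessionD.
     *
     * @param cookieHashSource how the secret cookie name is derived
     * @param httpServletRequest the incoming request
     * @param sessionId the session identifier
     * @param sessiondService the SessionD service
     * @return the fully resolved server session
     * @throws OXException SESSION_EXPIRED, WRONG_SESSION_SECRET, USER_NOT_FOUND or any storage error
     */
    public static ServerSession getSession(CookieHashSource cookieHashSource, HttpServletRequest httpServletRequest, String sessionId, SessiondService sessiondService) throws OXException {
        Session session = sessiondService.getSession(sessionId);
        if (null == session) {
            if (INFO) {
                LOG.info("There is no session associated with session identifier: " + sessionId);
            }
            throw SessionExceptionCodes.SESSION_EXPIRED.create(new Object[] { sessionId });
        }
        Props logProperties = LogProperties.getLogProperties();
        logProperties.put(LogProperties.Name.SESSION_SESSION_ID, sessionId);
        logProperties.put(LogProperties.Name.SESSION_USER_ID, Integer.valueOf(session.getUserId()));
        logProperties.put(LogProperties.Name.SESSION_CONTEXT_ID, Integer.valueOf(session.getContextId()));
        String client = session.getClient();
        logProperties.put(LogProperties.Name.SESSION_CLIENT_ID, null == client ? BrowserDetector.UNKNOWN : client);
        logProperties.put(LogProperties.Name.SESSION_SESSION, session);
        // The secret cookie must match before any context/user data is loaded for the session.
        checkSecret(cookieHashSource, httpServletRequest, session);
        try {
            Context context = ContextStorage.getInstance().getContext(session.getContextId());
            User user = UserStorage.getInstance().getUser(session.getUserId(), context);
            if (!user.isMailEnabled()) {
                if (INFO) {
                    LOG.info("User " + user.getId() + " in context " + context.getContextId() + " is not activated.");
                }
                // Passes through the catch below unchanged, as neither not-found test matches it.
                throw SessionExceptionCodes.SESSION_EXPIRED.create(new Object[] { session.getSessionID() });
            }
            return ServerSessionAdapter.valueOf(session, context, user);
        } catch (UndeclaredThrowableException e) {
            throw UserExceptionCode.USER_NOT_FOUND.create(e, Autoboxing.I(session.getUserId()), Autoboxing.I(session.getContextId()));
        } catch (OXException e) {
            if (ContextExceptionCodes.NOT_FOUND.equals(e)) {
                sessiondService.removeSession(sessionId);
                if (INFO) {
                    LOG.info("The context associated with session \"" + sessionId + "\" cannot be found. Obviously an outdated session which is invalidated now.");
                }
                throw SessionExceptionCodes.SESSION_EXPIRED.create(new Object[] { sessionId });
            }
            if (isUserNotFound(e)) {
                sessiondService.removeSession(sessionId);
                if (INFO) {
                    LOG.info("The user associated with session \"" + sessionId + "\" cannot be found. Obviously an outdated session which is invalidated now.");
                }
                throw SessionExceptionCodes.SESSION_EXPIRED.create(new Object[] { sessionId });
            }
            throw e;
        }
    }

    /** True if the exception carries the user-not-found code of the user or the LDAP code family. */
    private static boolean isUserNotFound(OXException e) {
        if (!UserExceptionCode.USER_NOT_FOUND.getPrefix().equals(e.getPrefix())) {
            return false;
        }
        int code = e.getCode();
        return UserExceptionCode.USER_NOT_FOUND.getNumber() == code || LdapExceptionCode.USER_NOT_FOUND.getNumber() == code;
    }

    /**
     * Verifies that the secret cookie belonging to the session carries the session's secret.
     * The comparison is constant-time and neither secret is written to the log.
     *
     * @param cookieHashSource how the secret cookie name is derived
     * @param httpServletRequest the incoming request
     * @param session the session whose secret is expected
     * @throws OXException WRONG_SESSION_SECRET if the cookie is missing or does not match
     */
    public static void checkSecret(CookieHashSource cookieHashSource, HttpServletRequest httpServletRequest, Session session) throws OXException {
        String given = extractSecret(cookieHashSource, httpServletRequest, session.getHash(), session.getClient());
        if (null == given || !secretsEqual(session.getSecret(), given)) {
            if (INFO && null != given) {
                LOG.info("Session secret is different from the secret in session \"" + session.getSessionID() + "\".");
            }
            throw SessionExceptionCodes.WRONG_SESSION_SECRET.create();
        }
    }

    /** Constant-time equality of two secrets; null on either side never matches. */
    private static boolean secretsEqual(String expected, String given) {
        if (null == expected || null == given) {
            return false;
        }
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8), given.getBytes(StandardCharsets.UTF_8));
    }

    /**
     * Reads the secret cookie's value. The cookie name is {@code Login.SECRET_PREFIX} followed by
     * the hash computed by {@link #getHash}.
     *
     * @param cookieHashSource how the cookie name hash is derived
     * @param httpServletRequest the incoming request
     * @param hash the session's stored hash (used when the source is {@code REMEMBER})
     * @param client the session's client identifier
     * @return the cookie value, or null if the request has no cookies or no matching cookie
     */
    public static String extractSecret(CookieHashSource cookieHashSource, HttpServletRequest httpServletRequest, String hash, String client) {
        Cookie[] cookies = httpServletRequest.getCookies();
        if (null == cookies) {
            if (INFO) {
                LOG.info("Missing Cookies in HTTP request. No session secret can be looked up.");
            }
            return null;
        }
        String cookieName = Login.SECRET_PREFIX + getHash(cookieHashSource, httpServletRequest, hash, client);
        Cookie secretCookie = findCookie(cookies, cookieName);
        if (null != secretCookie) {
            return secretCookie.getValue();
        }
        if (INFO) {
            LOG.info("Didn't found an appropriate Cookie for name \"" + cookieName + "\" (CookieHashSource=" + cookieHashSource + ") which provides the session secret.");
        }
        return null;
    }

    /** First cookie with the given name, or null; a null array yields null. */
    private static Cookie findCookie(Cookie[] cookies, String name) {
        if (null == cookies) {
            return null;
        }
        for (Cookie cookie : cookies) {
            if (name.equals(cookie.getName())) {
                return cookie;
            }
        }
        return null;
    }

    /**
     * @param cookieHashSource selects the hash strategy
     * @param httpServletRequest the incoming request
     * @param hash the session's stored hash
     * @param client the session's client identifier
     * @return the stored hash when the source is {@code REMEMBER}, else a hash computed from the request and client
     */
    public static String getHash(CookieHashSource cookieHashSource, HttpServletRequest httpServletRequest, String hash, String client) {
        return CookieHashSource.REMEMBER == cookieHashSource ? hash : HashCalculator.getInstance().getHash(httpServletRequest, client);
    }

    /**
     * Stores the session under {@link #SESSION_KEY} and records the container session id on it.
     *
     * @param httpServletRequest the incoming request
     * @param serverSession the resolved session
     */
    public static void rememberSession(HttpServletRequest httpServletRequest, ServerSession serverSession) {
        remember(httpServletRequest, SESSION_KEY, serverSession);
    }

    /**
     * Stores the session under {@link #PUBLIC_SESSION_KEY} and records the container session id on it.
     *
     * @param httpServletRequest the incoming request
     * @param serverSession the resolved public session
     */
    public static void rememberPublicSession(HttpServletRequest httpServletRequest, ServerSession serverSession) {
        remember(httpServletRequest, PUBLIC_SESSION_KEY, serverSession);
    }

    /** Shared body of the two remember methods; getSession() creates a container session if none exists. */
    private static void remember(HttpServletRequest httpServletRequest, String attributeKey, ServerSession serverSession) {
        httpServletRequest.setAttribute(attributeKey, serverSession);
        serverSession.setParameter(Tools.JSESSIONID_COOKIE, httpServletRequest.getSession().getId());
    }

    /**
     * Expires every cookie whose name starts with the session prefix, the secret prefix (both
     * suffixed with {@code hash}) or the public session name.
     *
     * @param hash the session hash that forms the cookie name suffix
     * @param httpServletRequest the incoming request whose cookies are inspected
     * @param httpServletResponse the response the expired cookies are added to
     */
    public static void removeOXCookies(String hash, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        Cookie[] cookies = httpServletRequest.getCookies();
        if (null == cookies) {
            return;
        }
        List<String> prefixes = Arrays.asList(Login.SESSION_PREFIX + hash, Login.SECRET_PREFIX + hash, Login.PUBLIC_SESSION_NAME);
        String domain = Cookies.getDomainValue(httpServletRequest.getServerName());
        for (Cookie cookie : cookies) {
            if (startsWithAny(cookie.getName(), prefixes)) {
                expireCookie(httpServletResponse, cookie.getName(), cookie.getValue(), domain);
            }
        }
    }

    /** True if {@code name} starts with at least one of the prefixes. */
    private static boolean startsWithAny(String name, List<String> prefixes) {
        for (String prefix : prefixes) {
            if (name.startsWith(prefix)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Expires the container's JSESSIONID cookie. The domain for the expiring cookie is derived
     * from the cookie value by {@link Cookies#extractDomainValue}.
     *
     * @param httpServletRequest the incoming request whose cookies are inspected
     * @param httpServletResponse the response the expired cookies are added to
     */
    public static void removeJSESSIONID(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        Cookie[] cookies = httpServletRequest.getCookies();
        if (null == cookies) {
            return;
        }
        for (Cookie cookie : cookies) {
            if (Tools.JSESSIONID_COOKIE.equals(cookie.getName())) {
                String value = cookie.getValue();
                expireCookie(httpServletResponse, cookie.getName(), value, Cookies.extractDomainValue(value));
            }
        }
    }

    /**
     * Adds max-age-0 copies of a cookie with path "/" to the response: when a domain is known, a
     * host-only copy first and then a domain-scoped one, so that both variants a browser may hold
     * are cleared; otherwise just the host-only copy.
     */
    private static void expireCookie(HttpServletResponse response, String name, String value, String domain) {
        if (null != domain) {
            Cookie hostOnly = new Cookie(name, value);
            hostOnly.setPath("/");
            hostOnly.setMaxAge(0);
            response.addCookie(hostOnly);
        }
        Cookie expired = new Cookie(name, value);
        expired.setPath("/");
        if (null != domain) {
            expired.setDomain(domain);
        }
        expired.setMaxAge(0);
        response.addCookie(expired);
    }

    /**
     * The session stored under {@link #SESSION_KEY}, ignoring the public session. (Originally protected.)
     *
     * @see #getSessionObject(ServletRequest, boolean)
     */
    public static ServerSession getSessionObject(ServletRequest servletRequest) {
        return getSessionObject(servletRequest, false);
    }

    /**
     * Returns the session attached to the request. (Originally protected.)
     * <p>
     * When no session is attached and {@code includePublic} is false, the servlet path, path
     * info and query string are recorded as log properties before null is returned.
     * NOTE(review): the query string may carry the session parameter value; confirm the log
     * sink is appropriate for it.
     *
     * @param servletRequest the incoming request
     * @param includePublic whether to fall back to the public session attribute
     * @return the session, or null if none is attached
     */
    public static ServerSession getSessionObject(ServletRequest servletRequest, boolean includePublic) {
        Object attribute = servletRequest.getAttribute(SESSION_KEY);
        if (null != attribute) {
            return (ServerSession) attribute;
        }
        if (includePublic) {
            return (ServerSession) servletRequest.getAttribute(PUBLIC_SESSION_KEY);
        }
        Props logProperties = LogProperties.optLogProperties();
        if (null == logProperties || !(servletRequest instanceof HttpServletRequest)) {
            return null;
        }
        HttpServletRequest request = (HttpServletRequest) servletRequest;
        logProperties.put(LogProperties.Name.SERVLET_SERVLET_PATH, ForceLog.valueOf(request.getServletPath()));
        String pathInfo = request.getPathInfo();
        if (null != pathInfo) {
            logProperties.put(LogProperties.Name.SERVLET_PATH_INFO, ForceLog.valueOf(pathInfo));
        }
        String queryString = request.getQueryString();
        if (null != queryString) {
            logProperties.put(LogProperties.Name.SERVLET_QUERY_STRING, ForceLog.valueOf(queryString));
        }
        return null;
    }
}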
