package org.alfresco.repo.web.scripts;

import java.io.IOException;
import java.net.SocketException;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.function.Supplier;
import javax.transaction.UserTransaction;
import org.alfresco.error.AlfrescoRuntimeException;
import org.alfresco.error.ExceptionStackUtil;
import org.alfresco.repo.model.Repository;
import org.alfresco.repo.security.authentication.AuthenticationUtil;
import org.alfresco.repo.transaction.AlfrescoTransactionSupport;
import org.alfresco.repo.transaction.RetryingTransactionHelper;
import org.alfresco.repo.transaction.TooBusyException;
import org.alfresco.repo.web.scripts.bean.LoginPost;
import org.alfresco.repo.webdav.WebDAV;
import org.alfresco.service.cmr.repository.NodeRef;
import org.alfresco.service.cmr.security.AuthorityService;
import org.alfresco.service.descriptor.DescriptorService;
import org.alfresco.service.transaction.TransactionService;
import org.alfresco.util.TempFileProvider;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.context.ApplicationEvent;
import org.springframework.context.event.ContextRefreshedEvent;
import org.springframework.extensions.webscripts.AbstractRuntimeContainer;
import org.springframework.extensions.webscripts.Authenticator;
import org.springframework.extensions.webscripts.Description;
import org.springframework.extensions.webscripts.ServerModel;
import org.springframework.extensions.webscripts.WebScript;
import org.springframework.extensions.webscripts.WebScriptException;
import org.springframework.extensions.webscripts.WebScriptRequest;
import org.springframework.extensions.webscripts.WebScriptResponse;

/* loaded from: input_file:org/alfresco/repo/web/scripts/RepositoryContainer.class */
public class RepositoryContainer extends AbstractRuntimeContainer {
    protected static final Log logger = LogFactory.getLog(RepositoryContainer.class);
    private Repository repository;
    private RepositoryImageResolver imageResolver;
    private TransactionService transactionService;
    private RetryingTransactionHelper fallbackTransactionHelper;
    private AuthorityService authorityService;
    private DescriptorService descriptorService;
    private boolean encryptTempFiles = false;
    private String tempDirectoryName = null;
    private int memoryThreshold = 4194304;
    private long maxContentSize = 4294967296L;
    private Supplier<TempOutputStream> streamFactory = null;
    private String preserveHeadersPattern = null;
    private Class<?>[] notPublicExceptions = new Class[0];
    private Class<?>[] publicExceptions = new Class[0];

    public void setup() {
        this.streamFactory = TempOutputStream.factory(TempFileProvider.getTempDir(this.tempDirectoryName), this.memoryThreshold, this.maxContentSize, this.encryptTempFiles);
    }

    public void setEncryptTempFiles(Boolean bool) {
        if (bool != null) {
            this.encryptTempFiles = bool.booleanValue();
        }
    }

    public void setTempDirectoryName(String str) {
        this.tempDirectoryName = str;
    }

    public void setMemoryThreshold(Integer num) {
        if (num != null) {
            this.memoryThreshold = num.intValue();
        }
    }

    public void setMaxContentSize(Long l) {
        if (l != null) {
            this.maxContentSize = l.longValue();
        }
    }

    public void setPreserveHeadersPattern(String str) {
        this.preserveHeadersPattern = str;
    }

    public void setRepository(Repository repository) {
        this.repository = repository;
    }

    public void setRepositoryImageResolver(RepositoryImageResolver repositoryImageResolver) {
        this.imageResolver = repositoryImageResolver;
    }

    public void setTransactionService(TransactionService transactionService) {
        this.transactionService = transactionService;
    }

    public void setFallbackTransactionHelper(RetryingTransactionHelper retryingTransactionHelper) {
        this.fallbackTransactionHelper = retryingTransactionHelper;
    }

    public void setDescriptorService(DescriptorService descriptorService) {
        this.descriptorService = descriptorService;
    }

    public void setAuthorityService(AuthorityService authorityService) {
        this.authorityService = authorityService;
    }

    public void setNotPublicExceptions(List<Class<?>> list) {
        this.notPublicExceptions = new Class[0];
        if (null == list || list.isEmpty()) {
            return;
        }
        this.notPublicExceptions = (Class[]) list.toArray(this.notPublicExceptions);
    }

    public Class<?>[] getNotPublicExceptions() {
        return this.notPublicExceptions;
    }

    public void setPublicExceptions(List<Class<?>> list) {
        this.publicExceptions = new Class[0];
        if (null == list || list.isEmpty()) {
            return;
        }
        this.publicExceptions = (Class[]) list.toArray(this.publicExceptions);
    }

    public Class<?>[] getPublicExceptions() {
        return this.publicExceptions;
    }

    public ServerModel getDescription() {
        return new RepositoryServerModel(this.descriptorService.getCurrentRepositoryDescriptor(), this.descriptorService.getServerDescriptor());
    }

    public Map<String, Object> getScriptParameters() {
        HashMap hashMap = new HashMap(super.getScriptParameters());
        addRepoParameters(hashMap);
        return hashMap;
    }

    public Map<String, Object> getTemplateParameters() {
        return (Map) this.fallbackTransactionHelper.doInTransaction(() -> {
            HashMap hashMap = new HashMap(super.getTemplateParameters());
            hashMap.put("imageresolver", this.imageResolver.getImageResolver());
            addRepoParameters(hashMap);
            return hashMap;
        }, true);
    }

    private void addRepoParameters(Map<String, Object> map) {
        if (AlfrescoTransactionSupport.getTransactionId() == null || AuthenticationUtil.getFullAuthentication() == null) {
            return;
        }
        Object rootHome = this.repository.getRootHome();
        if (rootHome != null) {
            map.put("roothome", rootHome);
        }
        Object companyHome = this.repository.getCompanyHome();
        if (companyHome != null) {
            map.put("companyhome", companyHome);
        }
        NodeRef fullyAuthenticatedPerson = this.repository.getFullyAuthenticatedPerson();
        if (fullyAuthenticatedPerson != null) {
            map.put("person", fullyAuthenticatedPerson);
            Object userHome = this.repository.getUserHome(fullyAuthenticatedPerson);
            if (userHome != null) {
                map.put("userhome", userHome);
            }
        }
    }

    public void executeScript(WebScriptRequest webScriptRequest, WebScriptResponse webScriptResponse, Authenticator authenticator) throws IOException {
        try {
            executeScriptInternal(webScriptRequest, webScriptResponse, authenticator);
        } catch (RuntimeException e) {
            Throwable cause = ExceptionStackUtil.getCause(e, this.notPublicExceptions);
            if (ExceptionStackUtil.getCause(e, this.publicExceptions) != null || cause == null) {
                throw e;
            }
            String numericalId = (e instanceof AlfrescoRuntimeException ? (AlfrescoRuntimeException) e : new AlfrescoRuntimeException("WebScript execution failed", e)).getNumericalId();
            logger.error("Server error (" + numericalId + ")", e);
            throw new RuntimeException("Server error (" + numericalId + ").  Details can be found in the server logs.");
        }
    }

    protected void executeScriptInternal(WebScriptRequest webScriptRequest, WebScriptResponse webScriptResponse, Authenticator authenticator) throws IOException {
        WebScript webScript = webScriptRequest.getServiceMatch().getWebScript();
        Description description = webScript.getDescription();
        boolean isDebugEnabled = logger.isDebugEnabled();
        Description.RequiredAuthentication requiredAuthentication = getRequiredAuthentication();
        Description.RequiredAuthentication requiredAuthentication2 = (description.getRequiredAuthentication().compareTo(requiredAuthentication) >= 0 || authenticator.emptyCredentials()) ? description.getRequiredAuthentication() : requiredAuthentication;
        boolean isGuest = webScriptRequest.isGuest();
        if (requiredAuthentication2 == Description.RequiredAuthentication.none) {
            transactionedExecuteAs(webScript, webScriptRequest, webScriptResponse);
            return;
        }
        if (requiredAuthentication2 != Description.RequiredAuthentication.guest && isGuest) {
            throw new WebScriptException(401, "Web Script " + description.getId() + " requires user authentication; however, a guest has attempted access.");
        }
        try {
            AuthenticationUtil.pushAuthentication();
            if (isDebugEnabled) {
                String fullyAuthenticatedUser = AuthenticationUtil.getFullyAuthenticatedUser();
                logger.debug("Current authentication: " + (fullyAuthenticatedUser == null ? "unauthenticated" : "authenticated as " + fullyAuthenticatedUser));
                logger.debug("Authentication required: " + requiredAuthentication2);
                logger.debug("Guest login requested: " + isGuest);
            }
            RetryingTransactionHelper.RetryingTransactionCallback retryingTransactionCallback = () -> {
                if (authenticator != null && !authenticator.authenticate(requiredAuthentication2, isGuest)) {
                    return false;
                }
                checkScriptAccess(requiredAuthentication2, description.getId());
                if (isDebugEnabled) {
                    String fullyAuthenticatedUser2 = AuthenticationUtil.getFullyAuthenticatedUser();
                    logger.debug("Authentication: " + (fullyAuthenticatedUser2 == null ? "unauthenticated" : "authenticated as " + fullyAuthenticatedUser2));
                }
                return true;
            };
            boolean isReadOnly = this.transactionService.isReadOnly();
            if (!((Boolean) this.transactionService.getRetryingTransactionHelper().doInTransaction(retryingTransactionCallback, isReadOnly, !isReadOnly && AlfrescoTransactionSupport.getTransactionReadState() == AlfrescoTransactionSupport.TxnReadState.TXN_READ_ONLY)).booleanValue()) {
                throw new WebScriptException(401, "Authentication failed for Web Script " + description.getId());
            }
            transactionedExecuteAs(webScript, webScriptRequest, webScriptResponse, requiredAuthentication2);
            AuthenticationUtil.popAuthentication();
            if (isDebugEnabled) {
                String fullyAuthenticatedUser2 = AuthenticationUtil.getFullyAuthenticatedUser();
                logger.debug("Authentication reset: " + (fullyAuthenticatedUser2 == null ? "unauthenticated" : "authenticated as " + fullyAuthenticatedUser2));
            }
        } catch (Throwable th) {
            AuthenticationUtil.popAuthentication();
            if (isDebugEnabled) {
                String fullyAuthenticatedUser3 = AuthenticationUtil.getFullyAuthenticatedUser();
                logger.debug("Authentication reset: " + (fullyAuthenticatedUser3 == null ? "unauthenticated" : "authenticated as " + fullyAuthenticatedUser3));
            }
            throw th;
        }
    }

    private boolean isSystemUser() {
        return Objects.equals(AuthenticationUtil.getFullyAuthenticatedUser(), AuthenticationUtil.getSystemUserName());
    }

    private boolean isSysAdminUser() {
        return this.authorityService.hasSysAdminAuthority();
    }

    private boolean isAdmin() {
        return this.authorityService.hasAdminAuthority();
    }

    public final boolean isAdminOrSystemUser() {
        return isAdmin() || isSystemUser();
    }

    private void checkGuestAccess(Description.RequiredAuthentication requiredAuthentication, String str) {
        if (requiredAuthentication == Description.RequiredAuthentication.user || requiredAuthentication == Description.RequiredAuthentication.admin || requiredAuthentication == Description.RequiredAuthentication.sysadmin) {
            String fullyAuthenticatedUser = AuthenticationUtil.getFullyAuthenticatedUser();
            String runAsUser = AuthenticationUtil.getRunAsUser();
            if (fullyAuthenticatedUser == null || ((fullyAuthenticatedUser.equals(runAsUser) && this.authorityService.hasGuestAuthority()) || (!fullyAuthenticatedUser.equals(runAsUser) && this.authorityService.isGuestAuthority(fullyAuthenticatedUser)))) {
                throw new WebScriptException(401, "Web Script " + str + " requires user authentication; however, a guest has attempted access.");
            }
        }
    }

    private void checkScriptAccess(Description.RequiredAuthentication requiredAuthentication, String str) {
        checkGuestAccess(requiredAuthentication, str);
        if (requiredAuthentication == Description.RequiredAuthentication.sysadmin && !isSysAdminUser() && !isAdminOrSystemUser()) {
            throw new WebScriptException(401, "Web Script " + str + " requires system-admin authentication; however, a non-system-admin has attempted access.");
        }
        if (requiredAuthentication == Description.RequiredAuthentication.admin && !isAdminOrSystemUser()) {
            throw new WebScriptException(401, "Web Script " + str + " requires admin authentication; however, a non-admin has attempted access.");
        }
    }

    protected void transactionedExecute(WebScript webScript, WebScriptRequest webScriptRequest, WebScriptResponse webScriptResponse) throws IOException {
        Description description = webScript.getDescription();
        try {
            if (description.getRequiredTransaction() == Description.RequiredTransaction.none) {
                webScript.execute(webScriptRequest, webScriptResponse);
                return;
            }
        } catch (IOException e) {
            handleIOException(e);
        }
        Description.RequiredTransactionParameters requiredTransactionParameters = description.getRequiredTransactionParameters();
        BufferedRequest newBufferedRequest = newBufferedRequest(requiredTransactionParameters, webScriptRequest, this.streamFactory);
        try {
            BufferedResponse newBufferedResponse = newBufferedResponse(requiredTransactionParameters, webScriptResponse, this.streamFactory);
            try {
                boolean z = description.getRequiredTransactionParameters().getCapability() == Description.TransactionCapability.readonly;
                boolean z2 = description.getRequiredTransaction() == Description.RequiredTransaction.requiresnew;
                if (logger.isDebugEnabled() && !z && WebDAV.METHOD_GET.equalsIgnoreCase(description.getMethod())) {
                    logger.debug("Webscript with URL '" + webScriptRequest.getURL() + "' is a GET request but it's descriptor has declared a readwrite transaction is required");
                }
                try {
                    RetryingTransactionHelper retryingTransactionHelper = this.transactionService.getRetryingTransactionHelper();
                    if (webScript instanceof LoginPost) {
                        retryingTransactionHelper.setForceWritable(true);
                    }
                    retryingTransactionHelper.doInTransaction(() -> {
                        try {
                            try {
                                if (logger.isDebugEnabled()) {
                                    logger.debug("Begin retry transaction block: " + description.getRequiredTransaction() + "," + description.getRequiredTransactionParameters().getCapability());
                                }
                                if (newBufferedRequest == null || newBufferedResponse == null) {
                                    webScript.execute(webScriptRequest, webScriptResponse);
                                } else {
                                    newBufferedRequest.reset();
                                    newBufferedResponse.reset(this.preserveHeadersPattern);
                                    webScript.execute(newBufferedRequest, newBufferedResponse);
                                }
                                if (!logger.isDebugEnabled()) {
                                    return null;
                                }
                                logger.debug("End retry transaction block: " + description.getRequiredTransaction() + "," + description.getRequiredTransactionParameters().getCapability());
                                return null;
                            } catch (Exception e2) {
                                if (logger.isDebugEnabled()) {
                                    logger.debug("Transaction exception: " + description.getRequiredTransaction() + ": " + e2.getMessage());
                                    UserTransaction activeUserTransaction = RetryingTransactionHelper.getActiveUserTransaction();
                                    if (activeUserTransaction != null) {
                                        logger.debug("Transaction status: " + activeUserTransaction.getStatus());
                                    }
                                }
                                UserTransaction activeUserTransaction2 = RetryingTransactionHelper.getActiveUserTransaction();
                                if (activeUserTransaction2 != null && activeUserTransaction2.getStatus() != 1) {
                                    if (logger.isDebugEnabled()) {
                                        logger.debug("Marking web script transaction for rollback");
                                    }
                                    try {
                                        activeUserTransaction2.setRollbackOnly();
                                    } catch (Throwable th) {
                                        if (logger.isDebugEnabled()) {
                                            logger.debug("Caught and ignoring exception during marking for rollback: " + th.getMessage());
                                        }
                                    }
                                }
                                throw e2;
                            }
                        } catch (Throwable th2) {
                            if (logger.isDebugEnabled()) {
                                logger.debug("End retry transaction block: " + description.getRequiredTransaction() + "," + description.getRequiredTransactionParameters().getCapability());
                            }
                            throw th2;
                        }
                    }, z, z2);
                    if (newBufferedResponse != null) {
                        newBufferedResponse.writeResponse();
                    }
                    if (newBufferedResponse != null) {
                        newBufferedResponse.close();
                    }
                    if (newBufferedRequest != null) {
                        newBufferedRequest.close();
                    }
                } catch (TooBusyException e2) {
                    throw new WebScriptException(503, e2.getMessage(), e2);
                }
            } catch (Throwable th) {
                if (newBufferedResponse != null) {
                    try {
                        newBufferedResponse.close();
                    } catch (Throwable th2) {
                        th.addSuppressed(th2);
                    }
                }
                throw th;
            }
        } catch (Throwable th3) {
            if (newBufferedRequest != null) {
                try {
                    newBufferedRequest.close();
                } catch (Throwable th4) {
                    th3.addSuppressed(th4);
                }
            }
            throw th3;
        }
    }

    private static void handleIOException(IOException iOException) throws IOException {
        Throwable cause = ExceptionStackUtil.getCause(iOException, new Class[]{SocketException.class});
        Class<?> cls = null;
        try {
            cls = Class.forName("org.apache.catalina.connector.ClientAbortException");
        } catch (ClassNotFoundException e) {
        }
        if ((cause == null || !cause.getMessage().contains("Broken pipe")) && (cls == null || ExceptionStackUtil.getCause(iOException, new Class[]{cls}) == null)) {
            throw iOException;
        }
        if (logger.isDebugEnabled()) {
            logger.warn("Client has cut off communication", iOException);
        } else {
            logger.info("Client has cut off communication");
        }
    }

    private void transactionedExecuteAs(WebScript webScript, WebScriptRequest webScriptRequest, WebScriptResponse webScriptResponse) throws IOException {
        String runAs = webScript.getDescription().getRunAs();
        if (runAs == null) {
            transactionedExecute(webScript, webScriptRequest, webScriptResponse);
        } else {
            AuthenticationUtil.runAs(() -> {
                transactionedExecute(webScript, webScriptRequest, webScriptResponse);
                return null;
            }, runAs);
        }
    }

    private void transactionedExecuteAs(WebScript webScript, WebScriptRequest webScriptRequest, WebScriptResponse webScriptResponse, Description.RequiredAuthentication requiredAuthentication) throws IOException {
        if (requiredAuthentication == Description.RequiredAuthentication.sysadmin && isSysAdminUser() && !isAdmin()) {
            AuthenticationUtil.runAs(() -> {
                transactionedExecute(webScript, webScriptRequest, webScriptResponse);
                return null;
            }, "System");
        } else {
            transactionedExecuteAs(webScript, webScriptRequest, webScriptResponse);
        }
    }

    public void onApplicationEvent(ApplicationEvent applicationEvent) {
        if ((applicationEvent instanceof ContextRefreshedEvent) && ((ContextRefreshedEvent) applicationEvent).getApplicationContext().equals(this.applicationContext)) {
            AuthenticationUtil.runAs(() -> {
                reset();
                return null;
            }, AuthenticationUtil.getSystemUserName());
        }
    }

    public Description.RequiredAuthentication getRequiredAuthentication() {
        return AuthenticationUtil.isMtEnabled() ? Description.RequiredAuthentication.guest : Description.RequiredAuthentication.none;
    }

    public boolean authenticate(Authenticator authenticator, Description.RequiredAuthentication requiredAuthentication) {
        if (authenticator == null) {
            return false;
        }
        AuthenticationUtil.clearCurrentSecurityContext();
        return authenticator.authenticate(requiredAuthentication, false);
    }

    public void reset() {
        this.transactionService.getRetryingTransactionHelper().doInTransaction(() -> {
            internalReset();
            return null;
        }, true, false);
    }

    private void internalReset() {
        super.reset();
    }

    private static BufferedRequest newBufferedRequest(Description.RequiredTransactionParameters requiredTransactionParameters, WebScriptRequest webScriptRequest, Supplier<TempOutputStream> supplier) {
        if (requiredTransactionParameters.getCapability() == Description.TransactionCapability.readwrite && requiredTransactionParameters.getBufferSize() > 0) {
            return new BufferedRequest(webScriptRequest, supplier);
        }
        return null;
    }

    private static BufferedResponse newBufferedResponse(Description.RequiredTransactionParameters requiredTransactionParameters, WebScriptResponse webScriptResponse, Supplier<TempOutputStream> supplier) {
        if (requiredTransactionParameters.getCapability() != Description.TransactionCapability.readwrite) {
            return null;
        }
        if (requiredTransactionParameters.getBufferSize() > 0) {
            if (logger.isDebugEnabled()) {
                logger.debug("Creating Transactional Response for ReadWrite transaction; buffersize=" + requiredTransactionParameters.getBufferSize());
            }
            return new BufferedResponse(webScriptResponse, requiredTransactionParameters.getBufferSize(), supplier);
        }
        if (!logger.isDebugEnabled()) {
            return null;
        }
        logger.debug("Transactional Response bypassed for ReadWrite - buffersize=0");
        return null;
    }
}
