package eu.cec.digit.ecas.client.resolver.session;

import eu.cec.digit.ecas.client.logging.Logger;
import eu.cec.digit.ecas.client.resolver.ExceptionVersion;
import eu.cec.digit.ecas.client.resolver.logging.LoggerFactory;
import java.io.Serializable;
import java.lang.reflect.Field;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionActivationListener;
import javax.servlet.http.HttpSessionBindingListener;

/* loaded from: input_file:eu/cec/digit/ecas/client/resolver/session/AbstractHttpSessionHandler.class */
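/**
 * Base implementation of {@link HttpSessionHandler} that clears, invalidates and renews
 * {@link HttpSession}s.
 *
 * <p>{@link #renewSession} is the session-fixation defence: it backs up the attributes of the
 * current session, invalidates it, obtains a session from {@link #getOrCreateSession}, and
 * refuses to continue (with a {@link SecurityException}) unless that session is new and carries
 * a different ID.
 *
 * <p>Logging caveat: at DEBUG level this class writes session IDs (old and new) and the string
 * form of session attribute values to the log. Treat DEBUG output from this class as sensitive
 * and keep it disabled, or access-restricted, on production systems.
 */
public abstract class AbstractHttpSessionHandler implements HttpSessionHandler, Serializable {
    private static final long serialVersionUID = -6981881159906393950L;
    private static final Logger LOG =
            LoggerFactory.getInstance().getLogger(AbstractHttpSessionHandler.class);
    protected static final String PHISHING_WARNING = "Therefore all your applications are not adequately protected against session-fixation attacks! You should not use this Servlet Container for a production-grade application!";

    /** Raised when the container hands back the same (non-new) session after invalidation. */
    private static final String SESSION_NOT_RENEWED =
            "This Servlet Container does not renew HttpSessions. " + PHISHING_WARNING;

    /** Raised when the container creates a new session but re-uses the previous session ID. */
    private static final String SESSION_ID_NOT_CHANGED =
            "This Servlet Container does not change the HttpSession ID when a new HttpSession is created. "
                    + PHISHING_WARNING;

    /**
     * Builds the {@code ClassName@hexIdentityHash} form that {@link Object#toString()} produces
     * by default, regardless of any {@code toString()} override on {@code obj}.
     *
     * <p>Declared {@code protected} in the original class file; the decompiler widened it.
     *
     * @param obj the object to describe; must not be {@code null}
     * @return the class name, an {@code @}, and the identity hash code in hexadecimal
     */
    public static String identityHashCodeString(Object obj) {
        return obj.getClass().getName() + "@" + Integer.toHexString(System.identityHashCode(obj));
    }

    /**
     * Tells whether {@code obj} declares a field whose type is {@link HttpSession} or a subtype.
     *
     * <p>Only the <em>declared type</em> of each field is inspected. A session held through a
     * field typed {@code Object}, inside a collection, or reachable only through another object
     * is not detected, so a {@code false} result does not prove the object is free of session
     * references.
     *
     * @param obj the candidate attribute value, may be {@code null}
     * @return {@code true} if a field of {@code obj}'s class or of any superclass is typed as an
     *         {@code HttpSession}; {@code false} otherwise or when {@code obj} is {@code null}
     */
    protected boolean checkHttpSessionLeak(Object obj) {
        if (obj == null) {
            return false;
        }
        Class<?> type = obj.getClass();
        // getFields() also returns public fields inherited from interfaces, which the
        // superclass walk below never visits.
        if (declaresHttpSessionField(type.getFields())) {
            return true;
        }
        // getDeclaredFields() covers non-public fields, one class at a time up the hierarchy.
        for (Class<?> current = type; current != null; current = current.getSuperclass()) {
            if (declaresHttpSessionField(current.getDeclaredFields())) {
                return true;
            }
        }
        return false;
    }

    /** Returns {@code true} if any of {@code fields} has a declared type assignable to HttpSession. */
    private static boolean declaresHttpSessionField(Field[] fields) {
        for (Field field : fields) {
            if (HttpSession.class.isAssignableFrom(field.getType())) {
                return true;
            }
        }
        return false;
    }

    /**
     * Copies the attribute names of {@code httpSession} into a list so that callers can modify
     * the session while walking the names.
     */
    private static List<String> attributeNamesSnapshot(HttpSession httpSession) {
        List<String> names = new ArrayList<String>();
        Enumeration<?> live = httpSession.getAttributeNames();
        while (live.hasMoreElements()) {
            names.add((String) live.nextElement());
        }
        return names;
    }

    /**
     * Removes every attribute from {@code httpSession}.
     *
     * <p>The names are snapshotted first: removing attributes while walking the container's own
     * enumeration can fail or skip entries when that enumeration is backed by the live attribute
     * map, which would leave stale state behind in a session that is supposed to be empty.
     *
     * @param httpSession the session to empty
     * @throws IllegalStateException if the session has already been invalidated
     */
    @Override
    public void clearSession(HttpSession httpSession) throws IllegalStateException {
        for (String name : attributeNamesSnapshot(httpSession)) {
            httpSession.removeAttribute(name);
        }
    }

    /**
     * Backs up the attributes of {@code httpSession} that may safely outlive it.
     *
     * <p>Attributes rejected by {@link #mustNotCopyAttribute} are left out. At DEBUG level each
     * copied attribute is logged with its value.
     *
     * <p>Declared {@code protected} in the original class file; the decompiler widened it.
     *
     * @param httpSession the session to read
     * @return a new mutable map from attribute name to attribute value
     */
    public Map copySessionAttributes(HttpSession httpSession) {
        Map<String, Object> backup = new HashMap<String, Object>();
        for (String name : attributeNamesSnapshot(httpSession)) {
            Object value = httpSession.getAttribute(name);
            if (mustNotCopyAttribute(name, value)) {
                continue;
            }
            if (LOG.isDebugEnabled()) {
                LOG.debug("Backing up session attribute name: \"" + name + "\", with value \"" + value + "\"");
            }
            backup.put(name, value);
        }
        return backup;
    }

    /**
     * Invalidates the session currently attached to the request, if there is one.
     *
     * @param httpServletRequest the request whose session should be invalidated
     * @throws IllegalArgumentException if {@code httpServletRequest} is {@code null}
     * @throws IllegalStateException if invalidation fails
     */
    @Override
    public void invalidateSession(HttpServletRequest httpServletRequest) throws IllegalStateException, IllegalArgumentException {
        if (httpServletRequest == null) {
            throw new IllegalArgumentException("request cannot be null");
        }
        HttpSession current = getExistingSession(httpServletRequest);
        if (current != null) {
            invalidateSession(current);
        }
    }

    /**
     * Invalidates {@code httpSession} while holding its monitor.
     *
     * <p>If the session implementation exposes a public no-argument {@code isValid()} method it
     * is called reflectively and {@code invalidate()} is skipped for a session that reports
     * itself invalid. Otherwise {@code invalidate()} is called directly and the
     * {@link IllegalStateException} of an already-invalidated session is ignored.
     *
     * @param httpSession the session to invalidate
     * @throws IllegalArgumentException if {@code httpSession} is {@code null}
     * @throws IllegalStateException if {@code isValid()} cannot be accessed or throws, or if
     *         {@code invalidate()} fails after {@code isValid()} returned {@code true}
     */
    @Override
    public void invalidateSession(HttpSession httpSession) throws IllegalStateException, IllegalArgumentException {
        if (httpSession == null) {
            throw new IllegalArgumentException("session cannot be null");
        }
        synchronized (httpSession) {
            try {
                Method isValid = httpSession.getClass().getMethod("isValid", new Class[0]);
                // NOTE(review): presumably needed because the implementation class itself may
                // not be public; setAccessible can be refused by the runtime's access
                // controls, in which case the resulting exception propagates to the caller.
                isValid.setAccessible(true);
                boolean stillValid = ((Boolean) isValid.invoke(httpSession, new Object[0])).booleanValue();
                if (stillValid) {
                    httpSession.invalidate();
                }
            } catch (NoSuchMethodException noValidityProbe) {
                // No isValid() on this implementation: invalidate unconditionally.
                try {
                    httpSession.invalidate();
                } catch (IllegalStateException ignored) {
                    // Already invalidated, which is the state we wanted.
                }
            } catch (IllegalAccessException e) {
                throw asIllegalState(e);
            } catch (InvocationTargetException e) {
                // Report the failure raised by isValid() itself, not the reflection wrapper.
                throw asIllegalState(e.getTargetException());
            }
        }
    }

    /** Wraps {@code cause} in an IllegalStateException carrying the same message and the cause. */
    private static IllegalStateException asIllegalState(Throwable cause) {
        IllegalStateException wrapped = new IllegalStateException(cause.getMessage());
        ExceptionVersion.initCause(wrapped, cause);
        return wrapped;
    }

    /**
     * Decides whether an attribute must be left behind when a session is renewed.
     *
     * <p>Rejected are values implementing {@link HttpSessionBindingListener} or
     * {@link HttpSessionActivationListener}, and values for which
     * {@link #checkHttpSessionLeak} reports a field typed as {@code HttpSession} (copying those
     * would keep a reference to the invalidated session alive in the new one).
     *
     * @param str the attribute name, used for logging only
     * @param obj the attribute value
     * @return {@code true} if the attribute must not be copied
     */
    protected boolean mustNotCopyAttribute(String str, Object obj) {
        if (obj instanceof HttpSessionBindingListener) {
            if (LOG.isDebugEnabled()) {
                LOG.debug(notBackingUp(str, obj, " because it implements javax.servlet.http.HttpSessionBindingListener."));
            }
            return true;
        }
        if (obj instanceof HttpSessionActivationListener) {
            if (LOG.isDebugEnabled()) {
                LOG.debug(notBackingUp(str, obj, " because it implements javax.servlet.http.HttpSessionActivationListener."));
            }
            return true;
        }
        if (checkHttpSessionLeak(obj)) {
            if (LOG.isWarnEnabled()) {
                LOG.warn(notBackingUp(str, obj, " because it would have leaked the invalidated HttpSession."));
            }
            return true;
        }
        return false;
    }

    /** Formats the log line for an attribute that is skipped during backup. */
    private static String notBackingUp(String name, Object value, String reason) {
        return "Not Backing up session attribute name: \"" + name + "\", with value \"" + value + "\"" + reason;
    }

    /**
     * Replaces {@code httpSession} with a fresh session carrying the same attributes.
     *
     * <p>A session that is already new is returned untouched. Otherwise the attributes are
     * backed up, the session is invalidated, and a session is requested from
     * {@link #getOrCreateSession}. The container must answer with a new session whose ID
     * differs from the old one; if it does not, the renewal is aborted, because a re-used
     * session or session ID leaves the application exposed to session fixation.
     *
     * <p>Attribute values are carried over as they are, so state stored in the session before
     * renewal is still present afterwards; only the session identity changes.
     *
     * @param httpServletRequest the current request
     * @param httpSession the session to renew
     * @return the new session, or {@code httpSession} itself if it was already new
     * @throws SecurityException if the container returns a non-new session or re-uses the ID
     */
    @Override
    public HttpSession renewSession(HttpServletRequest httpServletRequest, HttpSession httpSession) {
        if (httpSession.isNew()) {
            return httpSession;
        }
        String oldId = httpSession.getId();
        boolean debug = LOG.isDebugEnabled();
        Map savedAttributes = copySessionAttributes(httpSession);
        // toString() is taken before invalidation, while the session is still valid.
        String oldDescription = debug ? httpSession.toString() : null;
        invalidateSession(httpSession);
        HttpSession renewed = getOrCreateSession(httpServletRequest);
        synchronized (renewed) {
            String newId = renewed.getId();
            if (debug) {
                logRenewal(httpServletRequest, httpSession, oldDescription, oldId, renewed, newId);
            }
            if (!renewed.isNew()) {
                if (LOG.isErrorEnabled()) {
                    LOG.error(SESSION_NOT_RENEWED);
                }
                throw new SecurityException(SESSION_NOT_RENEWED);
            }
            if (oldId.equals(newId)) {
                if (LOG.isErrorEnabled()) {
                    LOG.error(SESSION_ID_NOT_CHANGED);
                }
                throw new SecurityException(SESSION_ID_NOT_CHANGED);
            }
            restoreSessionAttributes(savedAttributes, renewed);
        }
        return renewed;
    }

    /**
     * Writes the DEBUG trace of a renewal.
     *
     * <p>NOTE(review): this trace contains the ID of the session that is live after renewal;
     * anyone able to read the DEBUG log obtains a usable session identifier.
     */
    private static void logRenewal(HttpServletRequest request, HttpSession oldSession, String oldDescription,
            String oldId, HttpSession newSession, String newId) {
        LOG.debug("Current request class: " + request.getClass().getName());
        LOG.debug("Current request: " + request);
        LOG.debug("Old session class: " + oldSession.getClass().getName());
        LOG.debug("Old session: " + oldDescription);
        LOG.debug("Current session class: " + newSession.getClass().getName());
        LOG.debug("Current session: " + newSession);
        LOG.debug("Current session #isNew(): " + newSession.isNew());
        LOG.debug("Old session ID: \"" + oldId + "\"");
        LOG.debug("New session ID: \"" + newId + "\"");
        LOG.debug("request.getSession(false): \"" + request.getSession(false) + "\"");
        LOG.debug("request.getSession(false).getId(): \""
                + (null == request.getSession(false) ? "" : request.getSession(false).getId()) + "\"");
    }

    /**
     * Puts backed-up attributes into {@code httpSession}.
     *
     * <p>An attribute name that already has a value in {@code httpSession} is left alone, as
     * the accompanying log message states. The decompiled original logged "Not restoring back"
     * for such names and then overwrote the value anyway, replacing state the new session had
     * just been given with state taken from the invalidated one.
     *
     * <p>Declared {@code protected} in the original class file; the decompiler widened it.
     *
     * @param map attribute names mapped to the values to restore
     * @param httpSession the session receiving the attributes
     */
    public void restoreSessionAttributes(Map map, HttpSession httpSession) {
        boolean debug = LOG.isDebugEnabled();
        for (Object rawEntry : map.entrySet()) {
            Map.Entry<?, ?> entry = (Map.Entry<?, ?>) rawEntry;
            String name = (String) entry.getKey();
            Object saved = entry.getValue();
            Object present = httpSession.getAttribute(name);
            if (present != null) {
                if (debug) {
                    LOG.debug("Not restoring back session attribute name: \"" + name + "\", because already present in the new session with value \"" + present + "\"");
                }
                continue;
            }
            if (debug) {
                LOG.debug("Restoring back session attribute name: \"" + name + "\", with value \"" + saved + "\"");
            }
            httpSession.setAttribute(name, saved);
        }
    }

    /**
     * Returns the session bound to the request, creating one if necessary.
     *
     * @param httpServletRequest the current request
     * @return the existing or newly created session
     */
    @Override
    public abstract HttpSession getOrCreateSession(HttpServletRequest httpServletRequest) throws IllegalStateException, SessionCreationRuntimeException;

    /**
     * Returns the session bound to the request without creating one.
     *
     * <p>{@link #invalidateSession(HttpServletRequest)} treats a {@code null} result as
     * "no session to invalidate".
     *
     * @param httpServletRequest the current request
     * @return the existing session, or {@code null}
     */
    @Override
    public abstract HttpSession getExistingSession(HttpServletRequest httpServletRequest);
}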
