package com.sun.enterprise.security.provider;

import com.sun.enterprise.util.LocalStringManagerImpl;
import fish.payara.jacc.ContextProvider;
import fish.payara.jacc.JaccConfigurationFactory;
import java.io.File;
import java.net.MalformedURLException;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URL;
import java.security.AccessController;
import java.security.CodeSource;
import java.security.NoSuchAlgorithmException;
import java.security.Permission;
import java.security.PermissionCollection;
import java.security.Permissions;
import java.security.Policy;
import java.security.PrivilegedAction;
import java.security.ProtectionDomain;
import java.security.Security;
import java.util.Collections;
import java.util.Enumeration;
import java.util.Iterator;
import java.util.List;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.management.MBeanPermission;
import javax.security.jacc.EJBRoleRefPermission;
import javax.security.jacc.PolicyContext;
import javax.security.jacc.PolicyContextException;
import javax.security.jacc.WebResourcePermission;
import javax.security.jacc.WebRoleRefPermission;
import org.apache.derby.iapi.services.classfile.VMDescriptor;
import sun.net.www.ParseUtil;
import sun.security.util.PropertyExpander;

/* loaded from: input_file:com/sun/enterprise/security/provider/JDKPolicyFileWrapper.class */
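/**
 * JACC policy provider that wraps the JDK's {@code "JavaPolicy"} implementation and layers
 * per-policy-context decisions on top of it.
 *
 * <p>For every query the current JACC policy context id is read from {@link PolicyContext}. If a
 * {@link ContextProvider} is registered for that id, the query is delegated to the provider's
 * policy. Otherwise the policy of the matching {@code PolicyConfigurationImpl} is used (falling
 * back to the wrapped JDK policy), and permissions covered by that configuration's excluded
 * policy are removed from the result.
 *
 * <p><b>Security-relevant behaviour for reviewers:</b>
 * <ul>
 *   <li>{@link #implies(ProtectionDomain, Permission)} answers {@code true} for a permission check
 *       that re-enters on the same thread while an earlier check is still being evaluated. This
 *       is a recursion guard and it fails open: everything reachable from {@code doImplies}
 *       (delegate policies, context providers, logging) is effectively trusted.</li>
 *   <li>The context-provider re-entry guard fails closed instead: {@code false} from
 *       {@code doImplies} and {@link Policy#UNSUPPORTED_EMPTY_COLLECTION} from
 *       {@code getPermissions}.</li>
 *   <li>The guard in {@code implies} is only active when a {@code SecurityManager} was installed
 *       at class-initialisation time and the {@code ignoreReentrancy} system property is not
 *       {@code true}; both are read once, in the static initialiser.</li>
 * </ul>
 */
public class JDKPolicyFileWrapper extends Policy {
    /** System property naming an additional policy file (honoured only if allowed, see {@link #allowSystemProperties()}). */
    private static final String POLICY = "java.security.policy";
    /** Prefix of the numbered security properties ({@code <prefix>1}, {@code <prefix>2}, ...) listing policy URLs. */
    private static final String POLICY_URL = "jdkPolicyFile.url.";
    /** System property naming an additional auth policy file. */
    private static final String AUTH_POLICY = "java.security.auth.policy";
    /** Prefix of the numbered security properties listing auth policy URLs. */
    private static final String AUTH_POLICY_URL = "auth.policy.url.";
    /** Policy context handler key that is queried at the end of {@link #refresh()}. */
    private static final String REUSE = "java.security.Policy.supportsReuse";
    /** System property that, when {@code true}, switches the re-entrancy guard in {@code implies} off. */
    private static final String IGNORE_REENTRANCY_PROP_NAME = "com.sun.enterprise.security.provider.PolicyWrapper.ignoreReentrancy";
    /** Whether {@code implies} guards against same-thread re-entry; assigned in the static initialiser. */
    private static final boolean AVOID_REENTRANCY;
    /** Per-thread one-element {@code byte[]} flag (1 = a check is in progress); only created when {@link #AVOID_REENTRANCY} is set. */
    private static ThreadLocal<Object> reentrancyStatus;
    /** Per-thread flag: {@code true} while a call into a {@link ContextProvider}'s policy is in progress. */
    private static ThreadLocal<Boolean> contextProviderReentry;
    private static Logger logger = Logger.getLogger("javax.enterprise.system.core.security");
    private static LocalStringManagerImpl localStrings = new LocalStringManagerImpl(JDKPolicyFileWrapper.class);
    /** System property that, when {@code true}, makes every refresh report the default context as changed. */
    private static final String FORCE_APP_REFRESH_PROP_NAME = "com.sun.enterprise.security.provider.PolicyWrapper.force_app_refresh";
    private static final boolean FORCE_APP_REFRESH = Boolean.getBoolean(FORCE_APP_REFRESH_PROP_NAME);
    /** The wrapped JDK policy; used whenever no per-context policy applies. */
    private Policy jdkPolicyFile = getNewPolicy();
    /** Sum of policy-file timestamps seen by the last {@link #defaultContextChanged()} call. */
    private long refreshTime = 0;

    /**
     * Creates the wrapper and records the current policy-file timestamps so that a later
     * {@link #refresh()} can tell whether the files changed since construction.
     */
    public JDKPolicyFileWrapper() {
        defaultContextChanged();
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Obtains a fresh instance of the JDK's {@code "JavaPolicy"} policy type.
     *
     * @return the JDK policy instance
     * @throws IllegalStateException if the {@code "JavaPolicy"} type is not available
     */
    public Policy getNewPolicy() {
        try {
            return Policy.getInstance("JavaPolicy", null);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    /**
     * Returns the permissions granted to {@code codeSource} in the current policy context.
     *
     * <p>Without a registered context provider, the per-context (or JDK) policy is consulted and
     * excluded permissions are stripped. With a provider, the provider's policy is asked; a
     * re-entrant call on the same thread gets {@link Policy#UNSUPPORTED_EMPTY_COLLECTION}.
     *
     * @param codeSource the code source to look up
     * @return the granted permissions; may be {@code null} on the non-provider path when the
     *     delegate returns {@code null} or every granted permission is excluded
     */
    @Override
    public PermissionCollection getPermissions(CodeSource codeSource) {
        String contextID = PolicyContext.getContextID();
        ContextProvider contextProvider = getContextProvider(contextID, getPolicyFactory());
        if (contextProvider == null) {
            PolicyConfigurationImpl policyConfig = getPolicyConfigForContext(contextID);
            PermissionCollection granted = getPolicy(policyConfig).getPermissions(codeSource);
            if (granted != null) {
                granted = removeExcludedPermissions(policyConfig, granted);
            }
            if (logger.isLoggable(Level.FINEST)) {
                logger.finest("JACC Policy Provider: PolicyWrapper.getPermissions(cs), context (" + contextID + ")  codesource (" + codeSource + ") permissions: " + granted);
            }
            return granted;
        }
        // Fail closed: a nested query raised while the provider's policy is running gets nothing.
        if (contextProviderReentry.get().booleanValue()) {
            return Policy.UNSUPPORTED_EMPTY_COLLECTION;
        }
        contextProviderReentry.set(true);
        try {
            return contextProvider.getPolicy().getPermissions(codeSource);
        } finally {
            // Always clear the flag, including when the provider throws.
            contextProviderReentry.set(false);
        }
    }

    /**
     * Returns the permissions granted to {@code protectionDomain} in the current policy context.
     * Follows the same two paths as {@link #getPermissions(CodeSource)}.
     *
     * @param protectionDomain the protection domain to look up
     * @return the granted permissions; may be {@code null} on the non-provider path when the
     *     delegate returns {@code null} or every granted permission is excluded
     */
    @Override
    public PermissionCollection getPermissions(ProtectionDomain protectionDomain) {
        String contextID = PolicyContext.getContextID();
        ContextProvider contextProvider = getContextProvider(contextID, getPolicyFactory());
        if (contextProvider == null) {
            PolicyConfigurationImpl policyConfig = getPolicyConfigForContext(contextID);
            PermissionCollection granted = getPolicy(policyConfig).getPermissions(protectionDomain);
            if (granted != null) {
                granted = removeExcludedPermissions(policyConfig, granted);
            }
            if (logger.isLoggable(Level.FINEST)) {
                logger.finest("JACC Policy Provider: PolicyWrapper.getPermissions(d), context (" + contextID + ") permissions: " + granted);
            }
            return granted;
        }
        // Fail closed on re-entry, as in getPermissions(CodeSource).
        if (contextProviderReentry.get().booleanValue()) {
            return Policy.UNSUPPORTED_EMPTY_COLLECTION;
        }
        contextProviderReentry.set(true);
        try {
            return contextProvider.getPolicy().getPermissions(protectionDomain);
        } finally {
            contextProviderReentry.set(false);
        }
    }

    /**
     * Decides whether {@code protectionDomain} holds {@code permission} in the current context.
     *
     * <p>When {@link #AVOID_REENTRANCY} is set, a call that arrives on a thread which is already
     * inside this method returns {@code true} without evaluating anything. That breaks the
     * recursion that occurs when policy evaluation itself triggers a permission check, but it
     * also means such nested checks are granted unconditionally; keep the code reachable from
     * {@code doImplies} small and trusted.
     *
     * @param protectionDomain the domain being checked
     * @param permission the permission being requested
     * @return {@code true} if the permission is granted (or the call is a guarded re-entry)
     */
    @Override
    public boolean implies(ProtectionDomain protectionDomain, Permission permission) {
        if (!AVOID_REENTRANCY) {
            return doImplies(protectionDomain, permission);
        }
        byte[] inProgress = (byte[]) reentrancyStatus.get();
        if (inProgress[0] == 1) {
            // Re-entrant check on this thread: fail open by design (see method comment).
            return true;
        }
        inProgress[0] = 1;
        try {
            return doImplies(protectionDomain, permission);
        } finally {
            // Reset even on exception so the thread does not stay in "grant everything" mode.
            inProgress[0] = 0;
        }
    }

    /**
     * Refreshes the wrapped JDK policy and every known policy configuration, then, if a handler
     * is registered for the {@code supportsReuse} key, invokes it through {@link PolicyContext}.
     *
     * @throws IllegalStateException if the policy context handler lookup fails
     */
    @Override
    public void refresh() {
        if (logger.isLoggable(Level.FINE)) {
            logger.fine("JACC Policy Provider: Refreshing Policy files!");
        }
        this.jdkPolicyFile.refresh();
        boolean defaultChanged = defaultContextChanged();
        PolicyConfigurationFactoryImpl policyFactory = getPolicyFactory();
        List<PolicyConfigurationImpl> configurations = policyFactory != null ? policyFactory.getPolicyConfigurationImpls() : null;
        if (configurations != null) {
            for (PolicyConfigurationImpl configuration : configurations) {
                if (configuration != null) {
                    configuration.refresh(defaultChanged);
                }
            }
        }
        try {
            if (PolicyContext.getHandlerKeys().contains(REUSE)) {
                PolicyContext.getContext(REUSE);
            }
        } catch (PolicyContextException e) {
            // Same type and message as before; the cause is now kept for diagnosis.
            throw new IllegalStateException(e.toString(), e);
        }
    }

    /**
     * Looks up the policy configuration for a context id.
     *
     * @param str the policy context id, may be {@code null}
     * @return the configuration, or {@code null} if the id is {@code null}, no factory is
     *     available, or the factory does not know the id (the last case is logged as a warning)
     */
    private PolicyConfigurationImpl getPolicyConfigForContext(String str) {
        PolicyConfigurationFactoryImpl policyFactory = getPolicyFactory();
        if (str == null || policyFactory == null) {
            return null;
        }
        PolicyConfigurationImpl configuration = policyFactory.getPolicyConfigurationImpl(str);
        if (configuration == null) {
            logMsg(Level.WARNING, "pc.unknown_policy_context", str);
        }
        return configuration;
    }

    /**
     * Returns the context provider registered for a context id.
     *
     * @param str the policy context id, may be {@code null}
     * @param jaccConfigurationFactory the factory to query, may be {@code null}
     * @return the provider, or {@code null} if either argument is {@code null} or none is registered
     */
    private ContextProvider getContextProvider(String str, JaccConfigurationFactory jaccConfigurationFactory) {
        if (jaccConfigurationFactory == null || str == null) {
            return null;
        }
        return jaccConfigurationFactory.getContextProviderByPolicyContextId(str);
    }

    /**
     * Picks the policy to consult: the configuration's own policy when it has one, otherwise the
     * wrapped JDK policy.
     *
     * @param policyConfigurationImpl the context's configuration, may be {@code null}
     * @return a non-null policy, provided the wrapped JDK policy is non-null
     */
    private Policy getPolicy(PolicyConfigurationImpl policyConfigurationImpl) {
        if (policyConfigurationImpl != null) {
            Policy contextPolicy = policyConfigurationImpl.getPolicy();
            if (contextPolicy != null) {
                return contextPolicy;
            }
        }
        return this.jdkPolicyFile;
    }

    /**
     * Returns the excluded permissions of a configuration.
     *
     * @param policyConfigurationImpl the context's configuration, may be {@code null}
     * @return the excluded policy, or {@code null} when there is no configuration
     */
    private static Permissions getExcludedPolicy(PolicyConfigurationImpl policyConfigurationImpl) {
        return policyConfigurationImpl != null ? policyConfigurationImpl.getExcludedPolicy() : null;
    }

    /**
     * Filters out every granted permission that is covered by, or itself covers, an excluded
     * permission (see {@link #grantedIsExcluded(Permission, Permissions)}).
     *
     * @param policyConfigurationImpl the context's configuration, may be {@code null}
     * @param permissionCollection the granted permissions; must not be {@code null}
     * @return the input collection itself when nothing was removed; otherwise a new collection
     *     holding the survivors, or {@code null} when no permission survived
     */
    private static PermissionCollection removeExcludedPermissions(PolicyConfigurationImpl policyConfigurationImpl, PermissionCollection permissionCollection) {
        Permissions excluded = getExcludedPolicy(policyConfigurationImpl);
        if (excluded == null || !excluded.elements().hasMoreElements()) {
            return permissionCollection;
        }
        PermissionCollection kept = null;
        boolean noneRemoved = true;
        // Snapshot the enumeration first so the granted collection is not read while we build 'kept'.
        for (Permission granted : Collections.list(permissionCollection.elements())) {
            if (grantedIsExcluded(granted, excluded)) {
                noneRemoved = false;
            } else {
                if (kept == null) {
                    kept = new Permissions();
                }
                kept.add(granted);
            }
        }
        // NOTE(review): 'kept' stays null when every granted permission was excluded, so callers
        // of getPermissions can observe null here rather than an empty collection.
        return noneRemoved ? permissionCollection : kept;
    }

    /**
     * Tests a granted permission against the excluded set in both directions: it is excluded if
     * the excluded set implies it, or if it implies any single excluded permission. The second
     * direction means a broad grant is dropped entirely when it overlaps an exclusion.
     *
     * @param permission the granted permission
     * @param permissions the excluded permissions, may be {@code null}
     * @return {@code true} if the permission must not be granted
     */
    private static boolean grantedIsExcluded(Permission permission, Permissions permissions) {
        boolean excluded = false;
        if (permissions != null) {
            if (permissions.implies(permission)) {
                excluded = true;
            } else {
                Enumeration<Permission> candidates = permissions.elements();
                while (!excluded && candidates.hasMoreElements()) {
                    if (permission.implies(candidates.nextElement())) {
                        excluded = true;
                    }
                }
            }
        }
        if (logger.isLoggable(Level.FINEST) && excluded) {
            logger.finest("JACC Policy Provider: permission is excluded: " + permission);
        }
        return excluded;
    }

    /**
     * Performs the actual permission decision for {@link #implies(ProtectionDomain, Permission)}.
     *
     * <p>If a context provider is registered for the current context, its policy decides; a
     * nested call made while that policy is running is denied. Otherwise the per-context (or JDK)
     * policy decides, and a grant is revoked when the permission is excluded.
     *
     * @param protectionDomain the domain being checked
     * @param permission the permission being requested
     * @return {@code true} if the permission is granted
     */
    private boolean doImplies(ProtectionDomain protectionDomain, Permission permission) {
        String contextID = PolicyContext.getContextID();
        // The factory is only consulted when there is a context id, as in the original flow.
        ContextProvider contextProvider = contextID == null ? null : getContextProvider(contextID, getPolicyFactory());
        if (contextProvider != null) {
            // Fail closed on re-entry into the provider's policy.
            if (contextProviderReentry.get().booleanValue()) {
                return false;
            }
            contextProviderReentry.set(true);
            try {
                return contextProvider.getPolicy().implies(protectionDomain, permission);
            } finally {
                contextProviderReentry.set(false);
            }
        }
        PolicyConfigurationImpl policyConfig = getPolicyConfigForContext(contextID);
        boolean granted = getPolicy(policyConfig).implies(protectionDomain, permission);
        if (granted) {
            // The excluded policy overrides a grant from the delegate policy.
            Permissions excluded = getExcludedPolicy(policyConfig);
            if (excluded != null) {
                granted = !grantedIsExcluded(permission, excluded);
            }
        } else {
            logImpliesFailure(permission, contextID, protectionDomain);
        }
        if (!granted && logger.isLoggable(Level.FINEST)) {
            logDenies(permission, contextID);
        }
        return granted;
    }

    /**
     * Logs a denied permission check at INFO (and the failing domain plus a stack trace at FINE).
     * Denials of the four JACC/MBean permission types tested below are not logged here.
     *
     * <p>The context id and the permission's string form are concatenated into the message
     * unescaped; log consumers should treat those parts as untrusted text.
     *
     * @param permission the permission that was denied
     * @param str the policy context id, may be {@code null}
     * @param protectionDomain the domain that was denied
     */
    private void logImpliesFailure(final Permission permission, final String str, final ProtectionDomain protectionDomain) {
        if ((permission instanceof WebResourcePermission) || (permission instanceof MBeanPermission) || (permission instanceof WebRoleRefPermission) || (permission instanceof EJBRoleRefPermission)) {
            return;
        }
        if (logger.isLoggable(Level.FINE)) {
            // The exception is never thrown; it only carries the call stack of the failed check.
            Exception exc = new Exception();
            exc.fillInStackTrace();
            logger.log(Level.FINE, "JACC Policy Provider, failed Permission Check at :", (Throwable) exc);
        }
        // Privileged so that building and writing the message does not depend on the caller's rights.
        AccessController.doPrivileged(new PrivilegedAction<Object>() {
            @Override
            public Object run() {
                // NOTE(review): VMDescriptor.ENDMETHOD looks like a constant substituted by the
                // decompiler for a ")" literal; confirm before dropping the Derby dependency.
                JDKPolicyFileWrapper.logger.info("JACC Policy Provider: Failed Permission Check, context(" + str + ")- permission(" + permission + VMDescriptor.ENDMETHOD);
                if (JDKPolicyFileWrapper.logger.isLoggable(Level.FINE)) {
                    JDKPolicyFileWrapper.logger.fine("Domain that failed(" + protectionDomain + VMDescriptor.ENDMETHOD);
                }
                return null;
            }
        });
    }

    /**
     * Logs a denial at FINEST; the message is built lazily by the supplier.
     *
     * @param permission the permission that was denied
     * @param str the policy context id, may be {@code null}
     */
    private void logDenies(Permission permission, String str) {
        logger.log(Level.FINEST, () -> "JACC Policy Provider: PolicyWrapper.implies, context (" + str + ")-result was(false) permission (" + permission + VMDescriptor.ENDMETHOD);
    }

    /**
     * Reports whether the default policy files changed since the previous call and remembers the
     * new state. Always {@code true} when the force-refresh system property is set.
     *
     * <p>Change detection compares the <em>sum</em> of the files' last-modified times, so it is a
     * heuristic rather than a content check.
     *
     * @return {@code true} if the summed timestamp differs from the stored one
     */
    synchronized boolean defaultContextChanged() {
        if (FORCE_APP_REFRESH) {
            return true;
        }
        long current = getTimeStamp(POLICY, POLICY_URL) + getTimeStamp(AUTH_POLICY, AUTH_POLICY_URL);
        boolean changed = this.refreshTime != current;
        this.refreshTime = current;
        return changed;
    }

    /**
     * Sums the last-modified times of the policy files named by a system property and by a
     * numbered list of security properties.
     *
     * <p>The system property is only read when {@link #allowSystemProperties()} permits it. A
     * value starting with {@code "="} means that file alone counts and the URL list is skipped.
     *
     * @param str name of the system property holding a policy location
     * @param str2 prefix of the numbered security properties holding policy URLs
     * @return the summed timestamps, {@code 0} if nothing was found
     */
    private static long getTimeStamp(final String str, final String str2) {
        return ((Long) AccessController.doPrivileged(new PrivilegedAction<Long>() {
            @Override
            public Long run() {
                long total = 0;
                if (JDKPolicyFileWrapper.access$100()) {
                    String location = System.getProperty(str);
                    if (location != null) {
                        boolean onlyThisFile = false;
                        if (location.startsWith("=")) {
                            onlyThisFile = true;
                            location = location.substring(1);
                        }
                        total = 0 + JDKPolicyFileWrapper.getLastModifiedFromPolicyProperty(location);
                        if (onlyThisFile) {
                            return Long.valueOf(total);
                        }
                    }
                }
                return Long.valueOf(total + JDKPolicyFileWrapper.getLastModifiedFromUrlNames(str2));
            }
        })).longValue();
    }

    /**
     * Tells whether policy locations may be taken from system properties, as configured by the
     * {@code jdkPolicyFile.allowSystemProperty} security property.
     *
     * @return {@code true} only if that security property equals {@code "true"} (case-insensitive)
     */
    private static boolean allowSystemProperties() {
        return "true".equalsIgnoreCase(Security.getProperty("jdkPolicyFile.allowSystemProperty"));
    }

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Sums the last-modified times of the {@code file:} policy URLs listed in the security
     * properties {@code str + 1}, {@code str + 2}, ... up to the first missing index.
     *
     * <p>An entry that cannot be expanded or parsed is skipped; the failure is now logged at FINE
     * instead of being dropped silently, so a misconfigured policy location can be found.
     *
     * @param str prefix of the numbered security properties
     * @return the summed timestamps of the existing files
     */
    public static long getLastModifiedFromUrlNames(String str) {
        long total = 0;
        for (int index = 1; ; index++) {
            String location = Security.getProperty(str + index);
            if (location == null) {
                return total;
            }
            try {
                URL policyUrl = getPolicyUrl(location);
                if ("file".equals(policyUrl.getProtocol())) {
                    String path = ParseUtil.decode(policyUrl.getFile().replace('/', File.separatorChar));
                    File file = new File(path);
                    if (file.exists()) {
                        total += file.lastModified();
                        logMsg(Level.FINE, "pc.file_refreshed", path);
                    } else {
                        logMsg(Level.FINE, "pc.file_not_refreshed", path);
                    }
                } else {
                    // Non-file URLs have no timestamp we can read here.
                    logMsg(Level.FINE, "pc.file_not_refreshed", policyUrl);
                }
            } catch (Exception e) {
                // Best effort: skip this entry and continue with the next index.
                if (logger.isLoggable(Level.FINE)) {
                    logger.log(Level.FINE, "JACC Policy Provider: skipping unusable policy location " + location, e);
                }
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Returns the last-modified time of a policy location given either as a file path or as a
     * {@code file:} URL, after property expansion.
     *
     * @param str the raw location, possibly containing <code>${...}</code> references
     * @return the file's timestamp, or {@code 0} if it does not exist or cannot be resolved
     */
    public static long getLastModifiedFromPolicyProperty(String str) {
        try {
            String location = PropertyExpander.expand(str);
            File file = new File(location);
            boolean exists = file.exists();
            if (!exists) {
                // Not a plain path; try to read it as a URL instead.
                URL url = new URL(location);
                if ("file".equals(url.getProtocol())) {
                    location = ParseUtil.decode(url.getFile().replace('/', File.separatorChar));
                    file = new File(location);
                    exists = file.exists();
                }
            }
            return getLastModifiedTime(exists, file, location);
        } catch (Exception e) {
            // Best effort: an unresolvable location contributes nothing to the timestamp.
            if (logger.isLoggable(Level.FINE)) {
                logger.log(Level.FINE, "JACC Policy Provider: cannot resolve policy location " + str, e);
            }
            return 0L;
        }
    }

    /**
     * Logs whether a policy file was found and returns its timestamp.
     *
     * @param z whether the file exists
     * @param file the file to read the timestamp from
     * @param str the location text used in the log message
     * @return the last-modified time, or {@code 0} when {@code z} is {@code false}
     */
    private static long getLastModifiedTime(boolean z, File file, String str) {
        if (!z) {
            logMsg(Level.FINE, "pc.file_not_refreshed", str);
            return 0L;
        }
        logMsg(Level.FINE, "pc.file_refreshed", str);
        return file.lastModified();
    }

    /**
     * Expands property references in a policy location and converts it to a URL.
     *
     * @param str the raw location from the security properties
     * @return the resulting URL
     * @throws MalformedURLException if the expanded text is not a valid URL
     * @throws PropertyExpander.ExpandException if property expansion fails
     * @throws URISyntaxException if the expanded text is not a valid URI
     */
    private static URL getPolicyUrl(String str) throws MalformedURLException, PropertyExpander.ExpandException, URISyntaxException {
        String expanded = PropertyExpander.expand(str).replace(File.separatorChar, '/');
        if (str.startsWith("file:${java.home}/") || str.startsWith("file:${user.home}/")) {
            // Drop the leading "file:" (5 characters) and let File build the URL from the path.
            return new File(expanded.substring(5)).toURI().toURL();
        }
        return new URI(expanded).toURL();
    }

    /** Returns the shared policy configuration factory instance; may be {@code null}, callers check. */
    private PolicyConfigurationFactoryImpl getPolicyFactory() {
        return PolicyConfigurationFactoryImpl.getInstance();
    }

    /**
     * Logs a localised message if the level is enabled.
     *
     * @param level the log level
     * @param str the message key
     * @param objArr the message arguments
     */
    private static void logMsg(Level level, String str, Object... objArr) {
        if (logger.isLoggable(level)) {
            logMsg(level, str, objArr, null);
        }
    }

    /**
     * Resolves a localised message and logs it unconditionally.
     *
     * @param level the log level
     * @param str the message key; when {@code null}, {@code str2} is logged as is
     * @param objArr the message arguments
     * @param str2 the default text; when {@code null}, the key is used as the default
     * @return the text that was logged
     */
    private static String logMsg(Level level, String str, Object[] objArr, String str2) {
        String message = str == null ? str2 : localStrings.getLocalString(str, str2 == null ? str : str2, objArr);
        logger.log(level, message);
        return message;
    }

    /** Compiler-generated accessor that lets the anonymous classes call {@link #allowSystemProperties()}. */
    static /* synthetic */ boolean access$100() {
        return allowSystemProperties();
    }

    static {
        // The guard is only useful while permission checks are actually performed, i.e. with a
        // SecurityManager installed, and it can be switched off through the system property.
        AVOID_REENTRANCY = !Boolean.getBoolean(IGNORE_REENTRANCY_PROP_NAME) && System.getSecurityManager() != null;
        if (AVOID_REENTRANCY) {
            reentrancyStatus = new ThreadLocal<Object>() {
                @Override
                protected synchronized Object initialValue() {
                    // One mutable byte per thread: 0 = idle, 1 = implies() in progress.
                    return new byte[]{0};
                }
            };
        }
        contextProviderReentry = new ThreadLocal<Boolean>() {
            /* JADX INFO: Access modifiers changed from: protected */
            @Override
            public Boolean initialValue() {
                return false;
            }
        };
    }
}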
