package com.sun.enterprise.container.common;

import com.sun.enterprise.admin.util.AdminConstants;
import com.sun.enterprise.config.serverbeans.AdminService;
import com.sun.enterprise.config.serverbeans.AuthRealm;
import com.sun.enterprise.config.serverbeans.Domain;
import com.sun.enterprise.config.serverbeans.SecureAdmin;
import com.sun.enterprise.config.serverbeans.SecureAdminInternalUser;
import com.sun.enterprise.config.serverbeans.SecureAdminPrincipal;
import com.sun.enterprise.config.serverbeans.SecurityService;
import com.sun.enterprise.security.SecurityContext;
import com.sun.enterprise.security.SecurityLifecycle;
import com.sun.enterprise.security.SecuritySniffer;
import com.sun.enterprise.security.auth.login.LoginContextDriver;
import com.sun.enterprise.security.auth.realm.NoSuchUserException;
import com.sun.enterprise.security.auth.realm.file.FileRealm;
import com.sun.enterprise.security.auth.realm.file.FileRealmUser;
import com.sun.enterprise.security.ssl.SSLUtils;
import com.sun.enterprise.util.LocalStringManagerImpl;
import com.sun.enterprise.util.net.NetUtils;
import com.sun.logging.LogDomains;
import java.io.File;
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.rmi.server.RemoteServer;
import java.rmi.server.ServerNotActiveException;
import java.security.KeyStore;
import java.security.Principal;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.management.remote.JMXAuthenticator;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginException;
import org.apache.taglibs.standard.tag.common.fmt.MessageSupport;
import org.glassfish.api.admin.ServerEnvironment;
import org.glassfish.common.util.admin.AuthTokenManager;
import org.glassfish.internal.api.AdminAccessController;
import org.glassfish.internal.api.LocalPassword;
import org.glassfish.internal.api.ServerContext;
import org.glassfish.security.common.Group;
import org.jvnet.hk2.annotations.ContractProvided;
import org.jvnet.hk2.annotations.Inject;
import org.jvnet.hk2.annotations.Service;
import org.jvnet.hk2.component.Habitat;
import org.jvnet.hk2.component.PostConstruct;

/**
 * Authenticates and authorizes administrative requests to this server.
 *
 * <p>{@link #loginAsAdmin(String, String, String, String, Map, Principal)} applies, in order: a
 * domain-identifier header check, the locally-provisioned password, a one-time auth token, an SSL
 * client-certificate principal, a remote-access policy (DAS vs. instance), and finally
 * user/password authentication against the admin realm. The class is also registered as the
 * {@link JMXAuthenticator} for the system JMX connector (see {@link #authenticate(Object)}).
 *
 * <p>NOTE(review): this listing is decompiler (JADX) output. The {@code 0 != 0} conditions in
 * {@code loginAsAdmin} are dead code and appear to be the remains of a collapsed {@code finally}
 * block; see the comments there. The fields {@code ss}, {@code sslUtils}, {@code truststore} and
 * {@code serverPrincipals} are never read within this class.
 */
@Service
@ContractProvided(JMXAuthenticator.class)
/* loaded from: input_file:com/sun/enterprise/container/common/GenericAdminAuthenticator.class */
public class GenericAdminAuthenticator implements AdminAccessController, JMXAuthenticator, PostConstruct {

    @Inject
    Habitat habitat;

    @Inject
    SecuritySniffer snif;

    @Inject
    volatile SecurityService ss;

    @Inject
    volatile AdminService as;

    @Inject
    LocalPassword localPassword;

    @Inject
    ServerContext sc;

    @Inject
    Domain domain;

    @Inject
    private AuthTokenManager authTokenManager;
    // Cached from domain.getSecureAdmin() in postConstruct(); read by every auth path below.
    private SecureAdmin secureAdmin;

    @Inject
    ServerEnvironment serverEnv;
    private static LocalStringManagerImpl lsm = new LocalStringManagerImpl(GenericAdminAuthenticator.class);
    private static final Logger logger = LogDomains.getLogger(GenericAdminAuthenticator.class, "javax.enterprise.system.tools.admin");
    // Unused in this class (see class-level note).
    private SSLUtils sslUtils = null;
    private KeyStore truststore = null;
    private Map<String, Principal> serverPrincipals = new HashMap();

    /**
     * Compares the domain-identifier header of an admin request against the identifier
     * configured for this domain.
     *
     * <p>The outcome is computed once in the constructor and exposed through {@link #result()}.
     * A missing header is tolerated ({@link Result#NOT_IN_REQUEST}); a present-but-different
     * header is logged at WARNING with the originating host and yields {@link Result#MISMATCHED}.
     */
    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/sun/enterprise/container/common/GenericAdminAuthenticator$SpecialAdminIndicatorChecker.class */
    public static class SpecialAdminIndicatorChecker {
        private final Result _result;

        /** Outcome of the domain-identifier comparison. */
        /* JADX INFO: Access modifiers changed from: private */
        /* loaded from: input_file:com/sun/enterprise/container/common/GenericAdminAuthenticator$SpecialAdminIndicatorChecker$Result.class */
        public enum Result {
            /** The request carried no domain-identifier header. */
            NOT_IN_REQUEST,
            /** The header equals the identifier configured for this domain. */
            MATCHED,
            /** The header is present but differs from the configured identifier. */
            MISMATCHED
        }

        /**
         * @param secureAdmin secure-admin configuration supplying the expected identifier
         * @param logger      logger for the fine/warning messages
         * @param map         request headers; only {@code ADMIN_INDICATOR_HEADER_NAME} is read
         * @param str         originating host, used only in the mismatch warning
         */
        private SpecialAdminIndicatorChecker(SecureAdmin secureAdmin, Logger logger, Map<String, String> map, String str) {
            String str2 = map.get(SecureAdmin.Util.ADMIN_INDICATOR_HEADER_NAME);
            if (str2 == null) {
                logger.fine("Admin request contains no domain ID; this is OK - continuing");
                this._result = Result.NOT_IN_REQUEST;
            } else if (str2.equals(SecureAdmin.Util.configuredAdminIndicator(secureAdmin))) {
                this._result = Result.MATCHED;
                logger.fine("Admin request contains expected domain ID");
            } else {
                // A request from another domain reached this server; the caller rejects it.
                logger.log(Level.WARNING, GenericAdminAuthenticator.lsm.getLocalString("foreign.domain.ID", "An admin request arrived from {0} with the domain identifier {1} which does not match the domain identifier {2} configured for this server's domain; rejecting the request", str, str2, secureAdmin.getSpecialAdminIndicator()));
                this._result = Result.MISMATCHED;
            }
        }

        /** @return the outcome computed in the constructor */
        /* JADX INFO: Access modifiers changed from: private */
        public Result result() {
            return this._result;
        }
    }

    /**
     * Caches the secure-admin config and refuses to start a server whose admin file realm has
     * no authenticatable user.
     *
     * <p>The check only applies when the admin service uses a realm whose class is
     * {@link FileRealm}. If that realm has no user that can authenticate, a SEVERE message is
     * logged and an {@link IllegalStateException} is thrown; note that this exception is itself
     * caught by the {@code catch (Exception e)} below and re-thrown wrapped in a
     * {@link RuntimeException}, as is any failure to load the realm.
     *
     * @throws RuntimeException wrapping the empty-password error or any realm-loading failure
     */
    @Override // org.jvnet.hk2.component.PostConstruct
    public void postConstruct() {
        this.secureAdmin = this.domain.getSecureAdmin();
        if (this.as.usesFileRealm()) {
            try {
                AuthRealm associatedAuthRealm = this.as.getAssociatedAuthRealm();
                // Nothing to verify for non-file realms; a file realm with at least one
                // authenticatable user is acceptable.
                if (!FileRealm.class.getName().equals(associatedAuthRealm.getClassname()) || new FileRealm(associatedAuthRealm.getPropertyValue("file")).hasAuthenticatableUser()) {
                    return;
                }
                String localString = lsm.getLocalString("secure.admin.empty.password", "The server requires a valid admin password to be set before it can start. Please set a password using the change-admin-password command.");
                logger.log(Level.SEVERE, localString);
                throw new IllegalStateException(localString);
            } catch (Exception e) {
                logger.log(Level.SEVERE, e.getMessage());
                throw new RuntimeException(e);
            }
        }
    }

    /**
     * Convenience overload: no request headers and no client-certificate principal.
     *
     * @param str  user name
     * @param str2 password
     * @param str3 realm name
     * @param str4 originating host
     * @return the access level granted
     * @throws LoginException as for the six-argument overload
     */
    @Override // org.glassfish.internal.api.AdminAccessController
    public AdminAccessController.Access loginAsAdmin(String str, String str2, String str3, String str4) throws LoginException {
        return loginAsAdmin(str, str2, str3, str4, Collections.EMPTY_MAP, null);
    }

    /**
     * Decides what administrative access, if any, a request is granted.
     *
     * <p>Evaluation order:
     * <ol>
     *   <li>Domain-identifier header mismatch: {@code NONE}.</li>
     *   <li>Locally-provisioned password: {@code FULL}.</li>
     *   <li>Valid one-time auth token header: {@code FULL}.</li>
     *   <li>Client-certificate principal that is a configured secure-admin principal:
     *       {@code FULL}.</li>
     *   <li>{@link #checkRemoteAccess(String, boolean)}; a non-OK result is returned as-is.</li>
     *   <li>Non-file realm: login through {@link LoginContextDriver}, then optional admin-group
     *       check; any exception yields {@code NONE}.</li>
     *   <li>File realm: {@link #handleFileRealm(String, String)}; on success the DAS keeps the
     *       access computed in step 5, an instance grants {@code FULL} only to configured
     *       internal users and {@code READONLY} otherwise; on failure {@code NONE}.</li>
     * </ol>
     *
     * <p>The method is {@code synchronized}, so admin logins are serialized.
     *
     * @param str       user name (URL-encoded before it is written to the failure log entry)
     * @param str2      password; converted with {@code toCharArray()} on the realm paths
     * @param str3      realm name passed to {@link LoginContextDriver#login}
     * @param str4      originating host, used for the locality check and log messages
     * @param map       request headers (domain indicator and one-time token are read)
     * @param principal SSL client-auth principal, or {@code null} when none was presented
     * @return the access level granted
     * @throws LoginException propagated from the certificate and file-realm paths
     */
    @Override // org.glassfish.internal.api.AdminAccessController
    public synchronized AdminAccessController.Access loginAsAdmin(String str, String str2, String str3, String str4, Map<String, String> map, Principal principal) throws LoginException {
        String str5;
        SpecialAdminIndicatorChecker specialAdminIndicatorChecker = new SpecialAdminIndicatorChecker(this.secureAdmin, logger, map, str4);
        if (specialAdminIndicatorChecker.result() == SpecialAdminIndicatorChecker.Result.MISMATCHED) {
            return AdminAccessController.Access.NONE;
        }
        if (isLocalPassword(str, str2)) {
            logger.fine("Accepted locally-provisioned password authentication");
            return AdminAccessController.Access.FULL;
        }
        if (authenticateUsingOneTimeToken(map.get(SecureAdmin.Util.ADMIN_ONE_TIME_AUTH_TOKEN_HEADER_NAME))) {
            logger.log(Level.FINE, "Authenticated using one-time auth token");
            return AdminAccessController.Access.FULL;
        }
        // authorizeUsingCert returns false for a null principal, so getName() is safe here.
        if (authorizeUsingCert(principal)) {
            logger.log(Level.FINE, "Authenticated SSL client auth principal {0}", principal.getName());
            return AdminAccessController.Access.FULL;
        }
        AdminAccessController.Access checkRemoteAccess = checkRemoteAccess(str4, specialAdminIndicatorChecker.result() == SpecialAdminIndicatorChecker.Result.MATCHED);
        if (!checkRemoteAccess.isOK()) {
            logger.log(Level.FINE, "Rejected remote access attempt, returning {0}", checkRemoteAccess.name());
            return checkRemoteAccess;
        }
        if (!this.as.usesFileRealm()) {
            // z records whether the thread's context class loader was swapped so it can be put back.
            boolean z = false;
            try {
                try {
                    ClassLoader contextClassLoader = Thread.currentThread().getContextClassLoader();
                    // The security login machinery is loaded through the common class loader.
                    if (!this.sc.getCommonClassLoader().equals(contextClassLoader)) {
                        Thread.currentThread().setContextClassLoader(this.sc.getCommonClassLoader());
                        z = true;
                    }
                    this.habitat.getInhabitantByType(SecurityLifecycle.class).get2();
                    this.snif.setup(System.getProperty("com.sun.aas.installRoot") + "/modules/security", Logger.getAnonymousLogger());
                    LoginContextDriver.login(str, str2.toCharArray(), str3);
                    // With no group mapping configured, a successful login is enough; otherwise
                    // the user must be in the admin group.
                    AdminAccessController.Access access = this.as.getAssociatedAuthRealm().getGroupMapping() == null || ensureGroupMembership(str, str3) ? AdminAccessController.Access.FULL : AdminAccessController.Access.NONE;
                    if (z) {
                        Thread.currentThread().setContextClassLoader(contextClassLoader);
                    }
                    return access;
                } catch (Exception e) {
                    // Any login failure (including the LoginException) is mapped to NONE and not logged.
                    AdminAccessController.Access access2 = AdminAccessController.Access.NONE;
                    // NOTE(review): dead branch (0 != 0 is always false). On this path the
                    // context class loader swapped above is NOT restored. This and the block
                    // below look like a collapsed finally { if (z) setContextClassLoader(contextClassLoader); }.
                    if (0 != 0) {
                        Thread.currentThread().setContextClassLoader(null);
                    }
                    return access2;
                }
            } catch (Throwable th) {
                // NOTE(review): dead branch, see above.
                if (0 != 0) {
                    Thread.currentThread().setContextClassLoader(null);
                }
                throw th;
            }
        }
        boolean handleFileRealm = handleFileRealm(str, str2);
        Logger logger2 = logger;
        Level level = Level.FINE;
        Object[] objArr = new Object[2];
        objArr[0] = str;
        objArr[1] = handleFileRealm ? "passed" : "failed";
        logger2.log(level, "Not an oterwise \"trusted sender\"; file realm user authentication {1} for admin user {0}", objArr);
        if (!handleFileRealm) {
            String str6 = "";
            try {
                // URL-encode the caller-supplied user name before it reaches the INFO log.
                str5 = URLEncoder.encode(str, "UTF-8");
            } catch (UnsupportedEncodingException e2) {
                // NOTE(review): MessageSupport.UNDEFINED_KEY appears to be a decompiler-resolved
                // constant standing in for the original placeholder literal; the taglibs import
                // exists only for it.
                str5 = MessageSupport.UNDEFINED_KEY;
                str6 = e2.getLocalizedMessage();
            }
            logger.log(Level.INFO, lsm.getLocalString("authentication.failed", "User [{0}] from host {1} does not have administration access", str5, str4) + str6);
            checkRemoteAccess = AdminAccessController.Access.NONE;
        } else if (!this.serverEnv.isInstance()) {
            // DAS: keep the access computed by checkRemoteAccess.
            logger.log(Level.FINE, "Granting admin access for this request; user/password authenticated as a valid admin account");
        } else if (isAuthorizedInternalUser(str)) {
            checkRemoteAccess = AdminAccessController.Access.FULL;
            logger.log(Level.FINE, "Granting access to this instance; user is set up as an internal admin user");
        } else {
            checkRemoteAccess = AdminAccessController.Access.READONLY;
            logger.log(Level.FINE, "Restricting the admin request to this instance to read-only access");
        }
        return checkRemoteAccess;
    }

    /**
     * Applies the remote-access policy before any user/password check.
     *
     * <p>On the DAS, a request is allowed only if it originates from this host or secure admin
     * is enabled; otherwise it is {@code FORBIDDEN}. On an instance, a request carrying the
     * correct domain identifier gets {@code FULL}, any other request {@code READONLY}.
     *
     * @param str originating host
     * @param z   whether the request's domain-identifier header matched this domain
     * @return {@code FULL}, {@code READONLY} or {@code FORBIDDEN}
     */
    private AdminAccessController.Access checkRemoteAccess(String str, boolean z) {
        AdminAccessController.Access access;
        if (this.serverEnv.isDas()) {
            if (NetUtils.isThisHostLocal(str) || SecureAdmin.Util.isEnabled(this.secureAdmin)) {
                access = AdminAccessController.Access.FULL;
            } else {
                logger.log(Level.FINE, "Forbidding the admin request to the DAS; the request is remote and secure admin is not enabled");
                access = AdminAccessController.Access.FORBIDDEN;
            }
        } else if (z) {
            access = AdminAccessController.Access.FULL;
            logger.log(Level.FINE, "Granting access for the admin request to this instance; the request contained the correct unique ID");
        } else {
            access = AdminAccessController.Access.READONLY;
            logger.log(Level.FINE, "Granting read-only access for the admin request to this instance; full access was refused because the request lacked the unique ID or contained an incorrect one");
        }
        return access;
    }

    /**
     * @param str user name
     * @return {@code true} if {@code str} equals the user name of a configured secure-admin
     *         internal user
     */
    private boolean isAuthorizedInternalUser(String str) {
        Iterator<SecureAdminInternalUser> it = SecureAdmin.Util.secureAdminInternalUsers(this.secureAdmin).iterator();
        while (it.hasNext()) {
            if (it.next().getUsername().equals(str)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Authorizes an already-authenticated SSL client principal for admin operations.
     *
     * @param principal client-auth principal, or {@code null} if none was presented
     * @return {@code false} for a null principal or one that is not a configured secure-admin
     *         principal; {@code true} otherwise
     * @throws LoginException wrapping any exception raised while consulting the configuration
     */
    private boolean authorizeUsingCert(Principal principal) throws LoginException {
        if (principal == null) {
            return false;
        }
        try {
            if (isPrincipalAuthorized(principal)) {
                logger.log(Level.FINE, "Cert {0} recognized as authorized admin cert", principal.toString());
                return true;
            }
            logger.log(Level.FINE, "Authenticated cert {0} is not separately authorized for admin operations", principal.toString());
            return false;
        } catch (Exception e) {
            // LoginException has no (String, Throwable) constructor; attach the cause explicitly.
            LoginException loginException = new LoginException();
            loginException.initCause(e);
            throw loginException;
        }
    }

    /**
     * @param principal client-auth principal
     * @return {@code true} if the principal's name equals the DN of a configured secure-admin
     *         principal (exact string comparison)
     */
    private boolean isPrincipalAuthorized(Principal principal) {
        String name = principal.getName();
        Iterator<SecureAdminPrincipal> it = SecureAdmin.Util.secureAdminPrincipals(this.secureAdmin, this.habitat).iterator();
        while (it.hasNext()) {
            if (it.next().getDn().equals(name)) {
                return true;
            }
        }
        return false;
    }

    /**
     * @param str value of the one-time auth token header, or {@code null} if absent
     * @return {@code false} if absent, else the result of handing the token to the
     *         {@link AuthTokenManager} (the method name suggests the token is consumed on use)
     */
    private boolean authenticateUsingOneTimeToken(String str) {
        if (str == null) {
            return false;
        }
        return this.authTokenManager.consumeToken(str);
    }

    /**
     * Checks whether the current {@link SecurityContext} carries the domain admin group.
     *
     * <p>Both parameters are unused; membership is read from the principal set of the current
     * security context populated by the preceding login.
     *
     * @return {@code true} if a {@link Group} named {@code DOMAIN_ADMIN_GROUP_NAME} is present;
     *         {@code false} otherwise or if inspecting the context throws
     */
    private boolean ensureGroupMembership(String str, String str2) {
        try {
            for (Object obj : SecurityContext.getCurrent().getPrincipalSet()) {
                if ((obj instanceof Group) && ((Group) obj).getName().equals(AdminConstants.DOMAIN_ADMIN_GROUP_NAME)) {
                    return true;
                }
            }
            logger.fine("User is not the member of the special admin group");
            return false;
        } catch (Exception e) {
            logger.log(Level.FINE, "User is not the member of the special admin group: {0}", e.getMessage());
            return false;
        }
    }

    /**
     * Authenticates a user against the admin file realm, requiring admin-group membership.
     *
     * <p>An empty user name is replaced by {@link #getDefaultAdminUser()} when one exists. The
     * password is only checked once the user is known to be in the domain admin group; a user
     * outside that group, an unknown user, or a realm that is not a {@link FileRealm} yields
     * {@code false} without a password check.
     *
     * @param str  user name; may be empty
     * @param str2 password; a {@code null} value would fail inside {@code toCharArray()} and
     *             surface as a {@link LoginException} via the generic catch below
     * @return whether the user is an admin-group member with a valid password
     * @throws LoginException wrapping any failure other than an unknown user
     */
    private boolean handleFileRealm(String str, String str2) throws LoginException {
        if (str == null || str.length() == 0) {
            String defaultAdminUser = getDefaultAdminUser();
            if (defaultAdminUser != null) {
                str = defaultAdminUser;
                logger.log(Level.FINE, "Using default user: {0}", defaultAdminUser);
            } else {
                logger.fine("No default user");
            }
        }
        try {
            AuthRealm associatedAuthRealm = this.as.getAssociatedAuthRealm();
            if (!FileRealm.class.getName().equals(associatedAuthRealm.getClassname())) {
                return false;
            }
            FileRealm fileRealm = new FileRealm(associatedAuthRealm.getPropertyValue("file"));
            // str may still be null here if no default user exists; getUser's handling of null is
            // outside this file.
            for (String str3 : ((FileRealmUser) fileRealm.getUser(str)).getGroups()) {
                if (str3.equals(AdminConstants.DOMAIN_ADMIN_GROUP_NAME)) {
                    return fileRealm.authenticate(str, str2.toCharArray()) != null;
                }
            }
            return false;
        } catch (NoSuchUserException e) {
            return false;
        } catch (Exception e2) {
            LoginException loginException = new LoginException(e2.getMessage());
            loginException.initCause(e2);
            throw loginException;
        }
    }

    /**
     * Returns the sole user of the admin file realm, to be used when a request supplies no user.
     *
     * <p>Returns {@code null} when the realm is not a {@link FileRealm}, the keyfile property
     * is missing or the file does not exist, the realm has zero or more than one user, the
     * user has no groups, or loading the realm throws.
     *
     * <p>NOTE(review): the admin-group comparison only decides whether a FINE message is
     * logged; the single user is returned whether or not its first group is the admin group.
     *
     * @return the default admin user name, or {@code null}
     * @throws RuntimeException if the admin service's associated realm cannot be found
     */
    private String getDefaultAdminUser() {
        AuthRealm associatedAuthRealm = this.as.getAssociatedAuthRealm();
        if (associatedAuthRealm == null) {
            throw new RuntimeException("Warning: Configuration is bad, realm: " + this.as.getAuthRealmName() + " does not exist!");
        }
        if (!FileRealm.class.getName().equals(associatedAuthRealm.getClassname())) {
            logger.fine("CAN'T FIND DEFAULT ADMIN USER: IT'S NOT A FILE REALM");
            return null;
        }
        String propertyValue = associatedAuthRealm.getPropertyValue("file");
        if (propertyValue != null) {
            File file = new File(propertyValue);
            if (file.exists()) {
                try {
                    FileRealm fileRealm = new FileRealm(file.getAbsolutePath());
                    Enumeration<String> userNames = fileRealm.getUserNames();
                    // Exactly one user is required: none -> null, two or more -> null.
                    if (!userNames.hasMoreElements()) {
                        return null;
                    }
                    String nextElement = userNames.nextElement();
                    if (userNames.hasMoreElements()) {
                        return null;
                    }
                    String[] groups = ((FileRealmUser) fileRealm.getUser(nextElement)).getGroups();
                    if (0 >= groups.length) {
                        return null;
                    }
                    if (groups[0].equals(AdminConstants.DOMAIN_ADMIN_GROUP_NAME)) {
                        logger.log(Level.FINE, "Attempting access using default admin user: {0}", nextElement);
                    }
                    return nextElement;
                } catch (Exception e) {
                    return null;
                }
            }
        }
        logger.fine("CAN'T FIND DEFAULT ADMIN USER: THE KEYFILE DOES NOT EXIST");
        return null;
    }

    /**
     * @param str  user name (unused; the local password is not tied to a user)
     * @param str2 password to compare with the locally-provisioned password
     * @return whether {@code str2} is the local password
     */
    private boolean isLocalPassword(String str, String str2) {
        if (this.localPassword.isLocalPassword(str2)) {
            logger.fine("Allowing access using local password");
            return true;
        }
        logger.finest("Password is not the local password");
        return false;
    }

    /**
     * {@link JMXAuthenticator} entry point for the system JMX connector.
     *
     * <p>{@code obj} is expected to be a {@code String[]} of {@code {user, password[, host]}};
     * missing elements default to the empty string, and a missing host is taken from
     * {@link RemoteServer#getClientHost()}. Any other {@code obj} is treated as empty
     * credentials with a {@code null} host. The realm is the JMX connector's realm, falling
     * back to the admin service's realm.
     *
     * @param obj connector-supplied credentials
     * @return {@code null} when {@link #loginAsAdmin(String, String, String, String)} reports
     *         OK access (no {@link Subject} is built)
     * @throws SecurityException if access is not OK or the login throws
     * @throws RuntimeException  wrapping {@link ServerNotActiveException} from the client-host lookup
     */
    public Subject authenticate(Object obj) {
        String str = "";
        String str2 = "";
        String str3 = null;
        if (obj instanceof String[]) {
            String[] strArr = (String[]) obj;
            if (strArr.length == 1) {
                str = strArr[0];
            } else if (strArr.length >= 2) {
                str = strArr[0];
                str2 = strArr[1];
                if (str2 == null) {
                    str2 = "";
                }
            }
            if (strArr.length > 2) {
                str3 = strArr[2];
            } else {
                try {
                    str3 = RemoteServer.getClientHost();
                } catch (ServerNotActiveException e) {
                    throw new RuntimeException((Throwable) e);
                }
            }
        }
        String authRealmName = this.as.getSystemJmxConnector().getAuthRealmName();
        if (authRealmName == null) {
            authRealmName = this.as.getAuthRealmName();
        }
        try {
            if (loginAsAdmin(str, str2, authRealmName, str3).isOK()) {
                return null;
            }
            // Here the raw (not URL-encoded) user name is written to the log, unlike loginAsAdmin.
            String localString = lsm.getLocalString("authentication.failed", "User [{0}] from host {1} does not have administration access", str, str3);
            logger.log(Level.INFO, localString);
            throw new SecurityException(localString);
        } catch (LoginException e2) {
            throw new SecurityException(e2);
        }
    }
}
