package com.gemstone.gemfire.management.internal.security;

import com.gemstone.gemfire.GemFireConfigException;
import com.gemstone.gemfire.LogWriter;
import com.gemstone.gemfire.cache.Cache;
import com.gemstone.gemfire.cache.operations.OperationContext;
import com.gemstone.gemfire.distributed.DistributedMember;
import com.gemstone.gemfire.distributed.internal.DistributionConfig;
import com.gemstone.gemfire.internal.logging.LogService;
import com.gemstone.gemfire.management.internal.security.ResourceOperationContext;
import com.gemstone.gemfire.security.AuthenticationFailedException;
import com.gemstone.gemfire.security.Authenticator;
import com.gemstone.gemfire.security.NotAuthorizedException;
import java.io.File;
import java.io.FileReader;
import java.io.IOException;
import java.security.Principal;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Properties;
import java.util.Set;
import javax.management.remote.JMXPrincipal;
import org.json.JSONArray;
import org.json.JSONException;
import org.json.JSONObject;

/* loaded from: input_file:com/gemstone/gemfire/management/internal/security/JSONAuthorization.class */
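public class JSONAuthorization implements com.gemstone.gemfire.security.AccessControl, Authenticator {
    /**
     * Users keyed by user name, populated from the JSON security descriptor.
     * Shared by every instance and replaced wholesale by
     * {@link #readSecurityDescriptor(String)}; no synchronization guards it.
     */
    private static Map<String, User> acl = null;
    /** Principal handed over by {@link #init(Principal, DistributedMember, Cache)}; null until then. */
    private Principal principal = null;

    /** A named role: the operation codes it allows, optionally scoped to a region or a server group. */
    public static class Role {
        String[] permissions;
        String name;
        String regionName;
        String serverGroup;
    }

    /** A user: its name, its roles and the clear-text password taken from the descriptor. */
    public static class User {
        String name;
        Role[] roles;
        String pwd;
    }

    /**
     * Loads the default descriptor if no ACL has been read yet and returns a new instance.
     *
     * @return a new instance backed by the shared ACL
     * @throws IOException   if the descriptor file cannot be read
     * @throws JSONException if the descriptor is not valid JSON or lacks a required field
     */
    public static JSONAuthorization create() throws IOException, JSONException {
        if (acl == null) {
            readSecurityDescriptor(readDefault());
        }
        return new JSONAuthorization();
    }

    /**
     * Creates an instance, loading the default descriptor if no ACL has been read yet.
     *
     * @throws GemFireConfigException wrapping any I/O or JSON failure while loading the descriptor
     */
    public JSONAuthorization() {
        if (acl == null) {
            try {
                readSecurityDescriptor(readDefault());
            } catch (IOException e) {
                throw new GemFireConfigException("Error creating JSONAuth", e);
            } catch (JSONException e) {
                throw new GemFireConfigException("Error creating JSONAuth", e);
            }
        }
    }

    /**
     * Creates an instance from an in-memory descriptor, replacing the shared ACL.
     *
     * @param str the JSON security descriptor
     * @throws IOException   declared for compatibility; not thrown by the current parser
     * @throws JSONException if the descriptor is not valid JSON or lacks a required field
     */
    public JSONAuthorization(String str) throws IOException, JSONException {
        readSecurityDescriptor(str);
    }

    /**
     * Collects the operation codes granted to {@code user} for the given context.
     * <p>
     * Unscoped roles always apply. A region-scoped role applies only when the context is a
     * {@link CLIOperationContext} whose {@code region} command option equals the role's region.
     * A role scoped only by server group matches no branch below and therefore grants nothing.
     *
     * @param user                     the authenticated user; roles with no permissions are skipped
     * @param resourceOperationContext the operation being checked
     * @return the granted codes, children of a parent code expanded (never null)
     */
    public static Set<ResourceOperationContext.ResourceOperationCode> getAuthorizedOps(User user, ResourceOperationContext resourceOperationContext) {
        Set<ResourceOperationContext.ResourceOperationCode> granted = new HashSet<ResourceOperationContext.ResourceOperationCode>();
        for (Role role : user.roles) {
            if (role == null || role.permissions == null) {
                // Nothing to grant; the original dereferenced the null array here.
                continue;
            }
            for (String permission : role.permissions) {
                ResourceOperationContext.ResourceOperationCode code = ResourceOperationContext.ResourceOperationCode.parse(permission);
                if (role.regionName == null && role.serverGroup == null) {
                    addPermissions(code, granted);
                } else if (role.regionName != null) {
                    LogService.getLogger().info("This role requires region=" + role.regionName);
                    if (resourceOperationContext instanceof CLIOperationContext) {
                        String requestedRegion = ((CLIOperationContext) resourceOperationContext).getCommandOptions().get("region");
                        if (requestedRegion != null && requestedRegion.equals(role.regionName)) {
                            addPermissions(code, granted);
                        } else {
                            LogService.getLogger().info("Not adding permission " + code + " since region=" + requestedRegion + " does not match");
                        }
                    }
                }
            }
        }
        LogService.getLogger().info("Final set of permisions " + granted);
        return granted;
    }

    /**
     * Adds {@code code} to {@code set}; a code with children contributes its children instead of itself.
     *
     * @param code the parsed code, ignored when null
     * @param set  the target set
     */
    private static void addPermissions(ResourceOperationContext.ResourceOperationCode code, Set<ResourceOperationContext.ResourceOperationCode> set) {
        if (code == null) {
            return;
        }
        ResourceOperationContext.ResourceOperationCode[] children = code.getChildren();
        if (children == null) {
            set.add(code);
            return;
        }
        for (ResourceOperationContext.ResourceOperationCode child : children) {
            set.add(child);
        }
    }

    /**
     * Reads the descriptor file named by the system property
     * {@code ResourceConstants.RESORUCE_SEC_DESCRIPTOR}, falling back to
     * {@code ResourceConstants.RESORUCE_DEFAULT_SEC_DESCRIPTOR}.
     * <p>
     * Decoded with the platform default charset, as {@link FileReader} always is.
     *
     * @return the whole file content
     * @throws IOException   if the file cannot be opened or read
     * @throws JSONException declared for compatibility; not thrown here
     */
    private static String readDefault() throws IOException, JSONException {
        File file = new File(System.getProperty(ResourceConstants.RESORUCE_SEC_DESCRIPTOR,
                ResourceConstants.RESORUCE_DEFAULT_SEC_DESCRIPTOR));
        FileReader reader = new FileReader(file);
        try {
            StringBuilder content = new StringBuilder();
            char[] buffer = new char[8192];
            int count;
            // Read to EOF: a single read() may return fewer chars than the file holds.
            while ((count = reader.read(buffer)) != -1) {
                content.append(buffer, 0, count);
            }
            return content.toString();
        } finally {
            // Closed on the error path too; the original leaked the reader on a failed read.
            reader.close();
        }
    }

    /**
     * Parses the descriptor and replaces the shared ACL with its users.
     *
     * @param str the JSON descriptor
     * @throws IOException   declared for compatibility; not thrown here
     * @throws JSONException if the descriptor is not valid JSON or lacks a required field
     */
    private static void readSecurityDescriptor(String str) throws IOException, JSONException {
        JSONObject descriptor = new JSONObject(str);
        Map<String, User> users = new HashMap<String, User>();
        readUsers(users, descriptor, readRoles(descriptor));
        acl = users;
    }

    /**
     * Fills {@code map} with the {@code users} array of the descriptor.
     * A user without a {@code password} field gets its own name as password.
     *
     * @param map   the target map, keyed by user name
     * @param root  the descriptor
     * @param roles the roles already read, by name
     * @throws JSONException    if a required field is missing or mistyped
     * @throws RuntimeException if a user references an unknown role
     */
    private static void readUsers(Map<String, User> map, JSONObject root, Map<String, Role> roles) throws JSONException {
        JSONArray usersArray = root.getJSONArray("users");
        for (int i = 0; i < usersArray.length(); i++) {
            JSONObject entry = usersArray.getJSONObject(i);
            User user = new User();
            user.name = entry.getString("name");
            // Test-fixture default: a user with no password field uses its name as password.
            user.pwd = entry.has("password") ? entry.getString("password") : user.name;
            JSONArray roleNames = entry.getJSONArray(DistributionConfig.ROLES_NAME);
            user.roles = new Role[roleNames.length()];
            for (int j = 0; j < roleNames.length(); j++) {
                String roleName = roleNames.getString(j);
                Role role = roles.get(roleName);
                if (role == null) {
                    throw new RuntimeException("Role not present " + roleName);
                }
                user.roles[j] = role;
            }
            map.put(user.name, user);
        }
    }

    /**
     * Reads the {@code roles} array: first every role on its own, then inheritance.
     *
     * @param root the descriptor
     * @return the roles by name
     * @throws JSONException    if a required field is missing or mistyped
     * @throws RuntimeException if a role has neither permissions nor parents, or names an unknown parent
     */
    private static Map<String, Role> readRoles(JSONObject root) throws JSONException {
        JSONArray rolesArray = root.getJSONArray(DistributionConfig.ROLES_NAME);
        Map<String, Role> roles = readRoleDefinitions(rolesArray);
        applyInheritance(rolesArray, roles);
        return roles;
    }

    /** First pass: one Role per entry with its own permissions and scope; inheritance not yet applied. */
    private static Map<String, Role> readRoleDefinitions(JSONArray rolesArray) throws JSONException {
        Map<String, Role> roles = new HashMap<String, Role>();
        for (int i = 0; i < rolesArray.length(); i++) {
            JSONObject entry = rolesArray.getJSONObject(i);
            Role role = new Role();
            role.name = entry.getString("name");
            if (entry.has("operationsAllowed")) {
                JSONArray ops = entry.getJSONArray("operationsAllowed");
                role.permissions = new String[ops.length()];
                for (int j = 0; j < ops.length(); j++) {
                    role.permissions[j] = ops.getString(j);
                }
            } else if (!entry.has("inherit")) {
                throw new RuntimeException("Role " + role.name + " does not have any permission neither it inherits any parent role");
            }
            if (entry.has("region")) {
                role.regionName = entry.getString("region");
            }
            if (entry.has("serverGroup")) {
                role.serverGroup = entry.getString("serverGroup");
            }
            roles.put(role.name, role);
        }
        return roles;
    }

    /**
     * Second pass: appends each parent's permissions to the inheriting role, in array order.
     * Parents are read as they are at that moment, so a parent that itself only inherits and
     * is listed later still has no permissions; that case is rejected explicitly here.
     */
    private static void applyInheritance(JSONArray rolesArray, Map<String, Role> roles) throws JSONException {
        for (int i = 0; i < rolesArray.length(); i++) {
            JSONObject entry = rolesArray.getJSONObject(i);
            String roleName = entry.getString("name");
            Role role = roles.get(roleName);
            if (role == null) {
                // The original message concatenated the null role object; report the name instead.
                throw new RuntimeException("Role not present " + roleName);
            }
            if (!entry.has("inherit")) {
                continue;
            }
            JSONArray parents = entry.getJSONArray("inherit");
            for (int j = 0; j < parents.length(); j++) {
                String parentName = parents.getString(j);
                Role parent = roles.get(parentName);
                if (parent == null) {
                    throw new RuntimeException("Role not present " + parentName);
                }
                if (parent.permissions == null) {
                    // The original hit a NullPointerException on parent.permissions.length here.
                    throw new RuntimeException("Role " + parentName + " has no permissions to inherit for role " + roleName);
                }
                role.permissions = concat(role.permissions, parent.permissions);
            }
        }
    }

    /**
     * Returns a new array holding {@code first} (treated as empty when null) followed by {@code second}.
     */
    private static String[] concat(String[] first, String[] second) {
        int firstLength = first == null ? 0 : first.length;
        String[] merged = new String[firstLength + second.length];
        if (first != null) {
            System.arraycopy(first, 0, merged, 0, firstLength);
        }
        System.arraycopy(second, 0, merged, firstLength, second.length);
        return merged;
    }

    /**
     * Exposes the shared, mutable ACL map.
     *
     * @return the users by name, or null if no descriptor has been loaded yet
     */
    public static Map<String, User> getAcl() {
        return acl;
    }

    /** No resources to release. */
    @Override // com.gemstone.gemfire.cache.CacheCallback
    public void close() {
    }

    /**
     * Grants the operation when the principal set by {@code init} names a known user whose
     * roles include the context's operation code.
     * <p>
     * Denies when no principal was set, the user is unknown, or the context is not a
     * {@link ResourceOperationContext} (the original threw {@link ClassCastException} there).
     * NOTE(review): preserved from the original, a context whose operation code is null is
     * permitted; confirm that callers rely on this before tightening it.
     *
     * @param str              unused
     * @param operationContext the operation being checked
     * @return true if authorized
     */
    @Override // com.gemstone.gemfire.security.AccessControl
    public boolean authorizeOperation(String str, OperationContext operationContext) {
        if (this.principal == null) {
            return false;
        }
        User user = acl.get(this.principal.getName());
        if (user == null) {
            return false;
        }
        LogService.getLogger().info("Context received " + operationContext);
        if (!(operationContext instanceof ResourceOperationContext)) {
            // Fail closed on an unexpected context type instead of throwing.
            return false;
        }
        ResourceOperationContext context = (ResourceOperationContext) operationContext;
        ResourceOperationContext.ResourceOperationCode requested = context.getResourceOperationCode();
        LogService.getLogger().info("Checking for code " + requested);
        if (requested == null) {
            return true;
        }
        // Compare with equals() as the original did, rather than relying on hashCode() via contains().
        for (ResourceOperationContext.ResourceOperationCode granted : getAuthorizedOps(user, context)) {
            if (requested.equals(granted)) {
                LogService.getLogger().info("found code " + granted.toString());
                return true;
            }
        }
        LogService.getLogger().info("Did not find code " + requested);
        return false;
    }

    /**
     * Remembers the principal whose user is consulted by {@link #authorizeOperation}.
     *
     * @param principal         the authenticated principal
     * @param distributedMember unused
     * @param cache             unused
     */
    @Override // com.gemstone.gemfire.security.AccessControl
    public void init(Principal principal, DistributedMember distributedMember, Cache cache) throws NotAuthorizedException {
        this.principal = principal;
    }

    /**
     * Checks the submitted user name and password against the ACL.
     * <p>
     * The submitted password is not logged. Every known user must present its password;
     * the original skipped the password check for a user named {@code ""}.
     *
     * @param properties        must hold {@code ManagementInterceptor.USER_NAME} and {@code PASSWORD}
     * @param distributedMember unused
     * @return a {@link JMXPrincipal} for the user name
     * @throws AuthenticationFailedException if the user is unknown or the password does not match
     */
    @Override // com.gemstone.gemfire.security.Authenticator
    public Principal authenticate(Properties properties, DistributedMember distributedMember) throws AuthenticationFailedException {
        String userName = properties.getProperty(ManagementInterceptor.USER_NAME);
        String password = properties.getProperty(ManagementInterceptor.PASSWORD);
        User user = acl.get(userName);
        if (user == null) {
            throw new AuthenticationFailedException("Wrong username/password");
        }
        LogService.getLogger().info("User=" + userName);
        if (!user.pwd.equals(password)) {
            throw new AuthenticationFailedException("Wrong username/password");
        }
        LogService.getLogger().info("Authentication successful!! for " + userName);
        return new JMXPrincipal(userName);
    }

    /** Nothing to initialize; the ACL is loaded by the constructors. */
    @Override // com.gemstone.gemfire.security.Authenticator
    public void init(Properties properties, LogWriter logWriter, LogWriter logWriter2) throws AuthenticationFailedException {
    }
}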
