package org.apache.openejb.core.security;

import java.io.Serializable;
import java.lang.reflect.Method;
import java.security.AccessControlContext;
import java.security.AccessControlException;
import java.security.AccessController;
import java.security.Policy;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Properties;
import java.util.Set;
import java.util.UUID;
import java.util.concurrent.ConcurrentHashMap;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginException;
import javax.security.jacc.EJBMethodPermission;
import javax.security.jacc.PolicyConfigurationFactory;
import javax.servlet.http.HttpServletRequest;
import org.apache.openejb.BeanContext;
import org.apache.openejb.InterfaceType;
import org.apache.openejb.api.resource.DestroyableResource;
import org.apache.openejb.core.ThreadContext;
import org.apache.openejb.core.ThreadContextListener;
import org.apache.openejb.core.security.JaccProvider;
import org.apache.openejb.core.security.jaas.GroupPrincipal;
import org.apache.openejb.core.security.jacc.BasicJaccProvider;
import org.apache.openejb.core.security.jacc.BasicPolicyConfiguration;
import org.apache.openejb.loader.SystemInstance;
import org.apache.openejb.spi.CallerPrincipal;
import org.apache.openejb.spi.SecurityService;
import org.apache.openejb.util.JavaSecurityManagers;

/* loaded from: input_file:lib/openejb-core-7.0.8.jar:org/apache/openejb/core/security/AbstractSecurityService.class */
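/**
 * Base implementation of the OpenEJB {@link SecurityService} contract.
 *
 * <p>What this class does, as visible here:
 * <ul>
 *   <li>installs the JACC policy-configuration factory and policy provider ({@link #installJacc()});</li>
 *   <li>keeps the registry of logged-in identities ({@link #registerSubject(Subject)},
 *       {@link #logout(UUID)}, {@link #unregisterSubject(Object)});</li>
 *   <li>binds one logged-in identity to the calling thread ({@link #associate(UUID)},
 *       {@link #disassociate()}, {@link #currentState()}, {@link #setState(Object)});</li>
 *   <li>propagates a {@link SecurityContext} into every {@link ThreadContext} as beans are entered;</li>
 *   <li>answers {@code isCallerInRole}, {@code isCallerAuthorized} and {@code getCallerPrincipal}
 *       from that context.</li>
 * </ul>
 *
 * <p>Thread-safety: {@code identities} is a {@link ConcurrentHashMap} shared by all instances (it is
 * static) and {@code clientIdentity} is per thread. {@code defaultUser}, {@code realmName},
 * {@code defaultSubject} and {@code defaultContext} are plain fields written without
 * synchronization; they are expected to be configured before concurrent use.
 *
 * <p>The realm-qualified {@code login(realm, user, password)} that {@link #login(String, String)}
 * delegates to is not defined in this class; it is supplied by the {@link SecurityService}
 * contract / a subclass.
 */
public abstract class AbstractSecurityService implements DestroyableResource, SecurityService<UUID>, ThreadContextListener, BasicPolicyConfiguration.RoleResolver {
    /** System property naming the JACC {@code PolicyConfigurationFactory} implementation. */
    private static final String JACC_FACTORY_PROVIDER_PROPERTY = "javax.security.jacc.PolicyConfigurationFactory.provider";
    /** Container option naming a JACC {@link Policy} implementation to install if none is set. */
    private static final String JACC_POLICY_PROVIDER_PROPERTY = "javax.security.jacc.policy.provider";

    /**
     * Logged-in identities keyed by their token. Entries only leave the map through
     * {@link #logout(UUID)} / {@link #unregisterSubject(Object)}; no expiry is applied here.
     */
    private static final Map<Object, Identity> identities = new ConcurrentHashMap<>();
    /**
     * Identity bound to the calling thread by {@link #associate(UUID)}; cleared by
     * {@link #disassociate()}, {@link #onLogout(HttpServletRequest)} and {@link #setState(Object)}.
     */
    protected static final ThreadLocal<Identity> clientIdentity = new ThreadLocal<>();
    /** Name used for both the user and the group of the default (unauthenticated) subject. */
    protected String defaultUser;
    private String realmName;
    protected Subject defaultSubject;
    /**
     * Context applied when no caller identity is available. Being bound to this exact instance is
     * what {@link #isCallerInRole(String)} treats as "not authenticated" for the {@code **} role.
     */
    protected SecurityContext defaultContext;

    /**
     * A named group of principals, used as the role-carrying principal of subjects built by
     * {@link #createSubject(String, String)}.
     *
     * <p>Implements the deprecated {@code java.security.acl.Group} because role checks in this
     * class look principals up by that type. Membership is flat ({@link #isMember} does not search
     * nested groups), the member list is not synchronized, and equality is identity-based.
     */
    public static class Group implements java.security.acl.Group {
        private final List<Principal> members = new ArrayList<>();
        private final String name;

        /** @param groupName the group's name, returned by {@link #getName()} */
        public Group(final String groupName) {
            this.name = groupName;
        }

        @Override
        public boolean addMember(final Principal principal) {
            return this.members.add(principal);
        }

        @Override
        public boolean removeMember(final Principal principal) {
            return this.members.remove(principal);
        }

        /** Flat lookup: only direct members are considered. */
        @Override
        public boolean isMember(final Principal principal) {
            return this.members.contains(principal);
        }

        @Override
        public Enumeration<? extends Principal> members() {
            return Collections.enumeration(this.members);
        }

        @Override
        public String getName() {
            return this.name;
        }
    }

    /**
     * A logged-in {@link Subject} together with the opaque token handed back to the client.
     *
     * <p>Serializable so it can be carried as the service's state (see {@link #currentState()} and
     * {@link #setState(Object)}); the embedded subject must itself serialize for that to succeed.
     */
    public static class Identity implements Serializable {
        private final Subject subject;
        private final UUID token;

        /** Wraps {@code subject} under a freshly generated random token. */
        public Identity(final Subject subject) {
            this(subject, UUID.randomUUID());
        }

        /**
         * @param subject the authenticated subject
         * @param token   the token this identity is registered under
         */
        public Identity(final Subject subject, final UUID token) {
            this.subject = subject;
            this.token = token;
        }

        public Subject getSubject() {
            return this.subject;
        }

        public UUID getToken() {
            return this.token;
        }
    }

    /**
     * Marker wrapper placed into a {@link ThreadContext} by an external party to supply the
     * {@link SecurityContext} that {@link #contextEntered} should honour.
     */
    public static final class ProvidedSecurityContext {
        public final SecurityContext context;

        public ProvidedSecurityContext(final SecurityContext securityContext) {
            this.context = securityContext;
        }
    }

    /**
     * A subject paired with the {@link AccessControlContext} captured while running as that subject.
     *
     * <p>The context is captured via {@code Subject.doAsPrivileged(subject, action, null)}: the
     * {@code null} parent context means the captured ACC carries the subject's principals rather
     * than the protection domains of whoever constructed this object. {@code acc} is what
     * {@link #isCallerAuthorized(Method, InterfaceType)} checks {@link EJBMethodPermission} against.
     */
    public static final class SecurityContext {
        public final Subject subject;
        public final AccessControlContext acc;

        /** @param subject may be {@code null}; the captured context then carries no subject principals */
        public SecurityContext(final Subject subject) {
            this.subject = subject;
            this.acc = Subject.doAsPrivileged(subject, new PrivilegedAction<AccessControlContext>() {
                @Override
                public AccessControlContext run() {
                    return AccessController.getContext();
                }
            }, null);
        }
    }

    /**
     * The caller principal of subjects built by {@link #createSubject(String, String)}.
     *
     * <p>Annotated {@link CallerPrincipal} so that {@link #getCallerPrincipal()} prefers it over
     * any other principal in the subject. Equality is by class and name.
     */
    @CallerPrincipal
    public static class User implements Principal {
        private final String name;

        /** @param userName the principal name, returned by {@link #getName()} */
        public User(final String userName) {
            this.name = userName;
        }

        @Override
        public String getName() {
            return this.name;
        }

        @Override
        public boolean equals(final Object obj) {
            if (this == obj) {
                return true;
            }
            if (obj == null || getClass() != obj.getClass()) {
                return false;
            }
            final User other = (User) obj;
            return Objects.equals(this.name, other.name);
        }

        @Override
        public int hashCode() {
            return Objects.hashCode(this.name);
        }
    }

    /** Creates the service with the JACC provider chosen by {@link #autoJaccProvider()}. */
    public AbstractSecurityService() {
        this(autoJaccProvider());
    }

    /**
     * Creates the service, installs JACC, and registers this instance as a thread-context listener
     * and as the container's role resolver.
     *
     * <p>Note: {@code this} is published to {@link ThreadContext} and {@link SystemInstance} before
     * any subclass constructor has run, and {@link #updateSecurityContext()} calls the overridable
     * {@link #createSubject(String, String)} at that point as well.
     *
     * @param jaccProvider class name published under the {@link JaccProvider} system property
     */
    public AbstractSecurityService(final String jaccProvider) {
        this.defaultUser = "guest";
        this.realmName = "PropertiesLogin";
        JavaSecurityManagers.setSystemProperty(JaccProvider.class.getName(), jaccProvider);
        installJacc();
        ThreadContext.addThreadContextListener(this);
        updateSecurityContext();
        SystemInstance.get().setComponent(BasicPolicyConfiguration.RoleResolver.class, this);
    }

    /** No-op here; nothing is held that needs releasing at this level. */
    @Override
    public void destroyResource() {
    }

    /** Drops the identity bound to the current thread; the registry entry itself is left in place. */
    @Override
    public void onLogout(final HttpServletRequest httpServletRequest) {
        clientIdentity.remove();
    }

    public String getRealmName() {
        return this.realmName;
    }

    /** @param realmName realm passed to the three-argument {@code login} by {@link #login(String, String)} */
    public void setRealmName(final String realmName) {
        this.realmName = realmName;
    }

    public String getDefaultUser() {
        return this.defaultUser;
    }

    /** Changes the default user and rebuilds the default subject/context from it. */
    public void setDefaultUser(final String defaultUser) {
        this.defaultUser = defaultUser;
        updateSecurityContext();
    }

    /** Rebuilds {@code defaultSubject} / {@code defaultContext}; the default user doubles as its own group. */
    private void updateSecurityContext() {
        this.defaultSubject = createSubject(this.defaultUser, this.defaultUser);
        this.defaultContext = new SecurityContext(this.defaultSubject);
    }

    /** No-op here; subclasses may read their configuration from {@code properties}. */
    @Override
    public void init(final Properties properties) throws Exception {
    }

    /**
     * Logs in against the configured realm.
     *
     * @return the token of the registered identity
     * @throws LoginException when the realm-qualified login rejects the credentials
     */
    @Override
    public UUID login(final String username, final String password) throws LoginException {
        return login(this.realmName, username, password);
    }

    /**
     * Keeps, in principal order, every principal name that is also a declared logical role.
     *
     * @param principals   the caller's principals
     * @param logicalRoles the roles declared for the module
     * @return the matching names, insertion-ordered and without duplicates
     */
    @Override
    public Set<String> getLogicalRoles(final Principal[] principals, final Set<String> logicalRoles) {
        final Set<String> roles = new LinkedHashSet<>(principals.length);
        for (final Principal principal : principals) {
            final String name = principal.getName();
            if (logicalRoles.contains(name)) {
                roles.add(name);
            }
        }
        return roles;
    }

    /**
     * Decides which {@link SecurityContext} the entered bean runs under and stores it in
     * {@code newContext}.
     *
     * <p>Precedence: the calling bean's context when there is one, else an explicitly
     * {@link ProvidedSecurityContext}, else nothing. When no context was provided and the inherited
     * one is absent or the default, the thread's associated {@link Identity} (if any) is promoted
     * to a fresh context; otherwise the default context is used.
     */
    @Override
    public void contextEntered(final ThreadContext oldContext, final ThreadContext newContext) {
        JavaSecurityManagers.setContextID(newContext.getBeanContext().getModuleID());

        final ProvidedSecurityContext provided = (ProvidedSecurityContext) newContext.get(ProvidedSecurityContext.class);
        SecurityContext securityContext;
        if (oldContext != null) {
            // nested call: inherit whatever the calling bean was running as
            securityContext = (SecurityContext) oldContext.get(SecurityContext.class);
        } else if (provided != null) {
            securityContext = provided.context;
        } else {
            securityContext = null;
        }

        if (provided == null && (securityContext == null || securityContext == this.defaultContext)) {
            final Identity identity = clientIdentity.get();
            securityContext = identity != null ? new SecurityContext(identity.getSubject()) : getDefaultContext();
        }
        newContext.set(SecurityContext.class, securityContext);
    }

    /**
     * Replaces the thread context's security context with the bean's run-as subject (falling back
     * to {@code fallbackBeanContext}'s run-as when the first yields none) and clears the thread's
     * client identity.
     *
     * @return the token that was associated with the thread, or {@code null} if none
     */
    public UUID overrideWithRunAsContext(final ThreadContext threadContext, final BeanContext beanContext, final BeanContext fallbackBeanContext) {
        Subject runAsSubject = getRunAsSubject(beanContext);
        if (fallbackBeanContext != null && runAsSubject == null) {
            runAsSubject = getRunAsSubject(fallbackBeanContext);
        }
        threadContext.set(SecurityContext.class, new SecurityContext(runAsSubject));
        return disassociate();
    }

    /** @return the bean's run-as subject, or {@code null} when there is no bean context or no run-as user */
    public Subject getRunAsSubject(final BeanContext beanContext) {
        if (beanContext == null) {
            return null;
        }
        return createRunAsSubject(beanContext.getRunAsUser(), beanContext.getRunAs());
    }

    /** Hook for subclasses; by default a run-as subject is an ordinary {@link #createSubject}. */
    protected Subject createRunAsSubject(final String runAsUser, final String runAsRole) {
        return createSubject(runAsUser, runAsRole);
    }

    /** Restores the JACC context id of the context being returned to ({@code null} when leaving the last one). */
    @Override
    public void contextExited(final ThreadContext exitedContext, final ThreadContext reenteredContext) {
        if (reenteredContext == null) {
            JavaSecurityManagers.setContextID(null);
        } else {
            JavaSecurityManagers.setContextID(reenteredContext.getBeanContext().getModuleID());
        }
    }

    /**
     * Registers an authenticated subject and returns its new random token.
     *
     * @return the token under which the subject can later be {@link #associate(UUID) associated}
     */
    public UUID registerSubject(final Subject subject) {
        final Identity identity = new Identity(subject);
        final UUID token = identity.getToken();
        identities.put(token, identity);
        return token;
    }

    /**
     * Removes a registered identity.
     *
     * @throws LoginException if {@code securityIdentity} is not registered
     */
    @Override
    public void logout(final UUID securityIdentity) throws LoginException {
        // single atomic remove: a separate get()+remove() lets two concurrent logouts of one token both succeed
        if (identities.remove(securityIdentity) == null) {
            throw new LoginException("Identity is not currently logged in: " + securityIdentity);
        }
    }

    /** Removes a registered identity without complaint when it is absent. */
    protected void unregisterSubject(final Object token) {
        identities.remove(token);
    }

    /**
     * Binds the registered identity for {@code securityIdentity} to the current thread.
     *
     * @throws LoginException        if the thread already carries an identity (it is never silently
     *                               overwritten) or the token is not registered
     * @throws NullPointerException  if {@code securityIdentity} is {@code null}
     */
    @Override
    public void associate(final UUID securityIdentity) throws LoginException {
        final Identity current = clientIdentity.get();
        if (current != null && current.getToken() != null) {
            // report principals only: Subject.toString() would also render credentials into the message
            final Subject currentSubject = current.getSubject();
            throw new LoginException("Thread already associated with a client identity.  Refusing to overwrite. (current="
                    + current.getToken() + "/" + (currentSubject == null ? null : currentSubject.getPrincipals())
                    + ", refused=" + securityIdentity + ")");
        }
        Objects.requireNonNull(securityIdentity, "The security token passed in is null");
        final Identity identity = identities.get(securityIdentity);
        if (identity == null) {
            throw new LoginException("Identity is not currently logged in: " + securityIdentity);
        }
        clientIdentity.set(identity);
    }

    /**
     * Unbinds the thread's identity.
     *
     * @return the token that was bound, or {@code null} if none
     */
    @Override
    public UUID disassociate() {
        try {
            final Identity identity = clientIdentity.get();
            return identity == null ? null : identity.getToken();
        } finally {
            clientIdentity.remove();
        }
    }

    /**
     * Checks the current thread context's subject for a {@link Group} or {@link GroupPrincipal}
     * named {@code role}. The special role {@code **} means "any caller that is not running under
     * the default context".
     *
     * @return {@code false} whenever there is no thread context, security context or subject
     * @throws IllegalArgumentException if {@code role} is {@code null}
     */
    @Override
    public boolean isCallerInRole(final String role) {
        if (role == null) {
            throw new IllegalArgumentException("Role must not be null");
        }
        final ThreadContext threadContext = ThreadContext.getThreadContext();
        if (threadContext == null) {
            return false;
        }
        final SecurityContext securityContext = (SecurityContext) threadContext.get(SecurityContext.class);
        if (securityContext == null) {
            return false; // fail closed: no context is not "authenticated"
        }
        if ("**".equals(role)) {
            return securityContext != this.defaultContext;
        }
        final Subject subject = securityContext.subject;
        if (subject == null) {
            return false;
        }
        for (final Group group : subject.getPrincipals(Group.class)) {
            if (role.equals(group.getName())) {
                return true;
            }
        }
        for (final GroupPrincipal group : subject.getPrincipals(GroupPrincipal.class)) {
            if (role.equals(group.getName())) {
                return true;
            }
        }
        return false;
    }

    /**
     * Returns the caller principal of the thread context's subject, or — outside any bean
     * context — of the identity associated with the thread.
     *
     * @return {@code null} when neither a subject nor any principal is available
     */
    @Override
    public Principal getCallerPrincipal() {
        final ThreadContext threadContext = ThreadContext.getThreadContext();
        if (threadContext != null) {
            final SecurityContext securityContext = (SecurityContext) threadContext.get(SecurityContext.class);
            if (securityContext == null || securityContext.subject == null) {
                return null;
            }
            return getCallerPrincipal(securityContext.subject.getPrincipals());
        }
        final Identity identity = clientIdentity.get();
        if (identity == null || identity.getSubject() == null) {
            return null;
        }
        return getCallerPrincipal(identity.getSubject().getPrincipals());
    }

    /**
     * Picks the caller principal out of a principal set: the first one whose class is annotated
     * {@link CallerPrincipal}, else simply the first principal, else {@code null} for an empty set.
     */
    private Principal getCallerPrincipal(final Set<Principal> principals) {
        if (principals.isEmpty()) {
            return null;
        }
        for (final Principal principal : principals) {
            if (principal.getClass().isAnnotationPresent(CallerPrincipal.class)) {
                return principal;
            }
        }
        return principals.iterator().next();
    }

    /**
     * Asks the installed JACC policy whether the caller may invoke {@code method} on the current bean.
     *
     * <p>{@code LocalBean} / {@code LocalBeanHome} are not JACC method-interface names, so the
     * interface component of the permission is left empty for no-interface views. When an identity
     * is associated with the thread it takes precedence over the context stored in the thread
     * context. Only {@link AccessControlException} is mapped to {@code false}; other failures
     * propagate.
     *
     * @return {@code true} if the permission check passes; {@code false} if it is denied or there is
     *         no thread context / security context to check against
     */
    @Override
    public boolean isCallerAuthorized(final Method method, final InterfaceType interfaceType) {
        final ThreadContext threadContext = ThreadContext.getThreadContext();
        if (threadContext == null) {
            return false; // nothing to authorize against: deny rather than fail with an NPE
        }
        try {
            final String ejbName = threadContext.getBeanContext().getEjbName();
            String methodInterface = interfaceType == null ? null : interfaceType.getSpecName();
            if ("LocalBean".equals(methodInterface) || "LocalBeanHome".equals(methodInterface)) {
                methodInterface = null;
            }

            final Identity identity = clientIdentity.get();
            final SecurityContext securityContext = identity == null
                    ? (SecurityContext) threadContext.get(SecurityContext.class)
                    : new SecurityContext(identity.getSubject());
            if (securityContext == null) {
                return false;
            }
            securityContext.acc.checkPermission(new EJBMethodPermission(ejbName, methodInterface, method));
            return true;
        } catch (final AccessControlException e) {
            return false;
        }
    }

    /**
     * @return the {@link JaccProvider} class name configured on the running {@link SystemInstance},
     *         or {@link BasicJaccProvider} when none is configured or the instance is not initialised
     */
    public static String autoJaccProvider() {
        if (SystemInstance.isInitialized()) {
            return SystemInstance.get().getProperty(JaccProvider.class.getName(), BasicJaccProvider.class.getName());
        }
        return BasicJaccProvider.class.getName();
    }

    /**
     * Installs the JACC policy-configuration factory and makes sure {@link JaccProvider.Policy}
     * ends up as the JVM {@link Policy}.
     *
     * <p>If no factory provider is configured, OpenEJB's own is set and its class loader is made
     * the context loader while the factory is looked up; the original loader is restored right
     * after, so that any policy class named by {@code javax.security.jacc.policy.provider} loads
     * through it. That configured policy is only installed when no policy is set yet, and
     * {@link JaccProvider.Policy} is installed on top unless it is already the current policy.
     *
     * @throws IllegalStateException wrapping any failure, including a missing JVM policy
     */
    protected static void installJacc() {
        final ClassLoader originalLoader = Thread.currentThread().getContextClassLoader();
        try {
            if (JavaSecurityManagers.getSystemProperty(JACC_FACTORY_PROVIDER_PROPERTY) == null) {
                JavaSecurityManagers.setSystemProperty(JACC_FACTORY_PROVIDER_PROPERTY, JaccProvider.Factory.class.getName());
                Thread.currentThread().setContextClassLoader(JaccProvider.Factory.class.getClassLoader());
            }
            PolicyConfigurationFactory.getPolicyConfigurationFactory();
            // restore before installPolicy(): it resolves the policy class through the context loader
            Thread.currentThread().setContextClassLoader(originalLoader);

            final String configuredPolicy = SystemInstance.get().getOptions().getProperties().getProperty(JACC_POLICY_PROVIDER_PROPERTY);
            if (configuredPolicy != null && Policy.getPolicy() == null) {
                installPolicy(configuredPolicy);
            }
            if (!JaccProvider.Policy.class.getName().equals(Policy.getPolicy().getClass().getName())) {
                installPolicy(JaccProvider.Policy.class.getName());
            }
        } catch (final Exception e) {
            throw new IllegalStateException("Could not install JACC Policy Configuration Factory: "
                    + JavaSecurityManagers.getSystemProperty(JACC_FACTORY_PROVIDER_PROPERTY), e);
        } finally {
            Thread.currentThread().setContextClassLoader(originalLoader);
        }
    }

    /**
     * Loads {@code policyClassName} through the context class loader, refreshes it and sets it as
     * the JVM {@link Policy}. The name comes from container configuration, not from callers.
     *
     * @throws IllegalStateException wrapping any loading, instantiation or type failure
     */
    private static void installPolicy(final String policyClassName) {
        try {
            final Policy policy = Class.forName(policyClassName, true, Thread.currentThread().getContextClassLoader())
                    .asSubclass(Policy.class)
                    .getDeclaredConstructor()
                    .newInstance();
            policy.refresh();
            Policy.setPolicy(policy);
        } catch (final Exception e) {
            throw new IllegalStateException("Could not install JACC Policy Provider: " + policyClassName, e);
        }
    }

    /**
     * Builds a read-only subject holding a {@link User} and a {@link Group} that contains it.
     * No public or private credentials are attached.
     *
     * @param userName  the caller principal's name; {@code null} yields {@code null}
     * @param groupName the single group/role the user belongs to
     */
    protected Subject createSubject(final String userName, final String groupName) {
        if (userName == null) {
            return null;
        }
        final User user = new User(userName);
        final Group group = new Group(groupName);
        group.addMember(user);

        final Set<Principal> principals = new HashSet<>();
        principals.add(user);
        principals.add(group);
        return new Subject(true, principals, new HashSet<Object>(), new HashSet<Object>());
    }

    /** @return the thread's associated {@link Identity}, or {@code null}; fed back through {@link #setState(Object)} */
    @Override
    public Object currentState() {
        return clientIdentity.get();
    }

    /**
     * Restores thread state captured by {@link #currentState()}: an {@link Identity} is bound,
     * {@code null} unbinds, and any other type is silently ignored.
     */
    @Override
    public void setState(final Object state) {
        if (state instanceof Identity) {
            clientIdentity.set((Identity) state);
        } else if (state == null) {
            clientIdentity.remove();
        }
    }

    /** @return the context used for callers without an identity */
    public SecurityContext getDefaultContext() {
        return this.defaultContext;
    }
}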
