package com.sun.enterprise.admin.util;

import com.sun.enterprise.config.serverbeans.AdminService;
import com.sun.enterprise.config.serverbeans.AuthRealm;
import com.sun.enterprise.config.serverbeans.Domain;
import com.sun.enterprise.config.serverbeans.SecureAdmin;
import com.sun.enterprise.config.serverbeans.SecurityService;
import com.sun.enterprise.security.SecurityContext;
import com.sun.enterprise.security.auth.realm.file.FileRealm;
import com.sun.enterprise.security.auth.realm.file.FileRealmUser;
import com.sun.enterprise.util.LocalStringManagerImpl;
import com.sun.enterprise.util.net.NetUtils;
import jakarta.inject.Inject;
import jakarta.inject.Named;
import java.io.File;
import java.io.IOException;
import java.rmi.server.RemoteServer;
import java.rmi.server.ServerNotActiveException;
import java.security.Principal;
import java.util.Enumeration;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.management.remote.JMXAuthenticator;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginException;
import org.glassfish.api.admin.ServerEnvironment;
import org.glassfish.api.container.Sniffer;
import org.glassfish.common.util.admin.AuthTokenManager;
import org.glassfish.grizzly.http.server.Request;
import org.glassfish.hk2.api.PostConstruct;
import org.glassfish.hk2.api.ServiceLocator;
import org.glassfish.internal.api.AdminAccessController;
import org.glassfish.internal.api.LocalPassword;
import org.glassfish.internal.api.RemoteAdminAccessException;
import org.glassfish.internal.api.ServerContext;
import org.glassfish.logging.annotation.LoggerInfo;
import org.glassfish.security.common.Group;
import org.glassfish.security.services.api.authentication.AuthenticationService;
import org.jvnet.hk2.annotations.ContractsProvided;
import org.jvnet.hk2.annotations.Optional;
import org.jvnet.hk2.annotations.Service;

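/**
 * Authenticates administrative callers and enforces the secure-admin policy for
 * remote access.
 * <p>
 * Three entry points feed the same checks:
 * <ul>
 *   <li>{@link #loginAsAdmin(Request, String)} for HTTP admin requests, whose
 *       credentials are collected by {@link AdminCallbackHandler};</li>
 *   <li>{@link #loginAsAdmin(String, String, String, String)} for explicit
 *       user/password logins;</li>
 *   <li>{@link #authenticate(Object)} ({@link JMXAuthenticator}) for JMX
 *       connectors, which adapts the credential array onto the explicit-login
 *       path.</li>
 * </ul>
 * Every path runs {@code rejectRemoteAdminIfDisabled}, which refuses a
 * non-local caller while secure admin is not enabled unless the caller
 * presents the special admin indicator or a one-time auth token.
 * <p>
 * Thread-safety: {@link #postConstruct()} is synchronized; {@code secureAdmin}
 * is written once there and only read afterwards; the injected
 * {@code ss}/{@code as} fields are volatile.
 */
@ContractsProvided({JMXAuthenticator.class, AdminAccessController.class})
@Service
/* loaded from: input_file:com/sun/enterprise/admin/util/GenericAdminAuthenticator.class */
public class GenericAdminAuthenticator implements AdminAccessController, JMXAuthenticator, PostConstruct {

    @Inject
    ServiceLocator habitat;

    // Injected but not referenced by any method below.
    @Inject
    @Named("security")
    @Optional
    Sniffer snif;

    // Injected but not referenced by any method below.
    @Inject
    @Named(ServerEnvironment.DEFAULT_INSTANCE_NAME)
    volatile SecurityService ss;

    // Admin service config: realm association, file-realm flag and JMX connector realm.
    @Inject
    @Named(ServerEnvironment.DEFAULT_INSTANCE_NAME)
    volatile AdminService as;

    @Inject
    LocalPassword localPassword;

    // Injected but not referenced by any method below.
    @Inject
    ServerContext sc;

    @Inject
    Domain domain;

    @Inject
    private AuthTokenManager authTokenManager;
    // Snapshot of domain.getSecureAdmin() taken in postConstruct(); may be null.
    private SecureAdmin secureAdmin;

    // Injected but not referenced by any method below.
    @Inject
    ServerEnvironment serverEnv;

    @Inject
    private AuthenticationService authService;

    @LoggerInfo(subsystem = "ADMSEC", description = "Admin security")
    private static final String ADMSEC_LOGGER_NAME = "jakarta.enterprise.system.tools.admin.security";
    static final Logger ADMSEC_LOGGER = Logger.getLogger(ADMSEC_LOGGER_NAME, AdminLoggerInfo.SHARED_LOGMESSAGE_RESOURCE);
    // Retained for compatibility; not referenced by any method in this class.
    private static LocalStringManagerImpl lsm = new LocalStringManagerImpl(GenericAdminAuthenticator.class);

    /**
     * Caches the domain's secure-admin configuration and refuses to start when
     * the admin service uses a {@link FileRealm} that has no authenticatable
     * user (the "empty admin password" case). Realms of any other class are
     * accepted without inspection.
     *
     * @throws IllegalStateException if the admin file realm has no authenticatable user
     * @throws RuntimeException wrapping any other failure while inspecting the realm
     */
    @Override
    public synchronized void postConstruct() {
        this.secureAdmin = this.domain.getSecureAdmin();
        if (!this.as.usesFileRealm()) {
            return;
        }
        boolean hasAuthenticatableUser;
        try {
            AuthRealm realm = this.as.getAssociatedAuthRealm();
            // Only a FileRealm can be inspected here; any other realm class passes.
            hasAuthenticatableUser = !FileRealm.class.getName().equals(realm.getClassname())
                    || new FileRealm(realm.getPropertyValue("file")).hasAuthenticatableUser();
        } catch (Exception e) {
            ADMSEC_LOGGER.log(Level.SEVERE, AdminLoggerInfo.mUnexpectedException, e);
            throw new RuntimeException(e);
        }
        if (!hasAuthenticatableUser) {
            // Thrown outside the try so the IllegalStateException is not caught,
            // logged a second time and re-wrapped as a RuntimeException.
            ADMSEC_LOGGER.log(Level.SEVERE, AdminLoggerInfo.mSecureAdminEmptyPassword);
            throw new IllegalStateException(
                    ADMSEC_LOGGER.getResourceBundle().getString(AdminLoggerInfo.mSecureAdminEmptyPassword));
        }
    }

    /**
     * Authenticates an explicit user/password pair.
     *
     * @param user       user name; empty (or null) selects the default admin user
     * @param password   clear-text password; null is treated as an authentication failure
     * @param realm      realm name (only used for logging and the group check)
     * @param originHost host the request originated from, used for the remote-admin restriction
     * @return the authenticated Subject
     * @throws LoginException if the password is null, the user cannot be resolved,
     *         the caller is not in the admin group, or the realm rejects the credentials
     */
    @Override
    public Subject loginAsAdmin(String user, String password, String realm, String originHost) throws LoginException {
        if (password == null) {
            // Fail closed: a missing password is an authentication failure, not a server error (NPE).
            throw new LoginException();
        }
        return authenticate(user, password.toCharArray(), realm, originHost);
    }

    /**
     * Authenticates an HTTP admin request using the host reported by the request.
     *
     * @throws LoginException on authentication failure or when reading the request fails
     */
    @Override
    public Subject loginAsAdmin(Request request) throws LoginException {
        return loginAsAdmin(request, null);
    }

    /**
     * Authenticates an HTTP admin request.
     *
     * @param request           the incoming admin request
     * @param alternateHostname host name to use instead of the request's remote host; may be null
     * @return the authenticated Subject
     * @throws LoginException on authentication failure; an {@link IOException} while
     *         reading credentials is wrapped as the LoginException's cause
     */
    @Override
    public Subject loginAsAdmin(Request request, String alternateHostname) throws LoginException {
        try {
            return authenticate(request, alternateHostname);
        } catch (IOException e) {
            LoginException wrapped = new LoginException();
            wrapped.initCause(e);
            throw wrapped;
        }
    }

    /**
     * Returns true when the realm has no group mapping configured (no group
     * check possible) or the current caller belongs to the admin group.
     */
    private boolean isInAdminGroup(String user, String realm) {
        return this.as.getAssociatedAuthRealm().getGroupMapping() == null || ensureGroupMembership(user, realm);
    }

    /**
     * Checks whether the current {@link SecurityContext} carries the
     * {@code asadmin} group principal.
     * <p>
     * NOTE(review): this inspects the caller's current security context rather
     * than the credentials being presented; the {@code user} and {@code realm}
     * parameters are not consulted. Any exception is treated as "not a member".
     */
    private boolean ensureGroupMembership(String user, String realm) {
        try {
            for (Principal principal : SecurityContext.getCurrent().getPrincipalSet()) {
                if (principal instanceof Group && ((Group) principal).getName().equals("asadmin")) {
                    return true;
                }
            }
            ADMSEC_LOGGER.fine("User is not a member of the special admin group");
            return false;
        } catch (Exception e) {
            ADMSEC_LOGGER.log(Level.FINE, "User is not a member of the special admin group: {0}", e);
            return false;
        }
    }

    /**
     * Request-based authentication: realm login through the callback handler,
     * then the remote-admin restriction, then consumption of any one-time token.
     *
     * @throws IOException if the callback handler fails reading the request
     * @throws LoginException if the realm rejects the credentials
     * @throws RemoteAdminAccessException if the caller is remote and secure admin is disabled
     */
    private Subject authenticate(Request request, String alternateHostname) throws IOException, LoginException {
        AdminCallbackHandler cbh = new AdminCallbackHandler(this.habitat, request, alternateHostname, getDefaultAdminUser(), this.localPassword);
        try {
            Subject subject = this.authService.login(cbh, null);
            // The remote-access restriction is applied after the realm accepted the credentials.
            rejectRemoteAdminIfDisabled(cbh);
            // The token's own Subject is discarded here; consuming it presumably
            // invalidates it for further use — see AuthTokenManager.
            consumeTokenIfPresent(request);
            logAuthOutcome("*** Login worked\n  user={0}\n  dn={1}\n  tkn={2}\n  admInd={3}\n  host={4}\n", cbh, null);
            return subject;
        } catch (RemoteAdminAccessException e) {
            logAuthOutcome("*** RemoteAdminAccessException during auth for {5}\n  user={0}\n  dn={1}\n  tkn={2}\n  admInd={3}\n  host={4}\n",
                    cbh, request.getContextPath());
            throw e;
        } catch (LoginException e) {
            logAuthOutcome("*** LoginException during auth for {5}\n  user={0}\n  dn={1}\n  tkn={2}\n  admInd={3}\n  host={4}\n",
                    cbh, request.getContextPath());
            throw e;
        }
    }

    /**
     * Writes one FINE record for an authentication attempt. {@code message} is a
     * MessageFormat pattern whose arguments 0-4 are the handler's user name,
     * client principal name, token, admin indicator and remote host; argument 5
     * is {@code contextPath} (null for patterns that do not reference it).
     * <p>
     * NOTE(review): the token and admin indicator are written to the log at
     * FINE, so FINE admin-security logs must be treated as sensitive.
     */
    private static void logAuthOutcome(String message, AdminCallbackHandler cbh, String contextPath) {
        if (!ADMSEC_LOGGER.isLoggable(Level.FINE)) {
            return;
        }
        Object[] args = new Object[6];
        args[0] = cbh.pw().getUserName();
        args[1] = cbh.clientPrincipal() == null ? "null" : cbh.clientPrincipal().getName();
        args[2] = cbh.tkn();
        args[3] = cbh.adminIndicator();
        args[4] = cbh.remoteHost();
        args[5] = contextPath;
        ADMSEC_LOGGER.log(Level.FINE, message, args);
    }

    /**
     * Rejects the caller when secure admin is not enabled and {@code host} is
     * not this machine.
     *
     * @throws RemoteAdminAccessException if the host is remote and secure admin is disabled
     */
    private void rejectRemoteAdminIfDisabled(String host) throws RemoteAdminAccessException {
        if (!SecureAdmin.Util.isEnabled(this.secureAdmin) && !NetUtils.isThisHostLocal(host)) {
            throw new RemoteAdminAccessException();
        }
    }

    /**
     * Request variant of the remote-admin restriction. The caller is exempt when
     * it presents the special admin indicator or a one-time token.
     * <p>
     * NOTE(review): when {@code secureAdmin} is null no restriction is applied at
     * all. The indicator comparison uses {@code String.equals}, which is not
     * constant-time; if the indicator is a secret taken from the request, a
     * constant-time comparison would be preferable.
     *
     * @throws RemoteAdminAccessException if the caller is remote and secure admin is disabled
     */
    private void rejectRemoteAdminIfDisabled(AdminCallbackHandler cbh) throws RemoteAdminAccessException {
        if (this.secureAdmin == null) {
            return;
        }
        if (this.secureAdmin.getSpecialAdminIndicator().equals(cbh.adminIndicator()) || cbh.tkn() != null) {
            return;
        }
        rejectRemoteAdminIfDisabled(cbh.getRemoteHost());
    }

    /**
     * Consumes the one-time auth token carried in the request header, if present.
     *
     * @return the Subject the token manager associates with the token, or null
     *         when the header is absent
     */
    private Subject consumeTokenIfPresent(Request request) {
        String token = request.getHeader(SecureAdmin.Util.ADMIN_ONE_TIME_AUTH_TOKEN_HEADER_NAME);
        if (token == null) {
            return null;
        }
        return this.authTokenManager.consumeToken(token);
    }

    /**
     * Finds the single user of the admin file realm that belongs to the
     * {@code asadmin} group.
     *
     * @return that user name, or null when the admin realm is not a FileRealm,
     *         the keyfile is not configured or does not exist, the realm holds
     *         zero or several admin users, or reading the realm fails
     */
    private String getDefaultAdminUser() {
        AuthRealm realm = this.as.getAssociatedAuthRealm();
        if (realm == null) {
            return null;
        }
        if (!FileRealm.class.getName().equals(realm.getClassname())) {
            ADMSEC_LOGGER.fine("CAN'T FIND DEFAULT ADMIN USER: IT'S NOT A FILE REALM");
            return null;
        }
        String keyFilePath = realm.getPropertyValue("file");
        File keyFile = keyFilePath == null ? null : new File(keyFilePath);
        if (keyFile == null || !keyFile.exists()) {
            ADMSEC_LOGGER.fine("CAN'T FIND DEFAULT ADMIN USER: THE KEYFILE DOES NOT EXIST");
            return null;
        }
        try {
            FileRealm fileRealm = new FileRealm(keyFile.getAbsolutePath());
            String adminUser = null;
            Enumeration<String> userNames = fileRealm.getUserNames();
            while (userNames.hasMoreElements()) {
                String candidate = userNames.nextElement();
                for (String group : ((FileRealmUser) fileRealm.getUser(candidate)).getGroups()) {
                    if (group.equals("asadmin")) {
                        // A second admin membership (even a repeated one) means no unique default.
                        if (adminUser != null) {
                            ADMSEC_LOGGER.log(Level.FINE, "There are multiple admin users so we cannot use any as a default");
                            return null;
                        }
                        adminUser = candidate;
                    }
                }
            }
            if (adminUser == null) {
                ADMSEC_LOGGER.log(Level.FINE, "There are no admin users so we cannot use any as a default");
            } else {
                ADMSEC_LOGGER.log(Level.FINE, "Will use \"{0}\", if needed, for a default admin user", adminUser);
            }
            return adminUser;
        } catch (Exception e) {
            ADMSEC_LOGGER.log(Level.WARNING, AdminLoggerInfo.mAdminUserSearchError, e);
            return null;
        }
    }

    /**
     * Explicit-credential authentication: resolves the default admin user for an
     * empty user name, checks admin-group membership, applies the remote-admin
     * restriction (before the realm login in this path), then logs in.
     *
     * @throws LoginException if no user can be resolved, the caller is not in the
     *         admin group, or the realm rejects the credentials
     * @throws RemoteAdminAccessException if the caller is remote and secure admin is disabled
     */
    private Subject authenticate(String user, char[] password, String realm, String originHost) throws LoginException {
        String adminUser = (user == null || user.isEmpty()) ? getDefaultAdminUser() : user;
        if (adminUser == null) {
            // No user supplied and no unique default admin user: fail closed
            // instead of handing a null user name to the realm.
            ADMSEC_LOGGER.fine("No user supplied and no default admin user could be determined");
            throw new LoginException();
        }
        if (!isInAdminGroup(adminUser, realm)) {
            throw new LoginException();
        }
        try {
            rejectRemoteAdminIfDisabled(originHost);
            Subject subject = this.authService.login(adminUser, password, null);
            if (ADMSEC_LOGGER.isLoggable(Level.FINE)) {
                ADMSEC_LOGGER.log(Level.FINE, "*** Login worked\n  user={0}\n  host={1}\n", new Object[]{adminUser, originHost});
            }
            return subject;
        } catch (RemoteAdminAccessException e) {
            if (ADMSEC_LOGGER.isLoggable(Level.FINE)) {
                ADMSEC_LOGGER.log(Level.FINE, "*** RemoteAdminAccessException during auth\n  user={0}\n  host={1}\n  realm={2}\n", new Object[]{adminUser, originHost, realm});
            }
            throw e;
        } catch (LoginException e) {
            if (ADMSEC_LOGGER.isLoggable(Level.FINE)) {
                ADMSEC_LOGGER.log(Level.FINE, "*** LoginException during auth\n  user={0}\n  host={1}\n  realm={2}", new Object[]{adminUser, originHost, realm});
            }
            throw e;
        }
    }

    /**
     * {@link JMXAuthenticator} entry point. {@code credentials} is expected to be
     * a {@code String[]} of {user, password, host}; missing elements default to
     * an empty user, an empty password and the RMI client host. The realm is the
     * system JMX connector's realm, falling back to the admin service realm.
     * <p>
     * NOTE(review): the Subject returned by {@code loginAsAdmin} is discarded and
     * null is returned on success, so the JMX connector receives no Subject for
     * the session; confirm this is intended before relying on Subject-based
     * authorization.
     *
     * @return null on success
     * @throws SecurityException wrapping the LoginException on failure
     * @throws RuntimeException if the RMI client host cannot be determined
     */
    @Override
    public Subject authenticate(Object credentials) {
        String user = "";
        char[] password = "".toCharArray();
        String host = null;
        if (credentials instanceof String[]) {
            String[] creds = (String[]) credentials;
            if (creds.length == 1) {
                user = creds[0];
            } else if (creds.length >= 2) {
                user = creds[0];
                password = creds[1] != null ? creds[1].toCharArray() : "".toCharArray();
            }
            if (creds.length > 2) {
                host = creds[2];
            } else {
                try {
                    host = RemoteServer.getClientHost();
                } catch (ServerNotActiveException e) {
                    throw new RuntimeException(e);
                }
            }
        }
        String realm = this.as.getSystemJmxConnector().getAuthRealmName();
        if (realm == null) {
            realm = this.as.getAuthRealmName();
        }
        try {
            loginAsAdmin(user, new String(password), realm, host);
            return null;
        } catch (LoginException e) {
            if (ADMSEC_LOGGER.isLoggable(Level.FINE)) {
                ADMSEC_LOGGER.log(Level.FINE, "*** LoginException during JMX auth\n  user={0}\n  host={1}\n  realm={2}", new Object[]{user, host, realm});
            }
            throw new SecurityException(e);
        }
    }
}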
