package org.glassfish.ejb.security.application;

import com.sun.ejb.EjbInvocation;
import com.sun.enterprise.deployment.EjbIORConfigurationDescriptor;
import com.sun.enterprise.deployment.RunAsIdentityDescriptor;
import com.sun.enterprise.security.SecurityContext;
import com.sun.enterprise.security.SecurityManager;
import com.sun.enterprise.security.auth.login.LoginContextDriver;
import com.sun.enterprise.security.authorize.PolicyContextHandlerImpl;
import com.sun.enterprise.security.common.AppservAccessController;
import com.sun.enterprise.security.ee.PermissionCache;
import com.sun.enterprise.security.ee.PermissionCacheFactory;
import com.sun.enterprise.security.ee.SecurityUtil;
import com.sun.enterprise.security.ee.audit.AppServerAuditManager;
import com.sun.logging.LogDomains;
import jakarta.security.jacc.EJBMethodPermission;
import jakarta.security.jacc.PolicyContext;
import java.lang.reflect.Method;
import java.net.MalformedURLException;
import java.net.URI;
import java.net.URISyntaxException;
import java.security.AccessControlContext;
import java.security.AccessControlException;
import java.security.AccessController;
import java.security.CodeSource;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.security.ProtectionDomain;
import java.security.cert.Certificate;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import java.util.WeakHashMap;
import java.util.logging.Level;
import java.util.logging.Logger;
import java.util.stream.Collectors;
import javax.security.auth.Subject;
import javax.security.auth.SubjectDomainCombiner;
import org.glassfish.api.invocation.ComponentInvocation;
import org.glassfish.api.invocation.InvocationException;
import org.glassfish.api.invocation.InvocationManager;
import org.glassfish.deployment.common.SecurityRoleMapperFactory;
import org.glassfish.ejb.deployment.descriptor.EjbDescriptor;
import org.glassfish.ejb.security.factory.EJBSecurityManagerFactory;
import org.glassfish.exousia.AuthorizationService;
import org.glassfish.exousia.permissions.RolesToPermissionsTransformer;
import org.glassfish.exousia.spi.PrincipalMapper;
import org.glassfish.external.probe.provider.PluginPoint;
import org.glassfish.external.probe.provider.StatsProviderManager;

/* loaded from: input_file:org/glassfish/ejb/security/application/EJBSecurityManager.class */
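/**
 * Per-bean {@link SecurityManager} that answers authorization questions for a single EJB.
 *
 * <p>Method and role-reference checks are delegated to an {@link AuthorizationService} created for
 * the bean's policy context. The class also switches the thread's {@link SecurityContext} to the
 * configured run-as identity around an invocation, and builds the {@link ProtectionDomain} and
 * {@link AccessControlContext} objects used when a bean method is invoked under a Java
 * SecurityManager.
 *
 * <p>Security-relevant properties visible in this class:
 * <ul>
 *   <li>{@link #authorize} fails closed: any {@link Throwable} raised by the permission check is
 *       logged and treated as "deny".</li>
 *   <li>The authorization decision is cached on the invocation object, so later calls for the same
 *       invocation return the stored value without a new check or a new audit record.</li>
 *   <li>The three caches are synchronized {@link WeakHashMap}s keyed by private copies of the
 *       principal set. No strong reference to those copies is kept here, so entries can be cleared
 *       at any garbage collection; the caches are best-effort only.</li>
 * </ul>
 */
public final class EJBSecurityManager implements SecurityManager {
    private PermissionCache uncheckedMethodPermissionCache;
    private final EjbDescriptor deploymentDescriptor;
    private final InvocationManager invocationManager;
    private final EJBSecurityManagerFactory ejbSecurityManagerFactory;
    // Null when the bean uses the caller's identity; otherwise the identity to log in as.
    private final RunAsIdentityDescriptor runAs;
    private final AuthorizationService authorizationService;
    // Shared by all instances; published with double-checked locking (hence volatile).
    private static volatile EjbSecurityStatsProvider ejbStatsProvider;
    private String contextId;
    private CodeSource applicationCodeSource;
    // NOTE(review): never assigned anywhere in this class, so the constructor's "Codebase" log
    // line always prints null. Left in place because the intended value is not visible here.
    private String codebase;
    private String ejbName;
    private String realmName;
    private AppServerAuditManager auditManager;
    private static final Logger _logger = LogDomains.getLogger(EJBSecurityManager.class, LogDomains.EJB_LOGGER);
    private static final PolicyContextHandlerImpl pcHandlerImpl = PolicyContextHandlerImpl.getInstance();
    private static final CodeSource managerCodeSource = EJBSecurityManager.class.getProtectionDomain().getCodeSource();
    private final Map<Set<Principal>, ProtectionDomain> applicationProtectionDomainCache = Collections.synchronizedMap(new WeakHashMap<>());
    private final Map<Set<Principal>, ProtectionDomain> managerProtectionDomainCache = Collections.synchronizedMap(new WeakHashMap<>());
    private final Map<Set<Principal>, AccessControlContext> accessControlContextCache = Collections.synchronizedMap(new WeakHashMap<>());
    private final EjbSecurityProbeProvider probeProvider = new EjbSecurityProbeProvider();
    private final SecurityRoleMapperFactory roleMapperFactory = SecurityUtil.getRoleMapperFactory();

    /**
     * Builds the security manager for one bean and loads its permissions into the policy.
     *
     * @param ejbDescriptor deployment descriptor of the bean being secured
     * @param invocationManager used to find the current invocation when a run-as identity is active
     * @param eJBSecurityManagerFactory factory that supplies the audit manager and is notified in
     *        {@link #destroy()}
     * @throws Exception declared by the original signature; URI/URL failures while building the
     *         application code source surface as {@link RuntimeException}
     */
    public EJBSecurityManager(EjbDescriptor ejbDescriptor, InvocationManager invocationManager, EJBSecurityManagerFactory eJBSecurityManagerFactory) throws Exception {
        this.deploymentDescriptor = ejbDescriptor;
        this.invocationManager = invocationManager;
        this.ejbSecurityManagerFactory = eJBSecurityManagerFactory;
        this.runAs = getRunAs(this.deploymentDescriptor);
        setEnterpriseBeansStatsProvider();
        this.contextId = getContextID(this.deploymentDescriptor);
        this.roleMapperFactory.setAppNameForContext(this.deploymentDescriptor.getApplication().getRegistrationName(), this.contextId);
        this.applicationCodeSource = getApplicationCodeSource(this.contextId);
        this.ejbName = this.deploymentDescriptor.getName();
        this.realmName = getRealmName(this.deploymentDescriptor);
        _logger.log(Level.FINE, () -> "JACC: Context id (id under which all EJB's in application will be created) = " + this.contextId);
        _logger.log(Level.FINE, () -> "Codebase (module id for ejb " + this.ejbName + ") = " + this.codebase);
        this.uncheckedMethodPermissionCache = PermissionCacheFactory.createPermissionCache(this.contextId, this.applicationCodeSource, EJBMethodPermission.class, this.ejbName);
        this.auditManager = eJBSecurityManagerFactory.getAuditManager();
        // The subject supplier is evaluated lazily, so each check sees the thread's current context.
        this.authorizationService = new AuthorizationService(
            getContextID(ejbDescriptor),
            () -> SecurityContext.getCurrent().getSubject(),
            (PrincipalMapper) null);
        this.authorizationService.setProtectionDomainCreator(principals -> getCachedProtectionDomain(principals, true));
        this.authorizationService.addPermissionsToPolicy(GlassFishToExousiaConverter.convertEJBMethodPermissions(ejbDescriptor, this.contextId));
        this.authorizationService.addPermissionsToPolicy(RolesToPermissionsTransformer.createEnterpriseBeansRoleRefPermission((Set) ejbDescriptor.getEjbBundleDescriptor().getRoles().stream().map(role -> {
            return role.getName();
        }).collect(Collectors.toSet()), GlassFishToExousiaConverter.getSecurityRoleRefsFromBundle(ejbDescriptor)));
    }

    /**
     * Returns the policy context id for the bundle that contains the given bean.
     *
     * @param ejbDescriptor descriptor of the bean
     * @return the id computed by {@link SecurityUtil#getContextID} for the bean's bundle descriptor
     */
    public static String getContextID(EjbDescriptor ejbDescriptor) {
        return SecurityUtil.getContextID(ejbDescriptor.getEjbBundleDescriptor());
    }

    /**
     * Decides whether the current caller may execute the method described by the invocation.
     *
     * <p>Anything that is not an {@link EjbInvocation} is denied. A decision already stored on the
     * invocation is returned as-is. Otherwise the permission check runs with the principals of the
     * current {@link SecurityContext}; the result is stored on the invocation and audited.
     *
     * @param componentInvocation the invocation to authorize
     * @return {@code true} only when the permission check succeeded
     */
    @Override
    public boolean authorize(ComponentInvocation componentInvocation) {
        if (!(componentInvocation instanceof EjbInvocation)) {
            return false;
        }
        EjbInvocation ejbInvocation = (EjbInvocation) componentInvocation;
        Boolean cachedDecision = ejbInvocation.getAuth();
        if (cachedDecision != null) {
            // Already decided for this invocation: no second check and no second audit record.
            return cachedDecision.booleanValue();
        }
        pcHandlerImpl.getHandlerData().setInvocation(ejbInvocation);
        SecurityContext current = SecurityContext.getCurrent();
        boolean authorized;
        try {
            authorized = this.authorizationService.checkBeanMethodPermission(this.ejbName, ejbInvocation.getMethodInterface(), ejbInvocation.method, current.getPrincipalSet());
        } catch (Throwable th) {
            // Fail closed: a broken policy lookup must never turn into an allow.
            _logger.log(Level.SEVERE, "jacc_policy_context_exception", th);
            authorized = false;
        }
        ejbInvocation.setAuth(authorized);
        // NOTE(review): auditing runs outside the try block, so an exception thrown while auditing
        // reaches the caller after the decision has already been cached on the invocation.
        doAuditAuthorize(current, ejbInvocation, authorized);
        if (authorized && ejbInvocation.isWebService && !ejbInvocation.isPreInvokeDone()) {
            // For web-service invocations the run-as switch happens only after a positive decision.
            preInvoke(ejbInvocation);
        }
        return authorized;
    }

    /**
     * Checks whether the caller holds the given role reference for this bean.
     *
     * @param str role reference name to test
     * @return the result of the role-reference permission check; the principal set passed to the
     *         check is {@code null} when no caller security context is available
     */
    @Override
    public boolean isCallerInRole(String str) {
        if (_logger.isLoggable(Level.FINE)) {
            _logger.entering("EJBSecurityManager", "isCallerInRole", str);
        }
        SecurityContext callerContext = getSecurityContext();
        Set<Principal> callerPrincipals = callerContext != null ? callerContext.getPrincipalSet() : null;
        return this.authorizationService.checkBeanRoleRefPermission(this.ejbName, str, callerPrincipals);
    }

    /**
     * Switches to the run-as identity before the bean method executes, when one is configured.
     *
     * <p>Without a run-as identity the invocation is only marked as pre-invoked. With one, the
     * current security context is saved on the invocation and a login for the run-as principal is
     * performed. A web-service invocation is switched only if it carries a positive authorization
     * decision.
     *
     * @param componentInvocation the invocation about to be dispatched
     */
    @Override
    public void preInvoke(ComponentInvocation componentInvocation) {
        if (this.runAs == null) {
            componentInvocation.setPreInvokeDone(true);
            return;
        }
        boolean webService = componentInvocation instanceof EjbInvocation
            && ((EjbInvocation) componentInvocation).isWebService;
        boolean authorized = Boolean.TRUE.equals(componentInvocation.getAuth());
        if ((!webService || authorized) && !componentInvocation.isPreInvokeDone()) {
            // Save the caller's context first; postInvoke restores it from here.
            componentInvocation.setOldSecurityContext(SecurityContext.getCurrent());
            loginForRunAs();
            componentInvocation.setPreInvokeDone(true);
        }
    }

    /**
     * Invokes a bean method, either directly through the authorization service or inside a
     * privileged action bound to the caller's access control context.
     *
     * <p>The direct path is taken when no Java SecurityManager is installed, or when {@code z} is
     * set and the bean uses the caller's identity.
     *
     * @param method the bean method to invoke
     * @param z flag that enables the direct path for beans using caller identity
     *        (NOTE(review): exact meaning is defined by the SecurityManager interface — confirm)
     * @param obj target bean instance
     * @param objArr method arguments
     * @return the value returned by the bean method
     * @throws Throwable the cause of the {@link PrivilegedActionException} on the privileged path,
     *         or whatever the direct invocation throws
     */
    @Override
    public Object invoke(final Method method, boolean z, final Object obj, final Object[] objArr) throws Throwable {
        if ((z && getUsesCallerIdentity()) || System.getSecurityManager() == null) {
            return this.authorizationService.invokeBeanMethod(obj, method, objArr);
        }
        try {
            return doAsPrivileged(() -> method.invoke(obj, objArr));
        } catch (PrivilegedActionException e) {
            // Unwrap so callers see the failure raised inside the privileged action.
            throw e.getCause();
        }
    }

    /**
     * Restores the security context that was saved by {@link #preInvoke}.
     *
     * <p>Does nothing when no run-as identity is configured or when pre-invoke never completed for
     * this invocation, so a context is only restored if one was actually replaced.
     *
     * @param componentInvocation the invocation that has finished
     */
    @Override
    public void postInvoke(final ComponentInvocation componentInvocation) {
        if (this.runAs == null || !componentInvocation.isPreInvokeDone()) {
            return;
        }
        AppservAccessController.doPrivileged(new PrivilegedAction<Object>() {
            @Override
            public Object run() {
                SecurityContext.setCurrent((SecurityContext) componentInvocation.getOldSecurityContext());
                return null;
            }
        });
    }

    /**
     * Returns the subject of the thread's current security context.
     *
     * @return the current {@link Subject}
     */
    @Override
    public Subject getCurrentSubject() {
        return SecurityContext.getCurrent().getSubject();
    }

    /**
     * Returns the principal of the original caller.
     *
     * @return the caller principal of the caller's security context, or the default caller
     *         principal when no such context is available
     */
    @Override
    public Principal getCallerPrincipal() {
        SecurityContext callerContext = getSecurityContext();
        if (callerContext == null) {
            return SecurityContext.getDefaultCallerPrincipal();
        }
        return callerContext.getCallerPrincipal();
    }

    /**
     * Releases the policy and cache state held for this bean and notifies the factory and probes.
     *
     * <p>If an {@link IllegalStateException} is raised during cleanup it is logged and the steps
     * after the failing one inside the try block are skipped; the probe events and the factory
     * call still run.
     */
    @Override
    public void destroy() {
        try {
            this.authorizationService.refresh();
            PermissionCacheFactory.removePermissionCache(this.uncheckedMethodPermissionCache);
            this.uncheckedMethodPermissionCache = null;
            this.roleMapperFactory.removeAppNameForContext(this.contextId);
        } catch (IllegalStateException e) {
            _logger.log(Level.WARNING, "ejbsm.could_not_delete", (Throwable) e);
        }
        this.probeProvider.securityManagerDestructionStartedEvent(this.ejbName);
        // presumably the 'true' argument asks the factory to drop this manager — confirm in factory
        this.ejbSecurityManagerFactory.getManager(this.contextId, this.ejbName, true);
        this.probeProvider.securityManagerDestructionEndedEvent(this.ejbName);
        this.probeProvider.securityManagerDestructionEvent(this.ejbName);
    }

    /**
     * Runs the action with the access control context derived from the current security context,
     * inside the authorization service's scope.
     *
     * @param privilegedExceptionAction the action to run
     * @return the action's result
     * @throws Throwable whatever building the context, entering the scope or the action throws
     */
    @Override
    public Object doAsPrivileged(PrivilegedExceptionAction<Object> privilegedExceptionAction) throws Throwable {
        // Resolve the context before entering the scope so a failure here never runs the action.
        AccessControlContext callerContext = getCachedAccessControlContext(SecurityContext.getCurrent());
        return this.authorizationService.runInScope(() -> AccessController.doPrivileged(privilegedExceptionAction, callerContext));
    }

    /** Returns {@code true} when no run-as identity is configured for this bean. */
    private boolean getUsesCallerIdentity() {
        return this.runAs == null;
    }

    /**
     * Builds the synthetic {@link CodeSource} that represents the application in policy checks.
     *
     * <p>The location is {@code file:///} followed by the context id with spaces replaced by
     * underscores; no certificates are attached.
     *
     * @param str the policy context id
     * @return the code source for that context
     * @throws RuntimeException wrapping the URI or URL syntax error, after logging it
     */
    private static CodeSource getApplicationCodeSource(String str) throws Exception {
        try {
            URI location = new URI("file:///" + str.replace(' ', '_'));
            return new CodeSource(location.toURL(), (Certificate[]) null);
        } catch (URISyntaxException e) {
            _logger.log(Level.SEVERE, "JACC_createurierror", (Throwable) e);
            throw new RuntimeException(e);
        } catch (MalformedURLException e) {
            _logger.log(Level.SEVERE, "JACC_ejbsm.codesourceerror", (Throwable) e);
            throw new RuntimeException(e);
        }
    }

    /**
     * Returns a {@link ProtectionDomain} for the given principals, creating and caching it on a
     * miss.
     *
     * <p>Two concurrent misses for the same key may each create a domain; the later {@code put}
     * wins.
     *
     * @param set principals to attach to the domain; {@code null} is treated as "no principals"
     * @param z {@code true} to use the application code source and cache, {@code false} to use this
     *        manager's own code source and cache
     * @return the cached or newly created domain
     */
    private ProtectionDomain getCachedProtectionDomain(Set<Principal> set, boolean z) {
        Map<Set<Principal>, ProtectionDomain> cache = z ? this.applicationProtectionDomainCache : this.managerProtectionDomainCache;
        CodeSource codeSource = z ? this.applicationCodeSource : managerCodeSource;

        // Entries for a null principal set are stored under an empty set, so look them up under the
        // same key; looking up with null would miss every time and create a new domain per call.
        Set<Principal> lookupKey = set == null ? Collections.<Principal>emptySet() : set;
        ProtectionDomain protectionDomain = cache.get(lookupKey);
        if (protectionDomain == null) {
            Principal[] principals = set == null ? null : set.toArray(new Principal[0]);
            protectionDomain = new ProtectionDomain(codeSource, null, null, principals);
            // Store a private copy so later mutation of the caller's set cannot corrupt the key.
            cache.put(new HashSet<>(lookupKey), protectionDomain);
            _logger.fine("Authorization: new ProtectionDomain added to cache");
        }

        // Principal names are written to the log only at FINE; treat that level as sensitive.
        if (_logger.isLoggable(Level.FINE)) {
            if (set == null) {
                _logger.fine("Authorization: returning cached ProtectionDomain PrincipalSet: null");
            } else {
                String principalNames = set.stream().map(Principal::toString).collect(Collectors.joining(" "));
                _logger.fine("Authorization: returning cached ProtectionDomain - CodeSource: (" + codeSource + ") PrincipalSet: " + principalNames);
            }
        }
        return protectionDomain;
    }

    /**
     * Returns the {@link AccessControlContext} for the principals of the given security context,
     * creating it on a cache miss.
     *
     * <p>With a non-null principal set the context combines this manager's protection domain with
     * a {@link SubjectDomainCombiner} for the context's subject and is cached. With a null
     * principal set a plain context is built and not cached.
     *
     * @param securityContext the security context whose principals and subject are used
     * @return the access control context to run bean code under
     * @throws Exception any failure while building the context, after logging it
     */
    private AccessControlContext getCachedAccessControlContext(SecurityContext securityContext) throws Exception {
        Set<Principal> principalSet = securityContext.getPrincipalSet();
        AccessControlContext accessControlContext = this.accessControlContextCache.get(principalSet);
        if (accessControlContext != null) {
            return accessControlContext;
        }

        final ProtectionDomain[] domains = {getCachedProtectionDomain(principalSet, false)};
        try {
            if (principalSet != null) {
                // NOTE(review): the cache key is the principal set, but the cached context holds a
                // combiner for this particular Subject instance. A later caller with an equal
                // principal set and a different Subject reuses it — confirm that is intended.
                final Subject subject = securityContext.getSubject();
                accessControlContext = AccessController.doPrivileged(new PrivilegedExceptionAction<AccessControlContext>() {
                    @Override
                    public AccessControlContext run() throws Exception {
                        return new AccessControlContext(new AccessControlContext(domains), new SubjectDomainCombiner(subject));
                    }
                });
                this.accessControlContextCache.put(new HashSet<>(principalSet), accessControlContext);
            } else {
                accessControlContext = new AccessControlContext(domains);
            }
            _logger.fine("Authorization: new AccessControlContext added to cache");
        } catch (Exception e) {
            _logger.log(Level.SEVERE, "java_security.security_context_exception", (Throwable) e);
            throw e;
        }
        return accessControlContext;
    }

    /**
     * Logs in as the configured run-as principal in this bean's realm, inside a privileged action.
     * Callers must have checked that {@code runAs} is non-null.
     */
    private void loginForRunAs() {
        AppservAccessController.doPrivileged(new PrivilegedAction<Object>() {
            @Override
            public Object run() {
                LoginContextDriver.loginPrincipal(EJBSecurityManager.this.runAs.getPrincipal(), EJBSecurityManager.this.realmName);
                return null;
            }
        });
    }

    /**
     * Clears the policy context handler data and the thread's policy context id.
     *
     * <p>Under a Java SecurityManager the reset runs inside a privileged action.
     *
     * @throws RuntimeException wrapping the cause when the privileged reset fails
     */
    @Override
    public void resetPolicyContext() {
        if (System.getSecurityManager() == null) {
            PolicyContextHandlerImpl.getInstance().reset();
            PolicyContext.setContextID(null);
            return;
        }
        try {
            AppservAccessController.doPrivileged(new PrivilegedExceptionAction<Object>() {
                @Override
                public Object run() throws Exception {
                    PolicyContextHandlerImpl.getInstance().reset();
                    PolicyContext.setContextID(null);
                    return null;
                }
            });
        } catch (PrivilegedActionException e) {
            Throwable cause = e.getCause();
            // Access-control denials get their own message key so they stand out in the log.
            String messageKey = cause instanceof AccessControlException
                ? "jacc_policy_context_security_exception"
                : "jacc_policy_context_exception";
            _logger.log(Level.SEVERE, messageKey, cause);
            throw new RuntimeException(cause);
        }
    }

    /**
     * Returns the security context of the original caller.
     *
     * <p>Without a run-as identity this is the thread's current context. With one, the current
     * context belongs to the run-as identity, so the context saved on the current invocation is
     * returned instead; that value may be {@code null} if nothing was saved.
     *
     * @return the caller's security context, possibly {@code null} in the run-as case
     * @throws InvocationException when a run-as identity is configured and there is no current
     *         invocation
     */
    private SecurityContext getSecurityContext() {
        if (this.runAs == null) {
            return SecurityContext.getCurrent();
        }
        ComponentInvocation currentInvocation = this.invocationManager.getCurrentInvocation();
        if (currentInvocation == null) {
            throw new InvocationException();
        }
        return (SecurityContext) currentInvocation.getOldSecurityContext();
    }

    /**
     * Determines the realm used for the run-as login.
     *
     * @param ejbDescriptor descriptor of the bean
     * @return the application's realm, or, when that is {@code null}, the realm name of the last
     *         IOR configuration descriptor (which may itself be {@code null})
     */
    private String getRealmName(EjbDescriptor ejbDescriptor) {
        String realm = ejbDescriptor.getApplication().getRealm();
        if (realm == null) {
            // Last descriptor wins, even when an earlier one named a realm and a later one did not.
            for (EjbIORConfigurationDescriptor iorConfig : ejbDescriptor.getIORConfigurationDescriptors()) {
                realm = iorConfig.getRealmName();
            }
        }
        return realm;
    }

    /**
     * Reads the run-as identity from the descriptor.
     *
     * @param ejbDescriptor descriptor of the bean
     * @return {@code null} when the bean uses the caller's identity, otherwise the descriptor's
     *         run-as identity (which may be {@code null})
     */
    private RunAsIdentityDescriptor getRunAs(EjbDescriptor ejbDescriptor) {
        if (ejbDescriptor.getUsesCallerIdentity().booleanValue()) {
            return null;
        }
        RunAsIdentityDescriptor runAsIdentity = ejbDescriptor.getRunAsIdentity();
        if (runAsIdentity != null && _logger.isLoggable(Level.FINE)) {
            _logger.log(Level.FINE, ejbDescriptor.getEjbClassName() + " will run-as: " + runAsIdentity.getPrincipal() + " (" + runAsIdentity.getRoleName() + ")");
        }
        return runAsIdentity;
    }

    /**
     * Creates and registers the shared statistics provider once per class.
     *
     * <p>The unsynchronized first check avoids taking the lock after initialization; the field is
     * volatile, and the second check under the lock prevents a double registration.
     */
    private void setEnterpriseBeansStatsProvider() {
        if (ejbStatsProvider == null) {
            synchronized (EjbSecurityStatsProvider.class) {
                if (ejbStatsProvider == null) {
                    ejbStatsProvider = new EjbSecurityStatsProvider();
                    StatsProviderManager.register("security", PluginPoint.SERVER, "security/ejb", ejbStatsProvider);
                }
            }
        }
    }

    /**
     * Records the authorization decision with the audit manager when auditing is enabled.
     *
     * @param securityContext the context the decision was made for; its caller principal supplies
     *        the audited name (assumed non-null here)
     * @param ejbInvocation the invocation that was checked
     * @param z the decision: {@code true} for allow, {@code false} for deny
     */
    private void doAuditAuthorize(SecurityContext securityContext, EjbInvocation ejbInvocation, boolean z) {
        if (!this.auditManager.isAuditOn()) {
            return;
        }
        String callerName = securityContext.getCallerPrincipal().getName();
        this.auditManager.ejbInvocation(callerName, this.ejbName, ejbInvocation.method.toString(), z);
        _logger.fine(() -> " (Caller) = " + callerName);
    }
}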
