package com.sun.enterprise.container.common;

import com.sun.enterprise.admin.util.AdminConstants;
import com.sun.enterprise.config.serverbeans.AdminService;
import com.sun.enterprise.config.serverbeans.AuthRealm;
import com.sun.enterprise.config.serverbeans.SecurityService;
import com.sun.enterprise.security.SecurityContext;
import com.sun.enterprise.security.SecurityLifecycle;
import com.sun.enterprise.security.SecuritySniffer;
import com.sun.enterprise.security.auth.login.LoginContextDriver;
import com.sun.enterprise.security.auth.realm.NoSuchUserException;
import com.sun.enterprise.security.auth.realm.file.FileRealm;
import com.sun.enterprise.security.auth.realm.file.FileRealmUser;
import com.sun.enterprise.util.LocalStringManagerImpl;
import java.io.File;
import java.util.Enumeration;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.management.remote.JMXAuthenticator;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginException;
import org.glassfish.internal.api.AdminAccessController;
import org.glassfish.internal.api.LocalPassword;
import org.glassfish.internal.api.ServerContext;
import org.glassfish.security.common.Group;
import org.jvnet.hk2.annotations.ContractProvided;
import org.jvnet.hk2.annotations.Inject;
import org.jvnet.hk2.annotations.Service;
import org.jvnet.hk2.component.Habitat;

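/**
 * Authenticates administrative callers (the {@link AdminAccessController} contract and the
 * JMX connector's {@link JMXAuthenticator} contract) against the realm configured for the
 * admin service.
 *
 * <p>Decision order, as implemented in {@link #loginAsAdmin}:
 * <ol>
 *   <li>the server's local password grants access on its own;</li>
 *   <li>if the admin service uses a file realm, the user must exist in that keyfile, be a
 *       member of {@code AdminConstants.DOMAIN_ADMIN_GROUP_NAME}, and present a password the
 *       realm accepts;</li>
 *   <li>otherwise the generic {@code LoginContextDriver} login is attempted and, when the realm
 *       declares a group mapping, the resulting security context must carry the admin group.</li>
 * </ol>
 * Every error path denies access; nothing here ever logs a password.
 */
@Service
@ContractProvided(JMXAuthenticator.class)
public class GenericAdminAuthenticator implements AdminAccessController, JMXAuthenticator {

    @Inject
    Habitat habitat;

    @Inject
    SecuritySniffer snif;

    @Inject
    volatile SecurityService ss;

    @Inject
    volatile AdminService as;

    @Inject
    LocalPassword localPassword;

    @Inject
    ServerContext sc;

    private static final LocalStringManagerImpl lsm = new LocalStringManagerImpl(GenericAdminAuthenticator.class);
    private final Logger logger = Logger.getAnonymousLogger();

    /**
     * Decides whether the given credentials grant administrative access.
     *
     * @param str  user name; may be null or empty, in which case the file-realm path falls back
     *             to the single admin user of the keyfile when there is exactly one
     * @param str2 password (cleartext); never logged
     * @param str3 realm name handed to the generic login driver for non-file realms
     * @return {@code true} if access is granted, {@code false} otherwise
     * @throws LoginException if the file-realm lookup fails for a reason other than an unknown user
     */
    @Override // org.glassfish.internal.api.AdminAccessController
    public boolean loginAsAdmin(String str, String str2, String str3) throws LoginException {
        // A caller that knows the local password is trusted regardless of the user name.
        if (isLocalPassword(str, str2)) {
            return true;
        }
        if (this.as.usesFileRealm()) {
            return handleFileRealm(str, str2);
        }
        ClassLoader originalLoader = null;
        boolean switchedLoader = false;
        try {
            // The security modules resolve through the common class loader; switch to it for the
            // login and restore the caller's loader in the finally block on every exit.
            originalLoader = Thread.currentThread().getContextClassLoader();
            ClassLoader commonLoader = this.sc.getCommonClassLoader();
            if (!commonLoader.equals(originalLoader)) {
                Thread.currentThread().setContextClassLoader(commonLoader);
                switchedLoader = true;
            }
            // Make sure the security lifecycle is started and the security sniffer has set up
            // its modules before driving a login.
            this.habitat.getInhabitantByType(SecurityLifecycle.class).get2();
            this.snif.setup(System.getProperty("com.sun.aas.installRoot") + "/modules/security", Logger.getAnonymousLogger());
            LoginContextDriver.login(str, str2.toCharArray(), str3);
            // Without a group mapping a successful login is sufficient; with one, the caller must
            // additionally belong to the domain admin group.
            if (this.as.getAssociatedAuthRealm().getGroupMapping() == null) {
                return true;
            }
            return ensureGroupMembership(str, str3);
        } catch (Exception e) {
            // Fail closed on any error (including a null password), but leave a trace for
            // operators; the password is deliberately not part of the message.
            this.logger.log(Level.FINE, "Admin login failed for user [" + str + "]", e);
            return false;
        } finally {
            if (switchedLoader) {
                Thread.currentThread().setContextClassLoader(originalLoader);
            }
        }
    }

    /**
     * Checks whether the current {@link SecurityContext} carries the domain admin group.
     * The user and realm names are not consulted; they are kept for the call site's readability.
     * NOTE(review): presumably the preceding {@code LoginContextDriver.login} populates the
     * current security context — confirm against that class.
     *
     * @return {@code true} if a {@link Group} principal named
     *         {@code AdminConstants.DOMAIN_ADMIN_GROUP_NAME} is present, {@code false} otherwise
     *         (also on any error)
     */
    private boolean ensureGroupMembership(String str, String str2) {
        try {
            for (Object principal : SecurityContext.getCurrent().getPrincipalSet()) {
                if ((principal instanceof Group) && ((Group) principal).getName().equals(AdminConstants.DOMAIN_ADMIN_GROUP_NAME)) {
                    return true;
                }
            }
            this.logger.fine("User is not the member of the special admin group");
            return false;
        } catch (Exception e) {
            this.logger.fine("User is not the member of the special admin group: " + e.getMessage());
            return false;
        }
    }

    /**
     * Authenticates against the file realm associated with the admin service.
     *
     * <p>Group membership is checked before the password is verified, so a non-admin user in the
     * keyfile is rejected without ever evaluating the password.
     *
     * @param str  user name; null/empty selects the default admin user when one can be derived
     * @param str2 password
     * @return {@code true} only if the user exists, is in the domain admin group and the realm
     *         accepts the password
     * @throws LoginException if reading the realm fails for a reason other than an unknown user
     */
    private boolean handleFileRealm(String str, String str2) throws LoginException {
        String user = str;
        if (user == null || user.length() == 0) {
            String defaultAdminUser = getDefaultAdminUser();
            if (defaultAdminUser != null) {
                user = defaultAdminUser;
                this.logger.fine("Using default user: " + defaultAdminUser);
            } else {
                this.logger.fine("No default user");
            }
        }
        // Without a user name or a password there is nothing to authenticate: deny.
        if (user == null || user.length() == 0 || str2 == null) {
            return false;
        }
        try {
            AuthRealm associatedAuthRealm = this.as.getAssociatedAuthRealm();
            if (!FileRealm.class.getName().equals(associatedAuthRealm.getClassname())) {
                return false;
            }
            FileRealm fileRealm = new FileRealm(associatedAuthRealm.getPropertyValue("file"));
            FileRealmUser realmUser = (FileRealmUser) fileRealm.getUser(user);
            if (!isDomainAdminGroupMember(realmUser.getGroups())) {
                return false;
            }
            return fileRealm.authenticate(user, str2.toCharArray()) != null;
        } catch (NoSuchUserException e) {
            return false;
        } catch (Exception e2) {
            LoginException loginException = new LoginException(e2.getMessage());
            loginException.initCause(e2);
            throw loginException;
        }
    }

    /**
     * Derives the default admin user from the file realm's keyfile: the keyfile must hold
     * exactly one user and that user must be in the domain admin group.
     *
     * @return the user name, or {@code null} if no unambiguous admin user exists or the keyfile
     *         cannot be read
     * @throws RuntimeException if the admin service references a realm that does not exist
     */
    private String getDefaultAdminUser() {
        AuthRealm associatedAuthRealm = this.as.getAssociatedAuthRealm();
        if (associatedAuthRealm == null) {
            // Only reachable when the admin-service configuration names a missing realm.
            throw new RuntimeException("Warning: Configuration is bad, realm: " + this.as.getAuthRealmName() + " does not exist!");
        }
        if (!FileRealm.class.getName().equals(associatedAuthRealm.getClassname())) {
            this.logger.fine("CAN'T FIND DEFAULT ADMIN USER: IT'S NOT A FILE REALM");
            return null;
        }
        String keyfilePath = associatedAuthRealm.getPropertyValue("file");
        if (keyfilePath == null || !new File(keyfilePath).exists()) {
            this.logger.fine("CAN'T FIND DEFAULT ADMIN USER: THE KEYFILE DOES NOT EXIST");
            return null;
        }
        try {
            FileRealm fileRealm = new FileRealm(new File(keyfilePath).getAbsolutePath());
            Enumeration<String> userNames = fileRealm.getUserNames();
            if (!userNames.hasMoreElements()) {
                return null;
            }
            String soleUser = userNames.nextElement();
            if (userNames.hasMoreElements()) {
                // More than one user: there is no unambiguous default.
                return null;
            }
            String[] groups = ((FileRealmUser) fileRealm.getUser(soleUser)).getGroups();
            if (!isDomainAdminGroupMember(groups)) {
                // A sole user outside the admin group must not be promoted to the default.
                return null;
            }
            this.logger.fine("Attempting access using default admin user: " + soleUser);
            return soleUser;
        } catch (Exception e) {
            this.logger.log(Level.FINE, "CAN'T FIND DEFAULT ADMIN USER: THE KEYFILE COULD NOT BE READ", e);
            return null;
        }
    }

    /**
     * Reports whether {@code groups} contains {@code AdminConstants.DOMAIN_ADMIN_GROUP_NAME}.
     *
     * @param groups group names of a realm user; a null array counts as no groups
     */
    private static boolean isDomainAdminGroupMember(String[] groups) {
        if (groups == null) {
            return false;
        }
        for (String group : groups) {
            if (AdminConstants.DOMAIN_ADMIN_GROUP_NAME.equals(group)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Checks whether the supplied password is the server's local password. The user name is
     * not consulted: the local password alone is treated as proof of admin access.
     *
     * @param str  user name (unused)
     * @param str2 password candidate
     * @return {@code true} if {@code str2} is the local password
     */
    private boolean isLocalPassword(String str, String str2) {
        if (this.localPassword.isLocalPassword(str2)) {
            this.logger.fine("Allowing access using local password");
            return true;
        }
        this.logger.finest("Password is not the local password");
        return false;
    }

    /**
     * {@link JMXAuthenticator} entry point used by the system JMX connector.
     *
     * @param obj credentials as a {@code String[]} of {@code {user[, password]}}; anything else
     *            is treated as empty credentials. A null password is normalised to {@code ""}
     * @return {@code null} when access is granted (no populated Subject is ever returned)
     * @throws SecurityException if access is denied or the underlying login throws
     */
    @Override // javax.management.remote.JMXAuthenticator
    public Subject authenticate(Object obj) {
        String user = "";
        String password = "";
        if (obj instanceof String[]) {
            String[] credentials = (String[]) obj;
            if (credentials.length >= 1) {
                user = credentials[0];
            }
            if (credentials.length >= 2 && credentials[1] != null) {
                password = credentials[1];
            }
        }
        // Prefer the realm configured on the JMX connector, else the admin service's realm.
        String authRealmName = this.as.getSystemJmxConnector().getAuthRealmName();
        if (authRealmName == null) {
            authRealmName = this.as.getAuthRealmName();
        }
        try {
            if (!loginAsAdmin(user, password, authRealmName)) {
                throw new SecurityException(lsm.getLocalString("authentication.failed", "User [{0}] does not have administration access", user));
            }
            return null;
        } catch (LoginException e) {
            throw new SecurityException(e);
        }
    }
}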
