package com.sun.enterprise.admin.util;

import com.sun.enterprise.config.serverbeans.Domain;
import com.sun.enterprise.config.serverbeans.SecureAdmin;
import com.sun.enterprise.config.serverbeans.SecureAdminPrincipal;
import java.lang.annotation.Annotation;
import java.security.Principal;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.inject.Inject;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.TextInputCallback;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import org.glassfish.common.util.admin.AdminAuthenticator;
import org.glassfish.common.util.admin.AuthTokenManager;
import org.glassfish.common.util.admin.RestSessionManager;
import org.glassfish.hk2.api.PerLookup;
import org.glassfish.hk2.api.ServiceLocator;
import org.glassfish.internal.api.LocalPassword;
import org.jvnet.hk2.annotations.Service;

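/**
 * JAAS {@link LoginModule} that identifies the sender of an admin request.
 *
 * <p>{@link #login()} asks the callback handler to populate a fixed set of callbacks (user name
 * and password, SSL principal, special admin indicator, limited-use admin token, remote host,
 * ReST token and remote address) and then runs each registered authenticator against a scratch
 * subject. The login succeeds when at least one authenticator recognises the request and none of
 * them throws; {@link #commit()} then copies the scratch subject into the subject that was handed
 * to {@link #initialize}.
 *
 * <p>Review notes:
 * <ul>
 *   <li>A single authenticator returning {@code true} is sufficient for {@code login()} to
 *       succeed. No authorization decision is visible in this class; presumably the caller
 *       decides what the attached principals are allowed to do (confirm against the caller).</li>
 *   <li>This source was produced by a decompiler; the widened access modifiers marked
 *       "JADX INFO" are kept so that the visible interface does not change.</li>
 * </ul>
 */
@Service
@PerLookup
/* loaded from: input_file:MICRO-INF/runtime/admin-util.jar:com/sun/enterprise/admin/util/AdminLoginModule.class */
public class AdminLoginModule implements LoginModule {
    private static final Logger LOGGER = GenericAdminAuthenticator.ADMSEC_LOGGER;

    /** Level used for the step-by-step progress messages of this module. */
    private static final Level PROGRESS_LEVEL = Level.FINE;

    @Inject
    private Domain domain;

    @Inject
    private AuthTokenManager authTokenManager;

    @Inject
    private LocalPassword localPassword;

    @Inject
    private RestSessionManager restSessionManager;

    /** True only after a login() in which at least one authenticator succeeded and none threw. */
    private boolean isAuthenticated;

    /** Subject supplied to initialize(); commit() copies the assembled identity into it. */
    private Subject subject;
    private CallbackHandler callbackHandler;

    /** Assigned only by findServices(); stays null when the handler is not an AdminCallbackHandler. */
    private SecureAdmin secureAdmin = null;

    /** Scratch subject the authenticators write to; nothing reaches {@link #subject} before commit(). */
    private final Subject subjectToAssemble = new Subject();
    private final UsernamePasswordAuthenticator usernamePasswordAuth = new UsernamePasswordAuthenticator();
    private final PrincipalAuthenticator principalAuth = new PrincipalAuthenticator();
    private final AdminIndicatorAuthenticator adminIndicatorAuth = new AdminIndicatorAuthenticator();
    private final AdminTokenAuthenticator adminTokenAuth = new AdminTokenAuthenticator();
    private final RemoteHostAuthenticator remoteHostAuth = new RemoteHostAuthenticator();
    private final RestAdminAuthenticator restTokenAuthenticator = new RestAdminAuthenticator();

    /** Every callback handed to the callback handler in login(), including the remote-host one. */
    private final List<Callback> callbacks = new ArrayList<Callback>(Arrays.<Callback>asList(
            this.usernamePasswordAuth.nameCB,
            this.usernamePasswordAuth.pwCB,
            this.principalAuth.cb,
            this.adminIndicatorAuth.cb,
            this.adminTokenAuth.cb,
            this.remoteHostAuth.cb,
            this.restTokenAuthenticator.restTokenCB,
            this.restTokenAuthenticator.remoteAddrCB));

    /**
     * Authenticators consulted by login(), in this order. The remote-host authenticator is not
     * listed: its callback only supplies the host text used when logging an indicator mismatch.
     */
    private final List<AdminAuthenticator> authenticators = new ArrayList<AdminAuthenticator>(
            Arrays.<AdminAuthenticator>asList(
                    this.usernamePasswordAuth,
                    this.principalAuth,
                    this.adminIndicatorAuth,
                    this.adminTokenAuth,
                    this.restTokenAuthenticator));

    /** Recognises requests that carry the domain's special admin indicator. */
    class AdminIndicatorAuthenticator extends TextAuthenticator {
        AdminIndicatorAuthenticator() {
            super(AdminAuthenticator.AuthenticatorType.ADMIN_INDICATOR);
        }

        /**
         * Compares the indicator in the request with the one configured in {@code secureAdmin}.
         *
         * @param subject subject that receives an {@code AdminIndicatorPrincipal} on a match
         * @return {@code true} on a match; {@code false} when secure admin is unavailable or the
         *         request carries no indicator
         * @throws LoginException when the request carries an indicator that does not match
         */
        @Override // org.glassfish.common.util.admin.AdminAuthenticator
        public boolean identify(Subject subject) throws LoginException {
            if (AdminLoginModule.this.secureAdmin == null) {
                return false;
            }
            String presented = this.textCB.getText();
            SpecialAdminIndicatorChecker checker = new SpecialAdminIndicatorChecker(
                    presented,
                    AdminLoginModule.this.secureAdmin.getSpecialAdminIndicator(),
                    AdminLoginModule.this.remoteHostAuth.textCB.getText());
            SpecialAdminIndicatorChecker.Result outcome = checker.result();
            if (outcome == SpecialAdminIndicatorChecker.Result.MISMATCHED) {
                // A wrong indicator aborts the whole login, not just this authenticator.
                throw new LoginException();
            }
            if (outcome != SpecialAdminIndicatorChecker.Result.MATCHED) {
                return false;
            }
            subject.getPrincipals().add(new AdminIndicatorPrincipal(presented));
            return true;
        }
    }

    /** Recognises requests that carry a limited-use admin token known to the token manager. */
    class AdminTokenAuthenticator extends TextAuthenticator {
        AdminTokenAuthenticator() {
            super(AdminAuthenticator.AuthenticatorType.ADMIN_TOKEN);
        }

        /**
         * Looks the presented token up in the token manager.
         *
         * @param subject subject that receives the token's stored identity and an
         *                {@code AdminTokenPrincipal}
         * @return {@code true} when the token manager returned a subject for the token
         * @throws LoginException declared by the interface; not thrown directly here
         */
        @Override // org.glassfish.common.util.admin.AdminAuthenticator
        public boolean identify(Subject subject) throws LoginException {
            if (AdminLoginModule.this.authTokenManager == null) {
                return false;
            }
            String token = this.textCB.getText();
            if (token == null) {
                return false;
            }
            Subject tokenSubject = AdminLoginModule.this.authTokenManager.findToken(token);
            if (tokenSubject == null) {
                return false;
            }
            LOGGER.log(PROGRESS_LEVEL, "Recognized valid limited-use token");
            AdminLoginModule.this.updateFromSubject(subject, tokenSubject);
            // NOTE(review): the raw token text is handed to the principal; commit() logs principal
            // names at FINER, so confirm AdminTokenPrincipal.getName() does not expose the token.
            subject.getPrincipals().add(new AdminTokenPrincipal(token));
            return true;
        }
    }

    /** Base for the authenticators: holds the authenticator type and, optionally, one callback. */
    abstract class Authenticator implements AdminAuthenticator {
        private final AdminAuthenticator.AuthenticatorType type;

        /** May be null for subclasses that manage their own callbacks and override callbacks(). */
        final Callback cb;

        Authenticator(AdminAuthenticator.AuthenticatorType authenticatorType, Callback callback) {
            this.type = authenticatorType;
            this.cb = callback;
        }

        /** @return a new mutable list holding this authenticator's single callback */
        @Override // org.glassfish.common.util.admin.AdminAuthenticator
        public List<Callback> callbacks() {
            return new ArrayList<Callback>(Arrays.asList(this.cb));
        }

        /** @return the type given at construction */
        @Override // org.glassfish.common.util.admin.AdminAuthenticator
        public AdminAuthenticator.AuthenticatorType type() {
            return this.type;
        }
    }

    /** Attaches the principal supplied through the {@link PrincipalCallback}, if any. */
    class PrincipalAuthenticator extends Authenticator {
        private final PrincipalCallback pcb;

        PrincipalAuthenticator() {
            super(AdminAuthenticator.AuthenticatorType.PRINCIPAL, new PrincipalCallback());
            this.pcb = (PrincipalCallback) this.cb;
        }

        /**
         * Adds the supplied principal to the subject unless it is one of the configured secure
         * admin principals and a user name or password is also present.
         *
         * <p>Any other non-null principal is accepted as-is, so the trustworthiness of the result
         * depends entirely on how the callback handler obtained the principal (not visible here).
         *
         * @param subject subject that receives the principal
         * @return {@code true} when a principal was attached
         */
        @Override // org.glassfish.common.util.admin.AdminAuthenticator
        public boolean identify(Subject subject) {
            Principal principal = this.pcb.getPrincipal();
            if (principal == null) {
                return false;
            }
            if (isPrincipalFromGlassFish(principal) && AdminLoginModule.this.usernamePasswordAuth.isActive()) {
                LOGGER.log(PROGRESS_LEVEL, "Detected console request - not adding SSL principal to the subject");
                return false;
            }
            subject.getPrincipals().add(principal);
            LOGGER.log(PROGRESS_LEVEL, "Attaching Principal {0}", principal.getName());
            return true;
        }

        /**
         * Tells whether the principal's name equals the DN of a configured secure admin principal.
         *
         * <p>{@code secureAdmin} is dereferenced without a null check. When it is null the
         * resulting NullPointerException is converted to a LoginException by login(), so the
         * request is rejected rather than accepted; keep that fail-closed outcome if a guard is
         * ever added here.
         */
        private boolean isPrincipalFromGlassFish(Principal principal) {
            Iterator<SecureAdminPrincipal> it = AdminLoginModule.this.secureAdmin.getSecureAdminPrincipal().iterator();
            while (it.hasNext()) {
                if (it.next().getDn().equals(principal.getName())) {
                    return true;
                }
            }
            return false;
        }
    }

    /** Callback through which the handler hands over a {@link Principal}. */
    static class PrincipalCallback implements Callback {
        private Principal p;

        PrincipalCallback() {
        }

        public void setPrincipal(Principal principal) {
            this.p = principal;
        }

        public Principal getPrincipal() {
            return this.p;
        }
    }

    /** Carries the remote host text; it never identifies a request by itself. */
    class RemoteHostAuthenticator extends TextAuthenticator {
        RemoteHostAuthenticator() {
            super(AdminAuthenticator.AuthenticatorType.REMOTE_HOST);
        }

        /** @return always {@code false} */
        @Override // org.glassfish.common.util.admin.AdminAuthenticator
        public boolean identify(Subject subject) throws LoginException {
            return false;
        }
    }

    /** Recognises requests that carry a ReST session token together with a remote address. */
    class RestAdminAuthenticator extends Authenticator {
        private final TextInputCallback restTokenCB;
        private final TextInputCallback remoteAddrCB;

        RestAdminAuthenticator() {
            super(AdminAuthenticator.AuthenticatorType.REST_TOKEN, null);
            this.restTokenCB = new TextInputCallback(AdminAuthenticator.REST_TOKEN_NAME);
            this.remoteAddrCB = new TextInputCallback(AdminAuthenticator.REMOTE_ADDR_NAME);
        }

        /**
         * Returns the two callbacks this authenticator reads.
         *
         * <p>The decompiled original returned {@code cb} (always null for this class, see the
         * constructor) in place of the token callback, so the list held a null entry and omitted
         * the ReST token callback.
         *
         * @return a new mutable list with the ReST token and remote address callbacks
         */
        @Override // com.sun.enterprise.admin.util.AdminLoginModule.Authenticator, org.glassfish.common.util.admin.AdminAuthenticator
        public List<Callback> callbacks() {
            return new ArrayList<Callback>(Arrays.<Callback>asList(this.restTokenCB, this.remoteAddrCB));
        }

        /**
         * Asks the ReST session manager to authenticate the token for the given remote address.
         *
         * @param subject subject that receives the identity stored with the session
         * @return {@code true} when the session manager returned a subject
         * @throws LoginException declared by the interface; not thrown directly here
         */
        @Override // org.glassfish.common.util.admin.AdminAuthenticator
        public boolean identify(Subject subject) throws LoginException {
            if (AdminLoginModule.this.restSessionManager == null) {
                return false;
            }
            String restToken = this.restTokenCB.getText();
            String remoteAddr = this.remoteAddrCB.getText();
            if (restToken == null || remoteAddr == null) {
                return false;
            }
            Subject sessionSubject = AdminLoginModule.this.restSessionManager.authenticate(restToken, remoteAddr);
            if (sessionSubject == null) {
                return false;
            }
            AdminLoginModule.this.updateFromSubject(subject, sessionSubject);
            LOGGER.log(PROGRESS_LEVEL, "Detected ReST token");
            return true;
        }
    }

    /** Classifies the special admin indicator found in a request against the expected value. */
    private static class SpecialAdminIndicatorChecker {
        private final Result result;

        /* JADX INFO: Access modifiers changed from: private */
        public enum Result {
            NOT_IN_REQUEST,
            MATCHED,
            MISMATCHED
        }

        /**
         * @param presentedIndicator indicator taken from the request, or null when absent
         * @param expectedIndicator  indicator configured for the domain
         * @param remoteHost         remote host text, used only in the mismatch warning
         */
        private SpecialAdminIndicatorChecker(String presentedIndicator, String expectedIndicator, String remoteHost) {
            Level level = Level.FINER;
            if (presentedIndicator == null) {
                LOGGER.log(level, "Admin request contains no domain ID; this is OK - continuing");
                this.result = Result.NOT_IN_REQUEST;
            } else if (constantTimeEquals(presentedIndicator, expectedIndicator)) {
                this.result = Result.MATCHED;
                LOGGER.log(level, "Admin request contains expected domain ID");
            } else {
                // NOTE(review): this warning receives the request-supplied host and indicator as
                // well as the expected indicator. Since a matching indicator is enough for login()
                // to succeed, consider whether the expected value belongs in the log, and whether
                // the request-supplied values need CR/LF neutralising. Left unchanged because the
                // message template lives in AdminLoggerInfo, outside this file.
                LOGGER.log(Level.WARNING, AdminLoggerInfo.mForeignDomainID,
                        new Object[]{remoteHost, presentedIndicator, expectedIndicator});
                this.result = Result.MISMATCHED;
            }
        }

        /**
         * Compares two strings without stopping at the first differing character, so the time
         * taken does not reveal how long a matching prefix the caller supplied. Only the lengths
         * influence the running time. Returns the same answer as {@code presented.equals(expected)}
         * for non-null {@code presented}.
         */
        private static boolean constantTimeEquals(String presented, String expected) {
            if (presented == null || expected == null) {
                return false;
            }
            int difference = presented.length() ^ expected.length();
            int shared = Math.min(presented.length(), expected.length());
            for (int i = 0; i < shared; i++) {
                difference |= presented.charAt(i) ^ expected.charAt(i);
            }
            return difference == 0;
        }

        /* JADX INFO: Access modifiers changed from: private */
        public Result result() {
            return this.result;
        }
    }

    /** Authenticator whose single callback is a {@link TextInputCallback} named after its type. */
    abstract class TextAuthenticator extends Authenticator {
        final TextInputCallback textCB;

        TextAuthenticator(AdminAuthenticator.AuthenticatorType authenticatorType) {
            super(authenticatorType, new TextInputCallback(authenticatorType.name()));
            // cb is declared as Callback; the decompiled assignment lacked this cast and did not compile.
            this.textCB = (TextInputCallback) this.cb;
        }
    }

    /** Recognises the local password presented through the password callback. */
    class UsernamePasswordAuthenticator extends Authenticator {
        final NameCallback nameCB;
        final PasswordCallback pwCB;

        UsernamePasswordAuthenticator() {
            super(AdminAuthenticator.AuthenticatorType.USERNAME_PASSWORD, null);
            this.nameCB = new NameCallback("username");
            this.pwCB = new PasswordCallback("password", false);
        }

        /** @return {@code true} when the handler supplied a user name or a password */
        boolean isActive() {
            return this.nameCB.getName() != null || this.pwCB.getPassword() != null;
        }

        /**
         * Checks whether the presented password is the local password. The user name is not
         * consulted here.
         *
         * @param subject subject that receives an {@code AdminLocalPasswordPrincipal} on a match
         * @return {@code true} when the password is the local password
         * @throws LoginException declared by the interface; not thrown directly here
         */
        @Override // org.glassfish.common.util.admin.AdminAuthenticator
        public boolean identify(Subject subject) throws LoginException {
            if (AdminLoginModule.this.localPassword == null) {
                return false;
            }
            // If the handler left the password unset, getPassword() is null and new String(...)
            // throws NullPointerException; login() converts that into a LoginException, so the
            // whole login is rejected. NOTE(review): confirm the handler always sets a password
            // (possibly empty), otherwise token-only requests cannot succeed.
            // The String copy of the password cannot be wiped afterwards; it exists because
            // isLocalPassword takes a String.
            boolean isLocalPassword = AdminLoginModule.this.localPassword.isLocalPassword(new String(this.pwCB.getPassword()));
            if (isLocalPassword) {
                subject.getPrincipals().add(new AdminLocalPasswordPrincipal());
                LOGGER.log(PROGRESS_LEVEL, "AdminLoginModule detected local password");
            }
            return isLocalPassword;
        }

        /** @return a new mutable list with the name and password callbacks */
        @Override // com.sun.enterprise.admin.util.AdminLoginModule.Authenticator, org.glassfish.common.util.admin.AdminAuthenticator
        public List<Callback> callbacks() {
            return new ArrayList<Callback>(Arrays.<Callback>asList(this.nameCB, this.pwCB));
        }
    }

    /**
     * Stores the subject and callback handler. When the handler is an
     * {@code AdminCallbackHandler}, the services are looked up through its service locator,
     * replacing whatever was injected.
     *
     * <p>{@code secureAdmin} is only derived on that path; with any other handler it stays null,
     * which disables the admin-indicator authenticator and makes the principal authenticator fail
     * the login whenever a principal is supplied.
     *
     * @param subject         subject to populate on commit
     * @param callbackHandler handler that supplies the request's credentials
     * @param map             shared state (unused)
     * @param map2            module options (unused)
     */
    @Override
    public void initialize(Subject subject, CallbackHandler callbackHandler, Map<String, ?> map, Map<String, ?> map2) {
        if (callbackHandler instanceof AdminCallbackHandler) {
            findServices(((AdminCallbackHandler) callbackHandler).getServiceLocator());
        }
        this.subject = subject;
        this.callbackHandler = callbackHandler;
    }

    /** Looks up the collaborating services and derives {@code secureAdmin} from the domain. */
    private void findServices(ServiceLocator serviceLocator) {
        this.domain = (Domain) serviceLocator.getService(Domain.class, new Annotation[0]);
        this.secureAdmin = this.domain.getSecureAdmin();
        this.authTokenManager = (AuthTokenManager) serviceLocator.getService(AuthTokenManager.class, new Annotation[0]);
        this.localPassword = (LocalPassword) serviceLocator.getService(LocalPassword.class, new Annotation[0]);
        this.restSessionManager = (RestSessionManager) serviceLocator.getService(RestSessionManager.class, new Annotation[0]);
    }

    /**
     * Collects the credentials through the callback handler and runs every authenticator.
     *
     * <p>The authenticated flag is cleared before anything else and set only after all
     * authenticators have run without throwing. Previously the flag was accumulated in place, so
     * an authenticator that succeeded followed by one that threw left it {@code true}; a later
     * {@link #commit()} (for example when this module is optional and another module succeeds)
     * would then have copied the partially assembled identity into the subject.
     *
     * @return {@code true} when at least one authenticator recognised the request
     * @throws LoginException when no callback handler is set, when no authenticator recognised
     *                        the request, or wrapping any exception raised along the way
     */
    @Override
    public boolean login() throws LoginException {
        if (this.callbackHandler == null) {
            throw new LoginException(Strings.get("secure.admin.noCallbackHandler"));
        }
        // Fail closed: every exit path other than the explicit success below leaves this false.
        this.isAuthenticated = false;
        try {
            this.callbackHandler.handle(this.callbacks.toArray(new Callback[this.callbacks.size()]));
            boolean identified = false;
            for (AdminAuthenticator authenticator : this.authenticators) {
                // Deliberately not short-circuited: each authenticator may add principals, and a
                // mismatching admin indicator must be able to veto an earlier success.
                identified |= authenticator.identify(this.subjectToAssemble);
            }
            LOGGER.log(PROGRESS_LEVEL, "login returning {0}", Boolean.valueOf(identified));
            if (!identified) {
                throw new LoginException();
            }
            this.isAuthenticated = true;
            return true;
        } catch (Exception e) {
            // NOTE(review): subjectToAssemble keeps whatever earlier authenticators added during
            // this failed attempt; it is not copied anywhere because the flag stays false.
            LoginException loginException = new LoginException();
            loginException.initCause(e);
            throw loginException;
        }
    }

    /**
     * Adds all principals and credentials of {@code subject2} to {@code subject}.
     *
     * @param subject  destination
     * @param subject2 source
     */
    /* JADX INFO: Access modifiers changed from: private */
    public void updateFromSubject(Subject subject, Subject subject2) {
        subject.getPrincipals().addAll(subject2.getPrincipals());
        subject.getPrivateCredentials().addAll(subject2.getPrivateCredentials());
        subject.getPublicCredentials().addAll(subject2.getPublicCredentials());
    }

    /**
     * Copies the assembled identity into the subject given to initialize().
     *
     * <p>At FINER the attached identity is logged. Private credentials are reported by class name
     * only; the original logged the credential objects themselves, which writes secret material
     * to the log whenever FINER is enabled.
     *
     * @return {@code false} when this module's login() did not succeed, otherwise {@code true}
     * @throws LoginException declared by the interface; not thrown directly here
     */
    @Override
    public boolean commit() throws LoginException {
        if (!this.isAuthenticated) {
            return false;
        }
        updateFromSubject(this.subject, this.subjectToAssemble);
        LOGGER.log(PROGRESS_LEVEL, "commiting");
        Level detail = Level.FINER;
        if (LOGGER.isLoggable(detail)) {
            LOGGER.log(detail, "Following identity attached to subject: {0} principals, {1} private credentials, {2} public credentials", new Object[]{Integer.valueOf(this.subjectToAssemble.getPrincipals().size()), Integer.valueOf(this.subjectToAssemble.getPrivateCredentials().size()), Integer.valueOf(this.subjectToAssemble.getPublicCredentials().size())});
            for (Principal principal : this.subjectToAssemble.getPrincipals()) {
                LOGGER.log(detail, "  principal: {0}", principal.getName());
            }
            for (Object credential : this.subjectToAssemble.getPrivateCredentials()) {
                // Type only: the value of a private credential must not reach the log.
                LOGGER.log(detail, "  private credential: {0}", credential.getClass().getName());
            }
            for (Object credential : this.subjectToAssemble.getPublicCredentials()) {
                LOGGER.log(detail, "  public credential: {0}", credential);
            }
        }
        return true;
    }

    /**
     * Removes the assembled identity from the subject after an overall login failure.
     *
     * @return {@code false} when this module's login() did not succeed, otherwise {@code true}
     * @throws LoginException declared by the interface; not thrown directly here
     */
    @Override
    public boolean abort() throws LoginException {
        if (!this.isAuthenticated) {
            return false;
        }
        LOGGER.log(PROGRESS_LEVEL, "aborting");
        removeAddedInfo();
        return true;
    }

    /**
     * Removes the assembled identity from the subject.
     *
     * @return always {@code true}
     * @throws LoginException declared by the interface; not thrown directly here
     */
    @Override
    public boolean logout() throws LoginException {
        LOGGER.log(PROGRESS_LEVEL, "logging out");
        removeAddedInfo();
        return true;
    }

    /** Removes from the subject every principal and credential present in the scratch subject. */
    private void removeAddedInfo() {
        this.subject.getPrincipals().removeAll(this.subjectToAssemble.getPrincipals());
        this.subject.getPrivateCredentials().removeAll(this.subjectToAssemble.getPrivateCredentials());
        this.subject.getPublicCredentials().removeAll(this.subjectToAssemble.getPublicCredentials());
    }
}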
