package org.apache.karaf.management;

import java.io.IOException;
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Method;
import java.security.AccessControlContext;
import java.security.AccessController;
import java.security.Principal;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Comparator;
import java.util.Dictionary;
import java.util.Enumeration;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import java.util.TreeSet;
import java.util.regex.Pattern;
import javax.management.Attribute;
import javax.management.AttributeList;
import javax.management.JMException;
import javax.management.MBeanAttributeInfo;
import javax.management.MBeanInfo;
import javax.management.MBeanOperationInfo;
import javax.management.MBeanParameterInfo;
import javax.management.MBeanServer;
import javax.management.ObjectName;
import javax.security.auth.Subject;
import org.apache.felix.framework.util.FelixConstants;
import org.apache.karaf.jaas.boot.principal.RolePrincipal;
import org.apache.karaf.management.internal.BulkRequestContext;
import org.apache.karaf.management.tools.ACLConfigurationParser;
import org.osgi.framework.ServicePermission;
import org.osgi.service.cm.ConfigurationAdmin;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/karaf/system/org/apache/karaf/management/org.apache.karaf.management.server/2.4.0.redhat-630431/org.apache.karaf.management.server-2.4.0.redhat-630431.jar:org/apache/karaf/management/KarafMBeanServerGuard.class */
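/**
 * Role-based access guard for {@link MBeanServer} calls.
 *
 * <p>For a guarded call the MBean's {@link ObjectName} is turned into a list of candidate
 * configuration PIDs ({@code jmx.acl.<domain>.<type>...} down to {@code jmx.acl}); the first PID
 * whose ACL yields a match supplies the roles required for the operation. The call is allowed
 * when the operation is whitelisted or the current user holds one of those roles; otherwise
 * {@link #handleInvoke} throws a {@link SecurityException}. When no ACL matches, the role list is
 * empty and the call is denied.
 *
 * <p>NOTE: this source is decompiled. {@code ServicePermission.GET} and
 * {@code FelixConstants.PACKAGE_SEPARATOR} appear where the decompiler substituted a constant for
 * a string literal of the same value (presumably {@code "get"} and {@code "."}); they are kept
 * as-is so the compiled behaviour is unchanged.
 */
public class KarafMBeanServerGuard implements InvocationHandler {
    private static final String JMX_ACL_PID_PREFIX = "jmx.acl";
    private static final String JMX_ACL_WHITELIST = "jmx.acl.whitelist";
    private static final String ROLE_WILDCARD = "*";
    private static final String JMX_OBJECTNAME_PROPERTY_WILDCARD = "_";
    private ConfigurationAdmin configAdmin;
    private static final Logger LOG = LoggerFactory.getLogger(KarafMBeanServerGuard.class);
    private static final Comparator<String[]> WILDCARD_PID_COMPARATOR = new WildcardPidComparator();

    /* loaded from: input_file:WEB-INF/karaf/system/org/apache/karaf/management/org.apache.karaf.management.server/2.4.0.redhat-630431/org.apache.karaf.management.server-2.4.0.redhat-630431.jar:org/apache/karaf/management/KarafMBeanServerGuard$WildcardPidComparator.class */
    /**
     * Orders segmented PIDs so that the most specific one sorts first: {@code null} last, shorter
     * before longer, and at the first differing segment a literal segment before the wildcard
     * segment {@code "_"}.
     */
    private static class WildcardPidComparator implements Comparator<String[]> {
        private WildcardPidComparator() {
        }

        @Override // java.util.Comparator
        public int compare(String[] left, String[] right) {
            if (left == null && right == null) {
                return 0;
            }
            if (left == null) {
                return 1;
            }
            if (right == null) {
                return -1;
            }
            if (left.length != right.length) {
                // Lengths are non-negative, so the subtraction cannot overflow.
                return left.length - right.length;
            }
            for (int i = 0; i < left.length; i++) {
                if (!left[i].equals(right[i])) {
                    if (left[i].equals(JMX_OBJECTNAME_PROPERTY_WILDCARD)) {
                        return 1;
                    }
                    if (right[i].equals(JMX_OBJECTNAME_PROPERTY_WILDCARD)) {
                        return -1;
                    }
                    return left[i].compareTo(right[i]);
                }
            }
            return 0;
        }
    }

    public ConfigurationAdmin getConfigAdmin() {
        return this.configAdmin;
    }

    public void setConfigAdmin(ConfigurationAdmin configurationAdmin) {
        this.configAdmin = configurationAdmin;
    }

    /**
     * Authorizes an intercepted {@link MBeanServer} call before it is carried out.
     *
     * <p>Only {@code getAttribute}, {@code getAttributes}, {@code setAttribute},
     * {@code setAttributes} and {@code invoke} are checked. Every other method, including other
     * methods whose first parameter is an {@link ObjectName}, returns without any check.
     * NOTE(review): confirm that the remaining MBeanServer methods are restricted elsewhere.
     *
     * @param proxy  the MBeanServer the call is addressed to
     * @param method the MBeanServer method being called
     * @param args   the arguments of that call
     * @return always {@code null}; the result of this handler is only "no exception"
     * @throws SecurityException if the current user lacks every required role
     */
    @Override // java.lang.reflect.InvocationHandler
    public Object invoke(Object proxy, Method method, Object[] args) throws Throwable {
        Class<?>[] parameterTypes = method.getParameterTypes();
        if (parameterTypes.length == 0 || !ObjectName.class.isAssignableFrom(parameterTypes[0])) {
            return null;
        }
        ObjectName objectName = (ObjectName) args[0];
        String methodName = method.getName();
        if ("getAttribute".equals(methodName)) {
            handleGetAttribute((MBeanServer) proxy, objectName, (String) args[1]);
        } else if ("getAttributes".equals(methodName)) {
            handleGetAttributes((MBeanServer) proxy, objectName, (String[]) args[1]);
        } else if ("setAttribute".equals(methodName)) {
            handleSetAttribute((MBeanServer) proxy, objectName, (Attribute) args[1]);
        } else if ("setAttributes".equals(methodName)) {
            handleSetAttributes((MBeanServer) proxy, objectName, (AttributeList) args[1]);
        } else if ("invoke".equals(methodName)) {
            handleInvoke(objectName, (String) args[1], (Object[]) args[2], (String[]) args[3]);
        }
        return null;
    }

    /** Same as {@link #canInvoke(BulkRequestContext, MBeanServer, ObjectName)} with a fresh context. */
    public boolean canInvoke(MBeanServer mBeanServer, ObjectName objectName) throws JMException, IOException {
        return canInvoke((BulkRequestContext) null, mBeanServer, objectName);
    }

    /**
     * Tells whether the current user may call at least one operation, getter or setter of the MBean.
     *
     * @param context     shared lookup context, or {@code null} to create one per check
     * @param mBeanServer server used to read the MBean's {@link MBeanInfo}
     * @param objectName  the MBean to test
     * @return {@code true} as soon as one member is permitted, {@code false} if none is
     */
    public boolean canInvoke(BulkRequestContext context, MBeanServer mBeanServer, ObjectName objectName) throws JMException, IOException {
        MBeanInfo info = mBeanServer.getMBeanInfo(objectName);
        for (MBeanOperationInfo operation : info.getOperations()) {
            if (canInvoke(context, objectName, operation.getName(), signatureOf(operation))) {
                return true;
            }
        }
        for (MBeanAttributeInfo attribute : info.getAttributes()) {
            if (attribute.isReadable()) {
                // Parenthesised on purpose: without the parentheses the conditional swallows the
                // concatenation and a boolean "is" attribute is checked under the bare name "is"
                // instead of "is<Name>", which is not what handleGetAttribute enforces.
                String getter = (attribute.isIs() ? "is" : ServicePermission.GET) + attribute.getName();
                if (canInvoke(context, objectName, getter, new String[0])) {
                    return true;
                }
            }
            if (attribute.isWritable()
                    && canInvoke(context, objectName, "set" + attribute.getName(), new String[]{attribute.getType()})) {
                return true;
            }
        }
        return false;
    }

    /** Same as {@link #canInvoke(BulkRequestContext, MBeanServer, ObjectName, String)} with a fresh context. */
    public boolean canInvoke(MBeanServer mBeanServer, ObjectName objectName, String operationName) throws JMException, IOException {
        return canInvoke((BulkRequestContext) null, mBeanServer, objectName, operationName);
    }

    /**
     * Tells whether the current user may call the named member of the MBean.
     *
     * <p>The name is trimmed, then matched against the MBean's operations (any overload that is
     * permitted is enough) and against the {@code is}/{@code get}/{@code set} form of its
     * attributes. A name that matches nothing in the {@link MBeanInfo} is reported as not
     * invocable.
     */
    public boolean canInvoke(BulkRequestContext context, MBeanServer mBeanServer, ObjectName objectName, String operationName) throws JMException, IOException {
        String wanted = operationName.trim();
        MBeanInfo info = mBeanServer.getMBeanInfo(objectName);
        for (MBeanOperationInfo operation : info.getOperations()) {
            if (wanted.equals(operation.getName())
                    && canInvoke(context, objectName, operation.getName(), signatureOf(operation))) {
                return true;
            }
        }
        for (MBeanAttributeInfo attribute : info.getAttributes()) {
            String attributeName = attribute.getName();
            if (wanted.equals("is" + attributeName) || wanted.equals(ServicePermission.GET + attributeName)) {
                return canInvoke(context, objectName, wanted, new String[0]);
            }
            if (wanted.equals("set" + attributeName)) {
                return canInvoke(context, objectName, wanted, new String[]{attribute.getType()});
            }
        }
        return false;
    }

    /** Same as the five-argument overload with a fresh context. */
    public boolean canInvoke(MBeanServer mBeanServer, ObjectName objectName, String operationName, String[] signature) throws IOException {
        return canInvoke(null, mBeanServer, objectName, operationName, signature);
    }

    /** Checks one operation by name and signature; the server argument is not consulted. */
    public boolean canInvoke(BulkRequestContext context, MBeanServer mBeanServer, ObjectName objectName, String operationName, String[] signature) throws IOException {
        return canInvoke(context, objectName, operationName, signature);
    }

    /**
     * Non-throwing form of the access decision: whitelisted, or one required role is among the
     * principals held by the context.
     */
    private boolean canInvoke(BulkRequestContext context, ObjectName objectName, String operationName, String[] signature) throws IOException {
        if (context == null) {
            context = BulkRequestContext.newContext(this.configAdmin);
        }
        if (canBypassRBAC(context, objectName, operationName)) {
            return true;
        }
        for (String role : getRequiredRoles(context, objectName, operationName, signature)) {
            if (currentUserHasRole(context.getPrincipals(), role)) {
                return true;
            }
        }
        return false;
    }

    /** Returns the parameter type names of an operation, in declaration order. */
    private static String[] signatureOf(MBeanOperationInfo operation) {
        MBeanParameterInfo[] parameters = operation.getSignature();
        String[] types = new String[parameters.length];
        for (int i = 0; i < parameters.length; i++) {
            types[i] = parameters[i].getType();
        }
        return types;
    }

    /**
     * Authorizes reading one attribute as a call to its {@code is<Name>} or {@code get<Name>}
     * accessor.
     *
     * <p>NOTE(review): an attribute name that is not listed in the {@link MBeanInfo} is only
     * logged at debug level and the call is let through, whereas {@link #handleSetAttribute}
     * rejects that case. Confirm the underlying server refuses attributes it does not declare.
     */
    private void handleGetAttribute(MBeanServer mBeanServer, ObjectName objectName, String attributeName) throws JMException, IOException {
        String prefix = null;
        for (MBeanAttributeInfo attribute : mBeanServer.getMBeanInfo(objectName).getAttributes()) {
            if (attribute.getName().equals(attributeName)) {
                prefix = attribute.isIs() ? "is" : ServicePermission.GET;
            }
        }
        if (prefix == null) {
            LOG.debug("Attribute {} can not be found for MBean {}", attributeName, objectName);
        } else {
            handleInvoke(null, objectName, prefix + attributeName, new Object[0], new String[0]);
        }
    }

    /** Authorizes each requested attribute in turn; the first denial aborts the whole request. */
    private void handleGetAttributes(MBeanServer mBeanServer, ObjectName objectName, String[] attributeNames) throws JMException, IOException {
        for (String attributeName : attributeNames) {
            handleGetAttribute(mBeanServer, objectName, attributeName);
        }
    }

    /**
     * Authorizes writing one attribute as a call to {@code set<Name>} with the attribute's
     * declared type as signature.
     *
     * @throws IllegalStateException if the MBean declares no attribute of that name
     */
    private void handleSetAttribute(MBeanServer mBeanServer, ObjectName objectName, Attribute attribute) throws JMException, IOException {
        String dataType = null;
        for (MBeanAttributeInfo declared : mBeanServer.getMBeanInfo(objectName).getAttributes()) {
            if (declared.getName().equals(attribute.getName())) {
                dataType = declared.getType();
                break;
            }
        }
        if (dataType == null) {
            throw new IllegalStateException("Attribute data type can not be found");
        }
        handleInvoke(null, objectName, "set" + attribute.getName(), new Object[]{attribute.getValue()}, new String[]{dataType});
    }

    /** Authorizes each attribute write in turn; the first denial aborts the whole request. */
    private void handleSetAttributes(MBeanServer mBeanServer, ObjectName objectName, AttributeList attributeList) throws JMException, IOException {
        for (Attribute attribute : attributeList.asList()) {
            handleSetAttribute(mBeanServer, objectName, attribute);
        }
    }

    /**
     * Tells whether a whitelist entry exempts this MBean (or this MBean and operation) from the
     * role check. Whitelist entries are the property keys of the context's whitelist
     * configurations.
     *
     * <p>NOTE(review): {@code String.split} takes a regular expression, and the separator passed
     * here is the unquoted {@code FelixConstants.PACKAGE_SEPARATOR}. If that is {@code "."}, the
     * split yields no segments for any entry, the "entry names an operation" branch is never
     * taken, and every entry is compared against the MBean path alone, exempting all of that
     * MBean's operations. The logic is left untouched because changing it alters which entries
     * bypass access control; it needs a decision on the intended whitelist syntax first.
     */
    private boolean canBypassRBAC(BulkRequestContext context, ObjectName objectName, String operationName) {
        List<String> whitelistEntries = new ArrayList<String>();
        for (Dictionary<String, Object> whitelist : context.getWhitelistProperties()) {
            Enumeration<String> keys = whitelist.keys();
            while (keys.hasMoreElements()) {
                whitelistEntries.add(keys.nextElement());
            }
        }
        for (String pid : iterateDownPids(getNameSegments(objectName))) {
            if (pid.equals(JMX_ACL_PID_PREFIX)) {
                continue;
            }
            // Every other candidate PID starts with "jmx.acl.", see iterateDownPids.
            String mbeanPath = pid.substring("jmx.acl.".length());
            for (String entry : whitelistEntries) {
                if (entry.split(FelixConstants.PACKAGE_SEPARATOR).length > 1) {
                    if (entry.equals(mbeanPath + FelixConstants.PACKAGE_SEPARATOR + operationName)) {
                        return true;
                    }
                } else if (entry.equals(mbeanPath)) {
                    return true;
                }
            }
        }
        return false;
    }

    /** Same as the five-argument overload with a fresh context. */
    void handleInvoke(ObjectName objectName, String operationName, Object[] params, String[] signature) throws IOException {
        handleInvoke(null, objectName, operationName, params, signature);
    }

    /**
     * Enforcing form of the access decision.
     *
     * <p>Unlike the private {@code canInvoke}, roles are tested against the subject of the
     * calling thread's access-control context, not against the principals held by the context
     * object.
     *
     * @throws SecurityException if the operation is not whitelisted and the current user holds
     *                           none of the required roles (including when no role is configured)
     */
    void handleInvoke(BulkRequestContext context, ObjectName objectName, String operationName, Object[] params, String[] signature) throws IOException {
        if (context == null) {
            context = BulkRequestContext.newContext(this.configAdmin);
        }
        if (canBypassRBAC(context, objectName, operationName)) {
            return;
        }
        for (String role : getRequiredRoles(context, objectName, operationName, params, signature)) {
            if (currentUserHasRole(role)) {
                return;
            }
        }
        throw new SecurityException("Insufficient roles/credentials for operation");
    }

    List<String> getRequiredRoles(ObjectName objectName, String operationName, String[] signature) throws IOException {
        return getRequiredRoles(BulkRequestContext.newContext(this.configAdmin), objectName, operationName, null, signature);
    }

    List<String> getRequiredRoles(BulkRequestContext context, ObjectName objectName, String operationName, String[] signature) throws IOException {
        return getRequiredRoles(context, objectName, operationName, null, signature);
    }

    List<String> getRequiredRoles(ObjectName objectName, String operationName, Object[] params, String[] signature) throws IOException {
        return getRequiredRoles(BulkRequestContext.newContext(this.configAdmin), objectName, operationName, params, signature);
    }

    /**
     * Looks up the roles that permit an operation.
     *
     * <p>Candidate PIDs are tried from the most specific to {@code jmx.acl}; the first one whose
     * configuration produces anything other than {@code NO_MATCH} decides.
     *
     * @return the roles from the first matching ACL, or an empty list when nothing matches
     */
    List<String> getRequiredRoles(BulkRequestContext context, ObjectName objectName, String operationName, Object[] params, String[] signature) throws IOException {
        for (String pid : iterateDownPids(getNameSegments(objectName))) {
            String generalPid = getGeneralPid(context.getAllPids(), pid);
            if (generalPid.length() > 0) {
                Dictionary<String, Object> configuration = context.getConfiguration(generalPid);
                List<String> roles = new ArrayList<String>();
                if (ACLConfigurationParser.getRolesForInvocation(operationName, params, signature, configuration, roles)
                        != ACLConfigurationParser.Specificity.NO_MATCH) {
                    return roles;
                }
            }
        }
        return Collections.emptyList();
    }

    /**
     * Picks, among the configured PIDs, the most specific one that matches {@code pid} segment by
     * segment, where a configured segment {@code "_"} matches any segment.
     *
     * @return the chosen configured PID, or the empty string when none matches
     */
    private String getGeneralPid(List<String> allPids, String pid) {
        String[] pidSegments = pid.split(Pattern.quote("."));
        TreeSet<String[]> candidates = new TreeSet<String[]>(WILDCARD_PID_COMPARATOR);
        for (String configuredPid : allPids) {
            String[] configuredSegments = configuredPid.split(Pattern.quote("."));
            if (configuredSegments.length != pidSegments.length) {
                continue;
            }
            boolean matches = true;
            for (int i = 0; i < configuredSegments.length; i++) {
                if (!configuredSegments[i].equals(JMX_OBJECTNAME_PROPERTY_WILDCARD)
                        && !configuredSegments[i].equals(pidSegments[i])) {
                    matches = false;
                    break;
                }
            }
            if (matches) {
                candidates.add(configuredSegments);
            }
        }
        if (candidates.isEmpty()) {
            return "";
        }
        // The comparator sorts the most specific candidate first.
        StringBuilder joined = new StringBuilder();
        for (String segment : candidates.first()) {
            if (joined.length() > 0) {
                joined.append(".");
            }
            joined.append(segment);
        }
        return joined.toString();
    }

    /**
     * Flattens an object name into PID segments: the domain, then the value of the {@code type}
     * key, then the values of the remaining keys in the order they appear in the key-property
     * string.
     *
     * <p>NOTE(review): the segment order, and therefore the ACL PID that gets looked up, follows
     * the key-property string as it was supplied rather than a canonical order, and the string is
     * split on every comma, so a quoted value containing a comma is not handled. Confirm that ACL
     * PIDs cannot be missed because of key order or quoting.
     */
    private List<String> getNameSegments(ObjectName objectName) {
        List<String> segments = new ArrayList<String>();
        segments.add(objectName.getDomain());
        for (String keyValue : objectName.getKeyPropertyListString().split("[,]")) {
            int separator = keyValue.indexOf('=');
            if (separator >= 0) {
                String key = keyValue.substring(0, separator);
                String value = objectName.getKeyProperty(key);
                if (key.equals("type")) {
                    // The type always comes right after the domain.
                    segments.add(1, value);
                } else {
                    segments.add(value);
                }
            }
        }
        return segments;
    }

    /**
     * Builds the candidate PIDs for a segment list, longest first, ending with the bare
     * {@code jmx.acl} prefix.
     */
    private List<String> iterateDownPids(List<String> segments) {
        List<String> pids = new ArrayList<String>();
        for (int count = segments.size(); count > 0; count--) {
            StringBuilder pid = new StringBuilder();
            pid.append(JMX_ACL_PID_PREFIX);
            for (int i = 0; i < count; i++) {
                pid.append('.');
                pid.append(segments.get(i));
            }
            pids.add(pid.toString());
        }
        pids.add(JMX_ACL_PID_PREFIX);
        return pids;
    }

    /**
     * Tests a role against the subject of the calling thread's access-control context.
     *
     * @param role a role name, {@code principalClass:name}, or {@code "*"} for "anyone"
     * @return {@code true} for the wildcard role or when the subject holds the role;
     *         {@code false} when there is no context or no subject
     */
    static boolean currentUserHasRole(String role) {
        if (ROLE_WILDCARD.equals(role)) {
            return true;
        }
        AccessControlContext context = AccessController.getContext();
        if (context == null) {
            return false;
        }
        Subject subject = Subject.getSubject(context);
        if (subject == null) {
            return false;
        }
        return currentUserHasRole(subject.getPrincipals(), role);
    }

    /**
     * Tests a role against a set of principals.
     *
     * <p>A role written as {@code principalClass:name} must match both the principal's class
     * name and its name; a plain role name is matched against {@link RolePrincipal} instances.
     *
     * @param principals the principals of the user; {@code null} is treated as "no principals"
     * @param role       a role name, {@code principalClass:name}, or {@code "*"} for "anyone"
     */
    static boolean currentUserHasRole(Set<Principal> principals, String role) {
        if (ROLE_WILDCARD.equals(role)) {
            return true;
        }
        if (principals == null) {
            // Deny rather than fail with a NullPointerException when no principals are known.
            return false;
        }
        String principalClass;
        String roleName;
        int separator = role.indexOf(':');
        if (separator > 0) {
            principalClass = role.substring(0, separator);
            roleName = role.substring(separator + 1);
        } else {
            principalClass = RolePrincipal.class.getName();
            roleName = role;
        }
        for (Principal principal : principals) {
            if (principalClass.equals(principal.getClass().getName()) && roleName.equals(principal.getName())) {
                return true;
            }
        }
        return false;
    }
}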
