package org.apache.karaf.service.guard.impl;

import java.io.IOException;
import java.lang.reflect.Method;
import java.security.AccessControlContext;
import java.security.AccessController;
import java.security.Principal;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Dictionary;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.Hashtable;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.TreeMap;
import java.util.concurrent.BlockingQueue;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import java.util.concurrent.LinkedBlockingQueue;
import java.util.regex.Pattern;
import javax.security.auth.Subject;
import org.apache.aries.proxy.InvocationListener;
import org.apache.aries.proxy.ProxyManager;
import org.apache.aries.proxy.UnableToProxyException;
import org.apache.felix.service.command.CommandProcessor;
import org.apache.karaf.jaas.boot.principal.RolePrincipal;
import org.apache.karaf.service.guard.tools.ACLConfigurationParser;
import org.osgi.framework.Bundle;
import org.osgi.framework.BundleContext;
import org.osgi.framework.Filter;
import org.osgi.framework.InvalidSyntaxException;
import org.osgi.framework.ServiceEvent;
import org.osgi.framework.ServiceFactory;
import org.osgi.framework.ServiceListener;
import org.osgi.framework.ServiceReference;
import org.osgi.framework.ServiceRegistration;
import org.osgi.service.cm.Configuration;
import org.osgi.service.cm.ConfigurationAdmin;
import org.osgi.util.tracker.ServiceTracker;
import org.osgi.util.tracker.ServiceTrackerCustomizer;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/karaf/system/org/apache/karaf/service/org.apache.karaf.service.guard/2.4.0.redhat-630481/org.apache.karaf.service.guard-2.4.0.redhat-630481.jar:org/apache/karaf/service/guard/impl/GuardProxyCatalog.class */
public class GuardProxyCatalog implements ServiceListener {
    public static final String KARAF_SECURED_SERVICES_SYSPROP = "karaf.secured.services";
    public static final String SERVICE_GUARD_ROLES_PROPERTY = "org.apache.karaf.service.guard.roles";
    public static final String KARAF_SECURED_COMMAND_COMPULSORY_ROLES_PROPERTY = "karaf.secured.command.compulsory.roles";
    static final String PROXY_CREATOR_THREAD_NAME = "Secure OSGi Service Proxy Creator";
    static final String SERVICE_ACL_PREFIX = "org.apache.karaf.service.acl.";
    static final String SERVICE_GUARD_KEY = "service.guard";
    private static final String ROLE_WILDCARD = "*";
    private final BundleContext myBundleContext;
    final ServiceTracker<ConfigurationAdmin, ConfigurationAdmin> configAdminTracker;
    final ServiceTracker<ProxyManager, ProxyManager> proxyManagerTracker;
    final String compulsoryRoles;
    static final String PROXY_SERVICE_KEY = "." + GuardProxyCatalog.class.getName();
    static final Logger LOG = LoggerFactory.getLogger((Class<?>) GuardProxyCatalog.class);
    private static final Pattern JAVA_METHOD_NAME_PATTERN = Pattern.compile("[a-zA-Z_$][a-zA-Z0-9_$]*");
    private final Map<String, Filter> filters = new ConcurrentHashMap();
    final ConcurrentMap<Long, ServiceRegistrationHolder> proxyMap = new ConcurrentHashMap();
    final BlockingQueue<CreateProxyRunnable> createProxyQueue = new LinkedBlockingQueue();
    volatile boolean runProxyCreator = true;
    volatile Thread proxyCreatorThread = null;

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:WEB-INF/karaf/system/org/apache/karaf/service/org.apache.karaf.service.guard/2.4.0.redhat-630481/org.apache.karaf.service.guard-2.4.0.redhat-630481.jar:org/apache/karaf/service/guard/impl/GuardProxyCatalog$CreateProxyRunnable.class */
    public interface CreateProxyRunnable {
        long getOriginalServiceID();

        void run(ProxyManager proxyManager) throws Exception;
    }

    /* loaded from: input_file:WEB-INF/karaf/system/org/apache/karaf/service/org.apache.karaf.service.guard/2.4.0.redhat-630481/org.apache.karaf.service.guard-2.4.0.redhat-630481.jar:org/apache/karaf/service/guard/impl/GuardProxyCatalog$ProxyInvocationListener.class */
    class ProxyInvocationListener implements InvocationListener {
        private final ServiceReference<?> serviceReference;

        ProxyInvocationListener(ServiceReference<?> serviceReference) {
            this.serviceReference = serviceReference;
        }

        @Override // org.apache.aries.proxy.InvocationListener
        public Object preInvoke(Object obj, Method method, Object[] objArr) throws Throwable {
            String[] strArr = new String[method.getParameterTypes().length];
            for (int i = 0; i < method.getParameterTypes().length; i++) {
                strArr[i] = method.getParameterTypes()[i].getName();
            }
            TreeMap treeMap = new TreeMap();
            boolean z = false;
            Object obj2 = null;
            for (Configuration configuration : GuardProxyCatalog.this.getServiceGuardConfigs()) {
                obj2 = configuration.getProperties().get(GuardProxyCatalog.SERVICE_GUARD_KEY);
                if ((obj2 instanceof String) && GuardProxyCatalog.this.myBundleContext.createFilter((String) obj2).match(this.serviceReference)) {
                    z = true;
                    ArrayList arrayList = new ArrayList();
                    ACLConfigurationParser.Specificity rolesForInvocation = ACLConfigurationParser.getRolesForInvocation(method.getName(), objArr, strArr, configuration.getProperties(), arrayList);
                    if (rolesForInvocation != ACLConfigurationParser.Specificity.NO_MATCH) {
                        treeMap.put(rolesForInvocation, arrayList);
                        if (rolesForInvocation == ACLConfigurationParser.Specificity.ARGUMENT_MATCH) {
                            break;
                        }
                    } else {
                        continue;
                    }
                }
            }
            if (!z) {
                if (GuardProxyCatalog.this.compulsoryRoles == null || !(obj2 instanceof String) || ((String) obj2).indexOf(CommandProcessor.COMMAND_SCOPE) <= 0 || ((String) obj2).indexOf("osgi.command.functio") <= 0) {
                    return null;
                }
                treeMap.put(ACLConfigurationParser.Specificity.NAME_MATCH, ACLConfigurationParser.parseRoles(GuardProxyCatalog.this.compulsoryRoles));
            }
            if (treeMap.size() == 0) {
                GuardProxyCatalog.LOG.info("Service {} has role mapping, but assigned no roles to method {}", this.serviceReference, method);
                throw new SecurityException("Insufficient credentials.");
            }
            List<String> list = (List) treeMap.values().iterator().next();
            for (String str : list) {
                if (GuardProxyCatalog.currentUserHasRole(str)) {
                    GuardProxyCatalog.LOG.trace("Allow user with role {} to invoke service {} method {}", str, this.serviceReference, method);
                    return null;
                }
            }
            GuardProxyCatalog.LOG.info("Current user does not have required roles ({}) for service {} method {} and/or arguments", list, this.serviceReference, method);
            throw new SecurityException("Insufficient credentials.");
        }

        @Override // org.apache.aries.proxy.InvocationListener
        public void postInvokeExceptionalReturn(Object obj, Object obj2, Method method, Throwable th) throws Throwable {
        }

        @Override // org.apache.aries.proxy.InvocationListener
        public void postInvoke(Object obj, Object obj2, Method method, Object obj3) throws Throwable {
        }
    }

    /* loaded from: input_file:WEB-INF/karaf/system/org/apache/karaf/service/org.apache.karaf.service.guard/2.4.0.redhat-630481/org.apache.karaf.service.guard-2.4.0.redhat-630481.jar:org/apache/karaf/service/guard/impl/GuardProxyCatalog$ProxyServiceFactory.class */
    class ProxyServiceFactory implements ServiceFactory<Object> {
        private final ProxyManager pm;
        private final ServiceReference<?> originalRef;

        ProxyServiceFactory(ProxyManager proxyManager, ServiceReference<?> serviceReference) {
            this.pm = proxyManager;
            this.originalRef = serviceReference;
        }

        @Override // org.osgi.framework.ServiceFactory
        /* renamed from: getService */
        public Object getService2(Bundle bundle, ServiceRegistration<Object> serviceRegistration) {
            HashSet hashSet = new HashSet();
            Object service = bundle.getBundleContext().getService(this.originalRef);
            Class<?> cls = service.getClass();
            while (true) {
                Class<?> cls2 = cls;
                if (Object.class.equals(cls2)) {
                    break;
                }
                hashSet.add(cls2);
                hashSet.addAll(Arrays.asList(cls2.getInterfaces()));
                cls = cls2.getSuperclass();
            }
            Iterator it = hashSet.iterator();
            while (it.hasNext()) {
                Class cls3 = (Class) it.next();
                if ((cls3.getModifiers() & 5) == 0 || (cls3.getModifiers() & 16) > 0 || cls3.isAnonymousClass() || cls3.isLocalClass()) {
                    it.remove();
                } else {
                    Method[] declaredMethods = cls3.getDeclaredMethods();
                    int length = declaredMethods.length;
                    int i = 0;
                    while (true) {
                        if (i >= length) {
                            break;
                        }
                        if ((declaredMethods[i].getModifiers() & 16) > 0) {
                            it.remove();
                            break;
                        }
                        i++;
                    }
                }
            }
            try {
                return this.pm.createInterceptingProxy(this.originalRef.getBundle(), hashSet, service, new ProxyInvocationListener(this.originalRef));
            } catch (UnableToProxyException e) {
                throw new RuntimeException(e);
            }
        }

        @Override // org.osgi.framework.ServiceFactory
        public void ungetService(Bundle bundle, ServiceRegistration<Object> serviceRegistration, Object obj) {
            bundle.getBundleContext().ungetService(this.originalRef);
        }
    }

    /* loaded from: input_file:WEB-INF/karaf/system/org/apache/karaf/service/org.apache.karaf.service.guard/2.4.0.redhat-630481/org.apache.karaf.service.guard-2.4.0.redhat-630481.jar:org/apache/karaf/service/guard/impl/GuardProxyCatalog$ServiceProxyCreatorCustomizer.class */
    class ServiceProxyCreatorCustomizer implements ServiceTrackerCustomizer<ProxyManager, ProxyManager> {
        ServiceProxyCreatorCustomizer() {
        }

        /* JADX WARN: Can't rename method to resolve collision */
        @Override // org.osgi.util.tracker.ServiceTrackerCustomizer
        public ProxyManager addingService(ServiceReference<ProxyManager> serviceReference) {
            GuardProxyCatalog.this.runProxyCreator = true;
            ProxyManager proxyManager = (ProxyManager) GuardProxyCatalog.this.myBundleContext.getService(serviceReference);
            if (GuardProxyCatalog.this.proxyCreatorThread == null && proxyManager != null) {
                GuardProxyCatalog.this.proxyCreatorThread = newProxyProducingThread(proxyManager);
            }
            return proxyManager;
        }

        private Thread newProxyProducingThread(final ProxyManager proxyManager) {
            Thread thread = new Thread(new Runnable() { // from class: org.apache.karaf.service.guard.impl.GuardProxyCatalog.ServiceProxyCreatorCustomizer.1
                @Override // java.lang.Runnable
                public void run() {
                    while (GuardProxyCatalog.this.runProxyCreator) {
                        CreateProxyRunnable createProxyRunnable = null;
                        try {
                            createProxyRunnable = GuardProxyCatalog.this.createProxyQueue.take();
                        } catch (InterruptedException e) {
                        }
                        if (createProxyRunnable != null) {
                            try {
                                createProxyRunnable.run(proxyManager);
                            } catch (Exception e2) {
                                GuardProxyCatalog.LOG.warn("Problem creating secured service proxy", (Throwable) e2);
                            }
                        }
                    }
                    GuardProxyCatalog.this.proxyCreatorThread = null;
                }
            });
            thread.setName(GuardProxyCatalog.PROXY_CREATOR_THREAD_NAME);
            thread.setDaemon(true);
            thread.start();
            return thread;
        }

        @Override // org.osgi.util.tracker.ServiceTrackerCustomizer
        public void modifiedService(ServiceReference<ProxyManager> serviceReference, ProxyManager proxyManager) {
        }

        @Override // org.osgi.util.tracker.ServiceTrackerCustomizer
        public void removedService(ServiceReference<ProxyManager> serviceReference, ProxyManager proxyManager) {
            GuardProxyCatalog.this.stopProxyCreator();
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:WEB-INF/karaf/system/org/apache/karaf/service/org.apache.karaf.service.guard/2.4.0.redhat-630481/org.apache.karaf.service.guard-2.4.0.redhat-630481.jar:org/apache/karaf/service/guard/impl/GuardProxyCatalog$ServiceRegistrationHolder.class */
    public static class ServiceRegistrationHolder {
        volatile ServiceRegistration<?> registration;

        ServiceRegistrationHolder() {
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public GuardProxyCatalog(BundleContext bundleContext) throws Exception {
        LOG.trace("Starting GuardProxyCatalog");
        this.myBundleContext = bundleContext;
        this.compulsoryRoles = System.getProperty(KARAF_SECURED_COMMAND_COMPULSORY_ROLES_PROPERTY);
        if (this.compulsoryRoles == null) {
            LOG.info("No compulsory roles for a karaf command without the ACL as its system property is not set: {}", KARAF_SECURED_COMMAND_COMPULSORY_ROLES_PROPERTY);
        }
        bundleContext.addServiceListener(this);
        Filter nonProxyFilter = getNonProxyFilter(bundleContext, ConfigurationAdmin.class);
        LOG.trace("Creating Config Admin Tracker using filter {}", nonProxyFilter);
        this.configAdminTracker = new ServiceTracker<>(bundleContext, nonProxyFilter, (ServiceTrackerCustomizer) null);
        this.configAdminTracker.open();
        Filter nonProxyFilter2 = getNonProxyFilter(bundleContext, ProxyManager.class);
        LOG.trace("Creating Proxy Manager Tracker using filter {}", nonProxyFilter2);
        this.proxyManagerTracker = new ServiceTracker<>(bundleContext, nonProxyFilter2, new ServiceProxyCreatorCustomizer());
        this.proxyManagerTracker.open();
    }

    static Filter getNonProxyFilter(BundleContext bundleContext, Class<?> cls) throws InvalidSyntaxException {
        return bundleContext.createFilter("(&(objectClass=" + cls.getName() + ")(!(" + PROXY_SERVICE_KEY + "=*)))");
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public void close() {
        LOG.trace("Stopping GuardProxyCatalog");
        stopProxyCreator();
        this.proxyManagerTracker.close();
        this.configAdminTracker.close();
        this.myBundleContext.removeServiceListener(this);
        try {
            Iterator<ServiceRegistrationHolder> it = this.proxyMap.values().iterator();
            while (it.hasNext()) {
                ServiceRegistration<?> serviceRegistration = it.next().registration;
                if (serviceRegistration != null) {
                    LOG.info("Unregistering proxy service of {} with properties {}", serviceRegistration.getReference().getProperty("objectClass"), copyProperties(serviceRegistration.getReference()));
                    serviceRegistration.unregister();
                }
            }
        } catch (Exception e) {
            LOG.debug("The ServiceReference become invalid: ", (Throwable) e);
        }
        this.proxyMap.clear();
    }

    @Override // org.osgi.framework.ServiceListener
    public void serviceChanged(ServiceEvent serviceEvent) {
        ServiceReference<?> serviceReference = serviceEvent.getServiceReference();
        if (serviceEvent.getType() == 1 || isProxy(serviceReference)) {
            return;
        }
        Long l = (Long) serviceReference.getProperty("service.id");
        if (serviceEvent.getType() == 4) {
            handleOriginalServiceUnregistering(l);
        }
        if ((serviceEvent.getType() & 10) > 0) {
            handleOriginalServiceModifed(l, serviceReference);
        }
    }

    private void handleOriginalServiceUnregistering(Long l) {
        Iterator it = this.createProxyQueue.iterator();
        while (it.hasNext()) {
            if (l.equals(Long.valueOf(((CreateProxyRunnable) it.next()).getOriginalServiceID()))) {
                it.remove();
            }
        }
        ServiceRegistrationHolder remove = this.proxyMap.remove(l);
        if (remove == null || remove.registration == null) {
            return;
        }
        remove.registration.unregister();
    }

    private void handleOriginalServiceModifed(Long l, ServiceReference<?> serviceReference) {
        ServiceRegistration<?> serviceRegistration;
        ServiceRegistrationHolder serviceRegistrationHolder = this.proxyMap.get(l);
        if (serviceRegistrationHolder == null || (serviceRegistration = serviceRegistrationHolder.registration) == null) {
            return;
        }
        Object property = serviceRegistration.getReference().getProperty(SERVICE_GUARD_ROLES_PROPERTY);
        Dictionary<String, ?> proxyProperties = proxyProperties(serviceReference);
        if (property != 0) {
            proxyProperties.put(SERVICE_GUARD_ROLES_PROPERTY, property);
        } else {
            proxyProperties.remove(SERVICE_GUARD_ROLES_PROPERTY);
        }
        serviceRegistration.setProperties(proxyProperties);
    }

    boolean isProxy(ServiceReference<?> serviceReference) {
        return serviceReference.getProperty(PROXY_SERVICE_KEY) != null;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public boolean handleProxificationForHook(ServiceReference<?> serviceReference) {
        if (isProxy(serviceReference)) {
            return false;
        }
        proxyIfNotAlreadyProxied(serviceReference);
        return true;
    }

    void proxyIfNotAlreadyProxied(final ServiceReference<?> serviceReference) {
        final long longValue = ((Long) serviceReference.getProperty("service.id")).longValue();
        final ServiceRegistrationHolder serviceRegistrationHolder = new ServiceRegistrationHolder();
        if (this.proxyMap.putIfAbsent(Long.valueOf(longValue), serviceRegistrationHolder) != null) {
            return;
        }
        LOG.trace("Will create proxy of service {}({})", serviceReference.getProperty("objectClass"), Long.valueOf(longValue));
        try {
            this.createProxyQueue.put(new CreateProxyRunnable() { // from class: org.apache.karaf.service.guard.impl.GuardProxyCatalog.1
                @Override // org.apache.karaf.service.guard.impl.GuardProxyCatalog.CreateProxyRunnable
                public long getOriginalServiceID() {
                    return longValue;
                }

                @Override // org.apache.karaf.service.guard.impl.GuardProxyCatalog.CreateProxyRunnable
                public void run(ProxyManager proxyManager) throws Exception {
                    try {
                        serviceRegistrationHolder.registration = serviceReference.getBundle().getBundleContext().registerService((String[]) serviceReference.getProperty("objectClass"), new ProxyServiceFactory(proxyManager, serviceReference), proxyPropertiesRoles());
                        Dictionary copyProperties = GuardProxyCatalog.copyProperties(serviceRegistrationHolder.registration.getReference());
                        GuardProxyCatalog.LOG.debug("Created proxy of service {} under {} with properties {}", Long.valueOf(longValue), copyProperties.get("objectClass"), copyProperties);
                    } catch (Exception e) {
                        GuardProxyCatalog.LOG.debug("The ServiceReference become invalid: ", (Throwable) e);
                    }
                }

                private Dictionary<String, Object> proxyPropertiesRoles() throws Exception {
                    Dictionary<String, Object> proxyProperties = GuardProxyCatalog.proxyProperties(serviceReference);
                    Set<String> serviceInvocationRoles = GuardProxyCatalog.this.getServiceInvocationRoles(serviceReference);
                    if (serviceInvocationRoles != null) {
                        serviceInvocationRoles.remove("*");
                        proxyProperties.put(GuardProxyCatalog.SERVICE_GUARD_ROLES_PROPERTY, serviceInvocationRoles);
                    } else {
                        proxyProperties.remove(GuardProxyCatalog.SERVICE_GUARD_ROLES_PROPERTY);
                    }
                    return proxyProperties;
                }
            });
        } catch (InterruptedException e) {
            LOG.warn("Problem scheduling a proxy creator for service {}({})", serviceReference.getProperty("objectClass"), Long.valueOf(longValue), e);
            e.printStackTrace();
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static Dictionary<String, Object> proxyProperties(ServiceReference<?> serviceReference) {
        Dictionary<String, Object> copyProperties = copyProperties(serviceReference);
        copyProperties.put(PROXY_SERVICE_KEY, Boolean.TRUE);
        return copyProperties;
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static Dictionary<String, Object> copyProperties(ServiceReference<?> serviceReference) {
        Hashtable hashtable = new Hashtable();
        for (String str : serviceReference.getPropertyKeys()) {
            hashtable.put(str, serviceReference.getProperty(str));
        }
        return hashtable;
    }

    Set<String> getServiceInvocationRoles(ServiceReference<?> serviceReference) throws Exception {
        boolean z = false;
        HashSet hashSet = new HashSet();
        for (Configuration configuration : getServiceGuardConfigs()) {
            Dictionary<String, Object> properties = configuration.getProperties();
            Object obj = properties.get(SERVICE_GUARD_KEY);
            if ((obj instanceof String) && getFilter((String) obj).match(serviceReference)) {
                z = true;
                Enumeration<String> keys = properties.keys();
                while (keys.hasMoreElements()) {
                    String nextElement = keys.nextElement();
                    String str = nextElement;
                    int indexOf = str.indexOf(40);
                    if (indexOf >= 0) {
                        str = str.substring(0, indexOf);
                    }
                    int indexOf2 = str.indexOf(91);
                    if (indexOf2 >= 0) {
                        str = str.substring(0, indexOf2);
                    }
                    int indexOf3 = str.indexOf(42);
                    if (indexOf3 >= 0) {
                        str = str.substring(0, indexOf3);
                    }
                    if (isValidMethodName(str)) {
                        Object obj2 = properties.get(nextElement);
                        if (obj2 instanceof String) {
                            hashSet.addAll(ACLConfigurationParser.parseRoles((String) obj2));
                        }
                    }
                }
            }
        }
        if (z) {
            return hashSet;
        }
        return null;
    }

    private Filter getFilter(String str) throws InvalidSyntaxException {
        Filter filter = this.filters.get(str);
        if (filter == null) {
            filter = this.myBundleContext.createFilter(str);
            this.filters.put(str, filter);
        }
        return filter;
    }

    /* JADX INFO: Access modifiers changed from: private */
    public Configuration[] getServiceGuardConfigs() throws IOException, InvalidSyntaxException {
        ConfigurationAdmin configurationAdmin = null;
        try {
            configurationAdmin = this.configAdminTracker.waitForService(5000L);
        } catch (InterruptedException e) {
        }
        if (configurationAdmin == null) {
            throw new IllegalStateException("Role based access for services requires the OSGi Configuration Admin Service to be present");
        }
        Configuration[] listConfigurations = configurationAdmin.listConfigurations("(&(service.pid=org.apache.karaf.service.acl.*)(service.guard=*))");
        return listConfigurations == null ? new Configuration[0] : listConfigurations;
    }

    private boolean isValidMethodName(String str) {
        return JAVA_METHOD_NAME_PATTERN.matcher(str).matches();
    }

    void stopProxyCreator() {
        this.runProxyCreator = false;
        if (this.proxyCreatorThread != null) {
            this.proxyCreatorThread.interrupt();
        }
    }

    static boolean currentUserHasRole(String str) {
        String name;
        String str2;
        Subject subject;
        if ("*".equals(str)) {
            return true;
        }
        int indexOf = str.indexOf(58);
        if (indexOf > 0) {
            name = str.substring(0, indexOf);
            str2 = str.substring(indexOf + 1);
        } else {
            name = RolePrincipal.class.getName();
            str2 = str;
        }
        AccessControlContext context = AccessController.getContext();
        if (context == null || (subject = Subject.getSubject(context)) == null) {
            return false;
        }
        for (Principal principal : subject.getPrincipals()) {
            if (name.equals(principal.getClass().getName()) && str2.equals(principal.getName())) {
                return true;
            }
        }
        return false;
    }
}
