package org.rhq.enterprise.server.core;

import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Properties;
import javax.annotation.PostConstruct;
import javax.annotation.PreDestroy;
import javax.ejb.ConcurrencyManagement;
import javax.ejb.ConcurrencyManagementType;
import javax.ejb.LocalBean;
import javax.ejb.Singleton;
import javax.ejb.Startup;
import javax.ejb.TransactionAttribute;
import javax.ejb.TransactionAttributeType;
import javax.naming.AuthenticationException;
import javax.naming.NamingException;
import javax.naming.ldap.Control;
import javax.naming.ldap.InitialLdapContext;
import javax.security.auth.login.AppConfigurationEntry;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.jboss.as.controller.client.ModelControllerClient;
import org.rhq.common.jbossas.client.controller.SecurityDomainJBossASClient;
import org.rhq.core.domain.common.composite.SystemSetting;
import org.rhq.core.util.MessageDigestGenerator;
import org.rhq.core.util.obfuscation.Obfuscator;
import org.rhq.enterprise.server.RHQConstants;
import org.rhq.enterprise.server.core.jaas.JDBCLoginModule;
import org.rhq.enterprise.server.core.jaas.JDBCPrincipalCheckLoginModule;
import org.rhq.enterprise.server.core.jaas.LdapLoginModule;
import org.rhq.enterprise.server.core.service.ManagementService;
import org.rhq.enterprise.server.util.JMXUtil;
import org.rhq.enterprise.server.util.LookupUtil;
import org.rhq.enterprise.server.util.security.UntrustedSSLSocketFactory;
import org.richfaces.convert.seamtext.tags.TagFactory;

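/**
 * Startup singleton that installs the RHQ user security domain ({@code RHQUserSecurityDomain})
 * into the application server from the current system configuration.
 * <p>
 * The domain always contains the database-backed login module; when the LDAP-based JAAS
 * provider is enabled in the system settings, a database principal check and an LDAP login
 * module are added as well. The bean is registered as an MBean so the domain can be
 * re-installed at runtime (e.g. after the LDAP settings change).
 * <p>
 * Concurrency is bean-managed and no locking is done here: callers are expected not to
 * run the install/upgrade operations concurrently.
 */
@LocalBean
@ConcurrencyManagement(ConcurrencyManagementType.BEAN)
@Singleton
@TransactionAttribute(TransactionAttributeType.SUPPORTS)
@Startup
/* loaded from: input_file:rhq-server.jar/org/rhq/enterprise/server/core/CustomJaasDeploymentService.class */
public class CustomJaasDeploymentService implements CustomJaasDeploymentServiceMBean {
    private static final Log LOG = LogFactory.getLog(CustomJaasDeploymentService.class.getName());

    /** Security domain whose authentication cache is flushed after the user domain is re-created. */
    private static final String REST_SECURITY_DOMAIN = "RHQRESTSecurityDomain";

    /**
     * Re-creates the RHQ user security domain from the current system configuration.
     *
     * @throws RuntimeException wrapping any failure; the failure is also logged at FATAL level
     */
    @Override
    public void installJaasModules() {
        try {
            LOG.info("Updating RHQ Server's JAAS login modules");
            Properties systemConfiguration = LookupUtil.getSystemManager().getSystemConfiguration(
                LookupUtil.getSubjectManager().getOverlord());
            updateJaasModules(systemConfiguration);
        } catch (Exception e) {
            LOG.fatal("Error deploying JAAS login modules", e);
            throw new RuntimeException(e);
        }
    }

    /**
     * Re-creates the RHQ user security domain only if the LDAP-based JAAS provider is enabled
     * in the system settings but the deployed domain does not yet contain the LDAP login
     * module. Does nothing otherwise.
     *
     * @throws RuntimeException wrapping any failure; the failure is also logged at FATAL level
     */
    @Override
    public void upgradeRhqUserSecurityDomainIfNeeded() {
        try {
            Properties systemConfiguration = LookupUtil.getSystemManager().getSystemConfiguration(
                LookupUtil.getSubjectManager().getOverlord());
            if (!isLdapProviderEnabled(systemConfiguration)) {
                return;
            }

            // The management client is closed here as well; previously it was leaked on this path.
            boolean ldapModuleDeployed;
            ModelControllerClient client = ManagementService.getClient();
            try {
                ldapModuleDeployed = new SecurityDomainJBossASClient(client).securityDomainHasLoginModule(
                    CustomJaasDeploymentServiceMBean.RHQ_USER_SECURITY_DOMAIN, LdapLoginModule.class.getName());
            } finally {
                safeClose(client);
            }

            if (!ldapModuleDeployed) {
                LOG.info("Updating RHQ Server's JAAS login modules with LDAP support");
                updateJaasModules(systemConfiguration);
            }
        } catch (Exception e) {
            LOG.fatal("Error deploying JAAS login modules", e);
            throw new RuntimeException(e);
        }
    }

    /** Registers this bean as an MBean under {@code OBJECT_NAME} once the container has built it. */
    @PostConstruct
    private void init() {
        JMXUtil.registerMBean(this, OBJECT_NAME);
    }

    /** Removes the MBean registration; failures are ignored by the utility. */
    @PreDestroy
    private void destroy() {
        JMXUtil.unregisterMBeanQuietly(OBJECT_NAME);
    }

    /**
     * Replaces the RHQ user security domain with one built from {@code properties} and flushes
     * the REST security domain cache so cached authentications pick up the new modules.
     *
     * @param properties the server's system configuration
     * @throws Exception if the domain cannot be (re)created; the cause is the underlying failure
     */
    private void updateJaasModules(Properties properties) throws Exception {
        ModelControllerClient client = null;
        try {
            client = ManagementService.getClient();
            SecurityDomainJBossASClient domainClient = new SecurityDomainJBossASClient(client);
            if (domainClient.isSecurityDomain(CustomJaasDeploymentServiceMBean.RHQ_USER_SECURITY_DOMAIN)) {
                LOG.info("Security domain [RHQUserSecurityDomain] already exists, it will be replaced.");
            }

            List<SecurityDomainJBossASClient.LoginModuleRequest> modules = buildLoginModuleRequests(properties);
            domainClient.createNewSecurityDomain(CustomJaasDeploymentServiceMBean.RHQ_USER_SECURITY_DOMAIN,
                modules.toArray(new SecurityDomainJBossASClient.LoginModuleRequest[modules.size()]));
            domainClient.flushSecurityDomainCache(REST_SECURITY_DOMAIN);
            // NOTE(review): this relies on LoginModuleRequest.toString() not printing option values;
            // the LDAP options carry the (obfuscated) bind password. Confirm before keeping it at INFO.
            LOG.info("Security domain [RHQUserSecurityDomain] re-created with login modules " + modules);
        } catch (Exception e) {
            throw new Exception("Error registering RHQ JAAS modules", e);
        } finally {
            safeClose(client);
        }
    }

    /**
     * Builds the ordered list of login modules for the user security domain: the JDBC module
     * (SUFFICIENT), followed — when the LDAP provider is enabled — by the JDBC principal check
     * and the LDAP module (both REQUISITE).
     *
     * @param properties the server's system configuration
     * @return the login module requests in the order they must be installed
     * @throws Exception if the LDAP options cannot be assembled
     */
    private List<SecurityDomainJBossASClient.LoginModuleRequest> buildLoginModuleRequests(Properties properties)
        throws Exception {
        List<SecurityDomainJBossASClient.LoginModuleRequest> modules =
            new ArrayList<SecurityDomainJBossASClient.LoginModuleRequest>(3);
        modules.add(new SecurityDomainJBossASClient.LoginModuleRequest(JDBCLoginModule.class.getName(),
            AppConfigurationEntry.LoginModuleControlFlag.SUFFICIENT, getJdbcOptions(properties)));

        if (isLdapProviderEnabled(properties)) {
            modules.add(new SecurityDomainJBossASClient.LoginModuleRequest(JDBCPrincipalCheckLoginModule.class.getName(),
                AppConfigurationEntry.LoginModuleControlFlag.REQUISITE, getJdbcOptions(properties)));

            Map<String, String> ldapOptions = getLdapOptions(properties);
            try {
                validateLdapOptions(ldapOptions);
            } catch (NamingException e) {
                // Best-effort check: a misconfigured LDAP server must not prevent the domain from
                // being installed (the JDBC module still works), so the problem is only reported.
                String message = (e instanceof AuthenticationException)
                    ? "The LDAP integration cannot function because the LDAP Bind credentials for RHQ integration are incorrect. Contact the Administrator:" + e
                    : "Problems encountered when communicating with LDAP server. Contact the Administrator:" + e;
                LOG.error(message, e);
            }
            modules.add(new SecurityDomainJBossASClient.LoginModuleRequest(LdapLoginModule.class.getName(),
                AppConfigurationEntry.LoginModuleControlFlag.REQUISITE, ldapOptions));
        }
        return modules;
    }

    /**
     * @param properties the server's system configuration
     * @return whether the LDAP-based JAAS provider is selected in the system settings
     */
    private static boolean isLdapProviderEnabled(Properties properties) {
        String provider = properties.getProperty(SystemSetting.LDAP_BASED_JAAS_PROVIDER.getInternalName());
        // equals(null) is false, so an unset property means "not enabled".
        return RHQConstants.LDAPJAASProvider.equals(provider);
    }

    /**
     * Closes the management client if one was obtained. Best-effort: a failure to close must
     * not mask the outcome of the security-domain update, so it is only logged at DEBUG level.
     *
     * @param client the client to close, may be {@code null}
     */
    private static void safeClose(ModelControllerClient client) {
        if (client == null) {
            return;
        }
        try {
            client.close();
        } catch (Exception ignored) {
            LOG.debug("Failed to close management client", ignored);
        }
    }

    /**
     * Options for the JDBC login modules. The parameter is currently unused but kept so the
     * JDBC and LDAP option builders share a signature.
     *
     * @param properties the server's system configuration
     * @return the hash algorithm/encoding the JDBC modules apply to submitted passwords
     */
    private Map<String, String> getJdbcOptions(Properties properties) {
        Map<String, String> options = new HashMap<String, String>();
        // NOTE(review): MD5 is a weak password hash. It is kept here because the stored user
        // password hashes were presumably produced with it; changing the algorithm requires
        // re-hashing every existing password, not just editing this option.
        options.put(SecurityDomainJBossASClient.HASH_ALGORITHM, MessageDigestGenerator.MD5);
        options.put(SecurityDomainJBossASClient.HASH_ENCODING, "base64");
        return options;
    }

    /**
     * Assembles the LDAP login module options from the system configuration.
     * <p>
     * {@code java.naming.security.protocol} is present with a {@code null} value when SSL is not
     * enabled (HashMap permits null values; {@link #validateLdapOptions(Map)} only tests for
     * {@code "ssl"}). The bind password is stored obfuscated, never in clear text.
     *
     * @param properties the server's system configuration
     * @return the LDAP options keyed as the LDAP login module expects them
     * @throws Exception if the bind password cannot be obfuscated
     */
    private Map<String, String> getLdapOptions(Properties properties) throws Exception {
        Map<String, String> options = new HashMap<String, String>();
        options.put("java.naming.factory.initial", properties.getProperty(RHQConstants.LDAPFactory));
        options.put("java.naming.provider.url", properties.getProperty(RHQConstants.LDAPUrl));
        boolean useSsl = "ssl".equalsIgnoreCase(properties.getProperty(SystemSetting.USE_SSL_FOR_LDAP.getInternalName()));
        options.put("java.naming.security.protocol", useSsl ? "ssl" : null);
        options.put("LoginProperty", properties.getProperty(RHQConstants.LDAPLoginProperty));
        options.put("Filter", properties.getProperty(RHQConstants.LDAPFilter));
        options.put("GroupFilter", properties.getProperty(RHQConstants.LDAPGroupFilter));
        options.put("GroupMemberFilter", properties.getProperty(RHQConstants.LDAPGroupMember));
        options.put("BaseDN", properties.getProperty(RHQConstants.LDAPBaseDN));
        options.put("BindDN", properties.getProperty(RHQConstants.LDAPBindDN));
        options.put("BindPW", Obfuscator.encode(properties.getProperty(RHQConstants.LDAPBindPW)));
        return options;
    }

    /**
     * Checks that the LDAP options are complete enough to open a connection, then opens (and
     * immediately closes) an LDAP context with them, binding with the configured credentials
     * when both a bind DN and a non-empty password are present.
     *
     * @param ldapOptions the options produced by {@link #getLdapOptions(Properties)}
     * @throws NamingException if a mandatory option is missing, the server cannot be contacted,
     *         or the bind is rejected ({@link AuthenticationException})
     */
    private void validateLdapOptions(Map<String, String> ldapOptions) throws NamingException {
        String initialContextFactory = ldapOptions.get("java.naming.factory.initial");
        if (initialContextFactory == null) {
            throw new NamingException("No initial context factory");
        }
        String providerUrl = ldapOptions.get("java.naming.provider.url");
        if (providerUrl == null) {
            throw new NamingException("Naming provider url not set");
        }

        Properties env = new Properties();
        env.setProperty("java.naming.factory.initial", initialContextFactory);
        env.setProperty("java.naming.provider.url", providerUrl);
        if ("ssl".equals(ldapOptions.get("java.naming.security.protocol"))) {
            // NOTE(review): the validation connection uses a socket factory that does not verify
            // the server certificate, so a passing check does not prove the URL reaches the
            // intended server. Confirm this matches what the LDAP login module uses at login time.
            env.put("java.naming.ldap.factory.socket", UntrustedSSLSocketFactory.class.getName());
            env.put("java.naming.security.protocol", "ssl");
        }

        String bindDn = ldapOptions.get("BindDN");
        String bindPassword = ldapOptions.get("BindPW");
        try {
            // getLdapOptions() stores the password obfuscated; undo that for the bind.
            bindPassword = Obfuscator.decode(bindPassword);
        } catch (Exception e) {
            // The value itself is a credential and is deliberately not written to the log.
            LOG.debug("Failed to decode bindPW, binding using undecoded value", e);
        }
        if (bindDn != null && !bindDn.isEmpty() && bindPassword != null && !bindPassword.isEmpty()) {
            env.setProperty("java.naming.security.principal", bindDn);
            env.setProperty("java.naming.security.credentials", bindPassword);
            env.setProperty("java.naming.security.authentication", "simple");
        }

        LOG.debug("Validating LDAP properties. Initializing context...");
        // Constructing the context performs the connection (and the bind, when credentials
        // are set); any failure surfaces to the caller as a NamingException.
        new InitialLdapContext(env, (Control[]) null).close();
    }
}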
