package org.rhq.enterprise.client.security.test;

import java.io.IOException;
import javax.script.ScriptEngine;
import javax.script.ScriptException;
import org.rhq.enterprise.client.ScriptableAbstractEJB3Test;
import org.rhq.enterprise.server.system.SystemManagerBean;
import org.rhq.enterprise.server.util.LookupUtil;
import org.testng.Assert;
import org.testng.annotations.Test;

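/**
 * Checks that scripts evaluated through the script engine returned by {@code getEngine(...)}
 * cannot reach RHQ server internals (EJBs via JNDI, the {@code SessionManager}, the raw
 * datasource, the entity manager factory) and cannot rewrite JVM system properties.
 *
 * <p><strong>Caveat:</strong> the negative checks are only enforced when the
 * {@code java.security.manager} system property is set. Without it every "shouldn't have been
 * able to" condition is merely printed to stdout and the test passes, so a green run does not
 * demonstrate that the sandbox works unless the suite is started with a security manager.
 *
 * <p>The denial checks match on substrings of the exception message, which ties them to the
 * wording of the underlying access-control exception.
 */
@Test
public class JndiAccessTest extends ScriptableAbstractEJB3Test {

    /**
     * True when the JVM was started with the {@code java.security.manager} property set.
     * NOTE(review): this looks at the property only, not at {@code System.getSecurityManager()},
     * so a manager installed programmatically would not be detected - confirm that is intended.
     */
    private static final boolean SECURITY_MANAGER_IS_ENABLED = System.getProperty("java.security.manager") != null;

    /** Permission name expected to appear in the message of a sandbox denial. */
    private static final String INTERNALS_ACCESS_PERMISSION = "org.rhq.allow.server.internals.access";

    /** System property that {@link #testScriptCantOverrideSystemProperties()} tries to overwrite from a script. */
    private static final String URL_PKGS_PROPERTY = "java.naming.factory.url.pkgs";

    /**
     * Fails the test with {@code str} when the security manager is enabled; otherwise only logs.
     *
     * <p>The decompiler reports this method as originally {@code private}; the visibility shown
     * in the listing is kept so that existing callers keep compiling.
     *
     * @param str failure message
     */
    public static void failIfSecurityManagerEnabled(String str) {
        failIfSecurityManagerEnabled(str, null);
    }

    /**
     * Fails the test with {@code str} and cause {@code th} when the security manager is enabled.
     * When it is disabled the message (and the stack trace of {@code th}, if any) is printed and
     * the test is allowed to pass.
     *
     * @param str failure message
     * @param th  optional cause, may be {@code null}
     */
    private static void failIfSecurityManagerEnabled(String str, Throwable th) {
        if (SECURITY_MANAGER_IS_ENABLED) {
            Assert.fail(str, th);
            return;
        }
        System.out.println("This test would have failed, but the security manager is disabled so it will pass: " + str);
        if (th != null) {
            th.printStackTrace();
        }
    }

    /**
     * A script must not be able to write {@code java.naming.factory.url.pkgs}.
     *
     * <p>A script that succeeds in writing the property is now reported through
     * {@link #failIfSecurityManagerEnabled(String)}, like the other negative tests in this class;
     * previously a successful write passed silently. The property is also put back if the script
     * did change it, so that a run without a security manager does not leave the value
     * {@code counterfeit} in the JVM for later JNDI lookups.
     */
    public void testScriptCantOverrideSystemProperties() throws Exception {
        String valueBeforeTest = System.getProperty(URL_PKGS_PROPERTY);
        try {
            getEngine(LookupUtil.getSubjectManager().getOverlord()).eval("java.lang.System.setProperty('java.naming.factory.url.pkgs', 'counterfeit');");
            failIfSecurityManagerEnabled("The script shouldn't have been able to override a system property.");
        } catch (ScriptException e) {
            String message = e.getMessage();
            Assert.assertTrue(message != null && message.contains("access denied (\"java.util.PropertyPermission\" \"java.naming.factory.url.pkgs\" \"write\")"), "The script shouldn't have write access to the system properties.");
        } finally {
            restoreSystemProperty(URL_PKGS_PROPERTY, valueBeforeTest);
        }
    }

    /** Test code itself (as opposed to a script) can look up the subject manager and obtain the overlord. */
    public void testEjbsAccessibleThroughPrivilegedCode() {
        LookupUtil.getSubjectManager().getOverlord();
    }

    /** A script can call {@code SubjectManager} through the binding the engine exposes to it. */
    public void testEjbsAccessibleThroughLocalClient() throws ScriptException, IOException {
        getEngine(LookupUtil.getSubjectManager().getOverlord()).eval("SubjectManager.getSubjectByName('rhqadmin');");
    }

    /** A script must not reach the local view of the system manager bean through a plain JNDI lookup. */
    public void testLocalEjbsInaccessibleThroughJndiLookup() throws ScriptException, IOException {
        String script = "var ctx = new javax.naming.InitialContext();\nvar systemManager = ctx.lookup('"
            + systemManagerJndiName("Local") + "');\nsystemManager.isDebugModeEnabled();";
        try {
            getEngine(LookupUtil.getSubjectManager().getOverlord()).eval(script);
            failIfSecurityManagerEnabled("The script shouldn't have been able to call local SLSB method.");
        } catch (ScriptException e) {
            checkIsDesiredSecurityException(e);
        }
    }

    /**
     * Same as {@link #testLocalEjbsInaccessibleThroughJndiLookup()}, but the script supplies its
     * own {@code java.naming.factory.url.pkgs} in the environment of the initial context.
     */
    public void testLocalEjbsInaccessibleThroughJndiLookupWithCustomUrlPackages() throws ScriptException, IOException {
        String script = "var env = new java.util.Hashtable();\nenv.put('java.naming.factory.url.pkgs', 'org.jboss.as.naming.interfaces');\nvar ctx = new javax.naming.InitialContext(env);\nvar systemManager = ctx.lookup('"
            + systemManagerJndiName("Local") + "');\nsystemManager.isDebugModeEnabled();";
        try {
            getEngine(LookupUtil.getSubjectManager().getOverlord()).eval(script);
            failIfSecurityManagerEnabled("The script shouldn't have been able to call local SLSB method.");
        } catch (ScriptException e) {
            checkIsDesiredSecurityException(e);
        }
    }

    /** A script must not reach the remote view of the system manager bean through a JNDI lookup. */
    public void testRemoteEjbsInaccessibleThroughJndiLookup() throws ScriptException, IOException {
        String script = "var ctx = new javax.naming.InitialContext();\nvar systemManager = ctx.lookup('"
            + systemManagerJndiName("Remote") + "');\nsystemManager.getSystemSettings(subject);";
        try {
            getEngine(LookupUtil.getSubjectManager().getOverlord()).eval(script);
            failIfSecurityManagerEnabled("The script shouldn't have been able to call remote SLSB method directly.");
        } catch (ScriptException e) {
            checkIsDesiredSecurityException(e);
        }
    }

    /**
     * A script must not be able to call any of the listed methods on the {@code SessionManager}
     * singleton. Each call is evaluated on the same engine and checked independently.
     */
    public void testScriptCantUseSessionManagerMethods() throws Exception {
        ScriptEngine engine = getEngine(LookupUtil.getSubjectManager().getOverlord());
        String sessionManager = "org.rhq.enterprise.server.auth.SessionManager.getInstance().";
        // Same calls, in the same order, as the decompiled local helper class invoked.
        String[] deniedCalls = {
            "getLastAccess(0);",
            "getOverlord()",
            "getSubject(2);",
            "invalidate(0);",
            "invalidate(\"\");",
            "put(new org.rhq.core.domain.auth.Subject());",
            "put(new org.rhq.core.domain.auth.Subject(), 0);"
        };
        for (String call : deniedCalls) {
            try {
                engine.eval(sessionManager + call);
                failIfSecurityManagerEnabled("The script shouldn't have been able to call a method on a SessionManager: " + call);
            } catch (ScriptException e) {
                checkIsDesiredSecurityException(e);
            }
        }
    }

    /** A script must not be able to look up the datasource in JNDI and open a connection from it. */
    public void testScriptCantObtainRawJDBCConnectionsWithoutCredentials() throws Exception {
        try {
            getEngine(LookupUtil.getSubjectManager().getOverlord()).eval("var ctx = new javax.naming.InitialContext();\nvar datasource = ctx.lookup('java:jboss/datasources/RHQDS');\ncon = datasource.getConnection();");
            failIfSecurityManagerEnabled("The script shouldn't have been able to obtain the datasource from the JNDI.");
        } catch (ScriptException e) {
            checkIsDesiredSecurityException(e);
        }
    }

    /**
     * A script must not be able to obtain an entity manager from the JNDI-bound factory, neither
     * with the default initial context nor with an explicitly chosen initial context factory.
     */
    public void testScriptCantUseEntityManager() throws Exception {
        ScriptEngine engine = getEngine(LookupUtil.getSubjectManager().getOverlord());
        // Both attempts share everything after the construction of the initial context.
        String useEntityManager = "var entityManagerFactory = ctx.lookup('java:jboss/RHQEntityManagerFactory');\nvar entityManager = entityManagerFactory.createEntityManager();\nentityManager.find(java.lang.Class.forName('org.rhq.core.domain.resource.Resource'), java.lang.Integer.valueOf('10001'));";
        try {
            engine.eval("var ctx = new javax.naming.InitialContext();\n" + useEntityManager);
            failIfSecurityManagerEnabled("The script shouldn't have been able to use the EntityManager.");
        } catch (ScriptException e) {
            checkIsDesiredSecurityException(e);
        }
        try {
            engine.eval("var env = new java.util.Hashtable();env.put('java.naming.factory.initial', 'org.jboss.as.naming.InitialContextFactory');var ctx = new javax.naming.InitialContext(env);\n" + useEntityManager);
            failIfSecurityManagerEnabled("The script shouldn't have been able to use the EntityManager even using custom initial context factory.");
        } catch (ScriptException e2) {
            checkIsDesiredSecurityException(e2);
        }
    }

    /**
     * {@code ProxyFactory.getResource} may fail inside the script for other reasons, but never
     * because of the server-internals access permission.
     */
    public void testProxyFactoryWorksWithSecuredScriptEngine() throws Exception {
        try {
            getEngine(LookupUtil.getSubjectManager().getOverlord()).eval("var resource = ProxyFactory.getResource(10001);");
        } catch (ScriptException e) {
            checkIsNotASecurityException(e);
        }
    }

    /**
     * Accepts {@code scriptException} only if its message names the server-internals access
     * permission; anything else (including an exception without a message) is reported through
     * {@link #failIfSecurityManagerEnabled(String, Throwable)}.
     *
     * <p>The decompiler reports this method as originally {@code private}; the visibility shown
     * in the listing is kept so that existing callers keep compiling.
     *
     * @param scriptException exception thrown by the script evaluation
     */
    public static void checkIsDesiredSecurityException(ScriptException scriptException) {
        if (mentionsInternalsAccessPermission(scriptException)) {
            return;
        }
        failIfSecurityManagerEnabled("The script exception doesn't seem to be caused by the AllowRhqServerInternalsAccessPermission security exception.", scriptException);
    }

    /**
     * Fails the test if {@code scriptException} names the server-internals access permission.
     * This check is unconditional: it does not depend on the security manager flag.
     *
     * @param scriptException exception thrown by the script evaluation
     */
    private static void checkIsNotASecurityException(ScriptException scriptException) {
        if (mentionsInternalsAccessPermission(scriptException)) {
            Assert.fail("The script exception does seem to be caused by the AllowRhqServerInternalsAccessPermission security exception although it shouldn't. ", scriptException);
        }
    }

    /** Returns whether the exception message contains the permission name; a null message counts as "no". */
    private static boolean mentionsInternalsAccessPermission(ScriptException scriptException) {
        String message = scriptException.getMessage();
        return message != null && message.contains(INTERNALS_ACCESS_PERMISSION);
    }

    /**
     * Builds the {@code java:global} JNDI name of a business view of the system manager bean.
     *
     * @param viewSuffix text substituted for {@code "Bean"} in the bean's class name
     *                   ({@code "Local"} or {@code "Remote"} in this class)
     */
    private static String systemManagerJndiName(String viewSuffix) {
        return "java:global/rhq/rhq-server/" + SystemManagerBean.class.getSimpleName() + "!"
            + SystemManagerBean.class.getName().replace("Bean", viewSuffix);
    }

    /**
     * Puts a system property back to {@code expected} if its current value differs. Nothing is
     * written when the value is unchanged, which is the case whenever the script was denied.
     */
    private static void restoreSystemProperty(String key, String expected) {
        String current = System.getProperty(key);
        boolean unchanged = expected == null ? current == null : expected.equals(current);
        if (unchanged) {
            return;
        }
        if (expected == null) {
            System.clearProperty(key);
        } else {
            System.setProperty(key, expected);
        }
    }
}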
