package org.apache.qpid.server.security.access.management;

import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.security.AccessController;
import java.security.Principal;
import java.util.Enumeration;
import java.util.List;
import java.util.Properties;
import java.util.Set;
import java.util.concurrent.locks.ReentrantLock;
import javax.management.JMException;
import javax.management.openmbean.CompositeDataSupport;
import javax.management.openmbean.CompositeType;
import javax.management.openmbean.OpenDataException;
import javax.management.openmbean.OpenType;
import javax.management.openmbean.SimpleType;
import javax.management.openmbean.TabularData;
import javax.management.openmbean.TabularDataSupport;
import javax.management.openmbean.TabularType;
import javax.management.remote.JMXPrincipal;
import javax.security.auth.Subject;
import javax.security.auth.login.AccountNotFoundException;
import org.apache.commons.configuration.ConfigurationException;
import org.apache.log4j.Logger;
import org.apache.qpid.server.management.AMQManagedObject;
import org.apache.qpid.server.management.MBeanDescription;
import org.apache.qpid.server.management.MBeanInvocationHandlerImpl;
import org.apache.qpid.server.management.MBeanOperation;
import org.apache.qpid.server.security.auth.database.PrincipalDatabase;
import org.apache.qpid.server.security.auth.sasl.UsernamePrincipal;

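/**
 * JMX management bean for broker user administration.
 * <p>
 * Two stores are maintained: the {@link PrincipalDatabase}, which holds the
 * authentication data (usernames and passwords), and a properties file that maps a
 * username to one of the management-console role strings
 * {@code MBeanInvocationHandlerImpl.READONLY}, {@code READWRITE} or {@code ADMIN}.
 * A user with no entry in the rights file has no management-console rights. Every
 * change to the rights table is written straight back to the file so that it survives
 * a broker restart; if the write fails the in-memory change is reverted and the
 * operation reports failure, so the table on disk and the table in memory never
 * silently diverge.
 * <p>
 * Security note: none of the operations in this class check who is calling them.
 * The rights table is handed to {@link MBeanInvocationHandlerImpl#setAccessRights}
 * (see {@link #setAccessRights(Properties)}), and presumably that handler is where
 * access to these operations is enforced -- confirm this before exposing the MBean
 * on a connector reachable by non-admin users.
 * <p>
 * Thread-safety: {@code _accessRightsUpdate} serialises every mutation of the rights
 * table and every load/save of the file (it is reentrant, and
 * {@link #saveAccessFile()} is called while it is already held). Readers such as
 * {@link #viewUsers()} do not take the lock; a reload swaps the table reference
 * wholesale rather than mutating it in place.
 */
@MBeanDescription("User Management Interface")
public class AMQUserManagementMBean extends AMQManagedObject implements UserManagement {
    /** Authentication store; must be injected via {@link #setPrincipalDatabase} before use. */
    private PrincipalDatabase _principalDatabase;
    /** username -> role string. Empty until {@link #setAccessFile} has loaded the file. */
    private Properties _accessRights;
    /** The rights file on disk, or {@code null} when none has been configured. */
    private File _accessFile;
    /** Guards {@code _accessRights} and all I/O on {@code _accessFile}. */
    private final ReentrantLock _accessRightsUpdate;
    static TabularType _userlistDataType;
    static CompositeType _userDataType;
    private static final Logger _logger = Logger.getLogger(AMQUserManagementMBean.class);
    /** Column names of the {@link #viewUsers()} table; index 0 is the key column. */
    static String[] _userItemNames = {"Username", "read", "write", MBeanInvocationHandlerImpl.ADMIN};

    /**
     * Registers the MBean under {@link UserManagement#TYPE}.
     *
     * @throws JMException if the superclass cannot register the managed object
     */
    public AMQUserManagementMBean() throws JMException {
        super(UserManagement.class, UserManagement.TYPE, 2);
        this._accessRightsUpdate = new ReentrantLock();
        // Start with an empty table rather than null so that viewUsers()/setRights() do not
        // throw NullPointerException before setAccessFile() has been called. An attempt to
        // persist rights with no file configured fails cleanly in saveAccessFile() instead.
        this._accessRights = new Properties();
    }

    @Override // org.apache.qpid.server.management.ManagedObject
    public String getObjectInstanceName() {
        return UserManagement.TYPE;
    }

    /**
     * Replaces the password of an existing user.
     *
     * @param str  username
     * @param cArr new password
     * @return {@code true} if the principal database accepted the update; {@code false}
     *         if the user does not exist or the database rejected the change
     */
    @Override // org.apache.qpid.server.security.access.management.UserManagement
    public boolean setPassword(String str, char[] cArr) {
        try {
            return this._principalDatabase.updatePassword(new UsernamePrincipal(str), cArr);
        } catch (AccountNotFoundException e) {
            _logger.warn("Attempt to set password of non-existant user'" + str + "'");
            return false;
        }
    }

    /**
     * Sets the management-console rights of a user and persists the rights file.
     * <p>
     * {@code z3} (admin) wins over the other two flags; otherwise {@code z2} (write)
     * wins over {@code z} (read). All three {@code false} removes the user's entry.
     * The user must either already have a rights entry or exist in the principal
     * database. If the file cannot be written the in-memory entry is restored to its
     * previous value and {@code false} is returned.
     *
     * @param str username
     * @param z   grant read access
     * @param z2  grant read/write access
     * @param z3  grant admin access
     * @return {@code true} if the rights were changed and saved
     */
    @Override // org.apache.qpid.server.security.access.management.UserManagement
    public boolean setRights(String str, boolean z, boolean z2, boolean z3) {
        this._accessRightsUpdate.lock();
        try {
            // Remember the previous entry (may be null) so a failed save can be rolled back.
            Object previous = this._accessRights.get(str);
            if (previous == null && this._principalDatabase.getUser(str) == null) {
                return false;
            }
            if (z3) {
                this._accessRights.put(str, MBeanInvocationHandlerImpl.ADMIN);
            } else if (z2) {
                this._accessRights.put(str, MBeanInvocationHandlerImpl.READWRITE);
            } else if (z) {
                this._accessRights.put(str, MBeanInvocationHandlerImpl.READONLY);
            } else {
                this._accessRights.remove(str);
            }
            try {
                saveAccessFile();
                return true;
            } catch (IOException e) {
                _logger.warn("Problem occured saving '" + this._accessFile + "', the access right changes will not be preserved: " + e);
                _logger.warn("Reverting attempted rights update for user'" + str + "'");
                if (previous != null) {
                    this._accessRights.put(str, previous);
                } else {
                    this._accessRights.remove(str);
                }
                return false;
            }
        } finally {
            this._accessRightsUpdate.unlock();
        }
    }

    /**
     * Creates a user in the principal database and assigns its console rights.
     * If the rights cannot be set (or saved) the freshly created principal is
     * deleted again so that no user is left without the rights the caller asked for.
     *
     * @param str  username
     * @param cArr password
     * @param z    grant read access
     * @param z2   grant read/write access
     * @param z3   grant admin access
     * @return {@code true} if both the principal and its rights were created
     */
    @Override // org.apache.qpid.server.security.access.management.UserManagement
    public boolean createUser(String str, char[] cArr, boolean z, boolean z2, boolean z3) {
        UsernamePrincipal principal = new UsernamePrincipal(str);
        if (!this._principalDatabase.createPrincipal(principal, cArr)) {
            return false;
        }
        if (setRights(str, z, z2, z3)) {
            return true;
        }
        // Roll back the principal so a half-created user cannot log in with default rights.
        try {
            this._principalDatabase.deletePrincipal(principal);
        } catch (AccountNotFoundException e) {
            _logger.warn("Unable to roll back creation of user '" + str + "': " + e);
        }
        return false;
    }

    /**
     * Deletes a user from the principal database and removes its console rights.
     *
     * @param str username
     * @return {@code true} if the principal was deleted and the rights file saved;
     *         {@code false} if the user does not exist, the database declined the
     *         deletion, or the rights file could not be written (in that last case
     *         the principal is already gone and only the rights entry is left on disk)
     */
    @Override // org.apache.qpid.server.security.access.management.UserManagement
    public boolean deleteUser(String str) {
        try {
            if (!this._principalDatabase.deletePrincipal(new UsernamePrincipal(str))) {
                // Previously this path fell through and reported success; the principal
                // database returning false means nothing was deleted.
                _logger.warn("Principal database declined to delete user '" + str + "'");
                return false;
            }
        } catch (AccountNotFoundException e2) {
            _logger.warn("Attempt to delete user (" + str + ") that doesn't exist");
            return false;
        }
        this._accessRightsUpdate.lock();
        try {
            this._accessRights.remove(str);
            try {
                saveAccessFile();
            } catch (IOException e) {
                _logger.warn("Problem occured saving '" + this._accessFile + "', the access right changes will not be preserved: " + e);
                return false;
            }
        } finally {
            this._accessRightsUpdate.unlock();
        }
        return true;
    }

    /**
     * Re-reads the rights file and asks the principal database to reload itself.
     *
     * @return {@code true} on success; {@code false} if either reload failed
     */
    @Override // org.apache.qpid.server.security.access.management.UserManagement
    public boolean reloadData() {
        try {
            loadAccessFile();
            this._principalDatabase.reload();
            return true;
        } catch (ConfigurationException e) {
            _logger.warn("Reload failed due to:" + e, e);
            return false;
        } catch (IOException e2) {
            _logger.warn("Reload failed due to:" + e2, e2);
            return false;
        }
    }

    /**
     * Lists every principal in the database with its console rights.
     * "read" is true for READONLY and READWRITE, "write" only for READWRITE and
     * "admin" only for ADMIN -- an ADMIN entry therefore shows read=false here.
     *
     * @return the table, or {@code null} if the open types failed to initialise or
     *         a row could not be built
     */
    @Override // org.apache.qpid.server.security.access.management.UserManagement
    @MBeanOperation(name = "viewUsers", description = "All users with access rights to the system.")
    public TabularData viewUsers() {
        if (_userlistDataType == null) {
            _logger.warn("TabluarData not setup correctly");
            return null;
        }
        List<Principal> users = this._principalDatabase.getUsers();
        TabularDataSupport table = new TabularDataSupport(_userlistDataType);
        try {
            for (Principal principal : users) {
                String role = (String) this._accessRights.get(principal.getName());
                boolean read = false;
                boolean write = false;
                boolean admin = false;
                if (role != null) {
                    read = role.equals(MBeanInvocationHandlerImpl.READONLY) || role.equals(MBeanInvocationHandlerImpl.READWRITE);
                    write = role.equals(MBeanInvocationHandlerImpl.READWRITE);
                    admin = role.equals(MBeanInvocationHandlerImpl.ADMIN);
                }
                Object[] row = {principal.getName(), Boolean.valueOf(read), Boolean.valueOf(write), Boolean.valueOf(admin)};
                table.put(new CompositeDataSupport(_userDataType, _userItemNames, row));
            }
            return table;
        } catch (OpenDataException e) {
            _logger.warn("Unable to create user list due to :" + e);
            return null;
        }
    }

    /** Injects the authentication store used by every operation of this MBean. */
    public void setPrincipalDatabase(PrincipalDatabase principalDatabase) {
        this._principalDatabase = principalDatabase;
    }

    /**
     * Configures and loads the rights file.
     *
     * @param str path of the properties file; {@code null} leaves the current rights untouched
     * @throws ConfigurationException if the file does not exist or cannot be read
     * @throws IOException if reading the file fails
     */
    public void setAccessFile(String str) throws IOException, ConfigurationException {
        if (str == null) {
            _logger.warn("Access rights file specified is null. Access rights not changed.");
            return;
        }
        this._accessFile = new File(str);
        if (!this._accessFile.exists()) {
            throw new ConfigurationException("'" + this._accessFile + "' does not exist");
        }
        if (!this._accessFile.canRead()) {
            throw new ConfigurationException("Cannot read '" + this._accessFile + "'.");
        }
        if (!this._accessFile.canWrite()) {
            // Not fatal: updates will still apply in memory but saveAccessFile() will fail.
            _logger.warn("Unable to write to access rights file '" + this._accessFile + "', changes will not be preserved.");
        }
        loadAccessFile();
    }

    /**
     * Reads the rights file into a fresh {@link Properties} and installs it.
     * Does nothing (after logging an error) when no file is configured or it is missing.
     *
     * @throws IOException if the file cannot be read
     * @throws ConfigurationException declared for callers; not thrown by this method itself
     */
    private void loadAccessFile() throws IOException, ConfigurationException {
        if (this._accessFile == null) {
            _logger.error("No jmx access rights file has been specified.");
            return;
        }
        if (!this._accessFile.exists()) {
            _logger.error("Specified jmxaccess rights file '" + this._accessFile + "' does not exist.");
            return;
        }
        this._accessRightsUpdate.lock();
        try {
            Properties loaded = new Properties();
            FileInputStream in = new FileInputStream(this._accessFile);
            try {
                loaded.load(in);
            } finally {
                // The original never closed this stream (file-handle leak on every reload).
                in.close();
            }
            checkAccessRights(loaded);
            setAccessRights(loaded);
        } finally {
            this._accessRightsUpdate.unlock();
        }
    }

    /**
     * Warns about every rights entry whose user has no authentication data; such
     * entries are kept, they are simply unusable until a matching principal exists.
     */
    private void checkAccessRights(Properties properties) {
        Enumeration<?> names = properties.propertyNames();
        while (names.hasMoreElements()) {
            String username = (String) names.nextElement();
            if (this._principalDatabase.getUser(username) == null) {
                _logger.warn("Access rights contains user '" + username + "' but there is no authentication data for that user");
            }
        }
    }

    /**
     * Writes the in-memory rights table to disk via a temporary file that is then
     * renamed over {@code _accessFile}.
     * <p>
     * The temporary file is created in the rights file's own directory, not in
     * {@code java.io.tmpdir}: a rename across filesystems fails, and the system temp
     * directory is shared with other local users. The result of the rename is checked
     * and reported as an {@link IOException}; previously it was ignored, so a change
     * could be reported as saved while the file on disk was left untouched.
     *
     * @throws IOException if no file is configured, the file cannot be written, or the
     *         rename does not succeed
     */
    private void saveAccessFile() throws IOException {
        if (this._accessFile == null) {
            throw new IOException("No jmx access rights file has been specified; access rights cannot be saved");
        }
        this._accessRightsUpdate.lock();
        try {
            File dir = this._accessFile.getAbsoluteFile().getParentFile();
            File tmp = File.createTempFile(this._accessFile.getName(), ".tmp", dir);
            boolean replaced = false;
            try {
                FileOutputStream out = new FileOutputStream(tmp);
                try {
                    this._accessRights.store(out, "Generated by AMQUserManagementMBean Console : Last edited by user:" + getCurrentJMXUser());
                } finally {
                    out.close();
                }
                replaced = tmp.renameTo(this._accessFile);
                if (!replaced && this._accessFile.exists()) {
                    // Some platforms refuse to rename over an existing file; fall back to
                    // delete-then-rename. There is a brief window with no rights file here.
                    replaced = this._accessFile.delete() && tmp.renameTo(this._accessFile);
                }
                if (!replaced) {
                    throw new IOException("Unable to replace '" + this._accessFile + "' with the updated access rights");
                }
            } finally {
                if (!replaced) {
                    tmp.delete();
                }
            }
        } finally {
            this._accessRightsUpdate.unlock();
        }
    }

    /**
     * Name of the JMX principal on the current access-control context, used only for
     * the audit comment written into the rights file.
     *
     * @return the first {@link JMXPrincipal} name, or a descriptive placeholder when
     *         no subject or no principal is available
     */
    private String getCurrentJMXUser() {
        Subject subject = Subject.getSubject(AccessController.getContext());
        if (subject == null) {
            return "Unknown user, authentication Subject was null";
        }
        Set<JMXPrincipal> principals = subject.getPrincipals(JMXPrincipal.class);
        if (principals == null || principals.isEmpty()) {
            return "Unknown user principals were null";
        }
        return principals.iterator().next().getName();
    }

    /**
     * Installs a new rights table and publishes it to the invocation handler.
     * Callers hold {@code _accessRightsUpdate}.
     */
    private void setAccessRights(Properties properties) {
        _logger.debug("Setting Access Rights:" + properties);
        this._accessRights = properties;
        MBeanInvocationHandlerImpl.setAccessRights(this._accessRights);
    }

    static {
        // Open types for viewUsers(); on failure the table type is nulled and viewUsers()
        // returns null rather than throwing.
        String[] descriptions = {"Broker Login username", "Management Console Read Permission", "Management Console Write Permission", "Management Console Admin Permission"};
        OpenType[] types = {SimpleType.STRING, SimpleType.BOOLEAN, SimpleType.BOOLEAN, SimpleType.BOOLEAN};
        String[] indexNames = {_userItemNames[0]};
        try {
            _userDataType = new CompositeType("User", "User Data", _userItemNames, descriptions, types);
            _userlistDataType = new TabularType("Users", "List of users", _userDataType, indexNames);
        } catch (OpenDataException e) {
            _logger.error("Tabular data setup for viewing users incorrect.");
            _userlistDataType = null;
        }
    }
}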
