package org.apache.karaf.management;

import java.io.IOException;
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Method;
import java.security.AccessControlContext;
import java.security.AccessController;
import java.security.Principal;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Enumeration;
import java.util.Iterator;
import java.util.List;
import java.util.regex.Pattern;
import javax.management.Attribute;
import javax.management.AttributeList;
import javax.management.JMException;
import javax.management.MBeanAttributeInfo;
import javax.management.MBeanInfo;
import javax.management.MBeanOperationInfo;
import javax.management.MBeanParameterInfo;
import javax.management.MBeanServer;
import javax.management.ObjectName;
import javax.security.auth.Subject;
import org.apache.karaf.jaas.boot.principal.RolePrincipal;
import org.apache.karaf.management.tools.ACLConfigurationParser;
import org.osgi.framework.InvalidSyntaxException;
import org.osgi.framework.ServicePermission;
import org.osgi.service.cm.Configuration;
import org.osgi.service.cm.ConfigurationAdmin;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/karaf/management/KarafMBeanServerGuard.class */
public class KarafMBeanServerGuard implements InvocationHandler {
    private static final Logger LOG = LoggerFactory.getLogger(KarafMBeanServerGuard.class);
    private static final String JMX_ACL_PID_PREFIX = "jmx.acl";
    private static final String JMX_ACL_WHITELIST = "jmx.acl.whitelist";
    private static final String ROLE_WILDCARD = "*";
    private static final String JMX_OBJECTNAME_PROPERTY_WILDCARD = "_";
    private ConfigurationAdmin configAdmin;

    public ConfigurationAdmin getConfigAdmin() {
        return this.configAdmin;
    }

    public void setConfigAdmin(ConfigurationAdmin configurationAdmin) {
        this.configAdmin = configurationAdmin;
    }

    @Override // java.lang.reflect.InvocationHandler
    public Object invoke(Object obj, Method method, Object[] objArr) throws Throwable {
        if (method.getParameterTypes().length == 0 || !ObjectName.class.isAssignableFrom(method.getParameterTypes()[0])) {
            return null;
        }
        ObjectName objectName = (ObjectName) objArr[0];
        if ("getAttribute".equals(method.getName())) {
            handleGetAttribute((MBeanServer) obj, objectName, (String) objArr[1]);
            return null;
        }
        if ("getAttributes".equals(method.getName())) {
            handleGetAttributes((MBeanServer) obj, objectName, (String[]) objArr[1]);
            return null;
        }
        if ("setAttribute".equals(method.getName())) {
            handleSetAttribute((MBeanServer) obj, objectName, (Attribute) objArr[1]);
            return null;
        }
        if ("setAttributes".equals(method.getName())) {
            handleSetAttributes((MBeanServer) obj, objectName, (AttributeList) objArr[1]);
            return null;
        }
        if (!"invoke".equals(method.getName())) {
            return null;
        }
        handleInvoke(objectName, (String) objArr[1], (Object[]) objArr[2], (String[]) objArr[3]);
        return null;
    }

    public boolean canInvoke(MBeanServer mBeanServer, ObjectName objectName) throws JMException, IOException {
        MBeanInfo mBeanInfo = mBeanServer.getMBeanInfo(objectName);
        for (MBeanOperationInfo mBeanOperationInfo : mBeanInfo.getOperations()) {
            ArrayList arrayList = new ArrayList();
            for (MBeanParameterInfo mBeanParameterInfo : mBeanOperationInfo.getSignature()) {
                arrayList.add(mBeanParameterInfo.getType());
            }
            if (canInvoke(objectName, mBeanOperationInfo.getName(), (String[]) arrayList.toArray(new String[0]))) {
                return true;
            }
        }
        for (MBeanAttributeInfo mBeanAttributeInfo : mBeanInfo.getAttributes()) {
            if (mBeanAttributeInfo.isReadable()) {
                if (canInvoke(objectName, mBeanAttributeInfo.isIs() ? "is" : ServicePermission.GET + mBeanAttributeInfo.getName(), new String[0])) {
                    return true;
                }
            }
            if (mBeanAttributeInfo.isWritable() && canInvoke(objectName, "set" + mBeanAttributeInfo.getName(), new String[]{mBeanAttributeInfo.getType()})) {
                return true;
            }
        }
        return false;
    }

    public boolean canInvoke(MBeanServer mBeanServer, ObjectName objectName, String str) throws JMException, IOException {
        String trim = str.trim();
        MBeanInfo mBeanInfo = mBeanServer.getMBeanInfo(objectName);
        for (MBeanOperationInfo mBeanOperationInfo : mBeanInfo.getOperations()) {
            if (trim.equals(mBeanOperationInfo.getName())) {
                ArrayList arrayList = new ArrayList();
                for (MBeanParameterInfo mBeanParameterInfo : mBeanOperationInfo.getSignature()) {
                    arrayList.add(mBeanParameterInfo.getType());
                }
                if (canInvoke(objectName, mBeanOperationInfo.getName(), (String[]) arrayList.toArray(new String[0]))) {
                    return true;
                }
            }
        }
        for (MBeanAttributeInfo mBeanAttributeInfo : mBeanInfo.getAttributes()) {
            String name = mBeanAttributeInfo.getName();
            if (trim.equals("is" + name) || trim.equals(ServicePermission.GET + name)) {
                return canInvoke(objectName, trim, new String[0]);
            }
            if (trim.equals("set" + name)) {
                return canInvoke(objectName, trim, new String[]{mBeanAttributeInfo.getType()});
            }
        }
        return false;
    }

    public boolean canInvoke(MBeanServer mBeanServer, ObjectName objectName, String str, String[] strArr) throws IOException {
        return canInvoke(objectName, str, strArr);
    }

    private boolean canInvoke(ObjectName objectName, String str, String[] strArr) throws IOException {
        if (canBypassRBAC(objectName, str)) {
            return true;
        }
        Iterator<String> it = getRequiredRoles(objectName, str, strArr).iterator();
        while (it.hasNext()) {
            if (currentUserHasRole(it.next())) {
                return true;
            }
        }
        return false;
    }

    private void handleGetAttribute(MBeanServer mBeanServer, ObjectName objectName, String str) throws JMException, IOException {
        String str2 = null;
        for (MBeanAttributeInfo mBeanAttributeInfo : mBeanServer.getMBeanInfo(objectName).getAttributes()) {
            if (mBeanAttributeInfo.getName().equals(str)) {
                str2 = mBeanAttributeInfo.isIs() ? "is" : ServicePermission.GET;
            }
        }
        if (str2 == null) {
            LOG.debug("Attribute " + str + " can not be found for MBean " + objectName.toString());
        } else {
            handleInvoke(objectName, str2 + str, new Object[0], new String[0]);
        }
    }

    private void handleGetAttributes(MBeanServer mBeanServer, ObjectName objectName, String[] strArr) throws JMException, IOException {
        for (String str : strArr) {
            handleGetAttribute(mBeanServer, objectName, str);
        }
    }

    private void handleSetAttribute(MBeanServer mBeanServer, ObjectName objectName, Attribute attribute) throws JMException, IOException {
        String str = null;
        MBeanAttributeInfo[] attributes = mBeanServer.getMBeanInfo(objectName).getAttributes();
        int length = attributes.length;
        int i = 0;
        while (true) {
            if (i >= length) {
                break;
            }
            MBeanAttributeInfo mBeanAttributeInfo = attributes[i];
            if (mBeanAttributeInfo.getName().equals(attribute.getName())) {
                str = mBeanAttributeInfo.getType();
                break;
            }
            i++;
        }
        if (str == null) {
            throw new IllegalStateException("Attribute data type can not be found");
        }
        handleInvoke(objectName, "set" + attribute.getName(), new Object[]{attribute.getValue()}, new String[]{str});
    }

    private void handleSetAttributes(MBeanServer mBeanServer, ObjectName objectName, AttributeList attributeList) throws JMException, IOException {
        Iterator it = attributeList.asList().iterator();
        while (it.hasNext()) {
            handleSetAttribute(mBeanServer, objectName, (Attribute) it.next());
        }
    }

    private boolean canBypassRBAC(ObjectName objectName, String str) {
        ArrayList<String> arrayList = new ArrayList();
        try {
            Configuration[] listConfigurations = this.configAdmin.listConfigurations("(service.pid=jmx.acl.whitelist)");
            if (listConfigurations != null) {
                for (Configuration configuration : listConfigurations) {
                    Enumeration<String> keys = configuration.getProperties().keys();
                    while (keys.hasMoreElements()) {
                        arrayList.add(keys.nextElement());
                    }
                }
            }
            for (String str2 : iterateDownPids(getNameSegments(objectName))) {
                if (!str2.equals(JMX_ACL_PID_PREFIX)) {
                    for (String str3 : arrayList) {
                        if (str3.split(";").length > 1) {
                            if (str3.equals(str2.substring("jmx.acl.".length()) + ";" + str)) {
                                return true;
                            }
                        } else if (str3.equals(str2.substring("jmx.acl.".length()))) {
                            return true;
                        }
                    }
                }
            }
            return false;
        } catch (IOException e) {
            throw new RuntimeException(e);
        } catch (InvalidSyntaxException e2) {
            throw new RuntimeException(e2);
        }
    }

    void handleInvoke(ObjectName objectName, String str, Object[] objArr, String[] strArr) throws IOException {
        if (canBypassRBAC(objectName, str)) {
            return;
        }
        Iterator<String> it = getRequiredRoles(objectName, str, objArr, strArr).iterator();
        while (it.hasNext()) {
            if (currentUserHasRole(it.next())) {
                return;
            }
        }
        throw new SecurityException("Insufficient roles/credentials for operation");
    }

    List<String> getRequiredRoles(ObjectName objectName, String str, String[] strArr) throws IOException {
        return getRequiredRoles(objectName, str, null, strArr);
    }

    List<String> getRequiredRoles(ObjectName objectName, String str, Object[] objArr, String[] strArr) throws IOException {
        ArrayList arrayList = new ArrayList();
        try {
            for (Configuration configuration : this.configAdmin.listConfigurations("(service.pid=jmx.acl*)")) {
                arrayList.add(configuration.getPid());
            }
            Iterator<String> it = iterateDownPids(getNameSegments(objectName)).iterator();
            while (it.hasNext()) {
                String generalPid = getGeneralPid(arrayList, it.next());
                if (generalPid.length() > 0) {
                    Configuration configuration2 = this.configAdmin.getConfiguration(generalPid);
                    ArrayList arrayList2 = new ArrayList();
                    if (ACLConfigurationParser.getRolesForInvocation(str, objArr, strArr, configuration2.getProperties(), arrayList2) != ACLConfigurationParser.Specificity.NO_MATCH) {
                        return arrayList2;
                    }
                }
            }
            return Collections.emptyList();
        } catch (InvalidSyntaxException e) {
            throw new RuntimeException(e);
        }
    }

    private String getGeneralPid(List<String> list, String str) {
        String[] split = str.split(Pattern.quote("."));
        for (String str2 : list) {
            String[] split2 = str2.split(Pattern.quote("."));
            if (split2.length == split.length) {
                boolean z = true;
                int i = 0;
                while (true) {
                    if (i >= split2.length) {
                        break;
                    }
                    if (!split2[i].equals(JMX_OBJECTNAME_PROPERTY_WILDCARD) && !split2[i].equals(split[i])) {
                        z = false;
                        break;
                    }
                    i++;
                }
                if (z) {
                    return str2;
                }
            }
        }
        return "";
    }

    private List<String> getNameSegments(ObjectName objectName) {
        ArrayList arrayList = new ArrayList();
        arrayList.add(objectName.getDomain());
        for (String str : objectName.getKeyPropertyListString().split("[,]")) {
            int indexOf = str.indexOf(61);
            if (indexOf >= 0) {
                String keyProperty = objectName.getKeyProperty(str.substring(0, indexOf));
                if (str.substring(0, indexOf).equals("type")) {
                    arrayList.add(1, keyProperty);
                } else {
                    arrayList.add(keyProperty);
                }
            }
        }
        return arrayList;
    }

    private List<String> iterateDownPids(List<String> list) {
        ArrayList arrayList = new ArrayList();
        for (int size = list.size(); size > 0; size--) {
            StringBuilder sb = new StringBuilder();
            sb.append(JMX_ACL_PID_PREFIX);
            for (int i = 0; i < size; i++) {
                sb.append('.');
                sb.append(list.get(i));
            }
            arrayList.add(sb.toString());
        }
        arrayList.add(JMX_ACL_PID_PREFIX);
        return arrayList;
    }

    static boolean currentUserHasRole(String str) {
        String name;
        String str2;
        Subject subject;
        if ("*".equals(str)) {
            return true;
        }
        int indexOf = str.indexOf(58);
        if (indexOf > 0) {
            name = str.substring(0, indexOf);
            str2 = str.substring(indexOf + 1);
        } else {
            name = RolePrincipal.class.getName();
            str2 = str;
        }
        AccessControlContext context = AccessController.getContext();
        if (context == null || (subject = Subject.getSubject(context)) == null) {
            return false;
        }
        for (Principal principal : subject.getPrincipals()) {
            if (name.equals(principal.getClass().getName()) && str2.equals(principal.getName())) {
                return true;
            }
        }
        return false;
    }
}
