package io.hawt.web;

import java.io.IOException;
import java.lang.management.ManagementFactory;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import javax.management.InstanceNotFoundException;
import javax.management.MBeanAttributeInfo;
import javax.management.MBeanException;
import javax.management.MBeanServer;
import javax.management.MalformedObjectNameException;
import javax.management.ObjectName;
import javax.management.QueryExp;
import org.eclipse.jgit.lib.RefDatabase;
import org.jolokia.config.ConfigKey;
import org.jolokia.config.Configuration;
import org.jolokia.restrictor.AllowAllRestrictor;
import org.jolokia.restrictor.DenyAllRestrictor;
import org.jolokia.restrictor.Restrictor;
import org.jolokia.restrictor.RestrictorFactory;
import org.jolokia.util.HttpMethod;
import org.jolokia.util.NetworkUtil;
import org.jolokia.util.RequestType;
import org.osgi.framework.ServicePermission;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/hawtio-system-1.4.0.redhat-630254.jar:io/hawt/web/RBACRestrictor.class */
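/**
 * Jolokia {@link Restrictor} that layers two checks on every MBean operation and attribute access.
 *
 * <ol>
 *   <li>A delegate restrictor built from the configured policy location.</li>
 *   <li>A {@code canInvoke} call on a JMXSecurity MBean ({@code *:type=security,area=jmx,*})
 *       registered on the platform MBean server.</li>
 * </ol>
 *
 * <p>Security-relevant defaults, as implemented below:
 * <ul>
 *   <li>No policy found at the configured location: the delegate is an {@link AllowAllRestrictor}.</li>
 *   <li>I/O error while loading the policy: the delegate is a {@link DenyAllRestrictor}.</li>
 *   <li>No usable JMXSecurity MBean discovered at construction time: the role-based check is skipped
 *       and only the delegate decides. With no policy file either, every MBean access is allowed.</li>
 *   <li>Any exception raised while asking the JMXSecurity MBean: the access is denied.</li>
 * </ul>
 *
 * <p>HTTP method, request type, remote address and origin checks are answered by the delegate alone.
 * The security MBean is looked up once, in the constructor; it is not re-discovered later.
 */
public class RBACRestrictor implements Restrictor {
    private static final Logger LOG = LoggerFactory.getLogger(RBACRestrictor.class);

    /** Policy-based restrictor consulted before the role-based check. */
    protected Restrictor delegate;
    /** Platform MBean server used for discovery and for the {@code canInvoke} calls. */
    protected MBeanServer mBeanServer;
    /** JMXSecurity MBean used for role-based checks; {@code null} means the role-based check is disabled. */
    protected ObjectName securityMBean;

    /**
     * Creates the restrictor from the Jolokia configuration.
     *
     * @param configuration Jolokia configuration; its policy location is expanded and used for the delegate
     */
    public RBACRestrictor(Configuration configuration) {
        this(NetworkUtil.replaceExpression(configuration.get(ConfigKey.POLICY_LOCATION)));
    }

    /**
     * Creates the restrictor from an explicit policy location.
     *
     * @param str location of the policy consulted by the delegate restrictor
     */
    public RBACRestrictor(String str) {
        initDelegate(str);
        initSecurityMBean();
    }

    /**
     * Builds the delegate restrictor.
     *
     * <p>A missing policy results in allow-all; a policy that cannot be read results in deny-all.
     *
     * @param str location of the policy
     */
    protected void initDelegate(String str) {
        try {
            this.delegate = RestrictorFactory.lookupPolicyRestrictor(str);
            if (this.delegate != null) {
                LOG.debug("Delegate - Using policy access restrictor {}", str);
            } else {
                // Fail-open: without a policy the delegate places no restriction on MBean access.
                LOG.debug("Delegate - No policy access restrictor found, access to any MBean is allowed");
                this.delegate = new AllowAllRestrictor();
            }
        } catch (IOException e) {
            // Fail-closed: an unreadable policy must not silently widen access.
            LOG.error("Delegate - Error while accessing access policy restrictor at " + str + ". Denying all access to MBeans for security reasons. Exception: " + e, e);
            this.delegate = new DenyAllRestrictor();
        }
    }

    /**
     * Discovers the JMXSecurity MBean on the platform MBean server.
     *
     * <p>With exactly one match that MBean is used. With several matches the first one (in the
     * iteration order of the returned set) whose name contains neither {@code HawtioDummy} nor
     * {@code rank=} is used. If nothing is selected, {@link #securityMBean} stays {@code null} and
     * role-based access control is disabled.
     */
    protected void initSecurityMBean() {
        this.mBeanServer = ManagementFactory.getPlatformMBeanServer();
        Set<ObjectName> candidates = new HashSet<>();
        try {
            candidates = this.mBeanServer.queryNames(new ObjectName("*:type=security,area=jmx,*"), (QueryExp) null);
            if (LOG.isDebugEnabled()) {
                LOG.debug("Found JMXSecurity MBeans: {}", candidates);
            }
        } catch (MalformedObjectNameException e) {
            LOG.error(e.getMessage(), e);
        }
        if (candidates.isEmpty()) {
            LOG.info("Didn't discover any JMXSecurity MBeans, role based access control is disabled");
            this.securityMBean = null;
            return;
        }
        ObjectName chosen = null;
        if (candidates.size() == 1) {
            chosen = candidates.iterator().next();
        } else {
            for (ObjectName candidate : candidates) {
                String name = candidate.toString();
                // NOTE(review): presumably these are placeholder or ranked duplicate registrations - confirm.
                if (!name.contains("HawtioDummy") && !name.contains("rank=")) {
                    chosen = candidate;
                    break;
                }
            }
        }
        if (chosen == null) {
            // Every candidate was filtered out: say so explicitly instead of reporting "Using MBean [null]",
            // because from here on canInvoke() allows whatever the delegate allows.
            LOG.warn("None of the discovered JMXSecurity MBeans {} was selected, role based access control is disabled", candidates);
        } else {
            LOG.info("Using MBean [{}] for role based access control", chosen);
        }
        this.securityMBean = chosen;
    }

    /**
     * Allows an operation only if both the delegate and the JMXSecurity MBean allow it.
     *
     * @param objectName target MBean
     * @param str operation name, optionally followed by a parenthesised argument type list
     * @return {@code true} if the operation may be invoked; {@code false} also on any error during the check
     */
    @Override // org.jolokia.restrictor.Restrictor
    public boolean isOperationAllowed(ObjectName objectName, String str) {
        boolean allowed = this.delegate.isOperationAllowed(objectName, str);
        if (allowed) {
            try {
                allowed = canInvoke(objectName, str);
            } catch (Exception e) {
                // Fail-closed on any failure of the role-based check.
                LOG.error("Error while invoking JMXSecurity MBean: " + e.getMessage(), e);
                allowed = false;
            }
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("isOperationAllowed(objectName = {}, operation = {}) = {}", objectName, str, allowed);
        }
        return allowed;
    }

    /**
     * Asks the JMXSecurity MBean whether the given operation may be invoked on the given MBean.
     *
     * @param objectName target MBean
     * @param str operation, optionally with a parenthesised argument type list
     * @return the MBean's answer; {@code true} when no security MBean is configured; {@code false}
     *         when the security MBean instance is no longer registered
     * @throws Exception any other failure; callers treat it as a denial
     */
    private boolean canInvoke(ObjectName objectName, String str) throws Exception {
        if (this.securityMBean == null) {
            // Role-based access control is disabled; the delegate's decision stands.
            return true;
        }
        List<String> argTypes = new ArrayList<>();
        try {
            String target = objectName.toString();
            String operation = parseOperation(str, argTypes);
            Object[] params = {target, operation, argTypes.toArray(new String[0])};
            String[] signature = {String.class.getName(), String.class.getName(), String[].class.getName()};
            return (Boolean) this.mBeanServer.invoke(this.securityMBean, "canInvoke", params, signature);
        } catch (InstanceNotFoundException e) {
            LOG.info("Instance not found: {}", e.getMessage());
            return false;
        } catch (MBeanException e2) {
            if (!(e2.getCause() instanceof InstanceNotFoundException)) {
                throw e2;
            }
            LOG.info("Instance not found: {}", e2.getCause().getMessage());
            return false;
        }
    }

    /**
     * Splits an operation such as {@code name(type1,type2)} into its name and argument types.
     *
     * @param str operation, with or without a parenthesised argument type list
     * @param list receives the non-empty argument types, in order, exactly as written (not trimmed)
     * @return the operation name without the argument list
     * @throws IllegalArgumentException if an argument list is opened but the operation does not end with ')'
     */
    private String parseOperation(String str, List<String> list) {
        String operation = str.trim();
        int open = operation.indexOf('(');
        if (open < 0) {
            return operation;
        }
        if (!operation.endsWith(")")) {
            // Without this guard the last character is dropped unconditionally, so "op(int" would be
            // checked as "op(in", and "op(" would raise StringIndexOutOfBoundsException. Reject the
            // input instead, so the permission check never runs on a signature the caller did not send.
            throw new IllegalArgumentException("Malformed operation signature '" + operation + "'");
        }
        for (String argType : operation.substring(open + 1, operation.length() - 1).split(",")) {
            if (!argType.isEmpty()) {
                list.add(argType);
            }
        }
        return operation.substring(0, open);
    }

    /**
     * Allows reading an attribute only if the delegate allows it and the JMXSecurity MBean allows
     * the matching getter ({@code getX()} or {@code isX()}).
     *
     * @param objectName target MBean
     * @param str attribute name
     * @return {@code true} if the attribute may be read; {@code false} also on any error during the check
     */
    @Override // org.jolokia.restrictor.Restrictor
    public boolean isAttributeReadAllowed(ObjectName objectName, String str) {
        boolean allowed = this.delegate.isAttributeReadAllowed(objectName, str);
        if (allowed) {
            try {
                allowed = canInvoke(objectName, resolveAccessor(objectName, str, false));
            } catch (Exception e) {
                // Fail-closed, including when the attribute does not exist on the MBean.
                LOG.error("Error while invoking JMXSecurity MBean: " + e.getMessage(), e);
                allowed = false;
            }
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("isAttributeReadAllowed(objectName = {}, attribute = {}) = {}", objectName, str, allowed);
        }
        return allowed;
    }

    /**
     * Allows writing an attribute only if the delegate allows it and the JMXSecurity MBean allows
     * the matching setter ({@code setX(type)}).
     *
     * @param objectName target MBean
     * @param str attribute name
     * @return {@code true} if the attribute may be written; {@code false} also on any error during the check
     */
    @Override // org.jolokia.restrictor.Restrictor
    public boolean isAttributeWriteAllowed(ObjectName objectName, String str) {
        boolean allowed = this.delegate.isAttributeWriteAllowed(objectName, str);
        if (allowed) {
            try {
                allowed = canInvoke(objectName, resolveAccessor(objectName, str, true));
            } catch (Exception e) {
                // Fail-closed, including when the attribute does not exist on the MBean.
                LOG.error("Error while invoking JMXSecurity MBean: " + e.getMessage(), e);
                allowed = false;
            }
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("isAttributeWriteAllowed(objectName = {}, attribute = {}) = {}", objectName, str, allowed);
        }
        return allowed;
    }

    /**
     * Maps an attribute access to the accessor signature passed to the JMXSecurity MBean.
     *
     * @param objectName MBean owning the attribute
     * @param str attribute name, matched exactly against the MBean's attribute metadata
     * @param z {@code true} for a write (setter), {@code false} for a read (getter)
     * @return {@code setName(type)} for writes, otherwise {@code isName()} or {@code getName()}
     * @throws IllegalArgumentException if the MBean declares no attribute with that name
     * @throws Exception if the MBean metadata cannot be obtained
     */
    private String resolveAccessor(ObjectName objectName, String str, boolean z) throws Exception {
        MBeanAttributeInfo match = null;
        for (MBeanAttributeInfo info : this.mBeanServer.getMBeanInfo(objectName).getAttributes()) {
            if (info.getName().equals(str)) {
                match = info;
                break;
            }
        }
        if (match == null) {
            throw new IllegalArgumentException("Attribute '" + str + "' not found for MBean '" + objectName + "'");
        }
        if (z) {
            return String.format("set%s(%s)", str, match.getType());
        }
        return String.format("%s%s()", match.isIs() ? "is" : "get", str);
    }

    /**
     * Delegates the HTTP method check; no role-based check is applied.
     *
     * @param httpMethod HTTP method of the request
     * @return the delegate's decision
     */
    @Override // org.jolokia.restrictor.Restrictor
    public boolean isHttpMethodAllowed(HttpMethod httpMethod) {
        boolean allowed = this.delegate.isHttpMethodAllowed(httpMethod);
        if (LOG.isTraceEnabled()) {
            LOG.trace("isHttpMethodAllowed(method = {}) = {}", httpMethod, allowed);
        }
        return allowed;
    }

    /**
     * Delegates the request type check; no role-based check is applied.
     *
     * @param requestType Jolokia request type
     * @return the delegate's decision
     */
    @Override // org.jolokia.restrictor.Restrictor
    public boolean isTypeAllowed(RequestType requestType) {
        boolean allowed = this.delegate.isTypeAllowed(requestType);
        if (LOG.isTraceEnabled()) {
            LOG.trace("isTypeAllowed(type = {}) = {}", requestType, allowed);
        }
        return allowed;
    }

    /**
     * Delegates the remote host/address check; no role-based check is applied.
     *
     * @param strArr host names or addresses of the remote side
     * @return the delegate's decision
     */
    @Override // org.jolokia.restrictor.Restrictor
    public boolean isRemoteAccessAllowed(String... strArr) {
        boolean allowed = this.delegate.isRemoteAccessAllowed(strArr);
        if (LOG.isTraceEnabled()) {
            LOG.trace("isRemoteAccessAllowed(hostOrAddress = {}) = {}", strArr, allowed);
        }
        return allowed;
    }

    /**
     * Delegates the origin (CORS) check; no role-based check is applied.
     *
     * @param str origin presented by the request
     * @param z whether the strict check is requested
     * @return the delegate's decision
     */
    @Override // org.jolokia.restrictor.Restrictor
    public boolean isOriginAllowed(String str, boolean z) {
        boolean allowed = this.delegate.isOriginAllowed(str, z);
        if (LOG.isTraceEnabled()) {
            LOG.trace("isOriginAllowed(origin = {}, strictCheck = {}) = {}", str, z, allowed);
        }
        return allowed;
    }
}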
