package org.rhq.enterprise.server.auth;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Properties;
import java.util.Set;
import javax.ejb.EJB;
import javax.ejb.Stateless;
import javax.interceptor.ExcludeDefaultInterceptors;
import javax.persistence.EntityManager;
import javax.persistence.NoResultException;
import javax.persistence.PersistenceContext;
import javax.persistence.Query;
import javax.security.auth.login.LoginContext;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.jboss.security.Util;
import org.jboss.security.auth.callback.UsernamePasswordHandler;
import org.rhq.core.domain.auth.Principal;
import org.rhq.core.domain.auth.Subject;
import org.rhq.core.domain.authz.Permission;
import org.rhq.core.domain.authz.Role;
import org.rhq.core.domain.configuration.Configuration;
import org.rhq.core.domain.criteria.SubjectCriteria;
import org.rhq.core.domain.util.PageControl;
import org.rhq.core.domain.util.PageList;
import org.rhq.core.domain.util.PersistenceUtility;
import org.rhq.enterprise.server.RHQConstants;
import org.rhq.enterprise.server.authz.AuthorizationManagerLocal;
import org.rhq.enterprise.server.authz.PermissionException;
import org.rhq.enterprise.server.authz.RequiredPermission;
import org.rhq.enterprise.server.core.CustomJaasDeploymentServiceMBean;
import org.rhq.enterprise.server.exception.LoginException;
import org.rhq.enterprise.server.system.SystemManagerLocal;
import org.rhq.enterprise.server.util.CriteriaQueryGenerator;
import org.rhq.enterprise.server.util.CriteriaQueryRunner;

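/**
 * Stateless session bean that manages {@link Subject} accounts, their database
 * {@link Principal}s (username plus password hash) and the server-side sessions
 * tracked by {@link SessionManager}.
 *
 * <p>Security-relevant points for maintainers (details on the individual methods):
 * <ul>
 *   <li>Password hashes are produced by {@link #hashPassword(String)}, i.e.
 *       {@code Util.createPasswordHash("MD5", "base64", null, null, ...)}: unsalted MD5.
 *       That is weak by current standards, but the format has to stay in step with the
 *       JAAS login module behind {@link CustomJaasDeploymentServiceMBean#SECURITY_DOMAIN_NAME},
 *       so it is centralised here rather than changed.</li>
 *   <li>{@link #loginUnauthenticated(String, boolean)} creates a session without any
 *       credential check; it is declared on the local interface only.</li>
 *   <li>Writes to other users' accounts require {@link Permission#MANAGE_SECURITY},
 *       enforced either by {@link RequiredPermission} (interceptor) or by an explicit
 *       check in the method body. {@link #isValidSessionId(int, String)} runs with
 *       {@code @ExcludeDefaultInterceptors}.</li>
 * </ul>
 */
@Stateless
public class SubjectManagerBean implements SubjectManagerLocal, SubjectManagerRemote {

    /**
     * Lifetime handed to {@code SessionManager.put(subject, long)} for sessions created by
     * {@link #loginUnauthenticated(String, boolean)}. The value is 120000; presumably
     * milliseconds (two minutes) — confirm against SessionManager.
     */
    private static final long UNAUTHENTICATED_SESSION_LIFETIME = 120000L;

    @PersistenceContext(unitName = RHQConstants.PERSISTENCE_UNIT_NAME)
    private EntityManager entityManager;

    @EJB
    private AuthorizationManagerLocal authorizationManager;

    @EJB
    private SystemManagerLocal systemManager;

    private final Log log = LogFactory.getLog(SubjectManagerBean.class);
    private final SessionManager sessionManager = SessionManager.getInstance();
    private final TemporarySessionPasswordGenerator sessionPasswordGenerator = new TemporarySessionPasswordGenerator();

    /**
     * Loads a subject by primary key and touches its user-configuration properties and
     * its roles (calling {@code size()}) so the presumably lazy collections are initialised
     * before the entity is returned to the caller.
     *
     * @param num subject id
     * @return the subject, or {@code null} when no subject has that id
     */
    @Override // org.rhq.enterprise.server.auth.SubjectManagerLocal
    public Subject loadUserConfiguration(Integer num) {
        Subject subject = this.entityManager.find(Subject.class, num);
        if (subject == null) {
            return null;
        }
        Configuration userConfiguration = subject.getUserConfiguration();
        if (userConfiguration != null && userConfiguration.getProperties() != null) {
            userConfiguration.getProperties().size(); // initialise the collection
        }
        if (subject.getRoles() != null) {
            subject.getRoles().size(); // initialise the collection
        }
        return subject;
    }

    /**
     * Pages through the subjects whose ids are listed in {@code numArr}, ordered by name
     * unless the page control says otherwise. Each returned subject has its roles initialised.
     *
     * @param numArr      ids to look up; {@code null} or empty yields an empty page
     * @param pageControl paging/ordering; its default ordering field is set to {@code s.name}
     * @return one page of matching subjects together with the total match count
     */
    @Override // org.rhq.enterprise.server.auth.SubjectManagerLocal
    public PageList<Subject> findSubjectsById(Integer[] numArr, PageControl pageControl) {
        if (numArr == null || numArr.length == 0) {
            return new PageList<>(pageControl);
        }
        pageControl.initDefaultOrderingField("s.name");
        Query countQuery = PersistenceUtility.createCountQuery(this.entityManager, Subject.QUERY_FIND_BY_IDS);
        Query pageQuery = PersistenceUtility.createQueryWithOrderBy(this.entityManager, Subject.QUERY_FIND_BY_IDS, pageControl);
        List<Integer> ids = Arrays.asList(numArr);
        countQuery.setParameter("ids", ids);
        pageQuery.setParameter("ids", ids);
        long total = ((Long) countQuery.getSingleResult()).longValue();
        List<Subject> subjects = loadSubjectsWithRoles(pageQuery);
        return new PageList<>(subjects, (int) total, pageControl);
    }

    /**
     * Merges {@code subject2} into the persistence context.
     *
     * <p>Authorization: a caller may update its own subject (decided by {@code Subject.equals});
     * updating anyone else requires the explicit global {@link Permission#MANAGE_SECURITY}.
     * System subjects and the system superuser can never be set inactive.
     *
     * <p>NOTE(review): the whole entity is merged, so a self-update by a caller without
     * MANAGE_SECURITY also writes whatever {@code subject2} carries in its roles and
     * fsystem fields. Whether that actually reaches the database depends on the Subject/Role
     * mapping and on callers scrubbing those fields — confirm before exposing this remotely
     * to non-admin users.
     *
     * @param subject  the caller
     * @param subject2 the subject to update
     * @return the managed instance returned by {@code EntityManager.merge}
     * @throws PermissionException when the caller may not update {@code subject2}, or when a
     *         system/superuser subject would be deactivated
     */
    @Override // org.rhq.enterprise.server.auth.SubjectManagerLocal, org.rhq.enterprise.server.auth.SubjectManagerRemote
    public Subject updateSubject(Subject subject, Subject subject2) {
        boolean isSelf = subject.equals(subject2);
        if (!isSelf && !this.authorizationManager.getExplicitGlobalPermissions(subject).contains(Permission.MANAGE_SECURITY)) {
            throw new PermissionException("You [" + subject.getName() + "] do not have permission to update user [" + subject2.getName() + "]");
        }
        boolean mustStayActive = subject2.getFsystem() || this.authorizationManager.isSystemSuperuser(subject2);
        if (mustStayActive && !subject2.getFactive()) {
            throw new PermissionException("You cannot disable user [" + subject2.getName() + "] - it must always be active");
        }
        return this.entityManager.merge(subject2);
    }

    /**
     * @return the internal "overlord" subject held by {@link SessionManager}
     */
    @Override // org.rhq.enterprise.server.auth.SubjectManagerLocal
    public Subject getOverlord() {
        return this.sessionManager.getOverlord();
    }

    /**
     * Looks a subject up by its (unique) name.
     *
     * @param str subject name
     * @return the subject, or {@code null} when none has that name
     */
    @Override // org.rhq.enterprise.server.auth.SubjectManagerLocal, org.rhq.enterprise.server.auth.SubjectManagerRemote
    public Subject getSubjectByName(String str) {
        Query query = this.entityManager.createNamedQuery(Subject.QUERY_FIND_BY_NAME);
        query.setParameter("name", str);
        try {
            return (Subject) query.getSingleResult();
        } catch (NoResultException notFound) {
            return null;
        }
    }

    /**
     * Persists a new (non-system) subject. Roles are cleared before persisting, so a freshly
     * created subject never starts with role assignments; the user configuration, if any, is
     * merged first.
     *
     * @param subject  the caller (must hold MANAGE_SECURITY; enforced by the interceptor)
     * @param subject2 the subject to create
     * @return the persisted subject
     * @throws SubjectException when the name is taken or {@code subject2} is flagged as a system subject
     */
    @Override // org.rhq.enterprise.server.auth.SubjectManagerLocal, org.rhq.enterprise.server.auth.SubjectManagerRemote
    @RequiredPermission(Permission.MANAGE_SECURITY)
    public Subject createSubject(Subject subject, Subject subject2) throws SubjectException {
        if (getSubjectByName(subject2.getName()) != null) {
            throw new SubjectException("A user already exists with " + subject2.getName());
        }
        if (subject2.getFsystem()) {
            throw new SubjectException("Cannot create new system subjects: " + subject2.getName());
        }
        subject2.setRoles(null); // role membership is never granted at creation time
        Configuration userConfiguration = subject2.getUserConfiguration();
        if (userConfiguration != null) {
            subject2.setUserConfiguration(this.entityManager.merge(userConfiguration));
        }
        this.entityManager.persist(subject2);
        return subject2;
    }

    /**
     * Pages through every subject, ordered by name unless the page control says otherwise.
     *
     * @param pageControl paging/ordering; its default ordering field is set to {@code s.name}
     * @return one page of subjects together with the total count
     */
    @Override // org.rhq.enterprise.server.auth.SubjectManagerLocal
    @SuppressWarnings("unchecked")
    public PageList<Subject> findAllSubjects(PageControl pageControl) {
        pageControl.initDefaultOrderingField("s.name");
        Query countQuery = PersistenceUtility.createCountQuery(this.entityManager, Subject.QUERY_FIND_ALL);
        Query pageQuery = PersistenceUtility.createQueryWithOrderBy(this.entityManager, Subject.QUERY_FIND_ALL, pageControl);
        List<Subject> subjects = pageQuery.getResultList();
        long total = ((Long) countQuery.getSingleResult()).longValue();
        return new PageList<>(subjects, (int) total, pageControl);
    }

    /**
     * @param i subject id
     * @return the subject with that id, or {@code null}
     */
    @Override // org.rhq.enterprise.server.auth.SubjectManagerLocal
    public Subject getSubjectById(int i) {
        return this.entityManager.find(Subject.class, Integer.valueOf(i));
    }

    /**
     * Issues a temporary password bound to the given session id (see
     * {@link TemporarySessionPasswordGenerator}).
     *
     * @param i session id the password is tied to
     * @return the generated password
     */
    @Override // org.rhq.enterprise.server.auth.SubjectManagerLocal
    public String generateTemporarySessionPassword(int i) {
        return this.sessionPasswordGenerator.generateSessionPassword(i);
    }

    /**
     * Checks a temporary session password: it must map back to a session id and that session
     * must still hold a subject.
     *
     * @param str the temporary password
     * @return {@code true} when the password is valid and its session is live
     * @throws Exception propagated from the session lookup
     */
    @Override // org.rhq.enterprise.server.auth.SubjectManagerLocal
    public boolean authenticateTemporarySessionPassword(String str) throws Exception {
        Integer sessionId = this.sessionPasswordGenerator.authenticateSessionPassword(str);
        if (sessionId == null) {
            return false;
        }
        return this.sessionManager.getSubject(sessionId.intValue()) != null;
    }

    /**
     * Authenticates {@code str}/{@code str2} against the JAAS domain
     * {@link CustomJaasDeploymentServiceMBean#SECURITY_DOMAIN_NAME} and returns the
     * corresponding subject with a session id set.
     *
     * <p>If the user already has a live session its id is reused; otherwise a new session is
     * created. When no local subject exists the login is only accepted if the configured JAAS
     * provider is {@link RHQConstants#LDAPJAASProvider}, in which case a transient subject
     * (id 0, never persisted) is put into the session.
     *
     * <p>NOTE(review): the message of the underlying JAAS exception is passed through to the
     * caller unchanged; depending on the login module it may tell an attacker whether the
     * user name exists.
     *
     * @param str  user name
     * @param str2 plaintext password
     * @return the logged-in subject
     * @throws LoginException when the password is missing, authentication fails or the
     *         account is disabled
     * @throws IllegalStateException when authentication succeeded but no subject exists and
     *         the JAAS provider is not LDAP
     */
    @Override // org.rhq.enterprise.server.auth.SubjectManagerLocal, org.rhq.enterprise.server.auth.SubjectManagerRemote
    public Subject login(String str, String str2) throws LoginException {
        if (str2 == null) {
            throw new LoginException("No password was given");
        }
        Properties systemConfiguration = this.systemManager.getSystemConfiguration();
        try {
            LoginContext loginContext = new LoginContext(CustomJaasDeploymentServiceMBean.SECURITY_DOMAIN_NAME,
                new UsernamePasswordHandler(str, str2.toCharArray()));
            loginContext.login();
            // A login that yields no principal is a failure, not a NoSuchElementException.
            boolean hasPrincipal = !loginContext.getSubject().getPrincipals().isEmpty();
            loginContext.logout();
            if (!hasPrincipal) {
                throw new LoginException("Authentication produced no principal for user [" + str + "]");
            }

            Subject subject = getSubjectByName(str);
            if (subject == null) {
                // Null-safe: a missing JAASProvider property must not NPE here.
                String provider = systemConfiguration.getProperty(RHQConstants.JAASProvider);
                if (!RHQConstants.LDAPJAASProvider.equals(provider)) {
                    throw new IllegalStateException("Somehow you authenticated with a principal that has no associated subject. Your account is invalid.");
                }
                subject = new Subject();
                subject.setId(0);
                subject.setName(str);
                subject.setFactive(true);
                subject.setFsystem(false);
            } else {
                if (!subject.getFactive()) {
                    throw new LoginException("User account has been disabled.");
                }
                try {
                    // Reuse the user's existing session instead of opening a second one.
                    subject.setSessionId(Integer.valueOf(this.sessionManager.getSessionIdFromUsername(str)));
                    return subject;
                } catch (SessionException ignored) {
                    // no live session for this user yet; fall through and create one
                }
            }
            this.sessionManager.put(subject);
            return subject;
        } catch (javax.security.auth.login.LoginException jaasFailure) {
            // The project LoginException only carries a message, so keep the cause in the log.
            this.log.debug("JAAS login failed for user [" + str + "]", jaasFailure);
            throw new LoginException(jaasFailure.getMessage());
        }
    }

    /**
     * Invalidates the session belonging to {@code subject}'s user name. Best-effort: a
     * session that is already gone or timed out is not an error.
     *
     * @param subject the subject to log out
     */
    @Override // org.rhq.enterprise.server.auth.SubjectManagerLocal, org.rhq.enterprise.server.auth.SubjectManagerRemote
    public void logout(Subject subject) {
        try {
            int sessionId = this.sessionManager.getSessionIdFromUsername(subject.getName());
            this.sessionManager.invalidate(sessionId);
        } catch (SessionNotFoundException ignored) {
            // nothing to invalidate
        } catch (SessionTimeoutException ignored) {
            // already expired
        }
    }

    /**
     * Invalidates the session with the given id.
     *
     * @param i session id
     */
    @Override // org.rhq.enterprise.server.auth.SubjectManagerLocal
    public void logout(int i) {
        this.sessionManager.invalidate(i);
    }

    /**
     * @param str user name
     * @return {@code true} when {@link SessionManager} currently has a session for that user
     */
    @Override // org.rhq.enterprise.server.auth.SubjectManagerLocal
    public boolean isLoggedIn(String str) {
        try {
            this.sessionManager.getSessionIdFromUsername(str);
            return true;
        } catch (SessionException noSession) {
            return false;
        }
    }

    /**
     * Creates a database principal for {@code str} with the hash of {@code str2}.
     *
     * @param subject the caller (must hold MANAGE_SECURITY; enforced by the interceptor)
     * @param str     user name
     * @param str2    plaintext password; hashed via {@link #hashPassword(String)}
     * @throws SubjectException when persisting fails
     * @throws IllegalArgumentException when {@code str2} is {@code null}
     */
    @Override // org.rhq.enterprise.server.auth.SubjectManagerLocal, org.rhq.enterprise.server.auth.SubjectManagerRemote
    @RequiredPermission(Permission.MANAGE_SECURITY)
    public void createPrincipal(Subject subject, String str, String str2) throws SubjectException {
        createPrincipal(subject, new Principal(str, hashPassword(str2)));
    }

    /**
     * Persists an already-built principal.
     *
     * @param subject   the caller (must hold MANAGE_SECURITY; enforced by the interceptor)
     * @param principal the principal to persist
     * @throws SubjectException when persisting fails
     */
    @Override // org.rhq.enterprise.server.auth.SubjectManagerLocal
    @RequiredPermission(Permission.MANAGE_SECURITY)
    public void createPrincipal(Subject subject, Principal principal) throws SubjectException {
        try {
            this.entityManager.persist(principal);
        } catch (Exception e) {
            // SubjectException only carries a message, so keep the cause in the log.
            this.log.error("Failed creating principal", e);
            throw new SubjectException("Failed creating principal: " + e.getMessage());
        }
    }

    /**
     * Replaces the stored password hash of user {@code str}.
     *
     * <p>Authorization: a caller may change its own password; changing anyone else's requires
     * the global {@link Permission#MANAGE_SECURITY}. Note that the current password is not
     * verified here, not even for a self-change — callers are presumably expected to do that.
     *
     * @param subject the caller
     * @param str     user name whose password changes
     * @param str2    new plaintext password; hashed via {@link #hashPassword(String)}
     * @throws PermissionException when the caller may not change this user's password
     * @throws NoResultException when the user has no principal
     * @throws IllegalArgumentException when {@code str2} is {@code null}
     */
    @Override // org.rhq.enterprise.server.auth.SubjectManagerLocal, org.rhq.enterprise.server.auth.SubjectManagerRemote
    public void changePassword(Subject subject, String str, String str2) {
        boolean isSelf = subject.getName().equals(str);
        if (!isSelf && !this.authorizationManager.hasGlobalPermission(subject, Permission.MANAGE_SECURITY)) {
            throw new PermissionException("You do not have permission to change the password for user [" + str + "]");
        }
        findPrincipal(str).setPassword(hashPassword(str2));
    }

    /**
     * @param str user name
     * @return {@code true} when a principal row exists for that user name
     */
    @Override // org.rhq.enterprise.server.auth.SubjectManagerLocal
    public boolean isUserWithPrincipal(String str) {
        try {
            return findPrincipal(str) != null;
        } catch (NoResultException notFound) {
            return false;
        }
    }

    /**
     * @return the user names of every principal in the database
     */
    @Override // org.rhq.enterprise.server.auth.SubjectManagerLocal
    @SuppressWarnings("unchecked")
    public Collection<String> findAllUsersWithPrincipals() {
        List<Principal> principals = this.entityManager.createNamedQuery(Principal.QUERY_FIND_ALL_USERS).getResultList();
        List<String> names = new ArrayList<>(principals.size());
        for (Principal principal : principals) {
            names.add(principal.getPrincipal());
        }
        return names;
    }

    /**
     * Opens a session for {@code str} <b>without checking any credential</b>.
     *
     * <p>This exists on the local interface only; never expose it to remote callers. When
     * {@code z} is set and the user already has a live session, that session's subject is
     * returned instead of creating a new one. Sessions created here are put with
     * {@link #UNAUTHENTICATED_SESSION_LIFETIME}.
     *
     * @param str user name
     * @param z   whether to reuse an existing session for the user
     * @return a subject with a session
     * @throws LoginException when the user does not exist or is disabled
     */
    @Override // org.rhq.enterprise.server.auth.SubjectManagerLocal
    public Subject loginUnauthenticated(String str, boolean z) throws LoginException {
        if (z) {
            try {
                return this.sessionManager.getSubject(this.sessionManager.getSessionIdFromUsername(str));
            } catch (SessionException ignored) {
                // no reusable session; create one below
            }
        }
        Subject subject = getSubjectByName(str);
        if (subject == null) {
            throw new LoginException("User account does not exist. [" + str + "]");
        }
        if (!subject.getFactive()) {
            throw new LoginException("User account has been disabled. [" + str + "]");
        }
        this.sessionManager.put(subject, UNAUTHENTICATED_SESSION_LIFETIME);
        return subject;
    }

    /**
     * Deletes the subjects with the given ids: detaches them from their roles, removes their
     * principal (if any) and finally the subject row. Ids with no matching subject are
     * logged and skipped.
     *
     * @param subject the caller (must hold MANAGE_SECURITY; enforced by the interceptor)
     * @param iArr    subject ids to delete; {@code null} is a no-op
     * @throws PermissionException when the caller tries to delete itself or a system superuser
     */
    @Override // org.rhq.enterprise.server.auth.SubjectManagerLocal
    @RequiredPermission(Permission.MANAGE_SECURITY)
    public void deleteUsers(Subject subject, int[] iArr) {
        if (iArr == null) {
            return;
        }
        for (int id : iArr) {
            Subject doomed = getSubjectById(id);
            if (doomed == null) {
                this.log.warn("Cannot delete subject with id [" + id + "]: it does not exist");
                continue;
            }
            if (subject.getName().equals(doomed.getName())) {
                throw new PermissionException("You cannot remove yourself: " + doomed.getName());
            }
            detachFromRoles(doomed);
            if (isUserWithPrincipal(doomed.getName())) {
                deletePrincipal(subject, doomed);
            }
            deleteSubject(subject, doomed);
        }
    }

    /**
     * Remote-interface alias of {@link #deleteUsers(Subject, int[])}.
     */
    @Override // org.rhq.enterprise.server.auth.SubjectManagerLocal, org.rhq.enterprise.server.auth.SubjectManagerRemote
    public void deleteSubjects(Subject subject, int[] iArr) {
        deleteUsers(subject, iArr);
    }

    /**
     * Removes {@code doomed} from every role it belongs to and clears its own role set.
     */
    private void detachFromRoles(Subject doomed) {
        Set<Role> roles = doomed.getRoles();
        doomed.setRoles(new HashSet<Role>());
        for (Role role : roles) {
            role.removeSubject(doomed);
        }
    }

    /**
     * Removes the subject row; the system superuser is protected.
     *
     * @throws PermissionException when {@code subject2} is the system superuser
     */
    private void deleteSubject(Subject subject, Subject subject2) throws PermissionException {
        if (this.authorizationManager.isSystemSuperuser(subject2)) {
            throw new PermissionException("You cannot delete a system root user - they must always exist");
        }
        this.entityManager.remove(subject2);
    }

    /**
     * Removes the principal row for {@code subject2}; the system superuser is protected.
     *
     * @throws PermissionException when {@code subject2} is the system superuser
     * @throws NoResultException when no principal exists for the subject's name
     */
    private void deletePrincipal(Subject subject, Subject subject2) throws PermissionException {
        if (this.authorizationManager.isSystemSuperuser(subject2)) {
            throw new PermissionException("You cannot delete the principal for the root user [" + subject2.getName() + "]");
        }
        this.entityManager.remove(findPrincipal(subject2.getName()));
    }

    /**
     * @param i session id
     * @return the subject held in that session
     * @throws Exception propagated from {@link SessionManager}
     */
    @Override // org.rhq.enterprise.server.auth.SubjectManagerLocal
    public Subject getSubjectBySessionId(int i) throws Exception {
        return this.sessionManager.getSubject(i);
    }

    /**
     * Returns the session's subject only when its name matches {@code str}; a mismatch (or a
     * session without a subject) is reported as a missing session rather than as an NPE.
     *
     * @param str expected user name
     * @param i   session id
     * @return the subject held in session {@code i}
     * @throws SessionNotFoundException when the session does not belong to {@code str}
     * @throws Exception propagated from {@link SessionManager}
     */
    @Override // org.rhq.enterprise.server.auth.SubjectManagerLocal, org.rhq.enterprise.server.auth.SubjectManagerRemote
    public Subject getSubjectByNameAndSessionId(String str, int i) throws Exception {
        Subject sessionSubject = getSubjectBySessionId(i);
        if (sessionSubject == null || str == null || !str.equals(sessionSubject.getName())) {
            throw new SessionNotFoundException();
        }
        return sessionSubject;
    }

    /**
     * Checks that session {@code i} exists and belongs to user {@code str}. Any failure
     * (unknown session, timeout, {@code null} name) yields {@code false}. Runs without the
     * default interceptors, presumably so it can be used before a session is established.
     *
     * @param i   session id
     * @param str expected user name
     * @return whether the session is valid for that user
     */
    @Override // org.rhq.enterprise.server.auth.SubjectManagerLocal
    @ExcludeDefaultInterceptors
    public boolean isValidSessionId(int i, String str) {
        try {
            return str.equals(this.sessionManager.getSubject(i).getName());
        } catch (Exception invalid) {
            return false;
        }
    }

    /**
     * Pages through the subjects that are not yet members of role {@code num}, optionally
     * excluding the ids in {@code numArr}. Each returned subject has its roles initialised.
     *
     * @param subject     the caller (must hold MANAGE_SECURITY; enforced by the interceptor)
     * @param num         role id
     * @param numArr      subject ids to leave out; {@code null}/empty means no exclusions
     * @param pageControl paging/ordering; its default ordering field is set to {@code s.name}
     * @return one page of candidate subjects together with the total count
     */
    @Override // org.rhq.enterprise.server.auth.SubjectManagerLocal
    @RequiredPermission(Permission.MANAGE_SECURITY)
    public PageList<Subject> findAvailableSubjectsForRole(Subject subject, Integer num, Integer[] numArr, PageControl pageControl) {
        pageControl.initDefaultOrderingField("s.name");
        boolean hasExcludes = numArr != null && numArr.length > 0;
        String queryName = hasExcludes
            ? Subject.QUERY_FIND_AVAILABLE_SUBJECTS_FOR_ROLE_WITH_EXCLUDES
            : Subject.QUERY_FIND_AVAILABLE_SUBJECTS_FOR_ROLE;
        Query countQuery = PersistenceUtility.createCountQuery(this.entityManager, queryName, "distinct s");
        Query pageQuery = PersistenceUtility.createQueryWithOrderBy(this.entityManager, queryName, pageControl);
        countQuery.setParameter("roleId", num);
        pageQuery.setParameter("roleId", num);
        if (hasExcludes) {
            List<Integer> excludes = Arrays.asList(numArr);
            countQuery.setParameter("excludes", excludes);
            pageQuery.setParameter("excludes", excludes);
        }
        long total = ((Long) countQuery.getSingleResult()).longValue();
        List<Subject> subjects = loadSubjectsWithRoles(pageQuery);
        return new PageList<>(subjects, (int) total, pageControl);
    }

    /**
     * Runs a criteria search for subjects.
     *
     * <p>NOTE(review): the caller {@code subject} is not used here and is not handed to
     * {@link CriteriaQueryGenerator}, so no caller-based filtering or permission check is
     * visible in this method; confirm that is intended for the remote interface.
     *
     * @param subject         the caller (unused)
     * @param subjectCriteria search criteria
     * @return matching subjects
     */
    @Override // org.rhq.enterprise.server.auth.SubjectManagerLocal, org.rhq.enterprise.server.auth.SubjectManagerRemote
    public PageList<Subject> findSubjectsByCriteria(Subject subject, SubjectCriteria subjectCriteria) {
        CriteriaQueryGenerator generator = new CriteriaQueryGenerator(subjectCriteria);
        return new CriteriaQueryRunner(subjectCriteria, generator, this.entityManager).execute();
    }

    /**
     * Runs the subject query and touches each result's roles so the collection is
     * initialised. Never returns {@code null}.
     */
    @SuppressWarnings("unchecked")
    private List<Subject> loadSubjectsWithRoles(Query query) {
        List<Subject> subjects = query.getResultList();
        if (subjects == null) {
            return new ArrayList<>();
        }
        for (Subject s : subjects) {
            s.getRoles().size();
        }
        return subjects;
    }

    /**
     * Looks up the principal row for a user name.
     *
     * @throws NoResultException when there is none
     */
    private Principal findPrincipal(String username) {
        Query query = this.entityManager.createNamedQuery(Principal.QUERY_FIND_BY_USERNAME);
        query.setParameter("principal", username);
        return (Principal) query.getSingleResult();
    }

    /**
     * Hashes a plaintext password the way the configured JAAS login module expects:
     * unsalted MD5, base64-encoded. This is the single place the algorithm is chosen;
     * changing it requires changing the login module configuration in lock-step (and
     * re-hashing stored passwords), which is why the weak digest is not replaced here.
     *
     * @throws IllegalArgumentException when {@code plaintext} is {@code null}
     */
    private static String hashPassword(String plaintext) {
        if (plaintext == null) {
            throw new IllegalArgumentException("No password was given");
        }
        return Util.createPasswordHash("MD5", "base64", (String) null, (String) null, plaintext);
    }
}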
