package com.apusic.security;

import com.apusic.logging.Logger;
import com.apusic.net.MuxSocket;
import com.apusic.org.objectweb.asm.Opcodes;
import com.apusic.security.auth.login.PasswordCredential;
import com.apusic.security.realm.PasswordCredential2;
import com.apusic.security.sso.SSOCredential;
import com.apusic.util.Utils;
import java.io.IOException;
import java.net.BindException;
import java.rmi.RemoteException;
import java.security.Policy;
import java.security.Principal;
import java.security.PublicKey;
import java.security.acl.Group;
import java.security.cert.CertPath;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.EmptyStackException;
import java.util.List;
import java.util.Map;
import java.util.Stack;
import java.util.WeakHashMap;
import javax.rmi.PortableRemoteObject;
import org.ietf.jgss.GSSCredential;
import org.omg.CORBA.INTERNAL;
import org.omg.CORBA.LocalObject;
import org.omg.CORBA.ORB;

/* loaded from: input_file:com/apusic/security/SecurityControllerImpl.class */
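/**
 * Process-wide security controller.
 *
 * <p>Authenticates callers against the {@link MasterSecurityController} (either the
 * in-process one handed over by {@link #postInit}, or the remote one resolved through
 * the ORB's {@code SecurityService} plus the authenticator host it advertises), keeps
 * the process-level {@link SecurityContext} and a per-thread stack of impersonation
 * contexts, and forwards user/group administration to the master controller.
 *
 * <p>Thread-safety: {@link #login} and {@link #logout} are synchronized; every other
 * write to {@code processContext}, {@code msc}, {@code authHost}/{@code authPort},
 * {@code verifyKey} and {@code serverToken} is unsynchronized lazy initialisation.
 * NOTE(review): those writes are presumably idempotent (same value on every call), so a
 * race only repeats work -- confirm for {@code serverToken}, which is created remotely.
 */
public final class SecurityControllerImpl extends LocalObject implements SecurityController, SecurityAdmin {
    /** Connection attempts against the authenticator before a BindException is given up on. */
    private static final int AUTH_CONNECT_ATTEMPTS = 3;
    /** Initial capacity of the token cache (the decompiler rendered the literal 101 as Opcodes.LSUB). */
    private static final int TOKEN_CACHE_INITIAL_CAPACITY = 101;

    private ORB orb;
    private MasterSecurityController msc;
    /** True once {@link #postInit} ran, i.e. this controller lives in the server process. */
    private boolean isServer;
    private String authHost;
    private int authPort;
    private PublicKey verifyKey;
    private Object serverToken;
    private Logger log;
    /** Context of the process itself; the fallback when the current thread has no context. */
    private SecurityContext processContext = null;
    /** Per-thread stack of contexts pushed by impersonation; top of stack wins. */
    private final ThreadLocal<Stack<SecurityContext>> threadContext = new ThreadLocal<>();
    /**
     * Tokens that already passed signature verification, keyed by a clone of the token id.
     * NOTE(review): the clone is referenced only by this weak-keyed map, so entries are
     * collectable at the next GC; and if {@code getId()} returns an array, {@code get} relies on
     * array identity and never hits. Confirm the id type before relying on this cache.
     */
    private final Map<Object, AccessToken> tokenCache = new WeakHashMap<>(TOKEN_CACHE_INITIAL_CAPACITY);

    @Override // com.apusic.security.SecurityController
    public ORB orb() {
        return this.orb;
    }

    /**
     * Binds the ORB used to resolve the remote security service. Only the first
     * non-null assignment is kept; later calls are ignored.
     *
     * @param orb the ORB to use
     */
    public void orb(ORB orb) {
        if (this.orb == null) {
            this.orb = orb;
        }
    }

    /**
     * Server-side initialisation: installs the in-process master controller, marks this
     * process as the server and publishes this instance as {@code Security.primary}.
     *
     * @param masterSecurityController the in-process master controller
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public void postInit(MasterSecurityController masterSecurityController) {
        this.msc = masterSecurityController;
        this.isServer = true;
        this.log = Logger.getLogger("service.Security");
        Security.primary = this;
    }

    /**
     * Returns the master controller, resolving it lazily through the ORB's
     * {@code SecurityService} reference when {@link #postInit} did not provide one.
     *
     * @return the master controller
     * @throws INTERNAL if the reference cannot be resolved or narrowed (cause preserved)
     */
    public MasterSecurityController factory() {
        if (this.msc == null) {
            try {
                Object ref = this.orb.resolve_initial_references("SecurityService");
                this.msc = (MasterSecurityController) PortableRemoteObject.narrow(ref, MasterSecurityController.class);
            } catch (Exception e) {
                // ORB boundary: every failure (including a null orb) is reported as INTERNAL.
                INTERNAL internal = new INTERNAL("Unable to resolve SecurityService");
                internal.initCause(e);
                throw internal;
            }
        }
        return this.msc;
    }

    /**
     * Process-level login for client processes.
     *
     * @param str user id
     * @param obj credential in any form accepted by {@link #logonUser}
     * @throws AlreadyAuthenticatedException in the server process, or when a process context is already set
     * @throws RemoteException on communication failure with the authenticator
     * @throws AuthenticationException if the credential is rejected
     */
    @Override // com.apusic.security.SecurityController
    public synchronized void login(String str, Object obj) throws RemoteException, AuthenticationException {
        if (this.isServer || getProcessSecurityContext() != null) {
            throw new AlreadyAuthenticatedException();
        }
        setProcessSecurityContext(logonUser(str, obj));
    }

    /**
     * Authenticates a user without touching the process context.
     *
     * @param str user id
     * @param obj credential (password as String/char[], certificate(s), CertPath, GSS or SSO credential)
     * @return a new context holding the access token returned by the authenticator and the normalised credential
     * @throws IllegalArgumentException if the credential form is not recognised or is empty while required
     * @throws RemoteException on communication failure with the authenticator
     * @throws AuthenticationException if the credential is rejected
     */
    @Override // com.apusic.security.SecurityController
    public SecurityContext logonUser(String str, Object obj) throws RemoteException, AuthenticationException {
        Object credential = normalizeCredential(str, obj, isCredentialRequired());
        return new SecurityContext(authenticate(str, credential), credential);
    }

    /**
     * Runs the authentication exchange for an already normalised credential.
     *
     * <p>Password credentials are checked in-process when the system property
     * {@code com.apusic.authenticator.local} is set; everything else goes over a
     * {@link MuxSocket} to the authenticator host. Opening the socket is retried up to
     * {@link #AUTH_CONNECT_ATTEMPTS} times on {@link BindException}; any other I/O
     * failure (including a RemoteException raised by the authenticator, which is an
     * IOException) is reported as a {@code "communication error"} RemoteException.
     *
     * @param str user id; suffixed with {@code "@" + Security.getCurrentRealm()} when a realm is set
     * @param obj normalised credential
     * @return the access token produced by the authenticator
     * @throws RemoteException on communication failure, or after the last bind attempt failed
     * @throws AuthenticationException for an unsupported credential type or a rejected credential
     */
    private Object authenticate(String str, Object obj) throws RemoteException, AuthenticationException {
        if (obj instanceof PasswordCredential && Boolean.getBoolean("com.apusic.authenticator.local")) {
            return new ServerAuthenticator(factory(), this.log).localPasswordAuthenticate(str, (PasswordCredential) obj);
        }
        if (this.authHost == null) {
            this.authHost = factory().getAuthenticatorHost();
            this.authPort = factory().getAuthenticatorPort();
        }
        // Qualify the name once, outside the retry loop: the previous implementation appended
        // "@realm" on every attempt, so a login retried after a BindException was sent as
        // "user@realm@realm".
        String qualifiedName = str;
        String currentRealm = Security.getCurrentRealm();
        if (currentRealm != null) {
            qualifiedName = str + "@" + currentRealm;
        }
        BindException lastBindFailure = null;
        for (int attempt = 0; attempt < AUTH_CONNECT_ATTEMPTS; attempt++) {
            MuxSocket muxSocket;
            try {
                muxSocket = new MuxSocket(this.authHost, this.authPort, "auth");
            } catch (BindException e) {
                lastBindFailure = e;
                continue;
            } catch (IOException e) {
                throw new RemoteException("communication error", e);
            }
            try {
                return authenticateOver(muxSocket, qualifiedName, obj);
            } catch (IOException e) {
                throw new RemoteException("communication error", e);
            } finally {
                closeQuietly(muxSocket);
            }
        }
        throw new RemoteException("communication error", lastBindFailure);
    }

    /**
     * Dispatches to the wire authenticator matching the credential type.
     *
     * @param muxSocket open connection to the authenticator
     * @param qualifiedName user id, already realm-qualified
     * @param obj normalised credential
     * @return the access token produced by the authenticator
     * @throws IOException on communication failure (callers wrap this)
     * @throws AuthenticationException for an unsupported credential type or a rejected credential
     */
    private static Object authenticateOver(MuxSocket muxSocket, String qualifiedName, Object obj)
            throws IOException, AuthenticationException {
        if (obj instanceof PasswordCredential) {
            return new ClientAuthenticator(muxSocket).authenticate(qualifiedName, (PasswordCredential) obj);
        }
        if (obj instanceof PasswordCredential2) {
            return new ClientAuthenticator2(muxSocket).authenticate(qualifiedName, (PasswordCredential2) obj);
        }
        if (obj instanceof CertPath) {
            return new ClientCertificateAuthenticator(muxSocket).authenticate((CertPath) obj);
        }
        if (obj instanceof GSSCredential) {
            return new Krb5ClientAuthenticator(muxSocket).authenticate((GSSCredential) obj);
        }
        if (obj instanceof SSOCredential) {
            // The SSO authenticator only receives the name; the SSOCredential itself is not sent here.
            return new SSOAuthenticator(muxSocket).authenticate(qualifiedName);
        }
        throw new AuthenticationException("Unsupported credential");
    }

    /** Closes the authenticator connection; a failing close never masks the authentication outcome. */
    private static void closeQuietly(MuxSocket muxSocket) {
        try {
            muxSocket.close();
        } catch (Exception ignored) {
            // best-effort close, same as the original behaviour
        }
    }

    /** Clears the process context. Thread contexts pushed by impersonation are untouched. */
    @Override // com.apusic.security.SecurityController
    public synchronized void logout() {
        setProcessSecurityContext(null);
    }

    @Override // com.apusic.security.SecurityController
    public void impersonate(Object obj) {
        impersonate(obj, null);
    }

    /**
     * Pushes an impersonation context for the current thread.
     *
     * @param obj access token to impersonate; a null token pushes an anonymous context
     * @param obj2 credential stored alongside the token (may be null)
     * @throws SecurityException if the token is not an {@link AccessToken} or, in the server process, fails verification
     */
    @Override // com.apusic.security.SecurityController
    public void impersonate(Object obj, Object obj2) {
        if (obj != null) {
            verifyAccessToken(obj);
        }
        SecurityContext context = new SecurityContext(obj, obj2);
        context.setImpersonation();
        pushSecurityContext(context);
    }

    /**
     * Pops the current thread's impersonation context.
     *
     * @throws RuntimeException if the thread has no context or its top context is not an impersonation
     */
    @Override // com.apusic.security.SecurityController
    public void revertToSelf() {
        SecurityContext current = getThreadSecurityContext();
        if (current == null) {
            throw new RuntimeException("null security context");
        }
        if (!current.isImpersonation()) {
            throw new RuntimeException("Not in impersonation state");
        }
        popSecurityContext();
    }

    /**
     * Obtains an impersonation token for a user while temporarily running under the
     * server's own access token. Requires an in-process {@link MasterSecurityControllerImpl}.
     *
     * @param str user id to impersonate
     * @return the token returned by the master controller
     * @throws SecurityException if the master controller is not the in-process implementation
     * @throws RemoteException on communication failure
     */
    @Override // com.apusic.security.SecurityController
    public Object getImpersonateToken(String str) throws RemoteException {
        if (this.serverToken == null) {
            if (!(this.msc instanceof MasterSecurityControllerImpl)) {
                throw new SecurityException("Impersonation is disabled");
            }
            this.serverToken = ((MasterSecurityControllerImpl) this.msc).createServerAccessToken();
        }
        pushSecurityContext(new SecurityContext(this.serverToken, null));
        try {
            return factory().impersonate(str);
        } finally {
            // always unwind the server context, whatever impersonate() did
            popSecurityContext();
        }
    }

    /**
     * Returns the effective access token: the subject credential of type
     * {@link AccessToken} if one is attached, else the token of the current context.
     *
     * @return the access token, or null when neither source has one
     */
    @Override // com.apusic.security.SecurityController
    public Object getAccessToken() {
        Object subjectToken = Security.getSubjectCredential(AccessToken.class);
        if (subjectToken != null) {
            return subjectToken;
        }
        SecurityContext context = getSecurityContext();
        return context == null ? null : context.getAccessToken();
    }

    /** @return the credential of the current context, or null when there is no context */
    @Override // com.apusic.security.SecurityController
    public Object getCredential() {
        SecurityContext context = getSecurityContext();
        return context == null ? null : context.getCredential();
    }

    /** @return the principal of the effective access token, or null */
    @Override // com.apusic.security.SecurityController
    public Principal getCurrentUser() {
        AccessToken token = (AccessToken) getAccessToken();
        return token == null ? null : token.getPrincipal();
    }

    /** @return the principal of the process-level context's token, ignoring thread contexts, or null */
    @Override // com.apusic.security.SecurityController
    public Principal getLogonUser() {
        SecurityContext process = getProcessSecurityContext();
        if (process == null) {
            return null;
        }
        AccessToken token = (AccessToken) process.getAccessToken();
        return token == null ? null : token.getPrincipal();
    }

    @Override // com.apusic.security.SecurityController
    public Principal getPrincipal(String str) throws RemoteException {
        checkUserid(str);
        return factory().getPrincipal(str);
    }

    @Override // com.apusic.security.SecurityController
    public Principal getUser(String str) throws RemoteException {
        checkUserid(str);
        return factory().getUser(str);
    }

    @Override // com.apusic.security.SecurityController
    public Group getGroup(String str) throws RemoteException {
        checkGroupName(str);
        return factory().getGroup(str);
    }

    @Override // com.apusic.security.SecurityAdmin
    public Collection<Principal> getUsers() throws RemoteException {
        return factory().getUsers();
    }

    /**
     * Replaces a user by deleting and re-adding it with a new password.
     *
     * <p>NOTE(review): the two remote calls are not atomic -- if {@code addUser} fails the user
     * stays deleted -- and unlike {@link #addUser}/{@link #deleteUser} no policy refresh follows.
     * Both are preserved as found; confirm whether a refresh is intended here.
     *
     * @param str user id
     * @param str2 new password, checked for complexity first
     */
    @Override // com.apusic.security.SecurityAdmin
    public Principal editUser(String str, String str2) throws RemoteException, SecurityAdminException {
        checkUserid(str);
        Security.checkPasswordComplexity(str2);
        factory().deleteUser(str);
        return factory().addUser(str, new Password(str2));
    }

    @Override // com.apusic.security.SecurityAdmin
    public Principal addUser(String str, String str2) throws RemoteException, SecurityAdminException {
        checkUserid(str);
        Security.checkPasswordComplexity(str2);
        Principal added = factory().addUser(str, new Password(str2));
        Policy.getPolicy().refresh();
        return added;
    }

    @Override // com.apusic.security.SecurityAdmin
    public void deleteUser(String str) throws RemoteException, SecurityAdminException {
        checkUserid(str);
        factory().deleteUser(str);
        Policy.getPolicy().refresh();
    }

    @Override // com.apusic.security.SecurityAdmin
    public void disableUser(String str) throws RemoteException, SecurityAdminException {
        checkUserid(str);
        factory().setUserDisabled(str, true);
    }

    @Override // com.apusic.security.SecurityAdmin
    public void enableUser(String str) throws RemoteException, SecurityAdminException {
        checkUserid(str);
        factory().setUserDisabled(str, false);
    }

    @Override // com.apusic.security.SecurityAdmin
    public boolean isUserDisabled(String str) throws RemoteException, SecurityAdminException {
        checkUserid(str);
        return factory().isUserDisabled(str);
    }

    /**
     * Changes a user's password. Only the new password is complexity-checked; the old
     * one is passed through for the master controller to verify.
     *
     * @param str user id
     * @param str2 current password
     * @param str3 new password
     */
    @Override // com.apusic.security.SecurityAdmin
    public void changePassword(String str, String str2, String str3) throws RemoteException, SecurityAdminException {
        checkUserid(str);
        Security.checkPasswordComplexity(str3);
        factory().changePassword(str, new Password(str2), new Password(str3));
    }

    @Override // com.apusic.security.SecurityAdmin
    public Collection<Group> getGroups() throws RemoteException {
        return factory().getGroups();
    }

    @Override // com.apusic.security.SecurityAdmin
    public Group addGroup(String str) throws RemoteException, SecurityAdminException {
        checkGroupName(str);
        return factory().addGroup(str);
    }

    @Override // com.apusic.security.SecurityAdmin
    public void deleteGroup(String str) throws RemoteException, SecurityAdminException {
        checkGroupName(str);
        factory().deleteGroup(str);
        Policy.getPolicy().refresh();
    }

    @Override // com.apusic.security.SecurityAdmin
    public boolean addUserToGroup(String str, String str2) throws RemoteException, SecurityAdminException {
        checkUserid(str);
        checkGroupName(str2);
        boolean changed = factory().addUserToGroup(str, str2);
        Policy.getPolicy().refresh();
        return changed;
    }

    @Override // com.apusic.security.SecurityAdmin
    public boolean removeUserFromGroup(String str, String str2) throws RemoteException, SecurityAdminException {
        checkUserid(str);
        checkGroupName(str2);
        boolean changed = factory().removeUserFromGroup(str, str2);
        Policy.getPolicy().refresh();
        return changed;
    }

    /** @return always true: an empty password is rejected by {@link #logonUser} */
    public boolean isCredentialRequired() {
        return true;
    }

    /** @return the current thread's top context, or the process context when the thread has none */
    @Override // com.apusic.security.SecurityController
    public SecurityContext getSecurityContext() {
        SecurityContext threadTop = getThreadSecurityContext();
        return threadTop != null ? threadTop : this.processContext;
    }

    private SecurityContext getProcessSecurityContext() {
        return this.processContext;
    }

    /** Replaces the process context unconditionally; not synchronized (see {@link #login}). */
    @Override // com.apusic.security.SecurityController
    public void setProcessSecurityContext(SecurityContext securityContext) {
        this.processContext = securityContext;
    }

    /** @return the current thread's top context, or null if its stack is absent or empty */
    private SecurityContext getThreadSecurityContext() {
        Stack<SecurityContext> stack = this.threadContext.get();
        if (stack == null || stack.empty()) {
            return null;
        }
        return stack.peek();
    }

    private void pushSecurityContext(SecurityContext securityContext) {
        Stack<SecurityContext> stack = this.threadContext.get();
        if (stack == null) {
            stack = new Stack<>();
            this.threadContext.set(stack);
        }
        stack.push(securityContext);
    }

    /**
     * @return the context removed from the current thread's stack
     * @throws EmptyStackException if the thread has no stack or it is empty
     */
    private SecurityContext popSecurityContext() {
        Stack<SecurityContext> stack = this.threadContext.get();
        if (stack == null) {
            throw new EmptyStackException();
        }
        return stack.pop();
    }

    /**
     * Checks a token handed to {@link #impersonate}. In the server process a token whose id
     * is cached is accepted when it equals the cached one; otherwise its signature is
     * verified with the master controller's verify key and, on success, the token is cached.
     * Outside the server process (not {@code isServer}) the only check is the type.
     * NOTE(review): confirm that unverified acceptance in client processes is intended.
     *
     * @param obj candidate token
     * @throws SecurityException if the object is not an {@link AccessToken} or verification fails
     */
    private void verifyAccessToken(Object obj) {
        if (!(obj instanceof AccessToken)) {
            throw new SecurityException("Bad access token");
        }
        if (!this.isServer) {
            return;
        }
        AccessToken token = (AccessToken) obj;
        AccessToken cached = getCachedAccessToken(token);
        boolean valid;
        if (cached != null) {
            valid = cached.equals(token);
        } else {
            PublicKey key = getVerifyKey();
            // a missing key (remote failure in getVerifyKey) fails closed
            valid = key != null && token.verify(key);
        }
        if (!valid) {
            this.log.fatal("ACCESS TOKEN VERIFYING FAILED: " + token.getPrincipalName() + " FROM " + token.getClientHost());
            throw new SecurityException("Bad access token");
        }
        cacheAccessToken(token);
    }

    private AccessToken getCachedAccessToken(AccessToken accessToken) {
        synchronized (this.tokenCache) {
            return this.tokenCache.get(accessToken.getId());
        }
    }

    private void cacheAccessToken(AccessToken accessToken) {
        // a clone of the id is used as key so the map never aliases the token's own id
        Object key = accessToken.getId().clone();
        synchronized (this.tokenCache) {
            this.tokenCache.put(key, accessToken);
        }
    }

    /**
     * Lazily fetches the verify key from the master controller.
     *
     * @return the key, or null if the remote fetch failed (logged at warning level)
     */
    private PublicKey getVerifyKey() {
        if (this.verifyKey == null) {
            try {
                this.verifyKey = factory().getVerifyKey();
            } catch (RemoteException e) {
                this.log.warning("THROW", e);
            }
        }
        return this.verifyKey;
    }

    private static void checkUserid(String str) {
        if (str == null || str.isEmpty()) {
            throw new IllegalArgumentException("User id is required");
        }
    }

    private static void checkGroupName(String str) {
        if (str == null || str.isEmpty()) {
            throw new IllegalArgumentException("Group name is required");
        }
    }

    /**
     * Converts the credential forms accepted by {@link #logonUser} into the object the
     * wire authenticators understand.
     *
     * <ul>
     *   <li>{@link GSSCredential}, {@link SSOCredential}, {@link CertPath}: returned as-is.</li>
     *   <li>{@code X509Certificate[]} or a single {@link X509Certificate}: wrapped in an X.509 CertPath.</li>
     *   <li>null, String or char[]: treated as a password; the user id is then required, and an
     *       empty password is rejected when {@code z} is true. The result is a
     *       {@link PasswordCredential} when {@code Security.getPwdTransEncrypted()} holds,
     *       otherwise a {@link PasswordCredential2}.</li>
     * </ul>
     *
     * @param str user id (checked only for password credentials)
     * @param obj raw credential
     * @param z whether an empty password must be rejected
     * @return the normalised credential
     * @throws IllegalArgumentException for an unrecognised form, a missing user id, an empty
     *         required password, or a certificate chain the X.509 factory rejects (cause attached)
     */
    private Object normalizeCredential(String str, Object obj, boolean z) {
        if (obj instanceof GSSCredential || obj instanceof SSOCredential || obj instanceof CertPath) {
            return obj;
        }
        try {
            if (obj instanceof X509Certificate[]) {
                return toCertPath((X509Certificate[]) obj);
            }
            if (obj instanceof X509Certificate) {
                return toCertPath((X509Certificate) obj);
            }
        } catch (CertificateException e) {
            throw new IllegalArgumentException("Invalid X.509 Certificate", e);
        }
        char[] secret;
        if (obj == null) {
            secret = new char[0];
        } else if (obj instanceof String) {
            secret = ((String) obj).toCharArray();
        } else if (obj instanceof char[]) {
            secret = (char[]) obj;
        } else {
            throw new IllegalArgumentException("Unrecoginized credential");
        }
        checkUserid(str);
        if (secret.length == 0 && z) {
            throw new IllegalArgumentException("Credential required");
        }
        return Security.getPwdTransEncrypted() ? new PasswordCredential(str, secret) : new PasswordCredential2(str, secret);
    }

    /**
     * Builds an X.509 {@link CertPath} from the given certificates, in order.
     *
     * @throws CertificateException if the X.509 factory is unavailable or rejects the chain
     */
    private static CertPath toCertPath(Certificate... certs) throws CertificateException {
        List<Certificate> chain = Utils.newList();
        for (Certificate cert : certs) {
            chain.add(cert);
        }
        return CertificateFactory.getInstance("X.509").generateCertPath(chain);
    }
}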
