package com.apusic.security;

import com.apusic.logging.Logger;
import com.apusic.security.auth.callback.DefaultCallbackHandler;
import com.apusic.server.Config;
import com.apusic.util.Utils;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.rmi.RemoteException;
import java.security.AccessControlContext;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.acl.Group;
import java.util.Collection;
import java.util.Enumeration;
import java.util.List;
import javax.rmi.PortableRemoteObject;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSManager;

/* loaded from: input_file:com/apusic/security/MasterSecurityControllerImpl.class */
public class MasterSecurityControllerImpl extends PortableRemoteObject implements MasterSecurityController {
    private SecurityService config;
    private String authHost;
    private int authPort;
    private SecureRandom prng;
    private KeyPair keyPair;
    private SecurityStore store;
    private Logger log = Logger.getLogger("service.Security");
    private String krb5Principal = null;
    private GSSCredential krb5Credential = null;

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:com/apusic/security/MasterSecurityControllerImpl$UnmodifiableGroup.class */
    public static class UnmodifiableGroup implements Group, Serializable {
        Group g;

        UnmodifiableGroup(Group group) {
            this.g = group;
        }

        @Override // java.security.acl.Group
        public boolean addMember(Principal principal) {
            throw new Error("Cannot add members to this group");
        }

        @Override // java.security.acl.Group
        public boolean removeMember(Principal principal) {
            throw new Error("Cannot remove members from this group");
        }

        @Override // java.security.acl.Group
        public boolean isMember(Principal principal) {
            return this.g.isMember(principal);
        }

        @Override // java.security.acl.Group
        public Enumeration<? extends Principal> members() {
            return this.g.members();
        }

        @Override // java.security.Principal
        public String getName() {
            return this.g.getName();
        }

        @Override // java.security.Principal
        public boolean equals(Object obj) {
            return this.g.equals(obj);
        }

        @Override // java.security.Principal
        public int hashCode() {
            return this.g.hashCode();
        }

        @Override // java.security.Principal
        public String toString() {
            return this.g.toString();
        }
    }

    public MasterSecurityControllerImpl(SecurityService securityService, String str, int i) throws RemoteException {
        this.config = securityService;
        this.authHost = str;
        this.authPort = i;
        createAuthKey();
        loadSecurityStore();
        if (securityService.isKrb5Enabled()) {
            initKrb5();
        }
    }

    @Override // com.apusic.security.MasterSecurityController
    public String getAuthenticatorHost() {
        return this.authHost;
    }

    @Override // com.apusic.security.MasterSecurityController
    public int getAuthenticatorPort() {
        return this.authPort;
    }

    private void createAuthKey() {
        final File file = Config.getFile("config/authkey.dat");
        if (file.exists()) {
            ObjectInputStream objectInputStream = null;
            try {
                objectInputStream = new ObjectInputStream(new FileInputStream(file));
                this.keyPair = (KeyPair) objectInputStream.readObject();
                if (objectInputStream != null) {
                    try {
                        objectInputStream.close();
                    } catch (Exception e) {
                    }
                }
            } catch (Exception e2) {
                if (objectInputStream != null) {
                    try {
                        objectInputStream.close();
                    } catch (Exception e3) {
                    }
                }
            } catch (Throwable th) {
                if (objectInputStream != null) {
                    try {
                        objectInputStream.close();
                    } catch (Exception e4) {
                    }
                }
                throw th;
            }
        }
        new Thread() { // from class: com.apusic.security.MasterSecurityControllerImpl.1
            @Override // java.lang.Thread, java.lang.Runnable
            public void run() {
                MasterSecurityControllerImpl.this.prng = new SecureRandom();
                if (MasterSecurityControllerImpl.this.keyPair != null) {
                    return;
                }
                try {
                    KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("DSA");
                    keyPairGenerator.initialize(512, MasterSecurityControllerImpl.this.prng);
                    MasterSecurityControllerImpl.this.keyPair = keyPairGenerator.generateKeyPair();
                    MasterSecurityControllerImpl.this.log.debug("Signature keys generated");
                    ObjectOutputStream objectOutputStream = null;
                    try {
                        try {
                            objectOutputStream = new ObjectOutputStream(new FileOutputStream(file));
                            objectOutputStream.writeObject(MasterSecurityControllerImpl.this.keyPair);
                            if (objectOutputStream != null) {
                                try {
                                    objectOutputStream.close();
                                } catch (Exception e5) {
                                }
                            }
                        } catch (Exception e6) {
                            MasterSecurityControllerImpl.this.log.error("Can't save signature keys", e6);
                            if (file.exists()) {
                                file.delete();
                            }
                            if (objectOutputStream != null) {
                                try {
                                    objectOutputStream.close();
                                } catch (Exception e7) {
                                }
                            }
                        }
                        synchronized (MasterSecurityControllerImpl.this) {
                            MasterSecurityControllerImpl.this.notifyAll();
                        }
                    } catch (Throwable th2) {
                        if (objectOutputStream != null) {
                            try {
                                objectOutputStream.close();
                            } catch (Exception e8) {
                            }
                        }
                        throw th2;
                    }
                } catch (Exception e9) {
                    MasterSecurityControllerImpl.this.log.error("Can't generate signature keys", e9);
                }
            }
        }.start();
    }

    private KeyPair getKeyPair() {
        if (this.keyPair == null) {
            synchronized (this) {
                while (this.keyPair == null) {
                    try {
                        wait();
                    } catch (Exception e) {
                    }
                }
            }
        }
        return this.keyPair;
    }

    private PrivateKey getSignKey() {
        return getKeyPair().getPrivate();
    }

    @Override // com.apusic.security.MasterSecurityController
    public PublicKey getVerifyKey() throws RemoteException {
        return getKeyPair().getPublic();
    }

    @Override // com.apusic.security.MasterSecurityController
    public SecureRandom getSecureRandom() {
        return this.prng;
    }

    @Override // com.apusic.security.MasterSecurityController
    public Object createAccessToken(String str, Principal principal, String str2) {
        AccessToken accessToken = new AccessToken(str, principal, str2);
        accessToken.sign(getSignKey());
        return accessToken;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public Object createServerAccessToken() {
        return createAccessToken(Security.SERVER.getName(), Security.SERVER, Config.getLocalHost());
    }

    @Override // com.apusic.security.MasterSecurityController
    public Object impersonate(String str) throws RemoteException {
        if (Security.getCurrentUser().equals(Security.SERVER)) {
            return createAccessToken(str, new PrincipalImpl(str), Config.getLocalHost());
        }
        throw new SecurityException("Not server process");
    }

    public Object createServerAccessToken(String str, Object obj) throws RemoteException, AuthenticationException {
        throw new Error("NYI");
    }

    private void initKrb5() {
        try {
            Class.forName("org.ietf.jgss.GSSManager");
            String krb5Principal = this.config.getKrb5Principal();
            if (krb5Principal == null || krb5Principal.length() == 0) {
                this.log.warning("No Kerberos server principal name specified.");
                return;
            }
            String krb5Password = this.config.getKrb5Password();
            if (krb5Password == null) {
                krb5Password = "";
            }
            try {
                LoginContext loginContext = new LoginContext("com.apusic.security.ServerLogin", new DefaultCallbackHandler(krb5Principal, krb5Password.toCharArray()));
                try {
                    loginContext.login();
                    try {
                        GSSCredential gSSCredential = (GSSCredential) Subject.doAsPrivileged(loginContext.getSubject(), new PrivilegedExceptionAction() { // from class: com.apusic.security.MasterSecurityControllerImpl.2
                            @Override // java.security.PrivilegedExceptionAction
                            public Object run() throws Exception {
                                return GSSManager.getInstance().createCredential(2);
                            }
                        }, (AccessControlContext) null);
                        this.krb5Principal = krb5Principal;
                        this.krb5Credential = gSSCredential;
                    } catch (PrivilegedActionException e) {
                        this.log.error("Cannot obtain Kerberos credentials", e);
                    }
                } catch (LoginException e2) {
                    this.log.error("Failed to authenticate server principal", e2);
                } catch (Exception e3) {
                    this.log.error("Failed to authenticate server principal", e3);
                }
            } catch (SecurityException e4) {
                this.log.error("Cannot create LoginContext", e4);
            } catch (LoginException e5) {
                this.log.error("Cannot create LoginContext", e5);
            }
        } catch (ClassNotFoundException e6) {
            this.log.warning("Kerberos authentication is only supported on JDK 1.4 or higher.");
        }
    }

    @Override // com.apusic.security.MasterSecurityController
    public String getKrb5Principal() {
        return this.krb5Principal;
    }

    @Override // com.apusic.security.MasterSecurityController
    public GSSCredential getKrb5Credential() {
        return this.krb5Credential;
    }

    private void loadSecurityStore() throws RemoteException {
        try {
            this.store = new SecurityStore();
            this.store.loadAll();
            if (!this.store.getUsers().hasMoreElements()) {
                this.store.addUser(new User(Security.customAdminName, new Password(Security.customAdminpwd)));
            }
            if (!this.store.getGroups().hasMoreElements()) {
                this.store.addGroup(Security.EVERYONE);
                this.store.addGroup(new GroupImpl(Security.ADMIN_GROUP_NAME));
            }
        } catch (Exception e) {
            throw new RemoteException("Could not load security database", e);
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public User findUser(String str) {
        return this.store.getUser(str);
    }

    @Override // com.apusic.security.MasterSecurityController
    public Principal getPrincipal(String str) throws RemoteException {
        Principal user = getUser(str);
        if (user != null) {
            return user;
        }
        Group group = getGroup(str);
        if (group != null) {
            return group;
        }
        return null;
    }

    @Override // com.apusic.security.MasterSecurityController
    public Principal getUser(String str) throws RemoteException {
        if (this.store.getUser(str) != null) {
            return new PrincipalImpl(str);
        }
        return null;
    }

    @Override // com.apusic.security.MasterSecurityController
    public Group getGroup(String str) throws RemoteException {
        Group group = this.store.getGroup(str);
        if (group != null) {
            return new UnmodifiableGroup(group);
        }
        return null;
    }

    @Override // com.apusic.security.MasterSecurityController
    public Collection<Principal> getUsers() throws RemoteException {
        Enumeration<User> users = this.store.getUsers();
        List newList = Utils.newList();
        while (users.hasMoreElements()) {
            newList.add(new PrincipalImpl(users.nextElement().getUserid()));
        }
        return newList;
    }

    @Override // com.apusic.security.MasterSecurityController
    public Principal addUser(String str, Password password) throws RemoteException, SecurityAdminException {
        checkAdminRole();
        if (isSpecialUser(str)) {
            throw new SecurityAdminException("Invalid user id");
        }
        if (password == null) {
            throw new SecurityAdminException("Invalid password");
        }
        try {
            boolean addUser = this.store.addUser(new User(str, password));
            this.log.info("Add user " + str);
            if (addUser) {
                return new PrincipalImpl(str);
            }
            throw new UserAlreadyExistsException(str);
        } catch (Exception e) {
            throw new RemoteException("Could not add user", e);
        }
    }

    @Override // com.apusic.security.MasterSecurityController
    public void deleteUser(String str) throws RemoteException, SecurityAdminException {
        checkAdminRole();
        if (isSelf(str)) {
            throw new SecurityAdminException("Delete self");
        }
        try {
            if (!this.store.deleteUser(str)) {
                throw new UserNotFoundException(str);
            }
        } catch (Exception e) {
            throw new RemoteException("Could not delete user", e);
        }
    }

    @Override // com.apusic.security.MasterSecurityController
    public void setUserDisabled(String str, boolean z) throws RemoteException, SecurityAdminException {
        checkAdminRole();
        if (z && isSelf(str)) {
            throw new SecurityAdminException("Disable self");
        }
        synchronized (this.store) {
            User user = this.store.getUser(str);
            if (user == null) {
                throw new UserNotFoundException();
            }
            try {
                user.setDisabled(z);
                this.store.updateUser(user);
            } catch (Exception e) {
                throw new RemoteException("Could not update user data", e);
            }
        }
    }

    @Override // com.apusic.security.MasterSecurityController
    public boolean isUserDisabled(String str) throws RemoteException, SecurityAdminException {
        User user = this.store.getUser(str);
        if (user == null) {
            throw new UserNotFoundException();
        }
        return user.isDisabled();
    }

    @Override // com.apusic.security.MasterSecurityController
    public void changePassword(String str, Password password, Password password2) throws RemoteException, SecurityAdminException {
        if (!isSelf(str) && !isCallerInAdminRole()) {
            throw new SecurityException("Only self or administrators can perform this operation");
        }
        if (password2 == null) {
            throw new SecurityAdminException("Invalid password");
        }
        synchronized (this.store) {
            User user = this.store.getUser(str);
            if (user == null) {
                throw new UserNotFoundException();
            }
            if (isSelf(str) && !user.getPassword().equals(password)) {
                throw new SecurityAdminException("Credential did not match");
            }
            try {
                user.setPassword(password2);
                this.store.updateUser(user);
            } catch (Exception e) {
                throw new RemoteException("Could not change credential", e);
            }
        }
    }

    @Override // com.apusic.security.MasterSecurityController
    public Collection<Group> getGroups() throws RemoteException {
        Enumeration<Group> groups = this.store.getGroups();
        List newList = Utils.newList();
        while (groups.hasMoreElements()) {
            newList.add(new UnmodifiableGroup(groups.nextElement()));
        }
        return newList;
    }

    @Override // com.apusic.security.MasterSecurityController
    public Group addGroup(String str) throws RemoteException, SecurityAdminException {
        checkAdminRole();
        GroupImpl groupImpl = new GroupImpl(str);
        try {
            if (this.store.addGroup(groupImpl)) {
                return new UnmodifiableGroup(groupImpl);
            }
            throw new GroupAlreadyExistsException();
        } catch (Exception e) {
            throw new RemoteException("Could not add group", e);
        }
    }

    @Override // com.apusic.security.MasterSecurityController
    public void deleteGroup(String str) throws RemoteException, SecurityAdminException {
        checkAdminRole();
        if (str.equals(Security.EVERYONE.getName()) || str.equals(Security.ADMIN_GROUP_NAME)) {
            throw new SecurityAdminException("Could not delete this group");
        }
        try {
            if (!this.store.deleteGroup(str)) {
                throw new GroupNotFoundException();
            }
        } catch (Exception e) {
            throw new RemoteException("Could not delete group", e);
        }
    }

    @Override // com.apusic.security.MasterSecurityController
    public boolean addUserToGroup(String str, String str2) throws RemoteException, SecurityAdminException {
        checkAdminRole();
        synchronized (this.store) {
            Principal user = getUser(str);
            if (user == null) {
                throw new UserNotFoundException();
            }
            Group group = this.store.getGroup(str2);
            if (group == null) {
                throw new GroupNotFoundException();
            }
            try {
                if (!group.addMember(user)) {
                    return false;
                }
                this.store.updateGroup(group);
                return true;
            } catch (Exception e) {
                throw new RemoteException("Could not add user to group", e);
            }
        }
    }

    @Override // com.apusic.security.MasterSecurityController
    public boolean removeUserFromGroup(String str, String str2) throws RemoteException, SecurityAdminException {
        checkAdminRole();
        synchronized (this.store) {
            Principal user = getUser(str);
            if (user == null) {
                throw new UserNotFoundException();
            }
            Group group = this.store.getGroup(str2);
            if (group == null) {
                throw new GroupNotFoundException();
            }
            try {
                if (!group.removeMember(user)) {
                    return false;
                }
                this.store.updateGroup(group);
                return true;
            } catch (Exception e) {
                throw new RemoteException("Could not remove user from group", e);
            }
        }
    }

    private boolean isSelf(String str) {
        return str.equals(Security.getCurrentUser().getName());
    }

    private boolean isCallerInAdminRole() {
        Principal currentUser = Security.getCurrentUser();
        if (currentUser.equals(Security.ADMIN)) {
            return true;
        }
        try {
            return getGroup(Security.ADMIN_GROUP_NAME).isMember(currentUser);
        } catch (RemoteException e) {
            return false;
        }
    }

    private void checkAdminRole() {
        Principal currentUser = Security.getCurrentUser();
        Group group = null;
        try {
            group = getGroup(Security.ADMIN_GROUP_NAME);
        } catch (RemoteException e) {
        }
        if ((group == null || !group.isMember(currentUser)) && !currentUser.equals(Security.ADMIN)) {
            this.log.fatal(currentUser.getName() + ": Perform administrative operation");
            throw new SecurityException("Only administrators can perform this operation");
        }
    }

    private boolean isSpecialUser(String str) {
        return str.startsWith("*") && str.endsWith("*");
    }
}
