package com.tangosol.net.security;

import com.tangosol.dev.tools.CommandLineTool;
import com.tangosol.net.CacheFactory;
import com.tangosol.net.ClusterPermission;
import com.tangosol.run.xml.SimpleParser;
import com.tangosol.run.xml.XmlDocument;
import com.tangosol.run.xml.XmlElement;
import com.tangosol.run.xml.XmlHelper;
import com.tangosol.util.Base;
import com.tangosol.util.ClassHelper;
import com.tangosol.util.ExternalizableHelper;
import com.tangosol.util.ListMap;
import com.tangosol.util.LiteSet;
import com.tangosol.util.NullImplementation;
import com.tangosol.util.Resources;
import com.tangosol.util.SafeHashMap;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.Serializable;
import java.net.URL;
import java.security.AccessControlException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.Permissions;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.SignatureException;
import java.security.SignedObject;
import java.security.cert.CertPath;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.x500.X500Principal;
import javax.security.auth.x500.X500PrivateCredential;
import org.springframework.validation.DataBinder;
import org.springframework.web.util.WebUtils;

/* loaded from: input_file:APP-INF/lib/coherence-3.5.jar:com/tangosol/net/security/DefaultController.class */
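/**
 * Default {@link AccessController} implementation (decompiled from coherence-3.5.jar).
 * <p>
 * Two responsibilities are visible in this class:
 * <ul>
 *   <li>{@link #checkPermission}: authorises a {@link ClusterPermission} for a {@link Subject}
 *       by looking up each of the subject's principals in an XML permissions document
 *       ({@code /grant/principal/name}, optionally qualified by {@code /grant/principal/class}).</li>
 *   <li>{@link #encrypt} / {@link #decrypt}: despite the names these provide integrity and
 *       origin authentication, not confidentiality. They sign a {@link Serializable} with a
 *       private key taken from the subject's private credentials, and verify a
 *       {@link SignedObject} with a public key that must be backed by a certificate present in
 *       the local keystore (see {@link #findPublicKeys}).</li>
 * </ul>
 * Trust boundaries: the keystore file and the permissions file are trusted configuration
 * (whoever can write them controls who is trusted and what they may do). The {@code Subject}
 * and {@code SignedObject} handed to {@code decrypt} come from a remote node and are treated as
 * untrusted until a signature has been verified against a keystore-backed key.
 * <p>
 * Thread-safety: instances are evidently meant to be shared between threads (the verified-key
 * cache is a {@link SafeHashMap}). A {@link Signature} carries per-operation state, so signing
 * and verification use a fresh engine per call instead of the shared {@link #SIGNATURE_ENGINE},
 * which is retained only for API compatibility.
 */
public final class DefaultController extends Base implements AccessController {
    /** System property naming an optional configuration resource for this controller. */
    public static final String PROPERTY_CONFIG = "tangosol.security.config";
    /** Keystore type, from {@code <keystore-type>} in the configuration; defaults to "JKS". */
    public static final String KEYSTORE_TYPE;
    /** Signature algorithm, from {@code <signature-algorithm>}; defaults to "SHA1withDSA". */
    public static final String SIGNATURE_ALGORITHM;
    /**
     * Signature engine created once at class-initialisation time. Kept for compatibility with
     * code that references it; it must not be used concurrently because a {@link Signature}
     * holds the key and buffered data of the operation in progress. Use
     * {@link #newSignatureEngine()} for actual signing/verification.
     */
    public static final Signature SIGNATURE_ENGINE;

    /** Keystore whose certificates define which remote signers this node trusts. */
    private KeyStore m_store;
    /** Parsed permissions document (a tree of {@code <grant>} elements). */
    private XmlElement m_xmlPermits;
    /**
     * Cache of Subject -> PublicKey for subjects whose signature has already been verified.
     * NOTE(review): entries are never evicted, so a certificate removed from the keystore later
     * keeps being accepted for the lifetime of this controller.
     */
    private Map m_mapPublicKey = new SafeHashMap();

    /**
     * Creates a controller backed by a keystore and an XML permissions file.
     *
     * @param file   the keystore file (type {@link #KEYSTORE_TYPE})
     * @param file2  the permissions XML file
     * @throws IOException            if the permissions file does not exist or is not readable
     * @throws AccessControlException declared for compatibility; not thrown by this constructor
     * @throws RuntimeException       (via {@code ensureRuntimeException}) if either file fails to load;
     *                                the message names the file that actually failed
     */
    public DefaultController(File file, File file2) throws IOException, AccessControlException {
        azzert((file == null || file2 == null) ? false : true, "Null files");
        if (!file2.exists() || !file2.canRead()) {
            throw new IOException("Permission file is not accessible: " + file2.getAbsolutePath());
        }
        // Load each file in its own helper so a permissions failure is not re-wrapped as a
        // keystore failure and so the streams are always closed.
        this.m_store = loadKeyStore(file);
        this.m_xmlPermits = loadPermissions(file2);
    }

    /** Loads the trust keystore from {@code file}; always closes the stream. */
    private static KeyStore loadKeyStore(File file) {
        FileInputStream in = null;
        try {
            in = new FileInputStream(file);
            KeyStore store = KeyStore.getInstance(KEYSTORE_TYPE);
            // NOTE(security): a null password means the keystore is loaded without its
            // integrity check (for JKS). Anyone who can write this file can add a trusted
            // signer, so it must be protected by filesystem permissions.
            store.load(in, null);
            return store;
        } catch (Exception e) {
            throw ensureRuntimeException(e, "Failed to load keystore: " + file.getAbsolutePath());
        } finally {
            closeStream(in);
        }
    }

    /** Parses the permissions XML from {@code file}; always closes the stream. */
    private static XmlElement loadPermissions(File file) {
        FileInputStream in = null;
        try {
            in = new FileInputStream(file);
            return new SimpleParser().parseXml(in);
        } catch (Exception e) {
            throw ensureRuntimeException(e, "Failed to load permissions: " + file.getAbsolutePath());
        } finally {
            closeStream(in);
        }
    }

    /** Closes {@code in} if non-null; a close failure cannot change an outcome already decided. */
    private static void closeStream(FileInputStream in) {
        if (in != null) {
            try {
                in.close();
            } catch (IOException ignored) {
                // the load has already succeeded or failed; nothing useful to do here
            }
        }
    }

    /**
     * Checks that at least one principal of {@code subject} has a grant implying
     * {@code clusterPermission}.
     *
     * @throws AccessControlException if no principal carries a sufficient grant
     */
    @Override // com.tangosol.net.security.AccessController
    public void checkPermission(ClusterPermission clusterPermission, Subject subject) {
        azzert(subject != null, "Null subject");
        Set setPrincipals = subject.getPrincipals();
        if (setPrincipals != null) {
            for (Iterator iter = setPrincipals.iterator(); iter.hasNext();) {
                Permissions perms = getClusterPermissions((Principal) iter.next());
                if (perms != null && perms.implies(clusterPermission)) {
                    return; // any single principal with a matching grant is sufficient
                }
            }
        }
        throw new AccessControlException("Unsufficient rights to perform the operation", clusterPermission);
    }

    /**
     * Signs {@code obj} with the first private key found in the subject's private credentials
     * (either a bare {@link PrivateKey} or the key inside an {@link X500PrivateCredential}).
     *
     * @return the signed object (the payload is serialized inside it, not encrypted)
     * @throws GeneralSecurityException if the subject has no usable private key
     */
    @Override // com.tangosol.net.security.AccessController
    public SignedObject encrypt(Object obj, Subject subject) throws IOException, GeneralSecurityException {
        azzert(obj instanceof Serializable, "Not serializable");
        azzert(subject != null, "No subject");
        Set setCreds = subject.getPrivateCredentials();
        if (setCreds == null) {
            throw new GeneralSecurityException("Subject without private credentials");
        }
        for (Iterator iter = setCreds.iterator(); iter.hasNext();) {
            Object cred = iter.next();
            PrivateKey key = null;
            if (cred instanceof PrivateKey) {
                key = (PrivateKey) cred;
            } else if (cred instanceof X500PrivateCredential) {
                key = ((X500PrivateCredential) cred).getPrivateKey();
            }
            if (key != null) {
                return encrypt((Serializable) obj, key);
            }
        }
        throw new GeneralSecurityException("Not sufficient credentials");
    }

    /**
     * Verifies {@code signedObject} as originating from {@code subject} and returns its payload.
     * <p>
     * Key selection, in order: a key cached from an earlier successful verification of the same
     * subject; the public keys of {@code subject2}'s certificates, if {@code subject2} is
     * "mostly equal" to {@code subject} (same principals and public credentials); otherwise the
     * keys of the subject's certificates that are present in the local keystore.
     *
     * @param subject  the claimed signer (remote, untrusted until verified)
     * @param subject2 an optional local subject known to be the same identity; may be null
     * @throws GeneralSecurityException if no candidate key verifies the signature
     */
    @Override // com.tangosol.net.security.AccessController
    public Object decrypt(SignedObject signedObject, Subject subject, Subject subject2) throws ClassNotFoundException, IOException, GeneralSecurityException {
        azzert(subject != null, "Null subject");

        PublicKey keyCached = (PublicKey) this.m_mapPublicKey.get(subject);
        if (keyCached != null) {
            return decrypt(signedObject, keyCached);
        }

        Set setKeys = null;
        if (subject2 != null) {
            Set setPubCreds = subject2.getPublicCredentials();
            if (setPubCreds != null && equalsMostly(subject2, subject)) {
                setKeys = extractPublicKeys(setPubCreds);
            }
        }
        if (setKeys == null) {
            setKeys = findPublicKeys(subject);
        }

        // Try each candidate; remember the last failure so the caller sees a real cause.
        GeneralSecurityException lastFailure = null;
        for (Iterator iter = setKeys.iterator(); iter.hasNext();) {
            PublicKey key = (PublicKey) iter.next();
            try {
                Object payload = decrypt(signedObject, key);
                this.m_mapPublicKey.put(subject, key);
                return payload;
            } catch (GeneralSecurityException e) {
                lastFailure = e;
            }
        }
        if (lastFailure != null) {
            throw lastFailure;
        }
        throw new GeneralSecurityException("Failed to match credentials for " + subject);
    }

    /** @return a copy of the permissions document; callers cannot mutate the live configuration */
    public XmlElement getPermissionsConfig() {
        return (XmlElement) this.m_xmlPermits.clone();
    }

    /**
     * Builds the {@link Permissions} granted to {@code principal} by the permissions document.
     * <p>
     * Matches the first {@code /grant/principal/name} equal to the principal's name; if that
     * {@code <principal>} also specifies a {@code <class>}, the principal's class name must match
     * it exactly. Each {@code <permission>} under the matching {@code <grant>} is instantiated
     * reflectively from its {@code <class>} (default {@code ClusterPermission}) with
     * ({@code <target>}, {@code <action>}) as constructor arguments.
     * <p>
     * NOTE(security): the permissions file is configuration, but it does drive
     * {@code Class.forName} + reflective construction; a malformed or non-ClusterPermission
     * entry is logged and skipped, not treated as a failure.
     *
     * @return the permissions, or null if the principal has no grant (or its class does not match)
     */
    protected Permissions getClusterPermissions(Principal principal) {
        XmlElement xmlName = XmlHelper.findElement(this.m_xmlPermits, "/grant/principal/name", principal.getName());
        if (xmlName == null) {
            return null;
        }
        XmlElement xmlPrincipal = xmlName.getSafeElement("../");
        String sClass = xmlPrincipal.getSafeElement("class").getString();
        if (sClass.length() > 0 && !principal.getClass().getName().equals(sClass)) {
            return null;
        }
        XmlElement xmlGrant = xmlPrincipal.getSafeElement("../");
        Permissions perms = new Permissions();
        for (Iterator iter = xmlGrant.getElements("permission"); iter.hasNext();) {
            XmlElement xmlPerm = (XmlElement) iter.next();
            try {
                String sPermClass = xmlPerm.getSafeElement("class").getString("com.tangosol.net.ClusterPermission");
                Object[] aoArgs = new Object[] {
                    xmlPerm.getSafeElement("target").getString(),
                    xmlPerm.getSafeElement("action").getString()
                };
                perms.add((ClusterPermission) ClassHelper.newInstance(Class.forName(sPermClass), aoArgs));
            } catch (Throwable t) {
                CacheFactory.log("Invalid permission element: " + xmlPerm + "\nreason: " + t, 2);
            }
        }
        return perms;
    }

    /** Signs {@code serializable} with {@code privateKey} using a per-call signature engine. */
    protected SignedObject encrypt(Serializable serializable, PrivateKey privateKey) throws IOException, GeneralSecurityException {
        return new SignedObject(serializable, privateKey, newSignatureEngine());
    }

    /**
     * Verifies the signature with {@code publicKey} and, only if it verifies, deserializes
     * the payload.
     * <p>
     * NOTE(security): {@link SignedObject#getObject()} is Java native deserialization; it is
     * gated on a successful signature check, so the payload is as trustworthy as the signer.
     *
     * @throws SignatureException if the signature does not verify under {@code publicKey}
     */
    protected Object decrypt(SignedObject signedObject, PublicKey publicKey) throws ClassNotFoundException, IOException, GeneralSecurityException {
        if (!signedObject.verify(publicKey, newSignatureEngine())) {
            throw new SignatureException("Invalid signature");
        }
        return signedObject.getObject();
    }

    /**
     * Returns a fresh {@link Signature} for {@link #SIGNATURE_ALGORITHM}. A Signature instance
     * is stateful (initSign/initVerify, buffered data), so sharing {@link #SIGNATURE_ENGINE}
     * between the concurrent callers this class is designed for would corrupt operations.
     */
    private static Signature newSignatureEngine() throws GeneralSecurityException {
        return Signature.getInstance(SIGNATURE_ALGORITHM);
    }

    /** @return true if both subjects have equal principal sets and equal public-credential sets */
    protected boolean equalsMostly(Subject subject, Subject subject2) {
        boolean fSamePrincipals = equals(subject.getPrincipals(), subject2.getPrincipals());
        return fSamePrincipals && equals(subject.getPublicCredentials(), subject2.getPublicCredentials());
    }

    /** @return the public keys of every certificate found by {@link #extractCertificates} */
    protected Set extractPublicKeys(Set set) {
        LiteSet setKeys = new LiteSet();
        for (Iterator iter = extractCertificates(set).iterator(); iter.hasNext();) {
            setKeys.add(((Certificate) iter.next()).getPublicKey());
        }
        return setKeys;
    }

    /**
     * Collects certificates from a credential set. A {@link CertPath} or {@code Certificate[]}
     * contributes only its first (end-entity) certificate; other credential types are logged
     * and ignored.
     */
    protected Set extractCertificates(Set set) {
        LiteSet setCerts = new LiteSet();
        for (Iterator iter = set.iterator(); iter.hasNext();) {
            Object cred = iter.next();
            if (cred instanceof CertPath) {
                List listCerts = ((CertPath) cred).getCertificates();
                if (!listCerts.isEmpty()) {
                    setCerts.add(listCerts.get(0));
                }
            } else if (cred instanceof Certificate) {
                setCerts.add(cred);
            } else if (cred instanceof Certificate[]) {
                Certificate[] aCert = (Certificate[]) cred;
                if (aCert.length > 0) {
                    setCerts.add(aCert[0]);
                }
            } else {
                CacheFactory.log("Unsupported credentials: " + cred.getClass(), 2);
            }
        }
        return setCerts;
    }

    /**
     * Finds the public keys that may be used to verify a remote {@code subject}.
     * <p>
     * This is the trust decision: a certificate from the subject's public credentials is
     * accepted only if that exact certificate is present in the local keystore
     * ({@code getCertificateAlias != null}) and is an {@link X509Certificate}. The issuer DN of
     * each accepted certificate is then collected, and every principal the subject claims must
     * appear among those issuer DNs, otherwise no keys are returned and the mismatch is logged.
     * NOTE(review): matching is against the issuer DN, not the subject DN of the certificate —
     * confirm this is the intended naming convention for principals.
     *
     * @return the accepted public keys; empty if the subject's principals cannot all be verified
     */
    protected Set findPublicKeys(Subject subject) throws GeneralSecurityException {
        KeyStore store = this.m_store;
        LiteSet setIssuers = new LiteSet();
        LiteSet setKeys = new LiteSet();
        for (Iterator iter = extractCertificates(subject.getPublicCredentials()).iterator(); iter.hasNext();) {
            Certificate cert = (Certificate) iter.next();
            if (cert instanceof X509Certificate && store.getCertificateAlias(cert) != null) {
                setIssuers.add(new X500Principal(((X509Certificate) cert).getIssuerDN().getName()));
                setKeys.add(cert.getPublicKey());
            }
        }
        if (!setIssuers.containsAll(subject.getPrincipals())) {
            CacheFactory.log("Unable to verify the Principal set: " + subject.getPrincipals(), 2);
            setKeys.clear();
        }
        return setKeys;
    }

    /**
     * Command-line self-test: logs in a requestor (and optionally a responder) via JAAS,
     * checks the permission locally, then simulates a request/response round trip over the
     * wire (serializing only principals and public credentials) and verifies both signatures.
     *
     * @param strArr {@code <target> <action> -keystore ... -requestor name!password [-responder ...]
     *               [-module ...] [-permits ...]}; see {@link #usage(String)}
     */
    public static void main(String[] strArr) throws Exception {
        if (strArr.length == 0) {
            usage(null);
            return;
        }
        try {
            ListMap mapArgs = CommandLineTool.parseArguments(strArr, new String[]{"keystore", "module", "permits", "responder", "requestor"}, true);
            String sTarget = (String) mapArgs.get(makeInteger(0));
            String sAction = (String) mapArgs.get(makeInteger(1));
            String sKeyStore = (String) mapArgs.get("keystore");
            String sModule = (String) mapArgs.get("module");
            String sPermits = (String) mapArgs.get("permits");
            String sRequestor = (String) mapArgs.get("requestor");
            String sResponder = (String) mapArgs.get("responder");
            if (sKeyStore == null || sRequestor == null) {
                usage("The 'keystore' and 'requestor' must be specified");
                return;
            }
            if (sPermits == null) {
                sPermits = "permissions.xml";
            }
            if (sModule == null) {
                sModule = "Coherence";
            }

            DefaultController controller = new DefaultController(new File(sKeyStore), new File(sPermits));
            ClusterPermission permission = new ClusterPermission(sTarget, sAction);

            Subject subjRequestor = login(sModule, sRequestor, "Requestor");
            if (subjRequestor == null) {
                return; // usage already printed
            }
            Subject subjResponder = subjRequestor;
            if (sResponder != null) {
                subjResponder = login(sModule, sResponder, "Responder");
                if (subjResponder == null) {
                    return;
                }
            }

            out("Requestor:");
            for (Iterator iter = subjRequestor.getPrincipals().iterator(); iter.hasNext();) {
                Principal principal = (Principal) iter.next();
                out("  " + principal.getClass().getName() + " " + principal.getName());
            }
            out("Permission:");
            out("  " + permission);

            try {
                out("*** Checking local access permission...");
                controller.checkPermission(permission, subjRequestor);

                out("*** Encrypting access permission request...");
                SignedObject request = controller.encrypt(permission, subjRequestor);

                out(">>> Transfering access permission request...");
                // What the responder sees: principals + public credentials only, no private keys.
                Subject subjRequestorRemote = detach(subjRequestor);
                SignedObject requestRemote = (SignedObject) transfer(request);

                out("### Decrypting access permission request...");
                ClusterPermission permissionRemote = (ClusterPermission) controller.decrypt(requestRemote, subjRequestorRemote, subjResponder);
                azzert(equals(permission, permissionRemote));

                out("### Checking remote access permission...");
                controller.checkPermission(permissionRemote, subjRequestorRemote);

                out("### Encrypting access permission response...");
                SignedObject response = controller.encrypt(permissionRemote, subjResponder);

                out("<<< Transfering access permission response...");
                Subject subjResponderRemote = detach(subjResponder);
                SignedObject responseRemote = (SignedObject) transfer(response);

                out("*** Decrypting access permission response...");
                azzert(equals(permission, (ClusterPermission) controller.decrypt(responseRemote, subjResponderRemote, subjRequestor)));
                out("Done.");
            } catch (Exception e) {
                err("Failed to encrypt/decrypt the permission");
                err((Throwable) e);
            }
        } catch (IllegalArgumentException e) {
            usage(e.getMessage());
        }
    }

    /**
     * Logs in via JAAS using a {@code name!password} pair.
     *
     * @param sRole "Requestor" or "Responder", used only in messages
     * @return the authenticated subject, or null (after printing usage) if the password is missing
     * @throws RuntimeException if authentication fails; the message names the user but,
     *         unlike the original, never echoes the password
     */
    private static Subject login(String sModule, String sCredentials, String sRole) {
        String[] asParts = Base.parseDelimitedString(sCredentials, '!');
        if (asParts.length < 2) {
            usage(sRole + "'s password is missing");
            return null;
        }
        try {
            LoginContext ctx = new LoginContext(sModule, new SimpleHandler(asParts[0], asParts[1].toCharArray()));
            ctx.login();
            return ctx.getSubject();
        } catch (Exception e) {
            throw ensureRuntimeException(e, sRole + "'s authentication failed:" + asParts[0]);
        }
    }

    /** Simulates sending {@code o} over the wire by serializing and deserializing it. */
    private static Object transfer(Object o) {
        return ExternalizableHelper.fromBinary(ExternalizableHelper.toBinary(o));
    }

    /** Builds the read-only subject a remote node would reconstruct: no private credentials. */
    private static Subject detach(Subject subject) {
        return new Subject(true, (Set) transfer(subject.getPrincipals()), (Set) transfer(subject.getPublicCredentials()), NullImplementation.getSet());
    }

    /** Prints an optional message followed by the command-line usage text. */
    private static void usage(String str) {
        if (str != null) {
            out("\n*** " + str);
        }
        out("\nUsage:\n    java com.tangosol.net.DefaultController <target> <action> -[<option>]*\n\nwhere options include:\n   -keystore <keystore path>   the path to the keystore\n   -module:<name>              the login module name\n   -permits:<permits path>     the path to permissions file\n   -requestor:<name!password>  the requestor's name/password pair\n   -responder:<name!password>  the responder's name/password pair\n");
    }

    /*
     * Resolves KEYSTORE_TYPE / SIGNATURE_ALGORITHM: first from the resource named by the
     * PROPERTY_CONFIG system property, then from the built-in configuration next to this class,
     * and finally from the hard-coded defaults. Every load failure is reported on stderr rather
     * than silently ignored, and a missing document no longer causes an NPE here.
     */
    static {
        String sKeyStoreType = "JKS";
        String sSigAlgorithm = "SHA1withDSA";
        XmlDocument xmlConfig = null;

        String sConfig = System.getProperty(PROPERTY_CONFIG);
        if (sConfig != null && sConfig.length() > 0) {
            Throwable tFailure = null;
            URL url = Resources.findResource(sConfig, null);
            if (url != null) {
                try {
                    xmlConfig = XmlHelper.loadXml(url.openStream());
                } catch (Throwable t) {
                    tFailure = t;
                }
            }
            if (xmlConfig == null) {
                err("Unable to load DefaultController configuration file \"" + sConfig + "\";");
                if (tFailure != null) {
                    err(tFailure);
                }
                err("Using default configuration.");
            }
        }

        if (xmlConfig == null) {
            try {
                xmlConfig = XmlHelper.loadXml(DefaultController.class, "ISO-8859-1");
            } catch (Throwable t) {
                // previously swallowed; surface it so a broken jar is diagnosable
                err("Unable to load the built-in DefaultController configuration; using hard-coded defaults.");
                err(t);
            }
        }

        if (xmlConfig != null) {
            sKeyStoreType = xmlConfig.getSafeElement("keystore-type").getString(sKeyStoreType);
            sSigAlgorithm = xmlConfig.getSafeElement("signature-algorithm").getString(sSigAlgorithm);
        }

        try {
            Signature signature = Signature.getInstance(sSigAlgorithm);
            KEYSTORE_TYPE = sKeyStoreType;
            SIGNATURE_ALGORITHM = sSigAlgorithm;
            SIGNATURE_ENGINE = signature;
        } catch (Exception e) {
            // an unknown algorithm makes the class unusable; fail class initialisation
            throw new ExceptionInInitializerError(e);
        }
    }
}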
