package com.hazelcast.security.impl;

import com.hazelcast.config.InvalidConfigurationException;
import com.hazelcast.config.PermissionConfig;
import com.hazelcast.config.PermissionPolicyConfig;
import com.hazelcast.config.SecurityConfig;
import com.hazelcast.config.SecurityInterceptorConfig;
import com.hazelcast.instance.impl.Node;
import com.hazelcast.internal.nio.ClassLoaderUtil;
import com.hazelcast.internal.nio.Connection;
import com.hazelcast.internal.nio.IOUtil;
import com.hazelcast.internal.util.ExceptionUtil;
import com.hazelcast.jet.impl.observer.ObservableImpl;
import com.hazelcast.logging.ILogger;
import com.hazelcast.security.Credentials;
import com.hazelcast.security.ICredentialsFactory;
import com.hazelcast.security.IPermissionPolicy;
import com.hazelcast.security.Parameters;
import com.hazelcast.security.SecureCallable;
import com.hazelcast.security.SecurityContext;
import com.hazelcast.security.SecurityInterceptor;
import com.hazelcast.security.permission.RingBufferPermission;
import com.hazelcast.sql.impl.security.SqlSecurityContext;
import java.io.IOException;
import java.io.InputStream;
import java.security.AccessControlException;
import java.security.Permission;
import java.security.PermissionCollection;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Properties;
import java.util.Set;
import java.util.concurrent.Callable;
import java.util.concurrent.atomic.AtomicBoolean;
import java.util.logging.Level;
import javax.security.auth.Subject;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/* loaded from: input_file:com/hazelcast/security/impl/SecurityContextImpl.class */
public class SecurityContextImpl implements SecurityContext {
    private static final ThreadLocal<ParametersImpl> THREAD_LOCAL_PARAMETERS = new ThreadLocal<>();
    private final ILogger logger;
    private final Node node;
    private final IPermissionPolicy policy;
    private final ICredentialsFactory credentialsFactory;
    private final Configuration memberConfiguration;
    private final Configuration clientConfiguration;
    private final List<SecurityInterceptor> interceptors;
    private final Map<String, Map<String, String>> serviceToMethod = new HashMap();
    private final Parameters emptyParameters = new EmptyParametersImpl();
    private final AtomicBoolean refreshPermissionsInProgress = new AtomicBoolean();

    public SecurityContextImpl(Node node) {
        this.node = node;
        this.logger = node.getLogger("com.hazelcast.security");
        this.logger.log(Level.INFO, "Initializing Hazelcast Enterprise security context.");
        SecurityConfig securityConfig = node.config.getSecurityConfig();
        PermissionPolicyConfig clientPolicyConfig = securityConfig.getClientPolicyConfig();
        if (clientPolicyConfig.getClassName() == null) {
            clientPolicyConfig.setClassName(SecurityConstants.DEFAULT_POLICY_CLASS);
        }
        IPermissionPolicy implementation = clientPolicyConfig.getImplementation();
        this.policy = implementation == null ? (IPermissionPolicy) createImplInstance(node.getConfigClassLoader(), clientPolicyConfig.getClassName()) : implementation;
        this.policy.configure(node.config, clientPolicyConfig.getProperties());
        String checkRealmExists = checkRealmExists(securityConfig.getMemberRealm(), securityConfig, "Member");
        String checkRealmExists2 = checkRealmExists(securityConfig.getClientRealm(), securityConfig, "Client");
        ICredentialsFactory realmCredentialsFactory = securityConfig.getRealmCredentialsFactory(checkRealmExists);
        this.credentialsFactory = realmCredentialsFactory == null ? new DefaultCredentialsFactory() : realmCredentialsFactory;
        this.credentialsFactory.configure(new NodeCallbackHandler(node));
        this.memberConfiguration = new LoginConfigurationDelegate(securityConfig.getRealmLoginModuleConfigs(checkRealmExists));
        this.clientConfiguration = new LoginConfigurationDelegate(securityConfig.getRealmLoginModuleConfigs(checkRealmExists2));
        if (this.logger.isFineEnabled()) {
            this.logger.fine("Member Login configuration: " + this.memberConfiguration);
            this.logger.fine("Client Login configuration: " + this.clientConfiguration);
        }
        List<SecurityInterceptorConfig> securityInterceptorConfigs = securityConfig.getSecurityInterceptorConfigs();
        this.interceptors = new ArrayList(securityInterceptorConfigs.size());
        Iterator<SecurityInterceptorConfig> it = securityInterceptorConfigs.iterator();
        while (it.hasNext()) {
            addInterceptors(it.next());
        }
        fillServiceToMethodMap();
    }

    private String checkRealmExists(String str, SecurityConfig securityConfig, String str2) {
        if (str == null || securityConfig.isRealm(str)) {
            return str;
        }
        throw new InvalidConfigurationException("Realm name '" + str + "' used in " + str2 + " configuration doesn't exists");
    }

    private void fillServiceToMethodMap() {
        Properties properties = new Properties();
        InputStream resourceAsStream = SecureCallableImpl.class.getClassLoader().getResourceAsStream("permission-mapping.properties");
        try {
            try {
                properties.load(resourceAsStream);
                IOUtil.closeResource(resourceAsStream);
                for (Map.Entry entry : properties.entrySet()) {
                    String str = (String) entry.getKey();
                    String str2 = (String) entry.getValue();
                    int indexOf = str.indexOf(46);
                    if (indexOf != -1) {
                        String substring = str.substring(0, indexOf);
                        this.serviceToMethod.computeIfAbsent(substring, str3 -> {
                            return new HashMap();
                        }).put(str.substring(indexOf + 1), str2);
                    }
                }
            } catch (IOException e) {
                throw ExceptionUtil.rethrow(e);
            }
        } catch (Throwable th) {
            IOUtil.closeResource(resourceAsStream);
            throw th;
        }
    }

    public Map<String, Map<String, String>> getServiceToMethod() {
        return this.serviceToMethod;
    }

    @Override // com.hazelcast.security.SecurityContext
    public void interceptBefore(Credentials credentials, String str, String str2, String str3, Object[] objArr) throws AccessControlException {
        if (this.interceptors.isEmpty()) {
            return;
        }
        Parameters arguments = getArguments(objArr);
        Iterator<SecurityInterceptor> it = this.interceptors.iterator();
        while (it.hasNext()) {
            try {
                it.next().before(credentials, str, str2, str3, arguments);
            } catch (Throwable th) {
                throw new AccessControlException(th.getMessage());
            }
        }
    }

    @Override // com.hazelcast.security.SecurityContext
    public void interceptAfter(Credentials credentials, String str, String str2, String str3) {
        if (this.interceptors.isEmpty()) {
            return;
        }
        Parameters arguments = getArguments();
        for (SecurityInterceptor securityInterceptor : this.interceptors) {
            try {
                securityInterceptor.after(credentials, str, str2, str3, arguments);
            } catch (Throwable th) {
                this.logger.warning("Exception during interceptor.after " + securityInterceptor);
            }
        }
    }

    @Override // com.hazelcast.security.SecurityContext
    public LoginContext createMemberLoginContext(String str, Credentials credentials, Connection connection) throws LoginException {
        this.logger.log(Level.FINEST, "Creating Member LoginContext for: " + credentials);
        Thread currentThread = Thread.currentThread();
        ClassLoader contextClassLoader = currentThread.getContextClassLoader();
        try {
            currentThread.setContextClassLoader(SecurityContextImpl.class.getClassLoader());
            LoginContext loginContext = new LoginContext(this.node.getConfig().getClusterName(), new Subject(), new ClusterCallbackHandler(str, credentials, connection, this.node), this.memberConfiguration);
            currentThread.setContextClassLoader(contextClassLoader);
            return loginContext;
        } catch (Throwable th) {
            currentThread.setContextClassLoader(contextClassLoader);
            throw th;
        }
    }

    @Override // com.hazelcast.security.SecurityContext
    public LoginContext createClientLoginContext(String str, Credentials credentials, Connection connection) throws LoginException {
        this.logger.log(Level.FINEST, "Creating Client LoginContext for: " + credentials);
        Thread currentThread = Thread.currentThread();
        ClassLoader contextClassLoader = currentThread.getContextClassLoader();
        try {
            LoginContext loginContext = new LoginContext(this.node.getConfig().getClusterName(), new Subject(), new ClusterCallbackHandler(str, credentials, connection, this.node), this.clientConfiguration);
            currentThread.setContextClassLoader(contextClassLoader);
            return loginContext;
        } catch (Throwable th) {
            currentThread.setContextClassLoader(contextClassLoader);
            throw th;
        }
    }

    @Override // com.hazelcast.security.SecurityContext
    public ICredentialsFactory getCredentialsFactory() {
        return this.credentialsFactory;
    }

    @Override // com.hazelcast.security.SecurityContext
    public void checkPermission(Subject subject, Permission permission) throws SecurityException {
        Permission stripJetInternalPrefix = stripJetInternalPrefix(permission);
        PermissionCollection permissions = this.policy.getPermissions(subject, stripJetInternalPrefix.getClass());
        if (!(permissions != null && permissions.implies(stripJetInternalPrefix))) {
            throw new AccessControlException("Permission " + stripJetInternalPrefix + " denied!", stripJetInternalPrefix);
        }
    }

    @Override // com.hazelcast.security.SecurityContext
    public <V> SecureCallable<V> createSecureCallable(Subject subject, Callable<V> callable) {
        return new SecureCallableImpl(subject, callable, this.serviceToMethod);
    }

    @Override // com.hazelcast.security.SecurityContext
    public <V> SecureCallable<?> createSecureCallable(Subject subject, Runnable runnable) {
        return new SecureCallableImpl(subject, runnable, this.serviceToMethod);
    }

    @Override // com.hazelcast.security.SecurityContext
    public void destroy() {
        this.logger.log(Level.INFO, "Destroying Hazelcast Enterprise security context.");
        this.policy.destroy();
        this.credentialsFactory.destroy();
    }

    @Override // com.hazelcast.security.SecurityContext
    public void refreshPermissions(Set<PermissionConfig> set) {
        if (!this.refreshPermissionsInProgress.compareAndSet(false, true)) {
            throw new IllegalStateException("Permissions could not be refreshed, another update is in progress.");
        }
        this.policy.refreshPermissions(SecurityServiceImpl.clonePermissionConfigs(set));
        ((SecurityServiceImpl) this.node.getSecurityService()).setPermissionConfigs(set);
        this.refreshPermissionsInProgress.set(false);
    }

    @Override // com.hazelcast.security.SecurityContext
    public SqlSecurityContext createSqlContext(Subject subject) {
        return new SqlSecurityContextImpl(this, subject);
    }

    public ILogger getLogger(String str) {
        return this.node.getLogger(str);
    }

    private void addInterceptors(SecurityInterceptorConfig securityInterceptorConfig) {
        SecurityInterceptor implementation = securityInterceptorConfig.getImplementation();
        String className = securityInterceptorConfig.getClassName();
        if (implementation == null && className != null) {
            try {
                implementation = (SecurityInterceptor) ClassLoaderUtil.newInstance(this.node.getConfigClassLoader(), className);
            } catch (Exception e) {
                throw ExceptionUtil.rethrow(e);
            }
        }
        if (implementation != null) {
            this.interceptors.add(implementation);
        }
    }

    private Parameters getArguments(Object[] objArr) {
        if (objArr == null) {
            return this.emptyParameters;
        }
        ParametersImpl parametersImpl = THREAD_LOCAL_PARAMETERS.get();
        if (parametersImpl == null) {
            parametersImpl = new ParametersImpl(this.node.getSerializationService());
            THREAD_LOCAL_PARAMETERS.set(parametersImpl);
        }
        parametersImpl.setArgs(objArr);
        return parametersImpl;
    }

    static Parameters getArguments() {
        return THREAD_LOCAL_PARAMETERS.get();
    }

    private Object createImplInstance(ClassLoader classLoader, String str) {
        try {
            return ClassLoaderUtil.newInstance(classLoader, str);
        } catch (Exception e) {
            throw new IllegalArgumentException("Could not create instance of '" + str + "', cause: " + e.getMessage(), e);
        }
    }

    private Permission stripJetInternalPrefix(Permission permission) {
        String name = permission.getName();
        return name.startsWith(ObservableImpl.JET_OBSERVABLE_NAME_PREFIX) ? new RingBufferPermission(name.substring(ObservableImpl.JET_OBSERVABLE_NAME_PREFIX.length()), permission.getActions()) : permission;
    }
}
