package org.codice.ddf.security.common;

import ddf.security.Subject;
import ddf.security.assertion.SecurityAssertion;
import ddf.security.common.audit.SecurityLogger;
import ddf.security.service.SecurityManager;
import ddf.security.service.SecurityServiceException;
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.lang.reflect.InvocationTargetException;
import java.nio.file.Files;
import java.nio.file.OpenOption;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.AccessController;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.PrivilegedAction;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Date;
import java.util.HashSet;
import java.util.concurrent.Callable;
import java.util.concurrent.TimeUnit;
import javax.validation.constraints.NotNull;
import org.apache.commons.lang.Validate;
import org.apache.karaf.jaas.boot.principal.RolePrincipal;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.UnavailableSecurityManagerException;
import org.apache.shiro.subject.ExecutionException;
import org.codice.ddf.security.handler.api.GuestAuthenticationToken;
import org.codice.ddf.security.handler.api.PKIAuthenticationToken;
import org.codice.ddf.security.handler.api.PKIAuthenticationTokenFactory;
import org.codice.ddf.security.handler.api.UPAuthenticationToken;
import org.jvnet.jaxb2_commons.lang.StringUtils;
import org.osgi.framework.Bundle;
import org.osgi.framework.BundleContext;
import org.osgi.framework.FrameworkUtil;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:ddf-security-common-2.9.1.jar:org/codice/ddf/security/common/Security.class */
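/**
 * Singleton entry point for obtaining security subjects and for running code with elevated
 * privileges.
 *
 * <p>This class sits on a privilege boundary: it can mint a "system" subject from the platform
 * keystore certificate and exposes {@code runAsAdmin*} helpers that execute caller-supplied code
 * as a Java subject holding every role listed in the {@code karaf.local.roles} system property.
 * Callers should treat every method here as security sensitive.
 *
 * <p>Thread-safety: only {@link #getSystemSubject()} is synchronized; it guards the cached system
 * subject. The remaining methods hold no mutable state of their own.
 */
public class Security {
    private static final String INSUFFICIENT_PERMISSIONS_ERROR = "Current user doesn't have sufficient privileges to run this command";
    private static final String KARAF_LOCAL_ROLE = "karaf.local.roles";
    private static final String KEYSTORE_TYPE_PROPERTY = "javax.net.ssl.keyStoreType";
    private static final String KEYSTORE_PATH_PROPERTY = "javax.net.ssl.keyStore";
    private static final String KEYSTORE_PASSWORD_PROPERTY = "javax.net.ssl.keyStorePassword";
    private static final String DDF_HOME_PROPERTY = "ddf.home";
    // Cached result of the last successful system-subject request; guarded by getSystemSubject().
    private Subject cachedSystemSubject;
    private static final Security INSTANCE = new Security();
    private static final Logger LOGGER = LoggerFactory.getLogger(Security.class);
    private static final javax.security.auth.Subject JAVA_ADMIN_SUBJECT = getAdminJavaSubject();

    private Security() {
    }

    /**
     * Returns the process-wide instance.
     *
     * @return the singleton {@code Security} object
     */
    public static Security getInstance() {
        return INSTANCE;
    }

    /**
     * Requests a subject for a username/password pair.
     *
     * @param str the user name; it is also written to the error log when the request fails
     * @param str2 the second argument handed to {@link UPAuthenticationToken} (presumably the
     *     password - confirm against that class); it is never logged here
     * @return the authenticated subject, or {@code null} when no security manager is available or
     *     the request fails
     */
    public Subject getSubject(String str, String str2) {
        UPAuthenticationToken credentials = new UPAuthenticationToken(str, str2);
        SecurityManager securityManager = getSecurityManager();
        if (securityManager == null) {
            return null;
        }
        try {
            return securityManager.getSubject(credentials);
        } catch (SecurityServiceException | RuntimeException e) {
            // NOTE(review): the user name is caller-controlled and is logged verbatim; confirm the
            // logging layout neutralises CR/LF so a crafted name cannot forge log entries.
            LOGGER.error("Unable to request subject for {} user.", str, e);
            return null;
        }
    }

    /**
     * Checks whether the Java subject bound to the current access-control context holds every role
     * named in the {@code karaf.local.roles} system property.
     *
     * @return {@code true} only when a subject is present and it carries all of the listed roles
     */
    public boolean javaSubjectHasAdminRole() {
        javax.security.auth.Subject current = javax.security.auth.Subject.getSubject(AccessController.getContext());
        if (current == null) {
            return false;
        }
        return current.getPrincipals().containsAll(localRolePrincipals());
    }

    /**
     * Runs the callable as the current Shiro subject, falling back to the system subject when no
     * Shiro subject is bound to the thread.
     *
     * <p>The fallback is a privilege elevation: the callable then executes as the system subject.
     * It only happens when {@link #getSystemSubject()} succeeds, which in turn requires the
     * calling Java subject to hold the local admin roles. Both the elevation and the refusal are
     * written to the security audit log.
     *
     * @param callable the work to run; must not be {@code null}
     * @param <T> result type of the callable
     * @return whatever the callable returns
     * @throws SecurityServiceException when no Shiro subject is available and the system subject
     *     cannot be obtained
     * @throws InvocationTargetException wrapping the cause of a Shiro {@code ExecutionException}
     *     raised while running the callable
     */
    public <T> T runWithSubjectOrElevate(@NotNull Callable<T> callable) throws SecurityServiceException, InvocationTargetException {
        Validate.notNull(callable, "Callable cannot be null");
        try {
            try {
                return SecurityUtils.getSubject().execute(callable);
            } catch (IllegalStateException | UnavailableSecurityManagerException e) {
                LOGGER.debug("No shiro subject available for running command, trying with Java Subject");
                Subject systemSubject = getSystemSubject();
                if (systemSubject == null) {
                    SecurityLogger.audit(INSUFFICIENT_PERMISSIONS_ERROR);
                    throw new SecurityServiceException(INSUFFICIENT_PERMISSIONS_ERROR);
                }
                SecurityLogger.auditWarn("Elevating current user permissions to use System subject");
                return systemSubject.execute(callable);
            }
        } catch (ExecutionException e) {
            throw new InvocationTargetException(e.getCause());
        }
    }

    /**
     * Returns the system subject, creating or refreshing it from the platform keystore
     * certificate when the cached one is missing or within one minute of expiry.
     *
     * <p>Access is gated on {@link #javaSubjectHasAdminRole()}; a refusal is audited. If a refresh
     * attempt fails at the security manager, the previously cached subject (which may be
     * {@code null} or close to expiry) is returned unchanged.
     *
     * @return the system subject, or {@code null} when the caller lacks the admin roles or no
     *     usable X.509 certificate could be read from the keystore
     */
    public synchronized Subject getSystemSubject() {
        if (!javaSubjectHasAdminRole()) {
            SecurityLogger.audit("Unable to retrieve system subject.");
            return null;
        }
        if (!tokenAboutToExpire(this.cachedSystemSubject)) {
            return this.cachedSystemSubject;
        }
        KeyStore systemKeyStore = getSystemKeyStore();
        String alias = null;
        Certificate certificate = null;
        if (systemKeyStore != null) {
            try {
                int entryCount = systemKeyStore.size();
                if (entryCount == 1) {
                    alias = systemKeyStore.aliases().nextElement();
                } else if (entryCount > 1) {
                    alias = getCertificateAlias();
                }
                // An empty keystore or an unset hostname property leaves the alias null; looking
                // up a null alias is not safe on every keystore provider, so skip the lookup.
                if (alias != null) {
                    certificate = systemKeyStore.getCertificate(alias);
                }
            } catch (KeyStoreException e) {
                LOGGER.error("Unable to get certificate for alias [{}]", alias, e);
                return null;
            }
        }
        if (certificate == null) {
            LOGGER.error("Unable to get certificate for alias [{}]", alias);
            return null;
        }
        if (!(certificate instanceof X509Certificate)) {
            // Refuse rather than fail with a ClassCastException on the cast below.
            LOGGER.error("Certificate for alias [{}] is not an X.509 certificate", alias);
            return null;
        }
        PKIAuthenticationToken pkiToken = createPKITokenFactory().getTokenFromCerts(new X509Certificate[]{(X509Certificate) certificate}, "karaf");
        if (pkiToken != null) {
            SecurityManager securityManager = getSecurityManager();
            if (securityManager != null) {
                try {
                    this.cachedSystemSubject = securityManager.getSubject(pkiToken);
                } catch (SecurityServiceException e) {
                    LOGGER.error("Unable to request subject for system user.", e);
                }
            }
        }
        return this.cachedSystemSubject;
    }

    /**
     * Requests a guest subject.
     *
     * @param str value passed as the second argument of {@link GuestAuthenticationToken} and
     *     written to the debug log (presumably an identifier of the guest client - confirm)
     * @return the guest subject, or {@code null} when no security manager is available or the
     *     request fails
     */
    public Subject getGuestSubject(String str) {
        GuestAuthenticationToken guestToken = new GuestAuthenticationToken("karaf", str);
        LOGGER.debug("Getting new Guest user token for {}", str);
        SecurityManager securityManager = getSecurityManager();
        if (securityManager == null) {
            // Same outcome as getSubject(String, String): no manager means no subject.
            return null;
        }
        try {
            return securityManager.getSubject(guestToken);
        } catch (SecurityServiceException e) {
            LOGGER.warn("Unable to request subject for guest user.", e);
            return null;
        }
    }

    /**
     * Tells whether the subject needs a fresh security token.
     *
     * @param subject the subject to inspect; may be {@code null}
     * @return {@code true} when the subject, its principals or its security assertion is missing,
     *     or when its token expires within one minute
     */
    public boolean tokenAboutToExpire(Subject subject) {
        SecurityAssertion assertion = findAssertion(subject);
        if (assertion == null) {
            return true;
        }
        return assertion.getSecurityToken().isAboutToExpire(TimeUnit.MINUTES.toSeconds(1L));
    }

    /**
     * Returns the expiry time of the subject's security token.
     *
     * @param subject the subject to inspect; may be {@code null}
     * @return the token expiry, or {@code null} when the subject carries no security assertion
     */
    public Date getExpires(Subject subject) {
        SecurityAssertion assertion = findAssertion(subject);
        if (assertion == null) {
            return null;
        }
        return assertion.getSecurityToken().getExpires();
    }

    /**
     * Looks up the security manager service through this bundle's context.
     *
     * @return the security manager, or {@code null} when the class is not running inside a bundle
     *     or no such service is registered
     */
    public SecurityManager getSecurityManager() {
        BundleContext bundleContext = getBundleContext();
        if (bundleContext == null) {
            LOGGER.warn("Unable to get Security Manager");
            return null;
        }
        org.osgi.framework.ServiceReference<SecurityManager> reference = bundleContext.getServiceReference(SecurityManager.class);
        if (reference == null) {
            // No registered service: report it instead of passing a null reference on.
            LOGGER.warn("Unable to get Security Manager");
            return null;
        }
        // NOTE(review): the service is never released with ungetService here.
        return (SecurityManager) bundleContext.getService(reference);
    }

    /**
     * Runs the action as the static admin Java subject.
     *
     * <p>No check of the caller is made in this method: any code able to invoke it executes the
     * action with the admin role principals. Restricting who can reach it is left to package
     * visibility and the Java security policy in force.
     *
     * @param privilegedAction the action to run
     * @param <T> result type of the action
     * @return the action's result
     */
    public static <T> T runAsAdmin(PrivilegedAction<T> privilegedAction) {
        return javax.security.auth.Subject.doAs(JAVA_ADMIN_SUBJECT, privilegedAction);
    }

    /**
     * Variant of {@link #runAsAdmin(PrivilegedAction)} for actions that throw checked exceptions.
     * The same caveat applies: the caller is not checked here.
     *
     * @param privilegedExceptionAction the action to run
     * @param <T> result type of the action
     * @return the action's result
     * @throws PrivilegedActionException wrapping a checked exception thrown by the action
     */
    public static <T> T runAsAdminWithException(PrivilegedExceptionAction<T> privilegedExceptionAction) throws PrivilegedActionException {
        return javax.security.auth.Subject.doAs(JAVA_ADMIN_SUBJECT, privilegedExceptionAction);
    }

    /** Builds the read-only Java subject that carries every role from {@code karaf.local.roles}. */
    private static javax.security.auth.Subject getAdminJavaSubject() {
        return new javax.security.auth.Subject(true, localRolePrincipals(), new HashSet<>(), new HashSet<>());
    }

    /**
     * Parses {@code karaf.local.roles} into role principals, one per comma-separated entry.
     *
     * <p>An unset or empty property yields a single principal with an empty name rather than an
     * empty set. Keep it that way unless an explicit guard is added: with an empty set the
     * {@code containsAll} test in {@link #javaSubjectHasAdminRole()} would pass for every subject.
     * Entries are used as written; surrounding whitespace is not trimmed.
     */
    private static HashSet<RolePrincipal> localRolePrincipals() {
        HashSet<RolePrincipal> roles = new HashSet<>();
        for (String roleName : System.getProperty(KARAF_LOCAL_ROLE, StringUtils.EMPTY).split(",")) {
            roles.add(new RolePrincipal(roleName));
        }
        return roles;
    }

    /** Returns the subject's security assertion, or {@code null} when any link in the chain is absent. */
    private static SecurityAssertion findAssertion(Subject subject) {
        if (subject == null || subject.getPrincipals() == null) {
            return null;
        }
        return subject.getPrincipals().oneByType(SecurityAssertion.class);
    }

    /** Returns the context of the bundle that loaded this class, or {@code null} outside OSGi. */
    private BundleContext getBundleContext() {
        Bundle bundle = FrameworkUtil.getBundle(Security.class);
        return bundle == null ? null : bundle.getBundleContext();
    }

    /** Creates and initialises a fresh PKI token factory. */
    private PKIAuthenticationTokenFactory createPKITokenFactory() {
        PKIAuthenticationTokenFactory factory = new PKIAuthenticationTokenFactory();
        factory.init();
        return factory;
    }

    /** Returns the keystore alias used when the keystore holds several entries: the system hostname. */
    private String getCertificateAlias() {
        return System.getProperty("org.codice.ddf.system.hostname");
    }

    /**
     * Loads the platform keystore described by the {@code javax.net.ssl.keyStore*} system
     * properties. A relative keystore path is resolved against {@code ddf.home}.
     *
     * <p>Every failure is logged and reported as {@code null}; the keystore password is never
     * logged. A missing password is treated as a configuration error instead of loading the
     * store with a {@code null} password, which would skip the integrity check.
     *
     * @return the loaded keystore, or {@code null} when it cannot be located, read or loaded
     */
    private KeyStore getSystemKeyStore() {
        String keyStoreType = System.getProperty(KEYSTORE_TYPE_PROPERTY);
        String keyStoreLocation = System.getProperty(KEYSTORE_PATH_PROPERTY);
        String keyStorePassword = System.getProperty(KEYSTORE_PASSWORD_PROPERTY);
        if (keyStoreType == null || keyStoreLocation == null || keyStorePassword == null) {
            LOGGER.error("System keystore is not fully configured; check {}, {} and {}", KEYSTORE_TYPE_PROPERTY, KEYSTORE_PATH_PROPERTY, KEYSTORE_PASSWORD_PROPERTY);
            return null;
        }

        KeyStore keyStore;
        try {
            keyStore = KeyStore.getInstance(keyStoreType);
        } catch (KeyStoreException e) {
            LOGGER.error("Unable to create keystore instance of type {}", keyStoreType, e);
            return null;
        }

        Path keyStorePath = new File(keyStoreLocation).toPath();
        if (!keyStorePath.isAbsolute()) {
            String ddfHome = System.getProperty(DDF_HOME_PROPERTY);
            if (ddfHome == null) {
                LOGGER.error("Unable to resolve relative keystore path [ {} ]: {} is not set", keyStorePath, DDF_HOME_PROPERTY);
                return null;
            }
            keyStorePath = Paths.get(ddfHome, keyStorePath.toString());
        }
        if (!Files.isReadable(keyStorePath)) {
            LOGGER.error("Unable to read system key/trust store files: [ {} ] ", keyStorePath);
            return null;
        }

        // try-with-resources closes the stream on both the success and the failure path.
        try (InputStream keyStoreStream = Files.newInputStream(keyStorePath)) {
            keyStore.load(keyStoreStream, keyStorePassword.toCharArray());
            return keyStore;
        } catch (IOException | NoSuchAlgorithmException | CertificateException e) {
            LOGGER.error("Unable to load system key file.", e);
            return null;
        }
    }
}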
