package org.glassfish.security.services.provider.authorization;

import com.sun.enterprise.config.serverbeans.Domain;
import com.sun.enterprise.config.serverbeans.SecureAdmin;
import com.sun.enterprise.config.serverbeans.SecureAdminPrincipal;
import com.sun.logging.LogDomains;
import java.lang.annotation.Annotation;
import java.net.URI;
import java.security.Principal;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.inject.Inject;
import org.glassfish.api.admin.ServerEnvironment;
import org.glassfish.hk2.api.PerLookup;
import org.glassfish.hk2.api.ServiceLocator;
import org.glassfish.security.services.api.authorization.AuthorizationAdminConstants;
import org.glassfish.security.services.api.authorization.AuthorizationService;
import org.glassfish.security.services.api.authorization.AzAction;
import org.glassfish.security.services.api.authorization.AzAttributeResolver;
import org.glassfish.security.services.api.authorization.AzEnvironment;
import org.glassfish.security.services.api.authorization.AzResource;
import org.glassfish.security.services.api.authorization.AzResult;
import org.glassfish.security.services.api.authorization.AzSubject;
import org.glassfish.security.services.config.SecurityProvider;
import org.glassfish.security.services.impl.authorization.AzObligationsImpl;
import org.glassfish.security.services.impl.authorization.AzResultImpl;
import org.glassfish.security.services.spi.AuthorizationProvider;
import org.jvnet.hk2.annotations.Service;

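/**
 * Built-in {@link AuthorizationProvider} for GlassFish administrative resources
 * (resource URIs whose scheme is {@code admin}).
 *
 * <p>The permit/deny rule lives in the nested {@link Decider}; subclasses may
 * supply their own via {@link #createDecider()}. A subject is permitted when it
 * carries a principal named in
 * {@link AuthorizationAdminConstants#TRUSTED_FOR_DAS_OR_INSTANCE}, or when it is
 * an administrator (a principal named after the admin group, or one whose name
 * equals a configured secure-admin DN) and either this server is the DAS or the
 * requested action is {@code read}.
 *
 * <p>Policy deployment is not supported: {@link #findOrCreateDeploymentContext}
 * always returns {@code null}. The provider is {@code @PerLookup}, so each
 * lookup yields a fresh, un-initialized instance; {@link #initialize} must run
 * before {@link #getAuthorizationDecision}.
 */
@Service(name = "simpleAuthorization")
@PerLookup
public class SimpleAuthorizationProviderImpl implements AuthorizationProvider {

    private static final Level DEBUG_LEVEL = Level.FINER;
    protected static final Logger _logger = LogDomains.getLogger(SimpleAuthorizationProviderImpl.class, LogDomains.SECURITY_LOGGER);

    /** URI scheme identifying an administrative resource. */
    private static final String ADMIN_SCHEME = "admin";
    /** The one action an administrator may perform on a non-DAS instance. */
    private static final String READ_ACTION = "read";

    private AuthorizationProviderConfig cfg;
    // Read from the provider config and logged; not consulted anywhere else in this class.
    private boolean deployable;
    private String version;

    @Inject
    private ServerEnvironment serverEnv;

    @Inject
    private ServiceLocator serviceLocator;

    // Both resolved in initialize(); secureAdmin may legitimately stay null.
    private Domain domain = null;
    private SecureAdmin secureAdmin = null;

    // Lazily created by getDecider(); guarded by the provider's monitor.
    private Decider decider;

    /**
     * Encapsulates the permit/deny rule. Members are {@code protected} so that a
     * subclass of the provider can override the admin group name or the whole
     * decision while reusing the helpers. It is an inner (non-static) class
     * because it reads the provider's {@code serverEnv} and {@code secureAdmin}.
     */
    public class Decider {

        protected Decider() {
        }

        /**
         * Decides whether {@code azSubject} may perform {@code azAction}.
         *
         * <p>PERMIT when the subject holds a principal trusted for DAS/instance
         * traffic, or when it is an administrator and either this server is the
         * DAS or the action is {@code read}; DENY otherwise.
         *
         * @param azSubject     the caller; its JAAS principals are examined by name
         * @param azResource    accepted for overriding subclasses; not consulted here
         * @param azAction      the requested action
         * @param azEnvironment accepted for overriding subclasses; not consulted here
         * @return the decision, never {@code null}
         */
        protected AzResult.Decision decide(AzSubject azSubject, AzResource azResource, AzAction azAction, AzEnvironment azEnvironment) {
            if (isSubjectTrustedForDASAndInstances(azSubject)) {
                return AzResult.Decision.PERMIT;
            }
            // Administrators have full access on the DAS; on an instance only reads are allowed.
            if (isSubjectAnAdministrator(azSubject) && (serverEnv.isDas() || isActionRead(azAction))) {
                return AzResult.Decision.PERMIT;
            }
            return AzResult.Decision.DENY;
        }

        /**
         * Name of the principal that marks a subject as an administrator.
         *
         * @return {@code "asadmin"} unless overridden
         */
        protected String getAdminGroupName() {
            return "asadmin";
        }

        /**
         * True if any principal name of the subject appears in
         * {@link AuthorizationAdminConstants#TRUSTED_FOR_DAS_OR_INSTANCE}.
         */
        private boolean isSubjectTrustedForDASAndInstances(AzSubject azSubject) {
            for (Principal principal : azSubject.getSubject().getPrincipals()) {
                if (AuthorizationAdminConstants.TRUSTED_FOR_DAS_OR_INSTANCE.contains(principal.getName())) {
                    return true;
                }
            }
            return false;
        }

        /** True if the action is exactly {@code "read"}; a {@code null} action is not a read. */
        private boolean isActionRead(AzAction azAction) {
            return READ_ACTION.equals(azAction.getAction());
        }

        /** True if the subject is in the admin group or matches a configured secure-admin principal. */
        private boolean isSubjectAnAdministrator(AzSubject azSubject) {
            return isPrincipalType(azSubject, getAdminGroupName()) || hasSecureAdminPrincipal(azSubject);
        }

        /**
         * True if any principal of the subject has exactly the name {@code str}.
         * The match is by name only; the principal's class (user vs. group) is
         * not examined.
         */
        private boolean isPrincipalType(AzSubject azSubject, String str) {
            for (Principal principal : azSubject.getSubject().getPrincipals()) {
                if (str.equals(principal.getName())) {
                    return true;
                }
            }
            return false;
        }

        /**
         * True if any principal name equals the DN of a configured
         * {@link SecureAdminPrincipal}. Returns {@code false} when secure admin
         * is not configured.
         */
        private boolean hasSecureAdminPrincipal(AzSubject azSubject) {
            if (secureAdmin == null) {
                return false;
            }
            // The configured list does not depend on the principal; fetch it once.
            Iterable<SecureAdminPrincipal> configured = secureAdmin.getSecureAdminPrincipal();
            for (Principal principal : azSubject.getSubject().getPrincipals()) {
                String name = principal.getName();
                for (SecureAdminPrincipal sap : configured) {
                    String dn = sap.getDn();
                    // An unset DN never matches anything (previously an NPE here), not even a null principal name.
                    if (dn != null && dn.equals(name)) {
                        return true;
                    }
                }
            }
            return false;
        }
    }

    /**
     * Reads this provider's configuration and resolves the {@link Domain} and
     * its {@link SecureAdmin} section.
     *
     * @param securityProvider the security-provider config whose first
     *                         provider-config entry is this provider's settings
     */
    @Override // org.glassfish.security.services.spi.SecurityProvider
    public void initialize(SecurityProvider securityProvider) {
        this.cfg = (AuthorizationProviderConfig) securityProvider.getSecurityProviderConfig().get(0);
        this.deployable = cfg.getSupportPolicyDeploy();
        this.version = cfg.getVersion();
        this.domain = serviceLocator.getService(Domain.class);
        this.secureAdmin = domain.getSecureAdmin();
        if (_logger.isLoggable(Level.FINE)) {
            _logger.log(Level.FINE, "provide to do policy deploy: " + deployable);
            _logger.log(Level.FINE, "provide version to use: " + version);
        }
    }

    /**
     * Factory for the {@link Decider}; override to change the decision rule.
     *
     * @return a new decider, never {@code null}
     */
    protected Decider createDecider() {
        return new Decider();
    }

    /** Returns the lazily created decider; synchronized so only one is ever created per instance. */
    private synchronized Decider getDecider() {
        if (decider == null) {
            decider = createDecider();
            if (isDebug()) {
                _logger.log(DEBUG_LEVEL, "Created SimpleAuthorizationProviderImpl Decider of type {0}", decider.getClass().getName());
            }
        }
        return decider;
    }

    private boolean isDebug() {
        return _logger.isLoggable(DEBUG_LEVEL);
    }

    /**
     * Produces an authorization decision for an admin resource.
     *
     * <p>A resource whose URI is missing or not in the {@code admin} scheme is
     * reported at WARNING (with a stack trace for diagnosis) but the decision is
     * still computed by the admin rule.
     *
     * @param list attribute resolvers; not consulted by this provider
     * @return a result with status OK and the decider's decision
     */
    @Override // org.glassfish.security.services.spi.AuthorizationProvider
    public AzResult getAuthorizationDecision(AzSubject azSubject, AzResource azResource, AzAction azAction, AzEnvironment azEnvironment, List<AzAttributeResolver> list) {
        if (!isAdminResource(azResource)) {
            String uriText = azResource.getUri() == null ? "null" : azResource.getUri().toASCIIString();
            _logger.log(Level.WARNING, uriText, new IllegalArgumentException(uriText));
        }
        return getAdminDecision(azSubject, azResource, azAction, azEnvironment);
    }

    /**
     * True if the resource has a URI in the {@code admin} scheme.
     * A {@code null} URI is reported as "not admin" so the caller can log it
     * instead of failing with an NPE.
     */
    private boolean isAdminResource(AzResource azResource) {
        URI uri = azResource.getUri();
        return uri != null && ADMIN_SCHEME.equals(uri.getScheme());
    }

    /** Wraps the decider's decision in an OK result with no obligations. */
    private AzResult getAdminDecision(AzSubject azSubject, AzResource azResource, AzAction azAction, AzEnvironment azEnvironment) {
        if (isDebug()) {
            _logger.log(DEBUG_LEVEL, "");
        }
        AzResult.Decision decision = getDecider().decide(azSubject, azResource, azAction, azEnvironment);
        return new AzResultImpl(decision, AzResult.Status.OK, new AzObligationsImpl());
    }

    /**
     * Policy deployment is not supported by this provider.
     *
     * @return always {@code null}
     */
    @Override // org.glassfish.security.services.spi.AuthorizationProvider
    public AuthorizationService.PolicyDeploymentContext findOrCreateDeploymentContext(String str) {
        return null;
    }
}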
