package org.wso2.carbon.security.deployment;

import java.io.IOException;
import java.net.URL;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.Dictionary;
import java.util.HashSet;
import java.util.Hashtable;
import java.util.Iterator;
import java.util.Properties;
import java.util.Set;
import org.apache.axiom.om.OMElement;
import org.apache.axis2.AxisFault;
import org.apache.axis2.description.AxisModule;
import org.apache.axis2.description.AxisService;
import org.apache.axis2.description.AxisServiceGroup;
import org.apache.axis2.description.Parameter;
import org.apache.axis2.engine.AxisConfiguration;
import org.apache.axis2.engine.AxisEvent;
import org.apache.axis2.engine.AxisObserver;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.neethi.Policy;
import org.apache.neethi.PolicyReference;
import org.apache.neethi.builders.xml.XmlPrimtiveAssertion;
import org.osgi.framework.BundleContext;
import org.osgi.service.component.ComponentContext;
import org.wso2.carbon.CarbonException;
import org.wso2.carbon.context.PrivilegedCarbonContext;
import org.wso2.carbon.context.RegistryType;
import org.wso2.carbon.registry.core.Registry;
import org.wso2.carbon.registry.core.Resource;
import org.wso2.carbon.registry.core.ResourceImpl;
import org.wso2.carbon.registry.core.exceptions.RegistryException;
import org.wso2.carbon.registry.core.jdbc.utils.Transaction;
import org.wso2.carbon.registry.core.service.RegistryService;
import org.wso2.carbon.registry.core.session.UserRegistry;
import org.wso2.carbon.security.SecurityConfigParams;
import org.wso2.carbon.security.SecurityConstants;
import org.wso2.carbon.security.SecurityScenario;
import org.wso2.carbon.security.SecurityScenarioDatabase;
import org.wso2.carbon.security.SecurityServiceHolder;
import org.wso2.carbon.security.util.RahasUtil;
import org.wso2.carbon.security.util.SecurityConfigParamBuilder;
import org.wso2.carbon.security.util.ServerCrypto;
import org.wso2.carbon.security.util.ServicePasswordCallbackHandler;
import org.wso2.carbon.security.util.XmlConfiguration;
import org.wso2.carbon.user.core.AuthorizationManager;
import org.wso2.carbon.user.core.UserRealm;
import org.wso2.carbon.user.core.service.RealmService;
import org.wso2.carbon.utils.Axis2ConfigurationContextObserver;
import org.wso2.carbon.utils.PreAxisConfigurationPopulationObserver;

/* loaded from: input_file:org/wso2/carbon/security/deployment/SecurityDeploymentInterceptor.class */
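/**
 * OSGi component that hooks Axis2 service deployment and applies the Carbon security
 * configuration carried by a service's WS-Policy: engages the trust (rahas) module where the
 * scenario asks for it, replaces the "invoke-service" role grants with the policy's allowed
 * roles and registers the password callback handler.
 *
 * <p>On activation it also seeds the config registry with the predefined security scenarios
 * shipped in this bundle and creates the key-store collection in the governance registry.
 *
 * <p>Thread-safety: no instance state beyond the OSGi references held in
 * {@link SecurityServiceHolder}; Axis2 invokes the observer callbacks from its deployment thread.
 */
public class SecurityDeploymentInterceptor implements AxisObserver {
    private static final Log log = LogFactory.getLog(SecurityDeploymentInterceptor.class);

    /** OSGi service property Axis2's OSGi integration reads to pick up observers. */
    private static final String AXIS2_OSGI_CONFIG_SERVICE = "org.apache.axis2.osgi.config.service";
    /** Tenant the activation work runs under (system registries are only reachable as super tenant). */
    private static final String SUPER_TENANT_DOMAIN = "carbon.super";
    private static final int SUPER_TENANT_ID = -1234;
    /** Config-registry path the scenario policies are stored under; the scenario id is appended. */
    private static final String POLICY_PATH_PREFIX = "/repository/components/org.wso2.carbon.security.mgt/policy/";
    private static final String SCENARIO_CONFIG_RESOURCE = "/scenarios/scenario-config.xml";
    private static final String PRIMARY_KEYSTORE_PATH = "/repository/security/key-stores/carbon-primary-ks";
    private static final String POLICY_MEDIA_TYPE = "application/policy+xml";
    /** Authorization action whose role grants this interceptor manages per service. */
    private static final String INVOKE_SERVICE_ACTION = "invoke-service";
    private static final String PASSWORD_CALLBACK_REF = "passwordCallbackRef";
    /** Policy ids that get attached to services but are not security policies. */
    private static final Set<String> NON_SECURITY_POLICY_IDS = Collections.unmodifiableSet(new HashSet<>(
            Arrays.asList("RMPolicy", "WSO2CachingPolicy", "WSO2ServiceThrottlingPolicy")));

    /**
     * OSGi activation: loads the scenario catalogue, creates the key-store collection and
     * registers this observer with Axis2.
     *
     * <p>The three steps are wrapped separately so the failure message names the step that
     * actually failed (previously a key-store/registration failure was re-wrapped as
     * "Cannot load security scenarios").
     *
     * @param componentContext the SCR component context supplying the bundle context
     * @throws RuntimeException when any step fails; activation is aborted
     */
    protected void activate(ComponentContext componentContext) {
        BundleContext bundleContext = componentContext.getBundleContext();
        try {
            // The system registries are only accessible from the super-tenant context.
            PrivilegedCarbonContext carbonContext = PrivilegedCarbonContext.getThreadLocalCarbonContext();
            carbonContext.setTenantDomain(SUPER_TENANT_DOMAIN);
            carbonContext.setTenantId(SUPER_TENANT_ID);
            loadSecurityScenarios(SecurityServiceHolder.getRegistryService().getConfigSystemRegistry(), bundleContext);
        } catch (Exception e) {
            log.error("Cannot load security scenarios", e);
            throw new RuntimeException("Cannot load security scenarios", e);
        }
        try {
            addKeystores();
        } catch (Exception e) {
            log.error("Cannot add keystores", e);
            throw new RuntimeException("Cannot add keystores", e);
        }
        registerObservers(bundleContext);
    }

    /**
     * Publishes this interceptor as an Axis2 observer (directly and via the pre-population
     * observer so it is attached to every AxisConfiguration as it is created) and the
     * configuration-context listener.
     *
     * @param bundleContext the bundle context to register with
     * @throws RuntimeException when a registration fails
     */
    private void registerObservers(BundleContext bundleContext) {
        try {
            Hashtable<String, String> observerProps = new Hashtable<>();
            observerProps.put(AXIS2_OSGI_CONFIG_SERVICE, AxisObserver.class.getName());
            bundleContext.registerService(AxisObserver.class.getName(), this, observerProps);

            PreAxisConfigurationPopulationObserver prePopulationObserver = new PreAxisConfigurationPopulationObserver() {
                public void createdAxisConfiguration(AxisConfiguration axisConfiguration) {
                    SecurityDeploymentInterceptor.this.init(axisConfiguration);
                    axisConfiguration.addObservers(SecurityDeploymentInterceptor.this);
                }
            };
            bundleContext.registerService(PreAxisConfigurationPopulationObserver.class.getName(),
                    prePopulationObserver, (Dictionary<String, ?>) null);

            Hashtable<String, String> contextObserverProps = new Hashtable<>();
            contextObserverProps.put(AXIS2_OSGI_CONFIG_SERVICE, Axis2ConfigurationContextObserver.class.getName());
            bundleContext.registerService(Axis2ConfigurationContextObserver.class.getName(),
                    new SecurityDeploymentListener(), contextObserverProps);
        } catch (Exception e) {
            log.error("Cannot register security deployment observers", e);
            throw new RuntimeException("Cannot register security deployment observers", e);
        }
    }

    /** No per-configuration initialisation is needed; present to satisfy {@link AxisObserver}. */
    @Override
    public void init(AxisConfiguration axisConfiguration) {
    }

    /** Module events are not of interest to this observer. */
    @Override
    public void moduleUpdate(AxisEvent axisEvent, AxisModule axisModule) {
    }

    /** Service-group events are not of interest to this observer. */
    @Override
    public void serviceGroupUpdate(AxisEvent axisEvent, AxisServiceGroup axisServiceGroup) {
    }

    /**
     * On service deployment, walks the policies attached to the service and applies the security
     * parameters of every policy that is identified as a security policy.
     *
     * <p>A policy id that is not a predefined scenario is registered as a custom scenario. Policy
     * references (as opposed to inline policies) carry only an id; no inline {@link Policy} is
     * available for them, so their parameters cannot be read here and they are skipped with a
     * warning.
     *
     * @param axisEvent   the deployment event; only {@link AxisEvent#SERVICE_DEPLOY} is handled
     * @param axisService the service being deployed
     * @throws RuntimeException when the event cannot be handled, which fails the deployment
     */
    @Override
    public void serviceUpdate(AxisEvent axisEvent, AxisService axisService) {
        if (axisEvent.getEventType() != AxisEvent.SERVICE_DEPLOY) {
            return;
        }
        try {
            if (axisService.getPolicySubject() == null
                    || axisService.getPolicySubject().getAttachedPolicyComponents() == null) {
                return;
            }
            if (log.isDebugEnabled()) {
                log.debug("Policies found on axis service");
            }
            // getAttachedPolicyComponents() is a raw/erased collection in the Axis2 versions this
            // bundle targets, so the element is examined as Object and narrowed explicitly.
            for (Object component : axisService.getPolicySubject().getAttachedPolicyComponents()) {
                // Reset per component: a carried-over id would re-apply the previous policy.
                String policyId = null;
                Policy policy = null;
                if (component instanceof Policy) {
                    policy = (Policy) component;
                    policyId = policy.getId();
                } else if (component instanceof PolicyReference) {
                    // Reference URIs are of the form "#<id>"; drop the leading '#'.
                    policyId = ((PolicyReference) component).getURI().substring(1);
                }
                if (policyId == null || !isSecPolicy(policyId)) {
                    continue;
                }
                if (log.isDebugEnabled()) {
                    log.debug("Policy " + policyId + " is identified as a security policy and trying to apply security parameters");
                }
                SecurityScenario scenario = SecurityScenarioDatabase.getByWsuId(policyId);
                if (scenario == null) {
                    if (log.isDebugEnabled()) {
                        log.debug("Policy " + policyId + " does not belongs to a pre-defined security scenario. So treating as a custom policy");
                    }
                    scenario = newCustomScenario(policyId);
                    SecurityScenarioDatabase.put(policyId, scenario);
                }
                if (policy == null) {
                    // NOTE(review): a PolicyReference has no inline Policy to read the Carbon
                    // security config from; the security parameters for it are not applied here.
                    log.warn("Security policy " + policyId + " is attached to service " + axisService.getName()
                            + " by reference only; security parameters are not applied");
                    continue;
                }
                applySecurityParameters(axisService, scenario, policy);
            }
        } catch (Exception e) {
            String message = "Cannot handle service DEPLOY event for service: " + axisService.getName();
            log.error(message, e);
            throw new RuntimeException(message, e);
        }
    }

    /**
     * Builds the placeholder scenario used for a policy id that matches no predefined scenario.
     *
     * @param policyId the wsu:Id of the policy
     * @return a non-general scenario tagged as custom
     */
    private static SecurityScenario newCustomScenario(String policyId) {
        SecurityScenario customScenario = new SecurityScenario();
        customScenario.setScenarioId(SecurityConstants.CUSTOM_SECURITY_SCENARIO);
        customScenario.setWsuId(policyId);
        customScenario.setGeneralPolicy(false);
        customScenario.setSummary(SecurityConstants.CUSTOM_SECURITY_SCENARIO_SUMMARY);
        return customScenario;
    }

    /**
     * Reads the scenario catalogue shipped in this bundle into {@link SecurityScenarioDatabase}
     * and stores each scenario's policy document in the config registry.
     *
     * <p>A policy resource that already exists in the registry is left untouched, so an
     * administrator's edits survive restarts; only the in-memory holder is refreshed from the
     * bundle copy.
     *
     * @param registry      the config system registry
     * @param bundleContext the bundle that carries the scenario resources
     * @throws IOException       when a bundle resource is missing or cannot be read
     * @throws RegistryException when the registry cannot be read or written
     * @throws CarbonException   when the scenario configuration cannot be parsed
     */
    private void loadSecurityScenarios(Registry registry, BundleContext bundleContext)
            throws CarbonException, IOException, RegistryException {
        URL scenarioConfigUrl = bundleContext.getBundle().getResource(SCENARIO_CONFIG_RESOURCE);
        if (scenarioConfigUrl == null) {
            throw new IOException("Scenario configuration " + SCENARIO_CONFIG_RESOURCE + " not found in bundle");
        }
        // The stream is deliberately not closed here: Axiom builds OMElements lazily and the
        // returned elements are still read below.
        OMElement[] scenarioElements = new XmlConfiguration(scenarioConfigUrl.openStream(),
                SecurityConstants.SECURITY_NAMESPACE).getElements("//ns:Scenario");
        boolean ownsTransaction = !Transaction.isStarted();
        try {
            if (ownsTransaction) {
                registry.beginTransaction();
            }
            for (OMElement scenarioElement : scenarioElements) {
                String scenarioId = scenarioElement.getAttribute(SecurityConstants.ID_QN).getAttributeValue();
                SecurityScenarioDatabase.put(scenarioId, parseScenario(scenarioElement, scenarioId));
                // These two scenarios carry no policy document of their own.
                if (!SecurityConstants.SCENARIO_DISABLE_SECURITY.equals(scenarioId)
                        && !SecurityConstants.POLICY_FROM_REG_SCENARIO.equals(scenarioId)) {
                    storeScenarioPolicy(registry, bundleContext, scenarioId);
                }
            }
            if (ownsTransaction) {
                registry.commitTransaction();
            }
        } catch (Exception e) {
            // Rolled back even when the transaction was begun by a caller, as before;
            // NOTE(review): confirm that an enclosing transaction is meant to be undone here.
            registry.rollbackTransaction();
            throw e;
        }
    }

    /**
     * Converts one {@code <Scenario>} element of the catalogue into a {@link SecurityScenario}.
     *
     * @param scenarioElement the scenario element
     * @param scenarioId      its id attribute, already read by the caller
     * @return the populated scenario
     */
    private static SecurityScenario parseScenario(OMElement scenarioElement, String scenarioId) {
        SecurityScenario scenario = new SecurityScenario();
        scenario.setScenarioId(scenarioId);
        scenario.setSummary(scenarioElement.getFirstChildWithName(SecurityConstants.SUMMARY_QN).getText());
        scenario.setDescription(scenarioElement.getFirstChildWithName(SecurityConstants.DESCRIPTION_QN).getText());
        scenario.setCategory(scenarioElement.getFirstChildWithName(SecurityConstants.CATEGORY_QN).getText());
        scenario.setWsuId(scenarioElement.getFirstChildWithName(SecurityConstants.WSUID_QN).getText());
        scenario.setType(scenarioElement.getFirstChildWithName(SecurityConstants.TYPE_QN).getText());
        Iterator modules = scenarioElement.getFirstChildWithName(SecurityConstants.MODULES_QN).getChildElements();
        while (modules.hasNext()) {
            scenario.addModule(((OMElement) modules.next()).getText());
        }
        return scenario;
    }

    /**
     * Stores a scenario's bundled policy document in the registry (unless present) and in the
     * in-memory holder.
     *
     * @param registry      the config system registry
     * @param bundleContext the bundle that carries the policy file
     * @param scenarioId    the scenario whose policy is stored
     * @throws IOException       when the policy file is missing from the bundle
     * @throws RegistryException when the registry cannot be read or written
     */
    private static void storeScenarioPolicy(Registry registry, BundleContext bundleContext, String scenarioId)
            throws IOException, RegistryException {
        String policyPath = POLICY_PATH_PREFIX + scenarioId;
        URL policyUrl = bundleContext.getBundle().getResource("scenarios/" + scenarioId + "-policy.xml");
        if (policyUrl == null) {
            throw new IOException("Policy document for security scenario " + scenarioId + " not found in bundle");
        }
        ResourceImpl policyResource = new ResourceImpl();
        // The stream's lifetime is owned by the resource (and whoever reads it) from here on.
        policyResource.setContentStream(policyUrl.openStream());
        policyResource.setMediaType(POLICY_MEDIA_TYPE);
        if (!registry.resourceExists(policyPath)) {
            registry.put(policyPath, policyResource);
        }
        SecurityServiceHolder.addPolicyResource(policyPath, policyResource);
    }

    /**
     * Creates the key-store collection and the primary key-store resource in the governance
     * registry when they do not exist yet.
     *
     * @throws RegistryException when the registry cannot be read or written
     */
    private void addKeystores() throws RegistryException {
        UserRegistry governanceRegistry = SecurityServiceHolder.getRegistryService().getGovernanceSystemRegistry();
        boolean ownsTransaction = !Transaction.isStarted();
        try {
            if (ownsTransaction) {
                governanceRegistry.beginTransaction();
            }
            if (!governanceRegistry.resourceExists(SecurityConstants.KEY_STORES)) {
                governanceRegistry.put(SecurityConstants.KEY_STORES, governanceRegistry.newCollection());
                if (!governanceRegistry.resourceExists(PRIMARY_KEYSTORE_PATH)) {
                    governanceRegistry.put(PRIMARY_KEYSTORE_PATH, governanceRegistry.newResource());
                }
            }
            if (ownsTransaction) {
                governanceRegistry.commitTransaction();
            }
        } catch (Exception e) {
            // Rolled back even when the transaction was begun by a caller, as before.
            governanceRegistry.rollbackTransaction();
            throw e;
        }
    }

    /**
     * Applies the security parameters found in {@code policy} to the service: engages the trust
     * module when the scenario lists it, replaces the service's "invoke-service" role grants with
     * the policy's allowed roles, and registers the password callback handler.
     *
     * <p>Failures are logged and not propagated, so the service stays deployed with whatever was
     * applied before the failure (for instance with the previous role grants already cleared but
     * the new ones not yet granted, or without a password callback). NOTE(review): this is
     * fail-open for the deployment; confirm with the owners whether deployment should fail instead,
     * which {@link #serviceUpdate} would do if this method threw.
     *
     * @param axisService      the service being deployed
     * @param securityScenario the scenario the policy maps to
     * @param policy           the inline policy carrying the Carbon security configuration
     */
    private void applySecurityParameters(AxisService axisService, SecurityScenario securityScenario, Policy policy) {
        String serviceName = axisService.getName();
        try {
            PrivilegedCarbonContext carbonContext = PrivilegedCarbonContext.getThreadLocalCarbonContext();
            UserRealm userRealm = carbonContext.getUserRealm();
            UserRegistry governanceRegistry = carbonContext.getRegistry(RegistryType.SYSTEM_GOVERNANCE);
            String serviceGroupName = axisService.getAxisServiceGroup().getServiceGroupName();
            SecurityConfigParams securityParams = SecurityConfigParamBuilder.getSecurityParams(getSecurityConfig(policy));

            if (securityScenario.getModules().contains(SecurityConstants.TRUST_MODULE)) {
                engageTrustModule(axisService, securityParams);
            }

            String allowedRoles = securityParams.getAllowedRoles();
            if (allowedRoles != null) {
                if (log.isDebugEnabled()) {
                    log.debug("Authorizing roles " + allowedRoles);
                }
                AuthorizationManager authorizationManager = userRealm.getAuthorizationManager();
                String resourceId = serviceGroupName + "/" + serviceName;
                // The policy's list is authoritative: every existing grant for the service is
                // removed before the listed roles are granted.
                String[] currentRoles = authorizationManager.getAllowedRolesForResource(resourceId, INVOKE_SERVICE_ACTION);
                if (currentRoles != null) {
                    for (String role : currentRoles) {
                        authorizationManager.clearRoleAuthorization(role, resourceId, INVOKE_SERVICE_ACTION);
                    }
                }
                // Trim so "admin, user" grants "user" rather than the non-existent " user".
                for (String role : allowedRoles.split(",")) {
                    String roleName = role.trim();
                    if (!roleName.isEmpty()) {
                        authorizationManager.authorizeRole(roleName, resourceId, INVOKE_SERVICE_ACTION);
                    }
                }
            }

            Parameter callbackParameter = new Parameter();
            callbackParameter.setName(PASSWORD_CALLBACK_REF);
            callbackParameter.setValue(new ServicePasswordCallbackHandler(securityParams, serviceGroupName,
                    serviceName, governanceRegistry, userRealm));
            axisService.addParameter(callbackParameter);
        } catch (Exception e) {
            // Narrowed from Throwable so that Errors (OOM, linkage failures) are no longer swallowed.
            log.error("Cannot apply security parameters to service " + serviceName, e);
        }
    }

    /**
     * Re-engages the trust (rahas) module on the service and configures its SCT issuer with the
     * key-store settings from the security configuration.
     *
     * @param axisService    the service to engage the module on
     * @param securityParams the parsed security configuration
     * @throws AxisFault when the module cannot be engaged or the parameters cannot be added
     */
    private void engageTrustModule(AxisService axisService, SecurityConfigParams securityParams) throws AxisFault {
        AxisModule trustModule = axisService.getAxisConfiguration().getModule(SecurityConstants.TRUST_MODULE);
        if (log.isDebugEnabled()) {
            log.debug("Enabling trust module : rahas");
        }
        // Disengage first so a re-deployment does not end up with the module engaged twice.
        axisService.disengageModule(trustModule);
        axisService.engageModule(trustModule);

        Properties cryptoProperties = new Properties();
        cryptoProperties.setProperty(ServerCrypto.PROP_ID_PRIVATE_STORE, securityParams.getPrivateStore());
        cryptoProperties.setProperty(ServerCrypto.PROP_ID_DEFAULT_ALIAS, securityParams.getKeyAlias());
        if (securityParams.getTrustStores() != null) {
            cryptoProperties.setProperty(ServerCrypto.PROP_ID_TRUST_STORES, securityParams.getTrustStores());
        }
        axisService.addParameter(RahasUtil.getSCTIssuerConfigParameter(ServerCrypto.class.getName(),
                cryptoProperties, -1, null, true, true));
        axisService.addParameter(RahasUtil.getTokenCancelerConfigParameter());
    }

    /**
     * Finds the Carbon security configuration assertion inside a policy.
     *
     * @param policy the policy to search; may be null
     * @return the {@code CarbonSecConfig} element, or null when absent
     */
    private OMElement getSecurityConfig(Policy policy) {
        if (policy == null) {
            return null;
        }
        // getPolicyComponents() is raw in older Neethi versions; narrow explicitly.
        for (Object component : policy.getPolicyComponents()) {
            if (!(component instanceof XmlPrimtiveAssertion)) {
                continue;
            }
            OMElement value = ((XmlPrimtiveAssertion) component).getValue();
            if (value != null && SecurityConfigParamBuilder.SECURITY_CONFIG_QNAME.equals(value.getQName())) {
                if (log.isDebugEnabled()) {
                    log.debug("Carbon Security config found : " + value.toString());
                }
                return value;
            }
        }
        return null;
    }

    /** This observer holds no parameters. */
    @Override
    public void addParameter(Parameter parameter) throws AxisFault {
    }

    /** This observer holds no parameters. */
    @Override
    public void deserializeParameters(OMElement oMElement) throws AxisFault {
    }

    /** This observer holds no parameters; always returns null. */
    @Override
    public Parameter getParameter(String str) {
        return null;
    }

    /** This observer holds no parameters; always returns a fresh empty list. */
    @Override
    public ArrayList<Parameter> getParameters() {
        return new ArrayList<>();
    }

    /** This observer holds no parameters; nothing is ever locked. */
    @Override
    public boolean isParameterLocked(String str) {
        return false;
    }

    /** This observer holds no parameters. */
    @Override
    public void removeParameter(Parameter parameter) throws AxisFault {
    }

    /** SCR bind method for the registry service. */
    protected void setRegistryService(RegistryService registryService) {
        SecurityServiceHolder.setRegistryService(registryService);
    }

    /** SCR bind method for the realm service. */
    protected void setRealmService(RealmService realmService) {
        SecurityServiceHolder.setRealmService(realmService);
    }

    /** SCR unbind method for the realm service. */
    protected void unsetRealmService(RealmService realmService) {
        SecurityServiceHolder.setRealmService(null);
    }

    /** SCR unbind method for the registry service. */
    protected void unsetRegistryService(RegistryService registryService) {
        SecurityServiceHolder.setRegistryService(null);
    }

    /**
     * Tells whether a policy id denotes a security policy. Every id except the known
     * reliable-messaging, caching and throttling policies is treated as a security policy.
     *
     * @param policyId the policy id to classify
     * @return true unless the id is one of {@link #NON_SECURITY_POLICY_IDS}
     */
    private boolean isSecPolicy(String policyId) {
        if (NON_SECURITY_POLICY_IDS.contains(policyId)) {
            return false;
        }
        if (log.isDebugEnabled()) {
            log.debug("Policy ID : " + policyId + " is identified as a security policy");
        }
        return true;
    }
}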
