package org.wso2.carbon.core.security;

import java.util.Collections;
import javax.management.remote.JMXAuthenticator;
import javax.management.remote.JMXPrincipal;
import javax.security.auth.Subject;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.CarbonConstants;
import org.wso2.carbon.context.PrivilegedCarbonContext;
import org.wso2.carbon.core.internal.CarbonCoreDataHolder;
import org.wso2.carbon.user.api.TenantManager;
import org.wso2.carbon.user.core.AuthorizationManager;
import org.wso2.carbon.user.core.UserRealm;
import org.wso2.carbon.user.core.UserStoreException;
import org.wso2.carbon.user.core.UserStoreManager;
import org.wso2.carbon.utils.multitenancy.MultitenantUtils;

/* loaded from: input_file:lib/org.wso2.carbon.core-4.4.35.jar:org/wso2/carbon/core/security/CarbonJMXAuthenticator.class */
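/**
 * {@link JMXAuthenticator} that checks JMX connector credentials against the Carbon
 * user realm and then requires the {@code /permission/protected/server-admin}
 * permission before a {@link Subject} is issued.
 *
 * <p>The realm is injected statically through {@link #setUserRealm(UserRealm)}.
 * Every failure is reported to the caller as a {@link SecurityException}.
 */
public class CarbonJMXAuthenticator implements JMXAuthenticator {
    private static final String JMX_USER_PERMISSION = "/permission/protected/server-admin";
    // Values hard-coded by the original class; presumably they mirror the platform's
    // super-tenant constants -- TODO confirm against MultitenantConstants.
    private static final String SUPER_TENANT_DOMAIN = "carbon.super";
    private static final int SUPER_TENANT_ID = -1234;

    private static final Log log = LogFactory.getLog(CarbonJMXAuthenticator.class);
    private static final Log audit = CarbonConstants.AUDIT_LOG;

    private static UserRealm userRealm;

    /**
     * Installs the realm used for all later authentication and authorization calls.
     *
     * @param userRealm2 realm to authenticate against
     */
    public static void setUserRealm(UserRealm userRealm2) {
        userRealm = userRealm2;
    }

    /**
     * Authenticates and authorizes a JMX client.
     *
     * @param obj credentials supplied by the JMX connector; must be a {@code String[]}
     *            whose first two elements are the user name and the password
     * @return a read-only {@link Subject} holding a single {@link JMXPrincipal}
     * @throws SecurityException if the credentials are malformed, the realm is not
     *                           available, or authentication or authorization fails
     */
    @Override
    public Subject authenticate(Object obj) {
        if (!(obj instanceof String[])) {
            if (obj == null) {
                throw new SecurityException("Credentials required");
            }
            throw new SecurityException("Credentials should be String[]");
        }
        String[] credentials = (String[]) obj;
        if (credentials.length < 2) {
            throw new SecurityException("Credentials should have at least username & password");
        }
        String userName = credentials[0];
        String password = credentials[1];
        // Reject null elements here instead of letting them surface as a
        // NullPointerException or reach the user store as a null password.
        if (userName == null || password == null) {
            throw new SecurityException("Credentials should have at least username & password");
        }
        // Snapshot the static field once so the null check and both later uses
        // see the same realm instance.
        UserRealm realm = userRealm;
        if (realm == null) {
            // Without this guard an uninitialised realm escapes as a NullPointerException
            // rather than the SecurityException that callers of this method expect.
            log.error("Cannot get authenticator from Realm: user realm is not initialized");
            throw new SecurityException("Cannot get authenticator from Realm");
        }
        // The user name comes from the remote client and is written to the audit log
        // and into exception messages that are logged; line breaks are neutralised so
        // a supplied name cannot add forged log entries.
        String loggedName = sanitizeForLog(userName);
        try {
            UserStoreManager userStoreManager = realm.getUserStoreManager();
            try {
                PrivilegedCarbonContext carbonContext = PrivilegedCarbonContext.getThreadLocalCarbonContext();
                carbonContext.setTenantDomain(SUPER_TENANT_DOMAIN);
                carbonContext.setTenantId(SUPER_TENANT_ID);
                String suppliedDomain = extractTenantDomain(userName);
                // NOTE(review): this comparison is case-sensitive; confirm that
                // MultitenantUtils.getTenantDomain handles case the same way, otherwise
                // this reserved-name check and the tenant lookup below can disagree.
                if (SUPER_TENANT_DOMAIN.equals(suppliedDomain)) {
                    if (log.isDebugEnabled()) {
                        log.debug("Authentication Failure..Provided tenant domain name is reserved..");
                    }
                    throw new SecurityException("Authentication failed - System error occurred. Tenant domain name is reserved.");
                }
                if (!userStoreManager.authenticate(userName, password)) {
                    throw new SecurityException("Login failed for user : " + loggedName + ". Invalid username or password.");
                }
                TenantManager tenantManager = CarbonCoreDataHolder.getInstance().getRealmService().getTenantManager();
                String tenantDomain = MultitenantUtils.getTenantDomain(userName);
                // NOTE(review): the thread-local context stays bound to this tenant even
                // when authorization fails below -- confirm that is intended.
                carbonContext.setTenantId(tenantManager.getTenantId(tenantDomain));
                carbonContext.setTenantDomain(tenantDomain);
                audit.info("User " + loggedName + " successfully authenticated to perform JMX operations.");
                if (!authorize(realm, userName)) {
                    throw new SecurityException("User : " + loggedName + " not authorized to perform JMX operations.");
                }
                audit.info("User : " + loggedName + " successfully authorized to perform JMX operations.");
                return new Subject(true, Collections.singleton(new JMXPrincipal(userName)),
                        Collections.emptySet(), Collections.emptySet());
            } catch (SecurityException e) {
                // Authentication and authorization rejections are recorded in the audit log.
                audit.warn("Unauthorized access attempt to JMX operation. ", e);
                throw new SecurityException("Unauthorized access attempt to JMX operation. ", e);
            } catch (Exception e2) {
                log.error("JMX operation failed.", e2);
                throw new SecurityException("JMX operation failed.", e2);
            }
        } catch (UserStoreException e3) {
            log.error("Cannot get authenticator from Realm", e3);
            throw new SecurityException("Cannot get authenticator from Realm", e3);
        }
    }

    /**
     * Checks that the user holds the JMX permission for the UI permission action.
     *
     * @param realm    realm whose authorization manager is consulted
     * @param userName user to check
     * @return {@code true} if the authorization manager grants the permission
     * @throws UserStoreException if the realm has no authorization manager or the check fails
     */
    private boolean authorize(UserRealm realm, String userName) throws UserStoreException {
        AuthorizationManager authorizationManager = realm.getAuthorizationManager();
        if (authorizationManager == null) {
            throw new UserStoreException("Unable to retrieve Authorization manager to perform authorization");
        }
        return authorizationManager.isUserAuthorized(userName, JMX_USER_PERMISSION, CarbonConstants.UI_PERMISSION_ACTION);
    }

    /**
     * Returns the text after the last {@code '@'} of a user name.
     *
     * @param str user name, possibly of the form {@code user@tenant-domain}
     * @return the part after the last {@code '@'}, or {@code null} when {@code str}
     *         is {@code null} or contains no {@code '@'}
     */
    public static String extractTenantDomain(String str) {
        if (str == null) {
            return null;
        }
        int at = str.lastIndexOf('@');
        return at >= 0 ? str.substring(at + 1) : null;
    }

    /** Replaces carriage returns and line feeds so the value stays on one log line. */
    private static String sanitizeForLog(String value) {
        return value.replace('\r', '_').replace('\n', '_');
    }
}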
