package de.sep.sesam.restapi.service.impl;

import de.sep.sesam.gui.common.DefaultUserNames;
import de.sep.sesam.gui.common.logging.ContextLogger;
import de.sep.sesam.gui.common.logging.LogGroup;
import de.sep.sesam.gui.common.logging.RecurringLogFilter;
import de.sep.sesam.gui.common.logging.SesamComponent;
import de.sep.sesam.gui.common.logging.messages.RestletMessages;
import de.sep.sesam.gui.common.logging.messages.SimpleMessage;
import de.sep.sesam.gui.server.GUIServerParam;
import de.sep.sesam.gui.server.RemoteAccessNew;
import de.sep.sesam.gui.tools.SpringUtils;
import de.sep.sesam.model.dto.SEPAuthentication;
import de.sep.sesam.restapi.authentication.ActiveDirectoryCredentialsLogin;
import de.sep.sesam.restapi.authentication.DatabaseCredentialsLogin;
import de.sep.sesam.restapi.authentication.LDAPCredentialsLogin;
import de.sep.sesam.restapi.authentication.SessionContext;
import de.sep.sesam.restapi.authentication.SessionHandler;
import de.sep.sesam.restapi.dao.LoginService;
import de.sep.sesam.restapi.exception.AuthenticationException;
import de.sep.sesam.restapi.exception.ServiceException;
import de.sep.sesam.restapi.service.ConsistencyCheckService;
import de.sep.sesam.restapi.util.ContextLoggable;
import java.io.File;
import java.net.InetAddress;
import java.net.NetworkInterface;
import java.net.SocketException;
import java.security.AllPermission;
import java.security.Policy;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.Iterator;
import java.util.StringTokenizer;
import java.util.concurrent.locks.ReentrantLock;
import org.apache.commons.lang.StringUtils;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Service;

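/**
 * Login service of the REST API: turns a {@link SEPAuthentication} request into a registered
 * {@link SessionContext} and keeps the policy-based users in sync with the Java policy file.
 *
 * <p>{@link #authenticate(SEPAuthentication, boolean)} tries, depending on the server
 * configuration in {@link GUIServerParam}, the database, Active Directory and LDAP credential
 * providers, plus several configuration-driven paths that hand out an administrator session
 * without credentials: authentication disabled, a forced admin login requested by the caller,
 * an ALL-permission grant in the Java policy, or "local full access" for requests whose IP is
 * one of this host's own addresses. Every decision is written to the SECURITY log group.
 *
 * <p>Thread-safety: {@code localIps}/{@code localNames} are guarded by {@code dnsLock};
 * {@code allPermissionPolicySet} and {@code policyFileMtime} are only written while
 * {@code policyCheckLock} is held. {@code param} is published unsynchronised by
 * {@link #setParam(GUIServerParam)}.
 */
@Service
public class LoginServiceImpl implements ContextLoggable, LoginService {
    /** Server configuration; replaced wholesale by {@link #setParam(GUIServerParam)}. */
    private static GUIServerParam param = new GUIServerParam();

    /**
     * Textual addresses of this host (loopback plus every interface address), filled
     * asynchronously by {@code dnsThread} at class load. Guarded by {@link #dnsLock}.
     */
    private static final HashSet<String> localIps = new HashSet<>();

    /** Host names (plain, canonical and short form) of this host. Guarded by {@link #dnsLock}. */
    private static final HashSet<String> localNames = new HashSet<>();

    private static final ReentrantLock dnsLock = new ReentrantLock();

    /** Background thread filling {@link #localIps}/{@link #localNames}; started once from the static initializer. */
    private static final Thread dnsThread;

    @Autowired
    private ActiveDirectoryCredentialsLogin adCredentialLogin;

    @Autowired
    private LDAPCredentialsLogin ldapCredentialLogin;

    @Autowired
    private DatabaseCredentialsLogin dbCredentialLogin;

    /** Set by the first {@link #initialize()}; volatile so a concurrent caller sees it (a duplicate run is harmless, see checkPolicyUsers). */
    private volatile boolean initialized = false;

    private ContextLogger logger = new ContextLogger(LoginServiceImpl.class, SesamComponent.RESTAPI);

    /** Serialises {@link #checkPolicyUsers()} and protects the two policy fields below. */
    private final ReentrantLock policyCheckLock = new ReentrantLock();

    /** {@code true} once the Java policy was found to grant {@link AllPermission}; consulted by {@link #authenticate}. */
    private boolean allPermissionPolicySet = false;

    /** Modification time of the policy file at the last synchronisation, {@code -1} until first seen. */
    private long policyFileMtime = -1;

    /**
     * Used only to probe the installed policy for {@link AllPermission}.
     * NOTE(review): SecurityManager/Policy are deprecated for removal since Java 17 and disabled
     * on recent JDKs, where this probe may never succeed — confirm against the supported runtime.
     */
    private final SecurityManager securityManager = new SecurityManager();

    /**
     * One-time start-up hook: runs the first policy synchronisation. Later calls are no-ops.
     */
    @Override
    public void initialize() {
        if (this.initialized) {
            return;
        }
        this.initialized = true;
        checkPolicyUsers();
    }

    /**
     * Authenticates a login request and registers the resulting session.
     *
     * <p>Resolution order (every branch logs its outcome to the SECURITY group):
     * <ol>
     *   <li>No password given, authentication disabled, or {@code z} set: credential-less paths —
     *       authentication fully off → administrator; {@code z} → forced administrator; policy
     *       based permissions with a user name → DB login of that user, falling back to the
     *       administrator if the Java policy grants ALL permission; finally the local-full-access
     *       fallback ({@link #localFullAccessFallback}).</li>
     *   <li>Otherwise (password given and authentication enabled): database, then Active
     *       Directory, then LDAP, each only if enabled; then the local-full-access fallback; if
     *       everything failed, the exception of the last provider that ran is rethrown.</li>
     * </ol>
     * Several paths overwrite {@code sEPAuthentication.name} with {@link DefaultUserNames#ADMIN_USER}
     * (the argument is mutated).
     *
     * @param sEPAuthentication user name, password and client IP of the request; must not be null
     * @param z when {@code true} skip all credential checks and create a forced administrator
     *          session — callers must only set this for trusted, already-authenticated contexts
     * @return the session id under which the {@link SessionContext} was registered
     * @throws AuthenticationException if no provider or fallback produced a session
     */
    @Override
    public String authenticate(SEPAuthentication sEPAuthentication, boolean z) throws AuthenticationException {
        assert sEPAuthentication != null;
        RecurringLogFilter.skip();
        // name and ip are caller-controlled strings; this relies on ContextLogger neutralising
        // line breaks (log forging) — not verified here.
        this.logger.info("authenticate", LogGroup.SECURITY, new SimpleMessage("Login request of user {0} from {1} (policy based = {2}, authEnabled = {3}, local full access = {4}, all permission = {5})"), sEPAuthentication.name, sEPAuthentication.ip, Boolean.valueOf(param.policyBasedPermissions), Boolean.valueOf(param.authEnabled), Boolean.valueOf(param.localFullAccess), Boolean.valueOf(this.allPermissionPolicySet));
        try {
            // Pick up policy file changes before deciding anything.
            checkPolicyUsers();
            SessionContext sessionContext = null;
            boolean passwordSupplied = StringUtils.isNotEmpty(sEPAuthentication.password);

            // --- credential-less paths -------------------------------------------------------
            if (!passwordSupplied || !param.authEnabled || z) {
                if (!param.authEnabled && !param.policyBasedPermissions) {
                    // Authentication switched off entirely: every caller becomes the administrator.
                    sEPAuthentication.name = DefaultUserNames.ADMIN_USER;
                    sessionContext = this.dbCredentialLogin.forceCreateAndAuthenticateAdmin(sEPAuthentication);
                } else if (z) {
                    // Forced administrator session requested by the caller; any failure propagates.
                    sessionContext = this.dbCredentialLogin.forceCreateAndAuthenticateAdmin(sEPAuthentication);
                } else if (StringUtils.isNotEmpty(sEPAuthentication.name) && param.policyBasedPermissions) {
                    try {
                        sessionContext = this.dbCredentialLogin.createAndAuthenticateUser(sEPAuthentication);
                    } catch (AuthenticationException e) {
                        this.logger.info("authenticate", LogGroup.SECURITY, new SimpleMessage("DB based authentication method failed for user {0}."), sEPAuthentication.name);
                    }
                    if (sessionContext == null) {
                        if (this.allPermissionPolicySet) {
                            // An ALL-permission grant in sm_java.policy means "everybody is admin":
                            // the unknown/rejected user is promoted regardless of origin address.
                            try {
                                sEPAuthentication.name = DefaultUserNames.ADMIN_USER;
                                sessionContext = this.dbCredentialLogin.forceCreateAndAuthenticateAdmin(sEPAuthentication);
                            } catch (AuthenticationException e2) {
                                this.logger.info("authenticate", LogGroup.SECURITY, new SimpleMessage("Failed forced authentication as administrator for user {0} with ALL permission set."), sEPAuthentication.name);
                            }
                        } else {
                            this.logger.info("authenticate", LogGroup.SECURITY, new SimpleMessage("Attempt to authenticate user {0} failed and ALL permission is not set."), sEPAuthentication.name);
                        }
                    }
                }
                if (sessionContext == null) {
                    // Without a directory provider to fall back to, a failed local admin login is final.
                    sessionContext = localFullAccessFallback(sEPAuthentication, true);
                }
            }

            // --- credential-based providers ---------------------------------------------------
            if (sessionContext == null && passwordSupplied && param.authEnabled) {
                AuthenticationException lastFailure = null;
                if (this.dbCredentialLogin.isEnabled()) {
                    try {
                        sessionContext = this.dbCredentialLogin.createAndAuthenticateUser(sEPAuthentication);
                    } catch (AuthenticationException e4) {
                        this.logger.info("authenticate", LogGroup.SECURITY, new SimpleMessage("DB based authentication method failed for user {0}."), sEPAuthentication.name);
                        lastFailure = e4;
                    }
                }
                if (sessionContext == null && this.adCredentialLogin.isEnabled()) {
                    try {
                        sessionContext = this.adCredentialLogin.createAndAuthenticateUser(sEPAuthentication);
                    } catch (AuthenticationException e5) {
                        this.logger.info("authenticate", LogGroup.SECURITY, new SimpleMessage("AD based authentication method failed for user {0}."), sEPAuthentication.name);
                        lastFailure = e5;
                    }
                }
                if (sessionContext == null && this.ldapCredentialLogin.isEnabled()) {
                    try {
                        sessionContext = this.ldapCredentialLogin.createAndAuthenticateUser(sEPAuthentication);
                    } catch (AuthenticationException e6) {
                        this.logger.info("authenticate", LogGroup.SECURITY, new SimpleMessage("LDAP based authentication method failed for user {0}."), sEPAuthentication.name);
                        lastFailure = e6;
                    }
                }
                if (sessionContext == null) {
                    sessionContext = localFullAccessFallback(sEPAuthentication, false);
                    if (sessionContext == null && lastFailure != null) {
                        throw lastFailure;
                    }
                }
            }

            if (sessionContext == null) {
                this.logger.error("authenticate", LogGroup.SECURITY, AuthenticationException.AuthMessage.INVALID_CREDENTIALS, sEPAuthentication.name);
                throw new AuthenticationException(AuthenticationException.AuthMessage.INVALID_CREDENTIALS, sEPAuthentication.name);
            }
            String sessionId = SessionHandler.put(sessionContext);
            this.logger.info("authenticate", LogGroup.SECURITY, RestletMessages.LOGIN, sessionId, sEPAuthentication.name, sEPAuthentication.ip);
            return sessionId;
        } finally {
            RecurringLogFilter.done();
        }
    }

    /**
     * Local-full-access fallback: if {@code param.localFullAccess} is set and the request's IP is
     * one of this host's own addresses (see {@link #isLocal(String)}), the caller is promoted to
     * the administrator. Sets {@code auth.name} to {@link DefaultUserNames#ADMIN_USER} before the
     * attempt, so the name stays overwritten even when the attempt fails.
     *
     * @param auth the login request (mutated, see above)
     * @param rethrowWhenNoDirectoryProvider if the forced admin login fails and neither AD nor LDAP
     *        is enabled, rethrow its exception instead of returning {@code null}
     * @return the forced admin session, or {@code null} if the fallback does not apply or failed
     * @throws AuthenticationException only under the condition described for
     *         {@code rethrowWhenNoDirectoryProvider}
     */
    private SessionContext localFullAccessFallback(SEPAuthentication auth, boolean rethrowWhenNoDirectoryProvider) throws AuthenticationException {
        if (!param.localFullAccess) {
            this.logger.info("authenticate", LogGroup.SECURITY, new SimpleMessage("Attempt to authenticate user {0} failed and local full access is disabled."), auth.name);
            return null;
        }
        if (!isLocal(auth.ip)) {
            this.logger.info("authenticate", LogGroup.SECURITY, new SimpleMessage("Attempt to authenticate user {0} failed, local full access is enabled but IP {1} is a remote address."), auth.name, auth.ip);
            return null;
        }
        try {
            auth.name = DefaultUserNames.ADMIN_USER;
            return this.dbCredentialLogin.forceCreateAndAuthenticateAdmin(auth);
        } catch (AuthenticationException e) {
            this.logger.info("authenticate", LogGroup.SECURITY, new SimpleMessage("Failed forced authentication as administrator for user {0} with local full access enabled."), auth.name);
            if (rethrowWhenNoDirectoryProvider && !this.adCredentialLogin.isEnabled() && !this.ldapCredentialLogin.isEnabled()) {
                throw e;
            }
            return null;
        }
    }

    /**
     * Synchronises the policy-based users with the Java policy file.
     *
     * <p>With policy-based permissions disabled, all registered policy users are removed and the
     * cached policy state is reset. Otherwise, whenever the policy file changed since the last run
     * ({@link #policyFileChanged()}): re-probe for an ALL-permission grant, fetch the permission
     * entries via {@code sm_setup get_policy}, and replay them into the database (one entry per
     * line in the form {@code "<user>" "<host>" "<permission>"}; a {@code *} user denotes a default
     * policy user). With local full access on, every local address is additionally granted to the
     * {@code admin} default policy user.
     *
     * <p>Serialised by {@link #policyCheckLock}; {@link ServiceException}s are logged and swallowed
     * so a database problem does not turn every login into an error, other exceptions propagate.
     */
    private void checkPolicyUsers() {
        this.policyCheckLock.lock();
        try {
            ConsistencyCheckService consistencyCheckService = (ConsistencyCheckService) SpringUtils.getBean(ConsistencyCheckService.class);
            if (!param.policyBasedPermissions) {
                this.logger.debug("checkPolicyUsers", LogGroup.SECURITY, new SimpleMessage("Policy based permissions are disabled. Removing all registered policy users."), new Object[0]);
                consistencyCheckService.removeAllPolicyUsersBut(null);
                consistencyCheckService.cleanUser(DefaultUserNames.ADMIN_USER);
                this.allPermissionPolicySet = false;
                // Forces a full reload should policy-based permissions be switched back on.
                this.policyFileMtime = -1L;
                return;
            }
            if (!policyFileChanged()) {
                return;
            }
            try {
                this.logger.info("checkPolicyUsers", LogGroup.SECURITY, new SimpleMessage("Checking for all permissions policy in sm_java.policy"), new Object[0]);
                Policy.getPolicy().refresh();
                this.securityManager.checkPermission(new AllPermission());
                this.allPermissionPolicySet = true;
                this.logger.info("checkPolicyUsers", LogGroup.SECURITY, new SimpleMessage("Found all permission policy set"), new Object[0]);
            } catch (SecurityException e) {
                this.allPermissionPolicySet = false;
            }
            String policyEntries = "";
            try {
                this.logger.info("checkPolicyUsers", LogGroup.SECURITY, new SimpleMessage("Loading SEP server permissions from sm_java.policy"), new Object[0]);
                String retVal = new RemoteAccessNew(true).executeSMSetup(true, "get_policy", null, null, null, null, null, null).getRetVal();
                if (retVal != null) {
                    policyEntries = retVal.replaceAll("\r\n", "\n");
                }
            } catch (ServiceException e2) {
                this.logger.error("checkPolicyUsers", LogGroup.SECURITY, new SimpleMessage("Failed to load SEP server permissions from sm_java.policy. Possible cause: {0}"), e2.getMessage());
            }
            consistencyCheckService.checkPolicyGroups(param);
            consistencyCheckService.removeAllHostsFromDefaultPolicyUsers();
            // Users that survive removeAllPolicyUsersBut(): the four defaults plus every user named in the policy.
            ArrayList<String> keptUsers = new ArrayList<>();
            keptUsers.add(param.defaultAdminUser);
            keptUsers.add(param.defaultOperatorUser);
            keptUsers.add(param.defaultRestoreUser);
            keptUsers.add(param.defaultBackupUser);
            StringTokenizer lines = new StringTokenizer(policyEntries, "\n");
            while (lines.hasMoreTokens()) {
                String line = lines.nextToken();
                int first = line.indexOf("\" \"");
                int last = line.lastIndexOf("\" \"");
                // Expected shape: "<user>" "<host>" "<permission>". A line without two field
                // separators (or a truncated last field) would make the substring() calls below
                // throw and abort the synchronisation half-way — including the login that
                // triggered it — so such a line is logged and skipped instead.
                if (first < 1 || last < first + 3 || line.length() - 1 < last + 3) {
                    this.logger.error("checkPolicyUsers", LogGroup.SECURITY, new SimpleMessage("Ignoring malformed permission entry {0} in sm_java.policy"), line);
                    continue;
                }
                String user = line.substring(1, first);
                String host = line.substring(first + 3, last);
                String permission = line.substring(last + 3, line.length() - 1);
                this.logger.info("checkPolicyUsers", LogGroup.SECURITY, new SimpleMessage("Found permission entry {0}@{1}:{2}"), user, host, permission);
                if (user.equals("*")) {
                    consistencyCheckService.addHostToDefaultPolicyUser(permission, host);
                } else {
                    if (!keptUsers.contains(user)) {
                        consistencyCheckService.cleanUser(user);
                    }
                    consistencyCheckService.checkPolicyUser(user, host, permission);
                    keptUsers.add(user);
                }
            }
            consistencyCheckService.removeAllPolicyUsersBut(keptUsers);
            if (param.localFullAccess) {
                dnsLock.lock();
                try {
                    for (String localIp : localIps) {
                        consistencyCheckService.addHostToDefaultPolicyUser("admin", localIp);
                    }
                } finally {
                    dnsLock.unlock();
                }
            }
        } catch (ServiceException e3) {
            this.logger.error("checkPolicyUsers", e3, new Object[0]);
        } finally {
            this.policyCheckLock.unlock();
        }
    }

    /**
     * Records and reports whether the policy file named by the {@code java.security.policy}
     * system property changed since the last synchronisation. Must be called with
     * {@link #policyCheckLock} held; the first call after start-up (or after policy-based
     * permissions were toggled back on) reports a change if the file exists.
     *
     * <p>The new modification time is recorded before the synchronisation runs, so a run that
     * fails half-way is not retried until the file is touched again.
     * NOTE(review): a property given in override form ({@code ==<path>}) starts with '=' and never
     * names an existing file, so the policy would never be (re)loaded here — confirm how the
     * server launcher sets this property.
     *
     * @return {@code true} if the file exists and is new or newer than the recorded time
     */
    private boolean policyFileChanged() {
        String policyPath = System.getProperty("java.security.policy");
        if (policyPath == null) {
            return false;
        }
        File policyFile = new File(policyPath);
        if (!policyFile.isFile()) {
            return false;
        }
        long mtime = policyFile.lastModified();
        if (this.policyFileMtime != -1 && mtime <= this.policyFileMtime) {
            return false;
        }
        this.policyFileMtime = mtime;
        return true;
    }

    /** @return the current server configuration object (never null after class load) */
    public static final GUIServerParam getParams() {
        return param;
    }

    /** @return whether credential checks are enabled in the server configuration */
    public static final boolean isAuthEnabled() {
        return param != null && param.authEnabled;
    }

    /** @return whether permissions are driven by the Java policy file */
    public static final boolean isPolicyBasedPermissions() {
        return param != null && param.policyBasedPermissions;
    }

    /** @return whether requests from this host's own addresses may be promoted to administrator */
    public static final boolean isLocalFullAccess() {
        return param != null && param.localFullAccess;
    }

    /** @return result of the last ALL-permission probe of the Java policy (see {@link #checkPolicyUsers()}) */
    @Override
    public final boolean isAllPermissionPolicySet() {
        return this.allPermissionPolicySet;
    }

    /**
     * @return a snapshot of this host's known names; taken under {@link #dnsLock} so it cannot
     *         observe the background lookup half-way through
     */
    public static final String[] getLocalNames() {
        dnsLock.lock();
        try {
            return localNames.toArray(new String[localNames.size()]);
        } finally {
            dnsLock.unlock();
        }
    }

    @Override
    public ContextLogger logger() {
        return this.logger;
    }

    /** Replaces the server configuration used by all instances and static helpers. */
    public static void setParam(GUIServerParam gUIServerParam) {
        param = gUIServerParam;
    }

    /**
     * {@code true} if the current Spring-Security principal is an authenticated
     * {@link SessionContext} whose IP is local ({@link #isLocal(String)}) and which holds
     * {@code SessionContext.SKIPRIGHT_AUTH}. Judging by its name, callers use this to skip
     * per-right authorisation for such local sessions.
     */
    public static boolean allowAll() {
        SessionContext sessionContext = (SessionContext) SecurityContextHolder.getContext().getAuthentication();
        if (sessionContext == null || !sessionContext.isAuthenticated() || !isLocal(sessionContext.getIp())) {
            return false;
        }
        return sessionContext.hasAnyPermission(SessionContext.SKIPRIGHT_AUTH);
    }

    /**
     * Whether {@code str} is one of this host's own addresses — an exact string match against the
     * table filled at class load (loopback literals plus {@code InetAddress.getHostAddress()} of
     * every interface address, so e.g. IPv6 scope ids must match and no port may be attached).
     *
     * <p>Security note: local-full-access and {@link #allowAll()} are built on this, so the value
     * must come from the accepted connection on the server side, never from a client-supplied
     * header or body field. NOTE(review): where the REST layer fills {@code SEPAuthentication.ip}
     * is not visible here — confirm it is the peer address (not e.g. X-Forwarded-For).
     *
     * <p>Blocks while the background address lookup holds {@code dnsLock}; an address not (yet)
     * in the table yields {@code false}, i.e. the check fails closed.
     */
    public static final boolean isLocal(String str) {
        dnsLock.lock();
        try {
            return localIps.contains(str);
        } finally {
            dnsLock.unlock();
        }
    }

    static {
        dnsThread = new Thread(new Runnable() {
            @Override
            public void run() {
                // The whole enumeration, including the reverse DNS lookups for the host names,
                // runs under dnsLock: isLocal() callers wait until the table is complete.
                LoginServiceImpl.dnsLock.lock();
                try {
                    LoginServiceImpl.localIps.add("127.0.0.1");
                    LoginServiceImpl.localIps.add("::1");
                    LoginServiceImpl.localIps.add("0:0:0:0:0:0:0:1");
                    Enumeration<NetworkInterface> interfaces = NetworkInterface.getNetworkInterfaces();
                    // getNetworkInterfaces() is documented to return null when no interfaces exist.
                    while (interfaces != null && interfaces.hasMoreElements()) {
                        Enumeration<InetAddress> addresses = interfaces.nextElement().getInetAddresses();
                        while (addresses.hasMoreElements()) {
                            InetAddress address = addresses.nextElement();
                            LoginServiceImpl.localIps.add(address.getHostAddress());
                            LoginServiceImpl.localNames.add(address.getHostName());
                            String canonical = address.getCanonicalHostName();
                            LoginServiceImpl.localNames.add(canonical);
                            // Also register the short host name, unless the "canonical name" is
                            // just the dotted address because reverse lookup failed.
                            int dot = canonical.indexOf('.');
                            if (dot != -1 && !canonical.matches("[0-9.]+")) {
                                LoginServiceImpl.localNames.add(canonical.substring(0, dot));
                            }
                        }
                    }
                } catch (SocketException ignored) {
                    // Interface enumeration failed: keep what was collected (at least the loopback
                    // literals), so isLocal() still recognises loopback connections.
                } finally {
                    LoginServiceImpl.dnsLock.unlock();
                }
            }
        });
        dnsThread.start();
    }
}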
