package de.sep.sesam.restapi.service.impl;

import de.sep.sesam.common.ini.IniUtils;
import de.sep.sesam.common.logging.ContextLogger;
import de.sep.sesam.common.logging.LogGroup;
import de.sep.sesam.common.logging.RecurringLogFilter;
import de.sep.sesam.common.logging.interfaces.IContextLoggerProvider;
import de.sep.sesam.common.logging.messages.SimpleMessage;
import de.sep.sesam.common.util.HostUtils;
import de.sep.sesam.model.Credentials;
import de.sep.sesam.model.Groups;
import de.sep.sesam.model.UserAllowedHosts;
import de.sep.sesam.model.Users;
import de.sep.sesam.model.auth.dto.LoginDto;
import de.sep.sesam.model.core.defaults.DefaultGroupNames;
import de.sep.sesam.model.core.defaults.DefaultRoleNames;
import de.sep.sesam.model.core.defaults.DefaultUserNames;
import de.sep.sesam.model.dto.GroupsDto;
import de.sep.sesam.model.type.UserOrigin;
import de.sep.sesam.rest.exceptions.AuthenticationException;
import de.sep.sesam.rest.exceptions.ServiceException;
import de.sep.sesam.restapi.authentication.AbstractExternalCredentialsLogin;
import de.sep.sesam.restapi.authentication.ActiveDirectoryCredentialsLogin;
import de.sep.sesam.restapi.authentication.DatabaseCredentialsLogin;
import de.sep.sesam.restapi.authentication.LDAPCredentialsLogin;
import de.sep.sesam.restapi.authentication.SessionContext;
import de.sep.sesam.restapi.authentication.SessionHandler;
import de.sep.sesam.restapi.dao.CredentialsDaoServer;
import de.sep.sesam.restapi.dao.DaoAccessor;
import de.sep.sesam.restapi.dao.GroupsDaoServer;
import de.sep.sesam.restapi.dao.RolesDaoServer;
import de.sep.sesam.restapi.dao.UserAllowedHostsDaoServer;
import de.sep.sesam.restapi.dao.UserGroupRelationsDaoServer;
import de.sep.sesam.restapi.dao.UsersDaoServer;
import de.sep.sesam.restapi.dao.login.LoginService;
import de.sep.sesam.restapi.dao.login.LoginServiceServer;
import de.sep.sesam.restapi.service.ConsistencyCheckService;
import de.sep.sesam.server.impl.GUIServerParam;
import de.sep.sesam.ui.images.Overlays;
import java.io.File;
import java.net.InetAddress;
import java.net.NetworkInterface;
import java.net.SocketException;
import java.security.AllPermission;
import java.security.Policy;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.StringTokenizer;
import java.util.concurrent.locks.ReentrantLock;
import java.util.stream.Collectors;
import org.apache.commons.collections4.CollectionUtils;
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.text.lookup.StringLookupFactory;
import org.springframework.aop.framework.autoproxy.target.QuickTargetSourceCreator;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Service;

@Service
/* loaded from: input_file:de/sep/sesam/restapi/service/impl/LoginServiceImpl.class */
public class LoginServiceImpl implements IContextLoggerProvider, LoginServiceServer {

    // DB-backed login provider; also used to force-create the built-in admin session.
    @Autowired
    private DatabaseCredentialsLogin dbCredentialLogin;

    // Accessor for the DAO layer (users, groups, roles, credentials, remote access).
    @Autowired
    private DaoAccessor daos;

    // Used to look up / create users by name (see verifyPolicyUser).
    @Autowired
    private ConsistencyCheckService consistencyCheckService;
    // Local addresses / host names; presumably filled by dnsThread (static initializer not in view) and read by isLocal().
    private static final Set<String> localIps;
    private static final Set<String> localNames;
    // Serialises checkPolicyUsers() and checkExternalAuthenticationSources(); both lock it for their whole body.
    private static final ReentrantLock checkLock;
    // True when the JVM policy grants AllPermission to this code (probed in initialize() and checkPolicyUsers()).
    private boolean allPermissionPolicySet;
    // Path of the last policy file seen; a changed path resets policyFileMtime so the file is re-read.
    private String policyFileName;
    // Not referenced in the part of the class that is in view.
    private static boolean unitTestMode;
    // Server configuration (authEnabled, policyBasedPermissions, localFullAccess, default user names); assigned outside this view.
    private static GUIServerParam param;
    // Not referenced in the part of the class that is in view.
    private static final ReentrantLock dnsLock;
    private static final Thread dnsThread;
    // Decompiler artefact backing Java 'assert' statements; do not reference directly.
    static final /* synthetic */ boolean $assertionsDisabled;
    private final ContextLogger logger = new ContextLogger(LoginService.class);
    // Enabled AD/LDAP login providers, rebuilt from the credentials table by checkExternalAuthenticationSources().
    private final List<AbstractExternalCredentialsLogin> externalLoginSources = new ArrayList();
    // Last-modified timestamp of the policy file at the time it was last parsed; -1 forces a (re)parse.
    private long policyFileMtime = -1;
    // Only used to probe for AllPermission; SecurityManager/Policy are deprecated for removal since Java 17.
    private final SecurityManager securityManager = new SecurityManager();

    /**
     * Probes once at start-up whether the installed JVM policy grants {@link AllPermission} to
     * this code and records the outcome in {@code allPermissionPolicySet}.
     * The {@link Policy} is refreshed first so a freshly edited sm_java.policy is honoured.
     * {@code SecurityManager} and {@code Policy} are deprecated for removal since Java 17; this
     * probe stops working once they are removed from the runtime.
     */
    @Override // de.sep.sesam.restapi.dao.login.LoginServiceServer
    public void initialize() {
        boolean granted;
        try {
            this.logger.info("initialize", LogGroup.SECURITY, new SimpleMessage("Checking for all permissions policy in sm_java.policy"), new Object[0]);
            Policy.getPolicy().refresh();
            // checkPermission throws SecurityException when AllPermission is not granted.
            this.securityManager.checkPermission(new AllPermission());
            granted = true;
        } catch (SecurityException notGranted) {
            granted = false;
        }
        this.allPermissionPolicySet = granted;
        if (granted) {
            this.logger.info("initialize", LogGroup.SECURITY, new SimpleMessage("Found all permission policy set"), new Object[0]);
        }
    }

    /**
     * Authenticates a login request and returns the id of the created session.
     * <p>
     * Resolution order, as implemented below:
     * <ol>
     *   <li>Credential-less request (no secret, no certificate, not pre-authenticated), or
     *       authentication globally disabled, or {@code z} set: fall back to the built-in admin
     *       account, to a policy user, or to "local full access" for requests from a local IP.</li>
     *   <li>Pre-authenticated request without credentials: the user only has to be known in the DB.</li>
     *   <li>Request carrying a secret or certificate: DB login first, then each enabled external
     *       (AD/LDAP) source in list order, then the local-full-access fallback.</li>
     * </ol>
     * Every attempt is logged to the SECURITY log group; a final failure is reported as
     * {@code CREDENTIALS_INVALID}.
     *
     * @param loginDto the login request (user name, secret/certificate, client IP, pre-authenticated flag); must not be {@code null}
     * @param z        when {@code true} an administrator session is created without checking credentials
     *                 (see the {@code forceCreateAndAuthenticateAdmin} branch); its meaning is not
     *                 visible here — NOTE(review): confirm at the call sites that it is never derived
     *                 from request data
     * @return the session id registered with {@link SessionHandler}
     * @throws AuthenticationException when no authentication method accepts the request
     */
    @Override // de.sep.sesam.restapi.dao.login.LoginService
    public String authenticate(LoginDto loginDto, boolean z) throws AuthenticationException {
        if (!$assertionsDisabled && loginDto == null) {
            throw new AssertionError();
        }
        // Presumably suspends recurring-message suppression for this login; paired with done() in both exits below.
        RecurringLogFilter.skip();
        this.logger.info("authenticate", LogGroup.SECURITY, new SimpleMessage("Login request of user {0} from {1} (policy based = {2}, authEnabled = {3}, local full access = {4}, all permission = {5})"), loginDto.getUsername(), loginDto.getIp(), Boolean.valueOf(param.policyBasedPermissions), Boolean.valueOf(param.authEnabled), Boolean.valueOf(param.localFullAccess), Boolean.valueOf(this.allPermissionPolicySet));
        try {
            try {
                // Refresh policy users and external sources before every login so configuration changes take effect immediately.
                checkPolicyUsers();
                checkExternalAuthenticationSources();
                SessionContext sessionContext = null;
                // Branch 1: no credentials at all, or authentication disabled, or forced admin (z) without pre-authentication.
                if ((StringUtils.isBlank(loginDto.getSecret()) && loginDto.getCertificate() == null && !Boolean.TRUE.equals(loginDto.getPreAuthenticated())) || !param.authEnabled || (z && !Boolean.TRUE.equals(loginDto.getPreAuthenticated()))) {
                    // Authentication and policy permissions both off: every caller becomes the default admin.
                    if (!param.authEnabled && !param.policyBasedPermissions) {
                        loginDto.setUsername(DefaultUserNames.ADMIN_USER);
                        sessionContext = this.dbCredentialLogin.forceCreateAndAuthenticateAdmin(loginDto);
                    } else if (z) {
                        sessionContext = this.dbCredentialLogin.forceCreateAndAuthenticateAdmin(loginDto);
                    } else if (StringUtils.isNotEmpty(loginDto.getUsername()) && param.policyBasedPermissions) {
                        // Policy-based permissions: first try the request's user name as a DB/policy user ...
                        try {
                            sessionContext = this.dbCredentialLogin.createAndAuthenticateUser(loginDto);
                        } catch (AuthenticationException e) {
                            this.logger.info("authenticate", LogGroup.SECURITY, new SimpleMessage("DB based authentication method failed for user {0}."), loginDto.getUsername());
                        }
                        if (sessionContext == null) {
                            // ... then, only if the JVM policy grants AllPermission, fall back to a forced admin session.
                            if (this.allPermissionPolicySet) {
                                try {
                                    loginDto.setUsername(DefaultUserNames.ADMIN_USER);
                                    sessionContext = this.dbCredentialLogin.forceCreateAndAuthenticateAdmin(loginDto);
                                } catch (AuthenticationException e2) {
                                    this.logger.info("authenticate", LogGroup.SECURITY, new SimpleMessage("Failed forced authentication as administrator for user {0} with ALL permission set."), loginDto.getUsername());
                                }
                            } else {
                                this.logger.info("authenticate", LogGroup.SECURITY, new SimpleMessage("Attempt to authenticate user {0} failed and ALL permission is not set."), loginDto.getUsername());
                            }
                        }
                    }
                    // Local full access: a request from a local address is upgraded to an admin session.
                    // NOTE(review): isLocal() decides on loginDto.getIp(); this is only safe if that value is taken
                    // from the transport layer and never from a client-controlled header — cannot be verified here.
                    if (sessionContext == null) {
                        if (!param.localFullAccess) {
                            this.logger.info("authenticate", LogGroup.SECURITY, new SimpleMessage("Attempt to authenticate user {0} failed and local full access is disabled."), loginDto.getUsername());
                        } else if (isLocal(loginDto.getIp())) {
                            try {
                                loginDto.setUsername(DefaultUserNames.ADMIN_USER);
                                sessionContext = this.dbCredentialLogin.forceCreateAndAuthenticateAdmin(loginDto);
                            } catch (AuthenticationException e3) {
                                this.logger.info("authenticate", LogGroup.SECURITY, new SimpleMessage("Failed forced authentication as administrator for user {0} with local full access enabled."), loginDto.getUsername());
                                // Swallow the failure only when an enabled external source exists, so branch 3 below
                                // can still be tried (reachable when z is set and a secret/certificate is present).
                                if (!(this.externalLoginSources.stream().filter((v0) -> {
                                    return v0.isEnabled();
                                }).count() > 0)) {
                                    throw e3;
                                }
                            }
                        } else {
                            this.logger.info("authenticate", LogGroup.SECURITY, new SimpleMessage("Attempt to authenticate user {0} failed, local full access is enabled but IP {1} is a remote address."), loginDto.getUsername(), loginDto.getIp());
                        }
                    }
                }
                // Branch 2: externally pre-authenticated request without credentials — the user only has to exist in the DB.
                if (sessionContext == null && StringUtils.isBlank(loginDto.getSecret()) && loginDto.getCertificate() == null && param.authEnabled && Boolean.TRUE.equals(loginDto.getPreAuthenticated())) {
                    try {
                        sessionContext = this.dbCredentialLogin.createAndAuthenticateUser(loginDto);
                    } catch (AuthenticationException e4) {
                        this.logger.info("authenticate", LogGroup.SECURITY, new SimpleMessage("User {0} marked to be pre-authenticated by an external instance, but DB based authentication method failed."), loginDto.getUsername());
                    }
                }
                // Branch 3: secret or certificate supplied — DB login, then the enabled external sources in list order.
                if (sessionContext == null && ((StringUtils.isNotBlank(loginDto.getSecret()) || loginDto.getCertificate() != null) && param.authEnabled)) {
                    // Remembers the most recent failure so the caller gets a concrete reason instead of the generic one.
                    AuthenticationException authenticationException = null;
                    try {
                        sessionContext = this.dbCredentialLogin.createAndAuthenticateUser(loginDto);
                    } catch (AuthenticationException e5) {
                        this.logger.info("authenticate", LogGroup.SECURITY, new SimpleMessage("DB based authentication method failed for user {0}."), loginDto.getUsername());
                        authenticationException = e5;
                    }
                    if (sessionContext == null) {
                        // Iterates over a snapshot; presumably because checkExternalAuthenticationSources() may rebuild the list.
                        for (AbstractExternalCredentialsLogin abstractExternalCredentialsLogin : (AbstractExternalCredentialsLogin[]) this.externalLoginSources.toArray(new AbstractExternalCredentialsLogin[0])) {
                            if (abstractExternalCredentialsLogin.isEnabled()) {
                                try {
                                    sessionContext = abstractExternalCredentialsLogin.createAndAuthenticateUser(loginDto);
                                } catch (AuthenticationException e6) {
                                    this.logger.info("authenticate", LogGroup.SECURITY, new SimpleMessage(abstractExternalCredentialsLogin.getCredentialsType() + " based authentication method failed for user {0}."), loginDto.getUsername());
                                    authenticationException = e6;
                                }
                                if (sessionContext != null) {
                                    break;
                                }
                            }
                        }
                    }
                    if (sessionContext == null) {
                        // Same local-full-access fallback as in branch 1 (see the NOTE on isLocal() above).
                        if (!param.localFullAccess) {
                            this.logger.info("authenticate", LogGroup.SECURITY, new SimpleMessage("Attempt to authenticate user {0} failed and local full access is disabled."), loginDto.getUsername());
                        } else if (isLocal(loginDto.getIp())) {
                            try {
                                loginDto.setUsername(DefaultUserNames.ADMIN_USER);
                                sessionContext = this.dbCredentialLogin.forceCreateAndAuthenticateAdmin(loginDto);
                            } catch (AuthenticationException e7) {
                                this.logger.info("authenticate", LogGroup.SECURITY, new SimpleMessage("Failed forced authentication as administrator for user {0} with local full access enabled."), loginDto.getUsername());
                            }
                        } else {
                            this.logger.info("authenticate", LogGroup.SECURITY, new SimpleMessage("Attempt to authenticate user {0} failed, local full access is enabled but IP {1} is a remote address."), loginDto.getUsername(), loginDto.getIp());
                        }
                        if (sessionContext == null && authenticationException != null) {
                            throw authenticationException;
                        }
                    }
                }
                // Nothing accepted the request and no specific failure was recorded.
                if (sessionContext == null) {
                    this.logger.error("authenticate", LogGroup.SECURITY, AuthenticationException.AuthMessage.CREDENTIALS_INVALID, loginDto.getUsername());
                    throw new AuthenticationException(AuthenticationException.AuthMessage.CREDENTIALS_INVALID, loginDto.getUsername());
                }
                String put = SessionHandler.put(sessionContext);
                this.logger.info("authenticate", LogGroup.SECURITY, new SimpleMessage("User {1} logged in with session {0} from {2}"), put, loginDto.getUsername(), loginDto.getIp());
                RecurringLogFilter.done();
                return put;
            } catch (Exception e8) {
                // Authentication failures were already logged where they occurred; anything else is unexpected.
                if (!(e8 instanceof AuthenticationException)) {
                    this.logger.error("authenticate", e8, new Object[0]);
                }
                // Precise rethrow: the compiler knows e8 is either AuthenticationException or unchecked.
                throw e8;
            }
        } catch (Throwable th) {
            // Decompiled 'finally': always balance the skip() above.
            RecurringLogFilter.done();
            throw th;
        }
    }

    /**
     * Synchronises the DB users/groups with the entries of the Java policy file (sm_java.policy).
     * <p>
     * With policy-based permissions enabled the policy output of {@code sm_setup get_policy} is
     * re-read only when the policy file's modification time has increased, the file path changed,
     * or {@link #checkPolicyUserGroupRelations()} reports a change. Each line is expected in the
     * form {@code "user" "host" "role"}; a user of {@code *} adds the host to the default policy
     * user of that role, any other user is (re)created and put into the group derived from the role.
     * Users not listed (and not one of the four configured defaults) are removed afterwards.
     * With policy-based permissions disabled all registered policy users are removed instead.
     * <p>
     * Runs under {@code checkLock}; a {@link ServiceException} is logged and swallowed, any other
     * throwable is propagated to the caller.
     */
    private void checkPolicyUsers() {
        this.logger.start("checkPolicyUsers", new Object[0]);
        checkLock.lock();
        try {
            try {
                if (param.policyBasedPermissions) {
                    boolean checkPolicyUserGroupRelations = checkPolicyUserGroupRelations();
                    // z: whether the policy file has to be (re)parsed.
                    boolean z = false;
                    String policyFilePath = IniUtils.getPolicyFilePath();
                    this.logger.debug("checkPolicyUsers", "Policy file: {0}", policyFilePath);
                    if (!StringUtils.isNotBlank(this.policyFileName)) {
                        this.policyFileName = policyFilePath;
                    } else if (!StringUtils.equals(this.policyFileName, policyFilePath)) {
                        // A different file path invalidates the cached mtime so the new file is parsed.
                        this.logger.debug("checkPolicyUsers", "Policy file name changed. Resetting.", new Object[0]);
                        this.policyFileMtime = -1L;
                        this.policyFileName = policyFilePath;
                    }
                    if (policyFilePath != null) {
                        File file = new File(policyFilePath);
                        if (file.isFile()) {
                            this.logger.debug("checkPolicyUsers", "policyFileMtime = {0}, policyFile.lastModified() = {1}", Long.valueOf(this.policyFileMtime), Long.valueOf(file.lastModified()));
                            // First run, or the file was modified after the last parse (mtime strictly greater).
                            if (this.policyFileMtime == -1) {
                                z = true;
                                this.policyFileMtime = file.lastModified();
                            } else if (file.lastModified() > this.policyFileMtime) {
                                z = true;
                                this.policyFileMtime = file.lastModified();
                            }
                        } else {
                            this.logger.debug("checkPolicyUsers", "Policy file does not exist or is not a file.", new Object[0]);
                        }
                    }
                    if (!z && !checkPolicyUserGroupRelations) {
                        this.logger.debug("checkPolicyUsers", new SimpleMessage("Dropping out because policy file didn't changed."), new Object[0]);
                        checkLock.unlock();
                        this.logger.success("checkPolicyUsers", new Object[0]);
                        return;
                    }
                    // Re-probe AllPermission after the policy changed (same probe as in initialize()).
                    try {
                        this.logger.info("checkPolicyUsers", LogGroup.SECURITY, new SimpleMessage("Checking for all permissions policy in sm_java.policy"), new Object[0]);
                        Policy.getPolicy().refresh();
                        this.securityManager.checkPermission(new AllPermission());
                        this.allPermissionPolicySet = true;
                        this.logger.info("checkPolicyUsers", LogGroup.SECURITY, new SimpleMessage("Found all permission policy set"), new Object[0]);
                    } catch (SecurityException e) {
                        this.allPermissionPolicySet = false;
                    }
                    // NOTE(review): if get_policy fails, str stays empty and the code below still runs, so
                    // removeAllPolicyUsersBut() is reached with only the four default users — a transient
                    // failure of the command appears to remove every other policy user. Confirm this is intended.
                    String str = "";
                    try {
                        this.logger.info("checkPolicyUsers", LogGroup.SECURITY, new SimpleMessage("Loading SEP server permissions from sm_java.policy"), new Object[0]);
                        str = executeSMSetupGetPolicy().replaceAll("\r\n", "\n");
                    } catch (ServiceException e2) {
                        this.logger.error("checkPolicyUsers", LogGroup.SECURITY, new SimpleMessage("Failed to load SEP server permissions from sm_java.policy. Cause: {0}"), e2.getMessage());
                    }
                    checkPolicyGroups(param);
                    removeAllHostsFromDefaultPolicyUsers();
                    // Users that must survive removeAllPolicyUsersBut(): the defaults plus every user named in the policy.
                    ArrayList arrayList = new ArrayList();
                    arrayList.add(param.defaultAdminUser);
                    arrayList.add(param.defaultOperatorUser);
                    arrayList.add(param.defaultRestoreUser);
                    arrayList.add(param.defaultBackupUser);
                    StringTokenizer stringTokenizer = new StringTokenizer(str, "\n");
                    while (stringTokenizer.hasMoreTokens()) {
                        String nextToken = stringTokenizer.nextToken();
                        // Expected line layout: "user" "host" "role" — split at the first and last '" "' separator.
                        // A line without that separator makes substring() throw StringIndexOutOfBoundsException,
                        // which is not a ServiceException and therefore aborts the whole check (and the login).
                        int indexOf = nextToken.indexOf("\" \"");
                        int lastIndexOf = nextToken.lastIndexOf("\" \"");
                        String substring = nextToken.substring(1, indexOf);
                        String substring2 = nextToken.substring(indexOf + 3, lastIndexOf);
                        String substring3 = nextToken.substring(lastIndexOf + 3, nextToken.length() - 1);
                        this.logger.info("checkPolicyUsers", LogGroup.SECURITY, new SimpleMessage("Found permission entry {0}@{1}:{2}"), substring, substring2, substring3);
                        if (substring.equals("*")) {
                            // Wildcard user: the host is granted to the default user of that role.
                            addHostToDefaultPolicyUser(substring3, substring2);
                        } else {
                            // Non-default users are reset (cleanUser) before being re-created from the policy entry.
                            if (!arrayList.contains(substring)) {
                                cleanUser(substring);
                            }
                            checkPolicyUser(substring, substring3);
                            addHostToUser(substring, substring2);
                            arrayList.add(substring);
                        }
                    }
                    removeAllPolicyUsersBut(arrayList);
                } else {
                    this.logger.debug("checkPolicyUsers", LogGroup.SECURITY, new SimpleMessage("Policy based permissions are disabled. Removing all registered policy users."), new Object[0]);
                    removeAllPolicyUsersBut(null);
                    cleanUser(DefaultUserNames.ADMIN_USER);
                    this.allPermissionPolicySet = false;
                    this.policyFileMtime = -1L;
                }
                checkLock.unlock();
                this.logger.success("checkPolicyUsers", new Object[0]);
            } catch (ServiceException e3) {
                // DAO failures are logged and swallowed; the login proceeds with the current DB state.
                this.logger.error("checkPolicyUsers", e3, new Object[0]);
                checkLock.unlock();
                this.logger.success("checkPolicyUsers", new Object[0]);
            }
        } catch (Throwable th) {
            // Decompiled 'finally' for the non-ServiceException path.
            checkLock.unlock();
            this.logger.success("checkPolicyUsers", new Object[0]);
            throw th;
        }
    }

    /**
     * Rebuilds {@code externalLoginSources} from the credentials of type AD or LDAP stored in the DB.
     * <p>
     * Providers whose credentials no longer exist are dropped, existing providers are kept (with
     * their credentials object refreshed) and new providers are created for new credentials. The
     * resulting list is ordered by {@link Credentials#rankSorter()}, which is the order in which
     * {@code authenticate()} tries the sources. With authentication disabled the list is cleared.
     * <p>
     * Runs under {@code checkLock}; a {@link ServiceException} is logged and swallowed.
     */
    private void checkExternalAuthenticationSources() {
        this.logger.start("checkExternalAuthenticationSources", new Object[0]);
        checkLock.lock();
        try {
            try {
                if (param.authEnabled) {
                    List<Credentials> internalGetAll = ((CredentialsDaoServer) this.daos.getService(CredentialsDaoServer.class)).internalGetAll();
                    if (internalGetAll == null) {
                        this.logger.debug("checkExternalAuthenticationSources", new SimpleMessage("Dropping out because no matching credentials are defined."), new Object[0]);
                        checkLock.unlock();
                        this.logger.success("checkExternalAuthenticationSources", new Object[0]);
                        return;
                    }
                    // Only AD and LDAP credentials back an external login source.
                    List list = (List) internalGetAll.stream().filter(credentials -> {
                        return UserOrigin.AD.name().equals(credentials.getType()) || UserOrigin.LDAP.name().equals(credentials.getType());
                    }).collect(Collectors.toList());
                    if (list == null || list.isEmpty()) {
                        // NOTE: dropping out here keeps any previously registered sources; they are not cleared.
                        this.logger.debug("checkExternalAuthenticationSources", new SimpleMessage("Dropping out because no matching credentials are defined."), new Object[0]);
                        checkLock.unlock();
                        this.logger.success("checkExternalAuthenticationSources", new Object[0]);
                        return;
                    } else {
                        List list2 = (List) list.stream().map((v0) -> {
                            return v0.getId();
                        }).collect(Collectors.toList());
                        // Drop providers whose credentials were deleted (or that never had any).
                        this.externalLoginSources.removeAll((List) this.externalLoginSources.stream().filter(abstractExternalCredentialsLogin -> {
                            return abstractExternalCredentialsLogin.getCredentials() == null || !list2.contains(abstractExternalCredentialsLogin.getCredentials().getId());
                        }).collect(Collectors.toList()));
                        // Index the surviving providers by credentials id so they can be reused below.
                        Map map = (Map) this.externalLoginSources.stream().collect(Collectors.groupingBy(abstractExternalCredentialsLogin2 -> {
                            return abstractExternalCredentialsLogin2.getCredentials().getId();
                        }));
                        this.externalLoginSources.clear();
                        // Rank order determines the order in which authenticate() tries the sources.
                        list.sort(Credentials.rankSorter());
                        list.forEach(credentials2 -> {
                            List list3 = (List) map.get(credentials2.getId());
                            if (list3 != null && !list3.isEmpty() && list3.get(0) != null) {
                                // Exactly one provider per credentials id is expected; reuse it with the fresh credentials.
                                if (!$assertionsDisabled && list3.size() != 1) {
                                    throw new AssertionError();
                                }
                                AbstractExternalCredentialsLogin abstractExternalCredentialsLogin3 = (AbstractExternalCredentialsLogin) list3.get(0);
                                if (!$assertionsDisabled && abstractExternalCredentialsLogin3 == null) {
                                    throw new AssertionError();
                                }
                                abstractExternalCredentialsLogin3.setCredentials(credentials2);
                                this.externalLoginSources.add(abstractExternalCredentialsLogin3);
                                return;
                            }
                            // New credentials: create the matching provider. The two switches below are the
                            // decompiled form of a string switch on "AD" / "LDAP" (2083 == "AD".hashCode()).
                            AbstractExternalCredentialsLogin abstractExternalCredentialsLogin4 = null;
                            String type = credentials2.getType();
                            boolean z = -1;
                            switch (type.hashCode()) {
                                case 2083:
                                    if (type.equals("AD")) {
                                        z = false;
                                        break;
                                    }
                                    break;
                                case 2331559:
                                    if (type.equals("LDAP")) {
                                        z = true;
                                        break;
                                    }
                                    break;
                            }
                            switch (z) {
                                case false:
                                    abstractExternalCredentialsLogin4 = new ActiveDirectoryCredentialsLogin(credentials2);
                                    break;
                                case true:
                                    abstractExternalCredentialsLogin4 = new LDAPCredentialsLogin(credentials2);
                                    break;
                            }
                            if (abstractExternalCredentialsLogin4 != null) {
                                this.externalLoginSources.add(abstractExternalCredentialsLogin4);
                            }
                        });
                    }
                } else {
                    this.logger.debug("checkExternalAuthenticationSources", LogGroup.SECURITY, new SimpleMessage("DB based authentication is disabled. Removing all external authentication source providers."), new Object[0]);
                    this.externalLoginSources.clear();
                }
                checkLock.unlock();
                this.logger.success("checkExternalAuthenticationSources", new Object[0]);
            } catch (ServiceException e) {
                // DAO failures are logged and swallowed; the previous source list stays in effect.
                this.logger.error("checkExternalAuthenticationSources", e, new Object[0]);
                checkLock.unlock();
                this.logger.success("checkExternalAuthenticationSources", new Object[0]);
            }
        } catch (Throwable th) {
            // Decompiled 'finally' for the non-ServiceException path.
            checkLock.unlock();
            this.logger.success("checkExternalAuthenticationSources", new Object[0]);
            throw th;
        }
    }

    /**
     * Runs {@code sm_setup get_policy} through the remote-access facade and returns its raw output.
     *
     * @return the unparsed command output; {@code checkPolicyUsers()} splits it into one permission entry per line
     * @throws ServiceException when the command cannot be executed
     */
    private String executeSMSetupGetPolicy() throws ServiceException {
        assert this.daos != null;
        assert this.daos.getRemoteAccess() != null;
        return this.daos.getRemoteAccess()
                .executeSMSetup(true, "get_policy", null, null, null, null, null, null)
                .getRetVal();
    }

    /**
     * Ensures the policy user {@code str} exists and is a member of the group derived from role {@code str2}.
     *
     * @param str  policy user name
     * @param str2 role name from the policy entry
     * @throws ServiceException propagated from the group DAO
     */
    private void checkPolicyUser(String str, String str2) throws ServiceException {
        GroupsDaoServer groupsDao = (GroupsDaoServer) this.daos.getService(GroupsDaoServer.class);
        String groupName = findPolicyGroup(str, str2);
        Groups group = groupsDao.getByName(groupName);
        groupsDao.persistGroup(verifyPolicyUser(str, groupName, group));
    }

    /**
     * Maps a policy role name to the internal group a policy user belongs to.
     * <p>
     * {@code admin} maps to {@code SUPERUSER} for the built-in administrative accounts (default
     * admin user, {@code root}, sesam user) and to the ADMIN group for everybody else; the backup
     * and restore roles map to their groups; any other role maps to OPERATOR. Role comparison is
     * case-insensitive.
     *
     * @param str  policy user name
     * @param str2 role name from the policy entry; must not be blank
     * @return the group name
     */
    private String findPolicyGroup(String str, String str2) {
        assert StringUtils.isNotBlank(str2);
        if (str2.equalsIgnoreCase("admin")) {
            boolean builtInAdmin = StringUtils.equalsAny(str, DefaultUserNames.ADMIN_USER, "root", DefaultUserNames.SESAM_USER);
            return builtInAdmin ? "SUPERUSER" : DefaultGroupNames.ADMIN;
        }
        if (str2.equalsIgnoreCase(Overlays.BACKUP)) {
            return DefaultGroupNames.BACKUP;
        }
        if (str2.equalsIgnoreCase(Overlays.RESTORE)) {
            return DefaultGroupNames.RESTORE;
        }
        return DefaultGroupNames.OPERATOR;
    }

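    /**
     * Ensures the built-in policy groups and their default users exist and are enabled.
     * <p>
     * The ADMIN group is expected to exist already and only gets its default user verified. The
     * OPERATOR, RESTORE and BACKUP groups are created when missing (or re-enabled), their default
     * user is added and the group's role list is replaced by the single matching role.
     *
     * @param gUIServerParam server configuration providing the default user names; must not be {@code null}
     * @throws ServiceException propagated from the group/role DAOs
     */
    private void checkPolicyGroups(GUIServerParam gUIServerParam) throws ServiceException {
        assert gUIServerParam != null;
        GroupsDaoServer groupsDao = (GroupsDaoServer) this.daos.getService(GroupsDaoServer.class);
        // ADMIN is not created here; verifyPolicyUser asserts that the group was found.
        groupsDao.persistGroup(verifyPolicyUser(gUIServerParam.defaultAdminUser, DefaultGroupNames.ADMIN, groupsDao.getByName(DefaultGroupNames.ADMIN)));
        persistPolicyGroupWithRole(gUIServerParam.defaultOperatorUser, DefaultGroupNames.OPERATOR, "Automatically generated operator group", DefaultRoleNames.READ_ONLY_ROLE);
        persistPolicyGroupWithRole(gUIServerParam.defaultRestoreUser, DefaultGroupNames.RESTORE, "Automatically generated restore group", DefaultRoleNames.RESTORE_ROLE);
        persistPolicyGroupWithRole(gUIServerParam.defaultBackupUser, DefaultGroupNames.BACKUP, "Automatically generated backup group", DefaultRoleNames.BACKUP_ROLE);
    }

    /** Loads group {@code groupName}; creates it enabled with {@code comment} when missing, otherwise re-enables and updates it. */
    private Groups ensureEnabledPolicyGroup(String groupName, String comment) throws ServiceException {
        GroupsDaoServer groupsDao = (GroupsDaoServer) this.daos.getService(GroupsDaoServer.class);
        Groups group = groupsDao.getByName(groupName);
        if (group == null) {
            group = new Groups();
            group.setName(groupName);
            group.setUsercomment(comment);
            group.setEnabled(true);
            groupsDao.create(group);
        } else {
            group.setEnabled(true);
            groupsDao.update(group);
        }
        return group;
    }

    /** Ensures {@code userName} is a member of {@code groupName} and persists the group with {@code roleName} as its only role. */
    private void persistPolicyGroupWithRole(String userName, String groupName, String comment, String roleName) throws ServiceException {
        Groups group = ensureEnabledPolicyGroup(groupName, comment);
        GroupsDto dto = verifyPolicyUser(userName, groupName, group);
        // The DTO's role list is replaced, not merged: the group is persisted with exactly this one role.
        dto.setRoles(new ArrayList<>());
        dto.getRoles().add(((RolesDaoServer) this.daos.getService(RolesDaoServer.class)).getByName(roleName));
        ((GroupsDaoServer) this.daos.getService(GroupsDaoServer.class)).persistGroup(dto);
    }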

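    /**
     * Ensures the policy user {@code str} exists, is enabled and unlocked, and is listed as a
     * member of {@code groups}; returns the group details with the user added to the member list.
     * <p>
     * A missing user is created with an empty password, origin POLICY and host-based
     * authentication allowed; an existing user has those flags re-asserted on every call.
     *
     * @param str    user name from the policy file (or a configured default user name)
     * @param str2   policy group name; used for the generated user comment and the log line only
     * @param groups the persisted group the user must belong to; must not be {@code null}
     * @return the group's {@link GroupsDto} including the user in its user list (the caller persists it)
     * @throws ServiceException      propagated from the user/group DAO calls
     * @throws IllegalStateException when no details can be loaded for {@code groups}
     */
    private GroupsDto verifyPolicyUser(String str, String str2, Groups groups) throws ServiceException {
        assert StringUtils.isNotBlank(str2);
        assert groups != null;
        assert this.consistencyCheckService != null;
        Users policyUser = this.consistencyCheckService.getByNameInternal(str);
        if (policyUser == null) {
            policyUser = createNewPolicyUser(str, str2);
        } else {
            // Re-assert the expected state of a policy user on every check: enabled, unlocked,
            // host-based authentication allowed, flagged as originating from the java policy.
            policyUser.setEnabled(true);
            if (policyUser.getOrigin() == null) {
                policyUser.setOrigin(UserOrigin.POLICY);
            }
            policyUser.setAllowHostAuth(true);
            policyUser.setFromJavaPolicy(true);
            policyUser.setLocked(false);
            ((UsersDaoServer) this.daos.getService(UsersDaoServer.class)).update(policyUser);
        }
        GroupsDto details = ((GroupsDaoServer) this.daos.getService(GroupsDaoServer.class)).getDetails(groups.getId());
        if (details == null) {
            // Previously dereferenced unconditionally (NullPointerException); fail with a clear message instead.
            throw new IllegalStateException("No group details found for policy group " + str2 + " (id=" + groups.getId() + ")");
        }
        if (!containsUserByPk(details, policyUser)) {
            details.getUsers().add(policyUser);
        }
        return details;
    }

    /** Creates and persists a new, enabled policy user named {@code str} with an empty password; returns the persisted user. */
    private Users createNewPolicyUser(String str, String str2) throws ServiceException {
        Users users = new Users();
        users.setName(str);
        users.setEnabled(true);
        users.setPasswordExpired(false);
        // Policy users authenticate by host (see addHostToUser in checkPolicyUsers), not by password.
        users.setAllowHostAuth(true);
        users.setOrigin(UserOrigin.POLICY);
        users.setFromJavaPolicy(true);
        users.setPassword("");
        users.setUsercomment("Default " + str2 + " user from java_policy");
        // The password logged here is always the empty string set above; never extend this to a real secret.
        this.logger.warn("verifyPolicyUser", LogGroup.SECURITY, "GENERATED NEW POLICY " + str2 + " USER: name={0} password={1}", str, users.getPassword());
        users.setLocked(false);
        return this.consistencyCheckService.createUser(users);
    }

    /** Returns {@code true} when a user with the same primary key as {@code user} is already listed in {@code details}. */
    private static boolean containsUserByPk(GroupsDto details, Users user) {
        for (Users member : details.getUsers()) {
            if (user.getPK().equals(member.getPK())) {
                return true;
            }
        }
        return false;
    }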

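    /**
     * Checks whether every user with origin {@link UserOrigin#POLICY} still has at least one group association.
     * <p>
     * The first policy user without any group is reported to the security log and the check stops there.
     * DAO failures no longer pass silently: they are logged and treated like an empty result, so the method
     * still returns {@code false} (no reload) when the user list itself cannot be read.
     *
     * @return {@code true} if a policy user without group associations was found; the caller is expected to
     *         force a reload of the policy file in that case, as the logged message announces
     */
    private boolean checkPolicyUserGroupRelations() {
        List<Users> allUsers = null;
        try {
            allUsers = ((UsersDaoServer) this.daos.getService(UsersDaoServer.class)).getAll();
        } catch (ServiceException e) {
            // Previously swallowed. No logger overload taking a Throwable is visible here, so the message is
            // passed as an argument.
            this.logger.warn("checkPolicyUserGroupRelations", LogGroup.SECURITY, "Unable to load users while checking policy user group relations: {0}", e.getMessage());
        }
        if (CollectionUtils.isEmpty(allUsers)) {
            return false;
        }
        for (Users user : allUsers) {
            if (!UserOrigin.POLICY.equals(user.getOrigin())) {
                continue;
            }
            List<Groups> groupsOfUser = null;
            try {
                groupsOfUser = ((GroupsDaoServer) this.daos.getService(GroupsDaoServer.class)).getGroupsByUser(user);
            } catch (ServiceException e) {
                this.logger.warn("checkPolicyUserGroupRelations", LogGroup.SECURITY, "Unable to load groups of policy user {0}: {1}", user.getName(), e.getMessage());
            }
            if (CollectionUtils.isEmpty(groupsOfUser)) {
                this.logger.warn("checkPolicyUserGroupRelations", LogGroup.SECURITY, new SimpleMessage("Policy user ''{0}'' has not group associations. Forcing a reload of the policy file."), user.getName());
                return true;
            }
        }
        return false;
    }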

    /**
     * Allows host {@code str2} for the default policy user that belongs to role name {@code str}.
     * <p>
     * {@code str} is compared case-insensitively against {@code "admin"}, {@code "operator"},
     * {@link Overlays#RESTORE} and {@link Overlays#BACKUP} (the two {@code Overlays} constants appear to be
     * reused here purely as strings). The matching default user name from {@link #getParams()} is handed to
     * {@code addHostToUser}, which ignores a blank or unknown name. Nothing happens while no parameters are set.
     *
     * @param str  role name selecting one of the four default policy users; must not be blank
     * @param str2 host to allow for that user; must not be blank
     * @throws ServiceException if the allowed-host record cannot be created
     */
    private void addHostToDefaultPolicyUser(String str, String str2) throws ServiceException {
        if (!$assertionsDisabled && (!StringUtils.isNotBlank(str) || !StringUtils.isNotBlank(str2))) {
            throw new AssertionError();
        }
        GUIServerParam params = getParams();
        if (params == null) {
            return;
        }
        // Parallel arrays keep the role-to-user mapping in one place; order matches the former if/else chain.
        String[] roleNames = {"admin", "operator", Overlays.RESTORE, Overlays.BACKUP};
        String[] defaultUsers = {params.defaultAdminUser, params.defaultOperatorUser, params.defaultRestoreUser, params.defaultBackupUser};
        String defaultUser = null;
        for (int i = 0; i < roleNames.length; i++) {
            if (roleNames[i].equalsIgnoreCase(str)) {
                defaultUser = defaultUsers[i];
                break;
            }
        }
        addHostToUser(defaultUser, str2);
    }

    /**
     * Creates an allowed-host record for user {@code str} and host {@code str2}, marked as coming from the
     * Java policy file.
     * <p>
     * A blank user name or a name with no matching user (looked up without restricting the origin) is silently
     * ignored. No check for an already existing record is made here; whether the DAO deduplicates is not
     * visible in this class. Allowed hosts feed host-based authentication (see {@code setAllowHostAuth} on the
     * policy users), so every entry created here widens who may authenticate as that user without a password.
     *
     * @param str  name of the user, may be blank
     * @param str2 host to allow; must not be blank
     * @throws ServiceException if the lookup or the create call fails
     */
    private void addHostToUser(String str, String str2) throws ServiceException {
        if (!$assertionsDisabled && !StringUtils.isNotBlank(str2)) {
            throw new AssertionError();
        }
        if (StringUtils.isBlank(str)) {
            return;
        }
        Users owner = ((UsersDaoServer) this.daos.getService(UsersDaoServer.class)).getByNameInternal(str, new UserOrigin[0]);
        if (owner == null) {
            return;
        }
        UserAllowedHosts allowedHost = new UserAllowedHosts();
        allowedHost.setUserId(owner.getId());
        allowedHost.setHost(str2);
        allowedHost.setFromJavaPolicy(true);
        ((UserAllowedHostsDaoServer) this.daos.getService(UserAllowedHostsDaoServer.class)).create(allowedHost);
    }

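    /**
     * Removes every user with origin {@link UserOrigin#POLICY} whose name is not in {@code list}, and clears the
     * {@code fromJavaPolicy} flag on non-policy users that carry it but are not listed either.
     * <p>
     * The decompiled listing iterated over an undeclared type parameter {@code E}; the element type is
     * {@code Users}, as the accessors used in the loop show. The two branches are mutually exclusive (one
     * requires origin POLICY, the other requires any other origin), so they are written as if/else.
     *
     * @param list names of the policy users to keep; {@code null} keeps none
     * @throws ServiceException if a DAO call fails
     */
    private void removeAllPolicyUsersBut(List<String> list) throws ServiceException {
        for (Users user : ((UsersDaoServer) this.daos.getService(UsersDaoServer.class)).getAll()) {
            boolean keep = list != null && list.contains(user.getName());
            if (keep) {
                continue;
            }
            if (UserOrigin.POLICY.equals(user.getOrigin())) {
                ((UsersDaoServer) this.daos.getService(UsersDaoServer.class)).removeByObject(user);
            } else if (user.isFromJavaPolicy()) {
                user.setFromJavaPolicy(false);
                ((UsersDaoServer) this.daos.getService(UsersDaoServer.class)).update(user);
            }
        }
    }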

    /**
     * Removes all allowed-host records of the four default policy users (admin, operator, restore, backup)
     * named in {@link #getParams()}.
     * <p>
     * Users are looked up by name without restricting the origin; names that do not resolve to a user are
     * skipped. Nothing happens while no parameters are set. A {@code null} default user name is passed to the
     * lookup unchanged; how the DAO treats it is not visible here.
     *
     * @throws ServiceException if a lookup or removal fails
     */
    private void removeAllHostsFromDefaultPolicyUsers() throws ServiceException {
        GUIServerParam params = getParams();
        if (params == null) {
            return;
        }
        String[] defaultUserNames = {params.defaultAdminUser, params.defaultOperatorUser, params.defaultRestoreUser, params.defaultBackupUser};
        for (String name : defaultUserNames) {
            Users owner = ((UsersDaoServer) this.daos.getService(UsersDaoServer.class)).getByNameInternal(name, new UserOrigin[0]);
            if (owner == null) {
                continue;
            }
            ((UserAllowedHostsDaoServer) this.daos.getService(UserAllowedHostsDaoServer.class)).removeByUser(owner.getPK());
        }
    }

    /**
     * Drops the group and allowed-host relations of user {@code str} and, for the built-in admin and sesam
     * users, puts the user back into the {@code "SUPERUSER"} group.
     * <p>
     * Users that are not policy-managed and are one of {@link DefaultUserNames#ADMIN_USER}, {@code "root"} or
     * {@link DefaultUserNames#SESAM_USER} are left untouched. Unknown names are ignored. The re-add to
     * SUPERUSER happens only for ADMIN_USER and SESAM_USER and only when that group and its details exist.
     *
     * @param str name of the user; must not be {@code null}
     * @throws ServiceException if a DAO call fails
     */
    private void cleanUser(String str) throws ServiceException {
        if (!$assertionsDisabled && (str == null || this.daos == null)) {
            throw new AssertionError();
        }
        Users user = ((UsersDaoServer) this.daos.getService(UsersDaoServer.class)).getByNameInternal(str, new UserOrigin[0]);
        if (user == null) {
            return;
        }
        boolean protectedBuiltIn = !user.isFromJavaPolicy()
                && StringUtils.equalsAny(str, DefaultUserNames.ADMIN_USER, "root", DefaultUserNames.SESAM_USER);
        if (protectedBuiltIn) {
            return;
        }
        this.logger.info("cleanUser", LogGroup.SECURITY, new SimpleMessage("Cleaning the group and allowed host relations for user ''{0}''.", str), new Object[0]);
        ((UserGroupRelationsDaoServer) this.daos.getService(UserGroupRelationsDaoServer.class)).removeByUser(user.getPK());
        ((UserAllowedHostsDaoServer) this.daos.getService(UserAllowedHostsDaoServer.class)).removeByUser(user.getPK());
        boolean restoreSuperuser = DefaultUserNames.ADMIN_USER.equals(str) || DefaultUserNames.SESAM_USER.equals(str);
        if (!restoreSuperuser) {
            return;
        }
        Groups superuserGroup = ((GroupsDaoServer) this.daos.getService(GroupsDaoServer.class)).getByName("SUPERUSER");
        if (superuserGroup == null) {
            return;
        }
        GroupsDto details = ((GroupsDaoServer) this.daos.getService(GroupsDaoServer.class)).getDetails(superuserGroup.getId());
        if (details == null) {
            return;
        }
        details.getUsers().add(user);
        ((GroupsDaoServer) this.daos.getService(GroupsDaoServer.class)).persistGroup(details);
    }

    /**
     * Returns the server parameters shared by all instances; the static initializer sets a default instance and
     * {@link #setParam(GUIServerParam)} may replace it.
     *
     * @return the current parameters, {@code null} only if a caller stored {@code null}
     */
    public static GUIServerParam getParams() {
        return LoginServiceImpl.param;
    }

    /**
     * Tells whether authentication is switched on in the server parameters.
     *
     * @return {@code authEnabled} from the current parameters, {@code false} when no parameters are set
     */
    public static boolean isAuthEnabled() {
        GUIServerParam current = param;
        return current != null && current.authEnabled;
    }

    /**
     * Tells whether permissions are taken from the policy file.
     *
     * @return {@code policyBasedPermissions} from the current parameters, {@code false} when no parameters are set
     */
    public static boolean isPolicyBasedPermissions() {
        GUIServerParam current = param;
        return current != null && current.policyBasedPermissions;
    }

    /**
     * Tells whether connections classified as local (see {@link #isLocal(String)}) get full access.
     *
     * @return {@code localFullAccess} from the current parameters, {@code false} when no parameters are set
     */
    public static boolean isLocalFullAccess() {
        GUIServerParam current = param;
        return current != null && current.localFullAccess;
    }

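    /**
     * Returns a snapshot of the host names collected for this machine.
     * <p>
     * The set is filled by the background thread started in the static initializer, which holds
     * {@code dnsLock} while adding entries. The previous implementation read the {@code HashSet} without the
     * lock, racing with that thread; the read is now done under the same lock, so a caller may block until the
     * collection finishes, exactly as {@link #isLocal(String)} already does.
     *
     * @return a new array with the names known at the time of the call
     */
    public static String[] getLocalNames() {
        dnsLock.lock();
        try {
            return (String[]) localNames.toArray(new String[0]);
        } finally {
            dnsLock.unlock();
        }
    }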

    /**
     * Exposes this service's context logger to the logging infrastructure.
     *
     * @return the logger used by this instance
     */
    @Override // de.sep.sesam.common.logging.interfaces.IContextLoggerProvider
    public ContextLogger getLogger() {
        return logger;
    }

    /**
     * Replaces the server parameters shared by all instances. Every static query in this class
     * ({@link #isAuthEnabled()}, {@link #isLocalFullAccess()}, ...) reads the value set here.
     *
     * @param gUIServerParam the new parameters; {@code null} makes those queries report {@code false}
     */
    public static void setParam(GUIServerParam gUIServerParam) {
        LoginServiceImpl.param = gUIServerParam;
    }

    /**
     * Tells whether the static unit-test switch is set. Note that this is a different switch from the
     * {@code "unitTestMode"} system property consulted by {@link #isLocal(String)}; both bypass checks when
     * set, so neither must be enabled on a production server.
     *
     * @return the current value of the static switch
     */
    public static boolean isUnitTestMode() {
        return LoginServiceImpl.unitTestMode;
    }

    /**
     * Sets the static unit-test switch. While it is {@code true}, {@link #allowAll(boolean)} grants every
     * request, so this is intended for tests only.
     *
     * @param z new value of the switch
     */
    public static void setUnitTestMode(boolean z) {
        LoginServiceImpl.unitTestMode = z;
    }

    /**
     * Decides whether the current session may do everything.
     * <p>
     * In unit-test mode the answer is always {@code true}. Otherwise the authentication from
     * {@code SecurityContextHolder} must be a {@link SessionContext} (the cast is unchecked here) that is
     * authenticated and holds the {@code "SUPERUSER"} permission; with {@code z} set, the session's IP
     * additionally has to be local according to {@link #isLocal(String)}.
     *
     * @param z {@code true} to require a local origin in addition to the SUPERUSER permission
     * @return {@code true} if the session is allowed everything
     */
    public static boolean allowAll(boolean z) {
        if (isUnitTestMode()) {
            return true;
        }
        SessionContext session = (SessionContext) SecurityContextHolder.getContext().getAuthentication();
        if (session == null || !session.isAuthenticated()) {
            return false;
        }
        boolean originAccepted = !z || isLocal(session.getIp());
        return originAccepted && session.hasAnyPermission("SUPERUSER");
    }

    /**
     * Tells whether {@code str} is one of the IP addresses collected for this machine.
     * <p>
     * A trailing scope suffix is cut off before the lookup; the separator used is Spring's
     * {@code QuickTargetSourceCreator.PREFIX_THREAD_LOCAL}, which appears to stand in for the IPv6 zone
     * separator {@code "%"} here (the decompiler likely substituted a constant with the same value). The
     * comparison is a plain string match against the set filled by the static initializer, taken under
     * {@code dnsLock}. When the {@code "unitTestMode"} system property is {@code true}, every address counts as
     * local, which together with {@link #isLocalFullAccess()} would bypass authorization — that property must
     * never be set on a production JVM. Where the value passed in originates (socket peer or a client-supplied
     * header) is not visible here; callers should make sure it is the real peer address.
     *
     * @param str IP address as text, possibly with a scope suffix
     * @return {@code true} if the address (without suffix) is a local one
     */
    public static boolean isLocal(String str) {
        if (Boolean.getBoolean("unitTestMode")) {
            return true;
        }
        dnsLock.lock();
        try {
            String address = str;
            int scopeSeparator = StringUtils.lastIndexOf(address, QuickTargetSourceCreator.PREFIX_THREAD_LOCAL);
            if (scopeSeparator != -1) {
                address = StringUtils.substring(address, 0, scopeSeparator);
            }
            return localIps.contains(address);
        } finally {
            dnsLock.unlock();
        }
    }

    /**
     * Returns the class-wide lock created in the static initializer; what it guards is not visible in this part
     * of the class.
     *
     * @return the shared check lock
     */
    public static ReentrantLock getCheckLock() {
        return LoginServiceImpl.checkLock;
    }

    /**
     * Tells whether the policy file granted all permissions; the flag is set elsewhere in this class.
     *
     * @return the current value of the instance flag
     */
    @Override // de.sep.sesam.restapi.dao.login.LoginServiceServer
    public boolean isAllPermissionPolicySet() {
        return allPermissionPolicySet;
    }

    // Class setup: shared locks and parameters, plus a background thread that collects this machine's IP
    // addresses and host names into localIps/localNames. Both sets are only written under dnsLock; readers
    // (isLocal) take the same lock. getHostName()/getCanonicalHostName() may trigger reverse DNS lookups,
    // which is presumably why the collection runs off the initializing thread. With the "unitTestMode"
    // system property set, only the loopback entries are recorded. The thread is a plain non-daemon thread.
    static {
        $assertionsDisabled = !LoginServiceImpl.class.desiredAssertionStatus();
        localIps = new HashSet();
        localNames = new HashSet();
        checkLock = new ReentrantLock();
        param = new GUIServerParam();
        dnsLock = new ReentrantLock();
        dnsThread = new Thread(() -> {
            dnsLock.lock();
            try {
                localIps.add("127.0.0.1");
                localIps.add("::1");
                localIps.add("0:0:0:0:0:0:0:1");
                localNames.add(StringLookupFactory.KEY_LOCALHOST);
                localNames.add(HostUtils.getHostname());
                if (Boolean.getBoolean("unitTestMode")) {
                    return;
                }
                for (Enumeration<NetworkInterface> interfaces = NetworkInterface.getNetworkInterfaces(); interfaces.hasMoreElements(); ) {
                    for (Enumeration<InetAddress> addresses = interfaces.nextElement().getInetAddresses(); addresses.hasMoreElements(); ) {
                        InetAddress address = addresses.nextElement();
                        if (!$assertionsDisabled && address == null) {
                            throw new AssertionError();
                        }
                        // Strip a scope suffix so the stored form matches what isLocal() compares against.
                        String ip = address.getHostAddress();
                        int scopeSeparator = StringUtils.lastIndexOf(ip, QuickTargetSourceCreator.PREFIX_THREAD_LOCAL);
                        if (scopeSeparator != -1) {
                            ip = StringUtils.substring(ip, 0, scopeSeparator);
                        }
                        localIps.add(ip);
                        localNames.add(address.getHostName());
                        String canonical = address.getCanonicalHostName();
                        localNames.add(canonical);
                        // Also record the short name of a dotted FQDN; a purely numeric result is not split.
                        boolean numericOnly = canonical.matches("[0-9.]+");
                        int firstDot = canonical.indexOf('.');
                        if (!numericOnly && firstDot != -1) {
                            localNames.add(canonical.substring(0, firstDot));
                        }
                    }
                }
            } catch (SocketException ignored) {
                // Interface enumeration failed: the loopback entries stay, nothing else is recorded.
            } finally {
                dnsLock.unlock();
            }
        });
        dnsThread.start();
    }
}
