package org.glassfish.security.services.commands;

import com.sun.enterprise.config.serverbeans.AdminService;
import com.sun.enterprise.config.serverbeans.AuthRealm;
import com.sun.enterprise.config.serverbeans.Config;
import com.sun.enterprise.config.serverbeans.ConfigBeansUtilities;
import com.sun.enterprise.config.serverbeans.Domain;
import com.sun.enterprise.config.serverbeans.SecurityService;
import com.sun.enterprise.security.auth.login.LDAPLoginModule;
import com.sun.enterprise.security.auth.realm.Realm;
import com.sun.enterprise.security.auth.realm.ldap.LDAPRealm;
import com.sun.enterprise.util.StringUtils;
import com.sun.enterprise.util.i18n.StringManager;
import java.beans.PropertyVetoException;
import java.util.List;
import java.util.Properties;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.inject.Inject;
import javax.naming.AuthenticationNotSupportedException;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import org.glassfish.api.ActionReport;
import org.glassfish.api.Param;
import org.glassfish.api.admin.AccessRequired;
import org.glassfish.api.admin.AdminCommand;
import org.glassfish.api.admin.AdminCommandContext;
import org.glassfish.api.admin.AdminCommandSecurity;
import org.glassfish.api.admin.ExecuteOn;
import org.glassfish.api.admin.RestEndpoint;
import org.glassfish.api.admin.RestEndpoints;
import org.glassfish.api.admin.RuntimeType;
import org.glassfish.config.support.CommandTarget;
import org.glassfish.config.support.TargetType;
import org.glassfish.hk2.api.PerLookup;
import org.glassfish.internal.api.ORBLocator;
import org.glassfish.internal.api.Target;
import org.glassfish.security.services.config.AuthenticationService;
import org.glassfish.security.services.config.LoginModuleConfig;
import org.glassfish.security.services.config.SecurityConfigurations;
import org.glassfish.security.services.config.SecurityProvider;
import org.glassfish.security.services.config.SecurityProviderConfig;
import org.glassfish.security.services.impl.ServiceLogging;
import org.jvnet.hk2.annotations.Service;
import org.jvnet.hk2.config.RetryableException;
import org.jvnet.hk2.config.Transaction;
import org.jvnet.hk2.config.TransactionFailure;
import org.jvnet.hk2.config.types.Property;

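/**
 * Admin command {@code configure-ldap-for-admin}.
 *
 * <p>Re-points administrator authentication at an LDAP directory: the existing
 * {@code admin-realm} is removed from the security service and replaced by an
 * {@link LDAPRealm} built from the {@code basedn}, {@code url} and
 * {@code ldap-group} parameters; the admin service is bound to that realm; and the
 * {@code adminFileLM} login-module entry of the {@code adminFile} security provider
 * is switched to {@link LDAPLoginModule}. All configuration edits are enrolled in a
 * single {@link Transaction}, so a failure part-way leaves the previous
 * configuration untouched.
 *
 * <p>Security notes: the reachability probe in {@link #pingLDAP(StringBuilder)}
 * binds anonymously (no principal or credentials are placed in the JNDI
 * environment), so it never transmits a secret. The default {@code url} is plain
 * {@code ldap://}; the realm created here presumably uses that same URL for the
 * later administrator bind, in which case admin credentials would cross the network
 * unencrypted — {@code ldaps://} is the safer choice and is the only form for which
 * the custom SSL socket factory is installed.
 *
 * <p>Not thread-safe; the command is {@link PerLookup}, one instance per invocation.
 * The {@code target} parameter is accepted but not consulted (see {@link #chooseConfig()}).
 */
@Service(name = "configure-ldap-for-admin")
@TargetType({CommandTarget.DAS, CommandTarget.STANDALONE_INSTANCE, CommandTarget.CLUSTER, CommandTarget.CONFIG})
@PerLookup
@ExecuteOn({RuntimeType.DAS, RuntimeType.INSTANCE})
@RestEndpoints({@RestEndpoint(configBean = Domain.class, opType = RestEndpoint.OpType.POST, path = "configure-ldap-for-admin", description = "configure-ldap-for-admin")})
/* loaded from: input_file:org/glassfish/security/services/commands/LDAPAdminAccessConfigurator.class */
public class LDAPAdminAccessConfigurator implements AdminCommand, AdminCommandSecurity.Preauthorization {

    /** Search base for the realm's {@code base-dn} property (required). */
    @Param(name = "basedn", shortName = "b", optional = false)
    public volatile String basedn;

    /** Directory URL; a bare host[:port] is prefixed with {@code ldap://} in {@link #execute}. */
    @Param(name = "url", optional = true)
    public volatile String url = "ldap://localhost:389";

    /** Optional LDAP group mapped onto the {@code asadmin} group of the new realm. */
    @Param(name = "ldap-group", shortName = "g", optional = true)
    public volatile String ldapGroupName;

    @Inject
    Target targetService;

    @Inject
    private ConfigBeansUtilities configBeansUtilities;

    // Accepted for command-line compatibility; not read anywhere in this class.
    @Param(name = "target", optional = true, defaultValue = "server")
    private String target;
    private static final String ADMIN_SERVER = "server";
    private static final String DIR_P = "directory";
    private static final String BASEDN_P = "base-dn";
    private static final String JAAS_P = "jaas-context";
    private static final String JAAS_V = "ldapRealm";
    public static final String LDAP_SOCKET_FACTORY = "java.naming.ldap.factory.socket";
    public static final String DEFAULT_SSL_LDAP_SOCKET_FACTORY = "com.sun.enterprise.security.auth.realm.ldap.CustomSocketFactory";
    public static final String LDAPS_URL = "ldaps://";
    private static final String LDAP_URL = "ldap://";
    private static final String AUTHENTICATION_SERVICE_PROVIDER_NAME = "adminAuth";
    private static final String FILE_REALM_SECURITY_PROVIDER_NAME = "adminFile";
    private static final String ADMIN_FILE_LM_NAME = "adminFileLM";
    // Only a provider of this type carries the LoginModuleConfig entries rewritten below.
    private static final String LOGIN_MODULE_PROVIDER_TYPE = "LoginModule";
    // Server config the command operates on; resolved in preAuthorization().
    private Config asc;

    // The three fields below are resolved in preAuthorization() so that the
    // @AccessRequired "update" checks can be evaluated against concrete resources.
    @AccessRequired.To({"update"})
    private AuthRealm adminAuthRealm;

    @AccessRequired.To({"update"})
    private AdminService adminService;

    @AccessRequired.To({"update"})
    private SecurityProvider fileRealmProvider;

    @Inject
    private SecurityConfigurations securityConfigs;
    public static final String FIXED_ADMIN_REALM_NAME = "admin-realm";
    public static final String ORIG_ADMIN_REALM_NAME = "admin-realm-original";
    private static final StringManager lsm = StringManager.getManager(LDAPAdminAccessConfigurator.class);
    private static final Logger logger = Logger.getLogger(ServiceLogging.SEC_COMMANDS_LOGGER, ServiceLogging.SHARED_LOGMESSAGE_RESOURCE);

    /**
     * Resolves the configuration resources this command will modify and verifies
     * that the {@code adminAuth} authentication service and its {@code adminFile}
     * LoginModule provider exist.
     *
     * @param adminCommandContext supplies the {@link ActionReport} that receives failures
     * @return {@code true} when all prerequisites are present; {@code false} after
     *         recording a FAILURE exit code and a localized message on the report
     */
    @Override
    public boolean preAuthorization(AdminCommandContext adminCommandContext) {
        ActionReport actionReport = adminCommandContext.getActionReport();
        this.asc = chooseConfig();
        this.adminAuthRealm = getAdminRealm(this.asc.getSecurityService());
        this.adminService = this.asc.getAdminService();

        Object service = this.securityConfigs.getSecurityServiceByName(AUTHENTICATION_SERVICE_PROVIDER_NAME);
        // A missing service and a service of the wrong type are reported the same
        // way rather than letting a ClassCastException escape.
        if (!(service instanceof AuthenticationService)) {
            return fail(actionReport, lsm.getString("ldap.noExistingAtnService", AUTHENTICATION_SERVICE_PROVIDER_NAME));
        }
        AuthenticationService authenticationService = (AuthenticationService) service;

        this.fileRealmProvider = authenticationService.getSecurityProviderByName(FILE_REALM_SECURITY_PROVIDER_NAME);
        if (this.fileRealmProvider == null) {
            return fail(actionReport, lsm.getString("ldap.noExistingAtnProvider", FILE_REALM_SECURITY_PROVIDER_NAME));
        }
        if (!LOGIN_MODULE_PROVIDER_TYPE.equals(this.fileRealmProvider.getType())) {
            return fail(actionReport, lsm.getString("ldap.fileRealmProviderNotLoginModuleType",
                    FILE_REALM_SECURITY_PROVIDER_NAME, authenticationService.getName(), this.fileRealmProvider.getType()));
        }
        return true;
    }

    /**
     * Normalizes the URL, probes the directory, and applies the configuration.
     * Any failure is recorded on the report with a FAILURE exit code; on success the
     * accumulated progress messages become the report message.
     *
     * @param adminCommandContext supplies the {@link ActionReport}
     */
    @Override
    public void execute(AdminCommandContext adminCommandContext) {
        ActionReport actionReport = adminCommandContext.getActionReport();
        StringBuilder sb = new StringBuilder();
        this.url = normalizeUrl(this.url);
        if (!pingLDAP(sb)) {
            fail(actionReport, sb.toString());
            return;
        }
        try {
            configure(sb);
            actionReport.setMessage(sb.toString());
            actionReport.setActionExitCode(ActionReport.ExitCode.SUCCESS);
        } catch (RetryableException | TransactionFailure | PropertyVetoException e) {
            // The uncommitted transaction is abandoned, so the previous config stands.
            fail(actionReport, e.getMessage());
        }
    }

    /**
     * Records a failure on the report.
     *
     * @param report  the report to update
     * @param message the message to show the caller
     * @return always {@code false}, so preAuthorization can {@code return fail(...)}
     */
    private static boolean fail(ActionReport report, String message) {
        report.setMessage(message);
        report.setActionExitCode(ActionReport.ExitCode.FAILURE);
        return false;
    }

    /**
     * Prefixes {@code ldap://} when the caller supplied a bare host[:port].
     *
     * @param url raw parameter value, may be {@code null}
     * @return the scheme-qualified URL; {@code null} stays {@code null}
     */
    private static String normalizeUrl(String url) {
        if (url == null || url.startsWith(LDAP_URL) || url.startsWith(LDAPS_URL)) {
            return url;
        }
        return LDAP_URL + url;
    }

    /**
     * Performs all configuration edits inside one transaction and commits it.
     *
     * @param sb receives progress messages
     * @throws TransactionFailure    when enrolling, editing or committing fails
     * @throws PropertyVetoException when a config bean rejects a new value
     * @throws RetryableException    when the commit asks to be retried
     */
    private void configure(StringBuilder sb) throws TransactionFailure, PropertyVetoException, RetryableException {
        Transaction transaction = new Transaction();
        SecurityService securityService = (SecurityService) transaction.enroll(this.asc.getSecurityService());
        AdminService enrolledAdminService = (AdminService) transaction.enroll(this.asc.getAdminService());
        deleteRealm(securityService, sb);
        createRealm(securityService, sb);
        configureAdminService(enrolledAdminService);
        updateSecurityProvider(transaction, this.fileRealmProvider, sb);
        transaction.commit();
    }

    /**
     * Switches the {@code adminFileLM} login-module entry of the provider to
     * {@link LDAPLoginModule}.
     *
     * @param transaction      the open transaction the entry is enrolled in
     * @param securityProvider the {@code adminFile} provider located in preAuthorization
     * @param sb               receives a confirmation message
     * @throws TransactionFailure    when no entry named {@code adminFileLM} exists, or enrolling fails
     * @throws PropertyVetoException when the module class is rejected
     */
    private void updateSecurityProvider(Transaction transaction, SecurityProvider securityProvider, StringBuilder sb) throws TransactionFailure, PropertyVetoException {
        for (SecurityProviderConfig providerConfig : securityProvider.getSecurityProviderConfig()) {
            boolean isAdminFileLoginModule = providerConfig instanceof LoginModuleConfig
                    && ADMIN_FILE_LM_NAME.equals(providerConfig.getName());
            if (isAdminFileLoginModule) {
                LoginModuleConfig enrolled = (LoginModuleConfig) transaction.enroll((LoginModuleConfig) providerConfig);
                enrolled.setModuleClass(LDAPLoginModule.class.getName());
                sb.append(lsm.getString("ldap.authProviderConfigOK", securityProvider.getName()));
                return;
            }
        }
        throw new TransactionFailure(lsm.getString("ldap.noAuthProviderConfig", securityProvider.getName(), ADMIN_FILE_LM_NAME));
    }

    /**
     * Finds the realm named {@code admin-realm}.
     *
     * @param securityService the service whose realms are searched
     * @return the matching realm, or {@code null} when none is configured
     */
    private AuthRealm getAdminRealm(SecurityService securityService) {
        for (AuthRealm candidate : securityService.getAuthRealm()) {
            if (FIXED_ADMIN_REALM_NAME.equals(candidate.getName())) {
                return candidate;
            }
        }
        return null;
    }

    /**
     * Points the admin service at {@code admin-realm} (the realm recreated by this command).
     *
     * @param adminService the enrolled admin service
     * @throws PropertyVetoException when the realm name is rejected
     * @throws TransactionFailure    when the edit cannot be applied
     */
    private void configureAdminService(AdminService adminService) throws PropertyVetoException, TransactionFailure {
        adminService.setAuthRealmName(FIXED_ADMIN_REALM_NAME);
    }

    /**
     * Adds the newly built LDAP realm to the security service.
     *
     * @param securityService the enrolled security service
     * @param sb              receives a confirmation message
     * @throws TransactionFailure    when child creation fails
     * @throws PropertyVetoException when a property value is rejected
     */
    private void createRealm(SecurityService securityService, StringBuilder sb) throws TransactionFailure, PropertyVetoException {
        securityService.getAuthRealm().add(createLDAPRealm(securityService));
        appendNL(sb, lsm.getString("ldap.realm.setup", FIXED_ADMIN_REALM_NAME));
    }

    /**
     * Removes the current {@code admin-realm}; a no-op when no such realm exists
     * (removing {@code null} from the list does nothing).
     *
     * @param securityService the enrolled security service
     * @param sb              receives a progress marker
     * @throws TransactionFailure propagated from the config layer
     */
    private void deleteRealm(SecurityService securityService, StringBuilder sb) throws TransactionFailure {
        securityService.getAuthRealm().remove(getAdminRealm(securityService));
        appendNL(sb, "...");
    }

    /**
     * Builds the replacement {@code admin-realm} backed by {@link LDAPRealm}.
     *
     * @param securityService parent used to create the child beans
     * @return the populated (not yet attached) realm
     * @throws TransactionFailure    when child creation fails
     * @throws PropertyVetoException when a value is rejected
     */
    private AuthRealm createLDAPRealm(SecurityService securityService) throws TransactionFailure, PropertyVetoException {
        AuthRealm realm = (AuthRealm) securityService.createChild(AuthRealm.class);
        realm.setClassname(LDAPRealm.class.getName());
        realm.setName(FIXED_ADMIN_REALM_NAME);
        addProperty(realm, DIR_P, this.url);
        addProperty(realm, BASEDN_P, this.basedn);
        addProperty(realm, JAAS_P, JAAS_V);
        if (this.ldapGroupName != null) {
            // NOTE(review): the group name is interpolated unvalidated into the
            // mapping expression; confirm the Realm mapping syntax before relying
            // on names that contain "->" or ",".
            addProperty(realm, Realm.PARAM_GROUP_MAPPING, this.ldapGroupName + "->asadmin");
        }
        return realm;
    }

    /**
     * Creates a name/value property as a child of the realm and attaches it.
     *
     * @param realm the realm receiving the property
     * @param name  property name
     * @param value property value
     * @throws TransactionFailure    when child creation fails
     * @throws PropertyVetoException when name or value is rejected
     */
    private static void addProperty(AuthRealm realm, String name, String value) throws TransactionFailure, PropertyVetoException {
        Property property = (Property) realm.createChild(Property.class);
        property.setName(name);
        property.setValue(value);
        List<Property> properties = realm.getProperty();
        properties.add(property);
    }

    /**
     * Checks that the directory at {@link #url} is reachable by opening an anonymous
     * JNDI context. A server that refuses anonymous binds
     * ({@link AuthenticationNotSupportedException}) is still considered reachable.
     * For {@code ldaps://} URLs the custom SSL socket factory is installed.
     *
     * @param sb receives the localized outcome message
     * @return {@code true} when the directory answered; {@code false} otherwise
     */
    private boolean pingLDAP(StringBuilder sb) {
        Properties env = new Properties();
        env.put("java.naming.factory.initial", "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(ORBLocator.JNDI_PROVIDER_URL_PROPERTY, this.url);
        if (this.url != null && this.url.startsWith(LDAPS_URL)) {
            env.put(LDAP_SOCKET_FACTORY, DEFAULT_SSL_LDAP_SOCKET_FACTORY);
        }
        // NOTE(review): no connect/read timeout is set in the environment, so an
        // unresponsive host may block the command — confirm the JNDI defaults suffice.
        try {
            InitialContext ctx = new InitialContext(env);
            closeQuietly(ctx);
            appendNL(sb, lsm.getString("ldap.ok", this.url));
            return true;
        } catch (AuthenticationNotSupportedException e) {
            // Must precede the Exception clause; after it this handler is unreachable
            // and the class does not compile.
            appendNL(sb, lsm.getString("ldap.ok", this.url));
            return true;
        } catch (Exception e) {
            appendNL(sb, lsm.getString("ldap.na", this.url, e.getClass().getName(), e.getMessage()));
            if (logger.isLoggable(Level.FINE)) {
                logger.log(Level.FINE, StringUtils.getStackTrace(e));
            }
            return false;
        }
    }

    /**
     * Releases the probe context. A failure to close does not change the probe's
     * outcome; it is only logged.
     *
     * @param ctx the context opened by the probe
     */
    private static void closeQuietly(InitialContext ctx) {
        try {
            ctx.close();
        } catch (NamingException e) {
            logger.log(Level.FINE, "Failed to close LDAP probe context", e);
        }
    }

    /**
     * Appends a line to the progress buffer using the admin framework's
     * end-of-line marker.
     *
     * @param sb  progress buffer
     * @param str the line to append
     */
    private static void appendNL(StringBuilder sb, String str) {
        sb.append(str).append("%%%EOL%%%");
    }

    /**
     * Resolves the configuration of the DAS ({@code server}).
     * NOTE(review): the {@code target} parameter is not consulted here — confirm
     * whether the command is meant to honour it.
     *
     * @return the DAS's {@link Config}
     */
    private Config chooseConfig() {
        return this.targetService.getConfig(this.configBeansUtilities.getServerNamed(ADMIN_SERVER).getConfigRef());
    }
}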
