package com.sun.enterprise.security.admin.cli;

import com.sun.enterprise.config.serverbeans.AdminService;
import com.sun.enterprise.config.serverbeans.AuthRealm;
import com.sun.enterprise.config.serverbeans.SecureAdminHelper;
import com.sun.enterprise.security.auth.realm.exceptions.BadRealmException;
import com.sun.enterprise.security.auth.realm.exceptions.NoSuchRealmException;
import com.sun.enterprise.security.auth.realm.exceptions.NoSuchUserException;
import com.sun.enterprise.security.auth.realm.file.FileRealm;
import com.sun.enterprise.security.auth.realm.file.FileRealmUser;
import com.sun.enterprise.security.ssl.SSLUtils;
import com.sun.enterprise.security.store.DomainScopedPasswordAliasStore;
import jakarta.inject.Inject;
import jakarta.inject.Named;
import java.io.IOException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import org.glassfish.api.admin.ServerEnvironment;
import org.glassfish.hk2.api.PerLookup;
import org.jvnet.hk2.annotations.Service;

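/**
 * Default {@link SecureAdminHelper} implementation.
 *
 * <p>Resolves certificate aliases to distinguished names, checks that an
 * internal admin username / password-alias pair is usable, and reports whether
 * any administrator in the file-based admin realm can log in with an empty
 * password.
 *
 * <p>The user checks here only understand a {@link FileRealm}. When the admin
 * service is associated with any other realm class, {@link #adminRealm()}
 * yields {@code null} and the checks cannot inspect the users.
 */
@Service
@PerLookup
public class SecureAdminHelperImpl implements SecureAdminHelper {
    // Zero-length, so sharing one instance cannot leak or mutate password content.
    private static final char[] EMPTY_PASSWORD = new char[0];
    private static final String DOMAIN_ADMIN_GROUP_NAME = "asadmin";

    @Inject
    private SSLUtils sslUtils;

    @Inject
    private DomainScopedPasswordAliasStore domainPasswordAliasStore;

    @Inject
    @Named(ServerEnvironment.DEFAULT_INSTANCE_NAME)
    private volatile AdminService as;

    /**
     * Returns the distinguished name that {@code str} stands for.
     *
     * <p>When {@code z} is {@code false} the value is returned unchanged and is
     * NOT validated here; callers that accept it from an operator must treat it
     * as unchecked input. When {@code z} is {@code true} the value is looked up
     * as an alias in the keystore supplied by {@link SSLUtils} and the subject
     * DN of the certificate found there is returned.
     *
     * @param str a DN, or a keystore alias when {@code z} is {@code true}
     * @param z {@code true} to treat {@code str} as a keystore alias
     * @return the DN (subject name as produced by {@code X500Principal.getName()})
     * @throws IOException declared by the interface; not thrown directly by this body
     * @throws KeyStoreException if the keystore lookup fails
     * @throws RuntimeException if no keystore is available
     * @throws IllegalArgumentException if the alias has no certificate or the
     *         certificate is not an X.509 certificate
     */
    @Override
    public String getDN(String str, boolean z) throws IOException, KeyStoreException {
        if (!z) {
            return str;
        }
        KeyStore keyStore = this.sslUtils.getKeyStore();
        if (keyStore == null) {
            throw new RuntimeException(Strings.get("noKeyStore"));
        }
        Certificate certificate = keyStore.getCertificate(str);
        if (certificate == null) {
            throw new IllegalArgumentException(Strings.get("noAlias", str));
        }
        if (!(certificate instanceof X509Certificate)) {
            throw new IllegalArgumentException(Strings.get("certNotX509Certificate", str));
        }
        return ((X509Certificate) certificate).getSubjectX500Principal().getName();
    }

    /**
     * Verifies that {@code str} names a user in the admin group and that
     * {@code str2} is a known password alias.
     *
     * <p>Every failure, whatever its origin, surfaces as a single
     * {@link RuntimeException} carrying the {@code errVal} message with the
     * underlying problem attached as its cause.
     *
     * @param str the internal admin username
     * @param str2 the password alias expected in the domain-scoped alias store
     * @throws RuntimeException if either check fails
     */
    @Override
    public void validateInternalUsernameAndPasswordAlias(String str, String str2) {
        try {
            validateUser(str);
            validatePasswordAlias(str2);
        } catch (Exception e) {
            throw new RuntimeException(Strings.get("errVal"), e);
        }
    }

    /**
     * Checks that {@code username} exists in the admin file realm and belongs
     * to the admin group.
     *
     * @throws IllegalStateException if the admin realm is not a {@link FileRealm}
     * @throws RuntimeException if the user is unknown or is not an administrator
     */
    private void validateUser(String username) throws BadRealmException, NoSuchRealmException {
        FileRealm realm = adminRealm();
        if (realm == null) {
            // Previously this path failed with a bare NullPointerException; say
            // what is actually wrong. The caller still wraps it in "errVal".
            throw new IllegalStateException(
                    "Admin realm is not a FileRealm; cannot validate the internal admin user");
        }
        try {
            FileRealmUser user = (FileRealmUser) realm.getUser(username);
            if (!isInAdminGroup(user)) {
                throw new RuntimeException(Strings.get("notAdminUser", username));
            }
        } catch (NoSuchUserException ignored) {
            // Same message as the not-in-group case, and no cause attached, so
            // neither the text nor the exception chain distinguishes an unknown
            // user from an existing non-admin one.
            throw new RuntimeException(Strings.get("notAdminUser", username));
        }
    }

    /** Returns {@code true} if the user is a member of the {@code asadmin} group. */
    private boolean isInAdminGroup(FileRealmUser user) {
        for (String group : user.getGroups()) {
            // Constant first: a null group entry compares unequal instead of throwing.
            if (DOMAIN_ADMIN_GROUP_NAME.equals(group)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Checks that {@code alias} is present in the domain-scoped password alias store.
     *
     * @throws RuntimeException if the alias is not defined
     */
    private void validatePasswordAlias(String alias)
            throws CertificateException, NoSuchAlgorithmException, KeyStoreException, IOException {
        if (!this.domainPasswordAliasStore.containsKey(alias)) {
            throw new RuntimeException(Strings.get("noAlias", alias));
        }
    }

    /**
     * Opens the file realm associated with the admin service.
     *
     * @return a {@link FileRealm} over the realm's {@code file} property, or
     *         {@code null} when the associated realm's class is not {@link FileRealm}
     */
    private FileRealm adminRealm() throws BadRealmException, NoSuchRealmException {
        AuthRealm associatedAuthRealm = this.as.getAssociatedAuthRealm();
        if (!FileRealm.class.getName().equals(associatedAuthRealm.getClassname())) {
            return null;
        }
        return new FileRealm(associatedAuthRealm.getPropertyValue("file"));
    }

    /**
     * Reports whether any user of the admin file realm can authenticate with an
     * empty password and is a member of the {@code asadmin} group.
     *
     * <p>NOTE: a {@code false} result is only meaningful for a file realm. When
     * the admin realm is of another class this method returns {@code false}
     * without inspecting any user, i.e. "not checked" rather than "every
     * administrator has a password".
     *
     * @return {@code true} if at least one admin-group user has an empty password
     * @throws Exception if the realm cannot be opened or queried
     */
    @Override
    public boolean isAnyAdminUserWithoutPassword() throws Exception {
        FileRealm adminRealm = adminRealm();
        if (adminRealm == null) {
            return false;
        }
        Enumeration<String> userNames = adminRealm.getUserNames();
        while (userNames.hasMoreElements()) {
            // authenticate() hands back the user's groups on success; the code
            // below treats a null result as a failed login.
            String[] groups = adminRealm.authenticate(userNames.nextElement(), EMPTY_PASSWORD);
            if (groups == null) {
                continue;
            }
            for (String group : groups) {
                if (DOMAIN_ADMIN_GROUP_NAME.equals(group)) {
                    return true;
                }
            }
        }
        return false;
    }
}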
