package org.glassfish.security.services.impl.authorization;

import com.sun.enterprise.config.serverbeans.Domain;
import com.sun.enterprise.util.LocalStringManagerImpl;
import com.sun.messaging.jms.management.server.LogLevel;
import java.net.URI;
import java.net.URL;
import java.security.AccessController;
import java.security.CodeSigner;
import java.security.CodeSource;
import java.security.Permission;
import java.security.Policy;
import java.security.Principal;
import java.security.ProtectionDomain;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Set;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.inject.Inject;
import javax.inject.Singleton;
import javax.security.auth.Subject;
import org.glassfish.hk2.api.PostConstruct;
import org.glassfish.hk2.api.ServiceLocator;
import org.glassfish.logging.annotation.LogMessageInfo;
import org.glassfish.security.services.api.authorization.AuthorizationService;
import org.glassfish.security.services.api.authorization.AzAction;
import org.glassfish.security.services.api.authorization.AzAttributeResolver;
import org.glassfish.security.services.api.authorization.AzResource;
import org.glassfish.security.services.api.authorization.AzResult;
import org.glassfish.security.services.api.authorization.AzSubject;
import org.glassfish.security.services.api.common.Attributes;
import org.glassfish.security.services.api.context.SecurityContextService;
import org.glassfish.security.services.common.PrivilegedLookup;
import org.glassfish.security.services.common.Secure;
import org.glassfish.security.services.config.SecurityConfiguration;
import org.glassfish.security.services.config.SecurityProvider;
import org.glassfish.security.services.impl.ServiceFactory;
import org.glassfish.security.services.impl.ServiceLogging;
import org.glassfish.security.services.spi.authorization.AuthorizationProvider;
import org.jvnet.hk2.annotations.Service;

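/**
 * Default {@link AuthorizationService} implementation.
 *
 * <p>Every decision is delegated to the single {@link AuthorizationProvider} named by the
 * first {@link SecurityProvider} of the domain's authorization-service configuration. Until
 * {@link #initialize(SecurityConfiguration)} has completed successfully the service is
 * <em>unavailable</em>: {@link #checkServiceAvailability()} throws, so the decision methods
 * fail closed instead of returning a default answer. The one exception is
 * {@link #isPermissionGranted(Subject, Permission)}, which consults the JVM {@link Policy}
 * directly and does not depend on the provider.
 *
 * <p>Thread-safety: configuration and state fields are {@code volatile}; the attribute
 * resolver list is a synchronized list and every compound operation on it holds its monitor.
 * Access to the service as a whole is gated by the {@code @Secure} permission name.
 */
@Singleton
@Secure(accessPermissionName = "security/service/authorization")
@Service
public final class AuthorizationServiceImpl implements AuthorizationService, PostConstruct {

    @Inject
    private volatile Domain domain;

    @Inject
    private volatile ServiceLocator serviceLocator;
    // Service-level configuration; set by initialize().
    private volatile org.glassfish.security.services.config.AuthorizationService atzSvCfg;

    @Inject
    private volatile SecurityContextService securityContextService;
    // Provider-level configuration (first configured provider) and the resolved provider.
    private volatile SecurityProvider atzPrvConfig;
    private volatile AuthorizationProvider provider;
    private volatile InitializationState initialized = InitializationState.NOT_INITIALIZED;
    // Human-readable reason the service is unavailable; null once initialization succeeds.
    private volatile String reasonInitFailed = localStrings.getLocalString("service.atz.never_init", "Authorization Service never initialized.");
    // Resolvers are passed to the provider with every decision, in list order.
    private final List<AzAttributeResolver> attributeResolvers = Collections.synchronizedList(new ArrayList<>());

    @LogMessageInfo(message = "Authorization Service has successfully initialized.", level = "FINE")
    private static final String ATZSVC_INITIALIZED = "SEC-SVCS-00100";

    // NOTE(review): LogLevel.WARNING is a String constant from the JMS management API; it looks
    // like a decompiler substitution for the literal "WARNING" — confirm and drop the dependency.
    @LogMessageInfo(message = "Authorization Service initialization failed, exception {0}, message {1}", level = LogLevel.WARNING)
    private static final String ATZSVC_INIT_FAILED = "SEC-SVCS-00101";
    private static final Level DEBUG_LEVEL = Level.FINER;
    private static final Logger logger = Logger.getLogger(ServiceLogging.SEC_SVCS_LOGGER, ServiceLogging.SHARED_LOGMESSAGE_RESOURCE);
    private static final LocalStringManagerImpl localStrings = new LocalStringManagerImpl(AuthorizationServiceImpl.class);
    // Used so that Policy decisions in isPermissionGranted() depend on principals only.
    private static final CodeSource NULL_CODESOURCE = new CodeSource((URL) null, (CodeSigner[]) null);

    /**
     * Lifecycle state of the service; anything other than {@link #SUCCESS_INIT} makes the
     * decision methods throw. (Decompiler note: originally package-private.)
     */
    public enum InitializationState {
        NOT_INITIALIZED,
        SUCCESS_INIT,
        FAILED_INIT
    }

    /** Returns whether {@link #DEBUG_LEVEL} diagnostics would be emitted. */
    private boolean isDebug() {
        return logger.isLoggable(DEBUG_LEVEL);
    }

    /**
     * Initializes the service from the domain's authorization-service configuration.
     *
     * <p>Only the first call does any work; later calls return immediately whatever the
     * outcome was. Any exit other than a successful initialization (including an
     * {@link Error}) leaves the service in {@link InitializationState#FAILED_INIT}.
     *
     * @param securityConfiguration the authorization-service configuration from the domain
     * @throws RuntimeException wrapping the underlying failure when the configuration is
     *     missing, names no provider, the provider cannot be looked up, or the provider's own
     *     initialization fails; the message is also kept as the "not available" reason
     */
    @Override
    public void initialize(SecurityConfiguration securityConfiguration) {
        if (InitializationState.NOT_INITIALIZED != this.initialized) {
            return;
        }
        try {
            if (!(securityConfiguration instanceof org.glassfish.security.services.config.AuthorizationService)) {
                throw new IllegalStateException(localStrings.getLocalString("service.atz.not_config", "The Authorization service is not configured in the domain configuration file."));
            }
            this.atzSvCfg = (org.glassfish.security.services.config.AuthorizationService) securityConfiguration;

            // Only the first configured provider is used; an empty list is a configuration
            // error, not an IndexOutOfBoundsException.
            List<SecurityProvider> securityProviders = this.atzSvCfg.getSecurityProviders();
            if (securityProviders == null || securityProviders.isEmpty() || securityProviders.get(0) == null) {
                throw new IllegalStateException(localStrings.getLocalString("service.atz.no_prov_config", "No provider configured for the Authorization service in the domain configuration file."));
            }
            this.atzPrvConfig = securityProviders.get(0);

            String providerName = this.atzPrvConfig.getName();
            if (isDebug()) {
                logger.log(DEBUG_LEVEL, "Attempting to get Authorization provider \"{0}\".", providerName);
            }
            // doPrivileged: the HK2 lookup runs with this class's permissions, not the caller's.
            this.provider = (AuthorizationProvider) AccessController.doPrivileged(new PrivilegedLookup(this.serviceLocator, AuthorizationProvider.class, providerName));
            if (this.provider == null) {
                throw new IllegalStateException(localStrings.getLocalString("service.atz.not_provider", "Authorization Provider {0} not found.", providerName));
            }

            this.provider.initialize(this.atzPrvConfig);
            this.initialized = InitializationState.SUCCESS_INIT;
            this.reasonInitFailed = null;
            logger.log(Level.FINE, ATZSVC_INITIALIZED);
        } catch (Exception e) {
            String message = e.getMessage();
            String exceptionClass = e.getClass().getName();
            this.reasonInitFailed = localStrings.getLocalString("service.atz.init_failed", "Authorization Service initialization failed, exception {0}, message {1}", exceptionClass, message);
            logger.log(Level.WARNING, ATZSVC_INIT_FAILED, new Object[]{exceptionClass, message});
            throw new RuntimeException(this.reasonInitFailed, e);
        } finally {
            // Errors bypass the catch above but must still mark the service unavailable.
            if (InitializationState.SUCCESS_INIT != this.initialized) {
                this.initialized = InitializationState.FAILED_INIT;
            }
        }
    }

    /**
     * Checks a Java permission against the installed {@link Policy} for the given subject.
     *
     * <p>The {@link ProtectionDomain} handed to the policy carries no code source, no class
     * loader and no static permissions, so the answer depends solely on policy grants for the
     * subject's principals. This method does not require the provider to be initialized.
     *
     * @param subject the authenticated subject; its principals drive the decision
     * @param permission the permission to test
     * @return {@code true} if the policy implies the permission for those principals
     * @throws IllegalArgumentException if either argument is {@code null}
     */
    @Override
    public boolean isPermissionGranted(Subject subject, Permission permission) {
        if (null == subject) {
            throw new IllegalArgumentException(localStrings.getLocalString("service.subject_null", "The supplied Subject is null."));
        }
        if (null == permission) {
            throw new IllegalArgumentException(localStrings.getLocalString("service.permission_null", "The supplied Permission is null."));
        }
        Set<Principal> principals = subject.getPrincipals();
        // A null principal array (rather than an empty one) preserves the original call shape.
        Principal[] principalArray = principals.isEmpty() ? null : principals.toArray(new Principal[0]);
        ProtectionDomain domainForSubject = new ProtectionDomain(NULL_CODESOURCE, null, null, principalArray);
        return Policy.getPolicy().implies(domainForSubject, permission);
    }

    /**
     * Convenience overload of {@link #isAuthorized(Subject, URI, String)} with no action.
     *
     * @param subject the authenticated subject
     * @param uri the resource being accessed
     * @return {@code true} only for an {@code OK}/{@code PERMIT} decision
     */
    @Override
    public boolean isAuthorized(Subject subject, URI uri) {
        return isAuthorized(subject, uri, null);
    }

    /**
     * Asks the provider whether {@code subject} may perform {@code action} on {@code uri}.
     *
     * <p>Fails closed: anything other than an {@code OK} status with a {@code PERMIT} decision
     * (including {@code NOT_APPLICABLE}/{@code INDETERMINATE} results) yields {@code false}.
     *
     * @param subject the authenticated subject
     * @param uri the resource being accessed
     * @param action the action name, or {@code null} for an unspecified action
     * @return {@code true} only for an {@code OK}/{@code PERMIT} decision
     * @throws IllegalStateException if the service is not initialized
     * @throws IllegalArgumentException if {@code subject} or {@code uri} is {@code null}
     */
    @Override
    public boolean isAuthorized(Subject subject, URI uri, String action) {
        checkServiceAvailability();
        if (null == subject) {
            throw new IllegalArgumentException(localStrings.getLocalString("service.subject_null", "The supplied Subject is null."));
        }
        if (null == uri) {
            throw new IllegalArgumentException(localStrings.getLocalString("service.resource_null", "The supplied Resource is null."));
        }
        AzResult result = getAuthorizationDecision(makeAzSubject(subject), makeAzResource(uri), makeAzAction(action));
        return AzResult.Status.OK.equals(result.getStatus()) && AzResult.Decision.PERMIT.equals(result.getDecision());
    }

    /**
     * Obtains the provider's full decision for a subject/resource/action triple.
     *
     * <p>The environment passed to the provider is a snapshot of the current
     * {@link SecurityContextService} environment attributes; the registered attribute
     * resolvers are passed along in list order.
     *
     * @param azSubject the subject (must not be {@code null})
     * @param azResource the resource (must not be {@code null})
     * @param azAction the action; {@code null} is passed through to the provider unchanged
     * @return the provider's result, never examined or altered here
     * @throws IllegalStateException if the service is not initialized
     * @throws IllegalArgumentException if the subject or resource is {@code null}
     */
    @Override
    public AzResult getAuthorizationDecision(AzSubject azSubject, AzResource azResource, AzAction azAction) {
        checkServiceAvailability();
        if (null == azSubject) {
            throw new IllegalArgumentException(localStrings.getLocalString("service.subject_null", "The supplied Subject is null."));
        }
        if (null == azResource) {
            throw new IllegalArgumentException(localStrings.getLocalString("service.resource_null", "The supplied Resource is null."));
        }
        AzEnvironmentImpl environment = new AzEnvironmentImpl();
        Attributes environmentAttributes = this.securityContextService.getEnvironmentAttributes();
        for (String attributeName : environmentAttributes.getAttributeNames()) {
            // Third argument presumably means "replace an existing value" — verify against AzEnvironmentImpl.
            environment.addAttribute(attributeName, environmentAttributes.getAttributeValue(attributeName), true);
        }
        AzResult result = this.provider.getAuthorizationDecision(azSubject, azResource, azAction, environment, this.attributeResolvers);
        if (isDebug()) {
            logger.log(DEBUG_LEVEL, "Authorization Service result for {0} was {1}.", new Object[]{azSubject.toString(), result.toString()});
        }
        return result;
    }

    /** Wraps a JAAS {@link Subject} in the service's {@link AzSubject} implementation. */
    @Override
    public AzSubject makeAzSubject(Subject subject) {
        return new AzSubjectImpl(subject);
    }

    /** Wraps a resource {@link URI} in the service's {@link AzResource} implementation. */
    @Override
    public AzResource makeAzResource(URI uri) {
        return new AzResourceImpl(uri);
    }

    /** Wraps an action name (possibly {@code null}) in the service's {@link AzAction} implementation. */
    @Override
    public AzAction makeAzAction(String action) {
        return new AzActionImpl(action);
    }

    /**
     * Delegates to the provider's deployment-context lookup.
     *
     * @param appContext the application context name, passed through unchecked
     * @return the provider's deployment context
     * @throws IllegalStateException if the service is not initialized
     */
    @Override
    public AuthorizationService.PolicyDeploymentContext findOrCreateDeploymentContext(String appContext) {
        checkServiceAvailability();
        return this.provider.findOrCreateDeploymentContext(appContext);
    }

    /**
     * HK2 lifecycle hook: initializes from the domain's authorization-service configuration.
     * A failed initialization propagates as the {@link RuntimeException} thrown by
     * {@link #initialize(SecurityConfiguration)}.
     */
    @Override
    public void postConstruct() {
        initialize((org.glassfish.security.services.config.AuthorizationService) ServiceFactory.getSecurityServiceConfiguration(this.domain, org.glassfish.security.services.config.AuthorizationService.class));
    }

    /**
     * Appends a resolver unless an equal one is already registered.
     *
     * @param azAttributeResolver the resolver to add
     * @return {@code true} if it was added, {@code false} if an equal resolver was present
     * @throws IllegalArgumentException if the resolver is {@code null}
     */
    @Override
    public boolean appendAttributeResolver(AzAttributeResolver azAttributeResolver) {
        if (null == azAttributeResolver) {
            throw new IllegalArgumentException(localStrings.getLocalString("service.resolver_null", "The supplied Attribute Resolver is null."));
        }
        // contains()+add() must be atomic, so hold the list's own monitor.
        synchronized (this.attributeResolvers) {
            if (this.attributeResolvers.contains(azAttributeResolver)) {
                return false;
            }
            this.attributeResolvers.add(azAttributeResolver);
            return true;
        }
    }

    /**
     * Replaces all registered resolvers with the non-null, de-duplicated entries of
     * {@code list}, preserving their order.
     *
     * @param list the new resolvers; {@code null} elements are skipped
     * @throws IllegalArgumentException if {@code list} itself is {@code null}
     */
    @Override
    public void setAttributeResolvers(List<AzAttributeResolver> list) {
        if (null == list) {
            throw new IllegalArgumentException(localStrings.getLocalString("service.resolver_null", "The supplied Attribute Resolver is null."));
        }
        synchronized (this.attributeResolvers) {
            this.attributeResolvers.clear();
            for (AzAttributeResolver resolver : list) {
                if (null != resolver && !this.attributeResolvers.contains(resolver)) {
                    this.attributeResolvers.add(resolver);
                }
            }
        }
    }

    /**
     * Returns a snapshot copy of the registered resolvers; mutating it does not affect the
     * service.
     */
    @Override
    public List<AzAttributeResolver> getAttributeResolvers() {
        return new ArrayList<>(this.attributeResolvers);
    }

    /**
     * Removes every registered resolver.
     *
     * @return {@code true} if at least one resolver was removed
     */
    @Override
    public boolean removeAllAttributeResolvers() {
        synchronized (this.attributeResolvers) {
            if (this.attributeResolvers.isEmpty()) {
                return false;
            }
            this.attributeResolvers.clear();
            return true;
        }
    }

    /** Current lifecycle state. */
    final InitializationState getInitializationState() {
        return this.initialized;
    }

    /** Reason the service is unavailable, or {@code null} after a successful initialization. */
    final String getReasonInitializationFailed() {
        return this.reasonInitFailed;
    }

    /**
     * Guard used by every provider-backed method.
     *
     * @throws IllegalStateException unless the state is {@link InitializationState#SUCCESS_INIT};
     *     the message carries the initialization-failure reason
     */
    final void checkServiceAvailability() {
        if (InitializationState.SUCCESS_INIT != getInitializationState()) {
            throw new IllegalStateException(localStrings.getLocalString("service.atz.not_avail", "The Authorization service is not available.") + getReasonInitializationFailed());
        }
    }
}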
