package fish.payara.ejb.http.admin;

import com.sun.enterprise.config.serverbeans.Domain;
import com.sun.enterprise.config.serverbeans.SecurityService;
import com.sun.enterprise.security.jaspic.config.GFServerConfigProvider;
import com.sun.enterprise.security.jauth.AuthPolicy;
import com.sun.enterprise.util.StringUtils;
import jakarta.inject.Inject;
import java.nio.file.Path;
import java.util.Iterator;
import java.util.logging.Logger;
import javax.security.auth.Subject;
import org.glassfish.api.ActionReport;
import org.glassfish.api.Param;
import org.glassfish.api.admin.AdminCommand;
import org.glassfish.api.admin.AdminCommandContext;
import org.glassfish.api.admin.CommandRunner;
import org.glassfish.api.admin.ExecuteOn;
import org.glassfish.api.admin.ParameterMap;
import org.glassfish.api.admin.RestEndpoint;
import org.glassfish.api.admin.RestEndpoints;
import org.glassfish.api.admin.RuntimeType;
import org.glassfish.api.admin.ServerEnvironment;
import org.glassfish.config.support.CommandTarget;
import org.glassfish.config.support.TargetType;
import org.glassfish.deployment.autodeploy.AutoDeployer;
import org.glassfish.deployment.autodeploy.AutoDeploymentOperation;
import org.glassfish.deployment.autodeploy.AutoUndeploymentOperation;
import org.glassfish.hk2.api.PerLookup;
import org.glassfish.hk2.api.ServiceLocator;
import org.glassfish.internal.api.Target;
import org.jvnet.hk2.annotations.Service;
import org.jvnet.hk2.config.ConfigSupport;
import org.jvnet.hk2.config.SingleConfigCode;
import org.jvnet.hk2.config.TransactionFailure;

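/**
 * Admin command {@code set-ejb-invoker-configuration}: updates the {@link EjbInvokerConfiguration}
 * of the selected target and, depending on the resulting configuration, provisions the message
 * security provider and file-realm user the EJB invoker endpoint relies on, then deploys or
 * undeploys the invoker application.
 *
 * <p>The command runs on the DAS only and is also exposed as a REST {@code POST} endpoint.
 * Every parameter is optional; a parameter that is not supplied leaves the stored value untouched.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>{@code authModuleClass} is only checked for being a dotted (qualified) name before it is
 *       registered as an HttpServlet-layer message security provider.</li>
 *   <li>When security is enabled and the realm is unset or {@code "file"}, a user named
 *       {@code invoker} with the fixed password {@code invoker} is created if it is missing
 *       (see {@link #createDefaultUser}).</li>
 * </ul>
 */
@Service(name = "set-ejb-invoker-configuration")
@TargetType({CommandTarget.CLUSTER, CommandTarget.CLUSTERED_INSTANCE, CommandTarget.CONFIG, CommandTarget.DAS, CommandTarget.DEPLOYMENT_GROUP, CommandTarget.STANDALONE_INSTANCE})
@PerLookup
@ExecuteOn({RuntimeType.DAS})
@RestEndpoints({@RestEndpoint(configBean = EjbInvokerConfiguration.class, opType = RestEndpoint.OpType.POST, path = "set-ejb-invoker-configuration", description = "Sets the ejb-invoker configuration")})
/* loaded from: input_file:fish/payara/ejb/http/admin/SetEjbInvokerConfigurationCommand.class */
public class SetEjbInvokerConfigurationCommand implements AdminCommand {
    private static final Logger LOGGER = Logger.getLogger(SetEjbInvokerConfigurationCommand.class.getName());

    @Inject
    private Target targetUtil;

    // Whether the invoker application should be deployed (true) or undeployed (false).
    @Param(optional = true)
    private Boolean enabled;

    @Param(optional = true)
    private String endpoint;

    @Param(optional = true, alias = "virtualservers")
    private String virtualServers;

    // Turns on the provider / default-user provisioning performed in execute().
    @Param(optional = true, alias = "securityenabled")
    protected Boolean securityEnabled;

    @Param(optional = true, alias = "realmname")
    protected String realmName;

    @Param(optional = true, alias = "authtype")
    protected String authType;

    @Param(optional = true, alias = "authmodule")
    protected String authModule;

    // Must be a qualified class name; its simple name becomes the provider id.
    @Param(optional = true, alias = "authmoduleclass")
    protected String authModuleClass;

    // Comma-separated; converted to the ':'-separated group list of the default user.
    @Param(optional = true)
    protected String roles;

    @Param(optional = true, defaultValue = "server")
    protected String target;

    @Inject
    protected CommandRunner commandRunner;

    @Inject
    private SecurityService securityService;

    @Inject
    private ServerEnvironment serverEnvironment;

    @Inject
    private ServiceLocator serviceLocator;

    @Inject
    private Domain domain;

    /**
     * Applies the supplied parameters to the target's invoker configuration and performs the
     * follow-up provisioning.
     *
     * <p>Steps, in order: validate {@code authModuleClass}; persist the supplied values in one
     * config transaction; if security is enabled, make sure the message security provider and
     * (for the file realm) the default user exist; deploy or undeploy the invoker application
     * when {@code enabled} was supplied. Sub-reports are discarded when the command finishes
     * without failures or warnings.
     *
     * @param adminCommandContext supplies the action report and the calling subject, which is
     *                            passed on to every nested admin command
     */
    @Override
    public void execute(AdminCommandContext adminCommandContext) {
        ActionReport actionReport = adminCommandContext.getActionReport();
        Subject subject = adminCommandContext.getSubject();

        // Reject an unqualified class name BEFORE opening the transaction. Previously the failure
        // was reported inside the transaction, the invalid value was persisted anyway and the exit
        // code was then overwritten with SUCCESS, so the caller never saw the rejection.
        if (this.authModuleClass != null && StringUtils.ok(this.authModuleClass) && this.authModuleClass.indexOf('.') == -1) {
            actionReport.failure(LOGGER, "authModuleClass parameter value must be fully qualified class name.");
            return;
        }

        EjbInvokerConfiguration config = (EjbInvokerConfiguration) this.targetUtil.getConfig(this.target).getExtensionByType(EjbInvokerConfiguration.class);
        try {
            ConfigSupport.apply((SingleConfigCode<EjbInvokerConfiguration>) proxy -> {
                // Only parameters that were actually supplied overwrite the stored value.
                if (this.enabled != null) {
                    proxy.setEnabled(this.enabled.toString());
                }
                if (this.endpoint != null) {
                    proxy.setEndpoint(this.endpoint);
                }
                if (this.virtualServers != null) {
                    proxy.setVirtualServers(this.virtualServers);
                }
                if (this.securityEnabled != null) {
                    proxy.setSecurityEnabled(this.securityEnabled.toString());
                }
                if (this.realmName != null) {
                    proxy.setRealmName(this.realmName);
                }
                if (this.authType != null) {
                    proxy.setAuthType(this.authType);
                }
                if (this.authModule != null) {
                    proxy.setAuthModule(this.authModule);
                }
                if (this.authModuleClass != null) {
                    proxy.setAuthModuleClass(this.authModuleClass);
                }
                if (this.roles != null) {
                    proxy.setRoles(this.roles);
                }
                actionReport.setActionExitCode(ActionReport.ExitCode.SUCCESS);
                return proxy;
            }, config);
        } catch (TransactionFailure e) {
            actionReport.failure(LOGGER, "Failed to update EJB Invoker configuration", e);
            // Nothing was persisted: do not create providers or users, and do not (un)deploy,
            // on the basis of a configuration change that failed.
            return;
        }

        if (Boolean.parseBoolean(config.getSecurityEnabled())) {
            if (StringUtils.ok(config.getAuthModuleClass())) {
                String moduleClass = config.getAuthModuleClass();
                // The provider id is the simple class name of the configured auth module.
                String providerId = moduleClass.substring(moduleClass.lastIndexOf('.') + 1);
                ActionReport listProvidersReport = actionReport.addSubActionsReport();
                ActionReport createProviderReport = actionReport.addSubActionsReport();
                if (!messageSecurityProviderExists(providerId, listProvidersReport, subject)) {
                    createRequiredMessageSecurityProvider(providerId, moduleClass, createProviderReport, subject);
                }
                if (listProvidersReport.hasFailures() || createProviderReport.hasFailures()) {
                    actionReport.setActionExitCode(ActionReport.ExitCode.FAILURE);
                    return;
                }
            }
            // The default user is only provisioned for the file realm (explicit or implied).
            if (!StringUtils.ok(config.getRealmName()) || config.getRealmName().equals("file")) {
                ActionReport listUsersReport = actionReport.addSubActionsReport();
                ActionReport createUserReport = actionReport.addSubActionsReport();
                if (!defaultUserExists(config, listUsersReport, subject) && !listUsersReport.hasFailures()) {
                    createDefaultUser(config, createUserReport, subject);
                }
                if (listUsersReport.hasFailures() || createUserReport.hasFailures()) {
                    actionReport.setActionExitCode(ActionReport.ExitCode.FAILURE);
                    return;
                }
            }
        }

        if (this.enabled != null) {
            if (this.enabled.booleanValue()) {
                enableEjbInvoker(actionReport);
            } else {
                disableEjbInvoker(actionReport);
            }
        } else if (Boolean.parseBoolean(config.getEnabled())) {
            actionReport.setMessage("Restart server or re-enable the ejb-invoker service for the change to take effect.");
        }

        // Keep the sub-reports only when they explain a failure or warning.
        if (actionReport.hasFailures() || actionReport.hasWarnings()) {
            return;
        }
        actionReport.getSubActionsReport().clear();
    }

    /**
     * Undeploys the invoker application from the command's target and copies the resulting exit
     * code into the report; on failure an explanatory message is appended.
     *
     * @param actionReport report receiving the exit code and any failure message
     */
    public void disableEjbInvoker(ActionReport actionReport) {
        Path endpointsDir = this.serverEnvironment.getInstanceRoot().toPath().resolve(Constants.ENDPOINTS_DIR);
        Path invokerApp = endpointsDir.resolve(Constants.EJB_INVOKER_APP);
        String appName = AutoDeployer.getNameFromFilePath(endpointsDir.toFile(), invokerApp.toFile());
        AutoDeployer.AutodeploymentStatus status = AutoUndeploymentOperation.newInstance(this.serviceLocator, invokerApp.toFile(), appName, this.target).run();
        actionReport.setActionExitCode(status.getExitCode());
        if (status.getExitCode().equals(ActionReport.ExitCode.FAILURE)) {
            // Distinguish "not deployed anywhere" from "not deployed on this target".
            if (this.domain.getApplications().getApplication(Constants.EJB_INVOKER_APP) == null) {
                actionReport.appendMessage("\nEJB Invoker is not enabled on any target");
            } else {
                actionReport.appendMessage("\nFailed to disable Ejb Invoker - was it enabled on the specified target?");
            }
        }
    }

    /**
     * Deploys the invoker application to the command's target using the stored virtual servers
     * and endpoint, unless the application is already registered in the domain, in which case a
     * warning is reported instead.
     *
     * @param actionReport report receiving the exit code and, when already deployed, the warning
     */
    public void enableEjbInvoker(ActionReport actionReport) {
        Path invokerApp = this.serverEnvironment.getInstanceRoot().toPath().resolve(Constants.ENDPOINTS_DIR).resolve(Constants.EJB_INVOKER_APP);
        EjbInvokerConfiguration config = (EjbInvokerConfiguration) this.targetUtil.getConfig(this.target).getExtensionByType(EjbInvokerConfiguration.class);
        AutoDeploymentOperation deployment = AutoDeploymentOperation.newInstance(this.serviceLocator, invokerApp.toFile(), config.getVirtualServers(), this.target, config.getEndpoint());
        if (this.domain.getApplications().getApplication(Constants.EJB_INVOKER_APP) == null) {
            actionReport.setActionExitCode(deployment.run().getExitCode());
        } else {
            actionReport.setActionExitCode(ActionReport.ExitCode.WARNING);
            actionReport.setMessage("EJB Invoker is already deployed on at least one target, please edit it as you would a normal application using the create-application-ref, delete-application-ref, or update-application-ref commands");
        }
    }

    /**
     * Runs {@code list-message-security-providers} for the HttpServlet layer and looks for a
     * provider with the given id among the reported entries.
     *
     * @param str          provider id to look for
     * @param actionReport sub-report the nested command writes its output to
     * @param subject      caller identity the nested command runs as
     * @return {@code true} if an entry with exactly that id was listed
     */
    private boolean messageSecurityProviderExists(String str, ActionReport actionReport, Subject subject) {
        CommandRunner.CommandInvocation listProviders = this.commandRunner.getCommandInvocation("list-message-security-providers", actionReport, subject, false);
        ParameterMap params = new ParameterMap();
        params.add("layer", GFServerConfigProvider.HTTPSERVLET);
        listProviders.parameters(params).execute();
        for (ActionReport.MessagePart listed : actionReport.getTopMessagePart().getChildren()) {
            if (listed.getMessage().equals(str)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Runs {@code create-message-security-provider} to register a non-default server provider on
     * the HttpServlet layer for the command's target.
     *
     * @param str          provider id (the command's primary operand)
     * @param str2         class name of the auth module backing the provider
     * @param actionReport sub-report the nested command writes its output to
     * @param subject      caller identity the nested command runs as
     */
    private void createRequiredMessageSecurityProvider(String str, String str2, ActionReport actionReport, Subject subject) {
        CommandRunner.CommandInvocation createProvider = this.commandRunner.getCommandInvocation("create-message-security-provider", actionReport, subject, false);
        ParameterMap params = new ParameterMap();
        // NOTE(review): the class name is administrator input that has only been checked for
        // containing a '.'; confirm whether it should be restricted to known auth modules.
        params.add("classname", str2);
        params.add("isdefaultprovider", "false");
        params.add("layer", GFServerConfigProvider.HTTPSERVLET);
        params.add("providertype", "server");
        params.add("target", this.target);
        params.add("requestauthsource", AuthPolicy.SENDER);
        params.add("DEFAULT", str);
        createProvider.parameters(params).execute();
    }

    /**
     * Runs {@code list-file-users} against the configured realm (or the security service's
     * default realm when none is configured) and looks for the user {@code invoker}.
     *
     * @param ejbInvokerConfiguration configuration supplying the realm name
     * @param actionReport            sub-report the nested command writes its output to
     * @param subject                 caller identity the nested command runs as
     * @return {@code true} if a user named {@code invoker} was listed
     */
    protected boolean defaultUserExists(EjbInvokerConfiguration ejbInvokerConfiguration, ActionReport actionReport, Subject subject) {
        CommandRunner.CommandInvocation listUsers = this.commandRunner.getCommandInvocation("list-file-users", actionReport, subject, false);
        String realm = StringUtils.ok(ejbInvokerConfiguration.getRealmName()) ? ejbInvokerConfiguration.getRealmName() : this.securityService.getDefaultRealm();
        ParameterMap params = new ParameterMap();
        params.add("authrealmname", realm);
        listUsers.parameters(params).execute();
        for (ActionReport.MessagePart listed : actionReport.getTopMessagePart().getChildren()) {
            if (listed.getMessage().equals("invoker")) {
                return true;
            }
        }
        return false;
    }

    /**
     * Runs {@code create-file-user} to create the user {@code invoker} in the configured realm
     * (or the default realm), with the configured roles as its groups.
     *
     * <p>SECURITY: the account is created with the fixed, publicly known password
     * {@code invoker}. Anyone who can reach the invoker endpoint can authenticate with it until
     * the password is changed, so deployments that enable security with the file realm should
     * rotate this password (or use a different realm) before exposing the endpoint. The value is
     * left unchanged here because existing clients may depend on it.
     *
     * @param ejbInvokerConfiguration configuration supplying the roles and realm name
     * @param actionReport            sub-report the nested command writes its output to
     * @param subject                 caller identity the nested command runs as
     */
    protected void createDefaultUser(EjbInvokerConfiguration ejbInvokerConfiguration, ActionReport actionReport, Subject subject) {
        CommandRunner.CommandInvocation createUser = this.commandRunner.getCommandInvocation("create-file-user", actionReport, subject, false);
        String realm = StringUtils.ok(ejbInvokerConfiguration.getRealmName()) ? ejbInvokerConfiguration.getRealmName() : this.securityService.getDefaultRealm();
        ParameterMap params = new ParameterMap();
        // assumes getRoles() never returns null (a configured default) — TODO confirm; a null
        // would raise a NullPointerException here.
        params.add("groups", ejbInvokerConfiguration.getRoles().replace(',', ':'));
        params.add("userpassword", "invoker");
        params.add("target", this.target);
        params.add("authrealmname", realm);
        params.add("DEFAULT", "invoker");
        createUser.parameters(params).execute();
    }
}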
