package org.glassfish.security.services.common;

import com.sun.enterprise.util.LocalStringManagerImpl;
import com.sun.messaging.jms.management.server.ConnectionOperations;
import java.security.AccessControlException;
import java.security.AccessController;
import java.security.Permission;
import java.security.PrivilegedAction;
import java.security.ProtectionDomain;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.logging.Level;
import java.util.logging.Logger;
import org.glassfish.hk2.api.ActiveDescriptor;
import org.glassfish.hk2.api.Injectee;
import org.glassfish.hk2.api.ValidationInformation;
import org.glassfish.hk2.api.Validator;

/* loaded from: input_file:org/glassfish/security/services/common/SecurityAccessValidator.class */
public class SecurityAccessValidator implements Validator {
    private static final Logger LOG = SecurityAccessValidationService._theLog;
    private static LocalStringManagerImpl localStrings = new LocalStringManagerImpl(SecurityAccessValidator.class);

    @Override // org.glassfish.hk2.api.Validator
    public boolean validate(ValidationInformation validationInformation) {
        if (LOG.isLoggable(Level.FINE)) {
            LOG.fine("ValidationInformation info= " + validationInformation);
        }
        switch (validationInformation.getOperation()) {
            case BIND:
            case UNBIND:
                return validateBindAndUnbind(validationInformation);
            case LOOKUP:
                return validateLookup(validationInformation.getCandidate(), validationInformation.getInjectee());
            default:
                return false;
        }
    }

    private boolean isSecureAnnotated(ValidationInformation validationInformation) {
        Set<String> qualifiers = validationInformation.getCandidate().getQualifiers();
        if (qualifiers == null || qualifiers.size() == 0) {
            return false;
        }
        Iterator<String> it = qualifiers.iterator();
        while (it.hasNext()) {
            if (Secure.class.getCanonicalName().equals(it.next())) {
                if (!LOG.isLoggable(Level.FINE)) {
                    return true;
                }
                LOG.fine("The instance is annotated with 'Secure': " + validationInformation);
                return true;
            }
        }
        return false;
    }

    private boolean validateBindAndUnbind(ValidationInformation validationInformation) {
        if (!isSecureAnnotated(validationInformation)) {
            return true;
        }
        if (LOG.isLoggable(Level.FINE)) {
            LOG.fine("validateBindAndUnbind, injectee= " + validationInformation.getInjectee());
        }
        return validateLookup(validationInformation.getCandidate(), validationInformation.getInjectee());
    }

    private boolean validateLookup(ActiveDescriptor<?> activeDescriptor, Injectee injectee) {
        Permission accessPermision;
        boolean validateInjection;
        if (LOG.isLoggable(Level.FINE)) {
            LOG.fine("Lookup candiate =" + activeDescriptor + ", injectee= " + injectee);
        }
        if (!activeDescriptor.isReified()) {
            if (!LOG.isLoggable(Level.FINE)) {
                return true;
            }
            LOG.fine("Lookup candiate is not reified yet");
            return true;
        }
        if (LOG.isLoggable(Level.FINE)) {
            LOG.fine("Lookup candiate is reified, candidate = " + activeDescriptor);
        }
        if (activeDescriptor.getAdvertisedContracts() == null) {
            return true;
        }
        Map<String, List<String>> metadata = activeDescriptor.getMetadata();
        if (LOG.isLoggable(Level.FINE)) {
            for (Map.Entry<String, List<String>> entry : metadata.entrySet()) {
                String key = entry.getKey();
                Iterator<String> it = entry.getValue().iterator();
                while (it.hasNext()) {
                    LOG.fine("$$ key= " + key + ", value= " + it.next());
                }
            }
        }
        List<String> list = metadata.get(Secure.NAME);
        if (list == null || list.isEmpty()) {
            if (LOG.isLoggable(Level.FINE)) {
                LOG.fine("Perm name is empty, will use default value");
            }
            accessPermision = getAccessPermision(Secure.DEFAULT_PERM_NAME, null);
        } else {
            accessPermision = getAccessPermision(list.get(0), null);
        }
        if (LOG.isLoggable(Level.FINE)) {
            LOG.fine("The permission to be protected = " + accessPermision);
        }
        if (injectee == null) {
            validateInjection = checkPerm(accessPermision, getServiceLookupCaller());
            if (LOG.isLoggable(Level.FINE)) {
                LOG.fine("Lookup, checked perm for = " + accessPermision + ", result= " + validateInjection);
            }
        } else {
            validateInjection = validateInjection(activeDescriptor, injectee, accessPermision);
            if (LOG.isLoggable(Level.FINE)) {
                LOG.fine("Injection, checked perm for = " + accessPermision + ", result= " + validateInjection);
            }
        }
        return validateInjection;
    }

    private Class<?> getServiceLookupCaller() {
        StackTraceElement[] stackTrace = new Exception().getStackTrace();
        for (int i = 0; i < stackTrace.length; i++) {
            StackTraceElement stackTraceElement = stackTrace[i];
            if (!stackTraceElement.getClassName().equals("org.jvnet.hk2.internal.ServiceLocatorImpl") || (!stackTraceElement.getMethodName().equals(ConnectionOperations.GET_SERVICE) && !stackTraceElement.getMethodName().equals("getAllServices") && !stackTraceElement.getMethodName().equals("getServiceHandle") && !stackTraceElement.getMethodName().equals("getAllServiceHandles") && !stackTraceElement.getMethodName().equals("create") && !stackTraceElement.getMethodName().equals("createAndInitialize") && !stackTraceElement.getMethodName().equals("shutdown"))) {
                try {
                    return Class.forName(stackTraceElement.getClassName());
                } catch (ClassNotFoundException e) {
                    LOG.warning(localStrings.getLocalString("sec.validate.lookup.noclass", "Lookup Class not found in classpath: {0}", stackTraceElement.getClassName()));
                    throw new RuntimeException(e);
                }
            }
            if (LOG.isLoggable(Level.FINE)) {
                LOG.fine("Found the service locator, classname= " + stackTrace[i + 1].getClassName() + ", ste =" + stackTrace[i + 1]);
            }
            for (int i2 = i + 1; i2 < stackTrace.length; i2++) {
                StackTraceElement stackTraceElement2 = stackTrace[i2];
                if (!stackTraceElement2.getClassName().startsWith("org.jvnet.hk2.internal.")) {
                    try {
                        return Class.forName(stackTraceElement2.getClassName(), true, Thread.currentThread().getContextClassLoader());
                    } catch (ClassNotFoundException e2) {
                        try {
                            return Class.forName(stackTraceElement2.getClassName());
                        } catch (ClassNotFoundException e3) {
                            LOG.warning(localStrings.getLocalString("sec.validate.lookup.noclass", "Lookup Class not found in classpath: {0}", stackTraceElement2.getClassName()));
                            throw new RuntimeException(e2);
                        }
                    }
                }
            }
        }
        LOG.warning(localStrings.getLocalString("sec.validate.lookup.fail", "Cannot find the lookup caller class"));
        return null;
    }

    private boolean checkPerm(Permission permission, Class cls) {
        if (LOG.isLoggable(Level.FINE)) {
            LOG.fine("Checked perm for = " + permission);
        }
        try {
            if (cls != null) {
                getCallerProtDomain(cls).implies(permission);
            } else {
                AccessController.checkPermission(permission);
            }
            return true;
        } catch (SecurityException e) {
            LOG.warning(localStrings.getLocalString("sec.validate.lookup.deny", "Check Permission failed in lookup for permission = {0}", permission));
            if (LOG.isLoggable(Level.FINE)) {
                LOG.fine("Check Permission failed, perm= " + permission + ", message = " + e.getMessage());
            }
            throw e;
        }
    }

    private boolean validateInjection(ActiveDescriptor<?> activeDescriptor, Injectee injectee, Permission permission) {
        if (LOG.isLoggable(Level.FINE)) {
            LOG.fine("Injectee =" + injectee + ", permission= " + permission);
        }
        ProtectionDomain callerProtDomain = getCallerProtDomain(injectee.getInjecteeClass());
        if (LOG.isLoggable(Level.FINE)) {
            LOG.fine("Protection domain code src= " + callerProtDomain.getCodeSource());
        }
        if (!callerProtDomain.implies(permission)) {
            if (LOG.isLoggable(Level.FINE)) {
                LOG.fine("permission check failed for " + injectee + ", to get perm " + permission + ", for candidate " + activeDescriptor);
            }
            throw new AccessControlException(localStrings.getLocalString("sec.validate.injection.deny", "Access denied for injectee {0} to get permission {1}.", injectee, permission));
        }
        if (!LOG.isLoggable(Level.FINE)) {
            return true;
        }
        LOG.fine("permission check success for " + injectee + " to get " + activeDescriptor);
        return true;
    }

    private ProtectionDomain getCallerProtDomain(final Class cls) {
        return (ProtectionDomain) AccessController.doPrivileged(new PrivilegedAction<ProtectionDomain>() { // from class: org.glassfish.security.services.common.SecurityAccessValidator.1
            /* JADX WARN: Can't rename method to resolve collision */
            @Override // java.security.PrivilegedAction
            public ProtectionDomain run() {
                return cls.getProtectionDomain();
            }
        });
    }

    private Permission getAccessPermision(String str, String str2) {
        return new SecureServiceAccessPermission(str, str2);
    }
}
