package com.terracotta.management.security.web.shiro;

import com.terracotta.license.LicenseManager;
import com.terracotta.management.UpdateChecker;
import com.terracotta.management.dao.DataAccessException;
import com.terracotta.management.resource.services.validator.impl.AggregateEhcacheRequestValidator;
import com.terracotta.management.security.Authorizer;
import com.terracotta.management.security.KeyChainAccessor;
import com.terracotta.management.security.KeychainInitializationException;
import com.terracotta.management.security.RequestIdentityAsserter;
import com.terracotta.management.security.SSLContextFactory;
import com.terracotta.management.security.SecurityContextManager;
import com.terracotta.management.security.impl.DefaultSSLContextFactory;
import com.terracotta.management.security.impl.DfltRequestTicketMonitor;
import com.terracotta.management.security.impl.NoSecurityContextAuthorizer;
import com.terracotta.management.security.impl.SecretFileStoreKeyChainAccessor;
import com.terracotta.management.security.impl.TMCStoresSSLContextFactory;
import com.terracotta.management.security.services.SecurityContextSetupService;
import com.terracotta.management.security.services.impl.IniFileSetupService;
import com.terracotta.management.security.shiro.ShiroAuthorizer;
import com.terracotta.management.security.shiro.ShiroSecurityContextManager;
import com.terracotta.management.security.shiro.realm.TCIniRealm;
import com.terracotta.management.security.web.impl.LicensedIdentityAsserter;
import com.terracotta.management.security.web.impl.NoOpIdentityAsserter;
import com.terracotta.management.security.web.jersey.TMSRequestClientFilter;
import com.terracotta.management.security.web.jersey.TMSRequestSecurityClientFilter;
import com.terracotta.management.services.ConfigService;
import com.terracotta.management.services.ResourceServiceClientService;
import com.terracotta.management.services.SystemConfigService;
import com.terracotta.management.services.impl.DfltJerseyClientFactory;
import com.terracotta.management.services.impl.FileConfigService;
import com.terracotta.management.services.impl.FileSystemConfigService;
import com.terracotta.management.services.impl.JerseyResourceServiceClientService;
import com.terracotta.management.user.UserInfoFactory;
import com.terracotta.management.user.dao.impl.IniFileUserInfoDao;
import com.terracotta.management.user.impl.DfltUserInfoFactory;
import com.terracotta.management.userprofile.dao.UserProfileDao;
import com.terracotta.management.userprofile.dao.impl.XMLFileUserProfileDao;
import java.util.Iterator;
import java.util.Timer;
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import org.apache.shiro.mgt.RealmSecurityManager;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.realm.Realm;
import org.apache.shiro.realm.ldap.JndiLdapRealm;
import org.apache.shiro.web.env.EnvironmentLoaderListener;
import org.apache.shiro.web.env.WebEnvironment;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.terracotta.license.LicenseException;
import org.terracotta.management.ServiceLocator;
import org.terracotta.management.resource.services.validator.RequestValidator;

/* loaded from: input_file:WEB-INF/classes/com/terracotta/management/security/web/shiro/TMSEnvironmentLoaderListener.class */
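/**
 * Servlet-context listener that bootstraps the Terracotta Management Server (TMS)
 * service graph on start-up and tears it down on shutdown.
 *
 * <p>The security posture of the whole TMS is decided here. {@link #contextInitialized}
 * verifies the TMC license and then consults the system configuration:
 * <ul>
 *   <li>no valid license, or authentication disabled: the Shiro environment is not
 *       created and the pass-through services of {@link #loadUnlicensedCtxt} are
 *       installed, i.e. the TMS runs unsecured;</li>
 *   <li>valid license and authentication enabled: the Shiro environment is created
 *       and the secured services of {@link #loadLicensedCtxt} are installed.</li>
 * </ul>
 * A failed license check therefore fails <em>open</em>: the server starts without
 * authentication instead of refusing to start. Deployments that expect a secured TMS
 * should treat the "TMS is NOT secured" start-up line (and the license warning that
 * precedes it) as an alert.
 *
 * <p>{@link #HAS_LICENSE}, {@link #LICENSE_IS_COMMERCIAL_LICENSE} and
 * {@link #TMS_IS_SECURED} are plain public static fields written from the container
 * thread that runs {@link #contextInitialized}. They are neither final nor volatile and
 * can be reassigned by any code in the JVM, so they are a hint about how the server was
 * started, not something an access-control decision should rely on by itself.
 */
public final class TMSEnvironmentLoaderListener extends EnvironmentLoaderListener {
    /** Period between two update checks, in milliseconds (7 days). */
    private static final long EVERY_WEEK = 604800000;
    /** Delay before the first update check after start-up, in milliseconds. */
    private static final long DELAY_UPDATE_CHECK = 1000;
    /** System property naming the TMC configuration directory; overrides the default below. */
    public static final String TMC_CONFIGURATION_DIRECTORY_PROPERTY = "com.tc.management.config.directory";
    /** System property; when {@code true} the periodic update check is not scheduled. */
    private static final String SKIP_UPDATE_CHECK_PROPERTY = "com.terracotta.management.skipUpdateCheck";
    /** Default configuration directory, {@code <user.home>/.tc/mgmt/} (with a trailing separator). */
    private static final String TMC_CONFIGURATION_DEFAULT_DIRECTORY = System.getProperty("user.home") + System.getProperty("file.separator") + ".tc" + System.getProperty("file.separator") + "mgmt" + System.getProperty("file.separator");
    private static final Logger LOG = LoggerFactory.getLogger(TMSEnvironmentLoaderListener.class);

    /** Outcome of the one-time license check; {@code null} until {@link #checkLicense} has run. */
    public static Boolean HAS_LICENSE;
    /** Set only when the license check succeeds; stays {@code null} otherwise (callers must null-check). */
    public static Boolean LICENSE_IS_COMMERCIAL_LICENSE;
    /** {@code true} once the secured (licensed + authentication enabled) context has been selected. */
    public static Boolean TMS_IS_SECURED = false;

    /** Daemon timer driving the periodic update check; {@code null} when the check is skipped. */
    private Timer updateCheckTimer;

    /**
     * Checks the license, wires the service graph that matches the license/authentication
     * state, then schedules the periodic update check.
     *
     * @param servletContextEvent the container event carrying the {@link ServletContext}
     */
    @Override
    public void contextInitialized(ServletContextEvent servletContextEvent) {
        LOG.info("Entering TMSEnvironmentLoaderListener.contextInitialized()");
        checkLicense();
        loadContextAccordingToLicenseAndAuth(servletContextEvent, new FileSystemConfigService(), new DfltUserInfoFactory(), new XMLFileUserProfileDao());
        scheduleUpdateCheckIfNeeded();
    }

    /**
     * Selects and installs either the unsecured or the secured service graph.
     *
     * <p>The secured graph is chosen only when a license was found <em>and</em> the system
     * configuration enables authentication; every other combination runs unsecured.
     * {@link #HAS_LICENSE} is expected to have been set by {@link #checkLicense} first:
     * an unset flag fails here (NPE) rather than defaulting to the unsecured path.
     *
     * @param servletContextEvent the container event carrying the {@link ServletContext}
     * @param systemConfigService source of the authentication / SSL settings
     * @param userInfoFactory     factory handed to the identity asserter / setup service
     * @param userProfileDao      profile store registered in the {@link ServiceLocator}
     */
    void loadContextAccordingToLicenseAndAuth(ServletContextEvent servletContextEvent, SystemConfigService systemConfigService, UserInfoFactory userInfoFactory, UserProfileDao userProfileDao) {
        boolean secured = HAS_LICENSE.booleanValue() && systemConfigService.isAuthenticationEnabled();
        if (!secured) {
            LOG.info("TMS is NOT secured  : no license found or no authentication enabled, or either");
            loadUnlicensedCtxt(systemConfigService, userInfoFactory, userProfileDao);
            return;
        }
        TMS_IS_SECURED = Boolean.TRUE;
        LOG.info("TMS license properly loaded, and authentication is enabled : TMS is secured");
        // The Shiro WebEnvironment must exist before initializeRealm() can look up the realms.
        initEnvironment(servletContextEvent.getServletContext());
        loadLicensedCtxt(systemConfigService, userInfoFactory, userProfileDao, servletContextEvent.getServletContext());
    }

    /**
     * Tears down the Shiro environment (when one may have been created), unloads the
     * {@link ServiceLocator} and cancels the update-check timer.
     *
     * <p>The service unload and timer cancellation run in a {@code finally} so that a failure
     * in {@code destroyEnvironment} cannot leak the timer thread. {@code HAS_LICENSE} is
     * compared null-safely: a destroy without a prior initialize must not abort the clean-up.
     * Note that {@link #initEnvironment} only runs when licensed <em>and</em> authentication
     * is enabled, whereas the destroy is attempted whenever a license was found — kept as in
     * the original wiring; Shiro's destroyEnvironment is expected to tolerate a missing
     * environment (TODO confirm against the Shiro version in use).
     *
     * @param servletContextEvent the container event carrying the {@link ServletContext}
     */
    @Override
    public void contextDestroyed(ServletContextEvent servletContextEvent) {
        try {
            if (Boolean.TRUE.equals(HAS_LICENSE)) {
                destroyEnvironment(servletContextEvent.getServletContext());
            }
        } finally {
            ServiceLocator.unload();
            if (updateCheckTimer != null) {
                updateCheckTimer.cancel();
            }
        }
    }

    /**
     * Runs the TMC license check once per JVM and records the outcome in the static flags.
     *
     * <p>A failed verification is deliberately non-fatal (the caller then installs the
     * unsecured context), but it is logged with its cause so that a missing or expired
     * license is diagnosable instead of silently downgrading security.
     * {@link #LICENSE_IS_COMMERCIAL_LICENSE} is left {@code null} on failure.
     */
    private void checkLicense() {
        if (HAS_LICENSE != null) {
            return; // already decided for this JVM; the flags are static
        }
        try {
            LicenseManager.verifyTMCCapability();
            HAS_LICENSE = Boolean.TRUE;
            LICENSE_IS_COMMERCIAL_LICENSE = Boolean.valueOf(LicenseManager.isCommercialLicense());
        } catch (LicenseException e) {
            LOG.warn("TMC license verification failed; the TMS will start without authentication", e);
            HAS_LICENSE = Boolean.FALSE;
        }
    }

    /**
     * Wires the secured service graph: keychain-backed credentials and SSL for outbound
     * agent calls, a Shiro-backed authorizer, and the realm-specific security context
     * services (ini-file realm or LDAP realm, see {@link #initializeRealm}).
     *
     * <p>Realm selection is done with {@code instanceof} rather than by catching the
     * {@link ClassCastException} of a blind cast, so an unexpected type anywhere in the
     * set-up surfaces as an error instead of silently selecting the permissive LDAP wiring.
     * The ini-file user DAO is only constructed for the ini realm.
     *
     * @param systemConfigService source of the SSL / authentication settings
     * @param userInfoFactory     factory handed to the ini setup service
     * @param userProfileDao      profile store registered in the {@link ServiceLocator}
     * @param servletContext      context holding the initialized Shiro environment
     * @throws RuntimeException if the keychain cannot be initialized, the ini user datasource
     *                          cannot be opened, or no supported realm is configured
     */
    private void loadLicensedCtxt(SystemConfigService systemConfigService, UserInfoFactory userInfoFactory, UserProfileDao userProfileDao, ServletContext servletContext) {
        ShiroAuthorizer shiroAuthorizer = new ShiroAuthorizer();
        DfltRequestTicketMonitor ticketMonitor = new DfltRequestTicketMonitor();
        try {
            SecretFileStoreKeyChainAccessor keyChainAccessor = new SecretFileStoreKeyChainAccessor();
            SSLContextFactory sslContextFactory = createSslContextFactory(systemConfigService, keyChainAccessor);
            // Outbound agent calls carry the request-security filter (tickets + keychain secrets; see the filter class).
            DfltJerseyClientFactory clientFactory = new DfltJerseyClientFactory(new TMSRequestSecurityClientFilter(ticketMonitor, keyChainAccessor), sslContextFactory);
            FileConfigService fileConfigService = new FileConfigService();
            JerseyResourceServiceClientService clientService = new JerseyResourceServiceClientService(fileConfigService, clientFactory, shiroAuthorizer);
            ServiceLocator serviceLocator = new ServiceLocator();

            AuthorizingRealm realm = initializeRealm(servletContext);
            if (realm instanceof TCIniRealm) {
                registerIniRealmServices(serviceLocator, (TCIniRealm) realm, shiroAuthorizer, ticketMonitor, keyChainAccessor, userInfoFactory);
            } else {
                registerLdapRealmServices(serviceLocator);
            }

            serviceLocator.loadService(RequestValidator.class, new AggregateEhcacheRequestValidator(shiroAuthorizer))
                    .loadService(ConfigService.class, fileConfigService)
                    .loadService(ResourceServiceClientService.class, clientService)
                    .loadService(UserProfileDao.class, userProfileDao)
                    .loadService(Authorizer.class, shiroAuthorizer)
                    .loadService(KeyChainAccessor.class, keyChainAccessor)
                    .loadService(SystemConfigService.class, systemConfigService);
            ServiceLocator.load(serviceLocator);
        } catch (KeychainInitializationException e) {
            throw new RuntimeException("Failure instantiating a licensed TMS (security enabled) due to invalid keychain configuration.", e);
        }
    }

    /**
     * Chooses the SSL context used when the TMS connects to HTTPS agents.
     *
     * <p>Only when the TMS keystore, truststore and keychain all exist <em>and</em> the
     * settings.ini flag {@code useTmsTrustStoreForHttpsAgents} is on does the TMS pin to its
     * own stores; otherwise it falls back to the default JDK truststore, so agent
     * certificates then have to chain to a CA the JVM already trusts.
     *
     * @param systemConfigService source of the store-existence / flag checks
     * @param keyChainAccessor    accessor handed to the store-backed factory (store passwords, presumably)
     * @return the factory to hand to the Jersey client factory
     * @throws KeychainInitializationException propagated from the store-backed factory
     */
    private static SSLContextFactory createSslContextFactory(SystemConfigService systemConfigService, SecretFileStoreKeyChainAccessor keyChainAccessor) throws KeychainInitializationException {
        String configuredDir = System.getProperty(TMC_CONFIGURATION_DIRECTORY_PROPERTY, TMC_CONFIGURATION_DEFAULT_DIRECTORY);
        if (systemConfigService.storesAndKeychainExist() && systemConfigService.isTmsTruststoreUsedForHttpsAgents()) {
            LOG.info("SSL configuration with keystore and truststore found, registering a custom sslContextFactory using them");
            // The store names are appended to the directory; normalize the separator so an
            // override given without a trailing slash does not produce "<dir>tms-keystore".
            String storeDir = withTrailingSeparator(configuredDir);
            return new TMCStoresSSLContextFactory(keyChainAccessor, storeDir + "tms-keystore", storeDir + "tms-truststore");
        }
        LOG.info("The system property useTmsTrustStoreForHttpsAgents found in settings.ini is set to false or either one of the tms-truststore, the tms-keystore or the keychain were not found in " + configuredDir + ", the TMC will use the default JDK truststore when connecting to HTTPS agents");
        return new DefaultSSLContextFactory();
    }

    /**
     * Appends the platform separator to {@code dir} unless it is empty or already ends with
     * a separator (platform separator or {@code /}). An empty value is returned unchanged so
     * that file names stay relative to the working directory, as before.
     *
     * @param dir a directory path, possibly without trailing separator
     * @return {@code dir} guaranteed to end with a separator, or {@code dir} itself if empty
     */
    private static String withTrailingSeparator(String dir) {
        String separator = System.getProperty("file.separator");
        if (dir.length() == 0 || dir.endsWith(separator) || dir.endsWith("/")) {
            return dir;
        }
        return dir + separator;
    }

    /**
     * Registers the security services backing the ini-file realm: the Shiro security
     * context manager, the ini setup service and the licensed identity asserter.
     *
     * @param serviceLocator   locator receiving the services
     * @param iniRealm         the configured ini realm
     * @param shiroAuthorizer  authorizer shared with the rest of the graph
     * @param ticketMonitor    request-ticket monitor shared with the client filter
     * @param keyChainAccessor keychain accessor shared with the client filter
     * @param userInfoFactory  factory handed to the setup service
     * @throws KeychainInitializationException propagated from the constructed services, if any
     * @throws RuntimeException if the ini user datasource cannot be found or initialized
     */
    private static void registerIniRealmServices(ServiceLocator serviceLocator, TCIniRealm iniRealm, ShiroAuthorizer shiroAuthorizer, DfltRequestTicketMonitor ticketMonitor, SecretFileStoreKeyChainAccessor keyChainAccessor, UserInfoFactory userInfoFactory) throws KeychainInitializationException {
        try {
            ShiroSecurityContextManager securityContextManager = new ShiroSecurityContextManager(new IniFileUserInfoDao(), iniRealm);
            IniFileSetupService setupService = new IniFileSetupService(securityContextManager, userInfoFactory);
            LicensedIdentityAsserter identityAsserter = new LicensedIdentityAsserter(shiroAuthorizer, ticketMonitor, securityContextManager, keyChainAccessor);
            serviceLocator.loadService(RequestIdentityAsserter.class, identityAsserter);
            serviceLocator.loadService(SecurityContextManager.class, securityContextManager);
            serviceLocator.loadService(SecurityContextSetupService.class, setupService);
        } catch (DataAccessException e) {
            throw new RuntimeException("Failure instantiating TMS context because user info datasource could not be found or initialized.", e);
        }
    }

    /**
     * Registers the security services used when an LDAP realm is configured.
     *
     * <p>Caveat for reviewers: this path registers only a {@link SecurityContextManager}
     * that reports a valid security context unconditionally; unlike the ini path it
     * registers no {@link RequestIdentityAsserter} and no
     * {@link SecurityContextSetupService}. This mirrors the original wiring — whatever
     * consumes those services must tolerate their absence (verify against the callers
     * before relying on it).
     *
     * @param serviceLocator locator receiving the service
     */
    private static void registerLdapRealmServices(ServiceLocator serviceLocator) {
        LOG.debug("The user has configured an Ldap Realm");
        serviceLocator.loadService(SecurityContextManager.class, new SecurityContextManager() {
            @Override
            public boolean hasValidSecurityContext() {
                return true;
            }
        });
    }

    /**
     * Wires the unsecured service graph: a {@link NoSecurityContextAuthorizer}, a
     * {@link NoOpIdentityAsserter}, a plain client filter and no SSL context factory
     * ({@code null}) for the Jersey client. By their names none of these enforce
     * authentication or authorization — this is the configuration an unlicensed or
     * authentication-disabled TMS runs with.
     *
     * @param systemConfigService registered as-is in the {@link ServiceLocator}
     * @param userInfoFactory     handed to the no-op identity asserter
     * @param userProfileDao      profile store registered in the {@link ServiceLocator}
     */
    private void loadUnlicensedCtxt(SystemConfigService systemConfigService, UserInfoFactory userInfoFactory, UserProfileDao userProfileDao) {
        NoSecurityContextAuthorizer authorizer = new NoSecurityContextAuthorizer();
        DfltJerseyClientFactory clientFactory = new DfltJerseyClientFactory(new TMSRequestClientFilter(), null);
        FileConfigService fileConfigService = new FileConfigService();
        JerseyResourceServiceClientService clientService = new JerseyResourceServiceClientService(fileConfigService, clientFactory, authorizer);
        ServiceLocator serviceLocator = new ServiceLocator()
                .loadService(RequestValidator.class, new AggregateEhcacheRequestValidator(authorizer))
                .loadService(ConfigService.class, fileConfigService)
                .loadService(ResourceServiceClientService.class, clientService)
                .loadService(UserProfileDao.class, userProfileDao)
                .loadService(Authorizer.class, authorizer)
                .loadService(SystemConfigService.class, systemConfigService)
                .loadService(RequestIdentityAsserter.class, new NoOpIdentityAsserter(userInfoFactory));
        ServiceLocator.load(serviceLocator);
    }

    /**
     * Finds the realm the TMS should drive from the Shiro environment stored in the
     * servlet context.
     *
     * <p>Precedence: the first {@link JndiLdapRealm} wins as soon as it is seen; otherwise
     * the last {@link TCIniRealm} in iteration order is used. A missing environment, a
     * security manager that does not expose realms, or no supported realm at all is a
     * hard failure — the TMS does not start in that case.
     *
     * @param servletContext context in which {@link #initEnvironment} stored the environment
     * @return the selected realm (a {@link TCIniRealm} or a {@link JndiLdapRealm})
     * @throws RuntimeException if the environment or a supported realm cannot be found
     */
    private AuthorizingRealm initializeRealm(ServletContext servletContext) {
        Object environment = servletContext.getAttribute(ENVIRONMENT_ATTRIBUTE_KEY);
        if (!(environment instanceof WebEnvironment)) {
            throw new RuntimeException("Failure instantiating TMS context. Shiro WebEnvironment has not been initialized.");
        }
        Object securityManager = ((WebEnvironment) environment).getWebSecurityManager();
        if (!(securityManager instanceof RealmSecurityManager)) {
            throw new RuntimeException("Failure instantiating TMS context. The Shiro security manager does not expose realms.");
        }
        AuthorizingRealm iniRealm = null;
        for (Realm realm : ((RealmSecurityManager) securityManager).getRealms()) {
            if (realm instanceof JndiLdapRealm) {
                return (JndiLdapRealm) realm; // LDAP takes precedence over any ini realm
            }
            if (realm instanceof TCIniRealm) {
                iniRealm = (TCIniRealm) realm; // keep scanning: a later LDAP realm still wins
            }
        }
        if (iniRealm == null) {
            throw new RuntimeException("Failure instantiating TMS context. Failure to find expected security realm.");
        }
        return iniRealm;
    }

    /**
     * Schedules the periodic {@link UpdateChecker} on a daemon timer unless the
     * {@code com.terracotta.management.skipUpdateCheck} system property is {@code true}.
     * The first run happens after {@link #DELAY_UPDATE_CHECK} ms, then every
     * {@link #EVERY_WEEK} ms; the checker is told whether a license was found.
     */
    private void scheduleUpdateCheckIfNeeded() {
        if (Boolean.getBoolean(SKIP_UPDATE_CHECK_PROPERTY)) {
            return;
        }
        updateCheckTimer = new Timer(true); // daemon: must not keep the JVM alive
        updateCheckTimer.scheduleAtFixedRate(new UpdateChecker(HAS_LICENSE.booleanValue()), DELAY_UPDATE_CHECK, EVERY_WEEK);
    }
}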
