package net.sf.ehcache.management.service.impl;

import com.terracotta.management.security.IACredentials;
import com.terracotta.management.security.IdentityAssertionServiceClient;
import com.terracotta.management.security.impl.ContextSecurityServiceDirectory;
import com.terracotta.management.security.shiro.IdentityAssertionToken;
import com.terracotta.management.security.shiro.realm.TCIdentityAssertionRealm;
import java.net.MalformedURLException;
import java.net.URI;
import java.net.URISyntaxException;
import net.sf.ehcache.config.ManagementRESTServiceConfiguration;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.config.Ini;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.subject.Subject;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.terracotta.management.l1bridge.RemoteCallDescriptor;

/* JADX WARN: Classes with same name are omitted:
  input_file:ehcache/ehcache-ee-2.10.2.2.15.jar/rest-management-private-classpath/net/sf/ehcache/management/service/impl/RemoteAgentEndpointImplEE.class_terracotta
 */
/* loaded from: input_file:rest-management-private-classpath/net/sf/ehcache/management/service/impl/RemoteAgentEndpointImplEE.class_terracotta */
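/**
 * Remote agent endpoint that performs an identity-assertion (IA) login before delegating
 * to {@link RemoteAgentEndpointImpl#invoke(RemoteCallDescriptor)}.
 *
 * <p>When a call descriptor carries an IA callback URL, the URL is checked against the
 * configured {@code securityServiceLocation} whitelist, the ticket and token from the
 * descriptor are submitted through Shiro, and a per-thread flag records that the current
 * call was authenticated. The flag is exposed through {@link #isTsaSecured()} and is
 * always reset before {@code invoke} returns.
 */
public class RemoteAgentEndpointImplEE extends RemoteAgentEndpointImpl {
    private static final Logger LOG = LoggerFactory.getLogger(RemoteAgentEndpointImplEE.class);
    public static final String MBEAN_NAME_PREFIX = "net.sf.ehcache:type=" + IDENTIFIER;
    private final ManagementRESTServiceConfiguration configuration;
    private final IdentityAssertionServiceClient idAssertionSvcClient;
    private final ContextSecurityServiceDirectory contextSecurityServiceDirectory;
    // volatile so the unsynchronized fast-path read in initSecurityManager() sees the write.
    private volatile boolean securityManagerInitialized = false;
    private final Object securityManagerInitializationLock = new Object();
    // Per-thread "this call passed identity assertion" flag; defaults to false.
    private final ThreadLocal<Boolean> tsaSecured = new ThreadLocal<Boolean>() {
        // The decompiler reports that this override was widened from protected to public.
        @Override
        public Boolean initialValue() {
            return false;
        }
    };

    /**
     * @param managementRESTServiceConfiguration source of the {@code securityServiceLocation} whitelist
     * @param identityAssertionServiceClient client handed to the Shiro realm that verifies assertions
     * @param contextSecurityServiceDirectory directory that is pointed at the callback URL for the
     *        duration of the login; may be {@code null}, in which case it is skipped
     */
    public RemoteAgentEndpointImplEE(ManagementRESTServiceConfiguration managementRESTServiceConfiguration, IdentityAssertionServiceClient identityAssertionServiceClient, ContextSecurityServiceDirectory contextSecurityServiceDirectory) {
        this.configuration = managementRESTServiceConfiguration;
        this.idAssertionSvcClient = identityAssertionServiceClient;
        this.contextSecurityServiceDirectory = contextSecurityServiceDirectory;
    }

    /**
     * Installs the Shiro security manager once, using double-checked locking on
     * {@link #securityManagerInitialized}.
     *
     * <p>{@code SecurityUtils.setSecurityManager} sets a static singleton, so this replaces
     * whatever security manager other code sharing the same Shiro classes had installed.
     *
     * @throws RuntimeException wrapping the realm's {@link MalformedURLException} or
     *         {@link URISyntaxException}; the flag stays false so a later call retries
     */
    private void initSecurityManager() {
        if (this.securityManagerInitialized) {
            return;
        }
        synchronized (this.securityManagerInitializationLock) {
            if (!this.securityManagerInitialized) {
                try {
                    SecurityUtils.setSecurityManager(new DefaultSecurityManager(new TCIdentityAssertionRealm(this.idAssertionSvcClient)));
                    this.securityManagerInitialized = true;
                } catch (MalformedURLException e) {
                    throw new RuntimeException(e);
                } catch (URISyntaxException e) {
                    throw new RuntimeException(e);
                }
            }
        }
    }

    /**
     * Authenticates the call when it carries an IA callback URL, then delegates to the superclass.
     *
     * <p>No login is attempted, and {@link #isTsaSecured()} stays {@code false}, when the
     * descriptor has no callback URL or when the system property
     * {@code com.terracotta.management.debug.noIA} is {@code true}.
     * NOTE(review): that property switches identity assertion off for every call in the JVM;
     * confirm it is never set outside of debugging.
     *
     * @param remoteCallDescriptor the remote call, including the IA callback URL, ticket and token
     * @return the serialized result produced by the superclass
     * @throws RuntimeException if the callback URL is not whitelisted, is not a valid URI, or the
     *         identity assertion is rejected; the original exception is attached as the cause
     * @throws Exception whatever the superclass invocation throws
     */
    @Override
    public byte[] invoke(RemoteCallDescriptor remoteCallDescriptor) throws Exception {
        try {
            // Read the URL once so the value that is whitelisted is the value that is used.
            String iaCallbackUrl = remoteCallDescriptor.getIaCallbackUrl();
            if (iaCallbackUrl != null && !Boolean.getBoolean("com.terracotta.management.debug.noIA")) {
                try {
                    assertIaCallbackUrlInWhitelist(iaCallbackUrl);
                    if (this.contextSecurityServiceDirectory != null) {
                        this.contextSecurityServiceDirectory.setSecurityServiceLocation(new URI(iaCallbackUrl));
                    }
                    initSecurityManager();
                    Subject subject = SecurityUtils.getSubject();
                    IACredentials credentials = new IACredentials();
                    credentials.setRequestTicket(remoteCallDescriptor.getTicket());
                    credentials.setIdentityToken(remoteCallDescriptor.getToken());
                    credentials.setRequestAlias("jmx:" + MBEAN_NAME_PREFIX);
                    subject.login(new IdentityAssertionToken(credentials));
                    // Only reached when login() did not throw.
                    this.tsaSecured.set(true);
                } catch (URISyntaxException e) {
                    // The URL is caller-supplied and is written to the log as received.
                    // Ini.SECTION_SUFFIX is kept from the decompiled source; it appears to stand in
                    // for the closing "]" literal.
                    LOG.warn("IA failed because of invalid IA callback url [" + iaCallbackUrl + Ini.SECTION_SUFFIX, e);
                    throw new RuntimeException("IA failed because of invalid IA callback url [" + iaCallbackUrl + "]: " + e, e);
                } catch (AuthenticationException e) {
                    LOG.warn("IA failed", e);
                    throw new RuntimeException("IA failed: " + e, e);
                } finally {
                    // The location is only meant to be set while the login is in flight.
                    if (this.contextSecurityServiceDirectory != null) {
                        this.contextSecurityServiceDirectory.clearSecurityServiceLocation();
                    }
                }
            }
            return super.invoke(remoteCallDescriptor);
        } finally {
            // Reset on every exit path, including a failure after a successful login, so the
            // authenticated flag cannot remain true on this thread for a later call.
            this.tsaSecured.set(false);
        }
    }

    /**
     * Reports whether the call currently running on this thread passed identity assertion.
     * The decompiler reports that this override was widened from protected to public.
     *
     * @return {@code true} only between a successful login in {@link #invoke} and its return
     */
    @Override
    public boolean isTsaSecured() {
        return this.tsaSecured.get().booleanValue();
    }

    /**
     * Rejects an IA callback URL that is not listed in the configured
     * {@code securityServiceLocation}, a comma-separated list.
     *
     * <p>Matching is exact string equality against each entry; no URL normalisation is applied.
     * NOTE(review): a missing or blank {@code securityServiceLocation} disables the check, so any
     * callback URL in the descriptor is accepted and becomes the location set on the security
     * service directory before login. Confirm that deployments exposing this endpoint always
     * configure the whitelist.
     *
     * @param str the callback URL taken from the call descriptor
     * @throws RuntimeException if a whitelist is configured and {@code str} is not in it
     */
    private void assertIaCallbackUrlInWhitelist(String str) {
        String securityServiceLocation = this.configuration.getSecurityServiceLocation();
        if (securityServiceLocation == null || securityServiceLocation.trim().isEmpty()) {
            return;
        }
        for (String allowed : securityServiceLocation.split("\\,")) {
            // Entries are trimmed so that "a, b" in the configuration still matches "b".
            if (allowed.trim().equals(str)) {
                return;
            }
        }
        throw new RuntimeException("Identity Assertion callback URL [" + str + "] is not in this agent's configured whitelist. Please add it to the <managementRESTService securityServiceLocation=\"...\"/> configuration setting.");
    }
}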
