package org.apache.cassandra.auth.jmx;

import java.lang.reflect.InvocationHandler;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.security.AccessController;
import java.security.Principal;
import java.util.Set;
import java.util.function.Function;
import java.util.function.Supplier;
import java.util.stream.Collectors;
import javax.management.MBeanServer;
import javax.management.MalformedObjectNameException;
import javax.management.ObjectName;
import javax.management.QueryExp;
import javax.security.auth.Subject;
import org.apache.cassandra.auth.AuthCache;
import org.apache.cassandra.auth.AuthenticatedUser;
import org.apache.cassandra.auth.JMXResource;
import org.apache.cassandra.auth.Permission;
import org.apache.cassandra.auth.PermissionDetails;
import org.apache.cassandra.auth.RoleResource;
import org.apache.cassandra.auth.Roles;
import org.apache.cassandra.config.DatabaseDescriptor;
import org.apache.cassandra.schema.TableParams;
import org.apache.cassandra.service.StorageService;
import org.cassandraunit.shaded.com.google.common.annotations.VisibleForTesting;
import org.cassandraunit.shaded.com.google.common.collect.ImmutableSet;
import org.cassandraunit.shaded.org.codehaus.jackson.util.MinimalPrettyPrinter;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/cassandra/auth/jmx/AuthorizationProxy.class */
public class AuthorizationProxy implements InvocationHandler {
    private static final Logger logger = LoggerFactory.getLogger(AuthorizationProxy.class);
    private static final Set<String> MBEAN_SERVER_METHOD_WHITELIST = ImmutableSet.of("getDefaultDomain", "getDomains", "getMBeanCount", "hashCode", "queryMBeans", "queryNames", "toString");
    private static final Set<String> METHOD_BLACKLIST = ImmutableSet.of("createMBean", "deserialize", "getClassLoader", "getClassLoaderFor", "instantiate", "registerMBean", "unregisterMBean");
    private static final JMXPermissionsCache permissionsCache = new JMXPermissionsCache();
    private MBeanServer mbs;
    protected Function<RoleResource, Boolean> isSuperuser = Roles::hasSuperuserStatus;
    protected Function<RoleResource, Set<PermissionDetails>> getPermissions;
    protected Supplier<Boolean> isAuthzRequired;
    protected Function<ObjectName, Set<ObjectName>> queryNames;
    protected Supplier<Boolean> isAuthSetupComplete;

    /* loaded from: input_file:org/apache/cassandra/auth/jmx/AuthorizationProxy$JMXPermissionsCache.class */
    private static final class JMXPermissionsCache extends AuthCache<RoleResource, Set<PermissionDetails>> {
        protected JMXPermissionsCache() {
            super("JMXPermissionsCache", (v0) -> {
                DatabaseDescriptor.setPermissionsValidity(v0);
            }, DatabaseDescriptor::getPermissionsValidity, (v0) -> {
                DatabaseDescriptor.setPermissionsUpdateInterval(v0);
            }, DatabaseDescriptor::getPermissionsUpdateInterval, (v0) -> {
                DatabaseDescriptor.setPermissionsCacheMaxEntries(v0);
            }, DatabaseDescriptor::getPermissionsCacheMaxEntries, roleResource -> {
                return AuthorizationProxy.loadPermissions(roleResource);
            }, () -> {
                return true;
            });
        }
    }

    public AuthorizationProxy() {
        JMXPermissionsCache jMXPermissionsCache = permissionsCache;
        jMXPermissionsCache.getClass();
        this.getPermissions = (v1) -> {
            return r1.get(v1);
        };
        this.isAuthzRequired = () -> {
            return Boolean.valueOf(DatabaseDescriptor.getAuthorizer().requireAuthorization());
        };
        this.queryNames = objectName -> {
            return this.mbs.queryNames(objectName, (QueryExp) null);
        };
        this.isAuthSetupComplete = () -> {
            return Boolean.valueOf(StorageService.instance.isAuthSetupComplete());
        };
    }

    @Override // java.lang.reflect.InvocationHandler
    public Object invoke(Object obj, Method method, Object[] objArr) throws Throwable {
        String name = method.getName();
        if ("getMBeanServer".equals(name)) {
            throw new SecurityException("Access denied");
        }
        Subject subject = Subject.getSubject(AccessController.getContext());
        if (!"setMBeanServer".equals(name)) {
            if (authorize(subject, name, objArr)) {
                return invoke(method, objArr);
            }
            throw new SecurityException("Access Denied");
        }
        if (subject != null) {
            throw new SecurityException("Access denied");
        }
        if (objArr[0] == null) {
            throw new IllegalArgumentException("Null MBeanServer");
        }
        if (this.mbs != null) {
            throw new IllegalArgumentException("MBeanServer already initialized");
        }
        this.mbs = (MBeanServer) objArr[0];
        return null;
    }

    @VisibleForTesting
    boolean authorize(Subject subject, String str, Object[] objArr) {
        logger.trace("Authorizing JMX method invocation {} for {}", str, subject == null ? TableParams.DEFAULT_COMMENT : subject.toString().replaceAll("\\n", MinimalPrettyPrinter.DEFAULT_ROOT_VALUE_SEPARATOR));
        if (!this.isAuthSetupComplete.get().booleanValue()) {
            logger.trace("Auth setup is not complete, refusing access");
            return false;
        }
        if (!this.isAuthzRequired.get().booleanValue() || subject == null) {
            return true;
        }
        if (METHOD_BLACKLIST.contains(str)) {
            logger.trace("Access denied to blacklisted method {}", str);
            return false;
        }
        Set<Principal> principals = subject.getPrincipals();
        if (principals == null || principals.isEmpty()) {
            return false;
        }
        RoleResource role = RoleResource.role(principals.iterator().next().getName());
        if (this.isSuperuser.apply(role).booleanValue()) {
            return true;
        }
        return (objArr == null || !(objArr[0] instanceof ObjectName)) ? authorizeMBeanServerMethod(role, str) : authorizeMBeanMethod(role, str, objArr);
    }

    private boolean authorizeMBeanServerMethod(RoleResource roleResource, String str) {
        logger.trace("JMX invocation of {} on MBeanServer requires permission {}", str, Permission.DESCRIBE);
        return MBEAN_SERVER_METHOD_WHITELIST.contains(str) && hasPermission(roleResource, Permission.DESCRIBE, JMXResource.root());
    }

    private boolean authorizeMBeanMethod(RoleResource roleResource, String str, Object[] objArr) {
        ObjectName objectName = (ObjectName) objArr[0];
        Permission requiredPermission = getRequiredPermission(str);
        if (null == requiredPermission) {
            return false;
        }
        logger.trace("JMX invocation of {} on {} requires permission {}", new Object[]{str, objectName, requiredPermission});
        Set<JMXResource> permittedResources = getPermittedResources(roleResource, requiredPermission);
        if (permittedResources.isEmpty()) {
            return false;
        }
        return objectName.isPattern() ? checkPattern(objectName, permittedResources) : checkExact(objectName, permittedResources);
    }

    private Set<JMXResource> getPermittedResources(RoleResource roleResource, Permission permission) {
        return (Set) this.getPermissions.apply(roleResource).stream().filter(permissionDetails -> {
            return permissionDetails.permission == permission;
        }).map(permissionDetails2 -> {
            return (JMXResource) permissionDetails2.resource;
        }).collect(Collectors.toSet());
    }

    private boolean hasPermission(RoleResource roleResource, Permission permission, JMXResource jMXResource) {
        return this.getPermissions.apply(roleResource).stream().anyMatch(permissionDetails -> {
            return permissionDetails.permission == permission && permissionDetails.resource.equals(jMXResource);
        });
    }

    private boolean checkPattern(ObjectName objectName, Set<JMXResource> set) {
        if (set.contains(JMXResource.root())) {
            return true;
        }
        Set<ObjectName> apply = this.queryNames.apply(objectName);
        for (JMXResource jMXResource : set) {
            try {
                apply.removeAll(this.queryNames.apply(ObjectName.getInstance(jMXResource.getObjectName())));
            } catch (MalformedObjectNameException e) {
                logger.warn("Permissions for JMX resource contains invalid ObjectName {}", jMXResource.getObjectName());
            }
            if (apply.isEmpty()) {
                return true;
            }
        }
        logger.trace("Subject does not have sufficient permissions on all MBeans matching the target pattern {}", objectName);
        return false;
    }

    private boolean checkExact(ObjectName objectName, Set<JMXResource> set) {
        if (set.contains(JMXResource.root())) {
            return true;
        }
        for (JMXResource jMXResource : set) {
            try {
            } catch (MalformedObjectNameException e) {
                logger.warn("Permissions for JMX resource contains invalid ObjectName {}", jMXResource.getObjectName());
            }
            if (ObjectName.getInstance(jMXResource.getObjectName()).apply(objectName)) {
                return true;
            }
        }
        logger.trace("Subject does not have sufficient permissions on target MBean {}", objectName);
        return false;
    }

    private static Permission getRequiredPermission(String str) {
        boolean z = -1;
        switch (str.hashCode()) {
            case -1479410370:
                if (str.equals("queryMBeans")) {
                    z = 10;
                    break;
                }
                break;
            case -1221670378:
                if (str.equals("isInstanceOf")) {
                    z = 8;
                    break;
                }
                break;
            case -1183693704:
                if (str.equals("invoke")) {
                    z = 4;
                    break;
                }
                break;
            case -184415392:
                if (str.equals("queryNames")) {
                    z = 11;
                    break;
                }
                break;
            case 3480550:
                if (str.equals("getAttribute")) {
                    z = false;
                    break;
                }
                break;
            case 107897165:
                if (str.equals("getAttributes")) {
                    z = true;
                    break;
                }
                break;
            case 147696667:
                if (str.equals("hashCode")) {
                    z = 7;
                    break;
                }
                break;
            case 301341516:
                if (str.equals("isRegistered")) {
                    z = 9;
                    break;
                }
                break;
            case 604276034:
                if (str.equals("getInstanceOf")) {
                    z = 5;
                    break;
                }
                break;
            case 882028377:
                if (str.equals("setAttributes")) {
                    z = 3;
                    break;
                }
                break;
            case 1552473178:
                if (str.equals("setAttribute")) {
                    z = 2;
                    break;
                }
                break;
            case 1932176725:
                if (str.equals("getMBeanInfo")) {
                    z = 6;
                    break;
                }
                break;
        }
        switch (z) {
            case false:
            case true:
                return Permission.SELECT;
            case true:
            case true:
                return Permission.MODIFY;
            case true:
                return Permission.EXECUTE;
            case true:
            case true:
            case true:
            case true:
            case true:
            case true:
            case true:
                return Permission.DESCRIBE;
            default:
                logger.debug("Access denied, method name {} does not map to any defined permission", str);
                return null;
        }
    }

    private Object invoke(Method method, Object[] objArr) throws Throwable {
        try {
            return method.invoke(this.mbs, objArr);
        } catch (InvocationTargetException e) {
            throw e.getCause();
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static Set<PermissionDetails> loadPermissions(RoleResource roleResource) {
        return (Set) DatabaseDescriptor.getAuthorizer().list(AuthenticatedUser.SYSTEM_USER, Permission.ALL, null, roleResource).stream().filter(permissionDetails -> {
            return permissionDetails.resource instanceof JMXResource;
        }).collect(Collectors.toSet());
    }
}
