package org.geoserver.security;

import com.google.common.annotations.VisibleForTesting;
import com.google.common.base.Preconditions;
import com.thoughtworks.xstream.converters.Converter;
import com.thoughtworks.xstream.converters.MarshallingContext;
import com.thoughtworks.xstream.converters.UnmarshallingContext;
import com.thoughtworks.xstream.converters.collections.AbstractCollectionConverter;
import com.thoughtworks.xstream.io.HierarchicalStreamReader;
import com.thoughtworks.xstream.io.HierarchicalStreamWriter;
import com.thoughtworks.xstream.mapper.Mapper;
import java.io.BufferedReader;
import java.io.BufferedWriter;
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.OutputStream;
import java.io.OutputStreamWriter;
import java.io.PrintWriter;
import java.lang.reflect.Modifier;
import java.net.URL;
import java.rmi.server.UID;
import java.security.InvalidKeyException;
import java.text.SimpleDateFormat;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Date;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Properties;
import java.util.SortedSet;
import java.util.StringTokenizer;
import java.util.TreeSet;
import java.util.concurrent.ConcurrentHashMap;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.spec.SecretKeySpec;
import org.apache.commons.io.IOUtils;
import org.geoserver.catalog.Catalog;
import org.geoserver.catalog.StoreInfo;
import org.geoserver.config.GeoServerDataDirectory;
import org.geoserver.config.util.XStreamPersister;
import org.geoserver.config.util.XStreamPersisterFactory;
import org.geoserver.config.util.XStreamUtils;
import org.geoserver.platform.ContextLoadedEvent;
import org.geoserver.platform.GeoServerExtensions;
import org.geoserver.platform.resource.Files;
import org.geoserver.platform.resource.Paths;
import org.geoserver.platform.resource.Resource;
import org.geoserver.platform.resource.Resources;
import org.geoserver.security.auth.AuthenticationCache;
import org.geoserver.security.auth.GeoServerRootAuthenticationProvider;
import org.geoserver.security.auth.GuavaAuthenticationCacheImpl;
import org.geoserver.security.auth.UsernamePasswordAuthenticationProvider;
import org.geoserver.security.concurrent.LockingKeyStoreProvider;
import org.geoserver.security.concurrent.LockingRoleService;
import org.geoserver.security.concurrent.LockingUserGroupService;
import org.geoserver.security.config.AnonymousAuthenticationFilterConfig;
import org.geoserver.security.config.BasicAuthenticationFilterConfig;
import org.geoserver.security.config.ExceptionTranslationFilterConfig;
import org.geoserver.security.config.FileBasedSecurityServiceConfig;
import org.geoserver.security.config.J2eeAuthenticationBaseFilterConfig;
import org.geoserver.security.config.LogoutFilterConfig;
import org.geoserver.security.config.PasswordPolicyConfig;
import org.geoserver.security.config.PreAuthenticatedUserNameFilterConfig;
import org.geoserver.security.config.RememberMeAuthenticationFilterConfig;
import org.geoserver.security.config.RoleFilterConfig;
import org.geoserver.security.config.RoleSource;
import org.geoserver.security.config.SSLFilterConfig;
import org.geoserver.security.config.SecurityAuthProviderConfig;
import org.geoserver.security.config.SecurityConfig;
import org.geoserver.security.config.SecurityContextPersistenceFilterConfig;
import org.geoserver.security.config.SecurityFilterConfig;
import org.geoserver.security.config.SecurityInterceptorFilterConfig;
import org.geoserver.security.config.SecurityManagerConfig;
import org.geoserver.security.config.SecurityNamedServiceConfig;
import org.geoserver.security.config.SecurityRoleServiceConfig;
import org.geoserver.security.config.SecurityUserGroupServiceConfig;
import org.geoserver.security.config.UsernamePasswordAuthenticationFilterConfig;
import org.geoserver.security.config.UsernamePasswordAuthenticationProviderConfig;
import org.geoserver.security.file.FileWatcher;
import org.geoserver.security.file.RoleFileWatcher;
import org.geoserver.security.file.UserGroupFileWatcher;
import org.geoserver.security.filter.GeoServerAnonymousAuthenticationFilter;
import org.geoserver.security.filter.GeoServerBasicAuthenticationFilter;
import org.geoserver.security.filter.GeoServerExceptionTranslationFilter;
import org.geoserver.security.filter.GeoServerLogoutFilter;
import org.geoserver.security.filter.GeoServerRememberMeAuthenticationFilter;
import org.geoserver.security.filter.GeoServerRoleFilter;
import org.geoserver.security.filter.GeoServerSSLFilter;
import org.geoserver.security.filter.GeoServerSecurityContextPersistenceFilter;
import org.geoserver.security.filter.GeoServerSecurityFilter;
import org.geoserver.security.filter.GeoServerSecurityInterceptorFilter;
import org.geoserver.security.filter.GeoServerUserNamePasswordAuthenticationFilter;
import org.geoserver.security.impl.DataAccessRuleDAO;
import org.geoserver.security.impl.GeoServerRole;
import org.geoserver.security.impl.GeoServerUser;
import org.geoserver.security.impl.GeoServerUserGroup;
import org.geoserver.security.impl.GroupAdminProperty;
import org.geoserver.security.impl.RESTAccessRuleDAO;
import org.geoserver.security.impl.ServiceAccessRuleDAO;
import org.geoserver.security.impl.Util;
import org.geoserver.security.password.ConfigurationPasswordEncryptionHelper;
import org.geoserver.security.password.GeoServerDigestPasswordEncoder;
import org.geoserver.security.password.GeoServerPBEPasswordEncoder;
import org.geoserver.security.password.GeoServerPasswordEncoder;
import org.geoserver.security.password.MasterPasswordChangeRequest;
import org.geoserver.security.password.MasterPasswordConfig;
import org.geoserver.security.password.MasterPasswordProviderConfig;
import org.geoserver.security.password.PasswordValidator;
import org.geoserver.security.password.RandomPasswordProvider;
import org.geoserver.security.password.URLMasterPasswordProvider;
import org.geoserver.security.password.URLMasterPasswordProviderConfig;
import org.geoserver.security.rememberme.GeoServerTokenBasedRememberMeServices;
import org.geoserver.security.rememberme.RememberMeServicesConfig;
import org.geoserver.security.validation.MasterPasswordChangeValidator;
import org.geoserver.security.validation.MasterPasswordConfigValidator;
import org.geoserver.security.validation.PasswordValidatorImpl;
import org.geoserver.security.validation.SecurityConfigException;
import org.geoserver.security.validation.SecurityConfigValidator;
import org.geoserver.security.xml.XMLConstants;
import org.geoserver.security.xml.XMLRoleService;
import org.geoserver.security.xml.XMLRoleServiceConfig;
import org.geoserver.security.xml.XMLUserGroupService;
import org.geoserver.security.xml.XMLUserGroupServiceConfig;
import org.geotools.util.Version;
import org.geotools.util.logging.Logging;
import org.springframework.beans.BeansException;
import org.springframework.beans.factory.BeanCreationException;
import org.springframework.context.ApplicationContext;
import org.springframework.context.ApplicationContextAware;
import org.springframework.context.ApplicationEvent;
import org.springframework.context.ApplicationListener;
import org.springframework.context.event.ContextClosedEvent;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.DefaultAuthenticationEventPublisher;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.authentication.RememberMeAuthenticationProvider;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.memory.UserAttribute;
import org.springframework.security.core.userdetails.memory.UserAttributeEditor;
import org.springframework.security.web.authentication.RememberMeServices;
import org.springframework.util.StringUtils;

/* loaded from: input_file:org/geoserver/security/GeoServerSecurityManager.class */
public class GeoServerSecurityManager implements ApplicationContextAware, ApplicationListener {
    // Name of a properties file and of a key in it; how they are read is not visible in this part
    // of the file.
    private static final String VERSION_PROPERTIES = "version.properties";
    private static final String VERSION = "version";
    // File names of the main security configuration and of the master password files.
    // NOTE(review): presumably resolved under the security directory of the data directory. The
    // master password files are sensitive; confirm that only the account running the server can
    // read them.
    public static final String CONFIG_FILENAME = "config.xml";
    public static final String MASTER_PASSWD_CONFIG_FILENAME = "masterpw.xml";
    public static final String MASTER_PASSWD_INFO_FILENAME = "masterpw.info";
    public static final String MASTER_PASSWD_DIGEST_FILENAME = "masterpw.digest";
    // Provider manager that authMgrProxy (below) delegates every authentication request to.
    ProviderManager providerMgr;
    GeoServerDataDirectory dataDir;
    ApplicationContext appContext;
    GeoServerRoleService activeRoleService;
    List<GeoServerAuthenticationProvider> authProviders;
    // volatile: the reference is published to other threads without further locking.
    volatile String masterPasswdDigest;
    ConfigurationPasswordEncryptionHelper configPasswordEncryptionHelper;
    // Boxed Boolean, so null is a possible third state (presumably "not determined yet" - confirm).
    // The misspelt name is kept because code outside this block may refer to the field.
    Boolean strongEncryptionAvaialble;
    volatile KeyStoreProvider keyStoreProvider;
    volatile AuthenticationCache authCache;
    volatile RememberMeServices rememberMeService;
    // Two persister instances; what distinguishes them is not visible in this part of the file.
    private XStreamPersister xp;
    private XStreamPersister gxp;
    public static final String REALM = "GeoServer Realm";
    private DefaultAuthenticationEventPublisher eventPublisher;
    // Version markers; BASE_VERSION is 2.1 and CURR_VERSION is 2.5.
    // NOTE(review): presumably versions of the security configuration layout used for migration.
    private static final Version VERSION_2_1 = new Version("2.1");
    private static final Version VERSION_2_2 = new Version("2.2");
    private static final Version VERSION_2_3 = new Version("2.3");
    private static final Version VERSION_2_4 = new Version("2.4");
    private static final Version VERSION_2_5 = new Version("2.5");
    private static final Version BASE_VERSION = VERSION_2_1;
    private static final Version CURR_VERSION = VERSION_2_5;
    // Not final, so the logger reference can be reassigned by code in this package.
    static Logger LOGGER = Logging.getLogger("org.geoserver.security");
    // Built-in default master password. The value is compiled into the class and must be treated
    // as publicly known: an installation that still uses it has no effective master password, so
    // deployments should verify that it has been changed.
    // NOTE(review): the reference is final but the array is public and its elements are mutable,
    // so any code in the JVM can overwrite the contents.
    public static final char[] MASTER_PASSWD_DEFAULT = "geoserver".toCharArray();
    SecurityManagerConfig securityConfig = new SecurityManagerConfig();
    MasterPasswordConfig masterPasswordConfig = new MasterPasswordConfig();
    // Concurrent maps keyed by String (presumably the configured service name) holding loaded
    // services and validators.
    ConcurrentHashMap<String, GeoServerUserGroupService> userGroupServices = new ConcurrentHashMap<>();
    ConcurrentHashMap<String, GeoServerRoleService> roleServices = new ConcurrentHashMap<>();
    ConcurrentHashMap<String, PasswordValidator> passwordValidators = new ConcurrentHashMap<>();
    // One helper per kind of named security service; each is an inner-class instance bound to
    // this manager.
    RoleServiceHelper roleServiceHelper = new RoleServiceHelper();
    UserGroupServiceHelper userGroupServiceHelper = new UserGroupServiceHelper();
    AuthProviderHelper authProviderHelper = new AuthProviderHelper();
    FilterHelper filterHelper = new FilterHelper();
    PasswordValidatorHelper passwordValidatorHelper = new PasswordValidatorHelper();
    MasterPasswordProviderHelper masterPasswordProviderHelper = new MasterPasswordProviderHelper();
    // Raw ArrayList assigned to a generic List (unchecked); the list itself is not synchronized.
    List<SecurityManagerListener> listeners = new ArrayList();
    boolean initialized = false;
    RandomPasswordProvider randomPasswdProvider = new RandomPasswordProvider();
    // Delegating AuthenticationManager: providerMgr is dereferenced on every call, so the proxy
    // always uses whichever ProviderManager is currently assigned. While providerMgr is still
    // null, authenticate() fails with a NullPointerException.
    private AuthenticationManager authMgrProxy = new AuthenticationManager() { // from class: org.geoserver.security.GeoServerSecurityManager.1
        public Authentication authenticate(Authentication authentication) throws AuthenticationException {
            return GeoServerSecurityManager.this.providerMgr.authenticate(authentication);
        }
    };

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:org/geoserver/security/GeoServerSecurityManager$AuthProviderHelper.class */
    /**
     * Loads named authentication providers from the directory returned by {@link #getRoot()}.
     */
    public class AuthProviderHelper extends HelperBase<GeoServerAuthenticationProvider, SecurityAuthProviderConfig> {
        AuthProviderHelper() {
            super();
        }

        /**
         * Builds the authentication provider described by the stored configuration {@code str}.
         *
         * <p>The class name in the configuration is never instantiated directly: it is only
         * compared with the class each registered {@link GeoServerSecurityProvider} advertises,
         * and the first provider whose class name matches creates the instance. A configuration
         * naming any other class is rejected.
         *
         * @param str name of the authentication provider configuration
         * @return the initialized provider, or {@code null} when no configuration with that name
         *     exists
         * @throws IOException if the configuration cannot be read or no registered security
         *     provider matches its class name
         */
        @Override
        public GeoServerAuthenticationProvider load(String str) throws IOException {
            final SecurityAuthProviderConfig config = loadConfig(str);
            if (config == null) {
                return null;
            }

            GeoServerAuthenticationProvider provider = null;
            for (GeoServerSecurityProvider candidate : GeoServerSecurityManager.this.lookupSecurityProviders()) {
                if (candidate.getAuthenticationProviderClass() == null) {
                    // This security provider contributes no authentication provider.
                    continue;
                }
                String advertisedClassName = candidate.getAuthenticationProviderClass().getName();
                if (advertisedClassName.equals(config.getClassName())) {
                    provider = candidate.createAuthenticationProvider(config);
                    break;
                }
            }
            if (provider == null) {
                throw new IOException("No authentication provider matching config: " + config);
            }

            // The provider is named after the requested name and bound to this manager before it
            // reads its own settings from the configuration.
            provider.setName(str);
            provider.setSecurityManager(GeoServerSecurityManager.this);
            provider.initializeFromConfig(config);
            return provider;
        }

        /** Returns the resource under which authentication provider configurations are stored. */
        @Override
        protected Resource getRoot() throws IOException {
            return GeoServerSecurityManager.this.auth();
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:org/geoserver/security/GeoServerSecurityManager$FilterChainConverter.class */
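    /**
     * XStream converter that writes a {@link GeoServerSecurityFilterChain} as a sequence of
     * {@code filters} elements, one per request chain, and reads it back.
     *
     * <p>Reading instantiates the chain class named in the {@code class} attribute of the
     * serialized form. That name is configuration-controlled, so {@link #unmarshal} loads the
     * class without initializing it and verifies that it is a {@link RequestFilterChain} before
     * any constructor runs.
     */
    public class FilterChainConverter extends AbstractCollectionConverter {
        public FilterChainConverter(Mapper mapper) {
            super(mapper);
        }

        /** Accepts {@link GeoServerSecurityFilterChain} and its subclasses. */
        public boolean canConvert(Class cls) {
            return GeoServerSecurityFilterChain.class.isAssignableFrom(cls);
        }

        /**
         * Writes one {@code filters} element per request chain: the chain settings as attributes
         * and one nested {@code filter} element per filter name.
         *
         * @param obj the {@link GeoServerSecurityFilterChain} to serialize
         * @param hierarchicalStreamWriter destination writer
         * @param marshallingContext unused
         */
        public void marshal(Object obj, HierarchicalStreamWriter hierarchicalStreamWriter, MarshallingContext marshallingContext) {
            for (RequestFilterChain chain : ((GeoServerSecurityFilterChain) obj).getRequestChains()) {
                hierarchicalStreamWriter.startNode("filters");

                if (chain.getName() != null) {
                    hierarchicalStreamWriter.addAttribute("name", chain.getName());
                }
                hierarchicalStreamWriter.addAttribute("class", chain.getClass().getName());
                if (StringUtils.hasLength(chain.getRoleFilterName())) {
                    hierarchicalStreamWriter.addAttribute("roleFilterName", chain.getRoleFilterName());
                }
                if (chain instanceof VariableFilterChain) {
                    VariableFilterChain variableChain = (VariableFilterChain) chain;
                    if (StringUtils.hasLength(variableChain.getInterceptorName())) {
                        hierarchicalStreamWriter.addAttribute("interceptorName", variableChain.getInterceptorName());
                    }
                    if (StringUtils.hasLength(variableChain.getExceptionTranslationName())) {
                        hierarchicalStreamWriter.addAttribute("exceptionTranslationName", variableChain.getExceptionTranslationName());
                    }
                }
                // All patterns of the chain go into one comma-separated "path" attribute.
                hierarchicalStreamWriter.addAttribute("path", String.join(",", chain.getPatterns()));
                hierarchicalStreamWriter.addAttribute("disabled", Boolean.toString(chain.isDisabled()));
                hierarchicalStreamWriter.addAttribute("allowSessionCreation", Boolean.toString(chain.isAllowSessionCreation()));
                hierarchicalStreamWriter.addAttribute("ssl", Boolean.toString(chain.isRequireSSL()));
                hierarchicalStreamWriter.addAttribute("matchHTTPMethod", Boolean.toString(chain.isMatchHTTPMethod()));
                if (chain.getHttpMethods() != null && chain.getHttpMethods().size() > 0) {
                    hierarchicalStreamWriter.addAttribute("httpMethods", StringUtils.collectionToCommaDelimitedString(chain.getHttpMethods()));
                }

                for (String filterName : chain.getFilterNames()) {
                    hierarchicalStreamWriter.startNode("filter");
                    hierarchicalStreamWriter.setValue(filterName);
                    hierarchicalStreamWriter.endNode();
                }
                hierarchicalStreamWriter.endNode();
            }
        }

        /**
         * Reads the {@code filters} elements back into a {@link GeoServerSecurityFilterChain}.
         *
         * <p>Entries without a {@code name} are named after the known chain matching their path,
         * or after the path itself. Entries without a {@code class} receive the class, session
         * policy and interceptor associated with their well-known chain name.
         *
         * @param hierarchicalStreamReader source reader, positioned on the chain collection
         * @param unmarshallingContext unused
         * @return the populated {@link GeoServerSecurityFilterChain}
         * @throws RuntimeException wrapping the cause when an entry has no path or class, names a
         *     class that is not a {@link RequestFilterChain}, or cannot be instantiated
         */
        public Object unmarshal(HierarchicalStreamReader hierarchicalStreamReader, UnmarshallingContext unmarshallingContext) {
            GeoServerSecurityFilterChain filterChain = new GeoServerSecurityFilterChain();
            while (hierarchicalStreamReader.hasMoreChildren()) {
                hierarchicalStreamReader.moveDown();
                String path = hierarchicalStreamReader.getAttribute("path");
                String name = hierarchicalStreamReader.getAttribute("name");
                String className = hierarchicalStreamReader.getAttribute("class");
                String roleFilterName = hierarchicalStreamReader.getAttribute("roleFilterName");
                String disabled = hierarchicalStreamReader.getAttribute("disabled");
                String allowSessionCreation = hierarchicalStreamReader.getAttribute("allowSessionCreation");
                String interceptorName = hierarchicalStreamReader.getAttribute("interceptorName");
                String exceptionTranslationName = hierarchicalStreamReader.getAttribute("exceptionTranslationName");
                String ssl = hierarchicalStreamReader.getAttribute("ssl");
                String matchHttpMethod = hierarchicalStreamReader.getAttribute("matchHTTPMethod");
                String httpMethods = hierarchicalStreamReader.getAttribute("httpMethods");

                if (name == null) {
                    RequestFilterChain knownChain = GeoServerSecurityFilterChain.lookupRequestChainByPattern(path, GeoServerSecurityManager.this);
                    name = knownChain != null ? knownChain.getName() : path;
                }

                if (className == null) {
                    // No class recorded: derive class, session policy and interceptor from the
                    // well-known chain name.
                    if (GeoServerSecurityFilterChain.WEB_CHAIN_NAME.equals(name)) {
                        className = HtmlLoginFilterChain.class.getName();
                        allowSessionCreation = "true";
                        interceptorName = GeoServerSecurityFilterChain.FILTER_SECURITY_INTERCEPTOR;
                    }
                    if (GeoServerSecurityFilterChain.WEB_LOGIN_CHAIN_NAME.equals(name)) {
                        className = ConstantFilterChain.class.getName();
                        allowSessionCreation = "true";
                        interceptorName = GeoServerSecurityFilterChain.FILTER_SECURITY_INTERCEPTOR;
                    }
                    if (GeoServerSecurityFilterChain.WEB_LOGOUT_CHAIN_NAME.equals(name)) {
                        className = LogoutFilterChain.class.getName();
                        allowSessionCreation = "true";
                        interceptorName = GeoServerSecurityFilterChain.FILTER_SECURITY_INTERCEPTOR;
                    }
                    if (GeoServerSecurityFilterChain.REST_CHAIN_NAME.equals(name)) {
                        className = ServiceLoginFilterChain.class.getName();
                        allowSessionCreation = "false";
                        interceptorName = GeoServerSecurityFilterChain.FILTER_SECURITY_REST_INTERCEPTOR;
                    }
                    if (GeoServerSecurityFilterChain.GWC_CHAIN_NAME.equals(name)) {
                        className = ServiceLoginFilterChain.class.getName();
                        allowSessionCreation = "false";
                        interceptorName = GeoServerSecurityFilterChain.FILTER_SECURITY_REST_INTERCEPTOR;
                    }
                    if ("default".equals(name)) {
                        className = ServiceLoginFilterChain.class.getName();
                        allowSessionCreation = "false";
                        interceptorName = GeoServerSecurityFilterChain.FILTER_SECURITY_INTERCEPTOR;
                    }
                }

                List<String> filterNames = new ArrayList<>();
                while (hierarchicalStreamReader.hasMoreChildren()) {
                    hierarchicalStreamReader.moveDown();
                    filterNames.add(hierarchicalStreamReader.getValue());
                    hierarchicalStreamReader.moveUp();
                }

                try {
                    if (path == null) {
                        throw new IllegalArgumentException("Filter chain '" + name + "' has no path attribute");
                    }
                    if (className == null) {
                        throw new IllegalArgumentException("Filter chain '" + name + "' has no class attribute and is not a known chain");
                    }
                    // The class name comes from the serialized configuration. Load it without
                    // running static initializers and check the type first, so a class that is
                    // not a RequestFilterChain is rejected before any of its code executes.
                    Class<?> chainClass = Class.forName(className, false, GeoServerSecurityManager.class.getClassLoader());
                    if (!RequestFilterChain.class.isAssignableFrom(chainClass)) {
                        throw new IllegalArgumentException("Configured filter chain class " + className + " is not a RequestFilterChain");
                    }
                    // The cast to Object passes the pattern array as the single String[]
                    // argument; without it the varargs call would spread the array elements.
                    RequestFilterChain chain = (RequestFilterChain) chainClass.getConstructor(String[].class).newInstance((Object) path.split(","));
                    chain.setName(name);
                    if (StringUtils.hasLength(disabled)) {
                        chain.setDisabled(Boolean.parseBoolean(disabled));
                    }
                    if (StringUtils.hasLength(allowSessionCreation)) {
                        chain.setAllowSessionCreation(Boolean.parseBoolean(allowSessionCreation));
                    }
                    if (StringUtils.hasLength(ssl)) {
                        chain.setRequireSSL(Boolean.parseBoolean(ssl));
                    }
                    if (StringUtils.hasLength(matchHttpMethod)) {
                        chain.setMatchHTTPMethod(Boolean.parseBoolean(matchHttpMethod));
                    }
                    if (StringUtils.hasLength(httpMethods)) {
                        for (String method : httpMethods.split(",")) {
                            chain.getHttpMethods().add(HTTPMethod.fromString(method));
                        }
                    }
                    chain.setRoleFilterName(roleFilterName);
                    if (chain instanceof VariableFilterChain) {
                        VariableFilterChain variableChain = (VariableFilterChain) chain;
                        variableChain.setInterceptorName(interceptorName);
                        if (StringUtils.hasLength(exceptionTranslationName)) {
                            variableChain.setExceptionTranslationName(exceptionTranslationName);
                        } else {
                            variableChain.setExceptionTranslationName(GeoServerSecurityFilterChain.DYNAMIC_EXCEPTION_TRANSLATION_FILTER);
                        }
                    }
                    chain.setFilterNames(filterNames);
                    filterChain.getRequestChains().add(chain);
                    hierarchicalStreamReader.moveUp();
                } catch (Exception e) {
                    throw new RuntimeException(e);
                }
            }
            return filterChain;
        }
    }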

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:org/geoserver/security/GeoServerSecurityManager$FilterHelper.class */
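    /**
     * Loads named security filters from the directory returned by {@link #getRoot()}.
     */
    public class FilterHelper extends HelperBase<GeoServerSecurityFilter, SecurityFilterConfig> {
        FilterHelper() {
            super();
        }

        /**
         * Builds the security filter described by the stored configuration {@code str}.
         *
         * <p>The class name in the configuration is only compared with the filter class each
         * registered {@link GeoServerSecurityProvider} advertises; the first provider whose class
         * name matches creates the filter. A configuration naming any other class is rejected.
         *
         * @param str name of the filter configuration
         * @return the initialized filter, or {@code null} when no configuration with that name
         *     exists
         * @throws IOException if the configuration cannot be read or no registered security
         *     provider offers a filter with the configured class name
         */
        @Override
        public GeoServerSecurityFilter load(String str) throws IOException {
            SecurityFilterConfig config = loadConfig(str);
            if (config == null) {
                return null;
            }

            GeoServerSecurityFilter filter = null;
            for (GeoServerSecurityProvider candidate : GeoServerSecurityManager.this.lookupSecurityProviders()) {
                if (candidate.getFilterClass() != null && candidate.getFilterClass().getName().equals(config.getClassName())) {
                    filter = candidate.createFilter(config);
                    break;
                }
            }
            if (filter == null) {
                // The message names the filter; it previously read "authentication provider",
                // which pointed whoever read the log at the wrong configuration directory.
                throw new IOException("No security filter matching config: " + config);
            }

            filter.setName(str);
            filter.setSecurityManager(GeoServerSecurityManager.this);
            filter.initializeFromConfig(config);
            return filter;
        }

        /** Returns the resource under which filter configurations are stored. */
        @Override
        protected Resource getRoot() throws IOException {
            return GeoServerSecurityManager.this.filterRoot();
        }
    }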

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:org/geoserver/security/GeoServerSecurityManager$HelperBase.class */
    /**
     * Shared load/save/remove logic for named security service configurations kept as
     * sub-resources of {@link #getRoot()}.
     *
     * <p>NOTE(review): the configuration name is used directly as a child path of the root
     * resource in {@link #loadConfig(String, MigrationHelper)}, {@link #saveConfig} and
     * {@link #removeConfig}. Confirm that names reaching these methods are validated, or that the
     * Resource API rejects names containing path separators or "..".
     *
     * @param <T> type of the service object produced by {@link #load(String)}
     * @param <C> type of the configuration object for that service
     */
    public abstract class HelperBase<T, C extends SecurityNamedServiceConfig> {
        protected List<FileWatcher> fileWatchers = new ArrayList<>();

        HelperBase() {
        }

        /**
         * Creates the service object for the configuration stored under {@code str}.
         *
         * @throws IOException if the configuration cannot be loaded or turned into a service
         */
        public abstract T load(String str) throws IOException;

        /**
         * Reads the configuration stored under {@code str}.
         *
         * @param str name of the configuration
         * @param migrationHelper optional hook that may adjust the persister before the read;
         *     may be {@code null}
         * @return the configuration, or {@code null} when {@code str} is not a directory under
         *     the root
         * @throws IOException if the configuration cannot be read
         */
        public C loadConfig(String str, MigrationHelper migrationHelper) throws IOException {
            Resource configDir = getRoot().get(str);
            if (configDir.getType() == Resource.Type.DIRECTORY) {
                XStreamPersister xstream = GeoServerSecurityManager.this.persister();
                if (migrationHelper != null) {
                    migrationHelper.migrationPersister(xstream);
                }
                return (C) GeoServerSecurityManager.this.loadConfigFile(configDir, xstream);
            }
            return null;
        }

        /** Same as {@link #loadConfig(String, MigrationHelper)} without a migration hook. */
        public C loadConfig(String str) throws IOException {
            return loadConfig(str, null);
        }

        /**
         * Writes the configuration under its own name, assigning a fresh id first when it has
         * none. An id assigned here is cleared again if the write fails.
         *
         * @throws IOException if the write fails; any other exception is wrapped in an
         *     {@code IOException}
         */
        public void saveConfig(SecurityNamedServiceConfig securityNamedServiceConfig) throws IOException {
            Resource target = getRoot().get(securityNamedServiceConfig.getName());
            final boolean idAssignedHere = securityNamedServiceConfig.getId() == null;
            if (idAssignedHere) {
                securityNamedServiceConfig.setId(newId());
            }
            try {
                GeoServerSecurityManager.this.saveConfigFile(securityNamedServiceConfig, target, GeoServerSecurityManager.this.persister());
            } catch (Exception failure) {
                if (idAssignedHere) {
                    // Roll back, so the in-memory object does not carry an id that was never
                    // persisted.
                    securityNamedServiceConfig.setId(null);
                }
                if (failure instanceof IOException) {
                    throw (IOException) failure;
                }
                throw new IOException(failure);
            }
        }

        /**
         * Returns a new identifier string. {@link UID} is unique only with respect to the host it
         * is generated on and is not random, so the id must not be used as a secret or as an
         * unguessable token.
         */
        String newId() {
            UID uid = new UID();
            return uid.toString();
        }

        /**
         * Deletes the resource stored under {@code str}; whatever {@code delete()} returns is not
         * checked.
         */
        public void removeConfig(String str) throws IOException {
            Resource target = getRoot().get(str);
            target.delete();
        }

        /** Asks every registered file watcher to terminate. */
        public void destroy() {
            for (FileWatcher watcher : this.fileWatchers) {
                watcher.setTerminate(true);
            }
        }

        /** Returns the resource whose children are the named configurations of this helper. */
        protected abstract Resource getRoot() throws IOException;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:org/geoserver/security/GeoServerSecurityManager$MasterPasswordProviderHelper.class */
    /**
     * Loads named master password providers from the directory returned by {@link #getRoot()}.
     */
    public class MasterPasswordProviderHelper extends HelperBase<MasterPasswordProvider, MasterPasswordProviderConfig> {
        MasterPasswordProviderHelper() {
            super();
        }

        /**
         * Builds the master password provider described by the stored configuration {@code str}.
         *
         * <p>The configured class name is only matched against the classes advertised by the
         * registered {@link GeoServerSecurityProvider}s. The resulting provider class must be
         * declared {@code final}, presumably so that its handling of the master password cannot
         * be overridden by a subclass (confirm against {@code MasterPasswordProvider}).
         *
         * <p>NOTE(review): the final-class check runs after {@code createMasterPasswordProvider},
         * so a non-final class has already been instantiated by the time it is rejected.
         *
         * @param str name of the master password provider configuration
         * @return the initialized provider, or {@code null} when no configuration with that name
         *     exists
         * @throws IOException if the configuration cannot be read or no registered security
         *     provider matches its class name
         * @throws RuntimeException if the provider's class is not final
         */
        @Override
        public MasterPasswordProvider load(String str) throws IOException {
            final MasterPasswordProviderConfig config = loadConfig(str);
            if (config == null) {
                return null;
            }

            MasterPasswordProvider provider = null;
            for (GeoServerSecurityProvider candidate : GeoServerSecurityManager.this.lookupSecurityProviders()) {
                if (candidate.getMasterPasswordProviderClass() == null) {
                    continue;
                }
                String advertisedClassName = candidate.getMasterPasswordProviderClass().getName();
                if (advertisedClassName.equals(config.getClassName())) {
                    provider = candidate.createMasterPasswordProvider(config);
                    break;
                }
            }
            if (provider == null) {
                throw new IOException("No master password provider matching config: " + config);
            }

            final boolean declaredFinal = Modifier.isFinal(provider.getClass().getModifiers());
            if (!declaredFinal) {
                throw new RuntimeException("Master password provider class: " + provider.getClass().getCanonicalName() + " is not final");
            }

            // Unlike the other helpers, the name is taken from the configuration object rather
            // than from the requested name.
            provider.setName(config.getName());
            provider.setSecurityManager(GeoServerSecurityManager.this);
            provider.initializeFromConfig(config);
            return provider;
        }

        /** Returns the resource under which master password provider configurations are stored. */
        @Override
        protected Resource getRoot() throws IOException {
            return GeoServerSecurityManager.this.masterPasswordProvider();
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:org/geoserver/security/GeoServerSecurityManager$MigrationHelper.class */
    /**
     * Hook that lets a caller adjust the {@link XStreamPersister} used to read a named service
     * configuration (presumably so that configurations written by older versions can still be
     * read; confirm against the implementations).
     */
    public interface MigrationHelper {
        /**
         * Called by {@code HelperBase.loadConfig(String, MigrationHelper)} with the persister,
         * before the configuration file is read with it.
         *
         * @param xStreamPersister the persister that will be used for the load
         */
        void migrationPersister(XStreamPersister xStreamPersister);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:org/geoserver/security/GeoServerSecurityManager$PasswordValidatorHelper.class */
    /**
     * Loads named password validators (password policies) from the directory returned by
     * {@link #getRoot()}.
     */
    public class PasswordValidatorHelper extends HelperBase<PasswordValidator, PasswordPolicyConfig> {
        PasswordValidatorHelper() {
            super();
        }

        /**
         * Builds the password validator described by the stored policy configuration {@code str}.
         *
         * <p>The configured class name is only matched against the validator classes advertised
         * by the registered {@link GeoServerSecurityProvider}s; the first match creates the
         * validator.
         *
         * @param str name of the password policy configuration
         * @return the validator with its configuration set, or {@code null} when no configuration
         *     with that name exists
         * @throws IOException if the configuration cannot be read or no registered security
         *     provider matches its class name
         */
        @Override
        public PasswordValidator load(String str) throws IOException {
            final PasswordPolicyConfig policy = loadConfig(str);
            if (policy == null) {
                return null;
            }

            PasswordValidator validator = null;
            for (GeoServerSecurityProvider candidate : GeoServerSecurityManager.this.lookupSecurityProviders()) {
                if (candidate.getPasswordValidatorClass() == null) {
                    continue;
                }
                String advertisedClassName = candidate.getPasswordValidatorClass().getName();
                if (advertisedClassName.equals(policy.getClassName())) {
                    validator = candidate.createPasswordValidator(policy, GeoServerSecurityManager.this);
                    break;
                }
            }
            if (validator == null) {
                throw new IOException("No password policy matching config: " + policy);
            }

            validator.setConfig(policy);
            return validator;
        }

        /** Returns the resource under which password policy configurations are stored. */
        @Override
        protected Resource getRoot() throws IOException {
            return GeoServerSecurityManager.this.passwordPolicy();
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:org/geoserver/security/GeoServerSecurityManager$RoleServiceHelper.class */
    /**
     * Helper that turns a stored role service configuration into a live
     * {@link GeoServerRoleService}.
     */
    public class RoleServiceHelper extends HelperBase<GeoServerRoleService, SecurityRoleServiceConfig> {
        RoleServiceHelper() {
            super();
        }

        /**
         * Loads the named configuration, creates the role service through the first provider
         * whose role service class name equals the configured class name, optionally wraps it in
         * a {@link LockingRoleService}, initializes it, and starts a file watcher when the
         * configuration is file based with a positive check interval.
         *
         * <p>NOTE(review): the watched file is located from the file name stored in the
         * configuration; whether that name is validated to stay inside the security directory is
         * not visible in this method — confirm in {@code getConfigFile} and the config validator.
         *
         * @param str name of the role service
         * @return the service, or {@code null} when no configuration of that name was loaded
         * @throws IOException when no provider matches the configured class name
         */
        @Override
        public GeoServerRoleService load(String str) throws IOException {
            final SecurityNamedServiceConfig serviceConfig = loadConfig(str);
            if (serviceConfig == null) {
                return null;
            }

            GeoServerRoleService service = null;
            for (GeoServerSecurityProvider provider : GeoServerSecurityManager.this.lookupSecurityProviders()) {
                final boolean matches = provider.getRoleServiceClass() != null
                        && provider.getRoleServiceClass().getName().equals(serviceConfig.getClassName());
                if (matches) {
                    service = provider.createRoleService(serviceConfig);
                    break;
                }
            }
            if (service == null) {
                throw new IOException("No authority service matching config: " + serviceConfig);
            }

            service.setSecurityManager(GeoServerSecurityManager.this);
            if (serviceConfig instanceof SecurityRoleServiceConfig) {
                final boolean needsLock = GeoServerSecurityProvider
                        .getProvider(GeoServerRoleService.class, serviceConfig.getClassName())
                        .roleServiceNeedsLockProtection();
                if (needsLock) {
                    service = new LockingRoleService(service);
                }
            }
            // Name and configuration are applied to the (possibly wrapped) service.
            service.setName(str);
            service.initializeFromConfig(serviceConfig);

            if (!(serviceConfig instanceof FileBasedSecurityServiceConfig)) {
                return service;
            }
            final FileBasedSecurityServiceConfig fileConfig = (FileBasedSecurityServiceConfig) serviceConfig;
            if (fileConfig.getCheckInterval() <= 0) {
                return service;
            }

            Resource watched = GeoServerSecurityManager.this.getConfigFile(fileConfig.getFileName());
            if (watched == null) {
                // Fall back to the file inside this service's own directory.
                watched = GeoServerSecurityManager.this.get(Paths.path(new String[]{"security/role", str, fileConfig.getFileName()}));
            }
            final RoleFileWatcher watcher = new RoleFileWatcher(watched, service, watched.lastmodified());
            service.registerRoleLoadedListener(watcher);
            watcher.start();
            this.fileWatchers.add(watcher);
            return service;
        }

        /** Returns the {@code security/role} resource of the enclosing manager. */
        @Override
        protected Resource getRoot() throws IOException {
            final GeoServerSecurityManager manager = GeoServerSecurityManager.this;
            return manager.role();
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:org/geoserver/security/GeoServerSecurityManager$UserGroupServiceHelper.class */
    /**
     * Helper that turns a stored user/group service configuration into a live
     * {@link GeoServerUserGroupService}.
     */
    public class UserGroupServiceHelper extends HelperBase<GeoServerUserGroupService, SecurityUserGroupServiceConfig> {
        UserGroupServiceHelper() {
            super();
        }

        /**
         * Loads the named configuration, creates the user/group service through the first
         * provider whose user/group service class name equals the configured class name,
         * optionally wraps it in a {@link LockingUserGroupService}, initializes it, and starts a
         * file watcher when the configuration is file based with a positive check interval.
         *
         * <p>NOTE(review): the decision to add the locking wrapper is taken from
         * {@code roleServiceNeedsLockProtection()}, the same call the role service helper uses.
         * Confirm that the role-service flag is the intended one for user/group services.
         *
         * <p>NOTE(review): the watched file is located from the file name stored in the
         * configuration; whether that name is validated to stay inside the security directory is
         * not visible in this method.
         *
         * @param str name of the user/group service
         * @return the service, or {@code null} when no configuration of that name was loaded
         * @throws IOException when no provider matches the configured class name
         */
        @Override
        public GeoServerUserGroupService load(String str) throws IOException {
            final SecurityNamedServiceConfig serviceConfig = loadConfig(str);
            if (serviceConfig == null) {
                return null;
            }

            GeoServerUserGroupService service = null;
            for (GeoServerSecurityProvider provider : GeoServerSecurityManager.this.lookupSecurityProviders()) {
                final boolean matches = provider.getUserGroupServiceClass() != null
                        && provider.getUserGroupServiceClass().getName().equals(serviceConfig.getClassName());
                if (matches) {
                    service = provider.createUserGroupService(serviceConfig);
                    break;
                }
            }
            if (service == null) {
                throw new IOException("No user group service matching config: " + serviceConfig);
            }

            service.setSecurityManager(GeoServerSecurityManager.this);
            if (serviceConfig instanceof SecurityUserGroupServiceConfig) {
                final boolean needsLock = GeoServerSecurityProvider
                        .getProvider(GeoServerUserGroupService.class, serviceConfig.getClassName())
                        .roleServiceNeedsLockProtection();
                if (needsLock) {
                    service = new LockingUserGroupService(service);
                }
            }
            // Name and configuration are applied to the (possibly wrapped) service.
            service.setName(str);
            service.initializeFromConfig(serviceConfig);

            if (!(serviceConfig instanceof FileBasedSecurityServiceConfig)) {
                return service;
            }
            final FileBasedSecurityServiceConfig fileConfig = (FileBasedSecurityServiceConfig) serviceConfig;
            if (fileConfig.getCheckInterval() <= 0) {
                return service;
            }

            Resource watched = GeoServerSecurityManager.this.getConfigFile(fileConfig.getFileName());
            if (watched == null) {
                // Fall back to the file inside this service's own directory.
                watched = GeoServerSecurityManager.this.get(Paths.path(new String[]{"security/usergroup", str, fileConfig.getFileName()}));
            }
            final UserGroupFileWatcher watcher = new UserGroupFileWatcher(watched, service);
            service.registerUserGroupLoadedListener(watcher);
            watcher.start();
            this.fileWatchers.add(watcher);
            return service;
        }

        /** Returns the {@code security/usergroup} resource of the enclosing manager. */
        @Override
        protected Resource getRoot() throws IOException {
            final GeoServerSecurityManager manager = GeoServerSecurityManager.this;
            return manager.userGroup();
        }
    }

    /**
     * Creates the manager on top of the given data directory.
     *
     * <p>The master password configuration is loaded here only when its file already exists as a
     * resource; the configuration password encryption helper is always created.
     *
     * @param geoServerDataDirectory data directory that backs all security resources
     * @throws Exception if loading the master password configuration fails
     */
    public GeoServerSecurityManager(GeoServerDataDirectory geoServerDataDirectory) throws Exception {
        this.dataDir = geoServerDataDirectory;

        final Resource masterPasswordConfigFile = security().get(MASTER_PASSWD_CONFIG_FILENAME);
        final boolean configPresent = masterPasswordConfigFile.getType() == Resource.Type.RESOURCE;
        if (configPresent) {
            init(loadMasterPasswordConfig());
        }

        this.configPasswordEncryptionHelper = new ConfigurationPasswordEncryptionHelper(this);
    }

    /** Returns the authentication manager proxy held by this security manager. */
    public AuthenticationManager authenticationManager() {
        return authMgrProxy;
    }

    /** Looks up the bean named {@code "catalog"} through {@link GeoServerExtensions}. */
    public Catalog getCatalog() {
        final Object catalogBean = GeoServerExtensions.bean("catalog");
        return (Catalog) catalogBean;
    }

    /**
     * Returns the authentication providers of the current provider manager.
     *
     * @throws NullPointerException if the provider manager has not been created yet
     */
    public List<AuthenticationProvider> getProviders() {
        return Preconditions.checkNotNull(this.providerMgr, "Provider manager has not yet been created")
                .getProviders();
    }

    /**
     * Replaces the provider manager with a new one built from the given providers.
     *
     * <p>The new manager is configured to erase credentials after authentication and, when an
     * event publisher is already set, to publish authentication events through it.
     *
     * @param list the authentication providers to install
     * @throws Exception if {@code afterPropertiesSet()} on the new manager fails
     */
    @VisibleForTesting
    public void setProviders(List<AuthenticationProvider> list) throws Exception {
        final ProviderManager manager = new ProviderManager(list);
        this.providerMgr = manager;
        // Do not keep credentials on the Authentication object once the check is done.
        manager.setEraseCredentialsAfterAuthentication(true);
        if (this.eventPublisher != null) {
            manager.setAuthenticationEventPublisher(this.eventPublisher);
        }
        manager.afterPropertiesSet();
    }

    /** Returns the configuration password encryption helper created in the constructor. */
    public ConfigurationPasswordEncryptionHelper getConfigPasswordEncryptionHelper() {
        return configPasswordEncryptionHelper;
    }

    /**
     * Stores the application context, then builds both persisters and the authentication event
     * publisher for it.
     *
     * @param applicationContext the context this manager runs in
     */
    public void setApplicationContext(ApplicationContext applicationContext) throws BeansException {
        appContext = applicationContext;
        // The context is stored first; the persisters are built afterwards, in this order.
        xp = buildPersister();
        gxp = buildGlobalPersister();
        eventPublisher = new DefaultAuthenticationEventPublisher(applicationContext);
    }

    /** Returns the stored application context; {@code destroy()} resets it to {@code null}. */
    public ApplicationContext getApplicationContext() {
        return appContext;
    }

    /**
     * Reacts to application events: a {@link ContextLoadedEvent} triggers {@link #reload()}, a
     * {@code ContextClosedEvent} triggers {@link #destroy()}.
     *
     * <p>A failure while destroying is logged at WARNING level and not rethrown.
     *
     * @param applicationEvent the event to handle
     */
    public void onApplicationEvent(ApplicationEvent applicationEvent) {
        if (applicationEvent instanceof ContextLoadedEvent) {
            reload();
        }
        if (!(applicationEvent instanceof ContextClosedEvent)) {
            return;
        }
        try {
            destroy();
        } catch (Exception failure) {
            LOGGER.log(Level.WARNING, "Error destroying security manager", failure);
        }
    }

    /**
     * Reloads the security configuration from the data directory.
     *
     * <p>Steps, in order: warn when the master password info file still exists, run the
     * migrations required by the stored security version, write the current version when the
     * stored one is older, commit a pending master password change, re-initialize this manager
     * and initialize every registered {@link GeoServerSecurityProvider}.
     *
     * <p>Any failure surfaces as a {@link RuntimeException}. The nested handlers wrap an already
     * wrapped exception again, so the original cause can sit several levels down the cause
     * chain.
     */
    public void reload() {
        try {
            final Resource masterPasswordInfo = security().get(MASTER_PASSWD_INFO_FILENAME);
            if (masterPasswordInfo.getType() != Resource.Type.UNDEFINED) {
                // Operators are expected to read this file and delete it; it is flagged on every reload.
                LOGGER.warning(String.valueOf(masterPasswordInfo.path()) + " is a security risk. Please read this file and remove it afterward");
            }
            try {
                final Version storedVersion = getSecurityVersion();
                boolean migratedFrom21 = false;
                if (storedVersion.compareTo(VERSION_2_2) < 0) {
                    migratedFrom21 = migrateFrom21();
                }
                if (storedVersion.compareTo(VERSION_2_3) < 0) {
                    removeErroneousAccessDeniedPage();
                    migrateFrom22(migratedFrom21);
                }
                if (storedVersion.compareTo(VERSION_2_4) < 0) {
                    migrateFrom23();
                }
                if (storedVersion.compareTo(VERSION_2_5) < 0) {
                    migrateFrom24();
                }
                if (storedVersion.compareTo(CURR_VERSION) < 0) {
                    writeCurrentVersion();
                }
                try {
                    getKeyStoreProvider().commitMasterPasswordChange();
                    init();
                    for (GeoServerSecurityProvider provider : GeoServerExtensions.extensions(GeoServerSecurityProvider.class)) {
                        provider.init(this);
                    }
                } catch (Exception initFailure) {
                    throw new BeanCreationException("Error occured reading security configuration", initFailure);
                }
            } catch (Exception migrationOrInitFailure) {
                throw new RuntimeException(migrationOrInitFailure);
            }
        } catch (Exception anyFailure) {
            throw new RuntimeException(anyFailure);
        }
    }

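    /**
     * Reads the version of the security directory from its version properties file.
     *
     * @return the stored version, or {@code BASE_VERSION} when the security directory or the
     *     version file does not exist, or when the file has no {@code version} property
     * @throws IOException if the version file cannot be read
     */
    private Version getSecurityVersion() throws IOException {
        final Resource security = security();
        if (security.getType() == Resource.Type.UNDEFINED) {
            return BASE_VERSION;
        }
        final Resource versionFile = security.get(VERSION_PROPERTIES);
        if (versionFile.getType() == Resource.Type.UNDEFINED) {
            return BASE_VERSION;
        }

        final Properties properties = new Properties();
        // try-with-resources replaces the decompiled manual close/rethrow scaffolding: the stream
        // is always closed and a failure while closing no longer hides the original error.
        try (InputStream in = versionFile.in()) {
            properties.load(in);
        }

        final String version = properties.getProperty("version");
        return version != null ? new Version(version) : BASE_VERSION;
    }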

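    /**
     * Writes {@code CURR_VERSION} to the version properties file of the security directory.
     *
     * @throws IOException if the file cannot be written
     */
    private void writeCurrentVersion() throws IOException {
        final Resource security = security();
        // Result intentionally unused; dir() is called before the version file is resolved.
        security.dir();
        final Resource versionFile = security.get(VERSION_PROPERTIES);

        final Properties properties = new Properties();
        properties.setProperty("version", CURR_VERSION.toString());

        // try-with-resources replaces the decompiled manual close/rethrow scaffolding: the stream
        // is always closed and a failure while closing no longer hides the original error.
        try (OutputStream out = versionFile.out()) {
            properties.store(out, "Current version of the security directory. Do not remove or alter this file");
        }
    }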

    /**
     * Migrates stored filter configurations written before version 2.5.
     *
     * <p>Each filter configuration is loaded with a persister that reads the role source as a
     * {@code J2EERoleSource} value. A J2EE based configuration without a role source gets
     * {@code J2EE}; a pre-authenticated user name configuration has its role source re-mapped by
     * name to {@code PreAuthenticatedUserNameRoleSource}. Every loaded configuration is saved
     * again.
     *
     * <p>NOTE(review): the converter's {@code canConvert} uses
     * {@code cls.isAssignableFrom(RoleSource.class)}, which is true for {@code RoleSource} and
     * for each of its supertypes. Confirm that this direction is intended.
     *
     * @throws SecurityConfigException declared by this method; raised by the calls it makes
     * @throws IOException declared by this method; raised by the calls it makes
     */
    void migrateFrom24() throws SecurityConfigException, IOException {
        final MigrationHelper roleSourceMigration = new MigrationHelper() {
            @Override
            public void migrationPersister(XStreamPersister xStreamPersister) {
                xStreamPersister.getXStream().registerConverter(new Converter() {
                    @Override
                    public boolean canConvert(Class cls) {
                        return cls.isAssignableFrom(RoleSource.class);
                    }

                    @Override
                    public void marshal(Object obj, HierarchicalStreamWriter hierarchicalStreamWriter, MarshallingContext marshallingContext) {
                        if (obj == null) {
                            return;
                        }
                        hierarchicalStreamWriter.setValue(obj.toString());
                    }

                    @Override
                    public Object unmarshal(HierarchicalStreamReader hierarchicalStreamReader, UnmarshallingContext unmarshallingContext) {
                        if (hierarchicalStreamReader.getValue() == null) {
                            return null;
                        }
                        // valueOf rejects a name that is not a J2EERoleSource constant.
                        return J2eeAuthenticationBaseFilterConfig.J2EERoleSource.valueOf(hierarchicalStreamReader.getValue());
                    }
                });
            }
        };

        for (String filterName : listFilters()) {
            final SecurityFilterConfig filterConfig = loadFilterConfig(filterName, roleSourceMigration);
            if (filterConfig == null) {
                continue;
            }
            if (filterConfig instanceof J2eeAuthenticationBaseFilterConfig) {
                final J2eeAuthenticationBaseFilterConfig j2eeConfig = (J2eeAuthenticationBaseFilterConfig) filterConfig;
                if (j2eeConfig.getRoleSource() == null) {
                    j2eeConfig.setRoleSource(J2eeAuthenticationBaseFilterConfig.J2EERoleSource.J2EE);
                }
            } else if (filterConfig instanceof PreAuthenticatedUserNameFilterConfig) {
                final PreAuthenticatedUserNameFilterConfig preAuthConfig = (PreAuthenticatedUserNameFilterConfig) filterConfig;
                final RoleSource current = preAuthConfig.getRoleSource();
                if (current != null) {
                    preAuthConfig.setRoleSource(PreAuthenticatedUserNameFilterConfig.PreAuthenticatedUserNameRoleSource.valueOf(current.toString()));
                }
            }
            saveFilter(filterConfig, roleSourceMigration);
        }
    }

    /**
     * Shuts the manager down: lets every registered {@link GeoServerSecurityProvider} clean up,
     * clears the cached user/group and role services, destroys both service helpers, drops the
     * remember-me service and the key store provider, clears the listeners and releases the
     * application context.
     *
     * @throws Exception if a provider or helper fails while being destroyed
     */
    public void destroy() throws Exception {
        for (GeoServerSecurityProvider provider : GeoServerExtensions.extensions(GeoServerSecurityProvider.class)) {
            provider.destroy(this);
        }

        userGroupServices.clear();
        roleServices.clear();
        userGroupServiceHelper.destroy();
        roleServiceHelper.destroy();

        // These two are looked up again by their getters on next use.
        rememberMeService = null;
        keyStoreProvider = null;

        listeners.clear();
        appContext = null;
    }

    /**
     * Registers a listener on this manager.
     *
     * @param securityManagerListener the listener to add
     */
    public void addListener(SecurityManagerListener securityManagerListener) {
        listeners.add(securityManagerListener);
    }

    /**
     * Unregisters a listener from this manager.
     *
     * @param securityManagerListener the listener to remove
     */
    public void removeListener(SecurityManagerListener securityManagerListener) {
        listeners.remove(securityManagerListener);
    }

    /**
     * Returns the active GeoServer authentication providers.
     *
     * <p>The internal list instance is returned, not a copy.
     */
    public List<GeoServerAuthenticationProvider> getAuthenticationProviders() {
        return authProviders;
    }

    /**
     * Initializes the manager from the stored configuration: first the master password
     * configuration, then the security configuration, then fires the change notification.
     *
     * @throws Exception if loading or applying either configuration fails
     */
    void init() throws Exception {
        final MasterPasswordConfig masterPassword = loadMasterPasswordConfig();
        init(masterPassword);

        final SecurityManagerConfig security = loadSecurityConfig();
        init(security);

        fireChanged();
    }

    /**
     * Applies the given security configuration.
     *
     * <p>Reloads the key store, activates the configured role service, rebuilds the list of
     * authentication providers (the root provider first, then the configured ones, with a
     * remember-me provider appended for the provider manager) and stores a copy of the
     * configuration.
     *
     * <p>When the configured role service cannot be loaded, the failure is logged and the
     * service named {@code "default"} is activated instead, so role resolution may then come
     * from a different service than the one configured. Failing to load the default service is
     * fatal.
     *
     * @param securityManagerConfig the configuration to apply
     * @throws Exception if the key store, a provider or the provider manager cannot be set up
     */
    synchronized void init(SecurityManagerConfig securityManagerConfig) throws Exception {
        getKeyStoreProvider().reloadKeyStore();

        final String configuredRoleService = securityManagerConfig.getRoleServiceName();
        GeoServerRoleService roleService = null;
        try {
            roleService = loadRoleService(configuredRoleService);
        } catch (Exception loadFailure) {
            LOGGER.log(Level.WARNING, String.format("Error occured loading role service %s, falling back to default role service", configuredRoleService), loadFailure);
        }
        if (roleService == null) {
            try {
                roleService = loadRoleService("default");
            } catch (Exception defaultFailure) {
                throw new RuntimeException("Fatal error occurred loading default role service", defaultFailure);
            }
        }
        setActiveRoleService(roleService);

        this.authProviders = new ArrayList<>();
        final GeoServerRootAuthenticationProvider rootProvider = new GeoServerRootAuthenticationProvider();
        rootProvider.setSecurityManager(this);
        rootProvider.initializeFromConfig(null);
        // The root provider is always first in the list.
        this.authProviders.add(rootProvider);
        if (!securityManagerConfig.getAuthProviderNames().isEmpty()) {
            for (String providerName : securityManagerConfig.getAuthProviderNames()) {
                this.authProviders.add(this.authProviderHelper.load(providerName));
            }
        }

        final List<AuthenticationProvider> allProviders = new ArrayList<>(this.authProviders);
        final RememberMeAuthenticationProvider rememberMeProvider =
                new RememberMeAuthenticationProvider(securityManagerConfig.getRememberMeService().getKey());
        rememberMeProvider.afterPropertiesSet();
        allProviders.add(rememberMeProvider);
        setProviders(allProviders);

        // Keep a private copy so later changes to the caller's object are not picked up.
        this.securityConfig = new SecurityManagerConfig(securityManagerConfig);
        this.initialized = true;
    }

    /**
     * Stores a copy of the given master password configuration.
     *
     * @param masterPasswordConfig the configuration to copy
     */
    void init(MasterPasswordConfig masterPasswordConfig) {
        final MasterPasswordConfig copy = new MasterPasswordConfig(masterPasswordConfig);
        this.masterPasswordConfig = copy;
    }

    /* JADX WARN: Multi-variable type inference failed */
    /* JADX WARN: Type inference failed for: r0v4 */
    /* JADX WARN: Type inference failed for: r0v5, types: [java.lang.Throwable] */
    /* JADX WARN: Type inference failed for: r0v8 */
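    /**
     * Returns the key store provider, looking it up on first use.
     *
     * <p>The lookup runs under this manager's monitor and is repeated after {@code destroy()}
     * has reset the field. NOTE(review): the first, unlocked read is only a safe publication if
     * the field is declared {@code volatile}; the declaration is not visible here.
     *
     * @return the key store provider, never created twice for the same field state
     */
    public KeyStoreProvider getKeyStoreProvider() {
        if (this.keyStoreProvider == null) {
            // Replaces the decompiler's untyped monitor variable with the plain idiom.
            synchronized (this) {
                if (this.keyStoreProvider == null) {
                    this.keyStoreProvider = lookupKeyStoreProvider();
                }
            }
        }
        return this.keyStoreProvider;
    }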

    /**
     * Resolves the key store provider: the registered {@link KeyStoreProvider} bean when there
     * is one, otherwise a new {@link KeyStoreProviderImpl}. The result is bound to this manager
     * and wrapped in a {@link LockingKeyStoreProvider}.
     */
    KeyStoreProvider lookupKeyStoreProvider() {
        final KeyStoreProvider registered = (KeyStoreProvider) GeoServerExtensions.bean(KeyStoreProvider.class);
        final KeyStoreProvider delegate = registered != null ? registered : new KeyStoreProviderImpl();
        delegate.setSecurityManager(this);
        return new LockingKeyStoreProvider(delegate);
    }

    /** Returns the random password provider held by this manager. */
    public RandomPasswordProvider getRandomPassworddProvider() {
        return randomPasswdProvider;
    }

    /* JADX WARN: Multi-variable type inference failed */
    /* JADX WARN: Type inference failed for: r0v4 */
    /* JADX WARN: Type inference failed for: r0v5, types: [java.lang.Throwable] */
    /* JADX WARN: Type inference failed for: r0v8 */
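    /**
     * Returns the authentication cache, looking it up on first use.
     *
     * <p>The lookup runs under this manager's monitor. NOTE(review): the first, unlocked read is
     * only a safe publication if the field is declared {@code volatile}; the declaration is not
     * visible here.
     */
    public AuthenticationCache getAuthenticationCache() {
        if (this.authCache == null) {
            // Replaces the decompiler's untyped monitor variable with the plain idiom.
            synchronized (this) {
                if (this.authCache == null) {
                    this.authCache = lookupAuthenticationCache();
                }
            }
        }
        return this.authCache;
    }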

    /**
     * Resolves the authentication cache: the registered {@link AuthenticationCache} bean when
     * there is one, otherwise a new {@link GuavaAuthenticationCacheImpl} constructed with
     * {@code 1000}.
     */
    AuthenticationCache lookupAuthenticationCache() {
        final AuthenticationCache registered = (AuthenticationCache) GeoServerExtensions.bean(AuthenticationCache.class);
        if (registered != null) {
            return registered;
        }
        return new GuavaAuthenticationCacheImpl(1000);
    }

    /* JADX WARN: Multi-variable type inference failed */
    /* JADX WARN: Type inference failed for: r0v4 */
    /* JADX WARN: Type inference failed for: r0v5, types: [java.lang.Throwable] */
    /* JADX WARN: Type inference failed for: r0v8 */
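    /**
     * Returns the remember-me service, looking it up on first use.
     *
     * <p>The lookup runs under this manager's monitor and is repeated after {@code destroy()}
     * has reset the field. NOTE(review): the first, unlocked read is only a safe publication if
     * the field is declared {@code volatile}; the declaration is not visible here.
     */
    public RememberMeServices getRememberMeService() {
        if (this.rememberMeService == null) {
            // Replaces the decompiler's untyped monitor variable with the plain idiom.
            synchronized (this) {
                if (this.rememberMeService == null) {
                    this.rememberMeService = lookupRememberMeService();
                }
            }
        }
        return this.rememberMeService;
    }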

    /** Looks up the bean named {@code "rememberMeServices"} through {@link GeoServerExtensions}. */
    RememberMeServices lookupRememberMeService() {
        final Object rememberMeBean = GeoServerExtensions.bean("rememberMeServices");
        return (RememberMeServices) rememberMeBean;
    }

    /** Returns the instance supplied by {@code DataAccessRuleDAO.get()}. */
    public DataAccessRuleDAO getDataAccessRuleDAO() {
        final DataAccessRuleDAO dao = DataAccessRuleDAO.get();
        return dao;
    }

    /** Returns the instance supplied by {@code ServiceAccessRuleDAO.get()}. */
    public ServiceAccessRuleDAO getServiceAccessRuleDAO() {
        final ServiceAccessRuleDAO dao = ServiceAccessRuleDAO.get();
        return dao;
    }

    /** Returns the instance supplied by {@code RESTAccessRuleDAO.get()}. */
    public RESTAccessRuleDAO getRESTAccessRuleDAO() {
        final RESTAccessRuleDAO dao = RESTAccessRuleDAO.get();
        return dao;
    }

    /** Tells whether a security configuration has been applied through {@code init}. */
    public boolean isInitialized() {
        return initialized;
    }

    /**
     * Resolves a path against the data directory.
     *
     * @param str path handed unchanged to the data directory
     * @return the resource the data directory returns for that path
     */
    public Resource get(String str) {
        final Resource resolved = dataDir.get(str);
        return resolved;
    }

    /** Returns the {@code security} resource of the data directory. */
    public Resource security() {
        final Resource securityRoot = get("security");
        return securityRoot;
    }

    /** Returns the {@code security} resource as a directory {@link File}, via {@code dir()}. */
    public File getSecurityRoot() throws IOException {
        final Resource securityRoot = get("security");
        return securityRoot.dir();
    }

    /** Returns the {@code security/role} resource of the data directory. */
    public Resource role() {
        final Resource roleRoot = get("security/role");
        return roleRoot;
    }

    /** Returns the {@code security/role} resource as a directory {@link File}, via {@code dir()}. */
    public File getRoleRoot() throws IOException {
        final Resource roleRoot = get("security/role");
        return roleRoot.dir();
    }

    /**
     * Returns the {@code security/role} resource as a directory {@link File}.
     *
     * @param z when {@code true} the file comes from {@code Resource.dir()}, otherwise from
     *     {@code Resources.directory(resource)}
     */
    public File getRoleRoot(boolean z) throws IOException {
        final Resource roleRoot = get("security/role");
        if (z) {
            return roleRoot.dir();
        }
        return Resources.directory(roleRoot);
    }

    /** Returns the {@code security/pwpolicy} resource of the data directory. */
    public Resource passwordPolicy() {
        final Resource policyRoot = get("security/pwpolicy");
        return policyRoot;
    }

    /** Returns the {@code security/pwpolicy} resource as a directory {@link File}, via {@code dir()}. */
    public File getPasswordPolicyRoot() throws IOException {
        final Resource policyRoot = get("security/pwpolicy");
        return policyRoot.dir();
    }

    /** Returns the {@code security/usergroup} resource of the data directory. */
    public Resource userGroup() throws IOException {
        final Resource userGroupRoot = get("security/usergroup");
        return userGroupRoot;
    }

    /** Returns the {@code security/usergroup} resource as a directory {@link File}, via {@code dir()}. */
    public File getUserGroupRoot() throws IOException {
        final Resource userGroupRoot = get("security/usergroup");
        return userGroupRoot.dir();
    }

    /** Returns the {@code security/auth} resource of the data directory. */
    public Resource auth() throws IOException {
        final Resource authRoot = get("security/auth");
        return authRoot;
    }

    /** Returns the {@code security/auth} resource as a directory {@link File}, via {@code dir()}. */
    public File getAuthRoot() throws IOException {
        final Resource authRoot = get("security/auth");
        return authRoot.dir();
    }

    /** Returns the {@code security/filter} resource of the data directory. */
    public Resource filterRoot() throws IOException {
        final Resource filters = get("security/filter");
        return filters;
    }

    /** Returns the {@code security/filter} resource as a directory {@link File}, via {@code dir()}. */
    public File getFilterRoot() throws IOException {
        final Resource filters = get("security/filter");
        return filters.dir();
    }

    /** Returns the {@code security/masterpw} resource of the data directory. */
    public Resource masterPasswordProvider() throws IOException {
        final Resource masterPasswordRoot = get("security/masterpw");
        return masterPasswordRoot;
    }

    /** Returns the {@code security/masterpw} resource as a directory {@link File}, via {@code dir()}. */
    public File getMasterPasswordProviderRoot() throws IOException {
        final Resource masterPasswordRoot = get("security/masterpw");
        return masterPasswordRoot.dir();
    }

    /** Lists the entries that {@code listFiles} reports under the {@code security/role} resource. */
    public SortedSet<String> listRoleServices() throws IOException {
        final Resource roleRoot = role();
        return listFiles(roleRoot);
    }

    /* JADX WARN: Multi-variable type inference failed */
    /* JADX WARN: Type inference failed for: r0v14 */
    /* JADX WARN: Type inference failed for: r0v7 */
    /* JADX WARN: Type inference failed for: r0v8, types: [java.lang.Throwable] */
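    /**
     * Returns the role service with the given name, loading and caching it on first use.
     *
     * <p>The cached or freshly loaded service is passed through {@code wrapRoleService} on every
     * call, so the caller gets a view that depends on the current authentication. A service that
     * could not be loaded is not cached.
     *
     * <p>NOTE(review): the first cache read happens outside the lock; that is only safe if
     * {@code roleServices} is a concurrent map, which is not visible here.
     *
     * @param str name of the role service
     * @return the (possibly wrapped) role service
     * @throws IOException if loading the service fails
     */
    public GeoServerRoleService loadRoleService(String str) throws IOException {
        GeoServerRoleService service = this.roleServices.get(str);
        if (service == null) {
            // Replaces the decompiler's untyped monitor variable with the plain idiom.
            synchronized (this) {
                service = this.roleServices.get(str);
                if (service == null) {
                    service = this.roleServiceHelper.load(str);
                    if (service != null) {
                        this.roleServices.put(str, service);
                    }
                }
            }
        }
        return wrapRoleService(service);
    }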

    /**
     * Restricts a role service according to the current authentication.
     *
     * <p>Before initialization, and for an authentication that passes
     * {@code checkAuthenticationForAdminRole}, the service is returned unchanged. For an
     * authentication holding {@code GROUP_ADMIN_ROLE} it is wrapped in a
     * {@link GroupAdminRoleService} limited to the groups computed for the principal. Any other
     * authentication also gets the service unchanged.
     *
     * <p>NOTE(review): the principal is cast to {@code UserDetails} without a type check, and
     * the argument is not checked for {@code null} before it is wrapped.
     *
     * @param geoServerRoleService the service to wrap
     * @return the service itself or a group-admin view of it
     * @throws IOException if the admin groups cannot be computed
     */
    GeoServerRoleService wrapRoleService(GeoServerRoleService geoServerRoleService) throws IOException {
        if (!this.initialized) {
            return geoServerRoleService;
        }
        final Authentication current = SecurityContextHolder.getContext().getAuthentication();
        if (checkAuthenticationForAdminRole(current)) {
            return geoServerRoleService;
        }
        if (!checkAuthenticationForRole(current, GeoServerRole.GROUP_ADMIN_ROLE)) {
            return geoServerRoleService;
        }
        final List<String> adminGroups = calculateAdminGroups((UserDetails) current.getPrincipal());
        return new GroupAdminRoleService(geoServerRoleService, adminGroups);
    }

    /**
     * Computes the names of the groups a group administrator may manage.
     *
     * <p>When the user is a {@link GeoServerUser} whose properties carry the group-admin
     * property, that property's value is returned. Otherwise every loaded user/group service is
     * asked for a user with the same user name and the names of all groups of each match are
     * collected.
     *
     * @param userDetails the authenticated user
     * @return group names; empty when nothing matches
     * @throws IOException if a user/group service cannot be loaded or queried
     */
    List<String> calculateAdminGroups(UserDetails userDetails) throws IOException {
        if (userDetails instanceof GeoServerUser) {
            final Properties userProperties = ((GeoServerUser) userDetails).getProperties();
            if (GroupAdminProperty.has(userProperties)) {
                return Arrays.asList(GroupAdminProperty.get(userProperties));
            }
        }

        final List<String> groupNames = new ArrayList<>();
        for (GeoServerUserGroupService userGroupService : loadUserGroupServices()) {
            final GeoServerUser match = userGroupService.getUserByUsername(userDetails.getUsername());
            if (match == null) {
                continue;
            }
            for (GeoServerUserGroup group : userGroupService.getGroupsForUser(match)) {
                groupNames.add(group.getGroupname());
            }
        }
        return groupNames;
    }

    /**
     * Loads the stored configuration of the named role service through the role service helper.
     *
     * @param str name of the role service
     */
    public SecurityRoleServiceConfig loadRoleServiceConfig(String str) throws IOException {
        final SecurityRoleServiceConfig stored = roleServiceHelper.loadConfig(str);
        return stored;
    }

    /* JADX WARN: Multi-variable type inference failed */
    /* JADX WARN: Type inference failed for: r0v13 */
    /* JADX WARN: Type inference failed for: r0v6 */
    /* JADX WARN: Type inference failed for: r0v7, types: [java.lang.Throwable] */
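    /**
     * Returns the password validator with the given name, loading and caching it on first use.
     * A validator that could not be loaded is not cached.
     *
     * <p>NOTE(review): the first cache read happens outside the lock; that is only safe if
     * {@code passwordValidators} is a concurrent map, which is not visible here.
     *
     * @param str name of the password policy
     * @return the validator, or {@code null} when the helper returns none
     * @throws IOException if loading the validator fails
     */
    public PasswordValidator loadPasswordValidator(String str) throws IOException {
        PasswordValidator validator = this.passwordValidators.get(str);
        if (validator == null) {
            // Replaces the decompiler's untyped monitor variable with the plain idiom.
            synchronized (this) {
                validator = this.passwordValidators.get(str);
                if (validator == null) {
                    validator = this.passwordValidatorHelper.load(str);
                    if (validator != null) {
                        this.passwordValidators.put(str, validator);
                    }
                }
            }
        }
        return validator;
    }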

    /**
     * Loads the stored configuration of the named password policy through the validator helper.
     *
     * @param str name of the password policy
     */
    public PasswordPolicyConfig loadPasswordPolicyConfig(String str) throws IOException {
        final PasswordPolicyConfig stored = passwordValidatorHelper.loadConfig(str);
        return stored;
    }

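    /**
     * Looks up a password encoder bean by name and initializes it for this manager.
     *
     * @param str bean name of the encoder
     * @return the initialized encoder, or {@code null} when no bean of that name is found
     * @throws RuntimeException if initialization fails; the {@link IOException} is kept as the
     *     cause so the reason for the failure is not lost
     */
    public GeoServerPasswordEncoder loadPasswordEncoder(String str) {
        final GeoServerPasswordEncoder encoder = (GeoServerPasswordEncoder) GeoServerExtensions.bean(str);
        if (encoder == null) {
            return null;
        }
        try {
            encoder.initialize(this);
        } catch (IOException e) {
            // The original dropped the cause, which made key store and I/O problems undiagnosable.
            throw new RuntimeException("Error occurred initializing password encoder", e);
        }
        return encoder;
    }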

    /**
     * Returns the first password encoder of the given type, without filtering on reversibility
     * or strong cryptography.
     *
     * @param cls encoder type to look for
     * @return the first match, or {@code null} when there is none
     */
    public <T extends GeoServerPasswordEncoder> T loadPasswordEncoder(Class<T> cls) {
        final T firstMatch = (T) loadPasswordEncoder(cls, null, null);
        return firstMatch;
    }

    /**
     * Returns the first password encoder that passes the filters of
     * {@code loadPasswordEncoders(cls, bool, bool2)}.
     *
     * @param cls encoder type to look for
     * @param bool reversibility filter, or {@code null} for no filter
     * @param bool2 strong cryptography filter, or {@code null} for no filter
     * @return the first match, or {@code null} when there is none
     */
    public <T extends GeoServerPasswordEncoder> T loadPasswordEncoder(Class<T> cls, Boolean bool, Boolean bool2) {
        final List<T> matches = loadPasswordEncoders(cls, bool, bool2);
        return matches.isEmpty() ? null : matches.get(0);
    }

    /** Returns all password encoders, with no type, reversibility or strong cryptography filter. */
    public List<GeoServerPasswordEncoder> loadPasswordEncoders() {
        final Class<GeoServerPasswordEncoder> noTypeFilter = null;
        return loadPasswordEncoders(noTypeFilter);
    }

    /**
     * Returns all password encoders of the given type, without filtering on reversibility or
     * strong cryptography.
     *
     * @param cls encoder type, or {@code null} for every encoder
     */
    public <T extends GeoServerPasswordEncoder> List<T> loadPasswordEncoders(Class<T> cls) {
        final List<T> encoders = loadPasswordEncoders(cls, null, null);
        return encoders;
    }

    /**
     * Returns the initialized password encoders that pass the given filters.
     *
     * <p>An encoder is dropped when {@code bool} is set and differs from its
     * {@code isReversible()} value, or when {@code bool2} is set and <em>equals</em> its
     * {@code isAvailableWithoutStrongCryptogaphy()} value (the second test is deliberately the
     * inverse of the first: the flag asks for the opposite of "available without strong
     * cryptography"). An encoder whose initialization fails is logged and dropped as well.
     *
     * <p>Entries are removed from the list returned by {@code GeoServerExtensions.extensions}
     * itself. NOTE(review): confirm that this list is a private copy and not shared state.
     *
     * @param cls encoder type, or {@code null} for every encoder
     * @param bool reversibility filter, or {@code null} for no filter
     * @param bool2 strong cryptography filter, or {@code null} for no filter
     * @return the remaining encoders, each initialized for this manager
     */
    public <T extends GeoServerPasswordEncoder> List<T> loadPasswordEncoders(Class<T> cls, Boolean bool, Boolean bool2) {
        List<T> candidates = GeoServerExtensions.extensions(cls != null ? cls : GeoServerPasswordEncoder.class);
        for (Iterator<T> cursor = candidates.iterator(); cursor.hasNext(); ) {
            final T encoder = cursor.next();

            boolean rejected = bool != null && !bool.equals(Boolean.valueOf(encoder.isReversible()));
            if (!rejected && bool2 != null && bool2.equals(Boolean.valueOf(encoder.isAvailableWithoutStrongCryptogaphy()))) {
                rejected = true;
            }
            if (rejected) {
                cursor.remove();
                continue;
            }

            try {
                encoder.initialize(this);
            } catch (IOException initFailure) {
                LOGGER.log(Level.WARNING, "Error initializing password encoder " + encoder.getName() + ", skipping", initFailure);
                cursor.remove();
            }
        }
        return candidates;
    }

    /**
     * Tells whether the running JVM accepts 256 bit AES keys, caching the answer after the first
     * call.
     *
     * <p>The check generates a throw-away 256 bit key and encrypts a fixed sample string with
     * it. An {@link InvalidKeyException} means the key size is not permitted; any other failure
     * is logged and also reported as "not available".
     *
     * <p>The transformation is given as plain {@code "AES"}, so the mode and padding are the
     * provider's defaults. That is acceptable for this capability probe only, because the
     * ciphertext is discarded; code that protects data should name the mode explicitly.
     *
     * @return {@code true} when the probe encryption succeeded
     */
    public boolean isStrongEncryptionAvailable() {
        if (this.strongEncryptionAvaialble != null) {
            return this.strongEncryptionAvaialble.booleanValue();
        }
        try {
            final KeyGenerator generator = KeyGenerator.getInstance("AES");
            generator.init(256);
            final byte[] probeKey = generator.generateKey().getEncoded();
            final SecretKeySpec keySpec = new SecretKeySpec(probeKey, "AES");

            final Cipher probe = Cipher.getInstance("AES");
            probe.init(Cipher.ENCRYPT_MODE, keySpec);
            probe.doFinal("This is just an example".getBytes());

            this.strongEncryptionAvaialble = true;
            LOGGER.info("Strong cryptography is available");
        } catch (InvalidKeyException keySizeRejected) {
            this.strongEncryptionAvaialble = false;
            LOGGER.warning("Strong cryptography is NOT available\nDownload and installation the of unlimted length policy files is recommended");
        } catch (Exception unexpected) {
            LOGGER.log(Level.WARNING, "Strong cryptography is NOT available, unexpected error", unexpected);
            this.strongEncryptionAvaialble = false;
        }
        return this.strongEncryptionAvaialble.booleanValue();
    }

    /* JADX WARN: Multi-variable type inference failed */
    /* JADX WARN: Type inference failed for: r0v16, types: [org.geoserver.security.GeoServerRoleService] */
    /* JADX WARN: Type inference failed for: r0v17, types: [java.lang.Throwable] */
    /* JADX WARN: Type inference failed for: r0v20 */
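    /**
     * Validates and persists a role service configuration, then refreshes the active role service
     * if the saved configuration is the one currently in use.
     *
     * <p>A configuration without an id is treated as new: it is initialised and validated as an
     * addition. Otherwise it is validated as a modification against the stored configuration of
     * the same name. After saving, the entry is dropped from {@code roleServices} (presumably a
     * cache of loaded services; confirm against the field declaration).
     *
     * @param securityRoleServiceConfig the configuration to save
     * @throws IOException if loading the stored configuration or saving fails
     * @throws SecurityConfigException if validation rejects the configuration
     */
    public void saveRoleService(SecurityRoleServiceConfig securityRoleServiceConfig) throws IOException, SecurityConfigException {
        SecurityConfigValidator validator = SecurityConfigValidator.getConfigurationValiator(GeoServerRoleService.class, securityRoleServiceConfig.getClassName());
        if (securityRoleServiceConfig.getId() == null) {
            securityRoleServiceConfig.initBeforeSave();
            validator.validateAddRoleService(securityRoleServiceConfig);
        } else {
            validator.validateModifiedRoleService(securityRoleServiceConfig, this.roleServiceHelper.loadConfig(securityRoleServiceConfig.getName()));
        }
        this.roleServiceHelper.saveConfig(securityRoleServiceConfig);
        this.roleServices.remove(securityRoleServiceConfig.getName());
        if (this.activeRoleService == null || !securityRoleServiceConfig.getName().equals(this.activeRoleService.getName())) {
            return;
        }
        // Re-initialise the live service under its own monitor. The decompiler's untyped
        // register variable ("?? r0") has been replaced by the lock expression it stood for.
        synchronized (this.activeRoleService) {
            this.activeRoleService.initializeFromConfig(securityRoleServiceConfig);
        }
    }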

    /**
     * Validates and persists a password policy configuration.
     *
     * <p>A configuration with an id is validated as a modification of the stored configuration of
     * the same name; one without an id is initialised and validated as an addition.
     *
     * @param passwordPolicyConfig the policy configuration to save
     * @throws IOException if loading the stored configuration or saving fails
     * @throws SecurityConfigException if validation rejects the configuration
     */
    public void savePasswordPolicy(PasswordPolicyConfig passwordPolicyConfig) throws IOException, SecurityConfigException {
        SecurityConfigValidator validator = SecurityConfigValidator.getConfigurationValiator(PasswordValidator.class, passwordPolicyConfig.getClassName());
        if (passwordPolicyConfig.getId() != null) {
            validator.validateModifiedPasswordPolicy(passwordPolicyConfig, this.passwordValidatorHelper.loadConfig(passwordPolicyConfig.getName()));
        } else {
            passwordPolicyConfig.initBeforeSave();
            validator.validateAddPasswordPolicy(passwordPolicyConfig);
        }
        this.passwordValidatorHelper.saveConfig(passwordPolicyConfig);
    }

    /**
     * Validates the removal of a role service, then drops it from {@code roleServices} and deletes
     * its stored configuration.
     *
     * @param securityRoleServiceConfig the configuration of the service to remove
     * @throws IOException if removing the stored configuration fails
     * @throws SecurityConfigException if validation rejects the removal
     */
    public void removeRoleService(SecurityRoleServiceConfig securityRoleServiceConfig) throws IOException, SecurityConfigException {
        SecurityConfigValidator validator = SecurityConfigValidator.getConfigurationValiator(GeoServerRoleService.class, securityRoleServiceConfig.getClassName());
        // Validation runs first so that a rejected removal leaves both cache and disk untouched.
        validator.validateRemoveRoleService(securityRoleServiceConfig);
        this.roleServices.remove(securityRoleServiceConfig.getName());
        this.roleServiceHelper.removeConfig(securityRoleServiceConfig.getName());
    }

    /**
     * Validates the removal of a password policy, then drops it from {@code passwordValidators}
     * and deletes its stored configuration.
     *
     * @param passwordPolicyConfig the configuration of the policy to remove
     * @throws IOException if removing the stored configuration fails
     * @throws SecurityConfigException if validation rejects the removal
     */
    public void removePasswordValidator(PasswordPolicyConfig passwordPolicyConfig) throws IOException, SecurityConfigException {
        SecurityConfigValidator validator = SecurityConfigValidator.getConfigurationValiator(PasswordValidator.class, passwordPolicyConfig.getClassName());
        // Validation runs first so that a rejected removal leaves both cache and disk untouched.
        validator.validateRemovePasswordPolicy(passwordPolicyConfig);
        this.passwordValidators.remove(passwordPolicyConfig.getName());
        this.passwordValidatorHelper.removeConfig(passwordPolicyConfig.getName());
    }

    /**
     * Lists the user/group services by passing the {@code userGroup()} location to {@code listFiles}.
     *
     * @return the sorted names returned by {@code listFiles}
     * @throws IOException if the listing fails
     */
    public SortedSet<String> listUserGroupServices() throws IOException {
        SortedSet<String> serviceNames = listFiles(userGroup());
        return serviceNames;
    }

    /**
     * Lists the password validators by passing the {@code passwordPolicy()} location to
     * {@code listFiles}.
     *
     * @return the sorted names returned by {@code listFiles}
     * @throws IOException if the listing fails
     */
    public SortedSet<String> listPasswordValidators() throws IOException {
        SortedSet<String> validatorNames = listFiles(passwordPolicy());
        return validatorNames;
    }

    /**
     * Loads every user/group service named by {@link #listUserGroupServices()}.
     *
     * <p>Loading is best effort: a service whose load throws {@link IOException} is logged at
     * WARNING and left out of the result, so the returned list can be shorter than the listing.
     * Services are loaded through the helper directly, without the wrapping that
     * {@code loadUserGroupService(String)} applies.
     *
     * @return the services that loaded; whatever the helper returns is added as is
     * @throws IOException if listing the service names fails
     */
    public List<GeoServerUserGroupService> loadUserGroupServices() throws IOException {
        List<GeoServerUserGroupService> loaded = new ArrayList<>();
        for (String serviceName : listUserGroupServices()) {
            try {
                loaded.add(this.userGroupServiceHelper.load(serviceName));
            } catch (IOException loadFailure) {
                // Deliberately non-fatal: one broken service must not hide the others.
                LOGGER.log(Level.WARNING, "Failed to load user group service " + serviceName, (Throwable) loadFailure);
            }
        }
        return loaded;
    }

    /* JADX WARN: Multi-variable type inference failed */
    /* JADX WARN: Type inference failed for: r0v14 */
    /* JADX WARN: Type inference failed for: r0v7 */
    /* JADX WARN: Type inference failed for: r0v8, types: [java.lang.Throwable] */
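    /**
     * Returns the user/group service with the given name, loading and caching it on first use,
     * and wrapped by {@code wrapUserGroupService} for the current caller.
     *
     * <p>The cache lookup is repeated inside a block synchronized on this manager so that the
     * service is loaded at most once when callers race. A {@code null} load result is not cached.
     *
     * @param str the service name
     * @return the (possibly wrapped) service; {@code wrapUserGroupService} receives {@code null}
     *     if the helper could not provide one
     * @throws IOException if loading or wrapping fails
     */
    public GeoServerUserGroupService loadUserGroupService(String str) throws IOException {
        GeoServerUserGroupService service = this.userGroupServices.get(str);
        if (service == null) {
            // The decompiler's untyped register variable ("?? r0") stood for this lock on the manager.
            synchronized (this) {
                service = this.userGroupServices.get(str);
                if (service == null) {
                    service = this.userGroupServiceHelper.load(str);
                    if (service != null) {
                        this.userGroupServices.put(str, service);
                    }
                }
            }
        }
        return wrapUserGroupService(service);
    }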

    /**
     * Restricts a user/group service for callers that are group administrators but not full
     * administrators.
     *
     * <p>The service is returned unwrapped when the manager is not yet initialized, when the
     * current authentication passes the admin-role check, and also when it holds neither role.
     * NOTE(review): the last case hands the unrestricted service to a caller with no admin role
     * at all; presumably callers gate access before reaching this point, so confirm.
     *
     * @param geoServerUserGroupService the service to wrap
     * @return a {@code GroupAdminUserGroupService} for group administrators, otherwise the argument
     * @throws IOException declared for the wrapping path
     */
    GeoServerUserGroupService wrapUserGroupService(GeoServerUserGroupService geoServerUserGroupService) throws IOException {
        if (this.initialized) {
            Authentication current = SecurityContextHolder.getContext().getAuthentication();
            boolean groupAdminOnly = !checkAuthenticationForAdminRole(current) && checkAuthenticationForRole(current, GeoServerRole.GROUP_ADMIN_ROLE);
            if (groupAdminOnly) {
                return new GroupAdminUserGroupService(geoServerUserGroupService, calculateAdminGroups((UserDetails) current.getPrincipal()));
            }
        }
        return geoServerUserGroupService;
    }

    /**
     * Loads the stored configuration of the named user/group service through the helper.
     *
     * @param str the service name
     * @return the configuration returned by the helper
     * @throws IOException if loading fails
     */
    public SecurityUserGroupServiceConfig loadUserGroupServiceConfig(String str) throws IOException {
        SecurityUserGroupServiceConfig stored = this.userGroupServiceHelper.loadConfig(str);
        return stored;
    }

    /**
     * Validates and persists a user/group service configuration, then drops the service from
     * {@code userGroupServices} so that the next lookup reloads it.
     *
     * <p>A configuration with an id is validated as a modification of the stored configuration of
     * the same name; one without an id is initialised and validated as an addition.
     *
     * @param securityUserGroupServiceConfig the configuration to save
     * @throws IOException if loading the stored configuration or saving fails
     * @throws SecurityConfigException if validation rejects the configuration
     */
    public void saveUserGroupService(SecurityUserGroupServiceConfig securityUserGroupServiceConfig) throws IOException, SecurityConfigException {
        SecurityConfigValidator validator = SecurityConfigValidator.getConfigurationValiator(GeoServerUserGroupService.class, securityUserGroupServiceConfig.getClassName());
        if (securityUserGroupServiceConfig.getId() != null) {
            SecurityUserGroupServiceConfig stored = this.userGroupServiceHelper.loadConfig(securityUserGroupServiceConfig.getName());
            validator.validateModifiedUserGroupService(securityUserGroupServiceConfig, stored);
        } else {
            securityUserGroupServiceConfig.initBeforeSave();
            validator.validateAddUserGroupService(securityUserGroupServiceConfig);
        }
        this.userGroupServiceHelper.saveConfig(securityUserGroupServiceConfig);
        this.userGroupServices.remove(securityUserGroupServiceConfig.getName());
    }

    /**
     * Validates the removal of a user/group service, then drops it from {@code userGroupServices}
     * and deletes its stored configuration.
     *
     * @param securityUserGroupServiceConfig the configuration of the service to remove
     * @throws IOException if removing the stored configuration fails
     * @throws SecurityConfigException if validation rejects the removal
     */
    public void removeUserGroupService(SecurityUserGroupServiceConfig securityUserGroupServiceConfig) throws IOException, SecurityConfigException {
        SecurityConfigValidator validator = SecurityConfigValidator.getConfigurationValiator(GeoServerUserGroupService.class, securityUserGroupServiceConfig.getClassName());
        // Validation runs first so that a rejected removal leaves both cache and disk untouched.
        validator.validateRemoveUserGroupService(securityUserGroupServiceConfig);
        this.userGroupServices.remove(securityUserGroupServiceConfig.getName());
        this.userGroupServiceHelper.removeConfig(securityUserGroupServiceConfig.getName());
    }

    /**
     * Lists the authentication providers by passing the {@code auth()} location to {@code listFiles}.
     *
     * @return the sorted names returned by {@code listFiles}
     * @throws IOException if the listing fails
     */
    public SortedSet<String> listAuthenticationProviders() throws IOException {
        SortedSet<String> providerNames = listFiles(auth());
        return providerNames;
    }

    /**
     * Loads the named authentication provider through the helper.
     *
     * @param str the provider name
     * @return the provider returned by the helper
     * @throws IOException if loading fails
     */
    public GeoServerAuthenticationProvider loadAuthenticationProvider(String str) throws IOException {
        GeoServerAuthenticationProvider provider = this.authProviderHelper.load(str);
        return provider;
    }

    /**
     * Loads the stored configuration of the named authentication provider through the helper.
     *
     * @param str the provider name
     * @return the configuration returned by the helper
     * @throws IOException if loading fails
     */
    public SecurityAuthProviderConfig loadAuthenticationProviderConfig(String str) throws IOException {
        SecurityAuthProviderConfig stored = this.authProviderHelper.loadConfig(str);
        return stored;
    }

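    /**
     * Validates an authentication provider configuration, re-initialises the matching live
     * provider (if one is loaded), and persists the configuration.
     *
     * <p>A configuration without an id is initialised and validated as an addition; otherwise it
     * is validated as a modification of the stored configuration of the same name.
     *
     * <p>NOTE(review): the live provider is re-initialised before the configuration is written.
     * If {@code saveConfig} then throws, the running provider and the stored configuration
     * disagree until the next reload, which is worth confirming as intended.
     *
     * @param securityAuthProviderConfig the configuration to save
     * @throws IOException if loading the stored configuration, re-initialising or saving fails
     * @throws SecurityConfigException if validation rejects the configuration
     */
    public void saveAuthenticationProvider(SecurityAuthProviderConfig securityAuthProviderConfig) throws IOException, SecurityConfigException {
        SecurityConfigValidator validator = SecurityConfigValidator.getConfigurationValiator(GeoServerAuthenticationProvider.class, securityAuthProviderConfig.getClassName());
        if (securityAuthProviderConfig.getId() == null) {
            securityAuthProviderConfig.initBeforeSave();
            validator.validateAddAuthProvider(securityAuthProviderConfig);
        } else {
            validator.validateModifiedAuthProvider(securityAuthProviderConfig, this.authProviderHelper.loadConfig(securityAuthProviderConfig.getName()));
        }
        if (this.authProviders != null) {
            // Find the loaded provider with the same name. It is typed as the GeoServer provider
            // because getName() and initializeFromConfig() are called on it; the decompiler had
            // widened it to the plain Spring interface.
            GeoServerAuthenticationProvider liveProvider = null;
            Iterator<GeoServerAuthenticationProvider> it = this.authProviders.iterator();
            while (liveProvider == null && it.hasNext()) {
                GeoServerAuthenticationProvider candidate = it.next();
                if (securityAuthProviderConfig.getName().equals(candidate.getName())) {
                    liveProvider = candidate;
                }
            }
            if (liveProvider != null) {
                // Re-initialise under the provider's own monitor.
                synchronized (liveProvider) {
                    liveProvider.initializeFromConfig(securityAuthProviderConfig);
                }
            }
        }
        this.authProviderHelper.saveConfig(securityAuthProviderConfig);
    }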

    /**
     * Checks whether the authentication held by the current security context has the admin role.
     *
     * <p>When there is no security context, the check is made with a {@code null} authentication.
     *
     * @return the result of {@code checkAuthenticationForAdminRole(Authentication)}
     */
    public boolean checkAuthenticationForAdminRole() {
        if (SecurityContextHolder.getContext() == null) {
            return checkAuthenticationForAdminRole(null);
        }
        return checkAuthenticationForAdminRole(SecurityContextHolder.getContext().getAuthentication());
    }

    /**
     * Checks whether the given authentication holds {@code GeoServerRole.ADMIN_ROLE}.
     *
     * @param authentication the authentication to inspect; may be {@code null}
     * @return the result of {@code checkAuthenticationForRole} for the admin role
     */
    public boolean checkAuthenticationForAdminRole(Authentication authentication) {
        boolean isAdmin = checkAuthenticationForRole(authentication, GeoServerRole.ADMIN_ROLE);
        return isAdmin;
    }

    /**
     * Checks whether the given authentication carries the authority of the given role.
     *
     * <p>Security note: the check passes for every caller when
     * {@code GeoServerSecurityFilterChainProxy.isSecurityEnabledForCurrentRequest()} is false, so
     * every role check built on this method is only as strict as that flag. A {@code null} or
     * unauthenticated authentication never passes once security is enabled.
     *
     * @param authentication the authentication to inspect; may be {@code null}
     * @param geoServerRole the role whose authority string is looked for
     * @return {@code true} if security is disabled for the request or a granted authority matches
     */
    public boolean checkAuthenticationForRole(Authentication authentication, GeoServerRole geoServerRole) {
        if (!GeoServerSecurityFilterChainProxy.isSecurityEnabledForCurrentRequest()) {
            return true;
        }
        boolean usable = authentication != null && authentication.isAuthenticated();
        if (usable) {
            for (Object granted : authentication.getAuthorities()) {
                // Compared by authority string, not by object identity or role type.
                if (geoServerRole.getAuthority().equals(((GrantedAuthority) granted).getAuthority())) {
                    return true;
                }
            }
        }
        return false;
    }

    /**
     * Tests whether the admin account still accepts the shipped default password by attempting a
     * real authentication with it.
     *
     * <p>Note for operators: each call is an actual login attempt through {@code providerMgr}, so
     * it may show up wherever failed logins are recorded or counted.
     *
     * @return {@code true} if the provider manager authenticated the default credentials
     */
    public boolean checkForDefaultAdminPassword() {
        Authentication attempt = new UsernamePasswordAuthenticationToken(GeoServerUser.ADMIN_USERNAME, "geoserver");
        try {
            attempt = this.providerMgr.authenticate(attempt);
        } catch (Exception ignored) {
            // A rejected login is the expected outcome; the original, unauthenticated token is
            // kept and inspected below.
        }
        return attempt.isAuthenticated();
    }

    /**
     * Lists the security filters by passing the {@code filterRoot()} location to {@code listFiles}.
     *
     * @return the sorted names returned by {@code listFiles}
     * @throws IOException if the listing fails
     */
    public SortedSet<String> listFilters() throws IOException {
        SortedSet<String> filterNames = listFiles(filterRoot());
        return filterNames;
    }

    /**
     * Lists the names of the filters whose configured class is assignable to the given type.
     *
     * <p>Each filter's configuration is loaded and its class name resolved with
     * {@link Class#forName(String)}. Configurations without a class name are skipped, and a class
     * that cannot be found is logged at WARNING and skipped. Note that this form of
     * {@code Class.forName} also initialises the class it resolves, and the name comes from the
     * stored filter configuration.
     *
     * @param cls the type the filter class must be assignable to
     * @return the sorted names of the matching filters
     * @throws IOException if listing the filters or loading a configuration fails
     */
    public SortedSet<String> listFilters(Class<?> cls) throws IOException {
        SortedSet<String> matching = new TreeSet<>();
        for (String filterName : listFilters()) {
            SecurityFilterConfig config = loadFilterConfig(filterName);
            if (config.getClassName() == null) {
                continue;
            }
            try {
                Class<?> filterClass = Class.forName(config.getClassName());
                if (cls.isAssignableFrom(filterClass)) {
                    matching.add(config.getName());
                }
            } catch (ClassNotFoundException missing) {
                LOGGER.log(Level.WARNING, missing.getMessage(), (Throwable) missing);
            }
        }
        return matching;
    }

    /**
     * Loads the named security filter through the helper.
     *
     * @param str the filter name
     * @return the filter returned by the helper
     * @throws IOException if loading fails
     */
    public GeoServerSecurityFilter loadFilter(String str) throws IOException {
        GeoServerSecurityFilter filter = this.filterHelper.load(str);
        return filter;
    }

    /**
     * Loads the stored configuration of the named filter, passing a migration helper to the
     * loader.
     *
     * @param str the filter name
     * @param migrationHelper the helper handed through to {@code filterHelper.loadConfig}
     * @return the configuration returned by the helper
     * @throws IOException if loading fails
     */
    public SecurityFilterConfig loadFilterConfig(String str, MigrationHelper migrationHelper) throws IOException {
        SecurityFilterConfig stored = this.filterHelper.loadConfig(str, migrationHelper);
        return stored;
    }

    /**
     * Loads the stored configuration of the named filter through the helper.
     *
     * @param str the filter name
     * @return the configuration returned by the helper
     * @throws IOException if loading fails
     */
    public SecurityFilterConfig loadFilterConfig(String str) throws IOException {
        SecurityFilterConfig stored = this.filterHelper.loadConfig(str);
        return stored;
    }

    /**
     * Saves a filter configuration without a migration helper.
     *
     * @param securityNamedServiceConfig the filter configuration to save
     * @throws IOException if loading the stored configuration or saving fails
     * @throws SecurityConfigException if validation rejects the configuration
     */
    public void saveFilter(SecurityNamedServiceConfig securityNamedServiceConfig) throws IOException, SecurityConfigException {
        // The cast only makes the chosen overload explicit; the argument is still null.
        saveFilter(securityNamedServiceConfig, (MigrationHelper) null);
    }

    /**
     * Validates and persists a filter configuration.
     *
     * <p>For an existing filter (one with an id) the configuration is validated against the
     * stored one, the filter's entries are removed from the authentication cache, and, if the
     * filter is referenced by the configured filter chain, listeners are notified after saving.
     * A new filter is initialised and validated as an addition.
     *
     * @param securityNamedServiceConfig the filter configuration to save
     * @param migrationHelper handed through to {@code filterHelper.loadConfig}; may be {@code null}
     * @throws IOException if loading the stored configuration or saving fails
     * @throws SecurityConfigException if validation rejects the configuration
     */
    public void saveFilter(SecurityNamedServiceConfig securityNamedServiceConfig, MigrationHelper migrationHelper) throws IOException, SecurityConfigException {
        SecurityConfigValidator validator = SecurityConfigValidator.getConfigurationValiator(GeoServerSecurityFilter.class, securityNamedServiceConfig.getClassName());
        boolean usedByChain = false;
        if (securityNamedServiceConfig.getId() != null) {
            validator.validateModifiedFilter(securityNamedServiceConfig, this.filterHelper.loadConfig(securityNamedServiceConfig.getName(), migrationHelper));
            // Cached authentications produced by the old filter settings must not outlive the change.
            getAuthenticationCache().removeAll(securityNamedServiceConfig.getName());
            usedByChain = !this.securityConfig.getFilterChain().patternsForFilter(securityNamedServiceConfig.getName(), true).isEmpty();
        } else {
            securityNamedServiceConfig.initBeforeSave();
            validator.validateAddFilter(securityNamedServiceConfig);
        }
        this.filterHelper.saveConfig(securityNamedServiceConfig);
        if (usedByChain) {
            fireChanged();
        }
    }

    /**
     * Validates the removal of an authentication provider and deletes its stored configuration.
     *
     * @param securityAuthProviderConfig the configuration of the provider to remove
     * @throws IOException if removing the stored configuration fails
     * @throws SecurityConfigException if validation rejects the removal
     */
    public void removeAuthenticationProvider(SecurityAuthProviderConfig securityAuthProviderConfig) throws IOException, SecurityConfigException {
        SecurityConfigValidator validator = SecurityConfigValidator.getConfigurationValiator(GeoServerAuthenticationProvider.class, securityAuthProviderConfig.getClassName());
        validator.validateRemoveAuthProvider(securityAuthProviderConfig);
        this.authProviderHelper.removeConfig(securityAuthProviderConfig.getName());
    }

    /**
     * Validates the removal of a filter, removes the filter's entries from the authentication
     * cache, and deletes its stored configuration.
     *
     * @param securityNamedServiceConfig the configuration of the filter to remove
     * @throws IOException if removing the stored configuration fails
     * @throws SecurityConfigException if validation rejects the removal
     */
    public void removeFilter(SecurityNamedServiceConfig securityNamedServiceConfig) throws IOException, SecurityConfigException {
        SecurityConfigValidator validator = SecurityConfigValidator.getConfigurationValiator(GeoServerSecurityFilter.class, securityNamedServiceConfig.getClassName());
        validator.validateRemoveFilter(securityNamedServiceConfig);
        // Cached authentications produced by the filter must not outlive it.
        getAuthenticationCache().removeAll(securityNamedServiceConfig.getName());
        this.filterHelper.removeConfig(securityNamedServiceConfig.getName());
    }

    /**
     * Returns a copy of the current security configuration, built with the copy constructor so
     * that callers do not receive the manager's own instance.
     *
     * @return a new {@code SecurityManagerConfig} constructed from the current one
     */
    public SecurityManagerConfig getSecurityConfig() {
        SecurityManagerConfig copy = new SecurityManagerConfig(this.securityConfig);
        return copy;
    }

    /**
     * Reports whether the current security configuration asks for URL parameter encryption.
     *
     * @return {@code false} while no configuration is loaded, otherwise the configured flag
     */
    public boolean isEncryptingUrlParams() {
        return this.securityConfig != null && this.securityConfig.isEncryptingUrlParams();
    }

    /**
     * Validates, applies and persists a new security manager configuration.
     *
     * <p>The new configuration is validated against a copy of the current one, applied with
     * {@code init}, and written to {@code CONFIG_FILENAME}. If the configuration password
     * encrypter name changed, configuration files with encrypted fields are rewritten first.
     * Listeners are notified after a successful write.
     *
     * <p>NOTE(review): an {@link IOException} during these steps is logged at SEVERE and the
     * previous configuration is re-applied, but the exception is not rethrown, so a caller cannot
     * tell from the return that the save was rolled back.
     *
     * @param securityManagerConfig the configuration to apply and save
     * @throws Exception if validation fails, or if {@code init} fails with a non-I/O error
     */
    public synchronized void saveSecurityConfig(SecurityManagerConfig securityManagerConfig) throws Exception {
        SecurityManagerConfig previous = new SecurityManagerConfig(this.securityConfig);
        SecurityConfigValidator validator = new SecurityConfigValidator(this);
        // Validation works on clones so that it cannot alter either configuration.
        validator.validateManagerConfig((SecurityManagerConfig) securityManagerConfig.clone(true), (SecurityManagerConfig) previous.clone(true));
        try {
            init(securityManagerConfig);
            boolean encrypterChanged = !securityManagerConfig.getConfigPasswordEncrypterName().equals(previous.getConfigPasswordEncrypterName());
            if (encrypterChanged) {
                updateConfigurationFilesWithEncryptedFields();
            }
            XStreamUtils.xStreamPersist(security().get(CONFIG_FILENAME), securityManagerConfig, globalPersister());
            fireChanged();
        } catch (IOException saveFailure) {
            LOGGER.log(Level.SEVERE, "Error saving security config, reverting back to previous", (Throwable) saveFailure);
            init(previous);
        }
    }

    /**
     * Returns a copy of the current master password configuration, built with the copy
     * constructor so that callers do not receive the manager's own instance.
     *
     * @return a new {@code MasterPasswordConfig} constructed from the current one
     */
    public MasterPasswordConfig getMasterPasswordConfig() {
        MasterPasswordConfig copy = new MasterPasswordConfig(this.masterPasswordConfig);
        return copy;
    }

    /* JADX WARN: Multi-variable type inference failed */
    /* JADX WARN: Type inference failed for: r0v19 */
    /* JADX WARN: Type inference failed for: r0v20, types: [java.lang.Throwable] */
    /* JADX WARN: Type inference failed for: r0v21, types: [org.geoserver.security.KeyStoreProvider] */
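    /**
     * Changes the master password and saves the master password configuration.
     *
     * <p>The change request (current, new and confirmation password) and the configuration are
     * validated first. Under the key store provider's monitor the key store is prepared for the
     * change, the new password is handed to the provider unless the provider is read-only, the
     * configuration and a fresh password digest are saved, and the key store change is committed.
     * On an {@link IOException} the key store change is aborted, the previous configuration and
     * digest are restored, and the exception is rethrown.
     *
     * <p>For a read-only provider the supplied new password is ignored and replaced by the
     * provider's own password before validation. The key store preparation and the digest use
     * the confirmation password, presumably because validation has required it to equal the new
     * password (confirm against {@code MasterPasswordChangeValidator}).
     *
     * <p>The password arrays are not scrambled here; clearing them is left to the caller.
     *
     * @param masterPasswordConfig the configuration to save
     * @param cArr the current master password
     * @param cArr2 the new master password (ignored for a read-only provider)
     * @param cArr3 the confirmation of the new master password
     * @throws Exception if validation fails or the change cannot be carried out
     */
    public synchronized void saveMasterPasswordConfig(MasterPasswordConfig masterPasswordConfig, char[] cArr, char[] cArr2, char[] cArr3) throws Exception {
        MasterPasswordProviderConfig providerConfig = loadMasterPassswordProviderConfig(masterPasswordConfig.getProviderName());
        MasterPasswordProvider provider = loadMasterPasswordProvider(masterPasswordConfig.getProviderName());
        if (providerConfig.isReadOnly()) {
            cArr2 = provider.getMasterPassword();
        }
        MasterPasswordChangeRequest changeRequest = new MasterPasswordChangeRequest();
        changeRequest.setCurrentPassword(cArr);
        changeRequest.setNewPassword(cArr2);
        changeRequest.setConfirmPassword(cArr3);
        new MasterPasswordChangeValidator(this).validateChangeRequest(changeRequest);
        new MasterPasswordConfigValidator(this).validateMasterPasswordConfig(masterPasswordConfig);
        // Snapshot the state that the rollback path restores.
        MasterPasswordConfig previousConfig = new MasterPasswordConfig(this.masterPasswordConfig);
        String previousDigest = this.masterPasswdDigest;
        KeyStoreProvider keyStoreProvider = getKeyStoreProvider();
        // The decompiler's untyped register variable ("?? r0") stood for this lock on the provider.
        synchronized (keyStoreProvider) {
            keyStoreProvider.prepareForMasterPasswordChange(cArr, cArr3);
            try {
                if (!providerConfig.isReadOnly()) {
                    try {
                        provider.setMasterPassword(cArr2);
                    } catch (Exception e) {
                        // Wrapped so that the rollback below also covers provider failures.
                        throw new IOException(e);
                    }
                }
                saveMasterPasswordConfig(masterPasswordConfig);
                this.masterPasswdDigest = computeAndSaveMasterPasswordDigest(cArr3);
                keyStoreProvider.commitMasterPasswordChange();
                // Result unused: presumably the remnant of a branch that reacted to a provider
                // change (TODO confirm). Kept so that the call's behaviour is unchanged.
                masterPasswordConfig.getProviderName().equals(previousConfig.getProviderName());
            } catch (IOException e2) {
                keyStoreProvider.abortMasterPasswordChange();
                this.masterPasswordConfig = previousConfig;
                this.masterPasswdDigest = previousDigest;
                saveMasterPasswordDigest(previousDigest);
                throw e2;
            }
        }
    }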

    /**
     * Writes the master password configuration to {@code MASTER_PASSWD_CONFIG_FILENAME} and keeps
     * a private copy of it as the current configuration.
     *
     * <p>No validation is performed by this overload.
     *
     * @param masterPasswordConfig the configuration to persist
     * @throws IOException if writing fails
     */
    public void saveMasterPasswordConfig(MasterPasswordConfig masterPasswordConfig) throws IOException {
        XStreamUtils.xStreamPersist(security().get(MASTER_PASSWD_CONFIG_FILENAME), masterPasswordConfig, globalPersister());
        // Copy rather than alias, so later changes to the caller's object do not leak in.
        MasterPasswordConfig ownCopy = new MasterPasswordConfig(masterPasswordConfig);
        this.masterPasswordConfig = ownCopy;
    }

    /**
     * Checks a candidate master password supplied as a {@link String}.
     *
     * <p>The string is converted to a character array and checked by the {@code char[]} overload.
     * Neither the string nor the array is cleared here; callers that can supply a {@code char[]}
     * keep control over wiping it.
     *
     * @param str the candidate master password
     * @return {@code true} if it matches the stored digest
     */
    public boolean checkMasterPassword(String str) {
        char[] candidate = str.toCharArray();
        return checkMasterPassword(candidate);
    }

    /* JADX WARN: Multi-variable type inference failed */
    /* JADX WARN: Type inference failed for: r0v10, types: [java.lang.String] */
    /* JADX WARN: Type inference failed for: r0v12, types: [org.geoserver.security.GeoServerSecurityManager] */
    /* JADX WARN: Type inference failed for: r0v7 */
    /* JADX WARN: Type inference failed for: r0v8, types: [java.lang.Throwable] */
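    /**
     * Checks a candidate master password against the stored digest.
     *
     * <p>The digest is loaded on first use, with the null check repeated inside a block
     * synchronized on this manager so that it is loaded once when callers race.
     *
     * @param cArr the candidate master password; not cleared by this method
     * @return the result of the digest encoder's {@code isPasswordValid}
     * @throws RuntimeException if the digest cannot be loaded or created
     */
    public boolean checkMasterPassword(char[] cArr) {
        GeoServerDigestPasswordEncoder encoder = (GeoServerDigestPasswordEncoder) loadPasswordEncoder(GeoServerDigestPasswordEncoder.class);
        if (this.masterPasswdDigest == null) {
            // The decompiler's untyped register variable ("?? r0", compared with 0) stood for
            // this lock and null check.
            synchronized (this) {
                if (this.masterPasswdDigest == null) {
                    try {
                        this.masterPasswdDigest = loadMasterPasswordDigest();
                    } catch (IOException e) {
                        throw new RuntimeException("Unable to create master password digest", e);
                    }
                }
            }
        }
        return encoder.isPasswordValid(this.masterPasswdDigest, cArr, (Object) null);
    }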

    /**
     * Returns the master password digest, reading it from {@code MASTER_PASSWD_DIGEST_FILENAME}
     * when that resource exists and otherwise computing and saving it from the master password.
     *
     * <p>On the compute path the plain master password is scrambled as soon as the digest has
     * been produced, whether or not that succeeded.
     *
     * @return the stored or newly computed digest
     * @throws IOException if the digest cannot be read or written
     */
    String loadMasterPasswordDigest() throws IOException {
        Resource digestFile = security().get(MASTER_PASSWD_DIGEST_FILENAME);
        if (digestFile.getType() != Resource.Type.RESOURCE) {
            char[] plainPassword = getMasterPassword();
            try {
                return computeAndSaveMasterPasswordDigest(plainPassword);
            } finally {
                disposePassword(plainPassword);
            }
        }
        InputStream stream = digestFile.in();
        try {
            return IOUtils.toString(stream);
        } finally {
            stream.close();
        }
    }

    /**
     * Writes the given digest to {@code MASTER_PASSWD_DIGEST_FILENAME}, replacing its content.
     *
     * @param str the digest to store
     * @throws IOException if opening, writing or closing the resource fails
     */
    void saveMasterPasswordDigest(String str) throws IOException {
        Resource digestFile = security().get(MASTER_PASSWD_DIGEST_FILENAME);
        OutputStream sink = digestFile.out();
        try {
            IOUtils.write(str, sink);
        } finally {
            sink.close();
        }
    }

    /**
     * Encodes the given master password with the digest password encoder, stores the result via
     * {@code saveMasterPasswordDigest}, and returns it.
     *
     * @param cArr the plain master password; not cleared by this method
     * @return the encoded digest that was stored
     * @throws IOException if storing the digest fails
     */
    String computeAndSaveMasterPasswordDigest(char[] cArr) throws IOException {
        GeoServerDigestPasswordEncoder encoder = (GeoServerDigestPasswordEncoder) loadPasswordEncoder(GeoServerDigestPasswordEncoder.class);
        String digest = encoder.encodePassword(cArr, (Object) null);
        saveMasterPasswordDigest(digest);
        return digest;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Returns the plain master password from the configured master password provider.
     *
     * <p>This method performs no authorization check of its own. The decompiler note above
     * records that it was package-private in the original source, so the {@code public} modifier
     * seen here should not be read as an intended public API. Callers in this class scramble the
     * returned array with {@code disposePassword} once they are done with it.
     *
     * @return the master password as returned by the provider
     * @throws RuntimeException wrapping any failure to load the provider or read the password
     */
    public char[] getMasterPassword() {
        try {
            String providerName = getMasterPasswordConfig().getProviderName();
            MasterPasswordProvider provider = loadMasterPasswordProvider(providerName);
            return provider.getMasterPassword();
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Overwrites a password held as characters by passing it to {@code SecurityUtils.scramble},
     * so that the plain value does not linger in memory after use.
     *
     * @param cArr the password array to scramble in place
     */
    public void disposePassword(char[] cArr) {
        SecurityUtils.scramble(cArr);
    }

    /**
     * Overwrites a password held as bytes by passing it to {@code SecurityUtils.scramble}, so
     * that the plain value does not linger in memory after use.
     *
     * @param bArr the password array to scramble in place
     */
    public void disposePassword(byte[] bArr) {
        SecurityUtils.scramble(bArr);
    }

    /**
     * Loads the stored configuration of the named master password provider through the helper.
     *
     * @param str the provider name
     * @return the configuration returned by the helper
     * @throws IOException if loading fails
     */
    public MasterPasswordProviderConfig loadMasterPassswordProviderConfig(String str) throws IOException {
        MasterPasswordProviderConfig stored = this.masterPasswordProviderHelper.loadConfig(str);
        return stored;
    }

    /**
     * Loads the named master password provider through the helper.
     *
     * @param str the provider name
     * @return the provider returned by the helper
     * @throws IOException if loading fails
     */
    protected MasterPasswordProvider loadMasterPasswordProvider(String str) throws IOException {
        MasterPasswordProvider provider = this.masterPasswordProviderHelper.load(str);
        return provider;
    }

    /**
     * Saves a master password provider configuration with validation enabled.
     *
     * @param masterPasswordProviderConfig the configuration to save
     * @throws IOException if loading the stored configuration or saving fails
     * @throws SecurityConfigException if validation rejects the configuration
     */
    public void saveMasterPasswordProviderConfig(MasterPasswordProviderConfig masterPasswordProviderConfig) throws IOException, SecurityConfigException {
        final boolean validate = true;
        saveMasterPasswordProviderConfig(masterPasswordProviderConfig, validate);
    }

    /**
     * Persists a master password provider configuration, optionally skipping validation.
     *
     * <p>A configuration without an id is always initialised before saving. With {@code z} set,
     * it is additionally validated as an addition (no id) or as a modification of the stored
     * configuration of the same name (with id). With {@code z} cleared nothing is validated, so
     * that path should stay limited to trusted internal callers.
     *
     * @param masterPasswordProviderConfig the configuration to save
     * @param z whether to validate before saving
     * @throws IOException if loading the stored configuration or saving fails
     * @throws SecurityConfigException if validation rejects the configuration
     */
    void saveMasterPasswordProviderConfig(MasterPasswordProviderConfig masterPasswordProviderConfig, boolean z) throws IOException, SecurityConfigException {
        SecurityConfigValidator validator = SecurityConfigValidator.getConfigurationValiator(MasterPasswordProvider.class, masterPasswordProviderConfig.getClassName());
        boolean isNew = masterPasswordProviderConfig.getId() == null;
        if (isNew) {
            masterPasswordProviderConfig.initBeforeSave();
        }
        if (z) {
            if (isNew) {
                validator.validateAddMasterPasswordProvider(masterPasswordProviderConfig);
            } else {
                MasterPasswordProviderConfig stored = this.masterPasswordProviderHelper.loadConfig(masterPasswordProviderConfig.getName());
                validator.validateModifiedMasterPasswordProvider(masterPasswordProviderConfig, stored);
            }
        }
        this.masterPasswordProviderHelper.saveConfig(masterPasswordProviderConfig);
    }

    /**
     * Validates the removal of a master password provider and deletes its stored configuration.
     *
     * @param masterPasswordProviderConfig the configuration of the provider to remove
     * @throws IOException if removing the stored configuration fails
     * @throws SecurityConfigException if validation rejects the removal
     */
    public void removeMasterPasswordProvder(MasterPasswordProviderConfig masterPasswordProviderConfig) throws IOException, SecurityConfigException {
        SecurityConfigValidator validator = SecurityConfigValidator.getConfigurationValiator(MasterPasswordProvider.class, masterPasswordProviderConfig.getClassName());
        validator.validateRemoveMasterPasswordProvider(masterPasswordProviderConfig);
        this.masterPasswordProviderHelper.removeConfig(masterPasswordProviderConfig.getName());
    }

    /**
     * Lists the master password providers by passing the {@code masterPasswordProvider()}
     * location to {@code listFiles}.
     *
     * @return the sorted names returned by {@code listFiles}
     * @throws IOException if the listing fails
     */
    public SortedSet<String> listMasterPasswordProviders() throws IOException {
        SortedSet<String> providerNames = listFiles(masterPasswordProvider());
        return providerNames;
    }

    /**
     * Notifies every registered {@code SecurityManagerListener} that the security configuration
     * changed, by calling {@code handlePostChanged} on each in iteration order.
     *
     * <p>An exception thrown by one listener propagates and stops the remaining notifications.
     */
    void fireChanged() {
        for (Iterator<SecurityManagerListener> it = this.listeners.iterator(); it.hasNext();) {
            SecurityManagerListener listener = it.next();
            listener.handlePostChanged(this);
        }
    }

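    /**
     * Chooses the master password to use when migrating an old installation.
     *
     * <p>The user properties are scanned for accounts that are the admin user or hold the admin
     * role, and whose password is at least 8 characters long and differs from the default master
     * password. The admin user's password is preferred; failing that, the password of some other
     * qualifying administrator is used (which one is not deterministic, as the candidates are
     * kept in a hash map). If no account qualifies, a random 8-character password is generated.
     * The outcome is written to {@code MASTER_PASSWD_INFO_FILENAME}.
     *
     * <p>Security notes for operators:
     * <ul>
     *   <li>When an account password is reused, the master password equals a login password, and
     *       the info file names that user.
     *   <li>When a password is generated, it is written to the info file in clear text; the file
     *       should be removed once read, as its own text says.
     *   <li>NOTE(review): 8 characters is short for a secret that protects the key store;
     *       changing the master password after migration is advisable.
     * </ul>
     *
     * @param properties the legacy user properties, or {@code null} if there are none
     * @return the chosen master password
     * @throws Exception if parsing a user entry or writing the info file fails
     */
    char[] extractMasterPasswordForMigration(Properties properties) throws Exception {
        Map<String, String> candidates = new HashMap<>();
        String defaultMasterPassword = new String(MASTER_PASSWD_DEFAULT);
        if (properties != null) {
            UserAttributeEditor editor = new UserAttributeEditor();
            // Properties.keySet() yields Object keys; the decompiled loop declared them as String
            // directly, which does not compile.
            for (Object key : properties.keySet()) {
                String username = (String) key;
                editor.setAsText(properties.getProperty(username));
                UserAttribute attribute = (UserAttribute) editor.getValue();
                if (attribute == null || attribute.getPassword() == null) {
                    continue;
                }
                String password = attribute.getPassword();
                if (password.length() < 8 || defaultMasterPassword.equals(password)) {
                    continue;
                }
                if (GeoServerUser.ADMIN_USERNAME.equals(username) || attribute.getAuthorities().contains(GeoServerRole.ADMIN_ROLE)) {
                    candidates.put(username, password);
                }
            }
        }
        String chosenUser = GeoServerUser.ADMIN_USERNAME;
        String chosenPassword = candidates.get(chosenUser);
        if (chosenPassword == null && !candidates.isEmpty()) {
            // No usable admin-user password: fall back to any other administrator.
            chosenUser = candidates.keySet().iterator().next();
            chosenPassword = candidates.get(chosenUser);
        }
        Resource infoFile = security().get(MASTER_PASSWD_INFO_FILENAME);
        char[] masterPassword;
        if (chosenPassword != null) {
            masterPassword = chosenPassword.toCharArray();
            writeMasterPasswordInfo(infoFile, "Master password is identical to the password of user: " + chosenUser, null);
        } else {
            masterPassword = getRandomPassworddProvider().getRandomPassword(8);
            writeMasterPasswordInfo(infoFile, "The generated master password is: ", masterPassword);
        }
        LOGGER.info("Information regarding the master password is in: " + infoFile.path());
        return masterPassword;
    }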

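    /**
     * Writes a short information file about the master password to the given resource.
     *
     * <p>The file holds a creation timestamp, the given message followed directly by the password
     * (when one is supplied), a hint to test the password as user "root", and a reminder to
     * delete the file. The password is written in clear text and the array is not scrambled
     * here; clearing it is left to the caller.
     *
     * <p>The decompiled body was a hand-expanded try-with-resources that rethrew a plain
     * {@code Throwable}, which this method's signature does not allow; it is restored to the
     * try-with-resources form, which closes the writer on every path.
     *
     * @param resource the resource to write to
     * @param str the message line
     * @param cArr the password to append to the message, or {@code null} to append nothing
     * @throws IOException if opening, writing or closing the resource fails
     */
    void writeMasterPasswordInfo(Resource resource, String str, char[] cArr) throws IOException {
        // Uses the platform default charset, as before; the text written here is the message
        // plus the password characters.
        try (BufferedWriter writer = new BufferedWriter(new OutputStreamWriter(resource.out()))) {
            writer.write("This file was created at " + new SimpleDateFormat("yyyy/MM/dd HH:mm:ss").format(new Date()));
            writer.newLine();
            writer.newLine();
            writer.write(str);
            if (cArr != null) {
                writer.write(cArr);
            }
            writer.newLine();
            writer.newLine();
            writer.write("Test the master password by logging in as user \"root\"");
            writer.newLine();
            writer.newLine();
            writer.write("This file should be removed after reading !!!.");
            writer.newLine();
        }
    }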

    /**
     * Dumps the master password to a file by converting the file to a resource and delegating to
     * the {@code Resource} overload, which performs the authorization checks.
     *
     * @param file the file to write to
     * @return {@code true} if the password was written, {@code false} if the request was refused
     * @throws IOException if writing fails
     */
    public boolean dumpMasterPassword(File file) throws IOException {
        Resource target = Files.asResource(file);
        return dumpMasterPassword(target);
    }

    /* JADX WARN: Multi-variable type inference failed */
    /* JADX WARN: Type inference failed for: r0v3, types: [java.lang.String[], java.lang.String[][]] */
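    /**
     * Writes the current master password, in clear text, to the given resource.
     *
     * <p>Two checks guard the dump: the current authentication must pass the admin-role check,
     * and one of the allow-listed class/method pairs must appear among the first 10 frames of the
     * calling stack. A refused request is logged at WARNING and reported by the return value.
     *
     * <p>NOTE(review): the stack check compares class and method names only, so it documents the
     * expected call path rather than authenticating the caller; the role check is the actual
     * gate. The allow-list also contains a test class, which does not belong in a production
     * allow-list if it can be avoided.
     *
     * @param resource the resource to write to
     * @return {@code true} if the password was written, {@code false} if the request was refused
     * @throws IOException if writing fails
     */
    public boolean dumpMasterPassword(Resource resource) throws IOException {
        if (!checkAuthenticationForAdminRole()) {
            LOGGER.warning("Unautorized user tries to dump master password");
            return false;
        }
        // The decompiler emitted this two-dimensional array with a one-dimensional outer
        // initializer, which does not compile.
        String[][] allowedCallers = {
            {"org.geoserver.security.GeoServerSecurityManagerTest", "testMasterPasswordDump"},
            {"org.geoserver.security.web.passwd.MasterPasswordInfoPage", "dumpMasterPassword"}
        };
        String offendingStack = checkStackTrace(10, allowedCallers);
        if (offendingStack != null) {
            LOGGER.warning("Dump master password is called by an unautorized method\n" + offendingStack);
            return false;
        }
        char[] masterPassword = getMasterPassword();
        try {
            writeMasterPasswordInfo(resource, "The current master password is: ", masterPassword);
        } finally {
            // Scramble the plain copy once written, as loadMasterPasswordDigest() does with the
            // array it obtains from getMasterPassword().
            disposePassword(masterPassword);
        }
        return true;
    }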

    /* JADX WARN: Multi-variable type inference failed */
    /* JADX WARN: Type inference failed for: r0v3, types: [java.lang.String[], java.lang.String[][]] */
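    /**
     * Returns the plain master password to the REST controller.
     *
     * <p>Two checks guard the call: the current authentication must pass the admin-role check,
     * and the allow-listed controller method must appear among the first 10 frames of the calling
     * stack. Either failure raises an {@link IOException}.
     *
     * <p>NOTE(review): the stack check compares class and method names only, so it documents the
     * expected call path rather than authenticating the caller; the role check is the actual
     * gate. The returned array holds the clear-text password and should be scrambled by the
     * caller after use.
     *
     * @return the master password
     * @throws IOException if the caller is not an administrator or is not the allow-listed method
     */
    public char[] getMasterPasswordForREST() throws IOException {
        if (!checkAuthenticationForAdminRole()) {
            throw new IOException("Unauthorized user tries to read master password");
        }
        // The decompiler emitted this two-dimensional array with a one-dimensional outer
        // initializer, which does not compile.
        String[][] allowedCallers = {
            {"org.geoserver.rest.security.MasterPasswordController", "masterPasswordGet"}
        };
        String offendingStack = checkStackTrace(10, allowedCallers);
        if (offendingStack != null) {
            throw new IOException("Unauthorized method wants to read master password\n" + offendingStack);
        }
        return getMasterPassword();
    }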

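    /**
     * Checks whether one of the given class/method pairs appears near the top of the current
     * thread's stack.
     *
     * <p>At most {@code i} frames are inspected, and never more than the stack actually holds
     * (the previous loop indexed {@code i} frames unconditionally and failed with an
     * {@link ArrayIndexOutOfBoundsException} on a shallower stack).
     *
     * <p>Matching is by class name and method name only. It records which call paths are
     * expected but cannot prove who the caller is, so it must not be the only control in front
     * of a secret.
     *
     * @param i the number of top frames to inspect
     * @param strArr the allowed callers, each as {@code {className, methodName}}
     * @return {@code null} if an allowed caller was found, otherwise a listing of the inspected
     *     frames, one {@code "class : method"} line per frame
     */
    String checkStackTrace(int i, String[][] strArr) {
        StackTraceElement[] stackTrace = Thread.currentThread().getStackTrace();
        int depth = Math.min(i, stackTrace.length);
        for (int frame = 0; frame < depth; frame++) {
            StackTraceElement element = stackTrace[frame];
            for (String[] allowed : strArr) {
                if (allowed[0].equals(element.getClassName()) && allowed[1].equals(element.getMethodName())) {
                    return null;
                }
            }
        }
        // No allowed caller: describe the inspected frames for the caller's log or exception.
        StringBuilder report = new StringBuilder();
        for (int frame = 0; frame < depth; frame++) {
            StackTraceElement element = stackTrace[frame];
            report.append(element.getClassName()).append(" : ").append(element.getMethodName()).append("\n");
        }
        return report.toString();
    }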

    /**
     * Builds the initial security configuration for a data directory that does not have one yet,
     * importing users and roles from the legacy {@code users.properties} file when it is present.
     *
     * <p>If the resource returned by {@code role()} already exists, nothing is migrated; the method
     * only logs a hint when a leftover {@code users.properties.old} is found. Otherwise it creates,
     * in this order: the default master password provider and config, {@code services.properties}
     * (from a template, if missing), a user/group key in the key store, the two password policies,
     * the default user/group and role services, the filter configurations, the default
     * authentication provider and the security manager config. It then imports users and roles,
     * rewrites the admin role name in the legacy property files, stores both stores and renames
     * {@code users.properties} to {@code users.properties.old}.
     *
     * <p>Security-relevant defaults written here: the "default" password policy has minimum length
     * 0, the master password policy has minimum length 8, URL parameter encryption is off, and a
     * default admin account is created when there is no legacy user file and no admin user.
     *
     * @return {@code true} if a migration was performed, {@code false} if the role resource already
     *     existed
     * @throws Exception propagated from any of the load/save/store calls
     */
    boolean migrateFrom21() throws Exception {
        // Never assigned or read in this method (looks like decompiler residue).
        Throwable th;
        // role() is defined elsewhere; presumably the role-service configuration root -- TODO confirm.
        // Its existence is used as the "already migrated" marker.
        if (role().getType() != Resource.Type.UNDEFINED) {
            Resource resource = security().get("users.properties.old");
            if (resource.getType() == Resource.Type.UNDEFINED) {
                return false;
            }
            // The renamed legacy user file is still on disk; only a hint is logged, nothing is deleted.
            LOGGER.warning(String.valueOf(resource.path()) + " could be removed manually");
            return false;
        }
        LOGGER.info("Start security migration");
        MasterPasswordProviderConfig loadMasterPassswordProviderConfig = loadMasterPassswordProviderConfig("default");
        if (loadMasterPassswordProviderConfig == null) {
            // No provider yet: create a URL-based one pointing at "file:passwd" with encryption
            // enabled, and make it writable so the master password can be set below.
            loadMasterPassswordProviderConfig = new URLMasterPasswordProviderConfig();
            loadMasterPassswordProviderConfig.setName("default");
            loadMasterPassswordProviderConfig.setClassName(URLMasterPasswordProvider.class.getCanonicalName());
            loadMasterPassswordProviderConfig.setReadOnly(false);
            ((URLMasterPasswordProviderConfig) loadMasterPassswordProviderConfig).setURL(new URL("file:passwd"));
            ((URLMasterPasswordProviderConfig) loadMasterPassswordProviderConfig).setEncrypting(true);
            saveMasterPasswordProviderConfig(loadMasterPassswordProviderConfig, false);
            MasterPasswordProvider loadMasterPasswordProvider = loadMasterPasswordProvider(loadMasterPassswordProviderConfig.getName());
            Resource resource2 = security().get("users.properties");
            // The initial master password is derived from the legacy user file when it exists
            // (null is passed otherwise); how it is derived is in extractMasterPasswordForMigration.
            loadMasterPasswordProvider.setMasterPassword(extractMasterPasswordForMigration(resource2.getType() == Resource.Type.RESOURCE ? Util.loadPropertyFile(resource2) : null));
        }
        MasterPasswordConfig masterPasswordConfig = new MasterPasswordConfig();
        masterPasswordConfig.setProviderName(loadMasterPassswordProviderConfig.getName());
        saveMasterPasswordConfig(masterPasswordConfig);
        Resource resource3 = security().get("services.properties");
        if (resource3.getType() == Resource.Type.UNDEFINED) {
            // Seed services.properties from the bundled template when the data directory has none.
            org.geoserver.util.IOUtils.copy(Util.class.getResourceAsStream("serviceTemplate.properties"), resource3.out());
        }
        // Looked up before the key store is touched; may be null and is created further down.
        GeoServerUserGroupService loadUserGroupService = loadUserGroupService(XMLUserGroupService.DEFAULT_NAME);
        KeyStoreProvider keyStoreProvider = getKeyStoreProvider();
        keyStoreProvider.reloadKeyStore();
        // Fresh random key for the default user/group service (argument 32 is the requested length).
        keyStoreProvider.setUserGroupKey(XMLUserGroupService.DEFAULT_NAME, this.randomPasswdProvider.getRandomPassword(32));
        keyStoreProvider.storeKeyStore();
        if (loadPasswordValidator("default") == null) {
            PasswordPolicyConfig passwordPolicyConfig = new PasswordPolicyConfig();
            passwordPolicyConfig.setName("default");
            passwordPolicyConfig.setClassName(PasswordValidatorImpl.class.getName());
            // NOTE(review): minimum length 0 means the default policy accepts any length as far
            // as this setting goes; operators may want to tighten it after migration.
            passwordPolicyConfig.setMinLength(0);
            savePasswordPolicy(passwordPolicyConfig);
            // Result is discarded; presumably called to verify the saved policy loads -- confirm.
            loadPasswordValidator("default");
        }
        if (loadPasswordValidator(PasswordValidator.MASTERPASSWORD_NAME) == null) {
            PasswordPolicyConfig passwordPolicyConfig2 = new PasswordPolicyConfig();
            passwordPolicyConfig2.setName(PasswordValidator.MASTERPASSWORD_NAME);
            passwordPolicyConfig2.setClassName(PasswordValidatorImpl.class.getName());
            // The master password policy is stricter than the default one: at least 8 characters.
            passwordPolicyConfig2.setMinLength(8);
            savePasswordPolicy(passwordPolicyConfig2);
            loadPasswordValidator(PasswordValidator.MASTERPASSWORD_NAME);
        }
        if (loadUserGroupService == null) {
            XMLUserGroupServiceConfig xMLUserGroupServiceConfig = new XMLUserGroupServiceConfig();
            xMLUserGroupServiceConfig.setName(XMLUserGroupService.DEFAULT_NAME);
            xMLUserGroupServiceConfig.setClassName(XMLUserGroupService.class.getName());
            xMLUserGroupServiceConfig.setCheckInterval(10000L);
            xMLUserGroupServiceConfig.setFileName(XMLConstants.FILE_UR);
            xMLUserGroupServiceConfig.setValidating(true);
            // User passwords of the default service use the PBE encoder returned by
            // loadPasswordEncoder(..., null, false); the meaning of the two flags is defined there.
            xMLUserGroupServiceConfig.setPasswordEncoderName(((GeoServerPBEPasswordEncoder) loadPasswordEncoder(GeoServerPBEPasswordEncoder.class, null, false)).getName());
            xMLUserGroupServiceConfig.setPasswordPolicyName("default");
            saveUserGroupService(xMLUserGroupServiceConfig);
            loadUserGroupService = loadUserGroupService(XMLUserGroupService.DEFAULT_NAME);
        }
        GeoServerRoleService loadRoleService = loadRoleService(XMLRoleService.DEFAULT_NAME);
        if (loadRoleService == null) {
            XMLRoleServiceConfig xMLRoleServiceConfig = new XMLRoleServiceConfig();
            xMLRoleServiceConfig.setName(XMLRoleService.DEFAULT_NAME);
            xMLRoleServiceConfig.setClassName(XMLRoleService.class.getName());
            xMLRoleServiceConfig.setCheckInterval(10000L);
            xMLRoleServiceConfig.setFileName(XMLConstants.FILE_RR);
            xMLRoleServiceConfig.setValidating(true);
            xMLRoleServiceConfig.setAdminRoleName(XMLRoleService.DEFAULT_LOCAL_ADMIN_ROLE);
            xMLRoleServiceConfig.setGroupAdminRoleName(XMLRoleService.DEFAULT_LOCAL_GROUP_ADMIN_ROLE);
            saveRoleService(xMLRoleServiceConfig);
            loadRoleService = loadRoleService(XMLRoleService.DEFAULT_NAME);
        }
        // Each filter below is created only when no filter with that name can be loaded.
        if (loadFilter(GeoServerSecurityFilterChain.BASIC_AUTH_FILTER) == null) {
            BasicAuthenticationFilterConfig basicAuthenticationFilterConfig = new BasicAuthenticationFilterConfig();
            basicAuthenticationFilterConfig.setName(GeoServerSecurityFilterChain.BASIC_AUTH_FILTER);
            basicAuthenticationFilterConfig.setClassName(GeoServerBasicAuthenticationFilter.class.getName());
            basicAuthenticationFilterConfig.setUseRememberMe(true);
            saveFilter(basicAuthenticationFilterConfig);
        }
        if (loadFilter(GeoServerSecurityFilterChain.FORM_LOGIN_FILTER) == null) {
            UsernamePasswordAuthenticationFilterConfig usernamePasswordAuthenticationFilterConfig = new UsernamePasswordAuthenticationFilterConfig();
            usernamePasswordAuthenticationFilterConfig.setClassName(GeoServerUserNamePasswordAuthenticationFilter.class.getName());
            usernamePasswordAuthenticationFilterConfig.setName(GeoServerSecurityFilterChain.FORM_LOGIN_FILTER);
            usernamePasswordAuthenticationFilterConfig.setUsernameParameterName("username");
            usernamePasswordAuthenticationFilterConfig.setPasswordParameterName("password");
            saveFilter(usernamePasswordAuthenticationFilterConfig);
        }
        // Two security-context filters that differ only in whether session creation is allowed.
        if (loadFilter(GeoServerSecurityFilterChain.SECURITY_CONTEXT_ASC_FILTER) == null) {
            SecurityContextPersistenceFilterConfig securityContextPersistenceFilterConfig = new SecurityContextPersistenceFilterConfig();
            securityContextPersistenceFilterConfig.setClassName(GeoServerSecurityContextPersistenceFilter.class.getName());
            securityContextPersistenceFilterConfig.setName(GeoServerSecurityFilterChain.SECURITY_CONTEXT_ASC_FILTER);
            securityContextPersistenceFilterConfig.setAllowSessionCreation(true);
            saveFilter(securityContextPersistenceFilterConfig);
        }
        if (loadFilter(GeoServerSecurityFilterChain.SECURITY_CONTEXT_NO_ASC_FILTER) == null) {
            SecurityContextPersistenceFilterConfig securityContextPersistenceFilterConfig2 = new SecurityContextPersistenceFilterConfig();
            securityContextPersistenceFilterConfig2.setClassName(GeoServerSecurityContextPersistenceFilter.class.getName());
            securityContextPersistenceFilterConfig2.setName(GeoServerSecurityFilterChain.SECURITY_CONTEXT_NO_ASC_FILTER);
            securityContextPersistenceFilterConfig2.setAllowSessionCreation(false);
            saveFilter(securityContextPersistenceFilterConfig2);
        }
        if (loadFilter("anonymous") == null) {
            SecurityNamedServiceConfig anonymousAuthenticationFilterConfig = new AnonymousAuthenticationFilterConfig();
            anonymousAuthenticationFilterConfig.setClassName(GeoServerAnonymousAuthenticationFilter.class.getName());
            anonymousAuthenticationFilterConfig.setName("anonymous");
            saveFilter(anonymousAuthenticationFilterConfig);
        }
        if (loadFilter(GeoServerSecurityFilterChain.REMEMBER_ME_FILTER) == null) {
            SecurityNamedServiceConfig rememberMeAuthenticationFilterConfig = new RememberMeAuthenticationFilterConfig();
            rememberMeAuthenticationFilterConfig.setClassName(GeoServerRememberMeAuthenticationFilter.class.getName());
            rememberMeAuthenticationFilterConfig.setName(GeoServerSecurityFilterChain.REMEMBER_ME_FILTER);
            saveFilter(rememberMeAuthenticationFilterConfig);
        }
        // Both interceptors are configured with allowIfAllAbstainDecisions = false.
        if (loadFilter(GeoServerSecurityFilterChain.FILTER_SECURITY_INTERCEPTOR) == null) {
            SecurityInterceptorFilterConfig securityInterceptorFilterConfig = new SecurityInterceptorFilterConfig();
            securityInterceptorFilterConfig.setClassName(GeoServerSecurityInterceptorFilter.class.getName());
            securityInterceptorFilterConfig.setName(GeoServerSecurityFilterChain.FILTER_SECURITY_INTERCEPTOR);
            securityInterceptorFilterConfig.setAllowIfAllAbstainDecisions(false);
            securityInterceptorFilterConfig.setSecurityMetadataSource("geoserverMetadataSource");
            saveFilter(securityInterceptorFilterConfig);
        }
        if (loadFilter(GeoServerSecurityFilterChain.FILTER_SECURITY_REST_INTERCEPTOR) == null) {
            SecurityInterceptorFilterConfig securityInterceptorFilterConfig2 = new SecurityInterceptorFilterConfig();
            securityInterceptorFilterConfig2.setClassName(GeoServerSecurityInterceptorFilter.class.getName());
            securityInterceptorFilterConfig2.setName(GeoServerSecurityFilterChain.FILTER_SECURITY_REST_INTERCEPTOR);
            securityInterceptorFilterConfig2.setAllowIfAllAbstainDecisions(false);
            securityInterceptorFilterConfig2.setSecurityMetadataSource("restFilterDefinitionMap");
            saveFilter(securityInterceptorFilterConfig2);
        }
        if (loadFilter(GeoServerSecurityFilterChain.FORM_LOGOUT_FILTER) == null) {
            SecurityNamedServiceConfig logoutFilterConfig = new LogoutFilterConfig();
            logoutFilterConfig.setClassName(GeoServerLogoutFilter.class.getName());
            logoutFilterConfig.setName(GeoServerSecurityFilterChain.FORM_LOGOUT_FILTER);
            saveFilter(logoutFilterConfig);
        }
        // Two exception-translation filters: the "dynamic" one has no authentication filter name,
        // the GUI one points at the form login filter. Both use /accessDenied.jsp.
        if (loadFilter(GeoServerSecurityFilterChain.DYNAMIC_EXCEPTION_TRANSLATION_FILTER) == null) {
            ExceptionTranslationFilterConfig exceptionTranslationFilterConfig = new ExceptionTranslationFilterConfig();
            exceptionTranslationFilterConfig.setClassName(GeoServerExceptionTranslationFilter.class.getName());
            exceptionTranslationFilterConfig.setName(GeoServerSecurityFilterChain.DYNAMIC_EXCEPTION_TRANSLATION_FILTER);
            exceptionTranslationFilterConfig.setAuthenticationFilterName(null);
            exceptionTranslationFilterConfig.setAccessDeniedErrorPage("/accessDenied.jsp");
            saveFilter(exceptionTranslationFilterConfig);
        }
        if (loadFilter(GeoServerSecurityFilterChain.GUI_EXCEPTION_TRANSLATION_FILTER) == null) {
            ExceptionTranslationFilterConfig exceptionTranslationFilterConfig2 = new ExceptionTranslationFilterConfig();
            exceptionTranslationFilterConfig2.setClassName(GeoServerExceptionTranslationFilter.class.getName());
            exceptionTranslationFilterConfig2.setName(GeoServerSecurityFilterChain.GUI_EXCEPTION_TRANSLATION_FILTER);
            exceptionTranslationFilterConfig2.setAuthenticationFilterName(GeoServerSecurityFilterChain.FORM_LOGIN_FILTER);
            exceptionTranslationFilterConfig2.setAccessDeniedErrorPage("/accessDenied.jsp");
            saveFilter(exceptionTranslationFilterConfig2);
        }
        GeoServerAuthenticationProvider loadAuthenticationProvider = loadAuthenticationProvider(GeoServerAuthenticationProvider.DEFAULT_NAME);
        if (loadAuthenticationProvider == null) {
            // Default provider: username/password authentication against the user/group service above.
            SecurityAuthProviderConfig usernamePasswordAuthenticationProviderConfig = new UsernamePasswordAuthenticationProviderConfig();
            usernamePasswordAuthenticationProviderConfig.setName(GeoServerAuthenticationProvider.DEFAULT_NAME);
            usernamePasswordAuthenticationProviderConfig.setClassName(UsernamePasswordAuthenticationProvider.class.getName());
            usernamePasswordAuthenticationProviderConfig.setUserGroupServiceName(loadUserGroupService.getName());
            saveAuthenticationProvider(usernamePasswordAuthenticationProviderConfig);
            loadAuthenticationProvider = loadAuthenticationProvider(GeoServerAuthenticationProvider.DEFAULT_NAME);
        }
        // Global security configuration: role service, auth provider, config password encrypter,
        // remember-me service and the initial filter chain.
        SecurityManagerConfig securityManagerConfig = new SecurityManagerConfig();
        securityManagerConfig.setRoleServiceName(loadRoleService.getName());
        securityManagerConfig.getAuthProviderNames().add(loadAuthenticationProvider.getName());
        // URL parameter encryption is switched off in the migrated configuration.
        securityManagerConfig.setEncryptingUrlParams(false);
        securityManagerConfig.setConfigPasswordEncrypterName(((GeoServerPBEPasswordEncoder) loadPasswordEncoder(GeoServerPBEPasswordEncoder.class, true, false)).getName());
        RememberMeServicesConfig rememberMeServicesConfig = new RememberMeServicesConfig();
        rememberMeServicesConfig.setClassName(GeoServerTokenBasedRememberMeServices.class.getName());
        securityManagerConfig.setRememberMeService(rememberMeServicesConfig);
        securityManagerConfig.setFilterChain(GeoServerSecurityFilterChain.createInitialChain());
        saveSecurityConfig(securityManagerConfig);
        loadUserGroupService.setSecurityManager(this);
        loadRoleService.setSecurityManager(this);
        // createStore = user/group store, createStore2 = role store; both are persisted near the end.
        GeoServerUserGroupStore createStore = loadUserGroupService.createStore();
        GeoServerRoleStore createStore2 = loadRoleService.createStore();
        Resource resource4 = security().get("users.properties");
        if (resource4.getType() == Resource.Type.RESOURCE) {
            // Import every entry of the legacy user file: key = user name, value = text parsed by
            // UserAttributeEditor into password, enabled flag and authorities.
            Properties loadPropertyFile = Util.loadPropertyFile(resource4);
            UserAttributeEditor userAttributeEditor = new UserAttributeEditor();
            // NOTE(review): Properties.keySet() is a Set<Object>; this loop header looks like
            // decompiler output and may need a cast to compile.
            for (String str : loadPropertyFile.keySet()) {
                userAttributeEditor.setAsText(loadPropertyFile.getProperty(str));
                UserAttribute userAttribute = (UserAttribute) userAttributeEditor.getValue();
                // Entries the editor cannot turn into a UserAttribute are skipped without a log message.
                if (userAttribute != null) {
                    // The legacy password is handed to the store as-is; whether the store encodes it
                    // on addUser is not visible here -- TODO confirm.
                    createStore.addUser(createStore.createUserObject(str, userAttribute.getPassword(), userAttribute.isEnabled()));
                    for (GrantedAuthority grantedAuthority : userAttribute.getAuthorities()) {
                        // The global admin authority is mapped to the local admin role of the XML
                        // role service; every other authority keeps its name.
                        String authority = GeoServerRole.ADMIN_ROLE.getAuthority().equals(grantedAuthority.getAuthority()) ? XMLRoleService.DEFAULT_LOCAL_ADMIN_ROLE : grantedAuthority.getAuthority();
                        GeoServerRole roleByName = createStore2.getRoleByName(authority);
                        if (roleByName == null) {
                            roleByName = createStore2.createRoleObject(authority);
                            createStore2.addRole(roleByName);
                        }
                        createStore2.associateRoleToUser(roleByName, str);
                    }
                }
            }
        } else if (loadUserGroupService.getUserByUsername(GeoServerUser.ADMIN_USERNAME) == null) {
            // No legacy user file and no admin user: create the default admin and give it the local
            // admin role.
            // NOTE(review): createDefaultAdmin() presumably uses a well-known default password --
            // confirm, and make sure operators change it after migration.
            createStore.addUser(GeoServerUser.createDefaultAdmin());
            GeoServerRole createRoleObject = createStore2.createRoleObject(XMLRoleService.DEFAULT_LOCAL_ADMIN_ROLE);
            createStore2.addRole(createRoleObject);
            createStore2.associateRoleToUser(createRoleObject, GeoServerUser.ADMIN_USERNAME);
        }
        if (createStore2.getRoleByName(XMLRoleService.DEFAULT_LOCAL_GROUP_ADMIN_ROLE) == null) {
            createStore2.addRole(createStore2.createRoleObject(XMLRoleService.DEFAULT_LOCAL_GROUP_ADMIN_ROLE));
        }
        // Rewrite the legacy rule files in place: every occurrence of the global admin authority
        // string on any line is replaced by the local admin role name.
        for (String str2 : new String[]{"services.properties", "layers.properties", "rest.properties"}) {
            Resource resource5 = security().get(str2);
            if (resource5.getType() != Resource.Type.UNDEFINED) {
                ArrayList arrayList = new ArrayList();
                Throwable th2 = null;
                try {
                    // No charset is given, so the JVM default charset is used for reading
                    // (and for writing below).
                    BufferedReader bufferedReader = new BufferedReader(new InputStreamReader(resource5.in()));
                    while (true) {
                        try {
                            String readLine = bufferedReader.readLine();
                            if (readLine == null) {
                                break;
                            }
                            arrayList.add(readLine.replace(GeoServerRole.ADMIN_ROLE.getAuthority(), XMLRoleService.DEFAULT_LOCAL_ADMIN_ROLE));
                        } catch (Throwable th3) {
                            // Close the reader before rethrowing the read failure.
                            th2 = th3;
                            if (bufferedReader != null) {
                                bufferedReader.close();
                            }
                            throw th2;
                        }
                    }
                    if (bufferedReader != null) {
                        bufferedReader.close();
                    }
                    Throwable th4 = null;
                    try {
                        // The whole file was buffered above, so the same resource can now be
                        // overwritten with the rewritten lines.
                        PrintWriter printWriter = new PrintWriter(new OutputStreamWriter(resource5.out()));
                        try {
                            Iterator it = arrayList.iterator();
                            while (it.hasNext()) {
                                printWriter.println((String) it.next());
                            }
                            if (printWriter != null) {
                                printWriter.close();
                            }
                        } catch (Throwable th5) {
                            th4 = th5;
                            if (printWriter != null) {
                                printWriter.close();
                            }
                            throw th4;
                        }
                    } finally {
                        // Empty: the writer is closed on both paths above.
                    }
                } finally {
                    // Empty: the reader is closed on both paths above.
                }
            }
        }
        // Make sure every role named in services.properties exists in the role store
        // (values are comma-separated role names).
        Resource resource6 = security().get("services.properties");
        if (resource6.getType() != Resource.Type.UNDEFINED) {
            Iterator it2 = Util.loadPropertyFile(resource6).entrySet().iterator();
            while (it2.hasNext()) {
                StringTokenizer stringTokenizer = new StringTokenizer((String) ((Map.Entry) it2.next()).getValue(), ",");
                while (stringTokenizer.hasMoreTokens()) {
                    String trim = stringTokenizer.nextToken().trim();
                    if (trim.length() > 0 && createStore2.getRoleByName(trim) == null) {
                        createStore2.addRole(createStore2.createRoleObject(trim));
                    }
                }
            }
        }
        // Same for layers.properties, except that the "mode" key and the "*" wildcard are not roles.
        Resource resource7 = security().get("layers.properties");
        if (resource7.getType() == Resource.Type.RESOURCE) {
            for (Map.Entry entry : Util.loadPropertyFile(resource7).entrySet()) {
                if (!"mode".equals(entry.getKey().toString())) {
                    StringTokenizer stringTokenizer2 = new StringTokenizer((String) entry.getValue(), ",");
                    while (stringTokenizer2.hasMoreTokens()) {
                        String trim2 = stringTokenizer2.nextToken().trim();
                        if (trim2.length() > 0 && !trim2.equals("*") && createStore2.getRoleByName(trim2) == null) {
                            createStore2.addRole(createStore2.createRoleObject(trim2));
                        }
                    }
                }
            }
        }
        // Persist roles first, then users.
        createStore2.store();
        createStore.store();
        if (resource4.getType() != Resource.Type.UNDEFINED) {
            // Keep the legacy user file as users.properties.old instead of deleting it. The result
            // of renameTo is not checked, so "Renamed" is logged even if the rename did not happen.
            // NOTE(review): the .old file still holds the legacy credentials; the early-return
            // branch at the top only reminds operators that it can be removed.
            Resource resource8 = this.dataDir.get(String.valueOf(resource4.path()) + ".old");
            resource4.renameTo(resource8);
            LOGGER.info("Renamed " + resource4.path() + " to " + resource8.path());
        }
        LOGGER.info("End security migration");
        return true;
    }

    /**
     * Upgrades a 2.2-style security configuration: adds the role and SSL filters, sets the logout
     * redirect URL, and rewrites every request filter chain so that session creation is a chain
     * property instead of a pair of security-context filters.
     *
     * <p>The presence of the role filter is the "already migrated" marker. In that case only hints
     * about leftover {@code config.xml.2.2.x} backups are logged.
     *
     * @param z when {@code true}, no {@code config.xml.2.2.x} backups are written and the filter
     *     configurations are not re-saved at the end
     * @return {@code true} if the migration ran, {@code false} if the role filter already existed
     * @throws Exception propagated from the load/save/copy calls
     */
    boolean migrateFrom22(boolean z) throws Exception {
        GeoServerSecurityFilter existingRoleFilter = loadFilter(GeoServerSecurityFilterChain.ROLE_FILTER);
        Resource logoutDir = filterRoot().get(GeoServerSecurityFilterChain.FORM_LOGOUT_FILTER);
        Resource logoutBackup = logoutDir.get("config.xml.2.2.x");
        Resource securityBackup = security().get("config.xml.2.2.x");

        if (existingRoleFilter != null) {
            // Already migrated: point the operator at backups that are still lying around.
            if (logoutBackup.getType() == Resource.Type.RESOURCE) {
                LOGGER.warning(String.valueOf(logoutBackup.path()) + " could be removed manually");
            }
            if (securityBackup.getType() == Resource.Type.RESOURCE) {
                LOGGER.warning(String.valueOf(securityBackup.path()) + " could be removed manually");
            }
            return false;
        }

        // New in this layout: a role filter with its default header attribute and converter ...
        RoleFilterConfig roleConfig = new RoleFilterConfig();
        roleConfig.setClassName(GeoServerRoleFilter.class.getName());
        roleConfig.setName(GeoServerSecurityFilterChain.ROLE_FILTER);
        roleConfig.setHttpResponseHeaderAttrForIncludedRoles(GeoServerRoleFilter.DEFAULT_HEADER_ATTRIBUTE);
        roleConfig.setRoleConverterName(GeoServerRoleFilter.DEFAULT_ROLE_CONVERTER);
        saveFilter(roleConfig);

        // ... and an SSL filter on port 443.
        SSLFilterConfig sslConfig = new SSLFilterConfig();
        sslConfig.setClassName(GeoServerSSLFilter.class.getName());
        sslConfig.setName(GeoServerSecurityFilterChain.SSL_FILTER);
        sslConfig.setSslPort(443);
        saveFilter(sslConfig);

        final boolean writeBackups = !z;

        // Back up the logout filter config before it is changed.
        if (writeBackups) {
            org.geoserver.util.IOUtils.copy(logoutDir.get(CONFIG_FILENAME).in(), logoutBackup.out());
        }
        LogoutFilterConfig logoutConfig = (LogoutFilterConfig) loadFilterConfig(GeoServerSecurityFilterChain.FORM_LOGOUT_FILTER);
        logoutConfig.setRedirectURL(GeoServerLogoutFilter.URL_AFTER_LOGOUT);
        saveFilter(logoutConfig);

        // Back up the global security config before the chains are rewritten.
        if (writeBackups) {
            org.geoserver.util.IOUtils.copy(security().get(CONFIG_FILENAME).in(), securityBackup.out());
        }
        SecurityManagerConfig managerConfig = loadSecurityConfig();
        for (RequestFilterChain chain : managerConfig.getFilterChain().getRequestChains()) {
            List<String> names = chain.getFilterNames();

            // The two security-context filters become the chain's allowSessionCreation flag.
            if (names.contains(GeoServerSecurityFilterChain.SECURITY_CONTEXT_ASC_FILTER)) {
                chain.setAllowSessionCreation(true);
                names.remove(GeoServerSecurityFilterChain.SECURITY_CONTEXT_ASC_FILTER);
            }
            if (names.contains(GeoServerSecurityFilterChain.SECURITY_CONTEXT_NO_ASC_FILTER)) {
                chain.setAllowSessionCreation(false);
                names.remove(GeoServerSecurityFilterChain.SECURITY_CONTEXT_NO_ASC_FILTER);
            }

            if (GeoServerSecurityFilterChain.WEB_CHAIN_NAME.equals(chain.getName())) {
                // The GUI exception translation filter is replaced by the dynamic one.
                int guiPos = names.indexOf(GeoServerSecurityFilterChain.GUI_EXCEPTION_TRANSLATION_FILTER);
                if (guiPos != -1) {
                    names.set(guiPos, GeoServerSecurityFilterChain.DYNAMIC_EXCEPTION_TRANSLATION_FILTER);
                }
                // The web chain needs the form login filter: insert it before "anonymous", or
                // before the security interceptor when there is no anonymous filter.
                if (!names.contains(GeoServerSecurityFilterChain.FORM_LOGIN_FILTER)) {
                    int insertAt = names.indexOf("anonymous");
                    if (insertAt == -1) {
                        insertAt = names.indexOf(GeoServerSecurityFilterChain.FILTER_SECURITY_INTERCEPTOR);
                    }
                    if (insertAt != -1) {
                        names.add(insertAt, GeoServerSecurityFilterChain.FORM_LOGIN_FILTER);
                    }
                }
            }

            // These three names are dropped from every chain's explicit filter list.
            names.remove(GeoServerSecurityFilterChain.DYNAMIC_EXCEPTION_TRANSLATION_FILTER);
            names.remove(GeoServerSecurityFilterChain.FILTER_SECURITY_INTERCEPTOR);
            names.remove(GeoServerSecurityFilterChain.FILTER_SECURITY_REST_INTERCEPTOR);
        }
        removeFilter(loadFilterConfig(GeoServerSecurityFilterChain.GUI_EXCEPTION_TRANSLATION_FILTER));
        saveSecurityConfig(managerConfig);

        if (writeBackups) {
            // Re-save every loadable filter configuration.
            for (String filterName : listFilters()) {
                SecurityFilterConfig filterConfig = loadFilterConfig(filterName);
                if (filterConfig != null) {
                    saveFilter(filterConfig);
                }
            }
        }
        return true;
    }

    /**
     * Ensures the web filter chain also matches the root pattern {@code "/"}.
     *
     * @return {@code true} if the pattern was added and the configuration saved, {@code false} if
     *     it was already present
     * @throws Exception propagated from loading or saving the security configuration
     */
    boolean migrateFrom23() throws Exception {
        SecurityManagerConfig managerConfig = loadSecurityConfig();
        List<String> webPatterns = managerConfig.getFilterChain().getRequestChainByName(GeoServerSecurityFilterChain.WEB_CHAIN_NAME).getPatterns();
        if (webPatterns.contains("/")) {
            return false;
        }
        webPatterns.add("/");
        saveSecurityConfig(managerConfig);
        return true;
    }

    /**
     * Clears the access-denied error page of the dynamic and GUI exception translation filters
     * when it is set to {@code /accessDenied.jsp}, and saves each filter that was changed.
     *
     * <p>Filters that cannot be loaded or that use a different page are left untouched.
     *
     * @throws Exception propagated from loading or saving a filter configuration
     */
    void removeErroneousAccessDeniedPage() throws Exception {
        String[] translationFilters = {
            GeoServerSecurityFilterChain.DYNAMIC_EXCEPTION_TRANSLATION_FILTER,
            GeoServerSecurityFilterChain.GUI_EXCEPTION_TRANSLATION_FILTER
        };
        for (String filterName : translationFilters) {
            ExceptionTranslationFilterConfig translationConfig = (ExceptionTranslationFilterConfig) loadFilterConfig(filterName);
            if (translationConfig == null) {
                continue;
            }
            if (!"/accessDenied.jsp".equals(translationConfig.getAccessDeniedErrorPage())) {
                continue;
            }
            translationConfig.setAccessDeniedErrorPage(null);
            saveFilter(translationConfig);
        }
    }

    /**
     * Collects the security provider extensions registered in the application context that report
     * themselves as available.
     *
     * @return a new mutable list of the available providers, in extension lookup order
     */
    public List<GeoServerSecurityProvider> lookupSecurityProviders() {
        List<GeoServerSecurityProvider> available = new ArrayList<>();
        for (GeoServerSecurityProvider candidate : GeoServerExtensions.extensions(GeoServerSecurityProvider.class, this.appContext)) {
            if (!candidate.isAvailable()) {
                continue;
            }
            available.add(candidate);
        }
        return available;
    }

    /**
     * Lists the names of the direct child directories of {@code resource} that contain a
     * {@code CONFIG_FILENAME} file.
     *
     * @param resource the directory to scan
     * @return the matching directory names in natural sort order
     */
    SortedSet<String> listFiles(Resource resource) {
        SortedSet<String> configuredNames = new TreeSet<>();
        for (Resource child : resource.list()) {
            if (child.getType() != Resource.Type.DIRECTORY) {
                continue;
            }
            // A directory only counts when it actually holds a configuration file.
            if (child.get(CONFIG_FILENAME).getType() == Resource.Type.RESOURCE) {
                configuredNames.add(child.name());
            }
        }
        return configuredNames;
    }

    /**
     * Returns the persister used for the global security configuration files, building it on
     * first use and caching it in {@code gxp}.
     *
     * <p>No synchronization is visible here, so concurrent first calls may each build a persister.
     *
     * @return the cached global persister
     * @throws IOException declared for callers; nothing in this body throws it directly
     */
    XStreamPersister globalPersister() throws IOException {
        XStreamPersister cached = this.gxp;
        if (cached == null) {
            cached = buildGlobalPersister();
            this.gxp = cached;
        }
        return cached;
    }

    /**
     * Builds the persister for the global security files: the provider-configured persister from
     * {@link #buildPersister()} plus the {@code security} and {@code masterPassword} aliases, a
     * dedicated converter for the {@code filterChain} field and omission of {@code anonymousAuth}.
     *
     * @return a newly built persister
     */
    private XStreamPersister buildGlobalPersister() {
        XStreamPersister global = buildPersister();

        // Element names used in the global configuration files.
        global.getXStream().alias("security", SecurityManagerConfig.class);
        global.getXStream().alias("masterPassword", MasterPasswordConfig.class);

        // The filter chain is (un)marshalled by its own converter rather than by reflection.
        FilterChainConverter chainConverter = new FilterChainConverter(global.getXStream().getMapper());
        global.getXStream().registerLocalConverter(SecurityManagerConfig.class, "filterChain", chainConverter);

        // anonymousAuth is neither read from nor written to the XML.
        global.getXStream().omitField(SecurityManagerConfig.class, "anonymousAuth");
        return global;
    }

    /**
     * Returns the persister used for named security service configurations, building it on first
     * use and caching it in {@code xp}.
     *
     * <p>No synchronization is visible here, so concurrent first calls may each build a persister.
     *
     * @return the cached persister
     * @throws IOException declared for callers; nothing in this body throws it directly
     */
    XStreamPersister persister() throws IOException {
        XStreamPersister cached = this.xp;
        if (cached == null) {
            cached = buildPersister();
            this.xp = cached;
        }
        return cached;
    }

    /**
     * Creates an XML persister with the {@code security} alias and lets every available security
     * provider add its own configuration to it.
     *
     * <p>The set of types this persister will (un)marshal therefore depends on which providers
     * are installed; what each provider registers is defined in its {@code configure} method.
     *
     * @return a newly built persister
     */
    private XStreamPersister buildPersister() {
        List<GeoServerSecurityProvider> providers = lookupSecurityProviders();
        XStreamPersister xmlPersister = new XStreamPersisterFactory().createXMLPersister();
        xmlPersister.getXStream().alias("security", SecurityManagerConfig.class);
        for (GeoServerSecurityProvider provider : providers) {
            provider.configure(xmlPersister);
        }
        return xmlPersister;
    }

    /**
     * Loads the global security configuration from {@code CONFIG_FILENAME} in the security
     * directory, using the global persister.
     *
     * @return a copy of the stored configuration (see {@code loadConfigFile})
     * @throws IOException if the file cannot be read
     */
    public SecurityManagerConfig loadSecurityConfig() throws IOException {
        Resource securityRoot = security();
        XStreamPersister globalXp = globalPersister();
        SecurityConfig loaded = loadConfigFile(securityRoot, globalXp);
        return (SecurityManagerConfig) loaded;
    }

    /**
     * Loads the master password configuration from {@code MASTER_PASSWD_CONFIG_FILENAME} in the
     * security directory, using the global persister.
     *
     * @return a copy of the stored master password configuration
     * @throws IOException if the file cannot be read
     */
    public MasterPasswordConfig loadMasterPasswordConfig() throws IOException {
        Resource masterPasswordFile = security().get(MASTER_PASSWD_CONFIG_FILENAME);
        XStreamPersister globalXp = globalPersister();
        return loadConfig(MasterPasswordConfig.class, masterPasswordFile, globalXp);
    }

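    /**
     * Reads a security configuration object from {@code resource} and returns a copy of it cast to
     * the requested type.
     *
     * <p>The stream is managed with try-with-resources so that a failure while closing it cannot
     * replace the exception thrown by the load itself; the close failure is attached as a
     * suppressed exception instead.
     *
     * <p>NOTE(review): the XML is deserialized by the given persister, so the file is only as
     * trustworthy as write access to the data directory; which types may be instantiated depends
     * on how the persister was configured, which is not visible here.
     *
     * @param cls the expected configuration type
     * @param resource the file to read
     * @param xStreamPersister the persister used to unmarshal the XML
     * @return the result of {@code clone(true)} on the loaded object, cast to {@code cls}
     * @throws IOException if the resource cannot be read
     * @throws ClassCastException if the stored object is not an instance of {@code cls}
     */
    <T extends SecurityConfig> T loadConfig(Class<T> cls, Resource resource, XStreamPersister xStreamPersister) throws IOException {
        try (InputStream in = resource.in()) {
            SecurityConfig loaded = (SecurityConfig) xStreamPersister.load(in, SecurityConfig.class);
            // Hand out the clone(true) result, never the object the persister created.
            return cls.cast(loaded.clone(true));
        }
    }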

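    /**
     * Reads the security configuration stored in the file {@code str} below {@code resource} and
     * returns a copy of it.
     *
     * <p>The stream is managed with try-with-resources so that a failure while closing it cannot
     * replace the exception thrown by the load itself; the close failure is attached as a
     * suppressed exception instead.
     *
     * <p>NOTE(review): {@code str} is resolved with {@code resource.get(str)} without any check
     * here; callers are expected to pass a fixed file name rather than external input -- confirm.
     *
     * @param resource the directory that holds the configuration file
     * @param str the file name, relative to {@code resource}
     * @param xStreamPersister the persister used to unmarshal the XML
     * @return the result of {@code clone(true)} on the loaded object
     * @throws IOException if the file cannot be read
     */
    SecurityConfig loadConfigFile(Resource resource, String str, XStreamPersister xStreamPersister) throws IOException {
        try (InputStream in = resource.get(str).in()) {
            SecurityConfig loaded = (SecurityConfig) xStreamPersister.load(in, SecurityConfig.class);
            // Hand out the clone(true) result, never the object the persister created.
            return loaded.clone(true);
        }
    }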

    /**
     * Reads the security configuration stored under the default name {@code CONFIG_FILENAME}
     * below {@code resource}.
     *
     * @param resource the directory that holds the configuration file
     * @param xStreamPersister the persister used to unmarshal the XML
     * @return the loaded configuration, as returned by the three-argument overload
     * @throws IOException if the file cannot be read
     */
    SecurityConfig loadConfigFile(Resource resource, XStreamPersister xStreamPersister) throws IOException {
        final String defaultName = CONFIG_FILENAME;
        SecurityConfig loaded = loadConfigFile(resource, defaultName, xStreamPersister);
        return loaded;
    }

    /**
     * Writes {@code securityConfig} to the file {@code str} below {@code resource}.
     *
     * @param securityConfig the configuration to persist
     * @param resource the directory that holds the configuration file
     * @param str the file name, relative to {@code resource}
     * @param xStreamPersister the persister used to marshal the object
     * @throws IOException if the file cannot be written
     */
    void saveConfigFile(SecurityConfig securityConfig, Resource resource, String str, XStreamPersister xStreamPersister) throws IOException {
        Resource target = resource.get(str);
        XStreamUtils.xStreamPersist(target, securityConfig, xStreamPersister);
    }

    /**
     * Writes {@code securityConfig} under the default name {@code CONFIG_FILENAME} below
     * {@code resource}.
     *
     * @param securityConfig the configuration to persist
     * @param resource the directory that holds the configuration file
     * @param xStreamPersister the persister used to marshal the object
     * @throws IOException if the file cannot be written
     */
    void saveConfigFile(SecurityConfig securityConfig, Resource resource, XStreamPersister xStreamPersister) throws IOException {
        final String defaultName = CONFIG_FILENAME;
        saveConfigFile(securityConfig, resource, defaultName, xStreamPersister);
    }

    /**
     * Resolves an absolute file system path to a {@code Resource}.
     *
     * <p>NOTE(review): any absolute path the process can read is accepted, and the canonical path
     * is echoed in the error message; this is only appropriate when {@code str} comes from
     * trusted configuration rather than from request input -- confirm against callers.
     *
     * @param str the path to resolve
     * @return the file as a resource, or {@code null} when {@code str} is not an absolute path
     * @throws IOException if the path is absolute but the file cannot be read
     */
    Resource getConfigFile(String str) throws IOException {
        File candidate = new File(str);
        // Relative names are not handled here; the caller gets null and resolves them itself.
        if (!candidate.isAbsolute()) {
            return null;
        }
        if (!candidate.canRead()) {
            throw new IOException("Cannot read file: " + candidate.getCanonicalPath());
        }
        return Files.asResource(candidate);
    }

    /**
     * Returns the active role service, passed through {@code wrapRoleService}.
     *
     * @return the wrapped active role service
     * @throws RuntimeException wrapping the {@link IOException} thrown while wrapping
     */
    public GeoServerRoleService getActiveRoleService() {
        final GeoServerRoleService wrapped;
        try {
            wrapped = wrapRoleService(this.activeRoleService);
        } catch (IOException e) {
            // This getter declares no checked exceptions, so the cause is rethrown unchecked.
            throw new RuntimeException(e);
        }
        return wrapped;
    }

    /**
     * Replaces the active role service. The value is stored as given, without validation or
     * wrapping; wrapping happens in {@link #getActiveRoleService()}.
     *
     * @param geoServerRoleService the role service to make active
     */
    public void setActiveRoleService(GeoServerRoleService geoServerRoleService) {
        final GeoServerRoleService replacement = geoServerRoleService;
        this.activeRoleService = replacement;
    }

    /**
     * Re-saves every store and security configuration that has fields registered for
     * encryption.
     *
     * <p>Processing order: catalog stores, password validators, role services, user/group
     * services, authentication providers, then filters. A store is saved when the encryption
     * helper reports at least one encrypted field for it. A security configuration is saved
     * when its class is assignable from one of the classes that the security providers list
     * in {@code getFieldsForEncryption()}.
     *
     * <p>NOTE(review): saving presumably makes the persistence layer write those fields with
     * the configured password encrypter. Confirm in the helpers' {@code saveConfig}.
     *
     * <p>There is no rollback. If any load or save throws, the method stops at that point,
     * later configurations are not re-saved, and the closing log line is not written. An
     * operator should treat a missing "End encrypting" entry as a sign that some
     * configuration files may still hold their previous on-disk form.
     *
     * @throws IOException if loading or saving a configuration fails
     */
    public void updateConfigurationFilesWithEncryptedFields() throws IOException {
        LOGGER.info("Start encrypting configuration passwords using " + getSecurityConfig().getConfigPasswordEncrypterName());

        // Stores: only those with at least one encrypted field are written back.
        Catalog catalog = getCatalog();
        for (StoreInfo store : catalog.getStores(StoreInfo.class)) {
            boolean hasEncryptedFields = !this.configPasswordEncryptionHelper.getEncryptedFields(store).isEmpty();
            if (hasEncryptedFields) {
                catalog.save(store);
            }
        }

        // Collect every configuration class for which a provider declares encrypted fields.
        HashSet<Object> encryptedConfigClasses = new HashSet<>();
        for (GeoServerSecurityProvider provider : lookupSecurityProviders()) {
            encryptedConfigClasses.addAll(provider.getFieldsForEncryption().keySet());
        }

        // Each section below saves a configuration at most once, on the first matching class.
        for (String validatorName : listPasswordValidators()) {
            PasswordPolicyConfig policyConfig = this.passwordValidatorHelper.loadConfig(validatorName);
            for (Object candidate : encryptedConfigClasses) {
                if (policyConfig.getClass().isAssignableFrom((Class<?>) candidate)) {
                    this.passwordValidatorHelper.saveConfig(policyConfig);
                    break;
                }
            }
        }

        for (String roleServiceName : listRoleServices()) {
            SecurityRoleServiceConfig roleConfig = this.roleServiceHelper.loadConfig(roleServiceName);
            for (Object candidate : encryptedConfigClasses) {
                if (roleConfig.getClass().isAssignableFrom((Class<?>) candidate)) {
                    this.roleServiceHelper.saveConfig(roleConfig);
                    break;
                }
            }
        }

        for (String userGroupServiceName : listUserGroupServices()) {
            SecurityUserGroupServiceConfig userGroupConfig = this.userGroupServiceHelper.loadConfig(userGroupServiceName);
            for (Object candidate : encryptedConfigClasses) {
                if (userGroupConfig.getClass().isAssignableFrom((Class<?>) candidate)) {
                    this.userGroupServiceHelper.saveConfig(userGroupConfig);
                    break;
                }
            }
        }

        for (String authProviderName : listAuthenticationProviders()) {
            SecurityAuthProviderConfig authConfig = this.authProviderHelper.loadConfig(authProviderName);
            for (Object candidate : encryptedConfigClasses) {
                if (authConfig.getClass().isAssignableFrom((Class<?>) candidate)) {
                    this.authProviderHelper.saveConfig(authConfig);
                    break;
                }
            }
        }

        for (String filterName : listFilters()) {
            SecurityFilterConfig filterConfig = this.filterHelper.loadConfig(filterName);
            for (Object candidate : encryptedConfigClasses) {
                if (filterConfig.getClass().isAssignableFrom((Class<?>) candidate)) {
                    this.filterHelper.saveConfig(filterConfig);
                    break;
                }
            }
        }

        LOGGER.info("End encrypting configuration passwords");
    }

    /**
     * Collects the roles of every listed role service into one sorted set, then adds
     * {@code GeoServerRole.AUTHENTICATED_ROLE} and {@code GeoServerRole.ANONYMOUS_ROLE}.
     *
     * <p>Loading is best effort per service. If loading a role service or reading its roles
     * throws an {@link IOException}, the failure is logged at WARNING and that service's
     * roles are left out of the result. The returned set can therefore be incomplete without
     * the caller being told, so anything building access rules from it should check the
     * warnings in the log.
     *
     * @return a sorted set of the roles gathered from the role services plus the two
     *     built-in roles
     * @throws IOException if listing the role services fails
     */
    public SortedSet<GeoServerRole> getRolesForAccessControl() throws IOException {
        TreeSet<GeoServerRole> roles = new TreeSet<>();
        for (String roleServiceName : listRoleServices()) {
            try {
                roles.addAll(loadRoleService(roleServiceName).getRoles());
            } catch (IOException loadFailure) {
                // Deliberately not rethrown: one failing service must not hide the others.
                LOGGER.log(Level.WARNING, loadFailure.getMessage(), loadFailure);
            }
        }
        roles.add(GeoServerRole.AUTHENTICATED_ROLE);
        roles.add(GeoServerRole.ANONYMOUS_ROLE);
        return roles;
    }
}
