package org.jboss.security.plugins;

import java.io.IOException;
import java.security.Principal;
import java.security.acl.Group;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.locks.Lock;
import java.util.concurrent.locks.ReentrantLock;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.jboss.security.AnybodyPrincipal;
import org.jboss.security.AuthorizationManager;
import org.jboss.security.NobodyPrincipal;
import org.jboss.security.PicketBoxLogger;
import org.jboss.security.PicketBoxMessages;
import org.jboss.security.RunAs;
import org.jboss.security.SecurityConstants;
import org.jboss.security.SecurityContext;
import org.jboss.security.SecurityRolesAssociation;
import org.jboss.security.SecurityUtil;
import org.jboss.security.SimplePrincipal;
import org.jboss.security.authorization.AuthorizationContext;
import org.jboss.security.authorization.AuthorizationException;
import org.jboss.security.authorization.Resource;
import org.jboss.security.callbacks.SecurityContextCallback;
import org.jboss.security.identity.Role;
import org.jboss.security.identity.RoleGroup;
import org.jboss.security.identity.plugins.SimpleRole;
import org.jboss.security.identity.plugins.SimpleRoleGroup;
import org.jboss.security.mapping.MappingContext;
import org.jboss.security.mapping.MappingType;
import org.jboss.security.plugins.authorization.JBossAuthorizationContext;

/* loaded from: input_file:WEB-INF/lib/picketbox.jar:org/jboss/security/plugins/JBossAuthorizationManager.class */
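/**
 * PicketBox {@link AuthorizationManager} for one security domain.
 * <p>
 * Authorization decisions ({@code authorize(...)}) are delegated to an {@link AuthorizationContext};
 * when none has been injected through {@link #setAuthorizationContext}, a
 * {@link JBossAuthorizationContext} for this domain is created lazily. Role queries
 * ({@code doesUserHaveRole}, {@code getUserRoles}, {@code getSubjectRoles}) resolve the caller's
 * roles from the current {@link SecurityContext}, merge in the subject's "Roles" group
 * ({@link SecurityConstants#ROLES_IDENTIFIER}) and run the result through the domain's
 * {@link MappingType#ROLE} mapping modules, storing the mapped roles back into the context.
 * <p>
 * Thread-safety: {@code authorizationContext} is written under {@code lock} and declared
 * {@code volatile}, so the lazily created default is published safely to readers. The role
 * lookups mutate the thread-associated {@link SecurityContext} (roles are cached in it) and may
 * install a new {@link JBossSecurityContext} via {@link SubjectActions} when none is present.
 * <p>
 * Note: {@link java.security.acl.Group} was deprecated and then removed from the JDK (Java 14);
 * this class and the {@link AuthorizationManager} contract it implements depend on that legacy API.
 */
public class JBossAuthorizationManager implements AuthorizationManager {
    /** Security domain served by this manager, normalized by {@link SecurityUtil#unprefixSecurityDomain}. */
    private final String securityDomain;
    /** Delegate for authorization decisions; null until injected or lazily defaulted. Guarded by {@code lock}. */
    private volatile AuthorizationContext authorizationContext = null;
    /** Serializes writes to {@code authorizationContext} (including the lazy default). */
    private final Lock lock = new ReentrantLock();

    /**
     * Creates a manager for the given security domain.
     *
     * @param str the security domain name; any JNDI-style prefix is stripped by
     *            {@link SecurityUtil#unprefixSecurityDomain}
     */
    public JBossAuthorizationManager(String str) {
        this.securityDomain = SecurityUtil.unprefixSecurityDomain(str);
    }

    /**
     * Authorizes access to {@code resource} for the currently active subject.
     *
     * @param resource the protected resource; must be non-null with a non-null context map
     * @return the {@link AuthorizationContext} decision code
     * @throws AuthorizationException if the context denies access
     */
    @Override // org.jboss.security.AuthorizationManager
    public int authorize(Resource resource) throws AuthorizationException {
        validateResource(resource);
        return internalAuthorization(resource, SubjectActions.getActiveSubject(), null);
    }

    /**
     * Authorizes access to {@code resource} for an explicit subject, letting the
     * {@link AuthorizationContext} derive the roles itself.
     *
     * @param resource the protected resource; must be non-null with a non-null context map
     * @param subject  the authenticated subject
     * @return the {@link AuthorizationContext} decision code
     * @throws AuthorizationException if the context denies access
     */
    @Override // org.jboss.security.AuthorizationManager
    public int authorize(Resource resource, Subject subject) throws AuthorizationException {
        // Validate here like the other overloads do, so a null resource fails with the standard
        // invalidNullArgument instead of an NPE deep inside the authorization context.
        validateResource(resource);
        return internalAuthorization(resource, subject, null);
    }

    /**
     * Authorizes access to {@code resource} for a subject with a pre-computed role group.
     *
     * @param resource  the protected resource; must be non-null with a non-null context map
     * @param subject   the authenticated subject
     * @param roleGroup the roles to authorize with (may be null; the context then derives them)
     * @return the {@link AuthorizationContext} decision code
     * @throws AuthorizationException if the context denies access
     */
    @Override // org.jboss.security.AuthorizationManager
    public int authorize(Resource resource, Subject subject, RoleGroup roleGroup) throws AuthorizationException {
        validateResource(resource);
        return internalAuthorization(resource, subject, roleGroup);
    }

    /**
     * Authorizes access to {@code resource} for a subject whose roles are given as a legacy
     * {@link Group}; the group is converted to a {@link RoleGroup} first.
     *
     * @param resource the protected resource; must be non-null with a non-null context map
     * @param subject  the authenticated subject
     * @param group    the roles group; must be non-null
     * @return the {@link AuthorizationContext} decision code
     * @throws AuthorizationException if the context denies access
     */
    @Override // org.jboss.security.AuthorizationManager
    public int authorize(Resource resource, Subject subject, Group group) throws AuthorizationException {
        validateResource(resource);
        return internalAuthorization(resource, subject, getRoleGroup(group));
    }

    /**
     * Checks whether the caller holds at least one of the given roles.
     *
     * @param principal the caller (used as the mapping principal); may be null
     * @param set       the roles to test, as principals named after the role; null or empty yields false
     * @return true if the caller's current roles contain any role in {@code set}
     */
    @Override // org.jboss.security.AuthorizationManager
    public boolean doesUserHaveRole(Principal principal, Set<Principal> set) {
        boolean hasRole = false;
        RoleGroup userRoles = getCurrentRoles(principal);
        if (PicketBoxLogger.LOGGER.isTraceEnabled()) {
            PicketBoxLogger.LOGGER.traceBeginDoesUserHaveRole(principal, userRoles != null ? userRoles.toString() : "");
        }
        // Fail closed: no current roles or no roles to test means access is not granted.
        if (userRoles != null && set != null) {
            for (Principal role : set) {
                if (doesRoleGroupHaveRole(role, userRoles)) {
                    hasRole = true;
                    break;
                }
            }
        }
        PicketBoxLogger.LOGGER.traceEndDoesUserHaveRole(hasRole);
        return hasRole;
    }

    /**
     * Checks whether the caller holds a single role.
     *
     * @param principal  the caller (used as the mapping principal); may be null
     * @param principal2 the role to test, as a principal named after the role
     * @return true if the caller's current roles contain {@code principal2}
     */
    public boolean doesUserHaveRole(Principal principal, Principal principal2) {
        return doesRoleGroupHaveRole(principal2, getCurrentRoles(principal));
    }

    /**
     * Returns the caller's current roles as principals named after each role.
     *
     * @param principal the caller (used as the mapping principal); may be null
     * @return the role principals, or null when no roles could be resolved
     */
    @Override // org.jboss.security.AuthorizationManager
    public Set<Principal> getUserRoles(Principal principal) {
        return getRolesAsSet(getCurrentRoles(principal));
    }

    /**
     * Tests a role principal against a role group.
     * <p>
     * {@link NobodyPrincipal} never matches; {@link AnybodyPrincipal} matches whenever a role group
     * exists, regardless of its contents; otherwise the role name must be contained in the group.
     *
     * @param principal the role to test; must be non-null
     * @param roleGroup the roles held; null is treated as "no roles" and yields false
     * @return true if {@code roleGroup} satisfies {@code principal}
     */
    protected boolean doesRoleGroupHaveRole(Principal principal, RoleGroup roleGroup) {
        if (principal instanceof NobodyPrincipal) {
            return false;
        }
        // Fail closed instead of NPE-ing when no roles are available (mirrors the Set-based overload).
        if (roleGroup == null) {
            return false;
        }
        if (roleGroup.containsRole(new SimpleRole(principal.getName()))) {
            return true;
        }
        return principal instanceof AnybodyPrincipal;
    }

    /** @return {@code [AuthorizationManager:class=<class name>:<security domain>:]} */
    @Override
    public String toString() {
        StringBuilder sb = new StringBuilder();
        sb.append("[AuthorizationManager:class=").append(getClass().getName());
        sb.append(":").append(this.securityDomain).append(":");
        sb.append("]");
        return sb.toString();
    }

    /**
     * Injects the {@link AuthorizationContext} used for decisions.
     *
     * @param authorizationContext the context; must be non-null and belong to this manager's
     *                             security domain
     * @throws RuntimeException (via {@link PicketBoxMessages}) if the argument is null or its
     *                          security domain differs from this manager's
     */
    public void setAuthorizationContext(AuthorizationContext authorizationContext) {
        if (authorizationContext == null) {
            throw PicketBoxMessages.MESSAGES.invalidNullArgument("authorizationContext");
        }
        // Refuse a context configured for another domain: it would apply the wrong policy.
        if (!this.securityDomain.equals(authorizationContext.getSecurityDomain())) {
            throw PicketBoxMessages.MESSAGES.unexpectedSecurityDomainInContext(this.securityDomain);
        }
        this.lock.lock();
        try {
            this.authorizationContext = authorizationContext;
        } finally {
            this.lock.unlock();
        }
    }

    /** @return the (unprefixed) security domain this manager serves */
    @Override // org.jboss.security.BaseSecurityManager
    public String getSecurityDomain() {
        return this.securityDomain;
    }

    /**
     * Not supported by this implementation.
     *
     * @throws UnsupportedOperationException always
     */
    @Override // org.jboss.security.AuthorizationManager
    public Group getTargetRoles(Principal principal, Map<String, Object> map) {
        throw new UnsupportedOperationException();
    }

    /**
     * Converts a role group into a set of {@link SimplePrincipal}s named after each role.
     *
     * @param roleGroup the roles; may be null
     * @return the principals, or null when {@code roleGroup} is null (callers rely on this)
     */
    private Set<Principal> getRolesAsSet(RoleGroup roleGroup) {
        if (roleGroup == null) {
            return null;
        }
        Set<Principal> principals = new HashSet<>();
        for (Role role : roleGroup.getRoles()) {
            principals.add(new SimplePrincipal(role.getRoleName()));
        }
        return principals;
    }

    /**
     * Resolves the roles of {@code subject} using the {@link SecurityContext} supplied by the
     * callback handler through a {@link SecurityContextCallback}. An incoming run-as identity, when
     * present, is used as the principal seen by the role mapping modules.
     *
     * @param subject         the subject; a null subject yields null
     * @param callbackHandler handler that must answer a {@link SecurityContextCallback}; must be non-null
     * @return the resolved roles, never null for a non-null subject (an empty "Roles" group if none)
     * @throws RuntimeException if the handler fails or does not supply a security context
     */
    @Override // org.jboss.security.AuthorizationManager
    public RoleGroup getSubjectRoles(Subject subject, CallbackHandler callbackHandler) {
        if (subject == null) {
            return null;
        }
        if (callbackHandler == null) {
            throw PicketBoxMessages.MESSAGES.invalidNullArgument("callbackHandler");
        }
        SecurityContextCallback securityContextCallback = new SecurityContextCallback();
        try {
            callbackHandler.handle(new Callback[]{securityContextCallback});
        } catch (IOException | UnsupportedCallbackException e) {
            // Keep the cause; the handler's failure is what the operator needs to see.
            throw new RuntimeException(e);
        }
        SecurityContext securityContext = securityContextCallback.getSecurityContext();
        if (securityContext == null) {
            throw new IllegalStateException("callback handler did not supply a SecurityContext");
        }
        RunAs incomingRunAs = securityContext.getIncomingRunAs();
        SimplePrincipal runAsPrincipal = incomingRunAs != null ? new SimplePrincipal(incomingRunAs.getName()) : null;
        RoleGroup currentRoles = getCurrentRoles(runAsPrincipal, subject, securityContext);
        // Never hand back null: an empty "Roles" group expresses "no roles" to callers.
        return currentRoles != null ? currentRoles : new SimpleRoleGroup(SecurityConstants.ROLES_IDENTIFIER);
    }

    /**
     * Resolves the roles for the active subject against the current {@link SecurityContext},
     * installing a fresh {@link JBossSecurityContext} for this domain via
     * {@link SubjectActions#setSecurityContext} when none is associated yet.
     *
     * @param principal the principal passed to the role mapping modules; may be null
     * @return the current roles, or null when none could be resolved
     */
    private RoleGroup getCurrentRoles(Principal principal) {
        Subject activeSubject = SubjectActions.getActiveSubject();
        SecurityContext securityContext = SubjectActions.getSecurityContext();
        if (securityContext == null) {
            securityContext = new JBossSecurityContext(this.securityDomain);
            SubjectActions.setSecurityContext(securityContext);
        }
        return getCurrentRoles(principal, activeSubject, securityContext);
    }

    /**
     * Core role resolution: merges the subject's "Roles" group into the context's role group,
     * runs the {@link MappingType#ROLE} mapping modules (if configured) and caches the result in the
     * security context under {@link SecurityConstants#ROLES_IDENTIFIER}.
     *
     * @param principal       the principal passed to the mapping modules; may be null
     * @param subject         the subject whose "Roles" group is merged; must be non-null
     * @param securityContext the context whose roles are read, updated and used for mapping; must be non-null
     * @return the role group handed to the mapper (may be null when neither the context nor the
     *         subject carried roles and no mapping modules ran)
     */
    private RoleGroup getCurrentRoles(Principal principal, Subject subject, SecurityContext securityContext) {
        if (subject == null) {
            throw PicketBoxMessages.MESSAGES.invalidNullArgument("subject");
        }
        if (securityContext == null) {
            throw PicketBoxMessages.MESSAGES.invalidNullArgument("securityContext");
        }
        Group subjectRoles = getGroupFromSubject(subject);
        RoleGroup contextRoles = securityContext.getUtil().getRoles();
        // Re-run mapping when the context has no roles yet, or a refresh was requested explicitly.
        boolean refreshRoles = contextRoles == null
                || "true".equalsIgnoreCase(SubjectActions.getRefreshSecurityContextRoles());
        // Merges the subject's group into the context's role group, mutating that group in place.
        RoleGroup userRoles = copyGroups(contextRoles, subjectRoles);
        // A Group and a RoleGroup are distinct objects unless both are null, so this reads as
        // "there is something to map, or a refresh was requested".
        if (subjectRoles != userRoles || refreshRoles) {
            RoleGroup mappedRoles = userRoles;
            MappingContext mappingContext = securityContext.getMappingManager().getMappingContext(MappingType.ROLE.name());
            if (mappingContext != null && mappingContext.hasModules()) {
                Map<String, Object> mappingInput = new HashMap<>();
                // Stored before the null -> empty substitution below, as the original did.
                mappingInput.put(SecurityConstants.ROLES_IDENTIFIER, userRoles);
                if (principal != null) {
                    mappingInput.put(SecurityConstants.PRINCIPAL_IDENTIFIER, principal);
                }
                mappingInput.put(SecurityConstants.DEPLOYMENT_PRINCIPAL_ROLES_MAP, SecurityRolesAssociation.getSecurityRoles());
                mappingInput.put(SecurityConstants.PRINCIPALS_SET_IDENTIFIER, subject.getPrincipals());
                if (PicketBoxLogger.LOGGER.isTraceEnabled()) {
                    PicketBoxLogger.LOGGER.traceRolesBeforeMapping(userRoles != null ? userRoles.toString() : "");
                }
                if (userRoles == null) {
                    userRoles = getEmptyRoleGroup();
                }
                mappingContext.performMapping(mappingInput, userRoles);
                mappedRoles = (RoleGroup) mappingContext.getMappingResult().getMappedObject();
                if (PicketBoxLogger.LOGGER.isTraceEnabled()) {
                    PicketBoxLogger.LOGGER.traceRolesAfterMapping(userRoles.toString());
                }
            }
            // NOTE(review): the mapped result is cached in the context, but the value returned below
            // is userRoles (the group handed to the mapper). If a mapping module returns a different
            // instance, callers see the unmapped group -- preserved as-is, confirm this is intended.
            securityContext.getData().put(SecurityConstants.ROLES_IDENTIFIER, mappedRoles);
        }
        if (securityContext.getUtil().getRoles() == null) {
            securityContext.getUtil().setRoles(userRoles);
        }
        return userRoles;
    }

    /**
     * Adds every member of {@code group} to {@code roleGroup} as a {@link SimpleRole}.
     *
     * @param roleGroup the target; mutated in place when non-null, otherwise a new empty "Roles"
     *                  group is created
     * @param group     the legacy group to copy from; when null, {@code roleGroup} is returned untouched
     * @return the (possibly new) role group holding the merged roles; null only if both inputs are null
     */
    private RoleGroup copyGroups(RoleGroup roleGroup, Group group) {
        if (group == null) {
            return roleGroup;
        }
        RoleGroup target = roleGroup != null ? roleGroup : getEmptyRoleGroup();
        Enumeration<? extends Principal> members = group.members();
        while (members.hasMoreElements()) {
            target.addRole(new SimpleRole(members.nextElement().getName()));
        }
        return target;
    }

    /**
     * Delegates to the configured {@link AuthorizationContext}, lazily creating a
     * {@link JBossAuthorizationContext} for this domain if none was injected.
     *
     * @return the context's decision code
     * @throws AuthorizationException if the context denies access
     */
    private int internalAuthorization(Resource resource, Subject subject, RoleGroup roleGroup) throws AuthorizationException {
        return authorizationContextOrDefault().authorize(resource, subject, roleGroup);
    }

    /**
     * Returns the current {@link AuthorizationContext}, creating the default under {@code lock} so
     * that concurrent first callers do not each install their own (the lock is reentrant, so
     * {@link #setAuthorizationContext} may be called while it is held).
     */
    private AuthorizationContext authorizationContextOrDefault() {
        AuthorizationContext current = this.authorizationContext;
        if (current != null) {
            return current;
        }
        this.lock.lock();
        try {
            if (this.authorizationContext == null) {
                setAuthorizationContext(new JBossAuthorizationContext(this.securityDomain));
            }
            return this.authorizationContext;
        } finally {
            this.lock.unlock();
        }
    }

    /**
     * Finds the subject's "Roles" group ({@link SecurityConstants#ROLES_IDENTIFIER}).
     *
     * @param subject the subject; must be non-null
     * @return the last matching {@link Group} principal, or null if the subject has none
     */
    private Group getGroupFromSubject(Subject subject) {
        if (subject == null) {
            throw PicketBoxMessages.MESSAGES.invalidNullArgument("theSubject");
        }
        Group rolesGroup = null;
        for (Group candidate : subject.getPrincipals(Group.class)) {
            // Null-safe comparison; a group with no name simply does not match.
            if (SecurityConstants.ROLES_IDENTIFIER.equals(candidate.getName())) {
                rolesGroup = candidate;
            }
        }
        return rolesGroup;
    }

    /**
     * Converts a legacy {@link Group} into a {@link SimpleRoleGroup} with the same name and one
     * {@link SimpleRole} per member.
     *
     * @param group the group; must be non-null
     * @return the equivalent role group
     */
    private RoleGroup getRoleGroup(Group group) {
        if (group == null) {
            throw PicketBoxMessages.MESSAGES.invalidNullArgument("roleGroup");
        }
        SimpleRoleGroup simpleRoleGroup = new SimpleRoleGroup(group.getName());
        Enumeration<? extends Principal> members = group.members();
        while (members.hasMoreElements()) {
            simpleRoleGroup.addRole(new SimpleRole(members.nextElement().getName()));
        }
        return simpleRoleGroup;
    }

    /**
     * Rejects a null resource or a resource without a context map before it reaches the
     * authorization context.
     *
     * @param resource the resource to check
     */
    private void validateResource(Resource resource) {
        if (resource == null) {
            throw PicketBoxMessages.MESSAGES.invalidNullArgument("resource");
        }
        if (resource.getMap() == null) {
            throw PicketBoxMessages.MESSAGES.invalidNullArgument("resource.contextMap");
        }
    }

    /** @return a new, empty role group named {@link SecurityConstants#ROLES_IDENTIFIER} */
    private RoleGroup getEmptyRoleGroup() {
        return new SimpleRoleGroup(SecurityConstants.ROLES_IDENTIFIER);
    }
}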
