package org.jboss.security.plugins.acl;

import java.security.AccessController;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import org.jboss.logging.Logger;
import org.jboss.security.acl.ACLContext;
import org.jboss.security.acl.ACLPermission;
import org.jboss.security.acl.ACLProvider;
import org.jboss.security.acl.config.ACLProviderEntry;
import org.jboss.security.authorization.AuthorizationException;
import org.jboss.security.authorization.EntitlementHolder;
import org.jboss.security.authorization.Permission;
import org.jboss.security.authorization.Resource;
import org.jboss.security.config.ACLInfo;
import org.jboss.security.config.ApplicationPolicy;
import org.jboss.security.config.ControlFlag;
import org.jboss.security.config.SecurityConfiguration;
import org.jboss.security.identity.Identity;

/* loaded from: input_file:WEB-INF/lib/jbosssx.jar:org/jboss/security/plugins/acl/JBossACLContext.class */
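/**
 * ACL context that evaluates the {@link ACLProvider} modules configured for a security domain.
 *
 * <p>For each call the provider list is rebuilt from the {@link ACLInfo} of the domain's
 * {@link ApplicationPolicy}, the providers are invoked inside
 * {@link AccessController#doPrivileged(PrivilegedExceptionAction)}, and the individual results are
 * combined according to each provider's {@link ControlFlag}.
 *
 * <p>NOTE(review): {@code modules} and {@code controlFlags} are inherited instance state that is
 * cleared and refilled on every call. Nothing in this class synchronizes that state, so concurrent
 * calls on one instance would interleave; confirm how instances are shared by callers.
 */
public class JBossACLContext extends ACLContext {
    private static final Logger log = Logger.getLogger(JBossACLContext.class);

    /** Decision values, as named by the trace messages in {@link #invokeAuthorize}. */
    private static final int PERMIT = 1;
    private static final int DENY = -1;

    // Captured once at construction; a later change of the log level is not picked up.
    private final boolean trace = log.isTraceEnabled();

    /**
     * Creates a context bound to one security domain.
     *
     * @param str name of the security domain whose ACL policy is consulted
     */
    public JBossACLContext(String str) {
        this.securityDomainName = str;
    }

    /**
     * Collects the entitlements that every configured provider reports for an identity.
     *
     * @param cls      type of the entitlement entries
     * @param resource resource the entitlements refer to
     * @param identity identity the entitlements are computed for
     * @return a holder exposing the union of all providers' entitlement sets
     * @throws AuthorizationException if a provider fails, returns {@code null}, or cannot be torn down
     * @throws IllegalStateException  if no policy or ACL configuration exists, or a provider cannot
     *                                be instantiated
     */
    public <T> EntitlementHolder<T> getEntitlements(final Class<T> cls, final Resource resource, final Identity identity) throws AuthorizationException {
        try {
            initializeModules(resource, identity);
        } catch (PrivilegedActionException e2) {
            throw new RuntimeException(e2);
        }
        final Set<T> entitled;
        try {
            entitled = AccessController.doPrivileged(new PrivilegedExceptionAction<Set<T>>() {
                @Override
                public Set<T> run() throws AuthorizationException {
                    Set<T> result = JBossACLContext.this.invokeACL(cls, resource, identity);
                    JBossACLContext.this.invokeTeardown();
                    return result;
                }
            });
        } catch (PrivilegedActionException e) {
            Throwable exception = e.getException();
            if (this.trace) {
                log.trace("Error in authorize:", exception);
            }
            throw teardownAndUnwrap(exception);
        }
        return new EntitlementHolder<T>() {
            @Override
            public Set<T> getEntitled() {
                return entitled;
            }
        };
    }

    /**
     * Decides whether an identity holds an ACL permission on a resource.
     *
     * <p>NOTE(review): unlike {@link #getEntitlements}, the success path does not call
     * {@link #invokeTeardown()}; providers are only torn down when the evaluation throws. Confirm
     * whether that asymmetry is intended.
     *
     * @param resource   resource being accessed
     * @param identity   identity requesting access
     * @param permission requested permission; must be an {@link ACLPermission}
     * @return {@code 1} (permit) or {@code -1} (deny), as produced by {@link #invokeAuthorize}
     * @throws AuthorizationException if {@code permission} is {@code null} or not an
     *                                {@link ACLPermission}, or if a provider fails
     */
    public int authorize(final Resource resource, final Identity identity, final Permission permission) throws AuthorizationException {
        if (!(permission instanceof ACLPermission)) {
            // A null permission also lands here; report it instead of failing with a NullPointerException.
            throw new AuthorizationException("Unable to process permission of type " + (permission == null ? null : permission.getClass()));
        }
        final ACLPermission aclPermission = (ACLPermission) permission;
        try {
            initializeModules(resource, identity);
        } catch (PrivilegedActionException e2) {
            throw new RuntimeException(e2);
        }
        try {
            return AccessController.doPrivileged(new PrivilegedExceptionAction<Integer>() {
                @Override
                public Integer run() throws AuthorizationException {
                    return Integer.valueOf(JBossACLContext.this.invokeAuthorize(resource, identity, aclPermission));
                }
            }).intValue();
        } catch (PrivilegedActionException e) {
            Throwable exception = e.getException();
            if (this.trace) {
                log.trace("Error authorizing identity " + identity + ":", exception);
            }
            throw teardownAndUnwrap(exception);
        }
    }

    /**
     * Tears the providers down after a failed evaluation and returns the failure to rethrow.
     * A teardown failure is logged rather than thrown so that it cannot mask the original error.
     */
    private AuthorizationException teardownAndUnwrap(Throwable exception) {
        try {
            invokeTeardown();
        } catch (AuthorizationException teardownFailure) {
            log.debug("Error tearing down ACL modules:", teardownFailure);
        }
        if (exception instanceof AuthorizationException) {
            return (AuthorizationException) exception;
        }
        // The privileged actions above declare only AuthorizationException, so this is not expected.
        throw new IllegalStateException("Unexpected failure type from privileged action", exception);
    }

    /**
     * Rebuilds {@code modules} and {@code controlFlags} from the ACL configuration of the domain.
     *
     * @throws IllegalStateException if the policy has no ACL configuration
     */
    private void initializeModules(Resource resource, Identity identity) throws PrivilegedActionException {
        this.modules.clear();
        // Both lists are read by index in invokeAuthorize. Leaving stale flags from an earlier call
        // would pair a provider with the wrong ControlFlag and let the list grow without bound.
        this.controlFlags.clear();
        ACLInfo aclInfo = getACLInfo(this.securityDomainName, resource);
        if (aclInfo == null) {
            throw new IllegalStateException("ACL Info is null");
        }
        ACLProviderEntry[] entries = aclInfo.getACLProviderEntry();
        if (entries == null) {
            return;
        }
        for (ACLProviderEntry entry : entries) {
            this.modules.add(instantiateModule(entry.getAclProviderName(), entry.getOptions()));
            this.controlFlags.add(entry.getControlFlag());
        }
    }

    /**
     * Loads, instantiates and initializes the provider class named in the configuration.
     *
     * @param str fully qualified provider class name, resolved through the context class loader
     * @param map options passed to {@link ACLProvider#initialize}
     * @throws IllegalStateException if the class cannot be loaded, is not an {@link ACLProvider},
     *                               or cannot be instantiated
     */
    private ACLProvider instantiateModule(String str, Map<String, Object> map) throws PrivilegedActionException {
        ACLProvider provider;
        try {
            Class<?> loaded = SecurityActions.getContextClassLoader().loadClass(str);
            // Check the type before instantiating, so a configured name that is not an ACLProvider
            // is rejected without its constructor being run.
            provider = loaded.asSubclass(ACLProvider.class).newInstance();
        } catch (Exception e) {
            log.debug("Error instantiating AuthorizationModule:", e);
            // Keep the cause so that the failure can be diagnosed when debug logging is off.
            throw new IllegalStateException("ACLProvider has not been instantiated", e);
        }
        provider.initialize(this.sharedState, map);
        return provider;
    }

    /**
     * Merges the entitlement sets returned by all providers.
     *
     * <p>Internal step of {@link #getEntitlements}; it reads {@code modules} as filled by
     * {@code initializeModules}.
     *
     * @throws AuthorizationException if a provider throws or returns {@code null}
     */
    /* JADX INFO: Access modifiers changed from: private */
    public <T> Set<T> invokeACL(Class<T> cls, Resource resource, Identity identity) throws AuthorizationException {
        Set<T> merged = new HashSet<T>();
        int size = this.modules.size();
        for (int i = 0; i < size; i++) {
            ACLProvider provider = (ACLProvider) this.modules.get(i);
            Set<T> entitlements;
            try {
                entitlements = provider.getEntitlements(cls, resource, identity);
            } catch (Exception e) {
                // Only the message is propagated, so record the full failure where tracing is enabled.
                if (this.trace) {
                    log.trace("ACL module " + provider.getClass().getName() + " failed:", e);
                }
                throw new AuthorizationException(e.getMessage());
            }
            if (entitlements == null) {
                throw new AuthorizationException("module " + provider.getClass().getName() + " generated null entitlements.");
            }
            merged.addAll(entitlements);
        }
        return merged;
    }

    /**
     * Combines the providers' decisions according to their control flags.
     *
     * <ul>
     *   <li>A granting SUFFICIENT provider ends the evaluation with permit, unless a REQUIRED
     *       provider has already denied.</li>
     *   <li>A denying REQUISITE provider ends the evaluation with deny.</li>
     *   <li>A denying REQUIRED provider forces deny, but the remaining providers are still run.</li>
     *   <li>Any other denial leaves the decision reached so far unchanged.</li>
     * </ul>
     *
     * <p>NOTE(review): with no providers configured the result is permit, so an ACL policy without
     * provider entries fails open. This method is public in this listing and reads whatever
     * {@code modules} currently holds, which is empty after {@link #invokeTeardown()}.
     *
     * @return {@code 1} (permit) or {@code -1} (deny)
     * @throws AuthorizationException if a provider throws
     */
    /* JADX INFO: Access modifiers changed from: private */
    public int invokeAuthorize(Resource resource, Identity identity, ACLPermission aCLPermission) throws AuthorizationException {
        if (this.modules == null || this.modules.size() == 0) {
            return PERMIT;
        }
        boolean requiredFailed = false;
        int overall = DENY;
        for (int i = 0; i < this.modules.size(); i++) {
            ACLProvider provider = (ACLProvider) this.modules.get(i);
            ControlFlag flag = (ControlFlag) this.controlFlags.get(i);
            boolean granted;
            try {
                granted = provider.isAccessGranted(resource, identity, aCLPermission);
                if (this.trace) {
                    log.trace("ACL module " + provider.getClass().getName() + (granted ? " granted " : " denied ") + "access to resource " + resource);
                }
            } catch (Exception e) {
                throw new AuthorizationException(e.getMessage());
            }
            if (granted) {
                overall = PERMIT;
                if (flag == ControlFlag.SUFFICIENT && !requiredFailed) {
                    if (this.trace) {
                        log.trace("SUFFICIENT module succeeded: overall status=PERMIT");
                    }
                    // The decision is final, as the trace message states; stop evaluating.
                    break;
                }
            } else if (flag == ControlFlag.REQUISITE) {
                if (this.trace) {
                    log.trace("REQUISITE module failed: overall status=DENY");
                }
                overall = DENY;
                // Without this exit the same provider would be evaluated again indefinitely.
                break;
            } else if (flag == ControlFlag.REQUIRED) {
                if (this.trace) {
                    log.trace("REQUIRED module failed: overall status=DENY");
                }
                requiredFailed = true;
            }
        }
        return requiredFailed ? DENY : overall;
    }

    /**
     * Looks up the ACL configuration for a domain.
     *
     * <p>When the domain has no policy of its own, the policy registered under the name of the
     * resource's layer is used instead, so a domain name that matches no policy is evaluated
     * against the layer's policy rather than rejected.
     *
     * @throws IllegalStateException if neither lookup yields a policy
     */
    private ACLInfo getACLInfo(String str, Resource resource) {
        ApplicationPolicy applicationPolicy = SecurityConfiguration.getApplicationPolicy(str);
        if (applicationPolicy == null && resource != null && resource.getLayer() != null) {
            if (this.trace) {
                log.trace("Application Policy not obtained for domain=" + str + ". Trying to obtain the App policy for the default domain of the layer:");
            }
            applicationPolicy = SecurityConfiguration.getApplicationPolicy(resource.getLayer().name());
        }
        if (applicationPolicy == null) {
            throw new IllegalStateException("Application Policy is null for domain:" + str);
        }
        return applicationPolicy.getAclInfo();
    }

    /**
     * Calls {@code tearDown()} on every provider and empties the provider and flag lists.
     *
     * <p>All providers are torn down and the lists are cleared even if one of them reports
     * failure; the first failing provider is then reported.
     *
     * @throws AuthorizationException if any provider's {@code tearDown()} returns {@code false}
     */
    /* JADX INFO: Access modifiers changed from: private */
    public void invokeTeardown() throws AuthorizationException {
        ACLProvider firstFailure = null;
        try {
            int size = this.modules.size();
            for (int i = 0; i < size; i++) {
                ACLProvider provider = (ACLProvider) this.modules.get(i);
                if (!provider.tearDown() && firstFailure == null) {
                    firstFailure = provider;
                }
            }
        } finally {
            this.modules.clear();
            this.controlFlags.clear();
        }
        if (firstFailure != null) {
            throw new AuthorizationException("TearDown on module failed:" + firstFailure.getClass());
        }
    }

    /**
     * Returns {@code [<class name>(<security domain>)]}.
     */
    @Override
    public String toString() {
        // The opening token used to be "()", which left the parentheses unbalanced.
        return "[" + getClass().getCanonicalName() + "(" + this.securityDomainName + ")]";
    }
}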
