package org.jboss.security.plugins;

import java.security.Principal;
import java.security.acl.Group;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.locks.Lock;
import java.util.concurrent.locks.ReentrantLock;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import org.apache.xerces.impl.xs.SchemaSymbols;
import org.jboss.logging.Logger;
import org.jboss.security.AnybodyPrincipal;
import org.jboss.security.AuthorizationManager;
import org.jboss.security.NobodyPrincipal;
import org.jboss.security.RunAs;
import org.jboss.security.SecurityContext;
import org.jboss.security.SecurityRolesAssociation;
import org.jboss.security.SimplePrincipal;
import org.jboss.security.acl.ACLContext;
import org.jboss.security.authorization.AuthorizationContext;
import org.jboss.security.authorization.AuthorizationException;
import org.jboss.security.authorization.EntitlementHolder;
import org.jboss.security.authorization.Permission;
import org.jboss.security.authorization.Resource;
import org.jboss.security.callbacks.SecurityContextCallback;
import org.jboss.security.identity.Identity;
import org.jboss.security.identity.Role;
import org.jboss.security.identity.RoleGroup;
import org.jboss.security.identity.plugins.SimpleRole;
import org.jboss.security.identity.plugins.SimpleRoleGroup;
import org.jboss.security.mapping.MappingContext;
import org.jboss.security.mapping.MappingType;
import org.jboss.security.plugins.acl.JBossACLContext;
import org.jboss.security.plugins.authorization.JBossAuthorizationContext;
import org.jboss.util.NotImplementedException;

/* loaded from: input_file:WEB-INF/lib/jbosssx-2.0.4.jar:org/jboss/security/plugins/JBossAuthorizationManager.class */
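public class JBossAuthorizationManager implements AuthorizationManager {
    /** Name of the subject's roles group, of the default role group, and of the "Roles" context-data key. */
    private static final String ROLES_IDENTIFIER = "Roles";

    /** Security domain this manager serves; fixed at construction. */
    private final String securityDomain;
    private static Logger log = Logger.getLogger(JBossAuthorizationManager.class);
    /** Trace flag sampled once when the instance is created. */
    protected boolean trace = log.isTraceEnabled();
    /** Created lazily; read and written only while {@link #lock} is held. */
    private AuthorizationContext authorizationContext = null;
    /** Created lazily; read and written only while {@link #lock} is held. */
    private ACLContext aclContext = null;
    private final Lock lock = new ReentrantLock();

    /**
     * Creates a manager for the given security domain.
     *
     * @param str name of the security domain; stored as given
     */
    public JBossAuthorizationManager(String str) {
        this.securityDomain = str;
    }

    /**
     * Authorizes access to {@code resource} for the subject active on the calling thread.
     *
     * @param resource resource under check; must be non-null with a non-null context map
     * @return the decision returned by the authorization context
     * @throws IllegalArgumentException if the resource or its context map is null
     * @throws AuthorizationException propagated from the authorization context
     */
    public int authorize(Resource resource) throws AuthorizationException {
        validateResource(resource);
        return internalAuthorization(resource, SubjectActions.getActiveSubject(), null);
    }

    /**
     * Authorizes access to {@code resource} for an explicit subject.
     * The resource is validated exactly like in the other overloads.
     *
     * @param resource resource under check; must be non-null with a non-null context map
     * @param subject subject to authorize
     * @return the decision returned by the authorization context
     * @throws IllegalArgumentException if the resource or its context map is null
     * @throws AuthorizationException propagated from the authorization context
     */
    public int authorize(Resource resource, Subject subject) throws AuthorizationException {
        validateResource(resource);
        return internalAuthorization(resource, subject, null);
    }

    /**
     * Authorizes access to {@code resource} for a subject with an explicit role group.
     *
     * @param resource resource under check; must be non-null with a non-null context map
     * @param subject subject to authorize
     * @param roleGroup roles to evaluate against
     * @return the decision returned by the authorization context
     * @throws IllegalArgumentException if the resource or its context map is null
     * @throws AuthorizationException propagated from the authorization context
     */
    public int authorize(Resource resource, Subject subject, RoleGroup roleGroup) throws AuthorizationException {
        validateResource(resource);
        return internalAuthorization(resource, subject, roleGroup);
    }

    /**
     * Authorizes access to {@code resource} for a subject whose roles are given as a {@link Group}.
     *
     * @param resource resource under check; must be non-null with a non-null context map
     * @param subject subject to authorize
     * @param group roles to evaluate against; converted to a {@link RoleGroup}
     * @return the decision returned by the authorization context
     * @throws IllegalArgumentException if the resource, its context map, or {@code group} is null
     * @throws AuthorizationException propagated from the authorization context
     */
    public int authorize(Resource resource, Subject subject, Group group) throws AuthorizationException {
        validateResource(resource);
        return internalAuthorization(resource, subject, getRoleGroup(group));
    }

    /**
     * ACL-based authorization of {@code permission} on {@code resource} for {@code identity}.
     *
     * @return the decision returned by the ACL context
     * @throws AuthorizationException propagated from the ACL context
     */
    public int authorize(Resource resource, Identity identity, Permission permission) throws AuthorizationException {
        return getACLContext().authorize(resource, identity, permission);
    }

    /**
     * Returns the entitlements of {@code identity} on {@code resource} from the ACL context.
     *
     * @throws AuthorizationException propagated from the ACL context
     */
    public <T> EntitlementHolder<T> getEntitlements(Class<T> cls, Resource resource, Identity identity) throws AuthorizationException {
        return getACLContext().getEntitlements(cls, resource, identity);
    }

    /**
     * Returns the ACL context, creating it on first use. Creation happens under
     * {@link #lock} so that concurrent callers share a single instance, mirroring
     * how {@link #authorizationContext} is initialized.
     */
    private ACLContext getACLContext() {
        this.lock.lock();
        try {
            if (this.aclContext == null) {
                this.aclContext = new JBossACLContext(this.securityDomain);
            }
            return this.aclContext;
        } finally {
            this.lock.unlock();
        }
    }

    /**
     * Checks whether the caller holds at least one of the given roles.
     *
     * @param principal caller principal handed to the role mappers, may be null
     * @param set role principals to test, may be null
     * @return true if any role in {@code set} is held; false when {@code set} is null/empty
     *         or no roles could be determined for the caller
     */
    public boolean doesUserHaveRole(Principal principal, Set<Principal> set) {
        RoleGroup currentRoles = getCurrentRoles(principal);
        if (this.trace) {
            log.trace("doesUserHaveRole(Set), roles: " + currentRoles);
        }
        // No role information (or nothing to test) means no access: fail closed.
        if (currentRoles == null || set == null) {
            return false;
        }
        boolean hasRole = false;
        for (Principal candidate : set) {
            hasRole = doesRoleGroupHaveRole(candidate, currentRoles);
            if (this.trace) {
                log.trace("hasRole(" + candidate + ")=" + hasRole);
            }
            if (hasRole) {
                break;
            }
        }
        if (this.trace) {
            log.trace("hasRole=" + hasRole);
        }
        return hasRole;
    }

    /**
     * Checks whether the caller holds the single role {@code principal2}.
     *
     * @param principal caller principal handed to the role mappers, may be null
     * @param principal2 role to test
     * @return true if the role is held; false when no roles could be determined
     */
    public boolean doesUserHaveRole(Principal principal, Principal principal2) {
        return doesRoleGroupHaveRole(principal2, getCurrentRoles(principal));
    }

    /**
     * Returns the caller's roles as a set of {@link SimplePrincipal}s.
     *
     * @param principal caller principal handed to the role mappers, may be null
     * @return the role principals, or null when no roles could be determined
     */
    public Set<Principal> getUserRoles(Principal principal) {
        return getRolesAsSet(getCurrentRoles(principal));
    }

    /**
     * Tests whether {@code principal} names a role contained in {@code roleGroup}.
     * A {@link NobodyPrincipal} never matches; an {@link AnybodyPrincipal} matches
     * whenever a role group is present.
     *
     * @param principal role to test
     * @param roleGroup roles held by the user, may be null
     * @return true if the role is held; false for a null principal or null role group
     */
    protected boolean doesRoleGroupHaveRole(Principal principal, RoleGroup roleGroup) {
        if (principal == null || principal instanceof NobodyPrincipal) {
            return false;
        }
        // No role information at all: fail closed rather than dereference null.
        if (roleGroup == null) {
            return false;
        }
        if (roleGroup.containsRole(new SimpleRole(principal.getName()))) {
            return true;
        }
        return principal instanceof AnybodyPrincipal;
    }

    @Override
    public String toString() {
        StringBuilder sb = new StringBuilder();
        sb.append("[AuthorizationManager:class=").append(getClass().getName());
        sb.append(":").append(this.securityDomain).append(":");
        sb.append("]");
        return sb.toString();
    }

    /**
     * Installs the authorization context to use; it must belong to this security domain.
     *
     * @param authorizationContext the context; must not be null
     * @throws IllegalArgumentException if the context is null or bound to another security domain
     */
    public void setAuthorizationContext(AuthorizationContext authorizationContext) {
        if (authorizationContext == null) {
            throw new IllegalArgumentException("AuthorizationContext is null");
        }
        this.lock.lock();
        try {
            String contextDomain = authorizationContext.getSecurityDomain();
            if (!this.securityDomain.equals(contextDomain)) {
                throw new IllegalArgumentException("The Security Domain " + contextDomain + " does not match with " + this.securityDomain);
            }
            this.authorizationContext = authorizationContext;
        } finally {
            this.lock.unlock();
        }
    }

    /** @return the security domain given at construction */
    public String getSecurityDomain() {
        return this.securityDomain;
    }

    /**
     * Not supported by this implementation.
     *
     * @throws NotImplementedException always
     */
    public Group getTargetRoles(Principal principal, Map<String, Object> map) {
        throw new NotImplementedException();
    }

    /**
     * Converts a role group into a set of {@link SimplePrincipal}s named after each role.
     *
     * @param roleGroup roles to convert, may be null
     * @return the principals, or null when {@code roleGroup} is null
     */
    private HashSet<Principal> getRolesAsSet(RoleGroup roleGroup) {
        if (roleGroup == null) {
            return null;
        }
        HashSet<Principal> principals = new HashSet<Principal>();
        for (Iterator<?> it = roleGroup.getRoles().iterator(); it.hasNext();) {
            principals.add(new SimplePrincipal(((Role) it.next()).getRoleName()));
        }
        return principals;
    }

    /**
     * Resolves the roles of {@code subject} using the security context obtained through
     * {@code callbackHandler}. The incoming run-as identity, when present, is the
     * principal handed to the role mappers.
     *
     * @param subject subject whose roles are wanted; null yields null
     * @param callbackHandler handler that answers a {@link SecurityContextCallback}; must not be null
     * @return the resolved roles, never null for a non-null subject (an empty "Roles" group when none)
     * @throws IllegalArgumentException if {@code callbackHandler} is null
     * @throws RuntimeException wrapping any failure during callback handling or role resolution
     */
    public RoleGroup getSubjectRoles(Subject subject, CallbackHandler callbackHandler) {
        if (subject == null) {
            return null;
        }
        if (callbackHandler == null) {
            throw new IllegalArgumentException("callbackHandler is null");
        }
        SecurityContextCallback contextCallback = new SecurityContextCallback();
        try {
            callbackHandler.handle(new Callback[]{contextCallback});
            SecurityContext securityContext = contextCallback.getSecurityContext();
            if (securityContext == null) {
                throw new IllegalStateException("CallbackHandler did not supply a SecurityContext");
            }
            SimplePrincipal runAsPrincipal = null;
            RunAs incomingRunAs = securityContext.getIncomingRunAs();
            if (incomingRunAs != null) {
                runAsPrincipal = new SimplePrincipal(incomingRunAs.getName());
            }
            RoleGroup roles = getCurrentRoles(runAsPrincipal, subject, securityContext);
            return roles != null ? roles : getEmptyRoleGroup();
        } catch (Exception e) {
            log.trace("Exception in getSubjectRoles:", e);
            throw new RuntimeException(e);
        }
    }

    /**
     * Resolves roles for the subject and security context bound to the calling thread.
     * If no security context is bound, a new {@link JBossSecurityContext} for this
     * security domain is created and installed on the thread as a side effect.
     *
     * @param principal caller principal handed to the role mappers, may be null
     * @return the roles, or null when none could be determined
     * @throws IllegalArgumentException if no subject is active on the thread
     */
    private RoleGroup getCurrentRoles(Principal principal) {
        Subject activeSubject = SubjectActions.getActiveSubject();
        SecurityContext securityContext = SubjectActions.getSecurityContext();
        if (securityContext == null) {
            securityContext = new JBossSecurityContext(this.securityDomain);
            SubjectActions.setSecurityContext(securityContext);
        }
        return getCurrentRoles(principal, activeSubject, securityContext);
    }

    /**
     * Merges the subject's "Roles" group into the security context's roles, applies
     * role mapping when ROLE mapping modules are configured, and caches the result.
     *
     * <p>Side effects: the subject's roles are added in place to the context's existing
     * role group, the mapped roles are stored under the "Roles" key of the context data,
     * and the context's roles are set when they were previously unset.
     *
     * @param principal caller principal handed to the mapping modules, may be null
     * @param subject authenticated subject; must not be null
     * @param securityContext current security context; must not be null
     * @return the merged roles, or null when neither the context nor the subject supplies any
     * @throws IllegalArgumentException if {@code subject} or {@code securityContext} is null
     */
    private RoleGroup getCurrentRoles(Principal principal, Subject subject, SecurityContext securityContext) {
        if (subject == null) {
            throw new IllegalArgumentException("Subject passed is null");
        }
        if (securityContext == null) {
            throw new IllegalArgumentException("Sec Ctx sc passed is null");
        }
        Group subjectRoles = getGroupFromSubject(subject);
        RoleGroup contextRoles = securityContext.getUtil().getRoles();
        // Mapping is (re)applied when the context has no roles yet or a refresh was requested.
        boolean refreshRoles = contextRoles == null
                || "true".equalsIgnoreCase(SubjectActions.getRefreshSecurityContextRoles());
        RoleGroup mergedRoles = copyGroups(contextRoles, subjectRoles);
        // A Group and a RoleGroup can only be the same reference when both are null,
        // i.e. this branch is skipped only when there are no roles at all and no refresh.
        if (subjectRoles != mergedRoles || refreshRoles) {
            MappingContext mappingContext = securityContext.getMappingManager().getMappingContext(MappingType.ROLE.name());
            RoleGroup mappedRoles = mergedRoles;
            if (mappingContext != null && mappingContext.hasModules()) {
                Map<String, Object> mappingInput = new HashMap<String, Object>();
                mappingInput.put(ROLES_IDENTIFIER, mergedRoles);
                if (principal != null) {
                    mappingInput.put("Principal", principal);
                }
                mappingInput.put("deploymentPrincipalRolesMap", SecurityRolesAssociation.getSecurityRoles());
                mappingInput.put("PrincipalsSet", subject.getPrincipals());
                if (this.trace) {
                    log.trace("Roles before mapping:" + mergedRoles);
                }
                if (mergedRoles == null) {
                    mergedRoles = getEmptyRoleGroup();
                }
                mappingContext.performMapping(mappingInput, mergedRoles);
                mappedRoles = (RoleGroup) mappingContext.getMappingResult().getMappedObject();
                if (this.trace) {
                    log.trace("Roles after mapping:" + mappedRoles);
                }
            }
            securityContext.getData().put(ROLES_IDENTIFIER, mappedRoles);
        }
        if (securityContext.getUtil().getRoles() == null) {
            securityContext.getUtil().setRoles(mergedRoles);
        }
        return mergedRoles;
    }

    /**
     * Adds every member of {@code group} to {@code roleGroup} as a {@link SimpleRole}.
     * The given role group is modified in place; a new empty one is created when it is null.
     *
     * @param roleGroup target role group, may be null
     * @param group principals to copy, may be null
     * @return {@code roleGroup} unchanged when {@code group} is null (possibly null),
     *         otherwise the populated role group
     */
    private RoleGroup copyGroups(RoleGroup roleGroup, Group group) {
        if (group == null) {
            return roleGroup;
        }
        RoleGroup target = roleGroup != null ? roleGroup : getEmptyRoleGroup();
        Enumeration<? extends Principal> members = group.members();
        while (members.hasMoreElements()) {
            target.addRole(new SimpleRole(members.nextElement().getName()));
        }
        return target;
    }

    /**
     * Delegates to the authorization context, creating it on first use. The whole call
     * runs under {@link #lock}, so authorization decisions are serialized per manager.
     *
     * @throws AuthorizationException propagated from the authorization context
     */
    private int internalAuthorization(Resource resource, Subject subject, RoleGroup roleGroup) throws AuthorizationException {
        this.lock.lock();
        try {
            if (this.authorizationContext == null) {
                this.authorizationContext = new JBossAuthorizationContext(this.securityDomain);
            }
            return this.authorizationContext.authorize(resource, subject, roleGroup);
        } finally {
            this.lock.unlock();
        }
    }

    /**
     * Finds the subject's {@link Group} principal named "Roles".
     *
     * @param subject subject to inspect; must not be null
     * @return the last matching group in iteration order, or null if there is none
     * @throws IllegalArgumentException if {@code subject} is null
     */
    private Group getGroupFromSubject(Subject subject) {
        if (subject == null) {
            throw new IllegalArgumentException("Subject is null");
        }
        Group rolesGroup = null;
        for (Group candidate : subject.getPrincipals(Group.class)) {
            if (ROLES_IDENTIFIER.equals(candidate.getName())) {
                rolesGroup = candidate;
            }
        }
        return rolesGroup;
    }

    /**
     * Converts a {@link Group} into a {@link SimpleRoleGroup} of the same name whose
     * roles are named after the group's members.
     *
     * @param group source group; must not be null
     * @throws IllegalArgumentException if {@code group} is null
     */
    private RoleGroup getRoleGroup(Group group) {
        if (group == null) {
            throw new IllegalArgumentException("roleGroup is null");
        }
        SimpleRoleGroup roleGroup = new SimpleRoleGroup(group.getName());
        Enumeration<? extends Principal> members = group.members();
        while (members.hasMoreElements()) {
            roleGroup.addRole(new SimpleRole(members.nextElement().getName()));
        }
        return roleGroup;
    }

    /**
     * Rejects resources that cannot be authorized.
     *
     * @throws IllegalArgumentException if {@code resource} or its context map is null
     */
    private void validateResource(Resource resource) {
        if (resource == null) {
            throw new IllegalArgumentException("resource is null");
        }
        if (resource.getMap() == null) {
            throw new IllegalArgumentException("resource has null context map");
        }
    }

    /** @return a new, empty role group named "Roles" */
    private RoleGroup getEmptyRoleGroup() {
        return new SimpleRoleGroup(ROLES_IDENTIFIER);
    }
}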
