package org.jboss.security.plugins;

import com.sun.xacml.Policy;
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.security.Principal;
import java.security.PrivilegedActionException;
import java.security.acl.Group;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.jacc.PolicyContext;
import javax.security.jacc.PolicyContextException;
import org.jboss.logging.Logger;
import org.jboss.security.AnybodyPrincipal;
import org.jboss.security.AuthorizationManager;
import org.jboss.security.NobodyPrincipal;
import org.jboss.security.SecurityConstants;
import org.jboss.security.SecurityContext;
import org.jboss.security.SecurityRolesAssociation;
import org.jboss.security.SimpleGroup;
import org.jboss.security.authorization.AuthorizationContext;
import org.jboss.security.authorization.AuthorizationException;
import org.jboss.security.authorization.PolicyRegistration;
import org.jboss.security.authorization.Resource;
import org.jboss.security.mapping.MappingContext;
import org.jboss.security.plugins.authorization.JBossAuthorizationContext;
import org.jboss.util.xml.DOMUtils;

/* loaded from: input_file:org/jboss/security/plugins/JBossAuthorizationManager.class */
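/**
 * Per-security-domain {@link AuthorizationManager} that also acts as an XACML
 * {@link PolicyRegistration}.
 * <p>
 * Role queries ({@link #doesUserHaveRole(Principal, Set)}, {@link #doesUserHaveRole(Principal, Principal)},
 * {@link #getUserRoles(Principal)}) resolve the caller's roles from the active {@link Subject} and the
 * thread's {@link SecurityContext}, run them through the domain's role-mapping modules (when a
 * {@link MappingContext} for {@link Group} exists) and then test membership. Resource decisions
 * ({@link #authorize(Resource)}) are delegated to an {@link AuthorizationContext}. Registered XACML
 * {@link Policy} documents are kept in memory keyed by JACC context id.
 * <p>
 * NOTE(review): nothing here synchronizes access to {@code contextIdToPolicy} or to the lazily
 * created {@code authorizationContext}. If one instance serves a whole security domain concurrently
 * (the usual deployment model for a domain manager) those accesses race — confirm the threading
 * model of the caller and guard them if needed.
 */
public class JBossAuthorizationManager implements AuthorizationManager, PolicyRegistration {
    /** Name of the security domain this manager answers for. */
    private String securityDomain;
    /** XACML policies registered through {@link #registerPolicy}, keyed by JACC context id. */
    private Map<String, Policy> contextIdToPolicy;
    private static Logger log = Logger.getLogger(JBossAuthorizationManager.class);
    /** Snapshot of {@code log.isTraceEnabled()} taken at construction. */
    protected boolean trace;
    /** Handed to the lazily created {@link JBossAuthorizationContext}; may be {@code null}. */
    private CallbackHandler callbackHandler;
    /** Injected via {@link #setAuthorizationContext} or created on first {@link #authorize(Resource)}. */
    private AuthorizationContext authorizationContext;

    /**
     * Creates a manager for the given security domain with no callback handler.
     *
     * @param str the security domain name
     */
    public JBossAuthorizationManager(String str) {
        this.securityDomain = str;
        this.contextIdToPolicy = new HashMap<String, Policy>();
        this.trace = log.isTraceEnabled();
        this.callbackHandler = null;
        this.authorizationContext = null;
    }

    /**
     * Creates a manager for the given security domain.
     *
     * @param str             the security domain name
     * @param callbackHandler handler passed to the authorization context; may be {@code null}
     */
    public JBossAuthorizationManager(String str, CallbackHandler callbackHandler) {
        this(str);
        this.callbackHandler = callbackHandler;
    }

    /**
     * Delegates a resource authorization decision to the {@link AuthorizationContext}.
     * <p>
     * The authenticated {@link Subject} is read from the JACC {@link PolicyContext}. If that lookup
     * fails, the error is logged and the context is still consulted with a {@code null} subject. When
     * no context has been injected through {@link #setAuthorizationContext}, one is created on the
     * first call and retained for the lifetime of this manager.
     * <p>
     * NOTE(review): the retained context is constructed with the Subject of whichever call happens
     * first and is then reused for every later caller of this manager. Whether that is safe depends
     * on {@link JBossAuthorizationContext} re-resolving the subject inside its own {@code authorize};
     * confirm, because otherwise later callers are evaluated against the first caller's identity.
     * The {@code null} check is also unsynchronized, so two concurrent first callers may each build
     * a context.
     *
     * @param resource the resource being accessed
     * @return the decision code returned by the authorization context
     * @throws AuthorizationException propagated from the authorization context
     */
    public int authorize(Resource resource) throws AuthorizationException {
        Subject subject = null;
        try {
            subject = (Subject) PolicyContext.getContext(SecurityConstants.SUBJECT_CONTEXT_KEY);
        } catch (PolicyContextException e) {
            log.error("Error obtaining AuthenticatedSubject:", e);
        }
        if (this.authorizationContext == null) {
            this.authorizationContext =
                    new JBossAuthorizationContext(this.securityDomain, subject, this.callbackHandler);
        }
        return this.authorizationContext.authorize(resource);
    }

    /**
     * Returns {@code true} if the caller holds at least one of the given role principals.
     * <p>
     * Fails closed: a {@code null} role set, or a caller with no resolvable roles group, yields
     * {@code false} (the original NPE'd on a {@code null} set).
     *
     * @param principal the caller, forwarded to the role-mapping modules
     * @param set       a {@link Set} of role {@link Principal}s (raw type, as declared by the interface)
     * @return whether any role in {@code set} is granted to the caller
     */
    public boolean doesUserHaveRole(Principal principal, Set set) {
        Group currentRoles = getCurrentRoles(principal);
        if (this.trace) {
            log.trace("doesUserHaveRole(Set), roles: " + currentRoles);
        }
        if (currentRoles == null || set == null) {
            return false;
        }
        boolean hasRole = false;
        Iterator it = set.iterator();
        // Stop at the first granted role; the trace output mirrors each individual check.
        while (!hasRole && it.hasNext()) {
            Principal role = (Principal) it.next();
            hasRole = doesRoleGroupHaveRole(role, currentRoles);
            if (this.trace) {
                log.trace("hasRole(" + role + ")=" + hasRole);
            }
        }
        if (this.trace) {
            log.trace("hasRole=" + hasRole);
        }
        return hasRole;
    }

    /**
     * Returns {@code true} if the caller holds the given role principal.
     *
     * @param principal  the caller, forwarded to the role-mapping modules
     * @param principal2 the role to test
     * @return whether the role is granted; {@code false} when the caller has no roles group
     */
    public boolean doesUserHaveRole(Principal principal, Principal principal2) {
        return doesRoleGroupHaveRole(principal2, getCurrentRoles(principal));
    }

    /**
     * Returns the caller's (mapped) roles as a set of principals.
     *
     * @param principal the caller, forwarded to the role-mapping modules
     * @return the role principals, or {@code null} when no roles group could be resolved
     */
    public Set getUserRoles(Principal principal) {
        return getRolesAsSet(getCurrentRoles(principal));
    }

    /**
     * Tests a single role against a roles group.
     * <p>
     * {@link NobodyPrincipal} never matches; {@link AnybodyPrincipal} matches whenever a roles group
     * is present, even if it is not an explicit member. A {@code null} group fails closed and returns
     * {@code false}, consistent with {@link #doesUserHaveRole(Principal, Set)} (the original NPE'd).
     *
     * @param principal the role to test
     * @param group     the caller's roles group, possibly {@code null}
     * @return whether the role is granted
     */
    protected boolean doesRoleGroupHaveRole(Principal principal, Group group) {
        if (principal instanceof NobodyPrincipal) {
            return false;
        }
        if (group == null) {
            return false;
        }
        if (group.isMember(principal)) {
            return true;
        }
        return principal instanceof AnybodyPrincipal;
    }

    /**
     * Registers the XACML policy found at {@code url} for the given context id.
     * <p>
     * The stream opened on the URL is closed here. Any failure is logged at ERROR (not swallowed at
     * DEBUG as before) because a policy that silently fails to register leaves the context without
     * one, which is a security misconfiguration worth surfacing.
     *
     * @param str the JACC context id
     * @param url location of the XACML policy document
     */
    public void registerPolicy(String str, URL url) {
        InputStream in = null;
        try {
            if (this.trace) {
                log.trace("Registering policy for contextId:" + str + " and location:" + url.getPath());
            }
            in = url.openStream();
            registerPolicy(str, in);
        } catch (Exception e) {
            log.error("Error in registering xacml policy:", e);
        } finally {
            if (in != null) {
                try {
                    in.close();
                } catch (IOException ignored) {
                    // Registration already succeeded or was reported; nothing further to do.
                }
            }
        }
    }

    /**
     * Parses an XACML policy from {@code inputStream} and registers it for the given context id.
     * The caller owns and closes the stream. Failures are logged at ERROR and the map is left
     * unchanged for that context id.
     * <p>
     * NOTE(review): the parser configuration lives in {@code DOMUtils.parse} and is not visible
     * here; if policy documents can originate outside the deployment, confirm DTD and external
     * entity resolution are disabled there.
     *
     * @param str         the JACC context id
     * @param inputStream the XACML policy document
     */
    public void registerPolicy(String str, InputStream inputStream) {
        try {
            this.contextIdToPolicy.put(str, Policy.getInstance(DOMUtils.parse(inputStream)));
        } catch (Exception e) {
            log.error("Error in registering xacml policy:", e);
        }
    }

    /**
     * Removes the policy registered for the given context id, if any.
     *
     * @param str the JACC context id
     */
    public void deRegisterPolicy(String str) {
        this.contextIdToPolicy.remove(str);
        if (this.trace) {
            log.trace("DeRegistered policy for contextId:" + str);
        }
    }

    /**
     * Looks up the policy registered for a context id.
     *
     * @param str the JACC context id
     * @param map ignored by this implementation
     * @return the registered {@link Policy}, or {@code null} if none
     */
    public Object getPolicy(String str, Map map) {
        return this.contextIdToPolicy.get(str);
    }

    /** @return a short description of the form {@code [AuthorizationManager:class=...:domain:]}. */
    public String toString() {
        StringBuilder sb = new StringBuilder();
        sb.append("[AuthorizationManager:class=").append(getClass().getName());
        sb.append(":").append(this.securityDomain).append(":");
        sb.append("]");
        return sb.toString();
    }

    /**
     * Injects the {@link AuthorizationContext} used by {@link #authorize(Resource)}.
     *
     * @param authorizationContext the context to use
     * @throws IllegalArgumentException if {@code authorizationContext} is {@code null}
     */
    public void setAuthorizationContext(AuthorizationContext authorizationContext) {
        if (authorizationContext == null) {
            throw new IllegalArgumentException("AuthorizationContext is null");
        }
        this.authorizationContext = authorizationContext;
    }

    /** @return the security domain this manager answers for */
    public String getSecurityDomain() {
        return this.securityDomain;
    }

    /**
     * Copies the members of a group into a new set.
     *
     * @param group the roles group, possibly {@code null}
     * @return a new set of the group's members, or {@code null} when {@code group} is {@code null}
     */
    private Set<Principal> getRolesAsSet(Group group) {
        if (group == null) {
            return null;
        }
        Set<Principal> roles = new HashSet<Principal>();
        Enumeration<? extends Principal> members = group.members();
        while (members.hasMoreElements()) {
            roles.add(members.nextElement());
        }
        return roles;
    }

    /**
     * Resolves the caller's roles for this request.
     * <p>
     * Steps: take the "Roles" group from the active Subject; obtain (or create and install) the
     * thread's {@link SecurityContext}; merge the Subject roles into the roles group cached in the
     * context's data map (mutating that cached group in place when it exists); when the merge
     * produced a different object than the Subject's group, or a refresh was requested, run the
     * domain's {@link Group} mapping context and store its result back into the security context.
     * <p>
     * NOTE(review): the value returned is the merged (pre-mapping) group, while the object stored in
     * the security context is the mapping result. If the mapping modules return a new object rather
     * than mutating their input, callers of this method see unmapped roles — confirm against the
     * mapping implementation.
     *
     * @param principal the caller, handed to the mapping modules
     * @return the caller's roles group, or {@code null} when neither the Subject nor the security
     *         context provides one
     * @throws IllegalArgumentException if there is no active Subject
     * @throws IllegalStateException    if a privileged lookup fails
     */
    private Group getCurrentRoles(Principal principal) {
        try {
            Subject activeSubject = SubjectActions.getActiveSubject();
            Group subjectRoles = getSubjectRoles(activeSubject);
            SecurityContext securityContext = SubjectActions.getSecurityContext();
            if (securityContext == null) {
                securityContext = new JBossSecurityContext(this.securityDomain);
                SubjectActions.setSecurityContext(securityContext);
            }
            Group contextRoles = (Group) securityContext.getData().get(SecurityConstants.ROLES_IDENTIFIER);
            // Re-run mapping when the context has no cached roles yet or a refresh was requested.
            boolean refreshRoles = contextRoles == null
                    || "true".equalsIgnoreCase(SubjectActions.getRefreshSecurityContextRoles());
            Group mergedRoles = copyGroups(contextRoles, subjectRoles);
            if (subjectRoles != mergedRoles || refreshRoles) {
                MappingContext mappingContext =
                        securityContext.getMappingManager().getMappingContext(Group.class);
                Group mappedRoles = mergedRoles;
                if (mappingContext != null) {
                    // Raw map: the exact parameter type of performMapping is not visible here.
                    HashMap mappingInput = new HashMap();
                    mappingInput.put(SecurityConstants.ROLES_IDENTIFIER, mergedRoles);
                    mappingInput.put(SecurityConstants.PRINCIPAL_IDENTIFIER, principal);
                    mappingInput.put(SecurityConstants.DEPLOYMENT_PRINCIPAL_ROLES_MAP,
                            SecurityRolesAssociation.getSecurityRoles());
                    mappingInput.put(SecurityConstants.PRINCIPALS_SET_IDENTIFIER, activeSubject.getPrincipals());
                    if (this.trace) {
                        log.trace("Roles before mapping:" + mergedRoles);
                    }
                    mappingContext.performMapping(mappingInput, mergedRoles);
                    mappedRoles = (Group) mappingContext.getMappingResult().getMappedObject();
                    if (this.trace) {
                        // Log what is actually stored, i.e. the mapping result.
                        log.trace("Roles after mapping:" + mappedRoles);
                    }
                }
                securityContext.getData().put(SecurityConstants.ROLES_IDENTIFIER, mappedRoles);
            }
            return mergedRoles;
        } catch (PrivilegedActionException e) {
            throw new IllegalStateException(e);
        }
    }

    /**
     * Adds every member of {@code group2} to {@code group}, creating a fresh "Roles" group when
     * {@code group} is {@code null}. {@code group} itself is mutated when present.
     *
     * @param group  the target group, possibly {@code null}
     * @param group2 the source group, possibly {@code null}
     * @return {@code group} unchanged when {@code group2} is {@code null}; otherwise the target
     *         (existing or newly created) containing the union of members
     */
    private Group copyGroups(Group group, Group group2) {
        if (group2 == null) {
            return group;
        }
        Group target = group;
        if (target == null) {
            target = new SimpleGroup(SecurityConstants.ROLES_IDENTIFIER);
        }
        Enumeration<? extends Principal> members = group2.members();
        while (members.hasMoreElements()) {
            target.addMember(members.nextElement());
        }
        return target;
    }

    /**
     * Not supported by this manager.
     *
     * @throws UnsupportedOperationException always (a {@link RuntimeException}, as before)
     */
    public Group getTargetRoles(Principal principal, Map map) {
        throw new UnsupportedOperationException("Not implemented");
    }

    /**
     * Finds the Subject's group named {@link SecurityConstants#ROLES_IDENTIFIER}. If several match,
     * the last one in iteration order wins.
     *
     * @param subject the active Subject
     * @return the roles group, or {@code null} if the Subject carries none
     * @throws IllegalArgumentException if {@code subject} is {@code null}
     */
    private Group getSubjectRoles(Subject subject) {
        if (subject == null) {
            throw new IllegalArgumentException("Subject is null");
        }
        Group roles = null;
        for (Group candidate : subject.getPrincipals(Group.class)) {
            if (candidate.getName().equals(SecurityConstants.ROLES_IDENTIFIER)) {
                roles = candidate;
            }
        }
        return roles;
    }
}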
