package org.jboss.security.plugins;

import java.lang.reflect.Method;
import java.lang.reflect.UndeclaredThrowableException;
import java.security.Principal;
import java.security.acl.Group;
import java.util.Arrays;
import java.util.Enumeration;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.jboss.logging.Logger;
import org.jboss.security.RealmMapping;
import org.jboss.security.SecurityAssociation;
import org.jboss.security.SecurityConstants;
import org.jboss.security.SubjectSecurityManager;
import org.jboss.security.Util;
import org.jboss.security.auth.callback.SecurityAssociationHandler;
import org.jboss.system.ServiceMBeanSupport;
import org.jboss.system.pm.XMLAttributePersistenceManager;
import org.jboss.util.CachePolicy;
import org.jboss.util.TimedCachePolicy;

/* loaded from: input_file:org/jboss/security/plugins/JaasSecurityManager.class */
public class JaasSecurityManager extends ServiceMBeanSupport implements SubjectSecurityManager, RealmMapping {
    private String securityDomain;
    private CachePolicy domainCache;
    private CallbackHandler handler;
    private Method setSecurityInfo;
    private boolean deepCopySubjectOption;
    protected Logger log;
    protected boolean trace;

    /* loaded from: input_file:org/jboss/security/plugins/JaasSecurityManager$DomainInfo.class */
    public static class DomainInfo implements TimedCachePolicy.TimedEntry {
        private static Logger log = Logger.getLogger(DomainInfo.class);
        private static boolean trace = log.isTraceEnabled();
        private LoginContext loginCtx;
        private Subject subject;
        private Object credential;
        private Principal callerPrincipal;
        private long expirationTime;
        private boolean needsDestroy;
        private int activeUsers;

        public DomainInfo(long j) {
            this.expirationTime = j;
            if (this.expirationTime != -1) {
                this.expirationTime *= 1000;
            }
        }

        synchronized int acquire() {
            int i = this.activeUsers;
            this.activeUsers = i + 1;
            return i;
        }

        synchronized int release() {
            int i = this.activeUsers;
            this.activeUsers = i - 1;
            if (this.needsDestroy && i == 0) {
                if (trace) {
                    log.trace("needsDestroy is true, doing logout");
                }
                logout();
            }
            return i;
        }

        synchronized void logout() {
            if (trace) {
                log.trace("logout, subject=" + this.subject + ", this=" + this);
            }
            try {
                if (this.loginCtx != null) {
                    this.loginCtx.logout();
                }
            } catch (Throwable th) {
                if (trace) {
                    log.trace("Cache entry logout failed", th);
                }
            }
        }

        @Override // org.jboss.util.TimedCachePolicy.TimedEntry
        public void init(long j) {
            this.expirationTime += j;
        }

        @Override // org.jboss.util.TimedCachePolicy.TimedEntry
        public boolean isCurrent(long j) {
            boolean z = this.expirationTime == -1;
            if (!z) {
                z = this.expirationTime > j;
            }
            return z;
        }

        @Override // org.jboss.util.TimedCachePolicy.TimedEntry
        public boolean refresh() {
            return false;
        }

        @Override // org.jboss.util.TimedCachePolicy.TimedEntry
        public void destroy() {
            if (trace) {
                log.trace("destroy, subject=" + this.subject + ", this=" + this + ", activeUsers=" + this.activeUsers);
            }
            synchronized (this) {
                if (this.activeUsers == 0) {
                    logout();
                } else {
                    if (trace) {
                        log.trace("destroy saw activeUsers=" + this.activeUsers);
                    }
                    this.needsDestroy = true;
                }
            }
        }

        @Override // org.jboss.util.TimedCachePolicy.TimedEntry
        public Object getValue() {
            return this;
        }

        public String toString() {
            StringBuffer stringBuffer = new StringBuffer(super.toString());
            stringBuffer.append('[');
            stringBuffer.append(SubjectActions.toString(this.subject));
            stringBuffer.append(",credential.class=");
            if (this.credential != null) {
                Class<?> cls = this.credential.getClass();
                stringBuffer.append(cls.getName());
                stringBuffer.append('@');
                stringBuffer.append(System.identityHashCode(cls));
            } else {
                stringBuffer.append(XMLAttributePersistenceManager.AL_NULL_ATTRIBUTE);
            }
            stringBuffer.append(",expirationTime=");
            stringBuffer.append(this.expirationTime);
            stringBuffer.append(']');
            return stringBuffer.toString();
        }
    }

    public JaasSecurityManager() {
        this(SecurityConstants.DEFAULT_APPLICATION_POLICY, new SecurityAssociationHandler());
    }

    public JaasSecurityManager(String str, CallbackHandler callbackHandler) {
        this.deepCopySubjectOption = false;
        this.securityDomain = str;
        this.handler = callbackHandler;
        this.log = Logger.getLogger(getClass().getName() + '.' + str);
        this.trace = this.log.isTraceEnabled();
        try {
            this.setSecurityInfo = callbackHandler.getClass().getMethod("setSecurityInfo", Principal.class, Object.class);
            this.log.debug("CallbackHandler: " + callbackHandler);
        } catch (Exception e) {
            throw new UndeclaredThrowableException(e, "Failed to find setSecurityInfo(Princpal, Object) method in handler");
        }
    }

    public void setCachePolicy(CachePolicy cachePolicy) {
        this.domainCache = cachePolicy;
        this.log.debug("CachePolicy set to: " + cachePolicy);
    }

    public void setDeepCopySubjectOption(Boolean bool) {
        this.log.debug("setDeepCopySubjectOption=" + bool);
        this.deepCopySubjectOption = bool == Boolean.TRUE;
    }

    public void flushCache() {
        if (this.domainCache != null) {
            this.domainCache.flush();
        }
    }

    @Override // org.jboss.security.AuthenticationManager
    public String getSecurityDomain() {
        return this.securityDomain;
    }

    @Override // org.jboss.security.AuthenticationManager
    public Subject getActiveSubject() {
        return SecurityAssociation.getSubject();
    }

    @Override // org.jboss.security.AuthenticationManager
    public boolean isValid(Principal principal, Object obj) {
        return isValid(principal, obj, null);
    }

    @Override // org.jboss.security.AuthenticationManager
    public boolean isValid(Principal principal, Object obj, Subject subject) {
        DomainInfo cacheInfo = getCacheInfo(principal, true);
        if (this.trace) {
            this.log.trace("Begin isValid, principal:" + principal + ", cache info: " + cacheInfo);
        }
        boolean z = false;
        if (cacheInfo != null) {
            z = validateCache(cacheInfo, obj, subject);
            if (cacheInfo != null) {
                cacheInfo.release();
            }
        }
        if (!z) {
            z = authenticate(principal, obj, subject);
        }
        if (this.trace) {
            this.log.trace("End isValid, " + z);
        }
        return z;
    }

    @Override // org.jboss.security.RealmMapping
    public Principal getPrincipal(Principal principal) {
        Principal principal2 = principal;
        synchronized (this.domainCache) {
            DomainInfo cacheInfo = getCacheInfo(principal, false);
            if (this.trace) {
                this.log.trace("getPrincipal, cache info: " + cacheInfo);
            }
            if (cacheInfo != null) {
                principal2 = cacheInfo.callerPrincipal;
                if (principal2 == null) {
                    principal2 = principal;
                }
                cacheInfo.release();
            }
        }
        return principal2;
    }

    @Override // org.jboss.security.RealmMapping
    public boolean doesUserHaveRole(Principal principal, Set set) {
        return Util.getAuthorizationManager(this.securityDomain).doesUserHaveRole(principal, set);
    }

    @Override // org.jboss.security.RealmMapping
    public Set getUserRoles(Principal principal) {
        return Util.getAuthorizationManager(this.securityDomain).getUserRoles(principal);
    }

    @Override // org.jboss.security.AuthenticationManager
    public Principal getTargetPrincipal(Principal principal, Map map) {
        throw new RuntimeException("Not implemented yet");
    }

    private boolean authenticate(Principal principal, Object obj, Subject subject) {
        boolean z = false;
        LoginException loginException = null;
        try {
            LoginContext defaultLogin = defaultLogin(principal, obj);
            Subject subject2 = defaultLogin.getSubject();
            if (subject2 != null) {
                if (subject != null) {
                    SubjectActions.copySubject(subject2, subject, false, this.deepCopySubjectOption);
                }
                z = true;
                updateCache(defaultLogin, subject2, principal, obj);
            }
        } catch (LoginException e) {
            if ((principal != null && principal.getName() != null) || this.trace) {
                this.log.trace("Login failure", e);
            }
            loginException = e;
        }
        SubjectActions.setContextInfo("org.jboss.security.exception", loginException);
        return z;
    }

    private LoginContext defaultLogin(Principal principal, Object obj) throws LoginException {
        Object[] objArr = {principal, obj};
        try {
            CallbackHandler callbackHandler = (CallbackHandler) this.handler.getClass().newInstance();
            this.setSecurityInfo.invoke(callbackHandler, objArr);
            Subject subject = new Subject();
            if (this.trace) {
                this.log.trace("defaultLogin, principal=" + principal);
            }
            LoginContext createLoginContext = SubjectActions.createLoginContext(this.securityDomain, subject, callbackHandler);
            createLoginContext.login();
            if (this.trace) {
                this.log.trace("defaultLogin, lc=" + createLoginContext + ", subject=" + SubjectActions.toString(subject));
            }
            return createLoginContext;
        } catch (Throwable th) {
            if (this.trace) {
                this.log.trace("Failed to create/setSecurityInfo on handler", th);
            }
            LoginException loginException = new LoginException("Failed to setSecurityInfo on handler");
            loginException.initCause(th);
            throw loginException;
        }
    }

    private boolean validateCache(DomainInfo domainInfo, Object obj, Subject subject) {
        if (this.trace) {
            StringBuffer stringBuffer = new StringBuffer("Begin validateCache, info=");
            stringBuffer.append(domainInfo.toString());
            stringBuffer.append(";credential.class=");
            if (obj != null) {
                Class<?> cls = obj.getClass();
                stringBuffer.append(cls.getName());
                stringBuffer.append('@');
                stringBuffer.append(System.identityHashCode(cls));
            } else {
                stringBuffer.append(XMLAttributePersistenceManager.AL_NULL_ATTRIBUTE);
            }
            this.log.trace(stringBuffer.toString());
        }
        Object obj2 = domainInfo.credential;
        boolean z = false;
        if (obj == null || obj2 == null) {
            z = obj == null && obj2 == null;
        } else if (obj2.getClass().isAssignableFrom(obj.getClass())) {
            if (obj2 instanceof Comparable) {
                z = ((Comparable) obj2).compareTo(obj) == 0;
            } else {
                z = obj2 instanceof char[] ? Arrays.equals((char[]) obj2, (char[]) obj) : obj2 instanceof byte[] ? Arrays.equals((byte[]) obj2, (byte[]) obj) : obj2.getClass().isArray() ? Arrays.equals((Object[]) obj2, (Object[]) obj) : obj2.equals(obj);
            }
        } else if ((obj2 instanceof char[]) && (obj instanceof String)) {
            z = Arrays.equals((char[]) obj2, ((String) obj).toCharArray());
        } else if ((obj2 instanceof String) && (obj instanceof char[])) {
            z = Arrays.equals(((String) obj2).toCharArray(), (char[]) obj);
        }
        if (z && subject != null) {
            SubjectActions.copySubject(domainInfo.subject, subject, false, this.deepCopySubjectOption);
        }
        if (this.trace) {
            this.log.trace("End validateCache, isValid=" + z);
        }
        return z;
    }

    private DomainInfo getCacheInfo(Principal principal, boolean z) {
        DomainInfo domainInfo;
        if (this.domainCache == null) {
            return null;
        }
        synchronized (this.domainCache) {
            domainInfo = z ? (DomainInfo) this.domainCache.get(principal) : (DomainInfo) this.domainCache.peek(principal);
            if (domainInfo != null) {
                domainInfo.acquire();
            }
        }
        return domainInfo;
    }

    private Subject updateCache(LoginContext loginContext, Subject subject, Principal principal, Object obj) {
        if (this.domainCache == null) {
            return subject;
        }
        DomainInfo domainInfo = new DomainInfo(this.domainCache instanceof TimedCachePolicy ? ((TimedCachePolicy) this.domainCache).getDefaultLifetime() : 0L);
        domainInfo.loginCtx = loginContext;
        domainInfo.subject = new Subject();
        SubjectActions.copySubject(subject, domainInfo.subject, true, this.deepCopySubjectOption);
        domainInfo.credential = obj;
        if (this.trace) {
            this.log.trace("updateCache, inputSubject=" + SubjectActions.toString(subject) + ", cacheSubject=" + SubjectActions.toString(domainInfo.subject));
        }
        for (Group group : subject.getPrincipals(Group.class)) {
            if (group.getName().equals("CallerPrincipal")) {
                Enumeration<? extends Principal> members = group.members();
                if (members.hasMoreElements()) {
                    domainInfo.callerPrincipal = members.nextElement();
                }
            }
        }
        if (principal == null && domainInfo.callerPrincipal == null) {
            for (Principal principal2 : subject.getPrincipals(Principal.class)) {
                if (!(principal2 instanceof Group)) {
                    domainInfo.callerPrincipal = principal2;
                }
            }
        }
        synchronized (this.domainCache) {
            if (this.domainCache.peek(principal) != null) {
                this.domainCache.remove(principal);
            }
            this.domainCache.insert(principal, domainInfo);
            if (this.trace) {
                this.log.trace("Inserted cache info: " + domainInfo);
            }
        }
        return domainInfo.subject;
    }
}
