package org.wildfly.security.auth.jaspi.impl;

import java.io.IOException;
import java.security.Principal;
import java.security.PrivilegedActionException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.message.callback.CallerPrincipalCallback;
import javax.security.auth.message.callback.GroupPrincipalCallback;
import javax.security.auth.message.callback.PasswordValidationCallback;
import org.apache.activemq.artemis.uri.schema.connector.InVMTransportConfigurationSchema;
import org.wildfly.common.Assert;
import org.wildfly.security.auth.callback.CallbackUtil;
import org.wildfly.security.auth.jaspi._private.ElytronMessages;
import org.wildfly.security.auth.principal.NamePrincipal;
import org.wildfly.security.auth.server.SecurityDomain;
import org.wildfly.security.auth.server.SecurityIdentity;
import org.wildfly.security.auth.server.ServerAuthenticationContext;
import org.wildfly.security.authz.RoleMapper;
import org.wildfly.security.authz.Roles;
import org.wildfly.security.evidence.PasswordGuessEvidence;
import org.wildfly.security.permission.ElytronPermission;

/* loaded from: input_file:WEB-INF/lib/wildfly-elytron-1.15.16.Final.jar:org/wildfly/security/auth/jaspi/impl/JaspiAuthenticationContext.class */
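/**
 * Server-side JASPI authentication context backed by an Elytron {@link SecurityDomain}.
 * <p>
 * The {@link CallbackHandler} returned by {@link #createCallbackHandler()} interprets the three
 * JASPIC callbacks this class supports ({@code PasswordValidationCallback},
 * {@code CallerPrincipalCallback}, {@code GroupPrincipalCallback}) and records the resulting
 * {@link SecurityIdentity} and role names; {@link #getAuthorizedIdentity()} then returns that identity
 * with the collected roles applied as a constant role mapper.
 * <p>
 * NOTE(review): {@code roles} is a plain {@link HashSet} while {@code securityIdentity} is volatile; the
 * code appears to assume the callbacks and {@link #getAuthorizedIdentity()} run on a single thread —
 * confirm before sharing an instance across threads.
 */
public class JaspiAuthenticationContext {

    /** Permission checked by {@link #newInstance(SecurityDomain, boolean)} when a SecurityManager is installed. */
    static final ElytronPermission CREATE_AUTH_CONTEXT = ElytronPermission.forName("createServerAuthenticationContext");

    private final SecurityDomain securityDomain;
    // true: CallerPrincipalCallback is resolved through a ServerAuthenticationContext and authorize();
    // false: an identity is created ad hoc (or run-as without authorization) for whatever principal the
    // auth module names, i.e. the module itself is trusted to have authorized the caller.
    private final boolean integrated;
    // Written by the callback handler, read by getAuthorizedIdentity().
    private volatile SecurityIdentity securityIdentity = null;
    // Group names accumulated from GroupPrincipalCallback, applied in getAuthorizedIdentity().
    private final Set<String> roles = new HashSet<>();

    /**
     * @param securityDomain the domain used to authenticate and authorize callers
     * @param integrated     whether caller principals are authorized through the domain (see field comment)
     */
    JaspiAuthenticationContext(SecurityDomain securityDomain, boolean integrated) {
        this.securityDomain = securityDomain;
        this.integrated = integrated;
    }

    /**
     * Creates a new context, subject to the {@link #CREATE_AUTH_CONTEXT} permission when a
     * SecurityManager is installed.
     *
     * @param securityDomain the backing security domain (must not be {@code null})
     * @param integrated     whether caller principals are authorized through the domain
     * @return the new context
     * @throws SecurityException        if a SecurityManager denies {@link #CREATE_AUTH_CONTEXT}
     * @throws IllegalArgumentException if {@code securityDomain} is {@code null}
     */
    public static JaspiAuthenticationContext newInstance(SecurityDomain securityDomain, boolean integrated) {
        SecurityManager securityManager = System.getSecurityManager();
        if (securityManager != null) {
            securityManager.checkPermission(CREATE_AUTH_CONTEXT);
        }
        // NOTE(review): the parameter name passed to checkNotNullParam is an unrelated Artemis constant —
        // almost certainly decompiler constant folding; the original source presumably used a plain literal.
        SecurityDomain checked = Assert.checkNotNullParam(InVMTransportConfigurationSchema.SECURITY_DOMAIN, securityDomain);
        return new JaspiAuthenticationContext(checked, integrated);
    }

    /**
     * Creates the {@link CallbackHandler} that a ServerAuthModule uses to report authentication results
     * into this context.
     *
     * @return a handler bound to this context and its {@code integrated} mode
     */
    public CallbackHandler createCallbackHandler() {
        return createCommonCallbackHandler(this.integrated);
    }

    /**
     * Builds the callback handler. Each callback is handled once, in array order; an unsupported
     * callback aborts handling of the remaining ones with {@link UnsupportedCallbackException}.
     *
     * @param integrated whether caller principals are authorized through the security domain
     * @return the handler
     */
    private CallbackHandler createCommonCallbackHandler(final boolean integrated) {
        return new CallbackHandler() {

            @Override
            public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
                try {
                    SecurityActions.doPrivileged(() -> {
                        handleAll(callbacks);
                        return null;
                    });
                } catch (Exception e) {
                    // Checked exceptions from the privileged action arrive wrapped in PrivilegedActionException;
                    // unwrap the two types the CallbackHandler contract allows, wrap anything else as IOException.
                    if (e instanceof PrivilegedActionException) {
                        Throwable cause = e.getCause();
                        if (cause instanceof UnsupportedCallbackException) {
                            throw (UnsupportedCallbackException) cause;
                        }
                        if (cause instanceof IOException) {
                            throw (IOException) cause;
                        }
                    }
                    throw new IOException(e);
                }
            }

            // Dispatches every callback exactly once (the recursive original could re-handle the tail of
            // the array after an unsupported callback).
            private void handleAll(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
                for (Callback callback : callbacks) {
                    if (callback instanceof PasswordValidationCallback) {
                        handlePasswordValidation((PasswordValidationCallback) callback);
                    } else if (callback instanceof CallerPrincipalCallback) {
                        handleCallerPrincipal((CallerPrincipalCallback) callback);
                    } else if (callback instanceof GroupPrincipalCallback) {
                        handleGroupPrincipal((GroupPrincipalCallback) callback);
                    } else {
                        // Expected to throw UnsupportedCallbackException, ending the loop.
                        CallbackUtil.unsupported(callback);
                    }
                }
            }

            // Verifies username/password against the security domain. Any failure is reported to the
            // module only as setResult(false); the reason is kept in the trace log, not exposed to the caller.
            private void handlePasswordValidation(PasswordValidationCallback pvc) {
                String username = pvc.getUsername();
                ElytronMessages.log.tracef("Handling PasswordValidationCallback for '%s'", username);
                try {
                    // The password array is owned by the callback; the auth module is responsible for
                    // clearing it (PasswordValidationCallback.clearPassword()), so it is not wiped here.
                    SecurityIdentity authenticated = securityDomain.authenticate(username,
                            new PasswordGuessEvidence(pvc.getPassword()));
                    pvc.setResult(true);
                    JaspiAuthenticationContext.this.securityIdentity = authenticated;
                } catch (Exception e) {
                    ElytronMessages.log.trace("Authentication failed", e);
                    pvc.setResult(false);
                }
            }

            // Establishes the caller identity named by the module, deriving it from an already
            // authenticated identity when one exists.
            private void handleCallerPrincipal(CallerPrincipalCallback cpc) throws IOException {
                ElytronMessages.log.trace("Handling CallerPrincipalCallback");
                Principal original = cpc.getPrincipal();
                String name = cpc.getName();
                // The callback may carry a Principal, a bare name, or neither; a bare name becomes a NamePrincipal.
                Principal principal;
                if (original != null) {
                    principal = original;
                } else if (name != null) {
                    principal = new NamePrincipal(name);
                } else {
                    principal = null;
                }
                ElytronMessages.log.tracef("Original Principal = '%s', Caller Name = '%s', Resulting Principal = '%s'", original, name, principal);

                SecurityIdentity current = JaspiAuthenticationContext.this.securityIdentity;
                if (current == null && principal == null) {
                    // No prior authentication and no principal named: nothing to establish.
                    return;
                }
                SecurityIdentity resolved;
                if (current != null) {
                    resolved = deriveFromExisting(current, principal);
                } else if (integrated) {
                    resolved = authorizeByName(principal);
                } else {
                    // Non-integrated mode trusts the module's principal outright: no domain authorization.
                    resolved = securityDomain.createAdHocIdentity(principal);
                }
                if (resolved == null) {
                    throw ElytronMessages.log.authorizationFailed();
                }
                JaspiAuthenticationContext.this.securityIdentity = resolved;
                Subject subject = cpc.getSubject();
                if (subject != null && !subject.isReadOnly()) {
                    subject.getPrincipals().add(resolved.getPrincipal());
                }
            }

            // An identity already exists (e.g. from PasswordValidationCallback); derive the caller identity from it.
            private SecurityIdentity deriveFromExisting(SecurityIdentity current, Principal principal) throws IOException {
                if (principal != null) {
                    // Re-authorize only in integrated mode and only when the module actually switches principal.
                    // NOTE(review): the second argument is presumably an "authorize" flag — confirm against createRunAsIdentity.
                    boolean authorize = integrated && !current.getPrincipal().equals(principal);
                    return current.createRunAsIdentity(principal, authorize);
                }
                if (!integrated) {
                    return current;
                }
                // Closed on every path (the original leaked the context if importIdentity/authorize threw);
                // a failed authorize() now yields null -> authorizationFailed(), consistent with authorizeByName.
                try (ServerAuthenticationContext sac = securityDomain.createNewAuthenticationContext()) {
                    sac.importIdentity(current);
                    return sac.authorize() ? sac.getAuthorizedIdentity() : null;
                }
            }

            // No prior identity: authorize the named principal through the domain; null if authorization fails.
            private SecurityIdentity authorizeByName(Principal principal) throws IOException {
                try (ServerAuthenticationContext sac = securityDomain.createNewAuthenticationContext()) {
                    sac.setAuthenticationPrincipal(principal);
                    return sac.authorize() ? sac.getAuthorizedIdentity() : null;
                }
            }

            // Records group names for getAuthorizedIdentity(); an absent or empty array is a no-op.
            private void handleGroupPrincipal(GroupPrincipalCallback gpc) {
                ElytronMessages.log.trace("Handling GroupPrincipalCallback");
                String[] groups = gpc.getGroups();
                if (groups != null && groups.length > 0) {
                    roles.addAll(Arrays.asList(groups));
                }
            }
        };
    }

    /**
     * Returns the identity established by the callback handler, with any roles reported through
     * {@code GroupPrincipalCallback} applied as a constant default role mapper.
     *
     * @return the established identity, or {@code null} if no callback established one
     * @throws IllegalStateException as declared; not thrown by the visible code itself
     */
    public SecurityIdentity getAuthorizedIdentity() throws IllegalStateException {
        // Captured once so the lambda below sees an effectively final value.
        final SecurityIdentity identity = this.securityIdentity;
        if (identity == null || this.roles.isEmpty()) {
            ElytronMessages.log.trace("No roles request of CallbackHandler.");
            return identity;
        }
        if (ElytronMessages.log.isTraceEnabled()) {
            ElytronMessages.log.tracef("Assigning roles '%s' to resulting SecurityIdentity", String.join(",", this.roles));
        }
        final RoleMapper roleMapper = RoleMapper.constant(Roles.fromSet(this.roles));
        return (SecurityIdentity) SecurityActions.doPrivileged(() -> identity.withDefaultRoleMapper(roleMapper));
    }
}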
