package org.wildfly.extension.undertow.security;

import io.undertow.security.idm.Account;
import io.undertow.server.HttpServerExchange;
import io.undertow.servlet.api.AuthorizationManager;
import io.undertow.servlet.api.Deployment;
import io.undertow.servlet.api.SecurityRoleRef;
import io.undertow.servlet.api.ServletInfo;
import io.undertow.servlet.api.SingleConstraintMatch;
import io.undertow.servlet.api.TransportGuaranteeType;
import io.undertow.servlet.handlers.ServletRequestContext;
import java.io.IOException;
import java.security.Principal;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.jacc.PolicyContext;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.jboss.as.core.security.SimplePrincipal;
import org.jboss.security.SecurityContext;
import org.jboss.security.authorization.ResourceKeys;
import org.jboss.security.javaee.AbstractWebAuthorizationHelper;
import org.jboss.security.javaee.SecurityHelperFactory;
import org.wildfly.extension.undertow.logging.UndertowLogger;

/* loaded from: input_file:m2repo/org/wildfly/wildfly-undertow/15.0.1.Final/wildfly-undertow-15.0.1.Final.jar:org/wildfly/extension/undertow/security/JbossAuthorizationManager.class */
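/**
 * {@link AuthorizationManager} that layers the JBoss (PicketBox/JACC) authorization
 * framework on top of a delegate manager.
 *
 * <p>Every access decision is a conjunction: the delegate must grant access, AND the
 * {@link AbstractWebAuthorizationHelper} obtained for the current {@link SecurityContext}
 * must agree. The helper is never consulted when the delegate has already denied. Any
 * failure while obtaining or consulting the helper is logged through
 * {@code UndertowLogger.ROOT_LOGGER.noAuthorizationHelper} and treated as a denial, so
 * the manager fails closed rather than open.
 *
 * <p>{@link #transportGuarantee} is delegated untouched; the JACC framework is not
 * involved in that decision.
 *
 * <p>The only state is the final delegate reference, so instances can be shared
 * across requests as long as the delegate can be.
 */
public class JbossAuthorizationManager implements AuthorizationManager {

    /** Context-map key under which the matched security constraints are passed to the helper. */
    private static final String SECURITY_CONSTRAINTS_KEY = "securityConstraints";

    private final AuthorizationManager delegate;

    /**
     * @param authorizationManager the manager consulted first; the JACC checks only run
     *     when it grants access
     */
    public JbossAuthorizationManager(AuthorizationManager authorizationManager) {
        this.delegate = authorizationManager;
    }

    /**
     * Checks whether {@code account} is in {@code roleName} for the given servlet.
     *
     * <p>The delegate is consulted first. Only if it grants the role is the authorization
     * helper asked as well; the role name handed to the helper is the servlet's
     * {@code <security-role-ref>} target when {@code roleName} matches a ref's linked role,
     * otherwise {@code roleName} itself.
     *
     * @return {@code true} only if both the delegate and the authorization helper grant the
     *     role; {@code false} if either denies it or the helper cannot be consulted
     */
    @Override
    public boolean isUserInRole(String roleName, Account account, ServletInfo servletInfo,
                                HttpServletRequest request, Deployment deployment) {
        boolean delegateSays = this.delegate.isUserInRole(roleName, account, servletInfo, request, deployment);
        // Default to "granted" so the final conjunction reduces to the delegate's answer
        // when the delegate has already denied and the helper is skipped.
        boolean helperSays = true;
        if (delegateSays) {
            String servletName = servletInfo.getName();
            String effectiveRole = resolveRoleRef(servletInfo, roleName);
            SecurityContext securityContext = SecurityActions.getSecurityContext();
            try {
                // A null account or security context NPEs inside this try; the catch below
                // turns that into a logged denial rather than letting it escape.
                helperSays = SecurityHelperFactory.getWebAuthorizationHelper(securityContext).hasRole(
                        effectiveRole,
                        account.getPrincipal(),
                        servletName,
                        getPrincipalRoles(account),
                        PolicyContext.getContextID(),
                        securityContext.getUtil().getSubject(),
                        new ArrayList<>(account.getRoles()));
            } catch (Exception e) {
                UndertowLogger.ROOT_LOGGER.noAuthorizationHelper(e);
                return false;
            }
        }
        boolean result = delegateSays && helperSays;
        UndertowLogger.ROOT_LOGGER.tracef("hasRole:RealmBase says: %s ::Authz framework says: %s :final= %s",
                delegateSays, helperSays, result);
        return result;
    }

    /**
     * Maps {@code roleName} through the servlet's {@code <security-role-ref>} entries.
     *
     * @return the role of the first ref whose linked role equals {@code roleName}, or
     *     {@code roleName} unchanged when the servlet declares no matching ref
     */
    private static String resolveRoleRef(ServletInfo servletInfo, String roleName) {
        List<SecurityRoleRef> roleRefs = servletInfo.getSecurityRoleRefs();
        if (roleRefs != null) {
            for (SecurityRoleRef roleRef : roleRefs) {
                if (roleRef.getLinkedRole().equals(roleName)) {
                    return roleRef.getRole();
                }
            }
        }
        return roleName;
    }

    /**
     * Wraps each of the account's role names in a {@link SimplePrincipal}, the form the
     * helper's {@code hasRole} expects for the caller's roles.
     */
    private Set<Principal> getPrincipalRoles(Account account) {
        Set<Principal> rolePrincipals = new HashSet<>();
        for (String role : account.getRoles()) {
            rolePrincipals.add(new SimplePrincipal(role));
        }
        return rolePrincipals;
    }

    /**
     * Copies the account's role names into a fresh, mutable list for the helper.
     *
     * @return the account's roles, or an empty list when {@code account} is {@code null}
     */
    private static List<String> roleNames(Account account) {
        List<String> roles = new ArrayList<>();
        if (account != null) {
            roles.addAll(account.getRoles());
        }
        return roles;
    }

    /**
     * Decides whether the request may reach the resource matched by {@code constraints}.
     *
     * <p>Three checks are ANDed, each short-circuiting the next: the delegate's decision,
     * the helper's resource-permission check, and finally
     * {@link #hasUserDataPermission}, which is run against the original (unwrapped)
     * response so that its 403 reaches the client.
     *
     * @return {@code true} only if all three checks pass; {@code false} otherwise, including
     *     when the helper cannot be obtained or throws
     */
    @Override
    public boolean canAccessResource(List<SingleConstraintMatch> constraints, Account account,
                                     ServletInfo servletInfo, HttpServletRequest request,
                                     Deployment deployment) {
        ServletRequestContext requestContext = ServletRequestContext.current();
        boolean delegateSays = this.delegate.canAccessResource(constraints, account, servletInfo, request, deployment);
        // Unlike isUserInRole, the helper's verdict defaults to "denied": a resource is
        // only reachable when the helper explicitly says so.
        boolean helperSays = false;
        if (delegateSays) {
            SecurityContext securityContext = SecurityActions.getSecurityContext();
            // NOTE(review): no null-Subject fallback here, unlike hasUserDataPermission;
            // confirm the helper tolerates a null subject for resource checks.
            Subject subject = securityContext.getUtil().getSubject();
            Map<String, Object> contextMap = new HashMap<>();
            contextMap.put(ResourceKeys.RESOURCE_PERM_CHECK, Boolean.TRUE);
            contextMap.put(SECURITY_CONSTRAINTS_KEY, constraints);
            try {
                AbstractWebAuthorizationHelper helper = SecurityHelperFactory.getWebAuthorizationHelper(securityContext);
                helperSays = helper.checkResourcePermission(
                        contextMap,
                        request,
                        requestContext.getServletResponse(),
                        subject,
                        PolicyContext.getContextID(),
                        requestURI(requestContext.getExchange()),
                        roleNames(account));
            } catch (Exception e) {
                UndertowLogger.ROOT_LOGGER.noAuthorizationHelper(e);
                return false;
            }
        }
        boolean result = delegateSays && helperSays
                && hasUserDataPermission(request, requestContext.getOriginalResponse(), account, constraints);
        UndertowLogger.ROOT_LOGGER.tracef(
                "hasResourcePermission:RealmBase says: %s ::Authz framework says: %s :final= %s",
                delegateSays, helperSays, result);
        return result;
    }

    /**
     * Runs the JACC user-data (transport) permission check for the matched constraints.
     *
     * <p>Not part of the {@link AuthorizationManager} interface; {@link #canAccessResource}
     * calls it as its final conjunct. A {@code null} account contributes no roles and a
     * missing {@link Subject} is replaced by an empty one.
     *
     * <p>When the check fails and the response status is still 200, a 403 is written so the
     * denial reaches the client. An {@link IOException} from that write is wrapped in a
     * {@link RuntimeException}, which the enclosing {@code catch (Exception)} then logs via
     * {@code noAuthorizationHelper} and converts to {@code false}, like any other failure
     * inside the check.
     *
     * @return the helper's verdict, or {@code false} if it cannot be consulted
     */
    public boolean hasUserDataPermission(HttpServletRequest request, HttpServletResponse response,
                                         Account account, List<SingleConstraintMatch> constraints) {
        Map<String, Object> contextMap = new HashMap<>();
        contextMap.put(SECURITY_CONSTRAINTS_KEY, constraints);
        contextMap.put(ResourceKeys.USERDATA_PERM_CHECK, Boolean.TRUE);
        SecurityContext securityContext = SecurityActions.getSecurityContext();
        try {
            AbstractWebAuthorizationHelper helper = SecurityHelperFactory.getWebAuthorizationHelper(securityContext);
            Subject subject = securityContext.getUtil().getSubject();
            if (subject == null) {
                subject = new Subject();
            }
            boolean permitted = helper.hasUserDataPermission(
                    contextMap, request, response, PolicyContext.getContextID(), subject, roleNames(account));
            // Only overwrite a still-default 200 status with 403; a status set earlier
            // in the pipeline is left alone.
            if (!permitted && response.getStatus() == 200) {
                try {
                    response.sendError(403);
                } catch (IOException e) {
                    throw new RuntimeException(e);
                }
            }
            return permitted;
        } catch (Exception e) {
            UndertowLogger.ROOT_LOGGER.noAuthorizationHelper(e);
            return false;
        }
    }

    /**
     * Pure pass-through to the delegate; the JACC framework takes no part in choosing
     * the transport guarantee.
     */
    @Override
    public TransportGuaranteeType transportGuarantee(TransportGuaranteeType configuredGuarantee,
                                                     TransportGuaranteeType currentGuarantee,
                                                     HttpServletRequest request) {
        return this.delegate.transportGuarantee(configuredGuarantee, currentGuarantee, request);
    }

    /**
     * Canonical request URI handed to the helper's resource-permission check: the
     * exchange's relative path, with a missing path or a bare {@code "/"} normalised to
     * the empty string.
     */
    protected String requestURI(HttpServerExchange exchange) {
        String relativePath = exchange.getRelativePath();
        return relativePath == null || "/".equals(relativePath) ? "" : relativePath;
    }
}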
