package org.wildfly.elytron.web.undertow.server.servlet;

import io.undertow.server.HttpHandler;
import io.undertow.servlet.api.AuthMethodConfig;
import io.undertow.servlet.api.AuthorizationManager;
import io.undertow.servlet.api.DeploymentInfo;
import io.undertow.servlet.api.LoginConfig;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.function.Function;
import java.util.function.UnaryOperator;
import org.jboss.metadata.javaee.jboss.RunAsIdentityMetaData;
import org.wildfly.elytron.web.undertow.server.ElytronContextAssociationHandler;
import org.wildfly.elytron.web.undertow.server.ElytronRunAsHandler;
import org.wildfly.elytron.web.undertow.server.ScopeSessionListener;
import org.wildfly.security.auth.server.HttpAuthenticationFactory;
import org.wildfly.security.auth.server.SecurityDomain;
import org.wildfly.security.http.HttpAuthenticationException;
import org.wildfly.security.http.HttpConstants;
import org.wildfly.security.http.HttpServerAuthenticationMechanism;
import org.wildfly.security.http.HttpServerAuthenticationMechanismFactory;
import org.wildfly.security.http.Scope;
import org.wildfly.security.http.util.PropertiesServerMechanismFactory;
import org.wildfly.security.manager.WildFlySecurityManager;

/* loaded from: input_file:org/wildfly/elytron/web/undertow/server/servlet/AuthenticationManager.class */
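/**
 * Configures an Undertow {@link DeploymentInfo} so that requests are authenticated through an
 * Elytron {@link HttpAuthenticationFactory}.
 *
 * <p>Instances are created through {@link #builder()}. The manager keeps a reference to its
 * {@link Builder}; every setter on the builder throws once {@link Builder#build()} has been
 * called, so the configuration cannot be changed through the builder afterwards.
 */
public class AuthenticationManager {
    private final Builder builder;

    /**
     * Collects the settings for an {@link AuthenticationManager}.
     *
     * <p>The builder is single-use: after {@link #build()} every method that goes through
     * {@link #assertNotBuilt()} throws {@link IllegalStateException}. No synchronization is
     * performed on the builder's fields.
     */
    public static class Builder {
        private HttpAuthenticationFactory httpAuthenticationFactory;
        private boolean overrideDeploymentConfig;
        private AuthorizationManager authorizationManager;
        private UnaryOperator<HttpServerAuthenticationMechanismFactory> httpAuthenticationFactoryTransformer;
        private Function<String, RunAsIdentityMetaData> runAsMapper;
        private boolean built = false;

        /**
         * Sets the factory that supplies the security domain and the authentication mechanisms.
         * {@link AuthenticationManager#configure(DeploymentInfo)} requires this to be non-null.
         *
         * @param httpAuthenticationFactory the factory to authenticate with
         * @return this builder
         * @throws IllegalStateException if the builder has already been built
         */
        public Builder setHttpAuthenticationFactory(HttpAuthenticationFactory httpAuthenticationFactory) {
            assertNotBuilt();
            this.httpAuthenticationFactory = httpAuthenticationFactory;
            return this;
        }

        /**
         * Sets an authorization manager to install on the deployment. When one is set it is used
         * instead of the {@code ElytronAuthorizationManager} that {@code configure} would
         * otherwise create for the security domain.
         *
         * @param authorizationManager the manager to install, or {@code null} for the default
         * @return this builder
         * @throws IllegalStateException if the builder has already been built
         */
        public Builder setAuthorizationManager(AuthorizationManager authorizationManager) {
            assertNotBuilt();
            this.authorizationManager = authorizationManager;
            return this;
        }

        /**
         * Chooses whether the deployment's own login configuration is ignored when mechanisms are
         * selected. When {@code true}, every mechanism name reported by the factory is enabled and
         * the deployment's list of authentication methods (and their per-method properties) is
         * not consulted.
         *
         * @param z {@code true} to ignore the deployment's mechanism selection
         * @return this builder
         * @throws IllegalStateException if the builder has already been built
         */
        public Builder setOverrideDeploymentConfig(boolean z) {
            assertNotBuilt();
            this.overrideDeploymentConfig = z;
            return this;
        }

        /**
         * Sets an optional transformation that is applied to each mechanism factory after the
         * per-mechanism properties have been wrapped around it.
         *
         * @param unaryOperator the transformation, or {@code null} for none
         * @return this builder
         * @throws IllegalStateException if the builder has already been built
         */
        public Builder setHttpAuthenticationFactoryTransformer(UnaryOperator<HttpServerAuthenticationMechanismFactory> unaryOperator) {
            assertNotBuilt();
            this.httpAuthenticationFactoryTransformer = unaryOperator;
            return this;
        }

        /**
         * Sets the optional run-as mapper. When it is non-null, {@code configure} installs a
         * {@code RunAsLifecycleInterceptor} and an identity-mapping {@link ElytronRunAsHandler}.
         *
         * @param function the mapper to {@link RunAsIdentityMetaData}, or {@code null} for none
         * @return this builder
         * @throws IllegalStateException if the builder has already been built
         */
        public Builder setRunAsMapper(Function<String, RunAsIdentityMetaData> function) {
            assertNotBuilt();
            this.runAsMapper = function;
            return this;
        }

        /**
         * Creates the manager and marks this builder as used.
         *
         * @return a new manager backed by this builder's settings
         * @throws IllegalStateException if the builder has already been built
         */
        public AuthenticationManager build() {
            assertNotBuilt();
            this.built = true;
            return new AuthenticationManager(this);
        }

        /**
         * Rejects any further use of the builder once {@link #build()} has run.
         *
         * @throws IllegalStateException if the builder has already been built
         */
        void assertNotBuilt() {
            if (this.built) {
                throw new IllegalStateException("Builder already built.");
            }
        }
    }

    AuthenticationManager(Builder builder) {
        this.builder = builder;
    }

    /**
     * Installs the Elytron security integration on the given deployment: registers the security
     * domain with the deployment class loader, adds the scope session listener, wraps the handler
     * chain with the run-as and context-association handlers, and sets the authorization manager.
     *
     * <p>The mechanism selection in {@code initialSecurityHandler} runs when the initial security
     * wrapper is invoked, not during this call, so an unavailable mechanism is reported at that
     * later point.
     *
     * @param deploymentInfo the deployment to configure
     * @throws NullPointerException if no {@link HttpAuthenticationFactory} was set on the builder
     */
    public void configure(DeploymentInfo deploymentInfo) {
        // Name the missing setting instead of failing with an anonymous NPE on the next call.
        final HttpAuthenticationFactory authenticationFactory =
                Objects.requireNonNull(this.builder.httpAuthenticationFactory, "httpAuthenticationFactory");
        final ScopeSessionListener scopeSessionListener = ScopeSessionListener.builder()
                .addScopeResolver(Scope.APPLICATION, ElytronHttpServletExchange.APPLICATION_SCOPE_RESOLVER)
                .build();
        final SecurityDomain securityDomain = authenticationFactory.getSecurityDomain();
        if (WildFlySecurityManager.isChecking()) {
            // The explicit cast resolves the PrivilegedAction / PrivilegedExceptionAction overload,
            // which a bare zero-argument lambda leaves ambiguous. Only the class-loader
            // registration runs inside the privileged block.
            AccessController.doPrivileged((PrivilegedAction<Void>) () -> {
                securityDomain.registerWithClassLoader(deploymentInfo.getClassLoader());
                return null;
            });
        } else {
            securityDomain.registerWithClassLoader(deploymentInfo.getClassLoader());
        }
        deploymentInfo.addSessionListener(scopeSessionListener);
        final Function<String, RunAsIdentityMetaData> runAsMapper = this.builder.runAsMapper;
        deploymentInfo.addInnerHandlerChainWrapper(next -> finalSecurityHandlers(next, securityDomain, runAsMapper));
        deploymentInfo.setInitialSecurityWrapper(
                next -> initialSecurityHandler(deploymentInfo, next, securityDomain, scopeSessionListener));
        if (runAsMapper != null) {
            deploymentInfo.addLifecycleInterceptor(new RunAsLifecycleInterceptor(runAsMapper, securityDomain));
        }
        if (this.builder.authorizationManager != null) {
            // A caller-supplied manager replaces the Elytron one entirely.
            deploymentInfo.setAuthorizationManager(this.builder.authorizationManager);
        } else {
            deploymentInfo.setAuthorizationManager(new ElytronAuthorizationManager(securityDomain));
        }
    }

    /**
     * Selects the authentication mechanisms for the deployment and builds the handler that
     * associates the Elytron security context with each exchange.
     *
     * <p>Every mechanism named by the deployment must be offered by the factory; otherwise the
     * method throws rather than continuing with a reduced set.
     *
     * @param deploymentInfo the deployment whose login configuration is read
     * @param httpHandler the next handler in the chain
     * @param securityDomain the security domain to associate
     * @param scopeSessionListener the listener passed to each {@code ElytronHttpServletExchange}
     * @return the context-association handler wrapping {@code httpHandler}
     * @throws IllegalStateException if the factory offers no mechanisms, the deployment selects
     *         none, or a selected mechanism is not offered by the factory
     */
    private HttpHandler initialSecurityHandler(DeploymentInfo deploymentInfo, HttpHandler httpHandler, SecurityDomain securityDomain, ScopeSessionListener scopeSessionListener) {
        final Collection<String> availableMechanisms = this.builder.httpAuthenticationFactory.getMechanismNames();
        if (availableMechanisms.isEmpty()) {
            throw new IllegalStateException("There are no mechanisms available from the HttpAuthenticationFactory.");
        }

        // Properties shared by every mechanism, taken from the deployment itself.
        final Map<String, String> sharedProperties = new HashMap<>();
        sharedProperties.put(HttpConstants.CONFIG_CONTEXT_PATH, deploymentInfo.getContextPath());
        final LoginConfig loginConfig = deploymentInfo.getLoginConfig();
        if (loginConfig != null) {
            final String realmName = loginConfig.getRealmName();
            if (realmName != null) {
                sharedProperties.put(HttpConstants.CONFIG_REALM, realmName);
            }
            final String loginPage = loginConfig.getLoginPage();
            if (loginPage != null) {
                sharedProperties.put(HttpConstants.CONFIG_LOGIN_PAGE, loginPage);
            }
            final String errorPage = loginConfig.getErrorPage();
            if (errorPage != null) {
                sharedProperties.put(HttpConstants.CONFIG_ERROR_PAGE, errorPage);
            }
        }
        final Map<String, String> baseConfiguration = Collections.unmodifiableMap(sharedProperties);

        // Insertion order is kept so mechanisms are created in the order they were selected.
        final Map<String, Map<String, String>> selectedMechanisms = new LinkedHashMap<>();
        if (this.builder.overrideDeploymentConfig || loginConfig == null) {
            // Override mode (or no login-config): enable everything the factory offers.
            for (String mechanismName : availableMechanisms) {
                selectedMechanisms.put(mechanismName, baseConfiguration);
            }
        } else {
            final List<AuthMethodConfig> authMethods = loginConfig.getAuthMethods();
            if (authMethods.isEmpty()) {
                throw new IllegalStateException("No authentication mechanisms have been selected.");
            }
            for (AuthMethodConfig authMethodConfig : authMethods) {
                final String name = authMethodConfig.getName();
                if (!availableMechanisms.contains(name)) {
                    throw new IllegalStateException(String.format("The required mechanism '%s' is not available in mechanisms %s from the HttpAuthenticationFactory.", name, availableMechanisms));
                }
                final Map<String, String> properties = authMethodConfig.getProperties();
                final Map<String, String> mechanismConfiguration;
                if (properties != null) {
                    // Per-method properties are applied last, so a key supplied by the deployment
                    // replaces the shared value of the same name.
                    final Map<String, String> merged = new HashMap<>(baseConfiguration);
                    merged.putAll(properties);
                    mechanismConfiguration = Collections.unmodifiableMap(merged);
                } else {
                    mechanismConfiguration = baseConfiguration;
                }
                selectedMechanisms.put(name, mechanismConfiguration);
            }
        }

        // Mechanism instances are created each time the supplier is invoked, not here.
        return ElytronContextAssociationHandler.builder()
                .setNext(httpHandler)
                .setSecurityDomain(securityDomain)
                .setMechanismSupplier(() -> getAuthenticationMechanisms(selectedMechanisms))
                .setAuthenticationMode(deploymentInfo.getAuthenticationMode())
                .setHttpExchangeSupplier(exchange -> new ElytronHttpServletExchange(exchange, scopeSessionListener))
                .build();
    }

    /**
     * Wraps the handler chain in an {@link ElytronRunAsHandler}, with identity mapping when a
     * run-as mapper is configured.
     *
     * @param httpHandler the next handler in the chain
     * @param securityDomain the security domain passed to the identity mapping
     * @param function the run-as mapper, or {@code null} for a handler without identity mapping
     * @return the run-as handler wrapping {@code httpHandler}
     */
    private HttpHandler finalSecurityHandlers(HttpHandler httpHandler, SecurityDomain securityDomain, Function<String, RunAsIdentityMetaData> function) {
        if (function == null) {
            return new ElytronRunAsHandler(httpHandler);
        }
        return new ElytronRunAsHandler(httpHandler, (securityIdentity, exchange) ->
                IdentityMapping.mapIdentity(securityIdentity, securityDomain, exchange, function));
    }

    /**
     * Creates one mechanism instance per selected mechanism name, in map iteration order.
     *
     * <p>A name for which the factory returns {@code null} is left out without an error, so the
     * result can be shorter than the input and may be empty.
     * NOTE(review): how the consuming handler treats an empty list is not visible in this class;
     * confirm that it rejects the request rather than letting it through.
     *
     * @param map mechanism name to the properties that mechanism is configured with
     * @return the mechanisms that could be created
     * @throws IllegalStateException if the factory fails to create a mechanism
     */
    private List<HttpServerAuthenticationMechanism> getAuthenticationMechanisms(Map<String, Map<String, String>> map) {
        final List<HttpServerAuthenticationMechanism> mechanisms = new ArrayList<>(map.size());
        final UnaryOperator<HttpServerAuthenticationMechanismFactory> transformer = this.builder.httpAuthenticationFactoryTransformer;
        for (Map.Entry<String, Map<String, String>> entry : map.entrySet()) {
            try {
                final HttpServerAuthenticationMechanism mechanism = this.builder.httpAuthenticationFactory.createMechanism(entry.getKey(), mechanismFactory -> {
                    // Properties are wrapped first; the optional transformer sees the wrapped factory.
                    final HttpServerAuthenticationMechanismFactory withProperties = new PropertiesServerMechanismFactory(mechanismFactory, entry.getValue());
                    return transformer != null ? transformer.apply(withProperties) : withProperties;
                });
                if (mechanism != null) {
                    mechanisms.add(mechanism);
                }
            } catch (HttpAuthenticationException e) {
                throw new IllegalStateException(e);
            }
        }
        return mechanisms;
    }

    /**
     * Creates a new, unused {@link Builder}.
     *
     * @return a fresh builder
     */
    public static Builder builder() {
        return new Builder();
    }
}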
