package org.jboss.as.connector.security;

import java.io.IOException;
import java.io.Serializable;
import java.security.AccessController;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.resource.spi.security.PasswordCredential;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.message.callback.CallerPrincipalCallback;
import javax.security.auth.message.callback.GroupPrincipalCallback;
import javax.security.auth.message.callback.PasswordValidationCallback;
import org.codehaus.plexus.util.SelectorUtils;
import org.jboss.as.connector.logging.ConnectorLogger;
import org.jboss.jca.core.spi.security.Callback;
import org.wildfly.clustering.ejb.BeanManagerFactoryServiceConfiguratorConfiguration;
import org.wildfly.security.auth.principal.NamePrincipal;
import org.wildfly.security.auth.server.RealmUnavailableException;
import org.wildfly.security.auth.server.SecurityDomain;
import org.wildfly.security.auth.server.SecurityIdentity;
import org.wildfly.security.auth.server.ServerAuthenticationContext;
import org.wildfly.security.authz.RoleMapper;
import org.wildfly.security.authz.Roles;
import org.wildfly.security.evidence.PasswordGuessEvidence;
import org.wildfly.security.manager.WildFlySecurityManager;

/* loaded from: input_file:m2repo/org/wildfly/wildfly-connector/15.0.1.Final/wildfly-connector-15.0.1.Final.jar:org/jboss/as/connector/security/ElytronCallbackHandler.class */
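/**
 * Elytron-backed {@link CallbackHandler} used by the resource-adapter (JCA) subsystem.
 * <p>
 * It consumes the JASPIC-style callbacks a resource adapter issues for inbound work
 * ({@link CallerPrincipalCallback}, {@link GroupPrincipalCallback},
 * {@link PasswordValidationCallback}) and attaches the resulting Elytron
 * {@link SecurityIdentity} to the execution {@link Subject} as a private credential,
 * together with the caller principal and, when a password was validated, a JCA
 * {@link PasswordCredential}.
 * <p>
 * Security notes (all visible in the code below):
 * <ul>
 *   <li>A password is only verified against the {@link SecurityDomain} when a
 *       {@link PasswordValidationCallback} is supplied, or when a
 *       {@link PasswordCredential} is already present on the subject.</li>
 *   <li>With only a {@link CallerPrincipalCallback}, the principal name asserted by the
 *       resource adapter is trusted as-is: an ad-hoc identity is created and no credential
 *       is checked. Groups from a {@link GroupPrincipalCallback} are likewise taken on
 *       trust and mapped to roles.</li>
 *   <li>If the subject already carries a non-anonymous {@link SecurityIdentity},
 *       {@link #handle} does nothing at all, including not answering a
 *       {@link PasswordValidationCallback} (its result keeps the default).</li>
 *   <li>The validated password is stored in clear (as a {@link PasswordCredential}) on the
 *       subject; that is the JCA contract for re-authentication to the EIS, so the subject
 *       must be treated as sensitive.</li>
 * </ul>
 * The handler keeps the execution subject as mutable state: one instance is tied to one
 * subject and is not safe for concurrent use.
 */
public class ElytronCallbackHandler implements CallbackHandler, Serializable {

    /** Elytron security domain used to verify passwords and to create identities. */
    private final SecurityDomain securityDomain;
    /** Optional IronJacamar callback mappings (principal/group name mapping); may be {@code null}. */
    private final Callback mappings;
    /** Subject the resulting identity is attached to; captured from the first callback seen. */
    private Subject executionSubject;

    /**
     * @param securityDomain the Elytron security domain to authenticate against
     * @param callback       the IronJacamar callback mappings, or {@code null} if none are configured
     */
    public ElytronCallbackHandler(SecurityDomain securityDomain, Callback callback) {
        this.securityDomain = securityDomain;
        this.mappings = callback;
    }

    /**
     * Processes the callbacks issued by the resource adapter and attaches an identity to the
     * execution subject (see {@link #handleInternal}).
     * <p>
     * The call is a no-op when there are no callbacks or when the execution subject already
     * holds a non-anonymous {@link SecurityIdentity}.
     *
     * @param callbacks the callbacks to handle; only the three JASPIC callback types are supported
     * @throws UnsupportedCallbackException for any callback that is not a
     *         {@link CallerPrincipalCallback}, {@link GroupPrincipalCallback} or
     *         {@link PasswordValidationCallback}
     * @throws IOException if the realm is unavailable or the execution subject could not be determined
     */
    @Override // javax.security.auth.callback.CallbackHandler
    public void handle(javax.security.auth.callback.Callback[] callbacks) throws UnsupportedCallbackException, IOException {
        if (ConnectorLogger.SUBSYSTEM_RA_LOGGER.isTraceEnabled()) {
            // Relies on the callbacks' toString() not rendering the password; the JASPIC
            // callback classes do not override toString(), so only the identity hash is logged.
            ConnectorLogger.SUBSYSTEM_RA_LOGGER.elytronHandlerHandle(Arrays.toString(callbacks));
        }
        if (hasAuthenticatedIdentity() || callbacks == null || callbacks.length == 0) {
            // Nothing to do. NOTE: when an identity is already present the callbacks are not
            // inspected, so a PasswordValidationCallback keeps its default result.
            return;
        }
        javax.security.auth.callback.Callback[] effective = callbacks;
        if (this.mappings != null && this.mappings.isMappingRequired()) {
            effective = this.mappings.mapCallbacks(effective);
        }
        GroupPrincipalCallback groupPrincipalCallback = null;
        CallerPrincipalCallback callerPrincipalCallback = null;
        PasswordValidationCallback passwordValidationCallback = null;
        for (javax.security.auth.callback.Callback callback : effective) {
            if (callback instanceof GroupPrincipalCallback) {
                groupPrincipalCallback = (GroupPrincipalCallback) callback;
                adoptSubject(groupPrincipalCallback.getSubject());
            } else if (callback instanceof CallerPrincipalCallback) {
                callerPrincipalCallback = (CallerPrincipalCallback) callback;
                adoptSubject(callerPrincipalCallback.getSubject());
            } else if (callback instanceof PasswordValidationCallback) {
                passwordValidationCallback = (PasswordValidationCallback) callback;
                adoptSubject(passwordValidationCallback.getSubject());
            } else {
                throw new UnsupportedCallbackException(callback);
            }
        }
        handleInternal(callerPrincipalCallback, groupPrincipalCallback, passwordValidationCallback);
    }

    /** True when the execution subject already carries a non-anonymous {@link SecurityIdentity}. */
    private boolean hasAuthenticatedIdentity() {
        if (this.executionSubject == null) {
            return false;
        }
        SecurityIdentity existing = getPrivateCredential(this.executionSubject, SecurityIdentity.class);
        return existing != null && !existing.isAnonymous();
    }

    /**
     * Records the subject a callback refers to. The first subject seen wins; a later callback
     * carrying a different subject is silently ignored and the identity is still attached to
     * the first one. Callers must not mix subjects within one {@link #handle} invocation.
     */
    private void adoptSubject(Subject subject) {
        if (this.executionSubject == null) {
            this.executionSubject = subject;
        }
        // A differing subject is deliberately not treated as an error here.
    }

    /**
     * Builds the identity for the collected callbacks and attaches it to the execution subject.
     * <p>
     * Decision tree:
     * <ol>
     *   <li>No caller principal: the domain's anonymous identity is attached.</li>
     *   <li>Caller principal + {@link PasswordValidationCallback}: the username/password are
     *       verified against the domain. On success a {@link PasswordCredential} is stored on
     *       the subject and the result is set to {@code true}; on failure the result is set to
     *       {@code false} and nothing is attached.</li>
     *   <li>Caller principal + a {@link PasswordCredential} already on the subject: that
     *       credential is re-verified; on failure nothing is attached (no callback to report to).</li>
     *   <li>Caller principal only: an ad-hoc identity is created for the asserted name. No
     *       credential is checked, so this path trusts the resource adapter completely.</li>
     * </ol>
     * When the verified identity's principal differs from the caller principal, a run-as
     * identity for the caller principal is created (presumably subject to Elytron's run-as
     * permission check; verify against the domain configuration). Groups from the
     * {@link GroupPrincipalCallback}, if any, become the identity's roles via a constant role
     * mapper.
     *
     * @param callerPrincipalCallback    the caller principal callback, or {@code null}
     * @param groupPrincipalCallback     the group callback, or {@code null}
     * @param passwordValidationCallback the password validation callback, or {@code null}
     * @throws IOException if the execution subject was not set or the realm is unavailable
     */
    protected void handleInternal(CallerPrincipalCallback callerPrincipalCallback, GroupPrincipalCallback groupPrincipalCallback, PasswordValidationCallback passwordValidationCallback) throws IOException {
        if (this.executionSubject == null) {
            throw ConnectorLogger.SUBSYSTEM_RA_LOGGER.executionSubjectNotSetInHandler();
        }
        SecurityIdentity identity = this.securityDomain.getAnonymousSecurityIdentity();
        NamePrincipal callerPrincipal = callerPrincipalOf(callerPrincipalCallback);
        if (callerPrincipal != null) {
            if (passwordValidationCallback != null) {
                String username = passwordValidationCallback.getUsername();
                char[] password = passwordValidationCallback.getPassword();
                try {
                    identity = authenticate(username, password);
                    // JCA contract: keep the validated credential on the subject so the
                    // managed connection factory can use it for the EIS.
                    addPrivateCredential(this.executionSubject, new PasswordCredential(username, password));
                    passwordValidationCallback.setResult(true);
                } catch (SecurityException e) {
                    // Failed authentication/authorization: report it and attach no identity.
                    passwordValidationCallback.setResult(false);
                    return;
                }
            } else {
                PasswordCredential stored = getPrivateCredential(this.executionSubject, PasswordCredential.class);
                if (stored != null) {
                    try {
                        identity = authenticate(stored.getUserName(), stored.getPassword());
                    } catch (SecurityException e) {
                        // No callback to report the failure to; leave the subject untouched.
                        return;
                    }
                } else {
                    // Unverified: the name asserted by the resource adapter is trusted as-is.
                    identity = this.securityDomain.createAdHocIdentity(callerPrincipal);
                }
            }
            if (!callerPrincipal.equals(identity.getPrincipal())) {
                identity = identity.createRunAsIdentity(callerPrincipal.getName());
            }
            if (groupPrincipalCallback != null) {
                String[] groups = groupPrincipalCallback.getGroups();
                if (groups != null) {
                    // Decompiler-folded constant; its value is the role-mapper category name
                    // (believed to be "default"). Groups are asserted by the adapter, not the realm.
                    RoleMapper roles = RoleMapper.constant(Roles.fromSet(new HashSet<>(Arrays.asList(groups))));
                    identity = identity.withRoleMapper(BeanManagerFactoryServiceConfiguratorConfiguration.DEFAULT_CONTAINER_NAME, roles);
                }
            }
        }
        this.executionSubject.getPrincipals().add(identity.getPrincipal());
        addPrivateCredential(this.executionSubject, identity);
    }

    /**
     * Derives the caller principal from the callback: the callback's {@link Principal} name
     * wins, then its plain name; {@code null} when neither is set or there is no callback.
     */
    private static NamePrincipal callerPrincipalOf(CallerPrincipalCallback callback) {
        if (callback == null) {
            return null;
        }
        Principal principal = callback.getPrincipal();
        if (principal != null) {
            return new NamePrincipal(principal.getName());
        }
        String name = callback.getName();
        return name != null ? new NamePrincipal(name) : null;
    }

    /**
     * Verifies the username/password against the security domain and returns the authorized
     * identity.
     *
     * @param username the authentication name
     * @param password the password guess; a {@code null} value is passed through to
     *                 {@link PasswordGuessEvidence} unchanged
     * @return the authorized identity
     * @throws SecurityException         if the evidence is rejected or authorization fails
     * @throws RealmUnavailableException if the realm cannot be reached
     * @throws IOException               as declared by the Elytron API
     */
    private SecurityIdentity authenticate(String username, char[] password) throws IOException {
        ServerAuthenticationContext context = this.securityDomain.createNewAuthenticationContext();
        // Work on a private copy: evidence.destroy() (in the finally block) clears the guess
        // array, and the caller's array is also the one stored in the PasswordCredential on
        // the subject and still owned by the resource adapter's callback.
        PasswordGuessEvidence evidence = new PasswordGuessEvidence(password != null ? password.clone() : null);
        try {
            context.setAuthenticationName(username);
            if (!context.verifyEvidence(evidence)) {
                context.fail();
                throw new SecurityException("Authentication failed");
            }
            if (!context.authorize()) {
                context.fail();
                throw new SecurityException("Authorization failed");
            }
            context.succeed();
            return context.getAuthorizedIdentity();
        } catch (IllegalArgumentException | IllegalStateException | RealmUnavailableException e) {
            context.fail();
            throw e;
        } finally {
            // Make sure the context never stays open, whatever the exit path.
            if (!context.isDone()) {
                context.fail();
            }
            evidence.destroy();
        }
    }

    /**
     * Returns the first private credential of the given type on the subject, or {@code null}
     * if the subject is {@code null} or holds none. Runs privileged when a security manager
     * is active so the caller's protection domain does not need {@code AuthPermission}.
     */
    protected <T> T getPrivateCredential(Subject subject, Class<T> cls) {
        if (subject == null) {
            return null;
        }
        Set<T> credentials;
        if (WildFlySecurityManager.isChecking()) {
            credentials = AccessController.doPrivileged((PrivilegedAction<Set<T>>) () -> subject.getPrivateCredentials(cls));
        } else {
            credentials = subject.getPrivateCredentials(cls);
        }
        return credentials.isEmpty() ? null : credentials.iterator().next();
    }

    /**
     * Adds a private credential to the subject, privileged when a security manager is active.
     * Note that the subject must be writable; a read-only subject will reject the add.
     */
    protected void addPrivateCredential(Subject subject, Object credential) {
        if (WildFlySecurityManager.isChecking()) {
            AccessController.doPrivileged((PrivilegedAction<Void>) () -> {
                subject.getPrivateCredentials().add(credential);
                return null;
            });
        } else {
            subject.getPrivateCredentials().add(credential);
        }
    }

    /** Identity hash plus the configured mappings; never includes the subject or credentials. */
    public String toString() {
        StringBuilder sb = new StringBuilder();
        sb.append("ElytronCallbackHandler@").append(Integer.toHexString(System.identityHashCode(this)));
        sb.append("[mappings=").append(this.mappings);
        // Decompiler-folded constant; its value is the closing bracket "]".
        sb.append(SelectorUtils.PATTERN_HANDLER_SUFFIX);
        return sb.toString();
    }
}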
