package org.wildfly.extension.undertow.security.jacc;

import io.undertow.security.idm.Account;
import io.undertow.servlet.api.AuthorizationManager;
import io.undertow.servlet.api.Deployment;
import io.undertow.servlet.api.ServletInfo;
import io.undertow.servlet.api.SingleConstraintMatch;
import io.undertow.servlet.api.TransportGuaranteeType;
import java.security.AccessController;
import java.security.Permission;
import java.security.Policy;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.security.ProtectionDomain;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import javax.security.jacc.WebResourcePermission;
import javax.security.jacc.WebRoleRefPermission;
import javax.security.jacc.WebUserDataPermission;
import javax.servlet.http.HttpServletRequest;
import org.wildfly.security.manager.WildFlySecurityManager;

/* loaded from: input_file:m2repo/org/wildfly/wildfly-undertow/18.0.1.Final/wildfly-undertow-18.0.1.Final.jar:org/wildfly/extension/undertow/security/jacc/JACCAuthorizationManager.class */
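/**
 * JACC-backed {@link AuthorizationManager}: every decision (role membership, resource access, required
 * transport) is delegated to the installed {@link Policy}, which is asked whether a {@link ProtectionDomain}
 * carrying the caller's roles as principals implies the matching {@code javax.security.jacc} permission.
 * The deployment's own constraint metadata is never evaluated here; the policy is the single source of truth.
 * <p>
 * Stateless and therefore safe to share across deployments and threads.
 */
public class JACCAuthorizationManager implements AuthorizationManager {

    /** Shared instance; the manager keeps no per-deployment state, so one instance serves all deployments. */
    public static final AuthorizationManager INSTANCE = new JACCAuthorizationManager();

    /**
     * Answers {@code HttpServletRequest#isUserInRole}: asks the JACC policy whether the account's granted roles
     * imply a {@link WebRoleRefPermission} for the role reference {@code str} scoped to {@code servletInfo}'s
     * name (role-ref resolution is the policy's job).
     *
     * @param str role name as referenced by the servlet
     * @param account authenticated account, or {@code null} for an unauthenticated request (no principals)
     * @param servletInfo servlet the role reference is scoped to; its class's code source becomes the domain's
     *        code source
     * @param httpServletRequest current request; not consulted, the role-ref check is request independent
     * @param deployment deployment whose principal-to-roles mapping supplements the account's roles
     * @return {@code true} if the installed policy implies the permission
     */
    @Override
    public boolean isUserInRole(String str, Account account, ServletInfo servletInfo,
                                HttpServletRequest httpServletRequest, Deployment deployment) {
        Permission roleRef = new WebRoleRefPermission(servletInfo.getName(), str);
        return hasPermission(account, deployment, servletInfo, roleRef);
    }

    /**
     * Decides access to the requested resource purely through the JACC policy: a {@link WebResourcePermission}
     * derived from the request is checked against the account's granted roles. The matched security
     * constraints in {@code list} are not consulted here.
     *
     * @param list security constraints matched for this request; unused, the policy decides instead
     * @param account authenticated account, or {@code null} for an unauthenticated request (no principals)
     * @param servletInfo target servlet; its class's code source becomes the domain's code source
     * @param httpServletRequest current request, from which the permission is built
     * @param deployment deployment whose principal-to-roles mapping supplements the account's roles
     * @return {@code true} if the installed policy implies the permission
     */
    @Override
    public boolean canAccessResource(List<SingleConstraintMatch> list, Account account, ServletInfo servletInfo,
                                     HttpServletRequest httpServletRequest, Deployment deployment) {
        Permission resource = new WebResourcePermission(httpServletRequest);
        return hasPermission(account, deployment, servletInfo, resource);
    }

    /**
     * Works out the transport guarantee the JACC policy requires for this request, using
     * {@link WebUserDataPermission}s for the canonical URI and HTTP method.
     * <p>
     * The checks run against an empty {@link ProtectionDomain} (no code source, no principals):
     * {@code WebUserDataPermission} is a transport-level check, and evaluating it without principals keeps the
     * caller's identity out of the answer.
     *
     * @param transportGuaranteeType guarantee the request arrived with ({@code NONE} for a plain connection,
     *        {@code INTEGRAL} / {@code CONFIDENTIAL} for a protected one)
     * @param transportGuaranteeType2 guarantee configured on the matched constraint; unused, the policy decides
     * @param httpServletRequest current request
     * @return for a plain connection, {@code CONFIDENTIAL} when the policy denies the unprotected request but
     *         would allow it confidentially, otherwise {@code NONE}; for a protected connection, the strongest
     *         of {@code CONFIDENTIAL} / {@code INTEGRAL} the policy allows, else {@code REJECTED};
     *         {@code REJECTED} for any other incoming guarantee
     * @throws NullPointerException if {@code transportGuaranteeType} is {@code null}
     */
    @Override
    public TransportGuaranteeType transportGuarantee(TransportGuaranteeType transportGuaranteeType,
                                                     TransportGuaranteeType transportGuaranteeType2,
                                                     HttpServletRequest httpServletRequest) {
        ProtectionDomain anonymous = new ProtectionDomain(null, null, null, null);
        String[] methods = {httpServletRequest.getMethod()};
        String uri = getCanonicalURI(httpServletRequest);
        switch (transportGuaranteeType) {
            case NONE:
                // Upgrade only when the plain request is denied but a confidential one would pass. Note that an
                // outright deny (neither variant allowed) still yields NONE here; the request is presumably
                // stopped later by canAccessResource rather than by the transport check.
                if (!userDataPermitted(anonymous, uri, methods, null)
                        && userDataPermitted(anonymous, uri, methods, TransportGuaranteeType.CONFIDENTIAL.name())) {
                    return TransportGuaranteeType.CONFIDENTIAL;
                }
                return TransportGuaranteeType.NONE;
            case INTEGRAL:
            case CONFIDENTIAL:
                // Already on a protected transport: report the strongest guarantee the policy grants, checking
                // CONFIDENTIAL before INTEGRAL regardless of which one the connection actually has.
                if (userDataPermitted(anonymous, uri, methods, TransportGuaranteeType.CONFIDENTIAL.name())) {
                    return TransportGuaranteeType.CONFIDENTIAL;
                }
                if (userDataPermitted(anonymous, uri, methods, TransportGuaranteeType.INTEGRAL.name())) {
                    return TransportGuaranteeType.INTEGRAL;
                }
                return TransportGuaranteeType.REJECTED;
            default:
                return TransportGuaranteeType.REJECTED;
        }
    }

    /**
     * Asks the policy about a {@link WebUserDataPermission} for {@code uri} and {@code methods} at the given
     * transport type ({@code null} meaning no transport requirement).
     */
    private boolean userDataPermitted(ProtectionDomain domain, String uri, String[] methods, String transport) {
        return hasPermission(domain, new WebUserDataPermission(uri, methods, transport));
    }

    /**
     * Strips the context path from the request URI to obtain the context-relative URI the JACC permissions
     * are named by. A bare {@code "/"} is returned as the empty string, presumably so the context root matches
     * the empty pattern; confirm against the JACC URL-pattern rules if this is ever changed.
     * <p>
     * If the request URI is shorter than the context path, {@code substring} throws; that is deliberately left
     * to fail rather than silently treating the request as the context root.
     */
    private String getCanonicalURI(HttpServletRequest httpServletRequest) {
        int contextLength = httpServletRequest.getContextPath().length();
        String uri = httpServletRequest.getRequestURI().substring(contextLength);
        return "/".equals(uri) ? "" : uri;
    }

    /**
     * Checks {@code permission} against a domain built from the servlet class's code source and the account's
     * granted roles as principals. JACC policies grant web permissions by role, so the principals are what the
     * decision hinges on; an unauthenticated request yields a domain with no principals.
     */
    private boolean hasPermission(Account account, Deployment deployment, ServletInfo servletInfo,
                                  Permission permission) {
        ProtectionDomain domain = new ProtectionDomain(
                servletInfo.getServletClass().getProtectionDomain().getCodeSource(),
                null,
                null,
                getGrantedRoles(account, deployment));
        return hasPermission(domain, permission);
    }

    /** Asks the currently installed {@link Policy} whether {@code protectionDomain} implies {@code permission}. */
    private boolean hasPermission(ProtectionDomain protectionDomain, Permission permission) {
        return currentPolicy().implies(protectionDomain, permission);
    }

    /**
     * Returns the installed {@link Policy}. With a security manager active, {@code Policy.getPolicy()} is
     * itself permission-checked, so it is read in a privileged block; the caller's own permissions are not
     * needed for an authorization decision to be made.
     */
    private static Policy currentPolicy() {
        if (WildFlySecurityManager.isChecking()) {
            PrivilegedAction<Policy> readPolicy = Policy::getPolicy;
            return AccessController.doPrivileged(readPolicy);
        }
        return Policy.getPolicy();
    }

    /**
     * Collects the roles the account is granted for this deployment as {@link Principal}s: the roles already on
     * the account plus any roles the deployment's principal-versus-roles map assigns to the principal's name.
     *
     * @return an empty array for a {@code null} account, otherwise one principal per distinct role name
     */
    private Principal[] getGrantedRoles(Account account, Deployment deployment) {
        if (account == null) {
            return new Principal[0];
        }
        HashSet<String> roles = new HashSet<>(account.getRoles());
        String principalName = account.getPrincipal().getName();
        roles.addAll(deployment.getDeploymentInfo().getPrincipalVersusRolesMap()
                .getOrDefault(principalName, Collections.emptySet()));
        return roles.stream().map(JACCAuthorizationManager::roleAsPrincipal).toArray(Principal[]::new);
    }

    /**
     * Wraps a role name as a {@link Principal} whose only state is the name. The lambda has identity-based
     * {@code equals}/{@code hashCode}; JACC policies are generally expected to match principals by class and
     * name rather than by {@code equals} -- confirm for the installed policy before relying on it.
     */
    private static Principal roleAsPrincipal(String role) {
        return () -> role;
    }
}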
