package org.jboss.as.clustering.jgroups;

import java.io.IOException;
import java.security.Principal;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.Iterator;
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.sasl.AuthorizeCallback;
import org.jboss.as.core.security.SubjectUserInfo;
import org.jboss.as.domain.management.AuthenticationMechanism;
import org.jboss.as.domain.management.AuthorizingCallbackHandler;
import org.jboss.as.domain.management.SecurityRealm;
import org.jboss.as.domain.management.security.RealmUser;

/* loaded from: input_file:org/jboss/as/clustering/jgroups/RealmAuthorizationCallbackHandler.class */
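/**
 * SASL callback handler that hands callbacks to the {@link SecurityRealm}'s handler for the
 * configured mechanism and, on authorization, additionally requires the subject to carry the
 * configured cluster role.
 *
 * <p>A subject without that role is rejected by {@link #validateSubjectRole(SubjectUserInfo)},
 * which throws the "unauthorized node join" error.
 */
public class RealmAuthorizationCallbackHandler implements CallbackHandler {
    private final String mechanismName;
    private final SecurityRealm realm;
    private final String clusterRole;
    static final Collection<Principal> EMPTY_PRINCIPALS = Collections.emptySet();
    static final String SASL_OPT_REALM_PROPERTY = "com.sun.security.sasl.digest.realm";
    static final String SASL_OPT_ALT_PROTO_PROPERTY = "org.jboss.sasl.digest.alternative_protocols";
    static final String SASL_OPT_PRE_DIGESTED_PROPERTY = "org.jboss.sasl.digest.pre_digested";
    // Supported SASL mechanism names. Operational caveats: DIGEST-MD5 was moved to Historic
    // status by RFC 6331, and PLAIN transmits the password itself, so either should only be
    // used over a transport that provides confidentiality.
    static final String DIGEST_MD5 = "DIGEST-MD5";
    static final String EXTERNAL = "EXTERNAL";
    static final String GSSAPI = "GSSAPI";
    static final String PLAIN = "PLAIN";
    // Realm mechanism-config key read by tunePropsForMech.
    private static final String DIGEST_PLAIN_TEXT_PROPERTY = "org.jboss.as.domain.management.digest.plain_text";

    /**
     * Wraps a realm-provided {@link AuthorizingCallbackHandler} and adds the cluster-role check
     * to every subject it creates.
     *
     * <p>The decompiler reports that this class's access modifier was widened from
     * package-private.
     */
    public class DelegatingRoleAwareAuthorizingCallbackHandler implements AuthorizingCallbackHandler {
        private final AuthorizingCallbackHandler delegate;

        DelegatingRoleAwareAuthorizingCallbackHandler(AuthorizingCallbackHandler authorizingCallbackHandler) {
            this.delegate = authorizingCallbackHandler;
        }

        /**
         * Handles the SASL callbacks.
         *
         * <p>When the array holds no {@link AuthorizeCallback} it is passed to the delegate
         * unchanged. Otherwise the authorization id is turned into a {@link RealmUser}
         * ({@code name@realm} is split at the first {@code '@'}), the cluster-role check is run
         * for it, and only then is the callback marked authorized, and only when the
         * authentication and authorization ids are equal.
         *
         * @param callbacks the callbacks supplied by the SASL server
         * @throws IOException if the delegate fails
         * @throws UnsupportedCallbackException if the delegate rejects a callback
         */
        @Override
        public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
            AuthorizeCallback authorizeCallback = RealmAuthorizationCallbackHandler.findCallbackHandler(AuthorizeCallback.class, callbacks);
            if (authorizeCallback == null) {
                this.delegate.handle(callbacks);
                return;
            }
            String authenticationID = authorizeCallback.getAuthenticationID();
            String authorizationID = authorizeCallback.getAuthorizationID();
            // Fail closed: the callback stays unauthorized until every check below has passed.
            authorizeCallback.setAuthorized(false);
            // AuthorizeCallback documents both ids as possibly null; treat a missing id as a
            // denial instead of failing with a NullPointerException.
            if (authenticationID == null || authorizationID == null) {
                return;
            }
            int realmSeparator = authorizationID.indexOf('@');
            RealmUser realmUser = realmSeparator < 0
                    ? new RealmUser(authorizationID)
                    : new RealmUser(authorizationID.substring(realmSeparator + 1), authorizationID.substring(0, realmSeparator));
            Collection<Principal> principals = new ArrayList<Principal>();
            principals.add(realmUser);
            // Called for its side effect only: it throws when the subject lacks the cluster role.
            createSubjectUserInfo(principals);
            // The decision is recorded last so that a failed role check can never leave a
            // callback behind that already reports "authorized".
            authorizeCallback.setAuthorized(authenticationID.equals(authorizationID));
        }

        /**
         * Creates the subject through the delegate and verifies that it carries the cluster role.
         *
         * @param collection the principals to build the subject from
         * @return the subject created by the delegate, once it passed the role check
         * @throws IOException if the delegate fails
         */
        @Override
        public SubjectUserInfo createSubjectUserInfo(Collection<Principal> collection) throws IOException {
            return RealmAuthorizationCallbackHandler.this.validateSubjectRole(this.delegate.createSubjectUserInfo(collection));
        }
    }

    /**
     * Creates the handler and adjusts the SASL properties for the chosen mechanism.
     *
     * @param securityRealm realm that supplies the per-mechanism callback handlers
     * @param mechanismName SASL mechanism name; one of PLAIN, DIGEST-MD5, GSSAPI or EXTERNAL
     * @param clusterRole name a principal of the subject must have for the node to be accepted
     * @param saslProperties SASL properties; modified in place for DIGEST-MD5
     */
    public RealmAuthorizationCallbackHandler(SecurityRealm securityRealm, String mechanismName, String clusterRole, Map<String, String> saslProperties) {
        this.realm = securityRealm;
        this.mechanismName = mechanismName;
        this.clusterRole = clusterRole;
        tunePropsForMech(saslProperties);
    }

    /**
     * For DIGEST-MD5 only: defaults the SASL realm property to the realm's name and sets the
     * pre-digested option when the realm's digest configuration says its stored values are not
     * plain text.
     */
    private void tunePropsForMech(Map<String, String> saslProperties) {
        if (!DIGEST_MD5.equals(this.mechanismName)) {
            return;
        }
        if (!saslProperties.containsKey(SASL_OPT_REALM_PROPERTY)) {
            saslProperties.put(SASL_OPT_REALM_PROPERTY, this.realm.getName());
        }
        Map<?, ?> mechanismConfig = this.realm.getMechanismConfig(AuthenticationMechanism.DIGEST);
        // An absent key counts as plain text, in which case nothing more is set.
        boolean plainText = true;
        if (mechanismConfig.containsKey(DIGEST_PLAIN_TEXT_PROPERTY)) {
            plainText = Boolean.parseBoolean((String) mechanismConfig.get(DIGEST_PLAIN_TEXT_PROPERTY));
        }
        if (!plainText) {
            saslProperties.put(SASL_OPT_PRE_DIGESTED_PROPERTY, "true");
        }
    }

    /**
     * Delegates to the role-aware handler of the configured mechanism.
     *
     * @throws IllegalArgumentException if the configured mechanism is not supported
     */
    @Override // javax.security.auth.callback.CallbackHandler
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        getMechCallbackHandler().handle(callbacks);
    }

    /**
     * Maps the SASL mechanism name to the realm's callback handler and wraps it with the
     * cluster-role check. A new wrapper is created on every call.
     */
    private AuthorizingCallbackHandler getMechCallbackHandler() {
        AuthenticationMechanism mechanism;
        if (PLAIN.equals(this.mechanismName) || GSSAPI.equals(this.mechanismName)) {
            // GSSAPI uses the realm's PLAIN handler here; the reason is not visible in this file.
            mechanism = AuthenticationMechanism.PLAIN;
        } else if (DIGEST_MD5.equals(this.mechanismName)) {
            mechanism = AuthenticationMechanism.DIGEST;
        } else if (EXTERNAL.equals(this.mechanismName)) {
            mechanism = AuthenticationMechanism.CLIENT_CERT;
        } else {
            throw new IllegalArgumentException("Unsupported mech " + this.mechanismName);
        }
        return new DelegatingRoleAwareAuthorizingCallbackHandler(this.realm.getAuthorizingCallbackHandler(mechanism));
    }

    /**
     * Accepts the subject only if one of its principals is named like the cluster role.
     *
     * @param subjectUserInfo the subject to check
     * @return {@code subjectUserInfo} when the check passes
     */
    SubjectUserInfo validateSubjectRole(SubjectUserInfo subjectUserInfo) {
        // NOTE(review): the comparison looks at every principal's name without checking the
        // principal's type. If getPrincipals() also returns the user principal (not visible
        // here, confirm), an account whose name equals the cluster role would satisfy this
        // check; restricting the match to role principals would close that gap.
        for (Object candidate : subjectUserInfo.getPrincipals()) {
            if (this.clusterRole.equals(((Principal) candidate).getName())) {
                return subjectUserInfo;
            }
        }
        throw JGroupsMessages.MESSAGES.unauthorizedNodeJoin(subjectUserInfo.getUserName());
    }

    /**
     * Returns the first callback in the array that is an instance of the given type.
     *
     * @param cls callback type to look for
     * @param callbackArr callbacks to search
     * @param <T> callback type
     * @return the first matching callback, or {@code null} if there is none
     */
    public static <T extends Callback> T findCallbackHandler(Class<T> cls, Callback[] callbackArr) {
        for (Callback callback : callbackArr) {
            if (cls.isInstance(callback)) {
                // Class.cast keeps the conversion checked, unlike the unchecked (T) cast.
                return cls.cast(callback);
            }
        }
        return null;
    }
}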
