package org.jboss.as.web.security;

import java.io.IOException;
import java.security.Principal;
import java.security.acl.Group;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.jacc.PolicyContext;
import javax.servlet.http.HttpServletRequest;
import org.apache.catalina.Context;
import org.apache.catalina.Wrapper;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.deploy.SecurityConstraint;
import org.apache.catalina.realm.GenericPrincipal;
import org.apache.catalina.realm.RealmBase;
import org.jboss.as.server.deployment.DeploymentUnit;
import org.jboss.as.web.WebLogger;
import org.jboss.as.web.WebMessages;
import org.jboss.as.web.deployment.WarMetaData;
import org.jboss.metadata.javaee.spec.SecurityRoleRefMetaData;
import org.jboss.metadata.javaee.spec.SecurityRoleRefsMetaData;
import org.jboss.metadata.web.jboss.JBossWebMetaData;
import org.jboss.metadata.web.spec.ServletMetaData;
import org.jboss.security.AuthenticationManager;
import org.jboss.security.AuthorizationManager;
import org.jboss.security.CacheableManager;
import org.jboss.security.CertificatePrincipal;
import org.jboss.security.SecurityContext;
import org.jboss.security.SecurityRolesAssociation;
import org.jboss.security.SimplePrincipal;
import org.jboss.security.audit.AuditEvent;
import org.jboss.security.audit.AuditManager;
import org.jboss.security.auth.callback.CallbackHandlerPolicyContextHandler;
import org.jboss.security.auth.callback.DigestCallbackHandler;
import org.jboss.security.auth.certs.SubjectDNMapping;
import org.jboss.security.callbacks.SecurityContextCallbackHandler;
import org.jboss.security.identity.Role;
import org.jboss.security.javaee.AbstractWebAuthorizationHelper;
import org.jboss.security.javaee.SecurityHelperFactory;
import org.jboss.security.mapping.MappingContext;
import org.jboss.security.mapping.MappingManager;
import org.jboss.security.mapping.MappingType;
import org.jboss.web.CatalinaMessages;

/* loaded from: input_file:org/jboss/as/web/security/JBossWebRealm.class */
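/**
 * Catalina {@link RealmBase} backed by the JBoss security subsystem.
 * <p>
 * Authentication (user name / password, client certificate and HTTP digest) is
 * delegated to the injected {@link AuthenticationManager}; the roles of the
 * resulting subject are obtained from the {@link AuthorizationManager} and,
 * unless a role-mapping module is configured, translated through the
 * deployment's principal-to-roles map. When the deployment enables JBoss
 * authorization, {@link #hasResourcePermission}, {@link #hasRole} and
 * {@link #hasUserDataPermission} additionally consult the JBoss web
 * authorization helper on top of the container's own decision; the helper can
 * only narrow, never widen, what the container already allowed.
 * <p>
 * Every decision is reported to the injected {@link AuditManager} unless
 * auditing is disabled in the deployment metadata or no manager is set.
 * <p>
 * The managers are injected through setters and {@link #setDeploymentUnit}
 * must be called before the realm is used: the authenticate methods throw when
 * a manager is missing and {@link #hasRole} reads the web metadata directly.
 */
public class JBossWebRealm extends RealmBase {
    /** Realm name reported through {@link #getName()}. */
    protected static final String name = "JBossWebRealm";
    /** Deployment this realm belongs to; set by {@link #setDeploymentUnit}. */
    protected DeploymentUnit deploymentUnit;
    /** Merged web metadata of the deployment; set by {@link #setDeploymentUnit}. */
    protected JBossWebMetaData metaData;
    /** Principal name -> application role names, taken from the deployment's security roles. */
    protected Map<String, Set<String>> principalVersusRolesMap;
    protected AuditManager auditManager = null;
    protected AuthenticationManager authenticationManager = null;
    protected AuthorizationManager authorizationManager = null;
    protected MappingManager mappingManager = null;
    /** Maps a client certificate chain to a {@link Principal}; defaults to the subject DN. */
    protected CertificatePrincipal certMapping = new SubjectDNMapping();
    /** Whether the JBoss authorization helper is consulted in addition to the container checks. */
    protected boolean useJBossAuthorization = false;
    /** Whether audit events are suppressed for this deployment. */
    protected boolean disableAudit = false;

    public void setAuthenticationManager(AuthenticationManager authenticationManager) {
        this.authenticationManager = authenticationManager;
    }

    public void setAuditManager(AuditManager auditManager) {
        this.auditManager = auditManager;
    }

    public void setAuthorizationManager(AuthorizationManager authorizationManager) {
        this.authorizationManager = authorizationManager;
    }

    public void setMappingManager(MappingManager mappingManager) {
        this.mappingManager = mappingManager;
    }

    /**
     * Binds the realm to its deployment and caches the security-relevant
     * metadata (role map, authorization and audit switches).
     *
     * @param deploymentUnit the deployment carrying a {@link WarMetaData} attachment
     */
    public void setDeploymentUnit(DeploymentUnit deploymentUnit) {
        this.deploymentUnit = deploymentUnit;
        WarMetaData warMetaData = (WarMetaData) deploymentUnit.getAttachment(WarMetaData.ATTACHMENT_KEY);
        this.metaData = warMetaData.getMergedJBossWebMetaData();
        this.principalVersusRolesMap = this.metaData.getSecurityRoles().getPrincipalVersusRolesMap();
        this.useJBossAuthorization = this.metaData.isUseJBossAuthorization();
        this.disableAudit = this.metaData.isDisableAudit();
    }

    public Map<String, Set<String>> getPrincipalVersusRolesMap() {
        return this.principalVersusRolesMap;
    }

    /**
     * Authenticates a user name / password pair through the JBoss
     * {@link AuthenticationManager}.
     * <p>
     * On success a {@link JBossGenericPrincipal} carrying the subject, the
     * resolved roles and the credential is returned and a success audit event is
     * emitted. When JBoss authentication fails or throws, the call falls back to
     * {@link RealmBase#authenticate(String, String)}; because
     * {@link #getPassword(String)} returns {@code null} here, that fallback is
     * expected to yield {@code null}, which is then audited as a failure.
     *
     * @param username    the user name; {@code null} together with a {@code null}
     *                    credential short-circuits to {@code null}
     * @param credentials the clear-text password
     * @return the authenticated principal, or {@code null} when authentication failed
     * @throws IllegalStateException when the authentication or authorization manager has not been set
     */
    @Override
    public Principal authenticate(String username, String credentials) {
        if (username == null && credentials == null) {
            return null;
        }
        if (this.authenticationManager == null) {
            throw new IllegalStateException("Authentication Manager has not been set");
        }
        if (this.authorizationManager == null) {
            throw new IllegalStateException("Authorization Manager has not been set");
        }
        Principal userPrincipal = getPrincipal(username);
        Subject subject = new Subject();
        try {
            if (this.authenticationManager.isValid(userPrincipal, credentials, subject)) {
                WebLogger.WEB_SECURITY_LOGGER.tracef("User: " + userPrincipal + " is authenticated", new Object[0]);
                SecurityContext securityContext = SecurityActions.getSecurityContext();
                if (securityContext == null) {
                    // Thrown inside the try on purpose: it is logged, audited and then
                    // the container fallback below is attempted, as before.
                    throw new IllegalStateException("No SecurityContext found!");
                }
                securityContext.getUtil().createSubjectInfo(userPrincipal, credentials, subject);
                Principal callerPrincipal = getPrincipal(subject);
                List<String> roles = resolveRoleNames(subject, securityContext);
                GenericPrincipal result = createGenericPrincipal(userPrincipal, callerPrincipal, roles, credentials, subject);
                successAudit(result, null);
                return result;
            }
        } catch (Exception e) {
            WebLogger.WEB_SECURITY_LOGGER.authenticateError(e);
            exceptionAudit(null, null, e);
        }
        Principal fallback = super.authenticate(username, credentials);
        if (fallback != null) {
            successAudit(fallback, null);
        } else {
            failureAudit(null, null);
        }
        return fallback;
    }

    /**
     * Authenticates a client certificate chain through the JBoss
     * {@link AuthenticationManager}, using {@link #certMapping} to derive the
     * principal from the chain.
     *
     * @param certs the client certificate chain; {@code null} or empty yields {@code null}
     * @return the authenticated principal, or {@code null} when authentication failed or threw
     * @throws IllegalStateException when the authentication or authorization manager has not been set
     */
    @Override
    public Principal authenticate(X509Certificate[] certs) {
        if (certs == null || certs.length < 1) {
            return null;
        }
        if (this.authenticationManager == null) {
            throw WebMessages.MESSAGES.noAuthenticationManager();
        }
        if (this.authorizationManager == null) {
            throw WebMessages.MESSAGES.noAuthorizationManager();
        }
        Principal userPrincipal = this.certMapping.toPrincipal(certs);
        GenericPrincipal result = null;
        try {
            Subject subject = new Subject();
            if (this.authenticationManager.isValid(userPrincipal, certs, subject)) {
                WebLogger.WEB_SECURITY_LOGGER.tracef("User: " + userPrincipal + " is authenticated", new Object[0]);
                SecurityContext securityContext = SecurityActions.getSecurityContext();
                if (securityContext == null) {
                    throw new IllegalStateException("No SecurityContext found!");
                }
                securityContext.getUtil().createSubjectInfo(userPrincipal, certs, subject);
                Principal callerPrincipal = getPrincipal(subject);
                List<String> roles = resolveRoleNames(subject, securityContext);
                result = createGenericPrincipal(userPrincipal, callerPrincipal, roles, certs, subject);
            } else {
                // Previously logged a literal null instead of the rejected principal.
                WebLogger.WEB_SECURITY_LOGGER.tracef("User: " + userPrincipal + " is NOT authenticated", new Object[0]);
            }
        } catch (Exception e) {
            WebLogger.WEB_SECURITY_LOGGER.authenticateErrorCert(e);
            exceptionAudit(null, null, e);
        }
        if (result != null) {
            successAudit(result, null);
        } else {
            // Rejected certificates are now audited like the other authenticate variants.
            failureAudit(null, null);
        }
        return result;
    }

    /**
     * Authenticates a user name with a raw credential by decoding the bytes as a
     * {@link String} and delegating to {@link #authenticate(String, String)}.
     * <p>
     * NOTE(review): the decoding uses the platform default charset, as the
     * original did; callers relying on a specific encoding must convert first.
     */
    @Override
    public Principal authenticate(String username, byte[] credentials) {
        return authenticate(username, new String(credentials));
    }

    /**
     * Authenticates an HTTP digest request. The digest parameters are handed to
     * the login modules through a {@link DigestCallbackHandler} registered on the
     * {@link CallbackHandlerPolicyContextHandler}, and the client digest is
     * passed as the credential to the {@link AuthenticationManager}.
     * <p>
     * NOTE(review): the callback handler registration is not cleared by this
     * method; confirm that the valve/association code resets it per request.
     *
     * @return the authenticated principal, or {@code null} when authentication failed or threw
     * @throws IllegalStateException when a manager or the thread's {@link SecurityContext} is missing
     */
    @Override
    public Principal authenticate(String username, String clientDigest, String nonce, String nc, String cnonce,
            String qop, String realmName, String md5a2) {
        if (this.authenticationManager == null) {
            throw WebMessages.MESSAGES.noAuthenticationManager();
        }
        if (this.authorizationManager == null) {
            throw WebMessages.MESSAGES.noAuthorizationManager();
        }
        Principal userPrincipal = getPrincipal(username);
        SecurityContext securityContext = SecurityActions.getSecurityContext();
        if (securityContext == null) {
            throw WebMessages.MESSAGES.noSecurityContext();
        }
        if (securityContext.getUtil().getUserPrincipal() == null && username == null && clientDigest == null) {
            return null;
        }
        GenericPrincipal result = null;
        try {
            CallbackHandlerPolicyContextHandler.setCallbackHandler(
                    new DigestCallbackHandler(username, nonce, nc, cnonce, qop, realmName, md5a2));
            Subject subject = new Subject();
            if (this.authenticationManager.isValid(userPrincipal, clientDigest, subject)) {
                WebLogger.WEB_SECURITY_LOGGER.tracef("User: " + userPrincipal + " is authenticated", new Object[0]);
                securityContext.getUtil().createSubjectInfo(userPrincipal, clientDigest, subject);
                Principal callerPrincipal = getPrincipal(subject);
                List<String> roles = resolveRoleNames(subject, securityContext);
                result = createGenericPrincipal(userPrincipal, callerPrincipal, roles, clientDigest, subject);
            } else {
                // Previously logged a literal null instead of the rejected principal.
                WebLogger.WEB_SECURITY_LOGGER.tracef("User: " + userPrincipal + " is NOT authenticated", new Object[0]);
            }
        } catch (Exception e) {
            WebLogger.WEB_SECURITY_LOGGER.authenticateErrorDigest(e);
            // Audited like the password and certificate variants.
            exceptionAudit(null, null, e);
        }
        if (result != null) {
            successAudit(result, null);
        } else {
            failureAudit(null, null);
        }
        return result;
    }

    /**
     * Returns whether a role-mapping module is configured for
     * {@link MappingType#ROLE} on the injected {@link MappingManager}.
     */
    private boolean hasRoleMappingModules() {
        if (this.mappingManager == null) {
            return false;
        }
        MappingContext mappingContext = this.mappingManager.getMappingContext(MappingType.ROLE.name());
        return mappingContext != null && mappingContext.hasModules();
    }

    /**
     * Collects the role names the {@link AuthorizationManager} assigns to an
     * authenticated subject.
     * <p>
     * When a role-mapping module is configured, the deployment's
     * principal-to-roles map is published through
     * {@link SecurityRolesAssociation} for that module to consume and the
     * returned names are used as-is; otherwise the names are translated locally
     * by {@link #mapUserRoles(List)}.
     * <p>
     * NOTE(review): the {@link SecurityRolesAssociation} entry is not cleared
     * here; confirm the association is reset per request elsewhere.
     *
     * @param subject         the populated subject of the authenticated user
     * @param securityContext the thread's security context, used for the callback handler
     * @return the (possibly mapped) role names, never {@code null}
     */
    private List<String> resolveRoleNames(Subject subject, SecurityContext securityContext) {
        SecurityContextCallbackHandler callbackHandler = new SecurityContextCallbackHandler(securityContext);
        boolean mappingModuleConfigured = hasRoleMappingModules();
        if (mappingModuleConfigured) {
            SecurityRolesAssociation.setSecurityRoles(this.principalVersusRolesMap);
        }
        List<? extends Role> subjectRoles = this.authorizationManager.getSubjectRoles(subject, callbackHandler).getRoles();
        List<String> roleNames = new ArrayList<String>();
        for (Role role : subjectRoles) {
            roleNames.add(role.getRoleName());
        }
        return mappingModuleConfigured ? roleNames : mapUserRoles(roleNames);
    }

    /**
     * Builds the container principal for an authenticated user.
     * <p>
     * The authentication manager is attached to the principal only when it is a
     * {@link CacheableManager}; otherwise {@code null} is passed, as before.
     *
     * @param userPrincipal   the principal the user authenticated as
     * @param callerPrincipal the caller principal extracted from the subject
     * @param roles           the resolved role names
     * @param credentials     the credential used (password, digest or certificate chain)
     * @param subject         the populated subject
     */
    private GenericPrincipal createGenericPrincipal(Principal userPrincipal, Principal callerPrincipal,
            List<String> roles, Object credentials, Subject subject) {
        AuthenticationManager cacheableManager =
                this.authenticationManager instanceof CacheableManager ? this.authenticationManager : null;
        return new JBossGenericPrincipal(this, userPrincipal.getName(), null, roles, callerPrincipal, null,
                credentials, cacheableManager, subject);
    }

    @Override
    protected String getName() {
        return name;
    }

    /** Passwords are never exposed; the container-side credential lookup always yields {@code null}. */
    @Override
    protected String getPassword(String username) {
        return null;
    }

    @Override
    protected Principal getPrincipal(String username) {
        return new SimplePrincipal(username);
    }

    /**
     * Translates role names through the deployment's principal-to-roles map.
     * <p>
     * A name present in the map is replaced by its mapped roles; a name absent
     * from the map (or mapped to nothing) is kept. Duplicates are dropped while
     * preserving first-seen order. When the map is empty or unset the input list
     * is returned unchanged.
     *
     * @param roleNames the role names to translate
     * @return the translated role names
     */
    protected List<String> mapUserRoles(List<String> roleNames) {
        if (this.principalVersusRolesMap == null || this.principalVersusRolesMap.size() <= 0) {
            return roleNames;
        }
        List<String> mapped = new ArrayList<String>();
        for (String roleName : roleNames) {
            Set<String> targets = this.principalVersusRolesMap.get(roleName);
            if (targets != null && targets.size() > 0) {
                for (String target : targets) {
                    if (!mapped.contains(target)) {
                        mapped.add(target);
                    }
                }
            } else if (!mapped.contains(roleName)) {
                mapped.add(roleName);
            }
        }
        return mapped;
    }

    /**
     * Extracts the caller principal from a subject.
     * <p>
     * Prefers the first member of a {@link Group} named {@code "CallerPrincipal"};
     * falls back to the first non-group principal of the subject, or
     * {@code null} when the subject is {@code null} or has no principals.
     *
     * @param subject the subject populated by the login modules, may be {@code null}
     * @return the caller principal, or {@code null}
     */
    protected Principal getPrincipal(Subject subject) {
        if (subject == null) {
            return null;
        }
        Set<Principal> principals = subject.getPrincipals();
        if (principals == null || principals.isEmpty()) {
            return null;
        }
        Principal firstPlainPrincipal = null;
        Principal callerPrincipal = null;
        for (Principal candidate : principals) {
            if (candidate instanceof Group) {
                Group group = (Group) candidate;
                if (callerPrincipal == null && group.getName().equals("CallerPrincipal")) {
                    Enumeration<? extends Principal> members = group.members();
                    if (members.hasMoreElements()) {
                        callerPrincipal = members.nextElement();
                    }
                }
            } else if (firstPlainPrincipal == null) {
                firstPlainPrincipal = candidate;
            }
        }
        return callerPrincipal == null ? firstPlainPrincipal : callerPrincipal;
    }

    /**
     * Checks access to the requested resource: first the container's own
     * constraint evaluation, then (when enabled) the JBoss web authorization
     * helper. Access is granted only when both agree.
     * <p>
     * A denial sends a 403 response and emits a failure audit event; a grant
     * emits a success audit event. If the authorization helper cannot be
     * obtained or throws, access is denied (fail closed) through the same 403 /
     * audit path instead of returning without a response.
     *
     * @throws IOException           if sending the error response fails
     * @throws IllegalStateException when JBoss authorization is enabled but no
     *                               {@link SecurityContext} is associated with the thread
     */
    @Override
    public boolean hasResourcePermission(Request request, Response response, SecurityConstraint[] constraints,
            Context context) throws IOException {
        boolean containerDecision = super.hasResourcePermission(request, response, constraints, context);
        boolean authzDecision = true;
        if (containerDecision && this.useJBossAuthorization) {
            SecurityContext securityContext = SecurityActions.getSecurityContext();
            if (securityContext == null) {
                throw WebMessages.MESSAGES.noSecurityContext();
            }
            Subject subject = securityContext.getUtil().getSubject();
            if (subject == null) {
                subject = getSubjectFromRequestPrincipal(request.getPrincipal());
            }
            Map<String, Object> contextMap = new HashMap<String, Object>();
            contextMap.put("resourcePermissionCheck", Boolean.TRUE);
            contextMap.put("securityConstraints", constraints);
            try {
                authzDecision = SecurityHelperFactory.getWebAuthorizationHelper(securityContext).checkResourcePermission(
                        contextMap, request, response, subject, PolicyContext.getContextID(), requestURI(request),
                        getPrincipalRoles(request));
            } catch (Exception e) {
                WebLogger.WEB_SECURITY_LOGGER.noAuthorizationHelper(e);
                authzDecision = false;
            }
        }
        boolean granted = containerDecision && authzDecision;
        WebLogger.WEB_SECURITY_LOGGER.tracef("hasResourcePermission:RealmBase says:" + containerDecision
                + "::Authz framework says:" + authzDecision + ":final=" + granted, new Object[0]);
        if (!granted) {
            if (!this.disableAudit) {
                Map<String, Object> auditContext = new HashMap<String, Object>();
                auditContext.put("Step", "hasResourcePermission");
                failureAudit(request.getUserPrincipal(), auditContext);
            }
            response.sendError(403, CatalinaMessages.MESSAGES.forbiddenAccess());
        } else if (!this.disableAudit) {
            Map<String, Object> auditContext = new HashMap<String, Object>();
            auditContext.put("Step", "hasResourcePermission");
            successAudit(request.getUserPrincipal(), auditContext);
        }
        return granted;
    }

    /**
     * Checks whether the principal is in the given role: first through the
     * container, then (when enabled) through the JBoss web authorization helper
     * for the servlet of the active request. The role is first translated via
     * the servlet's {@code security-role-ref} entries (role-link -> role-name).
     * <p>
     * If the helper cannot be obtained the check fails closed instead of
     * dereferencing a missing helper. Every outcome is audited.
     *
     * @throws IllegalStateException when the active request has no servlet name or,
     *                               with JBoss authorization enabled, no
     *                               {@link SecurityContext} is associated with the thread
     */
    @Override
    public boolean hasRole(Principal principal, String role) {
        boolean containerDecision = super.hasRole(principal, role);
        boolean authzDecision = true;
        if (containerDecision && this.useJBossAuthorization) {
            Request activeRequest = SecurityContextAssociationValve.getActiveRequest();
            Wrapper wrapper = activeRequest.getWrapper();
            String servletName = wrapper == null ? null : getServletName(wrapper);
            if (servletName == null) {
                throw new IllegalStateException("servletName is null");
            }
            String roleName = resolveRoleLink(servletName, role);
            SecurityContext securityContext = SecurityActions.getSecurityContext();
            if (securityContext == null) {
                throw WebMessages.MESSAGES.noSecurityContext();
            }
            AbstractWebAuthorizationHelper helper = lookupAuthorizationHelper(securityContext);
            if (helper == null) {
                authzDecision = false;
            } else {
                Subject subject = securityContext.getUtil().getSubject();
                if (subject == null) {
                    subject = getSubjectFromRequestPrincipal(principal);
                }
                authzDecision = helper.hasRole(roleName, principal, servletName, getPrincipalRoles(principal),
                        PolicyContext.getContextID(), subject, getPrincipalRoles(activeRequest));
            }
        }
        boolean granted = containerDecision && authzDecision;
        WebLogger.WEB_SECURITY_LOGGER.tracef("hasRole:RealmBase says:" + containerDecision + "::Authz framework says:"
                + authzDecision + ":final=" + granted, new Object[0]);
        if (!this.disableAudit) {
            Map<String, Object> auditContext = new HashMap<String, Object>();
            auditContext.put("Step", "hasRole");
            if (granted) {
                successAudit(principal, auditContext);
            } else {
                failureAudit(principal, auditContext);
            }
        }
        return granted;
    }

    /**
     * Translates a role through the servlet's {@code security-role-ref}
     * declarations: when a ref's role-link equals {@code role}, its role-name is
     * returned; otherwise {@code role} itself.
     * <p>
     * {@code role} is compared against the (possibly absent) role-link, so a
     * ref without a role-link no longer causes a {@link NullPointerException}.
     *
     * @param servletName the servlet whose refs are consulted
     * @param role        the role name the container was asked about
     */
    private String resolveRoleLink(String servletName, String role) {
        ServletMetaData servletMetaData = this.metaData.getServlets().get(servletName);
        SecurityRoleRefsMetaData roleRefs = servletMetaData == null ? null : servletMetaData.getSecurityRoleRefs();
        if (roleRefs == null) {
            return role;
        }
        Iterator<?> refs = roleRefs.iterator();
        while (refs.hasNext()) {
            SecurityRoleRefMetaData roleRef = (SecurityRoleRefMetaData) refs.next();
            if (role.equals(roleRef.getRoleLink())) {
                return roleRef.getName();
            }
        }
        return role;
    }

    /**
     * Obtains the JBoss web authorization helper for the context, logging and
     * returning {@code null} when it cannot be created so callers can deny.
     */
    private AbstractWebAuthorizationHelper lookupAuthorizationHelper(SecurityContext securityContext) {
        try {
            return SecurityHelperFactory.getWebAuthorizationHelper(securityContext);
        } catch (Exception e) {
            WebLogger.WEB_SECURITY_LOGGER.noAuthorizationHelper(e);
            return null;
        }
    }

    /**
     * Checks the transport guarantee (user-data constraint) of the request:
     * first through the container, then (when enabled) through the JBoss web
     * authorization helper. If the helper cannot be obtained the check fails
     * closed. A denial on a response still at status 200 sends a 403.
     *
     * @throws IOException           if sending the error response fails
     * @throws IllegalStateException when JBoss authorization is enabled but no
     *                               {@link SecurityContext} is associated with the thread
     */
    @Override
    public boolean hasUserDataPermission(Request request, Response response, SecurityConstraint[] constraints)
            throws IOException {
        boolean permitted = super.hasUserDataPermission(request, response, constraints);
        if (permitted && this.useJBossAuthorization) {
            Map<String, Object> contextMap = new HashMap<String, Object>();
            contextMap.put("securityConstraints", constraints);
            contextMap.put("userDataPermissionCheck", Boolean.TRUE);
            SecurityContext securityContext = SecurityActions.getSecurityContext();
            if (securityContext == null) {
                throw WebMessages.MESSAGES.noSecurityContext();
            }
            AbstractWebAuthorizationHelper helper = lookupAuthorizationHelper(securityContext);
            if (helper == null) {
                permitted = false;
            } else {
                Subject subject = securityContext.getUtil().getSubject();
                if (subject == null) {
                    subject = new Subject();
                }
                permitted = helper.hasUserDataPermission(contextMap, request, response, PolicyContext.getContextID(),
                        subject, getPrincipalRoles(request));
            }
        }
        if (!permitted && response.getStatus() == 200) {
            response.sendError(403);
        }
        return permitted;
    }

    /**
     * Returns the subject attached to a {@link JBossGenericPrincipal}, or
     * {@code null} for any other principal.
     */
    protected Subject getSubjectFromRequestPrincipal(Principal principal) {
        if (principal instanceof JBossGenericPrincipal) {
            return ((JBossGenericPrincipal) principal).getSubject();
        }
        return null;
    }

    /**
     * Converts the role names of a {@link GenericPrincipal} into a set of
     * {@link Principal}s built by {@link #getPrincipal(String)}.
     *
     * @throws IllegalArgumentException (via {@link WebMessages}) when the principal is not a
     *                                  {@link GenericPrincipal}
     */
    protected Set<Principal> getPrincipalRoles(Principal principal) {
        if (!(principal instanceof GenericPrincipal)) {
            throw WebMessages.MESSAGES.illegalPrincipalType(principal.getClass());
        }
        String[] roleNames = ((GenericPrincipal) principal).getRoles();
        Set<Principal> rolePrincipals = new HashSet<Principal>();
        if (roleNames != null) {
            for (String roleName : roleNames) {
                rolePrincipals.add(getPrincipal(roleName));
            }
        }
        return rolePrincipals;
    }

    /**
     * Returns the role names of the request's principal, or {@code null} when
     * the request has no principal or it is not a {@link GenericPrincipal}.
     * A principal without a role array yields an empty list.
     */
    protected List<String> getPrincipalRoles(Request request) {
        Principal principal = request.getPrincipal();
        if (!(principal instanceof GenericPrincipal)) {
            return null;
        }
        String[] roleNames = ((GenericPrincipal) principal).getRoles();
        return roleNames == null ? new ArrayList<String>() : Arrays.asList(roleNames);
    }

    /**
     * Returns the request path relative to the context, with {@code null} and
     * {@code "/"} normalised to the empty string.
     */
    protected String requestURI(Request request) {
        String path = request.getMappingData().requestPath.getString();
        if (path == null || path.equals("/")) {
            return "";
        }
        return path;
    }

    /**
     * Returns the servlet name to use for role-ref resolution. The built-in
     * {@code jsp} servlet mapped to {@code *.jsp} is reported as the empty
     * name; every other wrapper reports its own name.
     * <p>
     * The mapping array is now checked for emptiness before its first element
     * is read.
     */
    private String getServletName(Wrapper wrapper) {
        String[] mappings = wrapper.findMappings();
        WebLogger.WEB_SECURITY_LOGGER.tracef("[getServletName:servletmappings=" + Arrays.toString(mappings)
                + ":servlet.getName()=" + wrapper.getName() + "]", new Object[0]);
        boolean jspWildcard = "jsp".equals(wrapper.getName()) && mappings != null && mappings.length > 0
                && mappings[0].indexOf("*.jsp") > -1;
        return jspWildcard ? "" : wrapper.getName();
    }

    /**
     * Looks up the current servlet request through the JACC policy context;
     * {@code null} when none is available (the failure is only traced).
     */
    private HttpServletRequest getServletRequest() {
        try {
            return (HttpServletRequest) PolicyContext.getContext("javax.servlet.http.HttpServletRequest");
        } catch (Exception e) {
            WebLogger.WEB_SECURITY_LOGGER.tracef("Exception in getting servlet request:", e);
            return null;
        }
    }

    /** Whether audit events should be emitted at all. */
    private boolean auditEnabled() {
        return !this.disableAudit && this.auditManager != null;
    }

    /**
     * Builds the context shared by all audit events: the principal and, when a
     * servlet request is available, a summary of it.
     */
    private Map<String, Object> baseAuditContext(Principal principal) {
        Map<String, Object> auditContext = new HashMap<String, Object>();
        auditContext.put("principal", principal);
        HttpServletRequest servletRequest = getServletRequest();
        if (servletRequest != null) {
            auditContext.put("request", WebUtil.deriveUsefulInfo(servletRequest));
        }
        return auditContext;
    }

    /**
     * Emits a {@code "Success"} audit event for the principal; nothing is emitted
     * for a {@code null} principal.
     *
     * @param principal  the principal the decision concerned
     * @param contextMap extra entries merged into the event context, may be {@code null}
     */
    private void successAudit(Principal principal, Map<String, Object> contextMap) {
        if (principal == null || !auditEnabled()) {
            return;
        }
        Map<String, Object> auditContext = baseAuditContext(principal);
        auditContext.put("Source", getClass().getCanonicalName());
        if (contextMap != null) {
            auditContext.putAll(contextMap);
        }
        AuditEvent auditEvent = new AuditEvent("Success");
        auditEvent.setContextMap(auditContext);
        this.auditManager.audit(auditEvent);
    }

    /**
     * Emits a {@code "Failure"} audit event; a {@code null} principal is recorded
     * as such so that failed anonymous attempts are still visible.
     *
     * @param principal  the principal the decision concerned, may be {@code null}
     * @param contextMap extra entries merged into the event context, may be {@code null}
     */
    private void failureAudit(Principal principal, Map<String, Object> contextMap) {
        if (!auditEnabled()) {
            return;
        }
        Map<String, Object> auditContext = baseAuditContext(principal);
        auditContext.put("Source", getClass().getCanonicalName());
        if (contextMap != null) {
            auditContext.putAll(contextMap);
        }
        AuditEvent auditEvent = new AuditEvent("Failure");
        auditEvent.setContextMap(auditContext);
        this.auditManager.audit(auditEvent);
    }

    /**
     * Emits an {@code "Error"} audit event carrying the exception.
     * <p>
     * The extra map is only merged when present: the previous unconditional
     * {@code putAll} threw a {@link NullPointerException} for the {@code null}
     * map every caller passes, aborting the authenticate call from inside its
     * exception handler. The lowercase {@code "source"} key is kept as emitted
     * before, although the other events use {@code "Source"}.
     *
     * @param principal  the principal the decision concerned, may be {@code null}
     * @param contextMap extra entries merged into the event context, may be {@code null}
     * @param exc        the exception that interrupted the decision
     */
    private void exceptionAudit(Principal principal, Map<String, Object> contextMap, Exception exc) {
        if (!auditEnabled()) {
            return;
        }
        Map<String, Object> auditContext = baseAuditContext(principal);
        auditContext.put("source", getClass().getCanonicalName());
        if (contextMap != null) {
            auditContext.putAll(contextMap);
        }
        AuditEvent auditEvent = new AuditEvent("Error");
        auditEvent.setContextMap(auditContext);
        auditEvent.setUnderlyingException(exc);
        this.auditManager.audit(auditEvent);
    }
}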
