package org.infinispan.security.impl;

import java.security.AccessControlException;
import java.security.Principal;
import java.util.Iterator;
import java.util.Set;
import java.util.concurrent.TimeUnit;
import javax.security.auth.Subject;
import org.infinispan.commons.util.Util;
import org.infinispan.configuration.cache.AuthorizationConfiguration;
import org.infinispan.configuration.global.GlobalSecurityConfiguration;
import org.infinispan.registry.ClusterRegistry;
import org.infinispan.security.AuditContext;
import org.infinispan.security.AuditLogger;
import org.infinispan.security.AuditResponse;
import org.infinispan.security.AuthorizationManager;
import org.infinispan.security.AuthorizationPermission;
import org.infinispan.security.PrincipalRoleMapper;
import org.infinispan.security.Role;
import org.infinispan.security.Security;
import org.infinispan.util.logging.Log;
import org.infinispan.util.logging.LogFactory;
import org.jboss.util.Strings;

/* loaded from: input_file:WEB-INF/lib/infinispan-core-8.0.0.Alpha2.jar:org/infinispan/security/impl/AuthorizationHelper.class */
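/**
 * Performs role-mask based permission checks for a single named, audited context.
 *
 * <p>A subject's effective permission mask is the bitwise OR of the masks of every role its
 * principals map to. A check passes when that mask contains every bit of the requested
 * permission; otherwise the decision falls back to the JVM {@link SecurityManager}.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>When global authorization is disabled, every check is a no-op.</li>
 *   <li>When no {@link SecurityManager} is installed, the fallback always denies.</li>
 *   <li>Only a successful role-mask match and a {@link SecurityException} are audited here; a
 *       grant obtained through the privileged path or through the {@link SecurityManager}
 *       fallback produces no audit record from this class.</li>
 *   <li>Computed masks may be cached per subject for the configured security cache timeout.</li>
 * </ul>
 */
public class AuthorizationHelper {
    private static final Log log = LogFactory.getLog(AuthorizationHelper.class);
    private final GlobalSecurityConfiguration globalConfiguration;
    private final AuditLogger audit;
    private final AuditContext context;
    private final String name;
    // Optional subject -> mask cache; null disables caching.
    private final ClusterRegistry<String, Subject, Integer> maskCache;
    // Registry scope for this helper's entries: "<AuthorizationManager simple name>_<name>".
    private final String maskCacheScope;

    /**
     * Creates a helper that caches computed role masks in the given registry.
     *
     * @param globalSecurityConfiguration global security settings; also supplies the audit logger
     * @param auditContext context reported with every audit record
     * @param str name reported with every audit record and used to build the cache scope
     * @param clusterRegistry registry used as the mask cache, or {@code null} to disable caching
     */
    public AuthorizationHelper(GlobalSecurityConfiguration globalSecurityConfiguration, AuditContext auditContext, String str, ClusterRegistry<String, Subject, Integer> clusterRegistry) {
        this.globalConfiguration = globalSecurityConfiguration;
        this.audit = globalSecurityConfiguration.authorization().auditLogger();
        this.context = auditContext;
        this.name = str;
        this.maskCache = clusterRegistry;
        this.maskCacheScope = AuthorizationManager.class.getSimpleName() + "_" + str;
    }

    /**
     * Creates a helper without a mask cache; every check recomputes the subject's role mask.
     *
     * @param globalSecurityConfiguration global security settings; also supplies the audit logger
     * @param auditContext context reported with every audit record
     * @param str name reported with every audit record
     */
    public AuthorizationHelper(GlobalSecurityConfiguration globalSecurityConfiguration, AuditContext auditContext, String str) {
        this(globalSecurityConfiguration, auditContext, str, null);
    }

    /**
     * Checks a permission without a per-cache role restriction, so every globally defined role
     * the subject maps to contributes to its mask.
     *
     * @param authorizationPermission the permission being requested
     */
    public void checkPermission(AuthorizationPermission authorizationPermission) {
        checkPermission(null, authorizationPermission);
    }

    /**
     * Checks that the current subject holds the requested permission.
     *
     * <p>Returns normally when access is granted. On denial the DENY decision is audited and the
     * exception built by {@code log.unauthorizedAccess} is thrown (presumably a
     * {@link SecurityException} - verify against the {@code Log} interface).
     *
     * @param authorizationConfiguration restricts the roles that count towards the mask to those
     *        it lists; {@code null} means no restriction
     * @param authorizationPermission the permission being requested
     */
    public void checkPermission(AuthorizationConfiguration authorizationConfiguration, AuthorizationPermission authorizationPermission) {
        if (!this.globalConfiguration.authorization().enabled()) {
            // Authorization is switched off globally: nothing is checked and nothing is audited.
            return;
        }
        if (Security.isPrivileged()) {
            // NOTE(review): the privileged path bypasses the role-mask check and this class's
            // audit logger entirely; confirm that Security.checkPermission is audited elsewhere.
            Security.checkPermission(authorizationPermission.getSecurityPermission());
            return;
        }
        Subject subject = Security.getSubject();
        try {
            boolean grantedByRoles = subject != null
                    && (computeSubjectRoleMask(subject, authorizationConfiguration) & authorizationPermission.getMask()) == authorizationPermission.getMask();
            if (grantedByRoles) {
                this.audit.audit(subject, this.context, this.name, authorizationPermission, AuditResponse.ALLOW);
            } else {
                // No subject, or the subject's roles do not cover the permission: defer to the
                // SecurityManager, which throws on denial.
                // NOTE(review): a grant from this fallback is not audited as ALLOW.
                checkSecurityManagerPermission(authorizationPermission);
            }
        } catch (SecurityException e) {
            // AccessControlException is a SecurityException, so both fallback failures land here.
            this.audit.audit(subject, this.context, this.name, authorizationPermission, AuditResponse.DENY);
            throw log.unauthorizedAccess(Util.prettyPrintSubject(subject), authorizationPermission.toString());
        }
    }

    /**
     * Delegates the decision to the JVM {@link SecurityManager}, denying when none is installed.
     *
     * @param authorizationPermission the permission being requested
     * @throws AccessControlException if no {@link SecurityManager} is installed
     * @throws SecurityException if the installed {@link SecurityManager} rejects the permission
     */
    private void checkSecurityManagerPermission(AuthorizationPermission authorizationPermission) {
        // Read the SecurityManager once. Reading it twice lets a concurrent
        // System.setSecurityManager(null) turn the denial into a NullPointerException, which is
        // not a SecurityException and would therefore skip the DENY audit in checkPermission.
        SecurityManager securityManager = System.getSecurityManager();
        if (securityManager == null) {
            throw new AccessControlException(Strings.EMPTY, authorizationPermission.getSecurityPermission());
        }
        securityManager.checkPermission(authorizationPermission.getSecurityPermission());
    }

    /**
     * Computes the permission mask granted to a subject through its roles.
     *
     * <p>Each principal of the subject is mapped to role names by the configured
     * {@link PrincipalRoleMapper}; the masks of the globally defined roles with those names are
     * OR-ed together. Role names with no global definition are ignored.
     *
     * <p>NOTE(review): the cache entry is keyed by scope and subject only, not by
     * {@code authorizationConfiguration}. A mask computed under one configuration (or under
     * {@code null}) is returned for later calls made with a different configuration until the
     * entry expires. Confirm that each helper instance is only ever used with one configuration.
     * Likewise, role-mapping changes presumably take effect only after the cached entry expires.
     *
     * @param subject the subject to evaluate; {@code null} yields an empty mask
     * @param authorizationConfiguration restricts the roles that count to those it lists;
     *        {@code null} means no restriction
     * @return the combined role mask, or {@code 0} when the subject is {@code null}
     */
    public int computeSubjectRoleMask(Subject subject, AuthorizationConfiguration authorizationConfiguration) {
        if (subject == null) {
            return 0;
        }
        Integer cached = null;
        try {
            if (this.maskCache != null) {
                cached = this.maskCache.get(this.maskCacheScope, subject);
            }
        } catch (IllegalStateException ignored) {
            // Treated as a cache miss (presumably the registry is not usable right now); the
            // mask is recomputed below, so the decision never depends on the cache being up.
        }
        if (cached != null) {
            return cached.intValue();
        }
        int mask = 0;
        PrincipalRoleMapper principalRoleMapper = this.globalConfiguration.authorization().principalRoleMapper();
        for (Principal principal : subject.getPrincipals()) {
            Set<String> roleNames = principalRoleMapper.principalToRoles(principal);
            if (roleNames == null) {
                continue;
            }
            for (String roleName : roleNames) {
                if (authorizationConfiguration != null && !authorizationConfiguration.roles().contains(roleName)) {
                    // Role is not enabled for this configuration, so it grants nothing here.
                    continue;
                }
                Role role = this.globalConfiguration.authorization().roles().get(roleName);
                if (role != null) {
                    mask |= role.getMask();
                }
            }
        }
        try {
            if (this.maskCache != null) {
                this.maskCache.put(this.maskCacheScope, subject, Integer.valueOf(mask), this.globalConfiguration.securityCacheTimeout(), TimeUnit.MILLISECONDS);
            }
        } catch (IllegalStateException ignored) {
            // Best-effort cache population: a failed put only means the mask is recomputed on
            // the next check, so the freshly computed value is still returned.
        }
        return mask;
    }
}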
