package org.jboss.resteasy.keystone.as7;

import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.Principal;
import java.security.acl.Group;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Iterator;
import java.util.Map;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;
import javax.servlet.http.HttpServletResponse;
import javax.ws.rs.core.MediaType;
import org.apache.catalina.connector.Request;
import org.jboss.resteasy.keystone.core.UserPrincipal;
import org.jboss.resteasy.keystone.model.Access;
import org.jboss.resteasy.keystone.model.Role;
import org.jboss.resteasy.logging.Logger;
import org.jboss.resteasy.security.smime.PKCS7SignatureInput;
import org.jboss.security.JSSESecurityDomain;
import org.jboss.security.SecurityDomain;
import org.jboss.security.SecurityUtil;
import org.jboss.security.SimpleGroup;
import org.jboss.security.SimplePrincipal;

/* loaded from: input_file:org/jboss/resteasy/keystone/as7/SignedSkeletonKeyStoneLoginModule.class */
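/**
 * JAAS login module that authenticates a request carrying a PKCS#7-signed Keystone token in the
 * {@code X-Auth-Signed-Token} header.
 *
 * <p>The signature is verified against the certificate stored under the configured alias in the key
 * store of the configured JBoss security domain. Only after the signature checks out is the payload
 * decoded as an {@link Access}; the token must then be unexpired and belong to the configured project.
 *
 * <p>Module options: {@code projectId}, {@code skeleton.key.certificate.alias} and
 * {@code securityDomain}. Missing options are reported at initialization time and make every login
 * attempt through this module fail.
 */
public class SignedSkeletonKeyStoneLoginModule extends JBossWebAuthLoginModule {
    private static final Logger log = Logger.getLogger(SignedSkeletonKeyStoneLoginModule.class);
    private static final String SECURITY_DOMAIN = "securityDomain";
    private static final String SIGNED_TOKEN_HEADER = "X-Auth-Signed-Token";
    private static final String JNDI_JAAS_PREFIX = "java:jboss/jaas/";

    /** Project id every accepted token must carry; from the {@code projectId} module option. */
    protected String projectId;
    /** Key-store alias of the certificate token signatures are verified against. */
    protected String skeletonKeyCertificateAlias;
    /** Decoded token of the last successful login; read by {@link #getIdentity()} and {@link #getRoleSets()}. */
    protected Access access;
    /** Resolved domain: a {@link SecurityDomain} or a {@link JSSESecurityDomain}, or null if the lookup failed. */
    private Object domain = null;

    /**
     * Reads the module options and resolves the security domain whose key store holds the signer certificate.
     *
     * @param subject         the subject being authenticated
     * @param callbackHandler the JAAS callback handler (unused here beyond the superclass)
     * @param sharedState     state shared between login modules of the same stack
     * @param options         module options from the login configuration
     */
    @Override
    public void initialize(Subject subject, CallbackHandler callbackHandler, Map<String, ?> sharedState, Map<String, ?> options) {
        super.initialize(subject, callbackHandler, sharedState, options);
        this.projectId = (String) options.get("projectId");
        this.skeletonKeyCertificateAlias = (String) options.get("skeleton.key.certificate.alias");
        String configuredDomain = (String) options.get(SECURITY_DOMAIN);
        // Configuration detail, not a failure: keep it out of the error log.
        log.debug("Security Domain: " + configuredDomain);
        String domainName = SecurityUtil.unprefixSecurityDomain(configuredDomain);
        if (domainName == null) {
            domainName = "other";
        }
        if (this.projectId == null) {
            log.error("No projectId configured. All authentication using this login module will fail!");
        }
        if (this.skeletonKeyCertificateAlias == null) {
            log.error("No skeleton.key.certificate.alias configured. All authentication using this login module will fail!");
        }
        this.domain = lookupDomain(domainName);
    }

    /**
     * Looks up the JAAS security domain bound under {@code java:jboss/jaas/<domainName>}, falling back to the
     * {@code /jsse} sub-binding when the first binding is not a {@link SecurityDomain}.
     *
     * @param domainName the unprefixed security-domain name
     * @return the bound {@link SecurityDomain} or {@link JSSESecurityDomain}, or null when neither is available
     */
    private Object lookupDomain(String domainName) {
        try {
            InitialContext ctx = new InitialContext();
            try {
                Object bound = ctx.lookup(JNDI_JAAS_PREFIX + domainName);
                if (bound instanceof SecurityDomain) {
                    return bound;
                }
                Object jsse = ctx.lookup(JNDI_JAAS_PREFIX + domainName + "/jsse");
                if (jsse instanceof JSSESecurityDomain) {
                    return jsse;
                }
                log.error("The JSSE security domain " + domainName + " is not valid. All authentication using this login module will fail!");
                return null;
            } finally {
                try {
                    ctx.close();
                } catch (NamingException ignored) {
                    // A failed close releases nothing we depend on; the lookup result stands.
                }
            }
        } catch (NamingException e) {
            log.error("Unable to find the securityDomain named: " + domainName, e);
            return null;
        }
    }

    /**
     * Authenticates the request from its signed-token header.
     *
     * @param request             the incoming request
     * @param httpServletResponse the response (unused)
     * @return false when no {@code X-Auth-Signed-Token} header is present so other modules may try; true on success
     * @throws LoginException when the module is misconfigured, no key store or signer certificate is available,
     *                        the signature does not verify, the payload cannot be decoded, the token is expired,
     *                        or the token belongs to another project
     */
    @Override
    protected boolean login(Request request, HttpServletResponse httpServletResponse) throws LoginException {
        String signedToken = request.getHeader(SIGNED_TOKEN_HEADER);
        if (signedToken == null) {
            // No credential presented: let other login modules in the stack try.
            return false;
        }
        if (this.projectId == null || this.skeletonKeyCertificateAlias == null) {
            throw new LoginException("Login module is missing projectId or skeleton.key.certificate.alias");
        }
        X509Certificate signerCertificate = loadSignerCertificate();
        try {
            PKCS7SignatureInput signature = new PKCS7SignatureInput(signedToken);
            if (!signature.verify(signerCertificate)) {
                throw new LoginException("Bad Signature");
            }
            // The payload is only trusted once the signature has been verified against the configured certificate.
            Access verifiedAccess = (Access) signature.getEntity(Access.class, MediaType.APPLICATION_JSON_TYPE);
            if (verifiedAccess == null || verifiedAccess.getToken() == null || verifiedAccess.getToken().getProject() == null) {
                throw new LoginException("Bad Token");
            }
            if (verifiedAccess.getToken().expired()) {
                throw new LoginException("Token expired");
            }
            if (!this.projectId.equals(verifiedAccess.getToken().getProject().getId())) {
                throw new LoginException("Token project id doesn't match");
            }
            // Publish the token only after every check has passed.
            this.access = verifiedAccess;
            this.loginOk = true;
            return true;
        } catch (LoginException e) {
            throw e;
        } catch (Exception e) {
            // Decoding or verification blew up: report a generic failure but keep the cause for the server log.
            throw loginFailure("Bad Token", e);
        }
    }

    /**
     * Fetches the signer certificate from the resolved domain's key store.
     *
     * @return the X.509 certificate stored under {@link #skeletonKeyCertificateAlias}
     * @throws LoginException when no key store is available, the key store cannot be read, or the alias is
     *                        not bound to an X.509 certificate
     */
    private X509Certificate loadSignerCertificate() throws LoginException {
        KeyStore trustStore = null;
        if (this.domain instanceof SecurityDomain) {
            trustStore = ((SecurityDomain) this.domain).getKeyStore();
        } else if (this.domain instanceof JSSESecurityDomain) {
            trustStore = ((JSSESecurityDomain) this.domain).getKeyStore();
        }
        if (trustStore == null) {
            throw new LoginException("No trust store found");
        }
        Certificate certificate;
        try {
            certificate = trustStore.getCertificate(this.skeletonKeyCertificateAlias);
        } catch (KeyStoreException e) {
            throw loginFailure("Could not get certificate from keyStore", e);
        }
        if (!(certificate instanceof X509Certificate)) {
            // Fail closed: never attempt verification against a missing or non-X.509 entry.
            throw new LoginException("Could not get certificate from keyStore");
        }
        return (X509Certificate) certificate;
    }

    /**
     * Builds a {@link LoginException} carrying the underlying failure as its cause;
     * {@code LoginException} offers no (message, cause) constructor.
     */
    private static LoginException loginFailure(String message, Throwable cause) {
        LoginException failure = new LoginException(message);
        failure.initCause(cause);
        return failure;
    }

    /**
     * @return the principal for the user of the verified token; only meaningful after a successful {@link #login}
     */
    @Override
    protected Principal getIdentity() {
        return new UserPrincipal(this.access.getUser());
    }

    /**
     * @return a single "Roles" group holding one principal per role name of the verified token's user
     */
    @Override
    protected Group[] getRoleSets() throws LoginException {
        SimpleGroup roles = new SimpleGroup("Roles");
        Iterator<?> it = this.access.getUser().getRoles().iterator();
        while (it.hasNext()) {
            roles.addMember(new SimplePrincipal(((Role) it.next()).getName()));
        }
        return new Group[] {roles};
    }
}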
