package org.jboss.as.domain.http.server;

import io.undertow.security.api.AuthenticationMechanism;
import io.undertow.security.api.AuthenticationMode;
import io.undertow.security.handlers.AuthenticationCallHandler;
import io.undertow.security.handlers.AuthenticationConstraintHandler;
import io.undertow.security.handlers.AuthenticationMechanismsHandler;
import io.undertow.security.handlers.SecurityInitialHandler;
import io.undertow.security.handlers.SinglePortConfidentialityHandler;
import io.undertow.security.idm.DigestAlgorithm;
import io.undertow.security.impl.BasicAuthenticationMechanism;
import io.undertow.security.impl.CachedAuthenticatedSessionMechanism;
import io.undertow.security.impl.ClientCertAuthenticationMechanism;
import io.undertow.security.impl.DigestAuthenticationMechanism;
import io.undertow.security.impl.GSSAPIAuthenticationMechanism;
import io.undertow.security.impl.SimpleNonceManager;
import io.undertow.server.HttpHandler;
import io.undertow.server.handlers.CanonicalPathHandler;
import io.undertow.server.handlers.ChannelUpgradeHandler;
import io.undertow.server.handlers.PathHandler;
import io.undertow.server.handlers.cache.CacheHandler;
import io.undertow.server.handlers.cache.DirectBufferCache;
import io.undertow.server.handlers.error.SimpleErrorPageHandler;
import io.undertow.server.protocol.http.HttpOpenListener;
import java.io.IOException;
import java.net.InetSocketAddress;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLContext;
import org.jboss.as.controller.ControlledProcessStateService;
import org.jboss.as.controller.ModelController;
import org.jboss.as.domain.http.server.logging.HttpServerLogger;
import org.jboss.as.domain.http.server.security.AnonymousMechanism;
import org.jboss.as.domain.http.server.security.AuthenticationMechanismWrapper;
import org.jboss.as.domain.http.server.security.DmrFailureReadinessHandler;
import org.jboss.as.domain.http.server.security.LogoutHandler;
import org.jboss.as.domain.http.server.security.RealmIdentityManager;
import org.jboss.as.domain.http.server.security.RedirectReadinessHandler;
import org.jboss.as.domain.http.server.security.ServerSubjectFactory;
import org.jboss.as.domain.management.AuthMechanism;
import org.jboss.as.domain.management.SecurityRealm;
import org.jboss.modules.Module;
import org.jboss.modules.ModuleIdentifier;
import org.jboss.modules.ModuleLoadException;
import org.jboss.msc.service.StartException;
import org.xnio.BufferAllocator;
import org.xnio.ByteBufferSlicePool;
import org.xnio.ChannelListener;
import org.xnio.ChannelListeners;
import org.xnio.IoUtils;
import org.xnio.OptionMap;
import org.xnio.Options;
import org.xnio.SslClientAuthMode;
import org.xnio.StreamConnection;
import org.xnio.Xnio;
import org.xnio.XnioWorker;
import org.xnio.channels.AcceptingChannel;
import org.xnio.ssl.JsseXnioSsl;
import org.xnio.ssl.SslConnection;

/* loaded from: input_file:org/jboss/as/domain/http/server/ManagementHttpServer.class */
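/**
 * HTTP/HTTPS front end for the management interface.
 *
 * <p>An instance is built by {@link #create} and owns one XNIO worker plus up to two accepting
 * channels: a plain one bound to {@code httpAddress} and a TLS one bound to {@code secureAddress}.
 * Either address may be {@code null}, in which case that listener is not opened.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>With no security realm, the domain API is fronted only by {@code AnonymousMechanism}.</li>
 *   <li>HTTP-to-HTTPS redirection is installed only when a positive redirect port is available;
 *       otherwise the plain listener serves requests as-is.</li>
 *   <li>HTTP Digest is offered with MD5 only; HTTP Basic is offered when the realm supports
 *       {@code PLAIN}.</li>
 * </ul>
 */
public class ManagementHttpServer {
    private final HttpOpenListener openListener;
    private final InetSocketAddress httpAddress;
    private final InetSocketAddress secureAddress;
    private volatile XnioWorker worker;
    private volatile AcceptingChannel<StreamConnection> normalServer;
    private volatile AcceptingChannel<SslConnection> secureServer;
    private final SSLContext sslContext;
    private final SslClientAuthMode sslClientAuthMode;

    private ManagementHttpServer(HttpOpenListener httpOpenListener, InetSocketAddress inetSocketAddress, InetSocketAddress inetSocketAddress2, SSLContext sSLContext, SslClientAuthMode sslClientAuthMode) {
        this.openListener = httpOpenListener;
        this.httpAddress = inetSocketAddress;
        this.secureAddress = inetSocketAddress2;
        this.sslContext = sSLContext;
        this.sslClientAuthMode = sslClientAuthMode;
    }

    /**
     * Creates the XNIO worker and opens the configured listeners.
     *
     * <p>If anything fails, whatever was already opened is closed again before the exception is
     * propagated, so a failed start does not leave a plain HTTP listener accepting connections
     * while the TLS listener never came up.
     *
     * @throws IllegalStateException if the worker or either listener cannot be created; the
     *         original exception is attached as the cause
     */
    public void start() {
        try {
            ClassLoader xnioLoader = Module.getModuleFromCallerModuleLoader(ModuleIdentifier.fromString("org.jboss.xnio.nio")).getClassLoader();
            OptionMap workerOptions = OptionMap.builder()
                    .set(Options.WORKER_IO_THREADS, 2)
                    .set(Options.WORKER_TASK_CORE_THREADS, 5)
                    .set(Options.WORKER_TASK_MAX_THREADS, 10)
                    .set(Options.TCP_NODELAY, true)
                    .set(Options.CORK, true)
                    .getMap();
            this.worker = Xnio.getInstance((String) null, xnioLoader).createWorker(workerOptions);

            OptionMap.Builder serverOptions = OptionMap.builder()
                    .set(Options.TCP_NODELAY, true)
                    .set(Options.REUSE_ADDRESSES, true);
            // Left raw on purpose: the same adapter is handed to both the plain and the TLS server.
            ChannelListener acceptListener = ChannelListeners.openListenerAdapter(this.openListener);

            if (this.httpAddress != null) {
                this.normalServer = this.worker.createStreamConnectionServer(this.httpAddress, acceptListener, serverOptions.getMap());
                this.normalServer.resumeAccepts();
            }
            if (this.secureAddress != null) {
                // Client-certificate mode is only set when create() derived one from the realm.
                if (this.sslClientAuthMode != null) {
                    serverOptions.set(Options.SSL_CLIENT_AUTH_MODE, this.sslClientAuthMode);
                }
                OptionMap secureOptions = serverOptions.getMap();
                this.secureServer = new JsseXnioSsl(this.worker.getXnio(), secureOptions, this.sslContext).createSslConnectionServer(this.worker, this.secureAddress, acceptListener, secureOptions);
                this.secureServer.resumeAccepts();
            }
        } catch (IOException e) {
            stop();
            // Message text is unchanged (the exception's toString()); the cause is now retained.
            throw new IllegalStateException(e.toString(), e);
        } catch (Exception e) {
            stop();
            throw new IllegalStateException(e.getLocalizedMessage(), e);
        }
    }

    /**
     * Closes both listeners and shuts the worker down. Safe to call when {@link #start()} was
     * never invoked or failed part-way, in which case the worker may still be {@code null}.
     */
    public void stop() {
        IoUtils.safeClose(this.normalServer);
        IoUtils.safeClose(this.secureServer);
        XnioWorker currentWorker = this.worker;
        if (currentWorker != null) {
            currentWorker.shutdown();
        }
    }

    /**
     * Builds a management HTTP server and its handler chain; nothing is bound until
     * {@link #start()} is called.
     *
     * @param inetSocketAddress plain HTTP bind address, or {@code null} for no plain listener
     * @param inetSocketAddress2 HTTPS bind address, or {@code null} for no TLS listener
     * @param i not read by this method
     * @param modelController passed to the domain API handler
     * @param securityRealm realm supplying the SSL context and the supported authentication
     *        mechanisms; may be {@code null}, which results in anonymous access to the domain API
     * @param controlledProcessStateService passed to the domain API handler
     * @param consoleMode creates the console resource handler
     * @param str passed to the console and error-context factories; reported as {@code "main"}
     *        in log messages when {@code null} (presumably a module slot, confirm against callers)
     * @param channelUpgradeHandler optional upgrade handler placed in front of the path handler
     * @param managementHttpRequestProcessor passed to the root request handler
     * @return the configured, not yet started server
     * @throws IOException declared by the original signature
     * @throws StartException declared by the original signature
     */
    public static ManagementHttpServer create(InetSocketAddress inetSocketAddress, InetSocketAddress inetSocketAddress2, int i, ModelController modelController, SecurityRealm securityRealm, ControlledProcessStateService controlledProcessStateService, ConsoleMode consoleMode, String str, ChannelUpgradeHandler channelUpgradeHandler, ManagementHttpRequestProcessor managementHttpRequestProcessor) throws IOException, StartException {
        SSLContext realmSslContext = null;
        SslClientAuthMode clientAuthMode = null;
        if (inetSocketAddress2 != null) {
            // A missing realm cannot supply an SSL context either; report it the same way
            // instead of failing with a NullPointerException.
            realmSslContext = securityRealm != null ? securityRealm.getSSLContext() : null;
            if (realmSslContext == null) {
                throw HttpServerLogger.ROOT_LOGGER.sslRequestedNoSslContext();
            }
            Set<AuthMechanism> supported = securityRealm.getSupportedAuthenticationMechanisms();
            if (supported.contains(AuthMechanism.CLIENT_CERT)) {
                // A client certificate is only REQUIRED when no username/password mechanism
                // (DIGEST or PLAIN) is also supported; otherwise it is merely REQUESTED.
                boolean passwordFallback = supported.contains(AuthMechanism.DIGEST) || supported.contains(AuthMechanism.PLAIN);
                clientAuthMode = passwordFallback ? SslClientAuthMode.REQUESTED : SslClientAuthMode.REQUIRED;
            }
        }

        HttpOpenListener httpOpenListener = new HttpOpenListener(new ByteBufferSlicePool(BufferAllocator.DIRECT_BYTE_BUFFER_ALLOCATOR, 4096, 40960), 4096);

        int redirectPort = inetSocketAddress2 != null ? inetSocketAddress2.getPort() : -1;
        boolean differentAddresses = inetSocketAddress != null
                && inetSocketAddress2 != null
                && !inetSocketAddress.getAddress().equals(inetSocketAddress2.getAddress());
        if (differentAddresses && redirectPort > 0) {
            // The redirect is disabled when the two listeners use different addresses.
            // NOTE(review): in that configuration the plain HTTP listener keeps serving without
            // any redirect to HTTPS, so credentials sent to it are not protected by TLS.
            HttpServerLogger.ROOT_LOGGER.httpsRedirectNotSupported(inetSocketAddress.getAddress(), inetSocketAddress2.getAddress());
            redirectPort = -1;
        }

        setupOpenListener(httpOpenListener, modelController, consoleMode, str, controlledProcessStateService, redirectPort, securityRealm, channelUpgradeHandler, managementHttpRequestProcessor);
        return new ManagementHttpServer(httpOpenListener, inetSocketAddress, inetSocketAddress2, realmSslContext, clientAuthMode);
    }

    /**
     * Assembles the handler chain and installs it as the listener's root handler.
     *
     * <p>Order, outermost first: request handler, canonical path, error page, cache, optional
     * confidentiality redirect (only when {@code i > 0}), optional channel upgrade, path handler.
     *
     * @param i HTTPS redirect port; values {@code <= 0} disable the redirect
     */
    private static void setupOpenListener(HttpOpenListener httpOpenListener, ModelController modelController, ConsoleMode consoleMode, String str, ControlledProcessStateService controlledProcessStateService, int i, SecurityRealm securityRealm, ChannelUpgradeHandler channelUpgradeHandler, ManagementHttpRequestProcessor managementHttpRequestProcessor) {
        CanonicalPathHandler canonicalPathHandler = new CanonicalPathHandler();
        httpOpenListener.setRootHandler(new ManagementHttpRequestHandler(managementHttpRequestProcessor, canonicalPathHandler));

        // The path handler keeps its own type so prefix/exact paths can be registered on it;
        // "current" tracks the outermost handler wrapped so far.
        PathHandler pathHandler = new PathHandler();
        HttpHandler current = pathHandler;
        if (channelUpgradeHandler != null) {
            channelUpgradeHandler.setNonUpgradeHandler(current);
            current = channelUpgradeHandler;
        }
        if (i > 0) {
            current = new SinglePortConfidentialityHandler(current, i);
        }
        canonicalPathHandler.setNext(new SimpleErrorPageHandler(new CacheHandler(new DirectBufferCache(1024, 10240, 1024000, BufferAllocator.BYTE_BUFFER_ALLOCATOR), current)));

        // Console and error-context modules are optional: a missing module is logged and the
        // server continues without that context.
        ResourceHandlerDefinition consoleHandler = null;
        try {
            consoleHandler = consoleMode.createConsoleHandler(str);
        } catch (ModuleLoadException e) {
            HttpServerLogger.ROOT_LOGGER.consoleModuleNotFound(str == null ? "main" : str);
        }
        try {
            pathHandler.addPrefixPath("/error", ErrorContextHandler.createErrorContext(str));
        } catch (ModuleLoadException e) {
            HttpServerLogger.ROOT_LOGGER.errorContextModuleNotFound(str == null ? "main" : str);
        }

        ManagementRootConsoleRedirectHandler rootRedirect = new ManagementRootConsoleRedirectHandler(consoleHandler);
        DomainApiCheckHandler domainApiHandler = new DomainApiCheckHandler(modelController, controlledProcessStateService);
        pathHandler.addPrefixPath("/", rootRedirect);
        if (consoleHandler != null) {
            pathHandler.addPrefixPath(consoleHandler.getContext(), new RedirectReadinessHandler(securityRealm, consoleHandler.getHandler(), "/error"));
        }

        // Only the domain API and upload paths are routed through secureDomainAccess(); the
        // other contexts registered above are not wrapped by the authentication handlers here.
        DmrFailureReadinessHandler securedDomainApi = new DmrFailureReadinessHandler(securityRealm, secureDomainAccess(domainApiHandler, securityRealm), "/error");
        pathHandler.addPrefixPath(DomainApiCheckHandler.PATH, securedDomainApi);
        pathHandler.addExactPath("management-upload", securedDomainApi);
        if (securityRealm != null) {
            pathHandler.addPrefixPath(LogoutHandler.PATH, new LogoutHandler(securityRealm.getName()));
        }
    }

    /**
     * Wraps a handler in the authentication chain derived from the realm.
     *
     * <p>With a realm, the mechanism list starts with the cached-session mechanism followed by
     * one entry per supported realm mechanism, in the iteration order of the realm's set.
     * Without a realm, the only mechanism is {@code AnonymousMechanism}.
     *
     * @param httpHandler the handler to protect
     * @param securityRealm the realm, or {@code null}
     * @return the outermost security handler
     */
    private static HttpHandler secureDomainAccess(HttpHandler httpHandler, SecurityRealm securityRealm) {
        List<AuthenticationMechanism> mechanisms;
        RealmIdentityManager identityManager = new RealmIdentityManager(securityRealm);
        if (securityRealm != null) {
            Set<AuthMechanism> supported = securityRealm.getSupportedAuthenticationMechanisms();
            // One extra slot for the cached-session mechanism that is always added first.
            mechanisms = new ArrayList<>(supported.size() + 1);
            mechanisms.add(wrap(new CachedAuthenticatedSessionMechanism(), null));
            for (AuthMechanism authMechanism : supported) {
                switch (authMechanism) {
                    case KERBEROS:
                        mechanisms.add(wrap(new GSSAPIAuthenticationMechanism(new ServerSubjectFactory(securityRealm, identityManager)), authMechanism));
                        break;
                    case CLIENT_CERT:
                        mechanisms.add(wrap(new ClientCertAuthenticationMechanism(), authMechanism));
                        break;
                    case DIGEST:
                        // NOTE(review): MD5 is the only digest algorithm offered. MD5-based HTTP
                        // Digest is weak by current standards; treat TLS on the listener as the
                        // real protection for these credentials.
                        mechanisms.add(wrap(new DigestAuthenticationMechanism(Collections.singletonList(DigestAlgorithm.MD5), Collections.emptyList(), securityRealm.getName(), "/management", new SimpleNonceManager()), authMechanism));
                        break;
                    case PLAIN:
                        // NOTE(review): HTTP Basic sends the password merely base64-encoded, so
                        // it is only safe when the request arrives over the TLS listener.
                        mechanisms.add(wrap(new BasicAuthenticationMechanism(securityRealm.getName()), authMechanism));
                        break;
                    default:
                        // LOCAL (and any other mechanism) has no HTTP counterpart here.
                        break;
                }
            }
        } else {
            // NOTE(review): no realm means the domain API is guarded only by AnonymousMechanism.
            // Presumably that admits unauthenticated callers; confirm this branch is never
            // reached on a network-reachable management interface.
            mechanisms = Collections.singletonList(wrap(new AnonymousMechanism(), null));
        }
        return new SecurityInitialHandler(AuthenticationMode.PRO_ACTIVE, identityManager, new AuthenticationMechanismsHandler(new AuthenticationConstraintHandler(new AuthenticationCallHandler(httpHandler)), mechanisms));
    }

    /**
     * Pairs an Undertow mechanism with the realm mechanism it implements.
     *
     * @param authenticationMechanism the Undertow mechanism
     * @param authMechanism the realm mechanism, or {@code null} when there is none
     * @return the wrapped mechanism
     */
    private static AuthenticationMechanism wrap(AuthenticationMechanism authenticationMechanism, AuthMechanism authMechanism) {
        return new AuthenticationMechanismWrapper(authenticationMechanism, authMechanism);
    }
}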
