package org.jboss.as.domain.management.security;

import java.io.IOException;
import java.security.Principal;
import java.security.spec.AlgorithmParameterSpec;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import java.util.function.Consumer;
import java.util.stream.Collectors;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.security.sasl.AuthorizeCallback;
import javax.security.sasl.RealmCallback;
import org.jboss.as.core.security.RealmGroup;
import org.jboss.as.core.security.ServerSecurityManager;
import org.jboss.as.domain.management.AuthMechanism;
import org.jboss.as.domain.management.RealmConfigurationConstants;
import org.jboss.as.domain.management.SecurityRealm;
import org.jboss.as.domain.management.logging.DomainManagementLogger;
import org.jboss.msc.service.Service;
import org.jboss.msc.service.ServiceName;
import org.jboss.msc.service.StartContext;
import org.jboss.msc.service.StartException;
import org.jboss.msc.service.StopContext;
import org.jboss.msc.value.InjectedValue;
import org.jboss.security.SimpleGroup;
import org.wildfly.common.Assert;
import org.wildfly.security.auth.SupportLevel;
import org.wildfly.security.auth.callback.EvidenceVerifyCallback;
import org.wildfly.security.auth.server.RealmIdentity;
import org.wildfly.security.auth.server.RealmUnavailableException;
import org.wildfly.security.auth.server.SecurityRealm;
import org.wildfly.security.authz.AuthorizationIdentity;
import org.wildfly.security.authz.MapAttributes;
import org.wildfly.security.credential.Credential;
import org.wildfly.security.evidence.Evidence;
import org.wildfly.security.evidence.PasswordGuessEvidence;

/* loaded from: input_file:org/jboss/as/domain/management/security/JaasCallbackHandler.class */
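/**
 * Management-realm callback handler that verifies user name / password pairs through a JAAS login
 * configuration named {@code name}.
 *
 * <p>Two verification paths exist: when a {@link ServerSecurityManager} has been injected, the check is
 * delegated to it ({@code push} / {@code authenticate} / {@code pop}); otherwise a plain
 * {@link LoginContext} is driven directly. In both cases a successful login adds a
 * {@link PasswordCredential} holding the clear-text password to the Subject's private credentials and,
 * if {@code assignGroups} is set, maps the members of the JAAS {@code "Roles"} group onto
 * {@link RealmGroup}s scoped to {@code realm}. Anything that retains the Subject therefore also retains
 * the password.
 *
 * <p>The class is also exposed to Elytron through {@link #getElytronSecurityRealm()}; that realm can only
 * verify {@link PasswordGuessEvidence} and never hands out credentials.
 *
 * <p>Note: this file was reconstructed from bytecode; the {@code SecurityRealm} simple name is ambiguous
 * between two imports, so both usages below are fully qualified.
 */
public class JaasCallbackHandler implements Service<CallbackHandlerService>, CallbackHandlerService, CallbackHandler {
    private static final String SERVICE_SUFFIX = "jaas";
    /** JAAS group whose members are copied into {@link RealmGroup}s when {@code assignGroups} is set. */
    private static final String ROLES_GROUP_NAME = "Roles";
    /** Attribute key under which the Elytron identity publishes its realm groups. */
    private static final String GROUPS_ATTRIBUTE = "GROUPS";
    private static final Map<String, String> configurationOptions;
    private final String realm;
    private final String name;
    private final boolean assignGroups;
    private final InjectedValue<ServerSecurityManager> securityManagerValue = new InjectedValue<>();

    /**
     * Elytron view of this handler. Credential acquisition is never supported; only
     * {@link PasswordGuessEvidence} can be verified, by delegating to {@link JaasCallbackHandler#verify}.
     */
    public class SecurityRealmImpl implements org.wildfly.security.auth.server.SecurityRealm {

        /** One identity of the realm; {@link #exists()} is unconditionally {@code true}. */
        private class RealmIdentityImpl implements RealmIdentity {
            private final Principal principal;
            // Replaced with the Subject populated by the most recent successful verifyEvidence call.
            // Declared volatile in the original; presumably so a later getAuthorizationIdentity on
            // another thread sees it - not verified here.
            private volatile Subject subject = new Subject();

            private RealmIdentityImpl(Principal principal) {
                this.principal = principal;
            }

            @Override
            public Principal getRealmIdentityPrincipal() {
                return this.principal;
            }

            @Override
            public SupportLevel getCredentialAcquireSupport(Class<? extends Credential> cls, String str, AlgorithmParameterSpec algorithmParameterSpec) throws RealmUnavailableException {
                return SecurityRealmImpl.this.getCredentialAcquireSupport(cls, str, algorithmParameterSpec);
            }

            @Override
            public SupportLevel getCredentialAcquireSupport(Class<? extends Credential> cls, String str) throws RealmUnavailableException {
                return SecurityRealmImpl.this.getCredentialAcquireSupport(cls, str);
            }

            /** Always {@code null}: the realm reports credential acquisition as UNSUPPORTED. */
            @Override
            public <C extends Credential> C getCredential(Class<C> cls) throws RealmUnavailableException {
                return null;
            }

            @Override
            public SupportLevel getEvidenceVerifySupport(Class<? extends Evidence> cls, String str) throws RealmUnavailableException {
                return SecurityRealmImpl.this.getEvidenceVerifySupport(cls, str);
            }

            /**
             * Verifies a password guess for this identity's principal.
             *
             * @param evidence the evidence to check; anything other than {@link PasswordGuessEvidence}
             *                 is rejected without consulting JAAS
             * @return whether the JAAS login succeeded
             */
            @Override
            public boolean verifyEvidence(Evidence evidence) throws RealmUnavailableException {
                if (!(evidence instanceof PasswordGuessEvidence)) {
                    return false;
                }
                char[] guess = ((PasswordGuessEvidence) evidence).getGuess();
                // On success the sink swaps in the authenticated Subject so group lookups see it.
                return JaasCallbackHandler.this.verify(this.principal.getName(), guess, this.subject,
                        authenticated -> this.subject = authenticated);
            }

            /** Existence is never checked against JAAS; every principal is reported as present. */
            @Override
            public boolean exists() {
                return true;
            }

            /**
             * Exposes the {@link RealmGroup} names of the current Subject under the {@code "GROUPS"}
             * attribute. Before a successful {@link #verifyEvidence} the Subject is empty, so the list is
             * empty too.
             */
            @Override
            public AuthorizationIdentity getAuthorizationIdentity() throws RealmUnavailableException {
                return AuthorizationIdentity.basicIdentity(new MapAttributes(Collections.singletonMap(
                        GROUPS_ATTRIBUTE,
                        this.subject.getPrincipals(RealmGroup.class).stream()
                                .map(RealmGroup::getName)
                                .collect(Collectors.toList()))));
            }
        }

        private SecurityRealmImpl() {
        }

        @Override
        public RealmIdentity getRealmIdentity(Principal principal) throws RealmUnavailableException {
            return new RealmIdentityImpl(principal);
        }

        @Override
        public SupportLevel getCredentialAcquireSupport(Class<? extends Credential> cls, String str) throws RealmUnavailableException {
            Assert.checkNotNullParam("credentialType", cls);
            return SupportLevel.UNSUPPORTED;
        }

        @Override
        public SupportLevel getCredentialAcquireSupport(Class<? extends Credential> cls, String str, AlgorithmParameterSpec algorithmParameterSpec) throws RealmUnavailableException {
            Assert.checkNotNullParam("credentialType", cls);
            return SupportLevel.UNSUPPORTED;
        }

        /** Only password guesses (or subtypes thereof) can be verified. */
        @Override
        public SupportLevel getEvidenceVerifySupport(Class<? extends Evidence> cls, String str) throws RealmUnavailableException {
            if (PasswordGuessEvidence.class.isAssignableFrom(cls)) {
                return SupportLevel.SUPPORTED;
            }
            return SupportLevel.UNSUPPORTED;
        }
    }

    /** MSC service-name helper for this handler. */
    public static final class ServiceUtil {
        private ServiceUtil() {
        }

        /**
         * Builds the service name of the JAAS callback handler of a realm.
         *
         * @param str the realm name
         * @return the realm's service name with the {@code "jaas"} suffix appended
         */
        public static ServiceName createServiceName(String str) {
            return org.jboss.as.domain.management.SecurityRealm.ServiceUtil.createServiceName(str)
                    .append(SERVICE_SUFFIX);
        }
    }

    /**
     * @param str  realm name used to scope the {@link RealmGroup}s created when {@code z} is set
     * @param str2 name of the JAAS login configuration (also the security domain pushed to the
     *             {@link ServerSecurityManager})
     * @param z    whether members of the JAAS {@code "Roles"} group become {@link RealmGroup}s
     */
    public JaasCallbackHandler(String str, String str2, boolean z) {
        this.realm = str;
        this.name = str2;
        this.assignGroups = z;
    }

    @Override // org.jboss.as.domain.management.security.CallbackHandlerService
    public AuthMechanism getPreferredMechanism() {
        return AuthMechanism.PLAIN;
    }

    @Override // org.jboss.as.domain.management.security.CallbackHandlerService
    public Set<AuthMechanism> getSupplementaryMechanisms() {
        return Collections.emptySet();
    }

    @Override // org.jboss.as.domain.management.security.CallbackHandlerService
    public Map<String, String> getConfigurationOptions() {
        return configurationOptions;
    }

    /** The handler is stateless per request, so the same instance serves every caller. */
    @Override // org.jboss.as.domain.management.security.CallbackHandlerService
    public CallbackHandler getCallbackHandler(Map<String, Object> map) {
        return this;
    }

    @Override // org.jboss.as.domain.management.security.CallbackHandlerService
    public org.wildfly.security.auth.server.SecurityRealm getElytronSecurityRealm() {
        return new SecurityRealmImpl();
    }

    @Override // org.jboss.as.domain.management.security.CallbackHandlerService
    public boolean isReadyForHttpChallenge() {
        return true;
    }

    /**
     * Handles either a single {@link AuthorizeCallback} (self-authorization check) or a group of
     * {@link NameCallback} / {@link EvidenceVerifyCallback} / optional {@link SubjectCallback}
     * ({@link RealmCallback}s are accepted and ignored).
     *
     * @throws UnsupportedCallbackException for any other callback type
     * @throws IOException from the domain-management {@code noUsername()} / {@code noPassword()}
     *                     failures when no user name or no password guess was supplied
     */
    @Override // javax.security.auth.callback.CallbackHandler
    public void handle(Callback[] callbackArr) throws IOException, UnsupportedCallbackException {
        if (callbackArr.length == 1 && callbackArr[0] instanceof AuthorizeCallback) {
            handleAuthorize((AuthorizeCallback) callbackArr[0]);
            return;
        }
        NameCallback nameCallback = null;
        EvidenceVerifyCallback evidenceCallback = null;
        SubjectCallback subjectCallback = null;
        for (Callback callback : callbackArr) {
            if (callback instanceof NameCallback) {
                nameCallback = (NameCallback) callback;
            } else if (callback instanceof EvidenceVerifyCallback) {
                evidenceCallback = (EvidenceVerifyCallback) callback;
            } else if (callback instanceof SubjectCallback) {
                subjectCallback = (SubjectCallback) callback;
            } else if (!(callback instanceof RealmCallback)) {
                // RealmCallback is tolerated but carries nothing we use; anything else is unknown.
                throw new UnsupportedCallbackException(callback);
            }
        }
        if (nameCallback == null) {
            DomainManagementLogger.SECURITY_LOGGER.trace("No username supplied in Callbacks.");
            throw DomainManagementLogger.ROOT_LOGGER.noUsername();
        }
        String userName = nameCallback.getDefaultName();
        if (userName == null || userName.isEmpty()) {
            DomainManagementLogger.SECURITY_LOGGER.trace("NameCallback either has no username or is 0 length.");
            throw DomainManagementLogger.ROOT_LOGGER.noUsername();
        }
        Evidence evidence = evidenceCallback == null ? null : evidenceCallback.getEvidence();
        // Missing evidence and non-password evidence are reported identically.
        if (!(evidence instanceof PasswordGuessEvidence)) {
            DomainManagementLogger.SECURITY_LOGGER.trace("No password to verify.");
            throw DomainManagementLogger.ROOT_LOGGER.noPassword();
        }
        char[] guess = ((PasswordGuessEvidence) evidence).getGuess();
        Subject subject = subjectCallback == null ? null : subjectCallback.getSubject();
        if (subject == null) {
            subject = new Subject();
        }
        // Hand the authenticated Subject back through the SubjectCallback only when one was supplied.
        Consumer<Subject> subjectSink = subjectCallback == null ? null : subjectCallback::setSubject;
        evidenceCallback.setVerified(verify(userName, guess, subject, subjectSink));
    }

    /**
     * Authorizes a SASL identity only when it asks to act as itself; impersonation of a different
     * authorization id is always refused. {@code getAuthenticationID()} is assumed non-null, as in the
     * original code.
     */
    private static void handleAuthorize(AuthorizeCallback authorizeCallback) {
        String authenticationId = authorizeCallback.getAuthenticationID();
        String authorizationId = authorizeCallback.getAuthorizationID();
        boolean authorized = authenticationId.equals(authorizationId);
        if (!authorized) {
            DomainManagementLogger.SECURITY_LOGGER.tracef("Checking 'AuthorizeCallback', authorized=false, authenticationID=%s, authorizationID=%s.", authenticationId, authorizationId);
        }
        authorizeCallback.setAuthorized(authorized);
    }

    /**
     * Verifies a user name / password pair through JAAS.
     *
     * <p>With an injected {@link ServerSecurityManager} the check runs inside a pushed security context
     * that is always popped again (exactly once); without one a {@link LoginContext} for {@code name}
     * is used. On success the resulting Subject receives a {@link PasswordCredential} with the
     * clear-text password, optionally the mapped {@link RealmGroup}s, and is passed to {@code consumer}.
     *
     * @param str      user name
     * @param cArr     password guess
     * @param subject  Subject to authenticate into (the security-manager path may substitute its own)
     * @param consumer receives the authenticated Subject on success; may be {@code null}
     * @return {@code true} on successful login; {@code false} when JAAS rejects the credentials
     *         ({@link LoginException} / {@link SecurityException} are logged at debug level, not propagated)
     */
    public boolean verify(final String str, final char[] cArr, Subject subject, Consumer<Subject> consumer) {
        ServerSecurityManager securityManager = this.securityManagerValue.getOptionalValue();
        if (securityManager == null) {
            return verifyWithLoginContext(str, cArr, subject, consumer);
        }
        return verifyWithSecurityManager(securityManager, str, cArr, subject, consumer);
    }

    /** Direct {@link LoginContext} path, used when no {@link ServerSecurityManager} was injected. */
    private boolean verifyWithLoginContext(String userName, char[] password, Subject subject, Consumer<Subject> subjectSink) {
        try {
            new LoginContext(this.name, subject, credentialSupplier(userName, password)).login();
        } catch (LoginException e) {
            DomainManagementLogger.SECURITY_LOGGER.debug("Login failed in JAAS callbackhandler " + this.name, e);
            return false;
        }
        publishAuthenticatedSubject(userName, password, subject, subjectSink);
        return true;
    }

    /**
     * {@link ServerSecurityManager} path. The context pushed for the check is popped in {@code finally}
     * so that success, a {@link SecurityException} and any unexpected throwable all unwind it once.
     */
    private boolean verifyWithSecurityManager(ServerSecurityManager securityManager, String userName, char[] password, Subject subject, Consumer<Subject> subjectSink) {
        try {
            securityManager.push(this.name, userName, password, subject);
            securityManager.authenticate();
            // The manager's Subject, not the one passed in, carries the authenticated principals.
            publishAuthenticatedSubject(userName, password, securityManager.getSubject(), subjectSink);
            return true;
        } catch (SecurityException e) {
            DomainManagementLogger.SECURITY_LOGGER.debug("Failed to verify password in JAAS callbackhandler " + this.name, e);
            return false;
        } finally {
            securityManager.pop();
        }
    }

    /** Callback handler that answers a JAAS login module's name / password callbacks. */
    private static CallbackHandler credentialSupplier(String userName, char[] password) {
        return callbacks -> {
            for (Callback callback : callbacks) {
                if (callback instanceof NameCallback) {
                    ((NameCallback) callback).setName(userName);
                } else if (callback instanceof PasswordCallback) {
                    ((PasswordCallback) callback).setPassword(password);
                } else {
                    throw new UnsupportedCallbackException(callback);
                }
            }
        };
    }

    /**
     * Post-login bookkeeping shared by both paths: stores the password as a private
     * {@link PasswordCredential}, maps {@code "Roles"} members to {@link RealmGroup}s when enabled, and
     * hands the Subject to {@code subjectSink} if one was given.
     */
    private void publishAuthenticatedSubject(String userName, char[] password, Subject subject, Consumer<Subject> subjectSink) {
        // The clear-text password is retained on the Subject; it is reachable by anyone holding it.
        subject.getPrivateCredentials().add(new PasswordCredential(userName, password));
        if (this.assignGroups) {
            Set<Principal> principals = subject.getPrincipals();
            // getPrincipals(Class) returns a fresh set, so adding to principals here is safe.
            for (SimpleGroup group : subject.getPrincipals(SimpleGroup.class)) {
                if (ROLES_GROUP_NAME.equals(group.getName())) {
                    Enumeration<? extends Principal> members = group.members();
                    while (members.hasMoreElements()) {
                        principals.add(new RealmGroup(this.realm, members.nextElement().getName()));
                    }
                }
            }
        }
        if (subjectSink != null) {
            subjectSink.accept(subject);
        }
    }

    /** Nothing to initialise: the security manager is obtained lazily on each verify. */
    @Override
    public void start(StartContext startContext) throws StartException {
    }

    @Override
    public void stop(StopContext stopContext) {
    }

    /** Injection target for the optional {@link ServerSecurityManager}. */
    public InjectedValue<ServerSecurityManager> getSecurityManagerValue() {
        return this.securityManagerValue;
    }

    // The decompiler emitted this as m97getValue because of a bridge method; the real name is getValue.
    @Override
    public CallbackHandlerService getValue() throws IllegalStateException, IllegalArgumentException {
        return this;
    }

    static {
        Map<String, String> options = new HashMap<>(2);
        options.put(RealmConfigurationConstants.SUBJECT_CALLBACK_SUPPORTED, Boolean.TRUE.toString());
        options.put(RealmConfigurationConstants.VERIFY_PASSWORD_CALLBACK_SUPPORTED, Boolean.TRUE.toString());
        configurationOptions = Collections.unmodifiableMap(options);
    }
}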
