package org.jboss.security.plugins.authorization;

import java.security.AccessController;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import org.jboss.logging.Logger;
import org.jboss.security.authorization.AuthorizationContext;
import org.jboss.security.authorization.AuthorizationException;
import org.jboss.security.authorization.AuthorizationModule;
import org.jboss.security.authorization.Resource;
import org.jboss.security.authorization.ResourceType;
import org.jboss.security.authorization.config.AuthorizationModuleEntry;
import org.jboss.security.authorization.modules.DelegatingAuthorizationModule;
import org.jboss.security.config.ApplicationPolicy;
import org.jboss.security.config.AuthorizationInfo;
import org.jboss.security.config.ControlFlag;
import org.jboss.security.config.SecurityConfiguration;
import org.jboss.security.identity.RoleGroup;

/* loaded from: input_file:org/jboss/security/plugins/authorization/JBossAuthorizationContext.class */
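/**
 * Default {@link AuthorizationContext} implementation: looks up the authorization
 * modules configured for a security domain, runs them under JAAS-style control
 * flags ({@link ControlFlag}) and then commits or aborts them.
 *
 * <p>The module class names come from the {@link AuthorizationInfo} of the domain's
 * {@link ApplicationPolicy} and are instantiated reflectively from the thread
 * context class loader, so the policy configuration is trusted input here.
 *
 * <p>Not safe for concurrent use: {@link #authorize(Resource, Subject, RoleGroup)}
 * mutates per-call state ({@code authenticatedSubject}, {@code modules},
 * {@code controlFlags}) on this instance.
 */
public class JBossAuthorizationContext extends AuthorizationContext {
    private static final Logger log = Logger.getLogger(JBossAuthorizationContext.class);

    /** Decision codes compared against throughout this class (1 = permit, -1 = deny). */
    private static final int PERMIT = 1;
    private static final int DENY = -1;

    /** Fallback policy names used when no policy is registered for the configured domain. */
    private static final String EJB = "jboss-ejb-policy";
    private static final String WEB = "jboss-web-policy";

    /** Key under which {@link #authorize(Resource)} expects the caller's roles in {@link Resource#getMap()}. */
    private static final String SECURITY_CONTEXT_ROLES = "securityContextRoles";

    private final boolean trace = log.isTraceEnabled();
    private Subject authenticatedSubject;
    private ApplicationPolicy applicationPolicy;

    /**
     * Creates a context for the given security domain without a subject or callback handler.
     *
     * @param str the security domain name
     */
    public JBossAuthorizationContext(String str) {
        this.securityDomainName = str;
    }

    /**
     * Creates a context for the given security domain with a callback handler.
     *
     * @param str the security domain name
     * @param callbackHandler handler passed to each module on initialization
     */
    public JBossAuthorizationContext(String str, CallbackHandler callbackHandler) {
        this(str);
        this.callbackHandler = callbackHandler;
    }

    /**
     * Creates a context for the given security domain with an authenticated subject and a callback handler.
     *
     * @param str the security domain name
     * @param subject the authenticated subject used by {@link #authorize(Resource)}
     * @param callbackHandler handler passed to each module on initialization
     */
    public JBossAuthorizationContext(String str, Subject subject, CallbackHandler callbackHandler) {
        this(str, callbackHandler);
        this.authenticatedSubject = subject;
    }

    /**
     * Pins the application policy used by this context instead of looking it up in
     * {@link SecurityConfiguration}.
     *
     * @param applicationPolicy the policy; its {@link AuthorizationInfo} name must equal this context's domain
     * @throws IllegalArgumentException if the policy is null, has no authorization info,
     *         or its authorization info is named for a different domain
     */
    public void setApplicationPolicy(ApplicationPolicy applicationPolicy) {
        if (applicationPolicy == null) {
            throw new IllegalArgumentException("Application Policy is null:domain=" + this.securityDomainName);
        }
        AuthorizationInfo authorizationInfo = applicationPolicy.getAuthorizationInfo();
        if (authorizationInfo == null) {
            throw new IllegalArgumentException("Application Policy has no AuthorizationInfo");
        }
        // Refuse a policy written for another domain: it would silently swap the module chain.
        if (!authorizationInfo.getName().equals(this.securityDomainName)) {
            throw new IllegalArgumentException("Application Policy ->AuthorizationInfo:" + authorizationInfo.getName()
                    + " does not match required domain name=" + this.securityDomainName);
        }
        this.applicationPolicy = applicationPolicy;
    }

    /**
     * Authorizes the resource using the subject given at construction and the roles stored
     * in the resource map under {@value #SECURITY_CONTEXT_ROLES}.
     *
     * @param resource the resource being accessed
     * @return {@code PERMIT} (1) on success
     * @throws AuthorizationException if access is denied or a module fails
     */
    public int authorize(Resource resource) throws AuthorizationException {
        RoleGroup callerRoles = (RoleGroup) resource.getMap().get(SECURITY_CONTEXT_ROLES);
        return authorize(resource, this.authenticatedSubject, callerRoles);
    }

    /**
     * Authorizes the resource: instantiates the configured modules, runs them under a
     * privileged block, commits them on PERMIT and aborts them on any failure.
     *
     * @param resource the resource being accessed
     * @param subject the subject to authorize; replaces the one given at construction
     * @param roleGroup the caller's roles, handed to each module
     * @return {@code PERMIT} (1); this method never returns a deny code, it throws instead
     * @throws AuthorizationException if any module denies access, throws, or fails to commit/abort
     * @throws IllegalStateException if no authorization info or module can be resolved
     * @throws RuntimeException wrapping a {@link PrivilegedActionException} raised during module setup
     */
    public int authorize(final Resource resource, Subject subject, RoleGroup roleGroup) throws AuthorizationException {
        this.authenticatedSubject = subject;
        try {
            initializeModules(resource, roleGroup);
        } catch (PrivilegedActionException e) {
            throw new RuntimeException(e);
        }
        try {
            AccessController.doPrivileged(new PrivilegedExceptionAction<Object>() {
                @Override
                public Object run() throws AuthorizationException {
                    int decision = invokeAuthorize(resource);
                    if (decision == PERMIT) {
                        invokeCommit();
                    }
                    // invokeAuthorize() throws rather than returning DENY, so this branch is
                    // defensive; it keeps the abort/deny contract if that ever changes.
                    if (decision == DENY) {
                        invokeAbort();
                        throw new AuthorizationException("Denied");
                    }
                    return null;
                }
            });
        } catch (PrivilegedActionException e) {
            // run() declares only AuthorizationException and doPrivileged wraps only checked
            // exceptions, so the wrapped cause is always an AuthorizationException.
            Exception cause = e.getException();
            if (this.trace) {
                log.trace("Error in authorize:", cause);
            }
            // Abort is idempotent for already-cleared module lists, so a second call is harmless.
            invokeAbort();
            throw (AuthorizationException) cause;
        }
        return PERMIT;
    }

    /**
     * Resolves the domain's {@link AuthorizationInfo} and instantiates one module per entry,
     * recording each entry's control flag (defaulting to REQUIRED) at the same index.
     *
     * @throws IllegalStateException if no authorization info can be resolved or a module cannot be created
     * @throws PrivilegedActionException propagated from {@link #instantiateModule}
     */
    private void initializeModules(Resource resource, RoleGroup roleGroup) throws PrivilegedActionException {
        AuthorizationInfo authorizationInfo = getAuthorizationInfo(this.securityDomainName, resource);
        if (authorizationInfo == null) {
            throw new IllegalStateException("Authorization Info is null");
        }
        // Start from a clean slate so modules[i] and controlFlags[i] always describe the
        // same entry: commit/abort only cleared the module list, and a failed earlier
        // setup could leave partial state behind.
        this.modules.clear();
        this.controlFlags.clear();
        AuthorizationModuleEntry[] entries = authorizationInfo.getAuthorizationModuleEntry();
        if (entries == null) {
            return;
        }
        for (AuthorizationModuleEntry entry : entries) {
            ControlFlag controlFlag = entry.getControlFlag();
            if (controlFlag == null) {
                if (this.trace) {
                    log.trace("Null Control flag for entry:" + entry + ". Defaults to REQUIRED!");
                }
                controlFlag = ControlFlag.REQUIRED;
            } else if (this.trace) {
                log.trace("Control flag for entry:" + entry + "is:[" + controlFlag + "]");
            }
            this.controlFlags.add(controlFlag);
            this.modules.add(instantiateModule(entry.getPolicyModuleName(), entry.getOptions(), roleGroup));
        }
    }

    /**
     * Runs every module in order and combines the results according to its control flag.
     *
     * <p>A module that throws is treated as DENY (fail closed); the first such exception's
     * message is kept for the final error. NOTE(review): a failing REQUISITE module does not
     * short-circuit here unless an earlier module already raised an exception — a later
     * SUFFICIENT PERMIT can still succeed when no REQUIRED module failed. This differs from
     * strict JAAS REQUISITE semantics and is preserved as found; confirm it is intended.
     *
     * @return {@code PERMIT}; denial is always signalled by an exception
     * @throws AuthorizationException if the combined decision is deny
     */
    private int invokeAuthorize(Resource resource) throws AuthorizationException {
        boolean requiredFailed = false;
        boolean optionalFailed = false;
        AuthorizationException moduleException = null;
        int overallDecision = DENY;
        int count = this.modules.size();
        for (int i = 0; i < count; i++) {
            AuthorizationModule module = (AuthorizationModule) this.modules.get(i);
            ControlFlag controlFlag = (ControlFlag) this.controlFlags.get(i);
            int decision;
            try {
                decision = module.authorize(resource);
            } catch (Exception e) {
                decision = DENY;
                if (moduleException == null) {
                    moduleException = new AuthorizationException(e.getMessage());
                    // Keep the module's failure on the chain for diagnostics.
                    moduleException.initCause(e);
                }
            }
            if (decision == PERMIT) {
                overallDecision = PERMIT;
                // SUFFICIENT only ends the chain early when no REQUIRED module has failed so far.
                if (controlFlag == ControlFlag.SUFFICIENT && !requiredFailed) {
                    return PERMIT;
                }
                continue;
            }
            // Anything other than PERMIT is treated as a failure of this module.
            if (controlFlag == ControlFlag.REQUISITE) {
                if (this.trace) {
                    log.trace("REQUISITE failed for " + module);
                }
                if (moduleException != null) {
                    throw moduleException;
                }
                moduleException = new AuthorizationException("Authorization failed");
            }
            if (controlFlag == ControlFlag.REQUIRED) {
                if (this.trace) {
                    log.trace("REQUIRED failed for " + module);
                }
                requiredFailed = true;
            }
            if (controlFlag == ControlFlag.OPTIONAL) {
                optionalFailed = true;
            }
        }
        String additionalErrorMessage = getAdditionalErrorMessage(moduleException);
        if (requiredFailed) {
            throw new AuthorizationException("Authorization Failed:" + additionalErrorMessage);
        }
        if (overallDecision == DENY && optionalFailed) {
            throw new AuthorizationException("Authorization Failed:" + additionalErrorMessage);
        }
        if (overallDecision == DENY) {
            throw new AuthorizationException("Authorization Failed:Denied.");
        }
        return PERMIT;
    }

    /**
     * Commits every module in order and clears the per-call module state.
     *
     * @throws AuthorizationException if a module's {@code commit()} returns false; modules
     *         after it are not committed and the list is left as is
     */
    private void invokeCommit() throws AuthorizationException {
        int count = this.modules.size();
        for (int i = 0; i < count; i++) {
            AuthorizationModule module = (AuthorizationModule) this.modules.get(i);
            if (!module.commit()) {
                throw new AuthorizationException("commit on modules failed:" + module.getClass());
            }
        }
        this.modules.clear();
        this.controlFlags.clear();
    }

    /**
     * Aborts every module in order and clears the per-call module state.
     *
     * @throws AuthorizationException if a module's {@code abort()} returns false; modules
     *         after it are not aborted and the list is left as is
     */
    private void invokeAbort() throws AuthorizationException {
        int count = this.modules.size();
        for (int i = 0; i < count; i++) {
            AuthorizationModule module = (AuthorizationModule) this.modules.get(i);
            if (!module.abort()) {
                throw new AuthorizationException("abort on modules failed:" + module.getClass());
            }
        }
        this.modules.clear();
        this.controlFlags.clear();
    }

    /**
     * Loads and instantiates the named module via the thread context class loader and
     * initializes it with this context's subject, callback handler, shared state and options.
     *
     * @param str fully qualified module class name, taken from the policy configuration
     * @param map module options from the policy entry
     * @param roleGroup the caller's roles
     * @throws IllegalStateException if the class cannot be loaded or instantiated; the
     *         underlying failure is attached as the cause
     * @throws PrivilegedActionException declared for callers; not raised by this body
     */
    private AuthorizationModule instantiateModule(String str, Map<String, Object> map, RoleGroup roleGroup) throws PrivilegedActionException {
        AuthorizationModule module = null;
        Exception failure = null;
        try {
            Class<?> moduleClass = SecurityActions.getContextClassLoader().loadClass(str);
            module = (AuthorizationModule) moduleClass.newInstance();
        } catch (Exception e) {
            failure = e;
            if (this.trace) {
                log.debug("Error instantiating AuthorizationModule:", e);
            }
        }
        if (module == null) {
            // Name the module and chain the cause so a misconfiguration is diagnosable without trace logging.
            throw new IllegalStateException("AuthorizationModule has not been instantiated: " + str, failure);
        }
        module.initialize(this.authenticatedSubject, this.callbackHandler, this.sharedState, map, roleGroup);
        return module;
    }

    /**
     * Resolves the authorization info for a domain: the pinned policy if one was set,
     * else the registered policy for the domain, else the layer's default policy
     * (EJB or WEB), else a layer-based default.
     *
     * @throws IllegalStateException if no policy can be found for the domain or its default
     */
    private AuthorizationInfo getAuthorizationInfo(String str, Resource resource) {
        ResourceType layer = resource.getLayer();
        if (this.applicationPolicy != null) {
            return this.applicationPolicy.getAuthorizationInfo();
        }
        ApplicationPolicy policy = SecurityConfiguration.getApplicationPolicy(str);
        if (policy == null) {
            if (this.trace) {
                log.trace("Application Policy not obtained for domain=" + str
                        + ". Trying to obtain the App policy for the default domain of the layer:" + layer);
            }
            if (layer == ResourceType.EJB) {
                policy = SecurityConfiguration.getApplicationPolicy(EJB);
            } else if (layer == ResourceType.WEB) {
                policy = SecurityConfiguration.getApplicationPolicy(WEB);
            }
        }
        if (policy == null) {
            throw new IllegalStateException("Application Policy is null for domain:" + str);
        }
        AuthorizationInfo info = policy.getAuthorizationInfo();
        return info != null ? info : getAuthorizationInfo(layer);
    }

    /**
     * Returns the default authorization info for a layer: the EJB or WEB default policy's
     * info, or for any other layer an info named "other" holding a single
     * {@link DelegatingAuthorizationModule} entry.
     *
     * @throws IllegalStateException if the layer's default policy is not registered
     */
    private AuthorizationInfo getAuthorizationInfo(ResourceType resourceType) {
        if (resourceType == ResourceType.EJB) {
            return defaultPolicyInfo(EJB);
        }
        if (resourceType == ResourceType.WEB) {
            return defaultPolicyInfo(WEB);
        }
        if (log.isTraceEnabled()) {
            log.trace("AuthorizationInfo not found. Providing default authorization info");
        }
        AuthorizationInfo info = new AuthorizationInfo("other");
        info.add(new AuthorizationModuleEntry(DelegatingAuthorizationModule.class.getName()));
        return info;
    }

    /**
     * Looks up a registered default policy and returns its authorization info.
     *
     * @throws IllegalStateException if the policy is not registered (instead of a bare NPE)
     */
    private static AuthorizationInfo defaultPolicyInfo(String policyName) {
        ApplicationPolicy policy = SecurityConfiguration.getApplicationPolicy(policyName);
        if (policy == null) {
            throw new IllegalStateException("Application Policy is null for domain:" + policyName);
        }
        return policy.getAuthorizationInfo();
    }

    /**
     * Builds the detail suffix for a final "Authorization Failed" message: a single space,
     * followed by the exception's localized message when an exception is present.
     */
    private String getAdditionalErrorMessage(Exception exc) {
        StringBuilder sb = new StringBuilder(" ");
        if (exc != null) {
            sb.append(exc.getLocalizedMessage());
        }
        return sb.toString();
    }
}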
