package org.jboss.ejb.plugins;

import java.lang.reflect.Method;
import java.security.CodeSource;
import java.security.Principal;
import java.util.Map;
import java.util.Set;
import javax.ejb.TimedObject;
import javax.ejb.Timer;
import javax.security.auth.Subject;
import org.jboss.ejb.Container;
import org.jboss.invocation.Invocation;
import org.jboss.metadata.ApplicationMetaData;
import org.jboss.metadata.AssemblyDescriptorMetaData;
import org.jboss.metadata.BeanMetaData;
import org.jboss.metadata.SecurityIdentityMetaData;
import org.jboss.security.AuthenticationManager;
import org.jboss.security.ISecurityManagement;
import org.jboss.security.RealmMapping;
import org.jboss.security.RunAs;
import org.jboss.security.RunAsIdentity;
import org.jboss.security.SecurityContext;
import org.jboss.security.SecurityRolesAssociation;
import org.jboss.security.SecurityUtil;
import org.jboss.security.identity.plugins.SimpleRoleGroup;
import org.jboss.security.javaee.AbstractEJBAuthorizationHelper;
import org.jboss.security.javaee.EJBAuthenticationHelper;
import org.jboss.security.javaee.SecurityHelperFactory;
import org.jboss.system.Registry;

/* loaded from: input_file:org/jboss/ejb/plugins/SecurityInterceptor.class */
public class SecurityInterceptor extends AbstractInterceptor {
    protected AuthenticationManager securityManager;
    protected RealmMapping realmMapping;
    protected RunAs runAsIdentity;
    protected Map securityRoles;
    protected Map<String, Set<String>> deploymentRoles;
    protected AuthenticationObserver authenticationObserver;
    protected Method ejbTimeout;
    protected String ejbName = null;
    protected CodeSource ejbCS = null;
    protected String appSecurityDomain = null;
    protected String defaultAuthorizationSecurityDomain = "jboss-ejb-policy";
    protected boolean isUseCallerIdentity = false;
    protected ISecurityManagement securityManagement = null;

    /* loaded from: input_file:org/jboss/ejb/plugins/SecurityInterceptor$AuthenticationObserver.class */
    public interface AuthenticationObserver {
        public static final String KEY = "SecurityInterceptor.AuthenticationObserver";

        void authenticationFailed();
    }

    @Override // org.jboss.ejb.plugins.AbstractInterceptor, org.jboss.ejb.ContainerPlugin
    public void setContainer(Container container) {
        super.setContainer(container);
        if (container != null) {
            BeanMetaData beanMetaData = container.getBeanMetaData();
            ApplicationMetaData applicationMetaData = beanMetaData.getApplicationMetaData();
            AssemblyDescriptorMetaData assemblyDescriptor = applicationMetaData.getAssemblyDescriptor();
            this.securityRoles = assemblyDescriptor.getSecurityRoles();
            this.deploymentRoles = assemblyDescriptor.getPrincipalVersusRolesMap();
            SecurityIdentityMetaData securityIdentityMetaData = beanMetaData.getSecurityIdentityMetaData();
            if (securityIdentityMetaData != null && !securityIdentityMetaData.getUseCallerIdentity()) {
                String runAsRoleName = securityIdentityMetaData.getRunAsRoleName();
                String runAsPrincipalName = securityIdentityMetaData.getRunAsPrincipalName();
                if (runAsPrincipalName == null) {
                    runAsPrincipalName = applicationMetaData.getUnauthenticatedPrincipal();
                }
                this.runAsIdentity = new RunAsIdentity(runAsRoleName, runAsPrincipalName, assemblyDescriptor.getSecurityRoleNamesByPrincipal(runAsPrincipalName));
            }
            if (securityIdentityMetaData != null && securityIdentityMetaData.getUseCallerIdentity()) {
                this.isUseCallerIdentity = true;
            }
            this.securityManager = container.getSecurityManager();
            this.realmMapping = container.getRealmMapping();
            try {
                this.ejbTimeout = TimedObject.class.getMethod("ejbTimeout", Timer.class);
            } catch (NoSuchMethodException e) {
            }
            if (this.securityManager != null) {
                this.appSecurityDomain = this.securityManager.getSecurityDomain();
                this.appSecurityDomain = SecurityUtil.unprefixSecurityDomain(this.appSecurityDomain);
            }
            this.ejbName = beanMetaData.getEjbName();
            this.ejbCS = container.getBeanClass().getProtectionDomain().getCodeSource();
            this.securityManagement = container.getSecurityManagement();
        }
    }

    @Override // org.jboss.ejb.plugins.AbstractInterceptor
    public void start() throws Exception {
        super.start();
        this.authenticationObserver = (AuthenticationObserver) Registry.lookup(AuthenticationObserver.KEY);
        if (this.container != null) {
            this.securityManager = this.container.getSecurityManager();
            if (this.securityManager != null) {
                this.appSecurityDomain = this.securityManager.getSecurityDomain();
                this.appSecurityDomain = SecurityUtil.unprefixSecurityDomain(this.appSecurityDomain);
            }
        }
    }

    @Override // org.jboss.ejb.plugins.AbstractInterceptor, org.jboss.ejb.Interceptor
    public Object invokeHome(Invocation invocation) throws Exception {
        return process(invocation, false);
    }

    @Override // org.jboss.ejb.plugins.AbstractInterceptor, org.jboss.ejb.Interceptor
    public Object invoke(Invocation invocation) throws Exception {
        return process(invocation, true);
    }

    private Object process(Invocation invocation, boolean z) throws Exception {
        if (shouldBypassSecurity(invocation)) {
            if (this.log.isTraceEnabled()) {
                this.log.trace("Bypass security for invoke or invokeHome");
            }
            return z ? getNext().invoke(invocation) : getNext().invokeHome(invocation);
        }
        SecurityContext securityContext = SecurityActions.getSecurityContext();
        if (securityContext == null) {
            throw new IllegalStateException("Security Context is null");
        }
        RunAs incomingRunAs = securityContext.getIncomingRunAs();
        if (this.log.isTraceEnabled()) {
            this.log.trace("Caller RunAs=" + incomingRunAs + ": useCallerIdentity=" + this.isUseCallerIdentity);
        }
        try {
            checkSecurityContext(invocation, incomingRunAs);
            if (incomingRunAs != null && this.isUseCallerIdentity) {
                this.runAsIdentity = incomingRunAs;
            }
            SecurityActions.pushRunAsIdentity(this.runAsIdentity);
            try {
                return z ? getNext().invoke(invocation) : getNext().invokeHome(invocation);
            } finally {
                SecurityActions.popRunAsIdentity();
                SecurityActions.popSubjectContext();
            }
        } catch (Exception e) {
            this.log.error("Error in Security Interceptor", e);
            throw e;
        }
    }

    private void checkSecurityContext(Invocation invocation, RunAs runAs) throws Exception {
        Principal principal = invocation.getPrincipal();
        Object credential = invocation.getCredential();
        boolean isTraceEnabled = this.log.isTraceEnabled();
        Method method = invocation.getMethod();
        if ((method == null || method.equals(this.ejbTimeout)) || this.securityManager == null || this.container == null) {
            SecurityActions.pushSubjectContext(principal, credential, null);
            return;
        }
        if (this.realmMapping == null) {
            throw new SecurityException("Role mapping manager has not been set");
        }
        SecurityContext securityContext = SecurityActions.getSecurityContext();
        EJBAuthenticationHelper eJBAuthenticationHelper = SecurityHelperFactory.getEJBAuthenticationHelper(securityContext);
        if (containsTrustableRunAs(securityContext) || eJBAuthenticationHelper.isTrusted()) {
            SecurityActions.pushRunAsIdentity(runAs);
        } else {
            Subject subject = new Subject();
            if (!SecurityActions.isValid(eJBAuthenticationHelper, subject, method.getName())) {
                if (this.authenticationObserver != null) {
                    this.authenticationObserver.authenticationFailed();
                }
                throw new SecurityException("Authentication exception, principal=" + principal);
            }
            SecurityActions.pushSubjectContext(principal, credential, subject);
            if (isTraceEnabled) {
                this.log.trace("Authenticated principal=" + principal + " in security domain=" + securityContext.getSecurityDomain());
            }
        }
        Method method2 = invocation.getMethod();
        if (method2 == null) {
            return;
        }
        Subject contextSubject = SecurityActions.getContextSubject();
        if (contextSubject == null) {
            throw new IllegalStateException("Authenticated User. But caller subject is null");
        }
        SecurityRolesAssociation.setSecurityRoles(this.deploymentRoles);
        Set<Principal> methodPermissions = this.container.getMethodPermissions(method2, invocation.getType());
        SecurityContext securityContext2 = SecurityActions.getSecurityContext();
        if (SecurityActions.getSecurityManagement(securityContext2) == null) {
            SecurityActions.setSecurityManagement(securityContext2, this.securityManagement);
        }
        AbstractEJBAuthorizationHelper eJBAuthorizationHelper = SecurityHelperFactory.getEJBAuthorizationHelper(securityContext);
        eJBAuthorizationHelper.setPolicyRegistration(this.container.getPolicyRegistration());
        if (!SecurityActions.authorize(eJBAuthorizationHelper, this.ejbName, method2, invocation.getPrincipal(), invocation.getType().toInterfaceString(), this.ejbCS, contextSubject, runAs, this.container.getJaccContextID(), new SimpleRoleGroup(methodPermissions))) {
            throw new SecurityException("Denied: caller with subject=" + contextSubject + " and security context post-mapping roles=" + SecurityActions.getRolesFromSecurityContext(securityContext2) + ": ejbMethod=" + method2);
        }
    }

    private boolean shouldBypassSecurity(Invocation invocation) throws Exception {
        Method method = invocation.getMethod();
        if (!(method == null || method.equals(this.ejbTimeout)) && this.securityManager != null && this.container != null) {
            return false;
        }
        SecurityActions.createAndSetSecurityContext(invocation.getPrincipal(), invocation.getCredential(), "BYPASSED-SECURITY");
        if (this.runAsIdentity == null) {
            return true;
        }
        SecurityActions.pushRunAsIdentity(this.runAsIdentity);
        return true;
    }

    private boolean containsTrustableRunAs(SecurityContext securityContext) {
        RunAs incomingRunAs = securityContext.getIncomingRunAs();
        return incomingRunAs != null && (incomingRunAs instanceof RunAsIdentity);
    }
}
