package org.jboss.as.domain.management.security;

import java.io.IOException;
import java.security.Principal;
import java.security.spec.AlgorithmParameterSpec;
import java.util.ArrayDeque;
import java.util.Collection;
import java.util.Collections;
import java.util.Deque;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import java.util.Stack;
import java.util.function.Consumer;
import java.util.function.Supplier;
import javax.naming.NamingException;
import javax.security.auth.Subject;
import org.jboss.as.core.security.RealmGroup;
import org.jboss.as.core.security.RealmUser;
import org.jboss.as.domain.management.SecurityRealm;
import org.jboss.as.domain.management.connections.ldap.LdapConnectionManager;
import org.jboss.as.domain.management.logging.DomainManagementLogger;
import org.jboss.as.domain.management.security.BaseLdapGroupSearchResource;
import org.jboss.as.domain.management.security.SecurityRealmService;
import org.jboss.msc.Service;
import org.jboss.msc.service.ServiceName;
import org.jboss.msc.service.StartContext;
import org.jboss.msc.service.StopContext;
import org.wildfly.security.auth.SupportLevel;
import org.wildfly.security.auth.server.RealmIdentity;
import org.wildfly.security.auth.server.RealmUnavailableException;
import org.wildfly.security.auth.server.SecurityRealm;
import org.wildfly.security.authz.AuthorizationIdentity;
import org.wildfly.security.authz.MapAttributes;
import org.wildfly.security.credential.Credential;
import org.wildfly.security.evidence.Evidence;
import org.wildfly.security.manager.WildFlySecurityManager;

/* loaded from: input_file:wildfly.zip:modules/system/layers/base/org/jboss/as/domain-management/main/wildfly-domain-management-14.0.0.Final.jar:org/jboss/as/domain/management/security/LdapSubjectSupplementalService.class */
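/**
 * MSC service that supplements an authenticated {@link Subject} (or an Elytron
 * {@link RealmIdentity}) with the LDAP groups of its user(s).
 *
 * <p>Decompiled (JADX) from wildfly-domain-management-14.0.0.Final.jar. The decompiler
 * widened {@link LdapGroupSearcher} (originally private) and this class's constructor
 * (originally package-private) to public; those modifiers are kept for compatibility.
 * The import block above also carries two single-type imports named {@code SecurityRealm}
 * (org.jboss.as.domain.management and org.wildfly.security.auth.server), which the
 * compiler rejects; both uses inside this class are therefore written fully qualified.
 *
 * <p>This is an authorization-only component: the Elytron realm returned by
 * {@link #getElytronSecurityRealm()} reports every credential and evidence type as
 * {@code UNSUPPORTED}, never verifies evidence, and reports an identity as existing only
 * when at least one LDAP group was found for it.
 */
public class LdapSubjectSupplementalService implements Service, SubjectSupplementalService {
    private final Consumer<SubjectSupplementalService> subjectSupplementalServiceConsumer;
    private final Supplier<LdapConnectionManager> connectionManagerSupplier;
    private final Supplier<LdapSearcherCache<LdapEntry, String>> userSearcherSupplier;
    private final Supplier<LdapSearcherCache<LdapEntry[], LdapEntry>> groupSearcherSupplier;
    // Resolved in start() and cleared in stop(). userSearcher stays null when no
    // user searcher supplier was injected; groupSearcher is always resolved.
    private LdapSearcherCache<LdapEntry, String> userSearcher;
    private LdapSearcherCache<LdapEntry[], LdapEntry> groupSearcher;
    // Not read by this class; retained because it is a protected member of the API.
    protected final int searchTimeLimit = 10000;
    private final String realmName;
    // Only logged by this class.
    private final boolean shareConnection;
    // When set, the user entry left in the shared state by authentication is ignored
    // and the user is always looked up again.
    private final boolean forceUserDnSearch;
    // When set, groups of groups are loaded as well (nested membership).
    private final boolean iterative;
    // Whether groups are reported by simple name or by distinguished name.
    private final BaseLdapGroupSearchResource.GroupName groupName;

    /**
     * Resolves the LDAP groups of one or more user names over a single connection.
     *
     * <p>Not thread-safe: {@code searchedPerformed} accumulates the entries already
     * searched so that iterative (nested) group loading terminates even when group
     * memberships form a cycle. Create one instance per subject or identity.
     *
     * <p>Originally {@code private}; widened to {@code public} by the decompiler.
     */
    public class LdapGroupSearcher {
        // Entries for which a group search was already issued; relies on LdapEntry's
        // equals/hashCode (presumably DN based -- not visible here).
        private final Set<LdapEntry> searchedPerformed = new HashSet<>();
        private final Map<String, Object> sharedState;

        /**
         * @param map state shared with the authentication step; may carry an
         *            {@link LdapConnectionHandler} and/or the user's {@link LdapEntry},
         *            keyed by the respective class name
         */
        protected LdapGroupSearcher(Map<String, Object> map) {
            this.sharedState = map;
        }

        /**
         * Loads the union of the groups of every user name in {@code set}.
         *
         * <p>If the authentication step left an {@link LdapConnectionHandler} in the shared
         * state it is taken over (removed from the map) and reused; otherwise a fresh handler
         * is created from the connection manager. In both cases the handler is closed before
         * this method returns.
         *
         * @param set user names to load groups for
         * @return the group names found (possibly empty, never {@code null})
         * @throws IOException on any failure; non-IO failures such as
         *         {@link NamingException} or runtime exceptions are wrapped
         */
        Set<String> loadGroups(Set<String> set) throws IOException {
            final String handlerKey = LdapConnectionHandler.class.getName();
            final LdapConnectionHandler handler;
            if (this.sharedState.containsKey(handlerKey)) {
                DomainManagementLogger.SECURITY_LOGGER.trace("Using existing LdapConnectionHandler from shared state.");
                // Removed rather than read so that ownership moves here and the handler
                // is closed exactly once, in the finally block below.
                handler = (LdapConnectionHandler) this.sharedState.remove(handlerKey);
            } else {
                DomainManagementLogger.SECURITY_LOGGER.trace("Creating new LdapConnectionHandler.");
                handler = LdapConnectionHandler.newInstance(LdapSubjectSupplementalService.this.connectionManagerSupplier.get());
            }
            try {
                Set<String> groups = new HashSet<>();
                for (String userName : set) {
                    DomainManagementLogger.SECURITY_LOGGER.tracef("Loading groups for '%s'", userName);
                    groups.addAll(loadGroups(userName, handler));
                }
                return groups;
            } catch (IOException e) {
                DomainManagementLogger.SECURITY_LOGGER.trace("Failure supplementing Subject", e);
                throw e;
            } catch (Exception e) {
                DomainManagementLogger.SECURITY_LOGGER.trace("Failure supplementing Subject", e);
                throw new IOException(e);
            } finally {
                handler.close();
            }
        }

        /**
         * Resolves the {@link LdapEntry} of {@code userName} and loads its groups.
         *
         * <p>Unless {@code forceUserDnSearch} is set, an entry left in the shared state by
         * the authentication step is reused -- but only when its simple name equals
         * {@code userName}; otherwise a user search is performed.
         */
        private Set<String> loadGroups(String userName, LdapConnectionHandler handler) throws IOException, NamingException {
            final String entryKey = LdapEntry.class.getName();
            LdapEntry userEntry = null;
            if (!LdapSubjectSupplementalService.this.forceUserDnSearch && this.sharedState.containsKey(entryKey)) {
                userEntry = (LdapEntry) this.sharedState.get(entryKey);
                DomainManagementLogger.SECURITY_LOGGER.tracef("Loaded from sharedState '%s'", userEntry);
            }
            if (userEntry == null || !userName.equals(userEntry.getSimpleName())) {
                // NOTE(review): userSearcher is null when no user searcher supplier was injected
                // (see start()); the resulting NullPointerException is wrapped into an
                // IOException by loadGroups(Set).
                userEntry = (LdapEntry) LdapSubjectSupplementalService.this.userSearcher.search(handler, userName).getResult();
                DomainManagementLogger.SECURITY_LOGGER.tracef("Performed userSearch '%s'", userEntry);
            }
            return loadGroups(userEntry, handler);
        }

        /**
         * Collects the names of all groups {@code userEntry} belongs to: the direct groups,
         * and -- when {@code iterative} is set -- the groups of each group, depth first.
         * {@link #loadGroupEntries} issues at most one search per entry, so the traversal
         * terminates on cyclic memberships. Names are simple or distinguished according to
         * {@code groupName}.
         */
        private Set<String> loadGroups(LdapEntry userEntry, LdapConnectionHandler handler) throws IOException, NamingException {
            Set<String> groups = new HashSet<>();
            Deque<LdapEntry[]> pending = new ArrayDeque<>();
            pending.push(loadGroupEntries(userEntry, handler));
            while (!pending.isEmpty()) {
                for (LdapEntry groupEntry : pending.pop()) {
                    String name = LdapSubjectSupplementalService.this.groupName == BaseLdapGroupSearchResource.GroupName.SIMPLE
                            ? groupEntry.getSimpleName()
                            : groupEntry.getDistinguishedName();
                    DomainManagementLogger.SECURITY_LOGGER.tracef("Adding RealmGroup '%s'", name);
                    groups.add(name);
                    if (LdapSubjectSupplementalService.this.iterative) {
                        DomainManagementLogger.SECURITY_LOGGER.tracef("Performing iterative load for %s", groupEntry);
                        pending.push(loadGroupEntries(groupEntry, handler));
                    }
                }
            }
            return groups;
        }

        /**
         * Returns the direct groups of {@code entry}, or an empty array when a search for
         * {@code entry} was already performed by this searcher.
         */
        private LdapEntry[] loadGroupEntries(LdapEntry entry, LdapConnectionHandler handler) throws IOException, NamingException {
            if (!this.searchedPerformed.add(entry)) {
                DomainManagementLogger.SECURITY_LOGGER.tracef("A search has already been performed for %s", entry);
                return new LdapEntry[0];
            }
            return (LdapEntry[]) LdapSubjectSupplementalService.this.groupSearcher.search(handler, entry).getResult();
        }
    }

    /**
     * {@link SubjectSupplemental} that adds a {@link RealmGroup} of this service's realm to
     * the subject for every LDAP group of each {@link RealmUser} principal it carries.
     */
    class LdapSubjectSupplemental implements SubjectSupplemental {
        private final LdapGroupSearcher ldapGroupSearcher;

        protected LdapSubjectSupplemental(Map<String, Object> map) {
            this.ldapGroupSearcher = new LdapGroupSearcher(map);
        }

        /**
         * Adds the LDAP groups of every {@link RealmUser} in {@code subject} as
         * {@link RealmGroup} principals. The thread context class loader is switched to this
         * class's loader for the duration of the lookup and restored whatever the outcome.
         *
         * @throws IOException if group loading fails (see {@link LdapGroupSearcher#loadGroups(Set)})
         */
        @Override // org.jboss.as.domain.management.security.SubjectSupplemental
        public void supplementSubject(Subject subject) throws IOException {
            ClassLoader previous = WildFlySecurityManager.setCurrentContextClassLoaderPrivileged((Class<?>) LdapSubjectSupplemental.class);
            try {
                Set<Principal> principals = subject.getPrincipals();
                Set<String> userNames = new HashSet<>();
                for (RealmUser user : subject.getPrincipals(RealmUser.class)) {
                    userNames.add(user.getName());
                }
                Set<RealmGroup> groupPrincipals = new HashSet<>();
                for (String group : this.ldapGroupSearcher.loadGroups(userNames)) {
                    groupPrincipals.add(new RealmGroup(LdapSubjectSupplementalService.this.realmName, group));
                }
                principals.addAll(groupPrincipals);
            } finally {
                WildFlySecurityManager.setCurrentContextClassLoaderPrivileged(previous);
            }
        }
    }

    /**
     * Elytron {@code SecurityRealm} view of this service. It is an attribute-only realm: it
     * cannot acquire credentials or verify evidence, and its identities expose the LDAP
     * groups under the {@code "GROUPS"} attribute.
     */
    private class SecurityRealmImpl implements org.wildfly.security.auth.server.SecurityRealm {

        /**
         * Identity whose only content is the lazily loaded set of LDAP groups of
         * {@code principal}.
         */
        private class RealmIdentityImpl implements RealmIdentity {
            private final LdapGroupSearcher ldapGroupSearcher;
            private final Principal principal;
            // Loaded once by getGroups(); guarded by this instance's monitor.
            private Set<String> groups;

            /**
             * @param principal the principal whose groups are loaded
             * @param map       shared state from authentication; {@code null} means nothing was
             *                  carried over, in which case the searcher opens its own connection
             */
            public RealmIdentityImpl(Principal principal, Map<String, Object> map) {
                this.ldapGroupSearcher = new LdapGroupSearcher(map != null ? map : new HashMap<>());
                this.principal = principal;
            }

            @Override // org.wildfly.security.auth.server.RealmIdentity
            public Principal getRealmIdentityPrincipal() {
                return this.principal;
            }

            @Override // org.wildfly.security.auth.server.RealmIdentity
            public SupportLevel getCredentialAcquireSupport(Class<? extends Credential> cls, String str) throws RealmUnavailableException {
                return SecurityRealmImpl.this.getCredentialAcquireSupport(cls, str);
            }

            @Override // org.wildfly.security.auth.server.RealmIdentity
            public SupportLevel getCredentialAcquireSupport(Class<? extends Credential> cls, String str, AlgorithmParameterSpec algorithmParameterSpec) throws RealmUnavailableException {
                return SecurityRealmImpl.this.getCredentialAcquireSupport(cls, str, algorithmParameterSpec);
            }

            /** Credentials are never exposed by this realm. */
            @Override // org.wildfly.security.auth.server.RealmIdentity
            public <C extends Credential> C getCredential(Class<C> cls) throws RealmUnavailableException {
                return null;
            }

            @Override // org.wildfly.security.auth.server.RealmIdentity
            public SupportLevel getEvidenceVerifySupport(Class<? extends Evidence> cls, String str) throws RealmUnavailableException {
                return SecurityRealmImpl.this.getEvidenceVerifySupport(cls, str);
            }

            /** This realm never authenticates: evidence verification always fails. */
            @Override // org.wildfly.security.auth.server.RealmIdentity
            public boolean verifyEvidence(Evidence evidence) throws RealmUnavailableException {
                return false;
            }

            /**
             * An identity exists here only when at least one LDAP group was found for it.
             *
             * @throws RealmUnavailableException if the group lookup fails
             */
            @Override // org.wildfly.security.auth.server.RealmIdentity
            public boolean exists() throws RealmUnavailableException {
                Set<String> loaded = getGroups();
                return loaded != null && !loaded.isEmpty();
            }

            /**
             * Returns the groups as a {@code "GROUPS"} attribute, or
             * {@link AuthorizationIdentity#EMPTY} when none were found.
             *
             * @throws RealmUnavailableException if the group lookup fails
             */
            @Override // org.wildfly.security.auth.server.RealmIdentity
            public AuthorizationIdentity getAuthorizationIdentity() throws RealmUnavailableException {
                Set<String> loaded = getGroups();
                if (loaded == null || loaded.isEmpty()) {
                    DomainManagementLogger.SECURITY_LOGGER.tracef("No groups found for identity '%s' in LDAP file.", this.principal.getName());
                    return AuthorizationIdentity.EMPTY;
                }
                Map<String, Collection<String>> attributes = new HashMap<>();
                attributes.put("GROUPS", Collections.unmodifiableSet(loaded));
                return AuthorizationIdentity.basicIdentity(new MapAttributes(Collections.unmodifiableMap(attributes)));
            }

            /**
             * Loads the groups of {@code principal} on first use and caches them. The thread
             * context class loader is switched to this module's loader (anchored on the sibling
             * {@code LdapSubjectSupplemental} class, as in {@code supplementSubject}) for the
             * lookup and restored afterwards.
             *
             * @throws RealmUnavailableException wrapping any {@link IOException} from the lookup
             */
            private synchronized Set<String> getGroups() throws RealmUnavailableException {
                if (this.groups == null) {
                    ClassLoader previous = WildFlySecurityManager.setCurrentContextClassLoaderPrivileged((Class<?>) LdapSubjectSupplemental.class);
                    try {
                        this.groups = this.ldapGroupSearcher.loadGroups(Collections.singleton(this.principal.getName()));
                    } catch (IOException e) {
                        throw new RealmUnavailableException(e);
                    } finally {
                        WildFlySecurityManager.setCurrentContextClassLoaderPrivileged(previous);
                    }
                }
                return this.groups;
            }
        }

        private SecurityRealmImpl() {
        }

        /**
         * Creates an identity for {@code principal} backed by the shared state of the current
         * authentication, if any ({@code RealmIdentityImpl} tolerates a {@code null} state).
         */
        @Override // org.wildfly.security.auth.server.SecurityRealm
        public RealmIdentity getRealmIdentity(Principal principal) throws RealmUnavailableException {
            return new RealmIdentityImpl(principal, SecurityRealmService.SharedStateSecurityRealm.getSharedState());
        }

        @Override // org.wildfly.security.auth.server.SecurityRealm
        public SupportLevel getCredentialAcquireSupport(Class<? extends Credential> cls, String str) throws RealmUnavailableException {
            return SupportLevel.UNSUPPORTED;
        }

        @Override // org.wildfly.security.auth.server.SecurityRealm
        public SupportLevel getCredentialAcquireSupport(Class<? extends Credential> cls, String str, AlgorithmParameterSpec algorithmParameterSpec) throws RealmUnavailableException {
            return SupportLevel.UNSUPPORTED;
        }

        @Override // org.wildfly.security.auth.server.SecurityRealm
        public SupportLevel getEvidenceVerifySupport(Class<? extends Evidence> cls, String str) throws RealmUnavailableException {
            return SupportLevel.UNSUPPORTED;
        }
    }

    /** Service-name helper for the LDAP authorization service of a realm. */
    public static final class ServiceUtil {
        private static final String SERVICE_SUFFIX = "ldap-authorization";

        private ServiceUtil() {
        }

        /**
         * @param str the realm name
         * @return the realm's service name with {@code "ldap-authorization"} appended
         */
        public static ServiceName createServiceName(String str) {
            return org.jboss.as.domain.management.SecurityRealm.ServiceUtil.createServiceName(str).append(SERVICE_SUFFIX);
        }
    }

    /**
     * Creates the service. Originally package-private; widened by the decompiler.
     *
     * @param consumer  receives this service on start and {@code null} on stop
     * @param supplier  supplies the LDAP connection manager used when no connection handler
     *                  is carried over in the shared state
     * @param supplier2 supplies the user searcher; may be {@code null}
     * @param supplier3 supplies the group searcher
     * @param str       realm name used for the {@link RealmGroup}s added to subjects
     * @param z         shareConnection (only logged here)
     * @param z2        forceUserDnSearch
     * @param z3        iterative (nested group loading)
     * @param groupName whether groups are reported by simple or distinguished name
     */
    public LdapSubjectSupplementalService(Consumer<SubjectSupplementalService> consumer, Supplier<LdapConnectionManager> supplier, Supplier<LdapSearcherCache<LdapEntry, String>> supplier2, Supplier<LdapSearcherCache<LdapEntry[], LdapEntry>> supplier3, String str, boolean z, boolean z2, boolean z3, BaseLdapGroupSearchResource.GroupName groupName) {
        this.subjectSupplementalServiceConsumer = consumer;
        this.connectionManagerSupplier = supplier;
        this.userSearcherSupplier = supplier2;
        this.groupSearcherSupplier = supplier3;
        this.realmName = str;
        this.shareConnection = z;
        this.forceUserDnSearch = z2;
        this.iterative = z3;
        this.groupName = groupName;
    }

    /** Resolves the searchers, logs the configuration at trace level and publishes this service. */
    @Override // org.jboss.msc.Service
    public void start(StartContext startContext) {
        this.userSearcher = this.userSearcherSupplier != null ? this.userSearcherSupplier.get() : null;
        this.groupSearcher = this.groupSearcherSupplier.get();
        if (DomainManagementLogger.SECURITY_LOGGER.isTraceEnabled()) {
            DomainManagementLogger.SECURITY_LOGGER.tracef("LdapSubjectSupplementalService realmName=%s", this.realmName);
            DomainManagementLogger.SECURITY_LOGGER.tracef("LdapSubjectSupplementalService shareConnection=%b", Boolean.valueOf(this.shareConnection));
            DomainManagementLogger.SECURITY_LOGGER.tracef("LdapSubjectSupplementalService forceUserDnSearch=%b", Boolean.valueOf(this.forceUserDnSearch));
            DomainManagementLogger.SECURITY_LOGGER.tracef("LdapSubjectSupplementalService iterative=%b", Boolean.valueOf(this.iterative));
            DomainManagementLogger.SECURITY_LOGGER.tracef("LdapSubjectSupplementalService groupName=%s", this.groupName);
        }
        this.subjectSupplementalServiceConsumer.accept(this);
    }

    /** Withdraws this service and drops the searchers. */
    @Override // org.jboss.msc.Service
    public void stop(StopContext stopContext) {
        this.subjectSupplementalServiceConsumer.accept(null);
        this.groupSearcher = null;
        this.userSearcher = null;
    }

    /** @param map shared state from authentication, handed to a new {@link LdapGroupSearcher} */
    @Override // org.jboss.as.domain.management.security.SubjectSupplementalService
    public SubjectSupplemental getSubjectSupplemental(Map<String, Object> map) {
        return new LdapSubjectSupplemental(map);
    }

    /** @return a new attribute-only Elytron realm view of this service */
    @Override // org.jboss.as.domain.management.security.SubjectSupplementalService
    public org.wildfly.security.auth.server.SecurityRealm getElytronSecurityRealm() {
        return new SecurityRealmImpl();
    }
}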
