package org.switchyard.security.jboss.provider;

import java.security.AccessController;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.security.acl.Group;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Set;
import javax.security.auth.Subject;
import org.jboss.security.RunAs;
import org.jboss.security.RunAsIdentity;
import org.jboss.security.SecurityContext;
import org.jboss.security.SecurityContextAssociation;
import org.jboss.security.SecurityContextFactory;
import org.jboss.security.identity.Role;
import org.jboss.security.identity.RoleGroup;
import org.jboss.security.identity.extensions.CredentialIdentityFactory;
import org.jboss.security.identity.plugins.SimpleRoleGroup;
import org.jboss.security.mapping.MappingResult;
import org.picketlink.identity.federation.bindings.jboss.auth.mapping.STSGroupMappingProvider;
import org.picketlink.identity.federation.bindings.jboss.auth.mapping.STSPrincipalMappingProvider;
import org.switchyard.ServiceSecurity;
import org.switchyard.security.credential.AssertionCredential;
import org.switchyard.security.jboss.JBossSecurityLogger;
import org.switchyard.security.principal.GroupPrincipal;
import org.switchyard.security.principal.RolePrincipal;
import org.switchyard.security.principal.UserPrincipal;
import org.switchyard.security.provider.DefaultSecurityProvider;
import org.w3c.dom.Element;

/* loaded from: input_file:META-INF/repository/fuse-eap-distro-6.2.1.redhat-216.zip:modules/system/layers/soa/org/switchyard/security/main/switchyard-security-jboss-2.0.1.redhat-621216.jar:org/switchyard/security/jboss/provider/JBossSecurityProvider.class */
/**
 * JBoss/PicketBox-backed {@code SecurityProvider} for SwitchYard.
 *
 * <p>Bridges the SwitchYard security context and the thread-associated JBoss
 * {@link SecurityContext} (via {@link SecurityContextAssociation}) in both
 * directions: {@link #populate} pulls the container's Subject (or, failing that,
 * the principal/roles encoded in a SAML assertion credential) into the SwitchYard
 * Subject, and {@link #setContainerContext}/{@link #resetContainerContext} push a
 * SwitchYard identity into the container for the duration of a service invocation
 * and restore whatever was there before.
 *
 * <p>Decompiled listing (JADX); local names are decompiler-generated. Parameter
 * names on the overridden methods ({@code str}, {@code str2}, ...) are documented
 * below by the meaning the calls give them.
 */
/* loaded from: input_file:META-INF/repository/fuse-eap-distro-6.2.1.redhat-216.zip:modules/system/layers/soa/org/switchyard/security/main/switchyard-security-jboss-2.0.1.redhat-621216.jar:org/switchyard/security/jboss/provider/JBossSecurityProvider.class */
public class JBossSecurityProvider extends DefaultSecurityProvider {

    /**
     * Opaque token handed back from {@link #setContainerContext} and consumed by
     * {@link #resetContainerContext}. Holds the state to restore: the previously
     * associated JBoss context, its role group and its outgoing run-as. All three
     * are {@code null} when this provider created the context itself, which
     * {@link #resetContainerContext} treats as "clear the association".
     */
    /* loaded from: input_file:META-INF/repository/fuse-eap-distro-6.2.1.redhat-216.zip:modules/system/layers/soa/org/switchyard/security/main/switchyard-security-jboss-2.0.1.redhat-621216.jar:org/switchyard/security/jboss/provider/JBossSecurityProvider$JBossContainerContext.class */
    private static final class JBossContainerContext {
        private final SecurityContext _securityContext;
        private final RoleGroup _roleGroup;
        private final RunAs _runAs;

        private JBossContainerContext(SecurityContext securityContext, RoleGroup roleGroup, RunAs runAs) {
            this._securityContext = securityContext;
            this._roleGroup = roleGroup;
            this._runAs = runAs;
        }
    }

    /**
     * Populates the SwitchYard Subject for the service's security domain from the
     * container, then delegates to {@code super.populate}.
     *
     * <p>Two sources are tried, in order of preference:
     * <ol>
     *   <li>A JBoss {@link SecurityContext} already associated with the calling
     *       thread. If its domain differs from the service's, a fresh context for
     *       the service domain is pushed first (see {@link #pushSubjectContext});
     *       the container Subject's contents are then transferred into the
     *       SwitchYard Subject.</li>
     *   <li>Otherwise, every {@link AssertionCredential} on the SwitchYard context
     *       whose assertion element is non-null is fed to the PicketLink STS
     *       principal and group mapping providers. A mapped principal becomes a
     *       {@link UserPrincipal}; mapped roles become {@link RolePrincipal}s inside
     *       a {@link GroupPrincipal} named {@code "Roles"}. The result is transferred
     *       only if at least one of the two mappings produced something.</li>
     * </ol>
     *
     * <p>NOTE(review): nothing in this method validates the assertion itself
     * (signature, conditions/expiry, audience) — the mapping providers are handed
     * the raw {@link Element} and are trusted to produce identity from it. Confirm
     * that assertions are validated before they reach this provider (e.g. by the
     * inbound gateway / STS login module) or by the JAAS login triggered in
     * {@code super.populate}; otherwise a crafted assertion could inject a
     * principal and roles.
     *
     * @param serviceSecurity the service's security configuration; supplies the
     *        security domain name (presumably non-null — confirm, it is dereferenced
     *        without a check)
     * @param securityContext the SwitchYard security context being populated
     */
    @Override // org.switchyard.security.provider.DefaultSecurityProvider, org.switchyard.security.provider.SecurityProvider
    public void populate(ServiceSecurity serviceSecurity, org.switchyard.security.context.SecurityContext securityContext) {
        String securityDomain = serviceSecurity.getSecurityDomain();
        Subject subject = securityContext.getSubject(securityDomain);
        // JBoss context bound to the current thread (thread-local), if any.
        SecurityContext securityContext2 = SecurityContextAssociation.getSecurityContext();
        if (securityContext2 != null) {
            if (!securityDomain.equals(securityContext2.getSecurityDomain())) {
                // Cross-domain call: re-home the caller's identity under the service's domain.
                pushSubjectContext(securityDomain);
            }
            // Note: transfers from the ORIGINAL context's Subject, not from the one
            // pushSubjectContext may have just associated (they share the same Subject).
            transfer(securityContext2.getUtil().getSubject(), subject);
        } else {
            Iterator it = securityContext.getCredentials(AssertionCredential.class).iterator();
            while (it.hasNext()) {
                Element assertion = ((AssertionCredential) it.next()).getAssertion();
                if (assertion != null) {
                    Subject subject2 = new Subject();
                    // z: "something was mapped" — only then is subject2 transferred.
                    boolean z = false;
                    HashMap hashMap = new HashMap();
                    // Key under which the PicketLink STS mapping providers look up the token.
                    hashMap.put("org.picketlink.identity.federation.core.wstrust.lm.stsToken", assertion);
                    STSPrincipalMappingProvider sTSPrincipalMappingProvider = new STSPrincipalMappingProvider();
                    sTSPrincipalMappingProvider.init(hashMap);
                    MappingResult mappingResult = new MappingResult();
                    sTSPrincipalMappingProvider.setMappingResult(mappingResult);
                    sTSPrincipalMappingProvider.performMapping(hashMap, (Principal) null);
                    Principal principal = (Principal) mappingResult.getMappedObject();
                    if (principal != null) {
                        // Only the name is kept; the provider's Principal type is discarded.
                        subject2.getPrincipals().add(new UserPrincipal(principal.getName()));
                        z = true;
                    }
                    STSGroupMappingProvider sTSGroupMappingProvider = new STSGroupMappingProvider();
                    sTSGroupMappingProvider.init(hashMap);
                    MappingResult mappingResult2 = new MappingResult();
                    sTSGroupMappingProvider.setMappingResult(mappingResult2);
                    sTSGroupMappingProvider.performMapping(hashMap, (RoleGroup) null);
                    RoleGroup roleGroup = (RoleGroup) mappingResult2.getMappedObject();
                    if (roleGroup != null) {
                        GroupPrincipal groupPrincipal = null;
                        for (Role role : roleGroup.getRoles()) {
                            // Lazily created so an empty role group adds no "Roles" principal.
                            if (groupPrincipal == null) {
                                groupPrincipal = new GroupPrincipal("Roles");
                            }
                            groupPrincipal.addMember(new RolePrincipal(role.getRoleName()));
                        }
                        if (groupPrincipal != null) {
                            subject2.getPrincipals().add(groupPrincipal);
                            z = true;
                        }
                    }
                    if (z) {
                        transfer(subject2, subject);
                    }
                }
            }
        }
        super.populate(serviceSecurity, securityContext);
    }

    /**
     * Replaces the thread-associated JBoss {@link SecurityContext} with a new one
     * for the given security domain, carrying over the current context's user
     * principal, credential and Subject.
     *
     * <p>Runs under {@link AccessController#doPrivileged} because reading and
     * replacing the association are permission-checked operations.
     *
     * <p>NOTE(review): this propagates the caller's identity — including the raw
     * credential object — into the target domain without re-authenticating against
     * it. Confirm this is the intended trust relationship for every domain pair
     * that can reach this path.
     *
     * <p>Precondition: a context must already be associated with the thread; the
     * current context is dereferenced without a null check (populate only calls
     * this after establishing that one exists).
     *
     * @param str the target security domain name
     */
    public void pushSubjectContext(final String str) {
        AccessController.doPrivileged(new PrivilegedAction<Void>() { // from class: org.switchyard.security.jboss.provider.JBossSecurityProvider.1
            /* JADX WARN: Can't rename method to resolve collision */
            @Override // java.security.PrivilegedAction
            public Void run() {
                SecurityContext securityContext = SecurityContextAssociation.getSecurityContext();
                SecurityContext createSecurityContext = JBossSecurityProvider.createSecurityContext(str);
                JBossSecurityProvider.setSecurityContextOnAssociation(createSecurityContext);
                // Copy identity + credential + Subject from the outgoing context into the new one.
                createSecurityContext.getUtil().createSubjectInfo(securityContext.getUtil().getUserPrincipal(), securityContext.getUtil().getCredential(), securityContext.getUtil().getSubject());
                return null;
            }
        });
    }

    /**
     * Creates a JBoss {@link SecurityContext} for the given domain inside a
     * privileged action.
     *
     * @param str the security domain name
     * @return the new, not-yet-associated context
     * @throws RuntimeException wrapping any checked exception thrown by
     *         {@link SecurityContextFactory#createSecurityContext(String)}
     */
    /* JADX INFO: Access modifiers changed from: private */
    public static SecurityContext createSecurityContext(final String str) {
        return (SecurityContext) AccessController.doPrivileged(new PrivilegedAction<SecurityContext>() { // from class: org.switchyard.security.jboss.provider.JBossSecurityProvider.2
            /* JADX WARN: Can't rename method to resolve collision */
            @Override // java.security.PrivilegedAction
            public SecurityContext run() {
                try {
                    return SecurityContextFactory.createSecurityContext(str);
                } catch (Exception e) {
                    // Cause is preserved; PrivilegedAction.run cannot throw checked exceptions.
                    throw new RuntimeException(e);
                }
            }
        });
    }

    /**
     * Binds the given context to the current thread via
     * {@link SecurityContextAssociation}, inside a privileged action.
     *
     * @param securityContext the context to associate
     */
    /* JADX INFO: Access modifiers changed from: private */
    public static void setSecurityContextOnAssociation(final SecurityContext securityContext) {
        AccessController.doPrivileged(new PrivilegedAction<Void>() { // from class: org.switchyard.security.jboss.provider.JBossSecurityProvider.3
            /* JADX WARN: Can't rename method to resolve collision */
            @Override // java.security.PrivilegedAction
            public Void run() {
                SecurityContextAssociation.setSecurityContext(securityContext);
                return null;
            }
        });
    }

    /**
     * Installs the SwitchYard identity into the container for the duration of an
     * invocation and returns the state needed to undo it.
     *
     * <p>Builds an outgoing {@link RunAsIdentity} whose role set is the run-as role
     * (if given) plus the names of every member of {@code group}. When no run-as
     * role is given but the group has members, the first member's name is promoted
     * to the run-as role.
     *
     * <p>NOTE(review): that promotion means an outgoing run-as identity is set even
     * when no run-as was configured, with the caller's first role as the run-as
     * role — confirm this is intended, since it affects how downstream EJB/service
     * calls see the caller.
     *
     * <p>Then, if a JBoss context is already associated with the thread, its role
     * group is overwritten with {@code group} (when non-null) and its outgoing run-as
     * with the new identity (when non-null); the prior values are captured for
     * {@link #resetContainerContext}. Otherwise a new context for the domain is
     * created and associated, its subject info built from the caller principal, the
     * first private credential found on {@code subject} (or {@code null} if it has
     * none — when several are present, whichever the set yields first is used) and
     * the roles; the returned token is all-null so that reset clears the association.
     *
     * @param str       the security domain name
     * @param subject   the SwitchYard Subject; its private credentials are consulted
     * @param principal the caller principal (may be null; then the run-as carries a
     *                  null principal name)
     * @param group     the caller's roles group (may be null)
     * @param str2      the configured run-as role name (may be null)
     * @return a {@link JBossContainerContext} token for {@link #resetContainerContext}
     * @throws Exception from {@link SecurityContextFactory#createSecurityContext(String)}
     */
    @Override // org.switchyard.security.provider.DefaultSecurityProvider
    protected Object setContainerContext(String str, Subject subject, Principal principal, Group group, String str2) throws Exception {
        RunAsIdentity runAsIdentity;
        HashSet hashSet = new HashSet();
        if (str2 != null) {
            hashSet.add(str2);
        }
        if (group != null) {
            Iterator it = Collections.list(group.members()).iterator();
            while (it.hasNext()) {
                Principal principal2 = (Principal) it.next();
                if (str2 == null) {
                    // No explicit run-as: first role name becomes the run-as role.
                    str2 = principal2.getName();
                }
                hashSet.add(principal2.getName());
            }
        }
        if (str2 != null) {
            runAsIdentity = new RunAsIdentity(str2, principal != null ? principal.getName() : null, hashSet);
        } else {
            runAsIdentity = null;
        }
        RunAsIdentity runAsIdentity2 = runAsIdentity;
        SecurityContext securityContext = SecurityContextAssociation.getSecurityContext();
        if (securityContext != null) {
            // Existing context: mutate in place, remembering what to restore.
            RoleGroup roles = securityContext.getSubjectInfo().getRoles();
            if (group != null) {
                securityContext.getSubjectInfo().setRoles(new SimpleRoleGroup(group));
            }
            RunAs outgoingRunAs = securityContext.getOutgoingRunAs();
            if (runAsIdentity2 != null) {
                securityContext.setOutgoingRunAs(runAsIdentity2);
            }
            return new JBossContainerContext(securityContext, roles, outgoingRunAs);
        }
        // No context: create one for this domain from the SwitchYard Subject.
        Set<Object> privateCredentials = subject.getPrivateCredentials();
        Object next = !privateCredentials.isEmpty() ? privateCredentials.iterator().next() : null;
        SecurityContext createSecurityContext = SecurityContextFactory.createSecurityContext(str);
        SecurityContextAssociation.setSecurityContext(createSecurityContext);
        if (group != null) {
            SimpleRoleGroup simpleRoleGroup = new SimpleRoleGroup(group);
            createSecurityContext.getUtil().createSubjectInfo(CredentialIdentityFactory.createIdentity(principal, next, simpleRoleGroup), subject);
            createSecurityContext.getSubjectInfo().setRoles(simpleRoleGroup);
        } else {
            createSecurityContext.getUtil().createSubjectInfo(CredentialIdentityFactory.createIdentity(principal, next), subject);
        }
        if (runAsIdentity2 != null) {
            createSecurityContext.setOutgoingRunAs(runAsIdentity2);
        }
        // All-null token: resetContainerContext will clear the association we made.
        return new JBossContainerContext(null, null, null);
    }

    /**
     * Undoes {@link #setContainerContext}. An all-null token means this provider
     * created the thread's context, so the association is cleared; otherwise the
     * saved context is re-associated and its role group and outgoing run-as are
     * restored to their captured values (which may legitimately be null).
     *
     * @param obj the token returned by {@link #setContainerContext}
     * @throws Exception declared for the override; none is thrown here directly
     */
    @Override // org.switchyard.security.provider.DefaultSecurityProvider
    protected void resetContainerContext(Object obj) throws Exception {
        JBossContainerContext jBossContainerContext = (JBossContainerContext) obj;
        if (jBossContainerContext._securityContext == null) {
            SecurityContextAssociation.clearSecurityContext();
            return;
        }
        SecurityContextAssociation.setSecurityContext(jBossContainerContext._securityContext);
        jBossContainerContext._securityContext.getSubjectInfo().setRoles(jBossContainerContext._roleGroup);
        jBossContainerContext._securityContext.setOutgoingRunAs(jBossContainerContext._runAs);
    }

    /**
     * Clears the SwitchYard context via {@code super.clear}, then clears the
     * thread's JBoss context only if its security domain equals the service's —
     * a context belonging to another domain is left in place (presumably because
     * it is owned by an outer caller). Any failure while clearing is logged and
     * swallowed so that clean-up never fails the invocation.
     *
     * @param serviceSecurity the service's security configuration
     * @param securityContext the SwitchYard security context being cleared
     */
    @Override // org.switchyard.security.provider.DefaultSecurityProvider, org.switchyard.security.provider.SecurityProvider
    public void clear(ServiceSecurity serviceSecurity, org.switchyard.security.context.SecurityContext securityContext) {
        super.clear(serviceSecurity, securityContext);
        try {
            SecurityContext securityContext2 = SecurityContextAssociation.getSecurityContext();
            if (securityContext2 != null && serviceSecurity.getSecurityDomain().equals(securityContext2.getSecurityDomain())) {
                SecurityContextAssociation.clearSecurityContext();
            }
        } catch (Throwable th) {
            // Deliberately best-effort: log and continue.
            JBossSecurityLogger.ROOT_LOGGER.clearSecurityContextAssociation(th);
        }
    }

    // Touches SecurityContextAssociation once at class-load time; the result is
    // discarded. Presumably forces its static initialisation early (e.g. while a
    // suitable privilege context is active) — intent not recoverable from here.
    static {
        SecurityContextAssociation.getSecurityContext();
    }
}
