package org.wildfly.security.authz.jacc;

import java.security.AccessController;
import java.security.CodeSource;
import java.security.Permission;
import java.security.PermissionCollection;
import java.security.Permissions;
import java.security.Policy;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.security.ProtectionDomain;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import javax.security.jacc.EJBMethodPermission;
import javax.security.jacc.EJBRoleRefPermission;
import javax.security.jacc.PolicyContext;
import javax.security.jacc.PolicyContextException;
import javax.security.jacc.WebResourcePermission;
import javax.security.jacc.WebRoleRefPermission;
import javax.security.jacc.WebUserDataPermission;
import net.bytebuddy.implementation.MethodDelegation;
import org.wildfly.common.Assert;
import org.wildfly.security._private.ElytronMessages;
import org.wildfly.security.auth.server.SecurityIdentity;
import org.wildfly.security.authz.Roles;
import org.wildfly.security.manager.WildFlySecurityManager;

/* loaded from: input_file:m2repo/org/wildfly/security/wildfly-elytron/1.1.6.Final/wildfly-elytron-1.1.6.Final.jar:org/wildfly/security/authz/jacc/JaccDelegatingPolicy.class */
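/**
 * A {@link Policy} that answers JACC ({@code javax.security.jacc}) permission checks from the
 * Elytron policy configuration and hands everything else to a wrapped delegate policy.
 *
 * <p>Decision order for a supported JACC permission type (see
 * {@link #implies(ProtectionDomain, Permission)}): an <em>excluded</em> permission is denied
 * outright (nothing else, not even the current identity, can override that); an
 * <em>unchecked</em> permission is granted; otherwise the permission is granted if any role
 * held by the caller maps to it. Roles are gathered from the {@link Principal} names of the
 * {@link ProtectionDomain} (taken verbatim, as trusted container input), from the current
 * {@link SecurityIdentity} published through {@link PolicyContext}, plus the JACC
 * {@code "**"} role, which is always considered whether or not an identity is available.
 *
 * <p>For any permission, JACC or not, the permission is also granted when the current
 * {@link SecurityIdentity} itself implies it. When none of the above grants it — or when an
 * Elytron check throws — the decision is delegated to the wrapped policy; failures are logged,
 * not propagated, and do not by themselves produce a denial.
 *
 * <p>Only exact permission classes are treated as JACC permissions
 * (see {@link #isJaccPermission(Permission)}); subclasses go straight to the delegate.
 *
 * <p>Note: this listing is a decompilation. The {@code net.bytebuddy} import at the top of the
 * file is not used by this class and appears to be a decompiler artifact standing in for the
 * {@code "delegate"} parameter-name literal used in the constructor.
 */
public class JaccDelegatingPolicy extends Policy {
    private static final PrivilegedAction<Policy> GET_POLICY_ACTION = Policy::getPolicy;
    /** JACC "any authenticated user" role name; always added to the caller's role set. */
    private static final String ANY_AUTHENTICATED_USER_ROLE = "**";
    private final Policy delegate;
    private final Set<Class<? extends Permission>> supportedPermissionTypes;

    /**
     * Creates a policy wrapping the {@link Policy} currently installed in the JVM.
     * When a security manager is checking, the lookup runs inside a privileged action.
     */
    public JaccDelegatingPolicy() {
        this(WildFlySecurityManager.isChecking()
                ? AccessController.doPrivileged(GET_POLICY_ACTION)
                : Policy.getPolicy());
    }

    /**
     * Creates a policy wrapping the given delegate.
     *
     * @param policy the policy consulted for non-JACC permissions and for JACC permissions that
     *               the Elytron configuration does not grant; must not be {@code null}
     *               (rejected via {@code Assert.checkNotNullParam})
     */
    public JaccDelegatingPolicy(Policy policy) {
        this.supportedPermissionTypes = new HashSet<>();
        this.delegate = Assert.checkNotNullParam("delegate", policy);
        // Exact-class matches only; see isJaccPermission.
        this.supportedPermissionTypes.add(WebResourcePermission.class);
        this.supportedPermissionTypes.add(WebRoleRefPermission.class);
        this.supportedPermissionTypes.add(WebUserDataPermission.class);
        this.supportedPermissionTypes.add(EJBMethodPermission.class);
        this.supportedPermissionTypes.add(EJBRoleRefPermission.class);
    }

    /**
     * Decides {@code permission} for {@code protectionDomain}.
     *
     * <p>For a JACC permission: excluded &rarr; {@code false}; unchecked or role-granted &rarr;
     * {@code true}. For any permission: {@code true} if the current {@link SecurityIdentity}
     * implies it. Otherwise, and whenever one of the Elytron checks throws, the answer is the
     * delegate's.
     *
     * @param protectionDomain the domain whose principals contribute role names
     * @param permission       the permission being checked
     * @return whether the permission is granted
     */
    @Override
    public boolean implies(ProtectionDomain protectionDomain, Permission permission) {
        try {
            if (isJaccPermission(permission)) {
                ElytronPolicyConfiguration configuration =
                        (ElytronPolicyConfiguration) ElytronPolicyConfigurationFactory.getCurrentPolicyConfiguration();
                // Exclusion is absolute: checked before unchecked, role and identity grants.
                if (impliesExcludedPermission(permission, configuration)) {
                    return false;
                }
                if (impliesUncheckedPermission(permission, configuration)
                        || impliesRolePermission(protectionDomain, permission, configuration)) {
                    return true;
                }
            }
            if (impliesIdentityPermission(permission)) {
                return true;
            }
        } catch (Exception e) {
            // NOTE(review): a failing Elytron check is logged and then falls through to the
            // delegate rather than denying; the delegate's answer is the fallback.
            ElytronMessages.log.authzFailedToCheckPermission(protectionDomain, permission, e);
        }
        return this.delegate.implies(protectionDomain, permission);
    }

    /**
     * Enumerating a domain's permissions is not supported by this policy; the call is logged.
     * The returned collection is read-only ({@code add} throws), answers
     * {@link PermissionCollection#implies(Permission)} by calling
     * {@link #implies(ProtectionDomain, Permission)} on this policy, and enumerates only the
     * delegate's permissions for the domain.
     *
     * @param protectionDomain the domain the collection is bound to
     * @return a read-only view that re-consults this policy on every {@code implies}
     */
    @Override
    public PermissionCollection getPermissions(final ProtectionDomain protectionDomain) {
        ElytronMessages.log.getPermissionsNotSupported();
        return new PermissionCollection() {
            @Override
            public void add(Permission permission) {
                throw ElytronMessages.log.readOnlyPermissionCollection();
            }

            @Override
            public boolean implies(Permission permission) {
                return JaccDelegatingPolicy.this.implies(protectionDomain, permission);
            }

            @Override
            public Enumeration<Permission> elements() {
                return JaccDelegatingPolicy.this.delegate.getPermissions(protectionDomain).elements();
            }
        };
    }

    /**
     * Code-source variant of {@link #getPermissions(ProtectionDomain)}. The synthesized domain
     * carries no principals, so role checks through it see only the current identity's roles
     * and the {@code "**"} role.
     *
     * @param codeSource the code source, may be {@code null}
     * @return {@link Policy#UNSUPPORTED_EMPTY_COLLECTION} for a {@code null} code source,
     *         otherwise the domain-bound view
     */
    @Override
    public PermissionCollection getPermissions(CodeSource codeSource) {
        if (codeSource == null) {
            return Policy.UNSUPPORTED_EMPTY_COLLECTION;
        }
        return getPermissions(new ProtectionDomain(codeSource, null));
    }

    /** Refreshes the delegate; the Elytron configuration is read on every check and needs no refresh here. */
    @Override
    public void refresh() {
        this.delegate.refresh();
    }

    /** {@code true} if a current {@link SecurityIdentity} exists and itself implies the permission. */
    private boolean impliesIdentityPermission(Permission permission) {
        SecurityIdentity identity = getCurrentSecurityIdentity();
        return identity != null && identity.implies(permission);
    }

    /**
     * Looks up the current identity from the JACC {@link PolicyContext}.
     *
     * @return the identity, or {@code null} if the lookup fails (the failure is logged)
     */
    private SecurityIdentity getCurrentSecurityIdentity() {
        try {
            return (SecurityIdentity) PolicyContext.getContext(SecurityIdentityHandler.KEY);
        } catch (Exception e) {
            ElytronMessages.log.authzCouldNotObtainSecurityIdentity(e);
            return null;
        }
    }

    /** Adds the current identity's roles to {@code roles}; a no-op without an identity or roles. */
    private void extractRolesFromCurrentIdentity(Set<String> roles) throws PolicyContextException, ClassNotFoundException {
        SecurityIdentity identity = getCurrentSecurityIdentity();
        if (identity == null) {
            return;
        }
        Roles identityRoles = identity.getRoles();
        if (identityRoles == null) {
            return;
        }
        Iterator<String> it = identityRoles.iterator();
        while (it.hasNext()) {
            roles.add(it.next());
        }
    }

    /**
     * Adds every principal name of the domain to {@code roles}. Names are used verbatim as role
     * names, so the domain's principals are trusted as-is.
     */
    private void extractRolesFromProtectionDomain(ProtectionDomain protectionDomain, Set<String> roles) {
        Principal[] principals = protectionDomain.getPrincipals();
        if (principals == null) {
            return;
        }
        for (Principal principal : principals) {
            roles.add(principal.getName());
        }
    }

    /**
     * {@code true} if any role held by the caller (domain principals, current identity, or
     * {@code "**"}) maps to a {@link Permissions} set that implies the permission.
     */
    private boolean impliesRolePermission(ProtectionDomain protectionDomain, Permission permission, ElytronPolicyConfiguration elytronPolicyConfiguration) throws PolicyContextException, ClassNotFoundException {
        Set<String> roles = new HashSet<>();
        extractRolesFromProtectionDomain(protectionDomain, roles);
        extractRolesFromCurrentIdentity(roles);
        // "**" is always considered, whether or not an identity was found.
        roles.add(ANY_AUTHENTICATED_USER_ROLE);
        Map<String, Permissions> rolePermissions = elytronPolicyConfiguration.getRolePermissions();
        synchronized (rolePermissions) {
            for (String role : roles) {
                Permissions permissions = rolePermissions.get(role);
                if (permissions != null && permissions.implies(permission)) {
                    return true;
                }
            }
        }
        return false;
    }

    /** {@code true} if the configuration's unchecked permissions imply the permission. */
    private boolean impliesUncheckedPermission(Permission permission, ElytronPolicyConfiguration elytronPolicyConfiguration) {
        Permissions unchecked = elytronPolicyConfiguration.getUncheckedPermissions();
        synchronized (unchecked) {
            return unchecked.implies(permission);
        }
    }

    /** {@code true} if the configuration's excluded permissions imply the permission. */
    private boolean impliesExcludedPermission(Permission permission, ElytronPolicyConfiguration elytronPolicyConfiguration) {
        Permissions excluded = elytronPolicyConfiguration.getExcludedPermissions();
        synchronized (excluded) {
            return excluded.implies(permission);
        }
    }

    /** Exact-class membership test against the supported JACC permission types. */
    private boolean isJaccPermission(Permission permission) {
        return this.supportedPermissionTypes.contains(permission.getClass());
    }
}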
