package org.jboss.as.controller.access.permission;

import java.security.Permission;
import java.security.PermissionCollection;
import java.util.Collections;
import java.util.Enumeration;
import java.util.Set;
import org.jboss.as.controller.ControlledProcessState;
import org.jboss.as.controller.PathAddress;
import org.jboss.as.controller.access.Action;
import org.jboss.as.controller.access.AuthorizationResult;
import org.jboss.as.controller.access.Authorizer;
import org.jboss.as.controller.access.Caller;
import org.jboss.as.controller.access.Environment;
import org.jboss.as.controller.access.JmxAction;
import org.jboss.as.controller.access.TargetAttribute;
import org.jboss.as.controller.access.TargetResource;
import org.jboss.as.controller.access.rbac.StandardRole;
import org.jboss.as.controller.logging.ControllerLogger;
import org.jboss.as.controller.operations.common.Util;
import org.jboss.as.domain.management.ModelDescriptionConstants;
import org.jboss.dmr.ModelNode;

/* loaded from: input_file:org/jboss/as/controller/access/permission/ManagementPermissionAuthorizer.class */
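/**
 * {@link Authorizer} that decides management requests by comparing the permissions a caller
 * holds with the permissions the requested action requires, and decides JMX requests by
 * checking the caller's roles against fixed sets of {@link StandardRole}s.
 *
 * <p>Points a reviewer of the access-control path should keep in mind:
 * <ul>
 *   <li>Both management {@code authorize} overloads return {@code PERMITTED} without consulting
 *       the {@link PermissionFactory} while the process state is {@code STARTING}.</li>
 *   <li>The comparison between the operation's address and the target resource's address is a
 *       Java {@code assert}. It runs only when assertions are enabled for this class, so it is a
 *       development-time consistency check and not an access control.</li>
 *   <li>{@link #getCallerRoles} always returns {@code null}.</li>
 * </ul>
 */
public class ManagementPermissionAuthorizer implements Authorizer {
    /**
     * Placeholder management action handed to the {@link JmxPermissionFactory} when the roles of
     * a JMX caller are resolved; built from an operation at the empty address.
     */
    private static final Action FAKE_JMX_ACTION =
            new Action(Util.createOperation(ModelDescriptionConstants.TEST, PathAddress.EMPTY_ADDRESS), null);

    private final PermissionFactory permissionFactory;
    private final JmxPermissionFactory jmxPermissionFactory;

    /**
     * Creates an authorizer backed by the given factories.
     *
     * @param permissionFactory source of user and required permissions for management actions
     * @param jmxPermissionFactory source of caller roles and MBean sensitivity for JMX actions
     */
    public ManagementPermissionAuthorizer(PermissionFactory permissionFactory, JmxPermissionFactory jmxPermissionFactory) {
        this.permissionFactory = permissionFactory;
        this.jmxPermissionFactory = jmxPermissionFactory;
    }

    /**
     * Describes this authorizer as role based, with an empty set of standard roles.
     *
     * @return a description whose {@code isRoleBased()} is {@code true} and whose
     *         {@code getStandardRoles()} is empty
     */
    @Override
    public Authorizer.AuthorizerDescription getDescription() {
        return new Authorizer.AuthorizerDescription() {
            @Override
            public boolean isRoleBased() {
                return true;
            }

            @Override
            public Set<String> getStandardRoles() {
                return Collections.emptySet();
            }
        };
    }

    /**
     * Authorizes an action against a single attribute.
     *
     * @param caller the caller requesting the action
     * @param environment the environment of the call; its process state is consulted first
     * @param action the requested action
     * @param targetAttribute the attribute the action targets
     * @return {@code PERMITTED} while the process is {@code STARTING}; otherwise the result of
     *         checking the required permissions against the caller's permissions
     */
    @Override
    public AuthorizationResult authorize(Caller caller, Environment environment, Action action, TargetAttribute targetAttribute) {
        // Consistency check only: skipped entirely unless assertions are enabled for this class.
        assert assertSameAddress(action, targetAttribute.getTargetResource());

        // NOTE(review): every request is permitted during STARTING, before any permission lookup.
        // Presumably this lets boot operations run; confirm nothing external can reach this path
        // while the process is in that state.
        if (environment.getProcessState() == ControlledProcessState.State.STARTING) {
            return AuthorizationResult.PERMITTED;
        }

        PermissionCollection userPermissions =
                this.permissionFactory.getUserPermissions(caller, environment, action, targetAttribute);
        PermissionCollection requiredPermissions =
                this.permissionFactory.getRequiredPermissions(action, targetAttribute);
        return authorize(userPermissions, requiredPermissions);
    }

    /**
     * Authorizes an action against a resource.
     *
     * @param caller the caller requesting the action
     * @param environment the environment of the call; its process state is consulted first
     * @param action the requested action
     * @param targetResource the resource the action targets
     * @return {@code PERMITTED} while the process is {@code STARTING} or when the caller's
     *         permissions are the {@code AllPermissionsCollection.INSTANCE} singleton; otherwise
     *         the result of checking the required permissions against the caller's permissions
     */
    @Override
    public AuthorizationResult authorize(Caller caller, Environment environment, Action action, TargetResource targetResource) {
        // Consistency check only: skipped entirely unless assertions are enabled for this class.
        assert assertSameAddress(action, targetResource);

        // NOTE(review): same STARTING shortcut as the attribute overload; no permission lookup
        // happens in that state.
        if (environment.getProcessState() == ControlledProcessState.State.STARTING) {
            return AuthorizationResult.PERMITTED;
        }

        PermissionCollection userPermissions =
                this.permissionFactory.getUserPermissions(caller, environment, action, targetResource);
        // Identity comparison on purpose: only the shared singleton skips the per-permission
        // check, and the required permissions are then never computed.
        if (userPermissions == AllPermissionsCollection.INSTANCE) {
            return AuthorizationResult.PERMITTED;
        }
        return authorize(userPermissions, this.permissionFactory.getRequiredPermissions(action, targetResource));
    }

    /**
     * Tells whether the address carried by the action's operation matches the target resource.
     *
     * @return {@code true} when the action has no operation, or when the operation's
     *         {@code "address"} value parses to the resource's address
     */
    private static boolean assertSameAddress(Action action, TargetResource targetResource) {
        ModelNode operation = action.getOperation();
        if (operation == null) {
            return true;
        }
        PathAddress operationAddress = PathAddress.pathAddress(operation.get("address"));
        return targetResource.getResourceAddress().equals(operationAddress);
    }

    /**
     * Grants access only when every required permission is implied by the caller's permissions.
     * An empty {@code requiredPermissions} collection therefore yields {@code PERMITTED}.
     *
     * @param userPermissions permissions held by the caller
     * @param requiredPermissions permissions the action needs
     * @return {@code PERMITTED}, or a {@code DENY} result carrying the logger's
     *         permission-denied message for the first permission that is not implied
     */
    private AuthorizationResult authorize(PermissionCollection userPermissions, PermissionCollection requiredPermissions) {
        Enumeration<Permission> required = requiredPermissions.elements();
        while (required.hasMoreElements()) {
            Permission needed = required.nextElement();
            if (!userPermissions.implies(needed)) {
                return new AuthorizationResult(
                        AuthorizationResult.Decision.DENY,
                        new ModelNode(ControllerLogger.ROOT_LOGGER.permissionDenied()));
            }
        }
        return AuthorizationResult.PERMITTED;
    }

    /**
     * Authorizes a JMX action from the caller's roles and the action's impact.
     *
     * <p>Decision table, as implemented below:
     * <ul>
     *   <li>{@code EXTRA_SENSITIVE}: SUPERUSER or ADMINISTRATOR.</li>
     *   <li>Non-facade MBeans sensitive, {@code READ_ONLY}: SUPERUSER, ADMINISTRATOR or AUDITOR.</li>
     *   <li>Non-facade MBeans sensitive, any other impact: SUPERUSER or ADMINISTRATOR.</li>
     *   <li>Non-facade MBeans not sensitive, {@code READ_ONLY}: permitted for every caller,
     *       whatever roles were resolved.</li>
     *   <li>Non-facade MBeans not sensitive, any other impact: SUPERUSER, ADMINISTRATOR,
     *       OPERATOR or MAINTAINER.</li>
     * </ul>
     *
     * @param caller the caller requesting the action
     * @param environment not used by this implementation; the role lookup is made with a
     *        {@code null} environment
     * @param jmxAction the JMX action, whose impact selects the accepted roles
     * @return the authorization decision
     */
    @Override
    public AuthorizationResult authorizeJmxOperation(Caller caller, Environment environment, JmxAction jmxAction) {
        // The lookup is made with a null environment and a null target, not the arguments above.
        Set<String> userRoles =
                this.jmxPermissionFactory.getUserRoles(caller, null, FAKE_JMX_ACTION, (TargetResource) null);

        if (jmxAction.getImpact() == JmxAction.Impact.EXTRA_SENSITIVE) {
            return authorize(userRoles, StandardRole.SUPERUSER, StandardRole.ADMINISTRATOR);
        }

        if (this.jmxPermissionFactory.isNonFacadeMBeansSensitive()) {
            if (jmxAction.getImpact() == JmxAction.Impact.READ_ONLY) {
                return authorize(userRoles, StandardRole.SUPERUSER, StandardRole.ADMINISTRATOR, StandardRole.AUDITOR);
            }
            return authorize(userRoles, StandardRole.SUPERUSER, StandardRole.ADMINISTRATOR);
        }

        if (jmxAction.getImpact() == JmxAction.Impact.READ_ONLY) {
            // No role is required for read-only access when non-facade MBeans are not sensitive.
            return AuthorizationResult.PERMITTED;
        }
        return authorize(
                userRoles,
                StandardRole.SUPERUSER,
                StandardRole.ADMINISTRATOR,
                StandardRole.OPERATOR,
                StandardRole.MAINTAINER);
    }

    /**
     * Role resolution is not provided by this implementation.
     *
     * @return always {@code null}; callers must not dereference the result unchecked
     */
    @Override
    public Set<String> getCallerRoles(Caller caller, Environment environment, Set<String> set) {
        return null;
    }

    /**
     * Grants access when the caller holds at least one of the accepted roles.
     *
     * @param callerRoles role names resolved for the caller
     * @param acceptedRoles roles of which any one is sufficient; matched by official form
     * @return {@code PERMITTED} on the first match, otherwise a {@code DENY} result with no
     *         explanation attached
     */
    private AuthorizationResult authorize(Set<String> callerRoles, StandardRole... acceptedRoles) {
        for (StandardRole accepted : acceptedRoles) {
            if (callerRoles.contains(accepted.getOfficialForm())) {
                return AuthorizationResult.PERMITTED;
            }
        }
        return new AuthorizationResult(AuthorizationResult.Decision.DENY);
    }
}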
