package org.wildfly.extension.elytron;

import java.security.AccessController;
import java.security.Policy;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.security.acl.Group;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Set;
import java.util.function.Supplier;
import javax.security.auth.Subject;
import javax.security.jacc.PolicyContext;
import javax.security.jacc.PolicyContextException;
import javax.security.jacc.PolicyContextHandler;
import org.jboss.as.controller.AttributeDefinition;
import org.jboss.as.controller.ObjectListAttributeDefinition;
import org.jboss.as.controller.ObjectTypeAttributeDefinition;
import org.jboss.as.controller.OperationContext;
import org.jboss.as.controller.OperationFailedException;
import org.jboss.as.controller.OperationStepHandler;
import org.jboss.as.controller.PathElement;
import org.jboss.as.controller.ReloadRequiredRemoveStepHandler;
import org.jboss.as.controller.ReloadRequiredWriteAttributeHandler;
import org.jboss.as.controller.ResourceDefinition;
import org.jboss.as.controller.SimpleAttributeDefinition;
import org.jboss.as.controller.SimpleAttributeDefinitionBuilder;
import org.jboss.as.controller.SimpleResourceDefinition;
import org.jboss.as.controller.capability.RuntimeCapability;
import org.jboss.as.controller.registry.AttributeAccess;
import org.jboss.as.controller.registry.ManagementResourceRegistration;
import org.jboss.as.controller.registry.OperationEntry;
import org.jboss.as.controller.registry.Resource;
import org.jboss.dmr.ModelNode;
import org.jboss.dmr.ModelType;
import org.jboss.msc.service.Service;
import org.jboss.msc.service.ServiceBuilder;
import org.jboss.msc.service.ServiceController;
import org.jboss.msc.service.ServiceName;
import org.jboss.msc.service.StartContext;
import org.jboss.msc.service.StartException;
import org.jboss.msc.service.StopContext;
import org.jboss.msc.value.InjectedValue;
import org.jboss.security.auth.callback.CallbackHandlerPolicyContextHandler;
import org.jboss.security.jacc.SubjectPolicyContextHandler;
import org.wildfly.common.Assert;
import org.wildfly.security.auth.principal.NamePrincipal;
import org.wildfly.security.auth.server.SecurityDomain;
import org.wildfly.security.auth.server.SecurityIdentity;
import org.wildfly.security.authz.jacc.ElytronPolicyConfigurationFactory;
import org.wildfly.security.authz.jacc.JaccDelegatingPolicy;
import org.wildfly.security.credential.Credential;
import org.wildfly.security.credential.KeyPairCredential;
import org.wildfly.security.credential.PasswordCredential;
import org.wildfly.security.credential.PublicKeyCredential;
import org.wildfly.security.credential.SecretKeyCredential;
import org.wildfly.security.credential.X509CertificateChainPrivateCredential;
import org.wildfly.security.credential.X509CertificateChainPublicCredential;
import org.wildfly.security.manager.WildFlySecurityManager;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:org/wildfly/extension/elytron/PolicyDefinitions.class */
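/**
 * Resource definition for the Elytron {@code policy} resource and the runtime service that
 * installs the selected {@link Policy} into the JVM.
 *
 * <p>The resource carries a {@code default-policy} name plus two lists of candidate providers,
 * {@code jacc-policy} and {@code custom-policy}. {@link #getPolicyProvider} resolves a name
 * against those lists (JACC entries first); the MSC service created in {@link #getPolicy()}
 * instantiates the provider on start and calls {@link Policy#setPolicy(Policy)}, which replaces
 * the policy for the whole JVM, not just this subsystem.
 *
 * <p>This listing was recovered with a decompiler (JADX); access modifiers and parameter names
 * follow the recovered form.
 */
public class PolicyDefinitions {
    /** Default value of the {@code default-policy} attribute. */
    private static final String DEFAULT_POLICY_NAME = "policy";
    /** System property naming the JACC {@code PolicyConfigurationFactory} implementation (JVM-wide). */
    private static final String JACC_CONFIGURATION_FACTORY_PROPERTY = "javax.security.jacc.PolicyConfigurationFactory.provider";
    /** {@code PolicyContext} key under which the caller {@link Subject} is served. */
    private static final String SUBJECT_CONTEXT_KEY = "javax.security.auth.Subject.container";
    /** {@code PolicyContext} key answered by the legacy callback-handler context handler. */
    private static final String CALLBACK_HANDLER_CONTEXT_KEY = "org.jboss.security.auth.spi.CallbackHandler";

    /** Name of the provider entry (from either list) that this resource activates. */
    static final SimpleAttributeDefinition DEFAULT_POLICY = new SimpleAttributeDefinitionBuilder(ElytronDescriptionConstants.DEFAULT_POLICY, ModelType.STRING, true)
            .setDefaultValue(new ModelNode(DEFAULT_POLICY_NAME))
            .setAllowExpression(false)
            .setMinSize(1)
            .setFlags(AttributeAccess.Flag.RESTART_RESOURCE_SERVICES)
            .build();

    /** Attributes of one {@code custom-policy} entry: a name plus the class and module to load. */
    public static class CustomPolicyDefinition {
        static final SimpleAttributeDefinition NAME = new SimpleAttributeDefinitionBuilder(ElytronDescriptionConstants.NAME, ModelType.STRING, false).setMinSize(1).build();
        static final SimpleAttributeDefinition CLASS_NAME = ClassLoadingAttributeDefinitions.CLASS_NAME;
        static final SimpleAttributeDefinition MODULE = ClassLoadingAttributeDefinitions.MODULE;
        static ObjectTypeAttributeDefinition POLICY = new ObjectTypeAttributeDefinition.Builder(ElytronDescriptionConstants.CUSTOM_POLICY, NAME, CLASS_NAME, MODULE).build();
        /** The {@code custom-policy} list; may be left undefined. */
        static final ObjectListAttributeDefinition POLICIES = new ObjectListAttributeDefinition.Builder(ElytronDescriptionConstants.CUSTOM_POLICY, POLICY).setAllowNull(true).build();

        CustomPolicyDefinition() {
        }
    }

    /**
     * Attributes of one {@code jacc-policy} entry. Both class names default to the Elytron JACC
     * implementations ({@link JaccDelegatingPolicy} and {@link ElytronPolicyConfigurationFactory}).
     */
    public static class JaccPolicyDefinition {
        static final SimpleAttributeDefinition NAME = new SimpleAttributeDefinitionBuilder(ElytronDescriptionConstants.NAME, ModelType.STRING, false).setMinSize(1).build();
        /** Class name of the {@link Policy} implementation. */
        static final SimpleAttributeDefinition POLICY_PROVIDER = new SimpleAttributeDefinitionBuilder("policy", ModelType.STRING, true).setDefaultValue(new ModelNode(JaccDelegatingPolicy.class.getName())).setMinSize(1).build();
        /** Class name published through the JACC configuration-factory system property. */
        static final SimpleAttributeDefinition CONFIGURATION_FACTORY = new SimpleAttributeDefinitionBuilder(ElytronDescriptionConstants.CONFIGURATION_FACTORY, ModelType.STRING, true).setDefaultValue(new ModelNode(ElytronPolicyConfigurationFactory.class.getName())).setMinSize(1).build();
        static final SimpleAttributeDefinition MODULE = ClassLoadingAttributeDefinitions.MODULE;
        static ObjectTypeAttributeDefinition POLICY = new ObjectTypeAttributeDefinition.Builder(ElytronDescriptionConstants.JACC_POLICY, NAME, POLICY_PROVIDER, CONFIGURATION_FACTORY, MODULE).build();
        /** The {@code jacc-policy} list; may be left undefined, but not empty when present. */
        static final ObjectListAttributeDefinition POLICIES = new ObjectListAttributeDefinition.Builder(ElytronDescriptionConstants.JACC_POLICY, POLICY).setMinSize(1).setAllowNull(true).build();

        JaccPolicyDefinition() {
        }
    }

    /**
     * Bridges an Elytron {@link SecurityIdentity} to a JAAS {@link Subject} laid out the way the
     * legacy {@code org.jboss.security} context handlers expect it: a {@code "Roles"} group and a
     * {@code "CallerPrincipal"} group among the principals.
     */
    static final class SubjectUtil {

        /** Minimal {@link Group}: a named, mutable set of member principals. Not thread-safe. */
        public static class SimpleGroup implements Group {
            private final String name;
            private final Set<Principal> principals = new HashSet<>();

            SimpleGroup(String str) {
                this.name = str;
            }

            @Override // java.security.Principal
            public String getName() {
                return this.name;
            }

            @Override // java.security.acl.Group
            public boolean addMember(Principal principal) {
                return this.principals.add(principal);
            }

            @Override // java.security.acl.Group
            public boolean removeMember(Principal principal) {
                return this.principals.remove(principal);
            }

            @Override // java.security.acl.Group
            public Enumeration<? extends Principal> members() {
                return Collections.enumeration(this.principals);
            }

            @Override // java.security.acl.Group
            public boolean isMember(Principal principal) {
                return this.principals.contains(principal);
            }
        }

        SubjectUtil() {
        }

        /**
         * Builds a {@link Subject} mirroring {@code securityIdentity}.
         *
         * <p>Principals: the identity's principal, a {@code "Roles"} group holding one
         * {@link NamePrincipal} per role, and a {@code "CallerPrincipal"} group holding the
         * identity's principal. Public credentials are unwrapped to their public key or
         * certificate chain where the type is known. Private credentials are unwrapped to the raw
         * password, secret key, key pair or private certificate chain and copied into the
         * Subject's private credential set, together with the {@link SecurityIdentity} itself —
         * the returned Subject therefore carries the caller's secrets and must be handled with
         * the same care as the identity.
         *
         * @param securityIdentity the identity to convert; must not be {@code null}
         * @return a new, mutable Subject
         */
        public static Subject fromSecurityIdentity(SecurityIdentity securityIdentity) {
            Assert.checkNotNullParam("securityIdentity", securityIdentity);
            Subject subject = new Subject();
            Principal caller = securityIdentity.getPrincipal();
            subject.getPrincipals().add(caller);

            SimpleGroup roles = new SimpleGroup("Roles");
            for (String role : securityIdentity.getRoles()) {
                roles.addMember(new NamePrincipal(role));
            }
            subject.getPrincipals().add(roles);

            SimpleGroup callerGroup = new SimpleGroup("CallerPrincipal");
            callerGroup.addMember(caller);
            subject.getPrincipals().add(callerGroup);

            for (Credential credential : securityIdentity.getPublicCredentials()) {
                Object value;
                if (credential instanceof PublicKeyCredential) {
                    value = credential.castAs(PublicKeyCredential.class).getPublicKey();
                } else if (credential instanceof X509CertificateChainPublicCredential) {
                    value = credential.castAs(X509CertificateChainPublicCredential.class).getCertificateChain();
                } else {
                    value = credential;
                }
                subject.getPublicCredentials().add(value);
            }

            for (Credential credential : securityIdentity.getPrivateCredentials()) {
                Object secret;
                if (credential instanceof PasswordCredential) {
                    secret = credential.castAs(PasswordCredential.class).getPassword();
                } else if (credential instanceof SecretKeyCredential) {
                    secret = credential.castAs(SecretKeyCredential.class).getSecretKey();
                } else if (credential instanceof KeyPairCredential) {
                    secret = credential.castAs(KeyPairCredential.class).getKeyPair();
                } else if (credential instanceof X509CertificateChainPrivateCredential) {
                    secret = credential.castAs(X509CertificateChainPrivateCredential.class).getCertificateChain();
                } else {
                    secret = credential;
                }
                addPrivateCredential(subject, secret);
            }
            // The identity itself rides along so consumers can get back to the Elytron view.
            addPrivateCredential(subject, securityIdentity);
            return subject;
        }

        /**
         * Adds {@code obj} to the Subject's private credentials. Under a security manager the
         * add needs {@code AuthPermission("modifyPrivateCredentials")}, so it runs privileged.
         *
         * @param subject the Subject to modify
         * @param obj     the credential to add
         */
        static void addPrivateCredential(Subject subject, Object obj) {
            if (WildFlySecurityManager.isChecking()) {
                AccessController.doPrivileged((PrivilegedAction<Void>) () -> {
                    subject.getPrivateCredentials().add(obj);
                    return null;
                });
            } else {
                subject.getPrivateCredentials().add(obj);
            }
        }
    }

    PolicyDefinitions() {
    }

    /**
     * Builds the {@code policy} resource definition.
     *
     * <p>The add handler installs a {@link Policy} service under the policy capability whose
     * value is produced by the provider resolved through {@link #getPolicyProvider}; outside boot
     * the add additionally flags the server reload-required. Every attribute is writable, a
     * write requires reload, and the updated model is validated by resolving the selected
     * provider again without touching any service.
     *
     * @return the resource definition to register under the Elytron subsystem
     */
    public static ResourceDefinition getPolicy() {
        final AttributeDefinition[] attributes = {DEFAULT_POLICY, JaccPolicyDefinition.POLICIES, CustomPolicyDefinition.POLICIES};

        BaseAddHandler addHandler = new BaseAddHandler(Capabilities.POLICY_RUNTIME_CAPABILITY, attributes) {
            /**
             * Installs the policy service. The provider is resolved now, so an unknown name fails
             * the operation, but the policy class is only instantiated when the service starts.
             */
            @Override
            protected void performRuntime(OperationContext operationContext, ModelNode modelNode, ModelNode modelNode2) throws OperationFailedException {
                String policyName = operationContext.getCurrentAddress().getLastElement().getValue();
                ServiceName serviceName = Capabilities.POLICY_RUNTIME_CAPABILITY.getCapabilityServiceName(Policy.class);
                InjectedValue<Supplier<Policy>> providerValue = new InjectedValue<>();
                ServiceBuilder<Policy> serviceBuilder = operationContext.getServiceTarget().addService(serviceName, createPolicyService(providerValue));
                // modelNode2 is the resource model; a JACC provider also adds the JACC capability
                // alias to the builder, which is why the builder is passed in.
                Supplier<Policy> policyProvider = PolicyDefinitions.getPolicyProvider(operationContext, modelNode2, policyName, serviceBuilder);
                providerValue.setValue(() -> policyProvider);
                serviceBuilder.setInitialMode(ServiceController.Mode.ACTIVE).install();
                if (!operationContext.isBooting()) {
                    operationContext.reloadRequired();
                }
            }

            /**
             * Creates the service that swaps the JVM policy in on start and back out on stop.
             *
             * @param injectedValue supplies the provider; it is only read at start time
             */
            private Service<Policy> createPolicyService(final InjectedValue<Supplier<Policy>> injectedValue) {
                return new Service<Policy>() {
                    /** Policy that was active before start; restored on failure and on stop. */
                    volatile Policy delegated;
                    /** Policy produced by the configured provider. */
                    volatile Policy policy;

                    @Override
                    public void start(StartContext startContext) throws StartException {
                        this.delegated = currentPolicy();
                        this.policy = injectedValue.getValue().get();
                        try {
                            setPolicy(this.policy);
                            this.policy.refresh();
                        } catch (Exception e) {
                            // Never leave the JVM on a half-installed policy: roll back first.
                            setPolicy(this.delegated);
                            throw new RuntimeException("Failed to set policy [" + this.policy + "]", e);
                        }
                    }

                    @Override
                    public void stop(StopContext stopContext) {
                        setPolicy(this.delegated);
                    }

                    @Override
                    public Policy getValue() throws IllegalStateException, IllegalArgumentException {
                        return this.policy;
                    }

                    /** {@link Policy#setPolicy(Policy)} needs SecurityPermission under a security manager. */
                    private void setPolicy(Policy policy) {
                        PrivilegedAction<Void> action = setPolicyAction(policy);
                        if (WildFlySecurityManager.isChecking()) {
                            AccessController.doPrivileged(action);
                        } else {
                            action.run();
                        }
                    }

                    private PrivilegedAction<Void> setPolicyAction(Policy policy) {
                        return () -> {
                            Policy.setPolicy(policy);
                            return null;
                        };
                    }

                    /** Reads the policy currently installed in the JVM. */
                    private Policy currentPolicy() {
                        PrivilegedAction<Policy> action = getPolicyAction();
                        return WildFlySecurityManager.isChecking() ? AccessController.doPrivileged(action) : action.run();
                    }

                    private PrivilegedAction<Policy> getPolicyAction() {
                        return Policy::getPolicy;
                    }
                };
            }
        };

        SimpleResourceDefinition.Parameters parameters = new SimpleResourceDefinition.Parameters(PathElement.pathElement("policy"), ElytronExtension.getResourceDescriptionResolver("policy"))
                .setAddHandler(addHandler)
                .setRemoveHandler(new ReloadRequiredRemoveStepHandler())
                .setAddRestartLevel(OperationEntry.Flag.RESTART_ALL_SERVICES)
                .setRemoveRestartLevel(OperationEntry.Flag.RESTART_ALL_SERVICES)
                .setCapabilities(Capabilities.POLICY_RUNTIME_CAPABILITY);

        return new SimpleResourceDefinition(parameters) {
            @Override
            public void registerAttributes(ManagementResourceRegistration managementResourceRegistration) {
                ReloadRequiredWriteAttributeHandler writeHandler = new ReloadRequiredWriteAttributeHandler(attributes) {
                    /**
                     * Rejects a write that would leave the resource pointing at a provider name
                     * that exists in neither list.
                     */
                    @Override
                    protected void validateUpdatedModel(OperationContext operationContext, Resource resource) throws OperationFailedException {
                        ModelNode model = resource.getModel();
                        String policyName = operationContext.getCurrentAddress().getLastElement().getValue();
                        if (model.hasDefined(ElytronDescriptionConstants.DEFAULT_POLICY)) {
                            // NOTE(review): performRuntime resolves by the address value only and
                            // never consults default-policy; confirm which one is intended.
                            policyName = ElytronExtension.asStringIfDefined(operationContext, PolicyDefinitions.DEFAULT_POLICY, model);
                        }
                        // null builder: validate only, no service or alias is touched.
                        PolicyDefinitions.getPolicyProvider(operationContext, model, policyName, null);
                    }
                };
                for (AttributeDefinition attribute : attributes) {
                    managementResourceRegistration.registerReadWriteAttribute(attribute, (OperationStepHandler) null, writeHandler);
                }
            }
        };
    }

    /**
     * Resolves the provider named {@code str} from the resource model, consulting the
     * {@code jacc-policy} list first and the {@code custom-policy} list second.
     *
     * <p>Failures raised by the per-list helpers propagate as the declared
     * {@link OperationFailedException} so the controller reports them as operation failures
     * rather than as unexpected runtime errors.
     *
     * @param operationContext the current operation context
     * @param modelNode        the resource model holding both lists
     * @param str              the provider name to resolve
     * @param serviceBuilder   builder of the policy service, or {@code null} when only validating
     * @return a supplier that instantiates the selected policy
     * @throws OperationFailedException if no entry in either list carries that name, or if
     *                                  reading the model fails
     */
    public static Supplier<Policy> getPolicyProvider(OperationContext operationContext, ModelNode modelNode, String str, ServiceBuilder<Policy> serviceBuilder) throws OperationFailedException {
        Supplier<Policy> provider = configureJaccPolicy(operationContext, modelNode, str, serviceBuilder);
        if (provider == null) {
            provider = configureCustomPolicies(operationContext, modelNode, str);
        }
        if (provider == null) {
            throw new OperationFailedException("Could not find policy provider with name [" + str + "]");
        }
        return provider;
    }

    /**
     * Looks up {@code str} in the {@code custom-policy} list.
     *
     * @return a supplier that loads and instantiates the configured class from the configured
     *         module, or {@code null} when the list is undefined or has no entry with that name
     * @throws OperationFailedException if an attribute cannot be resolved from the model
     */
    private static Supplier<Policy> configureCustomPolicies(OperationContext operationContext, ModelNode modelNode, String str) throws OperationFailedException {
        ModelNode customPolicies = modelNode.get(ElytronDescriptionConstants.CUSTOM_POLICY);
        if (!customPolicies.isDefined()) {
            return null;
        }
        for (ModelNode entry : customPolicies.asList()) {
            if (!str.equals(ElytronExtension.asStringIfDefined(operationContext, CustomPolicyDefinition.NAME, entry))) {
                continue;
            }
            String className = ElytronExtension.asStringIfDefined(operationContext, CustomPolicyDefinition.CLASS_NAME, entry);
            String module = ElytronExtension.asStringIfDefined(operationContext, CustomPolicyDefinition.MODULE, entry);
            return () -> newPolicy(className, module);
        }
        return null;
    }

    /**
     * Looks up {@code str} in the {@code jacc-policy} list.
     *
     * <p>When an entry matches and {@code serviceBuilder} is non-null, the JACC policy capability
     * name is added as an alias of the policy service. The returned supplier, when invoked,
     * has JVM-wide side effects: it sets the JACC configuration-factory system property (if one
     * is configured) and registers three {@link PolicyContext} handlers with {@code replace=true},
     * displacing any handlers previously registered under the same keys.
     *
     * @return the supplier, or {@code null} when the list is undefined or has no entry with that name
     * @throws OperationFailedException if an attribute cannot be resolved from the model
     */
    private static Supplier<Policy> configureJaccPolicy(OperationContext operationContext, ModelNode modelNode, String str, ServiceBuilder<Policy> serviceBuilder) throws OperationFailedException {
        ModelNode jaccPolicies = modelNode.get(ElytronDescriptionConstants.JACC_POLICY);
        if (!jaccPolicies.isDefined()) {
            return null;
        }
        for (ModelNode entry : jaccPolicies.asList()) {
            if (!str.equals(ElytronExtension.asStringIfDefined(operationContext, JaccPolicyDefinition.NAME, entry))) {
                continue;
            }
            final String policyClass = ElytronExtension.asStringIfDefined(operationContext, JaccPolicyDefinition.POLICY_PROVIDER, entry);
            final String configurationFactoryClass = ElytronExtension.asStringIfDefined(operationContext, JaccPolicyDefinition.CONFIGURATION_FACTORY, entry);
            final String module = ElytronExtension.asStringIfDefined(operationContext, JaccPolicyDefinition.MODULE, entry);
            if (serviceBuilder != null) {
                serviceBuilder.addAliases(Capabilities.JACC_POLICY_RUNTIME_CAPABILITY.getCapabilityServiceName());
            }
            return new Supplier<Policy>() {
                @Override
                public Policy get() {
                    if (configurationFactoryClass != null) {
                        PrivilegedAction<Void> setProperty = setConfigurationProviderSystemProperty();
                        if (WildFlySecurityManager.isChecking()) {
                            AccessController.doPrivileged(setProperty);
                        } else {
                            setProperty.run();
                        }
                    }
                    // The property must be in place before the policy class runs any static init.
                    Policy newPolicy = PolicyDefinitions.newPolicy(policyClass, module);
                    try {
                        PolicyContext.registerHandler(SUBJECT_CONTEXT_KEY, createSubjectPolicyContextHandler(), true);
                        PolicyContext.registerHandler(CALLBACK_HANDLER_CONTEXT_KEY, createCallbackHandlerContextHandler(), true);
                        PolicyContext.registerHandler(SecurityIdentity.class.getName(), createSecurityIdentityContextHandler(), true);
                    } catch (PolicyContextException e) {
                        throw new RuntimeException("Failed to register policy context handlers.", e);
                    }
                    return newPolicy;
                }

                /** Action that publishes the configured factory class name as a system property. */
                private PrivilegedAction<Void> setConfigurationProviderSystemProperty() {
                    String factoryClass = configurationFactoryClass;
                    return () -> {
                        if (WildFlySecurityManager.isChecking()) {
                            WildFlySecurityManager.setPropertyPrivileged(JACC_CONFIGURATION_FACTORY_PROPERTY, factoryClass);
                        } else {
                            System.setProperty(JACC_CONFIGURATION_FACTORY_PROPERTY, factoryClass);
                        }
                        return null;
                    };
                }

                /**
                 * Handler exposing the current thread's Elytron {@link SecurityIdentity}, or
                 * {@code null} when no SecurityDomain or identity is current.
                 */
                private PolicyContextHandler createSecurityIdentityContextHandler() {
                    return new PolicyContextHandler() {
                        final String KEY = SecurityIdentity.class.getName();

                        @Override
                        public Object getContext(String str2, Object obj) throws PolicyContextException {
                            if (!supports(str2)) {
                                return null;
                            }
                            SecurityDomain current = SecurityDomain.getCurrent();
                            if (current == null) {
                                return null;
                            }
                            return current.getCurrentSecurityIdentity();
                        }

                        @Override
                        public String[] getKeys() throws PolicyContextException {
                            return new String[]{this.KEY};
                        }

                        /** Key comparison is case-insensitive, unlike the other two handlers. */
                        @Override
                        public boolean supports(String str2) throws PolicyContextException {
                            return getKeys()[0].equalsIgnoreCase(str2);
                        }
                    };
                }

                /** Thin delegate to the legacy callback-handler context handler. */
                private PolicyContextHandler createCallbackHandlerContextHandler() {
                    return new PolicyContextHandler() {
                        final CallbackHandlerPolicyContextHandler legacy = new CallbackHandlerPolicyContextHandler();

                        @Override
                        public Object getContext(String str2, Object obj) throws PolicyContextException {
                            return this.legacy.getContext(str2, obj);
                        }

                        @Override
                        public String[] getKeys() throws PolicyContextException {
                            return this.legacy.getKeys();
                        }

                        @Override
                        public boolean supports(String str2) throws PolicyContextException {
                            return this.legacy.supports(str2);
                        }
                    };
                }

                /**
                 * Handler serving the caller {@link Subject}: built from the current Elytron
                 * identity (looked up through {@link PolicyContext}, i.e. via the handler above)
                 * when one exists, otherwise delegated to the legacy handler.
                 */
                private PolicyContextHandler createSubjectPolicyContextHandler() {
                    return new PolicyContextHandler() {
                        final SubjectPolicyContextHandler legacy = new SubjectPolicyContextHandler();

                        @Override
                        public Object getContext(String str2, Object obj) throws PolicyContextException {
                            if (!supports(str2)) {
                                return null;
                            }
                            SecurityIdentity securityIdentity = (SecurityIdentity) PolicyContext.getContext(SecurityIdentity.class.getName());
                            if (securityIdentity == null) {
                                return this.legacy.getContext(str2, obj);
                            }
                            return SubjectUtil.fromSecurityIdentity(securityIdentity);
                        }

                        @Override
                        public String[] getKeys() throws PolicyContextException {
                            return this.legacy.getKeys();
                        }

                        @Override
                        public boolean supports(String str2) throws PolicyContextException {
                            return this.legacy.supports(str2);
                        }
                    };
                }
            };
        }
        return null;
    }

    /**
     * Instantiates a {@link Policy} implementation by class name.
     *
     * <p>The class is loaded through the class loader that
     * {@code ClassLoadingAttributeDefinitions.resolveClassLoader} returns for {@code str2} and
     * must expose a no-arg constructor. The {@link Policy} subtype check happens before
     * instantiation, so a misconfigured name never runs the constructor of an unrelated class.
     * Both values originate from the resource model, i.e. from management configuration.
     *
     * @param str  fully qualified class name of the policy implementation
     * @param str2 module identifier handed to {@code resolveClassLoader}
     * @return the new policy instance
     * @throws RuntimeException wrapping any loading, type or instantiation failure
     */
    public static Policy newPolicy(String str, String str2) {
        try {
            Class<? extends Policy> policyClass = ClassLoadingAttributeDefinitions.resolveClassLoader(str2).loadClass(str).asSubclass(Policy.class);
            return policyClass.getDeclaredConstructor().newInstance();
        } catch (Exception e) {
            throw new RuntimeException("Failed to create policy [" + str + "]", e);
        }
    }
}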
