package org.wildfly.security.auth.server;

import java.security.Principal;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.function.Function;
import java.util.function.UnaryOperator;
import org.wildfly.common.Assert;
import org.wildfly.security._private.ElytronMessages;
import org.wildfly.security.auth.AuthenticationException;
import org.wildfly.security.auth.permission.LoginPermission;
import org.wildfly.security.auth.principal.AnonymousPrincipal;
import org.wildfly.security.authz.AuthorizationException;
import org.wildfly.security.authz.AuthorizationIdentity;
import org.wildfly.security.authz.PermissionMapper;
import org.wildfly.security.authz.RoleDecoder;
import org.wildfly.security.authz.RoleMapper;
import org.wildfly.security.authz.Roles;
import org.wildfly.security.credential.Credential;
import org.wildfly.security.evidence.Evidence;
import org.wildfly.security.evidence.SecurityIdentityEvidence;
import org.wildfly.security.http.HttpConstants;
import org.wildfly.security.permission.ElytronPermission;
import org.wildfly.security.permission.PermissionVerifier;

/* loaded from: input_file:org/wildfly/security/auth/server/SecurityDomain.class */
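/**
 * A security domain: a set of named {@link SecurityRealm}s together with the name rewriters, realm mapper,
 * role mappers, permission mapper and principal decoder that are applied when an identity is looked up,
 * and a per-thread "current" {@link SecurityIdentity}.
 *
 * <p>Instances are created through {@link #builder()}. All configuration fields are {@code final} and are
 * copied from the {@link Builder} when {@link Builder#build()} runs.
 *
 * <p>This listing is decompiler output. Several methods below were package-private in the class file and
 * were widened to {@code public} by the decompiler; each one says so in its own documentation. They change
 * or expose authentication state and should be treated as internal API.
 */
public final class SecurityDomain {
    /** Permission checked by {@link Builder#build()} when a security manager is installed. */
    static final ElytronPermission CREATE_SECURITY_DOMAIN = new ElytronPermission("createSecurityDomain");

    private final Map<String, RealmInfo> realmMap;
    private final String defaultRealmName;
    private final NameRewriter preRealmRewriter;
    private final RealmMapper realmMapper;
    private final NameRewriter postRealmRewriter;
    private final ThreadLocal<SecurityIdentity> currentSecurityIdentity;
    private final RoleMapper roleMapper;
    private final PrincipalDecoder principalDecoder;
    private final SecurityIdentity anonymousIdentity;
    private final PermissionMapper permissionMapper;
    private final Map<String, RoleMapper> categoryRoleMappers;
    private final UnaryOperator<SecurityIdentity> securityIdentityTransformer;

    /* loaded from: input_file:org/wildfly/security/auth/server/SecurityDomain$Builder.class */
    /**
     * Single-use builder for a {@link SecurityDomain}. Once {@link #build()} has succeeded, every setter
     * throws the "builder already built" exception produced by {@link #assertNotBuilt()}.
     */
    public static final class Builder {
        private String defaultRealmName;
        private boolean built = false;
        private final HashMap<String, RealmBuilder> realms = new HashMap<>();
        private NameRewriter preRealmRewriter = NameRewriter.IDENTITY_REWRITER;
        private NameRewriter postRealmRewriter = NameRewriter.IDENTITY_REWRITER;
        private RealmMapper realmMapper = RealmMapper.DEFAULT_REALM_MAPPER;
        private RoleMapper roleMapper = RoleMapper.IDENTITY_ROLE_MAPPER;
        private PermissionMapper permissionMapper = PermissionMapper.EMPTY_PERMISSION_MAPPER;
        private PrincipalDecoder principalDecoder = PrincipalDecoder.DEFAULT;
        private Map<String, RoleMapper> categoryRoleMappers = Collections.emptyMap();
        private UnaryOperator<SecurityIdentity> securityIdentityTransformer = UnaryOperator.identity();

        Builder() {
        }

        /**
         * Sets the rewriter applied to a name before the realm is selected.
         *
         * @param nameRewriter the rewriter, must not be {@code null}
         * @return this builder
         */
        public Builder setPreRealmRewriter(NameRewriter nameRewriter) {
            Assert.checkNotNullParam("rewriter", nameRewriter);
            assertNotBuilt();
            this.preRealmRewriter = nameRewriter;
            return this;
        }

        /**
         * Sets the rewriter applied to a name after the realm has been selected.
         *
         * @param nameRewriter the rewriter, must not be {@code null}
         * @return this builder
         */
        public Builder setPostRealmRewriter(NameRewriter nameRewriter) {
            Assert.checkNotNullParam("rewriter", nameRewriter);
            assertNotBuilt();
            this.postRealmRewriter = nameRewriter;
            return this;
        }

        /**
         * Sets the mapper that chooses a realm name for a given name, principal and evidence.
         *
         * @param realmMapper the realm mapper, must not be {@code null}
         * @return this builder
         */
        public Builder setRealmMapper(RealmMapper realmMapper) {
            Assert.checkNotNullParam("realmMapper", realmMapper);
            assertNotBuilt();
            this.realmMapper = realmMapper;
            return this;
        }

        /**
         * Sets the domain-wide role mapper, which {@link SecurityDomain#mapRoles(SecurityIdentity)} applies
         * after the realm's own role mapper.
         *
         * @param roleMapper the role mapper, must not be {@code null}
         * @return this builder
         */
        public Builder setRoleMapper(RoleMapper roleMapper) {
            Assert.checkNotNullParam("roleMapper", roleMapper);
            assertNotBuilt();
            this.roleMapper = roleMapper;
            return this;
        }

        /**
         * Sets the mapper that turns a principal and its roles into a {@link PermissionVerifier}.
         * The default is {@link PermissionMapper#EMPTY_PERMISSION_MAPPER}.
         *
         * @param permissionMapper the permission mapper, must not be {@code null}
         * @return this builder
         */
        public Builder setPermissionMapper(PermissionMapper permissionMapper) {
            Assert.checkNotNullParam("permissionMapper", permissionMapper);
            assertNotBuilt();
            this.permissionMapper = permissionMapper;
            return this;
        }

        /**
         * Sets the decoder used by {@link SecurityDomain#mapPrincipal(Principal)} to obtain a name
         * from a principal.
         *
         * @param principalDecoder the decoder, must not be {@code null}
         * @return this builder
         */
        public Builder setPrincipalDecoder(PrincipalDecoder principalDecoder) {
            Assert.checkNotNullParam("principalDecoder", principalDecoder);
            assertNotBuilt();
            this.principalDecoder = principalDecoder;
            return this;
        }

        /**
         * Starts the definition of a realm. The realm is only registered with this builder once
         * {@link RealmBuilder#build()} is called on the returned object.
         *
         * @param name the realm name, must not be {@code null}
         * @param securityRealm the realm, must not be {@code null}
         * @return a builder for the realm's own settings
         */
        public RealmBuilder addRealm(String name, SecurityRealm securityRealm) {
            Assert.checkNotNullParam("name", name);
            // The parameter label is taken from HttpConstants.REALM exactly as the decompiled code does.
            Assert.checkNotNullParam(HttpConstants.REALM, securityRealm);
            assertNotBuilt();
            return new RealmBuilder(this, name, securityRealm);
        }

        /**
         * Registers a finished realm definition under its name.
         *
         * <p>NOTE(review): a second realm registered under the same name replaces the first without any
         * error, because this is a plain {@code Map.put}. Confirm that silent replacement is intended.
         *
         * @param realmBuilder the realm definition to register
         * @return this builder
         */
        Builder addRealm(RealmBuilder realmBuilder) {
            this.realms.put(realmBuilder.getName(), realmBuilder);
            return this;
        }

        /**
         * @return the configured default realm name, or {@code null} if none has been set yet
         */
        public String getDefaultRealmName() {
            return this.defaultRealmName;
        }

        /**
         * Sets the realm used whenever a lookup names a realm that is not registered or the realm mapper
         * returns no mapping. {@link #build()} fails if no realm with this name was added.
         *
         * @param defaultRealmName the realm name, must not be {@code null}
         * @return this builder
         */
        public Builder setDefaultRealmName(String defaultRealmName) {
            Assert.checkNotNullParam("defaultRealmName", defaultRealmName);
            assertNotBuilt();
            this.defaultRealmName = defaultRealmName;
            return this;
        }

        /**
         * @return the map most recently passed to {@link #setCategoryRoleMappers(Map)} (the same instance,
         *         not a copy), or an empty map if none was set
         */
        public Map<String, RoleMapper> getCategoryRoleMappers() {
            return this.categoryRoleMappers;
        }

        /**
         * Sets the per-category role mappers. The map is stored by reference here and copied when the
         * domain is constructed, so changes made to it before {@link #build()} are still picked up.
         *
         * @param categoryRoleMappers the mappers keyed by category name, must not be {@code null}
         */
        public void setCategoryRoleMappers(Map<String, RoleMapper> categoryRoleMappers) {
            Assert.checkNotNullParam("categoryRoleMappers", categoryRoleMappers);
            // Reject changes after build() like every other setter; the built domain has already taken
            // its copy, so a late change would otherwise be accepted and silently ignored.
            assertNotBuilt();
            this.categoryRoleMappers = categoryRoleMappers;
        }

        /**
         * Sets a function applied to every identity passed to {@link SecurityDomain#transform(SecurityIdentity)}
         * and to the anonymous identity when the domain is constructed. The function must not return
         * {@code null}; the result is checked with {@code Assert.assertNotNull}.
         *
         * @param securityIdentityTransformer the transformer, must not be {@code null}
         * @return this builder
         */
        public Builder setSecurityIdentityTransformer(UnaryOperator<SecurityIdentity> securityIdentityTransformer) {
            Assert.checkNotNullParam("securityIdentityTransformer", securityIdentityTransformer);
            // Same reasoning as setCategoryRoleMappers: a transformer set after build() would never run.
            assertNotBuilt();
            this.securityIdentityTransformer = securityIdentityTransformer;
            return this;
        }

        /**
         * Creates the security domain.
         *
         * <p>When a security manager is installed the caller needs {@link SecurityDomain#CREATE_SECURITY_DOMAIN}.
         * A default realm name must have been set and a realm with that name must have been added.
         *
         * @return the new domain
         */
        public SecurityDomain build() {
            final SecurityManager securityManager = System.getSecurityManager();
            if (securityManager != null) {
                securityManager.checkPermission(SecurityDomain.CREATE_SECURITY_DOMAIN);
            }
            final String defaultRealm = this.defaultRealmName;
            Assert.checkNotNullParam("defaultRealmName", defaultRealm);
            final LinkedHashMap<String, RealmInfo> realmInfos = new LinkedHashMap<>(this.realms.size());
            for (RealmBuilder realmBuilder : this.realms.values()) {
                realmInfos.put(realmBuilder.getName(), new RealmInfo(realmBuilder));
            }
            // getRealmInfo() falls back to the default realm, so that realm has to exist.
            if (!realmInfos.containsKey(defaultRealm)) {
                throw ElytronMessages.log.realmMapDoesNotContainDefault(defaultRealm);
            }
            assertNotBuilt();
            this.built = true;
            return new SecurityDomain(this, realmInfos);
        }

        /**
         * Throws the exception built by {@code ElytronMessages.log.builderAlreadyBuilt()} if
         * {@link #build()} has already completed.
         */
        void assertNotBuilt() {
            if (this.built) {
                throw ElytronMessages.log.builderAlreadyBuilt();
            }
        }
    }

    /* loaded from: input_file:org/wildfly/security/auth/server/SecurityDomain$RealmBuilder.class */
    /**
     * Builder for the settings of one realm inside a {@link Builder}: its role mapper, name rewriter and
     * role decoder.
     *
     * <p>NOTE(review): the {@code built} flag is initialised to {@code false} and nothing in this class
     * sets it, so in practice only the parent builder's state blocks further changes. {@link #build()}
     * can be called repeatedly and the setters keep working after it until the parent is built. Left as
     * is because callers may rely on configuring the realm after registering it.
     */
    public static class RealmBuilder {
        private final Builder parent;
        private final String name;
        private final SecurityRealm realm;
        private RoleMapper roleMapper = RoleMapper.IDENTITY_ROLE_MAPPER;
        private NameRewriter nameRewriter = NameRewriter.IDENTITY_REWRITER;
        private RoleDecoder roleDecoder = RoleDecoder.DEFAULT;
        private boolean built = false;

        RealmBuilder(Builder parent, String name, SecurityRealm realm) {
            this.parent = parent;
            this.name = name;
            this.realm = realm;
        }

        /** @return the realm name given to {@link Builder#addRealm(String, SecurityRealm)} */
        public String getName() {
            return this.name;
        }

        /** @return the realm given to {@link Builder#addRealm(String, SecurityRealm)} */
        public SecurityRealm getRealm() {
            return this.realm;
        }

        /** @return the realm-level role mapper */
        public RoleMapper getRoleMapper() {
            return this.roleMapper;
        }

        /**
         * Sets the realm-level role mapper, which {@link SecurityDomain#mapRoles(SecurityIdentity)} applies
         * to the decoded roles before the domain-wide mapper.
         *
         * @param roleMapper the role mapper, must not be {@code null}
         * @return this realm builder
         */
        public RealmBuilder setRoleMapper(RoleMapper roleMapper) {
            assertNotBuilt();
            Assert.checkNotNullParam("roleMapper", roleMapper);
            this.roleMapper = roleMapper;
            return this;
        }

        /** @return the realm-level name rewriter */
        public NameRewriter getNameRewriter() {
            return this.nameRewriter;
        }

        /**
         * Sets the realm-level name rewriter.
         *
         * @param nameRewriter the rewriter, must not be {@code null}
         * @return this realm builder
         */
        public RealmBuilder setNameRewriter(NameRewriter nameRewriter) {
            Assert.checkNotNullParam("nameRewriter", nameRewriter);
            assertNotBuilt();
            this.nameRewriter = nameRewriter;
            return this;
        }

        /** @return the decoder that extracts roles from an authorization identity */
        public RoleDecoder getRoleDecoder() {
            return this.roleDecoder;
        }

        /**
         * Sets the decoder that extracts roles from an authorization identity.
         *
         * @param roleDecoder the decoder, must not be {@code null}
         * @return this realm builder
         */
        public RealmBuilder setRoleDecoder(RoleDecoder roleDecoder) {
            Assert.checkNotNullParam("roleDecoder", roleDecoder);
            assertNotBuilt();
            this.roleDecoder = roleDecoder;
            return this;
        }

        /**
         * Registers this realm with the parent builder.
         *
         * @return the parent domain builder
         */
        public Builder build() {
            assertNotBuilt();
            return this.parent.addRealm(this);
        }

        private void assertNotBuilt() {
            this.parent.assertNotBuilt();
            if (this.built) {
                throw ElytronMessages.log.builderAlreadyBuilt();
            }
        }
    }

    /**
     * Copies the configuration out of the builder and creates the anonymous identity.
     *
     * @param builder the builder holding the configuration
     * @param realmInfos the realms keyed by name; stored as passed, not copied
     */
    SecurityDomain(Builder builder, LinkedHashMap<String, RealmInfo> realmInfos) {
        this.realmMap = realmInfos;
        this.defaultRealmName = builder.defaultRealmName;
        this.preRealmRewriter = builder.preRealmRewriter;
        this.realmMapper = builder.realmMapper;
        this.roleMapper = builder.roleMapper;
        this.permissionMapper = builder.permissionMapper;
        this.postRealmRewriter = builder.postRealmRewriter;
        this.principalDecoder = builder.principalDecoder;
        this.securityIdentityTransformer = builder.securityIdentityTransformer;

        // Snapshot the caller-supplied map so later changes to it cannot alter role mapping in a built
        // domain. The empty and single-entry snapshots are immutable already; the general case is
        // wrapped so that all three behave the same when handed out by getCategoryRoleMappers().
        final Map<String, RoleMapper> configured = builder.categoryRoleMappers;
        final Map<String, RoleMapper> snapshot;
        if (configured.isEmpty()) {
            snapshot = Collections.emptyMap();
        } else if (configured.size() == 1) {
            final Map.Entry<String, RoleMapper> only = configured.entrySet().iterator().next();
            snapshot = Collections.singletonMap(only.getKey(), only.getValue());
        } else {
            snapshot = Collections.unmodifiableMap(new LinkedHashMap<String, RoleMapper>(configured));
        }
        this.categoryRoleMappers = snapshot;

        // The anonymous identity goes through the configured transformer like any other identity.
        this.anonymousIdentity = (SecurityIdentity) Assert.assertNotNull(this.securityIdentityTransformer.apply(
                new SecurityIdentity(this, AnonymousPrincipal.getInstance(), new RealmInfo(), AuthorizationIdentity.EMPTY, snapshot)));
        // A thread that never had an identity set sees the anonymous identity.
        this.currentSecurityIdentity = ThreadLocal.withInitial(() -> this.anonymousIdentity);
    }

    /** @return a new, empty {@link Builder} */
    public static Builder builder() {
        return new Builder();
    }

    /**
     * Creates an authentication context for this domain with {@link MechanismConfiguration#EMPTY}.
     *
     * @return the new context
     */
    public ServerAuthenticationContext createNewAuthenticationContext() {
        return new ServerAuthenticationContext(this, MechanismConfiguration.EMPTY);
    }

    /**
     * Creates an authentication context for this domain.
     *
     * @param mechanismConfiguration the mechanism configuration handed to the context
     * @return the new context
     */
    public ServerAuthenticationContext createNewAuthenticationContext(MechanismConfiguration mechanismConfiguration) {
        return new ServerAuthenticationContext(this, mechanismConfiguration);
    }

    /**
     * Looks up the realm identity for a name.
     *
     * <p>The name is passed through the pre-realm rewriter, the realm is chosen by the realm mapper (with
     * no principal and no evidence), the name is passed through the post-realm rewriter, and the chosen
     * realm is asked for the identity. A rewriter returning {@code null} rejects the name. The rewriter
     * configured on the individual realm through {@link RealmBuilder} is not consulted on this path.
     *
     * @param name the name to look up, must not be {@code null}
     * @return the identity handle returned by the realm
     * @throws RealmUnavailableException if thrown by the realm lookup
     */
    public RealmIdentity mapName(String name) throws RealmUnavailableException {
        Assert.checkNotNullParam("name", name);
        final String preRealmName = this.preRealmRewriter.rewriteName(name);
        if (preRealmName == null) {
            throw ElytronMessages.log.invalidName();
        }
        final SecurityRealm realm = getRealm(mapRealmName(preRealmName, null, null));
        assert realm != null;
        final String postRealmName = this.postRealmRewriter.rewriteName(preRealmName);
        if (postRealmName == null) {
            throw ElytronMessages.log.invalidName();
        }
        return realm.getRealmIdentity(postRealmName, null, null);
    }

    /**
     * Looks up the realm identity for a principal by decoding it to a name and delegating to
     * {@link #mapName(String)}.
     *
     * @param principal the principal, must not be {@code null}
     * @return the identity handle returned by the realm
     * @throws RealmUnavailableException if thrown by the realm lookup
     * @throws IllegalArgumentException declared by the original signature; the decoder-returned-null case
     *         throws whatever {@code ElytronMessages.log.unrecognizedPrincipalType} builds
     */
    public RealmIdentity mapPrincipal(Principal principal) throws RealmUnavailableException, IllegalArgumentException {
        Assert.checkNotNullParam("principal", principal);
        final String name = this.principalDecoder.getName(principal);
        if (name == null) {
            throw ElytronMessages.log.unrecognizedPrincipalType(principal);
        }
        return mapName(name);
    }

    /**
     * @param realmName the realm name
     * @return the realm registered under that name, or the default realm if there is none
     */
    SecurityRealm getRealm(String realmName) {
        return getRealmInfo(realmName).getSecurityRealm();
    }

    /**
     * Returns the realm settings for a realm name.
     *
     * <p>An unknown name does not fail: it resolves to the default realm. Callers that need to tell an
     * unknown realm from the default one have to check the name themselves.
     *
     * <p>Package-private in the class file; widened to {@code public} by the decompiler.
     *
     * @param realmName the realm name
     * @return the matching realm info, or the default realm's info
     */
    public RealmInfo getRealmInfo(String realmName) {
        final RealmInfo named = this.realmMap.get(realmName);
        return named != null ? named : this.realmMap.get(this.defaultRealmName);
    }

    /**
     * Returns all realm settings. This is the live {@code values()} view of the internal realm map, not
     * a copy.
     *
     * <p>Package-private in the class file; widened to {@code public} by the decompiler.
     *
     * @return the realm infos
     */
    public Collection<RealmInfo> getRealmInfos() {
        return this.realmMap.values();
    }

    /**
     * Combines, over all realms, the level of support for acquiring the given credential type.
     * A realm that throws {@link RealmUnavailableException} is left out of the result.
     *
     * @param credentialType the credential class
     * @param algorithmName the algorithm name passed through to each realm, may be {@code null}
     * @return the combined level, {@link SupportLevel#UNSUPPORTED} if no realm answered
     */
    public SupportLevel getCredentialAcquireSupport(Class<? extends Credential> credentialType, String algorithmName) {
        return getSupportLevel(securityRealm -> {
            try {
                return securityRealm.getCredentialAcquireSupport(credentialType, algorithmName);
            } catch (RealmUnavailableException ignored) {
                // Best effort: an unavailable realm contributes no answer rather than failing the query.
                return null;
            }
        });
    }

    /**
     * Same as {@link #getCredentialAcquireSupport(Class, String)} with a {@code null} algorithm name.
     *
     * @param credentialType the credential class
     * @return the combined level
     */
    public SupportLevel getCredentialAcquireSupport(Class<? extends Credential> credentialType) {
        return getCredentialAcquireSupport(credentialType, null);
    }

    /**
     * Combines, over all realms, the level of support for verifying the given evidence type.
     * A realm that throws {@link RealmUnavailableException} is left out of the result.
     *
     * @param evidenceType the evidence class
     * @param algorithmName the algorithm name passed through to each realm, may be {@code null}
     * @return the combined level, {@link SupportLevel#UNSUPPORTED} if no realm answered
     */
    public SupportLevel getEvidenceVerifySupport(Class<? extends Evidence> evidenceType, String algorithmName) {
        return getSupportLevel(securityRealm -> {
            try {
                return securityRealm.getEvidenceVerifySupport(evidenceType, algorithmName);
            } catch (RealmUnavailableException ignored) {
                // Best effort: an unavailable realm contributes no answer rather than failing the query.
                return null;
            }
        });
    }

    /**
     * Same as {@link #getEvidenceVerifySupport(Class, String)} with a {@code null} algorithm name.
     *
     * @param evidenceType the evidence class
     * @return the combined level
     */
    public SupportLevel getEvidenceVerifySupport(Class<? extends Evidence> evidenceType) {
        return getEvidenceVerifySupport(evidenceType, null);
    }

    /**
     * Asks every realm for a support level, tracks the smallest and largest answer by
     * {@code compareTo}, and folds the pair with {@link #minMax(SupportLevel, SupportLevel)}.
     *
     * @param query returns a realm's support level, or {@code null} when the realm has no answer
     * @return the combined level, {@link SupportLevel#UNSUPPORTED} if every realm returned {@code null}
     */
    private SupportLevel getSupportLevel(Function<SecurityRealm, SupportLevel> query) {
        SupportLevel lowest = null;
        SupportLevel highest = null;
        for (RealmInfo realmInfo : this.realmMap.values()) {
            final SupportLevel level = query.apply(realmInfo.getSecurityRealm());
            if (level == null) {
                continue;
            }
            if (lowest == null || highest == null) {
                lowest = level;
                highest = level;
            } else {
                if (level.compareTo(lowest) < 0) {
                    lowest = level;
                }
                if (level.compareTo(highest) > 0) {
                    highest = level;
                }
            }
        }
        if (lowest == null || highest == null) {
            return SupportLevel.UNSUPPORTED;
        }
        return minMax(lowest, highest);
    }

    /**
     * Folds the lowest and highest realm answers into one level: identical answers are returned as is,
     * a highest answer of {@code UNSUPPORTED} yields {@code UNSUPPORTED}, a lowest answer of
     * {@code SUPPORTED} yields {@code SUPPORTED}, and anything else yields {@code POSSIBLY_SUPPORTED}.
     */
    private SupportLevel minMax(SupportLevel min, SupportLevel max) {
        if (min == max) {
            return min;
        }
        if (max == SupportLevel.UNSUPPORTED) {
            return SupportLevel.UNSUPPORTED;
        }
        if (min == SupportLevel.SUPPORTED) {
            return SupportLevel.SUPPORTED;
        }
        return SupportLevel.POSSIBLY_SUPPORTED;
    }

    /**
     * @return the identity associated with the calling thread, or the anonymous identity if none is set
     */
    public SecurityIdentity getCurrentSecurityIdentity() {
        final SecurityIdentity current = this.currentSecurityIdentity.get();
        return current == null ? this.anonymousIdentity : current;
    }

    /** @return this domain's anonymous identity */
    public SecurityIdentity getAnonymousSecurityIdentity() {
        return this.anonymousIdentity;
    }

    /**
     * Same as {@link #inflowFromSecurityIdentity(SecurityIdentity, MechanismConfiguration)} with
     * {@link MechanismConfiguration#EMPTY}.
     *
     * @param securityIdentity the identity established in another domain
     * @return the corresponding identity in this domain
     * @throws AuthenticationException if the identity is not trusted or a realm is unavailable
     * @throws AuthorizationException if the identity is not authorized to log in
     */
    public SecurityIdentity inflowFromSecurityIdentity(SecurityIdentity securityIdentity) throws AuthenticationException, AuthorizationException {
        return inflowFromSecurityIdentity(securityIdentity, MechanismConfiguration.EMPTY);
    }

    /**
     * Brings an identity established in another security domain into this one.
     *
     * <p>An identity that already belongs to this domain is returned unchanged, and an anonymous
     * principal maps to this domain's anonymous identity. Any other identity is accepted only if this
     * domain can verify it as {@link SecurityIdentityEvidence} and the resulting identity passes
     * {@code authorize()}. Trust in the foreign domain is therefore decided by the realms configured
     * here, not by the caller. On every failure path the authentication context is failed before the
     * exception propagates.
     *
     * @param securityIdentity the identity established in another domain, must not be {@code null}
     * @param mechanismConfiguration the mechanism configuration for the authentication context
     * @return the corresponding identity in this domain
     * @throws AuthenticationException if the identity is not trusted or a realm is unavailable
     * @throws AuthorizationException if the identity is not authorized to log in
     */
    public SecurityIdentity inflowFromSecurityIdentity(SecurityIdentity securityIdentity, MechanismConfiguration mechanismConfiguration) throws AuthenticationException, AuthorizationException {
        Assert.checkNotNullParam("securityIdentity", securityIdentity);
        if (this == securityIdentity.getSecurityDomain()) {
            return securityIdentity;
        }
        final SecurityIdentityEvidence evidence = new SecurityIdentityEvidence(securityIdentity);
        final Principal principal = evidence.getPrincipal();
        if (principal instanceof AnonymousPrincipal) {
            return getAnonymousSecurityIdentity();
        }
        final ServerAuthenticationContext context = createNewAuthenticationContext(mechanismConfiguration);
        // Stays false until the authorized identity is in hand, so that every exceptional exit below
        // (including one raised by succeed() or getAuthorizedIdentity()) fails the context.
        boolean ok = false;
        try {
            if (!context.getEvidenceVerifySupport(SecurityIdentityEvidence.class, null).mayBeSupported() || !context.verifyEvidence(evidence)) {
                throw ElytronMessages.log.establishedIdentityNotTrusted(principal);
            }
            if (!context.authorize()) {
                throw ElytronMessages.log.inflowedIdentityNotAuthorized(principal, context.getAuthenticationPrincipal(), new LoginPermission());
            }
            context.succeed();
            final SecurityIdentity authorizedIdentity = context.getAuthorizedIdentity();
            ok = true;
            return authorizedIdentity;
        } catch (RealmUnavailableException e) {
            throw ElytronMessages.log.establishedIdentityNotTrustedRealmProblem(e, principal);
        } finally {
            if (!ok) {
                context.fail();
            }
        }
    }

    /**
     * Replaces the calling thread's identity for this domain and returns the one that was in effect.
     *
     * <p>Package-private in the class file; widened to {@code public} by the decompiler. It swaps the
     * identity every later check on this thread is made against, so it should stay reachable only from
     * code that has already authenticated the new identity and that restores the returned value.
     *
     * @param securityIdentity the identity to install
     * @return the previous identity, or the anonymous identity if none was set
     */
    public SecurityIdentity getAndSetCurrentSecurityIdentity(SecurityIdentity securityIdentity) {
        final SecurityIdentity previous = this.currentSecurityIdentity.get();
        setCurrentSecurityIdentity(securityIdentity);
        return previous == null ? this.anonymousIdentity : previous;
    }

    /**
     * Replaces the calling thread's identity for this domain. Installing the anonymous identity clears
     * the thread-local instead of storing a value.
     *
     * <p>Package-private in the class file; widened to {@code public} by the decompiler. See
     * {@link #getAndSetCurrentSecurityIdentity(SecurityIdentity)} for why it should stay internal.
     *
     * @param securityIdentity the identity to install
     */
    public void setCurrentSecurityIdentity(SecurityIdentity securityIdentity) {
        if (securityIdentity == this.anonymousIdentity) {
            this.currentSecurityIdentity.remove();
        } else {
            this.currentSecurityIdentity.set(securityIdentity);
        }
    }

    /**
     * Computes the roles of an identity: the identity's realm decodes roles from the authorization
     * identity, the realm's role mapper is applied, then the domain-wide role mapper.
     *
     * <p>Package-private in the class file; widened to {@code public} by the decompiler.
     *
     * @param securityIdentity the identity, must not be {@code null}
     * @return the mapped roles
     */
    public Roles mapRoles(SecurityIdentity securityIdentity) {
        Assert.checkNotNullParam("securityIdentity", securityIdentity);
        final AuthorizationIdentity authorizationIdentity = securityIdentity.getAuthorizationIdentity();
        final RealmInfo realmInfo = securityIdentity.getRealmInfo();
        final Roles decoded = realmInfo.getRoleDecoder().decodeRoles(authorizationIdentity);
        final Roles realmMapped = realmInfo.getRoleMapper().mapRoles(decoded);
        return this.roleMapper.mapRoles(realmMapped);
    }

    /**
     * Computes the permission verifier of an identity from its principal and roles.
     *
     * <p>Package-private in the class file; widened to {@code public} by the decompiler.
     *
     * @param securityIdentity the identity, must not be {@code null}
     * @return the verifier produced by the configured permission mapper
     */
    public PermissionVerifier mapPermissions(SecurityIdentity securityIdentity) {
        Assert.checkNotNullParam("securityIdentity", securityIdentity);
        return this.permissionMapper.mapPermissions(securityIdentity.getPrincipal(), securityIdentity.getRoles());
    }

    /**
     * Package-private in the class file; widened to {@code public} by the decompiler.
     *
     * @return the rewriter applied before realm selection
     */
    public NameRewriter getPreRealmRewriter() {
        return this.preRealmRewriter;
    }

    /**
     * Asks the realm mapper for a realm name and falls back to the default realm name when the mapper
     * returns {@code null}.
     *
     * <p>Package-private in the class file; widened to {@code public} by the decompiler.
     *
     * @param name the (rewritten) name being looked up
     * @param principal the principal, may be {@code null}
     * @param evidence the evidence, may be {@code null}
     * @return the realm name to use, never {@code null} for a domain created by {@link Builder#build()}
     */
    public String mapRealmName(String name, Principal principal, Evidence evidence) {
        final String mapped = this.realmMapper.getRealmMapping(name, principal, evidence);
        return mapped != null ? mapped : this.defaultRealmName;
    }

    /**
     * Package-private in the class file; widened to {@code public} by the decompiler.
     *
     * @return the default realm name
     */
    public String getDefaultRealmName() {
        return this.defaultRealmName;
    }

    /**
     * Package-private in the class file; widened to {@code public} by the decompiler.
     *
     * @return the realm mapper
     */
    public RealmMapper getRealmMapper() {
        return this.realmMapper;
    }

    /**
     * Package-private in the class file; widened to {@code public} by the decompiler.
     *
     * @return the rewriter applied after realm selection
     */
    public NameRewriter getPostRealmRewriter() {
        return this.postRealmRewriter;
    }

    /** @return the domain-wide role mapper */
    RoleMapper getRoleMapper() {
        return this.roleMapper;
    }

    /**
     * Package-private in the class file; widened to {@code public} by the decompiler.
     *
     * @return the principal decoder
     */
    public PrincipalDecoder getPrincipalDecoder() {
        return this.principalDecoder;
    }

    /**
     * Returns the per-category role mappers captured at construction. The map is read-only.
     *
     * <p>Package-private in the class file; widened to {@code public} by the decompiler.
     *
     * @return the role mappers keyed by category name
     */
    public Map<String, RoleMapper> getCategoryRoleMappers() {
        return this.categoryRoleMappers;
    }

    /**
     * Applies the configured identity transformer and rejects a {@code null} result.
     *
     * <p>Package-private in the class file; widened to {@code public} by the decompiler.
     *
     * @param securityIdentity the identity to transform, must not be {@code null}
     * @return the transformed identity
     */
    public SecurityIdentity transform(SecurityIdentity securityIdentity) {
        Assert.checkNotNullParam("securityIdentity", securityIdentity);
        return (SecurityIdentity) Assert.assertNotNull(this.securityIdentityTransformer.apply(securityIdentity));
    }
}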
