package org.jboss.as.controller.access.rbac;

import java.security.Permission;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.WeakHashMap;
import org.jboss.as.controller.ControllerLogger;
import org.jboss.as.controller.access.Action;
import org.jboss.as.controller.access.Caller;
import org.jboss.as.controller.access.Environment;
import org.jboss.as.controller.access.TargetAttribute;
import org.jboss.as.controller.access.TargetResource;

/* loaded from: input_file:org/jboss/as/controller/access/rbac/ConfigurableRoleMapper.class */
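/**
 * {@link RoleMapper} whose role definitions are configured at runtime.
 *
 * <p>Each configured {@link Role} carries an include set and an exclude set of
 * {@link Principal}s. A caller is mapped to a role when it matches an include
 * entry and matches no exclude entry; an exclude match always wins. When
 * {@code useRealmRoles} is set, roles reported by the caller itself
 * ({@code Caller.getAssociatedRoles()}) are accepted as well, subject to the
 * exclude set of a same-named configured role if one exists.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>A caller without a Subject is mapped to {@code SUPERUSER}. The only gate is
 *       {@link #checkPermission(Permission)}, which does nothing when no
 *       {@link SecurityManager} is installed.</li>
 *   <li>With {@code useRealmRoles}, a realm-supplied role that has no configured
 *       mapping is granted as-is (upper-cased); there is no exclude set to consult.</li>
 * </ul>
 *
 * <p>Concurrency: {@code roles} and the per-role sets are volatile references that the
 * synchronized mutators replace with modified copies, so readers see a consistent
 * snapshot. The {@code *Immediate} variants mutate the live collections in place without
 * synchronization.
 * NOTE(review): presumably the {@code *Immediate} variants are only called while no other
 * thread can be mapping roles (e.g. during boot) — confirm against callers.
 */
public class ConfigurableRoleMapper implements RoleMapper {
    /** Role granted to calls that carry no Subject (in-VM calls). */
    private static final String IN_VM_ROLE = StandardRole.SUPERUSER.toString();
    /** Permission checked before {@link #IN_VM_ROLE} is granted to a Subject-less call. */
    private static final RunAsRolePermission RUN_AS_IN_VM_ROLE = new RunAsRolePermission(IN_VM_ROLE);
    /** Configured roles keyed by role name; replaced wholesale by the synchronized mutators. */
    private volatile HashMap<String, Role> roles = new HashMap<>();
    /**
     * Roles taken out by {@link #removeRole(String)}, keyed by the opaque handle returned to the
     * caller. Keys are held weakly, so an entry disappears once the handle is no longer referenced.
     */
    private final Map<Object, Role> removedRoles = new WeakHashMap<>();
    /** Whether roles reported by the caller's realm are honoured in {@link #mapRoles(Caller)}. */
    private volatile boolean useRealmRoles;

    /* loaded from: input_file:org/jboss/as/controller/access/rbac/ConfigurableRoleMapper$MatchType.class */
    /** Which of a role's two principal sets an entry belongs to. */
    public enum MatchType {
        EXCLUDE,
        INCLUDE
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/jboss/as/controller/access/rbac/ConfigurableRoleMapper$Principal.class */
    /**
     * Immutable (type, name, optional realm) triple used as an include/exclude entry.
     * A {@code null} realm means the entry matches the name in any realm.
     */
    public final class Principal {
        private final PrincipalType type;
        private final String realm;
        private final String name;
        private final int hashCode;

        /**
         * @param principalType user or group; must not be {@code null}
         * @param principalName account or group name; must not be {@code null}
         * @param realmName realm the entry is restricted to, or {@code null} for any realm
         */
        private Principal(PrincipalType principalType, String principalName, String realmName) {
            this.type = principalType;
            this.name = principalName;
            this.realm = realmName;
            // Combine additively: GROUP is declared first (ordinal 0), so multiplying by the
            // ordinal would hash every group principal to 0 and degrade the HashSets holding them.
            int hash = principalType.ordinal();
            hash = 31 * hash + principalName.hashCode();
            hash = 31 * hash + (realmName == null ? 0 : realmName.hashCode());
            this.hashCode = hash;
        }

        public PrincipalType getType() {
            return this.type;
        }

        public String getRealm() {
            return this.realm;
        }

        public String getName() {
            return this.name;
        }

        @Override
        public int hashCode() {
            return this.hashCode;
        }

        @Override
        public boolean equals(Object obj) {
            return obj instanceof Principal && equals((Principal) obj);
        }

        /**
         * Typed equality: same type, same name and same realm (both {@code null} counts as same).
         *
         * @param principal the principal to compare with; {@code null} compares unequal
         * @return {@code true} when all three components match
         */
        public boolean equals(Principal principal) {
            if (principal == null) {
                return false;
            }
            if (this.type != principal.type || !this.name.equals(principal.name)) {
                return false;
            }
            return this.realm == null ? principal.realm == null : this.realm.equals(principal.realm);
        }

        @Override
        public String toString() {
            return "Principal [type=" + this.type + ", realm=" + this.realm + ", name=" + this.name + "]";
        }
    }

    /* loaded from: input_file:org/jboss/as/controller/access/rbac/ConfigurableRoleMapper$PrincipalType.class */
    /** Kind of identity a {@link Principal} entry refers to. */
    public enum PrincipalType {
        GROUP,
        USER
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/jboss/as/controller/access/rbac/ConfigurableRoleMapper$Role.class */
    /**
     * A named role with its include and exclude principal sets.
     * The synchronized mutators replace the sets with modified copies; readers iterate
     * whichever set instance they obtained.
     */
    public class Role {
        private final String name;
        private volatile HashSet<Principal> includes;
        private volatile HashSet<Principal> excludes;

        private Role(String roleName) {
            this.includes = new HashSet<>();
            this.excludes = new HashSet<>();
            this.name = roleName;
        }

        /* JADX INFO: Access modifiers changed from: private */
        public String getName() {
            return this.name;
        }

        @Override
        public String toString() {
            StringBuilder sb = new StringBuilder("[Role name='" + this.name + "' ");
            sb.append("{Includes = ");
            for (Principal included : this.includes) {
                sb.append(included.toString());
            }
            sb.append("}");
            sb.append("{Excludes = ");
            for (Principal excluded : this.excludes) {
                sb.append(excluded.toString());
            }
            sb.append("}");
            sb.append("]");
            return sb.toString();
        }

        /* JADX INFO: Access modifiers changed from: private */
        /**
         * Adds a principal directly to the live set, without copying and without synchronization.
         * NOTE(review): a concurrent {@code mapRoles} call may iterate the same HashSet — confirm
         * callers only use this while the mapper is not yet in use.
         *
         * @return {@code true} if the set did not already contain the principal
         */
        public boolean addPrincipalImmediate(Principal principal, MatchType matchType) {
            HashSet<Principal> target = getSet(matchType, true);
            try {
                return target.add(principal);
            } finally {
                // No-op for the immediate path; kept so both add variants share one shape.
                setSet(target, matchType, true);
            }
        }

        /* JADX INFO: Access modifiers changed from: private */
        /**
         * Adds a principal by publishing a modified copy of the selected set.
         *
         * @return {@code true} if the set did not already contain the principal
         */
        public synchronized boolean addPrincipal(Principal principal, MatchType matchType) {
            HashSet<Principal> copy = getSet(matchType, false);
            try {
                return copy.add(principal);
            } finally {
                setSet(copy, matchType, false);
            }
        }

        /* JADX INFO: Access modifiers changed from: private */
        /**
         * Removes a principal by publishing a modified copy of the selected set.
         *
         * @return {@code true} if the principal was present
         */
        public synchronized boolean removePrincipal(Principal principal, MatchType matchType) {
            HashSet<Principal> copy = getSet(matchType, false);
            try {
                return copy.remove(principal);
            } finally {
                setSet(copy, matchType, false);
            }
        }

        /* JADX INFO: Access modifiers changed from: private */
        /** @return the include entry the caller matches, or {@code null} if none. */
        public Principal isIncluded(Caller caller) {
            return isInSet(caller, this.includes);
        }

        /* JADX INFO: Access modifiers changed from: private */
        /** @return the exclude entry the caller matches, or {@code null} if none. */
        public Principal isExcluded(Caller caller) {
            return isInSet(caller, this.excludes);
        }

        /**
         * Finds the first entry in {@code entries} that matches the caller.
         *
         * <p>A USER entry matches on the caller's account name, a GROUP entry on membership of the
         * caller's associated groups. An entry with a realm additionally requires the caller's
         * realm to be equal; an entry without a realm matches regardless of realm. The caller's
         * name, realm and groups are fetched lazily and reused across entries.
         *
         * @return the matching entry, or {@code null} when nothing matches
         */
        private Principal isInSet(Caller caller, HashSet<Principal> entries) {
            String accountName = null;
            String realmName = null;
            Set<String> groups = null;
            for (Principal entry : entries) {
                boolean nameMatches;
                switch (entry.getType()) {
                    case USER:
                        accountName = getAccountName(caller, accountName);
                        nameMatches = entry.getName().equals(accountName);
                        break;
                    case GROUP:
                        groups = getGroups(caller, groups);
                        nameMatches = groups.contains(entry.getName());
                        break;
                    default:
                        nameMatches = false;
                        break;
                }
                if (!nameMatches) {
                    continue;
                }
                String requiredRealm = entry.getRealm();
                if (requiredRealm == null) {
                    return entry;
                }
                realmName = getRealmName(caller, realmName);
                if (requiredRealm.equals(realmName)) {
                    return entry;
                }
            }
            return null;
        }

        /** Returns the cached account name if already fetched, else asks the caller. */
        private String getAccountName(Caller caller, String cached) {
            return cached != null ? cached : caller.getName();
        }

        /** Returns the cached realm name if already fetched, else asks the caller. */
        private String getRealmName(Caller caller, String cached) {
            return cached != null ? cached : caller.getRealm();
        }

        /** Returns the cached group set if already fetched, else asks the caller. */
        private Set<String> getGroups(Caller caller, Set<String> cached) {
            return cached != null ? cached : caller.getAssociatedGroups();
        }

        /**
         * Selects the include set for {@code INCLUDE}, the exclude set otherwise.
         *
         * @param immediate when {@code true} the live set is returned, otherwise a copy of it
         */
        private HashSet<Principal> getSet(MatchType matchType, boolean immediate) {
            HashSet<Principal> live = matchType == MatchType.INCLUDE ? this.includes : this.excludes;
            return immediate ? live : new HashSet<>(live);
        }

        /**
         * Publishes {@code updated} as the new include or exclude set.
         * Does nothing for the immediate path, where the live set was modified in place.
         */
        private void setSet(HashSet<Principal> updated, MatchType matchType, boolean immediate) {
            if (immediate) {
                return;
            }
            if (matchType == MatchType.INCLUDE) {
                this.includes = updated;
            } else if (matchType == MatchType.EXCLUDE) {
                this.excludes = updated;
            }
        }
    }

    /**
     * Registers a role directly in the live map, replacing any existing role of that name
     * (and with it that role's include/exclude sets). Not synchronized.
     * NOTE(review): mutates the HashMap that {@code mapRoles} may be reading — confirm this is
     * only used before the mapper is shared between threads.
     *
     * @param str the role name
     */
    public void addRoleImmediate(String str) {
        this.roles.put(str, new Role(str));
    }

    /**
     * Registers a role by publishing a modified copy of the role map.
     * An existing role of the same name is left untouched.
     *
     * @param str the role name
     */
    public synchronized void addRole(String str) {
        HashMap<String, Role> updated = new HashMap<>(this.roles);
        if (updated.containsKey(str)) {
            return;
        }
        updated.put(str, new Role(str));
        this.roles = updated;
    }

    /**
     * Removes a role and remembers it so the removal can be undone.
     *
     * @param str the role name
     * @return an opaque handle for {@link #undoRemove(Object)}, or {@code null} if no such role
     *         exists; the removed role is only retained while the handle stays referenced
     */
    public synchronized Object removeRole(String str) {
        HashMap<String, Role> updated = new HashMap<>(this.roles);
        Role removed = updated.remove(str);
        if (removed == null) {
            return null;
        }
        Object handle = new Object();
        this.removedRoles.put(handle, removed);
        this.roles = updated;
        return handle;
    }

    /**
     * Restores a role previously removed with {@link #removeRole(String)}, including its
     * include and exclude sets.
     *
     * <p>The handle is consumed even when the restore fails because a role of the same name
     * has been registered in the meantime.
     *
     * @param obj the handle returned by {@code removeRole}
     * @return {@code true} if the role was put back
     */
    public synchronized boolean undoRemove(Object obj) {
        Role removed = this.removedRoles.remove(obj);
        if (removed == null) {
            return false;
        }
        HashMap<String, Role> updated = new HashMap<>(this.roles);
        if (updated.containsKey(removed.getName())) {
            return false;
        }
        updated.put(removed.getName(), removed);
        this.roles = updated;
        return true;
    }

    /**
     * Adds an include or exclude entry to a configured role.
     *
     * @param str the role name
     * @param principalType whether the entry names a user or a group
     * @param matchType whether the entry goes into the include or the exclude set
     * @param str2 the user or group name
     * @param str3 the realm the entry is limited to, or {@code null} for any realm
     * @param z {@code true} to modify the live set in place (unsynchronized), {@code false} to
     *          publish a modified copy
     * @return {@code true} if the entry was added; {@code false} if it was already present or the
     *         role is not configured
     */
    public boolean addPrincipal(String str, PrincipalType principalType, MatchType matchType, String str2, String str3, boolean z) {
        Role role = this.roles.get(str);
        if (role == null) {
            return false;
        }
        Principal principal = createPrincipal(principalType, str2, str3);
        return z ? role.addPrincipalImmediate(principal, matchType) : role.addPrincipal(principal, matchType);
    }

    /**
     * Removes an include or exclude entry from a configured role.
     *
     * @param str the role name
     * @param principalType whether the entry names a user or a group
     * @param matchType whether the entry is in the include or the exclude set
     * @param str2 the user or group name
     * @param str3 the realm of the entry, or {@code null}
     * @return {@code true} if the entry was present and removed
     */
    public boolean removePrincipal(String str, PrincipalType principalType, MatchType matchType, String str2, String str3) {
        Role role = this.roles.get(str);
        if (role == null) {
            return false;
        }
        return role.removePrincipal(createPrincipal(principalType, str2, str3), matchType);
    }

    private Principal createPrincipal(PrincipalType principalType, String principalName, String realmName) {
        return new Principal(principalType, principalName, realmName);
    }

    /**
     * Enables or disables acceptance of roles reported by the caller's realm.
     *
     * @param z {@code true} to honour {@code Caller.getAssociatedRoles()}
     */
    public void setUseRealmRoles(boolean z) {
        this.useRealmRoles = z;
    }

    /** Maps the caller to roles; environment, action and target are not consulted. */
    @Override // org.jboss.as.controller.access.rbac.RoleMapper
    public Set<String> mapRoles(Caller caller, Environment environment, Action action, TargetAttribute targetAttribute) {
        return mapRoles(caller);
    }

    /** Maps the caller to roles; environment, action and target are not consulted. */
    @Override // org.jboss.as.controller.access.rbac.RoleMapper
    public Set<String> mapRoles(Caller caller, Environment environment, Action action, TargetResource targetResource) {
        return mapRoles(caller);
    }

    /**
     * Computes the role names assigned to {@code caller}.
     *
     * <p>For a caller with a Subject:
     * <ol>
     *   <li>If realm roles are enabled, each role the caller reports is upper-cased and granted
     *       unless a configured role of that name excludes the caller. A reported role with no
     *       configured counterpart is granted unconditionally. Configured roles handled here
     *       are not evaluated again in step 2.</li>
     *   <li>Every remaining configured role is granted when the caller matches an include entry
     *       and no exclude entry.</li>
     * </ol>
     *
     * <p>A caller without a Subject receives {@link #IN_VM_ROLE} after
     * {@link #checkPermission(Permission)}; that check is skipped entirely when no
     * {@link SecurityManager} is installed.
     *
     * @return an unmodifiable set of role names
     */
    private Set<String> mapRoles(Caller caller) {
        Set<String> assigned = new HashSet<>();
        boolean traceEnabled = ControllerLogger.ACCESS_LOGGER.isTraceEnabled();
        if (caller.hasSubject()) {
            HashMap<String, Role> candidates;
            if (this.useRealmRoles) {
                // Work on a private copy so realm-handled roles can be dropped from the include pass.
                candidates = new HashMap<>(this.roles);
                for (String realmRole : caller.getAssociatedRoles()) {
                    // Locale.ROOT keeps the lookup key independent of the JVM default locale;
                    // a locale-specific mapping (e.g. dotted capital I) would miss the configured
                    // role and skip its exclusion check.
                    // NOTE(review): assumes configured role names are plain upper case — confirm
                    // against the code that calls addRole.
                    String upperCase = realmRole.toUpperCase(Locale.ROOT);
                    Role configured = candidates.remove(upperCase);
                    if (configured == null) {
                        if (traceEnabled) {
                            ControllerLogger.ACCESS_LOGGER.tracef("User '%s' assigned role '%s' due to realm assignment and no role mapping to check for exclusion.", caller.getName(), upperCase);
                        }
                        assigned.add(upperCase);
                        continue;
                    }
                    Principal exclusion = configured.isExcluded(caller);
                    if (exclusion == null) {
                        if (traceEnabled) {
                            ControllerLogger.ACCESS_LOGGER.tracef("User '%s' assigned role '%s' due to realm assignment and no exclusion in role mapping definition.", caller.getName(), upperCase);
                        }
                        assigned.add(upperCase);
                    } else if (traceEnabled) {
                        ControllerLogger.ACCESS_LOGGER.tracef("User '%s' NOT assigned role '%s' despite realm assignment due to exclusion match against %s.", caller.getName(), upperCase, exclusion);
                    }
                }
            } else {
                // Single volatile read: the whole pass sees one published snapshot of the map.
                candidates = this.roles;
            }
            for (Role role : candidates.values()) {
                Principal inclusion = role.isIncluded(caller);
                if (inclusion == null) {
                    if (traceEnabled) {
                        ControllerLogger.ACCESS_LOGGER.tracef("User '%s' not assigned role '%s' as no match on the include definition of the role mapping.", caller.getName(), role.getName());
                    }
                    continue;
                }
                // An exclude match overrides the include match.
                Principal exclusion = role.isExcluded(caller);
                if (exclusion == null) {
                    if (traceEnabled) {
                        ControllerLogger.ACCESS_LOGGER.tracef("User '%s' assiged role '%s' due to match on inclusion %s", caller.getName(), role.getName(), inclusion);
                    }
                    assigned.add(role.getName());
                } else if (traceEnabled) {
                    ControllerLogger.ACCESS_LOGGER.tracef("User '%s' denied membership of role '%s' due to exclusion %s", caller.getName(), role.getName(), exclusion);
                }
            }
        } else {
            checkPermission(RUN_AS_IN_VM_ROLE);
            ControllerLogger.ACCESS_LOGGER.tracef("Assigning role '%s' for call with no assigned Subject (An IN-VM Call).", IN_VM_ROLE);
            assigned.add(IN_VM_ROLE);
        }
        if (traceEnabled) {
            StringBuilder summary = new StringBuilder("User '").append(caller.getName()).append("' Assigned Roles { ");
            for (String roleName : assigned) {
                summary.append("'").append(roleName).append("' ");
            }
            summary.append("}");
            ControllerLogger.ACCESS_LOGGER.trace(summary.toString());
        }
        return Collections.unmodifiableSet(assigned);
    }

    /**
     * Checks {@code permission} against the installed {@link SecurityManager}.
     * When none is installed the call returns without checking anything.
     *
     * @throws SecurityException if a security manager is installed and denies the permission
     */
    private static void checkPermission(Permission permission) {
        SecurityManager securityManager = System.getSecurityManager();
        if (securityManager != null) {
            securityManager.checkPermission(permission);
        }
    }
}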
