package org.jboss.as.security.service;

import java.lang.reflect.Method;
import java.security.AccessController;
import java.security.CodeSource;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.security.acl.Group;
import java.util.Collection;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import javax.security.auth.Subject;
import org.jboss.as.core.security.ServerSecurityManager;
import org.jboss.as.core.security.SubjectUserInfo;
import org.jboss.as.domain.management.security.PasswordCredential;
import org.jboss.as.security.Constants;
import org.jboss.as.security.SecurityMessages;
import org.jboss.as.security.remoting.RemotingConnectionCredential;
import org.jboss.as.security.remoting.RemotingConnectionPrincipal;
import org.jboss.metadata.javaee.spec.SecurityRolesMetaData;
import org.jboss.remoting3.Connection;
import org.jboss.security.AuthorizationManager;
import org.jboss.security.ISecurityManagement;
import org.jboss.security.RunAs;
import org.jboss.security.RunAsIdentity;
import org.jboss.security.SecurityContext;
import org.jboss.security.SecurityContextAssociation;
import org.jboss.security.SecurityContextFactory;
import org.jboss.security.SecurityContextUtil;
import org.jboss.security.SimplePrincipal;
import org.jboss.security.SubjectInfo;
import org.jboss.security.audit.AuditEvent;
import org.jboss.security.audit.AuditManager;
import org.jboss.security.authorization.resources.EJBResource;
import org.jboss.security.callbacks.SecurityContextCallbackHandler;
import org.jboss.security.identity.Identity;
import org.jboss.security.identity.Role;
import org.jboss.security.identity.RoleGroup;
import org.jboss.security.identity.plugins.SimpleIdentity;
import org.jboss.security.identity.plugins.SimpleRoleGroup;
import org.jboss.security.javaee.SecurityHelperFactory;

/* loaded from: input_file:org/jboss/as/security/service/SimpleSecurityManager.class */
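/**
 * {@link ServerSecurityManager} backed by the PicketBox {@link SecurityContext} machinery.
 *
 * <p>Each {@link #push} establishes a new {@link SecurityContext} for a security domain on the
 * calling thread and remembers the context it replaced so that {@link #pop()} can restore it.
 * Caller identity, role checks and EJB authorization are all evaluated against the context that is
 * currently associated with the thread.
 *
 * <p>Thread-safety: the context stack is held in a {@code ThreadLocalStack}, so pushes and pops on
 * different threads do not interfere. {@link #setSecurityManagement} is expected to be called once
 * during injection, before any context is pushed.
 */
public class SimpleSecurityManager implements ServerSecurityManager {

    /** Contexts replaced by {@link #push}, restored in LIFO order by {@link #pop()}. */
    private final ThreadLocalStack<SecurityContext> contexts = new ThreadLocalStack<>();

    /**
     * Whether a newly pushed context inherits the subject info and outgoing run-as identity of the
     * context it replaces. Fixed at construction time.
     */
    private final boolean propagate;

    /** Injected through {@link #setSecurityManagement}; a context cannot be established without it. */
    private ISecurityManagement securityManagement = null;

    /** Creates a manager that propagates subject info and run-as identity into pushed contexts. */
    public SimpleSecurityManager() {
        this.propagate = true;
    }

    /**
     * Creates a manager that reuses the given manager's {@link ISecurityManagement} but does
     * <em>not</em> propagate subject info or run-as identity into the contexts it pushes.
     *
     * @param simpleSecurityManager manager whose security management is shared; must not be {@code null}
     */
    public SimpleSecurityManager(SimpleSecurityManager simpleSecurityManager) {
        this.securityManagement = simpleSecurityManager.securityManagement;
        this.propagate = false;
    }

    /** Privileged action reading the thread's current {@link SecurityContext}; {@code null} when none is set. */
    private PrivilegedAction<SecurityContext> securityContext() {
        return new PrivilegedAction<SecurityContext>() {
            @Override
            public SecurityContext run() {
                return SecurityContextAssociation.getSecurityContext();
            }
        };
    }

    /** Reads the thread's current {@link SecurityContext} inside a privileged block; {@code null} when none is set. */
    private SecurityContext currentSecurityContext() {
        return AccessController.doPrivileged(securityContext());
    }

    /**
     * Creates a fresh {@link SecurityContext} for {@code securityDomain}, wires in the injected
     * {@link ISecurityManagement} and associates the context with the calling thread.
     *
     * @param securityDomain name of the security domain the context is created for
     * @return the newly associated context
     * @throws RuntimeException (from {@link SecurityMessages}) when no security management has been
     *         injected or the context cannot be created
     */
    private SecurityContext establishSecurityContext(String securityDomain) {
        // Fail fast on missing injection before creating a context that would only be discarded.
        if (this.securityManagement == null) {
            throw SecurityMessages.MESSAGES.securityManagementNotInjected();
        }
        try {
            SecurityContext context = SecurityContextFactory.createSecurityContext(securityDomain);
            context.setSecurityManagement(this.securityManagement);
            SecurityContextAssociation.setSecurityContext(context);
            return context;
        } catch (Exception e) {
            // createSecurityContext may throw checked exceptions; surface them as the module's unchecked type.
            throw SecurityMessages.MESSAGES.securityException(e);
        }
    }

    /**
     * Injects the {@link ISecurityManagement} used by every context this manager establishes.
     *
     * @param iSecurityManagement security management to use for subsequently pushed contexts
     */
    public void setSecurityManagement(ISecurityManagement iSecurityManagement) {
        this.securityManagement = iSecurityManagement;
    }

    /**
     * Returns the current caller's principal. An incoming run-as identity takes precedence over the
     * authenticated subject's principal; with neither (or with no context at all) the anonymous
     * identity is returned. Never returns {@code null}.
     *
     * @return the caller principal, or the anonymous principal when unauthenticated
     */
    public Principal getCallerPrincipal() {
        SecurityContext context = currentSecurityContext();
        if (context == null) {
            return getUnauthenticatedIdentity().asPrincipal();
        }
        // RunAs is itself a Principal; a run-as identity masks the real caller for this call chain.
        Principal principal = context.getIncomingRunAs();
        if (principal == null) {
            principal = getPrincipal(getSubjectInfo(context).getAuthenticatedSubject());
        }
        return principal == null ? getUnauthenticatedIdentity().asPrincipal() : principal;
    }

    /**
     * Returns the authenticated subject of the current context.
     *
     * @return the authenticated subject, or {@code null} when no context is associated with the thread
     */
    public Subject getSubject() {
        SecurityContext context = currentSecurityContext();
        return context == null ? null : getSubjectInfo(context).getAuthenticatedSubject();
    }

    /**
     * Picks the caller principal out of {@code subject}: the first member of a {@link Group} named
     * {@code "CallerPrincipal"} wins; failing that, the first principal that is not a group.
     *
     * @param subject subject to inspect; may be {@code null}
     * @return the selected principal, or {@code null} when the subject holds no usable principal
     */
    private Principal getPrincipal(Subject subject) {
        if (subject == null) {
            return null;
        }
        Set<Principal> principals = subject.getPrincipals();
        if (principals == null || principals.isEmpty()) {
            return null;
        }
        Principal firstPlainPrincipal = null;
        Principal callerPrincipal = null;
        for (Principal candidate : principals) {
            // java.security.acl.Group was removed in JDK 14; this code targets an older JDK.
            if (candidate instanceof Group) {
                Group group = (Group) candidate;
                if (callerPrincipal == null && "CallerPrincipal".equals(group.getName())) {
                    Enumeration<? extends Principal> members = group.members();
                    if (members.hasMoreElements()) {
                        callerPrincipal = members.nextElement();
                    }
                }
            } else if (firstPlainPrincipal == null) {
                firstPlainPrincipal = candidate;
            }
        }
        return callerPrincipal != null ? callerPrincipal : firstPlainPrincipal;
    }

    /**
     * Tests whether the caller holds at least one of {@code roleNames}.
     *
     * <p>The roles considered are the incoming run-as identity's roles when one is set (the caller's
     * own roles are then ignored), otherwise the authenticated subject's roles plus any roles the
     * deployment metadata declares for the caller principal. When no direct match exists and
     * {@code roleLinks} is given, a role the caller holds also satisfies the check if it is linked
     * from a requested role.
     *
     * @param securityRolesMetaData the deployment's {@link SecurityRolesMetaData}, or {@code null}
     * @param roleLinks map from role name to the role names linked to it; may be {@code null}
     * @param roleNames roles being asked for
     * @return {@code true} when the caller is in one of the roles; {@code false} when not, when no
     *         context is associated with the thread, or when no role group can be resolved
     */
    public boolean isCallerInRole(Object securityRolesMetaData, Map<String, Collection<String>> roleLinks, String... roleNames) {
        SecurityRolesMetaData rolesMetaData = (SecurityRolesMetaData) securityRolesMetaData;
        SecurityContext context = currentSecurityContext();
        if (context == null) {
            return false;
        }
        RunAs incomingRunAs = context.getIncomingRunAs();
        RoleGroup roleGroup;
        if (incomingRunAs instanceof RunAsIdentity) {
            // Run-as replaces the caller's roles entirely for this check.
            roleGroup = ((RunAsIdentity) incomingRunAs).getRunAsRolesAsRoleGroup();
        } else {
            roleGroup = getSubjectRoles(context.getAuthorizationManager(),
                    new SecurityContextCallbackHandler(context),
                    getSubjectInfo(context).getAuthenticatedSubject());
        }
        if (roleGroup == null) {
            return false;
        }
        Set<String> requestedRoles = new HashSet<>();
        Collections.addAll(requestedRoles, roleNames);
        Set<String> heldRoles = new HashSet<>();
        List<Role> roles = roleGroup.getRoles();
        for (Role role : roles) {
            heldRoles.add(role.getRoleName());
        }
        if (rolesMetaData != null) {
            Set<String> declaredRoles = rolesMetaData.getSecurityRoleNamesByPrincipal(getCallerPrincipal().getName());
            if (declaredRoles != null) {
                heldRoles.addAll(declaredRoles);
            }
        }
        if (!Collections.disjoint(requestedRoles, heldRoles)) {
            return true;
        }
        if (roleLinks == null) {
            return false;
        }
        for (String heldRole : heldRoles) {
            if (!Collections.disjoint(requestedRoles, getRoleAliases(heldRole, roleLinks))) {
                return true;
            }
        }
        return false;
    }

    /**
     * Runs the PicketBox EJB authorization helper for a method invocation on the current context.
     *
     * @param ejbName name of the EJB being invoked
     * @param codeSource code source of the deployment
     * @param methodInterface view through which the method is invoked
     * @param method the invoked method
     * @param methodRoles principals/roles permitted to invoke the method
     * @param policyContextId JACC policy context id of the deployment
     * @return the helper's decision; {@code false} when no context is associated with the thread
     * @throws RuntimeException wrapping any failure raised by the authorization helper
     */
    public boolean authorize(String ejbName, CodeSource codeSource, String methodInterface, Method method, Set<Principal> methodRoles, String policyContextId) {
        SecurityContext context = currentSecurityContext();
        if (context == null) {
            return false;
        }
        EJBResource resource = new EJBResource(new HashMap<String, Object>());
        resource.setEjbName(ejbName);
        resource.setEjbMethod(method);
        resource.setEjbMethodInterface(methodInterface);
        resource.setEjbMethodRoles(new SimpleRoleGroup(methodRoles));
        resource.setCodeSource(codeSource);
        resource.setPolicyContextID(policyContextId);
        resource.setCallerRunAsIdentity(context.getIncomingRunAs());
        resource.setCallerSubject(context.getUtil().getSubject());
        resource.setPrincipal(context.getUtil().getUserPrincipal());
        try {
            return SecurityHelperFactory.getEJBAuthorizationHelper(context).authorize(resource);
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Copies subject info and the outgoing run-as identity of {@code previous} into {@code current}
     * when propagation is enabled for this manager and there is a previous context.
     */
    private void propagateInto(SecurityContext previous, SecurityContext current) {
        if (this.propagate && previous != null) {
            current.setSubjectInfo(getSubjectInfo(previous));
            current.setIncomingRunAs(previous.getOutgoingRunAs());
        }
    }

    /**
     * Pushes a new context for {@code securityDomain}, taking the caller's identity from the
     * remoting connection bound to the thread (if any). The remoting context is cleared once
     * consumed. When a propagated run-as identity is present, or no remoting context is set, the
     * context is left without subject info.
     *
     * @param securityDomain security domain of the new context
     */
    public void push(String securityDomain) {
        SecurityContext previous = SecurityContextAssociation.getSecurityContext();
        this.contexts.push(previous);
        SecurityContext current = establishSecurityContext(securityDomain);
        propagateInto(previous, current);
        if (current.getIncomingRunAs() instanceof RunAsIdentity) {
            return;
        }
        if (!SecurityActions.remotingContextIsSet()) {
            return;
        }
        Connection connection = SecurityActions.remotingContextGetConnection();
        Principal principal = null;
        Object credential = null;
        Object userInfo = connection.getUserInfo();
        if (userInfo instanceof SubjectUserInfo) {
            Set<PasswordCredential> passwordCredentials =
                    ((SubjectUserInfo) userInfo).getSubject().getPrivateCredentials(PasswordCredential.class);
            if (!passwordCredentials.isEmpty()) {
                PasswordCredential passwordCredential = passwordCredentials.iterator().next();
                principal = new SimplePrincipal(passwordCredential.getUserName());
                // The credential API takes an Object; the password is materialised as an immutable
                // String here and therefore cannot be zeroed after use.
                credential = new String(passwordCredential.getCredential());
            }
        }
        if (principal == null || credential == null) {
            // No password credential on the connection: identify the caller by the connection itself.
            principal = new RemotingConnectionPrincipal(connection);
            credential = new RemotingConnectionCredential(connection);
        }
        // Consume the remoting context so it cannot be picked up by a later push on this thread.
        SecurityActions.remotingContextClear();
        current.getUtil().createSubjectInfo(principal, credential, (Subject) null);
    }

    /**
     * Pushes a new context for {@code securityDomain} with an explicit user name and password.
     * When a propagated run-as identity is present the supplied credentials are ignored.
     *
     * @param securityDomain security domain of the new context
     * @param userName user name of the caller
     * @param password password of the caller; copied into a String for the credential API
     * @param subject subject to associate, or {@code null}
     */
    public void push(String securityDomain, String userName, char[] password, Subject subject) {
        SecurityContext previous = SecurityContextAssociation.getSecurityContext();
        this.contexts.push(previous);
        SecurityContext current = establishSecurityContext(securityDomain);
        propagateInto(previous, current);
        if (current.getIncomingRunAs() instanceof RunAsIdentity) {
            return;
        }
        current.getUtil().createSubjectInfo(new SimplePrincipal(userName), new String(password), subject);
    }

    /** Authenticates the current context without setting an outgoing run-as identity. */
    public void authenticate() {
        authenticate(null, null, null);
    }

    /**
     * Authenticates the current context's user principal and credential, then sets the outgoing
     * run-as identity: the one requested via {@code runAs}, or, when propagation is enabled, the
     * outgoing run-as of the previously pushed context.
     *
     * @param runAs run-as role name, or {@code null} for none
     * @param runAsPrincipal principal name for the run-as identity
     * @param extraRoles additional roles for the run-as identity
     * @throws RuntimeException (from {@link SecurityMessages}) when authentication fails
     * @throws NullPointerException when no context has been pushed on this thread
     */
    public void authenticate(String runAs, String runAsPrincipal, Set<String> extraRoles) {
        SecurityContext context = Objects.requireNonNull(SecurityContextAssociation.getSecurityContext(),
                "no security context established; push() must precede authenticate()");
        Object credential = context.getUtil().getCredential();
        Subject subject = null;
        if (credential instanceof RemotingConnectionCredential) {
            // Reuse the subject the remoting layer already authenticated rather than a fresh one.
            subject = ((RemotingConnectionCredential) credential).getSubject();
        }
        if (!authenticate(context, subject)) {
            throw SecurityMessages.MESSAGES.invalidUserException();
        }
        SecurityContext previous = this.contexts.peek();
        if (runAs != null) {
            context.setOutgoingRunAs(new RunAsIdentity(runAs, runAsPrincipal, extraRoles));
        } else if (this.propagate && previous != null && previous.getOutgoingRunAs() != null) {
            context.setOutgoingRunAs(previous.getOutgoingRunAs());
        }
    }

    /**
     * Populates a subject with the context's user principal and validates it through the context's
     * authentication manager. A context with no user principal is treated as anonymous: the
     * anonymous identity is added and the result is success <em>without</em> consulting the
     * authentication manager. The outcome is audited when an {@link AuditManager} is configured.
     *
     * @param context context whose principal and credential are validated
     * @param subject subject to populate; a new one is created when {@code null}
     * @return {@code true} when the subject became the context's authenticated subject
     */
    private boolean authenticate(SecurityContext context, Subject subject) {
        SecurityContextUtil util = context.getUtil();
        SubjectInfo subjectInfo = getSubjectInfo(context);
        Subject target = subject != null ? subject : new Subject();
        Principal userPrincipal = util.getUserPrincipal();
        Object credential = util.getCredential();
        Principal auditedPrincipal;
        boolean authenticated;
        if (userPrincipal == null) {
            Identity anonymous = getUnauthenticatedIdentity();
            subjectInfo.addIdentity(anonymous);
            auditedPrincipal = anonymous.asPrincipal();
            target.getPrincipals().add(auditedPrincipal);
            authenticated = true;
        } else {
            target.getPrincipals().add(userPrincipal);
            auditedPrincipal = userPrincipal;
            authenticated = context.getAuthenticationManager().isValid(userPrincipal, credential, target);
        }
        if (authenticated) {
            subjectInfo.setAuthenticatedSubject(target);
        }
        AuditManager auditManager = context.getAuditManager();
        if (auditManager != null) {
            audit(authenticated ? "Success" : "Failure", auditManager, auditedPrincipal);
        }
        return authenticated;
    }

    /** Identity used when no caller could be determined. */
    private Identity getUnauthenticatedIdentity() {
        return new SimpleIdentity("anonymous");
    }

    /** Restores the context that was associated with the thread before the matching {@link #push}. */
    public void pop() {
        SecurityContextAssociation.setSecurityContext(this.contexts.pop());
    }

    /**
     * Returns the names of all roles in {@code roleLinks} whose linked collection contains
     * {@code roleName}.
     *
     * @param roleName role to look up
     * @param roleLinks map from role name to linked role names; may be {@code null}
     * @return the aliases of {@code roleName}; empty when there are none
     */
    private Set<String> getRoleAliases(String roleName, Map<String, Collection<String>> roleLinks) {
        if (roleLinks == null || roleLinks.isEmpty()) {
            return Collections.emptySet();
        }
        Set<String> aliases = new HashSet<>();
        for (Map.Entry<String, Collection<String>> entry : roleLinks.entrySet()) {
            Collection<String> linkedRoles = entry.getValue();
            if (linkedRoles != null && linkedRoles.contains(roleName)) {
                aliases.add(entry.getKey());
            }
        }
        return aliases;
    }

    /**
     * Records an authentication audit event.
     *
     * @param level outcome to record, {@code "Success"} or {@code "Failure"}
     * @param auditManager manager that receives the event
     * @param principal principal the attempt was made for; recorded as {@code "null"} when absent
     */
    private void audit(String level, AuditManager auditManager, Principal principal) {
        // The event level is the outcome supplied by the caller, so failures are recorded as such.
        AuditEvent auditEvent = new AuditEvent(level);
        Map<String, Object> contextMap = new HashMap<>();
        contextMap.put(Constants.PRINCIPAL_ARGUMENT, principal != null ? principal.getName() : "null");
        contextMap.put("Source", getClass().getCanonicalName());
        contextMap.put("Action", Constants.AUTHENTICATION);
        auditEvent.setContextMap(contextMap);
        auditManager.audit(auditEvent);
    }

    /**
     * Reads the context's {@link SubjectInfo}, inside a privileged block when a
     * {@link SecurityManager} is installed.
     */
    private SubjectInfo getSubjectInfo(final SecurityContext securityContext) {
        if (System.getSecurityManager() == null) {
            return securityContext.getSubjectInfo();
        }
        return AccessController.doPrivileged(new PrivilegedAction<SubjectInfo>() {
            @Override
            public SubjectInfo run() {
                return securityContext.getSubjectInfo();
            }
        });
    }

    /**
     * Resolves the subject's roles through the authorization manager, inside a privileged block
     * when a {@link SecurityManager} is installed.
     */
    private RoleGroup getSubjectRoles(final AuthorizationManager authorizationManager, final SecurityContextCallbackHandler securityContextCallbackHandler, final Subject subject) {
        if (System.getSecurityManager() == null) {
            return authorizationManager.getSubjectRoles(subject, securityContextCallbackHandler);
        }
        return AccessController.doPrivileged(new PrivilegedAction<RoleGroup>() {
            @Override
            public RoleGroup run() {
                return authorizationManager.getSubjectRoles(subject, securityContextCallbackHandler);
            }
        });
    }
}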
