package org.wildfly.extension.undertow.security.jaspi;

import io.undertow.security.api.AuthenticatedSessionManager;
import io.undertow.security.api.AuthenticationMechanism;
import io.undertow.security.api.SecurityContext;
import io.undertow.security.idm.Account;
import io.undertow.server.ConduitWrapper;
import io.undertow.server.HttpServerExchange;
import io.undertow.servlet.handlers.ServletRequestContext;
import io.undertow.util.AttachmentKey;
import io.undertow.util.ConduitFactory;
import java.security.Principal;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.message.AuthException;
import javax.servlet.ServletRequest;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.jboss.security.SecurityContextAssociation;
import org.jboss.security.auth.callback.JASPICallbackHandler;
import org.jboss.security.auth.callback.JBossCallbackHandler;
import org.jboss.security.auth.message.GenericMessageInfo;
import org.jboss.security.identity.Role;
import org.jboss.security.identity.RoleGroup;
import org.jboss.security.identity.plugins.SimpleRole;
import org.jboss.security.identity.plugins.SimpleRoleGroup;
import org.jboss.security.plugins.auth.JASPIServerAuthenticationManager;
import org.wildfly.extension.undertow.UndertowLogger;
import org.wildfly.extension.undertow.UndertowMessages;
import org.wildfly.extension.undertow.security.AccountImpl;
import org.xnio.conduits.Conduit;
import org.xnio.conduits.StreamSinkConduit;

/* loaded from: input_file:org/wildfly/extension/undertow/security/jaspi/JASPIAuthenticationMechanism.class */
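/**
 * Undertow {@link AuthenticationMechanism} that delegates authentication of HTTP requests to a
 * JASPIC (JSR-196) server-auth module stack resolved through a PicketBox security domain.
 *
 * <p>Per request the mechanism builds a {@link GenericMessageInfo} around the current servlet
 * request/response, runs {@code validateRequest} through a {@link JASPIServerAuthenticationManager},
 * turns the resulting PicketBox security-context state into an Undertow {@link Account}, and
 * registers a response wrapper that runs {@code secureResponse} once the response starts to
 * be written.
 *
 * <p>Security notes a maintainer should be aware of:
 * <ul>
 *   <li>The SAM is allowed to replace the request/response objects in the {@code MessageInfo};
 *       whatever it leaves there is installed on the {@link ServletRequestContext} unconditionally,
 *       so the module is trusted to supply {@link HttpServletRequest}/{@link HttpServletResponse}
 *       instances (anything else fails with a {@link ClassCastException}).</li>
 *   <li>The {@code MessagePolicy.isMandatory} value handed to the SAM is derived only from the
 *       servlet-level {@code rolesAllowed} information (see {@link #isMandatory}).</li>
 * </ul>
 */
public class JASPIAuthenticationMechanism implements AuthenticationMechanism {

    /** JASPIC message layer identifier for the servlet profile. */
    private static final String JASPI_HTTP_SERVLET_LAYER = "HttpServlet";
    /** Auth type reported to Undertow when neither the SAM nor the deployment configured one. */
    private static final String MECHANISM_NAME = "JASPIC";
    /** MessageInfo map key under which a SAM may report the authentication type it performed. */
    private static final String JASPI_AUTH_TYPE = "javax.servlet.http.authType";
    /**
     * MessageInfo map key a SAM may set to {@code "true"} to ask the container to cache the
     * authenticated account in the session.
     */
    private static final String JASPI_REGISTER_SESSION = "javax.servlet.http.registerSession";
    /** MessageInfo map key telling the SAM whether authentication is mandatory for this request. */
    private static final String JASPI_IS_MANDATORY = "javax.security.auth.message.MessagePolicy.isMandatory";

    /** Map key under which the current {@link HttpServerExchange} is exposed to SAMs via the MessageInfo map. */
    public static final AttachmentKey<HttpServerExchange> HTTP_SERVER_EXCHANGE_ATTACHMENT_KEY = AttachmentKey.create(HttpServerExchange.class);
    /** Map key under which the Undertow {@link SecurityContext} is exposed to SAMs via the MessageInfo map. */
    public static final AttachmentKey<SecurityContext> SECURITY_CONTEXT_ATTACHMENT_KEY = AttachmentKey.create(SecurityContext.class);

    /** PicketBox security domain whose JASPI configuration is used. */
    private final String securityDomain;
    /** Auth method configured for the deployment; used as auth type when the SAM reports none. May be null. */
    private final String configuredAuthMethod;

    /**
     * @param securityDomain       name of the security domain that resolves the JASPI module stack
     * @param configuredAuthMethod auth method configured for the deployment, or {@code null}
     */
    public JASPIAuthenticationMechanism(final String securityDomain, final String configuredAuthMethod) {
        this.securityDomain = securityDomain;
        this.configuredAuthMethod = configuredAuthMethod;
    }

    /**
     * Runs {@code validateRequest} through the configured JASPI stack and maps the result onto an
     * Undertow outcome.
     *
     * <p>Outcome mapping:
     * <ul>
     *   <li>valid and a user principal was established: {@code AUTHENTICATED};</li>
     *   <li>valid but no principal (SAM opted out) and authentication is not mandatory: {@code NOT_ATTEMPTED};</li>
     *   <li>anything else: {@code NOT_AUTHENTICATED} and {@link SecurityContext#authenticationFailed} is invoked.</li>
     * </ul>
     *
     * @param exchange the current exchange
     * @param sc       the Undertow security context for the exchange
     * @return the authentication outcome
     */
    @Override
    public AuthenticationMechanismOutcome authenticate(final HttpServerExchange exchange, final SecurityContext sc) {
        final ServletRequestContext requestContext = exchange.getAttachment(ServletRequestContext.ATTACHMENT_KEY);
        final JASPIServerAuthenticationManager sam = createJASPIAuthenticationManager();
        final GenericMessageInfo messageInfo = createMessageInfo(exchange, sc);
        final String applicationIdentifier = buildApplicationIdentifier(requestContext);
        final JASPICallbackHandler cbh = new JASPICallbackHandler();

        UndertowLogger.ROOT_LOGGER.debugf("validateRequest for layer [%s] and applicationContextIdentifier [%s]", JASPI_HTTP_SERVLET_LAYER, applicationIdentifier);

        // If a previous request already authenticated and cached an account in the session, make it
        // visible to the SAM through the JASPIC security context for the duration of validateRequest.
        Account cachedAccount = null;
        final JASPICSecurityContext jaspicSecurityContext = (JASPICSecurityContext) exchange.getSecurityContext();
        final AuthenticatedSessionManager sessionManager = exchange.getAttachment(AuthenticatedSessionManager.ATTACHMENT_KEY);
        if (sessionManager != null) {
            // lookupSession() yields null when there is no authenticated session yet; guard it
            // rather than fail the request with a NullPointerException.
            final AuthenticatedSessionManager.AuthenticatedSession authSession = sessionManager.lookupSession(exchange);
            if (authSession != null) {
                cachedAccount = authSession.getAccount();
                if (cachedAccount != null) {
                    jaspicSecurityContext.setCachedAuthenticatedAccount(cachedAccount);
                }
            }
        }

        final boolean isValid = sam.isValid(messageInfo, new Subject(), JASPI_HTTP_SERVLET_LAYER, applicationIdentifier, cbh);
        // The cached account is only meant to be visible during validateRequest; clear it regardless of outcome.
        jaspicSecurityContext.setCachedAuthenticatedAccount(null);

        Account authenticatedAccount = null;
        if (isValid) {
            authenticatedAccount = createAccount(cachedAccount, SecurityActions.getSecurityContext());
        }

        // Auth type precedence: value reported by the SAM, then the deployment's configured method, then "JASPIC".
        String authType = (String) messageInfo.getMap().get(JASPI_AUTH_TYPE);
        if (authType == null) {
            authType = configuredAuthMethod != null ? configuredAuthMethod : MECHANISM_NAME;
        }

        final AuthenticationMechanismOutcome outcome;
        if (isValid && authenticatedAccount != null) {
            outcome = AuthenticationMechanismOutcome.AUTHENTICATED;
            // Only a String "true" (case-insensitive) in the MessageInfo map registers the session.
            final Object registerSession = messageInfo.getMap().get(JASPI_REGISTER_SESSION);
            final boolean cacheInSession = registerSession instanceof String && Boolean.parseBoolean((String) registerSession);
            sc.authenticationComplete(authenticatedAccount, authType, cacheInSession);
        } else if (isValid && authenticatedAccount == null && !isMandatory(requestContext)) {
            // The SAM returned success without establishing a caller; the resource does not require one.
            outcome = AuthenticationMechanismOutcome.NOT_ATTEMPTED;
        } else {
            outcome = AuthenticationMechanismOutcome.NOT_AUTHENTICATED;
            sc.authenticationFailed("JASPIC authentication failed.", authType);
        }

        // The SAM may have wrapped the request/response objects; install whatever it left in the MessageInfo.
        installMessages(requestContext, messageInfo);
        secureResponse(exchange, sam, messageInfo, cbh);
        return outcome;
    }

    /**
     * Reports the challenge as already sent. The JASPI stack is responsible for writing any challenge
     * to the response itself (presumably during {@code validateRequest}); this mechanism adds nothing.
     *
     * @param exchange the current exchange
     * @param sc       the Undertow security context
     * @return a {@link ChallengeResult} indicating a challenge was sent, with no status code
     */
    @Override
    public ChallengeResult sendChallenge(final HttpServerExchange exchange, final SecurityContext sc) {
        return new ChallengeResult(true);
    }

    /**
     * Whether the PicketBox security context associated with the current thread records an
     * {@link AuthException} (stored under the exception's class name in the context data map).
     * A missing thread-associated context is treated as "no exception" instead of failing with
     * a {@link NullPointerException} from inside the response conduit.
     */
    private boolean wasAuthExceptionThrown() {
        final org.jboss.security.SecurityContext current = SecurityContextAssociation.getSecurityContext();
        return current != null && current.getData().get(AuthException.class.getName()) != null;
    }

    /** Creates a fresh per-request authentication manager bound to the configured security domain. */
    private JASPIServerAuthenticationManager createJASPIAuthenticationManager() {
        return new JASPIServerAuthenticationManager(this.securityDomain, new JBossCallbackHandler());
    }

    /**
     * Builds the JASPIC application context identifier: the virtual server name and the context
     * path, separated by a single space.
     */
    private String buildApplicationIdentifier(final ServletRequestContext requestContext) {
        final ServletRequest request = requestContext.getServletRequest();
        return request.getServletContext().getVirtualServerName() + " " + request.getServletContext().getContextPath();
    }

    /**
     * Builds the {@link GenericMessageInfo} passed to the SAM. Besides the request and response it
     * carries the mandatory flag, the Undertow security context and the exchange in its map, so
     * that SAMs written for this container can reach them.
     */
    private GenericMessageInfo createMessageInfo(final HttpServerExchange exchange, final SecurityContext sc) {
        final ServletRequestContext requestContext = exchange.getAttachment(ServletRequestContext.ATTACHMENT_KEY);
        final GenericMessageInfo messageInfo = new GenericMessageInfo();
        messageInfo.setRequestMessage(requestContext.getServletRequest());
        messageInfo.setResponseMessage(requestContext.getServletResponse());
        messageInfo.getMap().put(JASPI_IS_MANDATORY, String.valueOf(isMandatory(requestContext)));
        messageInfo.getMap().put(SECURITY_CONTEXT_ATTACHMENT_KEY, sc);
        messageInfo.getMap().put(HTTP_SERVER_EXCHANGE_ATTACHMENT_KEY, exchange);
        return messageInfo;
    }

    /**
     * Installs the request/response objects currently held by the MessageInfo on the servlet
     * request context. Called after {@code validateRequest} and again after {@code secureResponse},
     * since a SAM may substitute wrappers at either point.
     */
    private static void installMessages(final ServletRequestContext requestContext, final GenericMessageInfo messageInfo) {
        // A SAM that installs something other than HTTP servlet types will fail here with a ClassCastException.
        requestContext.setServletRequest((HttpServletRequest) messageInfo.getRequestMessage());
        requestContext.setServletResponse((HttpServletResponse) messageInfo.getResponseMessage());
    }

    /**
     * Derives the Undertow {@link Account} for this request from the PicketBox security context the
     * JASPI stack populated.
     *
     * @param cachedAccount        account previously cached in the session, or {@code null}
     * @param jbossSecurityContext PicketBox security context for the current thread; must not be null
     * @return {@code null} when the SAM established no user principal (opted out); otherwise either
     *         the cached account (when the SAM kept the very same principal instance, in which case
     *         the PicketBox context is re-populated from the cached account) or a new account built
     *         from the principal, roles and credential found in the PicketBox context
     * @throws IllegalArgumentException-style exception from {@link UndertowMessages#nullParamter}
     *         when {@code jbossSecurityContext} is null
     */
    private Account createAccount(final Account cachedAccount, final org.jboss.security.SecurityContext jbossSecurityContext) {
        if (jbossSecurityContext == null) {
            throw UndertowMessages.MESSAGES.nullParamter("org.jboss.security.SecurityContext");
        }

        // No principal means the SAM opted out of authenticating this request.
        final Principal userPrincipal = jbossSecurityContext.getUtil().getUserPrincipal();
        if (userPrincipal == null) {
            return null;
        }

        // Identity comparison is deliberate: the cached account is reused only when the SAM handed back
        // the exact principal instance it was shown (via the cached account), not merely an equal one.
        // NOTE(review): any other principal causes a fresh account with roles/credential taken from the
        // PicketBox context; the credential object is retained in the account and therefore in any
        // session cache — confirm that is acceptable for the credential types in use.
        if (cachedAccount == null || cachedAccount.getPrincipal() != userPrincipal) {
            final Set<String> roleNames = new HashSet<String>();
            final RoleGroup roleGroup = jbossSecurityContext.getUtil().getRoles();
            if (roleGroup != null) {
                for (final Role role : roleGroup.getRoles()) {
                    roleNames.add(role.getRoleName());
                }
            }
            return new AccountImpl(userPrincipal, roleNames, jbossSecurityContext.getUtil().getCredential());
        }

        // Same principal instance: the SAM maintained the authentication state. Re-populate the PicketBox
        // context from the cached account so downstream code sees the cached credential and roles.
        // NOTE(review): the cast assumes every cached account is an AccountImpl; an account cached by a
        // different mechanism would fail here with a ClassCastException.
        jbossSecurityContext.getUtil().createSubjectInfo(userPrincipal, ((AccountImpl) cachedAccount).getCredential(), (Subject) null);
        final SimpleRoleGroup roleGroup = new SimpleRoleGroup("Roles");
        for (final String roleName : cachedAccount.getRoles()) {
            roleGroup.addRole(new SimpleRole(roleName));
        }
        jbossSecurityContext.getUtil().setRoles(roleGroup);
        return cachedAccount;
    }

    /**
     * Registers a response wrapper that runs {@code secureResponse} on the JASPI stack when the response
     * conduit is created (i.e. when the response starts to be written), unless an {@link AuthException}
     * was recorded during {@code validateRequest}. The wrapper does not alter the conduit itself.
     */
    private void secureResponse(final HttpServerExchange exchange, final JASPIServerAuthenticationManager sam,
                                final GenericMessageInfo messageInfo, final JASPICallbackHandler cbh) {
        exchange.addResponseWrapper(new ConduitWrapper<StreamSinkConduit>() {
            @Override
            public StreamSinkConduit wrap(final ConduitFactory<StreamSinkConduit> factory, final HttpServerExchange exchange2) {
                final ServletRequestContext requestContext = exchange2.getAttachment(ServletRequestContext.ATTACHMENT_KEY);
                final String applicationIdentifier = buildApplicationIdentifier(requestContext);
                if (!wasAuthExceptionThrown()) {
                    UndertowLogger.ROOT_LOGGER.debugf("secureResponse for layer [%s] and applicationContextIdentifier [%s].", JASPI_HTTP_SERVLET_LAYER, applicationIdentifier);
                    sam.secureResponse(messageInfo, new Subject(), JASPI_HTTP_SERVLET_LAYER, applicationIdentifier, cbh);
                    // secureResponse may wrap the request/response again; propagate them.
                    installMessages(requestContext, messageInfo);
                }
                return factory.create();
            }
        });
    }

    /**
     * Whether authentication is mandatory for the target servlet.
     *
     * <p>Returns {@code true} only when the current servlet carries a non-empty {@code rolesAllowed} set
     * in its {@code ServletSecurityInfo}; every missing link in that chain yields {@code false}.
     * NOTE(review): nothing here consults URL-pattern security constraints, so a request matching a
     * constraint that is not expressed through the servlet's security info is reported to the SAM as
     * non-mandatory — confirm this matches the intended JASPIC MessagePolicy semantics for this container.
     */
    private boolean isMandatory(final ServletRequestContext requestContext) {
        if (requestContext.getCurrentServlet() == null || requestContext.getCurrentServlet().getManagedServlet() == null) {
            return false;
        }
        final ServletInfoHolder info = new ServletInfoHolder(requestContext);
        return info.hasRolesAllowed();
    }

    /** Small helper that walks the servlet-info chain null-safely for {@link #isMandatory}. */
    private static final class ServletInfoHolder {
        private final io.undertow.servlet.api.ServletInfo servletInfo;

        ServletInfoHolder(final ServletRequestContext requestContext) {
            this.servletInfo = requestContext.getCurrentServlet().getManagedServlet().getServletInfo();
        }

        boolean hasRolesAllowed() {
            return servletInfo != null
                    && servletInfo.getServletSecurityInfo() != null
                    && servletInfo.getServletSecurityInfo().getRolesAllowed() != null
                    && !servletInfo.getServletSecurityInfo().getRolesAllowed().isEmpty();
        }
    }
}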
