package org.jboss.as.domain.management.security;

import java.io.IOException;
import java.security.Principal;
import java.security.spec.AlgorithmParameterSpec;
import java.util.Collections;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.function.Consumer;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.sasl.AuthorizeCallback;
import org.infinispan.xsite.GlobalXSiteAdminOperations;
import org.jboss.as.controller.PathElement;
import org.jboss.as.domain.management.AuthMechanism;
import org.jboss.as.domain.management.RealmConfigurationConstants;
import org.jboss.as.domain.management.SecurityRealm;
import org.jboss.as.domain.management.logging.DomainManagementLogger;
import org.jboss.msc.Service;
import org.jboss.msc.service.ServiceName;
import org.jboss.msc.service.StartContext;
import org.jboss.msc.service.StopContext;
import org.wildfly.security.auth.SupportLevel;
import org.wildfly.security.auth.server.RealmIdentity;
import org.wildfly.security.auth.server.RealmUnavailableException;
import org.wildfly.security.auth.server.SecurityRealm;
import org.wildfly.security.credential.Credential;
import org.wildfly.security.evidence.Evidence;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:org/jboss/as/domain/management/security/LocalCallbackHandlerService.class */
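/**
 * Management security service backing the {@link AuthMechanism#LOCAL} mechanism.
 *
 * <p>The service hands out a {@link CallbackHandler} and an Elytron security realm that apply the
 * same rule: a user name is accepted when the allow-all flag is set or when the name is in the
 * allow-list built by {@link #start(StartContext)}.
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>Nothing in this class checks a password or any other evidence: {@code getCredential}
 *       returns {@code null}, {@code verifyEvidence} returns {@code false} and every support level
 *       is {@code UNSUPPORTED}. Whatever proves that the caller really is local is not visible in
 *       this class.</li>
 *   <li>Configuring the allowed users as {@link PathElement#WILDCARD_VALUE} switches the name
 *       allow-list off entirely; every presented name is then accepted.</li>
 *   <li>NOTE(review): {@code allowAll} and {@code allowedUsersSet} are plain, unsynchronised state
 *       written by {@code start}/{@code stop} and read by handlers. Presumably the service
 *       container orders those calls; confirm.</li>
 * </ul>
 */
public class LocalCallbackHandlerService implements Service, CallbackHandlerService {
    /** Last element of the service name built by {@link ServiceUtil#createServiceName(String)}. */
    private static final String SERVICE_SUFFIX = "local";
    private final Consumer<CallbackHandlerService> callbackHandlerServiceConsumer;
    private final String defaultUser;
    private final String allowedUsers;
    /** Set by {@link #start(StartContext)} when the allowed users value is the wildcard. */
    private boolean allowAll;
    /** Exact-match allow-list; populated in {@link #start(StartContext)}, cleared in stop. */
    private final Set<String> allowedUsersSet = new HashSet<>();
    private final boolean skipGroupLoading;

    /**
     * Callback handler that gates the presented user name and the authorization decision.
     */
    private final class LocalCallbackHandler implements CallbackHandler {
        private final Map<String, Object> sharedState;

        private LocalCallbackHandler(Map<String, Object> map) {
            this.sharedState = map;
        }

        /**
         * Handles {@link NameCallback} and {@link AuthorizeCallback}; any other callback type is
         * rejected.
         *
         * @param callbackArr callbacks supplied by the authentication mechanism
         * @throws IOException when the name in a {@code NameCallback} is not permitted (the
         *     exception is created by {@code invalidLocalUser}; presumably an IOException subtype,
         *     its declaration is not visible here)
         * @throws UnsupportedCallbackException for any callback other than the two handled types
         */
        @Override
        public void handle(Callback[] callbackArr) throws IOException, UnsupportedCallbackException {
            for (Callback callback : callbackArr) {
                if (callback instanceof NameCallback) {
                    String presentedName = ((NameCallback) callback).getDefaultName();
                    if (!isUserAllowed(presentedName)) {
                        // NOTE(review): if the name originates from the client it reaches the
                        // trace log unmodified; confirm the log formatter neutralises newlines.
                        DomainManagementLogger.SECURITY_LOGGER.tracef("Username '%s' is not permitted for local authentication.", presentedName);
                        throw DomainManagementLogger.ROOT_LOGGER.invalidLocalUser(presentedName);
                    }
                    continue;
                }
                if (!(callback instanceof AuthorizeCallback)) {
                    throw new UnsupportedCallbackException(callback);
                }

                AuthorizeCallback authorizeCallback = (AuthorizeCallback) callback;
                String authenticationId = authorizeCallback.getAuthenticationID();
                String authorizationId = authorizeCallback.getAuthorizationID();
                // Authorize only when the identity acts as itself. A missing authentication ID
                // is treated as "not authorized" rather than failing with a NullPointerException.
                boolean authorized = authenticationId != null && authenticationId.equals(authorizationId);
                if (!authorized) {
                    DomainManagementLogger.SECURITY_LOGGER.tracef("Checking 'AuthorizeCallback', authorized=false, authenticationID=%s, authorizationID=%s.", authenticationId, authorizationId);
                }
                authorizeCallback.setAuthorized(authorized);
                if (authorized && LocalCallbackHandlerService.this.skipGroupLoading) {
                    // Flag is left in the shared state for later stages; presumably they skip
                    // group lookup when it is present (the consumer is not visible here).
                    this.sharedState.put(SecurityRealmService.SKIP_GROUP_LOADING_KEY, Boolean.TRUE);
                }
            }
        }
    }

    /**
     * Elytron realm view of the same allow-list. It resolves identities by name only and supports
     * neither credential acquisition nor evidence verification.
     */
    private class LocalSecurityRealm implements org.wildfly.security.auth.server.SecurityRealm {

        /** Identity for an allowed name; it always exists and never verifies evidence itself. */
        private class LocalRealmIdentity implements RealmIdentity {
            private final Principal principal;

            LocalRealmIdentity(Principal principal) {
                this.principal = principal;
            }

            @Override
            public Principal getRealmIdentityPrincipal() {
                return this.principal;
            }

            @Override
            public SupportLevel getCredentialAcquireSupport(Class<? extends Credential> cls, String str) throws RealmUnavailableException {
                return LocalSecurityRealm.this.getCredentialAcquireSupport(cls, str);
            }

            @Override
            public SupportLevel getCredentialAcquireSupport(Class<? extends Credential> cls, String str, AlgorithmParameterSpec algorithmParameterSpec) throws RealmUnavailableException {
                return LocalSecurityRealm.this.getCredentialAcquireSupport(cls, str, algorithmParameterSpec);
            }

            /** Always {@code null}: this realm stores no credentials. */
            @Override
            public <C extends Credential> C getCredential(Class<C> cls) throws RealmUnavailableException {
                return null;
            }

            @Override
            public SupportLevel getEvidenceVerifySupport(Class<? extends Evidence> cls, String str) throws RealmUnavailableException {
                return LocalSecurityRealm.this.getEvidenceVerifySupport(cls, str);
            }

            /** Always {@code false}: evidence is never accepted through this identity. */
            @Override
            public boolean verifyEvidence(Evidence evidence) throws RealmUnavailableException {
                return false;
            }

            @Override
            public boolean exists() throws RealmUnavailableException {
                return true;
            }
        }

        private LocalSecurityRealm() {
        }

        /**
         * Returns an identity for the principal when its name passes the allow-list check,
         * otherwise {@link RealmIdentity#NON_EXISTENT}.
         */
        @Override
        public RealmIdentity getRealmIdentity(Principal principal) throws RealmUnavailableException {
            if (isUserAllowed(principal.getName())) {
                return new LocalRealmIdentity(principal);
            }
            return RealmIdentity.NON_EXISTENT;
        }

        @Override
        public SupportLevel getCredentialAcquireSupport(Class<? extends Credential> cls, String str) throws RealmUnavailableException {
            return SupportLevel.UNSUPPORTED;
        }

        @Override
        public SupportLevel getCredentialAcquireSupport(Class<? extends Credential> cls, String str, AlgorithmParameterSpec algorithmParameterSpec) throws RealmUnavailableException {
            return SupportLevel.UNSUPPORTED;
        }

        @Override
        public SupportLevel getEvidenceVerifySupport(Class<? extends Evidence> cls, String str) throws RealmUnavailableException {
            return SupportLevel.UNSUPPORTED;
        }
    }

    /** Helper for deriving this service's name from a realm name. */
    public static final class ServiceUtil {
        private ServiceUtil() {
        }

        /**
         * Builds the service name for the given realm by appending the {@code "local"} suffix to
         * the realm's own service name.
         *
         * @param str realm name passed on to the management {@code SecurityRealm.ServiceUtil}
         * @return the realm service name with the suffix appended
         */
        public static ServiceName createServiceName(String str) {
            // Fully qualified: the file imports two types named SecurityRealm.
            return org.jboss.as.domain.management.SecurityRealm.ServiceUtil.createServiceName(str).append(SERVICE_SUFFIX);
        }
    }

    /**
     * Creates the service. The decompiler reports that this constructor was package-private in the
     * original class.
     *
     * @param consumer receives this service on start and {@code null} on stop
     * @param str default user name, or {@code null}; when set it is always added to the allow-list
     * @param str2 allowed users: {@code null}, the wildcard value, or a delimited list of names
     * @param z whether group loading is to be skipped for identities authorized here
     */
    public LocalCallbackHandlerService(Consumer<CallbackHandlerService> consumer, String str, String str2, boolean z) {
        this.callbackHandlerServiceConsumer = consumer;
        this.defaultUser = str;
        this.allowedUsers = str2;
        this.skipGroupLoading = z;
    }

    /** Allow-list decision shared by the callback handler and the Elytron realm. */
    private boolean isUserAllowed(String name) {
        return this.allowAll || this.allowedUsersSet.contains(name);
    }

    @Override
    public AuthMechanism getPreferredMechanism() {
        return AuthMechanism.LOCAL;
    }

    @Override
    public Set<AuthMechanism> getSupplementaryMechanisms() {
        return Collections.emptySet();
    }

    /**
     * @return a single-entry map carrying the default user when one is configured, otherwise an
     *     empty map
     */
    @Override
    public Map<String, String> getConfigurationOptions() {
        if (this.defaultUser == null) {
            return Collections.emptyMap();
        }
        return Collections.singletonMap(RealmConfigurationConstants.LOCAL_DEFAULT_USER, this.defaultUser);
    }

    @Override
    public boolean isReadyForHttpChallenge() {
        return false;
    }

    @Override
    public CallbackHandler getCallbackHandler(Map<String, Object> map) {
        return new LocalCallbackHandler(map);
    }

    @Override
    public org.wildfly.security.auth.server.SecurityRealm getElytronSecurityRealm() {
        return new LocalSecurityRealm();
    }

    @Override
    public boolean allowGroupLoading() {
        return !this.skipGroupLoading;
    }

    /**
     * Builds the allow-list from the configured values and publishes this service to the consumer.
     *
     * <p>Names are stored exactly as they appear between delimiters: they are not trimmed, and an
     * empty segment is stored as an empty name. NOTE(review): a value such as {@code "a, b"}
     * therefore allows {@code " b"} rather than {@code "b"}; confirm whether the configuration
     * layer normalises the value before it gets here.
     */
    @Override
    public void start(StartContext startContext) {
        if (this.defaultUser != null) {
            this.allowedUsersSet.add(this.defaultUser);
        }
        if (this.allowedUsers != null) {
            if (PathElement.WILDCARD_VALUE.equals(this.allowedUsers)) {
                this.allowAll = true;
            } else {
                // NOTE(review): the delimiter is taken from an Infinispan class unrelated to
                // management security; this looks like the decompiler mapping an inlined string
                // literal onto a constant with the same value. Confirm against the original.
                Collections.addAll(this.allowedUsersSet, this.allowedUsers.split(GlobalXSiteAdminOperations.CACHE_DELIMITER));
            }
        }
        this.callbackHandlerServiceConsumer.accept(this);
    }

    /** Withdraws the service from the consumer and resets the allow-list state. */
    @Override
    public void stop(StopContext stopContext) {
        this.callbackHandlerServiceConsumer.accept(null);
        this.allowAll = false;
        this.allowedUsersSet.clear();
    }
}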
