package org.jboss.as.remoting;

import java.io.IOException;
import java.security.Principal;
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashSet;
import java.util.LinkedList;
import java.util.Map;
import java.util.Set;
import java.util.UUID;
import javax.net.ssl.SSLContext;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.jboss.as.controller.security.InetAddressPrincipal;
import org.jboss.as.core.security.RealmUser;
import org.jboss.as.core.security.SubjectUserInfo;
import org.jboss.as.core.security.UniqueIdUserInfo;
import org.jboss.as.domain.management.AuthMechanism;
import org.jboss.as.domain.management.RealmConfigurationConstants;
import org.jboss.as.domain.management.SecurityRealm;
import org.jboss.as.remoting.logging.RemotingLogger;
import org.jboss.remoting3.Remoting;
import org.jboss.remoting3.security.AuthorizingCallbackHandler;
import org.jboss.remoting3.security.ServerAuthenticationProvider;
import org.jboss.remoting3.security.SimpleUserInfo;
import org.jboss.remoting3.security.UserInfo;
import org.jboss.remoting3.security.UserPrincipal;
import org.jboss.sasl.callback.DigestHashCallback;
import org.jboss.sasl.callback.VerifyPasswordCallback;
import org.jboss.sasl.gssapi.SubjectFactory;
import org.jboss.sasl.gssapi.SubjectIdentity;
import org.xnio.Option;
import org.xnio.OptionMap;
import org.xnio.Options;
import org.xnio.Property;
import org.xnio.Sequence;
import org.xnio.SslClientAuthMode;
import org.xnio.Xnio;
import org.xnio.ssl.JsseXnioSsl;
import org.xnio.ssl.XnioSsl;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:org/jboss/as/remoting/RealmSecurityProvider.class */
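/**
 * Builds the SASL/SSL options and the per-mechanism callback handlers used by a Remoting
 * connector, based on an optional management {@link SecurityRealm}.
 *
 * <p>With no realm, only {@code ANONYMOUS} is offered and SSL is switched off, so nothing in this
 * class authenticates or encrypts such an endpoint. With a realm, the advertised mechanisms mirror
 * {@link SecurityRealm#getSupportedAuthenticationMechanisms()}.
 *
 * <p>Compared with the decompiled listing, the collections and {@code OptionMap.Builder.set} calls
 * carry their generic types again (the raw types and nested {@code Option<Option<..>>} casts do not
 * type-check). Runtime behaviour is unchanged.
 */
public class RealmSecurityProvider implements RemotingSecurityProvider {
    static final String SASL_OPT_REALM_PROPERTY = "com.sun.security.sasl.digest.realm";
    static final String SASL_OPT_ALT_PROTO_PROPERTY = "org.jboss.sasl.digest.alternative_protocols";
    static final String SASL_OPT_PRE_DIGESTED_PROPERTY = "org.jboss.sasl.digest.pre_digested";
    static final String SASL_OPT_LOCAL_DEFAULT_USER = "jboss.sasl.local-user.default-user";
    static final String SASL_OPT_LOCAL_USER_CHALLENGE_PATH = "jboss.sasl.local-user.challenge-path";
    static final String SASL_OPT_SUBJECT_FACTORY = "org.jboss.sasl.gssapi.subject_factory";
    static final String ANONYMOUS = "ANONYMOUS";
    static final String DIGEST_MD5 = "DIGEST-MD5";
    static final String EXTERNAL = "EXTERNAL";
    static final String GSSAPI = "GSSAPI";
    static final String JBOSS_LOCAL_USER = "JBOSS-LOCAL-USER";
    static final String PLAIN = "PLAIN";

    /** Realm backing authentication; {@code null} selects the anonymous-only configuration. */
    private final SecurityRealm realm;
    /** Optional handler consulted before the realm for DIGEST-MD5, PLAIN and GSSAPI. */
    private final CallbackHandler serverCallbackHandler;
    /** Directory passed to the local-user mechanism as its challenge path; may be {@code null}. */
    private final String tokensDir;

    /**
     * Adapts a domain-management {@code AuthorizingCallbackHandler} to the Remoting
     * {@link AuthorizingCallbackHandler} contract.
     */
    public class RealmCallbackHandler implements AuthorizingCallbackHandler {
        private final org.jboss.as.domain.management.AuthorizingCallbackHandler innerHandler;

        RealmCallbackHandler(org.jboss.as.domain.management.AuthorizingCallbackHandler authorizingCallbackHandler) {
            this.innerHandler = authorizingCallbackHandler;
        }

        /** Delegates callback processing to the wrapped realm handler unchanged. */
        @Override
        public void handle(Callback[] callbackArr) throws IOException, UnsupportedCallbackException {
            this.innerHandler.handle(callbackArr);
        }

        /**
         * Converts the principals established by Remoting into a realm-backed {@link UserInfo}.
         *
         * <p>Only {@link UserPrincipal}s are passed to the realm for authorization, each wrapped as
         * a {@link RealmUser}. The original Remoting principals and the peer address are added to
         * the resulting {@link Subject} afterwards.
         *
         * @param collection principals produced by the Remoting authentication exchange
         * @return a user info wrapping the realm's subject and carrying a fresh unique id
         * @throws IOException if the realm handler fails to build the subject
         */
        @Override
        public UserInfo createUserInfo(Collection<Principal> collection) throws IOException {
            Collection<Principal> realmPrincipals = new ArrayList<Principal>(collection.size());
            InetAddressPrincipal peerAddress = null;
            for (Principal principal : collection) {
                if (principal instanceof UserPrincipal) {
                    if (RealmSecurityProvider.this.realm != null) {
                        realmPrincipals.add(new RealmUser(RealmSecurityProvider.this.realm.getName(), principal.getName()));
                    } else {
                        realmPrincipals.add(new RealmUser(principal.getName()));
                    }
                } else if (principal instanceof org.jboss.remoting3.security.InetAddressPrincipal) {
                    // Translate the Remoting address principal into the controller's own type.
                    peerAddress = new InetAddressPrincipal(((org.jboss.remoting3.security.InetAddressPrincipal) principal).getInetAddress());
                }
            }
            SubjectUserInfo realmUserInfo = this.innerHandler.createSubjectUserInfo(realmPrincipals);
            Subject subject = realmUserInfo.getSubject();
            // Added after the realm built the subject, so they are not inputs to the realm's
            // authorization step above.
            subject.getPrincipals().addAll(collection);
            if (peerAddress != null) {
                subject.getPrincipals().add(peerAddress);
            }
            return new RealmSubjectUserInfo(realmUserInfo);
        }
    }

    /**
     * GSSAPI subject factory that obtains the server's identity from the realm.
     *
     * <p>It is only registered by {@link #getOptionMap()} when the realm is non-null and supports
     * Kerberos, so {@code realm} is dereferenced here without a null check.
     */
    private class RealmSubjectFactory implements SubjectFactory {
        private RealmSubjectFactory() {
        }

        /**
         * @return an identity backed by the realm's subject identity, or {@code null} when the
         *         realm has none for the given arguments
         */
        public SubjectIdentity getSubjectIdentity(String str, String str2) {
            final org.jboss.as.domain.management.SubjectIdentity subjectIdentity = RealmSecurityProvider.this.realm.getSubjectIdentity(str, str2);
            if (subjectIdentity == null) {
                return null;
            }
            return new SubjectIdentity() {
                public Subject getSubject() {
                    return subjectIdentity.getSubject();
                }

                public void dispose() {
                    // Disposing the SASL-side identity logs the realm identity out.
                    subjectIdentity.logout();
                }
            };
        }
    }

    /**
     * {@link SubjectUserInfo} decorator that also satisfies Remoting's {@link UserInfo} and adds a
     * per-instance identifier.
     */
    public static class RealmSubjectUserInfo implements SubjectUserInfo, UserInfo, UniqueIdUserInfo {
        private final SubjectUserInfo subjectUserInfo;
        private final String id;

        private RealmSubjectUserInfo(SubjectUserInfo subjectUserInfo) {
            this.subjectUserInfo = subjectUserInfo;
            // Random (type 4) UUID, generated once per authenticated identity object.
            this.id = UUID.randomUUID().toString();
        }

        @Override
        public String getUserName() {
            return this.subjectUserInfo.getUserName();
        }

        @Override
        public Collection<Principal> getPrincipals() {
            return this.subjectUserInfo.getPrincipals();
        }

        @Override
        public Subject getSubject() {
            return this.subjectUserInfo.getSubject();
        }

        @Override
        public String getId() {
            return this.id;
        }
    }

    /**
     * @param securityRealm   realm to authenticate against, or {@code null} for anonymous-only access
     * @param callbackHandler optional server handler tried before the realm; may be {@code null}
     * @param str             challenge directory for the local-user mechanism; may be {@code null}
     */
    public RealmSecurityProvider(SecurityRealm securityRealm, CallbackHandler callbackHandler, String str) {
        this.realm = securityRealm;
        this.serverCallbackHandler = callbackHandler;
        this.tokensDir = str;
    }

    /**
     * Assembles the SASL mechanism list, SASL properties and SSL flags for the connector.
     *
     * <p>Mechanisms are offered in this order: {@code EXTERNAL} (inserted first when client-cert
     * authentication is supported and an SSL context exists), {@code JBOSS-LOCAL-USER},
     * {@code GSSAPI}, {@code DIGEST-MD5}, {@code PLAIN}.
     *
     * @return the option map to apply to the connector
     * @throws RuntimeException (from {@code RemotingLogger}) when the realm yields no usable mechanism
     */
    @Override
    public OptionMap getOptionMap() {
        LinkedList<String> mechanisms = new LinkedList<String>();
        Set<Property> saslProperties = new HashSet<Property>();
        OptionMap.Builder builder = OptionMap.builder();
        if (this.realm == null) {
            // No realm: anonymous access over a connection with SSL disabled. Neither peer
            // authentication nor transport encryption is configured on this path.
            mechanisms.add(ANONYMOUS);
            builder.set(Options.SASL_POLICY_NOANONYMOUS, false);
            builder.set(Options.SSL_ENABLED, false);
        } else {
            Set<AuthMechanism> supported = this.realm.getSupportedAuthenticationMechanisms();
            if (supported.contains(AuthMechanism.LOCAL)) {
                mechanisms.add(JBOSS_LOCAL_USER);
                Map<String, String> localConfig = this.realm.getMechanismConfig(AuthMechanism.LOCAL);
                if (localConfig.containsKey(RealmConfigurationConstants.LOCAL_DEFAULT_USER)) {
                    saslProperties.add(Property.of(SASL_OPT_LOCAL_DEFAULT_USER, localConfig.get(RealmConfigurationConstants.LOCAL_DEFAULT_USER)));
                }
                if (this.tokensDir != null) {
                    // NOTE(review): the property name suggests challenge files are written under
                    // this directory; confirm it is readable only by the intended local OS users.
                    saslProperties.add(Property.of(SASL_OPT_LOCAL_USER_CHALLENGE_PATH, this.tokensDir));
                }
            }
            if (supported.contains(AuthMechanism.KERBEROS)) {
                mechanisms.add(GSSAPI);
                saslProperties.add(Property.of(SASL_OPT_SUBJECT_FACTORY, new RealmSubjectFactory()));
            }
            if (supported.contains(AuthMechanism.DIGEST)) {
                // DIGEST-MD5 was moved to Historic status by RFC 6331; it is kept here because the
                // realm advertises it, but it should not be the only protection on an exposed port.
                mechanisms.add(DIGEST_MD5);
                saslProperties.add(Property.of(SASL_OPT_REALM_PROPERTY, this.realm.getName()));
                saslProperties.add(Property.of(SASL_OPT_ALT_PROTO_PROPERTY, "remote,remoting"));
                Map<String, String> digestConfig = this.realm.getMechanismConfig(AuthMechanism.DIGEST);
                // Defaults to true when the realm does not state otherwise.
                boolean plainText = true;
                if (digestConfig.containsKey(RealmConfigurationConstants.DIGEST_PLAIN_TEXT)) {
                    plainText = Boolean.parseBoolean(digestConfig.get(RealmConfigurationConstants.DIGEST_PLAIN_TEXT));
                }
                if (!plainText) {
                    // Realm does not hand out plain-text passwords, so tell the mechanism to expect
                    // pre-digested values.
                    saslProperties.add(Property.of(SASL_OPT_PRE_DIGESTED_PROPERTY, Boolean.TRUE.toString()));
                }
            }
            if (supported.contains(AuthMechanism.PLAIN)) {
                // PLAIN is enabled regardless of whether the realm has an SSL context (checked
                // below). On a realm without one, SSL_ENABLED ends up false and PLAIN credentials
                // would travel unencrypted. NOTE(review): confirm PLAIN realms always carry an
                // SSL context, or enforce that in configuration.
                mechanisms.add(PLAIN);
                builder.set(Options.SASL_POLICY_NOPLAINTEXT, false);
            }
            if (this.realm.getSSLContext() == null) {
                builder.set(Options.SSL_ENABLED, false);
            } else if (supported.contains(AuthMechanism.CLIENT_CERT)) {
                builder.set(Options.SSL_ENABLED, true);
                builder.set(Options.SSL_STARTTLS, true);
                mechanisms.add(0, EXTERNAL);
                // REQUESTED, not REQUIRED: a client that presents no certificate can still connect
                // and use any of the other mechanisms in the list.
                builder.set(Options.SSL_CLIENT_AUTH_MODE, SslClientAuthMode.REQUESTED);
            } else {
                builder.set(Options.SSL_ENABLED, true);
                // STARTTLS mode: the connection starts in the clear and is upgraded on demand.
                // NOTE(review): whether the upgrade is forced before SASL runs is decided outside
                // this class.
                builder.set(Options.SSL_STARTTLS, true);
            }
        }
        if (mechanisms.isEmpty()) {
            throw RemotingLogger.ROOT_LOGGER.noSupportingMechanismsForRealm();
        }
        builder.set(Options.SASL_MECHANISMS, Sequence.of(mechanisms));
        builder.set(Options.SASL_PROPERTIES, Sequence.of(saslProperties));
        return builder.getMap();
    }

    /**
     * Exposes {@link #getCallbackHandler(String)} through Remoting's provider interface.
     *
     * <p>Every non-null handler returned by {@link #getCallbackHandler(String)} in this class is
     * already an {@link AuthorizingCallbackHandler}. The wrapping branch therefore matters only for
     * subclasses, or for a {@code null} result from an unrecognised mechanism name. In the
     * {@code null} case the wrapper's {@code handle} would fail with a
     * {@code NullPointerException}. NOTE(review): confirm Remoting never asks for a mechanism that
     * was not advertised.
     */
    @Override
    public ServerAuthenticationProvider getServerAuthenticationProvider() {
        return new ServerAuthenticationProvider() {
            @Override
            public AuthorizingCallbackHandler getCallbackHandler(String str) {
                final CallbackHandler delegate = RealmSecurityProvider.this.getCallbackHandler(str);
                if (delegate instanceof AuthorizingCallbackHandler) {
                    return (AuthorizingCallbackHandler) delegate;
                }
                return new AuthorizingCallbackHandler() {
                    @Override
                    public void handle(Callback[] callbackArr) throws IOException, UnsupportedCallbackException {
                        delegate.handle(callbackArr);
                    }

                    @Override
                    public UserInfo createUserInfo(Collection<Principal> collection) {
                        // No realm authorization on this path: the principals are used as given.
                        return new SimpleUserInfo(collection);
                    }
                };
            }
        };
    }

    /**
     * @return an XNIO SSL provider built from the realm's {@link SSLContext}, or {@code null} when
     *         there is no realm or the realm has no SSL context
     */
    @Override
    public XnioSsl getXnioSsl() {
        if (this.realm == null) {
            return null;
        }
        SSLContext sslContext = this.realm.getSSLContext();
        if (sslContext == null) {
            return null;
        }
        return new JsseXnioSsl(Xnio.getInstance(Remoting.class.getClassLoader()), OptionMap.EMPTY, sslContext);
    }

    /**
     * Returns the callback handler for one SASL mechanism.
     *
     * <p>{@code ANONYMOUS} is served only when no realm is configured. {@code JBOSS-LOCAL-USER}
     * and {@code EXTERNAL} always go straight to the realm. For {@code DIGEST-MD5}, {@code PLAIN}
     * and {@code GSSAPI} a configured {@code serverCallbackHandler} is consulted first and the
     * realm is used only if the server handler did not supply or verify a credential.
     *
     * <p>NOTE(review): with a {@code null} realm, every mechanism name other than
     * {@code ANONYMOUS} that is recognised here dereferences {@code realm} and throws a
     * {@code NullPointerException}. {@link #getOptionMap()} advertises only {@code ANONYMOUS} in
     * that configuration.
     *
     * @param str SASL mechanism name
     * @return the handler, or {@code null} for an unrecognised mechanism name
     */
    public CallbackHandler getCallbackHandler(String str) {
        if (ANONYMOUS.equals(str) && this.realm == null) {
            return new RealmCallbackHandler(new org.jboss.as.domain.management.AuthorizingCallbackHandler() {
                @Override
                public void handle(Callback[] callbackArr) throws IOException, UnsupportedCallbackException {
                    // ANONYMOUS must not raise any callback; reject the first one seen.
                    if (callbackArr.length > 0) {
                        throw RemotingLogger.ROOT_LOGGER.anonymousMechanismNotExpected(callbackArr[0]);
                    }
                }

                @Override
                public SubjectUserInfo createSubjectUserInfo(Collection<Principal> collection) throws IOException {
                    final Subject subject = new Subject();
                    Set<Principal> principals = subject.getPrincipals();
                    for (Principal principal : collection) {
                        principals.add(principal);
                        if (principal instanceof UserPrincipal) {
                            principals.add(new RealmUser(principal.getName()));
                        } else if (principal instanceof org.jboss.remoting3.security.InetAddressPrincipal) {
                            principals.add(new InetAddressPrincipal(((org.jboss.remoting3.security.InetAddressPrincipal) principal).getInetAddress()));
                        }
                    }
                    // Resolved eagerly: throws NoSuchElementException if the input carried no
                    // UserPrincipal (and therefore no RealmUser was added above).
                    final String name = ((RealmUser) subject.getPrincipals(RealmUser.class).iterator().next()).getName();
                    return new SubjectUserInfo() {
                        @Override
                        public String getUserName() {
                            return name;
                        }

                        @Override
                        public Subject getSubject() {
                            return subject;
                        }

                        @Override
                        public Collection<Principal> getPrincipals() {
                            return subject.getPrincipals();
                        }
                    };
                }
            });
        }
        if (JBOSS_LOCAL_USER.equals(str)) {
            return new RealmCallbackHandler(this.realm.getAuthorizingCallbackHandler(AuthMechanism.LOCAL));
        }
        if (EXTERNAL.equals(str)) {
            return new RealmCallbackHandler(this.realm.getAuthorizingCallbackHandler(AuthMechanism.CLIENT_CERT));
        }

        final RealmCallbackHandler realmHandler;
        if (DIGEST_MD5.equals(str)) {
            realmHandler = new RealmCallbackHandler(this.realm.getAuthorizingCallbackHandler(AuthMechanism.DIGEST));
        } else if (PLAIN.equals(str)) {
            realmHandler = new RealmCallbackHandler(this.realm.getAuthorizingCallbackHandler(AuthMechanism.PLAIN));
        } else if (GSSAPI.equals(str)) {
            realmHandler = new RealmCallbackHandler(this.realm.getAuthorizingCallbackHandler(AuthMechanism.KERBEROS));
        } else {
            return null;
        }
        if (this.serverCallbackHandler == null) {
            return realmHandler;
        }

        // A new handler is created per call and holds per-authentication state (serverHandled),
        // so an instance must not be reused across authentication attempts.
        return new AuthorizingCallbackHandler() {
            private boolean serverHandled = false;

            @Override
            public void handle(Callback[] callbackArr) throws IOException, UnsupportedCallbackException {
                // The server handler always runs first; the realm only sees the callbacks when
                // the server handler left them unanswered.
                RealmSecurityProvider.this.serverCallbackHandler.handle(callbackArr);
                if (handled(callbackArr)) {
                    this.serverHandled = true;
                } else {
                    realmHandler.handle(callbackArr);
                }
            }

            /**
             * Decides from the first credential-style callback whether the server handler
             * answered: a non-empty password, a verified password, or a non-null digest hash.
             */
            private boolean handled(Callback[] callbackArr) {
                for (Callback callback : callbackArr) {
                    if (callback instanceof PasswordCallback) {
                        char[] password = ((PasswordCallback) callback).getPassword();
                        return password != null && password.length > 0;
                    }
                    if (callback instanceof VerifyPasswordCallback) {
                        return ((VerifyPasswordCallback) callback).isVerified();
                    }
                    if (callback instanceof DigestHashCallback) {
                        return ((DigestHashCallback) callback).getHash() != null;
                    }
                }
                return false;
            }

            @Override
            public UserInfo createUserInfo(Collection<Principal> collection) throws IOException {
                if (!this.serverHandled) {
                    return realmHandler.createUserInfo(collection);
                }
                // Identity was established by the server handler, so the realm's authorization
                // step (createSubjectUserInfo) is not run for it.
                final Subject subject = new Subject();
                Set<Principal> principals = subject.getPrincipals();
                for (Principal principal : collection) {
                    principals.add(principal);
                    // NOTE(review): unlike the other mappings in this class, every principal is
                    // wrapped as a RealmUser here, not just UserPrincipal instances, and
                    // getUserName() below returns the first RealmUser it finds. Confirm that a
                    // non-user principal (e.g. an address principal) cannot become the user name.
                    principals.add(new RealmUser(principal.getName()));
                }
                return new RealmSubjectUserInfo(new SubjectUserInfo() {
                    @Override
                    public String getUserName() {
                        return ((RealmUser) subject.getPrincipals(RealmUser.class).iterator().next()).getName();
                    }

                    @Override
                    public Subject getSubject() {
                        return subject;
                    }

                    @Override
                    public Collection<Principal> getPrincipals() {
                        return subject.getPrincipals();
                    }
                });
            }
        };
    }
}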
