package org.jboss.as.domain.management.access;

import java.security.AccessController;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Iterator;
import java.util.Locale;
import org.jboss.as.controller.OperationContext;
import org.jboss.as.controller.OperationFailedException;
import org.jboss.as.controller.OperationStepHandler;
import org.jboss.as.controller.PathAddress;
import org.jboss.as.controller.PathElement;
import org.jboss.as.controller.descriptions.ModelDescriptionConstants;
import org.jboss.as.controller.operations.common.Util;
import org.jboss.as.controller.registry.Resource;
import org.jboss.as.domain.management.CoreManagementResourceDefinition;
import org.jboss.as.domain.management.access.AccessAuthorizationResourceDefinition;
import org.jboss.as.domain.management.logging.DomainManagementLogger;
import org.jboss.dmr.ModelNode;

/* loaded from: input_file:org/jboss/as/domain/management/access/RbacSanityCheckOperation.class */
/**
 * Operation step that rejects a management model in which RBAC is the selected
 * access-control provider but no role mapping would match anyone.
 *
 * <p>The step is queued through {@link #addOperation(OperationContext)}, which adds the
 * shared instance at most once per {@link OperationContext} (tracked with an attachment)
 * and only when the context reports a normal server.
 *
 * <p>A role mapping counts as usable when its model has {@code include-all} defined and
 * true, or when it has at least one {@code include} child. The check does not look at
 * which role the mapping belongs to, nor at what the include entries contain.
 */
public class RbacSanityCheckOperation implements OperationStepHandler {
    /** Attachment key marking a context on which the sanity-check step is already queued. */
    private static final OperationContext.AttachmentKey<RbacSanityCheckOperation> KEY = OperationContext.AttachmentKey.create(RbacSanityCheckOperation.class);
    /** The handler holds no state of its own, so a single instance is shared by every context. */
    private static final RbacSanityCheckOperation INSTANCE = new RbacSanityCheckOperation();

    /**
     * Reads the access-authorization part of the management resource on behalf of the check.
     *
     * <p>The decompiler reports that this class was declared {@code private} in the
     * original; its constructor is still private, so only the enclosing class creates it.
     */
    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/jboss/as/domain/management/access/RbacSanityCheckOperation$ModelChecker.class */
    public static class ModelChecker {
        private final OperationContext context;
        private final Resource managementResource;
        // Lazily filled by getAccessAuthorization(); stays null while the model is unavailable.
        private ModelNode accessAuthorization;

        private ModelChecker(OperationContext operationContext, Resource resource) {
            this.context = operationContext;
            this.managementResource = resource;
        }

        /** Builds the path element of the {@code access=authorization} child resource. */
        private static PathElement authorizationElement() {
            return PathElement.pathElement("access", "authorization");
        }

        /**
         * Tells whether the resolved {@code provider} attribute selects RBAC.
         *
         * @return {@code true} when the upper-cased provider name maps to {@code Provider.RBAC}
         * @throws OperationFailedException if the attribute cannot be resolved
         */
        boolean isRbacEnabled() throws OperationFailedException {
            // NOTE(review): getAccessAuthorization() yields null when the child resource is
            // missing or its model is undefined, and that null is handed to
            // resolveModelAttribute unchanged. Confirm the callee tolerates it.
            ModelNode authorization = getAccessAuthorization();
            String providerName = AccessAuthorizationResourceDefinition.PROVIDER
                    .resolveModelAttribute(this.context, authorization)
                    .asString()
                    .toUpperCase(Locale.ENGLISH);
            return AccessAuthorizationResourceDefinition.Provider.valueOf(providerName)
                    == AccessAuthorizationResourceDefinition.Provider.RBAC;
        }

        /**
         * Looks for at least one role mapping that would include somebody.
         *
         * @return {@code true} as soon as a mapping has {@code include-all} set to true or
         *         owns one or more {@code include} children; {@code false} if none does
         * @throws OperationFailedException declared by the original signature
         */
        boolean doRoleMappingsExist() throws OperationFailedException {
            // NOTE(review): unlike getAccessAuthorization(), there is no hasChild() guard here.
            // execute() only reaches this method after isRbacEnabled() returned true.
            Resource authorization = this.managementResource.getChild(authorizationElement());
            for (String roleName : authorization.getChildrenNames("role-mapping")) {
                Resource roleMapping = authorization.getChild(PathElement.pathElement("role-mapping", roleName));
                ModelNode mappingModel = roleMapping.getModel();
                boolean includesEveryone = mappingModel.get(ModelDescriptionConstants.INCLUDE_ALL).isDefined()
                        && mappingModel.require(ModelDescriptionConstants.INCLUDE_ALL).asBoolean();
                if (includesEveryone) {
                    return true;
                }
                if (!roleMapping.getChildren(ModelDescriptionConstants.INCLUDE).isEmpty()) {
                    return true;
                }
            }
            return false;
        }

        /**
         * Returns the model of the {@code access=authorization} child, caching it after the
         * first successful lookup.
         *
         * @return the cached model, or {@code null} while the child is absent or has no
         *         defined model
         */
        private ModelNode getAccessAuthorization() {
            if (this.accessAuthorization != null) {
                return this.accessAuthorization;
            }
            PathElement element = authorizationElement();
            if (!this.managementResource.hasChild(element)) {
                return this.accessAuthorization;
            }
            Resource authorization = this.managementResource.getChild(element);
            if (authorization.isModelDefined()) {
                this.accessAuthorization = authorization.getModel();
            }
            return this.accessAuthorization;
        }
    }

    private RbacSanityCheckOperation() {
    }

    /**
     * Runs the consistency check inside a privileged action.
     *
     * <p>The resource at the empty address is read inside {@code doPrivileged}, so the
     * model reads are evaluated with this class's own permissions rather than the caller's.
     *
     * @param operationContext context used to read the resource and resolve attributes
     * @param modelNode the operation node; not consulted by this handler
     * @throws OperationFailedException when RBAC is enabled and no usable role mapping
     *         exists, or when the privileged action fails with another checked exception
     */
    @Override // org.jboss.as.controller.OperationStepHandler
    public void execute(final OperationContext operationContext, ModelNode modelNode) throws OperationFailedException {
        try {
            AccessController.doPrivileged(new PrivilegedExceptionAction<Void>() { // from class: org.jboss.as.domain.management.access.RbacSanityCheckOperation.1
                /* JADX WARN: Can't rename method to resolve collision */
                @Override // java.security.PrivilegedExceptionAction
                public Void run() throws OperationFailedException {
                    Resource root = operationContext.readResource(PathAddress.EMPTY_ADDRESS);
                    ModelChecker checker = new ModelChecker(operationContext, root);
                    // The role mappings are inspected only once RBAC is known to be the provider.
                    if (checker.isRbacEnabled() && !checker.doRoleMappingsExist()) {
                        throw DomainManagementLogger.ROOT_LOGGER.inconsistentRbacConfiguration();
                    }
                    return null;
                }
            });
        } catch (PrivilegedActionException e) {
            // doPrivileged wraps checked exceptions; unwrap so callers see the real failure.
            Exception cause = e.getException();
            if (cause instanceof OperationFailedException) {
                throw (OperationFailedException) cause;
            }
            throw new OperationFailedException(cause);
        }
    }

    /**
     * Queues the sanity check on the given context unless it is already queued there.
     *
     * <p>Nothing is added when the context is not a normal server.
     *
     * @param operationContext the context that receives the MODEL-stage step
     */
    public static void addOperation(OperationContext operationContext) {
        if (operationContext.getAttachment(KEY) != null) {
            return;
        }
        if (!operationContext.isNormalServer()) {
            return;
        }
        operationContext.addStep(createOperation(), INSTANCE, OperationContext.Stage.MODEL);
        operationContext.attach(KEY, INSTANCE);
    }

    /** Creates the empty {@code rbac-sanity-check} operation addressed at the core management resource. */
    private static ModelNode createOperation() {
        PathAddress managementAddress = PathAddress.pathAddress(CoreManagementResourceDefinition.PATH_ELEMENT);
        return Util.createEmptyOperation("rbac-sanity-check", managementAddress);
    }
}
