package org.wildfly.security.auth.server;

import java.security.AccessController;
import java.security.Principal;
import java.security.spec.AlgorithmParameterSpec;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.ScheduledThreadPoolExecutor;
import java.util.concurrent.ThreadFactory;
import java.util.function.Consumer;
import java.util.function.Function;
import java.util.function.Predicate;
import java.util.function.Supplier;
import java.util.function.UnaryOperator;
import org.jboss.threads.JBossThreadFactory;
import org.wildfly.common.Assert;
import org.wildfly.common.function.ExceptionBiFunction;
import org.wildfly.common.function.ExceptionFunction;
import org.wildfly.security._private.ElytronMessages;
import org.wildfly.security.auth.SupportLevel;
import org.wildfly.security.auth.principal.AnonymousPrincipal;
import org.wildfly.security.auth.principal.NamePrincipal;
import org.wildfly.security.auth.principal.RealmNestedPrincipal;
import org.wildfly.security.auth.server.event.SecurityEvent;
import org.wildfly.security.authz.AuthorizationIdentity;
import org.wildfly.security.authz.PermissionMapper;
import org.wildfly.security.authz.RoleDecoder;
import org.wildfly.security.authz.RoleMapper;
import org.wildfly.security.authz.Roles;
import org.wildfly.security.credential.BearerTokenCredential;
import org.wildfly.security.credential.Credential;
import org.wildfly.security.credential.PasswordCredential;
import org.wildfly.security.evidence.BearerTokenEvidence;
import org.wildfly.security.evidence.Evidence;
import org.wildfly.security.evidence.PasswordGuessEvidence;
import org.wildfly.security.http.HttpConstants;
import org.wildfly.security.password.interfaces.ClearPassword;
import org.wildfly.security.permission.ElytronPermission;
import org.wildfly.security.permission.PermissionVerifier;

/* loaded from: input_file:org/wildfly/security/auth/server/SecurityDomain.class */
public final class SecurityDomain {
    // Domain registered for each class loader: written by registerWithClassLoader and
    // unregisterClassLoader, read by getCurrent.
    private static final ConcurrentHashMap<ClassLoader, SecurityDomain> CLASS_LOADER_DOMAIN_MAP;
    // Realm info used by getRealmInfo when neither the requested nor the default realm resolves, and
    // given to the anonymous and ad hoc identities.
    private static final RealmInfo EMPTY_REALM_INFO;
    // Permissions checked against the installed SecurityManager (when there is one) before the matching
    // operation runs. NOTE(review): these finals have no initializer here, so they are presumably
    // assigned in a static initializer outside this view.
    static final ElytronPermission AUTHENTICATE;
    static final ElytronPermission CREATE_SECURITY_DOMAIN;
    static final ElytronPermission REGISTER_SECURITY_DOMAIN;
    static final ElytronPermission GET_SECURITY_DOMAIN;
    static final ElytronPermission UNREGISTER_SECURITY_DOMAIN;
    static final ElytronPermission CREATE_AUTH_CONTEXT;
    static final ElytronPermission GET_IDENTITY;
    static final ElytronPermission GET_IDENTITY_FOR_UPDATE;
    static final ElytronPermission CREATE_AD_HOC_IDENTITY;
    // Realms by name, in the map handed over by Builder.build().
    private final Map<String, RealmInfo> realmMap;
    // May be null; getRealmInfo and mapRealmName fall back to it.
    private final String defaultRealmName;
    // Principal decoder followed by the pre-realm rewriter (composed in the constructor).
    private final Function<Principal, Principal> preRealmPrincipalRewriter;
    private final RealmMapper realmMapper;
    private final Function<Principal, Principal> postRealmPrincipalRewriter;
    // Per-thread supplier of the current identity; its initial value is the anonymous identity.
    private final ThreadLocal<Supplier<SecurityIdentity>> currentSecurityIdentity;
    private final RoleMapper roleMapper;
    private final SecurityIdentity anonymousIdentity;
    private final PermissionMapper permissionMapper;
    // Snapshot of the builder's category role mappers taken in the constructor.
    private final Map<String, RoleMapper> categoryRoleMappers;
    private final UnaryOperator<SecurityIdentity> securityIdentityTransformer;
    // Copied from the builder, whose default rejects every domain; not consulted in the visible part
    // of this class.
    private final Predicate<SecurityDomain> trustedSecurityDomain;
    private final Consumer<SecurityEvent> securityEventListener;
    // Compiler-generated assertion switch surfaced by the decompiler; the AssertionError checks in this
    // class are skipped when it is true.
    static final /* synthetic */ boolean $assertionsDisabled;

    /* loaded from: input_file:org/wildfly/security/auth/server/SecurityDomain$Builder.class */
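    /**
     * Collects the configuration of a {@link SecurityDomain} and creates it with {@link #build()}.
     *
     * <p>A builder can be built once. Every setter rejects changes made after that, so a late change
     * to a security-relevant setting (trusted-domain predicate, identity transformer, event listener,
     * category role mappers) fails loudly instead of silently not applying to the built domain.
     */
    public static final class Builder {
        private String defaultRealmName;
        private boolean built = false;
        private final HashMap<String, RealmBuilder> realms = new HashMap<>();
        private Function<Principal, Principal> preRealmRewriter = Function.identity();
        private Function<Principal, Principal> principalDecoder = Function.identity();
        private Function<Principal, Principal> postRealmRewriter = Function.identity();
        private RealmMapper realmMapper = RealmMapper.DEFAULT_REALM_MAPPER;
        private RoleMapper roleMapper = RoleMapper.IDENTITY_ROLE_MAPPER;
        private PermissionMapper permissionMapper = PermissionMapper.EMPTY_PERMISSION_MAPPER;
        private Map<String, RoleMapper> categoryRoleMappers = Collections.emptyMap();
        private UnaryOperator<SecurityIdentity> securityIdentityTransformer = UnaryOperator.identity();
        // Default: no other security domain is trusted.
        private Predicate<SecurityDomain> trustedSecurityDomain = securityDomain -> false;
        // Default: security events are dropped.
        private Consumer<SecurityEvent> securityEventListener = securityEvent -> {
        };

        Builder() {
        }

        /**
         * Sets the pre-realm rewriter from a name rewriter.
         *
         * @param nameRewriter the rewriter, converted with {@code asPrincipalRewriter()}
         * @return this builder
         */
        public Builder setPreRealmRewriter(NameRewriter nameRewriter) {
            return setPreRealmRewriter(nameRewriter.asPrincipalRewriter());
        }

        /**
         * Sets the rewriter applied to a principal before the realm is selected.
         *
         * @param function the rewriter, not {@code null}
         * @return this builder
         */
        public Builder setPreRealmRewriter(Function<Principal, Principal> function) {
            Assert.checkNotNullParam("rewriter", function);
            assertNotBuilt();
            this.preRealmRewriter = function;
            return this;
        }

        /**
         * Sets the post-realm rewriter from a name rewriter.
         *
         * @param nameRewriter the rewriter, converted with {@code asPrincipalRewriter()}
         * @return this builder
         */
        public Builder setPostRealmRewriter(NameRewriter nameRewriter) {
            return setPostRealmRewriter(nameRewriter.asPrincipalRewriter());
        }

        /**
         * Sets the rewriter applied to a principal after the realm is selected.
         *
         * @param function the rewriter, not {@code null}
         * @return this builder
         */
        public Builder setPostRealmRewriter(Function<Principal, Principal> function) {
            Assert.checkNotNullParam("rewriter", function);
            assertNotBuilt();
            this.postRealmRewriter = function;
            return this;
        }

        /**
         * Sets the mapper that picks the realm for a principal.
         *
         * @param realmMapper the mapper, not {@code null}
         * @return this builder
         */
        public Builder setRealmMapper(RealmMapper realmMapper) {
            Assert.checkNotNullParam("realmMapper", realmMapper);
            assertNotBuilt();
            this.realmMapper = realmMapper;
            return this;
        }

        /**
         * Sets the domain-level role mapper.
         *
         * @param roleMapper the mapper, not {@code null}
         * @return this builder
         */
        public Builder setRoleMapper(RoleMapper roleMapper) {
            Assert.checkNotNullParam("roleMapper", roleMapper);
            assertNotBuilt();
            this.roleMapper = roleMapper;
            return this;
        }

        /**
         * Sets the permission mapper of the domain.
         *
         * @param permissionMapper the mapper, not {@code null}
         * @return this builder
         */
        public Builder setPermissionMapper(PermissionMapper permissionMapper) {
            Assert.checkNotNullParam("permissionMapper", permissionMapper);
            assertNotBuilt();
            this.permissionMapper = permissionMapper;
            return this;
        }

        /**
         * Sets the principal decoder, which the domain runs before the pre-realm rewriter.
         *
         * @param principalDecoder the decoder, not {@code null}
         * @return this builder
         */
        public Builder setPrincipalDecoder(PrincipalDecoder principalDecoder) {
            Assert.checkNotNullParam("principalDecoder", principalDecoder);
            assertNotBuilt();
            this.principalDecoder = principalDecoder.asPrincipalRewriter();
            return this;
        }

        /**
         * Starts the definition of a realm. The realm is only added to this builder once
         * {@link RealmBuilder#build()} is called on the returned object.
         *
         * @param str the realm name, not {@code null}
         * @param securityRealm the realm, not {@code null}
         * @return the builder for the realm
         */
        public RealmBuilder addRealm(String str, SecurityRealm securityRealm) {
            Assert.checkNotNullParam("name", str);
            Assert.checkNotNullParam("realm", securityRealm);
            assertNotBuilt();
            return new RealmBuilder(this, str, securityRealm);
        }

        // Called by RealmBuilder.build(); a realm with the same name replaces the earlier one.
        Builder addRealm(RealmBuilder realmBuilder) {
            this.realms.put(realmBuilder.getName(), realmBuilder);
            return this;
        }

        /**
         * @return the default realm name, or {@code null} if none was set
         */
        public String getDefaultRealmName() {
            return this.defaultRealmName;
        }

        /**
         * Sets the name of the realm used when the realm mapper yields no realm.
         *
         * @param str the realm name, not {@code null}
         * @return this builder
         */
        public Builder setDefaultRealmName(String str) {
            Assert.checkNotNullParam("defaultRealmName", str);
            assertNotBuilt();
            this.defaultRealmName = str;
            return this;
        }

        /**
         * @return the map passed to {@link #setCategoryRoleMappers(Map)} (the same instance, not a
         *         copy), or an empty map if none was set
         */
        public Map<String, RoleMapper> getCategoryRoleMappers() {
            return this.categoryRoleMappers;
        }

        /**
         * Sets the role mappers by category. The map is stored as given; the domain takes its own
         * snapshot when it is constructed.
         *
         * @param map the mappers, not {@code null}
         */
        public void setCategoryRoleMappers(Map<String, RoleMapper> map) {
            Assert.checkNotNullParam("categoryRoleMappers", map);
            assertNotBuilt();
            this.categoryRoleMappers = map;
        }

        /**
         * Sets the transformation applied to the anonymous identity when the domain is constructed.
         *
         * @param unaryOperator the transformer, not {@code null}
         * @return this builder
         */
        public Builder setSecurityIdentityTransformer(UnaryOperator<SecurityIdentity> unaryOperator) {
            Assert.checkNotNullParam("securityIdentityTransformer", unaryOperator);
            assertNotBuilt();
            this.securityIdentityTransformer = unaryOperator;
            return this;
        }

        /**
         * Sets the predicate that decides which other security domains this domain trusts. The default
         * trusts none.
         *
         * @param predicate the predicate, not {@code null}
         * @return this builder
         */
        public Builder setTrustedSecurityDomainPredicate(Predicate<SecurityDomain> predicate) {
            Assert.checkNotNullParam("trustedSecurityDomain", predicate);
            assertNotBuilt();
            this.trustedSecurityDomain = predicate;
            return this;
        }

        /**
         * Sets the listener for security events. The default listener discards them.
         *
         * @param consumer the listener, not {@code null}
         * @return this builder
         */
        public Builder setSecurityEventListener(Consumer<SecurityEvent> consumer) {
            Assert.checkNotNullParam("securityEventListener", consumer);
            assertNotBuilt();
            this.securityEventListener = consumer;
            return this;
        }

        /**
         * Creates the security domain. Requires {@code CREATE_SECURITY_DOMAIN} when a security manager
         * is installed, and fails if a default realm name was set that no added realm carries.
         *
         * @return the new domain
         */
        public SecurityDomain build() {
            SecurityManager securityManager = System.getSecurityManager();
            if (securityManager != null) {
                securityManager.checkPermission(SecurityDomain.CREATE_SECURITY_DOMAIN);
            }
            LinkedHashMap<String, RealmInfo> realmInfos = new LinkedHashMap<>(this.realms.size());
            for (RealmBuilder realmBuilder : this.realms.values()) {
                realmInfos.put(realmBuilder.getName(), new RealmInfo(realmBuilder));
            }
            if (this.defaultRealmName != null && !realmInfos.containsKey(this.defaultRealmName)) {
                throw ElytronMessages.log.realmMapDoesNotContainDefault(this.defaultRealmName);
            }
            assertNotBuilt();
            this.built = true;
            if (ElytronMessages.log.isTraceEnabled()) {
                ElytronMessages.log.tracef("Building security domain with defaultRealmName %s.", this.defaultRealmName);
                if (realmInfos.size() > 1) {
                    ElytronMessages.log.tracef("The following additional realms were added: %s.", realmInfos.keySet().toString());
                }
            }
            return new SecurityDomain(this, realmInfos);
        }

        // Rejects any use of the builder after build() has succeeded.
        void assertNotBuilt() {
            if (this.built) {
                throw ElytronMessages.log.builderAlreadyBuilt();
            }
        }
    }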

    /* loaded from: input_file:org/wildfly/security/auth/server/SecurityDomain$RealmBuilder.class */
    /**
     * Configures one realm of a security domain. The realm becomes part of the parent
     * {@link Builder} when {@link #build()} is called; the parent reads this object's settings when the
     * domain itself is built.
     */
    public static class RealmBuilder {
        private final Builder parent;
        private final String name;
        private final SecurityRealm realm;
        private RoleMapper roleMapper = RoleMapper.IDENTITY_ROLE_MAPPER;
        private Function<Principal, Principal> principalRewriter = Function.identity();
        private RoleDecoder roleDecoder = RoleDecoder.DEFAULT;
        // NOTE(review): nothing in the visible code ever sets this to true, so only the parent's
        // "already built" check can fire and setters still work after build() - confirm intent.
        private boolean built = false;

        RealmBuilder(Builder builder, String str, SecurityRealm securityRealm) {
            parent = builder;
            name = str;
            realm = securityRealm;
        }

        /** @return the realm name */
        public String getName() {
            return name;
        }

        /** @return the realm being configured */
        public SecurityRealm getRealm() {
            return realm;
        }

        /** @return the realm-level role mapper */
        public RoleMapper getRoleMapper() {
            return roleMapper;
        }

        /**
         * Sets the realm-level role mapper.
         *
         * @param roleMapper the mapper, not {@code null}
         * @return this realm builder
         */
        public RealmBuilder setRoleMapper(RoleMapper roleMapper) {
            assertNotBuilt();
            Assert.checkNotNullParam("roleMapper", roleMapper);
            this.roleMapper = roleMapper;
            return this;
        }

        /** @return the realm-level principal rewriter */
        public Function<Principal, Principal> getPrincipalRewriter() {
            return principalRewriter;
        }

        /**
         * Sets the realm-level principal rewriter.
         *
         * @param function the rewriter, not {@code null}
         * @return this realm builder
         */
        public RealmBuilder setPrincipalRewriter(Function<Principal, Principal> function) {
            Assert.checkNotNullParam("principalRewriter", function);
            assertNotBuilt();
            principalRewriter = function;
            return this;
        }

        /**
         * Sets the realm-level principal rewriter from a name rewriter.
         *
         * @param nameRewriter the rewriter, converted with {@code asPrincipalRewriter()}
         * @return this realm builder
         * @deprecated delegates to {@link #setPrincipalRewriter(Function)}
         */
        @Deprecated
        public RealmBuilder setNameRewriter(NameRewriter nameRewriter) {
            final Function<Principal, Principal> converted = nameRewriter.asPrincipalRewriter();
            return setPrincipalRewriter(converted);
        }

        /** @return the role decoder of the realm */
        public RoleDecoder getRoleDecoder() {
            return roleDecoder;
        }

        /**
         * Sets the role decoder of the realm.
         *
         * @param roleDecoder the decoder, not {@code null}
         * @return this realm builder
         */
        public RealmBuilder setRoleDecoder(RoleDecoder roleDecoder) {
            Assert.checkNotNullParam("roleDecoder", roleDecoder);
            assertNotBuilt();
            this.roleDecoder = roleDecoder;
            return this;
        }

        /**
         * Adds this realm to the parent builder.
         *
         * @return the parent builder
         */
        public Builder build() {
            assertNotBuilt();
            return parent.addRealm(this);
        }

        // Fails if the parent builder, or this builder, has already been built.
        private void assertNotBuilt() {
            parent.assertNotBuilt();
            if (!built) {
                return;
            }
            throw ElytronMessages.log.builderAlreadyBuilt();
        }
    }

    /* loaded from: input_file:org/wildfly/security/auth/server/SecurityDomain$ScheduledExecutorServiceProvider.class */
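    /**
     * Holder for the single-threaded scheduled executor of the security domain; the executor is
     * created when this class is initialized.
     */
    private static class ScheduledExecutorServiceProvider {
        // The explicit PrivilegedAction cast selects one doPrivileged overload: a bare lambda fits both
        // PrivilegedAction and PrivilegedExceptionAction. The thread factory is created inside
        // doPrivileged so that its creation does not depend on the permissions of the calling code.
        private static final ThreadFactory threadFactory = AccessController.doPrivileged(
                (java.security.PrivilegedAction<ThreadFactory>) () -> new JBossThreadFactory(new ThreadGroup("SecurityDomain ThreadGroup"), Boolean.FALSE, null, "%G - %t", null, null));
        private static final ScheduledThreadPoolExecutor INSTANCE = new ScheduledThreadPoolExecutor(1, threadFactory);

        private ScheduledExecutorServiceProvider() {
        }

        static {
            // Cancelled tasks leave the queue at once, and delayed tasks do not run after shutdown.
            INSTANCE.setRemoveOnCancelPolicy(true);
            INSTANCE.setExecuteExistingDelayedTasksAfterShutdownPolicy(false);
        }
    }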

    /* JADX WARN: Multi-variable type inference failed */
    /* JADX WARN: Type inference failed for: r0v25, types: [java.util.Map] */
    /* JADX WARN: Type inference failed for: r0v29, types: [java.util.Map] */
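    /**
     * Creates a domain from a finished builder. Called by {@link Builder#build()} only.
     *
     * @param builder the builder whose settings are copied
     * @param linkedHashMap the realms by name; stored as given, not copied
     */
    SecurityDomain(Builder builder, LinkedHashMap<String, RealmInfo> linkedHashMap) {
        this.realmMap = linkedHashMap;
        this.defaultRealmName = builder.defaultRealmName;
        // The principal decoder runs first, then the pre-realm rewriter.
        this.preRealmPrincipalRewriter = builder.principalDecoder.andThen(builder.preRealmRewriter);
        this.realmMapper = builder.realmMapper;
        this.roleMapper = builder.roleMapper;
        this.permissionMapper = builder.permissionMapper;
        this.postRealmPrincipalRewriter = builder.postRealmRewriter;
        this.securityIdentityTransformer = builder.securityIdentityTransformer;
        this.trustedSecurityDomain = builder.trustedSecurityDomain;
        this.securityEventListener = builder.securityEventListener;
        // Snapshot the category role mappers so that later changes to the caller's map do not reach
        // this domain. The variable is typed as Map: an empty or singleton map is not a LinkedHashMap.
        final Map<String, RoleMapper> source = builder.categoryRoleMappers;
        final Map<String, RoleMapper> snapshot;
        if (source.isEmpty()) {
            snapshot = Collections.emptyMap();
        } else if (source.size() == 1) {
            final Map.Entry<String, RoleMapper> only = source.entrySet().iterator().next();
            snapshot = Collections.singletonMap(only.getKey(), only.getValue());
        } else {
            snapshot = new LinkedHashMap<>(source);
        }
        this.categoryRoleMappers = snapshot;
        // The anonymous identity goes through the configured transformer, which must not return null.
        this.anonymousIdentity = (SecurityIdentity) Assert.assertNotNull(this.securityIdentityTransformer.apply(new SecurityIdentity(this, AnonymousPrincipal.getInstance(), EMPTY_REALM_INFO, AuthorizationIdentity.EMPTY, snapshot, IdentityCredentials.NONE, IdentityCredentials.NONE)));
        // Every thread starts out with the anonymous identity.
        this.currentSecurityIdentity = ThreadLocal.withInitial(() -> {
            return this.anonymousIdentity;
        });
    }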

    /**
     * Registers this domain for the given class loader. Requires {@code REGISTER_SECURITY_DOMAIN} when
     * a security manager is installed. Registering the same domain again is a no-op; a class loader
     * that already has a different domain is rejected, so an existing mapping is never replaced.
     *
     * @param classLoader the class loader, not {@code null}
     */
    public void registerWithClassLoader(ClassLoader classLoader) {
        Assert.checkNotNullParam("classLoader", classLoader);
        final SecurityManager sm = System.getSecurityManager();
        if (sm != null) {
            sm.checkPermission(REGISTER_SECURITY_DOMAIN);
        }
        final SecurityDomain existing = CLASS_LOADER_DOMAIN_MAP.putIfAbsent(classLoader, this);
        if (existing == null || existing == this) {
            return;
        }
        throw ElytronMessages.log.classLoaderSecurityDomainExists();
    }

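    /**
     * Returns the domain registered for the calling thread's context class loader. Requires
     * {@code GET_SECURITY_DOMAIN} when a security manager is installed.
     *
     * @return the registered domain, or {@code null} if the thread has no context class loader or no
     *         domain is registered for it
     */
    public static SecurityDomain getCurrent() {
        final SecurityManager securityManager = System.getSecurityManager();
        if (securityManager != null) {
            securityManager.checkPermission(GET_SECURITY_DOMAIN);
        }
        final Thread currentThread = Thread.currentThread();
        final ClassLoader contextClassLoader;
        if (securityManager != null) {
            // The caller has passed the GET_SECURITY_DOMAIN check; reading the context class loader
            // must not additionally require the caller to hold the permission for that call.
            // The explicit cast selects the PrivilegedAction overload of doPrivileged, which a bare
            // method reference does not determine.
            contextClassLoader = AccessController.doPrivileged((java.security.PrivilegedAction<ClassLoader>) currentThread::getContextClassLoader);
        } else {
            contextClassLoader = currentThread.getContextClassLoader();
        }
        if (contextClassLoader == null) {
            return null;
        }
        return CLASS_LOADER_DOMAIN_MAP.get(contextClassLoader);
    }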

    /**
     * Returns the domain that the given identity belongs to. Requires {@code GET_SECURITY_DOMAIN} when
     * a security manager is installed.
     *
     * @param securityIdentity the identity, not {@code null}
     * @return the identity's security domain
     */
    public static SecurityDomain forIdentity(SecurityIdentity securityIdentity) {
        Assert.checkNotNullParam("identity", securityIdentity);
        final SecurityManager sm = System.getSecurityManager();
        if (sm != null) {
            sm.checkPermission(GET_SECURITY_DOMAIN);
        }
        final SecurityDomain owner = securityIdentity.getSecurityDomain();
        return owner;
    }

    /**
     * Removes the domain registered for the given class loader, whichever domain that is. Requires
     * {@code UNREGISTER_SECURITY_DOMAIN} when a security manager is installed.
     *
     * @param classLoader the class loader, not {@code null}
     */
    public static void unregisterClassLoader(ClassLoader classLoader) {
        Assert.checkNotNullParam("classLoader", classLoader);
        final SecurityManager sm = System.getSecurityManager();
        if (sm != null) {
            sm.checkPermission(UNREGISTER_SECURITY_DOMAIN);
        }
        CLASS_LOADER_DOMAIN_MAP.remove(classLoader);
    }

    /**
     * Creates an empty builder. No permission is checked here; the check happens in
     * {@link Builder#build()}.
     *
     * @return a new builder
     */
    public static Builder builder() {
        final Builder fresh = new Builder();
        return fresh;
    }

    /**
     * Creates an authentication context for this domain with an empty mechanism configuration.
     * Requires {@code CREATE_AUTH_CONTEXT} when a security manager is installed.
     *
     * @return the new context
     */
    public ServerAuthenticationContext createNewAuthenticationContext() {
        final SecurityManager sm = System.getSecurityManager();
        if (sm != null) {
            sm.checkPermission(CREATE_AUTH_CONTEXT);
        }
        final MechanismConfigurationSelector emptySelector = MechanismConfigurationSelector.constantSelector(MechanismConfiguration.EMPTY);
        return new ServerAuthenticationContext(this, emptySelector);
    }

    /**
     * Creates an authentication context for this domain with the given mechanism configuration
     * selector. Requires {@code CREATE_AUTH_CONTEXT} when a security manager is installed.
     *
     * @param mechanismConfigurationSelector the selector handed to the context
     * @return the new context
     */
    public ServerAuthenticationContext createNewAuthenticationContext(MechanismConfigurationSelector mechanismConfigurationSelector) {
        final SecurityManager sm = System.getSecurityManager();
        if (sm != null) {
            sm.checkPermission(CREATE_AUTH_CONTEXT);
        }
        final ServerAuthenticationContext context = new ServerAuthenticationContext(this, mechanismConfigurationSelector);
        return context;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Creates an authentication context that starts from an existing identity. No permission is
     * checked here.
     *
     * <p>That the identity belongs to this domain is verified by an assertion only: with assertions
     * disabled, an identity of another domain is accepted, so callers must guarantee the match.
     *
     * @param securityIdentity the identity to start from
     * @param mechanismConfigurationSelector the selector handed to the context
     * @return the new context
     */
    public ServerAuthenticationContext createNewAuthenticationContext(SecurityIdentity securityIdentity, MechanismConfigurationSelector mechanismConfigurationSelector) {
        if (!$assertionsDisabled && securityIdentity.getSecurityDomain() != this) {
            throw new AssertionError();
        }
        return new ServerAuthenticationContext(securityIdentity, mechanismConfigurationSelector);
    }

    /**
     * Authenticates with evidence alone, without naming a principal.
     *
     * @param evidence the evidence to verify
     * @return the authorized identity
     * @throws RealmUnavailableException if the realm cannot be reached
     * @throws SecurityException if verification or authorization fails
     */
    public SecurityIdentity authenticate(Evidence evidence) throws RealmUnavailableException, SecurityException {
        final Principal noPrincipal = null;
        return authenticate(noPrincipal, evidence);
    }

    /**
     * Authenticates a named user with the given evidence.
     *
     * @param str the user name, or {@code null} to authenticate with the evidence alone
     * @param evidence the evidence to verify
     * @return the authorized identity
     * @throws RealmUnavailableException if the realm cannot be reached
     * @throws SecurityException if verification or authorization fails
     */
    public SecurityIdentity authenticate(String str, Evidence evidence) throws RealmUnavailableException, SecurityException {
        final Principal principal;
        if (str == null) {
            principal = null;
        } else {
            principal = new NamePrincipal(str);
        }
        return authenticate(principal, evidence);
    }

    /**
     * Verifies the evidence, authorizes the resulting identity and returns it. Requires
     * {@code AUTHENTICATE} when a security manager is installed.
     *
     * <p>After a successful authentication the evidence is kept as a private credential of the
     * identity: a password guess as a clear-text {@code PasswordCredential}, a bearer token as a
     * {@code BearerTokenCredential}. The secret therefore stays in memory for as long as the identity
     * is referenced. Other evidence types leave no credential behind.
     *
     * @param principal the principal to authenticate, or {@code null} to rely on the evidence alone
     * @param evidence the evidence to verify
     * @return the authorized identity
     * @throws RealmUnavailableException if the realm cannot be reached
     * @throws SecurityException if the evidence is rejected or authorization fails
     */
    public SecurityIdentity authenticate(Principal principal, Evidence evidence) throws RealmUnavailableException, SecurityException {
        final SecurityManager sm = System.getSecurityManager();
        if (sm != null) {
            sm.checkPermission(AUTHENTICATE);
        }
        final ServerAuthenticationContext context = new ServerAuthenticationContext(this, MechanismConfigurationSelector.constantSelector(MechanismConfiguration.EMPTY));
        if (principal != null) {
            context.setAuthenticationPrincipal(principal);
        }
        // Evidence verification and authorization are two separate gates; each one marks the context
        // as failed before the exception leaves this method.
        final boolean verified = context.verifyEvidence(evidence);
        if (!verified) {
            context.fail();
            throw ElytronMessages.log.authenticationFailedEvidenceVerification();
        }
        final boolean authorized = context.authorize();
        if (!authorized) {
            context.fail();
            throw ElytronMessages.log.authenticationFailedAuthorization();
        }
        if (evidence instanceof PasswordGuessEvidence) {
            final PasswordGuessEvidence guessEvidence = (PasswordGuessEvidence) evidence;
            context.addPrivateCredential(new PasswordCredential(ClearPassword.createRaw(ClearPassword.ALGORITHM_CLEAR, guessEvidence.getGuess())));
        } else if (evidence instanceof BearerTokenEvidence) {
            final BearerTokenEvidence tokenEvidence = (BearerTokenEvidence) evidence;
            context.addPrivateCredential(new BearerTokenCredential(tokenEvidence.getToken()));
        } else {
            // Only the evidence class name is traced, never its content.
            ElytronMessages.log.tracef("Evidence [%s] does not map to a supported credential type. Credentials are not available from authorized identity and identity propagation may not work", evidence.getClass().getName());
        }
        context.succeed();
        return context.getAuthorizedIdentity();
    }

    /**
     * Looks up the realm identity of a named user.
     *
     * @param str the user name, not {@code null}
     * @return the realm identity
     * @throws RealmUnavailableException if the realm cannot be reached
     */
    public RealmIdentity getIdentity(String str) throws RealmUnavailableException {
        Assert.checkNotNullParam("name", str);
        final Principal named = new NamePrincipal(str);
        return getIdentity(named);
    }

    /**
     * Looks up the realm identity of a principal. Requires {@code GET_IDENTITY} when a security
     * manager is installed.
     *
     * @param principal the principal, not {@code null}
     * @return the realm identity; {@code RealmIdentity.ANONYMOUS} for the anonymous principal, and
     *         {@code RealmIdentity.NON_EXISTENT} when the selected realm is not a {@code SecurityRealm}
     *         instance
     * @throws RealmUnavailableException if the realm cannot be reached
     * @throws IllegalArgumentException declared by this method; not thrown by the visible code directly
     */
    public RealmIdentity getIdentity(Principal principal) throws RealmUnavailableException, IllegalArgumentException {
        final SecurityManager sm = System.getSecurityManager();
        if (sm != null) {
            sm.checkPermission(GET_IDENTITY);
        }
        return getIdentityPrivileged(
                principal,
                SecurityRealm.class,
                (realm, name) -> realm.getRealmIdentity(name),
                () -> RealmIdentity.NON_EXISTENT,
                () -> RealmIdentity.ANONYMOUS);
    }

    /**
     * Looks up a principal's identity for modification. Requires {@code GET_IDENTITY_FOR_UPDATE} when
     * a security manager is installed.
     *
     * @param principal the principal, not {@code null}
     * @return the modifiable identity; {@code ModifiableRealmIdentity.NON_EXISTENT} for the anonymous
     *         principal and when the selected realm is not a {@code ModifiableSecurityRealm}
     * @throws RealmUnavailableException if the realm cannot be reached
     * @throws IllegalArgumentException declared by this method; not thrown by the visible code directly
     */
    public ModifiableRealmIdentity getIdentityForUpdate(Principal principal) throws RealmUnavailableException, IllegalArgumentException {
        final SecurityManager sm = System.getSecurityManager();
        if (sm != null) {
            sm.checkPermission(GET_IDENTITY_FOR_UPDATE);
        }
        return getIdentityPrivileged(
                principal,
                ModifiableSecurityRealm.class,
                (realm, name) -> realm.getRealmIdentityForUpdate(name),
                () -> ModifiableRealmIdentity.NON_EXISTENT,
                () -> ModifiableRealmIdentity.NON_EXISTENT);
    }

    /**
     * Returns a function that looks up realm identities without any further permission check.
     *
     * <p>{@code GET_IDENTITY} is checked once, when the function is obtained. The function is a
     * capability: code it is handed to can look up identities without holding the permission, so it
     * should be passed on only to code that is meant to have that access.
     *
     * @return the lookup function
     */
    public ExceptionFunction<Principal, RealmIdentity, RealmUnavailableException> getIdentityLookupFunction() {
        final SecurityManager sm = System.getSecurityManager();
        if (sm != null) {
            sm.checkPermission(GET_IDENTITY);
        }
        return principal -> getIdentityPrivileged(
                principal,
                SecurityRealm.class,
                (realm, name) -> realm.getRealmIdentity(name),
                () -> RealmIdentity.NON_EXISTENT,
                () -> RealmIdentity.ANONYMOUS);
    }

    /**
     * Returns a function that looks up identities for modification without any further permission
     * check.
     *
     * <p>{@code GET_IDENTITY_FOR_UPDATE} is checked once, when the function is obtained. The function
     * is a capability: code it is handed to can obtain modifiable identities without holding the
     * permission, so it should be passed on only to code that is meant to have that access.
     *
     * @return the lookup function
     */
    public ExceptionFunction<Principal, ModifiableRealmIdentity, RealmUnavailableException> getIdentityLookupForUpdateFunction() {
        final SecurityManager sm = System.getSecurityManager();
        if (sm != null) {
            sm.checkPermission(GET_IDENTITY_FOR_UPDATE);
        }
        return principal -> getIdentityPrivileged(
                principal,
                ModifiableSecurityRealm.class,
                (realm, name) -> realm.getRealmIdentityForUpdate(name),
                () -> ModifiableRealmIdentity.NON_EXISTENT,
                () -> ModifiableRealmIdentity.NON_EXISTENT);
    }

    /**
     * Resolves a principal to an identity of its realm. This method checks no permission; the public
     * callers do that before they call it or hand out a function that does.
     *
     * <p>Resolution order: the anonymous principal yields {@code supplier2}; a
     * {@code RealmNestedPrincipal} goes straight to the realm it names, skipping the rewriters and the
     * realm mapper (an unknown realm name falls back as {@code getRealmInfo} does); any other
     * principal passes through the pre-realm rewriter, the realm mapper, the post-realm rewriter and
     * the realm's own rewriter, in that order.
     *
     * @param principal the principal, not {@code null}
     * @param cls the realm type that the lookup needs
     * @param exceptionBiFunction the lookup to run on a realm of that type
     * @param supplier the result when the selected realm is not of type {@code cls}
     * @param supplier2 the result for the anonymous principal
     * @return the identity produced by the lookup or by one of the suppliers
     * @throws RealmUnavailableException if the lookup fails because the realm cannot be reached
     */
    <I, R extends SecurityRealm> I getIdentityPrivileged(Principal principal, Class<R> cls, ExceptionBiFunction<R, Principal, I, RealmUnavailableException> exceptionBiFunction, Supplier<I> supplier, Supplier<I> supplier2) throws RealmUnavailableException {
        Assert.checkNotNullParam("principal", principal);
        if (principal instanceof AnonymousPrincipal) {
            return supplier2.get();
        }
        if (principal instanceof RealmNestedPrincipal) {
            final RealmNestedPrincipal nested = (RealmNestedPrincipal) principal;
            final SecurityRealm namedRealm = getRealmInfo(nested.getRealmName()).getSecurityRealm();
            if (cls.isInstance(namedRealm)) {
                return exceptionBiFunction.apply(cls.cast(namedRealm), nested.getNestedPrincipal());
            }
            return supplier.get();
        }
        // A rewriter that returns null rejects the name; that holds for each of the three stages.
        final Principal preRealm = preRealmPrincipalRewriter.apply(principal);
        if (preRealm == null) {
            throw ElytronMessages.log.invalidName();
        }
        final String realmName = mapRealmName(preRealm, null);
        final RealmInfo realmInfo = getRealmInfo(realmName);
        final SecurityRealm realm = realmInfo.getSecurityRealm();
        if (!$assertionsDisabled && realm == null) {
            throw new AssertionError();
        }
        final Principal postRealm = postRealmPrincipalRewriter.apply(preRealm);
        if (postRealm == null) {
            throw ElytronMessages.log.invalidName();
        }
        final Principal realmRewritten = realmInfo.getPrincipalRewriter().apply(postRealm);
        if (realmRewritten == null) {
            throw ElytronMessages.log.invalidName();
        }
        ElytronMessages.log.tracef("Principal mapping: [%s], pre-realm rewritten: [%s], realm name: [%s], post realm rewritten: [%s], realm rewritten: [%s]", principal, preRealm, realmName, postRealm, realmRewritten);
        if (cls.isInstance(realm)) {
            return exceptionBiFunction.apply(cls.cast(realm), realmRewritten);
        }
        return supplier.get();
    }

    /**
     * Returns the realm for a name, with the fallbacks of {@code getRealmInfo}.
     *
     * @param str the realm name
     * @return the security realm of the resolved realm info
     */
    SecurityRealm getRealm(String str) {
        final RealmInfo resolved = getRealmInfo(str);
        return resolved.getSecurityRealm();
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Resolves a realm name to its realm info and never returns {@code null}.
     *
     * <p>An unknown name silently resolves to the default realm, and to the empty realm info when
     * there is no default either. A caller that needs an exact match has to compare the name itself.
     *
     * @param str the realm name
     * @return the named realm, else the default realm, else the empty realm info
     */
    public RealmInfo getRealmInfo(String str) {
        final RealmInfo named = realmMap.get(str);
        if (named != null) {
            return named;
        }
        final RealmInfo fallback = realmMap.get(defaultRealmName);
        if (fallback != null) {
            return fallback;
        }
        ElytronMessages.log.tracef("Unable to obtain RealmInfo [%s] and no default set - using empty", str);
        return EMPTY_REALM_INFO;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * @return the realm infos of this domain, as the live {@code values()} view of the internal realm
     *         map rather than a copy
     */
    public Collection<RealmInfo> getRealmInfos() {
        final Collection<RealmInfo> view = realmMap.values();
        return view;
    }

    /**
     * Reports whether credentials of the given kind can be acquired, combined over all realms of the
     * domain. A realm that is unavailable is traced and left out of the result.
     *
     * @param cls the credential type
     * @param str the algorithm name, may be {@code null}
     * @param algorithmParameterSpec the algorithm parameters, may be {@code null}
     * @return the combined support level
     */
    public SupportLevel getCredentialAcquireSupport(Class<? extends Credential> cls, String str, AlgorithmParameterSpec algorithmParameterSpec) {
        final Function<SecurityRealm, SupportLevel> probe = realm -> {
            try {
                return realm.getCredentialAcquireSupport(cls, str, algorithmParameterSpec);
            } catch (RealmUnavailableException e) {
                ElytronMessages.log.trace("Failed to obtain credential acquire support from realm", e);
                return null;
            }
        };
        return getSupportLevel(probe);
    }

    /**
     * Same as the three-argument form, without algorithm parameters.
     *
     * @param cls the credential type
     * @param str the algorithm name, may be {@code null}
     * @return the combined support level
     */
    public SupportLevel getCredentialAcquireSupport(Class<? extends Credential> cls, String str) {
        final AlgorithmParameterSpec noParameters = null;
        return getCredentialAcquireSupport(cls, str, noParameters);
    }

    /**
     * Same as the two-argument form, without an algorithm name.
     *
     * @param cls the credential type
     * @return the combined support level
     */
    public SupportLevel getCredentialAcquireSupport(Class<? extends Credential> cls) {
        final String anyAlgorithm = null;
        return getCredentialAcquireSupport(cls, anyAlgorithm);
    }

    /**
     * Reports whether evidence of the given kind can be verified, combined over all realms of the
     * domain. A realm that is unavailable is traced and left out of the result.
     *
     * @param cls the evidence type
     * @param str the algorithm name, may be {@code null}
     * @return the combined support level
     */
    public SupportLevel getEvidenceVerifySupport(Class<? extends Evidence> cls, String str) {
        final Function<SecurityRealm, SupportLevel> probe = realm -> {
            try {
                return realm.getEvidenceVerifySupport(cls, str);
            } catch (RealmUnavailableException e) {
                ElytronMessages.log.trace("Failed to obtain evidence verify support from realm", e);
                return null;
            }
        };
        return getSupportLevel(probe);
    }

    /**
     * Same as the two-argument form, without an algorithm name.
     *
     * @param cls the evidence type
     * @return the combined support level
     */
    public SupportLevel getEvidenceVerifySupport(Class<? extends Evidence> cls) {
        final String anyAlgorithm = null;
        return getEvidenceVerifySupport(cls, anyAlgorithm);
    }

    /**
     * Asks every realm for a support level and combines the lowest and highest answers with
     * {@code minMax}. Realms that answer {@code null} are ignored; if none answers, the result is
     * {@code UNSUPPORTED}.
     *
     * @param function the question put to each realm
     * @return the combined support level
     */
    private SupportLevel getSupportLevel(Function<SecurityRealm, SupportLevel> function) {
        SupportLevel highest = null;
        SupportLevel lowest = null;
        for (RealmInfo info : realmMap.values()) {
            final SupportLevel reported = function.apply(info.getSecurityRealm());
            if (reported == null) {
                continue;
            }
            if (lowest == null || highest == null) {
                // First answer: it is both the lowest and the highest so far.
                highest = reported;
                lowest = reported;
                continue;
            }
            if (reported.compareTo(lowest) < 0) {
                lowest = reported;
            }
            if (reported.compareTo(highest) > 0) {
                highest = reported;
            }
        }
        if (lowest == null || highest == null) {
            return SupportLevel.UNSUPPORTED;
        }
        return minMax(lowest, highest);
    }

    /**
     * Combines the lowest and highest support level reported by the realms.
     *
     * @param supportLevel the lowest reported level
     * @param supportLevel2 the highest reported level
     * @return the common level when both are equal; {@code UNSUPPORTED} when the highest is
     *         {@code UNSUPPORTED}; {@code SUPPORTED} when the lowest is {@code SUPPORTED}; otherwise
     *         {@code POSSIBLY_SUPPORTED}
     */
    private SupportLevel minMax(SupportLevel supportLevel, SupportLevel supportLevel2) {
        if (supportLevel == supportLevel2) {
            return supportLevel;
        }
        if (supportLevel2 == SupportLevel.UNSUPPORTED) {
            return SupportLevel.UNSUPPORTED;
        }
        if (supportLevel == SupportLevel.SUPPORTED) {
            return SupportLevel.SUPPORTED;
        }
        return SupportLevel.POSSIBLY_SUPPORTED;
    }

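    /**
     * Returns the identity associated with the calling thread.
     *
     * <p>Falls back to the anonymous identity when the thread's supplier is {@code null} or yields
     * {@code null}. The supplier itself is checked as well, as {@code getAndSetCurrentSecurityIdentity}
     * does: {@code setCurrentSecurityIdentity} stores whatever it is given, and a {@code null}
     * supplier would otherwise fail here with a {@code NullPointerException}.
     *
     * @return the current identity, never {@code null}
     */
    public SecurityIdentity getCurrentSecurityIdentity() {
        final Supplier<SecurityIdentity> current = this.currentSecurityIdentity.get();
        if (current == null) {
            return this.anonymousIdentity;
        }
        final SecurityIdentity securityIdentity = current.get();
        return securityIdentity == null ? this.anonymousIdentity : securityIdentity;
    }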

    /**
     * @return the anonymous identity of this domain, as produced by the identity transformer when the
     *         domain was constructed
     */
    public SecurityIdentity getAnonymousSecurityIdentity() {
        return anonymousIdentity;
    }

    /**
     * Creates an ad hoc identity for a name.
     *
     * @param str the name, not {@code null}
     * @return the new identity
     */
    public SecurityIdentity createAdHocIdentity(String str) {
        Assert.checkNotNullParam("name", str);
        final Principal named = new NamePrincipal(str);
        return createAdHocIdentity(named);
    }

    /**
     * Creates an identity for a principal without any authentication. Requires
     * {@code CREATE_AD_HOC_IDENTITY} when a security manager is installed.
     *
     * <p>The identity carries the empty realm info, the empty authorization identity, no category
     * role mappers and no credentials. Because no evidence is verified, the permission check is the
     * only gate on who may create such identities.
     *
     * @param principal the principal, not {@code null}
     * @return the new identity
     */
    public SecurityIdentity createAdHocIdentity(Principal principal) {
        Assert.checkNotNullParam("principal", principal);
        final SecurityManager sm = System.getSecurityManager();
        if (sm != null) {
            sm.checkPermission(CREATE_AD_HOC_IDENTITY);
        }
        final SecurityIdentity adHoc = new SecurityIdentity(this, principal, EMPTY_REALM_INFO, AuthorizationIdentity.EMPTY, Collections.emptyMap(), IdentityCredentials.NONE, IdentityCredentials.NONE);
        return adHoc;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Replaces the calling thread's identity supplier and returns the previous one.
     *
     * @param supplier the new supplier; passing the anonymous identity clears the thread's entry
     * @return the previous supplier, or the anonymous identity if the thread held {@code null}
     */
    public Supplier<SecurityIdentity> getAndSetCurrentSecurityIdentity(Supplier<SecurityIdentity> supplier) {
        try {
            final Supplier<SecurityIdentity> previous = currentSecurityIdentity.get();
            if (previous != null) {
                return previous;
            }
            return anonymousIdentity;
        } finally {
            // The new supplier is installed even if reading the old one fails.
            setCurrentSecurityIdentity(supplier);
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Sets the calling thread's identity supplier. No permission is checked here.
     *
     * @param supplier the new supplier; passing the anonymous identity removes the thread's entry, so
     *                 that the thread falls back to the initial value
     */
    public void setCurrentSecurityIdentity(Supplier<SecurityIdentity> supplier) {
        if (supplier != anonymousIdentity) {
            currentSecurityIdentity.set(supplier);
            return;
        }
        currentSecurityIdentity.remove();
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Computes the roles of an identity: the roles decoded by the realm's role decoder, mapped by the
     * realm's role mapper and then by the domain's role mapper. With trace logging enabled, the
     * principal and the roles of every stage are written to the log.
     *
     * @param securityIdentity the identity, not {@code null}
     * @return the roles after domain-level mapping
     */
    public Roles mapRoles(SecurityIdentity securityIdentity) {
        Assert.checkNotNullParam("securityIdentity", securityIdentity);
        final AuthorizationIdentity authorizationIdentity = securityIdentity.getAuthorizationIdentity();
        final RealmInfo realmInfo = securityIdentity.getRealmInfo();
        final Roles decoded = realmInfo.getRoleDecoder().decodeRoles(authorizationIdentity);
        final Roles realmMapped = realmInfo.getRoleMapper().mapRoles(decoded);
        final Roles domainMapped = roleMapper.mapRoles(realmMapped);
        if (!ElytronMessages.log.isTraceEnabled()) {
            return domainMapped;
        }
        ElytronMessages.log.tracef("Role mapping: principal [%s] -> decoded roles [%s] -> realm mapped roles [%s] -> domain mapped roles [%s]", securityIdentity.getPrincipal(), String.join(", ", decoded), String.join(", ", realmMapped), String.join(", ", domainMapped));
        return domainMapped;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Asks the domain's permission mapper for the verifier that applies to an identity and its roles.
     *
     * <p>The trace level is sampled once, when this method is called. If tracing is enabled at that
     * moment, the returned verifier is a wrapper that logs every {@code implies} decision (principal,
     * roles, permission, outcome) before returning it unchanged; otherwise the mapper's verifier is
     * returned directly. The wrapper never alters the decision.
     *
     * @param securityIdentity the identity to map; must not be {@code null}
     * @return the permission verifier for the identity, possibly wrapped for tracing
     */
    public PermissionVerifier mapPermissions(SecurityIdentity securityIdentity) {
        Assert.checkNotNullParam("securityIdentity", securityIdentity);
        final Roles identityRoles = securityIdentity.getRoles();
        final PermissionVerifier verifier = this.permissionMapper.mapPermissions(securityIdentity, identityRoles);
        if (!ElytronMessages.log.isTraceEnabled()) {
            return verifier;
        }
        return permission -> {
            final boolean granted = verifier.implies(permission);
            ElytronMessages.log.tracef("Permission mapping: identity [%s] with roles [%s] implies %s = %b", securityIdentity.getPrincipal(), String.join(", ", identityRoles), permission, Boolean.valueOf(granted));
            return granted;
        };
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Returns the principal rewriter stored in {@code preRealmPrincipalRewriter}.
     *
     * <p>NOTE(review): by its name this rewriter runs before realm selection - confirm against the caller.
     *
     * @return the pre-realm principal rewriter held by this domain
     */
    public Function<Principal, Principal> getPreRealmRewriter() {
        return preRealmPrincipalRewriter;
    }

    /**
     * Resolves the realm name for a principal and evidence pair through the domain's realm mapper.
     *
     * <p>A {@code null} answer from the mapper is not treated as a rejection: the domain's default realm
     * name is returned instead, so unmapped principals are routed to the default realm.
     *
     * @param principal the principal passed to the realm mapper
     * @param evidence the evidence passed to the realm mapper
     * @return the mapped realm name, or the default realm name when the mapper returns {@code null}
     */
    String mapRealmName(Principal principal, Evidence evidence) {
        final String mapped = this.realmMapper.getRealmMapping(principal, evidence);
        if (mapped == null) {
            return this.defaultRealmName;
        }
        return mapped;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Returns the realm name this domain falls back to when the realm mapper yields no mapping.
     *
     * @return the value of {@code defaultRealmName}
     */
    public String getDefaultRealmName() {
        return defaultRealmName;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Returns the realm mapper this domain consults when resolving a realm name.
     *
     * @return the value of {@code realmMapper}
     */
    public RealmMapper getRealmMapper() {
        return realmMapper;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Returns the principal rewriter stored in {@code postRealmPrincipalRewriter}.
     *
     * <p>NOTE(review): by its name this rewriter runs after realm selection - confirm against the caller.
     *
     * @return the post-realm principal rewriter held by this domain
     */
    public Function<Principal, Principal> getPostRealmRewriter() {
        return postRealmPrincipalRewriter;
    }

    /**
     * Returns the domain-level role mapper, the one applied as the last stage of {@code mapRoles}.
     *
     * @return the value of {@code roleMapper}
     */
    RoleMapper getRoleMapper() {
        return roleMapper;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Returns the map of role mappers keyed by category name.
     *
     * <p>The field reference itself is returned; no copy or unmodifiable wrapper is applied here.
     * NOTE(review): confirm the map is made immutable where it is constructed, otherwise a caller
     * holding this reference could change which role mapper applies to a category.
     *
     * @return the value of {@code categoryRoleMappers}
     */
    public Map<String, RoleMapper> getCategoryRoleMappers() {
        return categoryRoleMappers;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Applies the domain's security identity transformer to an identity.
     *
     * <p>NOTE(review): the result goes through {@code Assert.assertNotNull}, which looks like an
     * assertion-style check; confirm whether it is enforced when JVM assertions are disabled. If it is
     * not, a transformer that returns {@code null} hands {@code null} to the caller.
     *
     * @param securityIdentity the identity to transform; must not be {@code null}
     * @return the identity produced by the transformer
     */
    public SecurityIdentity transform(SecurityIdentity securityIdentity) {
        Assert.checkNotNullParam("securityIdentity", securityIdentity);
        final Object transformed = this.securityIdentityTransformer.apply(securityIdentity);
        return (SecurityIdentity) Assert.assertNotNull(transformed);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Decides whether this domain trusts identities established by another domain.
     *
     * <p>A domain always trusts itself (reference identity, not {@code equals}); for any other domain the
     * configured {@code trustedSecurityDomain} predicate decides. The predicate is the whole trust policy
     * for cross-domain identity use, so an overly broad predicate widens trust accordingly.
     *
     * @param securityDomain the domain to evaluate; must not be {@code null}
     * @return {@code true} if the argument is this domain or is accepted by the trust predicate
     */
    public boolean trustsDomain(SecurityDomain securityDomain) {
        // HttpConstants.DOMAIN only supplies the parameter name for the null-check failure message.
        Assert.checkNotNullParam(HttpConstants.DOMAIN, securityDomain);
        if (securityDomain == this) {
            return true;
        }
        return this.trustedSecurityDomain.test(securityDomain);
    }

    /**
     * Passes a security event to the domain's configured listener.
     *
     * <p>Nothing is caught here: an exception thrown by the listener propagates to the caller.
     * {@code safeHandleSecurityEvent} is the variant that contains listener failures.
     *
     * @param securityEvent the event to deliver
     */
    void handleSecurityEvent(SecurityEvent securityEvent) {
        securityEventListener.accept(securityEvent);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Delivers a security event to a domain's listener without letting a listener failure reach the caller.
     *
     * <p>Any {@code Exception} from the listener is reported through {@code eventHandlerFailed} and then
     * dropped; {@code Error}s are not caught. The consequence for auditing is that an event whose listener
     * fails is recorded only as that log message, so the message is worth monitoring.
     *
     * @param securityDomain the domain whose listener receives the event; must not be {@code null}
     * @param securityEvent the event to deliver; must not be {@code null}
     */
    public static void safeHandleSecurityEvent(SecurityDomain securityDomain, SecurityEvent securityEvent) {
        // HttpConstants.DOMAIN only supplies the parameter name for the null-check failure message.
        Assert.checkNotNullParam(HttpConstants.DOMAIN, securityDomain);
        Assert.checkNotNullParam("event", securityEvent);
        try {
            securityDomain.handleSecurityEvent(securityEvent);
        } catch (Exception listenerFailure) {
            // Deliberate best effort: a broken listener must not fail the operation that raised the event.
            ElytronMessages.log.eventHandlerFailed(listenerFailure);
        }
    }

    /**
     * Returns the executor held in {@code ScheduledExecutorServiceProvider.INSTANCE}.
     *
     * <p>NOTE(review): this accessor is public and static and hands out the instance itself; confirm
     * whether the provider prevents callers from shutting the executor down.
     *
     * @return the scheduled executor service provided by {@code ScheduledExecutorServiceProvider}
     */
    public static ScheduledExecutorService getScheduledExecutorService() {
        final ScheduledExecutorService shared = ScheduledExecutorServiceProvider.INSTANCE;
        return shared;
    }

    // Static initialisation of the class-level constants. Statement order is kept as decompiled.
    static {
        // Cached assertion status of this class; presumably the compiler-synthesised field surfaced by the decompiler.
        $assertionsDisabled = !SecurityDomain.class.desiredAssertionStatus();
        // Concurrent map; by its name it associates class loaders with security domains (confirm against its users).
        CLASS_LOADER_DOMAIN_MAP = new ConcurrentHashMap<>();
        // Realm info built with the no-argument constructor; also used for the identity created at the top of this chunk.
        EMPTY_REALM_INFO = new RealmInfo();
        // Named ElytronPermission instances, one per guarded operation. The checks that use them are outside this
        // chunk; a deployment that grants any of these names to untrusted code delegates that operation to it.
        AUTHENTICATE = ElytronPermission.forName("authenticate");
        CREATE_SECURITY_DOMAIN = ElytronPermission.forName("createSecurityDomain");
        REGISTER_SECURITY_DOMAIN = ElytronPermission.forName("registerSecurityDomain");
        GET_SECURITY_DOMAIN = ElytronPermission.forName("getSecurityDomain");
        UNREGISTER_SECURITY_DOMAIN = ElytronPermission.forName("unregisterSecurityDomain");
        CREATE_AUTH_CONTEXT = ElytronPermission.forName("createServerAuthenticationContext");
        GET_IDENTITY = ElytronPermission.forName("getIdentity");
        GET_IDENTITY_FOR_UPDATE = ElytronPermission.forName("getIdentityForUpdate");
        CREATE_AD_HOC_IDENTITY = ElytronPermission.forName("createAdHocIdentity");
    }
}
