package org.jboss.web.tomcat.security;

import java.io.IOException;
import java.lang.reflect.Method;
import java.security.Policy;
import java.security.Principal;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.jacc.PolicyContext;
import javax.security.jacc.PolicyContextException;
import javax.servlet.http.HttpServletRequest;
import org.apache.catalina.Wrapper;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.deploy.SecurityConstraint;
import org.apache.catalina.realm.GenericPrincipal;
import org.apache.catalina.realm.RealmBase;
import org.jboss.logging.Logger;
import org.jboss.metadata.javaee.spec.SecurityRoleRefMetaData;
import org.jboss.metadata.javaee.spec.SecurityRoleRefsMetaData;
import org.jboss.metadata.web.jboss.JBossWebMetaData;
import org.jboss.security.AuthorizationManager;
import org.jboss.security.CertificatePrincipal;
import org.jboss.security.RealmMapping;
import org.jboss.security.SecurityContext;
import org.jboss.security.SimplePrincipal;
import org.jboss.security.SubjectSecurityManager;
import org.jboss.security.audit.AuditEvent;
import org.jboss.security.audit.AuditManager;
import org.jboss.security.auth.callback.CallbackHandlerPolicyContextHandler;
import org.jboss.security.auth.certs.SubjectDNMapping;
import org.jboss.security.integration.web.WebAuthorizationHelper;

/* loaded from: input_file:org/jboss/web/tomcat/security/JBossWebRealm.class */
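/**
 * Tomcat {@link RealmBase} that delegates authentication to the JBoss security manager bound
 * under {@code java:comp/env/security} and layers the JBoss authorization framework
 * ({@link WebAuthorizationHelper}) on top of Tomcat's own constraint and role decisions.
 * <p>
 * Decision model, as implemented below: Tomcat's base decision is taken first (unless
 * {@code ignoreBaseDecision} is set, in which case it is assumed to be "permit"), and the JBoss
 * framework is consulted only when the base decision permits. The final answer is the
 * conjunction of the two, so the framework can narrow access but never widen it.
 * <p>
 * {@code certificatePrincipal} and {@code securityConstraintProviderClass} name classes that are
 * loaded and instantiated reflectively; they are deployment configuration, never request data.
 */
public class JBossWebRealm extends RealmBase {
    static Logger log = Logger.getLogger(JBossWebRealm.class);
    /** JACC PolicyContext key under which the container publishes the caller Subject. */
    private static final String SUBJECT_CONTEXT_KEY = "javax.security.auth.Subject.container";
    /** JNDI location of the per-deployment security environment. */
    private static final String SECURITY_ENV_NAME = "java:comp/env/security";
    /** Names, relative to {@link #SECURITY_ENV_NAME}, of the services this realm looks up. */
    private static final String SECURITY_MGR_NAME = "securityMgr";
    private static final String REALM_MAPPING_NAME = "realmMapping";
    private static final String AUTHORIZATION_MGR_NAME = "authorizationMgr";
    /** Method invoked reflectively on the JACC Policy and on the configured provider class. */
    private static final String PROVIDER_METHOD = "findSecurityConstraints";

    /** Maps a client certificate chain to a Principal; replaced by {@link #setCertificatePrincipal(String)}. */
    protected CertificatePrincipal certMapping = new SubjectDNMapping();
    /** Trace level is sampled once at construction, not per call. */
    private boolean trace = log.isTraceEnabled();
    /** Overwritten with the security manager's domain after every successful login. */
    protected String securityDomain = "jboss-web-policy";
    /** When true, requests with no matching constraint are offered to the constraint provider. */
    protected boolean unprotectedResourceDelegation = false;
    /** Class exposing {@code findSecurityConstraints(Request, Context)}; empty means none configured. */
    protected String securityConstraintProviderClass = "";
    /** Whether authentication/authorization outcomes are reported to the AuditManager. */
    protected boolean enableAudit = true;
    /** When true, Tomcat's own constraint/role decision is skipped and only the JBoss framework decides. */
    protected boolean ignoreBaseDecision = false;

    /**
     * Sets the class that derives a Principal from a client certificate chain.
     * The class is loaded through the thread context class loader; on any failure the default
     * {@link SubjectDNMapping} is restored so the realm never holds a null mapping.
     *
     * @param className fully qualified name of a {@link CertificatePrincipal} implementation
     */
    public void setCertificatePrincipal(String className) {
        try {
            ClassLoader loader = Thread.currentThread().getContextClassLoader();
            this.certMapping = (CertificatePrincipal) loader.loadClass(className).newInstance();
        } catch (Exception e) {
            log.error("Failed to load CertificatePrincipal: " + className, e);
            this.certMapping = new SubjectDNMapping();
        }
    }

    /** @param className provider class consulted for unprotected resources; see {@link #getSecurityConstraintsFromProvider}. */
    public void setSecurityConstraintProviderClass(String className) {
        this.securityConstraintProviderClass = className;
    }

    /** @param domain initial security domain name (replaced on each successful login). */
    public void setSecurityDomain(String domain) {
        this.securityDomain = domain;
    }

    /** @param delegate whether resources without a constraint are passed to the provider. */
    public void setUnprotectedResourceDelegation(boolean delegate) {
        this.unprotectedResourceDelegation = delegate;
    }

    /** @param enable whether audit events are emitted. */
    public void setEnableAudit(boolean enable) {
        this.enableAudit = enable;
    }

    /** @param ignore whether Tomcat's base decision is bypassed (treated as "permit"). */
    public void setIgnoreBaseDecision(boolean ignore) {
        this.ignoreBaseDecision = ignore;
    }

    /**
     * Authenticates a client certificate chain through the JBoss security manager.
     *
     * @param certs the peer's certificate chain as presented by the connector
     * @return the caching principal on success, {@code null} when the security environment is
     *         missing, the credentials are rejected, or a JNDI lookup fails
     */
    public Principal authenticate(X509Certificate[] certs) {
        Context securityCtx = getSecurityNamingContext();
        if (securityCtx == null) {
            if (this.trace) {
                log.trace("No security context for authenticate(X509Certificate[])");
            }
            return null;
        }
        // toPrinicipal is the (misspelled) name of the real CertificatePrincipal API method.
        Principal authPrincipal = this.certMapping.toPrinicipal(certs);
        Principal principal = null;
        try {
            principal = login(securityCtx, authPrincipal, certs);
        } catch (NamingException e) {
            log.error("Error during authenticate", e);
            if (this.enableAudit) {
                errorAudit(null, e);
            }
        }
        return principal;
    }

    /**
     * HTTP DIGEST authentication. Parameter names follow the {@link RealmBase} signature this
     * overrides; the digest inputs are handed to the login modules through a
     * {@link DigestCallbackHandler} published on the JACC policy context for the duration of
     * the call and always cleared afterwards, even on failure.
     *
     * @return the caching principal, or {@code null} when not authenticated
     */
    public Principal authenticate(String username, String clientDigest, String nonce, String nc,
            String cnonce, String qop, String realm, String md5a2) {
        Context securityCtx = getSecurityNamingContext();
        if (securityCtx == null) {
            if (this.trace) {
                log.trace("No security context for authenticate(digest)");
            }
            return null;
        }
        if (SecurityAssociationValve.userPrincipal.get() == null && username == null && clientDigest == null) {
            return null;
        }
        Principal principal = null;
        try {
            CallbackHandlerPolicyContextHandler.setCallbackHandler(
                    new DigestCallbackHandler(username, nonce, nc, cnonce, qop, realm, md5a2));
            principal = login(securityCtx, new SimplePrincipal(username), clientDigest);
        } catch (NamingException e) {
            principal = null;
            log.error("Error during authenticate", e);
            if (this.enableAudit) {
                errorAudit(null, e);
            }
        } finally {
            // Never leave a request-scoped callback handler behind for the next request on this thread.
            CallbackHandlerPolicyContextHandler.setCallbackHandler((CallbackHandler) null);
        }
        if (this.trace) {
            log.trace("End authenticate, principal=" + principal);
        }
        return principal;
    }

    /**
     * Username/password authentication through the JBoss security manager.
     *
     * @param username the login name (wrapped in a {@link SimplePrincipal})
     * @param credentials the password or other opaque credential
     * @return the caching principal, or {@code null} when not authenticated
     */
    public Principal authenticate(String username, String credentials) {
        if (this.trace) {
            log.trace("Begin authenticate, username=" + username);
        }
        Context securityCtx = getSecurityNamingContext();
        if (securityCtx == null) {
            if (this.trace) {
                log.trace("No security context for authenticate(String, String)");
            }
            return null;
        }
        if (SecurityAssociationValve.userPrincipal.get() == null && username == null && credentials == null) {
            return null;
        }
        Principal principal = null;
        try {
            principal = login(securityCtx, new SimplePrincipal(username), credentials);
        } catch (NamingException e) {
            principal = null;
            log.error("Error during authenticate", e);
            if (this.enableAudit) {
                errorAudit(null, e);
            }
        }
        if (this.trace) {
            log.trace("End authenticate, principal=" + principal);
        }
        return principal;
    }

    /**
     * Byte-array credential variant.
     * NOTE(review): decodes with the platform default charset, as the original did; the same
     * password bytes can therefore decode differently across hosts. Left unchanged because the
     * login modules downstream may rely on the current decoding — confirm before switching to UTF-8.
     */
    public Principal authenticate(String username, byte[] credentials) {
        return authenticate(username, new String(credentials));
    }

    /**
     * Tomcat's constraint lookup, extended so that a request matching no constraint can be
     * offered to an external provider when {@code unprotectedResourceDelegation} is enabled.
     */
    public SecurityConstraint[] findSecurityConstraints(Request request, org.apache.catalina.Context context) {
        SecurityConstraint[] constraints = super.findSecurityConstraints(request, context);
        boolean unprotected = constraints == null || constraints.length == 0;
        if (unprotected && this.unprotectedResourceDelegation) {
            constraints = getSecurityConstraintsFromProvider(request, context);
        }
        return constraints;
    }

    /**
     * Resource permission check: Tomcat's decision first (or "permit" when
     * {@code ignoreBaseDecision}), then the JBoss authorization framework. Access is granted only
     * when both permit; a 403 is sent otherwise.
     * NOTE(review): the authorization manager is passed through even when the lookup returned
     * null; {@link #hasUserDataPermission} fails fast in that case — confirm the helper's behaviour.
     *
     * @throws IOException if writing the error response fails
     */
    public boolean hasResourcePermission(Request request, Response response,
            SecurityConstraint[] constraints, org.apache.catalina.Context context) throws IOException {
        boolean baseDecision = this.ignoreBaseDecision
                || super.hasResourcePermission(request, response, constraints, context);
        boolean authzDecision = false;
        if (baseDecision) {
            Subject caller = establishSubjectContext(request.getPrincipal());
            SecurityContext securityContext = SecurityAssociationActions.getSecurityContext();
            AuthorizationManager authzMgr = getAuthorizationManager();
            Map<String, Object> contextMap = new HashMap<String, Object>();
            contextMap.put("resourcePermissionCheck", Boolean.TRUE);
            contextMap.put("policyRegistration", authzMgr);
            contextMap.put("securityConstraints", constraints);
            authzDecision = new WebAuthorizationHelper(securityContext, this.enableAudit)
                    .checkResourcePermission(contextMap, request, response, caller, authzMgr, requestURI(request));
        }
        boolean allowed = baseDecision && authzDecision;
        if (this.trace) {
            log.trace("hasResourcePerm:RealmBase says:" + baseDecision
                    + "::Authz framework says:" + authzDecision + ":final=" + allowed);
        }
        if (!allowed) {
            response.sendError(403, sm.getString("realmBase.forbidden"));
        }
        return allowed;
    }

    /**
     * Role check for the servlet handling the active request. The requested role is first
     * translated through the servlet's security-role-ref metadata, then Tomcat's decision (or
     * "permit" when {@code ignoreBaseDecision}) is combined with the JBoss framework's.
     *
     * @throws IllegalStateException when no active request/servlet name is available
     */
    public boolean hasRole(Principal principal, String role) {
        Request activeRequest = SecurityAssociationValve.activeRequest.get();
        Wrapper wrapper = activeRequest != null ? activeRequest.getWrapper() : null;
        String servletName = wrapper != null ? getServletName(wrapper) : null;
        if (servletName == null) {
            throw new IllegalStateException("servletName is null");
        }
        String roleName = resolveRoleName(servletName, role);
        boolean baseDecision = this.ignoreBaseDecision || super.hasRole(principal, role);
        boolean authzDecision = false;
        if (baseDecision) {
            authzDecision = new WebAuthorizationHelper(SecurityAssociationActions.getSecurityContext(), this.enableAudit)
                    .hasRole(roleName, principal, servletName, getPrincipalRoles(principal), getAuthorizationManager());
        }
        boolean allowed = baseDecision && authzDecision;
        if (this.trace) {
            log.trace("hasRole:RealmBase says:" + baseDecision
                    + "::Authz framework says:" + authzDecision + ":final=" + allowed);
        }
        return allowed;
    }

    /**
     * Looks up the servlet's security-role-refs for one whose role-link equals {@code role} and
     * returns that ref's name; returns {@code role} unchanged when there is no metadata, no such
     * servlet, or no matching ref. Null metadata is treated as "no refs" rather than failing.
     */
    private String resolveRoleName(String servletName, String role) {
        JBossWebMetaData webMetaData = SecurityAssociationValve.activeWebMetaData.get();
        if (webMetaData == null || webMetaData.getServlets() == null
                || webMetaData.getServlets().get(servletName) == null) {
            return role;
        }
        SecurityRoleRefsMetaData roleRefs = webMetaData.getServlets().get(servletName).getSecurityRoleRefs();
        if (roleRefs == null) {
            return role;
        }
        for (Iterator it = roleRefs.iterator(); it.hasNext();) {
            SecurityRoleRefMetaData ref = (SecurityRoleRefMetaData) it.next();
            String link = ref.getRoleLink();
            if (link != null && link.equals(role)) {
                return ref.getName();
            }
        }
        return role;
    }

    /**
     * User-data (transport guarantee) check: Tomcat's decision first, then the JBoss framework.
     *
     * @throws IllegalStateException when no AuthorizationManager is bound for the security domain
     * @throws IOException if writing the error response fails
     */
    public boolean hasUserDataPermission(Request request, Response response,
            SecurityConstraint[] constraints) throws IOException {
        boolean allowed = this.ignoreBaseDecision
                || super.hasUserDataPermission(request, response, constraints);
        if (allowed) {
            establishSubjectContext(request.getPrincipal());
            Map<String, Object> contextMap = new HashMap<String, Object>();
            contextMap.put("securityConstraints", constraints);
            contextMap.put("userDataPermissionCheck", Boolean.TRUE);
            SecurityContext securityContext = SecurityAssociationActions.getSecurityContext();
            AuthorizationManager authzMgr = getAuthorizationManager();
            if (authzMgr == null) {
                throw new IllegalStateException("Null AuthorizationManager for SC:" + securityContext.getSecurityDomain());
            }
            allowed = new WebAuthorizationHelper(securityContext, this.enableAudit)
                    .hasUserDataPermission(contextMap, request, response, authzMgr);
        }
        return allowed;
    }

    /**
     * Shared tail of the three authenticate variants: validate through the security manager,
     * publish the principal info, map the caller principal and build the caching principal.
     * Audit events are emitted for both outcomes when enabled.
     *
     * @param credential the raw credential (String password/digest or X509Certificate[])
     * @return the caching principal, or {@code null} when the security manager rejects the login
     * @throws NamingException when a service lookup fails
     */
    private Principal login(Context securityCtx, Principal authPrincipal, Object credential) throws NamingException {
        SubjectSecurityManager securityMgr = (SubjectSecurityManager) securityCtx.lookup(SECURITY_MGR_NAME);
        Subject subject = new Subject();
        if (!securityMgr.isValid(authPrincipal, credential, subject)) {
            if (this.trace) {
                log.trace("User: " + authPrincipal + " is NOT authenticated");
            }
            if (this.enableAudit) {
                failureAudit(authPrincipal);
            }
            return null;
        }
        if (this.trace) {
            log.trace("User: " + authPrincipal + " is authenticated");
        }
        this.securityDomain = securityMgr.getSecurityDomain();
        SecurityAssociationActions.setPrincipalInfo(authPrincipal, credential, subject);
        RealmMapping realmMapping = (RealmMapping) securityCtx.lookup(REALM_MAPPING_NAME);
        Principal callerPrincipal = realmMapping.getPrincipal(authPrincipal);
        if (this.trace) {
            log.trace("Mapped from input principal: " + authPrincipal + " to: " + callerPrincipal);
        }
        Principal cached = getCachingPrincpal(realmMapping, authPrincipal, callerPrincipal, credential, subject);
        if (this.enableAudit) {
            successAudit(authPrincipal, cached);
        }
        return cached;
    }

    /**
     * Builds the principal Tomcat caches in the session: it carries the Subject, both principals,
     * the credential and the role names so later requests can restore the security association
     * without re-authenticating (see {@link #establishSubjectContext}).
     * Method name is part of the protected API and kept as is.
     */
    protected Principal getCachingPrincpal(RealmMapping realmMapping, Principal authPrincipal,
            Principal callerPrincipal, Object credential, Subject subject) {
        // Raw Set: the element type of RealmMapping.getUserRoles is not pinned down here.
        Set userRoles = realmMapping.getUserRoles(authPrincipal);
        List<String> roleNames = new ArrayList<String>();
        if (userRoles != null) {
            for (Iterator it = userRoles.iterator(); it.hasNext();) {
                roleNames.add(((Principal) it.next()).getName());
            }
        }
        return new JBossGenericPrincipal(this, subject, authPrincipal, callerPrincipal, credential, roleNames, userRoles);
    }

    protected String getName() {
        return getClass().getName();
    }

    /** Passwords are never available to this realm; authentication is delegated. */
    protected String getPassword(String username) {
        return null;
    }

    protected Principal getPrincipal(String username) {
        return new SimplePrincipal(username);
    }

    /**
     * @return the mapped request path, with {@code null} and the bare "/" both normalised to ""
     *         (the form the authorization helper expects for the context root)
     */
    static String requestURI(Request request) {
        String path = request.getMappingData().requestPath.getString();
        if (path == null || "/".equals(path)) {
            return "";
        }
        return path;
    }

    /**
     * @return the roles carried by a Tomcat {@link GenericPrincipal}, as {@link SimplePrincipal}s
     * @throws IllegalStateException for {@code null} or any other principal type
     */
    protected Set<Principal> getPrincipalRoles(Principal principal) {
        if (!(principal instanceof GenericPrincipal)) {
            Object seen = principal == null ? null : principal.getClass();
            throw new IllegalStateException("Expected GenericPrincipal, but saw: " + seen);
        }
        String[] roles = ((GenericPrincipal) principal).getRoles();
        Set<Principal> rolePrincipals = new HashSet<Principal>();
        if (roles != null) {
            for (String role : roles) {
                rolePrincipals.add(new SimplePrincipal(role));
            }
        }
        return rolePrincipals;
    }

    /**
     * Returns the caller Subject from the JACC policy context, or, when none is published and the
     * principal is a cached {@link JBossGenericPrincipal}, restores the security association from
     * the cached principal and returns its Subject.
     */
    private Subject establishSubjectContext(Principal principal) {
        Subject subject = null;
        try {
            subject = (Subject) PolicyContext.getContext(SUBJECT_CONTEXT_KEY);
        } catch (PolicyContextException e) {
            if (this.trace) {
                log.trace("Failed to get subject from PolicyContext", e);
            }
        }
        if (subject == null && principal instanceof JBossGenericPrincipal) {
            JBossGenericPrincipal cached = (JBossGenericPrincipal) principal;
            subject = cached.getSubject();
            if (this.trace) {
                log.trace("Restoring principal info from cache");
            }
            SecurityAssociationActions.setPrincipalInfo(cached.getAuthPrincipal(), cached.getCredentials(), cached.getSubject());
        }
        return subject;
    }

    /** @return the bound AuthorizationManager, or {@code null} when the environment or the binding is missing */
    private AuthorizationManager getAuthorizationManager() {
        Context securityCtx = getSecurityNamingContext();
        if (securityCtx == null) {
            if (this.trace) {
                log.trace("Lookup of authorization manager failed: no security context");
            }
            return null;
        }
        try {
            return (AuthorizationManager) securityCtx.lookup(AUTHORIZATION_MGR_NAME);
        } catch (Exception e) {
            if (this.trace) {
                log.trace("Lookup of authorization manager failed", e);
            }
            return null;
        }
    }

    /** @return the {@code java:comp/env/security} context, or {@code null} when it is not bound */
    private Context getSecurityNamingContext() {
        try {
            return (Context) new InitialContext().lookup(SECURITY_ENV_NAME);
        } catch (NamingException e) {
            // Absence of the environment is a supported state (callers return "not authenticated").
            if (this.trace) {
                log.trace("No security naming context at " + SECURITY_ENV_NAME, e);
            }
            return null;
        }
    }

    /**
     * Asks, in order, the installed JACC {@link Policy} and then the configured provider class for
     * constraints covering a request that matched none of the deployment's own constraints.
     * Both are invoked reflectively with the signature {@code (Request, org.apache.catalina.Context)}.
     * As originally written the signature array used {@code javax.security.jacc}'s neighbour
     * {@code javax.naming.Context}, which can never match a provider method taking the Catalina
     * context, so delegation silently yielded nothing.
     */
    private SecurityConstraint[] getSecurityConstraintsFromProvider(Request request, org.apache.catalina.Context context) {
        Class<?>[] signature = {Request.class, org.apache.catalina.Context.class};
        Object[] args = {request, context};
        SecurityConstraint[] constraints = null;
        try {
            Policy policy = Policy.getPolicy();
            Method method = policy.getClass().getMethod(PROVIDER_METHOD, signature);
            constraints = (SecurityConstraint[]) method.invoke(policy, args);
        } catch (Throwable t) {
            // A Policy without this method is the common case; keep it out of the error log unless tracing.
            if (this.trace) {
                log.error("Error obtaining security constraints from policy", t);
            }
        }
        if (constraints != null && constraints.length != 0) {
            return constraints;
        }
        String providerClass = this.securityConstraintProviderClass;
        if (providerClass == null || providerClass.length() == 0) {
            if (this.trace) {
                log.trace("unprotectedResourceDelegation is true but securityConstraintProviderClass is empty");
            }
            return constraints;
        }
        try {
            Class<?> loaded = SecurityAssociationActions.loadClass(providerClass);
            Object provider = loaded.newInstance();
            Method method = loaded.getMethod(PROVIDER_METHOD, signature);
            if (this.trace) {
                log.trace("findSecurityConstraints method found in securityConstraintProviderClass");
            }
            constraints = (SecurityConstraint[]) method.invoke(provider, args);
        } catch (Throwable t) {
            log.error("Error instantiating " + providerClass, t);
        }
        return constraints;
    }

    /**
     * @return the wrapper's servlet name, or "" for the "jsp" servlet when its first mapping is a
     *         {@code *.jsp} wildcard (presumably so JSPs are not looked up as a named servlet — confirm)
     */
    private String getServletName(Wrapper wrapper) {
        String[] mappings = wrapper.findMappings();
        String name = wrapper.getName();
        if (this.trace) {
            log.trace("[getServletName:servletmappings=" + Arrays.toString(mappings)
                    + ":servlet.getName()=" + name + "]");
        }
        boolean jspWildcard = "jsp".equals(name) && mappings != null && mappings.length > 0
                && mappings[0] != null && mappings[0].indexOf("*.jsp") > -1;
        return jspWildcard ? "" : name;
    }

    /**
     * Emits one audit event through the AuditManager of the current security context, attaching
     * a summary of the active servlet request when one is published on the policy context.
     *
     * @param level event level ("Success", "Failure" or "Error")
     * @param contextMap event attributes; this method adds "request" and "Source"
     * @param underlying the exception behind an "Error" event, else {@code null}
     */
    private void audit(String level, Map<String, Object> contextMap, Exception underlying) {
        try {
            HttpServletRequest servletRequest = (HttpServletRequest) PolicyContext.getContext(
                    HttpServletRequestPolicyContextHandler.WEB_REQUEST_KEY);
            contextMap.put("request", WebUtil.deriveUsefulInfo(servletRequest));
        } catch (PolicyContextException e) {
            if (this.trace) {
                log.trace("Error obtaining the servlet request:", e);
            }
        }
        contextMap.put("Source", getClass().getName());
        AuditEvent event = new AuditEvent(level);
        event.setContextMap(contextMap);
        event.setUnderlyingException(underlying);
        SecurityContext securityContext = SecurityAssociationActions.getSecurityContext();
        if (securityContext == null) {
            return;
        }
        AuditManager auditManager = securityContext.getAuditManager();
        if (auditManager != null) {
            auditManager.audit(event);
        } else if (this.trace) {
            log.trace("Audit Manager obtained from Security Context is null");
        }
    }

    private void successAudit(Principal authPrincipal, Principal cachedPrincipal) {
        Map<String, Object> contextMap = new HashMap<String, Object>();
        contextMap.put("principal", cachedPrincipal);
        contextMap.put("CallerPrincipal", authPrincipal);
        audit("Success", contextMap, null);
    }

    private void failureAudit(Principal authPrincipal) {
        Map<String, Object> contextMap = new HashMap<String, Object>();
        contextMap.put("principal", authPrincipal);
        audit("Failure", contextMap, null);
    }

    private void errorAudit(Principal authPrincipal, Exception cause) {
        Map<String, Object> contextMap = new HashMap<String, Object>();
        contextMap.put("principal", authPrincipal);
        audit("Error", contextMap, cause);
    }
}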
