package org.jboss.web.tomcat.security;

import java.io.IOException;
import java.security.Principal;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Set;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import org.apache.catalina.LifecycleException;
import org.apache.catalina.Realm;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.deploy.LoginConfig;
import org.apache.catalina.deploy.SecurityConstraint;
import org.apache.catalina.realm.GenericPrincipal;
import org.apache.catalina.realm.RealmBase;
import org.jboss.logging.Logger;
import org.jboss.security.CertificatePrincipal;
import org.jboss.security.RealmMapping;
import org.jboss.security.SimplePrincipal;
import org.jboss.security.SubjectSecurityManager;
import org.jboss.security.auth.callback.CallbackHandlerPolicyContextHandler;
import org.jboss.security.auth.certs.SubjectDNMapping;

/* loaded from: input_file:org/jboss/web/tomcat/security/JBossSecurityMgrRealm.class */
/**
 * Tomcat {@link Realm} that delegates credential validation and role mapping to the JBoss
 * security manager found in JNDI under {@code java:comp/env/security} (its {@code securityMgr}
 * and {@code realmMapping} entries). On a successful login the caller's identity is published via
 * {@code SecurityAssociationActions} and wrapped in a {@code JBossGenericPrincipal} that carries
 * the subject, the credential that was validated and the mapped roles.
 * <p>
 * This listing is decompiler output: local and parameter names such as {@code str}, {@code z}
 * and {@code z2} are synthetic and do not reflect the original identifiers.
 */
public class JBossSecurityMgrRealm extends RealmBase implements Realm {
    static Logger log = Logger.getLogger(JBossSecurityMgrRealm.class);
    // Cached log.isTraceEnabled(), populated only in start(); a few trace calls below are not
    // guarded by it and are emitted unconditionally.
    private boolean trace;
    // Maps a client certificate chain to a Principal; replaced by setCertificatePrincipal().
    private CertificatePrincipal certMapping = new SubjectDNMapping();
    // Governs how a role-name="*" auth constraint is interpreted in hasResourcePermission().
    // No setter is visible in this class; presumably configured through RealmBase — verify.
    private RealmBase.AllRolesMode allRolesMode = RealmBase.AllRolesMode.AUTH_ONLY_MODE;

    /**
     * Installs the {@link CertificatePrincipal} implementation used to derive a principal from a
     * client certificate chain.
     *
     * @param str fully qualified class name, loaded through the thread context class loader and
     *            instantiated reflectively; any failure (load, instantiation, or the class not
     *            being a CertificatePrincipal) is logged and the default SubjectDNMapping is kept
     */
    public void setCertificatePrincipal(String str) {
        try {
            this.certMapping = (CertificatePrincipal) Thread.currentThread().getContextClassLoader().loadClass(str).newInstance();
        } catch (Exception e) {
            log.error("Failed to load CertificatePrincipal: " + str, e);
            this.certMapping = new SubjectDNMapping();
        }
    }

    /**
     * Looks up the {@code java:comp/env/security} JNDI context.
     *
     * @return the context, or {@code null} when the lookup fails; the NamingException is
     *         deliberately not logged, and every authenticate() method treats {@code null} as
     *         "no security manager available" and refuses the login
     */
    protected Context getSecurityContext() {
        Context context = null;
        try {
            context = (Context) new InitialContext().lookup("java:comp/env/security");
        } catch (NamingException e) {
        }
        return context;
    }

    /**
     * Starts the realm once (no-op if already started) and caches the trace flag.
     *
     * @throws LifecycleException propagated from {@link RealmBase#start()}
     */
    public void start() throws LifecycleException {
        if (((RealmBase) this).started) {
            return;
        }
        super.start();
        this.trace = log.isTraceEnabled();
    }

    /**
     * Stops the realm only if it was started.
     *
     * @throws LifecycleException propagated from {@link RealmBase#stop()}
     */
    public void stop() throws LifecycleException {
        if (((RealmBase) this).started) {
            super.stop();
        }
    }

    /**
     * Decides whether the current request may access the resource protected by the given
     * constraints, sending a 403 when it may not.
     * <p>
     * For FORM login the login page, the error page and any path ending in
     * {@code /j_security_check} are always allowed, before any constraint is consulted, so that
     * the login flow itself is reachable. Otherwise access is granted when the authenticated
     * principal holds one of the constraint's roles, with the role-name="*" cases decided by
     * {@code allRolesMode} after the loop.
     *
     * @param request               current request; its principal and context are consulted
     * @param response              receives the 403 on denial
     * @param securityConstraintArr matching constraints; {@code null} or empty grants access
     * @param context               web application context supplying the login configuration
     * @return {@code true} when access is granted
     * @throws IOException if sending the 403 fails
     */
    public boolean hasResourcePermission(Request request, Response response, SecurityConstraint[] securityConstraintArr, org.apache.catalina.Context context) throws IOException {
        if (securityConstraintArr == null || securityConstraintArr.length == 0) {
            return true;
        }
        // z: access granted so far.
        boolean z = false;
        LoginConfig loginConfig = context.getLoginConfig();
        if (loginConfig != null && "FORM".equals(loginConfig.getAuthMethod())) {
            String messageBytes = request.getRequestPathMB().toString();
            // NOTE(review): loginPage/errorPage are dereferenced without a null check; a FORM
            // config with either page unset would throw here — confirm Tomcat guarantees them.
            String loginPage = loginConfig.getLoginPage();
            if (loginPage.equals(messageBytes)) {
                if (!this.trace) {
                    return true;
                }
                log.trace("Allow access to login page " + loginPage);
                return true;
            }
            String errorPage = loginConfig.getErrorPage();
            if (errorPage.equals(messageBytes)) {
                if (!this.trace) {
                    return true;
                }
                log.trace("Allow access to error page " + errorPage);
                return true;
            }
            // Suffix match: any path ending in /j_security_check bypasses the constraints.
            if (messageBytes.endsWith("/j_security_check")) {
                if (!this.trace) {
                    return true;
                }
                log.trace("Allow access to username/password submission");
                return true;
            }
        }
        Principal principal = request.getPrincipal();
        // z2: a constraint with an auth-constraint but no roles has been seen; once set, later
        // constraints no longer perform role matching (see the "!z2" branch below).
        boolean z2 = false;
        for (SecurityConstraint securityConstraint : securityConstraintArr) {
            // role-name="*" expands to every security role declared by the web application.
            String[] findSecurityRoles = securityConstraint.getAllRoles() ? request.getContext().findSecurityRoles() : securityConstraint.findAuthRoles();
            if (findSecurityRoles == null) {
                findSecurityRoles = new String[0];
            }
            if (this.trace) {
                log.trace("Checking roles " + principal);
            }
            if (findSecurityRoles.length == 0 && !securityConstraint.getAllRoles()) {
                // No roles and no auth-constraint: the resource is unprotected.
                if (!securityConstraint.getAuthConstraint()) {
                    if (!this.trace) {
                        return true;
                    }
                    log.trace("Passing all access");
                    return true;
                }
                // Auth-constraint with an empty role list: deny, and clear any grant obtained
                // from an earlier constraint.
                if (this.trace) {
                    log.trace("No roles");
                }
                z = false;
                z2 = true;
            } else if (principal == null) {
                if (this.trace) {
                    log.trace("No user authenticated, cannot grant access");
                }
                z = false;
            } else if (!z2) {
                // A single matching role grants access; the loop keeps going regardless, and
                // the "No role found" trace is emitted for every role, matched or not.
                for (int i = 0; i < findSecurityRoles.length; i++) {
                    if (hasRole(principal, findSecurityRoles[i])) {
                        z = true;
                    }
                    if (this.trace) {
                        log.trace("No role found:  " + findSecurityRoles[i]);
                    }
                }
            }
        }
        // Fallback for role-name="*" constraints when the caller is authenticated but no role
        // matched (skipped entirely in STRICT_MODE).
        if (this.allRolesMode != RealmBase.AllRolesMode.STRICT_MODE && !z && principal != null) {
            if (this.trace) {
                log.trace("Checking for all roles mode: " + this.allRolesMode);
            }
            int i2 = 0;
            while (true) {
                if (i2 >= securityConstraintArr.length) {
                    break;
                }
                if (securityConstraintArr[i2].getAllRoles()) {
                    if (this.allRolesMode == RealmBase.AllRolesMode.AUTH_ONLY_MODE) {
                        // AUTH_ONLY_MODE: being authenticated is sufficient.
                        if (this.trace) {
                            log.trace("Granting access for role-name=*, auth-only");
                        }
                        z = true;
                    } else if (request.getContext().findSecurityRoles().length == 0 && this.allRolesMode == RealmBase.AllRolesMode.STRICT_AUTH_ONLY_MODE) {
                        // STRICT_AUTH_ONLY_MODE: only when the application declares no roles.
                        if (this.trace) {
                            log.trace("Granting access for role-name=*, strict auth-only");
                        }
                        z = true;
                    }
                }
                i2++;
            }
        }
        if (!z) {
            // sm is a RealmBase member (not visible in this listing).
            response.sendError(403, sm.getString("realmBase.forbidden"));
        }
        return z;
    }

    /**
     * Authenticates a client certificate chain (CLIENT-CERT auth).
     * <p>
     * The chain is mapped to a principal by {@code certMapping}, validated by the security
     * manager's {@code isValid(principal, certs, subject)}, published via
     * {@code SecurityAssociationActions} and finally wrapped by {@link #getCachingPrincpal}.
     *
     * @param x509CertificateArr the client certificate chain presented by the connector
     * @return the caching principal, or {@code null} when there is no security context, the
     *         security manager rejects the chain, or a NamingException occurs (logged)
     */
    public Principal authenticate(X509Certificate[] x509CertificateArr) {
        Principal principal = null;
        Context securityContext = getSecurityContext();
        if (securityContext == null) {
            if (!this.trace) {
                return null;
            }
            log.trace("No security context for authenticate(X509Certificate[])");
            return null;
        }
        try {
            SubjectSecurityManager subjectSecurityManager = (SubjectSecurityManager) securityContext.lookup("securityMgr");
            Subject subject = new Subject();
            Principal prinicipal = this.certMapping.toPrinicipal(x509CertificateArr);
            if (subjectSecurityManager.isValid(prinicipal, x509CertificateArr, subject)) {
                if (this.trace) {
                    log.trace("User: " + prinicipal + " is authenticated");
                }
                SecurityAssociationActions.setPrincipalInfo(prinicipal, x509CertificateArr, subject);
                RealmMapping realmMapping = (RealmMapping) securityContext.lookup("realmMapping");
                Principal principal2 = realmMapping.getPrincipal(prinicipal);
                if (this.trace) {
                    log.trace("Mapped from input principal: " + prinicipal + "to: " + principal2);
                }
                principal = getCachingPrincpal(realmMapping, prinicipal, principal2, x509CertificateArr, subject);
            } else {
                if (this.trace) {
                    log.trace("User: " + prinicipal + " is NOT authenticated");
                }
                principal = null;
            }
        } catch (NamingException e) {
            log.error("Error during authenticate", e);
        }
        return principal;
    }

    /**
     * Authenticates an HTTP DIGEST login.
     * <p>
     * The argument order follows Tomcat's {@code RealmBase.authenticate(username, clientDigest,
     * nonce, nc, cnonce, qop, realm, md5a2)}; the parameter names were lost in decompilation, so
     * confirm against the Tomcat version in use. The digest parameters (all but {@code str2})
     * are handed to the security manager through a {@code DigestCallbackHandler} installed in
     * {@code CallbackHandlerPolicyContextHandler} for the duration of the call; {@code str2} is
     * passed to {@code isValid} as the credential. The handler is cleared on every exit path
     * (normal, NamingException and any other Throwable), so no handler leaks to a later request.
     *
     * @param str  username
     * @param str2 client digest, used as the credential for {@code isValid}
     * @param str3 nonce
     * @param str4 nonce count
     * @param str5 client nonce
     * @param str6 quality of protection
     * @param str7 realm name
     * @param str8 pre-computed MD5(method:uri) hash
     * @return the caching principal, or {@code null} when there is no security context, when no
     *         principal is associated with the thread and username and digest are both
     *         {@code null}, when the security manager rejects the login, or on a NamingException
     */
    public Principal authenticate(String str, String str2, String str3, String str4, String str5, String str6, String str7, String str8) {
        Principal principal;
        Context securityContext = getSecurityContext();
        if (securityContext == null) {
            if (!this.trace) {
                return null;
            }
            log.trace("No security context for authenticate(String, String)");
            return null;
        }
        if (SecurityAssociationValve.userPrincipal.get() == null && str == null && str2 == null) {
            return null;
        }
        try {
            try {
                CallbackHandlerPolicyContextHandler.setCallbackHandler(new DigestCallbackHandler(str, str3, str4, str5, str6, str7, str8));
                SubjectSecurityManager subjectSecurityManager = (SubjectSecurityManager) securityContext.lookup("securityMgr");
                SimplePrincipal simplePrincipal = new SimplePrincipal(str);
                Subject subject = new Subject();
                if (subjectSecurityManager.isValid(simplePrincipal, str2, subject)) {
                    // Not guarded by this.trace, unlike the surrounding trace calls.
                    log.trace("User: " + str + " is authenticated");
                    SecurityAssociationActions.setPrincipalInfo(simplePrincipal, str2, subject);
                    RealmMapping realmMapping = (RealmMapping) securityContext.lookup("realmMapping");
                    Principal principal2 = realmMapping.getPrincipal(simplePrincipal);
                    if (this.trace) {
                        log.trace("Mapped from input principal: " + simplePrincipal + "to: " + principal2);
                    }
                    principal = getCachingPrincpal(realmMapping, simplePrincipal, principal2, str2, subject);
                } else {
                    principal = null;
                    if (this.trace) {
                        log.trace("User: " + str + " is NOT authenticated");
                    }
                }
                CallbackHandlerPolicyContextHandler.setCallbackHandler((CallbackHandler) null);
            } catch (NamingException e) {
                principal = null;
                log.error("Error during authenticate", e);
                CallbackHandlerPolicyContextHandler.setCallbackHandler((CallbackHandler) null);
            }
            if (this.trace) {
                log.trace("End authenticate, principal=" + principal);
            }
            return principal;
        } catch (Throwable th) {
            // Decompiled finally: make sure the digest callback handler is never left installed.
            CallbackHandlerPolicyContextHandler.setCallbackHandler((CallbackHandler) null);
            throw th;
        }
    }

    /**
     * Authenticates a username/password pair (BASIC and FORM auth).
     *
     * @param str  username
     * @param str2 password, passed to the security manager's {@code isValid} and retained as the
     *             credential of the returned principal
     * @return the caching principal, or {@code null} when there is no security context, when no
     *         principal is associated with the thread and both arguments are {@code null}, when
     *         the security manager rejects the login, or on a NamingException (logged)
     */
    public Principal authenticate(String str, String str2) {
        Principal principal;
        if (this.trace) {
            log.trace("Begin authenticate, username=" + str);
        }
        Context securityContext = getSecurityContext();
        if (securityContext == null) {
            if (!this.trace) {
                return null;
            }
            log.trace("No security context for authenticate(String, String)");
            return null;
        }
        if (SecurityAssociationValve.userPrincipal.get() == null && str == null && str2 == null) {
            return null;
        }
        try {
            SubjectSecurityManager subjectSecurityManager = (SubjectSecurityManager) securityContext.lookup("securityMgr");
            SimplePrincipal simplePrincipal = new SimplePrincipal(str);
            Subject subject = new Subject();
            if (subjectSecurityManager.isValid(simplePrincipal, str2, subject)) {
                // Not guarded by this.trace, unlike the surrounding trace calls.
                log.trace("User: " + str + " is authenticated");
                SecurityAssociationActions.setPrincipalInfo(simplePrincipal, str2, subject);
                RealmMapping realmMapping = (RealmMapping) securityContext.lookup("realmMapping");
                Principal principal2 = realmMapping.getPrincipal(simplePrincipal);
                if (this.trace) {
                    log.trace("Mapped from input principal: " + simplePrincipal + "to: " + principal2);
                }
                principal = getCachingPrincpal(realmMapping, simplePrincipal, principal2, str2, subject);
            } else {
                principal = null;
                if (this.trace) {
                    log.trace("User: " + str + " is NOT authenticated");
                }
            }
        } catch (NamingException e) {
            principal = null;
            log.error("Error during authenticate", e);
        }
        if (this.trace) {
            log.trace("End authenticate, principal=" + principal);
        }
        return principal;
    }

    /**
     * Delegates the role check to {@link RealmBase#hasRole}, which in turn relies on
     * {@link #getPrincipalRoles} for the principals produced by this realm.
     *
     * @param principal the authenticated principal
     * @param str       role name to test
     * @return whether the principal holds the role
     */
    public boolean hasRole(Principal principal, String str) {
        return super.hasRole(principal, str);
    }

    /**
     * Authenticates a username with a byte-array credential by decoding it as a String.
     * <p>
     * The decoding uses the platform default charset (no charset is given), so a password
     * containing non-ASCII bytes may be interpreted differently across JVM configurations.
     *
     * @param str  username
     * @param bArr credential bytes
     * @return see {@link #authenticate(String, String)}
     */
    public Principal authenticate(String str, byte[] bArr) {
        return authenticate(str, new String(bArr));
    }

    /** @return this realm's class name, used by RealmBase as the realm identifier */
    protected String getName() {
        return getClass().getName();
    }

    /**
     * Always {@code null}: this realm never supplies stored passwords to RealmBase; credentials
     * are validated exclusively by the security manager's {@code isValid}.
     *
     * @param str username (ignored)
     * @return {@code null}
     */
    protected String getPassword(String str) {
        return null;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Wraps a username in a {@link SimplePrincipal}.
     *
     * @param str username
     * @return the principal
     */
    public Principal getPrincipal(String str) {
        return new SimplePrincipal(str);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Returns the principal's roles as a set of {@link SimplePrincipal}s built from
     * {@link GenericPrincipal#getRoles()}; a {@code null} role array yields an empty set.
     *
     * @param principal must be a GenericPrincipal (which this realm's JBossGenericPrincipal is
     *                  assumed to be — its definition is not visible here)
     * @return mutable set of role principals, never {@code null}
     * @throws IllegalStateException if the principal is not a GenericPrincipal; note that a
     *                               {@code null} argument surfaces as a NullPointerException from
     *                               {@code principal.getClass()} in the message instead
     */
    public Set getPrincipalRoles(Principal principal) {
        if (!(principal instanceof GenericPrincipal)) {
            throw new IllegalStateException("Expected GenericPrincipal, but saw: " + principal.getClass());
        }
        String[] roles = ((GenericPrincipal) principal).getRoles();
        HashSet hashSet = new HashSet();
        if (roles != null) {
            for (String str : roles) {
                hashSet.add(new SimplePrincipal(str));
            }
        }
        return hashSet;
    }

    /**
     * Builds the {@code JBossGenericPrincipal} returned to Tomcat after a successful login.
     *
     * @param realmMapping source of the user's roles ({@code getUserRoles(principal)})
     * @param principal    the principal that was validated
     * @param principal2   the principal after RealmMapping translation
     * @param obj          the credential that was validated (password String or X509 chain at
     *                     the call sites in this class); it is handed to the principal, so what
     *                     happens to it afterwards depends on JBossGenericPrincipal — not visible
     * @param subject      the authenticated subject populated by {@code isValid}
     * @return the caching principal, with role names collected from the mapped role principals
     *         (a {@code null} role set yields an empty list, and is passed on unchanged)
     */
    protected Principal getCachingPrincpal(RealmMapping realmMapping, Principal principal, Principal principal2, Object obj, Subject subject) {
        Set userRoles = realmMapping.getUserRoles(principal);
        ArrayList arrayList = new ArrayList();
        if (userRoles != null) {
            Iterator it = userRoles.iterator();
            while (it.hasNext()) {
                arrayList.add(((Principal) it.next()).getName());
            }
        }
        return new JBossGenericPrincipal(this, subject, principal, principal2, obj, arrayList, userRoles);
    }
}
