package org.wildfly.extension.undertow;

import io.undertow.security.idm.Account;
import io.undertow.server.HttpHandler;
import io.undertow.server.HttpServerExchange;
import io.undertow.server.session.SecureRandomSessionIdGenerator;
import io.undertow.server.session.SessionConfig;
import io.undertow.server.session.SessionManager;
import io.undertow.servlet.api.AuthMethodConfig;
import io.undertow.servlet.api.AuthorizationManager;
import io.undertow.servlet.api.Deployment;
import io.undertow.servlet.api.DeploymentInfo;
import io.undertow.servlet.api.FilterInfo;
import io.undertow.servlet.api.LifecycleInterceptor;
import io.undertow.servlet.api.LoginConfig;
import io.undertow.servlet.api.ServletInfo;
import io.undertow.servlet.api.SingleConstraintMatch;
import io.undertow.servlet.api.TransportGuaranteeType;
import io.undertow.servlet.core.DefaultAuthorizationManager;
import io.undertow.servlet.handlers.ServletRequestContext;
import io.undertow.servlet.spec.HttpSessionImpl;
import io.undertow.servlet.spec.ServletContextImpl;
import io.undertow.servlet.util.SavedRequest;
import java.io.IOException;
import java.io.InputStream;
import java.security.AccessController;
import java.security.Permission;
import java.security.Policy;
import java.security.PrivilegedAction;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.BiFunction;
import java.util.function.Consumer;
import java.util.function.Function;
import java.util.function.Predicate;
import java.util.function.UnaryOperator;
import java.util.stream.Collectors;
import javax.security.jacc.WebResourcePermission;
import javax.security.jacc.WebRoleRefPermission;
import javax.servlet.Filter;
import javax.servlet.RequestDispatcher;
import javax.servlet.Servlet;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;
import javax.servlet.http.HttpSession;
import org.jboss.as.clustering.controller.SimpleCapabilityServiceBuilder;
import org.jboss.as.controller.AbstractAddStepHandler;
import org.jboss.as.controller.AttributeDefinition;
import org.jboss.as.controller.CapabilityServiceBuilder;
import org.jboss.as.controller.CapabilityServiceTarget;
import org.jboss.as.controller.OperationContext;
import org.jboss.as.controller.OperationFailedException;
import org.jboss.as.controller.OperationStepHandler;
import org.jboss.as.controller.PersistentResourceDefinition;
import org.jboss.as.controller.ServiceRemoveStepHandler;
import org.jboss.as.controller.SimpleAttributeDefinition;
import org.jboss.as.controller.SimpleAttributeDefinitionBuilder;
import org.jboss.as.controller.StringListAttributeDefinition;
import org.jboss.as.controller.access.constraint.ApplicationTypeConfig;
import org.jboss.as.controller.access.constraint.SensitivityClassification;
import org.jboss.as.controller.access.management.ApplicationTypeAccessConstraintDefinition;
import org.jboss.as.controller.access.management.SensitiveTargetAccessConstraintDefinition;
import org.jboss.as.controller.capability.RuntimeCapability;
import org.jboss.as.controller.registry.ManagementResourceRegistration;
import org.jboss.as.controller.registry.Resource;
import org.jboss.dmr.ModelNode;
import org.jboss.dmr.ModelType;
import org.jboss.metadata.javaee.jboss.RunAsIdentityMetaData;
import org.jboss.msc.inject.Injector;
import org.jboss.msc.service.Service;
import org.jboss.msc.service.ServiceController;
import org.jboss.msc.service.ServiceName;
import org.jboss.msc.service.StartContext;
import org.jboss.msc.service.StartException;
import org.jboss.msc.service.StopContext;
import org.jboss.msc.value.InjectedValue;
import org.wildfly.clustering.service.Builder;
import org.wildfly.elytron.web.undertow.server.ElytronContextAssociationHandler;
import org.wildfly.elytron.web.undertow.server.ElytronHttpExchange;
import org.wildfly.elytron.web.undertow.server.ElytronRunAsHandler;
import org.wildfly.elytron.web.undertow.server.ScopeSessionListener;
import org.wildfly.extension.undertow.SingleSignOnDefinition;
import org.wildfly.extension.undertow.logging.UndertowLogger;
import org.wildfly.extension.undertow.security.jacc.JACCAuthorizationManager;
import org.wildfly.extension.undertow.security.sso.DistributableSecurityDomainSingleSignOnManagerBuilderProvider;
import org.wildfly.security.auth.server.HttpAuthenticationFactory;
import org.wildfly.security.auth.server.RealmIdentity;
import org.wildfly.security.auth.server.RealmUnavailableException;
import org.wildfly.security.auth.server.SecurityDomain;
import org.wildfly.security.auth.server.SecurityIdentity;
import org.wildfly.security.authz.AuthorizationFailureException;
import org.wildfly.security.authz.RoleMapper;
import org.wildfly.security.authz.Roles;
import org.wildfly.security.http.HttpAuthenticationException;
import org.wildfly.security.http.HttpConstants;
import org.wildfly.security.http.HttpScope;
import org.wildfly.security.http.HttpScopeNotification;
import org.wildfly.security.http.HttpServerAuthenticationMechanism;
import org.wildfly.security.http.HttpServerAuthenticationMechanismFactory;
import org.wildfly.security.http.Scope;
import org.wildfly.security.http.util.PropertiesServerMechanismFactory;
import org.wildfly.security.http.util.sso.DefaultSingleSignOnManager;
import org.wildfly.security.http.util.sso.SingleSignOnServerMechanismFactory;
import org.wildfly.security.http.util.sso.SingleSignOnSessionFactory;
import org.wildfly.security.manager.WildFlySecurityManager;

/* loaded from: input_file:m2repo/org/wildfly/wildfly-undertow/11.0.0.Final/wildfly-undertow-11.0.0.Final.jar:org/wildfly/extension/undertow/ApplicationSecurityDomainDefinition.class */
public class ApplicationSecurityDomainDefinition extends PersistentResourceDefinition {
    // Name of the anonymous principal; its use is in code past this view (presumably run-as identity mapping).
    private static final String ANONYMOUS_PRINCIPAL = "anonymous";
    // Component-type discriminators; their use is in code past this view.
    private static final String SERVLET = "servlet";
    private static final String EJB = "ejb";
    // Capability published for each application-security-domain. Its value is the BiFunction returned by
    // ApplicationSecurityDomainService.getValue(), i.e. the hook a deployment calls to apply Elytron security.
    static final RuntimeCapability<Void> APPLICATION_SECURITY_DOMAIN_RUNTIME_CAPABILITY = RuntimeCapability.Builder.of(Capabilities.CAPABILITY_APPLICATION_SECURITY_DOMAIN, true, (Class<?>) BiFunction.class).build();
    // Required (third builder argument false = not optional) reference to the Elytron HTTP authentication factory
    // that backs this domain; flagged as a sensitive target for management access control.
    static final SimpleAttributeDefinition HTTP_AUTHENTICATION_FACTORY = new SimpleAttributeDefinitionBuilder("http-authentication-factory", ModelType.STRING, false).setMinSize(1).setRestartAllServices().setCapabilityReference("org.wildfly.security.http-authentication-factory").setAccessConstraints(SensitiveTargetAccessConstraintDefinition.AUTHENTICATION_FACTORY_REF).build();
    // When true, the deployment's own login-config is ignored and every mechanism of the factory is offered
    // (see ApplicationSecurityDomainService.initialSecurityHandler). Defaults to false.
    static final SimpleAttributeDefinition OVERRIDE_DEPLOYMENT_CONFIG = new SimpleAttributeDefinitionBuilder(Constants.OVERRIDE_DEPLOYMENT_CONFIG, ModelType.BOOLEAN, true).setDefaultValue(new ModelNode(false)).setRestartAllServices().build();
    // Runtime-only attribute listing the deployments that reference this domain; it is read in code past this view.
    private static final StringListAttributeDefinition REFERENCING_DEPLOYMENTS = ((StringListAttributeDefinition.Builder) new StringListAttributeDefinition.Builder(Constants.REFERENCING_DEPLOYMENTS).setStorageRuntime()).build();
    // When true, authorization is delegated to JACCAuthorizationManager instead of the Elytron authorization
    // manager (see ApplicationSecurityDomainService.applyElytronSecurity). Defaults to false.
    static final SimpleAttributeDefinition ENABLE_JACC = new SimpleAttributeDefinitionBuilder(Constants.ENABLE_JACC, ModelType.BOOLEAN, true).setDefaultValue(new ModelNode(false)).setMinSize(1).setRestartAllServices().build();
    // Attributes written by AddHandler (REFERENCING_DEPLOYMENTS is runtime-only and deliberately not included).
    private static final AttributeDefinition[] ATTRIBUTES = {HTTP_AUTHENTICATION_FACTORY, OVERRIDE_DEPLOYMENT_CONFIG, ENABLE_JACC};
    static final ApplicationSecurityDomainDefinition INSTANCE = new ApplicationSecurityDomainDefinition();
    // Names of every application-security-domain added so far (filled in AddHandler.populateModel); any
    // removal happens in code past this view. Synchronized because management operations may run concurrently.
    private static final Set<String> knownApplicationSecurityDomains = Collections.synchronizedSet(new HashSet());

    /* loaded from: input_file:m2repo/org/wildfly/wildfly-undertow/11.0.0.Final/wildfly-undertow-11.0.0.Final.jar:org/wildfly/extension/undertow/ApplicationSecurityDomainDefinition$AddHandler.class */
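    /**
     * Add-operation handler for an application-security-domain resource.
     *
     * Installs one {@link ApplicationSecurityDomainService} per domain and, when the resource has a
     * single-sign-on child, the SSO manager and session-factory services it depends on.
     */
    private static class AddHandler extends AbstractAddStepHandler {
        private AddHandler() {
            super(ApplicationSecurityDomainDefinition.ATTRIBUTES);
        }

        /**
         * Writes the attributes to the model and records the new domain's name in
         * {@code knownApplicationSecurityDomains}.
         */
        @Override
        public void populateModel(OperationContext operationContext, ModelNode modelNode, Resource resource) throws OperationFailedException {
            super.populateModel(operationContext, modelNode, resource);
            ApplicationSecurityDomainDefinition.knownApplicationSecurityDomains.add(operationContext.getCurrentAddressValue());
        }

        /**
         * Installs the domain service and its dependencies.
         *
         * @throws OperationFailedException if an attribute cannot be resolved
         */
        @Override
        public void performRuntime(OperationContext operationContext, ModelNode modelNode, Resource resource) throws OperationFailedException {
            ModelNode model = resource.getModel();
            CapabilityServiceTarget target = operationContext.getCapabilityServiceTarget();
            String factoryName = ApplicationSecurityDomainDefinition.HTTP_AUTHENTICATION_FACTORY.resolveModelAttribute(operationContext, model).asString();
            boolean overrideDeploymentConfig = ApplicationSecurityDomainDefinition.OVERRIDE_DEPLOYMENT_CONFIG.resolveModelAttribute(operationContext, model).asBoolean();
            boolean enableJacc = ApplicationSecurityDomainDefinition.ENABLE_JACC.resolveModelAttribute(operationContext, model).asBoolean();
            String securityDomainName = operationContext.getCurrentAddressValue();

            ApplicationSecurityDomainService service = new ApplicationSecurityDomainService(overrideDeploymentConfig, enableJacc);
            // LAZY mode: the service is started only once a dependent (a deployment) demands it.
            CapabilityServiceBuilder<?> serviceBuilder = target.addCapability(ApplicationSecurityDomainDefinition.APPLICATION_SECURITY_DOMAIN_RUNTIME_CAPABILITY, service).setInitialMode(ServiceController.Mode.LAZY);
            serviceBuilder.addCapabilityRequirement("org.wildfly.security.http-authentication-factory", HttpAuthenticationFactory.class, service.getHttpAuthenticationFactoryInjector(), factoryName);
            if (enableJacc) {
                // A domain that delegates authorization to JACC must not start before the policy is available.
                serviceBuilder.addCapabilityRequirement(Capabilities.REF_JACC_POLICY, Policy.class);
            }
            if (resource.hasChild(UndertowExtension.PATH_SSO)) {
                installSingleSignOn(operationContext, resource.getChild(UndertowExtension.PATH_SSO).getModel(), target, securityDomainName, service, serviceBuilder);
            }
            serviceBuilder.install();
        }

        /**
         * Installs the single-sign-on manager and session-factory services for the domain and injects the
         * mechanism-factory transformer that wraps each authentication mechanism with SSO support.
         *
         * @param ssoModel model of the single-sign-on child resource
         * @param serviceBuilder builder of the domain service, which gains a dependency on the session factory
         * @throws OperationFailedException if an SSO attribute cannot be resolved
         */
        private static void installSingleSignOn(OperationContext operationContext, ModelNode ssoModel, CapabilityServiceTarget target, String securityDomainName, ApplicationSecurityDomainService service, CapabilityServiceBuilder<?> serviceBuilder) throws OperationFailedException {
            // Cookie name / domain / path and the presumably HttpOnly and Secure flags of the SSO cookie.
            SingleSignOnServerMechanismFactory.SingleSignOnConfiguration configuration = new SingleSignOnServerMechanismFactory.SingleSignOnConfiguration(
                    SingleSignOnDefinition.Attribute.COOKIE_NAME.resolveModelAttribute(operationContext, ssoModel).asString(),
                    SingleSignOnDefinition.Attribute.DOMAIN.resolveModelAttribute(operationContext, ssoModel).asString(),
                    SingleSignOnDefinition.Attribute.PATH.resolveModelAttribute(operationContext, ssoModel).asString(),
                    SingleSignOnDefinition.Attribute.HTTP_ONLY.resolveModelAttribute(operationContext, ssoModel).asBoolean(),
                    SingleSignOnDefinition.Attribute.SECURE.resolveModelAttribute(operationContext, ssoModel).asBoolean());
            ServiceName managerServiceName = new SingleSignOnManagerServiceNameProvider(securityDomainName).getServiceName();
            // SSO identifiers are drawn from a SecureRandom-backed generator; they must be unpredictable since
            // they presumably are the value carried in the SSO cookie.
            SecureRandomSessionIdGenerator sessionIdGenerator = new SecureRandomSessionIdGenerator();
            // Prefer a distributable (clustered) SSO manager when a provider is present; otherwise fall back to a
            // local in-memory manager. The fully-qualified name avoids the clash with org.jboss.as.controller.CapabilityServiceBuilder.
            Optional<org.jboss.as.clustering.controller.CapabilityServiceBuilder<?>> distributableManagerBuilder = DistributableSecurityDomainSingleSignOnManagerBuilderProvider.INSTANCE
                    .map(provider -> provider.getBuilder(managerServiceName, securityDomainName, sessionIdGenerator));
            org.jboss.as.clustering.controller.CapabilityServiceBuilder<?> managerBuilder = distributableManagerBuilder
                    .orElseGet(() -> new SimpleCapabilityServiceBuilder<>(managerServiceName, new DefaultSingleSignOnManager(new ConcurrentHashMap<>(), sessionIdGenerator::createSessionId)));
            managerBuilder.configure(operationContext).build(target).setInitialMode(ServiceController.Mode.ON_DEMAND).install();

            Builder<SingleSignOnSessionFactory> sessionFactoryBuilder = new SingleSignOnSessionFactoryBuilder(securityDomainName).configure(operationContext, ssoModel);
            sessionFactoryBuilder.build(target).setInitialMode(ServiceController.Mode.ON_DEMAND).install();
            InjectedValue<SingleSignOnSessionFactory> sessionFactory = new InjectedValue<>();
            serviceBuilder.addDependency(sessionFactoryBuilder.getServiceName(), SingleSignOnSessionFactory.class, sessionFactory);
            // The transformer is applied lazily (see ApplicationSecurityDomainService.getAuthenticationMechanisms),
            // by which time the session factory dependency has been injected.
            service.getSingleSignOnSessionFactoryInjector().inject(mechanismFactory -> new SingleSignOnServerMechanismFactory(mechanismFactory, sessionFactory.getValue(), configuration));
        }
    }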

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:m2repo/org/wildfly/wildfly-undertow/11.0.0.Final/wildfly-undertow-11.0.0.Final.jar:org/wildfly/extension/undertow/ApplicationSecurityDomainDefinition$ApplicationSecurityDomainService.class */
    public static class ApplicationSecurityDomainService implements Service<BiFunction<DeploymentInfo, Function<String, RunAsIdentityMetaData>, Registration>> {
        // When true, the deployment's login-config is ignored and all mechanisms of the factory are offered (see initialSecurityHandler).
        private final boolean overrideDeploymentConfig;
        // Filled by the MSC capability requirement wired in AddHandler; resolved into httpAuthenticationFactory on start().
        private final InjectedValue<HttpAuthenticationFactory> httpAuthenticationFactoryInjector;
        // Optional transformer that wraps each mechanism factory with single-sign-on support; only injected when the
        // domain has an SSO child resource (see AddHandler), so getOptionalValue() may return null.
        private final InjectedValue<UnaryOperator<HttpServerAuthenticationMechanismFactory>> singleSignOnTransformer;
        // Live deployment registrations; a plain HashSet, so every access is guarded by synchronized(registrations).
        private final Set<RegistrationImpl> registrations;
        // When true, JACCAuthorizationManager is used instead of the Elytron authorization manager (see applyElytronSecurity).
        private final boolean enableJacc;
        // Cached from httpAuthenticationFactory on start().
        private SecurityDomain securityDomain;
        // Set on start() and cleared on stop(); null while the service is down.
        private HttpAuthenticationFactory httpAuthenticationFactory;

        /* JADX INFO: Access modifiers changed from: private */
        /* loaded from: input_file:m2repo/org/wildfly/wildfly-undertow/11.0.0.Final/wildfly-undertow-11.0.0.Final.jar:org/wildfly/extension/undertow/ApplicationSecurityDomainDefinition$ApplicationSecurityDomainService$RegistrationImpl.class */
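        /**
         * Handle returned to a deployment by {@code applyElytronSecurity}; {@link #cancel()} undoes the
         * class-loader registration with the SecurityDomain. Instances use identity equality, which is what
         * the {@code registrations} set relies on.
         */
        public class RegistrationImpl implements Registration {
            private final DeploymentInfo deploymentInfo;

            private RegistrationImpl(DeploymentInfo deploymentInfo) {
                this.deploymentInfo = deploymentInfo;
            }

            /**
             * Detaches the deployment's class loader from the SecurityDomain and forgets this registration.
             */
            @Override
            public void cancel() {
                if (WildFlySecurityManager.isChecking()) {
                    // The cast selects the PrivilegedAction overload: a bare zero-argument lambda is ambiguous
                    // between doPrivileged(PrivilegedAction) and doPrivileged(PrivilegedExceptionAction).
                    AccessController.doPrivileged((PrivilegedAction<Void>) () -> {
                        unregister();
                        return null;
                    });
                } else {
                    unregister();
                }
                // registrations is a plain HashSet; every access is guarded by this lock (see applyElytronSecurity).
                synchronized (ApplicationSecurityDomainService.this.registrations) {
                    ApplicationSecurityDomainService.this.registrations.remove(this);
                }
            }

            // Unregisters the deployment's class loader; run under doPrivileged when a security manager is active.
            private void unregister() {
                SecurityDomain.unregisterClassLoader(this.deploymentInfo.getClassLoader());
            }
        }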

        /* loaded from: input_file:m2repo/org/wildfly/wildfly-undertow/11.0.0.Final/wildfly-undertow-11.0.0.Final.jar:org/wildfly/extension/undertow/ApplicationSecurityDomainDefinition$ApplicationSecurityDomainService$RunAsLifecycleInterceptor.class */
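        /**
         * Runs servlet {@code init}/{@code destroy} under the servlet's run-as identity when one is configured.
         * Filters have no run-as and are passed straight through.
         */
        private class RunAsLifecycleInterceptor implements LifecycleInterceptor {
            // Maps a servlet name to its run-as metadata; null when the servlet has no run-as.
            private final Function<String, RunAsIdentityMetaData> runAsMapper;

            RunAsLifecycleInterceptor(Function<String, RunAsIdentityMetaData> function) {
                this.runAsMapper = function;
            }

            /**
             * Proceeds with the lifecycle step, under the mapped run-as identity if the servlet has one.
             *
             * @throws ServletException thrown by the step itself, or wrapping any other failure raised inside it
             */
            private void proceedAsRunAs(ServletInfo servletInfo, LifecycleInterceptor.LifecycleContext lifecycleContext) throws ServletException {
                RunAsIdentityMetaData runAs = this.runAsMapper.apply(servletInfo.getName());
                if (runAs == null) {
                    lifecycleContext.proceed();
                    return;
                }
                try {
                    // The run-as identity is derived from the domain's anonymous identity (performMapping is
                    // defined past this view), never from a caller. The cast selects the PrivilegedExceptionAction
                    // overload of runAs: a zero-argument lambda alone is ambiguous between the Callable,
                    // PrivilegedAction and PrivilegedExceptionAction overloads.
                    ApplicationSecurityDomainService.this.performMapping(ApplicationSecurityDomainService.this.securityDomain.getAnonymousSecurityIdentity(), runAs).runAs((PrivilegedExceptionAction<Void>) () -> {
                        lifecycleContext.proceed();
                        return null;
                    });
                } catch (PrivilegedActionException e) {
                    throw asServletException(e);
                }
            }

            // Recovers the ServletException raised inside the privileged action, wrapping anything else.
            private ServletException asServletException(PrivilegedActionException e) {
                Throwable cause = e.getCause();
                if (cause instanceof ServletException) {
                    return (ServletException) cause;
                }
                return new ServletException(cause);
            }

            @Override
            public void init(ServletInfo servletInfo, Servlet servlet, LifecycleInterceptor.LifecycleContext lifecycleContext) throws ServletException {
                proceedAsRunAs(servletInfo, lifecycleContext);
            }

            @Override
            public void init(FilterInfo filterInfo, Filter filter, LifecycleInterceptor.LifecycleContext lifecycleContext) throws ServletException {
                lifecycleContext.proceed();
            }

            @Override
            public void destroy(ServletInfo servletInfo, Servlet servlet, LifecycleInterceptor.LifecycleContext lifecycleContext) throws ServletException {
                proceedAsRunAs(servletInfo, lifecycleContext);
            }

            @Override
            public void destroy(FilterInfo filterInfo, Filter filter, LifecycleInterceptor.LifecycleContext lifecycleContext) throws ServletException {
                lifecycleContext.proceed();
            }
        }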

        /**
         * Creates a not-yet-started service; the injectors are filled by MSC before {@link #start}.
         *
         * @param overrideDeploymentConfig ignore the deployment's login-config and offer every mechanism
         * @param enableJacc delegate authorization to JACC instead of the Elytron authorization manager
         */
        private ApplicationSecurityDomainService(boolean overrideDeploymentConfig, boolean enableJacc) {
            this.overrideDeploymentConfig = overrideDeploymentConfig;
            this.enableJacc = enableJacc;
            this.httpAuthenticationFactoryInjector = new InjectedValue<>();
            this.singleSignOnTransformer = new InjectedValue<>();
            this.registrations = new HashSet<>();
        }

        /**
         * Caches the injected authentication factory and its SecurityDomain for the lifetime of the service.
         */
        @Override
        public void start(StartContext startContext) throws StartException {
            HttpAuthenticationFactory factory = this.httpAuthenticationFactoryInjector.getValue();
            this.httpAuthenticationFactory = factory;
            this.securityDomain = factory.getSecurityDomain();
        }

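        /**
         * Releases both references cached by {@link #start}, so a stopped service pins neither the
         * authentication factory nor its SecurityDomain.
         */
        @Override
        public void stop(StopContext stopContext) {
            this.httpAuthenticationFactory = null;
            this.securityDomain = null;
        }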

        /**
         * Returns the hook a deployment invokes to apply this domain's security: it receives the
         * DeploymentInfo and a servlet-name-to-run-as mapper and returns a cancellable Registration.
         */
        @Override
        public BiFunction<DeploymentInfo, Function<String, RunAsIdentityMetaData>, Registration> getValue() throws IllegalStateException, IllegalArgumentException {
            return (deploymentInfo, runAsMapper) -> applyElytronSecurity(deploymentInfo, runAsMapper);
        }

        /* JADX INFO: Access modifiers changed from: private */
        /** Injector MSC fills with the HTTP authentication factory this domain is bound to (see AddHandler). */
        public Injector<HttpAuthenticationFactory> getHttpAuthenticationFactoryInjector() {
            Injector<HttpAuthenticationFactory> injector = this.httpAuthenticationFactoryInjector;
            return injector;
        }

        /** Injector for the optional SSO mechanism-factory transformer; left empty when the domain has no SSO child. */
        Injector<UnaryOperator<HttpServerAuthenticationMechanismFactory>> getSingleSignOnSessionFactoryInjector() {
            Injector<UnaryOperator<HttpServerAuthenticationMechanismFactory>> injector = this.singleSignOnTransformer;
            return injector;
        }

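        /**
         * Wires this domain's Elytron security into a deployment: registers its class loader with the
         * SecurityDomain, installs the initial and final security handlers, the run-as lifecycle interceptor
         * and the authorization manager.
         *
         * @param deploymentInfo the deployment being configured
         * @param function maps a servlet name to its run-as metadata (null when none)
         * @return a registration whose {@code cancel()} undoes the class-loader registration
         */
        private Registration applyElytronSecurity(DeploymentInfo deploymentInfo, Function<String, RunAsIdentityMetaData> function) {
            ScopeSessionListener scopeSessionListener = ScopeSessionListener.builder().addScopeResolver(Scope.APPLICATION, ApplicationSecurityDomainService::applicationScope).build();
            if (WildFlySecurityManager.isChecking()) {
                // The cast selects the PrivilegedAction overload: a bare zero-argument lambda is ambiguous
                // between doPrivileged(PrivilegedAction) and doPrivileged(PrivilegedExceptionAction).
                AccessController.doPrivileged((PrivilegedAction<Void>) () -> {
                    this.securityDomain.registerWithClassLoader(deploymentInfo.getClassLoader());
                    return null;
                });
            } else {
                this.securityDomain.registerWithClassLoader(deploymentInfo.getClassLoader());
            }
            deploymentInfo.addSessionListener(scopeSessionListener);
            // finalSecurityHandlers and createElytronAuthorizationManager are defined past this view.
            deploymentInfo.addInnerHandlerChainWrapper(next -> finalSecurityHandlers(next, function));
            deploymentInfo.setInitialSecurityWrapper(next -> initialSecurityHandler(deploymentInfo, next, scopeSessionListener));
            deploymentInfo.addLifecycleInterceptor(new RunAsLifecycleInterceptor(function));
            if (this.enableJacc) {
                deploymentInfo.setAuthorizationManager(new JACCAuthorizationManager());
            } else {
                deploymentInfo.setAuthorizationManager(createElytronAuthorizationManager());
            }
            RegistrationImpl registration = new RegistrationImpl(deploymentInfo);
            // registrations is a plain HashSet; every access is guarded by this lock (see RegistrationImpl.cancel).
            synchronized (this.registrations) {
                this.registrations.add(registration);
            }
            return registration;
        }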

        /**
         * Instantiates one authentication mechanism per selected entry, in map order.
         *
         * @param map mechanism name to the properties handed to its factory
         * @return the mechanisms the factory produced (entries for which it returned null are skipped)
         * @throws IllegalStateException wrapping any HttpAuthenticationException from the factory
         */
        private List<HttpServerAuthenticationMechanism> getAuthenticationMechanisms(Map<String, Map<String, String>> map) {
            List<HttpServerAuthenticationMechanism> mechanisms = new ArrayList<>(map.size());
            for (Map.Entry<String, Map<String, String>> entry : map.entrySet()) {
                String mechanismName = entry.getKey();
                Map<String, String> properties = entry.getValue();
                try {
                    // Null unless the domain has an SSO child (see AddHandler).
                    UnaryOperator<HttpServerAuthenticationMechanismFactory> ssoTransformer = this.singleSignOnTransformer.getOptionalValue();
                    HttpServerAuthenticationMechanism mechanism = this.httpAuthenticationFactory.createMechanism(mechanismName, factory -> {
                        HttpServerAuthenticationMechanismFactory configured = new PropertiesServerMechanismFactory(factory, properties);
                        if (ssoTransformer == null) {
                            return configured;
                        }
                        return ssoTransformer.apply(configured);
                    });
                    if (mechanism != null) {
                        mechanisms.add(mechanism);
                    }
                } catch (HttpAuthenticationException e) {
                    throw new IllegalStateException(e);
                }
            }
            return mechanisms;
        }

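        /**
         * Builds the handler that associates the Elytron security context with each exchange of a deployment.
         *
         * The mechanisms offered are either all of the factory's (when {@code overrideDeploymentConfig} is set
         * or the deployment has no login-config) or exactly those the deployment's login-config names, each
         * configured with the context path, realm, login and error page plus any per-method properties.
         *
         * @param deploymentInfo the deployment being configured
         * @param httpHandler the handler to run once the security context is associated
         * @param scopeSessionListener listener backing the SESSION scope
         * @return the handler to install as the deployment's initial security wrapper
         * @throws RuntimeException (logger-generated) when the factory offers no mechanism, the login-config
         *         selects none, or it selects one the factory does not provide
         */
        private HttpHandler initialSecurityHandler(DeploymentInfo deploymentInfo, HttpHandler httpHandler, ScopeSessionListener scopeSessionListener) {
            Collection<String> availableMechanisms = this.httpAuthenticationFactory.getMechanismNames();
            if (availableMechanisms.isEmpty()) {
                throw UndertowLogger.ROOT_LOGGER.noMechanismsAvailable();
            }

            // Configuration shared by every mechanism factory of this deployment.
            Map<String, String> baseConfiguration = new HashMap<>();
            baseConfiguration.put(HttpConstants.CONFIG_CONTEXT_PATH, deploymentInfo.getContextPath());
            LoginConfig loginConfig = deploymentInfo.getLoginConfig();
            if (loginConfig != null) {
                String realmName = loginConfig.getRealmName();
                if (realmName != null) {
                    baseConfiguration.put(HttpConstants.CONFIG_REALM, realmName);
                }
                String loginPage = loginConfig.getLoginPage();
                if (loginPage != null) {
                    baseConfiguration.put(HttpConstants.CONFIG_LOGIN_PAGE, loginPage);
                }
                String errorPage = loginConfig.getErrorPage();
                if (errorPage != null) {
                    baseConfiguration.put(HttpConstants.CONFIG_ERROR_PAGE, errorPage);
                }
            }
            Map<String, String> sharedConfiguration = Collections.unmodifiableMap(baseConfiguration);

            // Mechanism name -> its configuration, in the order the mechanisms are offered to the client.
            Map<String, Map<String, String>> selectedMechanisms = new LinkedHashMap<>();
            if (this.overrideDeploymentConfig || loginConfig == null) {
                // Offer every mechanism the factory provides. (The decompiled form had an empty lambda here,
                // which left the selection empty and so produced no mechanism at all on this path.)
                availableMechanisms.forEach(name -> selectedMechanisms.put(name, sharedConfiguration));
            } else {
                List<AuthMethodConfig> authMethods = loginConfig.getAuthMethods();
                if (authMethods.isEmpty()) {
                    throw UndertowLogger.ROOT_LOGGER.noMechanismsSelected();
                }
                for (AuthMethodConfig authMethod : authMethods) {
                    String name = authMethod.getName();
                    // A deployment must not silently fall back when it asks for a mechanism the domain lacks.
                    if (!availableMechanisms.contains(name)) {
                        throw UndertowLogger.ROOT_LOGGER.requiredMechanismNotAvailable(name, availableMechanisms);
                    }
                    Map<String, String> properties = authMethod.getProperties();
                    Map<String, String> mechanismConfiguration = sharedConfiguration;
                    if (properties != null) {
                        // Per-method properties override the shared ones.
                        Map<String, String> merged = new HashMap<>(sharedConfiguration);
                        merged.putAll(properties);
                        mechanismConfiguration = Collections.unmodifiableMap(merged);
                    }
                    selectedMechanisms.put(name, mechanismConfiguration);
                }
            }

            Map<Scope, Function<HttpServerExchange, HttpScope>> scopeResolvers = new HashMap<>();
            scopeResolvers.put(Scope.APPLICATION, ApplicationSecurityDomainService::applicationScope);
            scopeResolvers.put(Scope.EXCHANGE, ApplicationSecurityDomainService::requestScope);
            scopeResolvers.put(Scope.SESSION, exchange -> sessionScope(exchange, scopeSessionListener));

            return ElytronContextAssociationHandler.builder()
                    .setNext(httpHandler)
                    .setSecurityDomain(this.httpAuthenticationFactory.getSecurityDomain())
                    .setMechanismSupplier(() -> getAuthenticationMechanisms(selectedMechanisms))
                    .setHttpExchangeSupplier(exchange -> new ElytronHttpExchange(exchange, scopeResolvers, scopeSessionListener) {
                        // Undertow's servlet request context for this exchange (may be absent outside a servlet request).
                        private ServletRequestContext servletRequestContext() {
                            return (ServletRequestContext) exchange.getAttachment(ServletRequestContext.ATTACHMENT_KEY);
                        }

                        @Override
                        protected SessionManager getSessionManager() {
                            return servletRequestContext().getDeployment().getSessionManager();
                        }

                        @Override
                        protected SessionConfig getSessionConfig() {
                            return servletRequestContext().getCurrentServletContext().getSessionConfig();
                        }

                        /**
                         * Forwards the request to {@code path} (presumably the login or error page) and returns
                         * the status code the mechanism should report.
                         */
                        @Override
                        public int forward(String path) {
                            ServletRequestContext context = servletRequestContext();
                            ServletRequest request = context.getServletRequest();
                            ServletResponse response = context.getServletResponse();
                            RequestDispatcher dispatcher = request.getRequestDispatcher(path);
                            // Once a non-200 status has been set on the exchange, wrap the response so the status
                            // the forwarded page ends up with can be read back afterwards (FormResponseWrapper is
                            // defined past this view).
                            FormResponseWrapper wrapper = (exchange.getStatusCode() == 200 || !(response instanceof HttpServletResponse)) ? null : new FormResponseWrapper((HttpServletResponse) response);
                            try {
                                dispatcher.forward(request, wrapper != null ? wrapper : response);
                            } catch (IOException | ServletException e) {
                                throw new RuntimeException(e);
                            }
                            return wrapper != null ? wrapper.getStatus() : exchange.getStatusCode();
                        }

                        /**
                         * Saves the in-flight request so it can be replayed once authentication completes
                         * (presumably in the session; see SavedRequest). Always reports success.
                         */
                        @Override
                        public boolean suspendRequest() {
                            SavedRequest.trySaveRequest(exchange);
                            return true;
                        }

                        /** Restores a previously saved request from the existing session, if there is one. */
                        @Override
                        public boolean resumeRequest() {
                            HttpSessionImpl session = servletRequestContext().getCurrentServletContext().getSession(exchange, false);
                            if (session != null) {
                                SavedRequest.tryRestoreRequest(exchange, session);
                            }
                            return true;
                        }
                    })
                    .build();
        }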

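        /**
         * Resolves the Elytron APPLICATION scope for an exchange: attachments and resources are backed by the
         * deployment's ServletContext and the scope id is the deployment name.
         *
         * @return the scope, or {@code null} when the exchange carries no servlet request context
         */
        private static HttpScope applicationScope(HttpServerExchange httpServerExchange) {
            ServletRequestContext servletRequestContext = (ServletRequestContext) httpServerExchange.getAttachment(ServletRequestContext.ATTACHMENT_KEY);
            if (servletRequestContext == null) {
                return null;
            }
            final Deployment deployment = servletRequestContext.getDeployment();
            final ServletContextImpl servletContext = deployment.getServletContext();
            return new HttpScope() {
                @Override
                public String getID() {
                    // The captured local is meant here; the decompiled "Deployment.this" is not valid Java
                    // because this anonymous class is not an inner class of Deployment.
                    return deployment.getDeploymentInfo().getDeploymentName();
                }

                @Override
                public boolean supportsAttachments() {
                    return true;
                }

                // Attachments are ServletContext attributes, so they are visible to the whole deployment.
                @Override
                public void setAttachment(String name, Object value) {
                    servletContext.setAttribute(name, value);
                }

                @Override
                public Object getAttachment(String name) {
                    return servletContext.getAttribute(name);
                }

                @Override
                public boolean supportsResources() {
                    return true;
                }

                // Resources are resolved relative to the deployment via the ServletContext.
                @Override
                public InputStream getResource(String path) {
                    return servletContext.getResourceAsStream(path);
                }
            };
        }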

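        /**
         * Resolves the Elytron EXCHANGE scope for an exchange: attachments are attributes of the current
         * ServletRequest, so they live only as long as that request.
         *
         * @return the scope, or {@code null} when the exchange carries no servlet request context
         */
        private static HttpScope requestScope(HttpServerExchange httpServerExchange) {
            ServletRequestContext servletRequestContext = (ServletRequestContext) httpServerExchange.getAttachment(ServletRequestContext.ATTACHMENT_KEY);
            if (servletRequestContext == null) {
                return null;
            }
            final ServletRequest servletRequest = servletRequestContext.getServletRequest();
            return new HttpScope() {
                @Override
                public boolean supportsAttachments() {
                    return true;
                }

                // The captured local is meant here; the decompiled "ServletRequest.this" is not valid Java
                // because this anonymous class is not an inner class of ServletRequest.
                @Override
                public void setAttachment(String name, Object value) {
                    servletRequest.setAttribute(name, value);
                }

                @Override
                public Object getAttachment(String name) {
                    return servletRequest.getAttribute(name);
                }
            };
        }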

        /* JADX INFO: Access modifiers changed from: private */
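        /**
         * Builds the session-scoped {@code HttpScope} for the current exchange.
         * The scope wraps the servlet {@code HttpSession} of the original request:
         * attachments map to session attributes, {@link HttpScope#create()} creates the
         * session on demand, {@link HttpScope#invalidate()} invalidates it, and
         * notifications are routed through the supplied {@link ScopeSessionListener}.
         *
         * @param httpServerExchange   the exchange being processed
         * @param scopeSessionListener listener used to deliver session notifications
         * @return a session scope, or {@code null} when the exchange carries no
         *         {@link ServletRequestContext} attachment (consistent with {@code requestScope})
         */
        public static HttpScope sessionScope(HttpServerExchange httpServerExchange, final ScopeSessionListener scopeSessionListener) {
            final ServletRequestContext servletRequestContext = (ServletRequestContext) httpServerExchange.getAttachment(ServletRequestContext.ATTACHMENT_KEY);
            if (servletRequestContext == null) {
                // Not a servlet request: report "no scope" instead of failing in the field initializer below.
                return null;
            }
            return new HttpScope() {
                // The existing session, if any; stays null until create() succeeds.
                // Reads outside create() are unsynchronized, matching the original behaviour.
                private HttpSession session = servletRequestContext.getOriginalRequest().getSession(false);

                @Override
                public String getID() {
                    return exists() ? session.getId() : null;
                }

                @Override
                public boolean exists() {
                    return session != null;
                }

                @Override
                public synchronized boolean create() {
                    if (exists()) {
                        return false;
                    }
                    session = servletRequestContext.getOriginalRequest().getSession(true);
                    return session != null;
                }

                @Override
                public boolean supportsAttachments() {
                    return true;
                }

                @Override
                public void setAttachment(String str, Object obj) {
                    if (exists()) {
                        session.setAttribute(str, obj);
                    }
                }

                @Override
                public Object getAttachment(String str) {
                    return exists() ? session.getAttribute(str) : null;
                }

                @Override
                public boolean supportsInvalidation() {
                    return true;
                }

                /**
                 * Invalidates the backing session.
                 * NOTE(review): the {@code session} field is not cleared afterwards, so
                 * {@code exists()} keeps reporting {@code true} for the invalidated session.
                 */
                @Override
                public boolean invalidate() {
                    if (!exists()) {
                        return false;
                    }
                    try {
                        session.invalidate();
                        return true;
                    } catch (IllegalStateException e) {
                        // Pass the exception as the throwable argument so the stack trace is kept;
                        // debugf() treated it as an unused format parameter.
                        UndertowLogger.ROOT_LOGGER.debug("Failed to invalidate session", e);
                        return false;
                    }
                }

                @Override
                public boolean supportsNotifications() {
                    return true;
                }

                @Override
                public void registerForNotification(Consumer<HttpScopeNotification> consumer) {
                    if (exists()) {
                        scopeSessionListener.registerListener(session.getId(), consumer);
                    }
                }
            };
        }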

        /**
         * Wraps {@code httpHandler} in an {@link ElytronRunAsHandler} whose identity mapping
         * applies the run-as metadata resolved for the servlet handling the exchange.
         *
         * @param httpHandler the handler to wrap
         * @param function    resolves a servlet name to its run-as metadata (may yield {@code null})
         * @return the wrapping handler
         */
        private HttpHandler finalSecurityHandlers(HttpHandler httpHandler, Function<String, RunAsIdentityMetaData> function) {
            return new ElytronRunAsHandler(httpHandler,
                    (identity, exchange) -> mapIdentity(identity, exchange, function));
        }

        /**
         * Resolves the run-as metadata of the servlet currently handling the exchange
         * and applies it to {@code securityIdentity} via {@link #performMapping}.
         *
         * @param securityIdentity   the authenticated identity, possibly {@code null}
         * @param httpServerExchange the exchange; must carry a {@link ServletRequestContext} attachment
         * @param function           resolves a servlet name to its run-as metadata
         * @return the (possibly run-as mapped) identity
         */
        private SecurityIdentity mapIdentity(SecurityIdentity securityIdentity, HttpServerExchange httpServerExchange, Function<String, RunAsIdentityMetaData> function) {
            ServletRequestContext requestContext = (ServletRequestContext) httpServerExchange.getAttachment(ServletRequestContext.ATTACHMENT_KEY);
            String servletName = requestContext.getCurrentServlet().getManagedServlet().getServletInfo().getName();
            RunAsIdentityMetaData runAsMetaData = function.apply(servletName);
            return performMapping(securityIdentity, runAsMetaData);
        }

        /* JADX INFO: Access modifiers changed from: private */
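        /**
         * Applies run-as metadata to an identity.
         * <p>
         * When no metadata is given the identity is returned untouched. Otherwise the
         * base identity (the caller's, or the domain's anonymous identity when the caller
         * is unauthenticated) is switched to the run-as principal, and the run-as role plus
         * any extra run-as roles are added on top of the roles it already holds in the
         * {@code SERVLET} and {@code EJB} categories.
         * <p>
         * If the authorized run-as switch is refused, it is retried without the authorization
         * check: run-as is declared by the deployment, not chosen by the caller.
         * An unknown principal name results in an ad-hoc identity from the domain.
         *
         * @param securityIdentity       the current identity, or {@code null} when unauthenticated
         * @param runAsIdentityMetaData  run-as configuration, or {@code null} for none
         * @return the run-as identity carrying the combined roles
         */
        public SecurityIdentity performMapping(SecurityIdentity securityIdentity, RunAsIdentityMetaData runAsIdentityMetaData) {
            if (runAsIdentityMetaData == null) {
                return securityIdentity;
            }
            SecurityIdentity baseIdentity = securityIdentity != null
                    ? securityIdentity
                    : this.securityDomain.getAnonymousSecurityIdentity();
            String principalName = runAsIdentityMetaData.getPrincipalName();
            SecurityIdentity runAsIdentity;
            if (principalName.equals("anonymous")) {
                try {
                    runAsIdentity = baseIdentity.createRunAsAnonymous();
                } catch (AuthorizationFailureException e) {
                    runAsIdentity = baseIdentity.createRunAsAnonymous(false);
                }
            } else if (runAsPrincipalExists(this.securityDomain, principalName)) {
                try {
                    runAsIdentity = baseIdentity.createRunAsIdentity(principalName);
                } catch (AuthorizationFailureException e) {
                    runAsIdentity = baseIdentity.createRunAsIdentity(principalName, false);
                }
            } else {
                runAsIdentity = this.securityDomain.createAdHocIdentity(principalName);
            }
            // Typed set (the decompiled code used a raw HashSet); sized for the roles plus the role name.
            Set<String> runAsRoleNames = new HashSet<>(runAsIdentityMetaData.getRunAsRoles().size() + 1);
            runAsRoleNames.add(runAsIdentityMetaData.getRoleName());
            runAsRoleNames.addAll(runAsIdentityMetaData.getRunAsRoles());
            RoleMapper runAsRoleMapper = RoleMapper.constant(Roles.fromSet(runAsRoleNames));
            // Keep the roles already held in each category and union the run-as roles with them.
            Roles servletRoles = runAsIdentity.getRoles(ApplicationSecurityDomainDefinition.SERVLET);
            SecurityIdentity withServletRoles = runAsIdentity.withRoleMapper(
                    ApplicationSecurityDomainDefinition.SERVLET, runAsRoleMapper.or(roles -> servletRoles));
            Roles ejbRoles = withServletRoles.getRoles(ApplicationSecurityDomainDefinition.EJB);
            return withServletRoles.withRoleMapper(
                    ApplicationSecurityDomainDefinition.EJB, runAsRoleMapper.or(roles -> ejbRoles));
        }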

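        /**
         * Checks whether {@code str} names an identity that exists in the domain's realm.
         * The realm identity is always disposed, exactly once, whether the lookup
         * succeeds or throws (the decompiled form could dispose it twice if
         * {@code dispose()} itself failed on the success path).
         *
         * @param securityDomain the domain to query
         * @param str            the principal name to look up
         * @return {@code true} when the realm reports the identity as existing
         * @throws IllegalStateException (via {@code UndertowLogger}) when the realm is unavailable
         */
        private boolean runAsPrincipalExists(SecurityDomain securityDomain, String str) {
            RealmIdentity realmIdentity = null;
            try {
                realmIdentity = securityDomain.getIdentity(str);
                return realmIdentity.exists();
            } catch (RealmUnavailableException e) {
                throw UndertowLogger.ROOT_LOGGER.unableToObtainIdentity(str, e);
            } finally {
                if (realmIdentity != null) {
                    realmIdentity.dispose();
                }
            }
        }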

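        /**
         * Creates the {@link AuthorizationManager} used for Elytron-backed deployments.
         * Role checks and transport guarantees are delegated unchanged to
         * {@link DefaultAuthorizationManager}; resource access additionally falls back to
         * a JACC-style permission check against the current Elytron identity when the
         * declarative constraints deny the request.
         *
         * @return the authorization manager
         */
        private AuthorizationManager createElytronAuthorizationManager() {
            return new AuthorizationManager() {
                @Override
                public boolean isUserInRole(String str, Account account, ServletInfo servletInfo, HttpServletRequest httpServletRequest, Deployment deployment) {
                    return DefaultAuthorizationManager.INSTANCE.isUserInRole(str, account, servletInfo, httpServletRequest, deployment);
                }

                /**
                 * Grants access when the declarative constraints allow it, or else when the
                 * current identity of the domain implies a {@link WebResourcePermission} for the
                 * request, or a {@link WebRoleRefPermission} for any of its "web" roles.
                 * Note the fallback consults the domain's current identity, not {@code account}.
                 */
                @Override
                public boolean canAccessResource(List<SingleConstraintMatch> list, Account account, ServletInfo servletInfo, HttpServletRequest httpServletRequest, Deployment deployment) {
                    if (DefaultAuthorizationManager.INSTANCE.canAccessResource(list, account, servletInfo, httpServletRequest, deployment)) {
                        return true;
                    }
                    SecurityIdentity currentSecurityIdentity = ApplicationSecurityDomainService.this.httpAuthenticationFactory.getSecurityDomain().getCurrentSecurityIdentity();
                    if (currentSecurityIdentity == null) {
                        // Unauthenticated: the declarative check already denied, nothing to fall back to.
                        return false;
                    }
                    // The canonical URI depends only on the request, so compute it once instead of per role.
                    String canonicalUri = getCanonicalURI(httpServletRequest);
                    List<Permission> permissions = new ArrayList<>();
                    permissions.add(new WebResourcePermission(canonicalUri, httpServletRequest.getMethod()));
                    for (String roleName : currentSecurityIdentity.getRoles("web", true)) {
                        permissions.add(new WebRoleRefPermission(canonicalUri, roleName));
                    }
                    return permissions.stream().anyMatch(currentSecurityIdentity::implies);
                }

                @Override
                public TransportGuaranteeType transportGuarantee(TransportGuaranteeType transportGuaranteeType, TransportGuaranteeType transportGuaranteeType2, HttpServletRequest httpServletRequest) {
                    return DefaultAuthorizationManager.INSTANCE.transportGuarantee(transportGuaranteeType, transportGuaranteeType2, httpServletRequest);
                }

                /**
                 * Returns the request URI with the context path stripped, as used for the
                 * JACC permission names. The context root itself ({@code "/"}) maps to {@code ""}.
                 * The value is taken from {@code getRequestURI()} as the container provides it.
                 */
                private String getCanonicalURI(HttpServletRequest httpServletRequest) {
                    String relativeUri = httpServletRequest.getRequestURI().substring(httpServletRequest.getContextPath().length());
                    // substring() never yields null, so only the root-path case needs mapping.
                    return relativeUri.equals("/") ? "" : relativeUri;
                }
            };
        }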

        /* JADX INFO: Access modifiers changed from: private */
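        /**
         * Returns the names of all deployments currently registered with this domain.
         * Taken under the {@code registrations} monitor so a concurrent
         * registration or cancellation cannot interleave with the snapshot.
         *
         * @return a fresh array of deployment names (empty when none are registered)
         */
        public String[] getDeployments() {
            synchronized (this.registrations) {
                // Stream straight to the array; the decompiled form built a List and a pre-sized array first.
                return this.registrations.stream()
                        .map(registrationImpl -> registrationImpl.deploymentInfo.getDeploymentName())
                        .toArray(String[]::new);
            }
        }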
    }

    /* loaded from: input_file:m2repo/org/wildfly/wildfly-undertow/11.0.0.Final/wildfly-undertow-11.0.0.Final.jar:org/wildfly/extension/undertow/ApplicationSecurityDomainDefinition$FormResponseWrapper.class */
    /**
     * Response wrapper that records the status code set on it without forwarding
     * it to the wrapped response. Starts at 200 until a setter is called.
     */
    private static class FormResponseWrapper extends HttpServletResponseWrapper {
        private int status = 200;

        private FormResponseWrapper(HttpServletResponse httpServletResponse) {
            super(httpServletResponse);
        }

        /** Records the code only; the message argument is not retained. */
        @Override
        public void setStatus(int i, String str) {
            setStatus(i);
        }

        @Override
        public void setStatus(int i) {
            status = i;
        }

        @Override
        public int getStatus() {
            return status;
        }
    }

    /* loaded from: input_file:m2repo/org/wildfly/wildfly-undertow/11.0.0.Final/wildfly-undertow-11.0.0.Final.jar:org/wildfly/extension/undertow/ApplicationSecurityDomainDefinition$ReferencingDeploymentsHandler.class */
    /**
     * Read-only attribute handler that lists the deployments referencing the
     * application security domain at the current address. Yields an empty list
     * unless the domain service is {@code UP} and is an {@link ApplicationSecurityDomainService}.
     */
    private static class ReferencingDeploymentsHandler implements OperationStepHandler {
        private ReferencingDeploymentsHandler() {
        }

        @Override
        public void execute(OperationContext operationContext, ModelNode modelNode) throws OperationFailedException {
            ServiceName domainServiceName = ApplicationSecurityDomainDefinition.APPLICATION_SECURITY_DOMAIN_RUNTIME_CAPABILITY
                    .fromBaseCapability(operationContext.getCurrentAddressValue())
                    .getCapabilityServiceName(BiFunction.class);
            ServiceController<?> controller = operationContext.getServiceRegistry(false).getRequiredService(domainServiceName);
            ModelNode deployments = new ModelNode();
            if (controller.getState() == ServiceController.State.UP) {
                Service<?> service = controller.getService();
                if (service instanceof ApplicationSecurityDomainService) {
                    ApplicationSecurityDomainService domainService = (ApplicationSecurityDomainService) service;
                    for (String deploymentName : domainService.getDeployments()) {
                        deployments.add(deploymentName);
                    }
                }
            }
            operationContext.getResult().set(deployments);
        }
    }

    /* loaded from: input_file:m2repo/org/wildfly/wildfly-undertow/11.0.0.Final/wildfly-undertow-11.0.0.Final.jar:org/wildfly/extension/undertow/ApplicationSecurityDomainDefinition$Registration.class */
    /**
     * Handle returned when a deployment is registered with an application security domain.
     * {@link #cancel()} undoes that registration.
     */
    public interface Registration {
        /** Removes the registration this handle represents. */
        void cancel();
    }

    /* loaded from: input_file:m2repo/org/wildfly/wildfly-undertow/11.0.0.Final/wildfly-undertow-11.0.0.Final.jar:org/wildfly/extension/undertow/ApplicationSecurityDomainDefinition$RemoveHandler.class */
    /**
     * Remove handler for the application-security-domain resource. Besides the
     * standard service removal it forgets the domain name in
     * {@code knownApplicationSecurityDomains} and, when runtime changes are
     * permitted, removes the single-sign-on services created for the domain.
     */
    private static class RemoveHandler extends ServiceRemoveStepHandler {
        protected RemoveHandler(AbstractAddStepHandler abstractAddStepHandler) {
            super(abstractAddStepHandler);
        }

        @Override
        public void performRemove(OperationContext operationContext, ModelNode modelNode, ModelNode modelNode2) throws OperationFailedException {
            super.performRemove(operationContext, modelNode, modelNode2);
            String domainName = operationContext.getCurrentAddressValue();
            ApplicationSecurityDomainDefinition.knownApplicationSecurityDomains.remove(domainName);
        }

        @Override
        public void performRuntime(OperationContext operationContext, ModelNode modelNode, ModelNode modelNode2) {
            super.performRuntime(operationContext, modelNode, modelNode2);
            if (!operationContext.isResourceServiceRestartAllowed()) {
                return;
            }
            String domainName = operationContext.getCurrentAddressValue();
            operationContext.removeService(new SingleSignOnManagerServiceNameProvider(domainName).getServiceName());
            operationContext.removeService(new SingleSignOnSessionFactoryServiceNameProvider(domainName).getServiceName());
        }

        /** Service name of the domain capability for {@code str}, keyed on the {@code BiFunction} service type. */
        @Override
        protected ServiceName serviceName(String str) {
            return ApplicationSecurityDomainDefinition.APPLICATION_SECURITY_DOMAIN_RUNTIME_CAPABILITY
                    .fromBaseCapability(str)
                    .getCapabilityServiceName(BiFunction.class);
        }
    }

    /**
     * Builds the resource definition with its runtime capability, the sensitive-target and
     * application-type access constraints for {@code application-security-domain}, and the
     * {@link AddHandler} that the remove handler is derived from.
     */
    private ApplicationSecurityDomainDefinition() {
        this((PersistentResourceDefinition.Parameters) new PersistentResourceDefinition.Parameters(
                        UndertowExtension.PATH_APPLICATION_SECURITY_DOMAIN,
                        UndertowExtension.getResolver(Constants.APPLICATION_SECURITY_DOMAIN))
                        .setCapabilities(APPLICATION_SECURITY_DOMAIN_RUNTIME_CAPABILITY)
                        .addAccessConstraints(
                                new SensitiveTargetAccessConstraintDefinition(
                                        new SensitivityClassification("undertow", Constants.APPLICATION_SECURITY_DOMAIN, false, false, false)),
                                new ApplicationTypeAccessConstraintDefinition(
                                        new ApplicationTypeConfig("undertow", Constants.APPLICATION_SECURITY_DOMAIN))),
                new AddHandler());
    }

    /**
     * Installs the add handler and a {@link RemoveHandler} paired with it on the
     * given parameters before delegating to the superclass.
     */
    private ApplicationSecurityDomainDefinition(PersistentResourceDefinition.Parameters parameters, AbstractAddStepHandler abstractAddStepHandler) {
        super(parameters
                .setAddHandler(abstractAddStepHandler)
                .setRemoveHandler(new RemoveHandler(abstractAddStepHandler)));
    }

    /**
     * Registers the resource attributes plus the read-only {@code referencing-deployments}
     * attribute. The set of known domain names is reset first so that a re-registration
     * (e.g. on extension reload) starts from a clean slate.
     */
    @Override // org.jboss.as.controller.PersistentResourceDefinition, org.jboss.as.controller.SimpleResourceDefinition, org.jboss.as.controller.ResourceDefinition
    public void registerAttributes(ManagementResourceRegistration managementResourceRegistration) {
        knownApplicationSecurityDomains.clear();
        super.registerAttributes(managementResourceRegistration);
        managementResourceRegistration.registerReadOnlyAttribute(REFERENCING_DEPLOYMENTS, new ReferencingDeploymentsHandler());
    }

    /** The single child resource: the {@code setting=single-sign-on} definition. */
    @Override
    protected List<? extends PersistentResourceDefinition> getChildren() {
        PersistentResourceDefinition singleSignOn = new ApplicationSecurityDomainSingleSignOnDefinition();
        return Collections.singletonList(singleSignOn);
    }

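    /**
     * Returns the attribute definitions of this resource.
     * Wrapped as unmodifiable: {@code Arrays.asList} alone is a write-through view,
     * so a caller's {@code set()} would have altered the shared {@code ATTRIBUTES} array.
     *
     * @return a read-only view of the attributes
     */
    @Override
    public Collection<AttributeDefinition> getAttributes() {
        return Collections.unmodifiableList(Arrays.asList(ATTRIBUTES));
    }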

    /* JADX INFO: Access modifiers changed from: package-private */
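    /**
     * Returns a predicate that reports whether a name denotes a known application
     * security domain. The predicate reads the live {@code knownApplicationSecurityDomains}
     * set, so later registrations and removals are reflected.
     *
     * @return predicate over domain names
     */
    public Predicate<String> getKnownSecurityDomainPredicate() {
        // The decompiled form (getClass() null check + synthetic "r0") is javac's expansion of this method reference.
        return knownApplicationSecurityDomains::contains;
    }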
}
