package org.jboss.security.authorization.modules.web;

import java.io.IOException;
import java.security.CodeSource;
import java.security.Permission;
import java.security.Policy;
import java.security.Principal;
import java.security.ProtectionDomain;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.jacc.WebResourcePermission;
import javax.security.jacc.WebRoleRefPermission;
import javax.security.jacc.WebUserDataPermission;
import javax.servlet.http.HttpServletRequest;
import org.jboss.security.PicketBoxLogger;
import org.jboss.security.PicketBoxMessages;
import org.jboss.security.authorization.PolicyRegistration;
import org.jboss.security.authorization.Resource;
import org.jboss.security.authorization.ResourceKeys;
import org.jboss.security.authorization.modules.AbstractJACCModuleDelegate;
import org.jboss.security.authorization.resources.WebResource;
import org.jboss.security.identity.Role;
import org.jboss.security.identity.RoleGroup;

/* Decompiled from: input_file:WEB-INF/lib/picketbox-4.0.19.SP4.jar:org/jboss/security/authorization/modules/web/WebJACCPolicyModuleDelegate.class */
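/**
 * JACC-backed authorization delegate for web resources.
 *
 * <p>{@link #authorize(Resource, Subject, RoleGroup)} reads the request, code source
 * and canonical request URI off the {@link WebResource}, decides which single JACC
 * check the resource map asks for (resource, user-data or role-ref) and evaluates it
 * against the installed {@link Policy}.
 *
 * <p>NOTE(review): the request context is kept in instance fields that the private
 * helpers read back, so a delegate instance shared across concurrent requests would
 * race on them — confirm callers create a delegate per call or serialize access.
 */
public class WebJACCPolicyModuleDelegate extends AbstractJACCModuleDelegate {
    /** Policy captured at construction time; a Policy installed afterwards is not consulted. */
    private final Policy policy = Policy.getPolicy();

    // Per-call request context: written by authorize(), read by the permission checks below.
    private HttpServletRequest request = null;
    private CodeSource webCS = null;
    private String canonicalRequestURI = null;

    /**
     * Evaluates exactly one JACC web permission check for the given resource.
     *
     * <p>The resource map selects the check via {@link ResourceKeys#RESOURCE_PERM_CHECK},
     * {@link ResourceKeys#USERDATA_PERM_CHECK} and {@link ResourceKeys#ROLEREF_PERM_CHECK};
     * they are evaluated in that order and only the first one set to {@code true} runs.
     * A {@code true} user-data flag may not be combined with either of the other two.
     *
     * @param resource  must be a {@link WebResource} carrying a non-null resource map
     * @param subject   authenticated subject whose principals are used for the resource check
     * @param roleGroup roles of the subject, used for the resource check
     * @return {@code 1} when the selected check passes, {@code -1} otherwise (including when
     *         no check is selected or an {@link IOException} is raised by the check)
     * @throws RuntimeException (via {@link PicketBoxMessages}) when the resource is not a
     *         {@link WebResource}, the resource map is null, or the flag combination is invalid
     */
    @Override
    public int authorize(Resource resource, Subject subject, RoleGroup roleGroup) {
        if (!(resource instanceof WebResource)) {
            throw PicketBoxMessages.MESSAGES.invalidType(WebResource.class.getName());
        }
        WebResource webResource = (WebResource) resource;
        Map<String, Object> map = resource.getMap();
        if (map == null) {
            throw PicketBoxMessages.MESSAGES.invalidNullProperty("resourceMap");
        }

        // Capture the request context used by the permission checks below.
        this.request = webResource.getServletRequest();
        this.webCS = webResource.getCodeSource();
        this.canonicalRequestURI = webResource.getCanonicalRequestURI();

        String roleName = (String) map.get(ResourceKeys.ROLENAME);
        Principal hasRolePrincipal = (Principal) map.get(ResourceKeys.HASROLE_PRINCIPAL);
        @SuppressWarnings("unchecked") // the value stored under PRINCIPAL_ROLES is expected to be a Set<Principal>
        Set<Principal> principalRoles = (Set<Principal>) map.get(ResourceKeys.PRINCIPAL_ROLES);
        String servletName = webResource.getServletName();

        Boolean resourceCheck = checkBooleanValue((Boolean) map.get(ResourceKeys.RESOURCE_PERM_CHECK));
        Boolean userDataCheck = checkBooleanValue((Boolean) map.get(ResourceKeys.USERDATA_PERM_CHECK));
        Boolean roleRefCheck = checkBooleanValue((Boolean) map.get(ResourceKeys.ROLEREF_PERM_CHECK));
        validatePermissionChecks(resourceCheck, userDataCheck, roleRefCheck);

        // Fail closed: anything that is not an explicit positive answer denies.
        boolean permitted = false;
        try {
            if (resourceCheck.booleanValue()) {
                permitted = hasResourcePermission(subject, roleGroup);
            } else if (userDataCheck.booleanValue()) {
                permitted = hasUserDataPermission();
            } else if (roleRefCheck.booleanValue()) {
                permitted = hasRole(hasRolePrincipal, roleName, principalRoles, servletName);
            } else {
                PicketBoxLogger.LOGGER.debugInvalidWebJaccCheck();
            }
        } catch (IOException e) {
            // Logged and treated as a denial; the caller never sees the exception.
            PicketBoxLogger.LOGGER.debugIgnoredException(e);
        }
        return permitted ? 1 : -1;
    }

    /**
     * Stores the policy registration manager on the inherited field.
     *
     * @param policyRegistration registration manager supplied by the authorization framework
     */
    @Override
    public void setPolicyRegistrationManager(PolicyRegistration policyRegistration) {
        this.policyRegistration = policyRegistration;
    }

    /**
     * Checks {@code permission} against the principals derived from {@code subject} and {@code role}.
     * {@code principal} is accepted for signature compatibility but is not used by this check.
     */
    private boolean checkPolicy(Permission permission, Principal principal, Subject subject, Role role) {
        return checkPolicy(permission, getPrincipals(subject, role));
    }

    /**
     * Asks the captured {@link Policy} whether a protection domain built from the web
     * application's code source and {@code principalArr} implies {@code permission}.
     */
    private boolean checkPolicy(Permission permission, Principal[] principalArr) {
        ProtectionDomain domain = new ProtectionDomain(this.webCS, null, null, principalArr);
        return this.policy.implies(domain, permission);
    }

    /**
     * Normalizes a possibly-null flag from the resource map to a canonical
     * {@link Boolean#TRUE}/{@link Boolean#FALSE}; a missing flag means "not requested".
     */
    private Boolean checkBooleanValue(Boolean bool) {
        return Boolean.valueOf(bool != null && bool.booleanValue());
    }

    /**
     * JACC {@link WebResourcePermission} check for the current request URI and HTTP method.
     *
     * @throws IOException declared for compatibility with the caller's handling; the
     *         visible body does not raise it itself
     */
    private boolean hasResourcePermission(Subject subject, Role role) throws IOException {
        Principal userPrincipal = this.request.getUserPrincipal();
        WebResourcePermission perm =
                new WebResourcePermission(this.canonicalRequestURI, this.request.getMethod());
        boolean granted = checkPolicy(perm, userPrincipal, subject, role);
        PicketBoxLogger.LOGGER.traceHasResourcePermission(perm.toString(), granted);
        return granted;
    }

    /**
     * JACC {@link WebRoleRefPermission} check: does the caller hold {@code roleName} as
     * referenced by {@code servletName}?
     *
     * <p>When {@code principalRoles} is present it supplies the principals of the
     * protection domain; otherwise the single {@code principal} is used.
     *
     * @throws RuntimeException (via {@link PicketBoxMessages}) when {@code servletName} is null
     */
    private boolean hasRole(Principal principal, String roleName, Set<Principal> principalRoles, String servletName) {
        if (servletName == null) {
            throw PicketBoxMessages.MESSAGES.invalidNullArgument("servletName");
        }
        WebRoleRefPermission perm = new WebRoleRefPermission(servletName, roleName);
        Principal[] principals;
        if (principalRoles != null) {
            principals = principalRoles.toArray(new Principal[0]);
        } else {
            principals = new Principal[] {principal};
        }
        boolean granted = checkPolicy(perm, principals);
        PicketBoxLogger.LOGGER.traceHasRolePermission(perm.toString(), granted);
        return granted;
    }

    /**
     * JACC {@link WebUserDataPermission} check (transport guarantee) for the current request.
     * Evaluated with no principals; any failure during evaluation is logged and counts as denial.
     *
     * @throws IOException declared for compatibility with the caller's handling; the
     *         visible body does not raise it itself
     */
    private boolean hasUserDataPermission() throws IOException {
        WebUserDataPermission perm =
                new WebUserDataPermission(this.canonicalRequestURI, this.request.getMethod());
        boolean granted = false;
        try {
            granted = checkPolicy(perm, null);
        } catch (Exception e) {
            // Deliberate fail-closed: a policy evaluation error denies rather than propagates.
            PicketBoxLogger.LOGGER.debugIgnoredException(e);
        }
        PicketBoxLogger.LOGGER.traceHasUserDataPermission(perm.toString(), granted);
        return granted;
    }

    /**
     * Rejects flag combinations that cannot be evaluated as a single check.
     *
     * <p>Uses value comparison rather than reference identity so a non-canonical
     * {@code Boolean} instance is still recognized. The rejected combinations are
     * resource+userData and userData+roleRef (the triple is covered by both);
     * resource+roleRef is not rejected here — {@code authorize()} then runs only the
     * resource check. NOTE(review): confirm that asymmetry is intended.
     */
    private void validatePermissionChecks(Boolean resourceCheck, Boolean userDataCheck, Boolean roleRefCheck) {
        boolean resource = Boolean.TRUE.equals(resourceCheck);
        boolean userData = Boolean.TRUE.equals(userDataCheck);
        boolean roleRef = Boolean.TRUE.equals(roleRefCheck);
        if ((resource && userData) || (userData && roleRef)) {
            throw PicketBoxMessages.MESSAGES.invalidPermissionChecks();
        }
    }
}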
