package org.switchyard.security.provider;

import java.security.Principal;
import java.security.acl.Group;
import java.util.Collections;
import java.util.Iterator;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.switchyard.ServiceSecurity;
import org.switchyard.common.lang.Strings;
import org.switchyard.common.type.reflect.Construction;
import org.switchyard.security.BaseSecurityLogger;
import org.switchyard.security.callback.handler.NamePasswordCallbackHandler;
import org.switchyard.security.callback.handler.SwitchYardCallbackHandler;
import org.switchyard.security.context.SecurityContext;
import org.switchyard.security.credential.SubjectCredential;
import org.switchyard.security.principal.GroupPrincipal;
import org.switchyard.security.principal.RolePrincipal;

/* loaded from: input_file:org/switchyard/security/provider/JaasSecurityProvider.class */
/**
 * {@link SecurityProvider} backed by JAAS.
 *
 * <p>Authentication is delegated to a {@link LoginContext} for the service's security domain,
 * using the callback handler configured on the {@link ServiceSecurity} (or a
 * {@link NamePasswordCallbackHandler} when none is configured). Principals and credentials carried
 * by {@link SubjectCredential}s in the {@link SecurityContext} are merged into the domain's
 * {@link Subject}; role membership is kept in a single {@link GroupPrincipal} named
 * {@link GroupPrincipal#ROLES}. Role membership relies on {@link java.security.acl.Group}.
 *
 * <p>Authorization decision: {@link #checkRolesAllowed} grants access when the service declares
 * no roles at all, and otherwise when the caller holds at least one of them.
 */
public class JaasSecurityProvider implements SecurityProvider {

    /**
     * Authenticates the caller against the service's JAAS security domain.
     *
     * <p>A login failure is logged and reported as {@code false}; the method never reports success
     * unless {@link LoginContext#login()} returned normally.
     *
     * @param serviceSecurity the service's security configuration (domain, callback handler, properties)
     * @param securityContext the caller's context; its Subject for the domain is the login target
     * @return {@code true} when the JAAS login succeeded, {@code false} when it threw
     *         {@link LoginException}
     */
    @Override
    public boolean authenticate(ServiceSecurity serviceSecurity, SecurityContext securityContext) {
        Class<?> handlerType = serviceSecurity.getCallbackHandler();
        if (handlerType == null) {
            // No handler configured on the service: use the name/password handler.
            handlerType = NamePasswordCallbackHandler.class;
        }
        // A configured class that does not implement CallbackHandler fails this cast; there is no
        // separate guard for that misconfiguration.
        CallbackHandler handler = (CallbackHandler) Construction.construct(handlerType);
        if (handler instanceof SwitchYardCallbackHandler) {
            // SwitchYard-aware handlers are fed the service properties and the caller's
            // credentials so the login modules can obtain them through callbacks.
            SwitchYardCallbackHandler syHandler = (SwitchYardCallbackHandler) handler;
            syHandler.setProperties(serviceSecurity.getProperties());
            syHandler.setCredentials(securityContext.getCredentials());
        }
        String domain = serviceSecurity.getSecurityDomain();
        Subject subject = securityContext.getSubject(domain);
        try {
            new LoginContext(domain, subject, handler).login();
        } catch (LoginException e) {
            // Fail closed: log and report "not authenticated".
            BaseSecurityLogger.ROOT_LOGGER.authenticateLoginException(e.getMessage(), e);
            return false;
        }
        return true;
    }

    /**
     * Merges every {@link SubjectCredential} found in the context into the domain's Subject.
     *
     * <p>Whatever Subjects those credentials carry are taken as already established; their
     * principals, role memberships and credentials are copied by {@link #transfer}.
     *
     * @param serviceSecurity supplies the security domain whose Subject receives the merge
     * @param securityContext supplies the SubjectCredentials and the target Subject
     * @return always {@code true}
     */
    @Override
    public boolean propagate(ServiceSecurity serviceSecurity, SecurityContext securityContext) {
        Subject target = securityContext.getSubject(serviceSecurity.getSecurityDomain());
        for (Object credential : securityContext.getCredentials(SubjectCredential.class)) {
            transfer(((SubjectCredential) credential).getSubject(), target);
        }
        return true;
    }

    /**
     * Copies principals and credentials from {@code subject} into {@code subject2}.
     *
     * <p>A source principal that is a {@link Group} named {@link GroupPrincipal#ROLES} is not added
     * as a principal; instead its members are added to the target's roles group (see
     * {@link #getRoleGroup}), wrapping non-{@link RolePrincipal} members by name. Every other
     * principal, and all private and public credentials, are added as-is. Nothing happens when
     * either side is {@code null} or both sides are the same Subject.
     *
     * @param subject the source Subject
     * @param subject2 the target Subject that receives the merge
     */
    protected void transfer(Subject subject, Subject subject2) {
        if (subject == null || subject2 == null) {
            return;
        }
        if (subject2 == subject || subject2.equals(subject)) {
            // Same Subject on both sides: nothing to merge.
            return;
        }
        Set<Principal> targetPrincipals = subject2.getPrincipals();
        GroupPrincipal targetRoles = null;
        for (Principal principal : subject.getPrincipals()) {
            boolean isRolesGroup =
                    principal instanceof Group && GroupPrincipal.ROLES.equals(principal.getName());
            if (!isRolesGroup) {
                targetPrincipals.add(principal);
                continue;
            }
            if (targetRoles == null) {
                // Resolved lazily: only subjects that actually carry roles touch the target's group.
                targetRoles = getRoleGroup(subject2);
            }
            Group sourceRoles = (Group) principal;
            if (targetRoles == sourceRoles) {
                // Identity check: the target already holds this very group object.
                continue;
            }
            for (Principal member : Collections.list(sourceRoles.members())) {
                RolePrincipal role = member instanceof RolePrincipal
                        ? (RolePrincipal) member
                        : new RolePrincipal(member.getName());
                targetRoles.addMember(role);
            }
        }
        subject2.getPrivateCredentials().addAll(subject.getPrivateCredentials());
        subject2.getPublicCredentials().addAll(subject.getPublicCredentials());
    }

    /**
     * Returns the Subject's {@link GroupPrincipal} named {@link GroupPrincipal#ROLES}, creating and
     * attaching one when the Subject has none.
     *
     * @param subject the Subject to inspect (and, if needed, to add the group to)
     * @return the existing or newly created roles group; never {@code null}
     */
    private GroupPrincipal getRoleGroup(Subject subject) {
        for (GroupPrincipal candidate : subject.getPrincipals(GroupPrincipal.class)) {
            if (GroupPrincipal.ROLES.equals(candidate.getName())) {
                return candidate;
            }
        }
        GroupPrincipal created = new GroupPrincipal(GroupPrincipal.ROLES);
        subject.getPrincipals().add(created);
        return created;
    }

    /**
     * Adds the service's configured run-as role to the caller's roles group.
     *
     * @param serviceSecurity supplies the run-as role name and the security domain
     * @param securityContext supplies the Subject for that domain
     * @return {@code false} when no run-as role is configured (blank after trimming),
     *         {@code true} once the role has been added
     */
    @Override
    public boolean addRunAs(ServiceSecurity serviceSecurity, SecurityContext securityContext) {
        String runAs = Strings.trimToNull(serviceSecurity.getRunAs());
        if (runAs == null) {
            return false;
        }
        Subject subject = securityContext.getSubject(serviceSecurity.getSecurityDomain());
        getRoleGroup(subject).addMember(new RolePrincipal(runAs));
        return true;
    }

    /**
     * Checks whether the caller holds at least one of the service's allowed roles.
     *
     * <p>A service with an empty roles-allowed set imposes no role restriction and is always
     * permitted.
     *
     * @param serviceSecurity supplies the allowed role names and the security domain
     * @param securityContext answers the per-role membership query
     * @return {@code true} if no roles are required or the caller is in any required role
     */
    @Override
    public boolean checkRolesAllowed(ServiceSecurity serviceSecurity, SecurityContext securityContext) {
        Set<?> rolesAllowed = serviceSecurity.getRolesAllowed();
        if (rolesAllowed.isEmpty()) {
            return true;
        }
        String domain = serviceSecurity.getSecurityDomain();
        for (Object role : rolesAllowed) {
            if (securityContext.isCallerInRole((String) role, domain)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Clears the Subject held for the service's security domain.
     *
     * @param serviceSecurity may be {@code null}; a missing service or domain is a no-op
     * @param securityContext the context whose Subject for the domain is cleared
     * @return always {@code true}
     */
    @Override
    public boolean clear(ServiceSecurity serviceSecurity, SecurityContext securityContext) {
        if (serviceSecurity == null) {
            return true;
        }
        String domain = serviceSecurity.getSecurityDomain();
        if (domain != null) {
            securityContext.clearSubject(domain);
        }
        return true;
    }
}
