package org.jboss.as.connector.security;

import jakarta.resource.spi.security.PasswordCredential;
import java.net.URI;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.util.Arrays;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.kerberos.KerberosPrincipal;
import org.jboss.as.connector._private.Capabilities;
import org.jboss.as.connector.logging.ConnectorLogger;
import org.jboss.as.controller.capability.RuntimeCapability;
import org.jboss.as.server.CurrentServiceContainer;
import org.jboss.jca.core.spi.security.SubjectFactory;
import org.jboss.msc.service.ServiceContainer;
import org.wildfly.security.auth.callback.CredentialCallback;
import org.wildfly.security.auth.client.AuthenticationContext;
import org.wildfly.security.auth.client.AuthenticationContextConfigurationClient;
import org.wildfly.security.auth.principal.NamePrincipal;
import org.wildfly.security.credential.GSSKerberosCredential;
import org.wildfly.security.manager.WildFlySecurityManager;

/* loaded from: input_file:org/jboss/as/connector/security/ElytronSubjectFactory.class */
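/**
 * {@link SubjectFactory} that builds a JAAS {@link Subject} from an Elytron
 * {@link AuthenticationContext}.
 *
 * <p>The factory asks the callback handler derived from the authentication configuration for a
 * user name, a password and a {@link GSSKerberosCredential}, and copies whatever is supplied into
 * the subject: principals go into the principal set, while the Kerberos ticket, the GSS
 * credential and the {@link PasswordCredential} go into the <em>private</em> credential set.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>The returned subject carries live secrets. Anything that serialises or prints it
 *       (including TRACE logging, see {@link #traceSubject(Subject)}) must be treated as
 *       handling credential material.</li>
 *   <li>Private-credential mutation is wrapped in {@code doPrivileged} only when a security
 *       manager is checking, so callers do not need the corresponding permission themselves.</li>
 * </ul>
 */
public class ElytronSubjectFactory implements SubjectFactory, Capabilities {
    /** Capability used to resolve a named authentication context from the service container. */
    private static final RuntimeCapability<Void> AUTHENTICATION_CONTEXT_RUNTIME_CAPABILITY = RuntimeCapability.Builder.of(Capabilities.AUTHENTICATION_CONTEXT_CAPABILITY, true, AuthenticationContext.class).build();

    /** Client used to read configuration out of an authentication context; obtained in a privileged block. */
    private static final AuthenticationContextConfigurationClient AUTH_CONFIG_CLIENT = (AuthenticationContextConfigurationClient) AccessController.doPrivileged(AuthenticationContextConfigurationClient.ACTION);

    /** Fixed context to use, or {@code null} to capture the caller's current context on each call. */
    private final AuthenticationContext authenticationContext;

    /** Target URI used to select the matching authentication configuration; may be {@code null}. */
    private final URI targetURI;

    /** Creates a factory with no fixed context and no target URI. */
    public ElytronSubjectFactory() {
        this(null, null);
    }

    /**
     * Creates a factory bound to the given context and target.
     *
     * @param authenticationContext context to use, or {@code null} to capture the current one per call
     * @param uri target URI used when selecting the authentication configuration; may be {@code null}
     */
    public ElytronSubjectFactory(AuthenticationContext authenticationContext, URI uri) {
        this.authenticationContext = authenticationContext;
        this.targetURI = uri;
    }

    /**
     * Creates a subject from the factory's own (or the currently captured) authentication context.
     *
     * @return a new subject populated with the principals and private credentials that were supplied
     * @throws SecurityException if the callback handler or subject population fails
     */
    public Subject createSubject() {
        final Subject subject = createSubject(getAuthenticationContext());
        traceSubject(subject);
        return subject;
    }

    /**
     * Creates a subject from a named authentication context.
     *
     * <p>A {@code null} or empty name falls back to the factory's own (or the currently captured)
     * context. Otherwise the name is resolved as an authentication-context capability service in
     * the current service container.
     *
     * @param str name of the authentication context, or {@code null}/empty for the default
     * @return a new subject populated with the principals and private credentials that were supplied
     * @throws SecurityException if the callback handler or subject population fails
     */
    public Subject createSubject(String str) {
        final AuthenticationContext context;
        if (str == null || str.isEmpty()) {
            context = getAuthenticationContext();
        } else {
            // NOTE(review): getRequiredService presumably fails when no context with this name is
            // installed; that failure is not translated here — confirm callers expect it.
            context = (AuthenticationContext) currentServiceContainer()
                    .getRequiredService(AUTHENTICATION_CONTEXT_RUNTIME_CAPABILITY.getCapabilityServiceName(new String[]{str}))
                    .getValue();
        }
        final Subject subject = createSubject(context);
        traceSubject(subject);
        return subject;
    }

    /**
     * Runs the name/password/Kerberos callbacks against the given context and builds the subject.
     *
     * @param authenticationContext context whose configuration for {@code targetURI} supplies the credentials
     * @return the populated subject (possibly empty when the handler supplies nothing)
     * @throws SecurityException wrapping any failure raised while handling callbacks or filling the subject
     */
    private Subject createSubject(AuthenticationContext authenticationContext) {
        final CallbackHandler callbackHandler = AUTH_CONFIG_CLIENT.getCallbackHandler(
                AUTH_CONFIG_CLIENT.getAuthenticationConfiguration(this.targetURI, authenticationContext));
        // Declared with their concrete types: getName()/getCredential() are not part of Callback.
        final NameCallback nameCallback = new NameCallback("Username: ");
        final PasswordCallback passwordCallback = new PasswordCallback("Password: ", false);
        final CredentialCallback credentialCallback = new CredentialCallback(GSSKerberosCredential.class);
        try {
            callbackHandler.handle(new Callback[]{nameCallback, passwordCallback, credentialCallback});
            final Subject subject = new Subject();
            if (credentialCallback.getCredential() != null) {
                final GSSKerberosCredential kerberosCredential =
                        GSSKerberosCredential.class.cast(credentialCallback.getCredential());
                addPrivateCredential(subject, kerberosCredential.getKerberosTicket());
                addPrivateCredential(subject, kerberosCredential.getGssCredential());
                subject.getPrincipals().add(new KerberosPrincipal(kerberosCredential.getGssCredential().getName().toString()));
            }
            if (nameCallback.getName() != null) {
                subject.getPrincipals().add(new NamePrincipal(nameCallback.getName()));
            }
            // getPassword() hands back a fresh copy on every call, so fetch it once and wipe that
            // copy after use; PasswordCredential clones the array it is given and keeps its own.
            final char[] password = passwordCallback.getPassword();
            if (password != null) {
                try {
                    // NOTE(review): the user name may be null here if only a password was supplied.
                    addPrivateCredential(subject, new PasswordCredential(nameCallback.getName(), password));
                } finally {
                    Arrays.fill(password, '\0');
                }
            }
            return subject;
        } catch (Exception e) {
            throw new SecurityException(e);
        } finally {
            // Do not leave the clear-text password sitting in the callback until it is collected.
            passwordCallback.clearPassword();
        }
    }

    /**
     * Logs the subject and its identity hash at TRACE level.
     *
     * <p>NOTE(review): the subject object itself is handed to the logger. How it is rendered is
     * decided by {@code ConnectorLogger}; if it ends up calling {@code Subject.toString()}, details
     * of the private credentials may reach the log. Keep TRACE disabled for this category on
     * production systems unless that has been checked.
     */
    private void traceSubject(Subject subject) {
        if (ConnectorLogger.ROOT_LOGGER.isTraceEnabled()) {
            ConnectorLogger.ROOT_LOGGER.subject(subject, Integer.toHexString(System.identityHashCode(subject)));
        }
    }

    /** Returns the current service container, using a privileged action when a security manager is checking. */
    private ServiceContainer currentServiceContainer() {
        return WildFlySecurityManager.isChecking() ? (ServiceContainer) AccessController.doPrivileged(CurrentServiceContainer.GET_ACTION) : CurrentServiceContainer.getServiceContainer();
    }

    /**
     * Adds {@code obj} to the subject's private credential set.
     *
     * <p>When a security manager is checking, the mutation runs inside {@code doPrivileged} so the
     * permission check is made against this class rather than the whole call stack.
     */
    private void addPrivateCredential(Subject subject, Object obj) {
        if (WildFlySecurityManager.isChecking()) {
            // The explicit PrivilegedAction cast is required: a bare lambda is ambiguous between
            // the PrivilegedAction and PrivilegedExceptionAction overloads of doPrivileged.
            AccessController.doPrivileged((PrivilegedAction<Void>) () -> {
                subject.getPrivateCredentials().add(obj);
                return null;
            });
        } else {
            subject.getPrivateCredentials().add(obj);
        }
    }

    /**
     * Returns the class name and identity hash only; no context or credential data is included.
     */
    @Override
    public String toString() {
        // The previous implementation appended a stray "]" with no opening bracket.
        return "ElytronSubjectFactory@" + Integer.toHexString(System.identityHashCode(this));
    }

    /** Returns the fixed context if one was supplied, otherwise captures the caller's current context. */
    private AuthenticationContext getAuthenticationContext() {
        return this.authenticationContext == null ? AuthenticationContext.captureCurrent() : this.authenticationContext;
    }
}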
