package org.apache.geronimo.security.jacc.mappingprovider;

import java.security.Principal;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginException;
import javax.security.jacc.PolicyContextException;
import org.apache.geronimo.gbean.GBeanInfo;
import org.apache.geronimo.gbean.GBeanInfoBuilder;
import org.apache.geronimo.security.ContextManager;
import org.apache.geronimo.security.IdentificationPrincipal;
import org.apache.geronimo.security.SecurityNames;
import org.apache.geronimo.security.credentialstore.CredentialStore;
import org.apache.geronimo.security.deploy.SubjectInfo;
import org.apache.geronimo.security.jacc.PrincipalRoleMapper;

/* loaded from: input_file:org/apache/geronimo/security/jacc/mappingprovider/ApplicationPrincipalRoleConfigurationManager.class */
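/**
 * {@link PrincipalRoleMapper} that holds one application's principal-to-role mapping together with
 * the default and per-role run-as subjects.
 *
 * <p>The constructor resolves each {@link SubjectInfo} through the supplied {@link CredentialStore}
 * and registers the resulting subjects with {@link ContextManager}. {@link #doStop()} unregisters
 * them again.
 */
public class ApplicationPrincipalRoleConfigurationManager implements PrincipalRoleMapper {
    /**
     * Factory used by {@link #install(Set)} to look up the configuration that receives the mapping.
     * It is shared by every instance and may be set only once.
     *
     * <p>NOTE(review): the field is neither {@code volatile} nor lock-protected, so the set-once
     * check in {@link #setPrincipalRoleConfigurationFactory} is not atomic. Presumably it is set a
     * single time during server start-up; confirm before relying on the guard under concurrency.
     */
    private static PrincipalRoleConfigurationFactory principalRoleConfigurationFactory;

    /**
     * Principal-to-role-names mapping, kept by reference exactly as the caller passed it.
     *
     * <p>NOTE(review): no defensive copy is taken, and {@link #install(Set)} hands out this same
     * object. If the caller mutates the map afterwards, the mapping changes with it. Confirm that
     * callers treat the map as immutable once it is handed over.
     */
    private final Map<Principal, Set<String>> principalRoleMap;

    /** Run-as subject per role name, filled in by the constructor. */
    private final Map<String, Subject> roleDesignates = new HashMap<String, Subject>();

    /** Subject resolved from the default {@link SubjectInfo}, or {@link ContextManager#EMPTY} when none was given. */
    private final Subject defaultSubject;

    public static final GBeanInfo GBEAN_INFO;

    /**
     * Resolves and registers the default subject and every run-as subject.
     *
     * <p>If resolution or registration fails part-way, the subjects this constructor has already
     * registered with {@link ContextManager} are unregistered before the failure propagates.
     * Without that rollback they would stay registered, because {@link #doStop()} can never run
     * on an instance that failed to construct.
     *
     * @param map principal-to-role-names mapping; stored by reference
     * @param subjectInfo realm/id of the default subject, or {@code null} to use {@link ContextManager#EMPTY}
     * @param map2 role name to realm/id of the run-as subject; must not be {@code null}
     * @param credentialStore store used to resolve subjects; may be {@code null} only when
     *        {@code subjectInfo} is {@code null} and {@code map2} is empty
     * @throws NullPointerException if a credential store is required but missing, or a role has no
     *         {@link SubjectInfo}
     */
    public ApplicationPrincipalRoleConfigurationManager(Map<Principal, Set<String>> map, SubjectInfo subjectInfo, Map<String, SubjectInfo> map2, CredentialStore credentialStore) throws PolicyContextException, ClassNotFoundException, LoginException {
        if (credentialStore == null && (!map2.isEmpty() || subjectInfo != null)) {
            throw new NullPointerException("No CredentialStore supplied to resolve default and run-as subjects");
        }
        this.principalRoleMap = map;

        Subject resolvedDefault = ContextManager.EMPTY;
        boolean defaultRegistered = false;
        boolean complete = false;
        try {
            if (subjectInfo != null) {
                resolvedDefault = credentialStore.getSubject(subjectInfo.getRealm(), subjectInfo.getId());
                registerSubject(resolvedDefault);
                defaultRegistered = true;
            }
            for (Map.Entry<String, SubjectInfo> entry : map2.entrySet()) {
                String role = entry.getKey();
                SubjectInfo designate = entry.getValue();
                // The guard at the top has already rejected a null credentialStore when map2 is
                // non-empty, so only the per-role SubjectInfo needs checking here.
                if (designate == null) {
                    throw new NullPointerException("No subjectInfo for role " + role);
                }
                Subject subject = credentialStore.getSubject(designate.getRealm(), designate.getId());
                registerSubject(subject);
                this.roleDesignates.put(role, subject);
            }
            complete = true;
        } finally {
            if (!complete) {
                rollbackRegistrations(defaultRegistered ? resolvedDefault : null);
            }
        }
        this.defaultSubject = resolvedDefault;
    }

    /**
     * Sets the shared factory. A second call is rejected.
     *
     * @throws IllegalStateException if a factory has already been set
     */
    public static void setPrincipalRoleConfigurationFactory(PrincipalRoleConfigurationFactory principalRoleConfigurationFactory2) {
        if (principalRoleConfigurationFactory != null) {
            throw new IllegalStateException("ApplicationPrincipalRoleConfigurationManager.principalRoleConfigurationFactory already set");
        }
        principalRoleConfigurationFactory = principalRoleConfigurationFactory2;
    }

    /**
     * Pushes the principal-to-role mapping into the configuration the factory returns for each
     * string in {@code set} (presumably JACC policy context ids; confirm against callers).
     *
     * @throws IllegalStateException if no factory has been set
     */
    @Override
    public void install(Set<String> set) throws PolicyContextException {
        if (principalRoleConfigurationFactory == null) {
            throw new IllegalStateException("Inconsistent security setup.  PrincipalRoleConfigurationFactory is not set");
        }
        for (String contextId : set) {
            principalRoleConfigurationFactory.getPrincipalRoleConfiguration(contextId).setPrincipalRoleMapping(this.principalRoleMap);
        }
    }

    /** Does nothing; mappings pushed by {@link #install(Set)} are not withdrawn here. */
    @Override
    public void uninstall(Set<String> set) throws PolicyContextException {
    }

    /**
     * Registers {@code subject} with {@link ContextManager} and adds an
     * {@link IdentificationPrincipal} carrying the resulting subject id to the subject's own
     * principal set. The subject is therefore mutated.
     */
    private void registerSubject(Subject subject) {
        ContextManager.registerSubject(subject);
        subject.getPrincipals().add(new IdentificationPrincipal(ContextManager.getSubjectId(subject)));
    }

    /**
     * Undoes the registrations made by a constructor call that is failing.
     *
     * @param registeredDefault the default subject if it was registered, otherwise {@code null}
     */
    private void rollbackRegistrations(Subject registeredDefault) {
        for (Subject subject : this.roleDesignates.values()) {
            unregisterQuietly(subject);
        }
        this.roleDesignates.clear();
        if (registeredDefault != null) {
            unregisterQuietly(registeredDefault);
        }
    }

    /** Unregisters {@code subject}, suppressing any failure so the original error stays visible. */
    private static void unregisterQuietly(Subject subject) {
        try {
            ContextManager.unregisterSubject(subject);
        } catch (Exception ignored) {
            // Best effort: the construction failure already in flight is the error the caller must see.
        }
    }

    /** Returns the default subject; {@link ContextManager#EMPTY} when none was configured. */
    @Override
    public Subject getDefaultSubject() {
        return this.defaultSubject;
    }

    /**
     * Returns the run-as subject configured for a role.
     *
     * @param str role name; {@code null} yields {@code null}
     * @throws IllegalStateException if the role is non-null and has no run-as subject, so an
     *         unmapped role never silently falls back to another identity
     */
    @Override
    public Subject getSubjectForRole(String str) {
        if (str == null) {
            return null;
        }
        Subject subject = this.roleDesignates.get(str);
        if (subject == null) {
            throw new IllegalStateException("no run-as identity configured for role: " + str);
        }
        return subject;
    }

    public void doStart() throws Exception {
    }

    /**
     * Unregisters every run-as subject and the default subject from {@link ContextManager}.
     * {@link ContextManager#EMPTY} was never registered by this instance, so it is skipped.
     */
    public void doStop() throws Exception {
        for (Subject subject : this.roleDesignates.values()) {
            ContextManager.unregisterSubject(subject);
        }
        if (this.defaultSubject != ContextManager.EMPTY) {
            ContextManager.unregisterSubject(this.defaultSubject);
        }
    }

    public void doFail() {
    }

    public GBeanInfo getGBeanInfo() {
        return GBEAN_INFO;
    }

    static {
        // Attribute and reference names must match the constructor argument order given below.
        GBeanInfoBuilder createStatic = GBeanInfoBuilder.createStatic(ApplicationPrincipalRoleConfigurationManager.class, SecurityNames.JACC_MANAGER);
        createStatic.addAttribute("principalRoleMap", Map.class, true);
        createStatic.addAttribute("defaultSubjectInfo", SubjectInfo.class, true);
        createStatic.addAttribute("roleDesignates", Map.class, true);
        createStatic.addReference("CredentialStore", CredentialStore.class, "GBean");
        createStatic.setConstructor(new String[]{"principalRoleMap", "defaultSubjectInfo", "roleDesignates", "CredentialStore"});
        GBEAN_INFO = createStatic.getBeanInfo();
    }
}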
