package org.wildfly.extension.undertow.security.jaspi;

import io.undertow.security.api.AuthenticationMechanism;
import io.undertow.security.api.SecurityContext;
import io.undertow.security.idm.Account;
import io.undertow.server.ExchangeCompletionListener;
import io.undertow.server.HttpServerExchange;
import io.undertow.servlet.handlers.ServletRequestContext;
import io.undertow.util.AttachmentKey;
import java.security.Principal;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.message.AuthException;
import javax.servlet.ServletRequest;
import org.jboss.security.SecurityContextAssociation;
import org.jboss.security.auth.callback.JASPICallbackHandler;
import org.jboss.security.auth.callback.JBossCallbackHandler;
import org.jboss.security.auth.message.GenericMessageInfo;
import org.jboss.security.identity.Role;
import org.jboss.security.identity.RoleGroup;
import org.jboss.security.plugins.auth.JASPIServerAuthenticationManager;
import org.wildfly.extension.undertow.UndertowLogger;
import org.wildfly.extension.undertow.UndertowMessages;
import org.wildfly.extension.undertow.security.AccountImpl;

/* loaded from: input_file:org/wildfly/extension/undertow/security/jaspi/JASPIAuthenticationMechanism.class */
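/**
 * Undertow {@link AuthenticationMechanism} that delegates request validation and response
 * securing to the JASPI (JSR-196) provider configured for the {@code HttpServlet} layer of the
 * given PicketBox security domain.
 *
 * <p>Flow per request: {@link #authenticate} runs the provider's {@code validateRequest}
 * through a {@link JASPIServerAuthenticationManager}; if the provider establishes a caller
 * identity, that identity is read back from the PicketBox security context associated with the
 * current thread and turned into an Undertow {@link Account}. The provider's
 * {@code secureResponse} is deferred to exchange completion (see {@link #secureResponse}) so
 * that it runs after the application has produced the response.
 *
 * <p>Instances are immutable (only the security-domain name is held); a fresh authentication
 * manager, message info and callback handler are created for every request.
 */
public class JASPIAuthenticationMechanism implements AuthenticationMechanism {
    /** JASPI message layer identifier for servlet-container profiles. */
    private static final String JASPI_HTTP_SERVLET_LAYER = "HttpServlet";
    /** Mechanism name reported to the Undertow {@link SecurityContext}. */
    private static final String MECHANISM_NAME = "JASPI";
    /**
     * Key under which the {@link HttpServerExchange} is placed into the {@code MessageInfo} map,
     * so that JASPI components receiving the message info can look it up.
     */
    public static final AttachmentKey<HttpServerExchange> HTTP_SERVER_EXCHANGE_ATTACHMENT_KEY = AttachmentKey.create(HttpServerExchange.class);
    /**
     * Key under which the Undertow {@link SecurityContext} is placed into the {@code MessageInfo}
     * map, alongside {@link #HTTP_SERVER_EXCHANGE_ATTACHMENT_KEY}.
     */
    public static final AttachmentKey<SecurityContext> SECURITY_CONTEXT_ATTACHMENT_KEY = AttachmentKey.create(SecurityContext.class);
    /** Name of the PicketBox security domain whose JASPI configuration is used. */
    private final String securityDomain;

    /**
     * Creates a mechanism bound to a security domain.
     *
     * @param str name of the PicketBox security domain holding the JASPI provider configuration
     */
    public JASPIAuthenticationMechanism(String str) {
        this.securityDomain = str;
    }

    /**
     * Runs the JASPI {@code validateRequest} phase for the current request.
     *
     * <p>Outcomes:
     * <ul>
     *   <li>{@code AUTHENTICATED} — the provider accepted the message and a user principal is
     *       present in the thread's PicketBox security context; the account (principal, role
     *       names, credential) is handed to {@code securityContext.authenticationComplete}.</li>
     *   <li>{@code NOT_ATTEMPTED} — the provider accepted the message but established no caller
     *       identity and the target servlet has no non-empty roles-allowed set (see
     *       {@link #isMandatory}); the request proceeds unauthenticated.</li>
     *   <li>{@code NOT_AUTHENTICATED} — every other case; {@code authenticationFailed} is
     *       reported on the security context.</li>
     * </ul>
     * In all cases a completion listener is registered that later runs {@code secureResponse}.
     *
     * @param httpServerExchange the current exchange; must carry a {@link ServletRequestContext}
     * @param securityContext Undertow security context the outcome is reported to
     * @return the outcome as described above
     * @throws RuntimeException from {@link UndertowMessages#nullParamter} if the provider
     *         accepted the request but no PicketBox security context is associated with the thread
     */
    @Override
    public AuthenticationMechanismOutcome authenticate(HttpServerExchange httpServerExchange, SecurityContext securityContext) {
        ServletRequestContext servletRequestContext = httpServerExchange.getAttachment(ServletRequestContext.ATTACHMENT_KEY);
        JASPIServerAuthenticationManager authenticationManager = createJASPIAuthenticationManager();
        GenericMessageInfo messageInfo = createMessageInfo(httpServerExchange, securityContext);
        String applicationIdentifier = buildApplicationIdentifier(servletRequestContext);
        JASPICallbackHandler callbackHandler = new JASPICallbackHandler();

        UndertowLogger.ROOT_LOGGER.debugf("validateRequest for layer [%s] and applicationContextIdentifier [%s]", JASPI_HTTP_SERVLET_LAYER, applicationIdentifier);

        // The provider is handed a fresh, empty Subject; the identity it establishes is not read
        // from that Subject but from the PicketBox security context associated with this thread.
        boolean isValid = authenticationManager.isValid(messageInfo, new Subject(), JASPI_HTTP_SERVLET_LAYER, applicationIdentifier, callbackHandler);
        Account account = isValid ? createAccount(SecurityActions.getSecurityContext()) : null;

        AuthenticationMechanismOutcome outcome;
        if (isValid && account != null) {
            outcome = AuthenticationMechanismOutcome.AUTHENTICATED;
            securityContext.authenticationComplete(account, MECHANISM_NAME, false);
        } else if (isValid && !isMandatory(servletRequestContext)) {
            // Valid message, no caller identity, unprotected resource: let the request through
            // anonymously rather than reporting a failure.
            outcome = AuthenticationMechanismOutcome.NOT_ATTEMPTED;
        } else {
            outcome = AuthenticationMechanismOutcome.NOT_AUTHENTICATED;
            securityContext.authenticationFailed("JASPI authentication failed.", MECHANISM_NAME);
        }

        // secureResponse has to see the finished response, so it is deferred to exchange completion.
        secureResponse(httpServerExchange, securityContext, authenticationManager, messageInfo, callbackHandler);
        return outcome;
    }

    /**
     * Reports the challenge as already sent: any challenge is written by the JASPI provider
     * itself during {@code validateRequest}, so this mechanism emits nothing here.
     *
     * @param httpServerExchange the current exchange (unused)
     * @param securityContext the Undertow security context (unused)
     * @return a result flagging the challenge as sent
     */
    @Override
    public ChallengeResult sendChallenge(HttpServerExchange httpServerExchange, SecurityContext securityContext) {
        return new ChallengeResult(true);
    }

    /**
     * Decides whether {@code secureResponse} should be invoked for the completed exchange:
     * it is skipped when the provider recorded an {@link AuthException} during
     * {@code validateRequest}.
     *
     * <p>Decompiler note on the original indicates this was private; it is kept public to preserve
     * the compiled signature. Both parameters are currently unused.
     *
     * @param servletRequestContext the servlet request context (unused)
     * @param securityContext the Undertow security context (unused)
     * @return {@code true} unless an {@link AuthException} was recorded for this thread
     */
    public boolean isSecureResponse(ServletRequestContext servletRequestContext, SecurityContext securityContext) {
        return !wasAuthExceptionThrown();
    }

    /**
     * Checks the thread-associated PicketBox security context for an {@link AuthException}
     * recorded under the exception's class name.
     *
     * <p>A missing security context is treated as "nothing recorded" instead of failing with a
     * {@code NullPointerException} inside the exchange-completion listener.
     *
     * @return {@code true} if an {@link AuthException} entry is present
     */
    private boolean wasAuthExceptionThrown() {
        org.jboss.security.SecurityContext picketBoxContext = SecurityContextAssociation.getSecurityContext();
        return picketBoxContext != null
                && picketBoxContext.getData().get(AuthException.class.getName()) != null;
    }

    /**
     * Builds a per-request JASPI authentication manager for the configured security domain.
     *
     * @return a new manager using a {@link JBossCallbackHandler}
     */
    private JASPIServerAuthenticationManager createJASPIAuthenticationManager() {
        return new JASPIServerAuthenticationManager(this.securityDomain, new JBossCallbackHandler());
    }

    /**
     * Builds the JASPI application context identifier as
     * {@code "<local host name> <context path>"}, i.e. the request's local name and the servlet
     * context path separated by a single space. Providers registered for this layer must be keyed
     * on the same identifier to be found.
     *
     * <p>Decompiler note on the original indicates this was private; it is kept public to preserve
     * the compiled signature.
     *
     * @param servletRequestContext the servlet request context of the current request
     * @return the application context identifier
     */
    public String buildApplicationIdentifier(ServletRequestContext servletRequestContext) {
        ServletRequest servletRequest = servletRequestContext.getServletRequest();
        return servletRequest.getLocalName() + " " + servletRequest.getServletContext().getContextPath();
    }

    /**
     * Creates the {@code MessageInfo} handed to the JASPI provider: request and response messages,
     * the standard {@code MessagePolicy.isMandatory} property (as a string, per the JASPI servlet
     * profile), plus the Undertow exchange and security context under this class's attachment keys.
     *
     * @param httpServerExchange the current exchange; must carry a {@link ServletRequestContext}
     * @param securityContext the Undertow security context
     * @return the populated message info
     */
    private GenericMessageInfo createMessageInfo(HttpServerExchange httpServerExchange, SecurityContext securityContext) {
        ServletRequestContext servletRequestContext = httpServerExchange.getAttachment(ServletRequestContext.ATTACHMENT_KEY);
        GenericMessageInfo messageInfo = new GenericMessageInfo();
        messageInfo.setRequestMessage(servletRequestContext.getServletRequest());
        messageInfo.setResponseMessage(servletRequestContext.getServletResponse());
        messageInfo.getMap().put("javax.security.auth.message.MessagePolicy.isMandatory", isMandatory(servletRequestContext).toString());
        messageInfo.getMap().put(SECURITY_CONTEXT_ATTACHMENT_KEY, securityContext);
        messageInfo.getMap().put(HTTP_SERVER_EXCHANGE_ATTACHMENT_KEY, httpServerExchange);
        return messageInfo;
    }

    /**
     * Converts the identity held by a PicketBox security context into an Undertow account.
     *
     * @param securityContext the PicketBox security context of the current thread
     * @return an {@link AccountImpl} carrying the user principal, the names of all roles in the
     *         context's role group, and the credential; {@code null} if no user principal is set
     * @throws RuntimeException from {@link UndertowMessages#nullParamter} if {@code securityContext}
     *         is {@code null}
     */
    private Account createAccount(org.jboss.security.SecurityContext securityContext) {
        if (securityContext == null) {
            throw UndertowMessages.MESSAGES.nullParamter("org.jboss.security.SecurityContext");
        }
        Principal userPrincipal = securityContext.getUtil().getUserPrincipal();
        if (userPrincipal == null) {
            return null;
        }
        Set<String> roleNames = new HashSet<String>();
        RoleGroup roleGroup = securityContext.getUtil().getRoles();
        if (roleGroup != null) {
            for (Role role : roleGroup.getRoles()) {
                roleNames.add(role.getRoleName());
            }
        }
        return new AccountImpl(userPrincipal, roleNames, securityContext.getUtil().getCredential());
    }

    /**
     * Registers an exchange-completion listener that runs the JASPI {@code secureResponse} phase
     * with the same manager, message info and callback handler used for {@code validateRequest},
     * unless {@link #isSecureResponse} says an {@link AuthException} was recorded.
     *
     * <p>The listener always calls {@code nextListener.proceed()}, even if {@code secureResponse}
     * throws, so that the remaining completion listeners of the exchange still run.
     *
     * @param httpServerExchange the exchange to attach the listener to
     * @param securityContext the Undertow security context of the request
     * @param jASPIServerAuthenticationManager the manager used during authentication
     * @param genericMessageInfo the message info used during authentication
     * @param jASPICallbackHandler the callback handler used during authentication
     */
    private void secureResponse(HttpServerExchange httpServerExchange, final SecurityContext securityContext, final JASPIServerAuthenticationManager jASPIServerAuthenticationManager, final GenericMessageInfo genericMessageInfo, final JASPICallbackHandler jASPICallbackHandler) {
        httpServerExchange.addExchangeCompleteListener(new ExchangeCompletionListener() {
            @Override
            public void exchangeEvent(HttpServerExchange completedExchange, ExchangeCompletionListener.NextListener nextListener) {
                try {
                    ServletRequestContext servletRequestContext = completedExchange.getAttachment(ServletRequestContext.ATTACHMENT_KEY);
                    String applicationIdentifier = buildApplicationIdentifier(servletRequestContext);
                    if (isSecureResponse(servletRequestContext, securityContext)) {
                        UndertowLogger.ROOT_LOGGER.debugf("secureResponse for layer [%s] and applicationContextIdentifier [%s].", JASPI_HTTP_SERVLET_LAYER, applicationIdentifier);
                        jASPIServerAuthenticationManager.secureResponse(genericMessageInfo, new Subject(), JASPI_HTTP_SERVLET_LAYER, applicationIdentifier, jASPICallbackHandler);
                    }
                } finally {
                    // Never break the completion chain for the other listeners on this exchange.
                    nextListener.proceed();
                }
            }
        });
    }

    /**
     * Determines the JASPI {@code MessagePolicy.isMandatory} value for the request: {@code true}
     * only when the current servlet carries a non-empty roles-allowed set in its servlet security
     * info. Any missing link in the servlet / managed servlet / servlet info / security info chain
     * yields {@code false}.
     *
     * <p>NOTE(review): only the servlet's own security info is consulted here; whether URL-pattern
     * security constraints of the deployment are reflected in it is not visible from this class —
     * confirm against the deployment code that populates {@code ServletSecurityInfo}.
     *
     * @param servletRequestContext the servlet request context of the current request
     * @return boxed flag (callers also need its {@code toString()} form for the message info map)
     */
    private Boolean isMandatory(ServletRequestContext servletRequestContext) {
        boolean hasRolesAllowed = servletRequestContext.getCurrentServlet() != null
                && servletRequestContext.getCurrentServlet().getManagedServlet() != null
                && servletRequestContext.getCurrentServlet().getManagedServlet().getServletInfo() != null
                && servletRequestContext.getCurrentServlet().getManagedServlet().getServletInfo().getServletSecurityInfo() != null
                && servletRequestContext.getCurrentServlet().getManagedServlet().getServletInfo().getServletSecurityInfo().getRolesAllowed() != null
                && !servletRequestContext.getCurrentServlet().getManagedServlet().getServletInfo().getServletSecurityInfo().getRolesAllowed().isEmpty();
        return Boolean.valueOf(hasRolesAllowed);
    }
}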
