package org.jboss.as.security.service;

import java.lang.reflect.Method;
import java.security.AccessController;
import java.security.CodeSource;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.security.acl.Group;
import java.util.Collection;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.jacc.PolicyContext;
import org.jboss.as.core.security.ServerSecurityManager;
import org.jboss.as.security.Constants;
import org.jboss.as.security.logging.SecurityLogger;
import org.jboss.as.security.remoting.RemoteConnection;
import org.jboss.as.security.remoting.RemotingConnectionCredential;
import org.jboss.metadata.javaee.spec.SecurityRolesMetaData;
import org.jboss.security.ISecurityManagement;
import org.jboss.security.RunAs;
import org.jboss.security.RunAsIdentity;
import org.jboss.security.SecurityContext;
import org.jboss.security.SecurityContextAssociation;
import org.jboss.security.SecurityContextFactory;
import org.jboss.security.SecurityContextUtil;
import org.jboss.security.SecurityRolesAssociation;
import org.jboss.security.SimplePrincipal;
import org.jboss.security.SubjectInfo;
import org.jboss.security.audit.AuditEvent;
import org.jboss.security.audit.AuditManager;
import org.jboss.security.authorization.resources.EJBResource;
import org.jboss.security.identity.Identity;
import org.jboss.security.identity.RoleGroup;
import org.jboss.security.identity.plugins.SimpleIdentity;
import org.jboss.security.identity.plugins.SimpleRoleGroup;
import org.jboss.security.javaee.AbstractEJBAuthorizationHelper;
import org.jboss.security.javaee.SecurityHelperFactory;
import org.jboss.security.javaee.SecurityRoleRef;
import org.wildfly.security.auth.server.SecurityDomain;
import org.wildfly.security.auth.server.SecurityIdentity;
import org.wildfly.security.credential.PasswordCredential;
import org.wildfly.security.manager.WildFlySecurityManager;
import org.wildfly.security.password.interfaces.ClearPassword;

/* loaded from: input_file:org/jboss/as/security/service/SimpleSecurityManager.class */
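/**
 * Legacy (PicketBox based) implementation of {@link ServerSecurityManager}.
 * <p>
 * Each {@link #push} establishes a fresh {@link SecurityContext} for a security domain on the calling thread,
 * remembering the previously associated context on a per-thread stack so that {@link #pop} can restore it.
 * {@link #authenticate(String, String, Set)} validates the caller against the current context and records the
 * outcome with the audit manager; {@link #isCallerInRole} and {@link #authorize} consult the PicketBox EJB
 * authorization helper for the current context.
 * <p>
 * Not thread-safe for configuration ({@link #setSecurityManagement}); the context stack itself is thread-local.
 */
public class SimpleSecurityManager implements ServerSecurityManager {

    /**
     * Reads the thread's current {@link SecurityContext} under {@code doPrivileged}, for use when a Java
     * security manager is checking permissions and the direct call would run with the caller's permissions.
     */
    protected static final PrivilegedAction<SecurityContext> GET_SECURITY_CONTEXT = new PrivilegedAction<SecurityContext>() {
        @Override
        public SecurityContext run() {
            return SecurityContextAssociation.getSecurityContext();
        }
    };

    /** Per-thread stack of the contexts that were current before each {@link #push}; {@link #pop} restores them. */
    private ThreadLocalStack<SecurityContext> contexts;
    /** When {@code true} a pushed context inherits subject, roles, identities and run-as from the previous context. */
    private boolean propagate;
    /** Injected security management; {@link #establishSecurityContext} refuses to work until it is set. */
    private ISecurityManagement securityManagement;

    /**
     * Privileged swap of the {@link SecurityRolesAssociation} principal-to-roles map.
     * <p>
     * Declared {@code public} by the compiled form reviewed here (the decompiler reports it was {@code private}
     * in the original source); it is only meant for {@link #setSecurityRolesAssociation(Map)}.
     */
    public static class SetSecurityRolesAssociationAction implements PrivilegedAction<Map<String, Set<String>>> {
        /** Map to install; may be {@code null} to clear the association. */
        private final Map<String, Set<String>> mappedRoles;

        SetSecurityRolesAssociationAction(Map<String, Set<String>> map) {
            this.mappedRoles = map;
        }

        /**
         * Installs {@link #mappedRoles} and returns the map that was associated before, so the caller can restore it.
         */
        @Override
        public Map<String, Set<String>> run() {
            Map<String, Set<String>> previousRoles = SecurityRolesAssociation.getSecurityRoles();
            SecurityRolesAssociation.setSecurityRoles(this.mappedRoles);
            return previousRoles;
        }
    }

    /** Creates a manager that propagates the previous context into each pushed one; security management is injected later. */
    public SimpleSecurityManager() {
        this.contexts = new ThreadLocalStack<>();
        this.propagate = true;
        this.securityManagement = null;
    }

    /**
     * Creates a manager sharing the security management of {@code simpleSecurityManager} but with its own context
     * stack and with propagation from the previous context switched off.
     *
     * @param simpleSecurityManager manager whose {@link ISecurityManagement} is reused
     */
    public SimpleSecurityManager(SimpleSecurityManager simpleSecurityManager) {
        this.contexts = new ThreadLocalStack<>();
        this.propagate = false;
        this.securityManagement = simpleSecurityManager.securityManagement;
    }

    /**
     * Creates a context for {@code securityDomain}, wires the injected security management into it and associates
     * it with the current thread.
     *
     * @param securityDomain name of the security domain the new context belongs to
     * @return the newly associated context
     * @throws RuntimeException (from {@link SecurityLogger}) when security management was not injected or the
     *         context could not be created
     */
    private SecurityContext establishSecurityContext(String securityDomain) {
        try {
            SecurityContext context = SecurityContextFactory.createSecurityContext(securityDomain);
            if (this.securityManagement == null) {
                throw SecurityLogger.ROOT_LOGGER.securityManagementNotInjected();
            }
            context.setSecurityManagement(this.securityManagement);
            SecurityContextAssociation.setSecurityContext(context);
            return context;
        } catch (Exception e) {
            throw SecurityLogger.ROOT_LOGGER.securityException(e);
        }
    }

    /**
     * Injects the security management used by every context this manager establishes.
     *
     * @param iSecurityManagement the security management, or {@code null} to unset it
     */
    public void setSecurityManagement(ISecurityManagement iSecurityManagement) {
        this.securityManagement = iSecurityManagement;
    }

    /**
     * Returns the thread's current security context, going through {@code doPrivileged} while the WildFly
     * security manager is checking permissions.
     *
     * @return the current context, or {@code null} when none is associated with the thread
     */
    private static SecurityContext currentSecurityContext() {
        if (WildFlySecurityManager.isChecking()) {
            return AccessController.doPrivileged(GET_SECURITY_CONTEXT);
        }
        return SecurityContextAssociation.getSecurityContext();
    }

    /**
     * Returns the principal the current call runs as.
     * <p>
     * An incoming run-as identity takes precedence over the authenticated subject; when neither yields a principal
     * (or no context is associated at all) the anonymous identity is returned rather than {@code null}.
     *
     * @return the caller principal, never {@code null}
     */
    public Principal getCallerPrincipal() {
        SecurityContext securityContext = currentSecurityContext();
        if (securityContext == null) {
            return getUnauthenticatedIdentity().asPrincipal();
        }
        Principal caller = securityContext.getIncomingRunAs();
        if (caller == null) {
            caller = getPrincipal(getSubjectInfo(securityContext).getAuthenticatedSubject());
        }
        return caller != null ? caller : getUnauthenticatedIdentity().asPrincipal();
    }

    /**
     * Returns the authenticated subject of the current context.
     *
     * @return the authenticated subject, or {@code null} when no context is associated with the thread
     */
    public Subject getSubject() {
        SecurityContext securityContext = currentSecurityContext();
        if (securityContext == null) {
            return null;
        }
        return getSubjectInfo(securityContext).getAuthenticatedSubject();
    }

    /**
     * Picks the caller principal out of a subject.
     * <p>
     * A member of a {@code Group} named {@code "CallerPrincipal"} wins; otherwise the first principal that is not a
     * group is used. Iteration order of {@link Subject#getPrincipals()} decides ties.
     * {@code java.security.acl.Group} is deprecated for removal since Java 9 and absent from Java 14 and later.
     *
     * @param subject subject to inspect, may be {@code null}
     * @return the chosen principal, or {@code null} when the subject is {@code null} or carries no principals
     */
    private Principal getPrincipal(Subject subject) {
        if (subject == null) {
            return null;
        }
        Set<Principal> principals = subject.getPrincipals();
        if (principals == null || principals.isEmpty()) {
            return null;
        }
        Principal firstPlainPrincipal = null;
        Principal callerPrincipal = null;
        for (Principal candidate : principals) {
            if (candidate instanceof Group) {
                Group group = (Group) candidate;
                if (callerPrincipal == null && "CallerPrincipal".equals(group.getName())) {
                    Enumeration<? extends Principal> members = group.members();
                    if (members.hasMoreElements()) {
                        callerPrincipal = members.nextElement();
                    }
                }
            } else if (firstPlainPrincipal == null) {
                firstPlainPrincipal = candidate;
            }
        }
        return callerPrincipal != null ? callerPrincipal : firstPlainPrincipal;
    }

    /**
     * Role check against the JACC policy context id of the current thread.
     *
     * @deprecated use {@link #isCallerInRole(String, String, Object, Map, String...)} with an explicit policy context id
     */
    @Deprecated
    public boolean isCallerInRole(String str, Object obj, Map<String, Collection<String>> map, String... strArr) {
        return isCallerInRole(str, PolicyContext.getContextID(), obj, map, strArr);
    }

    /**
     * Checks whether the caller of the current context holds any of the given roles.
     * <p>
     * While the helper is consulted the {@link SecurityRolesAssociation} holds the principal-to-roles map taken
     * from {@code obj}; the previous association is restored afterwards, whatever the outcome.
     *
     * @param str    EJB name used to build the {@link EJBResource}
     * @param str2   JACC policy context id
     * @param obj    {@link SecurityRolesMetaData} carrying the principal-versus-roles map, or {@code null}
     * @param map    security role links (role name to linked role names), or {@code null}
     * @param strArr roles to test; the check succeeds on the first role the caller holds
     * @return {@code true} when the caller holds at least one role; {@code false} when it holds none or no
     *         context is associated with the thread
     * @throws RuntimeException wrapping any checked exception raised by the helper or while reading {@code obj}
     */
    public boolean isCallerInRole(String str, String str2, Object obj, Map<String, Collection<String>> map, String... strArr) {
        SecurityContext securityContext = currentSecurityContext();
        if (securityContext == null) {
            return false;
        }
        EJBResource resource = new EJBResource(new HashMap<String, Object>());
        resource.setEjbName(str);
        resource.setPolicyContextID(str2);
        resource.setCallerRunAsIdentity(securityContext.getIncomingRunAs());
        resource.setCallerSubject(securityContext.getUtil().getSubject());
        resource.setPrincipal(securityContext.getUtil().getUserPrincipal());
        if (map != null) {
            Set<SecurityRoleRef> roleRefs = new HashSet<>();
            for (Map.Entry<String, Collection<String>> link : map.entrySet()) {
                if (link.getValue() != null) {
                    for (String linkedRole : link.getValue()) {
                        roleRefs.add(new SecurityRoleRef(link.getKey(), linkedRole));
                    }
                }
            }
            resource.setSecurityRoleReferences(roleRefs);
        }

        Map<String, Set<String>> previousRoles = null;
        // Only restore when the swap actually happened; restoring a null snapshot after a failed swap would
        // clear an association this call never touched.
        boolean rolesInstalled = false;
        try {
            if (obj != null) {
                previousRoles = setSecurityRolesAssociation(((SecurityRolesMetaData) obj).getPrincipalVersusRolesMap());
                rolesInstalled = true;
            }
            // The mapped roles must stay associated while the helper runs; it reads them from SecurityRolesAssociation.
            AbstractEJBAuthorizationHelper helper = SecurityHelperFactory.getEJBAuthorizationHelper(securityContext);
            for (String roleName : strArr) {
                if (helper.isCallerInRole(resource, roleName)) {
                    return true;
                }
            }
            return false;
        } catch (Exception e) {
            throw new RuntimeException(e);
        } finally {
            if (rolesInstalled) {
                setSecurityRolesAssociation(previousRoles);
            }
        }
    }

    /**
     * Authorizes an EJB method invocation for the caller of the current context.
     *
     * @param str        EJB name
     * @param codeSource code source of the EJB
     * @param str2       method interface (e.g. remote, local) the invocation arrived on
     * @param method     invoked method
     * @param set        principals (roles) permitted to invoke the method
     * @param str3       JACC policy context id
     * @return the helper's decision, or {@code false} when no context is associated with the thread
     * @throws RuntimeException wrapping any checked exception raised by the helper
     */
    public boolean authorize(String str, CodeSource codeSource, String str2, Method method, Set<Principal> set, String str3) {
        SecurityContext securityContext = currentSecurityContext();
        if (securityContext == null) {
            return false;
        }
        EJBResource resource = new EJBResource(new HashMap<String, Object>());
        resource.setEjbName(str);
        resource.setEjbMethod(method);
        resource.setEjbMethodInterface(str2);
        resource.setEjbMethodRoles(new SimpleRoleGroup(set));
        resource.setCodeSource(codeSource);
        resource.setPolicyContextID(str3);
        resource.setCallerRunAsIdentity(securityContext.getIncomingRunAs());
        resource.setCallerSubject(securityContext.getUtil().getSubject());
        resource.setPrincipal(securityContext.getUtil().getUserPrincipal());
        try {
            return SecurityHelperFactory.getEJBAuthorizationHelper(securityContext).authorize(resource);
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Pushes a new context for {@code str} and, when no run-as identity applies, seeds its subject info from the
     * remoting connection of the current invocation.
     * <p>
     * With propagation on, the previous context's subject is copied over and its outgoing run-as (or, failing
     * that, its incoming run-as) becomes the incoming run-as of the new context. When the resulting incoming
     * run-as is a {@link RunAsIdentity}, or no remoting context is set, nothing further is done. Otherwise the
     * current {@link SecurityIdentity} of the connection's security domain provides the principal, and its clear
     * password (as a {@code String}, since that is what {@code createSubjectInfo} stores) or, absent one, a
     * {@link RemotingConnectionCredential} provides the credential. The remoting context is cleared before the
     * subject info is created.
     *
     * @param str security domain of the new context
     * @throws RuntimeException (from {@link SecurityLogger}) when the security domain has no current identity
     */
    public void push(String str) {
        SecurityContext previous = SecurityContextAssociation.getSecurityContext();
        this.contexts.push(previous);
        SecurityContext established = establishSecurityContext(str);
        if (this.propagate && previous != null) {
            propagateSubject(established, previous);
            if (previous.getOutgoingRunAs() != null) {
                established.setIncomingRunAs(previous.getOutgoingRunAs());
            } else {
                established.setIncomingRunAs(previous.getIncomingRunAs());
            }
        }
        RunAs incomingRunAs = established.getIncomingRunAs();
        if (incomingRunAs instanceof RunAsIdentity || !SecurityActions.remotingContextIsSet()) {
            return;
        }
        SecurityContextUtil util = established.getUtil();
        RemoteConnection connection = SecurityActions.remotingContextGetConnection();
        SecurityIdentity identity = SecurityDomain.forIdentity(connection.getSecurityIdentity()).getCurrentSecurityIdentity();
        if (identity == null) {
            throw SecurityLogger.ROOT_LOGGER.noUserPrincipalFound();
        }
        SimplePrincipal principal = new SimplePrincipal(identity.getPrincipal().getName());
        PasswordCredential passwordCredential = identity.getPrivateCredentials().getCredential(PasswordCredential.class, "clear");
        // The String copy of the clear password cannot be zeroed afterwards; it lives as long as the subject info.
        Object credential = passwordCredential != null
                ? new String(passwordCredential.getPassword(ClearPassword.class).getPassword())
                : new RemotingConnectionCredential(connection, identity);
        SecurityActions.remotingContextClear();
        util.createSubjectInfo(principal, credential, (Subject) null);
    }

    /**
     * Pushes a new context for {@code str} with explicit credentials.
     * <p>
     * With propagation on, the previous context's subject is copied over and its outgoing run-as becomes the
     * incoming run-as of the new context. Unless that incoming run-as is a {@link RunAsIdentity}, the subject info
     * is created from {@code str2}, {@code cArr} (copied into a {@code String}) and {@code subject}.
     *
     * @param str     security domain of the new context
     * @param str2    user name
     * @param cArr    password
     * @param subject subject to attach, may be {@code null}
     */
    public void push(String str, String str2, char[] cArr, Subject subject) {
        SecurityContext previous = SecurityContextAssociation.getSecurityContext();
        this.contexts.push(previous);
        SecurityContext established = establishSecurityContext(str);
        if (this.propagate && previous != null) {
            propagateSubject(established, previous);
            established.setIncomingRunAs(previous.getOutgoingRunAs());
        }
        RunAs incomingRunAs = established.getIncomingRunAs();
        if (incomingRunAs instanceof RunAsIdentity) {
            return;
        }
        established.getUtil().createSubjectInfo(new SimplePrincipal(str2), new String(cArr), subject);
    }

    /**
     * Copies the caller identity of {@code source} into {@code target}.
     * <p>
     * Contexts of the same security domain share the {@link SubjectInfo} object outright. Otherwise the target
     * gets fresh subject info built from the source's principal, credential and subject, a clone of the source's
     * roles (when present) and the source's identities.
     *
     * @param target newly established context receiving the identity
     * @param source previously associated context providing it
     * @throws RuntimeException wrapping {@link CloneNotSupportedException} from the role group clone
     */
    private void propagateSubject(SecurityContext target, SecurityContext source) {
        String targetDomain = target.getSecurityDomain();
        String sourceDomain = source.getSecurityDomain();
        if (targetDomain != null && sourceDomain != null && targetDomain.equals(sourceDomain)) {
            target.setSubjectInfo(source.getSubjectInfo());
            return;
        }
        SecurityContextUtil sourceUtil = source.getUtil();
        SecurityContextUtil targetUtil = target.getUtil();
        targetUtil.createSubjectInfo(sourceUtil.getUserPrincipal(), sourceUtil.getCredential(), sourceUtil.getSubject());
        if (sourceUtil.getRoles() != null) {
            try {
                targetUtil.setRoles((RoleGroup) sourceUtil.getRoles().clone());
            } catch (CloneNotSupportedException e) {
                throw new RuntimeException(e);
            }
        }
        targetUtil.setIdentities(sourceUtil.getIdentities(Identity.class));
    }

    /** Authenticates the current context without setting an outgoing run-as. */
    public void authenticate() {
        authenticate(null, null, null);
    }

    /**
     * Authenticates the caller of the current context (unless it is already trusted) and sets the outgoing run-as.
     * <p>
     * Re-authentication is skipped when the context already holds an authenticated subject with principals and
     * either the previous context on the stack is of the same security domain or the incoming run-as is a
     * {@link RunAsIdentity}. When the credential is a {@link RemotingConnectionCredential} its subject is reused
     * for the authentication. A run-as of {@code str} sets a new {@link RunAsIdentity}; otherwise, with
     * propagation on, the previous context's outgoing run-as is carried forward.
     * The thread must have a current context, i.e. {@link #push} must have been called first.
     *
     * @param str  run-as role, or {@code null} for none
     * @param str2 run-as principal name
     * @param set  extra roles for the run-as identity
     * @throws RuntimeException (from {@link SecurityLogger}) when authentication fails
     */
    public void authenticate(String str, String str2, Set<String> set) {
        SecurityContext securityContext = SecurityContextAssociation.getSecurityContext();
        SecurityContext previous = this.contexts.peek();
        if (!isTrusted(securityContext, previous)) {
            Object credential = securityContext.getUtil().getCredential();
            Subject remoteSubject = credential instanceof RemotingConnectionCredential
                    ? ((RemotingConnectionCredential) credential).getSubject()
                    : null;
            if (!authenticate(securityContext, remoteSubject)) {
                throw SecurityLogger.ROOT_LOGGER.invalidUserException();
            }
        }
        if (str != null) {
            securityContext.setOutgoingRunAs(new RunAsIdentity(str, str2, set));
        } else if (this.propagate && previous != null && previous.getOutgoingRunAs() != null) {
            securityContext.setOutgoingRunAs(previous.getOutgoingRunAs());
        }
    }

    /**
     * Tells whether {@code current} already carries a trusted, authenticated identity so that re-authentication
     * can be skipped.
     *
     * @param current  context being authenticated
     * @param previous context below it on the stack, may be {@code null}
     * @return {@code true} when the authenticated subject has principals and the identity came from the same
     *         security domain or from a {@link RunAsIdentity}
     */
    private static boolean isTrusted(SecurityContext current, SecurityContext previous) {
        SubjectInfo subjectInfo = current.getSubjectInfo();
        if (subjectInfo == null || subjectInfo.getAuthenticatedSubject() == null
                || subjectInfo.getAuthenticatedSubject().getPrincipals().isEmpty()) {
            return false;
        }
        boolean sameDomainAsPrevious = previous != null && current.getSecurityDomain().equals(previous.getSecurityDomain());
        return sameDomainAsPrevious || current.getIncomingRunAs() instanceof RunAsIdentity;
    }

    /**
     * Validates the context's user principal and credential with its authentication manager and records the
     * outcome with the audit manager, when one is configured.
     * <p>
     * A context without a user principal is accepted as the anonymous identity without consulting the
     * authentication manager; the anonymous principal is added to the subject and identity list.
     *
     * @param securityContext context whose user principal and credential are checked
     * @param subject         subject to authenticate into, or {@code null} for a fresh one
     * @return {@code true} when the caller is valid (or anonymous)
     */
    private boolean authenticate(SecurityContext securityContext, Subject subject) {
        SecurityContextUtil util = securityContext.getUtil();
        SubjectInfo subjectInfo = getSubjectInfo(securityContext);
        Subject authenticatedSubject = subject != null ? subject : new Subject();
        Principal userPrincipal = util.getUserPrincipal();
        Principal auditedPrincipal = userPrincipal;
        Object credential = util.getCredential();
        boolean valid;
        if (userPrincipal == null) {
            Identity anonymous = getUnauthenticatedIdentity();
            subjectInfo.addIdentity(anonymous);
            auditedPrincipal = anonymous.asPrincipal();
            authenticatedSubject.getPrincipals().add(auditedPrincipal);
            valid = true;
        } else {
            authenticatedSubject.getPrincipals().add(userPrincipal);
            valid = securityContext.getAuthenticationManager().isValid(userPrincipal, credential, authenticatedSubject);
        }
        if (valid) {
            subjectInfo.setAuthenticatedSubject(authenticatedSubject);
        }
        AuditManager auditManager = securityContext.getAuditManager();
        if (auditManager != null) {
            audit(valid ? "Success" : "Failure", auditManager, auditedPrincipal);
        }
        return valid;
    }

    /** Identity used for callers that present no principal. */
    private Identity getUnauthenticatedIdentity() {
        return new SimpleIdentity("anonymous");
    }

    /** Restores the context that was current before the matching {@link #push}. */
    public void pop() {
        SecurityContextAssociation.setSecurityContext(this.contexts.pop());
    }

    /**
     * Records an authentication audit event.
     *
     * @param level        audit level, {@code "Success"} or {@code "Failure"}
     * @param auditManager manager receiving the event
     * @param principal    audited principal; rendered as the literal {@code "null"} when absent
     */
    private void audit(String level, AuditManager auditManager, Principal principal) {
        AuditEvent auditEvent = new AuditEvent(level);
        Map<String, Object> contextMap = new HashMap<>();
        contextMap.put(Constants.PRINCIPAL_ARGUMENT, principal != null ? principal.getName() : "null");
        contextMap.put("Source", getClass().getCanonicalName());
        contextMap.put("Action", Constants.AUTHENTICATION);
        auditEvent.setContextMap(contextMap);
        auditManager.audit(auditEvent);
    }

    /**
     * Reads the context's {@link SubjectInfo}, under {@code doPrivileged} when a Java security manager is installed.
     * Note this checks {@code System.getSecurityManager()} whereas {@link #currentSecurityContext()} checks
     * {@link WildFlySecurityManager#isChecking()}.
     */
    private SubjectInfo getSubjectInfo(final SecurityContext securityContext) {
        if (System.getSecurityManager() == null) {
            return securityContext.getSubjectInfo();
        }
        return AccessController.doPrivileged(new PrivilegedAction<SubjectInfo>() {
            @Override
            public SubjectInfo run() {
                return securityContext.getSubjectInfo();
            }
        });
    }

    /**
     * Installs {@code map} as the {@link SecurityRolesAssociation} principal-to-roles map, under
     * {@code doPrivileged} when a Java security manager is installed.
     *
     * @param map map to install, or {@code null} to clear
     * @return the previously associated map, for restoring later
     */
    private Map<String, Set<String>> setSecurityRolesAssociation(Map<String, Set<String>> map) {
        if (System.getSecurityManager() != null) {
            return AccessController.doPrivileged(new SetSecurityRolesAssociationAction(map));
        }
        Map<String, Set<String>> previousRoles = SecurityRolesAssociation.getSecurityRoles();
        SecurityRolesAssociation.setSecurityRoles(map);
        return previousRoles;
    }
}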
