package org.jboss.ejb3.security;

import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.security.CodeSource;
import java.security.Policy;
import java.security.Principal;
import java.security.ProtectionDomain;
import java.util.Set;
import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.security.auth.Subject;
import javax.security.jacc.EJBMethodPermission;
import javax.security.jacc.PolicyConfiguration;
import javax.security.jacc.PolicyContextException;
import org.jboss.annotation.security.SecurityDomain;
import org.jboss.aop.metadata.SimpleClassMetaDataBinding;
import org.jboss.aop.metadata.SimpleClassMetaDataLoader;
import org.jboss.deployment.DeploymentInfo;
import org.jboss.ejb3.EJBContainer;
import org.jboss.logging.Logger;

/* loaded from: input_file:org/jboss/ejb3/security/JaccHelper.class */
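/**
 * Static helpers that translate the security annotations of an EJB3 bean into JACC policy
 * statements and that run the JACC authorization check for an invocation.
 *
 * <p>Each deployment is identified by a JACC context id. Its {@link PolicyConfiguration} is
 * obtained from {@link Ejb3PolicyConfigurationFactory}, filled by
 * {@link #configureContainer(String, EJBContainer)}, committed by
 * {@link #putJaccInService(PolicyConfiguration, DeploymentInfo)} and removed by
 * {@link #unregisterJacc(String)}.
 */
public class JaccHelper {
    static final Logger log = Logger.getLogger(JaccHelper.class);

    /** Key under which a deployment's policy configuration is stored in {@code DeploymentInfo.context}. */
    private static final String POLICY_CONFIGURATION_KEY = "javax.security.jacc.PolicyConfiguration";

    /**
     * Obtains the policy configuration for a deployment, asking the factory to remove any
     * existing policy statements (second argument {@code true}).
     *
     * @param str the JACC context id of the deployment
     * @return the policy configuration for that context id
     * @throws Exception if the factory cannot be obtained or cannot provide the configuration
     */
    public static PolicyConfiguration initialiseJacc(String str) throws Exception {
        log.debug("Initialising JACC Context for deployment: " + str);
        return Ejb3PolicyConfigurationFactory.getPolicyConfigurationFactory().getPolicyConfiguration(str, true);
    }

    /**
     * Stores the policy configuration in the deployment's context, links it to the configuration
     * of the top-most parent deployment when that one is a different object, and commits it.
     *
     * @param policyConfiguration the configuration to put in service
     * @param deploymentInfo the deployment the configuration belongs to
     * @throws Exception if linking or committing fails
     */
    public static void putJaccInService(PolicyConfiguration policyConfiguration, DeploymentInfo deploymentInfo) throws Exception {
        deploymentInfo.context.put(POLICY_CONFIGURATION_KEY, policyConfiguration);

        // Walk up to the root of the deployment tree.
        DeploymentInfo root = deploymentInfo;
        while (root.parent != null) {
            root = root.parent;
        }

        PolicyConfiguration rootConfiguration = (PolicyConfiguration) root.context.get(POLICY_CONFIGURATION_KEY);
        if (rootConfiguration != null && rootConfiguration != policyConfiguration) {
            rootConfiguration.linkConfiguration(policyConfiguration);
        }
        policyConfiguration.commit();
        log.debug("JACC Policy Configuration for deployment has been put in service");
    }

    /**
     * Deletes the policy configuration of a deployment.
     *
     * @param str the JACC context id of the deployment
     * @throws Exception if the configuration cannot be obtained or deleted
     */
    public static void unregisterJacc(String str) throws Exception {
        Ejb3PolicyConfigurationFactory.getPolicyConfigurationFactory().getPolicyConfiguration(str, true).delete();
    }

    /**
     * Binds the JACC context id to the container's metadata and adds the bean's method
     * permissions to the policy configuration of that context id.
     *
     * @param str the JACC context id of the deployment
     * @param eJBContainer the container of the bean to configure
     * @throws RuntimeException wrapping any failure, including an inconsistent annotation set
     */
    public static void configureContainer(String str, EJBContainer eJBContainer) {
        try {
            addJaccContextToContainer(str, eJBContainer);
            addPermissions(eJBContainer, Ejb3PolicyConfigurationFactory.getPolicyConfigurationFactory().getPolicyConfiguration(str, false));
        } catch (Exception e) {
            // Report through the class logger rather than stderr so a failed security
            // configuration lands in the server log with the rest of the deployment output.
            log.error("Failed to configure JACC for context: " + str, e);
            throw new RuntimeException(e);
        }
    }

    /**
     * Adds one {@link EJBMethodPermission} per public method declared by the bean class to the
     * policy configuration, according to the bean's security annotations.
     *
     * <p>Beans without {@code @SecurityDomain} are skipped entirely. Points a reviewer of the
     * resulting policy should keep in mind:
     * <ul>
     *   <li>Only {@code getDeclaredMethods()} of the bean class is scanned, so public methods
     *       inherited from a superclass receive no statement here.</li>
     *   <li>A method with no method-level annotation on a bean with neither class-level
     *       {@code @PermitAll} nor {@code @RolesAllowed} receives no statement at all; how such a
     *       method is treated at check time depends on the installed policy provider.</li>
     *   <li>A class-level {@code @DenyAll} is not consulted by this method.</li>
     * </ul>
     *
     * @param eJBContainer the container of the bean
     * @param policyConfiguration the open policy configuration to add statements to
     * @throws RuntimeException if the annotations conflict or the policy configuration rejects a
     *         statement
     */
    private static void addPermissions(EJBContainer eJBContainer, PolicyConfiguration policyConfiguration) {
        String ejbName = eJBContainer.getEjbName();
        if (eJBContainer.resolveAnnotation(SecurityDomain.class) == null) {
            log.debug(ejbName + " has no @SecurityDomain - skipping JACC configuration");
            return;
        }
        log.debug(ejbName + " has @SecurityDomain - peforming JACC configuration");

        PermitAll classPermitAll = (PermitAll) eJBContainer.resolveAnnotation(PermitAll.class);
        RolesAllowed classRolesAllowed = (RolesAllowed) eJBContainer.resolveAnnotation(RolesAllowed.class);
        if (classPermitAll != null && classRolesAllowed != null) {
            throw new RuntimeException("Cannot annotate a bean with both @PermitAll and @RolesAllowed");
        }

        for (Method method : eJBContainer.getBeanClass().getDeclaredMethods()) {
            if (!Modifier.isPublic(method.getModifiers())) {
                continue;
            }
            EJBMethodPermission permission = new EJBMethodPermission(ejbName, null, method);
            log.debug("Creating permission: " + permission);
            try {
                assignPermission(eJBContainer, policyConfiguration, method, permission, classPermitAll, classRolesAllowed);
            } catch (PolicyContextException e) {
                // Every policy failure is reported the same way, whichever branch raised it.
                throw new RuntimeException(e);
            }
        }
    }

    /**
     * Adds the permission for one method. A method-level annotation takes precedence over the
     * class-level one; when neither exists no statement is added.
     */
    private static void assignPermission(EJBContainer eJBContainer, PolicyConfiguration policyConfiguration, Method method,
            EJBMethodPermission permission, PermitAll classPermitAll, RolesAllowed classRolesAllowed) throws PolicyContextException {
        PermitAll methodPermitAll = (PermitAll) eJBContainer.resolveAnnotation(method, PermitAll.class);
        RolesAllowed methodRolesAllowed = (RolesAllowed) eJBContainer.resolveAnnotation(method, RolesAllowed.class);
        DenyAll methodDenyAll = (DenyAll) eJBContainer.resolveAnnotation(method, DenyAll.class);

        if (getAnnotationCount(methodPermitAll, methodRolesAllowed, methodDenyAll) > 1) {
            throw new RuntimeException("You can only use one of @PermitAll, @DenyAll or @RolesAllowed per method");
        }

        if (methodPermitAll != null) {
            policyConfiguration.addToUncheckedPolicy(permission);
            log.debug("Adding permission to unchecked policy");
        } else if (methodRolesAllowed != null) {
            addToRole(policyConfiguration, permission, methodRolesAllowed);
        } else if (methodDenyAll != null) {
            policyConfiguration.addToExcludedPolicy(permission);
            log.debug("Adding permission to excluded policy");
        } else if (classPermitAll != null) {
            policyConfiguration.addToUncheckedPolicy(permission);
            log.debug("Adding permission to unchecked policy");
        } else if (classRolesAllowed != null) {
            addToRole(policyConfiguration, permission, classRolesAllowed);
        }
        // No trailing "else": with no applicable annotation nothing is added. The former
        // catch-all branch that put the permission into the unchecked policy could never run,
        // and keeping it would only hide an accidental grant-to-everyone if the guards changed.
    }

    /** Counts how many of the three method-level annotations are present (non-null). */
    private static int getAnnotationCount(PermitAll permitAll, RolesAllowed rolesAllowed, DenyAll denyAll) {
        int count = 0;
        if (permitAll != null) {
            count++;
        }
        if (rolesAllowed != null) {
            count++;
        }
        if (denyAll != null) {
            count++;
        }
        return count;
    }

    /** Adds the permission to every role named by the {@code @RolesAllowed} annotation. */
    private static void addToRole(PolicyConfiguration policyConfiguration, EJBMethodPermission eJBMethodPermission, RolesAllowed rolesAllowed) throws PolicyContextException {
        for (String role : rolesAllowed.value()) {
            policyConfiguration.addToRole(role, eJBMethodPermission);
            log.debug("Adding permission to role: " + role);
        }
    }

    /**
     * Registers the JACC context id as default class metadata (group
     * {@code JaccAuthorizationInterceptor.JACC}, attribute {@code JaccAuthorizationInterceptor.CTX})
     * for the bean class on the container.
     */
    private static void addJaccContextToContainer(String str, EJBContainer eJBContainer) {
        String beanClassName = eJBContainer.getBeanClassName();
        SimpleClassMetaDataBinding binding = new SimpleClassMetaDataBinding(SimpleClassMetaDataLoader.singleton, beanClassName, JaccAuthorizationInterceptor.JACC, beanClassName);
        binding.addDefaultMetaData(JaccAuthorizationInterceptor.JACC, JaccAuthorizationInterceptor.CTX, str);
        eJBContainer.addClassMetaData(binding);
    }

    /**
     * Asks the installed {@link Policy} whether the current caller holds the given method
     * permission and fails closed when it does not.
     *
     * <p>The caller is represented by a {@link ProtectionDomain} built from the code source and
     * the principals of the context subject. When there is no context subject the domain carries
     * no principals; what the policy implies for such a domain is decided by the installed
     * provider.
     *
     * @param codeSource the code source of the bean being invoked
     * @param eJBMethodPermission the permission required for the invocation
     * @throws SecurityException if the policy does not imply the permission
     * @throws RuntimeException wrapping a {@link PolicyContextException} raised during the check
     */
    public static void checkPermission(CodeSource codeSource, EJBMethodPermission eJBMethodPermission) throws SecurityException {
        try {
            Policy policy = Policy.getPolicy();
            Subject contextSubject = SecurityActions.getContextSubject();
            Principal[] principalArr = null;
            if (contextSubject != null) {
                Set<Principal> principals = contextSubject.getPrincipals();
                // A zero-length seed lets toArray size the result itself, so a concurrent
                // change of the set cannot leave trailing null slots in the array.
                principalArr = principals.toArray(new Principal[0]);
            }
            ProtectionDomain callerDomain = new ProtectionDomain(codeSource, null, null, principalArr);
            if (!policy.implies(callerDomain, eJBMethodPermission)) {
                // Name the caller by principals only: Subject.toString() also renders the
                // subject's credentials, which must not end up in exception messages or logs.
                throw new SecurityException("Denied: " + eJBMethodPermission + ", caller=" + java.util.Arrays.toString(principalArr));
            }
        } catch (PolicyContextException e) {
            throw new RuntimeException(e);
        }
    }
}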
