package org.jboss.security.plugins;

import com.sun.xacml.Policy;
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.security.Principal;
import java.security.acl.Group;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.jacc.PolicyContext;
import javax.security.jacc.PolicyContextException;
import org.jboss.logging.Logger;
import org.jboss.security.AnybodyPrincipal;
import org.jboss.security.AuthorizationManager;
import org.jboss.security.NobodyPrincipal;
import org.jboss.security.SecurityAssociation;
import org.jboss.security.SecurityContext;
import org.jboss.security.Util;
import org.jboss.security.authorization.AuthorizationContext;
import org.jboss.security.authorization.AuthorizationException;
import org.jboss.security.authorization.PolicyRegistration;
import org.jboss.security.authorization.Resource;
import org.jboss.util.CachePolicy;
import org.jboss.util.TimedCachePolicy;
import org.jboss.util.xml.DOMUtils;

/* loaded from: input_file:org/jboss/security/plugins/JBossAuthorizationManager.class */
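/**
 * Authorization manager for one security domain.
 *
 * Role checks are answered from the roles of the thread's active Subject, merged into the
 * thread's {@link SecurityContext} under this manager's domain; the Principal argument of the
 * {@code doesUserHaveRole}/{@code getUserRoles} methods is not consulted. Caller-principal
 * mapping goes through an optional {@link CachePolicy}. XACML policies are kept in an
 * in-memory registry keyed by context id.
 *
 * Fixes relative to the previous revision: a missing cache no longer causes a
 * NullPointerException in {@code getPrincipal}; a missing role group fails closed instead
 * of throwing; the never-expire cache sentinel survives {@code init}; the deferred logout in
 * {@code release} fires when the last holder releases; policy streams are closed; policy
 * registration failures are logged at error level rather than hidden at debug; the policy
 * registry is safe for concurrent register/lookup.
 */
public class JBossAuthorizationManager implements AuthorizationManager, PolicyRegistration {
    private static final Logger log = Logger.getLogger(JBossAuthorizationManager.class);

    /** JACC policy-context handler key that yields the container-authenticated Subject. */
    private static final String SUBJECT_CONTEXT_KEY = "javax.security.auth.Subject.container";
    /** Name of the Subject group whose first member is published as the caller principal. */
    private static final String CALLER_PRINCIPAL_GROUP = "CallerPrincipal";

    private CachePolicy domainCache;
    private String securityDomain;
    private CallbackHandler callbackHandler;
    /** contextId -> com.sun.xacml.Policy; synchronized because register/lookup may run on different threads. */
    private Map contextIdToPolicy = Collections.synchronizedMap(new HashMap());
    protected boolean trace = log.isTraceEnabled();

    /**
     * Cache entry holding the Subject and caller principal captured for a principal.
     *
     * An entry is reference counted: {@link #acquire()} before reading it under the cache lock,
     * {@link #release()} afterwards. If the cache destroys an entry that is still held, the
     * logout is deferred until the last holder releases.
     */
    public static class AuthorizationCacheEntry implements TimedCachePolicy.TimedEntry {
        private static final Logger log = Logger.getLogger(AuthorizationCacheEntry.class);
        private static final boolean trace = log.isTraceEnabled();
        /** Lifetime / expiration sentinel meaning "never expires". */
        private static final long NEVER_EXPIRES = -1L;

        private Subject subject;
        private Principal callerPrincipal;
        /** Relative lifetime in ms until {@link #init(long)}, absolute expiry in ms afterwards; or -1. */
        private long expirationTime;
        private boolean needsDestroy;
        private int activeUsers;

        /**
         * @param lifetime lifetime in seconds, or -1 for an entry that never expires
         */
        public AuthorizationCacheEntry(long lifetime) {
            if (lifetime == NEVER_EXPIRES) {
                this.expirationTime = NEVER_EXPIRES;
            } else {
                this.expirationTime = lifetime * 1000L; // seconds -> ms, the unit init(now) uses
            }
        }

        /** Marks the entry as in use. Returns the holder count before this call. */
        synchronized int acquire() {
            return this.activeUsers++;
        }

        /**
         * Drops one holder. Returns the holder count before this call. If the cache has
         * already asked for this entry to be destroyed, the logout runs once the count
         * reaches zero after the decrement (the old code compared the pre-decrement value,
         * so the deferred logout never fired for the last holder).
         */
        synchronized int release() {
            int before = this.activeUsers--;
            if (this.needsDestroy && this.activeUsers <= 0) {
                if (trace) {
                    log.trace("needsDestroy is true, doing logout");
                }
                logout();
            }
            return before;
        }

        /** Releases the cached Subject reference. */
        synchronized void logout() {
            if (trace) {
                log.trace(new StringBuffer().append("logout, subject=").append(this.subject).append(", this=").append(this).toString());
            }
            this.subject = null;
        }

        /**
         * Called by the cache on insert with the current time; converts the relative
         * lifetime into an absolute expiry. The -1 sentinel is left untouched, otherwise
         * adding the clock to it would yield an already-past absolute time and the
         * "never expires" entry would be stale immediately.
         */
        @Override // org.jboss.util.TimedCachePolicy.TimedEntry
        public void init(long now) {
            if (this.expirationTime != NEVER_EXPIRES) {
                this.expirationTime += now;
            }
        }

        /** @return true if the entry never expires or its expiry is still in the future. */
        @Override // org.jboss.util.TimedCachePolicy.TimedEntry
        public boolean isCurrent(long now) {
            return this.expirationTime == NEVER_EXPIRES || this.expirationTime > now;
        }

        /** Entries are never refreshed; a stale entry is dropped and rebuilt by updateCache. */
        @Override // org.jboss.util.TimedCachePolicy.TimedEntry
        public boolean refresh() {
            return false;
        }

        /**
         * Called by the cache when the entry is evicted. Clears the entry immediately if
         * nobody holds it, otherwise defers the cleanup to the last {@link #release()}.
         */
        @Override // org.jboss.util.TimedCachePolicy.TimedEntry
        public void destroy() {
            if (trace) {
                log.trace(new StringBuffer().append("destroy, subject=").append(this.subject).append(", this=").append(this).append(", activeUsers=").append(this.activeUsers).toString());
            }
            synchronized (this) {
                if (this.activeUsers == 0) {
                    this.callerPrincipal = null;
                    logout();
                } else {
                    if (trace) {
                        log.trace(new StringBuffer().append("destroy saw activeUsers=").append(this.activeUsers).toString());
                    }
                    this.needsDestroy = true;
                }
            }
        }

        /** The entry is its own cached value. */
        @Override // org.jboss.util.TimedCachePolicy.TimedEntry
        public Object getValue() {
            return this;
        }

        public String toString() {
            StringBuffer sb = new StringBuffer(super.toString());
            sb.append('[');
            sb.append(SubjectActions.toString(this.subject));
            sb.append(",callerPrincipal=");
            sb.append(this.callerPrincipal);
            sb.append(",expirationTime=");
            sb.append(this.expirationTime);
            sb.append(']');
            return sb.toString();
        }
    }

    /**
     * @param securityDomain  name of the security domain this manager answers for
     * @param callbackHandler handler passed on to the {@link AuthorizationContext}; may be null
     */
    public JBossAuthorizationManager(String securityDomain, CallbackHandler callbackHandler) {
        this.securityDomain = securityDomain;
        this.callbackHandler = callbackHandler;
    }

    /**
     * Authorizes access to a resource via a fresh {@link AuthorizationContext} for this domain.
     * The Subject is taken from the JACC policy context; if that lookup fails the error is
     * logged and the context is built with a null Subject, leaving the deny/permit decision
     * to the context.
     *
     * @throws AuthorizationException propagated from the AuthorizationContext
     */
    @Override // org.jboss.security.AuthorizationManager
    public int authorize(Resource resource) throws AuthorizationException {
        Subject subject = null;
        try {
            subject = (Subject) PolicyContext.getContext(SUBJECT_CONTEXT_KEY);
        } catch (PolicyContextException e) {
            log.error("Error obtaining AuthenticatedSubject:", e);
        }
        return new AuthorizationContext(this.securityDomain, subject, this.callbackHandler).authorize(resource);
    }

    /**
     * @return true if the current roles contain any principal in {@code set}. Returns false
     *         (deny) when no roles are established or {@code set} is null. The
     *         {@code principal} argument is ignored; roles come from the active Subject.
     */
    @Override // org.jboss.security.RealmMapping
    public boolean doesUserHaveRole(Principal principal, Set set) {
        Group currentRoles = getCurrentRoles();
        if (this.trace) {
            log.trace(new StringBuffer().append("doesUserHaveRole(Set), roles: ").append(currentRoles).toString());
        }
        if (currentRoles == null || set == null) {
            return false;
        }
        boolean hasRole = false;
        Iterator it = set.iterator();
        while (!hasRole && it.hasNext()) {
            Principal role = (Principal) it.next();
            hasRole = doesRoleGroupHaveRole(role, currentRoles);
            if (this.trace) {
                log.trace(new StringBuffer().append("hasRole(").append(role).append(")=").append(hasRole).toString());
            }
        }
        if (this.trace) {
            log.trace(new StringBuffer().append("hasRole=").append(hasRole).toString());
        }
        return hasRole;
    }

    /**
     * @return true if the current roles contain {@code role}; false when no roles are
     *         established. The {@code principal} argument is ignored.
     */
    public boolean doesUserHaveRole(Principal principal, Principal role) {
        return doesRoleGroupHaveRole(role, getCurrentRoles());
    }

    /** Not supported by this manager; always throws. */
    @Override // org.jboss.security.AuthorizationManager
    public boolean doesUserHaveRole(String roleName) {
        throw new IllegalStateException("Not implemented: doesUserHaveRole");
    }

    /**
     * @return the current roles as a Set, or null when no roles are established. The
     *         {@code principal} argument is ignored.
     */
    @Override // org.jboss.security.RealmMapping
    public Set getUserRoles(Principal principal) {
        return getRolesAsSet(getCurrentRoles());
    }

    /**
     * Maps an authenticated principal to the caller principal recorded in the domain cache.
     * Falls back to {@code principal} itself when there is no cache, no entry, or the entry
     * carries no caller principal.
     */
    @Override // org.jboss.security.RealmMapping
    public Principal getPrincipal(Principal principal) {
        updateCache(principal);
        Principal result = principal;
        if (this.domainCache == null) {
            return result;
        }
        synchronized (this.domainCache) {
            AuthorizationCacheEntry info = getCacheInfo(principal, false);
            if (this.trace) {
                log.trace(new StringBuffer().append("getPrincipal, cache info: ").append(info).toString());
            }
            if (info != null) {
                if (info.callerPrincipal != null) {
                    result = info.callerPrincipal;
                }
                info.release();
            }
        }
        return result;
    }

    /** Installs the domain cache used by {@link #getPrincipal(Principal)}; null disables caching. */
    public void setCachePolicy(CachePolicy cachePolicy) {
        this.domainCache = cachePolicy;
        log.debug(new StringBuffer().append("CachePolicy set to: ").append(cachePolicy).toString());
    }

    /**
     * Looks up the cache entry for a principal and acquires it; the caller must
     * {@link AuthorizationCacheEntry#release()} it.
     *
     * @param allowRefresh true to use {@code get} (lets the cache validate/refresh the
     *                     entry), false to {@code peek} without touching it
     * @return the acquired entry, or null if there is no cache or no entry
     */
    protected AuthorizationCacheEntry getCacheInfo(Principal principal, boolean allowRefresh) {
        if (this.domainCache == null) {
            return null;
        }
        AuthorizationCacheEntry entry;
        synchronized (this.domainCache) {
            if (allowRefresh) {
                entry = (AuthorizationCacheEntry) this.domainCache.get(principal);
            } else {
                entry = (AuthorizationCacheEntry) this.domainCache.peek(principal);
            }
            if (entry != null) {
                entry.acquire();
            }
        }
        return entry;
    }

    /**
     * Rebuilds the cache entry for {@code principal} from the thread's active Subject.
     * The entry is only inserted if a caller principal could be determined; an existing
     * entry for the same key is always removed first.
     */
    private void updateCache(Principal principal) {
        if (this.domainCache == null) {
            return; // nothing to cache into; getPrincipal uses the identity mapping
        }
        Subject activeSubject = SubjectActions.getActiveSubject();
        if (activeSubject == null) {
            if (this.trace) {
                log.trace("updateCache:Subject on the SecurityAssociation is null");
            }
            return;
        }
        long lifetime = 0L;
        if (this.domainCache instanceof TimedCachePolicy) {
            lifetime = ((TimedCachePolicy) this.domainCache).getDefaultLifetime();
        }
        AuthorizationCacheEntry entry = new AuthorizationCacheEntry(lifetime);
        entry.subject = activeSubject;
        entry.callerPrincipal = findCallerPrincipal(activeSubject);
        if (principal == null && entry.callerPrincipal == null) {
            entry.callerPrincipal = findNonGroupPrincipal(activeSubject);
        }
        synchronized (this.domainCache) {
            if (this.domainCache.peek(principal) != null) {
                this.domainCache.remove(principal);
            }
            if (entry.callerPrincipal != null) {
                this.domainCache.insert(principal, entry);
            }
            if (this.trace) {
                log.trace(new StringBuffer().append("Inserted cache info: ").append(entry).toString());
            }
        }
    }

    /**
     * @return the first member of the last "CallerPrincipal" group in the Subject that has
     *         any members, or null
     */
    private static Principal findCallerPrincipal(Subject subject) {
        Principal caller = null;
        for (Group group : subject.getPrincipals(Group.class)) {
            if (CALLER_PRINCIPAL_GROUP.equals(group.getName())) {
                Enumeration<? extends Principal> members = group.members();
                if (members.hasMoreElements()) {
                    caller = members.nextElement();
                }
            }
        }
        return caller;
    }

    /** @return the last non-Group principal of the Subject (iteration order of its principal set), or null */
    private static Principal findNonGroupPrincipal(Subject subject) {
        Principal found = null;
        for (Principal candidate : subject.getPrincipals(Principal.class)) {
            if (!(candidate instanceof Group)) {
                found = candidate;
            }
        }
        return found;
    }

    /**
     * Role membership test. NobodyPrincipal never matches, AnybodyPrincipal always matches
     * (given a role group), and a null role group denies rather than throwing.
     */
    protected boolean doesRoleGroupHaveRole(Principal principal, Group group) {
        if (principal instanceof NobodyPrincipal) {
            return false;
        }
        if (group == null) {
            return false;
        }
        boolean isMember = group.isMember(principal);
        if (!isMember) {
            isMember = principal instanceof AnybodyPrincipal;
        }
        return isMember;
    }

    /**
     * Loads and registers the XACML policy at {@code url} for {@code contextId}. The stream
     * is always closed. Failures are logged at error level: a policy that silently fails to
     * register leaves the context with no policy at all.
     */
    @Override // org.jboss.security.authorization.PolicyRegistration
    public void registerPolicy(String contextId, URL url) {
        InputStream in = null;
        try {
            if (this.trace) {
                log.trace(new StringBuffer().append("Registering policy for contextId:").append(contextId).append(" and location:").append(url.getPath()).toString());
            }
            in = url.openStream();
            registerPolicy(contextId, in);
        } catch (Exception e) {
            log.error("Error in registering xacml policy:", e);
        } finally {
            if (in != null) {
                try {
                    in.close();
                } catch (IOException ignored) {
                    if (this.trace) {
                        log.trace("Error closing xacml policy stream", ignored);
                    }
                }
            }
        }
    }

    /**
     * Parses an XACML policy document and registers it for {@code contextId}, replacing any
     * previous policy for that id. The caller owns and closes {@code inputStream}.
     *
     * NOTE(review): DOMUtils.parse is a project helper; confirm it disables DTD processing
     * and external entity resolution, since policy documents are deployer-supplied XML.
     */
    @Override // org.jboss.security.authorization.PolicyRegistration
    public void registerPolicy(String contextId, InputStream inputStream) {
        try {
            this.contextIdToPolicy.put(contextId, Policy.getInstance(DOMUtils.parse(inputStream)));
        } catch (Exception e) {
            log.error("Error in registering xacml policy:", e);
        }
    }

    /** Removes the policy registered for {@code contextId}, if any. */
    @Override // org.jboss.security.authorization.PolicyRegistration
    public void deRegisterPolicy(String contextId) {
        this.contextIdToPolicy.remove(contextId);
        if (this.trace) {
            log.trace(new StringBuffer().append("DeRegistered policy for contextId:").append(contextId).toString());
        }
    }

    /** @return the registered policy for {@code contextId}, or null; {@code map} is not used */
    @Override // org.jboss.security.authorization.PolicyRegistration
    public Object getPolicy(String contextId, Map map) {
        return this.contextIdToPolicy.get(contextId);
    }

    public String toString() {
        StringBuffer sb = new StringBuffer();
        sb.append("[AuthorizationManager:class=").append(getClass().getName());
        sb.append(":").append(this.securityDomain).append(":");
        sb.append("]");
        return sb.toString();
    }

    public String getSecurityDomain() {
        return this.securityDomain;
    }

    /** @return the members of {@code group} as a new HashSet, or null if {@code group} is null */
    private HashSet getRolesAsSet(Group group) {
        if (group == null) {
            return null;
        }
        HashSet roles = new HashSet();
        Enumeration<? extends Principal> members = group.members();
        while (members.hasMoreElements()) {
            roles.add(members.nextElement());
        }
        return roles;
    }

    /**
     * Returns the roles of the thread's SecurityContext for this domain, after merging in the
     * roles of the active Subject. A SecurityContext is created and associated with the
     * thread if none exists.
     */
    private Group getCurrentRoles() {
        Group subjectRoles = Util.getSubjectRoles(SubjectActions.getActiveSubject());
        SecurityContext securityContext = SecurityAssociation.getSecurityContext();
        if (securityContext == null) {
            securityContext = new SecurityContext();
            SecurityAssociation.setSecurityContext(securityContext);
        }
        Group contextRoles = securityContext.getRoles(this.securityDomain);
        boolean hadNoRoles = contextRoles == null;
        Group merged = copyGroups(contextRoles, subjectRoles);
        if (merged != subjectRoles || hadNoRoles) {
            securityContext.setRoles(merged, this.securityDomain);
        }
        return securityContext.getRoles(this.securityDomain);
    }

    /**
     * Merges {@code source} into {@code target}. Returns {@code target} unchanged when
     * {@code source} is null, {@code source} itself when {@code target} is null, otherwise
     * {@code target} with every member of {@code source} added.
     */
    private Group copyGroups(Group target, Group source) {
        if (source == null) {
            return target;
        }
        if (target == null) {
            return source;
        }
        Enumeration<? extends Principal> members = source.members();
        while (members.hasMoreElements()) {
            target.addMember(members.nextElement());
        }
        return target;
    }
}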
