package org.jboss.web.tomcat.security;

import java.io.IOException;
import java.lang.reflect.Method;
import java.security.CodeSource;
import java.security.Permission;
import java.security.Policy;
import java.security.Principal;
import java.security.ProtectionDomain;
import java.util.List;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.jacc.PolicyContext;
import javax.security.jacc.PolicyContextException;
import javax.security.jacc.WebResourcePermission;
import javax.security.jacc.WebRoleRefPermission;
import javax.security.jacc.WebUserDataPermission;
import javax.servlet.http.HttpServletRequest;
import org.apache.catalina.Context;
import org.apache.catalina.Wrapper;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.deploy.SecurityConstraint;
import org.jboss.logging.Logger;
import org.jboss.metadata.SecurityRoleRefMetaData;
import org.jboss.metadata.WebMetaData;

/* loaded from: input_file:org/jboss/web/tomcat/security/JaccAuthorizationRealm.class */
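/**
 * Realm that answers the web container's authorization questions by asking the installed
 * {@link Policy} whether a JACC permission ({@link WebResourcePermission},
 * {@link WebRoleRefPermission}, {@link WebUserDataPermission}) is implied for the caller.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>The {@link Policy} is captured once, when the realm instance is constructed.</li>
 *   <li>The servlet name of the request being authorized is kept in a thread-local that is
 *       written by {@link #hasResourcePermission} and read by {@link #hasRole}.</li>
 *   <li>When {@code unprotectedResourceDelegation} is enabled, security constraints may be
 *       obtained reflectively from the policy or from a class named in configuration.</li>
 * </ul>
 */
public class JaccAuthorizationRealm extends JBossSecurityMgrRealm {
    /** JACC policy-context handler key under which the container registers the caller's Subject. */
    private static final String SUBJECT_CONTEXT_KEY = "javax.security.auth.Subject.container";
    static Logger log = Logger.getLogger(JaccAuthorizationRealm.class);
    /**
     * Servlet name of the request currently being authorized on this thread.
     * NOTE(review): the value is never removed, and it is only overwritten when the request
     * has a wrapper; on a pooled thread a later request without a wrapper would see the
     * previous request's servlet name in hasRole(). Confirm callers always supply a wrapper.
     */
    private static final ThreadLocal<String> activeRequest = new ThreadLocal<String>();
    private boolean unprotectedResourceDelegation = false;
    private String securityConstraintProviderClass = "";
    // Captured at construction time; a policy installed later is not picked up by this instance.
    protected Policy policy = Policy.getPolicy();
    // Trace flag is sampled once at construction, so later log-level changes are not reflected.
    private boolean trace = log.isTraceEnabled();

    /**
     * Decides whether the request may access the requested resource by checking a
     * {@link WebResourcePermission} (request path + HTTP method) against the policy.
     * The {@code securityConstraintArr} and {@code context} arguments are not consulted here.
     *
     * @param request the request being authorized
     * @param response the response; a 403 error is sent on it when access is denied
     * @param securityConstraintArr unused by this implementation
     * @param context unused by this implementation
     * @return {@code true} if the policy implies the permission, {@code false} otherwise
     * @throws IOException if sending the error response fails
     */
    @Override // org.jboss.web.tomcat.security.JBossSecurityMgrRealm
    public boolean hasResourcePermission(Request request, Response response, SecurityConstraint[] securityConstraintArr, Context context) throws IOException {
        Wrapper wrapper = request.getWrapper();
        if (wrapper != null) {
            // Remember the target servlet so that hasRole() can resolve security-role-refs.
            activeRequest.set(getServletName(wrapper));
        }
        Principal caller = request.getPrincipal();
        WebResourcePermission resourcePermission = new WebResourcePermission(requestURI(request), request.getRequest().getMethod());
        boolean allowed = checkSecurityAssociation((Permission) resourcePermission, caller);
        if (this.trace) {
            log.trace("hasResourcePermission, perm=" + resourcePermission + ", allowed=" + allowed);
        }
        if (!allowed) {
            response.sendError(403, sm.getString("realmBase.forbidden"));
        }
        return allowed;
    }

    /**
     * Checks whether the principal holds the given role for the servlet recorded by the last
     * {@link #hasResourcePermission} call on this thread, using a {@link WebRoleRefPermission}.
     *
     * <p>If one of the servlet's security-role-refs links to {@code str}, the reference's own
     * name is used as the permission action; otherwise {@code str} is used unchanged.
     *
     * @param principal the caller; its roles (from {@code getPrincipalRoles}) are used as the
     *        principal set when available, else the principal itself
     * @param str the role name to test
     * @return {@code true} if the policy implies the role-ref permission
     */
    @Override // org.jboss.web.tomcat.security.JBossSecurityMgrRealm
    public boolean hasRole(Principal principal, String str) {
        String servletName = activeRequest.get();
        // assumes SecurityAssociationValve has published the web metadata for this thread —
        // a null value here results in a NullPointerException; verify the valve ordering.
        List securityRoleRefs = ((WebMetaData) SecurityAssociationValve.activeWebMetaData.get()).getSecurityRoleRefs(servletName);
        String roleRefName = str;
        if (securityRoleRefs != null) {
            for (Object entry : securityRoleRefs) {
                SecurityRoleRefMetaData roleRef = (SecurityRoleRefMetaData) entry;
                // Null-safe comparison: a role-ref without a link must not abort the
                // authorization check with a NullPointerException.
                String link = roleRef.getLink();
                if (link != null && link.equals(str)) {
                    roleRefName = roleRef.getName();
                    break;
                }
            }
        }
        WebRoleRefPermission roleRefPermission = new WebRoleRefPermission(servletName, roleRefName);
        Principal[] principalArr = {principal};
        Set principalRoles = getPrincipalRoles(principal);
        if (principalRoles != null) {
            principalArr = new Principal[principalRoles.size()];
            principalRoles.toArray(principalArr);
        }
        boolean allowed = checkSecurityAssociation((Permission) roleRefPermission, principalArr);
        if (this.trace) {
            log.trace("hasRole, perm=" + roleRefPermission + ", allowed=" + allowed);
        }
        return allowed;
    }

    /**
     * Checks the transport requirement for the request via a {@link WebUserDataPermission}
     * evaluated with no principals; when that check does not grant access, the superclass
     * implementation decides.
     *
     * <p>NOTE(review): an exception thrown by the policy check is swallowed (reported only at
     * trace level) and treated as "not granted", and a policy denial is never final because the
     * superclass result replaces it. Confirm the superclass check is at least as strict as the
     * policy for this deployment.
     *
     * @param request the request being checked
     * @param response the response, passed through to the superclass
     * @param securityConstraintArr constraints, passed through to the superclass
     * @return {@code true} if the policy or the superclass grants the user-data permission
     * @throws IOException declared for the superclass call
     */
    public boolean hasUserDataPermission(Request request, Response response, SecurityConstraint[] securityConstraintArr) throws IOException {
        HttpServletRequest httpRequest = request.getRequest();
        establishSubjectContext(request.getPrincipal());
        WebUserDataPermission userDataPermission = new WebUserDataPermission(requestURI(request), httpRequest.getMethod());
        if (this.trace) {
            log.trace("hasUserDataPermission, p=" + userDataPermission);
        }
        boolean allowed = false;
        try {
            allowed = checkSecurityAssociation((Permission) userDataPermission, (Principal[]) null);
        } catch (Exception e) {
            if (this.trace) {
                log.trace("Failed to checkSecurityAssociation", e);
            }
        }
        if (!allowed) {
            allowed = super.hasUserDataPermission(request, response, securityConstraintArr);
        }
        return allowed;
    }

    /** @return the configured security-constraint provider class name (empty by default) */
    public String getSecurityConstraintProviderClass() {
        return this.securityConstraintProviderClass;
    }

    /**
     * Sets the name of the class that is loaded and invoked reflectively to supply security
     * constraints. The named class runs inside the container, so this value must only come
     * from trusted deployment configuration.
     *
     * @param str fully qualified class name; {@code null} or empty disables the provider
     */
    public void setSecurityConstraintProviderClass(String str) {
        this.securityConstraintProviderClass = str;
    }

    /** @return whether constraint lookup is delegated when the superclass finds none */
    public boolean isUnprotectedResourceDelegation() {
        return this.unprotectedResourceDelegation;
    }

    /** @param z {@code true} to delegate constraint lookup when the superclass finds none */
    public void setUnprotectedResourceDelegation(boolean z) {
        this.unprotectedResourceDelegation = z;
    }

    /**
     * Returns the superclass's security constraints for the request; when there are none and
     * {@code unprotectedResourceDelegation} is enabled, asks the policy / configured provider.
     *
     * @param request the request being matched
     * @param context the web application context
     * @return the matching constraints, possibly {@code null} or empty
     */
    public SecurityConstraint[] findSecurityConstraints(Request request, Context context) {
        SecurityConstraint[] constraints = super.findSecurityConstraints(request, context);
        boolean noneFound = constraints == null || constraints.length == 0;
        if (noneFound && this.unprotectedResourceDelegation) {
            constraints = getSecurityConstraintsFromProvider(request, context);
        }
        return constraints;
    }

    /**
     * Evaluates the permission for the principals of the caller's established Subject.
     * When no Subject can be established the policy is consulted with a {@code null}
     * principal array.
     *
     * @param permission the permission to test
     * @param principal the request principal, used to recover a cached Subject
     * @return {@code true} if the policy implies the permission
     */
    protected boolean checkSecurityAssociation(Permission permission, Principal principal) {
        Subject caller = establishSubjectContext(principal);
        Principal[] principalArr = null;
        if (caller != null) {
            if (this.trace) {
                // The previous message ("No active subject found, using ") was emitted on the
                // branch where a subject WAS found, which misleads anyone auditing the trace.
                log.trace("Using principals of the established subject");
            }
            Set<Principal> principals = caller.getPrincipals();
            principalArr = new Principal[principals.size()];
            principals.toArray(principalArr);
        }
        return checkSecurityAssociation(permission, principalArr);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Asks the policy whether the permission is implied for a {@link ProtectionDomain} built
     * from the active code source ({@code JaccContextValve.activeCS}) and the given principals.
     *
     * @param permission the permission to test
     * @param principalArr the principals to evaluate, may be {@code null}
     * @return the policy's decision
     */
    public boolean checkSecurityAssociation(Permission permission, Principal[] principalArr) {
        CodeSource codeSource = (CodeSource) JaccContextValve.activeCS.get();
        ProtectionDomain domain = new ProtectionDomain(codeSource, null, null, principalArr);
        boolean implied = this.policy.implies(domain, permission);
        if (this.trace) {
            log.trace((implied ? "Allowed: " : "Denied: ") + permission);
        }
        return implied;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /* JADX WARN: Multi-variable type inference failed */
    /**
     * Returns the caller's Subject from the JACC {@link PolicyContext}; if none is available
     * and the principal is a {@code JBossGenericPrincipal}, falls back to the Subject cached on
     * that principal and re-establishes the security association from it.
     *
     * <p>Side effect on the fallback path: the cached authentication principal, credentials
     * and Subject are pushed into the security association via
     * {@code SecurityAssociationActions.setPrincipalInfo}.
     *
     * @param principal the request principal, may be {@code null}
     * @return the Subject, or {@code null} if none could be determined
     */
    public Subject establishSubjectContext(Principal principal) {
        Subject subject = null;
        try {
            subject = (Subject) PolicyContext.getContext(SUBJECT_CONTEXT_KEY);
        } catch (PolicyContextException e) {
            // Lookup failure is not fatal: the cached principal below may still supply a Subject.
            if (this.trace) {
                log.trace("Failed to get subject from PolicyContext", e);
            }
        }
        if (subject == null && (principal instanceof JBossGenericPrincipal)) {
            JBossGenericPrincipal cachedPrincipal = (JBossGenericPrincipal) principal;
            subject = cachedPrincipal.getSubject();
            if (this.trace) {
                log.trace("Restoring principal info from cache");
            }
            SecurityAssociationActions.setPrincipalInfo(cachedPrincipal.getAuthPrincipal(), cachedPrincipal.getCredentials(), cachedPrincipal.getSubject());
        }
        return subject;
    }

    /**
     * Returns the name used for role-ref lookups: the wrapper's name, except that the
     * {@code "jsp"} wrapper whose first mapping contains {@code "*.jsp"} yields an empty name.
     *
     * @param wrapper the servlet wrapper of the current request
     * @return the servlet name, or {@code ""} for the extension-mapped jsp servlet
     */
    private String getServletName(Wrapper wrapper) {
        String[] mappings = wrapper.findMappings();
        if (this.trace) {
            // Arrays.toString prints the mappings themselves rather than the array identity.
            log.trace("[getServletName:servletmappings=" + java.util.Arrays.toString(mappings) + ":servlet.getName()=" + wrapper.getName() + "]");
        }
        // The length check keeps a wrapper with no mappings from failing the authorization
        // path with an ArrayIndexOutOfBoundsException.
        boolean extensionMappedJsp = "jsp".equals(wrapper.getName())
                && mappings != null
                && mappings.length > 0
                && mappings[0].indexOf("*.jsp") > -1;
        return extensionMappedJsp ? "" : wrapper.getName();
    }

    /**
     * Obtains security constraints reflectively: first from a {@code findSecurityConstraints}
     * method on the policy object, then, if that yields nothing, from a new instance of the
     * configured {@code securityConstraintProviderClass}.
     *
     * <p>All failures are caught and logged, and the method then returns whatever was obtained
     * so far (possibly {@code null}). NOTE(review): the provider class is resolved through the
     * thread context class loader from a configured name; keep that setting under the same
     * change control as the security policy itself.
     *
     * @param request the request being matched
     * @param context the web application context
     * @return the constraints supplied by the policy or provider, or {@code null}
     */
    private SecurityConstraint[] getSecurityConstraintsFromProvider(Request request, Context context) {
        SecurityConstraint[] constraints = null;
        Class<?>[] parameterTypes = {Request.class, Context.class};
        Object[] arguments = {request, context};
        try {
            constraints = (SecurityConstraint[]) this.policy.getClass().getMethod("findSecurityConstraints", parameterTypes).invoke(this.policy, arguments);
        } catch (Throwable th) {
            // Reported only when trace is enabled; presumably because most policies do not
            // offer this method — confirm before relying on this log for diagnostics.
            if (this.trace) {
                log.error("Error obtaining security constraints from policy", th);
            }
        }
        if (constraints == null || constraints.length == 0) {
            String providerClassName = this.securityConstraintProviderClass;
            // Compare by content, not identity: the previous `!= ""` test was true for any
            // non-interned empty string and dereferenced null when the setter was given null.
            if (providerClassName != null && providerClassName.length() != 0) {
                try {
                    Class<?> providerClass = Thread.currentThread().getContextClassLoader().loadClass(providerClassName);
                    Object provider = providerClass.newInstance();
                    Method finder = providerClass.getMethod("findSecurityConstraints", parameterTypes);
                    if (this.trace) {
                        log.trace("findSecurityConstraints method found in securityConstraintProviderClass");
                    }
                    constraints = (SecurityConstraint[]) finder.invoke(provider, arguments);
                } catch (Throwable th2) {
                    log.error("Error instantiating " + providerClassName, th2);
                }
            } else if (this.trace) {
                log.trace("unprotectedResourceDelegation is true but securityConstraintProviderClass is empty");
            }
        }
        return constraints;
    }

    /**
     * Returns the request path used as the permission name; a {@code null} path or the
     * root path {@code "/"} is mapped to the empty string.
     *
     * @param request the request whose mapping data is read
     * @return the request path, or {@code ""} for the root / missing path
     */
    static String requestURI(Request request) {
        String path = request.getMappingData().requestPath.getString();
        if (path == null || path.equals("/")) {
            return "";
        }
        return path;
    }
}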
