package org.jboss.web.tomcat.security;

import java.io.IOException;
import java.security.CodeSource;
import java.security.Permission;
import java.security.Policy;
import java.security.Principal;
import java.security.ProtectionDomain;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.jacc.PolicyContext;
import javax.security.jacc.PolicyContextException;
import javax.security.jacc.WebResourcePermission;
import javax.security.jacc.WebRoleRefPermission;
import javax.security.jacc.WebUserDataPermission;
import javax.servlet.http.HttpServletRequest;
import org.apache.catalina.Context;
import org.apache.catalina.Wrapper;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.deploy.SecurityConstraint;
import org.jboss.logging.Logger;

/* loaded from: input_file:org/jboss/web/tomcat/security/JaccAuthorizationRealm.class */
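/**
 * Realm that answers the container's web authorization questions by asking the
 * {@link Policy} whether a JACC permission ({@link WebResourcePermission},
 * {@link WebRoleRefPermission}, {@link WebUserDataPermission}) is implied for the
 * caller's principals.
 *
 * <p>Security-relevant state kept by this class:
 * <ul>
 *   <li>{@code policy} is captured once, when the realm instance is created; a policy
 *       installed later through {@code Policy.setPolicy} is not picked up.</li>
 *   <li>{@code activeRequest} is a per-thread slot holding the servlet name recorded by
 *       {@link #hasResourcePermission}; {@link #hasRole} reads it to build the role-ref
 *       permission. It is overwritten on every resource check so that a pooled worker
 *       thread never evaluates a role reference against the previous request's servlet.</li>
 *   <li>{@code trace} is sampled once at construction, so changing the logger level
 *       afterwards does not change what this instance logs.</li>
 * </ul>
 */
public class JaccAuthorizationRealm extends JBossSecurityMgrRealm {
    static Logger log;
    /** JACC policy-context handler key under which the container publishes the caller Subject. */
    private static final String SUBJECT_CONTEXT_KEY = "javax.security.auth.Subject.container";
    /** Per-thread servlet name of the request currently being authorized (a String or null). */
    private static ThreadLocal activeRequest;
    // Compiler-generated cache for the class literal (pre-Java 5 bytecode idiom); see class$().
    static Class class$org$jboss$web$tomcat$security$JaccAuthorizationRealm;
    private Policy policy = Policy.getPolicy();
    private boolean trace = log.isTraceEnabled();

    /**
     * Decides whether the caller may access the requested resource.
     *
     * <p>Builds a {@link WebResourcePermission} from the servlet request and checks it
     * against the policy for the request's user principal. On denial a 403 is sent on
     * {@code response} before returning.
     *
     * @param request the Catalina request being authorized
     * @param response the response on which a 403 is sent when access is denied
     * @param securityConstraintArr not consulted by this implementation
     * @param context not consulted by this implementation
     * @return {@code true} if the policy implies the resource permission
     * @throws IOException if sending the error response fails
     */
    public boolean hasResourcePermission(Request request, Response response, SecurityConstraint[] securityConstraintArr, Context context) throws IOException {
        Wrapper wrapper = request.getWrapper();
        // Always overwrite the per-thread servlet name, including with null when the request
        // has no wrapper. Leaving the slot untouched would let hasRole() on a reused worker
        // thread build its WebRoleRefPermission from an earlier request's servlet name.
        activeRequest.set(wrapper != null ? wrapper.getName() : null);

        WebResourcePermission webResourcePermission = new WebResourcePermission(request.getRequest());
        boolean allowed = checkSecurityAssociation((Permission) webResourcePermission, request.getUserPrincipal());
        if (this.trace) {
            log.trace("hasResourcePermission, perm=" + webResourcePermission + ", allowed=" + allowed);
        }
        if (!allowed) {
            // 403 Forbidden; message text comes from the inherited string manager.
            response.sendError(403, sm.getString("realmBase.forbidden"));
        }
        return allowed;
    }

    /**
     * Decides whether {@code principal} is in the role reference {@code str} for the
     * servlet recorded on this thread by {@link #hasResourcePermission}.
     *
     * <p>When {@code getPrincipalRoles} returns a set, that set replaces the single
     * principal as the identity presented to the policy; otherwise the principal
     * itself is used.
     *
     * @param principal the authenticated caller
     * @param str the role reference name being tested
     * @return {@code true} if the policy implies the role-ref permission
     */
    @Override // org.jboss.web.tomcat.security.JBossSecurityMgrRealm
    public boolean hasRole(Principal principal, String str) {
        // The servlet name is whatever hasResourcePermission() last stored on this thread;
        // it is null when that request had no wrapper or no resource check has run here.
        WebRoleRefPermission webRoleRefPermission = new WebRoleRefPermission((String) activeRequest.get(), str);
        Principal[] principalArr = {principal};
        Set principalRoles = getPrincipalRoles(principal);
        if (principalRoles != null) {
            principalArr = new Principal[principalRoles.size()];
            principalRoles.toArray(principalArr);
        }
        boolean allowed = checkSecurityAssociation((Permission) webRoleRefPermission, principalArr);
        if (this.trace) {
            log.trace("hasRole, perm=" + webRoleRefPermission + ", allowed=" + allowed);
        }
        return allowed;
    }

    /**
     * Decides whether the request satisfies the user-data (transport) requirements.
     *
     * <p>The {@link WebUserDataPermission} is checked with no principals. If the policy
     * does not imply it, or the check throws, the decision is delegated to the
     * superclass implementation, so the final answer can be {@code true} even though
     * the policy check did not grant the permission.
     *
     * @param request the Catalina request being checked
     * @param response passed through to the superclass check
     * @param securityConstraintArr passed through to the superclass check
     * @return {@code true} if either the policy or the superclass check accepts the request
     * @throws IOException declared for the delegated superclass call
     */
    public boolean hasUserDataPermission(Request request, Response response, SecurityConstraint[] securityConstraintArr) throws IOException {
        HttpServletRequest servletRequest = request.getRequest();
        // Called for its side effect only: it may restore the cached principal info for
        // this thread. The returned Subject is deliberately not used for this check.
        establishSubjectContext(servletRequest.getUserPrincipal());
        WebUserDataPermission webUserDataPermission = new WebUserDataPermission(servletRequest);
        if (this.trace) {
            log.trace("hasUserDataPermission, p=" + webUserDataPermission);
        }
        boolean allowed = false;
        try {
            allowed = checkSecurityAssociation((Permission) webUserDataPermission, (Principal[]) null);
        } catch (Exception e) {
            // A failing policy check is treated as "not granted" and is only visible at
            // trace level. NOTE(review): a broken policy provider is therefore silent in
            // normal logging while the superclass check below still decides the outcome.
            if (this.trace) {
                log.trace("Failed to checkSecurityAssociation", e);
            }
        }
        if (!allowed) {
            allowed = super.hasUserDataPermission(request, response, securityConstraintArr);
        }
        return allowed;
    }

    /**
     * Checks {@code permission} for the caller identified by {@code principal}.
     *
     * <p>The principals presented to the policy are those of the Subject returned by
     * {@link #establishSubjectContext}; when no Subject is available the check is made
     * with a {@code null} principal array.
     */
    private boolean checkSecurityAssociation(Permission permission, Principal principal) {
        Subject caller = establishSubjectContext(principal);
        Principal[] principalArr = null;
        if (caller != null) {
            if (this.trace) {
                // The previous message here claimed no subject was found on the branch
                // where one was found, which misleads anyone auditing trace output.
                log.trace("Using principals from the established caller subject");
            }
            Set<Principal> principals = caller.getPrincipals();
            principalArr = new Principal[principals.size()];
            principals.toArray(principalArr);
        } else if (this.trace) {
            log.trace("No active subject found, using no principals");
        }
        return checkSecurityAssociation(permission, principalArr);
    }

    /**
     * Asks the policy whether {@code permission} is implied for a protection domain made
     * of the code source read from {@code JaccContextValve.activeCS} and the given
     * principals (which may be {@code null}).
     */
    private boolean checkSecurityAssociation(Permission permission, Principal[] principalArr) {
        // presumably activeCS is a per-thread CodeSource set by the valve for the current
        // web application - confirm against JaccContextValve.
        ProtectionDomain domain = new ProtectionDomain((CodeSource) JaccContextValve.activeCS.get(), null, null, principalArr);
        boolean implies = this.policy.implies(domain, permission);
        if (this.trace) {
            log.trace((implies ? "Allowed: " : "Denied: ") + permission);
        }
        return implies;
    }

    /**
     * Returns the caller Subject, preferring the one published in the JACC policy
     * context and falling back to the Subject cached on a {@code JBossGenericPrincipal}.
     *
     * <p>On the fallback path the cached authentication principal, credentials and
     * Subject are also pushed back through {@code SecurityAssociationActions}. The
     * credentials are never logged here and should stay out of any added logging.
     *
     * @param principal the request's user principal, possibly {@code null}
     * @return the Subject, or {@code null} if neither source provides one
     */
    private Subject establishSubjectContext(Principal principal) {
        Subject subject = null;
        try {
            subject = (Subject) PolicyContext.getContext(SUBJECT_CONTEXT_KEY);
        } catch (PolicyContextException e) {
            // Lookup failure is treated the same as "no subject in the policy context".
            if (this.trace) {
                log.trace("Failed to get subject from PolicyContext", e);
            }
        }
        if (subject == null && (principal instanceof JBossGenericPrincipal)) {
            JBossGenericPrincipal cached = (JBossGenericPrincipal) principal;
            subject = cached.getSubject();
            if (this.trace) {
                log.trace("Restoring principal info from cache");
            }
            SecurityAssociationActions.setPrincipalInfo(cached.getAuthPrincipal(), cached.getCredentials(), cached.getSubject());
        }
        return subject;
    }

    /**
     * Compiler-generated helper backing the class literal in the static initializer.
     * The original {@link ClassNotFoundException} is attached as the cause so the
     * failure is not reduced to a bare message.
     */
    static Class class$(String str) {
        try {
            return Class.forName(str);
        } catch (ClassNotFoundException e) {
            NoClassDefFoundError error = new NoClassDefFoundError(e.getMessage());
            error.initCause(e);
            throw error;
        }
    }

    static {
        // Equivalent of Logger.getLogger(JaccAuthorizationRealm.class) as emitted for
        // pre-Java 5 bytecode: resolve the class once and cache it in the synthetic field.
        Class cls;
        if (class$org$jboss$web$tomcat$security$JaccAuthorizationRealm == null) {
            cls = class$("org.jboss.web.tomcat.security.JaccAuthorizationRealm");
            class$org$jboss$web$tomcat$security$JaccAuthorizationRealm = cls;
        } else {
            cls = class$org$jboss$web$tomcat$security$JaccAuthorizationRealm;
        }
        log = Logger.getLogger(cls);
        activeRequest = new ThreadLocal();
    }
}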
