package org.glassfish.exousia;

import jakarta.security.jacc.EJBMethodPermission;
import jakarta.security.jacc.EJBRoleRefPermission;
import jakarta.security.jacc.PolicyConfiguration;
import jakarta.security.jacc.PolicyConfigurationFactory;
import jakarta.security.jacc.PolicyContext;
import jakarta.security.jacc.PolicyContextException;
import jakarta.security.jacc.WebResourcePermission;
import jakarta.security.jacc.WebRoleRefPermission;
import jakarta.security.jacc.WebUserDataPermission;
import jakarta.servlet.ServletContext;
import jakarta.servlet.http.HttpServletRequest;
import java.lang.reflect.Method;
import java.net.URL;
import java.security.AccessController;
import java.security.CodeSource;
import java.security.Permission;
import java.security.Permissions;
import java.security.Policy;
import java.security.Principal;
import java.security.PrivilegedActionException;
import java.security.ProtectionDomain;
import java.security.cert.Certificate;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.function.Function;
import java.util.function.Supplier;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.security.auth.Subject;
import org.eclipse.tags.shaded.org.apache.xpath.compiler.PsuedoNames;
import org.glassfish.exousia.constraints.SecurityConstraint;
import org.glassfish.exousia.constraints.transformer.ConstraintsToPermissionsTransformer;
import org.glassfish.exousia.mapping.SecurityRoleRef;
import org.glassfish.exousia.modules.def.DefaultPolicy;
import org.glassfish.exousia.modules.def.DefaultPolicyConfigurationFactory;
import org.glassfish.exousia.permissions.JakartaPermissions;
import org.glassfish.exousia.permissions.RolesToPermissionsTransformer;
import org.glassfish.exousia.spi.PrincipalMapper;

/* loaded from: input_file:org/glassfish/exousia/AuthorizationService.class */
public class AuthorizationService {
    static final Logger logger = Logger.getLogger(AuthorizationService.class.getName());
    private static final boolean isSecMgrOff;
    public static final String HTTP_SERVLET_REQUEST = "jakarta.servlet.http.HttpServletRequest";
    public static final String SUBJECT = "javax.security.auth.Subject.container";
    public static final String FACTORY = "jakarta.security.jacc.PolicyConfigurationFactory.provider";
    public static final String ENTERPRISE_BEAN = "jakarta.ejb.EnterpriseBean";
    public static final String ENTERPRISE_BEAN_ARGUMENTS = "jakarta.ejb.arguments";
    public static final String PRINCIPAL_MAPPER = "jakarta.authorization.PrincipalMapper.provider";
    private final String contextId;
    private Function<Set<Principal>, ProtectionDomain> protectionDomainCreator;
    private final Policy policy;
    private final PolicyConfigurationFactory factory;
    private final PolicyConfiguration policyConfiguration;
    private final CodeSource emptyCodeSource;
    private final ProtectionDomain emptyProtectionDomain;
    private String constrainedUriRequestAttribute;

    /* JADX INFO: Access modifiers changed from: private */
    @FunctionalInterface
    /* loaded from: input_file:org/glassfish/exousia/AuthorizationService$PrivilegedExceptionRunnable.class */
    public interface PrivilegedExceptionRunnable {
        void run() throws PrivilegedActionException;
    }

    @FunctionalInterface
    /* loaded from: input_file:org/glassfish/exousia/AuthorizationService$ThrowableSupplier.class */
    public interface ThrowableSupplier<T> {
        T get() throws Throwable;
    }

    public AuthorizationService(ServletContext servletContext, Supplier<Subject> supplier) {
        this(DefaultPolicyConfigurationFactory.class, DefaultPolicy.class, getServletContextId(servletContext), supplier);
    }

    public AuthorizationService(String str, Supplier<Subject> supplier) {
        this(DefaultPolicyConfigurationFactory.class, DefaultPolicy.class, str, supplier);
    }

    public AuthorizationService(Class<?> cls, Class<? extends Policy> cls2, String str, Supplier<Subject> supplier) {
        this(cls, cls2, str, supplier, (PrincipalMapper) null);
    }

    public AuthorizationService(Class<?> cls, Class<? extends Policy> cls2, String str, Supplier<Subject> supplier, PrincipalMapper principalMapper) {
        this(installFactory(cls), installPolicy(cls2), str, supplier, principalMapper);
    }

    public AuthorizationService(String str, Supplier<Subject> supplier, PrincipalMapper principalMapper) {
        this(getFactory(), getPolicy(), str, supplier, principalMapper);
    }

    public AuthorizationService(PolicyConfigurationFactory policyConfigurationFactory, Policy policy, String str, Supplier<Subject> supplier, PrincipalMapper principalMapper) {
        this.protectionDomainCreator = this::newProtectionDomain;
        this.emptyCodeSource = new CodeSource((URL) null, (Certificate[]) null);
        this.emptyProtectionDomain = newProtectionDomain(null);
        try {
            this.factory = policyConfigurationFactory;
            this.policyConfiguration = policyConfigurationFactory.getPolicyConfiguration(str, false);
            this.policy = Policy.getPolicy();
            this.contextId = str;
            PolicyContext.setContextID(str);
            PolicyContext.registerHandler(SUBJECT, new DefaultPolicyContextHandler(SUBJECT, supplier), true);
            PolicyContext.registerHandler(PRINCIPAL_MAPPER, new DefaultPolicyContextHandler(PRINCIPAL_MAPPER, () -> {
                return principalMapper;
            }), true);
        } catch (PolicyContextException | IllegalArgumentException | SecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    public void setRequestSupplier(Supplier<HttpServletRequest> supplier) {
        try {
            PolicyContext.registerHandler(HTTP_SERVLET_REQUEST, new DefaultPolicyContextHandler(HTTP_SERVLET_REQUEST, supplier), true);
        } catch (PolicyContextException e) {
            throw new IllegalStateException(e);
        }
    }

    public void setSubjectSupplier(Supplier<Subject> supplier) {
        try {
            PolicyContext.registerHandler(SUBJECT, new DefaultPolicyContextHandler(SUBJECT, supplier), true);
        } catch (PolicyContextException e) {
            throw new IllegalStateException(e);
        }
    }

    public void setEnterpriseBeanSupplier(Supplier<Object> supplier) {
        try {
            PolicyContext.registerHandler(ENTERPRISE_BEAN, new DefaultPolicyContextHandler(ENTERPRISE_BEAN, supplier), true);
        } catch (PolicyContextException e) {
            throw new IllegalStateException(e);
        }
    }

    public Function<Set<Principal>, ProtectionDomain> getProtectionDomainCreator() {
        return this.protectionDomainCreator;
    }

    public void setProtectionDomainCreator(Function<Set<Principal>, ProtectionDomain> function) {
        this.protectionDomainCreator = function;
    }

    public String getConstrainedUriRequestAttribute() {
        return this.constrainedUriRequestAttribute;
    }

    public void setConstrainedUriRequestAttribute(String str) {
        this.constrainedUriRequestAttribute = str;
    }

    public void addConstraintsToPolicy(List<SecurityConstraint> list, Set<String> set, boolean z, Map<String, List<SecurityRoleRef>> map) {
        try {
            addPermissionsToPolicy(ConstraintsToPermissionsTransformer.createResourceAndDataPermissions(set, z, list));
            addPermissionsToPolicy(RolesToPermissionsTransformer.createWebRoleRefPermission(set, map));
        } catch (PolicyContextException e) {
            throw new IllegalStateException(e);
        }
    }

    public void addPermissionsToPolicy(JakartaPermissions jakartaPermissions) {
        try {
            this.policyConfiguration.addToExcludedPolicy(jakartaPermissions.getExcluded());
            this.policyConfiguration.addToUncheckedPolicy(jakartaPermissions.getUnchecked());
            for (Map.Entry<String, Permissions> entry : jakartaPermissions.getPerRole().entrySet()) {
                this.policyConfiguration.addToRole(entry.getKey(), entry.getValue());
            }
        } catch (PolicyContextException e) {
            throw new IllegalStateException(e);
        }
    }

    public void removeStatementsFromPolicy(Set<String> set) {
        try {
            boolean inService = this.factory.inService(this.contextId);
            PolicyConfiguration policyConfiguration = this.factory.getPolicyConfiguration(this.contextId, false);
            policyConfiguration.removeUncheckedPolicy();
            policyConfiguration.removeExcludedPolicy();
            if (set != null) {
                Iterator<String> it = set.iterator();
                while (it.hasNext()) {
                    policyConfiguration.removeRole(it.next());
                }
            }
            policyConfiguration.removeRole("*");
            policyConfiguration.removeRole("*");
            if (inService) {
                this.policy.refresh();
            }
        } catch (PolicyContextException e) {
            throw new IllegalStateException(e);
        }
    }

    public boolean linkPolicy(String str, boolean z) {
        try {
            boolean inService = this.factory.inService(this.contextId);
            if (str == null) {
                return inService;
            }
            if (inService != z) {
                throw new IllegalStateException("Inconsistent Module State");
            }
            if (!inService) {
                this.factory.getPolicyConfiguration(this.contextId, false).linkConfiguration(this.factory.getPolicyConfiguration(str, false));
            }
            return z;
        } catch (PolicyContextException e) {
            throw new IllegalStateException(e.toString());
        }
    }

    public static boolean linkPolicy(String str, String str2, boolean z) {
        try {
            PolicyConfigurationFactory policyConfigurationFactory = PolicyConfigurationFactory.getPolicyConfigurationFactory();
            boolean inService = policyConfigurationFactory.inService(str);
            if (str2 == null) {
                return inService;
            }
            if (inService != z) {
                throw new IllegalStateException("Inconsistent Module State");
            }
            if (!inService) {
                policyConfigurationFactory.getPolicyConfiguration(str, false).linkConfiguration(policyConfigurationFactory.getPolicyConfiguration(str2, false));
            }
            return z;
        } catch (PolicyContextException | ClassNotFoundException e) {
            throw new IllegalStateException(e.toString());
        }
    }

    public void commitPolicy() {
        try {
            if (!this.factory.inService(this.contextId)) {
                this.policyConfiguration.commit();
                logger.log(Level.FINE, () -> {
                    return "Jakarta Authorization: committed policy for context: " + this.contextId;
                });
            }
            this.policy.refresh();
        } catch (PolicyContextException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void commitPolicy(String str) {
        try {
            if (!PolicyConfigurationFactory.getPolicyConfigurationFactory().inService(str)) {
                PolicyConfigurationFactory.getPolicyConfigurationFactory().getPolicyConfiguration(str, false).commit();
                logger.log(Level.FINE, () -> {
                    return "Jakarta Authorization: committed policy for context: " + str;
                });
            }
            Policy.getPolicy().refresh();
        } catch (PolicyContextException | ClassNotFoundException e) {
            throw new IllegalStateException(e);
        }
    }

    public void refresh() {
        try {
            if (this.factory.inService(this.contextId)) {
                this.policy.refresh();
            }
        } catch (PolicyContextException e) {
            throw new IllegalStateException(e);
        }
    }

    public PolicyConfiguration getPolicyConfiguration() {
        return this.policyConfiguration;
    }

    public boolean checkWebUserDataPermission(HttpServletRequest httpServletRequest) {
        return checkPermission(new WebUserDataPermission(httpServletRequest));
    }

    public boolean checkWebUserDataPermission(String str, String str2, boolean z) {
        return checkPermission(new WebUserDataPermission(str, str2 == null ? null : new String[]{str2}, z ? "CONFIDENTIAL" : null));
    }

    public boolean checkWebUserDataPermission(String str, String str2, boolean z, Set<Principal> set) {
        return checkPermission(new WebUserDataPermission(str, str2 == null ? null : new String[]{str2}, z ? "CONFIDENTIAL" : null), set);
    }

    public boolean checkPublicWebResourcePermission(HttpServletRequest httpServletRequest) {
        return checkPermission(new WebResourcePermission(getConstrainedURI(httpServletRequest), httpServletRequest.getMethod()));
    }

    public boolean checkWebResourcePermission(HttpServletRequest httpServletRequest) {
        try {
            Subject subject = (Subject) PolicyContext.getContext(SUBJECT);
            return checkWebResourcePermission(httpServletRequest, subject == null ? null : subject.getPrincipals());
        } catch (PolicyContextException e) {
            throw new IllegalStateException(e);
        }
    }

    public boolean checkWebResourcePermission(HttpServletRequest httpServletRequest, Set<Principal> set) {
        return checkPermission(new WebResourcePermission(getConstrainedURI(httpServletRequest), httpServletRequest.getMethod()), set);
    }

    public boolean checkWebRoleRefPermission(String str, String str2) {
        try {
            Subject subject = (Subject) PolicyContext.getContext(SUBJECT);
            return checkWebRoleRefPermission(str, str2, subject == null ? null : subject.getPrincipals());
        } catch (PolicyContextException e) {
            throw new IllegalStateException(e);
        }
    }

    public boolean checkWebRoleRefPermission(String str, String str2, Set<Principal> set) {
        return checkPermission(new WebRoleRefPermission(str, str2), set);
    }

    public boolean checkBeanRoleRefPermission(String str, String str2, Set<Principal> set) {
        EJBRoleRefPermission eJBRoleRefPermission = new EJBRoleRefPermission(str, str2);
        boolean checkPermissionScoped = checkPermissionScoped(eJBRoleRefPermission, set);
        logger.fine(() -> {
            return "Authorization: checkBeanRoleRefPermission Result: " + checkPermissionScoped + " EJBRoleRefPermission (Name) = " + eJBRoleRefPermission.getName() + " (Action) = " + eJBRoleRefPermission.getActions() + " (Codesource) = " + this.protectionDomainCreator.apply(set).getCodeSource();
        });
        return checkPermissionScoped;
    }

    public boolean checkBeanMethodPermission(String str, String str2, Method method, Set<Principal> set) {
        EJBMethodPermission eJBMethodPermission = new EJBMethodPermission(str, str2, method);
        boolean checkPermissionScoped = checkPermissionScoped(eJBMethodPermission, set);
        logger.fine(() -> {
            return "Authorization: Access Control Decision Result: " + checkPermissionScoped + " EJBMethodPermission (Name) = " + eJBMethodPermission.getName() + " (Action) = " + eJBMethodPermission.getActions();
        });
        return checkPermissionScoped;
    }

    public Object invokeBeanMethod(Object obj, Method method, Object[] objArr) throws Throwable {
        return runInScope(() -> {
            return method.invoke(obj, objArr);
        });
    }

    public void deletePolicy() {
        try {
            boolean inService = this.factory.inService(this.contextId);
            this.factory.getPolicyConfiguration(this.contextId, false).delete();
            if (inService) {
                this.policy.refresh();
            }
        } catch (PolicyContextException e) {
            throw new IllegalStateException(e.toString());
        }
    }

    public static void deletePolicy(String str) {
        try {
            PolicyConfigurationFactory policyConfigurationFactory = PolicyConfigurationFactory.getPolicyConfigurationFactory();
            boolean inService = policyConfigurationFactory.inService(str);
            policyConfigurationFactory.getPolicyConfiguration(str, false).delete();
            if (inService) {
                Policy.getPolicy().refresh();
            }
        } catch (PolicyContextException | ClassNotFoundException e) {
            throw new IllegalStateException(e.toString());
        }
    }

    boolean checkPermission(Permission permission) {
        return this.policy.implies(this.emptyProtectionDomain, permission);
    }

    boolean checkPermission(Permission permission, Set<Principal> set) {
        return this.policy.implies(newProtectionDomain(set), permission);
    }

    boolean checkPermissionScoped(Permission permission, Set<Principal> set) {
        String str = null;
        try {
            try {
                str = setThreadContextId(this.contextId);
                boolean implies = this.policy.implies(this.protectionDomainCreator.apply(set), permission);
                try {
                    setPolicyContextChecked(str, this.contextId);
                } catch (Throwable th) {
                    logger.log(Level.SEVERE, "jacc_policy_context_exception", th);
                }
                return implies;
            } catch (Throwable th2) {
                logger.log(Level.SEVERE, "jacc_is_caller_in_role_exception", th2);
                try {
                    setPolicyContextChecked(str, this.contextId);
                    return false;
                } catch (Throwable th3) {
                    logger.log(Level.SEVERE, "jacc_policy_context_exception", th3);
                    return false;
                }
            }
        } catch (Throwable th4) {
            try {
                setPolicyContextChecked(str, this.contextId);
            } catch (Throwable th5) {
                logger.log(Level.SEVERE, "jacc_policy_context_exception", th5);
            }
            throw th4;
        }
    }

    public Object runInScope(ThrowableSupplier<Object> throwableSupplier) throws Throwable {
        String threadContextId = setThreadContextId(this.contextId);
        try {
            Object obj = throwableSupplier.get();
            setPolicyContextChecked(threadContextId, this.contextId);
            return obj;
        } catch (Throwable th) {
            setPolicyContextChecked(threadContextId, this.contextId);
            throw th;
        }
    }

    private static PolicyConfigurationFactory installFactory(Class<?> cls) {
        System.setProperty(FACTORY, cls.getName());
        return getFactory();
    }

    private static Policy installPolicy(Class<? extends Policy> cls) {
        try {
            Policy.setPolicy(cls.getConstructor(new Class[0]).newInstance(new Object[0]));
            return getPolicy();
        } catch (IllegalArgumentException | ReflectiveOperationException | SecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    private static PolicyConfigurationFactory getFactory() {
        try {
            return PolicyConfigurationFactory.getPolicyConfigurationFactory();
        } catch (PolicyContextException | ClassNotFoundException e) {
            throw new IllegalStateException(e);
        }
    }

    private static Policy getPolicy() {
        return Policy.getPolicy();
    }

    private ProtectionDomain newProtectionDomain(Set<Principal> set) {
        return new ProtectionDomain(this.emptyCodeSource, null, null, set == null ? null : (Principal[]) set.toArray(new Principal[0]));
    }

    private String getConstrainedURI(HttpServletRequest httpServletRequest) {
        String str;
        if (this.constrainedUriRequestAttribute != null && (str = (String) httpServletRequest.getAttribute(this.constrainedUriRequestAttribute)) != null) {
            return str;
        }
        String requestRelativeURI = getRequestRelativeURI(httpServletRequest);
        return requestRelativeURI.equals(PsuedoNames.PSEUDONAME_ROOT) ? "" : requestRelativeURI.replaceAll(":", "%3A");
    }

    private String getRequestRelativeURI(HttpServletRequest httpServletRequest) {
        return httpServletRequest.getRequestURI().substring(httpServletRequest.getContextPath().length());
    }

    public static String getServletContextId(ServletContext servletContext) {
        return servletContext.getVirtualServerName() + " " + servletContext.getContextPath();
    }

    public static void setThreadContextId(ServletContext servletContext) {
        PolicyContext.setContextID(getServletContextId(servletContext));
    }

    public static String setThreadContextId(String str) {
        String contextID = PolicyContext.getContextID();
        setPolicyContextChecked(str, contextID);
        return contextID;
    }

    private static void setPolicyContextChecked(String str, String str2) {
        if (str != null) {
            if (str2 == null || !str2.equals(str)) {
                logger.fine(() -> {
                    return "Authorization: Changing Policy Context ID: oldContextId = " + str2 + " newContextId = " + str;
                });
                try {
                    doPrivileged(() -> {
                        PolicyContext.setContextID(str);
                    });
                } catch (Exception e) {
                    if (!(e instanceof PrivilegedActionException)) {
                        throw new IllegalStateException(e);
                    }
                    throw new IllegalStateException(e.getCause());
                }
            }
        }
    }

    public static void doPrivileged(PrivilegedExceptionRunnable privilegedExceptionRunnable) throws Exception {
        if (isSecMgrOff) {
            privilegedExceptionRunnable.run();
        }
        AccessController.doPrivileged(() -> {
            privilegedExceptionRunnable.run();
            return null;
        });
    }

    static {
        isSecMgrOff = System.getSecurityManager() == null;
    }
}
