package org.apache.geronimo.security.deployment;

import java.security.Principal;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import javax.xml.namespace.QName;
import org.apache.geronimo.common.DeploymentException;
import org.apache.geronimo.deployment.DeploymentContext;
import org.apache.geronimo.deployment.NamespaceDrivenBuilder;
import org.apache.geronimo.deployment.service.SingleGBeanBuilder;
import org.apache.geronimo.deployment.xmlbeans.XmlBeansUtil;
import org.apache.geronimo.gbean.AbstractName;
import org.apache.geronimo.gbean.AbstractNameQuery;
import org.apache.geronimo.gbean.GBeanData;
import org.apache.geronimo.gbean.GBeanInfo;
import org.apache.geronimo.gbean.GBeanInfoBuilder;
import org.apache.geronimo.gbean.GBeanLifecycle;
import org.apache.geronimo.j2ee.deployment.EARContext;
import org.apache.geronimo.kernel.GBeanAlreadyExistsException;
import org.apache.geronimo.kernel.Naming;
import org.apache.geronimo.kernel.repository.Environment;
import org.apache.geronimo.security.credentialstore.CredentialStore;
import org.apache.geronimo.security.deploy.LoginDomainPrincipalInfo;
import org.apache.geronimo.security.deploy.PrincipalInfo;
import org.apache.geronimo.security.deploy.RealmPrincipalInfo;
import org.apache.geronimo.security.deploy.Role;
import org.apache.geronimo.security.deploy.Security;
import org.apache.geronimo.security.deploy.SubjectInfo;
import org.apache.geronimo.security.jacc.ApplicationPolicyConfigurationManager;
import org.apache.geronimo.security.jacc.mappingprovider.ApplicationPrincipalRoleConfigurationManager;
import org.apache.geronimo.security.util.ConfigurationUtil;
import org.apache.geronimo.xbeans.geronimo.security.GerLoginDomainPrincipalType;
import org.apache.geronimo.xbeans.geronimo.security.GerPrincipalType;
import org.apache.geronimo.xbeans.geronimo.security.GerRealmPrincipalType;
import org.apache.geronimo.xbeans.geronimo.security.GerRoleMappingsType;
import org.apache.geronimo.xbeans.geronimo.security.GerRoleType;
import org.apache.geronimo.xbeans.geronimo.security.GerSecurityDocument;
import org.apache.geronimo.xbeans.geronimo.security.GerSecurityType;
import org.apache.geronimo.xbeans.geronimo.security.GerSubjectInfoType;
import org.apache.xmlbeans.QNameSet;
import org.apache.xmlbeans.XmlException;
import org.apache.xmlbeans.XmlObject;

/* loaded from: input_file:org/apache/geronimo/security/deployment/GeronimoSecurityBuilderImpl.class */
/**
 * Deployment builder for the Geronimo security plan element (the document element of
 * {@link GerSecurityDocument}).
 *
 * <p>When a plan contains exactly one such element, {@link #build} turns it into a
 * {@link SecurityConfiguration}, stores that on the {@link EARContext}, and registers two GBeans:
 * a principal-to-role mapper and a JACC application policy manager.
 *
 * <p>Points a security reviewer should keep in mind when reading this class:
 * <ul>
 *   <li>Principal class names ({@code getClass1()}), realm, domain and principal names are read
 *       from the plan, trimmed, and handed to {@code ConfigurationUtil.generate*Principal}
 *       together with the deployment class loader. No further validation happens here.
 *       NOTE(review): those helpers presumably load the named class; confirm, and treat the
 *       plan as input that decides which principal classes get used.</li>
 *   <li>Role names are keyed after {@code trim()}. Two role entries whose names are equal after
 *       trimming end up under the same key, so the later entry replaces the earlier one in
 *       {@code Security.getRoleMappings()} (and in the run-as subject map) unless schema
 *       validation already rejects duplicates. TODO confirm against the schema.</li>
 *   <li>A plan without a security element leaves the context untouched: no security
 *       configuration, role mapper or JACC manager is set by this builder.</li>
 * </ul>
 */
public class GeronimoSecurityBuilderImpl implements NamespaceDrivenBuilder, GBeanLifecycle {
    private static final QName SECURITY_QNAME = GerSecurityDocument.type.getDocumentElementName();
    private static final QNameSet SECURITY_QNAME_SET = QNameSet.singleton(SECURITY_QNAME);

    /** Old plan namespace to replacement namespace; registered with XmlBeansUtil while started. */
    private static final Map<String, String> NAMESPACE_UPDATES = new HashMap<String, String>();

    /** Credential store query used when the security element does not set its own reference. */
    private final AbstractNameQuery credentialStoreName;

    public static final GBeanInfo GBEAN_INFO;

    /**
     * @param abstractNameQuery default credential store query; stored as-is (may be null as far
     *        as this class is concerned)
     */
    public GeronimoSecurityBuilderImpl(AbstractNameQuery abstractNameQuery) {
        this.credentialStoreName = abstractNameQuery;
    }

    /** Registers the namespace upgrade table with {@link XmlBeansUtil}. */
    public void doStart() {
        XmlBeansUtil.registerNamespaceUpdates(NAMESPACE_UPDATES);
    }

    /** Removes the namespace upgrade table registered by {@link #doStart()}. */
    public void doStop() {
        XmlBeansUtil.unregisterNamespaceUpdates(NAMESPACE_UPDATES);
    }

    /** Failure is handled exactly like a normal stop. */
    public void doFail() {
        doStop();
    }

    /** Intentionally a no-op: this builder contributes nothing to the environment. */
    public void buildEnvironment(XmlObject xmlObject, Environment environment) throws DeploymentException {
    }

    /**
     * Processes the security element found directly under {@code xmlObject}, if any.
     *
     * @param xmlObject plan container whose children are searched for the security element
     * @param deploymentContext application context; must be an {@link EARContext}
     * @param deploymentContext2 not used by this implementation
     * @throws DeploymentException if more than one security element is present, the element
     *         cannot be converted to {@link GerSecurityType}, or either GBean already exists
     */
    public void build(XmlObject xmlObject, DeploymentContext deploymentContext, DeploymentContext deploymentContext2) throws DeploymentException {
        // Unchecked downcast performed before anything else: a different DeploymentContext
        // fails here with ClassCastException even when the plan has no security element.
        final EARContext earContext = (EARContext) deploymentContext;

        final XmlObject[] securityElements = xmlObject.selectChildren(SECURITY_QNAME_SET);
        final int elementCount = securityElements.length;
        if (elementCount > 1) {
            throw new DeploymentException("Unexpected count of security elements in geronimo plan " + elementCount + " qnameset: " + SECURITY_QNAME_SET);
        }
        if (elementCount != 1) {
            // No security element: nothing is configured by this builder.
            return;
        }

        try {
            final GerSecurityType securityPlan = (GerSecurityType) XmlBeansUtil.typedCopy(securityElements[0], GerSecurityType.type);
            final Security parsedPlan = buildSecurityConfig(securityPlan);
            final SecurityConfiguration securityConfiguration = buildSecurityConfiguration(parsedPlan, deploymentContext.getClassLoader());
            earContext.setSecurityConfiguration(securityConfiguration);

            final Naming naming = earContext.getNaming();
            final GBeanData roleMapper = configureRoleMapper(naming, earContext.getModuleName(), securityConfiguration);
            try {
                earContext.addGBean(roleMapper);
            } catch (GBeanAlreadyExistsException e) {
                throw new DeploymentException("Role mapper gbean already present", e);
            }

            final AbstractName moduleName = earContext.getModuleName();
            final Map<?, ?> permissionsByContextId = earContext.getContextIDToPermissionsMap();
            // A credential store reference in the plan takes precedence over the builder default.
            final AbstractNameQuery credentialStoreQuery;
            if (securityPlan.isSetCredentialStoreRef()) {
                credentialStoreQuery = SingleGBeanBuilder.buildAbstractNameQuery(securityPlan.getCredentialStoreRef(), "GBean", Collections.singleton(CredentialStore.class.getName()));
            } else {
                credentialStoreQuery = this.credentialStoreName;
            }

            final GBeanData policyManager = configureApplicationPolicyManager(naming, moduleName, permissionsByContextId, securityConfiguration, credentialStoreQuery);
            policyManager.setReferencePattern("PrincipalRoleMapper", roleMapper.getAbstractName());
            try {
                earContext.addGBean(policyManager);
                earContext.setJaccManagerName(policyManager.getAbstractName());
            } catch (GBeanAlreadyExistsException e) {
                throw new DeploymentException("JACC manager gbean already present", e);
            }
        } catch (XmlException e) {
            throw new DeploymentException("Could not validate security element", e);
        }
    }

    /**
     * Derives the runtime {@link SecurityConfiguration} from the parsed plan.
     *
     * <p>The role-to-principals map is built first and then inverted, because the configuration
     * is constructed from a principal-to-roles map.
     */
    private static SecurityConfiguration buildSecurityConfiguration(Security security, ClassLoader classLoader) {
        Map roleSubjectMappings = security.getRoleSubjectMappings();
        final Map<Principal, Set<String>> rolesByPrincipal = new HashMap<Principal, Set<String>>();
        final Map<String, Set<Principal>> principalsByRole = new HashMap<String, Set<Principal>>();
        buildRolePrincipalMap(security, principalsByRole, classLoader);
        invertMap(principalsByRole, rolesByPrincipal);
        return new SecurityConfiguration(
                rolesByPrincipal,
                roleSubjectMappings,
                security.getDefaultSubjectInfo(),
                security.getDefaultRole(),
                security.isDoAsCurrentCaller(),
                security.isUseContextHandler());
    }

    /**
     * Returns the set stored under {@code key}, creating and storing an empty {@link HashSet}
     * first when the map has no (or a null) value for that key.
     */
    private static <K, V> Set<V> getOrCreateSet(Map<K, Set<V>> index, K key) {
        Set<V> members = index.get(key);
        if (members == null) {
            members = new HashSet<V>();
            index.put(key, members);
        }
        return members;
    }

    /**
     * Adds, for every (role, principal) pair in {@code principalsByRole}, the role name to the
     * principal's entry in {@code rolesByPrincipal}.
     *
     * @return {@code rolesByPrincipal}, the same instance that was passed in
     */
    private static Map invertMap(Map<String, Set<Principal>> principalsByRole, Map<Principal, Set<String>> rolesByPrincipal) {
        for (Map.Entry<String, Set<Principal>> mapping : principalsByRole.entrySet()) {
            final String roleName = mapping.getKey();
            for (Principal principal : mapping.getValue()) {
                getOrCreateSet(rolesByPrincipal, principal).add(roleName);
            }
        }
        return rolesByPrincipal;
    }

    /**
     * Fills {@code map} with the principals assigned to each role of {@code security}.
     *
     * <p>Principals are produced by {@code ConfigurationUtil} from the plan-supplied principal
     * descriptions and {@code classLoader}. Existing entries in {@code map} are extended, not
     * replaced.
     *
     * @param security parsed plan providing the role mappings
     * @param map role name to principals; updated in place
     * @param classLoader passed through to {@code ConfigurationUtil}
     */
    public static void buildRolePrincipalMap(Security security, Map<String, Set<Principal>> map, ClassLoader classLoader) {
        for (Role role : security.getRoleMappings().values()) {
            final String roleName = role.getRoleName();
            // Collect everything for this role first so that the target map is only touched
            // once all principals of the role were generated.
            final Set<Principal> rolePrincipals = new HashSet<Principal>();
            for (RealmPrincipalInfo realmInfo : role.getRealmPrincipals()) {
                rolePrincipals.add(ConfigurationUtil.generateRealmPrincipal(realmInfo.getRealm(), realmInfo.getDomain(), realmInfo, classLoader));
            }
            for (LoginDomainPrincipalInfo domainInfo : role.getLoginDomainPrincipals()) {
                rolePrincipals.add(ConfigurationUtil.generateDomainPrincipal(domainInfo.getDomain(), domainInfo, classLoader));
            }
            for (Object plainInfo : role.getPrincipals()) {
                rolePrincipals.add(ConfigurationUtil.generatePrincipal((PrincipalInfo) plainInfo, classLoader));
            }
            getOrCreateSet(map, roleName).addAll(rolePrincipals);
        }
    }

    /**
     * Copies the XML security element into a {@link Security} value object.
     *
     * @return the populated object, or {@code null} when {@code securityPlan} is {@code null}
     *         (the caller in {@link #build} does not check for that null)
     */
    private Security buildSecurityConfig(GerSecurityType securityPlan) {
        if (securityPlan == null) {
            return null;
        }
        final Security security = new Security();
        security.setDoAsCurrentCaller(securityPlan.getDoasCurrentCaller());
        security.setUseContextHandler(securityPlan.getUseContextHandler());
        if (securityPlan.isSetDefaultRole()) {
            security.setDefaultRole(securityPlan.getDefaultRole().trim());
        }
        if (securityPlan.isSetRoleMappings()) {
            final GerRoleMappingsType roleMappings = securityPlan.getRoleMappings();
            for (int roleIndex = 0; roleIndex < roleMappings.sizeOfRoleArray(); roleIndex++) {
                final GerRoleType roleXml = roleMappings.getRoleArray(roleIndex);
                final Role role = new Role();
                final String roleName = roleXml.getRoleName().trim();
                role.setRoleName(roleName);
                if (roleXml.isSetRunAsSubject()) {
                    security.getRoleSubjectMappings().put(roleName, buildSubjectInfo(roleXml.getRunAsSubject()));
                }
                for (int k = 0; k < roleXml.sizeOfRealmPrincipalArray(); k++) {
                    role.getRealmPrincipals().add(buildRealmPrincipal(roleXml.getRealmPrincipalArray(k)));
                }
                for (int k = 0; k < roleXml.sizeOfLoginDomainPrincipalArray(); k++) {
                    role.getLoginDomainPrincipals().add(buildDomainPrincipal(roleXml.getLoginDomainPrincipalArray(k)));
                }
                for (int k = 0; k < roleXml.sizeOfPrincipalArray(); k++) {
                    role.getPrincipals().add(buildPrincipal(roleXml.getPrincipalArray(k)));
                }
                // Keyed by the trimmed name: an earlier role with the same key is replaced.
                security.getRoleMappings().put(roleName, role);
            }
        }
        security.setDefaultSubjectInfo(buildSubjectInfo(securityPlan.getDefaultSubject()));
        return security;
    }

    /** Converts a subject reference (realm and id, both trimmed); {@code null} maps to {@code null}. */
    private SubjectInfo buildSubjectInfo(GerSubjectInfoType subjectXml) {
        return subjectXml == null
                ? null
                : new SubjectInfo(subjectXml.getRealm().trim(), subjectXml.getId().trim());
    }

    /** Converts a realm principal element; every value is trimmed, none is validated here. */
    private static RealmPrincipalInfo buildRealmPrincipal(GerRealmPrincipalType realmPrincipalXml) {
        final String realmName = realmPrincipalXml.getRealmName().trim();
        final String domainName = realmPrincipalXml.getDomainName().trim();
        final String className = realmPrincipalXml.getClass1().trim();
        final String principalName = realmPrincipalXml.getName().trim();
        return new RealmPrincipalInfo(realmName, domainName, className, principalName);
    }

    /** Converts a login-domain principal element; every value is trimmed, none is validated here. */
    private static LoginDomainPrincipalInfo buildDomainPrincipal(GerLoginDomainPrincipalType domainPrincipalXml) {
        final String domainName = domainPrincipalXml.getDomainName().trim();
        final String className = domainPrincipalXml.getClass1().trim();
        final String principalName = domainPrincipalXml.getName().trim();
        return new LoginDomainPrincipalInfo(domainName, className, principalName);
    }

    /**
     * Converts a plain principal element.
     *
     * @param xmlObject must be a {@link GerPrincipalType}; anything else fails the cast
     * @return the principal description with trimmed class name and principal name
     */
    public PrincipalInfo buildPrincipal(XmlObject xmlObject) {
        final GerPrincipalType principalXml = (GerPrincipalType) xmlObject;
        final String className = principalXml.getClass1().trim();
        final String principalName = principalXml.getName().trim();
        return new PrincipalInfo(className, principalName);
    }

    /**
     * Creates the GBean data for the principal-to-role mapper as a child of {@code abstractName}.
     */
    protected GBeanData configureRoleMapper(Naming naming, AbstractName abstractName, SecurityConfiguration securityConfiguration) {
        final AbstractName roleMapperName = naming.createChildName(abstractName, "RoleMapper", "RoleMapper");
        final GBeanData roleMapper = new GBeanData(roleMapperName, ApplicationPrincipalRoleConfigurationManager.GBEAN_INFO);
        roleMapper.setAttribute("principalRoleMap", securityConfiguration.getPrincipalRoleMap());
        return roleMapper;
    }

    /**
     * Creates the GBean data for the JACC application policy manager as a child of
     * {@code abstractName}.
     *
     * <p>The {@code CredentialStore} reference is only set when there is something to resolve
     * through it: at least one role designate (run-as subject) or a default subject.
     */
    protected GBeanData configureApplicationPolicyManager(Naming naming, AbstractName abstractName, Map map, SecurityConfiguration securityConfiguration, AbstractNameQuery abstractNameQuery) {
        final AbstractName jaccManagerName = naming.createChildName(abstractName, "JACCManager", "JACCManager");
        final GBeanData jaccManager = new GBeanData(jaccManagerName, ApplicationPolicyConfigurationManager.GBEAN_INFO);
        jaccManager.setAttribute("contextIdToPermissionsMap", map);

        final Map<String, SubjectInfo> roleDesignates = securityConfiguration.getRoleDesignates();
        jaccManager.setAttribute("roleDesignates", roleDesignates);
        jaccManager.setAttribute("defaultSubjectInfo", securityConfiguration.getDefaultSubjectInfo());

        final boolean hasRoleDesignates = roleDesignates != null && !roleDesignates.isEmpty();
        if (hasRoleDesignates || securityConfiguration.getDefaultSubjectInfo() != null) {
            jaccManager.setReferencePattern("CredentialStore", abstractNameQuery);
        }
        return jaccManager;
    }

    /** This builder handles no spec (standard descriptor) elements. */
    public QNameSet getSpecQNameSet() {
        return QNameSet.EMPTY;
    }

    /** This builder handles only the security element of the Geronimo plan. */
    public QNameSet getPlanQNameSet() {
        return SECURITY_QNAME_SET;
    }

    public static GBeanInfo getGBeanInfo() {
        return GBEAN_INFO;
    }

    static {
        final String loginConfigTarget = "http://geronimo.apache.org/xml/ns/loginconfig-2.0";
        final String securityTarget = "http://geronimo.apache.org/xml/ns/security-2.0";

        NAMESPACE_UPDATES.put("http://geronimo.apache.org/xml/ns/loginconfig", loginConfigTarget);
        NAMESPACE_UPDATES.put("http://geronimo.apache.org/xml/ns/loginconfig-1.1", loginConfigTarget);
        NAMESPACE_UPDATES.put("http://geronimo.apache.org/xml/ns/loginconfig-1.2", loginConfigTarget);
        // NOTE(review): the unversioned security namespace is mapped to security-1.2 while the
        // 1.1 and 1.2 namespaces go to security-2.0. Confirm whether XmlBeansUtil applies the
        // updates transitively or whether this entry was meant to target 2.0 as well.
        NAMESPACE_UPDATES.put("http://geronimo.apache.org/xml/ns/security", "http://geronimo.apache.org/xml/ns/security-1.2");
        NAMESPACE_UPDATES.put("http://geronimo.apache.org/xml/ns/security-1.1", securityTarget);
        NAMESPACE_UPDATES.put("http://geronimo.apache.org/xml/ns/security-1.2", securityTarget);

        final GBeanInfoBuilder infoBuilder = GBeanInfoBuilder.createStatic(GeronimoSecurityBuilderImpl.class, "ModuleBuilder");
        infoBuilder.addAttribute("credentialStoreName", AbstractNameQuery.class, true, true);
        infoBuilder.setConstructor(new String[]{"credentialStoreName"});
        GBEAN_INFO = infoBuilder.getBeanInfo();
    }
}
