package org.apache.tomee.catalina;

import java.io.Serializable;
import java.security.Principal;
import java.util.HashSet;
import java.util.LinkedHashSet;
import java.util.LinkedList;
import java.util.Set;
import java.util.UUID;
import java.util.concurrent.Callable;
import javax.security.auth.Subject;
import javax.security.auth.login.CredentialNotFoundException;
import javax.security.auth.login.LoginException;
import javax.servlet.http.HttpServletRequest;
import org.apache.catalina.Engine;
import org.apache.catalina.Realm;
import org.apache.catalina.Service;
import org.apache.catalina.connector.Request;
import org.apache.openejb.BeanContext;
import org.apache.openejb.core.security.AbstractSecurityService;
import org.apache.openejb.loader.SystemInstance;
import org.apache.openejb.spi.CallerPrincipal;
import org.apache.tomee.loader.TomcatHelper;
import org.hsqldb.Tokens;

/* loaded from: input_file:lib/tomee-catalina-8.0.5.jar:org/apache/tomee/catalina/TomcatSecurityService.class */
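public class TomcatSecurityService extends AbstractSecurityService {
    /**
     * When {@code tomee.realm.only-default=true}, {@link #login(String, String, String)} ignores the
     * realm name supplied by the caller and always authenticates against the engine realm.
     * Read once at class-initialisation time; later changes to the property are not seen.
     */
    private static final boolean ONLY_DEFAULT_REALM =
        "true".equals(SystemInstance.get().getProperty("tomee.realm.only-default", "false"));

    /**
     * Request attribute that may hold a {@link Callable} producing the {@link Subject} used as the
     * default security context (see {@link #getDefaultSecurityContext()}).
     */
    private static final String SUBJECT_CALLABLE_ATTRIBUTE = "javax.security.auth.subject.callable";

    /**
     * Per-thread stack of run-as subjects: {@link #enterWebApp} pushes, {@link #exitWebApp} pops.
     * The head of the list is the innermost (currently effective) run-as subject.
     */
    protected static final ThreadLocal<LinkedList<Subject>> RUN_AS_STACK = new ThreadLocal<LinkedList<Subject>>() {
        @Override
        public LinkedList<Subject> initialValue() {
            return new LinkedList<>();
        }
    };

    /** Realm of the first Tomcat engine that declares one; stays null if no engine has a realm. */
    private Realm defaultRealm;

    /** Principal carried by a run-as subject; its name is the run-as role. */
    public static class RunAsRole implements Principal {
        private final String name;

        /**
         * @param name the run-as role name
         * @throws NullPointerException if {@code name} is null
         */
        public RunAsRole(final String name) {
            if (name == null) {
                throw new NullPointerException("name is null");
            }
            this.name = name;
        }

        @Override
        public String getName() {
            return name;
        }

        @Override
        public String toString() {
            // Plain literal: the decompiled listing had folded this into an hsqldb Tokens constant,
            // which would make toString() of a principal depend on hsqldb being on the classpath.
            return "[RunAsRole: " + name + "]";
        }

        @Override
        public boolean equals(final Object other) {
            if (this == other) {
                return true;
            }
            if (other == null || getClass() != other.getClass()) {
                return false;
            }
            return name.equals(((RunAsRole) other).name);
        }

        @Override
        public int hashCode() {
            return name.hashCode();
        }
    }

    /**
     * Wraps a principal returned by a Tomcat {@link Realm} together with that realm, so role checks
     * can be delegated back to the realm that authenticated it. Annotated {@link CallerPrincipal}
     * so that {@link #getCallerPrincipal()} picks it out of a subject's principal set.
     */
    @CallerPrincipal
    public static class TomcatUser implements Principal {
        private final Realm realm;
        private final Principal tomcatPrincipal;

        /**
         * @param realm     realm that authenticated {@code principal}
         * @param principal the principal produced by the realm
         * @throws NullPointerException if either argument is null
         */
        public TomcatUser(final Realm realm, final Principal principal) {
            if (realm == null) {
                throw new NullPointerException("realm is null");
            }
            if (principal == null) {
                throw new NullPointerException("tomcatPrincipal is null");
            }
            this.realm = realm;
            this.tomcatPrincipal = principal;
        }

        public Realm getRealm() {
            return realm;
        }

        public Principal getTomcatPrincipal() {
            return tomcatPrincipal;
        }

        @Override
        public String getName() {
            return tomcatPrincipal.getName();
        }

        @Override
        public String toString() {
            return "[TomcatUser: " + tomcatPrincipal + "]";
        }

        @Override
        public boolean equals(final Object other) {
            if (this == other) {
                return true;
            }
            if (other == null || getClass() != other.getClass()) {
                return false;
            }
            final TomcatUser that = (TomcatUser) other;
            return realm.equals(that.realm) && tomcatPrincipal.equals(that.tomcatPrincipal);
        }

        @Override
        public int hashCode() {
            return 31 * realm.hashCode() + tomcatPrincipal.hashCode();
        }
    }

    /**
     * Opaque token returned by {@link #enterWebApp} and consumed by {@link #exitWebApp}: remembers
     * the identity that was on the thread before the web app entered, and whether a run-as subject
     * was pushed (and therefore must be popped).
     */
    public static class WebAppState implements Serializable {
        private final AbstractSecurityService.Identity oldIdentity;
        private final boolean hadRunAs;

        public WebAppState(final AbstractSecurityService.Identity oldIdentity, final boolean hadRunAs) {
            this.oldIdentity = oldIdentity;
            this.hadRunAs = hadRunAs;
        }
    }

    /**
     * Picks the realm of the first {@link Engine} that has one as the default realm used when a
     * login names no realm (or an unknown one).
     */
    public TomcatSecurityService() {
        for (final Service service : TomcatHelper.getServer().findServices()) {
            if (!(service.getContainer() instanceof Engine)) {
                continue;
            }
            final Engine engine = service.getContainer();
            if (engine.getRealm() != null) {
                defaultRealm = engine.getRealm();
                return;
            }
        }
    }

    /**
     * Role check for the current caller. For a Tomcat-authenticated caller the roles come from the
     * Tomcat principal itself; the special {@code "**"} role (Servlet "any authenticated user")
     * is granted to every Tomcat-authenticated caller. Any other caller is delegated to the
     * superclass.
     */
    @Override
    public boolean isCallerInRole(final String role) {
        final Principal caller = getCallerPrincipal();
        if (!(caller instanceof TomcatUser)) {
            return super.isCallerInRole(role);
        }
        if ("**".equals(role)) {
            return true;
        }
        // NOTE(decompiled): java.security.Principal has no getRoles(); this only compiles against a
        // Tomcat principal type (presumably GenericPrincipal) whose cast the decompiler dropped.
        // Restore that cast when rebuilding from source.
        final String[] roles = ((TomcatUser) caller).getTomcatPrincipal().getRoles();
        if (roles == null) {
            return false;
        }
        for (final String granted : roles) {
            if (granted.equals(role)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Authenticates against a Tomcat realm and registers the resulting subject.
     *
     * @param realmName name of the web-app realm to use; null/empty (or an unknown name, or
     *                  {@code tomee.realm.only-default=true}) selects the default engine realm
     * @param username  user name passed to {@link Realm#authenticate(String, String)}
     * @param password  clear-text password passed to the realm (never echoed in exceptions)
     * @return the id under which the subject was registered
     * @throws LoginException              if no realm is available
     * @throws CredentialNotFoundException if the realm rejects the credentials; the message carries
     *                                     the user name only
     */
    @Override
    public UUID login(final String realmName, final String username, final String password) throws LoginException {
        final Realm realm = findRealm(realmName);
        if (realm == null) {
            throw new LoginException("No Tomcat realm available");
        }
        // Realm.authenticate() signals failure with null; the password is never put in a message.
        final Principal principal = realm.authenticate(username, password);
        if (principal == null) {
            throw new CredentialNotFoundException(username);
        }
        return registerSubject(createSubject(realm, principal));
    }

    /**
     * Resolves a caller-supplied realm name to a web-app realm registered under the context path
     * {@code "/" + name}; anything unresolvable silently falls back to the default realm.
     */
    private Realm findRealm(final String realmName) {
        if (ONLY_DEFAULT_REALM || realmName == null || realmName.isEmpty()) {
            return defaultRealm;
        }
        final TomcatWebAppBuilder builder = (TomcatWebAppBuilder) SystemInstance.get().getComponent(TomcatWebAppBuilder.class);
        if (builder == null) {
            return defaultRealm;
        }
        final Realm webAppRealm = builder.getRealms().get('/' + realmName);
        return webAppRealm == null ? defaultRealm : webAppRealm;
    }

    /**
     * Builds a read-only subject holding exactly one principal: the realm principal itself when its
     * type is annotated {@link CallerPrincipal}, otherwise a {@link TomcatUser} wrapping it together
     * with its realm. No credentials are attached.
     */
    private Subject createSubject(final Realm realm, final Principal principal) {
        final Set<Principal> principals = new HashSet<Principal>();
        if (principal.getClass().isAnnotationPresent(CallerPrincipal.class)) {
            principals.add(principal);
        } else {
            principals.add(new TomcatUser(realm, principal));
        }
        return new Subject(true, principals, new HashSet<Object>(), new HashSet<Object>());
    }

    /**
     * Returns the subset of {@code logicalRoles} that at least one of {@code principals} holds:
     * a {@link TomcatUser} is asked through its realm, any other principal matches a role when its
     * name equals the role name (this is how a {@link RunAsRole} grants its role).
     */
    @Override
    public Set<String> getLogicalRoles(final Principal[] principals, final Set<String> logicalRoles) {
        final Set<String> granted = new LinkedHashSet<String>(logicalRoles.size());
        for (final String role : logicalRoles) {
            if (anyPrincipalHasRole(principals, role)) {
                granted.add(role);
            }
        }
        return granted;
    }

    /** True if any principal carries {@code role}; stops at the first match. */
    private static boolean anyPrincipalHasRole(final Principal[] principals, final String role) {
        for (final Principal principal : principals) {
            if (principal instanceof TomcatUser) {
                final TomcatUser user = (TomcatUser) principal;
                if (TomcatHelper.hasRole(user.getRealm(), user.getTomcatPrincipal(), role)) {
                    return true;
                }
            } else if (principal != null && role.equals(principal.getName())) {
                return true;
            }
        }
        return false;
    }

    /**
     * The caller principal of the identity on this thread: the first principal whose type is
     * annotated {@link CallerPrincipal}, else an arbitrary principal of the subject (the set gives
     * no ordering guarantee, so with several unannotated principals this is not deterministic),
     * else whatever the superclass provides.
     */
    @Override
    public Principal getCallerPrincipal() {
        final AbstractSecurityService.Identity identity = clientIdentity.get();
        if (identity == null) {
            return super.getCallerPrincipal();
        }
        final Set<Principal> principals = identity.getSubject().getPrincipals();
        for (final Principal principal : principals) {
            if (principal.getClass().isAnnotationPresent(CallerPrincipal.class)) {
                return principal;
            }
        }
        if (!principals.isEmpty()) {
            return principals.iterator().next();
        }
        return super.getCallerPrincipal();
    }

    /**
     * Installs the web-app caller identity (and optional run-as subject) on the current thread.
     * The returned token MUST be handed back to {@link #exitWebApp(Object)}, ideally from a
     * {@code finally} block: otherwise the identity and run-as subject stay attached to the
     * (pooled) thread and leak into later requests.
     *
     * @param realm     realm that authenticated {@code principal}
     * @param principal authenticated principal, or null for an unauthenticated request (which
     *                  clears any identity left on the thread)
     * @param runAs     run-as role name to push, or null
     * @return opaque state to pass to {@link #exitWebApp(Object)}
     */
    public Object enterWebApp(final Realm realm, final Principal principal, final String runAs) {
        final WebAppState previous = new WebAppState(clientIdentity.get(), runAs != null);
        AbstractSecurityService.Identity identity = null;
        if (principal != null) {
            identity = new AbstractSecurityService.Identity(createSubject(realm, principal), null);
        }
        clientIdentity.set(identity);
        if (runAs != null) {
            RUN_AS_STACK.get().addFirst(createRunAsSubject(runAs));
        }
        return previous;
    }

    /**
     * On servlet logout, restores the pre-request identity if the current Catalina request carries
     * the {@link #enterWebApp} token as a note; otherwise defers to the superclass.
     */
    @Override
    public void onLogout(final HttpServletRequest request) {
        final Request catalinaRequest = OpenEJBSecurityListener.requests.get();
        final Object state = catalinaRequest == null ? null : catalinaRequest.getNote(TomEERealm.SECURITY_NOTE);
        if (state != null) {
            exitWebApp(state);
        } else {
            super.onLogout(request);
        }
    }

    /**
     * Undoes {@link #enterWebApp}: restores (or removes) the previous identity and pops the run-as
     * subject if one was pushed. Tokens not produced by {@link #enterWebApp} are ignored.
     */
    public void exitWebApp(final Object state) {
        if (!(state instanceof WebAppState)) {
            return;
        }
        final WebAppState previous = (WebAppState) state;
        if (previous.oldIdentity == null) {
            clientIdentity.remove();
        } else {
            clientIdentity.set(previous.oldIdentity);
        }
        if (previous.hadRunAs) {
            // Unbalanced enter/exit calls surface here as NoSuchElementException rather than
            // silently leaving a stale run-as subject on the thread.
            RUN_AS_STACK.get().removeFirst();
        }
    }

    /**
     * The run-as subject for a bean invocation: whatever the superclass resolves takes precedence;
     * otherwise the innermost web-app run-as subject on this thread, or null if there is none.
     */
    @Override
    public Subject getRunAsSubject(final BeanContext beanContext) {
        final Subject inherited = super.getRunAsSubject(beanContext);
        if (inherited != null) {
            return inherited;
        }
        final LinkedList<Subject> stack = RUN_AS_STACK.get();
        return stack.isEmpty() ? null : stack.getFirst();
    }

    /** Read-only subject holding a single {@link RunAsRole}; null when {@code role} is null. */
    protected Subject createRunAsSubject(final String role) {
        if (role == null) {
            return null;
        }
        final Set<Principal> principals = new HashSet<Principal>();
        principals.add(new RunAsRole(role));
        return new Subject(true, principals, new HashSet<Object>(), new HashSet<Object>());
    }

    /**
     * Default security context for the current Catalina request. If the request carries a
     * {@link Callable} under {@value #SUBJECT_CALLABLE_ATTRIBUTE}, the subject it produces is used.
     * Request attributes can only be set by server-side code (filters, valves, forwarding
     * servlets), so this is an in-process extension point that is trusted unconditionally: whoever
     * can set that attribute dictates the EJB caller subject. A supplier that throws, or returns
     * something that is not a {@link Subject}, is ignored and the superclass default is used.
     */
    @Override
    public AbstractSecurityService.SecurityContext getDefaultSecurityContext() {
        final Request request = OpenEJBSecurityListener.requests.get();
        if (request != null) {
            final Object supplier = request.getAttribute(SUBJECT_CALLABLE_ATTRIBUTE);
            if (supplier instanceof Callable) {
                try {
                    return new AbstractSecurityService.SecurityContext((Subject) ((Callable<?>) supplier).call());
                } catch (final Exception ignored) {
                    // Best effort by design: fall through to the superclass default rather than
                    // failing the invocation. The ClassCastException from a non-Subject result is
                    // swallowed here as well.
                }
            }
        }
        return super.getDefaultSecurityContext();
    }
}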
