package org.jboss.as.controller.access.rbac;

import java.security.Permission;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import org.jboss.as.controller.ControllerLogger;
import org.jboss.as.controller.ControllerMessages;
import org.jboss.as.controller.access.Action;
import org.jboss.as.controller.access.AuthorizerConfiguration;
import org.jboss.as.controller.access.Caller;
import org.jboss.as.controller.access.Environment;
import org.jboss.as.controller.access.TargetAttribute;
import org.jboss.as.controller.access.TargetResource;

/* loaded from: input_file:WEB-INF/lib/wildfly-controller-8.2.1.Final.jar:org/jboss/as/controller/access/rbac/StandardRoleMapper.class */
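public class StandardRoleMapper implements RoleMapper {

    /** Role handed to callers that carry no Subject (in-VM calls): the official form of SUPERUSER. */
    private static final String IN_VM_ROLE = StandardRole.SUPERUSER.getOfficialForm();
    /** Permission an installed SecurityManager must grant before a subject-less caller receives {@link #IN_VM_ROLE}. */
    private static final RunAsRolePermission RUN_AS_IN_VM_ROLE = new RunAsRolePermission(IN_VM_ROLE);
    /** Supplies the role-mapping definitions, the realm-role policy and the set of known role names. */
    private final AuthorizerConfiguration authorizerConfiguration;

    /**
     * Creates a mapper backed by the given RBAC configuration.
     *
     * @param authorizerConfiguration configuration consulted on every mapping and run-as decision
     */
    public StandardRoleMapper(AuthorizerConfiguration authorizerConfiguration) {
        this.authorizerConfiguration = authorizerConfiguration;
    }

    /**
     * {@inheritDoc}
     * <p>
     * The target attribute is not consulted: the mapped role set depends only on the caller.
     */
    @Override
    public Set<String> mapRoles(Caller caller, Environment environment, Action action, TargetAttribute targetAttribute) {
        return mapRoles(caller);
    }

    /**
     * {@inheritDoc}
     * <p>
     * The target resource is not consulted: the mapped role set depends only on the caller.
     */
    @Override
    public Set<String> mapRoles(Caller caller, Environment environment, Action action, TargetResource targetResource) {
        return mapRoles(caller);
    }

    /**
     * {@inheritDoc}
     * <p>
     * The supplied set is not consulted: the mapped role set depends only on the caller.
     */
    @Override
    public Set<String> mapRoles(Caller caller, Environment environment, Set<String> set) {
        return mapRoles(caller);
    }

    /**
     * Decides whether a caller holding {@code mappedRoles} may act under {@code runAsRole}.
     * <p>
     * Only a caller whose mapped roles contain SUPERUSER may run as another role, and only if
     * the configuration knows that role. A non-SUPERUSER caller always gets {@code false},
     * without learning whether the requested role exists.
     *
     * @param mappedRoles the roles already mapped for the caller
     * @param runAsRole   the requested role; {@code null} is never permitted
     * @return {@code true} only when the caller is SUPERUSER and {@code runAsRole} is a known role
     * @throws RuntimeException (via {@code ControllerMessages.MESSAGES.unknownRole}) when a SUPERUSER
     *                          requests a role the configuration does not know
     */
    @Override
    public boolean canRunAs(Set<String> mappedRoles, String runAsRole) {
        if (runAsRole == null) {
            return false;
        }
        boolean roleExists = this.authorizerConfiguration.hasRole(runAsRole);
        boolean isSuperUser = mappedRoles.contains(StandardRole.SUPERUSER.toString());
        // An unknown role is reported only to a SUPERUSER; everyone else is simply refused.
        if (isSuperUser && !roleExists) {
            throw ControllerMessages.MESSAGES.unknownRole(runAsRole);
        }
        return roleExists && isSuperUser;
    }

    /**
     * Computes the role set for a caller.
     * <p>
     * Callers with a Subject are matched against the configured role mappings (optionally seeded
     * from their realm roles first). Callers without a Subject are treated as in-VM calls and
     * receive {@link #IN_VM_ROLE}, gated only by {@link #checkPermission(Permission)}.
     *
     * @param caller the caller being mapped
     * @return an unmodifiable view of the roles assigned to the caller
     */
    private Set<String> mapRoles(Caller caller) {
        Set<String> assignedRoles = new HashSet<>();
        boolean trace = ControllerLogger.ACCESS_LOGGER.isTraceEnabled();

        if (caller.hasSubject()) {
            Map<String, AuthorizerConfiguration.RoleMapping> roleMappings;
            if (this.authorizerConfiguration.isMapUsingRealmRoles()) {
                // Work on a copy: realm-assigned roles are removed from it as they are processed,
                // so they are not evaluated a second time by the include/exclude pass and the
                // configuration's own map is never mutated.
                roleMappings = new HashMap<>(this.authorizerConfiguration.getRoleMappings());
                addRealmRoles(caller, roleMappings, assignedRoles, trace);
            } else {
                roleMappings = this.authorizerConfiguration.getRoleMappings();
            }
            addMappedRoles(caller, roleMappings, assignedRoles, trace);
        } else {
            // No Subject means an in-VM caller. The only gate is the SecurityManager permission
            // check, which is a no-op when no SecurityManager is installed; in that case every
            // subject-less caller receives the SUPERUSER role.
            checkPermission(RUN_AS_IN_VM_ROLE);
            ControllerLogger.ACCESS_LOGGER.tracef("Assigning role '%s' for call with no assigned Subject (An IN-VM Call).", IN_VM_ROLE);
            assignedRoles.add(IN_VM_ROLE);
        }

        if (trace) {
            StringBuilder summary = new StringBuilder("User '").append(caller.getName()).append("' Assigned Roles { ");
            for (String role : assignedRoles) {
                summary.append("'").append(role).append("' ");
            }
            summary.append("}");
            ControllerLogger.ACCESS_LOGGER.trace(summary.toString());
        }
        return Collections.unmodifiableSet(assignedRoles);
    }

    /**
     * Seeds {@code assignedRoles} from the caller's realm roles, honouring only the exclusion
     * rule of a matching mapping; every matched mapping is removed from {@code roleMappings}.
     */
    private static void addRealmRoles(Caller caller, Map<String, AuthorizerConfiguration.RoleMapping> roleMappings,
                                      Set<String> assignedRoles, boolean trace) {
        for (String realmRole : caller.getAssociatedRoles()) {
            // NOTE(review): default-locale upper-casing. The mapping keys must be upper-cased the
            // same way, otherwise realm roles silently fail to match in locales such as tr_TR —
            // confirm against how AuthorizerConfiguration builds its keys.
            String roleName = realmRole.toUpperCase();
            if (roleMappings.containsKey(roleName)) {
                // Removal is deliberate: an excluded realm role must not be re-granted by the
                // include rules evaluated afterwards.
                AuthorizerConfiguration.MappingPrincipal exclusion = roleMappings.remove(roleName).isExcluded(caller);
                if (exclusion == null) {
                    if (trace) {
                        ControllerLogger.ACCESS_LOGGER.tracef("User '%s' assigned role '%s' due to realm assignment and no exclusion in role mapping definition.", caller.getName(), roleName);
                    }
                    assignedRoles.add(roleName);
                } else if (trace) {
                    ControllerLogger.ACCESS_LOGGER.tracef("User '%s' NOT assigned role '%s' despite realm assignment due to exclusion match against %s.", caller.getName(), roleName, exclusion);
                }
            } else {
                // A realm role with no mapping definition is granted as-is.
                if (trace) {
                    ControllerLogger.ACCESS_LOGGER.tracef("User '%s' assigned role '%s' due to realm assignment and no role mapping to check for exclusion.", caller.getName(), roleName);
                }
                assignedRoles.add(roleName);
            }
        }
    }

    /**
     * Adds to {@code assignedRoles} every mapping that includes the caller (explicitly or via
     * include-all) and does not exclude it.
     */
    private static void addMappedRoles(Caller caller, Map<String, AuthorizerConfiguration.RoleMapping> roleMappings,
                                       Set<String> assignedRoles, boolean trace) {
        for (AuthorizerConfiguration.RoleMapping roleMapping : roleMappings.values()) {
            boolean includeAll = roleMapping.includeAllAuthedUsers();
            // Include rules are only evaluated when the mapping is not include-all.
            AuthorizerConfiguration.MappingPrincipal inclusion = includeAll ? null : roleMapping.isIncluded(caller);
            if (!includeAll && inclusion == null) {
                if (trace) {
                    ControllerLogger.ACCESS_LOGGER.tracef("User '%s' not assigned role '%s' as no match on the include definition of the role mapping.", caller.getName(), roleMapping.getName());
                }
                continue;
            }
            // Exclusion always wins over inclusion, include-all included.
            AuthorizerConfiguration.MappingPrincipal exclusion = roleMapping.isExcluded(caller);
            if (exclusion != null) {
                if (trace) {
                    ControllerLogger.ACCESS_LOGGER.tracef("User '%s' denied membership of role '%s' due to exclusion %s", caller.getName(), roleMapping.getName(), exclusion);
                }
                continue;
            }
            if (trace) {
                if (includeAll) {
                    ControllerLogger.ACCESS_LOGGER.tracef("User '%s' assiged role '%s' due to include-all set on role.", caller.getName(), roleMapping.getName());
                } else {
                    ControllerLogger.ACCESS_LOGGER.tracef("User '%s' assiged role '%s' due to match on inclusion %s", caller.getName(), roleMapping.getName(), inclusion);
                }
            }
            assignedRoles.add(roleMapping.getName());
        }
    }

    /**
     * Delegates to the installed SecurityManager, if any.
     * <p>
     * When {@code System.getSecurityManager()} is {@code null} this method returns without
     * checking anything, so the permission is enforced only in deployments that run with a
     * SecurityManager.
     *
     * @param permission the permission to check
     * @throws SecurityException if a SecurityManager is installed and denies the permission
     */
    private static void checkPermission(Permission permission) {
        SecurityManager securityManager = System.getSecurityManager();
        if (securityManager != null) {
            securityManager.checkPermission(permission);
        }
    }
}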
