package com.sun.enterprise.security.acl;

import com.sun.enterprise.config.serverbeans.SecurityService;
import com.sun.enterprise.deployment.Application;
import com.sun.enterprise.security.common.AppservAccessController;
import com.sun.logging.LogDomains;
import java.io.Serializable;
import java.lang.annotation.Annotation;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.security.auth.Subject;
import org.glassfish.api.admin.ServerEnvironment;
import org.glassfish.deployment.common.RootDeploymentDescriptor;
import org.glassfish.deployment.common.SecurityRoleMapper;
import org.glassfish.internal.api.Globals;
import org.glassfish.internal.data.ApplicationInfo;
import org.glassfish.internal.data.ApplicationRegistry;
import org.glassfish.security.common.Group;
import org.glassfish.security.common.PrincipalImpl;
import org.glassfish.security.common.Role;
import org.jboss.weld.metadata.Selectors;

/* loaded from: input_file:MICRO-INF/runtime/security-ee.jar:com/sun/enterprise/security/acl/RoleMapper.class */
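/**
 * Per-application table of role name to principals, kept in three parallel views:
 * role to {@link Subject}, role to user principals, and role to {@link Group}s.
 *
 * <p>Mappings handed to {@link #assignRole} are buffered per owning descriptor in a
 * {@link Mapping} and merged by {@link #checkAndAddMappings()}, which is where
 * conflicts between the top-level descriptor and module descriptors are resolved.
 *
 * <p>Review notes for maintainers:
 * <ul>
 *   <li>The class is {@link Serializable} and {@code secService} is transient, so a
 *       deserialized or copy-constructed instance has no security service. No
 *       {@code readObject} validation is visible in this file.</li>
 *   <li>{@link #getRoleToSubjectMapping()} returns the live internal map, not a copy.</li>
 *   <li>The maps are plain {@link HashMap}s; only {@code initDefaultRole} and the
 *       default-mapping cache take a lock.</li>
 * </ul>
 */
public class RoleMapper implements Serializable, SecurityRoleMapper {
    private static final long serialVersionUID = -4455830942007736853L;
    private static final String DEFAULT_ROLE_NAME = "ANYONE";
    private static final String TOP_LEVEL = "sun-application.xml mapping file";
    private static final Logger _logger =
            LogDomains.getLogger(RoleMapper.class, "javax.enterprise.system.core.security");

    private Role defaultRole;
    private String defaultRoleName;
    private String appName;
    private final Map<String, Subject> roleToSubject = new HashMap<>();
    // Name of the Principal implementation used for the implicit same-name mapping.
    private String defaultP2RMappingClassName;
    private DefaultRoleToSubjectMapping defaultRTSM = new DefaultRoleToSubjectMapping();
    private final Map<String, Set<Principal>> roleToPrincipal = new HashMap<>();
    private final Map<String, Set<Group>> roleToGroup = new HashMap<>();
    // Mappings of the descriptor currently being read; merged lazily.
    private Mapping currentMapping;
    private Set<Role> topLevelRoles;
    private boolean conflictLogged;
    private Set<Role> conflictedRoles;
    // Tri-state cache: null means "not computed yet".
    private Boolean appDefaultMapping;
    private transient SecurityService secService;

    /**
     * Map view used when no explicit mapping exists and the default
     * principal-to-role mapping is active: {@link #get(Object)} answers every role
     * name with a Subject holding one principal of the configured class whose name
     * equals the role name.
     *
     * <p>Only {@code get} is overridden. The lazily built entries live in
     * {@code roleMap}; this class never populates the inherited HashMap storage, so
     * {@code size()}, {@code isEmpty()}, {@code containsKey()} and the entry views do
     * not reflect them.
     */
    class DefaultRoleToSubjectMapping extends HashMap<String, Subject> {
        private static final long serialVersionUID = 3074733840327132690L;
        private final HashMap<String, Subject> roleMap = new HashMap<>();

        DefaultRoleToSubjectMapping() {
        }

        /**
         * Instantiates the configured principal class with {@code str} as its name.
         *
         * @param str role name, reused as the principal name
         * @return a new principal named {@code str}
         * @throws RuntimeException if the class cannot be loaded, is not a
         *         {@link Principal}, or has no usable {@code (String)} constructor
         */
        Principal getSameNamedPrincipal(String str) {
            try {
                // The class name comes from configuration. Check the type before any
                // constructor runs, so a misconfigured name cannot cause an unrelated
                // class to be instantiated.
                Class<? extends Principal> principalClass =
                        Class.forName(RoleMapper.this.defaultP2RMappingClassName).asSubclass(Principal.class);
                return principalClass.getConstructor(String.class).newInstance(str);
            } catch (Exception e) {
                RoleMapper._logger.log(Level.SEVERE, "rm.getSameNamedPrincipal", new Object[]{str, e});
                // Keep the cause: the log call above passes the exception as a message
                // parameter only, so this is the one place its stack trace survives.
                throw new RuntimeException("Unable to get principal by default p2r mapping", e);
            }
        }

        /**
         * Returns the cached Subject for a role name, creating it on first use.
         *
         * @param obj the role name; anything that is not a String yields {@code null}
         * @return the Subject for the role, or {@code null} for a non-String key or
         *         the {@code Selectors.DEEP_TREE_MATCH} name
         */
        @Override // java.util.HashMap, java.util.AbstractMap, java.util.Map
        public Subject get(Object obj) {
            // Test the type before casting; the old order made the instanceof guard
            // unreachable for non-String keys and threw ClassCastException instead.
            if (!(obj instanceof String)) {
                return null;
            }
            final String roleName = (String) obj;
            synchronized (this.roleMap) {
                Subject cached = this.roleMap.get(roleName);
                // NOTE(review): Selectors.DEEP_TREE_MATCH looks like a constant the
                // decompiler substituted for a string literal; confirm its value.
                if (cached != null || Selectors.DEEP_TREE_MATCH.equals(roleName)) {
                    return cached;
                }
                final Subject created = new Subject();
                AppservAccessController.doPrivileged(new PrivilegedAction<Object>() {
                    @Override // java.security.PrivilegedAction
                    public Object run() {
                        created.getPrincipals().add(DefaultRoleToSubjectMapping.this.getSameNamedPrincipal(roleName));
                        return null;
                    }
                });
                // NOTE(review): one entry is kept per distinct role name ever asked
                // for, with no eviction; confirm callers only pass declared role names.
                this.roleMap.put(roleName, created);
                return created;
            }
        }
    }

    /**
     * Role to principal assignments read from one descriptor, identified by
     * {@code owner}. (Decompiler note: originally declared private.)
     */
    public static class Mapping implements Serializable {
        private static final long serialVersionUID = 5863982599500877228L;
        private final String owner;
        private final Map<Role, Set<Principal>> roleMap = new HashMap<>();

        Mapping(String str) {
            this.owner = str;
        }

        /** Records that {@code principal} is mapped to {@code role}. */
        void addMapping(Principal principal, Role role) {
            Set<Principal> principals = this.roleMap.get(role);
            if (principals == null) {
                principals = new HashSet<>();
                this.roleMap.put(role, principals);
            }
            principals.add(principal);
        }

        /** Returns the live key set of roles recorded so far. */
        Set<Role> getRoles() {
            return this.roleMap.keySet();
        }

        /** Returns the live principal set for {@code role}, or {@code null} if none. */
        Set<Principal> getPrincipals(Role role) {
            return this.roleMap.get(role);
        }
    }

    /**
     * Creates an empty mapper for an application and resolves the security service
     * and the default principal class name from the server configuration.
     * (Decompiler note: originally package-private.)
     *
     * @param str the application name
     */
    public RoleMapper(String str) {
        this.appName = str;
        this.secService = (SecurityService) Globals.getDefaultHabitat().getService(SecurityService.class, ServerEnvironment.DEFAULT_INSTANCE_NAME, new Annotation[0]);
        this.defaultP2RMappingClassName = getDefaultP2RMappingClassName();
        postConstruct();
    }

    /**
     * Lazily resolves the anonymous/default role, falling back to
     * {@code DEFAULT_ROLE_NAME} when the configured name cannot be read.
     */
    private synchronized void initDefaultRole() {
        if (this.defaultRole != null) {
            return;
        }
        this.defaultRoleName = DEFAULT_ROLE_NAME;
        try {
            // The read belongs inside the try. With an empty try body the catch below
            // was dead code, and a missing security service (secService is transient
            // and unset in the copy constructor) escaped as a NullPointerException.
            assert this.secService != null;
            this.defaultRoleName = this.secService.getAnonymousRole();
        } catch (Exception e) {
            _logger.log(Level.WARNING, "java_security.anonymous_role_reading_exception", e);
        }
        if (_logger.isLoggable(Level.FINE)) {
            _logger.log(Level.FINE, "Default role is: " + this.defaultRoleName);
        }
        this.defaultRole = new Role(this.defaultRoleName);
    }

    /**
     * Tells whether the default principal-to-role mapping is switched on, first from
     * the security service and then from the deployed application's descriptor. The
     * answer is computed once and cached in {@code appDefaultMapping}.
     */
    private boolean getAppDefaultRoleMapping() {
        if (this.appDefaultMapping != null) {
            return this.appDefaultMapping.booleanValue();
        }
        this.appDefaultMapping = Boolean.FALSE;
        if (this.secService != null) {
            this.appDefaultMapping = Boolean.parseBoolean(this.secService.getActivateDefaultPrincipalToRoleMapping());
            if (this.appDefaultMapping.booleanValue()) {
                return true;
            }
        }
        ApplicationInfo applicationInfo = ((ApplicationRegistry) Globals.getDefaultHabitat().getService(ApplicationRegistry.class, new Annotation[0])).get(this.appName);
        if (applicationInfo == null) {
            return this.appDefaultMapping.booleanValue();
        }
        // NOTE(review): getMetaData's result is dereferenced unchecked; confirm it
        // cannot be null for a registered application.
        Application application = (Application) applicationInfo.getMetaData(Application.class);
        this.appDefaultMapping = application.getModuleByUri(this.appName) == null
                ? application.isDefaultGroupPrincipalMapping()
                : application.getModuleByUri(this.appName).isDefaultGroupPrincipalMapping();
        return this.appDefaultMapping.booleanValue();
    }

    /** Returns the application name this mapper belongs to. */
    @Override // org.glassfish.deployment.common.SecurityRoleMapper
    public String getName() {
        return this.appName;
    }

    /** Sets the application name this mapper belongs to. */
    @Override // org.glassfish.deployment.common.SecurityRoleMapper
    public void setName(String str) {
        this.appName = str;
    }

    /**
     * Adds {@code principal} to the Subject stored for role {@code str}, creating the
     * Subject if needed. The principal set is modified inside a privileged action.
     */
    private void addRoleToPrincipal(final Principal principal, String str) {
        assert this.roleToSubject != null;
        Subject existing = this.roleToSubject.get(str);
        final Subject target = existing == null ? new Subject() : existing;
        AppservAccessController.doPrivileged(new PrivilegedAction<Object>() {
            @Override // java.security.PrivilegedAction
            public Object run() {
                target.getPrincipals().add(principal);
                return null;
            }
        });
        this.roleToSubject.put(str, target);
    }

    /**
     * Removes one principal from a role in all three views. The role entry itself is
     * kept even when its last principal is removed.
     *
     * @param role the role to remove the principal from
     * @param principal the user or group principal to remove
     */
    @Override // org.glassfish.deployment.common.SecurityRoleMapper
    public void unassignPrincipalFromRole(Role role, final Principal principal) {
        assert this.roleToSubject != null;
        String name = role.getName();
        final Subject subject = this.roleToSubject.get(name);
        if (subject != null) {
            AppservAccessController.doPrivileged(new PrivilegedAction<Object>() {
                @Override // java.security.PrivilegedAction
                public Object run() {
                    subject.getPrincipals().remove(principal);
                    return null;
                }
            });
        }
        // The sets are edited in place, so putting them back into the maps is not needed.
        if (principal instanceof Group) {
            Set<Group> groups = this.roleToGroup.get(name);
            if (groups != null) {
                groups.remove(principal);
            }
            return;
        }
        Set<Principal> users = this.roleToPrincipal.get(name);
        if (users != null) {
            users.remove(principal);
        }
    }

    /** True when a default principal class is known and the default mapping is enabled. */
    boolean isDefaultRTSMActivated() {
        return this.defaultP2RMappingClassName != null && getAppDefaultRoleMapping();
    }

    /**
     * Merges any buffered mappings and returns the role to Subject table.
     *
     * <p>When no explicit mapping exists and the default mapping is active, the
     * returned map is the {@link DefaultRoleToSubjectMapping}, which answers any role
     * name with a same-named principal. Otherwise the live internal map is returned,
     * so changes made by a caller alter this mapper's state.
     *
     * @return the role name to Subject mapping
     */
    @Override // org.glassfish.deployment.common.SecurityRoleMapper
    public Map<String, Subject> getRoleToSubjectMapping() {
        checkAndAddMappings();
        assert this.roleToSubject != null;
        if (this.roleToSubject.isEmpty() && isDefaultRTSMActivated()) {
            return this.defaultRTSM;
        }
        return this.roleToSubject;
    }

    /** Stores one principal to role assignment in all three views. */
    private void internalAssignRole(Principal principal, Role role) {
        String name = role.getName();
        // Principal names reach the log when FINE is enabled for this logger.
        if (_logger.isLoggable(Level.FINE)) {
            _logger.log(Level.FINE, "SECURITY:RoleMapper Assigning Role " + name + " to  " + principal.getName());
        }
        addRoleToPrincipal(principal, name);
        if (principal instanceof Group) {
            Set<Group> groups = this.roleToGroup.get(name);
            if (groups == null) {
                groups = new HashSet<>();
                this.roleToGroup.put(name, groups);
            }
            groups.add((Group) principal);
            return;
        }
        Set<Principal> users = this.roleToPrincipal.get(name);
        if (users == null) {
            users = new HashSet<>();
            this.roleToPrincipal.put(name, users);
        }
        users.add(principal);
    }

    /**
     * Buffers an assignment under the descriptor it came from. Switching to a
     * different descriptor first merges the mappings buffered for the previous one.
     *
     * @param principal the user or group principal
     * @param role the role being granted
     * @param rootDeploymentDescriptor the descriptor declaring the mapping
     */
    @Override // org.glassfish.deployment.common.SecurityRoleMapper
    public void assignRole(Principal principal, Role role, RootDeploymentDescriptor rootDeploymentDescriptor) {
        assert rootDeploymentDescriptor != null;
        String moduleID = getModuleID(rootDeploymentDescriptor);
        if (this.currentMapping == null) {
            this.currentMapping = new Mapping(moduleID);
        } else if (!moduleID.equals(this.currentMapping.owner)) {
            checkAndAddMappings();
            this.currentMapping = new Mapping(moduleID);
        }
        if (moduleID.equals(TOP_LEVEL) && this.topLevelRoles == null) {
            this.topLevelRoles = new HashSet<>();
        }
        this.currentMapping.addMapping(principal, role);
    }

    /**
     * Iterates over the role names that have a Subject. Buffered mappings that have
     * not been merged yet are not included.
     */
    @Override // org.glassfish.deployment.common.SecurityRoleMapper
    public Iterator<String> getRoles() {
        assert this.roleToSubject != null;
        return this.roleToSubject.keySet().iterator();
    }

    /** Enumerates the groups mapped to {@code role}; empty if there are none. */
    @Override // org.glassfish.deployment.common.SecurityRoleMapper
    public Enumeration<Group> getGroupsAssignedTo(Role role) {
        assert this.roleToGroup != null;
        Set<Group> groups = this.roleToGroup.get(role.getName());
        return Collections.enumeration(groups == null ? Collections.<Group>emptySet() : groups);
    }

    /** Enumerates the non-group principals mapped to {@code role}; empty if there are none. */
    @Override // org.glassfish.deployment.common.SecurityRoleMapper
    public Enumeration<Principal> getUsersAssignedTo(Role role) {
        assert this.roleToPrincipal != null;
        Set<Principal> users = this.roleToPrincipal.get(role.getName());
        return Collections.enumeration(users == null ? Collections.<Principal>emptySet() : users);
    }

    /** Drops a role from all three views; a {@code null} role is ignored. */
    @Override // org.glassfish.deployment.common.SecurityRoleMapper
    public void unassignRole(Role role) {
        if (role == null) {
            return;
        }
        String name = role.getName();
        this.roleToSubject.remove(name);
        this.roleToPrincipal.remove(name);
        this.roleToGroup.remove(name);
    }

    /**
     * Renders every role with the names of its principals. The text is also written
     * to the log at FINER, so calling this has a logging side effect.
     */
    @Override
    public String toString() {
        StringBuilder sb = new StringBuilder("RoleMapper:");
        Iterator<String> roles = getRoles();
        while (roles.hasNext()) {
            String roleName = roles.next();
            sb.append("\n\tRole (").append(roleName).append(") has Principals(");
            for (Principal principal : this.roleToSubject.get(roleName).getPrincipals()) {
                sb.append(principal.getName()).append(" ");
            }
            sb.append(")");
        }
        String text = sb.toString();
        if (_logger.isLoggable(Level.FINER)) {
            _logger.log(Level.FINER, text);
        }
        return text;
    }

    /**
     * Copies the merged mappings of another mapper. The group and user sets receive
     * fresh same-named copies, while the Subjects receive the source's own principal
     * objects. The copy has no security service and no default principal class, so
     * {@link #isDefaultRTSMActivated()} is false for it. Mappings still buffered in
     * the source are not copied, because {@code getRoles()} does not merge them.
     *
     * @param roleMapper the mapper to copy from
     */
    public RoleMapper(RoleMapper roleMapper) {
        this.appName = roleMapper.getName();
        Iterator<String> roles = roleMapper.getRoles();
        while (roles.hasNext()) {
            String roleName = roles.next();

            Set<Group> groupCopies = new HashSet<>();
            Enumeration<Group> groups = roleMapper.getGroupsAssignedTo(new Role(roleName));
            while (groups.hasMoreElements()) {
                Group group = groups.nextElement();
                groupCopies.add(new Group(group.getName()));
                addRoleToPrincipal(group, roleName);
            }
            this.roleToGroup.put(roleName, groupCopies);

            Set<Principal> userCopies = new HashSet<>();
            Enumeration<Principal> users = roleMapper.getUsersAssignedTo(new Role(roleName));
            while (users.hasMoreElements()) {
                // NOTE(review): this cast throws ClassCastException if the source
                // holds any other non-group Principal type; confirm only
                // PrincipalImpl can reach roleToPrincipal.
                PrincipalImpl user = (PrincipalImpl) users.nextElement();
                userCopies.add(new PrincipalImpl(user.getName()));
                addRoleToPrincipal(user, roleName);
            }
            this.roleToPrincipal.put(roleName, userCopies);
        }
    }

    /**
     * Reads the principal class used for the default mapping from the security
     * service, defaulting to {@link Group} when none is configured.
     *
     * @return the class name, or {@code null} if reading the configuration failed
     */
    private String getDefaultP2RMappingClassName() {
        try {
            String className = null;
            if (this.secService != null) {
                className = this.secService.getMappedPrincipalClass();
            }
            if (className == null || "".equals(className)) {
                className = Group.class.getName();
            }
            return className;
        } catch (Exception e) {
            // Pass the exception as well, so the stack trace is not lost.
            _logger.log(Level.SEVERE, "pc.getDefaultP2RMappingClass: " + e, e);
            return null;
        }
    }

    /**
     * Names the owner of a descriptor: {@code TOP_LEVEL} for an application,
     * otherwise the module's archive URI.
     *
     * @throws AssertionError if the descriptor is neither an application nor a module
     */
    private String getModuleID(RootDeploymentDescriptor rootDeploymentDescriptor) {
        if (rootDeploymentDescriptor.isApplication()) {
            return TOP_LEVEL;
        }
        if (rootDeploymentDescriptor.getModuleDescriptor() != null) {
            return rootDeploymentDescriptor.getModuleDescriptor().getArchiveUri();
        }
        throw new AssertionError(rootDeploymentDescriptor.getClass() + " is not a known descriptor type");
    }

    /**
     * Merges the buffered mapping into the role tables and clears the buffer.
     *
     * <p>A role already claimed by the top-level descriptor is never changed by a
     * module. A top-level role replaces whatever a module registered earlier. A
     * module role that conflicts with an earlier module is cleared first.
     */
    private void checkAndAddMappings() {
        if (this.currentMapping == null) {
            return;
        }
        final boolean fromTopLevel = this.currentMapping.owner.equals(TOP_LEVEL);
        for (Role role : this.currentMapping.getRoles()) {
            if (this.topLevelRoles != null && this.topLevelRoles.contains(role)) {
                logConflictWarning();
                if (_logger.isLoggable(Level.FINE)) {
                    _logger.log(Level.FINE, "Role " + role + " from module " + this.currentMapping.owner + " is being overridden by top-level mapping.");
                }
                continue;
            }
            if (fromTopLevel) {
                // assignRole creates this set for top-level owners. Create it here as
                // well, so a missing set does not end in a NullPointerException.
                if (this.topLevelRoles == null) {
                    this.topLevelRoles = new HashSet<>();
                }
                this.topLevelRoles.add(role);
                if (this.roleToSubject.containsKey(role.getName())) {
                    logConflictWarning();
                    if (_logger.isLoggable(Level.FINE)) {
                        _logger.log(Level.FINE, "Role " + role + " from top-level mapping descriptor is overriding existing role in sub module.");
                    }
                    unassignRole(role);
                }
            } else if (roleConflicts(role, this.currentMapping.getPrincipals(role))) {
                logConflictWarning();
                // NOTE(review): after the role is cleared, the loop below fills it
                // again from the conflicting module, so the last module read wins.
                // Confirm that is the intended resolution for an authorization conflict.
                unassignRole(role);
            }
            for (Principal principal : this.currentMapping.getPrincipals(role)) {
                internalAssignRole(principal, role);
            }
        }
        this.currentMapping = null;
    }

    /**
     * Decides whether a module's principals for {@code role} differ from those
     * already registered, and remembers roles found to conflict.
     *
     * @param role the role being merged
     * @param set the principals the current module maps to the role
     * @return {@code true} if the role is in conflict
     */
    private boolean roleConflicts(Role role, Set<Principal> set) {
        if (this.conflictedRoles != null && this.conflictedRoles.contains(role)) {
            if (_logger.isLoggable(Level.FINE)) {
                _logger.log(Level.FINE, "Role " + role + " from module " + this.currentMapping.owner + " has already had a conflict with other modules.");
            }
            return true;
        }
        if (!this.roleToSubject.containsKey(role.getName())) {
            return false;
        }
        Set<Principal> knownUsers = this.roleToPrincipal.get(role.getName());
        Set<Group> knownGroups = this.roleToGroup.get(role.getName());
        int knownCount = (knownUsers == null ? 0 : knownUsers.size())
                + (knownGroups == null ? 0 : knownGroups.size());
        if (set.size() != knownCount) {
            if (_logger.isLoggable(Level.FINE)) {
                _logger.log(Level.FINE, "Module " + this.currentMapping.owner + " has different number of mappings for role " + role.getName() + " than other mapping files");
            }
            markConflicted(role);
            return true;
        }
        for (Principal principal : set) {
            // NOTE(review): a missing set counts as "no mismatch". Equal numbers of
            // users on one side and groups on the other therefore pass this check,
            // and the principals are merged. Confirm this is intended.
            boolean missing;
            if (principal instanceof Group) {
                missing = knownGroups != null && !knownGroups.contains(principal);
            } else {
                missing = knownUsers != null && !knownUsers.contains(principal);
            }
            if (missing) {
                if (_logger.isLoggable(Level.FINE)) {
                    _logger.log(Level.FINE, "Role " + role + " in module " + this.currentMapping.owner + " is not included in other modules.");
                }
                markConflicted(role);
                return true;
            }
        }
        return false;
    }

    /** Remembers {@code role} as conflicted, creating the set on first use. */
    private void markConflicted(Role role) {
        if (this.conflictedRoles == null) {
            this.conflictedRoles = new HashSet<>();
        }
        this.conflictedRoles.add(role);
    }

    /** Logs the role-mapping conflict warning once for this mapper. */
    private void logConflictWarning() {
        if (this.conflictLogged) {
            return;
        }
        _logger.log(Level.WARNING, "java_security.role_mapping_conflict", getName());
        this.conflictLogged = true;
    }

    /** Hook called at the end of the name-based constructor; currently empty. */
    private void postConstruct() {
    }
}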
