package org.omnifaces.exousia;

import java.net.URL;
import java.security.CodeSource;
import java.security.Permission;
import java.security.Permissions;
import java.security.Policy;
import java.security.Principal;
import java.security.ProtectionDomain;
import java.security.cert.Certificate;
import java.util.Collection;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.function.Supplier;
import javax.security.auth.Subject;
import javax.security.jacc.PolicyConfiguration;
import javax.security.jacc.PolicyConfigurationFactory;
import javax.security.jacc.PolicyContext;
import javax.security.jacc.PolicyContextException;
import javax.security.jacc.WebResourcePermission;
import javax.security.jacc.WebUserDataPermission;
import javax.servlet.http.HttpServletRequest;
import org.jboss.shrinkwrap.impl.base.asset.AssetUtil;
import org.omnifaces.exousia.constraints.SecurityConstraint;
import org.omnifaces.exousia.constraints.transformer.ConstraintsToPermissionsTransformer;
import org.omnifaces.exousia.permissions.JakartaPermissions;
import org.omnifaces.exousia.permissions.RolesToPermissionsTransformer;
import org.omnifaces.exousia.spi.PrincipalMapper;

/* loaded from: input_file:org/omnifaces/exousia/AuthorizationService.class */
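/**
 * Facade over the JACC (Jakarta Authorization) machinery: it installs a
 * {@link PolicyConfigurationFactory} and a {@link Policy}, loads security constraints
 * into a {@link PolicyConfiguration}, and answers permission checks for HTTP requests.
 *
 * <p><strong>Process-wide side effects.</strong> Constructing an instance sets a JVM system
 * property, replaces the JVM-wide {@link Policy} and (re-)registers global
 * {@link PolicyContext} handlers. A later instance therefore overrides the authorization
 * state installed by an earlier one for every application in the same JVM.
 */
public class AuthorizationService {
    /** Policy context handler key under which the current HTTP request is exposed. */
    public static final String HTTP_SERVLET_REQUEST = "javax.servlet.http.HttpServletRequest";
    /** Policy context handler key under which the container (caller) subject is exposed. */
    public static final String SUBJECT = "javax.security.auth.Subject.container";
    /** System property naming the {@link PolicyConfigurationFactory} implementation class. */
    public static final String FACTORY = "javax.security.jacc.PolicyConfigurationFactory.provider";
    /** Policy context handler key under which the optional {@link PrincipalMapper} is exposed. */
    public static final String PRINCIPAL_MAPPER = "jakarta.authorization.PrincipalMapper.provider";
    private final Policy policy;
    private final PolicyConfigurationFactory factory;
    private final PolicyConfiguration policyConfiguration;
    // Code source without location or certificates: decisions depend on principals only.
    private final CodeSource emptyCodeSource;
    // Protection domain without principals; used for "anonymous caller" checks.
    private final ProtectionDomain emptyProtectionDomain;

    /**
     * Creates the service without a {@link PrincipalMapper}; the handler registered for
     * {@link #PRINCIPAL_MAPPER} will then supply {@code null}.
     *
     * @param cls       factory implementation class; its name is written to the {@link #FACTORY} system property
     * @param cls2      policy implementation class; instantiated and installed as the JVM-wide policy
     * @param str       policy context id
     * @param supplier  supplies the current HTTP request to the policy context
     * @param supplier2 supplies the current caller subject to the policy context
     * @throws IllegalStateException if the factory or policy cannot be created or a handler cannot be registered
     */
    public AuthorizationService(Class<?> cls, Class<? extends Policy> cls2, String str, Supplier<HttpServletRequest> supplier, Supplier<Subject> supplier2) {
        this(cls, cls2, str, supplier, supplier2, null);
    }

    /**
     * Creates the service and installs it as the authorization provider of this JVM.
     *
     * @param cls             factory implementation class; its name is written to the {@link #FACTORY} system property
     * @param cls2            policy implementation class; instantiated and installed as the JVM-wide policy
     * @param str             policy context id
     * @param supplier        supplies the current HTTP request to the policy context
     * @param supplier2       supplies the current caller subject to the policy context
     * @param principalMapper mapper exposed under {@link #PRINCIPAL_MAPPER}; may be {@code null}
     * @throws IllegalStateException if the factory or policy cannot be created or a handler cannot be registered
     */
    public AuthorizationService(Class<?> cls, Class<? extends Policy> cls2, String str, Supplier<HttpServletRequest> supplier, Supplier<Subject> supplier2, PrincipalMapper principalMapper) {
        this.emptyCodeSource = new CodeSource((URL) null, (Certificate[]) null);
        this.emptyProtectionDomain = newProtectionDomain(null);
        try {
            // JVM-wide: selects which factory getPolicyConfigurationFactory() resolves below.
            System.setProperty(FACTORY, cls.getName());
            this.factory = PolicyConfigurationFactory.getPolicyConfigurationFactory();
            // 'false': existing policy statements of this context are not removed.
            this.policyConfiguration = this.factory.getPolicyConfiguration(str, false);
            // JVM-wide: replaces whatever Policy was installed before. Only trusted
            // bootstrap code should be able to reach this constructor.
            Policy.setPolicy(cls2.newInstance());
            this.policy = Policy.getPolicy();
            PolicyContext.setContextID(str);
            // 'true': replace a handler already registered under the same key.
            PolicyContext.registerHandler(HTTP_SERVLET_REQUEST, new DefaultPolicyContextHandler(HTTP_SERVLET_REQUEST, supplier), true);
            PolicyContext.registerHandler(SUBJECT, new DefaultPolicyContextHandler(SUBJECT, supplier2), true);
            PolicyContext.registerHandler(PRINCIPAL_MAPPER, new DefaultPolicyContextHandler(PRINCIPAL_MAPPER, () -> principalMapper), true);
        } catch (ClassNotFoundException | IllegalAccessException | InstantiationException | PolicyContextException e) {
            throw new IllegalStateException(e);
        }
    }

    /**
     * Translates security constraints into permissions, adds them to the policy
     * configuration (excluded, unchecked and per-role) and commits the configuration.
     *
     * @param list       security constraints to translate
     * @param set        role names passed to both transformers (presumably the declared roles; confirm against the transformers)
     * @param z          flag forwarded to {@code createResourceAndDataPermissions} (presumably "deny uncovered HTTP methods"; confirm)
     * @param collection names forwarded to {@code createWebRoleRefPermission} (presumably servlet names; confirm)
     * @throws IllegalStateException if the policy configuration rejects a statement or the commit
     */
    public void addConstraintsToPolicy(List<SecurityConstraint> list, Set<String> set, boolean z, Collection<String> collection) {
        try {
            JakartaPermissions permissions = ConstraintsToPermissionsTransformer.createResourceAndDataPermissions(set, z, list);
            this.policyConfiguration.addToExcludedPolicy(permissions.getExcluded());
            this.policyConfiguration.addToUncheckedPolicy(permissions.getUnchecked());
            for (Map.Entry<String, Permissions> rolePermissions : permissions.getPerRole().entrySet()) {
                this.policyConfiguration.addToRole(rolePermissions.getKey(), rolePermissions.getValue());
            }
            for (Map.Entry<String, Permissions> roleRefPermissions : RolesToPermissionsTransformer.createWebRoleRefPermission(set, collection).entrySet()) {
                this.policyConfiguration.addToRole(roleRefPermissions.getKey(), roleRefPermissions.getValue());
            }
            this.policyConfiguration.commit();
        } catch (PolicyContextException e) {
            throw new IllegalStateException(e);
        }
    }

    /**
     * Returns the policy configuration obtained for the context id given at construction.
     *
     * @return the live policy configuration, not a copy; callers holding it can change policy statements
     */
    public PolicyConfiguration getPolicyConfiguration() {
        return this.policyConfiguration;
    }

    /**
     * Checks the {@link WebUserDataPermission} of the request against the policy,
     * using a protection domain without principals.
     *
     * @param httpServletRequest the request to check
     * @return {@code true} if the policy implies the permission
     */
    public boolean checkWebUserDataPermission(HttpServletRequest httpServletRequest) {
        return checkPermission(new WebUserDataPermission(httpServletRequest));
    }

    /**
     * Checks whether the requested resource is accessible without any caller principals,
     * i.e. whether it is public.
     *
     * @param httpServletRequest the request to check
     * @return {@code true} if the policy implies the permission for a caller without principals
     */
    public boolean checkPublicWebResourcePermission(HttpServletRequest httpServletRequest) {
        return checkPermission(new WebResourcePermission(getConstrainedURI(httpServletRequest), httpServletRequest.getMethod()));
    }

    /**
     * Checks whether the current caller, taken from the {@link #SUBJECT} policy context
     * handler, may access the requested resource.
     *
     * <p>When no subject is available (the handler yields {@code null}, e.g. for an
     * unauthenticated request) the check is made without principals, so only permissions
     * granted to every caller can succeed. Previously this case failed with a
     * {@link NullPointerException} instead of producing an authorization decision.
     *
     * @param httpServletRequest the request to check
     * @return {@code true} if the policy implies the permission for the caller's principals
     * @throws IllegalStateException if the subject cannot be obtained from the policy context
     */
    public boolean checkWebResourcePermission(HttpServletRequest httpServletRequest) {
        try {
            WebResourcePermission permission = new WebResourcePermission(getConstrainedURI(httpServletRequest), httpServletRequest.getMethod());
            Subject subject = (Subject) PolicyContext.getContext(SUBJECT);
            // Fail closed: a missing subject is evaluated as a caller with no principals.
            Set<Principal> principals = subject == null ? null : subject.getPrincipals();
            return checkPermission(permission, principals);
        } catch (PolicyContextException e) {
            throw new IllegalStateException(e);
        }
    }

    /** Asks the policy whether a caller without principals holds the permission. */
    boolean checkPermission(Permission permission) {
        return this.policy.implies(this.emptyProtectionDomain, permission);
    }

    /**
     * Asks the policy whether a caller with the given principals holds the permission.
     *
     * @param set the caller's principals; {@code null} is treated as "no principals"
     */
    boolean checkPermission(Permission permission, Set<Principal> set) {
        return this.policy.implies(newProtectionDomain(set), permission);
    }

    /** Builds a protection domain that carries only the given principals (or none for {@code null}). */
    private ProtectionDomain newProtectionDomain(Set<Principal> set) {
        Principal[] principals = set == null ? null : set.toArray(new Principal[0]);
        return new ProtectionDomain(this.emptyCodeSource, null, null, principals);
    }

    /**
     * Converts the request's context-relative URI into the name used for a
     * {@link WebResourcePermission}: the bare delimiter path becomes the empty string and
     * every {@code ':'} is escaped as {@code %3A}, because the colon is the separator
     * inside JACC URL pattern specifications.
     */
    private String getConstrainedURI(HttpServletRequest httpServletRequest) {
        String relativeUri = getRequestRelativeURI(httpServletRequest);
        // NOTE(review): this constant comes from ShrinkWrap's implementation package and is
        // presumably "/"; it looks like a constant-resolution artefact - confirm and replace
        // with a local literal so production code does not depend on a packaging library.
        if (relativeUri.equals(AssetUtil.DELIMITER_RESOURCE_PATH)) {
            return "";
        }
        // Literal replacement; no regular expression is needed for a single character.
        return relativeUri.replace(":", "%3A");
    }

    /**
     * Strips the context path from the request URI.
     *
     * <p>Security note: {@code getRequestURI()} is the raw value from the request line; it
     * is not URL-decoded or normalized here, so path parameters, encoded characters and
     * dot-segments reach the permission check exactly as sent. The authorization decision
     * is only sound if the container has already canonicalized the URI, or dispatches on
     * the same form that is checked here. Also assumes the request URI starts with the
     * context path (TODO confirm for forwarded or rewritten requests).
     */
    private String getRequestRelativeURI(HttpServletRequest httpServletRequest) {
        int contextPathLength = httpServletRequest.getContextPath().length();
        return httpServletRequest.getRequestURI().substring(contextPathLength);
    }
}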
