package org.jboss.as.remoting;

import java.io.IOException;
import java.util.Collection;
import java.util.HashSet;
import java.util.LinkedList;
import javax.net.ssl.SSLContext;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.sasl.AuthorizeCallback;
import javax.security.sasl.RealmCallback;
import javax.security.sasl.SaslException;
import org.jboss.as.domain.management.SecurityRealm;
import org.jboss.as.domain.management.security.DomainCallbackHandler;
import org.jboss.remoting3.Remoting;
import org.jboss.remoting3.security.ServerAuthenticationProvider;
import org.jboss.sasl.callback.DigestHashCallback;
import org.jboss.sasl.callback.VerifyPasswordCallback;
import org.xnio.Option;
import org.xnio.OptionMap;
import org.xnio.Options;
import org.xnio.Property;
import org.xnio.Sequence;
import org.xnio.SslClientAuthMode;
import org.xnio.Xnio;
import org.xnio.ssl.JsseXnioSsl;
import org.xnio.ssl.XnioSsl;

/* loaded from: input_file:org/jboss/as/remoting/RealmSecurityProvider.class */
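/**
 * Derives the Remoting SASL/SSL configuration and the server-side callback handlers from an
 * optional {@link SecurityRealm}.
 *
 * <p>Mechanism selection as implemented below:
 * <ul>
 *   <li>{@code JBOSS-LOCAL-USER} is always offered.</li>
 *   <li>{@code DIGEST-MD5} is offered when the realm's callback handler supports the required
 *       callbacks; otherwise {@code PLAIN} is offered when its callbacks are supported.</li>
 *   <li>{@code ANONYMOUS} is offered only when no realm is configured at all. A realm with no
 *       usable mechanism is rejected with {@link IllegalStateException}, so a misconfigured
 *       realm never silently degrades to unauthenticated access.</li>
 *   <li>{@code EXTERNAL} is placed first when the realm has both an SSL context and a trust
 *       store.</li>
 * </ul>
 *
 * <p>Thread-safety: all fields are final and the class keeps no mutable state of its own; the
 * thread-safety of the realm and of the supplied callback handler is not visible from here.
 */
public class RealmSecurityProvider implements RemotingSecurityProvider {
    static final String REALM_PROPERTY = "com.sun.security.sasl.digest.realm";
    static final String PRE_DIGESTED_PROPERTY = "org.jboss.sasl.digest.pre_digested";
    static final String LOCAL_DEFAULT_USER = "jboss.sasl.local-user.default-user";
    static final String LOCAL_USER_CHALLENGE_PATH = "jboss.sasl.local-user.challenge-path";
    static final String ANONYMOUS = "ANONYMOUS";
    static final String DIGEST_MD5 = "DIGEST-MD5";
    static final String EXTERNAL = "EXTERNAL";
    static final String JBOSS_LOCAL_USER = "JBOSS-LOCAL-USER";
    static final String PLAIN = "PLAIN";
    // The only user name the JBOSS-LOCAL-USER handler accepts.
    private static final String DOLLAR_LOCAL = "$local";

    // May be null: a null realm means "no security realm configured".
    private final SecurityRealm realm;
    // Optional handler consulted before the realm's own handler for DIGEST-MD5 / PLAIN.
    private final CallbackHandler serverCallbackHandler;
    // Passed to the local-user mechanism as its challenge path when non-null.
    // NOTE(review): presumably the directory where the mechanism writes its challenge files; if
    // so, the filesystem permissions on it gate who can authenticate as $local. Confirm.
    private final String tokensDir;

    /**
     * Transport security level derived from the realm.
     *
     * <p>The decompiler reported that this enum was originally declared {@code private}.
     */
    public enum SslMode {
        /** No SSL context available: SSL is disabled. */
        OFF,
        /** SSL context available but no trust store: encryption only. */
        TRANSPORT_ONLY,
        /** SSL context and trust store available: a client certificate is requested. */
        CLIENT_AUTH_REQUESTED
    }

    /**
     * Creates the provider.
     *
     * @param securityRealm the realm to authenticate against, or {@code null} for none
     * @param callbackHandler optional handler tried before the realm's handler, or {@code null}
     * @param str the local-user challenge path (tokens directory), or {@code null} to leave the
     *        property unset
     */
    public RealmSecurityProvider(SecurityRealm securityRealm, CallbackHandler callbackHandler, String str) {
        this.realm = securityRealm;
        this.serverCallbackHandler = callbackHandler;
        this.tokensDir = str;
    }

    /**
     * Builds the XNIO options describing the SASL mechanisms, SASL properties and SSL settings.
     *
     * @return the assembled option map
     * @throws IllegalStateException if a realm is configured but supports neither DIGEST-MD5 nor
     *         PLAIN
     */
    @Override
    public OptionMap getOptionMap() {
        // A list, because mechanism order is significant (EXTERNAL is inserted at the front).
        LinkedList<String> mechanisms = new LinkedList<String>();
        Collection<Property> saslProperties = new HashSet<Property>();
        OptionMap.Builder builder = OptionMap.builder();

        mechanisms.add(JBOSS_LOCAL_USER);
        // NOTE(review): the no-plaintext policy is switched off unconditionally, before the SSL
        // mode is known. A realm that supports PLAIN but has no SSL context therefore offers
        // PLAIN with SSL_ENABLED=false; confirm the transport is protected some other way in
        // such deployments, or that this combination is rejected elsewhere.
        builder.set(Options.SASL_POLICY_NOPLAINTEXT, false);
        saslProperties.add(Property.of(LOCAL_DEFAULT_USER, DOLLAR_LOCAL));
        if (this.tokensDir != null) {
            saslProperties.add(Property.of(LOCAL_USER_CHALLENGE_PATH, this.tokensDir));
        }

        if (digestMd5Supported()) {
            // DIGEST-MD5 was moved to Historic status by RFC 6331; it is kept here because it is
            // what the realm callbacks are able to serve.
            mechanisms.add(DIGEST_MD5);
            saslProperties.add(Property.of(REALM_PROPERTY, this.realm.getName()));
            if (contains(DigestHashCallback.class, this.realm.getCallbackHandler().getSupportedCallbacks())) {
                // The realm can hand out a stored hash rather than a clear-text password.
                saslProperties.add(Property.of(PRE_DIGESTED_PROPERTY, Boolean.TRUE.toString()));
            }
        } else if (plainSupported()) {
            mechanisms.add(PLAIN);
        } else {
            if (this.realm != null) {
                // Fail closed: never fall back to ANONYMOUS when a realm was asked for.
                throw new IllegalStateException("A security realm has been specified but no supported mechanism identified.");
            }
            mechanisms.add(ANONYMOUS);
            builder.set(Options.SASL_POLICY_NOANONYMOUS, false);
        }

        switch (getSslMode()) {
            case OFF:
                builder.set(Options.SSL_ENABLED, false);
                break;
            case TRANSPORT_ONLY:
                builder.set(Options.SSL_ENABLED, true);
                // NOTE(review): with STARTTLS the upgrade happens after connect; whether
                // authentication is refused before the upgrade is not decided in this class.
                builder.set(Options.SSL_STARTTLS, true);
                break;
            case CLIENT_AUTH_REQUESTED:
                builder.set(Options.SSL_ENABLED, true);
                builder.set(Options.SSL_STARTTLS, true);
                // Prefer certificate-based authentication. The certificate is requested, not
                // required, so the password mechanisms added above remain available.
                mechanisms.add(0, EXTERNAL);
                builder.set(Options.SSL_CLIENT_AUTH_MODE, SslClientAuthMode.REQUESTED);
                break;
        }

        builder.set(Options.SASL_MECHANISMS, Sequence.of(mechanisms));
        builder.set(Options.SASL_PROPERTIES, Sequence.of(saslProperties));
        return builder.getMap();
    }

    /**
     * Returns a provider that resolves callback handlers through
     * {@link #getCallbackHandler(String)}.
     *
     * @return the server authentication provider
     */
    @Override
    public ServerAuthenticationProvider getServerAuthenticationProvider() {
        return new ServerAuthenticationProvider() {
            @Override
            public CallbackHandler getCallbackHandler(String str) {
                return RealmSecurityProvider.this.getCallbackHandler(str);
            }
        };
    }

    /**
     * Wraps the realm's SSL context for XNIO.
     *
     * @return the XNIO SSL provider, or {@code null} when there is no realm or the realm has no
     *         SSL context
     */
    @Override
    public XnioSsl getXnioSsl() {
        if (this.realm == null) {
            return null;
        }
        SSLContext sslContext = this.realm.getSSLContext();
        if (sslContext == null) {
            return null;
        }
        return new JsseXnioSsl(Xnio.getInstance(Remoting.class.getClassLoader()), OptionMap.EMPTY, sslContext);
    }

    /**
     * Selects the callback handler for a SASL mechanism.
     *
     * @param str the SASL mechanism name
     * @return the handler for that mechanism, or {@code null} when the mechanism is not
     *         supported by this configuration (including ANONYMOUS while a realm is configured)
     */
    public CallbackHandler getCallbackHandler(String str) {
        // ANONYMOUS is honoured only when no realm is configured.
        if (ANONYMOUS.equals(str) && this.realm == null) {
            return new CallbackHandler() {
                @Override
                public void handle(Callback[] callbackArr) throws IOException, UnsupportedCallbackException {
                    if (callbackArr.length > 0) {
                        throw new UnsupportedCallbackException(callbackArr[0], "ANONYMOUS mechanism so not expecting a callback");
                    }
                }
            };
        }

        if (JBOSS_LOCAL_USER.equals(str)) {
            // This handler only constrains the identity; it performs no proof-of-locality check
            // itself. NOTE(review): presumably the mechanism does that via the challenge path.
            return new CallbackHandler() {
                @Override
                public void handle(Callback[] callbackArr) throws IOException, UnsupportedCallbackException {
                    for (Callback callback : callbackArr) {
                        if (callback instanceof NameCallback) {
                            if (!DOLLAR_LOCAL.equals(((NameCallback) callback).getDefaultName())) {
                                throw new SaslException("Only $local user is acceptable.");
                            }
                        } else if (callback instanceof AuthorizeCallback) {
                            authorizeSameIdentity((AuthorizeCallback) callback);
                        } else {
                            throw new UnsupportedCallbackException(callback);
                        }
                    }
                }
            };
        }

        if (EXTERNAL.equals(str)) {
            // Only the authorization decision is taken here. NOTE(review): validation of the
            // client certificate is presumably done by the SSL layer against the realm's trust
            // store before this handler is reached; verify.
            return new CallbackHandler() {
                @Override
                public void handle(Callback[] callbackArr) throws IOException, UnsupportedCallbackException {
                    for (Callback callback : callbackArr) {
                        if (!(callback instanceof AuthorizeCallback)) {
                            throw new UnsupportedCallbackException(callback);
                        }
                        authorizeSameIdentity((AuthorizeCallback) callback);
                    }
                }
            };
        }

        boolean realmBacked = (DIGEST_MD5.equals(str) && digestMd5Supported())
                || (PLAIN.equals(str) && plainSupported());
        if (!realmBacked) {
            return null;
        }

        // Non-null realm is guaranteed: both *Supported() checks return false without one.
        final DomainCallbackHandler realmHandler = this.realm.getCallbackHandler();
        if (this.serverCallbackHandler == null) {
            return realmHandler;
        }
        return new CallbackHandler() {
            @Override
            public void handle(Callback[] callbackArr) throws IOException, UnsupportedCallbackException {
                RealmSecurityProvider.this.serverCallbackHandler.handle(callbackArr);
                // NOTE(review): once the server handler has supplied a credential the realm
                // handler is skipped for the WHOLE array, including any AuthorizeCallback in it.
                // Authorization is then whatever the server handler decided; confirm intended.
                if (handled(callbackArr)) {
                    return;
                }
                realmHandler.handle(callbackArr);
            }

            /**
             * Reports whether the server handler produced a credential. Only the first
             * credential-type callback in the array is inspected.
             */
            private boolean handled(Callback[] callbackArr) {
                for (Callback callback : callbackArr) {
                    if (callback instanceof PasswordCallback) {
                        char[] password = ((PasswordCallback) callback).getPassword();
                        return password != null && password.length > 0;
                    }
                    if (callback instanceof VerifyPasswordCallback) {
                        return ((VerifyPasswordCallback) callback).isVerified();
                    }
                    if (callback instanceof DigestHashCallback) {
                        return ((DigestHashCallback) callback).getHash() != null;
                    }
                }
                return false;
            }
        };
    }

    /**
     * Authorizes only when the authentication and authorization identities are equal, i.e. no
     * acting on behalf of another identity. A missing authentication ID is treated as "not
     * authorized" instead of raising a {@link NullPointerException} inside the SASL exchange.
     */
    private static void authorizeSameIdentity(AuthorizeCallback authorizeCallback) {
        String authenticationId = authorizeCallback.getAuthenticationID();
        authorizeCallback.setAuthorized(
                authenticationId != null && authenticationId.equals(authorizeCallback.getAuthorizationID()));
    }

    /** Derives the SSL mode from the presence of an SSL context and a trust store. */
    private SslMode getSslMode() {
        if (this.realm == null || this.realm.getSSLContext() == null) {
            return SslMode.OFF;
        }
        return this.realm.hasTrustStore() ? SslMode.CLIENT_AUTH_REQUESTED : SslMode.TRANSPORT_ONLY;
    }

    /**
     * DIGEST-MD5 needs name, realm and authorize callbacks plus either a password or a
     * pre-computed digest hash.
     */
    private boolean digestMd5Supported() {
        if (this.realm == null) {
            return false;
        }
        Class<?>[] supported = this.realm.getCallbackHandler().getSupportedCallbacks();
        return contains(NameCallback.class, supported)
                && contains(RealmCallback.class, supported)
                && (contains(PasswordCallback.class, supported) || contains(DigestHashCallback.class, supported))
                && contains(AuthorizeCallback.class, supported);
    }

    /** PLAIN needs name, verify-password and authorize callbacks. */
    private boolean plainSupported() {
        if (this.realm == null) {
            return false;
        }
        Class<?>[] supported = this.realm.getCallbackHandler().getSupportedCallbacks();
        return contains(NameCallback.class, supported)
                && contains(VerifyPasswordCallback.class, supported)
                && contains(AuthorizeCallback.class, supported);
    }

    /** Exact-class membership test (no subclass matching). */
    private static boolean contains(Class<?> cls, Class<?>[] clsArr) {
        for (Class<?> candidate : clsArr) {
            if (candidate.equals(cls)) {
                return true;
            }
        }
        return false;
    }
}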
