package org.apache.geronimo.security.deployment;

import java.net.URL;
import java.security.Principal;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.jar.JarFile;
import javax.xml.namespace.QName;
import org.apache.geronimo.common.DeploymentException;
import org.apache.geronimo.deployment.DeploymentContext;
import org.apache.geronimo.deployment.ModuleIDBuilder;
import org.apache.geronimo.deployment.NamespaceDrivenBuilder;
import org.apache.geronimo.deployment.service.EnvironmentBuilder;
import org.apache.geronimo.deployment.service.SingleGBeanBuilder;
import org.apache.geronimo.deployment.xmlbeans.XmlBeansUtil;
import org.apache.geronimo.gbean.AbstractName;
import org.apache.geronimo.gbean.AbstractNameQuery;
import org.apache.geronimo.gbean.GBeanData;
import org.apache.geronimo.gbean.GBeanLifecycle;
import org.apache.geronimo.gbean.annotation.GBean;
import org.apache.geronimo.gbean.annotation.ParamAttribute;
import org.apache.geronimo.j2ee.deployment.EARContext;
import org.apache.geronimo.j2ee.deployment.Module;
import org.apache.geronimo.j2ee.deployment.ModuleBuilderExtension;
import org.apache.geronimo.kernel.GBeanAlreadyExistsException;
import org.apache.geronimo.kernel.Naming;
import org.apache.geronimo.kernel.config.ConfigurationStore;
import org.apache.geronimo.kernel.repository.Artifact;
import org.apache.geronimo.kernel.repository.Environment;
import org.apache.geronimo.schema.ElementConverter;
import org.apache.geronimo.schema.NamespaceElementConverter;
import org.apache.geronimo.schema.SchemaConversionUtils;
import org.apache.geronimo.schema.SecurityElementConverter;
import org.apache.geronimo.security.credentialstore.CredentialStore;
import org.apache.geronimo.security.deploy.PrincipalInfo;
import org.apache.geronimo.security.deploy.SubjectInfo;
import org.apache.geronimo.security.jacc.ApplicationPolicyConfigurationManager;
import org.apache.geronimo.security.jacc.ComponentPermissions;
import org.apache.geronimo.security.jacc.PrincipalRoleMapper;
import org.apache.geronimo.security.jacc.mappingprovider.ApplicationPrincipalRoleConfigurationManager;
import org.apache.geronimo.security.util.ConfigurationUtil;
import org.apache.geronimo.xbeans.geronimo.j2ee.GerSecurityDocument;
import org.apache.geronimo.xbeans.geronimo.security.GerLoginDomainPrincipalType;
import org.apache.geronimo.xbeans.geronimo.security.GerPrincipalType;
import org.apache.geronimo.xbeans.geronimo.security.GerRealmPrincipalType;
import org.apache.geronimo.xbeans.geronimo.security.GerRoleMappingsType;
import org.apache.geronimo.xbeans.geronimo.security.GerRoleType;
import org.apache.geronimo.xbeans.geronimo.security.GerSecurityRefDocument;
import org.apache.geronimo.xbeans.geronimo.security.GerSecurityRefType;
import org.apache.geronimo.xbeans.geronimo.security.GerSecurityType;
import org.apache.geronimo.xbeans.geronimo.security.GerSubjectInfoType;
import org.apache.xmlbeans.QNameSet;
import org.apache.xmlbeans.XmlException;
import org.apache.xmlbeans.XmlObject;

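@GBean(j2eeType = "ModuleBuilder")
/**
 * Deploys the Geronimo {@code security} and {@code security-ref} plan elements.
 *
 * <p>For each {@code security} element it builds the application's {@link SecurityConfiguration}
 * and a RoleMapper gbean holding the principal-to-role map, run-as subjects and default subject
 * declared in the plan; a {@code security-ref} instead points the application at an existing
 * role mapper. At {@link #addGBeans} time the recorded role mapper (or the configured default)
 * is wired into a JACC manager gbean for the ear.
 *
 * <p>The principal class names in the plan are handed, together with the deployment class
 * loader, to {@link ConfigurationUtil}; the plan is therefore trusted deployer input.
 */
public class GeronimoSecurityBuilderImpl implements NamespaceDrivenBuilder, ModuleBuilderExtension, GBeanLifecycle {
    /** Current security plan namespace; older security namespaces are rewritten to it (see NAMESPACE_UPDATES). */
    public static final String GERONIMO_SECURITY_NAMESPACE = "http://geronimo.apache.org/xml/ns/security-2.0";
    /** Key under which the selected role-mapper query is kept in the EARContext general data. */
    private static final String ROLE_MAPPER_DATA_NAME = "roleMapperDataName";
    /** Element converters registered with SchemaConversionUtils while this builder is running. */
    private static final Map<String, ElementConverter> GERONIMO_SCHEMA_CONVERSIONS;
    /** Credential store the RoleMapper gbean references when the plan does not name one. */
    private final AbstractNameQuery defaultCredentialStoreName;
    /** Role mapper wired to the JACC manager when the ear recorded no role mapper of its own. */
    private final AbstractNameQuery defaultRoleMappingName;
    /** Environment merged into the application's environment when the default role mapper is used. */
    private final Environment defaultEnvironment;
    private static final QName BASE_SECURITY_QNAME = GerSecurityDocument.type.getDocumentElementName();
    private static final QName SECURITY_QNAME = org.apache.geronimo.xbeans.geronimo.security.GerSecurityDocument.type.getDocumentElementName();
    private static final QName SECURITY_REF_QNAME = GerSecurityRefDocument.type.getDocumentElementName();
    /** The plan elements this builder handles: {@code security} and {@code security-ref}. */
    private static final QNameSet SECURITY_QNAME_SET = QNameSet.forArray(new QName[]{SECURITY_QNAME, SECURITY_REF_QNAME});
    /** Old namespace URI to its replacement, registered with XmlBeansUtil while running. */
    private static final Map<String, String> NAMESPACE_UPDATES = new HashMap<String, String>();

    static {
        NAMESPACE_UPDATES.put("http://geronimo.apache.org/xml/ns/loginconfig", "http://geronimo.apache.org/xml/ns/loginconfig-2.0");
        NAMESPACE_UPDATES.put("http://geronimo.apache.org/xml/ns/loginconfig-1.1", "http://geronimo.apache.org/xml/ns/loginconfig-2.0");
        NAMESPACE_UPDATES.put("http://geronimo.apache.org/xml/ns/loginconfig-1.2", "http://geronimo.apache.org/xml/ns/loginconfig-2.0");
        NAMESPACE_UPDATES.put("http://geronimo.apache.org/xml/ns/security", "http://geronimo.apache.org/xml/ns/security-1.2");
        NAMESPACE_UPDATES.put("http://geronimo.apache.org/xml/ns/security-1.1", GERONIMO_SECURITY_NAMESPACE);
        NAMESPACE_UPDATES.put("http://geronimo.apache.org/xml/ns/security-1.2", GERONIMO_SECURITY_NAMESPACE);
        GERONIMO_SCHEMA_CONVERSIONS = new HashMap<String, ElementConverter>();
        GERONIMO_SCHEMA_CONVERSIONS.put("security", new SecurityElementConverter());
        GERONIMO_SCHEMA_CONVERSIONS.put("security-ref", new NamespaceElementConverter(GERONIMO_SECURITY_NAMESPACE));
        GERONIMO_SCHEMA_CONVERSIONS.put("default-subject", new NamespaceElementConverter(GERONIMO_SECURITY_NAMESPACE));
    }

    /**
     * Creates the builder with the fallbacks used when a plan omits the corresponding element.
     *
     * @param abstractNameQuery  credential store referenced when the plan has no credential-store-ref
     * @param abstractNameQuery2 role mapper used when the ear defines neither security nor security-ref
     * @param environment        environment merged into the application when the default role mapper is used
     */
    public GeronimoSecurityBuilderImpl(@ParamAttribute(name = "credentialStoreName") AbstractNameQuery abstractNameQuery, @ParamAttribute(name = "defaultRoleMappingName") AbstractNameQuery abstractNameQuery2, @ParamAttribute(name = "defaultEnvironment") Environment environment) {
        this.defaultCredentialStoreName = abstractNameQuery;
        this.defaultRoleMappingName = abstractNameQuery2;
        this.defaultEnvironment = environment;
    }

    /** Registers the namespace rewrites and element converters for the lifetime of this gbean. */
    public void doStart() {
        XmlBeansUtil.registerNamespaceUpdates(NAMESPACE_UPDATES);
        SchemaConversionUtils.registerNamespaceConversions(GERONIMO_SCHEMA_CONVERSIONS);
    }

    /** Undoes {@link #doStart()}. */
    public void doStop() {
        XmlBeansUtil.unregisterNamespaceUpdates(NAMESPACE_UPDATES);
        SchemaConversionUtils.unregisterNamespaceConversions(GERONIMO_SCHEMA_CONVERSIONS);
    }

    /** Failure is handled like a stop: the registrations are removed. */
    public void doFail() {
        doStop();
    }

    /** Nothing to do in this phase; this extension only contributes in {@link #addGBeans}. */
    public void createModule(Module module, Object obj, JarFile jarFile, String str, URL url, Environment environment, Object obj2, AbstractName abstractName, Naming naming, ModuleIDBuilder moduleIDBuilder) throws DeploymentException {
    }

    /** Nothing to do in this phase; this extension only contributes in {@link #addGBeans}. */
    public void installModule(JarFile jarFile, EARContext eARContext, Module module, Collection collection, ConfigurationStore configurationStore, Collection collection2) throws DeploymentException {
    }

    /** Nothing to do in this phase; this extension only contributes in {@link #addGBeans}. */
    public void initContext(EARContext eARContext, Module module, ClassLoader classLoader) throws DeploymentException {
    }

    /**
     * Adds the JACC manager gbean for the ear if any module flagged the context as having security.
     *
     * @throws DeploymentException if the JACC manager gbean cannot be added
     */
    public void addGBeans(EARContext eARContext, Module module, ClassLoader classLoader, Collection collection) throws DeploymentException {
        buildJaccManager(eARContext);
    }

    /** The security plan contributes nothing to the environment. */
    public void buildEnvironment(XmlObject xmlObject, Environment environment) throws DeploymentException {
    }

    /**
     * Processes the {@code security} and {@code security-ref} children of the given plan element.
     *
     * <p>Each {@code security} element yields a RoleMapper gbean in {@code deploymentContext}; when the
     * context is an {@link EARContext} the security configuration and the role mapper name are recorded
     * on it as well. A single {@code security-ref} instead records a query for an external role mapper.
     *
     * @param xmlObject          the plan element whose children are inspected
     * @param deploymentContext  the application context receiving the gbeans
     * @param deploymentContext2 the module context (unused here)
     * @throws DeploymentException on an invalid element, more than one security-ref, or a duplicate
     *                             role mapper registration
     */
    public void build(XmlObject xmlObject, DeploymentContext deploymentContext, DeploymentContext deploymentContext2) throws DeploymentException {
        for (XmlObject securityElement : xmlObject.selectChildren(SECURITY_QNAME)) {
            try {
                GerSecurityType security = (GerSecurityType) XmlBeansUtil.typedCopy(securityElement, GerSecurityType.type);
                ClassLoader classLoader = deploymentContext.getClassLoader();
                boolean isEar = deploymentContext instanceof EARContext;
                if (isEar) {
                    ((EARContext) deploymentContext).setSecurityConfiguration(buildSecurityConfig(security));
                }
                // The RoleMapper gbean is always created; only an ear records which mapper to use.
                AbstractNameQuery roleMapperQuery = configureRoleMapper(deploymentContext, security, classLoader);
                if (isEar) {
                    setRoleMapperName(deploymentContext, roleMapperQuery);
                }
            } catch (XmlException e) {
                throw new DeploymentException("Could not validate security element", e);
            }
        }
        XmlObject[] securityRefs = xmlObject.selectChildren(SECURITY_REF_QNAME);
        if (securityRefs.length > 1) {
            throw new DeploymentException("Unexpected count of security-ref elements in geronimo plan " + securityRefs.length + " qname: " + SECURITY_REF_QNAME);
        }
        if (securityRefs.length == 1) {
            try {
                GerSecurityRefType securityRef = XmlBeansUtil.typedCopy(securityRefs[0], GerSecurityRefType.type);
                AbstractNameQuery roleMapperQuery;
                if (securityRef.isSetName()) {
                    // A bare name matches any PrincipalRoleMapper gbean with that name, in any artifact.
                    roleMapperQuery = new AbstractNameQuery((Artifact) null, Collections.singletonMap("name", securityRef.getName().trim()), PrincipalRoleMapper.class.getName());
                } else {
                    // NOTE(review): the interface filter here is CredentialStore although the query is later
                    // wired as the "PrincipalRoleMapper" reference in buildJaccManager -- confirm this is intended.
                    roleMapperQuery = SingleGBeanBuilder.buildAbstractNameQuery(securityRef.getRef(), "GBean", Collections.singleton(CredentialStore.class.getName()));
                }
                setRoleMapperName(deploymentContext, roleMapperQuery);
            } catch (XmlException e) {
                throw new DeploymentException("Could not validate security element", e);
            }
        }
    }

    /**
     * Records the role mapper query for the ear, allowing exactly one registration per context.
     *
     * @throws DeploymentException if the context is not an {@link EARContext} (a security-ref reaches
     *                             here unguarded) or a role mapper was already recorded
     */
    private void setRoleMapperName(DeploymentContext deploymentContext, AbstractNameQuery abstractNameQuery) throws DeploymentException {
        if (!(deploymentContext instanceof EARContext)) {
            // Reported as a deployment problem rather than the ClassCastException the cast below would raise.
            throw new DeploymentException("A role mapping reference can only be registered in an ear context, not " + deploymentContext.getClass().getName());
        }
        if (((EARContext) deploymentContext).getGeneralData().put(ROLE_MAPPER_DATA_NAME, abstractNameQuery) != null) {
            throw new DeploymentException("Only one role mapping or role mapping reference can be present in an ear");
        }
    }

    /**
     * Adds the JACC manager gbean, referencing the recorded role mapper or the configured default.
     *
     * <p>Does nothing unless the context is flagged as having security; the flag is cleared so that a
     * repeated call does not try to add a second manager.
     *
     * @throws DeploymentException if a JACC manager gbean is already present
     */
    private void buildJaccManager(EARContext eARContext) throws DeploymentException {
        if (!eARContext.isHasSecurity()) {
            return;
        }
        eARContext.setHasSecurity(false);
        AbstractNameQuery roleMapperQuery = (AbstractNameQuery) eARContext.getGeneralData().get(ROLE_MAPPER_DATA_NAME);
        if (roleMapperQuery == null) {
            // No security/security-ref in the plan: fall back to the default mapper and its environment.
            roleMapperQuery = this.defaultRoleMappingName;
            EnvironmentBuilder.mergeEnvironments(eARContext.getConfiguration().getEnvironment(), this.defaultEnvironment);
        }
        GBeanData jaccManager = configureApplicationPolicyManager(eARContext.getNaming(), eARContext.getModuleName(), eARContext.getContextIDToPermissionsMap());
        jaccManager.setReferencePattern("PrincipalRoleMapper", roleMapperQuery);
        try {
            eARContext.addGBean(jaccManager);
        } catch (GBeanAlreadyExistsException e) {
            throw new DeploymentException("JACC manager gbean already present", e);
        }
    }

    /**
     * Converts the plan's security element into the application's {@link SecurityConfiguration}.
     *
     * @return the configuration, or {@code null} when no element is given
     */
    private SecurityConfiguration buildSecurityConfig(GerSecurityType gerSecurityType) {
        if (gerSecurityType == null) {
            return null;
        }
        String defaultRole = gerSecurityType.isSetDefaultRole() ? gerSecurityType.getDefaultRole().trim() : null;
        return new SecurityConfiguration(defaultRole, gerSecurityType.getDoasCurrentCaller(), gerSecurityType.getUseContextHandler());
    }

    /** Adds {@code role} to the set of roles mapped to {@code principal}, creating the set on first use. */
    private void add(String role, Principal principal, Map<Principal, Set<String>> principalRoleMap) {
        Set<String> roles = principalRoleMap.get(principal);
        if (roles == null) {
            roles = new HashSet<String>();
            principalRoleMap.put(principal, roles);
        }
        roles.add(role);
    }

    /**
     * Converts a plan subject-info element (realm + id) into a {@link SubjectInfo}.
     *
     * @return the subject info, or {@code null} when no element is given
     */
    private SubjectInfo buildSubjectInfo(GerSubjectInfoType gerSubjectInfoType) {
        if (gerSubjectInfoType == null) {
            return null;
        }
        return new SubjectInfo(gerSubjectInfoType.getRealm().trim(), gerSubjectInfoType.getId().trim());
    }

    /** Builds a realm principal from the plan's realm, domain, class and name, resolved against the class loader. */
    private static Principal buildRealmPrincipal(GerRealmPrincipalType gerRealmPrincipalType, ClassLoader classLoader) {
        return ConfigurationUtil.generateRealmPrincipal(gerRealmPrincipalType.getRealmName().trim(), gerRealmPrincipalType.getDomainName().trim(), gerRealmPrincipalType.getClass1().trim(), gerRealmPrincipalType.getName().trim(), classLoader);
    }

    /** Builds a login-domain principal from the plan's domain, class and name, resolved against the class loader. */
    private static Principal buildDomainPrincipal(GerLoginDomainPrincipalType gerLoginDomainPrincipalType, ClassLoader classLoader) {
        return ConfigurationUtil.generateDomainPrincipal(gerLoginDomainPrincipalType.getDomainName().trim(), gerLoginDomainPrincipalType.getClass1().trim(), gerLoginDomainPrincipalType.getName().trim(), classLoader);
    }

    /** Builds a plain principal from the plan's class and name, resolved against the class loader. */
    private static Principal buildPrincipal(GerPrincipalType gerPrincipalType, ClassLoader classLoader) {
        return ConfigurationUtil.generatePrincipal(gerPrincipalType.getClass1().trim(), gerPrincipalType.getName().trim(), classLoader);
    }

    /**
     * Converts a plan principal element into a {@link PrincipalInfo} (class name and name, trimmed).
     *
     * @param xmlObject must be a {@link GerPrincipalType}
     */
    public PrincipalInfo buildPrincipal(XmlObject xmlObject) {
        GerPrincipalType gerPrincipalType = (GerPrincipalType) xmlObject;
        return new PrincipalInfo(gerPrincipalType.getClass1().trim(), gerPrincipalType.getName().trim());
    }

    /**
     * Builds and registers the RoleMapper gbean for a security element.
     *
     * <p>Collects, per role, the run-as subject and every realm, login-domain and plain principal
     * mapped to it, plus the default subject. The credential store reference is only set when a
     * run-as subject or a default subject exists, i.e. when the mapper has subjects to look up.
     *
     * @return a query resolving to the added gbean
     * @throws DeploymentException if a gbean with that name is already present
     */
    protected AbstractNameQuery configureRoleMapper(DeploymentContext deploymentContext, GerSecurityType gerSecurityType, ClassLoader classLoader) throws DeploymentException {
        Map<String, SubjectInfo> roleDesignates = new HashMap<String, SubjectInfo>();
        Map<Principal, Set<String>> principalRoleMap = new HashMap<Principal, Set<String>>();
        if (gerSecurityType.isSetRoleMappings()) {
            GerRoleMappingsType roleMappings = gerSecurityType.getRoleMappings();
            for (int r = 0; r < roleMappings.sizeOfRoleArray(); r++) {
                GerRoleType role = roleMappings.getRoleArray(r);
                String roleName = role.getRoleName().trim();
                if (role.isSetRunAsSubject()) {
                    roleDesignates.put(roleName, buildSubjectInfo(role.getRunAsSubject()));
                }
                for (int p = 0; p < role.sizeOfRealmPrincipalArray(); p++) {
                    add(roleName, buildRealmPrincipal(role.getRealmPrincipalArray(p), classLoader), principalRoleMap);
                }
                for (int p = 0; p < role.sizeOfLoginDomainPrincipalArray(); p++) {
                    add(roleName, buildDomainPrincipal(role.getLoginDomainPrincipalArray(p), classLoader), principalRoleMap);
                }
                for (int p = 0; p < role.sizeOfPrincipalArray(); p++) {
                    add(roleName, buildPrincipal(role.getPrincipalArray(p), classLoader), principalRoleMap);
                }
            }
        }
        SubjectInfo defaultSubject = buildSubjectInfo(gerSecurityType.getDefaultSubject());
        AbstractNameQuery credentialStoreQuery = gerSecurityType.isSetCredentialStoreRef()
                ? SingleGBeanBuilder.buildAbstractNameQuery(gerSecurityType.getCredentialStoreRef(), "GBean", Collections.singleton(CredentialStore.class.getName()))
                : this.defaultCredentialStoreName;
        // NOTE(review): unlike the other plan values, the mapper name is used untrimmed -- confirm that is intended.
        String mapperName = gerSecurityType.isSetName() ? gerSecurityType.getName() : "RoleMapper";
        GBeanData roleMapper = new GBeanData(deploymentContext.getNaming().createChildName(deploymentContext.getModuleName(), "RoleMapper", mapperName), ApplicationPrincipalRoleConfigurationManager.GBEAN_INFO);
        roleMapper.setAttribute("principalRoleMap", principalRoleMap);
        roleMapper.setAttribute("roleDesignates", roleDesignates);
        roleMapper.setAttribute("defaultSubjectInfo", defaultSubject);
        if (!roleDesignates.isEmpty() || defaultSubject != null) {
            roleMapper.setReferencePattern("CredentialStore", credentialStoreQuery);
        }
        try {
            deploymentContext.addGBean(roleMapper);
            return new AbstractNameQuery(roleMapper.getAbstractName());
        } catch (GBeanAlreadyExistsException e) {
            throw new DeploymentException("Role mapper gbean already present", e);
        }
    }

    /**
     * Creates (but does not add) the JACC manager gbean data for the application.
     *
     * @param naming       naming used to derive the child name
     * @param abstractName the application's module name, parent of the JACCManager child
     * @param map          context id to permissions, stored as the "contextIdToPermissionsMap" attribute
     */
    protected GBeanData configureApplicationPolicyManager(Naming naming, AbstractName abstractName, Map<String, ComponentPermissions> map) {
        GBeanData jaccManager = new GBeanData(naming.createChildName(abstractName, "JACCManager", "JACCManager"), ApplicationPolicyConfigurationManager.GBEAN_INFO);
        jaccManager.setAttribute("contextIdToPermissionsMap", map);
        return jaccManager;
    }

    /** This builder handles no spec (non-Geronimo) elements. */
    public QNameSet getSpecQNameSet() {
        return QNameSet.EMPTY;
    }

    /** The plan elements handled: {@code security} and {@code security-ref}. */
    public QNameSet getPlanQNameSet() {
        return SECURITY_QNAME_SET;
    }

    /** The j2ee-namespace security element this builder's plan elements are based on. */
    public QName getBaseQName() {
        return BASE_SECURITY_QNAME;
    }
}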
