package org.hibernate.secure.internal;

import fr.inra.agrosyst.api.services.managementmode.ManagementModeService;
import java.security.AccessController;
import java.security.Policy;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.security.ProtectionDomain;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.jacc.EJBMethodPermission;
import javax.security.jacc.PolicyConfiguration;
import javax.security.jacc.PolicyConfigurationFactory;
import javax.security.jacc.PolicyContext;
import javax.security.jacc.PolicyContextException;
import org.hibernate.HibernateException;
import org.hibernate.cfg.AvailableSettings;
import org.hibernate.secure.spi.GrantedPermission;
import org.hibernate.secure.spi.IntegrationException;
import org.hibernate.secure.spi.JaccService;
import org.hibernate.secure.spi.PermissibleAction;
import org.hibernate.secure.spi.PermissionCheckEntityInformation;
import org.hibernate.service.spi.Configurable;
import org.jboss.logging.Logger;

/* loaded from: input_file:WEB-INF/lib/hibernate-core-4.3.11.Final.jar:org/hibernate/secure/internal/StandardJaccServiceImpl.class */
public class StandardJaccServiceImpl implements JaccService, Configurable {
    private static final Logger log = Logger.getLogger((Class<?>) StandardJaccServiceImpl.class);
    private String contextId;
    private PolicyConfiguration policyConfiguration;

    /* loaded from: input_file:WEB-INF/lib/hibernate-core-4.3.11.Final.jar:org/hibernate/secure/internal/StandardJaccServiceImpl$ContextIdSetAction.class */
    private static class ContextIdSetAction implements PrivilegedAction<String> {
        private final String contextId;

        private ContextIdSetAction(String str) {
            this.contextId = str;
        }

        /* JADX WARN: Can't rename method to resolve collision */
        @Override // java.security.PrivilegedAction
        public String run() {
            String contextID = PolicyContext.getContextID();
            PolicyContext.setContextID(this.contextId);
            return contextID;
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /* loaded from: input_file:WEB-INF/lib/hibernate-core-4.3.11.Final.jar:org/hibernate/secure/internal/StandardJaccServiceImpl$ContextSubjectAccess.class */
    public interface ContextSubjectAccess {
        public static final String SUBJECT_CONTEXT_KEY = "javax.security.auth.Subject.container";

        Subject getContextSubject();
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /* loaded from: input_file:WEB-INF/lib/hibernate-core-4.3.11.Final.jar:org/hibernate/secure/internal/StandardJaccServiceImpl$NonPrivilegedContextSubjectAccess.class */
    public static class NonPrivilegedContextSubjectAccess implements ContextSubjectAccess {
        public static final NonPrivilegedContextSubjectAccess INSTANCE = new NonPrivilegedContextSubjectAccess();

        protected NonPrivilegedContextSubjectAccess() {
        }

        @Override // org.hibernate.secure.internal.StandardJaccServiceImpl.ContextSubjectAccess
        public Subject getContextSubject() {
            try {
                return (Subject) PolicyContext.getContext(ContextSubjectAccess.SUBJECT_CONTEXT_KEY);
            } catch (PolicyContextException e) {
                throw new HibernateException("Unable to access JACC PolicyContext in order to locate calling Subject", e);
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /* loaded from: input_file:WEB-INF/lib/hibernate-core-4.3.11.Final.jar:org/hibernate/secure/internal/StandardJaccServiceImpl$PrivilegedContextSubjectAccess.class */
    public static class PrivilegedContextSubjectAccess implements ContextSubjectAccess {
        public static final PrivilegedContextSubjectAccess INSTANCE = new PrivilegedContextSubjectAccess();
        private final PrivilegedAction<Subject> privilegedAction = new PrivilegedAction<Subject>() { // from class: org.hibernate.secure.internal.StandardJaccServiceImpl.PrivilegedContextSubjectAccess.1
            /* JADX WARN: Can't rename method to resolve collision */
            @Override // java.security.PrivilegedAction
            public Subject run() {
                return NonPrivilegedContextSubjectAccess.INSTANCE.getContextSubject();
            }
        };

        protected PrivilegedContextSubjectAccess() {
        }

        @Override // org.hibernate.secure.internal.StandardJaccServiceImpl.ContextSubjectAccess
        public Subject getContextSubject() {
            return (Subject) AccessController.doPrivileged(this.privilegedAction);
        }
    }

    @Override // org.hibernate.service.spi.Configurable
    public void configure(Map map) {
        this.contextId = (String) map.get(AvailableSettings.JACC_CONTEXT_ID);
    }

    @Override // org.hibernate.secure.spi.JaccService
    public void addPermission(GrantedPermission grantedPermission) {
        if (this.policyConfiguration == null) {
            this.policyConfiguration = locatePolicyConfiguration(this.contextId);
        }
        for (String str : grantedPermission.getPermissibleAction().getImpliedActions()) {
            EJBMethodPermission eJBMethodPermission = new EJBMethodPermission(grantedPermission.getEntityName(), str, (String) null, (String[]) null);
            log.debugf("Adding permission [%s] to role [%s]", str, grantedPermission.getRole());
            try {
                this.policyConfiguration.addToRole(grantedPermission.getRole(), eJBMethodPermission);
            } catch (PolicyContextException e) {
                throw new HibernateException("policy context exception occurred", e);
            }
        }
    }

    private PolicyConfiguration locatePolicyConfiguration(String str) {
        try {
            return PolicyConfigurationFactory.getPolicyConfigurationFactory().getPolicyConfiguration(str, false);
        } catch (Exception e) {
            throw new IntegrationException("Unable to access JACC PolicyConfiguration");
        }
    }

    @Override // org.hibernate.secure.spi.JaccService
    public void checkPermission(PermissionCheckEntityInformation permissionCheckEntityInformation, PermissibleAction permissibleAction) {
        if (permissibleAction == PermissibleAction.ANY) {
            throw new HibernateException("ANY action (*) is not legal for permission check, only for configuration");
        }
        String str = (String) AccessController.doPrivileged(new ContextIdSetAction(this.contextId));
        try {
            doPermissionCheckInContext(permissionCheckEntityInformation, permissibleAction);
            AccessController.doPrivileged(new ContextIdSetAction(str));
        } catch (Throwable th) {
            AccessController.doPrivileged(new ContextIdSetAction(str));
            throw th;
        }
    }

    private void doPermissionCheckInContext(PermissionCheckEntityInformation permissionCheckEntityInformation, PermissibleAction permissibleAction) {
        Policy policy = Policy.getPolicy();
        Principal[] callerPrincipals = getCallerPrincipals();
        if (!policy.implies(new ProtectionDomain(permissionCheckEntityInformation.getEntity().getClass().getProtectionDomain().getCodeSource(), null, null, callerPrincipals), new EJBMethodPermission(permissionCheckEntityInformation.getEntityName(), permissibleAction.getImpliedActions()[0], (String) null, (String[]) null))) {
            throw new SecurityException(String.format("JACC denied permission to [%s.%s] for [%s]", permissionCheckEntityInformation.getEntityName(), permissibleAction.getImpliedActions()[0], join(callerPrincipals)));
        }
    }

    private String join(Principal[] principalArr) {
        String str = "";
        StringBuilder sb = new StringBuilder();
        for (Principal principal : principalArr) {
            sb.append(str).append(principal.getName());
            str = ManagementModeService.HISTORY_CROP_IDS_SEPARATOR;
        }
        return sb.toString();
    }

    protected Principal[] getCallerPrincipals() {
        Subject contextSubject = getContextSubjectAccess().getContextSubject();
        if (contextSubject == null) {
            return new Principal[0];
        }
        Set<Principal> principals = contextSubject.getPrincipals();
        return (Principal[]) principals.toArray(new Principal[principals.size()]);
    }

    private ContextSubjectAccess getContextSubjectAccess() {
        return System.getSecurityManager() == null ? NonPrivilegedContextSubjectAccess.INSTANCE : PrivilegedContextSubjectAccess.INSTANCE;
    }
}
