package fish.payara.appserver.cdi.auth.roles;

import fish.payara.cdi.auth.roles.CallerAccessException;
import fish.payara.cdi.auth.roles.LogicalOperator;
import fish.payara.cdi.auth.roles.RolesPermitted;
import java.lang.annotation.Annotation;
import java.lang.reflect.Method;
import java.lang.reflect.Parameter;
import java.util.Arrays;
import java.util.LinkedList;
import java.util.List;
import java.util.Optional;
import java.util.Set;
import javax.annotation.Priority;
import javax.el.ELProcessor;
import javax.enterprise.inject.Intercepted;
import javax.enterprise.inject.spi.Bean;
import javax.enterprise.inject.spi.BeanManager;
import javax.enterprise.inject.spi.CDI;
import javax.inject.Inject;
import javax.inject.Named;
import javax.interceptor.AroundInvoke;
import javax.interceptor.Interceptor;
import javax.interceptor.InvocationContext;
import javax.security.enterprise.AuthenticationStatus;
import javax.security.enterprise.SecurityContext;
import javax.security.enterprise.authentication.mechanism.http.AuthenticationParameters;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.ws.rs.NotAuthorizedException;
import javax.ws.rs.core.Context;
import org.eclipse.persistence.jpa.rs.ReservedWords;
import org.glassfish.soteria.cdi.AnnotationELPProcessor;
import org.glassfish.soteria.cdi.CdiUtils;
import org.jboss.weld.interceptor.WeldInvocationContext;

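/**
 * CDI interceptor bound to {@link RolesPermitted}: before the intercepted method runs it
 * resolves the applicable {@code @RolesPermitted} annotation, triggers authentication when an
 * HTTP request/response pair is available, and checks the caller's roles through the
 * {@link SecurityContext}. The invocation proceeds only when the check passes; otherwise a
 * {@link CallerAccessException} is thrown.
 *
 * <p>Role names may contain EL expressions; those are evaluated against the intercepted
 * target and the method arguments (see {@link #getElProcessor(InvocationContext)}).
 */
@RolesPermitted
@Priority(5000)
@Interceptor
/* loaded from: input_file:MICRO-INF/runtime/cdi-auth-roles.jar:fish/payara/appserver/cdi/auth/roles/RolesPermittedInterceptor.class */
public class RolesPermittedInterceptor {
    // Looked up programmatically; Instance.get() replaces the decompiler's "get2()" rename,
    // which is not a real method and did not compile.
    private final SecurityContext securityContext = CDI.current().select(SecurityContext.class).get();
    private final BeanManager beanManager;
    private final Bean<?> interceptedBean;

    // Either field may be null (authenticate() checks for that); presumably they are only
    // populated when the interceptor runs inside a JAX-RS request -- TODO confirm.
    @Context
    private HttpServletRequest request;

    @Context
    private HttpServletResponse response;

    /**
     * @param bean the bean whose method is being intercepted
     * @param beanManager used for stereotype lookups and as the source of the EL resolver
     */
    @Inject
    public RolesPermittedInterceptor(@Intercepted Bean<?> bean, BeanManager beanManager) {
        this.interceptedBean = bean;
        this.beanManager = beanManager;
    }

    /**
     * Enforces the role check around the intercepted invocation.
     *
     * @param invocationContext the invocation being intercepted
     * @return whatever the intercepted method returns
     * @throws CallerAccessException if the caller does not satisfy the declared roles
     * @throws Exception anything thrown by the intercepted method
     */
    @AroundInvoke
    public Object method(InvocationContext invocationContext) throws Exception {
        RolesPermitted rolesPermitted = getRolesPermitted(invocationContext);
        if (!checkAccessPermitted(rolesPermitted, invocationContext)) {
            throw new CallerAccessException("Caller was not permitted access to a protected resource");
        }
        return invocationContext.proceed();
    }

    /**
     * Decides whether the current caller satisfies the given annotation.
     *
     * <p>With {@link LogicalOperator#OR} one matching role is enough; with
     * {@link LogicalOperator#AND} every role must match. Any other operator denies access.
     *
     * @param rolesPermitted the annotation carrying the role names and the operator
     * @param invocationContext the invocation, used to evaluate EL expressions in role names
     * @return {@code true} if access is permitted
     * @throws NotAuthorizedException if authentication was attempted and did not succeed
     */
    public boolean checkAccessPermitted(RolesPermitted rolesPermitted, InvocationContext invocationContext) {
        String[] declaredRoles = rolesPermitted.value();
        authenticate(declaredRoles);

        // Build the EL processor once, and only if at least one role actually needs it.
        ELProcessor elProcessor = AnnotationELPProcessor.hasAnyELExpression(declaredRoles)
                ? getElProcessor(invocationContext)
                : null;

        LogicalOperator semantics = rolesPermitted.semantics();
        if (LogicalOperator.OR.equals(semantics)) {
            for (String role : declaredRoles) {
                if (this.securityContext.isCallerInRole(resolveRole(elProcessor, role))) {
                    return true;
                }
            }
            return false;
        }
        if (LogicalOperator.AND.equals(semantics)) {
            // NOTE(review): with an empty role list this branch returns true, and
            // authenticate() is skipped for an empty list as well, so such an annotation
            // admits every caller. Confirm that is intended or reject empty lists upstream.
            for (String role : declaredRoles) {
                if (!this.securityContext.isCallerInRole(resolveRole(elProcessor, role))) {
                    return false;
                }
            }
            return true;
        }
        // Unknown operator: fail closed.
        return false;
    }

    /** Returns the role name, evaluating it first when it contains an EL expression. */
    private static String resolveRole(ELProcessor elProcessor, String role) {
        if (elProcessor != null && AnnotationELPProcessor.hasAnyELExpression(role)) {
            return AnnotationELPProcessor.evalELExpression(elProcessor, role);
        }
        return role;
    }

    /**
     * Finds the {@code @RolesPermitted} annotation that applies to this invocation. Lookup
     * order: the interceptor bindings stored in the context data, then the method (including
     * its stereotypes), then the intercepted bean class.
     *
     * @throws IllegalStateException if no annotation is found anywhere
     */
    private RolesPermitted getRolesPermitted(InvocationContext invocationContext) {
        @SuppressWarnings("unchecked") // the context data map is untyped
        Set<Annotation> bindings = (Set<Annotation>) invocationContext.getContextData()
                .get(WeldInvocationContext.INTERCEPTOR_BINDINGS_KEY);
        if (bindings != null) {
            Optional<RolesPermitted> fromBindings = bindings.stream()
                    .filter(binding -> binding.annotationType().equals(RolesPermitted.class))
                    .findAny()
                    .map(RolesPermitted.class::cast);
            if (fromBindings.isPresent()) {
                return fromBindings.get();
            }
        }

        Optional<RolesPermitted> fromMethod =
                getAnnotationFromMethod(this.beanManager, invocationContext.getMethod(), RolesPermitted.class);
        if (fromMethod.isPresent()) {
            return fromMethod.get();
        }

        Optional<RolesPermitted> fromBeanClass =
                CdiUtils.getAnnotation(this.beanManager, this.interceptedBean.getBeanClass(), RolesPermitted.class);
        if (fromBeanClass.isPresent()) {
            return fromBeanClass.get();
        }

        throw new IllegalStateException("@RolesPermitted not found on " + this.interceptedBean.getBeanClass());
    }

    /**
     * Looks for an annotation on a method, either declared directly or reachable through
     * stereotypes placed on the method.
     *
     * @param beanManager used to recognise stereotypes and read their definitions
     * @param method the method to inspect
     * @param cls the annotation type to look for
     * @return the annotation, or an empty {@code Optional} if none is found
     */
    public static <A extends Annotation> Optional<A> getAnnotationFromMethod(BeanManager beanManager, Method method, Class<A> cls) {
        if (method.isAnnotationPresent(cls)) {
            return Optional.of(method.getAnnotation(cls));
        }

        // Work list: stereotypes are expanded into the annotations they define.
        LinkedList<Annotation> pending = new LinkedList<>(Arrays.asList(method.getAnnotations()));
        while (!pending.isEmpty()) {
            Annotation candidate = pending.remove();
            Class<? extends Annotation> candidateType = candidate.annotationType();
            if (candidateType.equals(cls)) {
                return Optional.of(cls.cast(candidate));
            }
            if (beanManager.isStereotype(candidateType)) {
                pending.addAll(beanManager.getStereotypeDefinition(candidateType));
            }
        }
        return Optional.empty();
    }

    /**
     * Creates the EL processor used for role-name expressions. The intercepted target and
     * the method arguments are exposed as beans: arguments annotated with a non-blank
     * {@link Named} value under that name, and a single argument under {@code param} when no
     * argument was named. Arguments are bound as values; the expression text itself comes
     * from the annotation.
     */
    private ELProcessor getElProcessor(InvocationContext invocationContext) {
        ELProcessor elProcessor = new ELProcessor();
        elProcessor.getELManager().addELResolver(this.beanManager.getELResolver());
        // NOTE(review): constant substituted by the decompiler; presumably the literal bean
        // name "self" in the original source -- confirm before depending on ReservedWords.
        elProcessor.defineBean(ReservedWords.JPARS_REL_SELF, invocationContext.getTarget());

        Parameter[] declaredParameters = invocationContext.getMethod().getParameters();
        Object[] arguments = invocationContext.getParameters();
        boolean anyNamed = false;
        for (int i = 0; i < declaredParameters.length; i++) {
            Named named = declaredParameters[i].getAnnotation(Named.class);
            if (named == null) {
                continue;
            }
            String beanName = named.value().trim();
            if (!beanName.isEmpty()) {
                elProcessor.defineBean(beanName, arguments[i]);
                anyNamed = true;
            }
        }
        if (!anyNamed && declaredParameters.length == 1) {
            elProcessor.defineBean("param", arguments[0]);
        }
        return elProcessor;
    }

    /**
     * Triggers authentication when there is something to protect and no caller principal
     * yet. Does nothing when the request or response is unavailable, when no roles are
     * declared, or when the caller is already authenticated.
     *
     * @param strArr the declared role names
     * @throws NotAuthorizedException if authentication was not done, failed, or reported
     *         success without establishing a caller principal
     */
    private void authenticate(String[] strArr) {
        if (this.request == null || this.response == null) {
            // No HTTP exchange to authenticate against; the role check still runs afterwards.
            return;
        }
        if (strArr.length <= 0 || isAuthenticated()) {
            return;
        }

        AuthenticationStatus status =
                this.securityContext.authenticate(this.request, this.response, AuthenticationParameters.withParams());
        // NOTE(review): the (text, Object[]) call below may bind the text as the challenge
        // rather than as the exception message -- confirm against the JAX-RS overloads.
        if (status == AuthenticationStatus.NOT_DONE || status == AuthenticationStatus.SEND_FAILURE) {
            throw new NotAuthorizedException("Authentication resulted in " + status, new Object[0]);
        }
        if (status == AuthenticationStatus.SUCCESS && !isAuthenticated()) {
            throw new NotAuthorizedException("Authentication not done (i.e. no credential found)", new Object[0]);
        }
        // Any other status (e.g. SEND_CONTINUE) is not rejected here; denial of a still
        // unauthenticated caller is then left to the role check in checkAccessPermitted().
    }

    /** Returns whether the security context currently has a caller principal. */
    private boolean isAuthenticated() {
        return this.securityContext.getCallerPrincipal() != null;
    }
}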
