package com.ibm.ws.jaxrs21.security;

import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.websphere.ras.annotation.TraceOptions;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.ffdc.annotation.FFDCIgnore;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import com.ibm.ws.security.authentication.UnauthenticatedSubjectService;
import com.ibm.ws.security.authorization.util.RoleMethodAuthUtil;
import com.ibm.ws.security.authorization.util.UnauthenticatedException;
import com.ibm.ws.security.context.SubjectManager;
import java.io.IOException;
import java.lang.reflect.Method;
import java.security.Principal;
import java.util.function.Supplier;
import javax.annotation.Priority;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;
import org.apache.cxf.interceptor.security.AccessDeniedException;
import org.apache.cxf.jaxrs.utils.JAXRSUtils;
import org.apache.cxf.message.Message;
import org.apache.cxf.message.MessageUtils;
import org.apache.cxf.service.invoker.MethodDispatcher;
import org.apache.cxf.service.model.BindingOperationInfo;
import org.osgi.framework.BundleContext;
import org.osgi.framework.FrameworkUtil;
import org.osgi.framework.ServiceReference;

@InjectedFFDC
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
@Priority(2001)
@TraceOptions
/* loaded from: input_file:com/ibm/ws/jaxrs21/security/LibertyAuthFilter.class */
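/**
 * JAX-RS request filter that enforces the role constraints declared on the target resource
 * method ({@link RoleMethodAuthUtil#parseMethodSecurity}).
 *
 * <p>Outcome mapping: an anonymous caller hitting a protected method is first challenged through
 * the servlet container ({@link HttpServletRequest#authenticate}); if that fails, or the caller
 * is still not authorized afterwards, the request is aborted with {@code 401}. A caller that is
 * authenticated but lacks the required role is aborted with {@code 403}. Infrastructure failures
 * (for example the unauthenticated-subject service being unavailable) are not mapped here and
 * propagate to the runtime, so the request never falls through to the resource unauthorized.
 */
public class LibertyAuthFilter implements ContainerRequestFilter {
    private static final TraceComponent tc = Tr.register(LibertyAuthFilter.class, "JAXRS", (String) null);
    static final long serialVersionUID = 7585454365622569792L;

    // Resolved lazily from the OSGi service registry on the first request that has no
    // SecurityContext. volatile so that a reference published by one request thread is visible
    // to the others; the assignment is idempotent, so a racing double lookup is harmless apart
    // from an extra getService() use count (the service is never ungot, as in the original).
    private volatile UnauthenticatedSubjectService unauthenticatedSubjectService;

    /**
     * Authorizes the current CXF message against the target method's role constraints.
     *
     * <p>The first {@code handleMessage} pass may raise {@link UnauthenticatedException} when the
     * caller is anonymous; the container is then asked to authenticate, and on success the check
     * is repeated with the now-populated principal. A repeated {@code UnauthenticatedException}
     * after a successful challenge is mapped to {@code 401} rather than escaping as an unhandled
     * exception.
     *
     * @param containerRequestContext the JAX-RS request context used to abort the request
     */
    @Override
    @FFDCIgnore({UnauthenticatedException.class, AccessDeniedException.class})
    public void filter(ContainerRequestContext containerRequestContext) {
        Message currentMessage = JAXRSUtils.getCurrentMessage();
        try {
            try {
                handleMessage(currentMessage);
            } catch (UnauthenticatedException anonymousCaller) {
                if (!authenticate(currentMessage)) {
                    containerRequestContext.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
                    return;
                }
                try {
                    // Re-evaluate with the principal established by the container challenge.
                    handleMessage(currentMessage);
                } catch (UnauthenticatedException stillAnonymous) {
                    containerRequestContext.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
                }
            }
        } catch (AccessDeniedException notAuthorized) {
            containerRequestContext.abortWith(Response.status(Response.Status.FORBIDDEN).build());
        }
    }

    /**
     * Asks the servlet container to authenticate the caller of the given message.
     *
     * @param message the CXF message carrying the {@code HTTP.REQUEST}/{@code HTTP.RESPONSE} pair
     * @return {@code true} when the container reports the caller as authenticated; {@code false}
     *         when authentication fails or the container raises an I/O or servlet error (the
     *         error is recorded through FFDC and treated as "not authenticated")
     */
    private boolean authenticate(Message message) {
        HttpServletRequest httpServletRequest = (HttpServletRequest) message.get("HTTP.REQUEST");
        HttpServletResponse httpServletResponse = (HttpServletResponse) message.get("HTTP.RESPONSE");
        try {
            return httpServletRequest.authenticate(httpServletResponse);
        } catch (IOException | ServletException e) {
            // Probe id "89" appears to come from the build-time FFDC instrumentation; it is kept
            // verbatim so the incident records stay correlated — TODO confirm against the
            // instrumented build rather than treating it as a source line number.
            FFDCFilter.processException(e, "com.ibm.ws.jaxrs21.security.LibertyAuthFilter", "89", this, new Object[]{message});
            return false;
        }
    }

    /**
     * Evaluates the target method's role constraints for the caller of {@code message}.
     *
     * <p>When the message carries a JAX-RS {@link SecurityContext}, its principal and role lookup
     * are used. Otherwise the servlet request supplies both, and an unauthenticated subject is
     * placed on the thread first so downstream authorization code never sees a missing subject.
     *
     * @param message the current CXF message
     * @throws UnauthenticatedException when the caller must authenticate before the method can be
     *         invoked (raised by {@link RoleMethodAuthUtil#parseMethodSecurity})
     * @throws AccessDeniedException when the target method cannot be resolved, or the caller is
     *         not permitted to invoke it
     */
    private void handleMessage(Message message) throws UnauthenticatedException {
        SecurityContext securityContext = message.get(SecurityContext.class);
        boolean permitted;
        if (securityContext == null) {
            HttpServletRequest httpServletRequest = (HttpServletRequest) message.get("HTTP.REQUEST");
            Method method = (Method) MessageUtils.getTargetMethod(message)
                    .orElseThrow(() -> new AccessDeniedException("Method is not available : Unauthorized"));
            setUnauthenticatedSubjectIfNeeded();
            permitted = RoleMethodAuthUtil.parseMethodSecurity(method,
                    httpServletRequest::getUserPrincipal,
                    httpServletRequest::isUserInRole);
        } else {
            permitted = RoleMethodAuthUtil.parseMethodSecurity(getTargetMethod(message),
                    securityContext::getUserPrincipal,
                    securityContext::isUserInRole);
        }
        if (!permitted) {
            throw new AccessDeniedException("Unauthorized");
        }
    }

    /**
     * Resolves the resource method targeted by {@code message}.
     *
     * <p>Prefers the binding operation registered on the exchange (resolved through the service's
     * {@link MethodDispatcher}); falls back to the {@code org.apache.cxf.resource.method} property.
     *
     * @param message the current CXF message
     * @return the target method, never {@code null}
     * @throws AccessDeniedException when neither lookup yields a method — resolution failure is
     *         treated as a denial, not as "no constraints"
     */
    protected Method getTargetMethod(Message message) {
        BindingOperationInfo bindingOperationInfo = message.getExchange().getBindingOperationInfo();
        if (bindingOperationInfo != null) {
            MethodDispatcher dispatcher = (MethodDispatcher) message.getExchange().getService().get(MethodDispatcher.class.getName());
            return dispatcher.getMethod(bindingOperationInfo);
        }
        Method method = (Method) message.get("org.apache.cxf.resource.method");
        if (method == null) {
            throw new AccessDeniedException("Method is not available : Unauthorized");
        }
        return method;
    }

    /**
     * Places the unauthenticated subject on the current thread for whichever of the invocation
     * and caller subjects is still unset. Existing subjects are left untouched.
     *
     * @throws IllegalStateException when the unauthenticated-subject service cannot be obtained
     */
    private void setUnauthenticatedSubjectIfNeeded() {
        UnauthenticatedSubjectService service = getUnauthenticatedSubjectService();
        SubjectManager subjectManager = new SubjectManager();
        if (subjectManager.getInvocationSubject() == null) {
            subjectManager.setInvocationSubject(service.getUnauthenticatedSubject());
        }
        if (subjectManager.getCallerSubject() == null) {
            subjectManager.setCallerSubject(service.getUnauthenticatedSubject());
        }
    }

    /**
     * Returns the {@link UnauthenticatedSubjectService}, looking it up in the OSGi service
     * registry on first use and caching it afterwards.
     *
     * @return the service, never {@code null}
     * @throws IllegalStateException when no service reference is registered or the service
     *         object cannot be obtained — an explicit failure instead of the NullPointerException
     *         the unguarded lookup would raise, and still fail-closed for the request
     */
    private UnauthenticatedSubjectService getUnauthenticatedSubjectService() {
        UnauthenticatedSubjectService service = this.unauthenticatedSubjectService;
        if (service == null) {
            BundleContext bundleContext = FrameworkUtil.getBundle(UnauthenticatedSubjectService.class).getBundleContext();
            ServiceReference<UnauthenticatedSubjectService> reference = bundleContext.getServiceReference(UnauthenticatedSubjectService.class);
            service = reference == null ? null : bundleContext.getService(reference);
            if (service == null) {
                throw new IllegalStateException("UnauthenticatedSubjectService is not available");
            }
            this.unauthenticatedSubjectService = service;
        }
        return service;
    }
}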
