package com.ibm.ws.microprofile.graphql.authorization.component;

import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.websphere.ras.annotation.TraceOptions;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.ffdc.annotation.FFDCIgnore;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import com.ibm.ws.security.authorization.util.RoleMethodAuthUtil;
import com.ibm.ws.security.authorization.util.UnauthenticatedException;
import java.lang.reflect.Method;
import java.security.Principal;
import java.util.Objects;
import java.util.function.Supplier;
import javax.annotation.Priority;
import javax.enterprise.context.Dependent;
import javax.interceptor.AroundInvoke;
import javax.interceptor.Interceptor;
import javax.interceptor.InvocationContext;
import org.eclipse.microprofile.graphql.GraphQLApi;
import org.eclipse.microprofile.graphql.GraphQLException;

@InjectedFFDC
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
@GraphQLApi
@Priority(0)
@Dependent
@Interceptor
@TraceOptions
/* loaded from: input_file:com/ibm/ws/microprofile/graphql/authorization/component/AuthorizationInterceptor.class */
public class AuthorizationInterceptor {
    private static final TraceComponent tc = Tr.register(AuthorizationInterceptor.class, "GraphQL", (String) null);
    private static final AuthorizationFilter AUTH_FILTER = AuthorizationFilter.getInstance();
    private static final Supplier<Principal> AUTH_FILTER_PRINCIPAL = new Supplier<Principal>() { // from class: com.ibm.ws.microprofile.graphql.authorization.component.AuthorizationInterceptor.1
        static final long serialVersionUID = 1189940229752762096L;
        private static final /* synthetic */ TraceComponent $$$tc$$$ = Tr.register("com.ibm.ws.microprofile.graphql.authorization.component.AuthorizationInterceptor$1", AnonymousClass1.class, "GraphQL", (String) null);

        /* JADX WARN: Can't rename method to resolve collision */
        @Override // java.util.function.Supplier
        public Principal get() {
            return AuthorizationInterceptor.AUTH_FILTER.getUserPrincipal();
        }
    };
    static final long serialVersionUID = 8633130029121305110L;

    @AroundInvoke
    public Object checkAuthorized(InvocationContext invocationContext) throws Exception {
        if (isAuthorized(invocationContext.getMethod())) {
            return invocationContext.proceed();
        }
        if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
            Tr.debug(tc, "Unauthorized", new Object[0]);
        }
        throw new GraphQLException("Unauthorized");
    }

    @FFDCIgnore({UnauthenticatedException.class})
    private boolean isAuthorized(Method method) {
        try {
            Supplier<Principal> supplier = AUTH_FILTER_PRINCIPAL;
            AuthorizationFilter authorizationFilter = AUTH_FILTER;
            Objects.requireNonNull(authorizationFilter);
            return RoleMethodAuthUtil.parseMethodSecurity(method, supplier, authorizationFilter::isUserInRole);
        } catch (UnauthenticatedException e) {
            try {
                if (AUTH_FILTER.authenticate()) {
                    Supplier<Principal> supplier2 = AUTH_FILTER_PRINCIPAL;
                    AuthorizationFilter authorizationFilter2 = AUTH_FILTER;
                    Objects.requireNonNull(authorizationFilter2);
                    if (RoleMethodAuthUtil.parseMethodSecurity(method, supplier2, authorizationFilter2::isUserInRole)) {
                        return true;
                    }
                }
                return false;
            } catch (Throwable th) {
                FFDCFilter.processException(th, "com.ibm.ws.microprofile.graphql.authorization.component.AuthorizationInterceptor", "74", this, new Object[]{method});
                if (!TraceComponent.isAnyTracingEnabled() || !tc.isDebugEnabled()) {
                    return false;
                }
                Tr.debug(tc, "Failed to authenticate or failed auth check", new Object[]{th});
                return false;
            }
        }
    }
}
