package io.openliberty.restfulWS30.appSecurity;

import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.websphere.ras.annotation.TraceOptions;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.ffdc.annotation.FFDCIgnore;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import com.ibm.ws.security.authentication.UnauthenticatedSubjectService;
import com.ibm.ws.security.authorization.util.RoleMethodAuthUtil;
import com.ibm.ws.security.authorization.util.UnauthenticatedException;
import com.ibm.ws.security.context.SubjectManager;
import jakarta.annotation.Priority;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import jakarta.ws.rs.ForbiddenException;
import jakarta.ws.rs.container.ContainerRequestContext;
import jakarta.ws.rs.container.ContainerRequestFilter;
import jakarta.ws.rs.container.ResourceInfo;
import jakarta.ws.rs.core.Context;
import jakarta.ws.rs.core.Response;
import jakarta.ws.rs.core.SecurityContext;
import jakarta.ws.rs.ext.Provider;
import java.io.IOException;
import java.lang.reflect.Method;
import java.util.Optional;
import org.osgi.framework.BundleContext;
import org.osgi.framework.FrameworkUtil;

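/**
 * JAX-RS request filter that enforces the role constraints declared on the
 * matched resource method (evaluated by {@link RoleMethodAuthUtil#parseMethodSecurity})
 * and, when the caller is not yet authenticated, drives the servlet container's
 * authentication exactly once before re-checking.
 *
 * Outcome per request:
 * <ul>
 *   <li>role check passes                         -> request proceeds</li>
 *   <li>no resource method matched                -> {@link ForbiddenException}</li>
 *   <li>caller authenticated but not in role      -> {@link ForbiddenException} (HTTP 403)</li>
 *   <li>caller unauthenticated and authentication
 *       does not yield an authorized caller       -> request aborted with HTTP 401</li>
 * </ul>
 *
 * Priority 2001 places the filter just after Jakarta's {@code Priorities.AUTHORIZATION}
 * (2000) band. All {@code @Context} fields are container-injected.
 *
 * NOTE(review): authorization is granted if EITHER the injected JAX-RS
 * {@link SecurityContext} OR the underlying servlet request satisfies the
 * method's constraints (see {@link #handleMessage()}). JAX-RS allows an earlier
 * filter to replace the SecurityContext, so a permissive replacement widens
 * access here even when the container's own view would deny it.
 */
@Priority(2001)
@InjectedFFDC
@TraceObjectField(fieldName = "$$$tc$$$", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
@Provider
@TraceOptions
/* loaded from: input_file:io/openliberty/restfulWS30/appSecurity/LibertyAuthFilter.class */
public class LibertyAuthFilter implements ContainerRequestFilter {

    /** Servlet request behind the JAX-RS request; used for authenticate() and the role fallback. */
    @Context
    HttpServletRequest req;

    /** Servlet response handed to authenticate() so the container can write a challenge. */
    @Context
    HttpServletResponse resp;

    /** JAX-RS view of the caller; may be null, and may have been replaced by an earlier filter. */
    @Context
    SecurityContext securityContext;

    /** Exposes the matched resource method whose annotations carry the role constraints. */
    @Context
    ResourceInfo resourceInfo;

    /**
     * Lazily resolved from the OSGi service registry by getUnauthenticatedSubjectService().
     * Intentionally not volatile: concurrent first calls may each perform the lookup,
     * and the lookup is harmless to repeat (apart from an extra service-usage count
     * that is never released; the filter is presumably application-scoped, so this
     * is not a practical leak).
     */
    private UnauthenticatedSubjectService unauthenticatedSubjectService;
    static final long serialVersionUID = -1343346582864679496L;
    private static final /* synthetic */ TraceComponent $$$tc$$$ = Tr.register("io.openliberty.restfulWS30.appSecurity.LibertyAuthFilter", LibertyAuthFilter.class, "RESTfulWS", (String) null);

    /** Name used in diagnostics when the subject service cannot be resolved. */
    private static final String SERVICE_NAME = UnauthenticatedSubjectService.class.getName();

    /**
     * Runs the role check; if the caller is unauthenticated, triggers container
     * authentication once and re-runs the check. If that still does not produce
     * an authorized caller, the request is aborted with 401.
     *
     * A {@link ForbiddenException} from {@link #handleMessage()} is deliberately
     * NOT caught here: an authenticated caller that lacks the role must receive
     * 403, not a new authentication challenge.
     *
     * @param containerRequestContext the JAX-RS request being filtered
     */
    @FFDCIgnore(UnauthenticatedException.class)
    @Override
    public void filter(ContainerRequestContext containerRequestContext) {
        try {
            handleMessage();
            return;
        } catch (UnauthenticatedException firstAttempt) {
            // Caller is unauthenticated; fall through and ask the container to authenticate.
        }
        try {
            if (authenticate()) {
                // Re-evaluate with the now-authenticated caller. A role mismatch at
                // this point surfaces as ForbiddenException (403) to the container.
                handleMessage();
                return;
            }
        } catch (UnauthenticatedException ignored) {
            // authenticate() reported success, yet the role evaluation still sees no
            // authenticated caller. Fail closed with 401 rather than proceed.
        }
        // Per the Servlet contract a false return from authenticate() may mean a
        // challenge was already written to the response; aborting with 401 still
        // guarantees the JAX-RS chain never reaches the resource method.
        containerRequestContext.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
    }

    /**
     * Asks the servlet container to authenticate the caller.
     *
     * @return true if the caller is now authenticated; false if the container could
     *         not authenticate them (it may have written a challenge to the response)
     *         or if the attempt itself failed with an exception
     */
    private boolean authenticate() {
        try {
            return this.req.authenticate(this.resp);
        } catch (IOException | ServletException e) {
            // Recorded for diagnostics (FFDC), then fail closed: "not authenticated"
            // routes the caller to the 401 path in filter().
            FFDCFilter.processException(e, "io.openliberty.restfulWS30.appSecurity.LibertyAuthFilter", "86", this, new Object[0]);
            return false;
        }
    }

    /**
     * Enforces the role constraints declared on the matched resource method.
     *
     * Access is granted if EITHER the JAX-RS SecurityContext (when non-null) OR the
     * underlying servlet request satisfies the constraints. The servlet-request
     * check is only evaluated when the SecurityContext check does not grant.
     *
     * @throws UnauthenticatedException raised from the role evaluation when the
     *         constraint needs an authenticated caller and there is none; the caller
     *         of this method retries after authenticating
     * @throws ForbiddenException if no resource method is matched, or the caller
     *         does not satisfy the constraint via either view (HTTP 403)
     */
    private void handleMessage() throws UnauthenticatedException, ForbiddenException {
        Method resourceMethod = this.resourceInfo.getResourceMethod();
        if (resourceMethod == null) {
            // No method matched: fail closed. The message text is preserved as-is
            // even though it says "Unauthorized" while the exception maps to 403.
            throw new ForbiddenException("Method is not available : Unauthorized");
        }
        // Guarantee a concrete (unauthenticated) subject is on the thread before any
        // role evaluation runs, so nothing downstream sees a null subject.
        setUnauthenticatedSubjectIfNeeded();

        boolean grantedByJaxrsContext = this.securityContext != null
                && RoleMethodAuthUtil.parseMethodSecurity(resourceMethod,
                        this.securityContext.getUserPrincipal(),
                        role -> this.securityContext.isUserInRole(role));
        if (grantedByJaxrsContext) {
            return;
        }
        // Fallback to the servlet container's own view of the caller.
        boolean grantedByServletRequest = RoleMethodAuthUtil.parseMethodSecurity(resourceMethod,
                this.req.getUserPrincipal(),
                role -> this.req.isUserInRole(role));
        if (!grantedByServletRequest) {
            throw new ForbiddenException("Unauthorized");
        }
    }

    /**
     * Installs the container's unauthenticated subject as the invocation and/or
     * caller subject when either is absent, so role evaluation always runs against
     * a real (unauthenticated) subject rather than null.
     *
     * @throws IllegalStateException if the UnauthenticatedSubjectService cannot be
     *         resolved; the request then errors out instead of running the role
     *         check without a subject (fail closed)
     */
    private void setUnauthenticatedSubjectIfNeeded() {
        UnauthenticatedSubjectService service = getUnauthenticatedSubjectService();
        SubjectManager subjectManager = new SubjectManager();
        if (subjectManager.getInvocationSubject() == null) {
            subjectManager.setInvocationSubject(service.getUnauthenticatedSubject());
        }
        if (subjectManager.getCallerSubject() == null) {
            subjectManager.setCallerSubject(service.getUnauthenticatedSubject());
        }
    }

    /**
     * Resolves (and caches) the UnauthenticatedSubjectService from the OSGi service
     * registry through the bundle that loaded that class.
     *
     * Each step of the lookup is null-checked so an unavailable bundle context or an
     * unregistered service surfaces as a descriptive IllegalStateException instead of
     * a NullPointerException deep inside the authorization path. The service is never
     * released via ungetService(); see the field comment.
     *
     * @return the resolved service, never null
     * @throws IllegalStateException if the bundle context, the service reference or
     *         the service itself is unavailable
     */
    private UnauthenticatedSubjectService getUnauthenticatedSubjectService() {
        UnauthenticatedSubjectService cached = this.unauthenticatedSubjectService;
        if (cached != null) {
            return cached;
        }
        BundleContext bundleContext = Optional.ofNullable(FrameworkUtil.getBundle(UnauthenticatedSubjectService.class))
                .map(bundle -> bundle.getBundleContext())
                .orElseThrow(() -> new IllegalStateException(
                        "OSGi bundle context for " + SERVICE_NAME + " is not available"));
        UnauthenticatedSubjectService resolved = Optional
                .ofNullable(bundleContext.getServiceReference(UnauthenticatedSubjectService.class))
                .map(bundleContext::getService)
                .orElseThrow(() -> new IllegalStateException(
                        SERVICE_NAME + " is not registered in the OSGi service registry"));
        this.unauthenticatedSubjectService = resolved;
        return resolved;
    }
}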
