package com.ibm.ws.jaxrs20.security;

import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import java.lang.reflect.Method;
import java.security.Principal;
import java.util.Arrays;
import java.util.List;
import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.interceptor.security.AbstractAuthorizingInInterceptor;
import org.apache.cxf.interceptor.security.AccessDeniedException;
import org.apache.cxf.interceptor.security.AuthenticationException;
import org.apache.cxf.message.Message;
import org.apache.cxf.security.SecurityContext;

@InjectedFFDC
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
/* loaded from: input_file:com/ibm/ws/jaxrs20/security/LibertySimpleAuthorizingInterceptor.class */
/**
 * CXF in-interceptor that enforces the JSR-250 security annotations
 * ({@code @DenyAll}, {@code @RolesAllowed}, {@code @PermitAll}) on the
 * JAX-RS resource method selected for the current message.
 *
 * <p>Evaluation order, first match wins:
 * <ol>
 *   <li>no {@link SecurityContext} on the message: denied;</li>
 *   <li>method-level {@code @DenyAll}: denied;</li>
 *   <li>method-level {@code @RolesAllowed}: caller must be authenticated
 *       and in one of the listed roles;</li>
 *   <li>method-level {@code @PermitAll}: allowed;</li>
 *   <li>class-level {@code @DenyAll} on the declaring class: denied;</li>
 *   <li>class-level {@code @RolesAllowed}: authenticated and in role;</li>
 *   <li>otherwise allowed.</li>
 * </ol>
 *
 * <p>Annotations are read from the target {@link Method} and its declaring
 * class only; nothing else is consulted. Every denial surfaces as an
 * {@link AccessDeniedException}; a missing or placeholder principal surfaces
 * as an {@link AuthenticationException}.
 */
public class LibertySimpleAuthorizingInterceptor extends AbstractAuthorizingInInterceptor {
    private static final TraceComponent tc = Tr.register(LibertySimpleAuthorizingInterceptor.class);
    static final long serialVersionUID = 3077822115520915884L;

    /** Principal name Liberty uses for a request that carries no authenticated identity. */
    private static final String UNAUTHENTICATED_NAME = "UNAUTHENTICATED";

    /**
     * Authorizes the message against the target method's security annotations.
     *
     * @param message the inbound CXF message
     * @throws AccessDeniedException if the message carries no
     *         {@link SecurityContext} or the annotation rules deny access
     * @throws AuthenticationException if a {@code @RolesAllowed} rule applies
     *         and the caller is not authenticated
     */
    @Override
    public void handleMessage(Message message) throws Fault {
        if (!permitsRequest(message)) {
            throw new AccessDeniedException("Unauthorized");
        }
    }

    /**
     * Applies the annotation rules to the message's target method.
     * A message without a security context is never permitted; the target
     * method is only resolved once a context is known to be present.
     */
    private boolean permitsRequest(Message message) {
        SecurityContext ctx = (SecurityContext) message.get(SecurityContext.class);
        if (ctx == null) {
            return false;
        }
        Method target = getTargetMethod(message);
        return parseMethodSecurity(target, ctx);
    }

    /** True when debug tracing is switched on for this component. */
    private static boolean debugOn() {
        return TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled();
    }

    /**
     * Requires an authenticated caller.
     *
     * @return always {@code true}; an unauthenticated caller never returns
     * @throws AuthenticationException if there is no principal or the
     *         principal is the placeholder {@value #UNAUTHENTICATED_NAME}
     */
    private boolean ensureAuthentication(SecurityContext securityContext) {
        Principal caller = securityContext.getUserPrincipal();
        boolean anonymous = caller == null || UNAUTHENTICATED_NAME.equals(caller.getName());
        if (anonymous) {
            throw new AuthenticationException();
        }
        return true;
    }

    /**
     * Evaluates the method-level annotations, falling back to the declaring
     * class when the method carries none of them.
     */
    private boolean parseMethodSecurity(Method method, SecurityContext securityContext) {
        if (getDenyAll(method)) {
            if (debugOn()) {
                Tr.debug(tc, "Found DenyAll for method: {} " + method.getName() + ", Injection Processing for web service is ignored", new Object[0]);
            }
            return false;
        }

        RolesAllowed allowed = getRolesAllowed(method);
        if (allowed != null) {
            String[] roles = allowed.value();
            if (debugOn()) {
                Tr.debug(tc, "found RolesAllowed in method: {} " + method.getName(), new Object[]{roles});
            }
            // Authentication is checked first so an anonymous caller gets
            // AuthenticationException rather than a plain role-membership failure.
            return ensureAuthentication(securityContext)
                    && isUserInRole(securityContext, Arrays.asList(roles), false);
        }

        if (getPermitAll(method)) {
            if (debugOn()) {
                Tr.debug(tc, "Found PermitAll for method: {}" + method.getName(), new Object[0]);
            }
            return true;
        }

        return parseClassSecurity(method.getDeclaringClass(), securityContext);
    }

    /**
     * Evaluates the class-level annotations. A class with neither
     * {@code @DenyAll} nor {@code @RolesAllowed} permits the call.
     */
    private boolean parseClassSecurity(Class<?> cls, SecurityContext securityContext) {
        if (cls.getAnnotation(DenyAll.class) != null) {
            if (debugOn()) {
                Tr.debug(tc, "Found class level @DenyAll - authorization denied for " + cls.getName(), new Object[0]);
            }
            return false;
        }

        RolesAllowed allowed = cls.getAnnotation(RolesAllowed.class);
        if (allowed == null) {
            return true;
        }

        String[] roles = allowed.value();
        if (debugOn()) {
            Tr.debug(tc, "found RolesAllowed in class level: {} " + cls.getName(), new Object[]{roles});
        }
        return ensureAuthentication(securityContext)
                && isUserInRole(securityContext, Arrays.asList(roles), false);
    }

    /** The method's own {@code @RolesAllowed}, or {@code null} when absent. */
    private RolesAllowed getRolesAllowed(Method method) {
        return method.getAnnotation(RolesAllowed.class);
    }

    /** Whether the method itself is annotated {@code @PermitAll}. */
    private boolean getPermitAll(Method method) {
        return method.isAnnotationPresent(PermitAll.class);
    }

    /** Whether the method itself is annotated {@code @DenyAll}. */
    private boolean getDenyAll(Method method) {
        return method.isAnnotationPresent(DenyAll.class);
    }

    /**
     * Not used: {@link #handleMessage(Message)} is overridden above, so the
     * superclass's role-list based authorization never runs here.
     *
     * <p>NOTE(review): this deliberately stays {@code null} rather than an
     * empty list. If the superclass's default path were ever invoked, an
     * empty list would presumably read as "no roles required"; a null is
     * more likely to fail loudly — confirm against the CXF base class
     * before changing.
     */
    @Override
    protected List<String> getExpectedRoles(Method method) {
        return null;
    }
}
