package org.jboss.security.authorization.modules.ejb;

import java.lang.reflect.Method;
import java.security.Principal;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import org.jboss.logging.Logger;
import org.jboss.security.AnybodyPrincipal;
import org.jboss.security.AuthorizationManager;
import org.jboss.security.RunAsIdentity;
import org.jboss.security.SecurityRoleRef;
import org.jboss.security.SimplePrincipal;
import org.jboss.security.authorization.PolicyRegistration;
import org.jboss.security.authorization.Resource;
import org.jboss.security.authorization.modules.AuthorizationModuleDelegate;

/* loaded from: input_file:org/jboss/security/authorization/modules/ejb/EJBPolicyModuleDelegate.class */
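/**
 * Authorization delegate for EJB invocations.
 * <p>
 * {@link #authorize(Resource)} pulls the invocation context out of the resource map and then runs
 * one of two checks: a {@code <security-role-ref>} lookup when the map carries
 * {@code roleRefPermissionCheck == TRUE} ({@link #checkRoleRef()}), otherwise the method-permission
 * check ({@link #process()}). Both are written fail-closed: the only way to obtain {@link #PERMIT}
 * is a positive role match; missing roles, a missing authorization manager or a missing caller all
 * produce {@link #DENY} instead of propagating a {@code NullPointerException}.
 * <p>
 * Not thread-safe: the per-invocation context is kept in instance fields between
 * {@link #authorize(Resource)} and the private check methods.
 */
public class EJBPolicyModuleDelegate extends AuthorizationModuleDelegate {
    /** Outcome returned when the caller holds a required role. */
    private static final int PERMIT = 1;
    /** Outcome returned for every other case, including incomplete input. */
    private static final int DENY = -1;

    // Per-invocation context, populated by authorize() from the resource map.
    private String ejbName = null;
    private Method ejbMethod = null;
    private Principal ejbPrincipal = null;
    // Roles required by the method permission; raw Set because the map supplies it untyped.
    private Set methodRoles = null;
    private String methodInterface = null;
    // Non-null when the caller is running under a run-as identity; then its roles are checked
    // instead of the principal's.
    private RunAsIdentity callerRunAsIdentity = null;
    // Role name being tested by a role-ref check; overwritten with the descriptor link when one matches.
    private String roleName = null;
    private Boolean roleRefCheck = Boolean.FALSE;
    // SecurityRoleRef entries from the deployment descriptor; raw Set because the map supplies it untyped.
    private Set securityRoleReferences = null;

    public EJBPolicyModuleDelegate() {
        log = Logger.getLogger(getClass());
        this.trace = log.isTraceEnabled();
    }

    /**
     * Authorizes the EJB invocation described by the resource map.
     *
     * @param resource resource whose map holds the invocation context under the keys
     *     {@code authorizationManager}, {@code ejb.method}, {@code ejb.name}, {@code ejb.principal},
     *     {@code ejb.methodInterface}, {@code ejb.methodRoles}, {@code runAsIdentity},
     *     {@code roleName}, {@code roleRefPermissionCheck} and {@code securityRoleReferences}
     * @return {@link #PERMIT} (1) or {@link #DENY} (-1)
     * @throws IllegalStateException if the resource map is null or empty
     */
    @Override // org.jboss.security.authorization.modules.AuthorizationModuleDelegate
    public int authorize(Resource resource) {
        Map map = resource.getMap();
        if (map == null) {
            throw new IllegalStateException("Map from the Resource is null");
        }
        if (map.isEmpty()) {
            throw new IllegalStateException("Map from the Resource is size zero");
        }
        // A manager supplied per invocation overrides the one set via setPolicyRegistrationManager().
        PolicyRegistration policyRegistration = (PolicyRegistration) map.get("authorizationManager");
        if (policyRegistration != null) {
            this.authzManager = policyRegistration;
        }
        this.ejbMethod = (Method) map.get("ejb.method");
        this.ejbName = (String) map.get("ejb.name");
        this.ejbPrincipal = (Principal) map.get("ejb.principal");
        this.methodInterface = (String) map.get("ejb.methodInterface");
        this.methodRoles = (Set) map.get("ejb.methodRoles");
        this.callerRunAsIdentity = (RunAsIdentity) map.get("runAsIdentity");
        this.roleName = (String) map.get("roleName");
        this.roleRefCheck = (Boolean) map.get("roleRefPermissionCheck");
        this.securityRoleReferences = (Set) map.get("securityRoleReferences");
        // equals() rather than == : a missing key (null) or a non-canonical Boolean instance must
        // not silently select the wrong check.
        return Boolean.TRUE.equals(this.roleRefCheck) ? checkRoleRef() : process();
    }

    /**
     * Installs the policy registration used for role lookups.
     *
     * @param policyRegistration registration that must also implement {@link AuthorizationManager}
     * @throws IllegalStateException if it is not an {@link AuthorizationManager}
     */
    @Override // org.jboss.security.authorization.modules.AuthorizationModuleDelegate
    public void setPolicyRegistrationManager(PolicyRegistration policyRegistration) {
        this.authzManager = policyRegistration;
        if (!(this.authzManager instanceof AuthorizationManager)) {
            throw new IllegalStateException(this.authzManager + " is not an instanceof AuthorizationManager");
        }
    }

    /**
     * Method-permission check: the caller (run-as identity if present, else the principal) must hold
     * one of {@link #methodRoles}, unless the method is open to {@link AnybodyPrincipal}.
     *
     * @return {@link #PERMIT} or {@link #DENY}
     */
    private int process() {
        if (this.methodRoles == null) {
            // No permission assigned to the method: deny. (Previously this fell through and
            // dereferenced methodRoles, failing with a NullPointerException instead.)
            return deny("No method permissions assigned to method=" + methodName()
                    + ", interface=" + this.methodInterface);
        }
        if (this.trace) {
            log.trace("method=" + this.ejbMethod + ", interface=" + this.methodInterface
                    + ", requiredRoles=" + this.methodRoles);
        }
        if (this.methodRoles.contains(AnybodyPrincipal.ANYBODY_PRINCIPAL)) {
            return PERMIT;
        }
        if (this.callerRunAsIdentity != null) {
            if (this.callerRunAsIdentity.doesUserHaveRole(this.methodRoles)) {
                return PERMIT;
            }
            return deny("Insufficient method permissions, principal=" + this.ejbPrincipal
                    + ", ejbName=" + this.ejbName + ", method=" + methodName()
                    + ", interface=" + this.methodInterface + ", requiredRoles=" + this.methodRoles
                    + ", runAsRoles=" + this.callerRunAsIdentity.getRunAsRoles());
        }
        PolicyRegistration policyRegistration = this.authzManager;
        if (policyRegistration == null) {
            // Nothing to consult for the principal's roles: fail closed rather than NPE.
            return deny("No authorization manager available, principal=" + this.ejbPrincipal
                    + ", ejbName=" + this.ejbName + ", method=" + methodName());
        }
        if (policyRegistration.doesUserHaveRole(this.ejbPrincipal, this.methodRoles)) {
            return PERMIT;
        }
        return deny("Insufficient method permissions, principal=" + this.ejbPrincipal
                + ", ejbName=" + this.ejbName + ", method=" + methodName()
                + ", interface=" + this.methodInterface + ", requiredRoles=" + this.methodRoles
                + ", principalRoles=" + policyRegistration.getUserRoles(this.ejbPrincipal));
    }

    /**
     * Role-reference check ({@code isCallerInRole}): resolves {@link #roleName} through the
     * descriptor's {@code <security-role-ref>} entries and tests whether the caller holds the
     * resulting role.
     * <p>
     * When no reference matches, a warning is logged and the unlinked role name is tested as-is;
     * when a reference matches, its link replaces {@link #roleName} (even if the link is null,
     * which then cannot match any role).
     *
     * @return {@link #PERMIT} or {@link #DENY}
     */
    private int checkRoleRef() {
        if (this.ejbPrincipal == null && this.callerRunAsIdentity == null) {
            if (this.trace) {
                log.trace("ejbPrincipal = null,callerRunAsIdentity = null => DENY");
            }
            return DENY;
        }
        boolean linked = false;
        if (this.securityRoleReferences != null) {
            for (Object entry : this.securityRoleReferences) {
                SecurityRoleRef securityRoleRef = (SecurityRoleRef) entry;
                // Compare from roleName's side so a reference without a name cannot NPE the check.
                if (this.roleName != null && this.roleName.equals(securityRoleRef.getName())) {
                    this.roleName = securityRoleRef.getLink();
                    linked = true;
                    break;
                }
            }
        }
        if (!linked) {
            log.warn("no match found for security role " + this.roleName
                    + " in the deployment descriptor for ejb " + this.ejbName);
        }
        Set<Principal> requiredRoles = new HashSet<Principal>();
        requiredRoles.add(new SimplePrincipal(this.roleName));
        boolean allowed;
        if (this.callerRunAsIdentity != null) {
            allowed = this.callerRunAsIdentity.doesUserHaveRole(requiredRoles);
        } else {
            PolicyRegistration policyRegistration = this.authzManager;
            // A missing manager cannot vouch for the principal: deny.
            allowed = policyRegistration != null
                    && policyRegistration.doesUserHaveRole(this.ejbPrincipal, requiredRoles);
        }
        // (Previously the two outcomes were folded into one mis-nested ternary that mixed a boolean
        // and an int result.)
        return allowed ? PERMIT : DENY;
    }

    /**
     * Records the reason for a denial in the trace log (when enabled) and returns {@link #DENY}.
     *
     * @param reason human-readable explanation; contains principal and role names only
     * @return {@link #DENY}
     */
    private int deny(String reason) {
        if (this.trace) {
            log.trace("Exception:" + reason);
        }
        return DENY;
    }

    /**
     * Name of the invoked EJB method for log messages.
     *
     * @return the method name, or null when the resource map carried no {@code ejb.method}
     */
    private String methodName() {
        return this.ejbMethod == null ? null : this.ejbMethod.getName();
    }
}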
