package org.jboss.aspects.security;

import java.security.Principal;
import java.util.HashSet;
import java.util.Set;
import org.jboss.aop.advice.Interceptor;
import org.jboss.aop.joinpoint.Invocation;
import org.jboss.logging.Logger;
import org.jboss.security.AnybodyPrincipal;
import org.jboss.security.AuthenticationManager;
import org.jboss.security.NobodyPrincipal;
import org.jboss.security.RealmMapping;
import org.jboss.security.RunAsIdentity;
import org.jboss.security.SimplePrincipal;

/* loaded from: input_file:org/jboss/aspects/security/RoleBasedAuthorizationInterceptor.class */
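/**
 * AOP interceptor that performs a role check before letting an invocation proceed
 * down the interceptor chain.
 *
 * <p>The required roles are read from the invocation's {@code "security"/"roles"}
 * metadata and, when that is absent, derived from the {@code @Exclude},
 * {@code @Unchecked} and {@code @Permissions} annotations.
 *
 * <p>Behaviour a reviewer should be aware of, all visible in this class:
 * <ul>
 *   <li>With no {@link AuthenticationManager} configured, {@link #invoke} performs no
 *       check at all and simply continues the chain (fail-open).</li>
 *   <li>A join point that carries neither metadata nor any of the three annotations
 *       is treated as open to {@link AnybodyPrincipal#ANYBODY_PRINCIPAL}.</li>
 *   <li>When a run-as identity is on the stack, its roles are checked instead of the
 *       caller principal's roles.</li>
 *   <li>Denials are logged at error level and raised as {@link SecurityException};
 *       the message carries the principal name, the required roles and the roles
 *       actually held.</li>
 * </ul>
 */
public class RoleBasedAuthorizationInterceptor implements Interceptor {
    protected Logger log = Logger.getLogger(getClass());
    // When null, invoke() skips authorization entirely.
    protected AuthenticationManager securityManager;
    // Used to answer "does this principal hold one of these roles" for caller principals.
    protected RealmMapping realmMapping;

    /**
     * Creates the interceptor.
     *
     * @param authenticationManager the security manager; {@code null} disables the
     *                              role check in {@link #invoke}
     * @param realmMapping          the role mapping used for caller principals; must be
     *                              non-null whenever {@code authenticationManager} is set,
     *                              otherwise {@link #invoke} throws
     */
    public RoleBasedAuthorizationInterceptor(AuthenticationManager authenticationManager, RealmMapping realmMapping) {
        this.securityManager = authenticationManager;
        this.realmMapping = realmMapping;
    }

    /**
     * Returns the fixed name of this interceptor.
     *
     * @return the literal {@code "RoleBasedAuthorizationInterceptor"}
     */
    public String getName() {
        return "RoleBasedAuthorizationInterceptor";
    }

    /**
     * Resolves the set of roles required for the given invocation.
     *
     * <p>Explicit {@code "security"/"roles"} metadata takes precedence; annotations are
     * only consulted when no such metadata is attached.
     *
     * @param invocation the intercepted invocation
     * @return the required roles; the element type of a metadata-supplied set is not
     *         visible here (presumably principals — confirm against the code that
     *         populates the metadata)
     */
    protected Set getRoleSet(Invocation invocation) {
        Set configuredRoles = (Set) invocation.getMetaData("security", "roles");
        return configuredRoles != null ? configuredRoles : getAnnotationRoleSet(invocation);
    }

    /**
     * Builds the required role set from annotations on the join point.
     *
     * <p>Precedence is {@code @Exclude}, then {@code @Unchecked}, then
     * {@code @Permissions}. {@code @Exclude} wins over the other two, so a member
     * carrying both {@code @Exclude} and {@code @Permissions} resolves to the nobody
     * principal only.
     *
     * @param invocation the intercepted invocation
     * @return a new, never-null set holding either the nobody principal, the anybody
     *         principal, or one {@link SimplePrincipal} per {@code @Permissions} value
     */
    protected Set getAnnotationRoleSet(Invocation invocation) {
        Set<Principal> roles = new HashSet<Principal>();
        if (invocation.resolveAnnotation(Exclude.class) != null) {
            // NOTE(review): presumably no caller ever matches NOBODY_PRINCIPAL, making
            // this a deny-all marker - confirm against the RealmMapping implementation.
            roles.add(NobodyPrincipal.NOBODY_PRINCIPAL);
            return roles;
        }
        if (invocation.resolveAnnotation(Unchecked.class) != null) {
            roles.add(AnybodyPrincipal.ANYBODY_PRINCIPAL);
            return roles;
        }
        Permissions permissions = (Permissions) invocation.resolveAnnotation(Permissions.class);
        if (permissions == null) {
            // NOTE(review): an un-annotated join point is open to everybody. This is a
            // default-allow policy; a forgotten @Permissions is indistinguishable from an
            // intentional @Unchecked here and is not logged.
            roles.add(AnybodyPrincipal.ANYBODY_PRINCIPAL);
            return roles;
        }
        // Read the annotation value once instead of on every loop iteration.
        for (String roleName : permissions.value()) {
            roles.add(new SimplePrincipal(roleName));
        }
        return roles;
    }

    /**
     * Authorizes the invocation and, if permitted, continues the interceptor chain.
     *
     * @param invocation the intercepted invocation
     * @return whatever the rest of the chain returns
     * @throws SecurityException if the role mapping is missing, no role set could be
     *                           resolved, or the effective identity lacks every
     *                           required role
     * @throws Throwable         anything thrown further down the chain
     */
    public Object invoke(Invocation invocation) throws Throwable {
        if (this.securityManager == null) {
            // NOTE(review): fail-open. Without a security manager the target is invoked
            // with no role check and nothing is logged, so a missing or mis-wired
            // security configuration is silent at this layer.
            return invocation.invokeNext();
        }
        if (this.realmMapping == null) {
            throw new SecurityException("Role mapping manager has not been set");
        }
        Set roleSet = getRoleSet(invocation);
        if (roleSet == null) {
            // Not reachable through getAnnotationRoleSet above (it never returns null);
            // kept as a fail-closed guard for subclasses that override getRoleSet.
            this.log.error("No method permissions assigned.");
            throw new SecurityException("No method permissions assigned.");
        }
        RunAsIdentity runAsIdentity = SecurityActions.peekRunAsIdentity();
        if (roleSet.contains(AnybodyPrincipal.ANYBODY_PRINCIPAL)) {
            return invocation.invokeNext();
        }
        if (runAsIdentity == null) {
            Principal principal = SecurityActions.getPrincipal();
            if (!this.realmMapping.doesUserHaveRole(principal, roleSet)) {
                // NOTE(review): the same string goes to the log and into the exception.
                // If the SecurityException is propagated to the caller (not visible from
                // here), it discloses the required roles and the caller's own role list.
                String message = "Insufficient permissions, principal=" + principal + ", requiredRoles=" + roleSet + ", principalRoles=" + this.realmMapping.getUserRoles(principal);
                this.log.error(message);
                throw new SecurityException(message);
            }
        } else if (!runAsIdentity.doesUserHaveRole(roleSet)) {
            // A run-as identity replaces the caller for this decision: the caller
            // principal's roles are not consulted on this path.
            String message = "Insufficient permissions, runAsPrincipal=" + runAsIdentity.getName() + ", requiredRoles=" + roleSet + ", runAsRoles=" + runAsIdentity.getRunAsRoles();
            this.log.error(message);
            throw new SecurityException(message);
        }
        return invocation.invokeNext();
    }
}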
