package org.switchyard.handlers;

import java.util.Iterator;
import org.switchyard.BaseHandler;
import org.switchyard.Exchange;
import org.switchyard.ExchangePhase;
import org.switchyard.HandlerException;
import org.switchyard.Service;
import org.switchyard.ServiceReference;
import org.switchyard.ServiceSecurity;
import org.switchyard.policy.PolicyUtil;
import org.switchyard.policy.SecurityPolicy;
import org.switchyard.security.SecurityContext;
import org.switchyard.security.credential.ConfidentialityCredential;
import org.switchyard.security.credential.PrincipalCredential;
import org.switchyard.security.spi.SecurityProvider;

/* loaded from: input_file:WEB-INF/lib/switchyard-runtime-1.0.0.Final.jar:org/switchyard/handlers/SecurityHandler.class */
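public class SecurityHandler extends BaseHandler {
    private final SecurityProvider _securityProvider = SecurityProvider.instance();

    /**
     * Evaluates the security policies attached to an exchange on its inbound leg
     * and records which of them are satisfied.
     *
     * <p>Processing only happens when a {@link ServiceSecurity} can be resolved
     * for the exchange (provider metadata first, then consumer metadata); with no
     * security metadata the exchange passes through untouched. On any phase other
     * than {@link ExchangePhase#IN} the stored credentials and provider state are
     * cleared instead, so nothing security-related outlives the inbound request.
     *
     * <p>On the inbound leg, in order:
     * <ul>
     *   <li>CONFIDENTIALITY is marked provided when required, not yet provided, and
     *       a confidential {@link ConfidentialityCredential} is present.</li>
     *   <li>CLIENT_AUTHENTICATION counts as satisfied when it is not required or is
     *       already provided; otherwise it is marked provided when a trusted
     *       {@link PrincipalCredential} is present, or, failing that, when the
     *       {@link SecurityProvider} authenticates the context. Only when satisfied
     *       are the credentials propagated and the run-as identity added.</li>
     *   <li>AUTHORIZATION is marked provided when required, not yet provided, and
     *       the provider's roles-allowed check passes.</li>
     * </ul>
     * A required policy that ends up unsatisfied is not rejected here; this handler
     * only records what was provided. NOTE(review): enforcement of unsatisfied
     * required policies presumably happens in a later handler — confirm against the
     * handler chain.
     *
     * @param exchange the exchange being processed
     * @throws HandlerException declared for the {@link BaseHandler} contract; this
     *         implementation does not throw it itself
     */
    @Override
    public void handleMessage(Exchange exchange) throws HandlerException {
        ServiceSecurity serviceSecurity = getServiceSecurity(exchange);
        if (serviceSecurity == null) {
            // No security metadata on either provider or consumer: nothing to evaluate.
            return;
        }
        SecurityContext securityContext = SecurityContext.get(exchange);
        if (!ExchangePhase.IN.equals(exchange.getPhase())) {
            // Outbound leg: drop credentials and provider state rather than re-evaluating.
            clearSecurity(serviceSecurity, securityContext);
            return;
        }

        if (PolicyUtil.isRequired(exchange, SecurityPolicy.CONFIDENTIALITY)
                && !PolicyUtil.isProvided(exchange, SecurityPolicy.CONFIDENTIALITY)
                && isConfidentialityProvided(securityContext)) {
            PolicyUtil.provide(exchange, SecurityPolicy.CONFIDENTIALITY);
        }

        boolean clientAuthenticated;
        if (!PolicyUtil.isRequired(exchange, SecurityPolicy.CLIENT_AUTHENTICATION)
                || PolicyUtil.isProvided(exchange, SecurityPolicy.CLIENT_AUTHENTICATION)) {
            clientAuthenticated = true;
        } else if (isClientAuthenticationProvided(securityContext)
                // Short-circuit keeps the original order: the provider is only asked to
                // authenticate when no trusted principal credential is already present.
                || this._securityProvider.authenticate(serviceSecurity, securityContext)) {
            PolicyUtil.provide(exchange, SecurityPolicy.CLIENT_AUTHENTICATION);
            clientAuthenticated = true;
        } else {
            clientAuthenticated = false;
        }
        if (clientAuthenticated) {
            // Identity is only propagated / run-as applied once authentication is settled.
            this._securityProvider.propagate(serviceSecurity, securityContext);
            this._securityProvider.addRunAs(serviceSecurity, securityContext);
        }

        if (PolicyUtil.isRequired(exchange, SecurityPolicy.AUTHORIZATION)
                && !PolicyUtil.isProvided(exchange, SecurityPolicy.AUTHORIZATION)
                && isAuthorizationProvided(serviceSecurity, securityContext)) {
            PolicyUtil.provide(exchange, SecurityPolicy.AUTHORIZATION);
        }
    }

    /**
     * Clears credentials and provider security state for a faulted exchange, so a
     * failed exchange does not leave an authenticated context behind. Exchanges
     * without security metadata are ignored.
     *
     * @param exchange the exchange that faulted
     */
    @Override
    public void handleFault(Exchange exchange) {
        ServiceSecurity serviceSecurity = getServiceSecurity(exchange);
        if (serviceSecurity != null) {
            clearSecurity(serviceSecurity, SecurityContext.get(exchange));
        }
    }

    /**
     * Drops the credentials held in the security context and lets the provider
     * release whatever state it associated with it. Shared by the outbound-phase
     * path of {@link #handleMessage} and by {@link #handleFault} so both tear
     * down in the same order.
     */
    private void clearSecurity(ServiceSecurity serviceSecurity, SecurityContext securityContext) {
        securityContext.clearCredentials();
        this._securityProvider.clear(serviceSecurity, securityContext);
    }

    /**
     * @return {@code true} if at least one {@link ConfidentialityCredential} in the
     *         context reports {@code isConfidential()}
     */
    private boolean isConfidentialityProvided(SecurityContext securityContext) {
        // Typed iteration replaces the raw Iterator + cast of the original.
        for (ConfidentialityCredential credential
                : securityContext.getCredentials(ConfidentialityCredential.class)) {
            if (credential.isConfidential()) {
                return true;
            }
        }
        return false;
    }

    /**
     * @return {@code true} if the context holds a {@link PrincipalCredential} that
     *         carries a non-null principal and is marked trusted
     */
    private boolean isClientAuthenticationProvided(SecurityContext securityContext) {
        for (PrincipalCredential principalCredential
                : securityContext.getCredentials(PrincipalCredential.class)) {
            if (principalCredential.getPrincipal() != null && principalCredential.isTrusted()) {
                return true;
            }
        }
        return false;
    }

    /**
     * Delegates the roles-allowed decision to the {@link SecurityProvider}.
     *
     * @return the provider's {@code checkRolesAllowed} result
     */
    private boolean isAuthorizationProvided(ServiceSecurity serviceSecurity, SecurityContext securityContext) {
        return this._securityProvider.checkRolesAllowed(serviceSecurity, securityContext);
    }

    /**
     * Resolves the security metadata governing this exchange: the provider's
     * service metadata takes precedence, and the consumer's is used only when
     * the provider is absent or declares no security.
     *
     * @return the applicable {@link ServiceSecurity}, or {@code null} if neither
     *         side declares any
     */
    private ServiceSecurity getServiceSecurity(Exchange exchange) {
        ServiceSecurity serviceSecurity = null;
        Service provider = exchange.getProvider();
        if (provider != null) {
            serviceSecurity = provider.getServiceMetadata().getSecurity();
        }
        if (serviceSecurity == null) {
            ServiceReference consumer = exchange.getConsumer();
            if (consumer != null) {
                serviceSecurity = consumer.getServiceMetadata().getSecurity();
            }
        }
        return serviceSecurity;
    }
}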
