package org.jboss.security.authorization.modules.ejb;

import java.lang.reflect.Method;
import java.security.CodeSource;
import java.security.Permission;
import java.security.Policy;
import java.security.Principal;
import java.security.ProtectionDomain;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.jacc.EJBMethodPermission;
import javax.security.jacc.EJBRoleRefPermission;
import org.jboss.security.PicketBoxLogger;
import org.jboss.security.PicketBoxMessages;
import org.jboss.security.RunAs;
import org.jboss.security.RunAsIdentity;
import org.jboss.security.authorization.PolicyRegistration;
import org.jboss.security.authorization.Resource;
import org.jboss.security.authorization.modules.AbstractJACCModuleDelegate;
import org.jboss.security.authorization.resources.EJBResource;
import org.jboss.security.identity.Role;
import org.jboss.security.identity.RoleGroup;

/* loaded from: input_file:org/jboss/security/authorization/modules/ejb/EJBJACCPolicyModuleDelegate.class */
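public class EJBJACCPolicyModuleDelegate extends AbstractJACCModuleDelegate {
    /** Result returned when the JACC {@link Policy} grants the permission. */
    private static final int PERMIT = 1;
    /** Result returned when the JACC {@link Policy} denies the permission. */
    private static final int DENY = -1;

    /** Keys read from the resource map handed over by {@link Resource#getMap()}. */
    private static final String KEY_POLICY_REGISTRATION = "policyRegistration";
    private static final String KEY_ROLE_NAME = "roleName";
    private static final String KEY_ROLE_REF_CHECK = "roleRefPermissionCheck";

    // Per-call state copied out of the EJBResource by authorize(). Every call overwrites
    // these fields, so a single instance must not serve concurrent authorize() calls.
    private String ejbName = null;
    private Method ejbMethod = null;
    private String methodInterface = null;
    private CodeSource ejbCS = null;
    private String roleName = null;
    private Boolean roleRefCheck = Boolean.FALSE;
    private RunAsIdentity callerRunAs;

    /**
     * Authorizes an EJB method invocation (or an {@code isCallerInRole} role-reference check)
     * against the JVM-wide JACC {@link Policy}.
     *
     * <p>The resource map selects the kind of check: when {@code roleRefPermissionCheck} is
     * {@code true} an {@link EJBRoleRefPermission} for {@code roleName} is evaluated, otherwise
     * an {@link EJBMethodPermission} for the resource's method is evaluated.
     *
     * @param resource  must be an {@link EJBResource} carrying a non-null resource map
     * @param subject   the authenticated caller
     * @param roleGroup the caller's roles, may be {@code null}
     * @return {@code 1} (permit) or {@code -1} (deny)
     * @throws RuntimeException the PicketBox invalid-type exception when {@code resource} is not
     *                          an {@link EJBResource}, or the null-property exception when the
     *                          resource map is {@code null}
     */
    @Override
    public int authorize(Resource resource, Subject subject, RoleGroup roleGroup) {
        if (!(resource instanceof EJBResource)) {
            throw PicketBoxMessages.MESSAGES.invalidType(EJBResource.class.getName());
        }
        EJBResource ejbResource = (EJBResource) resource;
        Map<?, ?> map = resource.getMap();
        if (map == null) {
            throw PicketBoxMessages.MESSAGES.invalidNullProperty("resourceMap");
        }
        this.policyRegistration = (PolicyRegistration) map.get(KEY_POLICY_REGISTRATION);
        this.ejbCS = ejbResource.getCodeSource();
        this.ejbMethod = ejbResource.getEjbMethod();
        this.ejbName = ejbResource.getEjbName();
        this.methodInterface = ejbResource.getEjbMethodInterface();
        // Always reassign: a run-as identity left behind by an earlier call must not be
        // applied to a caller whose resource carries none.
        RunAs runAs = ejbResource.getCallerRunAsIdentity();
        this.callerRunAs = runAs instanceof RunAsIdentity ? (RunAsIdentity) runAs : null;
        this.roleName = (String) map.get(KEY_ROLE_NAME);
        // Fall back to FALSE when the key is absent so the field never holds null.
        Boolean roleRefFlag = (Boolean) map.get(KEY_ROLE_REF_CHECK);
        this.roleRefCheck = roleRefFlag != null ? roleRefFlag : Boolean.FALSE;
        // Compare by value, not by identity: the map may carry a non-canonical Boolean instance.
        return this.roleRefCheck.booleanValue() ? checkRoleRef(subject, roleGroup) : process(subject, roleGroup);
    }

    /**
     * Evaluates the {@link EJBMethodPermission} for the current bean, method interface and method.
     *
     * @return {@link #PERMIT} or {@link #DENY}
     */
    private int process(Subject subject, Role role) {
        EJBMethodPermission permission = new EJBMethodPermission(this.ejbName, this.methodInterface, this.ejbMethod);
        return evaluate(permission, subject, role);
    }

    /**
     * Evaluates the {@link EJBRoleRefPermission} for the current bean and role name.
     *
     * @return {@link #PERMIT} or {@link #DENY}
     */
    private int checkRoleRef(Subject subject, RoleGroup roleGroup) {
        EJBRoleRefPermission permission = new EJBRoleRefPermission(this.ejbName, this.roleName);
        return evaluate(permission, subject, roleGroup);
    }

    /**
     * Shared decision path: asks the policy and logs a debug entry on denial.
     *
     * @param permission the JACC permission being checked
     * @param subject    the caller
     * @param role       the caller's roles, may be {@code null}
     * @return {@link #PERMIT} when the policy implies the permission, else {@link #DENY}
     */
    private int evaluate(Permission permission, Subject subject, Role role) {
        boolean granted = checkWithPolicy(permission, subject, role);
        if (!granted) {
            PicketBoxLogger.LOGGER.debugJACCDeniedAccess(permission.toString(), subject, role != null ? role.toString() : null);
        }
        return granted ? PERMIT : DENY;
    }

    /**
     * Builds a {@link ProtectionDomain} for the bean's code source and asks the installed
     * {@link Policy} whether it implies {@code permission}.
     *
     * <p>When a caller run-as identity is present its run-as roles replace the caller's own
     * principals entirely; otherwise the principals come from the inherited
     * {@code getPrincipals(subject, role)}.
     *
     * @return {@code true} when the policy grants the permission
     */
    private boolean checkWithPolicy(Permission permission, Subject subject, Role role) {
        Principal[] principals;
        if (this.callerRunAs == null) {
            principals = getPrincipals(subject, role);
        } else {
            Set<Principal> runAsRoles = this.callerRunAs.getRunAsRoles();
            principals = runAsRoles.toArray(new Principal[0]);
        }
        ProtectionDomain domain = new ProtectionDomain(this.ejbCS, null, null, principals);
        return Policy.getPolicy().implies(domain, permission);
    }
}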
