package org.jboss.wsf.stack.cxf.interceptor;

import java.security.Principal;
import java.util.Iterator;
import java.util.List;
import javax.xml.ws.handler.Handler;
import javax.xml.ws.handler.LogicalMessageContext;
import javax.xml.ws.handler.MessageContext;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.jaxws.context.WrappedMessageContext;
import org.apache.cxf.jaxws.handler.HandlerChainInvoker;
import org.apache.cxf.jaxws.handler.logical.LogicalHandlerInInterceptor;
import org.apache.cxf.jaxws.handler.soap.SOAPHandlerInterceptor;
import org.apache.cxf.jaxws.support.JaxWsEndpointImpl;
import org.apache.cxf.message.Exchange;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.security.SecurityContext;
import org.apache.cxf.service.invoker.MethodDispatcher;
import org.apache.cxf.service.model.BindingOperationInfo;
import org.jboss.wsf.spi.deployment.Endpoint;
import org.jboss.wsf.spi.security.EJBMethodSecurityAttribute;
import org.jboss.wsf.spi.security.EJBMethodSecurityAttributeProvider;
import org.jboss.wsf.stack.cxf.i18n.Messages;

/* loaded from: input_file:org/jboss/wsf/stack/cxf/interceptor/HandlerAuthInterceptor.class */
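/**
 * Inbound interceptor that installs an authorization-checking
 * {@link HandlerChainInvoker} on the exchange, so that EJB method security
 * attributes are enforced before any JAX-WS handler sees the request.
 *
 * <p>The interceptor runs in the {@code pre-protocol-frontend} phase and is
 * ordered before both {@link SOAPHandlerInterceptor} and
 * {@link LogicalHandlerInInterceptor}.
 */
public class HandlerAuthInterceptor extends AbstractPhaseInterceptor<Message> {
    /**
     * Message-context key set when authorization has been refused. Its
     * presence tells the invoker to skip the handlers' fault processing.
     */
    private static final String KEY = HandlerAuthInterceptor.class.getName() + ".SECURITY_EXCEPTION";

    /**
     * Handler chain invoker that performs the authorization check before
     * delegating to the logical and protocol handlers.
     */
    private static class JBossWSHandlerChainInvoker extends HandlerChainInvoker {
        /**
         * @param list handler chain, passed unchanged to the superclass
         * @param z    direction flag, passed unchanged to the superclass
         */
        public JBossWSHandlerChainInvoker(List<Handler> list, boolean z) {
            super(list, z);
        }

        /**
         * Checks authorization, then invokes the logical handlers.
         *
         * @return the result of the superclass invocation
         */
        public boolean invokeLogicalHandlers(boolean z, LogicalMessageContext logicalMessageContext) {
            checkAuthorization(logicalMessageContext);
            return super.invokeLogicalHandlers(z, logicalMessageContext);
        }

        /**
         * Checks authorization, then invokes the protocol handlers.
         *
         * @return the result of the superclass invocation
         */
        public boolean invokeProtocolHandlers(boolean z, MessageContext messageContext) {
            checkAuthorization(messageContext);
            return super.invokeProtocolHandlers(z, messageContext);
        }

        /**
         * Skips the logical handlers' fault processing when the fault was
         * raised by a refused authorization, so deployed handlers never
         * process a request the caller was not allowed to make.
         *
         * @return {@code true} without delegating if {@code KEY} is set,
         *         otherwise the superclass result
         */
        public boolean invokeLogicalHandlersHandleFault(boolean z, LogicalMessageContext logicalMessageContext) {
            if (logicalMessageContext.containsKey(HandlerAuthInterceptor.KEY)) {
                return true;
            }
            return super.invokeLogicalHandlersHandleFault(z, logicalMessageContext);
        }

        /**
         * Protocol-handler counterpart of
         * {@link #invokeLogicalHandlersHandleFault(boolean, LogicalMessageContext)}.
         *
         * @return {@code true} without delegating if {@code KEY} is set,
         *         otherwise the superclass result
         */
        public boolean invokeProtocolHandlersHandleFault(boolean z, MessageContext messageContext) {
            if (messageContext.containsKey(HandlerAuthInterceptor.KEY)) {
                return true;
            }
            return super.invokeProtocolHandlersHandleFault(z, messageContext);
        }

        /**
         * Enforces the EJB method security attributes of the operation being
         * invoked. Outbound messages and endpoints without an
         * {@link EJBMethodSecurityAttributeProvider} attachment are not checked.
         *
         * <p>On refusal the context is marked with {@code KEY} and the
         * exception built by {@code Messages.MESSAGES.authorizationFailed} is
         * thrown, carrying the caller's principal name or {@code null}.
         *
         * @param messageContext context of the message about to be handled;
         *                       must be a {@link WrappedMessageContext}
         */
        protected void checkAuthorization(MessageContext messageContext) {
            // Null-safe read of the JAX-WS outbound flag: a missing flag no longer
            // raises a NullPointerException and the message is checked as inbound.
            if (Boolean.TRUE.equals(messageContext.get("javax.xml.ws.handler.message.outbound"))) {
                return;
            }
            Message wrappedMessage = ((WrappedMessageContext) messageContext).getWrappedMessage();
            Exchange exchange = wrappedMessage.getExchange();
            // NOTE(review): a missing Endpoint on the exchange still fails here with a
            // NullPointerException; the request is rejected, but without the KEY marker.
            Endpoint deploymentEndpoint = (Endpoint) exchange.get(Endpoint.class);
            EJBMethodSecurityAttributeProvider attributeProvider =
                    (EJBMethodSecurityAttributeProvider) deploymentEndpoint.getAttachment(EJBMethodSecurityAttributeProvider.class);
            if (attributeProvider == null) {
                return;
            }
            SecurityContext securityContext = (SecurityContext) wrappedMessage.get(SecurityContext.class);
            BindingOperationInfo bindingOperationInfo = exchange.getBindingOperationInfo();
            if (bindingOperationInfo == null) {
                throw Messages.MESSAGES.missingBindingOperationForAuthorization();
            }
            MethodDispatcher dispatcher = (MethodDispatcher) exchange.getService().get(MethodDispatcher.class.getName());
            EJBMethodSecurityAttribute securityAttributes =
                    attributeProvider.getSecurityAttributes(dispatcher.getMethod(bindingOperationInfo));
            // A method with no security attributes at all is left unrestricted, like permit-all.
            if (securityAttributes == null || securityAttributes.isPermitAll()) {
                return;
            }
            // With no SecurityContext the caller holds no roles. Skipping the role loop
            // sends the request down the refusal path below instead of failing with a
            // NullPointerException that would bypass the KEY marker.
            if (securityContext != null && !securityAttributes.isDenyAll() && securityAttributes.getRolesAllowed() != null) {
                for (Object role : securityAttributes.getRolesAllowed()) {
                    if (securityContext.isUserInRole((String) role)) {
                        return;
                    }
                }
            }
            Principal userPrincipal = securityContext != null ? securityContext.getUserPrincipal() : null;
            // Mark the context first so the handleFault overrides skip the handlers.
            messageContext.put(HandlerAuthInterceptor.KEY, true);
            throw Messages.MESSAGES.authorizationFailed(userPrincipal != null ? userPrincipal.getName() : null);
        }
    }

    /**
     * Registers the interceptor in the {@code pre-protocol-frontend} phase,
     * ahead of the SOAP and logical handler interceptors.
     */
    public HandlerAuthInterceptor() {
        super("pre-protocol-frontend");
        addBefore(SOAPHandlerInterceptor.class.getName());
        addBefore(LogicalHandlerInInterceptor.class.getName());
    }

    /**
     * Puts a {@link JBossWSHandlerChainInvoker} on the exchange when none is
     * present and the endpoint is a {@link JaxWsEndpointImpl} with a non-empty
     * handler chain. An invoker already on the exchange is left untouched.
     *
     * @param message the message being processed
     */
    public void handleMessage(Message message) throws Fault {
        Exchange exchange = message.getExchange();
        if (exchange.get(HandlerChainInvoker.class) != null) {
            return;
        }
        // Test the type before narrowing: the decompiled original assigned the
        // endpoint to a JaxWsEndpointImpl variable without a cast.
        if (!(exchange.getEndpoint() instanceof JaxWsEndpointImpl)) {
            return;
        }
        JaxWsEndpointImpl endpoint = (JaxWsEndpointImpl) exchange.getEndpoint();
        List<Handler> handlerChain = endpoint.getJaxwsBinding().getHandlerChain();
        if (handlerChain == null || handlerChain.isEmpty()) {
            return;
        }
        exchange.put(HandlerChainInvoker.class, new JBossWSHandlerChainInvoker(handlerChain, isOutbound(message, exchange)));
    }

    /**
     * @return {@code true} if {@code message} is the exchange's outbound
     *         message or its outbound fault message
     */
    private boolean isOutbound(Message message, Exchange exchange) {
        return message == exchange.getOutMessage() || message == exchange.getOutFaultMessage();
    }
}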
