package org.picketlink.trust.jbossws.handler;

import java.io.IOException;
import java.io.InputStream;
import java.security.Principal;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;
import javax.servlet.ServletContext;
import javax.xml.namespace.QName;
import javax.xml.soap.SOAPException;
import javax.xml.ws.handler.MessageContext;
import javax.xml.ws.handler.soap.SOAPMessageContext;
import org.jboss.security.AuthorizationManager;
import org.jboss.security.SecurityContext;
import org.jboss.security.SimplePrincipal;
import org.jboss.security.callbacks.SecurityContextCallbackHandler;
import org.picketlink.common.exceptions.ConfigurationException;
import org.picketlink.common.exceptions.ProcessingException;
import org.picketlink.trust.jbossws.util.JBossWSNativeStackUtil;
import org.picketlink.trust.jbossws.util.JBossWSSERoleExtractor;
import org.w3c.dom.Node;

/* loaded from: input_file:org/picketlink/trust/jbossws/handler/AbstractWSAuthorizationHandler.class */
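/**
 * Base JAX-WS handler that authorizes inbound SOAP requests against the roles declared for the
 * target port/operation in {@code /WEB-INF/jboss-wsse.xml}.
 *
 * <p>On every inbound message the handler loads the WSSE configuration, resolves the WSDL port
 * and operation of the request, looks up (and caches) the roles required for that pair, and asks
 * the security domain's {@link AuthorizationManager} whether the caller holds one of them. A
 * port/operation marked with the role {@link #UNCHECKED} is allowed through without a check.
 *
 * <p>Subclasses supply the trust-handler plumbing ({@code logger}, {@code trace},
 * {@code getServletContext}, {@code lookupJNDI}, {@code getSecurityDomainName}) from
 * {@link AbstractPicketLinkTrustHandler}.
 */
public abstract class AbstractWSAuthorizationHandler extends AbstractPicketLinkTrustHandler {

    /** Role name in the WSSE configuration that disables the authorization check for a port/operation. */
    public static final String UNCHECKED = "unchecked";

    /** Location of the WSSE role configuration relative to the web application root. */
    private static final String WSSE_RESOURCE = "/WEB-INF/jboss-wsse.xml";

    /** Classloader-relative variant of {@link #WSSE_RESOURCE} (no leading slash). */
    private static final String WSSE_CLASSPATH_RESOURCE = "WEB-INF/jboss-wsse.xml";

    /** Separator between port local part and operation name in {@link #cache} keys. */
    private static final String CACHE_KEY_SEPARATOR = "_";

    // Cache of "<port local part>_<operation QName>" -> roles extracted from the WSSE configuration.
    // NOTE(review): this is a plain HashMap; if the container shares one handler instance across
    // request threads it should become a concurrent map — confirm against the deployment model.
    protected Map<String, List<String>> cache = new HashMap<String, List<String>>();

    /**
     * Authorizes an inbound message.
     *
     * @param messageContext the JAX-WS message context of the inbound request
     * @return {@code true} when the request is allowed to proceed (the port/operation is
     *         {@link #UNCHECKED} or the caller holds one of the required roles)
     * @throws RuntimeException (via {@code logger}) when the WSSE configuration cannot be loaded,
     *         the port or operation name cannot be determined, role extraction fails, the
     *         authorization manager cannot be looked up, or the caller lacks every required role
     */
    @Override // org.picketlink.trust.jbossws.handler.AbstractPicketLinkTrustHandler
    protected boolean handleInbound(MessageContext messageContext) {
        logger.trace("Handling Inbound Message");
        trace(messageContext);
        InputStream wsse = getWSSE(getServletContext(messageContext));
        if (wsse == null) {
            throw logger.jbossWSUnableToLoadJBossWSSEConfigError();
        }
        List<String> roles;
        try {
            QName portName = resolvePortName(messageContext);
            QName operationName = resolveOperationName(messageContext);
            roles = resolveRoles(wsse, portName, operationName);
        } finally {
            // The configuration stream is opened per request; release it whether or not
            // role extraction succeeded.
            closeQuietly(wsse);
        }
        if (roles.contains(UNCHECKED)) {
            return true;
        }
        return authorize(messageContext, roles);
    }

    /**
     * Resolves the WSDL port of the request from the message context, falling back to the
     * JBossWS native-stack reflection helper when the standard property is absent.
     *
     * @throws RuntimeException (via {@code logger.nullValueError}) when neither source yields a port
     */
    private QName resolvePortName(MessageContext messageContext) {
        QName portName = (QName) messageContext.get(MessageContext.WSDL_PORT);
        if (portName == null) {
            portName = JBossWSNativeStackUtil.getPortNameViaReflection(getClass(), messageContext);
        }
        if (portName == null) {
            throw logger.nullValueError("port name from the message context");
        }
        return portName;
    }

    /**
     * Resolves the WSDL operation of the request from the message context, falling back to the
     * first element of the SOAP body when the standard property is absent.
     *
     * @throws RuntimeException (via {@code logger.nullValueError}) when neither source yields an operation
     */
    private QName resolveOperationName(MessageContext messageContext) {
        QName operationName = (QName) messageContext.get(MessageContext.WSDL_OPERATION);
        if (operationName == null) {
            operationName = getOperationName(messageContext);
        }
        if (operationName == null) {
            throw logger.nullValueError("operation name from the message context");
        }
        return operationName;
    }

    /**
     * Returns the roles required for the given port/operation, extracting them from the WSSE
     * configuration on a cache miss and remembering the result.
     *
     * @param wsse          open stream over the WSSE configuration (not closed here)
     * @param portName      WSDL port of the request
     * @param operationName WSDL operation of the request
     * @throws RuntimeException wrapping the {@link ProcessingException} when extraction fails
     */
    private List<String> resolveRoles(InputStream wsse, QName portName, QName operationName) {
        String port = portName.getLocalPart();
        String operation = operationName.toString();
        String key = port + CACHE_KEY_SEPARATOR + operation;
        if (this.cache.containsKey(key)) {
            return this.cache.get(key);
        }
        try {
            List<String> roles = JBossWSSERoleExtractor.getRoles(wsse, port, operation);
            this.cache.put(key, roles);
            return roles;
        } catch (ProcessingException e) {
            throw new RuntimeException((Throwable) e);
        }
    }

    /**
     * Checks the caller against the required roles via the security domain's authorization manager.
     *
     * @return {@code true} when the caller holds at least one of {@code roles}
     * @throws RuntimeException (via {@code logger.jbossWSAuthorizationFailed}) when the caller holds
     *         none of them, or wrapping the {@link ConfigurationException} when the manager lookup fails
     */
    private boolean authorize(MessageContext messageContext, List<String> roles) {
        try {
            AuthorizationManager authorizationManager = getAuthorizationManager(messageContext);
            Subject authenticatedSubject = SecurityActions.getAuthenticatedSubject();
            Set<Principal> expectedRoles = rolesSet(roles);
            // A null principal is passed deliberately; presumably the manager resolves the caller
            // from the active security context — confirm against the AuthorizationManager in use.
            if (authorizationManager.doesUserHaveRole((Principal) null, expectedRoles)) {
                return true;
            }
            SecurityContext securityContext = SecurityActions.getSecurityContext();
            // NOTE(review): Subject.toString() renders principals and public credentials; check that
            // nothing sensitive can reach the log through this line.
            StringBuilder sb = new StringBuilder("Authorization Failed:Subject=");
            sb.append(authenticatedSubject).append(":Expected Roles=").append(expectedRoles);
            sb.append("::Actual Roles=").append(authorizationManager.getSubjectRoles(authenticatedSubject, new SecurityContextCallbackHandler(securityContext)));
            logger.error(sb.toString());
            throw logger.jbossWSAuthorizationFailed();
        } catch (ConfigurationException e) {
            logger.authorizationManagerError(e);
            throw new RuntimeException((Throwable) e);
        }
    }

    /**
     * Closes the WSSE configuration stream, ignoring close failures so they cannot mask the
     * authorization outcome.
     */
    private void closeQuietly(InputStream in) {
        try {
            in.close();
        } catch (IOException ignored) {
            // Nothing sensible to do: the stream has already served its purpose.
        }
    }

    /**
     * Converts role names into the {@link SimplePrincipal} set expected by the authorization manager.
     *
     * @param list role names; an empty list yields an empty set
     * @return a new, mutable set with one principal per role name
     */
    protected Set<Principal> rolesSet(List<String> list) {
        Set<Principal> principals = new HashSet<Principal>();
        for (String role : list) {
            principals.add(new SimplePrincipal(role));
        }
        return principals;
    }

    /**
     * Opens the WSSE configuration from the web application.
     *
     * @param servletContext the servlet context of the web application
     * @return the configuration stream, or {@code null} when the resource does not exist;
     *         the caller owns the stream and must close it
     * @throws RuntimeException (via {@code logger.nullValueError}) when {@code servletContext} is {@code null}
     */
    protected InputStream getWSSE(ServletContext servletContext) {
        if (servletContext == null) {
            throw logger.nullValueError("Servlet Context");
        }
        return servletContext.getResourceAsStream(WSSE_RESOURCE);
    }

    /**
     * Loads the WSSE configuration through a classloader, trying the classpath-style name first
     * and the leading-slash name second.
     *
     * @return the configuration stream, or {@code null} when neither name resolves; the caller
     *         owns the stream and must close it
     */
    protected InputStream load(ClassLoader classLoader) {
        InputStream stream = classLoader.getResourceAsStream(WSSE_CLASSPATH_RESOURCE);
        if (stream == null) {
            stream = classLoader.getResourceAsStream(WSSE_RESOURCE);
        }
        return stream;
    }

    /**
     * Derives the operation name from the first element child of the SOAP body.
     *
     * @return the operation {@link QName}, or {@code null} when the body has no element child or
     *         the SOAP message cannot be read (the error is logged)
     */
    private QName getOperationName(MessageContext messageContext) {
        try {
            Node child = ((SOAPMessageContext) messageContext).getMessage().getSOAPBody().getFirstChild();
            // Skip whitespace text and comment nodes that a pretty-printed envelope may place
            // before the operation element; a non-element node has no local name to build a QName from.
            while (child != null && child.getNodeType() != Node.ELEMENT_NODE) {
                child = child.getNextSibling();
            }
            if (child == null) {
                return null;
            }
            return new QName(child.getNamespaceURI(), child.getLocalName());
        } catch (SOAPException e) {
            logger.jbossWSErrorGettingOperationName(e);
            return null;
        }
    }

    /**
     * Looks up the {@link AuthorizationManager} of the request's security domain in JNDI.
     *
     * @throws ConfigurationException when the lookup fails
     */
    protected AuthorizationManager getAuthorizationManager(MessageContext messageContext) throws ConfigurationException {
        return (AuthorizationManager) lookupJNDI("java:jboss/jaas/" + getSecurityDomainName(messageContext) + "/authorizationMgr");
    }
}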
