package org.apache.cxf.interceptor.security;

import java.util.Collections;
import java.util.List;
import java.util.logging.Level;
import java.util.logging.Logger;
import org.apache.cxf.common.logging.LogUtils;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.message.Message;
import org.apache.cxf.security.SecurityContext;
import org.apache.cxf.service.model.BindingOperationInfo;
import org.apache.cxf.service.model.OperationInfo;

/* loaded from: input_file:META-INF/repository/fuse-eap-distro-6.3.0.redhat-329-09.zip:modules/system/layers/fuse/org/apache/cxf/3.1/cxf-core-3.1.5.redhat-630329-09.jar:org/apache/cxf/interceptor/security/OperationInfoAuthorizingInterceptor.class */
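/**
 * Authorizing interceptor that keys its role checks on the name of the invoked
 * service operation, taken from the exchange's {@link BindingOperationInfo}.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>The lookup key is the <em>local part</em> of the operation name only. The
 *       namespace is ignored, so operations that share a local name share the same
 *       role configuration.</li>
 *   <li>{@link #getDenyRoles(String)} returns an empty list here. An operation with
 *       no expected roles (no per-operation entry and empty global roles) is
 *       therefore treated as unprotected: every authenticated caller is authorized,
 *       and anonymous callers are let through when {@code isAllowAnonymousUsers()}
 *       is true.</li>
 *   <li>Every path that does not explicitly authorize the call ends in an
 *       {@link AccessDeniedException} (deny by default).</li>
 * </ul>
 *
 * <p>{@code methodRolesMap}, {@code globalRoles}, {@code isAllowAnonymousUsers()} and
 * {@code isUserInRole(...)} are inherited; their definitions are not part of this file.
 */
public class OperationInfoAuthorizingInterceptor extends SimpleAuthorizingInterceptor {
    private static final Logger LOG = LogUtils.getL7dLogger(OperationInfoAuthorizingInterceptor.class);

    /**
     * Authorizes the current message against the roles configured for its target operation.
     *
     * <p>A missing operation or operation name is rejected up front with
     * {@link AccessDeniedException}. Previously only the authenticated branch checked for
     * a missing name; the anonymous branch dereferenced it and failed with a
     * {@link NullPointerException} instead of a clean denial.
     *
     * @param message the inbound message being processed
     * @throws AccessDeniedException if the operation cannot be identified or the caller
     *         is not authorized for it
     */
    @Override
    public void handleMessage(Message message) throws Fault {
        OperationInfo targetOperationInfo = getTargetOperationInfo(message);
        // Fail closed when the operation cannot be named: without a key there is no
        // role configuration to evaluate, for anonymous and authenticated callers alike.
        if (targetOperationInfo == null || targetOperationInfo.getName() == null) {
            throw new AccessDeniedException("Unauthorized");
        }
        String operationName = targetOperationInfo.getName().getLocalPart();

        SecurityContext securityContext = message.get(SecurityContext.class);
        boolean anonymous = securityContext == null || securityContext.getUserPrincipal() == null;

        boolean permitted;
        if (anonymous) {
            // Anonymous access needs both conditions: the operation has no role
            // constraints AND anonymous users are enabled on this interceptor.
            permitted = !isMethodProtected(operationName) && isAllowAnonymousUsers();
        } else {
            permitted = authorize(securityContext, operationName);
        }
        if (!permitted) {
            throw new AccessDeniedException("Unauthorized");
        }
    }

    /**
     * Decides whether the authenticated caller may invoke the operation identified by {@code str}.
     *
     * <p>With no expected roles, the result depends on the deny roles alone: no deny roles
     * means authorized. With expected roles, the caller must pass
     * {@code isUserInRole(securityContext, expectedRoles, false)}.
     *
     * @param securityContext the caller's security context; the FINE-level log line
     *        dereferences {@code getUserPrincipal()}, so it is expected to be non-null
     *        (guaranteed when called from {@link #handleMessage(Message)})
     * @param str the local part of the operation name used as the role lookup key
     * @return {@code true} if the caller is authorized, {@code false} otherwise
     */
    protected boolean authorize(SecurityContext securityContext, String str) {
        List<String> expectedRoles = getExpectedRoles(str);
        if (expectedRoles.isEmpty()) {
            List<String> denyRoles = getDenyRoles(str);
            // NOTE(review): the meaning of the boolean flag is defined by the inherited
            // isUserInRole; presumably 'true' selects deny-list semantics - confirm in the superclass.
            return denyRoles.isEmpty() || isUserInRole(securityContext, denyRoles, true);
        }
        if (isUserInRole(securityContext, expectedRoles, false)) {
            return true;
        }
        // Denials are only traced at FINE; the principal name is written to the log.
        if (LOG.isLoggable(Level.FINE)) {
            LOG.fine(securityContext.getUserPrincipal().getName() + " is not authorized");
        }
        return false;
    }

    /**
     * Resolves the operation being invoked from the message's exchange.
     *
     * @param message the inbound message
     * @return the {@link OperationInfo} of the exchange's binding operation
     * @throws AccessDeniedException if the exchange carries no binding operation, so an
     *         unidentified call is denied rather than passed through
     */
    protected OperationInfo getTargetOperationInfo(Message message) {
        BindingOperationInfo bindingOperationInfo = message.getExchange().getBindingOperationInfo();
        if (bindingOperationInfo == null) {
            throw new AccessDeniedException("OperationInfo is not available : Unauthorized");
        }
        return bindingOperationInfo.getOperationInfo();
    }

    /**
     * Returns the roles required for the operation, falling back to the global roles
     * when {@code methodRolesMap} has no entry for it.
     *
     * <p>Only a {@code null} lookup falls back. An entry that is present but empty
     * replaces the global roles and leaves the operation without expected roles.
     *
     * @param str the local part of the operation name
     * @return the per-operation role list if one is mapped, otherwise {@code globalRoles}
     */
    protected List<String> getExpectedRoles(String str) {
        List<String> operationRoles = this.methodRolesMap.get(str);
        if (operationRoles == null) {
            return this.globalRoles;
        }
        return operationRoles;
    }

    /**
     * Returns the roles that are denied access to the operation.
     *
     * @param str the local part of the operation name (unused in this implementation)
     * @return always an empty list here; subclasses may override to supply deny roles
     */
    protected List<String> getDenyRoles(String str) {
        return Collections.emptyList();
    }

    /**
     * Reports whether any role constraint applies to the operation.
     *
     * @param str the local part of the operation name
     * @return {@code true} if the operation has at least one expected role or deny role
     */
    protected boolean isMethodProtected(String str) {
        return !(getExpectedRoles(str).isEmpty() && getDenyRoles(str).isEmpty());
    }
}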
