package org.switchyard.handlers;

import java.util.Iterator;
import java.util.concurrent.atomic.AtomicInteger;
import org.jboss.logging.Logger;
import org.switchyard.BaseHandler;
import org.switchyard.Exchange;
import org.switchyard.SecurityFailureException;
import org.switchyard.ServiceDomain;
import org.switchyard.ServiceSecurity;
import org.switchyard.policy.PolicyUtil;
import org.switchyard.policy.SecurityPolicy;
import org.switchyard.security.SecurityMetadata;
import org.switchyard.security.SecurityServices;
import org.switchyard.security.context.SecurityContext;
import org.switchyard.security.context.SecurityContextManager;
import org.switchyard.security.credential.ConfidentialityCredential;
import org.switchyard.security.credential.PrincipalCredential;
import org.switchyard.security.provider.SecurityProvider;

/* loaded from: input_file:META-INF/repository/fuse-eap-distro-6.3.0.redhat-371-04.zip:modules/system/layers/soa/org/switchyard/runtime/main/switchyard-runtime-2.1.0.redhat-630371-04.jar:org/switchyard/handlers/SecurityHandler.class */
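/**
 * Exchange handler that establishes ({@link SecurityAction#PROCESS}) or tears down
 * ({@link SecurityAction#CLEANUP}) the {@link SecurityContext} of an exchange whose
 * service carries {@link ServiceSecurity} metadata. Exchanges without such metadata
 * are passed through untouched.
 * <p>
 * PROCESS checks the CONFIDENTIALITY, CLIENT_AUTHENTICATION and AUTHORIZATION
 * {@link SecurityPolicy} requirements of the exchange against the credentials in the
 * context (and, for authentication/authorization, the {@link SecurityProvider}),
 * marks each policy it can satisfy as provided on the exchange, and stores the
 * context back. CLEANUP detaches the context once the outermost nested invocation
 * on the current thread has finished; {@link #handleFault(Exchange)} performs the
 * same cleanup on the fault path.
 * <p>
 * Nesting depth is tracked per thread in an {@link InheritableThreadLocal}, so a
 * thread spawned while a counter is present inherits the same {@link AtomicInteger}
 * instance (the default {@code childValue} of InheritableThreadLocal).
 */
public class SecurityHandler extends BaseHandler {
    private static final Logger LOGGER = Logger.getLogger((Class<?>) SecurityHandler.class);

    // Depth of nested process() calls on the current thread. Created lazily on first
    // access; cleanup() resets it to zero when the outermost invocation unwinds.
    private static final ThreadLocal<AtomicInteger> PROCESS_COUNT = new InheritableThreadLocal<AtomicInteger>() {
        @Override
        protected AtomicInteger initialValue() {
            return new AtomicInteger(0);
        }
    };

    private final SecurityContextManager _securityContextManager;
    // Provider is resolved once at construction from SecurityServices.
    private final SecurityProvider _securityProvider = SecurityServices.getSecurityProvider();
    private final SecurityAction _securityAction;

    /** Which half of the security lifecycle an instance of this handler performs. */
    public enum SecurityAction {
        /** Authenticate/authorize and attach the security context. */
        PROCESS,
        /** Detach the security context once processing has unwound. */
        CLEANUP
    }

    /**
     * Creates a handler bound to a domain and a fixed action.
     *
     * @param serviceDomain the domain whose {@link SecurityContextManager} stores contexts
     * @param securityAction the action this instance performs on every exchange
     */
    public SecurityHandler(ServiceDomain serviceDomain, SecurityAction securityAction) {
        _securityContextManager = new SecurityContextManager(serviceDomain);
        _securityAction = securityAction;
    }

    /**
     * Dispatches to {@link #process} or {@link #cleanup} according to the configured
     * action; does nothing when the exchange's service has no security metadata.
     *
     * @param exchange the exchange being handled
     * @throws SecurityFailureException propagated from the security provider during PROCESS
     */
    @Override // org.switchyard.BaseHandler, org.switchyard.ExchangeHandler
    public void handleMessage(Exchange exchange) throws SecurityFailureException {
        ServiceSecurity serviceSecurity = SecurityMetadata.getServiceSecurity(exchange);
        if (serviceSecurity == null) {
            // Unsecured service: nothing to establish or tear down.
            return;
        }
        switch (_securityAction) {
            case PROCESS:
                process(exchange, serviceSecurity);
                break;
            case CLEANUP:
                cleanup(exchange, serviceSecurity);
                break;
            default:
                break;
        }
    }

    /**
     * Runs cleanup on the fault path regardless of the configured action, so a context
     * attached by {@link #process} is still detached when the exchange faults.
     * Cleanup failures are logged rather than rethrown; the fault path must not fail.
     *
     * @param exchange the faulted exchange
     */
    @Override // org.switchyard.BaseHandler, org.switchyard.ExchangeHandler
    public void handleFault(Exchange exchange) {
        ServiceSecurity serviceSecurity = SecurityMetadata.getServiceSecurity(exchange);
        if (serviceSecurity == null) {
            return;
        }
        try {
            cleanup(exchange, serviceSecurity);
        } catch (Exception e) {
            LOGGER.error(e);
        }
    }

    /**
     * Establishes the security context for the exchange: records one more nesting
     * level, satisfies whichever required-but-unprovided policies can be verified,
     * populates the context through the provider when the client is authenticated,
     * and stores the (possibly updated) context on the exchange.
     *
     * @param exchange the exchange being processed
     * @param serviceSecurity security metadata of the target service
     * @throws SecurityFailureException if the provider rejects authentication
     */
    private void process(Exchange exchange, ServiceSecurity serviceSecurity) throws SecurityFailureException {
        processCount().incrementAndGet();
        SecurityContext context = _securityContextManager.getContext(exchange);

        // CONFIDENTIALITY is satisfied by any confidential credential already in the context.
        if (isUnsatisfied(exchange, SecurityPolicy.CONFIDENTIALITY) && isConfidentialityProvided(context)) {
            PolicyUtil.provide(exchange, SecurityPolicy.CONFIDENTIALITY);
        }

        // CLIENT_AUTHENTICATION: not required (or already provided) counts as authenticated;
        // otherwise a trusted principal credential satisfies it, and as a last resort the
        // provider is asked to authenticate the context.
        boolean authenticated = false;
        if (!isUnsatisfied(exchange, SecurityPolicy.CLIENT_AUTHENTICATION)) {
            authenticated = true;
        } else if (isClientAuthenticationProvided(context)) {
            PolicyUtil.provide(exchange, SecurityPolicy.CLIENT_AUTHENTICATION);
            authenticated = true;
        } else if (_securityProvider.authenticate(serviceSecurity, context)) {
            PolicyUtil.provide(exchange, SecurityPolicy.CLIENT_AUTHENTICATION);
            authenticated = true;
        }
        if (authenticated) {
            _securityProvider.populate(serviceSecurity, context);
        }

        // AUTHORIZATION is consulted even when authentication was not established above;
        // in that case the policy is simply left unprovided here — enforcement of
        // required-but-unprovided policies presumably happens in a later handler.
        if (isUnsatisfied(exchange, SecurityPolicy.AUTHORIZATION) && isAuthorizationProvided(serviceSecurity, context)) {
            PolicyUtil.provide(exchange, SecurityPolicy.AUTHORIZATION);
        }

        _securityContextManager.setContext(exchange, context);
    }

    /**
     * Unwinds one nesting level; the outermost cleanup on this thread detaches the
     * context from the exchange.
     *
     * @param exchange the exchange whose context may be cleared
     * @param serviceSecurity security metadata of the target service (unused here,
     *        kept for symmetry with {@link #process})
     */
    private void cleanup(Exchange exchange, ServiceSecurity serviceSecurity) {
        if (processCount().decrementAndGet() < 1) {
            _securityContextManager.setContext(exchange, null);
            // Clamp at zero: a cleanup without a matching process() (e.g. fault before
            // processing) would otherwise leave a negative count for later exchanges.
            processCount().set(0);
        }
    }

    /** True when the policy is required on the exchange but not yet marked provided. */
    private static boolean isUnsatisfied(Exchange exchange, SecurityPolicy policy) {
        return PolicyUtil.isRequired(exchange, policy) && !PolicyUtil.isProvided(exchange, policy);
    }

    /** True if any {@link ConfidentialityCredential} in the context reports itself confidential. */
    private boolean isConfidentialityProvided(SecurityContext securityContext) {
        for (ConfidentialityCredential credential : securityContext.getCredentials(ConfidentialityCredential.class)) {
            if (credential.isConfidential()) {
                return true;
            }
        }
        return false;
    }

    /** True if the context holds a {@link PrincipalCredential} with a non-null, trusted principal. */
    private boolean isClientAuthenticationProvided(SecurityContext securityContext) {
        for (PrincipalCredential principalCredential : securityContext.getCredentials(PrincipalCredential.class)) {
            if (principalCredential.getPrincipal() != null && principalCredential.isTrusted()) {
                return true;
            }
        }
        return false;
    }

    /** Delegates the role check to the provider. */
    private boolean isAuthorizationProvided(ServiceSecurity serviceSecurity, SecurityContext securityContext) {
        return _securityProvider.checkRolesAllowed(serviceSecurity, securityContext);
    }

    /**
     * Returns the current thread's nesting counter, creating it on first access.
     * ThreadLocal access is confined to the calling thread, so no lock is needed.
     */
    private static AtomicInteger processCount() {
        return PROCESS_COUNT.get();
    }
}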
