package org.jboss.seam.faces.security;

import java.lang.annotation.Annotation;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.enterprise.event.Event;
import javax.enterprise.event.Observes;
import javax.enterprise.inject.spi.BeanManager;
import javax.faces.component.UIViewRoot;
import javax.faces.context.FacesContext;
import javax.faces.event.PhaseEvent;
import javax.inject.Inject;
import org.jboss.seam.faces.event.PhaseIdType;
import org.jboss.seam.faces.event.PostLoginEvent;
import org.jboss.seam.faces.event.PreLoginEvent;
import org.jboss.seam.faces.event.PreNavigateEvent;
import org.jboss.seam.faces.event.qualifier.After;
import org.jboss.seam.faces.event.qualifier.ApplyRequestValues;
import org.jboss.seam.faces.event.qualifier.Before;
import org.jboss.seam.faces.event.qualifier.InvokeApplication;
import org.jboss.seam.faces.event.qualifier.ProcessValidations;
import org.jboss.seam.faces.event.qualifier.RenderResponse;
import org.jboss.seam.faces.event.qualifier.RestoreView;
import org.jboss.seam.faces.event.qualifier.UpdateModelValues;
import org.jboss.seam.faces.view.config.ViewConfigStore;
import org.jboss.seam.security.Identity;
import org.jboss.seam.security.annotations.SecurityBindingType;
import org.jboss.seam.security.events.AuthorizationCheckEvent;
import org.jboss.seam.security.events.NotAuthorizedEvent;
import org.jboss.solder.core.Requires;
import org.jboss.solder.logging.Logger;
import org.jboss.solder.reflection.AnnotationInspector;

@Requires({"org.jboss.seam.security.SecurityExtension"})
/* loaded from: input_file:WEB-INF/lib/seam-faces-3.1.0.Beta5.jar:org/jboss/seam/faces/security/SecurityPhaseListener.class */
public class SecurityPhaseListener {
    private final transient Logger log = Logger.getLogger((Class<?>) SecurityPhaseListener.class);

    @Inject
    private ViewConfigStore viewConfigStore;

    @Inject
    private Event<AuthorizationCheckEvent> authorizationCheckEvent;

    @Inject
    private Event<PreLoginEvent> preLoginEvent;

    @Inject
    private Event<PostLoginEvent> postLoginEvent;

    @Inject
    private Event<NotAuthorizedEvent> notAuthorizedEventEvent;

    @Inject
    private BeanManager beanManager;

    @Inject
    private Identity identity;

    public void observeRestoreView(@Observes @After @RestoreView PhaseEvent phaseEvent) {
        this.log.debug("After Restore View event");
        performObservation(phaseEvent, PhaseIdType.RESTORE_VIEW);
    }

    public void observeApplyRequestValues(@Observes @ApplyRequestValues @Before PhaseEvent phaseEvent) {
        this.log.debug("After Apply Request Values event");
        performObservation(phaseEvent, PhaseIdType.APPLY_REQUEST_VALUES);
    }

    public void observeProcessValidations(@Observes @Before @ProcessValidations PhaseEvent phaseEvent) {
        this.log.debug("After Process Validations event");
        performObservation(phaseEvent, PhaseIdType.PROCESS_VALIDATIONS);
    }

    public void observeUpdateModelValues(@Observes @Before @UpdateModelValues PhaseEvent phaseEvent) {
        this.log.debug("After Update Model Values event");
        performObservation(phaseEvent, PhaseIdType.UPDATE_MODEL_VALUES);
    }

    public void observeInvokeApplication(@Observes @InvokeApplication @Before PhaseEvent phaseEvent) {
        this.log.debug("Before Render Response event");
        performObservation(phaseEvent, PhaseIdType.INVOKE_APPLICATION);
    }

    public void observeRenderResponse(@Observes @Before @RenderResponse PhaseEvent phaseEvent) {
        this.log.debug("Before Render Response event");
        performObservation(phaseEvent, PhaseIdType.RENDER_RESPONSE);
    }

    private void performObservation(PhaseEvent phaseEvent, PhaseIdType phaseIdType) {
        UIViewRoot viewRoot = phaseEvent.getFacesContext().getViewRoot();
        List<? extends Annotation> restrictionsForPhase = getRestrictionsForPhase(phaseIdType, viewRoot.getViewId());
        if (restrictionsForPhase != null) {
            this.log.debugf("Enforcing on phase %s", phaseIdType);
            enforce(phaseEvent.getFacesContext(), viewRoot, restrictionsForPhase);
        }
    }

    public List<? extends Annotation> getRestrictionsForPhase(PhaseIdType phaseIdType, String str) {
        ArrayList arrayList = null;
        for (Annotation annotation : this.viewConfigStore.getAllQualifierData(str, SecurityBindingType.class)) {
            if (isAnnotationApplicableToPhase(annotation, phaseIdType, getDefaultPhases(str))) {
                if (arrayList == null) {
                    arrayList = new ArrayList();
                }
                arrayList.add(annotation);
            }
        }
        return arrayList;
    }

    public boolean isAnnotationApplicableToPhase(Annotation annotation, PhaseIdType phaseIdType, PhaseIdType[] phaseIdTypeArr) {
        Method restrictAtViewMethod = getRestrictAtViewMethod(annotation);
        PhaseIdType[] phaseIdTypeArr2 = null;
        if (restrictAtViewMethod != null) {
            this.log.warnf("Annotation %s is using the restrictAtViewMethod. Use a @RestrictAtPhase qualifier on the annotation instead.", new Object[0]);
            phaseIdTypeArr2 = getRestrictedPhaseIds(restrictAtViewMethod, annotation);
        }
        RestrictAtPhase restrictAtPhase = (RestrictAtPhase) AnnotationInspector.getAnnotation(annotation.annotationType(), RestrictAtPhase.class, this.beanManager);
        if (restrictAtPhase != null) {
            this.log.debug("Using Phases found in @RestrictAtView qualifier on the annotation.");
            phaseIdTypeArr2 = restrictAtPhase.value();
        }
        if (phaseIdTypeArr2 == null) {
            this.log.debug("Falling back on default phase ids");
            phaseIdTypeArr2 = phaseIdTypeArr;
        }
        return Arrays.binarySearch(phaseIdTypeArr2, phaseIdType) >= 0;
    }

    public PhaseIdType[] getDefaultPhases(String str) {
        PhaseIdType[] phaseIdTypeArr = null;
        RestrictAtPhase restrictAtPhase = (RestrictAtPhase) this.viewConfigStore.getAnnotationData(str, RestrictAtPhase.class);
        if (restrictAtPhase != null) {
            phaseIdTypeArr = restrictAtPhase.value();
        }
        if (phaseIdTypeArr == null) {
            phaseIdTypeArr = RestrictAtPhaseDefault.DEFAULT_PHASES;
        }
        return phaseIdTypeArr;
    }

    public Method getRestrictAtViewMethod(Annotation annotation) {
        Method method;
        try {
            method = annotation.annotationType().getDeclaredMethod("restrictAtPhase", new Class[0]);
        } catch (NoSuchMethodException e) {
            method = null;
        } catch (SecurityException e2) {
            throw new IllegalArgumentException("restrictAtView method must be accessible", e2);
        }
        return method;
    }

    public PhaseIdType[] getRestrictedPhaseIds(Method method, Annotation annotation) {
        try {
            return (PhaseIdType[]) method.invoke(annotation, new Object[0]);
        } catch (IllegalAccessException e) {
            throw new IllegalArgumentException("restrictAtView method must be accessible", e);
        } catch (InvocationTargetException e2) {
            throw new RuntimeException(e2);
        }
    }

    private void enforce(FacesContext facesContext, UIViewRoot uIViewRoot, List<? extends Annotation> list) {
        if (list == null || list.isEmpty()) {
            this.log.debug("Annotations is null/empty");
            return;
        }
        AuthorizationCheckEvent authorizationCheckEvent = new AuthorizationCheckEvent(list);
        this.authorizationCheckEvent.fire(authorizationCheckEvent);
        if (authorizationCheckEvent.isPassed()) {
            this.log.debug("Access granted");
            return;
        }
        if (!this.identity.isLoggedIn()) {
            this.log.debug("Access denied - not logged in");
            redirectToLoginPage(facesContext, uIViewRoot);
        } else {
            this.log.debug("Access denied - not authorized");
            this.notAuthorizedEventEvent.fire(new NotAuthorizedEvent());
            redirectToAccessDeniedView(facesContext, uIViewRoot);
        }
    }

    private void redirectToLoginPage(FacesContext facesContext, UIViewRoot uIViewRoot) {
        this.preLoginEvent.fire(new PreLoginEvent(facesContext, facesContext.getExternalContext().getSessionMap()));
        LoginView loginView = (LoginView) this.viewConfigStore.getAnnotationData(uIViewRoot.getViewId(), LoginView.class);
        if (loginView == null || loginView.value() == null || loginView.value().isEmpty()) {
            this.log.debug("Returning 401 response (login required)");
            facesContext.getExternalContext().setResponseStatus(401);
            facesContext.responseComplete();
        } else {
            String value = loginView.value();
            this.log.debugf("Redirecting to configured LoginView %s", value);
            facesContext.getApplication().getNavigationHandler().handleNavigation(facesContext, "", value);
            facesContext.renderResponse();
        }
    }

    private void redirectToAccessDeniedView(FacesContext facesContext, UIViewRoot uIViewRoot) {
        if (facesContext.getResponseComplete() || facesContext.getRenderResponse()) {
            return;
        }
        AccessDeniedView accessDeniedView = (AccessDeniedView) this.viewConfigStore.getAnnotationData(uIViewRoot.getViewId(), AccessDeniedView.class);
        if (accessDeniedView == null || accessDeniedView.value() == null || accessDeniedView.value().isEmpty()) {
            this.log.warn("No AccessDeniedView is configured, returning 401 response (access denied). Please configure an AccessDeniedView in the ViewConfig.");
            facesContext.getExternalContext().setResponseStatus(401);
            facesContext.responseComplete();
        } else {
            String value = accessDeniedView.value();
            this.log.debugf("Redirecting to configured AccessDenied %s", value);
            facesContext.getApplication().getNavigationHandler().handleNavigation(facesContext, "", value);
            facesContext.renderResponse();
        }
    }

    public void observePreNavigateEvent(@Observes PreNavigateEvent preNavigateEvent) {
        this.log.debugf("PreNavigateEvent observed %s, %s", preNavigateEvent.getOutcome(), preNavigateEvent.getFromAction());
        if (Identity.RESPONSE_LOGIN_SUCCESS.equals(preNavigateEvent.getOutcome()) && "#{identity.login}".equals(preNavigateEvent.getFromAction())) {
            FacesContext context = preNavigateEvent.getContext();
            this.postLoginEvent.fire(new PostLoginEvent(context, context.getExternalContext().getSessionMap()));
        }
    }
}
