package org.jboss.security.authorization.modules.ejb;

import java.lang.reflect.Method;
import java.security.Principal;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;
import org.jboss.logging.Logger;
import org.jboss.security.RunAs;
import org.jboss.security.RunAsIdentity;
import org.jboss.security.authorization.PolicyRegistration;
import org.jboss.security.authorization.Resource;
import org.jboss.security.authorization.ResourceKeys;
import org.jboss.security.authorization.modules.AuthorizationModuleDelegate;
import org.jboss.security.authorization.resources.EJBResource;
import org.jboss.security.identity.Role;
import org.jboss.security.identity.RoleGroup;
import org.jboss.security.identity.plugins.SimpleRole;
import org.jboss.security.identity.plugins.SimpleRoleGroup;
import org.jboss.security.javaee.SecurityRoleRef;

/* loaded from: input_file:WEB-INF/lib/jbosssx-2.0.4.jar:org/jboss/security/authorization/modules/ejb/EJBPolicyModuleDelegate.class */
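/**
 * Authorization delegate for EJB method invocations.
 *
 * <p>{@link #authorize} copies the invocation context out of the {@link EJBResource} into
 * instance fields and then runs one of two checks:
 * <ul>
 *   <li>{@link #process}: does the caller (or its run-as identity) hold at least one of the
 *       roles declared for the invoked method;</li>
 *   <li>{@link #checkRoleRef}: does the caller hold the role that a security-role-ref resolves
 *       to (the {@code isCallerInRole} style check, selected by
 *       {@link ResourceKeys#ROLEREF_PERM_CHECK}).</li>
 * </ul>
 * Both return {@code 1} for permit and {@code -1} for deny.
 *
 * <p>Not thread-safe: every field below is overwritten by each {@code authorize} call and read
 * by the check that follows, so an instance must not be shared between concurrent callers.
 */
public class EJBPolicyModuleDelegate extends AuthorizationModuleDelegate {
    /** Pseudo-role which, when present in the method's role set, permits every caller. */
    private static final Role ANYBODY_ROLE = new SimpleRole("<ANYBODY>");

    // Per-invocation state populated by authorize().
    protected String ejbName = null;
    protected Method ejbMethod = null;
    protected Principal ejbPrincipal = null;
    // Roles declared for the invoked method; null means no permissions were assigned.
    private RoleGroup methodRoles = null;
    private String methodInterface = null;
    // Run-as identity of the caller, or null when the caller acts as itself.
    protected RunAs callerRunAs = null;
    // Role name being tested in the role-ref check; rewritten to the linked role once resolved.
    protected String roleName = null;
    private Boolean roleRefCheck = Boolean.FALSE;
    protected Set<SecurityRoleRef> securityRoleReferences = null;
    // When true, an unresolvable security-role-ref is an error rather than a trace message.
    protected boolean ejbRestrictions = false;

    public EJBPolicyModuleDelegate() {
        log = Logger.getLogger(getClass());
        // Trace flag is sampled once at construction; later log-level changes are not picked up.
        this.trace = log.isTraceEnabled();
    }

    /**
     * Authorizes an EJB invocation described by {@code resource}.
     *
     * @param resource  must be an {@link EJBResource}; its map supplies the policy registration,
     *                  the role name and the role-ref-check flag
     * @param subject   not used by this delegate
     * @param roleGroup roles of the calling principal (may be null only when the caller has a
     *                  run-as identity; otherwise the checks throw)
     * @return {@code 1} to permit, {@code -1} to deny
     * @throws IllegalArgumentException if {@code resource} is not an {@link EJBResource}
     * @throws IllegalStateException    if the resource carries no map
     */
    @Override // org.jboss.security.authorization.modules.AuthorizationModuleDelegate
    public int authorize(Resource resource, Subject subject, RoleGroup roleGroup) {
        if (!(resource instanceof EJBResource)) {
            throw new IllegalArgumentException("resource is not an EJBResource");
        }
        EJBResource ejbResource = (EJBResource) resource;
        Map<String, Object> map = resource.getMap();
        if (map == null) {
            throw new IllegalStateException("Map from the Resource is null");
        }
        this.policyRegistration = (PolicyRegistration) map.get(ResourceKeys.POLICY_REGISTRATION);
        this.roleName = (String) map.get(ResourceKeys.ROLENAME);
        this.roleRefCheck = (Boolean) map.get(ResourceKeys.ROLEREF_PERM_CHECK);
        this.callerRunAs = ejbResource.getCallerRunAsIdentity();
        this.ejbMethod = ejbResource.getEjbMethod();
        this.ejbName = ejbResource.getEjbName();
        this.ejbPrincipal = ejbResource.getPrincipal();
        this.methodInterface = ejbResource.getEjbMethodInterface();
        this.methodRoles = ejbResource.getEjbMethodRoles();
        this.securityRoleReferences = ejbResource.getSecurityRoleReferences();
        this.ejbRestrictions = ejbResource.isEnforceEJBRestrictions();
        // equals() rather than '== Boolean.TRUE': the map holds an arbitrary Boolean object, so an
        // identity comparison would route a non-canonical TRUE to the method-permission check;
        // equals() also tolerates a missing (null) entry.
        return Boolean.TRUE.equals(this.roleRefCheck) ? checkRoleRef(roleGroup) : process(roleGroup);
    }

    /**
     * Method-permission check: the caller, or its run-as identity, must hold at least one of the
     * roles declared for the invoked method. A method with no declared roles is denied; a method
     * declaring {@code <ANYBODY>} is permitted for everyone.
     *
     * @param roleGroup roles of the calling principal
     * @return {@code 1} to permit, {@code -1} to deny
     * @throws IllegalStateException if the method is missing, or if {@code roleGroup} is null
     *                               while no run-as identity is in effect
     */
    private int process(RoleGroup roleGroup) {
        if (this.methodRoles == null) {
            requireEjbMethod();
            traceDeny("No method permissions assigned to method=" + this.ejbMethod.getName() + ", interface=" + this.methodInterface);
            return -1;
        }
        if (this.trace) {
            log.trace("method=" + this.ejbMethod + ", interface=" + this.methodInterface + ", requiredRoles=" + this.methodRoles);
        }
        if (this.methodRoles.containsAll(ANYBODY_ROLE)) {
            return 1;
        }
        boolean permitted;
        if (this.callerRunAs == null) {
            permitted = callerHasRequiredRole(roleGroup);
        } else if (this.callerRunAs instanceof RunAsIdentity) {
            permitted = runAsHasRequiredRole((RunAsIdentity) this.callerRunAs);
        } else {
            // NOTE(review): preserved from the original — a non-null callerRunAs that is not a
            // RunAsIdentity is never compared against methodRoles and is permitted, whereas
            // checkRoleRef() denies the same case. Confirm that this fail-open is intended.
            permitted = true;
        }
        return permitted ? 1 : -1;
    }

    /** Checks the calling principal's own roles against the method's roles. */
    private boolean callerHasRequiredRole(RoleGroup roleGroup) {
        if (roleGroup == null) {
            throw new IllegalStateException("Principal Role is null");
        }
        if (this.methodRoles.containsAtleastOneRole(roleGroup)) {
            return true;
        }
        requireEjbMethod();
        traceDeny("Insufficient method permissions, principal=" + this.ejbPrincipal + ", ejbName=" + this.ejbName + ", method=" + this.ejbMethod.getName() + ", interface=" + this.methodInterface + ", requiredRoles=" + this.methodRoles + ", principalRoles=" + roleGroup);
        return false;
    }

    /** Checks the run-as identity's roles against the method's roles. */
    private boolean runAsHasRequiredRole(RunAsIdentity runAsIdentity) {
        SimpleRoleGroup runAsRoles = new SimpleRoleGroup(runAsIdentity.getRunAsRoles());
        if (runAsRoles.containsAtleastOneRole(this.methodRoles)) {
            return true;
        }
        // The original dereferenced ejbMethod here without the null check the caller branch has,
        // so a missing method surfaced as a NullPointerException; fail the same way in both paths.
        requireEjbMethod();
        traceDeny("Insufficient method permissions, principal=" + this.ejbPrincipal + ", ejbName=" + this.ejbName + ", method=" + this.ejbMethod.getName() + ", interface=" + this.methodInterface + ", requiredRoles=" + this.methodRoles + ", runAsRoles=" + runAsIdentity.getRunAsRoles());
        return false;
    }

    /** Fails with the original message when no EJB method was supplied on the resource. */
    private void requireEjbMethod() {
        if (this.ejbMethod == null) {
            throw new IllegalStateException("ejbMethod is null");
        }
    }

    /** Logs the reason for a denial at trace level, keeping the original "Exception:" prefix. */
    private void traceDeny(String reason) {
        if (this.trace) {
            log.trace("Exception:" + reason);
        }
    }

    /**
     * Role-reference check: resolves {@link #roleName} through the bean's security-role-refs to
     * the linked role and tests whether the caller (or its run-as identity) holds it. Denied when
     * neither a principal nor a run-as identity is present.
     *
     * @param roleGroup roles of the calling principal
     * @return {@code 1} if the caller holds the resolved role, {@code -1} otherwise
     * @throws RuntimeException      if the reference is unresolvable and EJB restrictions are
     *                               enforced
     * @throws IllegalStateException if {@code roleGroup} is null while no run-as identity is in
     *                               effect
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public int checkRoleRef(RoleGroup roleGroup) {
        if (this.ejbPrincipal == null && this.callerRunAs == null) {
            if (this.trace) {
                log.trace("ejbPrincipal = null,callerRunAsIdentity = null => DENY");
            }
            return -1;
        }
        // Resolve the reference to the role it links to. A null reference set is treated as empty
        // (the original threw NullPointerException on it).
        boolean matched = false;
        if (this.securityRoleReferences != null) {
            for (SecurityRoleRef ref : this.securityRoleReferences) {
                if (this.roleName != null && this.roleName.equals(ref.getName())) {
                    this.roleName = ref.getLink();
                    matched = true;
                    break;
                }
            }
        }
        if (!matched) {
            if (this.ejbRestrictions) {
                throw new RuntimeException("No matching role found in the deployment descriptor for " + this.roleName);
            }
            log.trace("no match found for security role " + this.roleName + " in the deployment descriptor for ejb " + this.ejbName);
        }
        SimpleRole requestedRole = new SimpleRole(this.roleName);
        boolean permitted = false;
        if (this.callerRunAs == null) {
            if (roleGroup == null) {
                throw new IllegalStateException("Principal Role is null");
            }
            permitted = roleGroup.containsRole(requestedRole);
        } else if (this.callerRunAs instanceof RunAsIdentity) {
            permitted = new SimpleRoleGroup(((RunAsIdentity) this.callerRunAs).getRunAsRoles()).containsRole(requestedRole);
        }
        // Any other RunAs implementation leaves permitted=false: deny.
        return permitted ? 1 : -1;
    }
}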
