package org.jboss.ejb3.security;

import java.lang.reflect.Method;
import java.security.CodeSource;
import java.security.Principal;
import java.util.HashSet;
import java.util.Set;
import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ejb.EJBAccessException;
import org.jboss.aop.advice.Interceptor;
import org.jboss.aop.joinpoint.Invocation;
import org.jboss.aop.joinpoint.MethodInvocation;
import org.jboss.ejb3.Container;
import org.jboss.ejb3.EJBContainer;
import org.jboss.ejb3.annotation.SecurityDomain;
import org.jboss.logging.Logger;
import org.jboss.metadata.QueryMetaData;
import org.jboss.metadata.ejb.jboss.JBossAssemblyDescriptorMetaData;
import org.jboss.remoting.InvokerLocator;
import org.jboss.security.AnybodyPrincipal;
import org.jboss.security.NobodyPrincipal;
import org.jboss.security.SecurityContext;
import org.jboss.security.SecurityRolesAssociation;
import org.jboss.security.SimplePrincipal;
import org.jboss.security.identity.plugins.SimpleRoleGroup;
import org.jboss.security.javaee.SecurityHelperFactory;

/* loaded from: input_file:jboss-ejb3-core.jar:org/jboss/ejb3/security/RoleBasedAuthorizationInterceptorv2.class */
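/**
 * EJB3 interceptor that enforces method-level role-based authorization
 * ({@link DenyAll}, {@link PermitAll}, {@link RolesAllowed}) through the
 * JBoss EJB authorization helper.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>Timer callbacks (EJB timeout methods) and message-driven beans are
 *       never authorized here; the invocation is passed straight through.</li>
 *   <li>If the bean carries no non-empty {@link SecurityDomain}, NO
 *       authorization is performed at all, even if {@code @RolesAllowed} or
 *       {@code @DenyAll} are present. Operators must therefore ensure every
 *       secured bean has a security domain.</li>
 *   <li>Any {@link SecurityException} raised while authorizing or while running
 *       the rest of the chain is converted into an
 *       {@link EJBAccessException} (with the original only logged at debug
 *       level) so callers cannot distinguish the failure cause.</li>
 *   <li>An authorization denial is reported as an {@link EJBAccessException}
 *       ("Caller unauthorized"); a failure inside the authorization helper
 *       itself is reported as a {@link RuntimeException} wrapping the cause.</li>
 * </ul>
 *
 * <p>NOTE(review): the JACC context id and the principal-to-roles map are set
 * on what appear to be thread-local holders ({@code SecurityActions.setContextID},
 * {@code SecurityRolesAssociation.setSecurityRoles}) and are not cleared by this
 * interceptor — confirm that the surrounding container code resets them so state
 * does not leak to the next request on a pooled thread.
 */
public final class RoleBasedAuthorizationInterceptorv2 implements Interceptor {
    private static final Logger log = Logger.getLogger(RoleBasedAuthorizationInterceptorv2.class);

    /** Container of the bean being protected; source of annotations and metadata. */
    private final EJBContainer container;
    /** Code source of the bean, passed to the authorization helper (JACC). */
    private final CodeSource ejbCS;
    /** Logical EJB name, passed to the authorization helper. */
    private final String ejbName;

    /**
     * @param container  the bean's container (must be an {@link EJBContainer})
     * @param codeSource the bean's code source
     * @param ejbName    the bean's EJB name
     * @throws ClassCastException if {@code container} is not an {@link EJBContainer}
     */
    public RoleBasedAuthorizationInterceptorv2(Container container, CodeSource codeSource, String ejbName) {
        this.container = (EJBContainer) container;
        this.ejbCS = codeSource;
        this.ejbName = ejbName;
    }

    /**
     * Resolves the set of role principals permitted to call the invoked method.
     *
     * <p>The method-level annotation wins; otherwise the class-level annotations
     * are consulted in the fixed order {@code DenyAll}, {@code PermitAll},
     * {@code RolesAllowed}, and the first one found is used. No annotation at
     * all (or {@code PermitAll}) yields the "anybody" principal, i.e. open
     * access; {@code DenyAll} yields the "nobody" principal.
     *
     * @param invocation the current method invocation
     * @return a non-null, possibly single-element set of role principals
     */
    protected Set<Principal> getRoleSet(Invocation invocation) {
        // Raw Class[] kept: the container API is not visible here and is called with a raw array.
        Class[] candidates = {DenyAll.class, PermitAll.class, RolesAllowed.class};
        Method actualMethod = ((MethodInvocation) invocation).getActualMethod();

        Object annotation = this.container.resolveAnnotation(actualMethod, candidates);
        // Fall back to the class-level annotations, first match in array order wins.
        for (int i = 0; annotation == null && i < candidates.length; i++) {
            annotation = this.container.resolveAnnotation(candidates[i]);
        }

        Set<Principal> roles = new HashSet<Principal>();
        if (annotation instanceof DenyAll) {
            roles.add(NobodyPrincipal.NOBODY_PRINCIPAL);
        } else if (annotation instanceof RolesAllowed) {
            for (String role : ((RolesAllowed) annotation).value()) {
                roles.add(new SimplePrincipal(role));
            }
        } else {
            // null, PermitAll, or an unexpected type: permit any caller.
            roles.add(AnybodyPrincipal.ANYBODY_PRINCIPAL);
        }
        return roles;
    }

    /**
     * Authorizes the invocation (unless it is a timer callback or an MDB
     * delivery) and then continues the interceptor chain.
     *
     * @param invocation the current invocation; must be a {@link MethodInvocation}
     * @return the result of the rest of the chain
     * @throws EJBAccessException    if the caller is not authorized, or if any
     *                               {@link SecurityException} escapes authorization
     *                               or the remaining chain
     * @throws IllegalStateException if a security domain is configured but no
     *                               security context is associated with the thread
     * @throws RuntimeException      wrapping any exception thrown by the
     *                               authorization helper itself
     * @throws Throwable             anything else thrown by the remaining chain
     */
    public Object invoke(Invocation invocation) throws Throwable {
        String jaccContextId = this.container.getJaccContextId();
        SecurityActions.setContextID(jaccContextId);

        MethodInvocation methodInvocation = (MethodInvocation) invocation;
        SecurityHelper securityHelper = new SecurityHelper();
        Method method = methodInvocation.getMethod();

        // Container-initiated invocations (timeouts, MDB deliveries) have no caller to check.
        if (securityHelper.isEJBTimeOutCallback(method)
                || securityHelper.containsTimeoutAnnotation(this.container, method)
                || securityHelper.isMDB(this.container)) {
            return invocation.invokeNext();
        }

        try {
            if (hasSecurityDomain()) {
                authorizeCaller(methodInvocation, jaccContextId);
            }
            // Note: a SecurityException thrown further down the chain is also mapped below.
            return invocation.invokeNext();
        } catch (SecurityException e) {
            // Deliberately hide the cause from the caller; details only at debug level.
            log.debug("Authorization failure", e);
            throw new EJBAccessException("Authorization failure");
        }
    }

    /** True when the bean declares a {@link SecurityDomain} with a non-empty value. */
    private boolean hasSecurityDomain() {
        SecurityDomain domain = this.container.getAnnotation(SecurityDomain.class);
        return domain != null && domain.value() != null && domain.value().length() > 0;
    }

    /**
     * Runs the EJB authorization helper for the current caller and method.
     *
     * <p>Fix: the authorization verdict is evaluated outside the helper's
     * {@code catch (Exception)} so a denial surfaces as a plain
     * {@link EJBAccessException}; previously the same catch re-wrapped it in a
     * generic {@link RuntimeException}, which callers could not recognise.
     *
     * @throws IllegalStateException if no security context is set on the thread
     * @throws SecurityException     if no role set could be determined
     * @throws EJBAccessException    if the helper denies access
     * @throws RuntimeException      wrapping any exception thrown by the helper
     */
    private void authorizeCaller(MethodInvocation methodInvocation, String jaccContextId) {
        SecurityContext securityContext = SecurityActions.getSecurityContext();
        if (securityContext == null) {
            throw new IllegalStateException("Security Context has not been set");
        }

        Set<Principal> roleSet = getRoleSet(methodInvocation);
        if (roleSet == null) {
            log.error("No method permissions assigned.");
            throw new SecurityException("No method permissions assigned.");
        }

        // Publish the deployment's principal->roles mapping for the helper to consult.
        JBossAssemblyDescriptorMetaData assemblyDescriptor = this.container.getAssemblyDescriptor();
        if (assemblyDescriptor != null) {
            SecurityRolesAssociation.setSecurityRoles(assemblyDescriptor.getPrincipalVersusRolesMap());
        }

        // Presence of a remoting locator marks the call as coming through the remote interface.
        InvokerLocator locator = (InvokerLocator) methodInvocation.getMetaData("REMOTING", "INVOKER_LOCATOR");

        boolean authorized;
        try {
            authorized = SecurityHelperFactory.getEJBAuthorizationHelper(securityContext).authorize(
                    this.ejbName,
                    methodInvocation.getMethod(),
                    securityContext.getUtil().getUserPrincipal(),
                    locator != null ? QueryMetaData.REMOTE : QueryMetaData.LOCAL,
                    this.ejbCS,
                    securityContext.getUtil().getSubject(),
                    SecurityActions.peekRunAs(),
                    jaccContextId,
                    new SimpleRoleGroup(roleSet));
        } catch (Exception e) {
            // Helper failure (not a denial): preserve the cause.
            throw new RuntimeException(e);
        }

        if (!authorized) {
            throw new EJBAccessException("Caller unauthorized");
        }
    }

    /** @return the fully-qualified class name, used as the interceptor name. */
    public String getName() {
        return getClass().getName();
    }
}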
