package org.jboss.ws.extensions.security.operation;

import java.security.Principal;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.security.auth.Subject;
import org.jboss.logging.Logger;
import org.jboss.security.AuthenticationManager;
import org.jboss.security.RealmMapping;
import org.jboss.security.SimplePrincipal;
import org.jboss.ws.WSException;
import org.jboss.ws.extensions.security.exception.FailedAuthenticationException;
import org.jboss.ws.extensions.security.exception.WSSecurityException;
import org.jboss.ws.metadata.wsse.Authorize;
import org.jboss.ws.metadata.wsse.Role;
import org.jboss.wsf.spi.SPIProviderResolver;
import org.jboss.wsf.spi.invocation.SecurityAdaptor;
import org.jboss.wsf.spi.invocation.SecurityAdaptorFactory;

/* loaded from: input_file:org/jboss/ws/extensions/security/operation/AuthorizeOperation.class */
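/**
 * Authenticates the caller of a web-service invocation and then checks it against the
 * roles configured in an {@link Authorize} element.
 *
 * <p>The security manager is looked up from JNDI under
 * {@code java:comp/env/security/securityMgr}. The same object is used both as the
 * {@link AuthenticationManager} and, through a cast, as the {@link RealmMapping}.
 */
public class AuthorizeOperation {
    private static final Logger log = Logger.getLogger(AuthorizeOperation.class);

    private final Authorize authorize;
    private final AuthenticationManager am;
    private final RealmMapping rm;
    private final SecurityAdaptorFactory secAdapterfactory;

    /**
     * Creates the operation and resolves the security manager and the security adaptor factory.
     *
     * @param authorize the authorization configuration (unchecked flag and required roles)
     * @throws WSException if the JNDI lookup of the security manager fails
     */
    public AuthorizeOperation(Authorize authorize) {
        this.authorize = authorize;
        try {
            this.am = (AuthenticationManager) new InitialContext().lookup("java:comp/env/security/securityMgr");
            // The looked-up manager must also implement RealmMapping. If it does not, this cast
            // throws a ClassCastException, which the NamingException handler does not catch.
            this.rm = (RealmMapping) this.am;
            this.secAdapterfactory = SPIProviderResolver.getInstance().getProvider().getSPI(SecurityAdaptorFactory.class);
        } catch (NamingException e) {
            throw new WSException("Unable to lookup AuthenticationManager", e);
        }
    }

    /**
     * Validates the current principal and credential, then enforces the configured roles.
     *
     * <p>Authentication always runs. The role check is skipped only when
     * {@code authorize.isUnchecked()} is true, so "unchecked" still means "any authenticated
     * caller".
     *
     * @throws WSSecurityException a {@link FailedAuthenticationException} both when the
     *         credential is rejected and when the principal lacks the required roles
     */
    public void process() throws WSSecurityException {
        final boolean trace = log.isTraceEnabled();
        if (trace) {
            log.trace("About to check authorization, using security domain '" + this.am.getSecurityDomain() + "'");
        }

        SecurityAdaptor adaptor = this.secAdapterfactory.newSecurityAdapter();
        Principal principal = adaptor.getPrincipal();
        Object credential = adaptor.getCredential();
        Subject subject = new Subject();

        if (!this.am.isValid(principal, credential, subject)) {
            // NOTE(review): the principal name is presumably caller-supplied and is written to
            // the log unescaped. Confirm the log layout neutralises CR/LF so that a crafted
            // name cannot forge log entries.
            String message = "Authentication failed, principal=" + principal;
            log.error(message);
            throw new FailedAuthenticationException(new SecurityException(message));
        }

        // Publish the authenticated identity only after validation has succeeded.
        adaptor.pushSubjectContext(subject, principal, credential);
        if (trace) {
            log.trace("Authenticated, principal=" + principal);
        }

        if (this.authorize.isUnchecked()) {
            if (trace) {
                log.trace("authorize.isUnchecked()==true skipping roles check.");
            }
            return;
        }

        Set<Principal> expectedRoles = expectedRoles();
        if (trace) {
            log.trace("expectedRoles=" + expectedRoles);
        }

        // NOTE(review): when no roles are configured, an empty set is passed through as-is.
        // Confirm that the RealmMapping implementation denies access in that case.
        if (!this.rm.doesUserHaveRole(principal, expectedRoles)) {
            // NOTE(review): this text lists the required roles and the caller's own roles, and
            // it is also the message of the thrown exception. Verify it is not copied into the
            // fault returned to the client, where it would disclose the authorization setup.
            String message = "Insufficient method permissions, principal=" + principal + ", requiredRoles=" + expectedRoles + ", principalRoles=" + this.rm.getUserRoles(principal);
            log.error(message);
            throw new FailedAuthenticationException(new SecurityException(message));
        }

        if (trace) {
            log.trace("Roles check complete, principal=" + principal + ", requiredRoles=" + expectedRoles);
        }
    }

    /**
     * Converts the configured role names into principals for the role check.
     *
     * @return a mutable set with one {@link SimplePrincipal} per configured role; empty when
     *         the configuration returns {@code null} or no roles
     */
    private Set<Principal> expectedRoles() {
        List<Role> configured = this.authorize.getRoles();
        Set<Principal> expected = new HashSet<>(configured != null ? configured.size() : 0);
        if (configured != null) {
            for (Role role : configured) {
                expected.add(new SimplePrincipal(role.getName()));
            }
        }
        return expected;
    }
}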
