package org.jboss.seam.security.permission;

import java.io.Serializable;
import java.security.Principal;
import java.security.acl.Group;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import org.drools.ClassObjectFilter;
import org.drools.FactHandle;
import org.drools.RuleBase;
import org.drools.StatefulSession;
import org.jboss.seam.Component;
import org.jboss.seam.ScopeType;
import org.jboss.seam.Seam;
import org.jboss.seam.annotations.Create;
import org.jboss.seam.annotations.Install;
import org.jboss.seam.annotations.Name;
import org.jboss.seam.annotations.Observer;
import org.jboss.seam.annotations.Scope;
import org.jboss.seam.annotations.Startup;
import org.jboss.seam.annotations.intercept.BypassInterceptors;
import org.jboss.seam.contexts.Contexts;
import org.jboss.seam.drools.SeamGlobalResolver;
import org.jboss.seam.log.LogProvider;
import org.jboss.seam.log.Logging;
import org.jboss.seam.security.Identity;
import org.jboss.seam.security.Role;
import org.jboss.seam.security.management.JpaIdentityStore;

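/**
 * Session-scoped {@link PermissionResolver} that answers permission checks by firing a Drools
 * rule base (the Seam component named {@link #RULES_COMPONENT_NAME}) against a
 * {@link StatefulSession} holding the current user's principal and {@link Role} facts.
 *
 * <p>Each check inserts the target and a {@link PermissionCheck} (plus a {@link RoleCheck} for
 * conditional roles) as transient facts, fires all rules and retracts those facts again, so only
 * identity-related facts stay in the working memory between checks. The resolver fails closed:
 * when no rule base is installed, {@link #hasPermission} and {@link #checkConditionalRole} return
 * {@code false} rather than granting anything.
 *
 * <p>A Drools stateful session is not thread-safe and this component is session-scoped, so every
 * access to the working memory during a check is done under {@code synchronized (securityContext)}.
 */
@Name("org.jboss.seam.security.ruleBasedPermissionResolver")
@Scope(ScopeType.SESSION)
@BypassInterceptors
@Install(precedence = 0, classDependencies = {"org.drools.WorkingMemory"})
@Startup
/* loaded from: input_file:WEB-INF/lib/jboss-seam-2.3.2-SNAPSHOT.jar:org/jboss/seam/security/permission/RuleBasedPermissionResolver.class */
public class RuleBasedPermissionResolver implements PermissionResolver, Serializable {
    /** Name of the Seam component that supplies the security {@link RuleBase}. */
    public static final String RULES_COMPONENT_NAME = "securityRules";

    private static final LogProvider log = Logging.getLogProvider(RuleBasedPermissionResolver.class);

    // Working memory for this HTTP session; null when no rule base is installed.
    private StatefulSession securityContext;

    // The compiled security rules, resolved lazily from RULES_COMPONENT_NAME.
    private RuleBase securityRules;

    /**
     * Seam lifecycle hook that opens the working memory.
     *
     * @return {@code true} when a session could be created, i.e. a rule base is installed
     */
    @Create
    public boolean create() {
        initSecurityContext();
        return getSecurityContext() != null;
    }

    /**
     * Looks up the rule base (once) and opens a fresh stateful session on it. The session's global
     * resolver is wrapped in a {@link SeamGlobalResolver} so rules can reference Seam components as
     * globals. When no rule base can be found, {@link #getSecurityContext()} stays {@code null} and
     * a debug message is logged; every subsequent check then returns {@code false}.
     */
    protected void initSecurityContext() {
        if (getSecurityRules() == null) {
            setSecurityRules((RuleBase) Component.getInstance(RULES_COMPONENT_NAME, true));
        }
        RuleBase rules = getSecurityRules();
        if (rules != null) {
            StatefulSession session = rules.newStatefulSession(false);
            session.setGlobalResolver(new SeamGlobalResolver(session.getGlobalResolver()));
            setSecurityContext(session);
        }
        if (getSecurityContext() == null) {
            log.debug("no security rule base available - please install a RuleBase with the name 'securityRules' if permission checks are required.");
        }
    }

    /**
     * Evaluates the security rules for the given target and action.
     *
     * <p>A target that is neither a {@code String} nor a {@code Class} is inserted into the working
     * memory so rules can match on it; a {@code Class} target is replaced by its Seam component
     * name (or its fully-qualified class name when it is not a component). The current principal
     * and roles are synchronised into the session immediately before the rules fire, and all
     * transient facts are retracted afterwards, even if rule execution throws.
     *
     * @param obj the object, component name or component class being accessed
     * @param str the action being performed
     * @return {@code true} only if a rule granted the {@link PermissionCheck}; {@code false} when no
     *         rule base is installed
     */
    @Override // org.jboss.seam.security.permission.PermissionResolver
    public boolean hasPermission(Object obj, String str) {
        StatefulSession securityContext = getSecurityContext();
        if (securityContext == null) {
            return false;
        }
        List<FactHandle> handles = new ArrayList<FactHandle>();
        PermissionCheck check;
        synchronized (securityContext) {
            Object target = resolveTarget(securityContext, obj, handles);
            check = new PermissionCheck(target, str);
            try {
                synchronizeContext();
                handles.add(securityContext.insert(check));
                securityContext.fireAllRules();
            } finally {
                retractAll(securityContext, handles);
            }
        }
        return check.isGranted();
    }

    /**
     * Removes from {@code set} every target for which {@link #hasPermission} returns {@code true}
     * for {@code str}. NOTE(review): the caller (presumably {@code PermissionMapper}) appears to pass
     * a working set of not-yet-granted targets, so removal here means "resolved as granted" —
     * confirm against the caller before relying on this reading.
     *
     * @param set targets to filter in place
     * @param str the action being performed
     */
    @Override // org.jboss.seam.security.permission.PermissionResolver
    public void filterSetByAction(Set<Object> set, String str) {
        Iterator<Object> targets = set.iterator();
        while (targets.hasNext()) {
            if (hasPermission(targets.next(), str)) {
                targets.remove();
            }
        }
    }

    /**
     * Determines whether the current user holds the conditional role {@code str} in the context of
     * the target {@code obj} and action {@code str2}.
     *
     * <p>The rules fire twice. The first pass lets the rule base declare, through
     * {@link PermissionCheck#getRequirements()}, the named Seam context variables it needs; each
     * such variable that resolves to a non-null value is inserted as a fact. The identity is then
     * synchronised, a {@link RoleCheck} is inserted, and the rules fire again. All transient facts
     * are retracted afterwards, even if rule execution throws.
     *
     * @param str  name of the conditional role
     * @param obj  target (object, component name or component class) the role is evaluated against
     * @param str2 action the role is evaluated for
     * @return {@code true} only if a rule granted the {@link RoleCheck}; {@code false} when no rule
     *         base is installed
     */
    public boolean checkConditionalRole(String str, Object obj, String str2) {
        StatefulSession securityContext = getSecurityContext();
        if (securityContext == null) {
            return false;
        }
        RoleCheck roleCheck = new RoleCheck(str);
        List<FactHandle> handles = new ArrayList<FactHandle>();
        synchronized (securityContext) {
            // Resolve the target before building the check so that a Class target reaches the rules
            // as its component name, exactly as hasPermission() does. The decompiled original computed
            // that name but never used it, leaving the raw Class object in the check.
            Object target = resolveTarget(securityContext, obj, handles);
            PermissionCheck check = new PermissionCheck(target, str2);
            try {
                handles.add(securityContext.insert(check));
                // First pass: rules may record which context variables they require.
                securityContext.fireAllRules();
                if (check.hasRequirements()) {
                    for (String requirement : check.getRequirements()) {
                        Object value = Contexts.lookupInStatefulContexts(requirement);
                        if (value != null) {
                            handles.add(securityContext.insert(value));
                        }
                    }
                }
                synchronizeContext();
                handles.add(securityContext.insert(roleCheck));
                // Kept from the original: the check is inserted a second time before the second pass.
                // NOTE(review): with Drools identity-based assertion this presumably returns the
                // handle already recorded above, so it is retracted twice — confirm the engine
                // tolerates that.
                handles.add(securityContext.insert(check));
                securityContext.fireAllRules();
            } finally {
                retractAll(securityContext, handles);
            }
        }
        return roleCheck.isGranted();
    }

    /**
     * On logout, disposes the working memory — and with it every principal, role and user-account
     * fact inserted for the previous identity — and opens a fresh one so the next login starts
     * from a clean session.
     */
    @Observer({Identity.EVENT_LOGGED_OUT})
    public void unAuthenticate() {
        StatefulSession session = getSecurityContext();
        if (session != null) {
            session.dispose();
            setSecurityContext(null);
        }
        initSecurityContext();
    }

    /**
     * Aligns the {@link Role} facts in the working memory with the roles held by the current
     * {@link Identity}: the principal is (re-)inserted, a {@link Role} fact is added for every
     * member of the {@link Identity#ROLES_GROUP} group that has no matching fact yet, and every
     * {@link Role} fact the identity no longer holds is retracted. Must be called with the session
     * lock held; does nothing when no session exists.
     */
    private void synchronizeContext() {
        StatefulSession session = getSecurityContext();
        if (session == null) {
            return;
        }
        Identity identity = Identity.instance();
        session.insert(identity.getPrincipal());
        for (Group group : identity.getSubject().getPrincipals(Group.class)) {
            if (!Identity.ROLES_GROUP.equals(group.getName())) {
                continue;
            }
            Enumeration<? extends Principal> members = group.members();
            while (members.hasMoreElements()) {
                String roleName = members.nextElement().getName();
                if (!hasRoleFact(session, roleName)) {
                    session.insert(new Role(roleName));
                }
            }
        }
        // Snapshot the stale roles first so the working memory is not modified while its own
        // object iterator is being walked.
        List<Role> stale = new ArrayList<Role>();
        Iterator<?> roles = session.iterateObjects(new ClassObjectFilter(Role.class));
        while (roles.hasNext()) {
            Role role = (Role) roles.next();
            if (!identity.hasRole(role.getName())) {
                stale.add(role);
            }
        }
        for (Role role : stale) {
            session.retract(session.getFactHandle(role));
        }
    }

    /**
     * Prepares a check target for the rule engine. A {@code Class} is replaced by its Seam component
     * name, or its class name when it is not a component; a {@code String} is passed through; any
     * other object is inserted as a fact (its handle appended to {@code handles} for later
     * retraction) and returned unchanged. Must be called with the session lock held.
     */
    private static Object resolveTarget(StatefulSession session, Object target, List<FactHandle> handles) {
        if (target instanceof Class) {
            String componentName = Seam.getComponentName((Class) target);
            return componentName != null ? componentName : ((Class) target).getName();
        }
        if (!(target instanceof String)) {
            handles.add(session.insert(target));
        }
        return target;
    }

    /** Retracts every recorded transient fact so a check leaves the session as it found it. */
    private static void retractAll(StatefulSession session, List<FactHandle> handles) {
        for (FactHandle handle : handles) {
            session.retract(handle);
        }
    }

    /** Whether the session already holds a {@link Role} fact with the given name. */
    private static boolean hasRoleFact(StatefulSession session, String roleName) {
        Iterator<?> roles = session.iterateObjects(new ClassObjectFilter(Role.class));
        while (roles.hasNext()) {
            if (((Role) roles.next()).getName().equals(roleName)) {
                return true;
            }
        }
        return false;
    }

    /** @return the working memory for this session, or {@code null} when no rule base is installed */
    public StatefulSession getSecurityContext() {
        return this.securityContext;
    }

    /** @param statefulSession the working memory to use for subsequent checks (may be {@code null}) */
    public void setSecurityContext(StatefulSession statefulSession) {
        this.securityContext = statefulSession;
    }

    /** @return the security rule base, or {@code null} if it has not been resolved */
    public RuleBase getSecurityRules() {
        return this.securityRules;
    }

    /** @param ruleBase the rule base future sessions are created from */
    public void setSecurityRules(RuleBase ruleBase) {
        this.securityRules = ruleBase;
    }

    /**
     * Returns the session-scoped resolver instance.
     *
     * @return the resolver bound to the active Seam session
     * @throws IllegalStateException if no session context is active or the component cannot be created
     */
    public static RuleBasedPermissionResolver instance() {
        if (!Contexts.isSessionContextActive()) {
            throw new IllegalStateException("No active session context");
        }
        RuleBasedPermissionResolver resolver = (RuleBasedPermissionResolver) Component.getInstance((Class<?>) RuleBasedPermissionResolver.class, ScopeType.SESSION);
        if (resolver == null) {
            throw new IllegalStateException("No RuleBasedPermissionResolver could be created");
        }
        return resolver;
    }

    /**
     * After authentication, inserts the new principal into the working memory and, when the event
     * context carries {@link JpaIdentityStore#AUTHENTICATED_USER}, the authenticated user entity as
     * well, so rules can match on user attributes. These facts are not retracted per check; they are
     * discarded when {@link #unAuthenticate()} disposes the session.
     */
    @Observer({Identity.EVENT_POST_AUTHENTICATE})
    public void setUserAccountInSecurityContext() {
        StatefulSession session = getSecurityContext();
        if (session == null) {
            return;
        }
        session.insert(Identity.instance().getPrincipal());
        boolean userAvailable = Contexts.isEventContextActive()
                && Contexts.isSessionContextActive()
                && Contexts.getEventContext().isSet(JpaIdentityStore.AUTHENTICATED_USER);
        if (userAvailable) {
            session.insert(Contexts.getEventContext().get(JpaIdentityStore.AUTHENTICATED_USER));
        }
    }
}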
