package org.rhq.enterprise.server.authz;

import java.lang.reflect.Method;
import java.util.HashMap;
import java.util.Set;
import javax.interceptor.AroundInvoke;
import javax.interceptor.InvocationContext;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.rhq.core.domain.auth.Subject;
import org.rhq.core.domain.authz.Permission;
import org.rhq.enterprise.server.util.LookupUtil;

/* loaded from: input_file:lib/rhq-enterprise-server.jar:org/rhq/enterprise/server/authz/RequiredPermissionsInterceptor.class */
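/**
 * Interceptor that enforces the {@link RequiredPermission} and {@link RequiredPermissions}
 * annotations on the intercepted method before letting the call proceed.
 *
 * <p>What is checked, in order:
 * <ol>
 *   <li>If the first invocation parameter is a {@link Subject}, it must carry a session id and
 *       that session id must be valid for the subject's name.</li>
 *   <li>If the method declares any required permission, a subject must be present, every
 *       declared permission must target {@code Permission.Target.GLOBAL}, and the subject must
 *       hold each one explicitly.</li>
 * </ol>
 *
 * <p>A method with no permission annotation whose first parameter is not a {@link Subject} is
 * passed through without any check by this interceptor. Any failure while checking is reported
 * as a {@link PermissionException}, so the call is denied rather than allowed.
 */
public class RequiredPermissionsInterceptor {
    private static final Log LOG = LogFactory.getLog(RequiredPermissionsInterceptor.class);

    /**
     * Validates the caller's session and required global permissions, then invokes the target.
     *
     * @param invocationContext the intercepted invocation
     * @return whatever the intercepted method returns
     * @throws PermissionException if the session is missing or invalid, a required permission is
     *         not held, the annotation names a non-global permission, or the check itself fails
     * @throws Exception whatever the intercepted method throws, unchanged
     */
    @AroundInvoke
    public Object checkRequiredPermissions(InvocationContext invocationContext) throws Exception {
        try {
            // Required permission -> custom error text declared on the annotation.
            HashMap<Permission, String> errorsByPermission = new HashMap<Permission, String>();
            Method method = invocationContext.getMethod();
            RequiredPermissions declaredList = method.getAnnotation(RequiredPermissions.class);
            RequiredPermission declaredSingle = method.getAnnotation(RequiredPermission.class);
            if (declaredList != null) {
                for (RequiredPermission entry : declaredList.value()) {
                    errorsByPermission.put(entry.value(), entry.error());
                }
            }
            if (declaredSingle != null && declaredSingle.value() != null) {
                errorsByPermission.put(declaredSingle.value(), declaredSingle.error());
            }

            // The caller's identity is taken from the first parameter only.
            Subject subject = null;
            Object[] parameters = invocationContext.getParameters();
            if (parameters != null && parameters.length > 0 && parameters[0] instanceof Subject) {
                subject = (Subject) parameters[0];
            }

            // A Subject object alone proves nothing; its session must be known to the server.
            if (subject != null) {
                if (subject.getSessionId() == null) {
                    throw buildPermissionException("The subject [" + subject.getName() + "] did not have a session", invocationContext);
                }
                if (!LookupUtil.getSubjectManager().isValidSessionId(subject.getSessionId().intValue(), subject.getName())) {
                    throw buildPermissionException("The session ID for user [" + subject.getName() + "] is invalid!", invocationContext);
                }
            }

            if (!errorsByPermission.isEmpty()) {
                if (subject == null) {
                    throw buildPermissionException("Method requires permissions but does not have a subject parameter", invocationContext);
                }
                AuthorizationManagerLocal authorizationManager = LookupUtil.getAuthorizationManager();
                Set<Permission> heldPermissions = authorizationManager.getExplicitGlobalPermissions(subject);
                for (Permission required : errorsByPermission.keySet()) {
                    if (!Permission.Target.GLOBAL.equals(required.getTarget())) {
                        throw buildPermissionException("@RequiredPermissions must be Permission.Target.GLOBAL: [" + required + "]", invocationContext);
                    }
                    if (!heldPermissions.contains(required)) {
                        String customError = errorsByPermission.get(required);
                        String message = "Subject [" + subject.getName() + "] is not authorized for [" + required + "]";
                        if (customError != null && customError.length() > 0) {
                            message = customError + ": " + message;
                        }
                        throw buildPermissionException(message, invocationContext);
                    }
                }
            }
        } catch (PermissionException e) {
            // NOTE(review): denials are only visible at debug level here; confirm they are
            // recorded elsewhere if authorization failures need to be monitored.
            LOG.debug("Interceptor detected a permission exception", e);
            throw e;
        } catch (Exception e2) {
            // Fail closed: an error while checking is treated as a denial.
            PermissionException wrapped = buildPermissionException("Failed to check required permissions to invoke: ", invocationContext, e2);
            LOG.debug("Permission Exception", wrapped);
            throw wrapped;
        }

        // Invoke the target outside the try block: an exception thrown by the intercepted
        // method is not a failed permission check and must not be relabelled as one.
        return invocationContext.proceed();
    }

    /** Builds a {@link PermissionException} with no cause; see the three-argument overload. */
    private PermissionException buildPermissionException(String str, InvocationContext invocationContext) {
        return buildPermissionException(str, invocationContext, null);
    }

    /**
     * Builds a {@link PermissionException} whose message is {@code str} followed by a
     * description of the invocation.
     *
     * @param str the reason for the denial
     * @param invocationContext the invocation being denied
     * @param exc the underlying failure, or {@code null}
     */
    private PermissionException buildPermissionException(String str, InvocationContext invocationContext, Exception exc) {
        return new PermissionException(str + ": " + getInvocationString(invocationContext), exc);
    }

    /**
     * Describes the invocation as {@code invocation: method=...,context-data=...}.
     *
     * <p>NOTE(review): the context data map is rendered into the exception message as-is;
     * confirm it never holds values that should not reach callers or logs.
     */
    private String getInvocationString(InvocationContext invocationContext) {
        StringBuilder description = new StringBuilder("invocation: ");
        description.append("method=").append(invocationContext.getMethod().toGenericString());
        description.append(",context-data=").append(invocationContext.getContextData());
        return description.toString();
    }
}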
