package fish.payara.appserver.cdi.auth.roles;

import fish.payara.cdi.auth.roles.CallerAccessException;
import fish.payara.cdi.auth.roles.LogicalOperator;
import fish.payara.cdi.auth.roles.RolesPermitted;
import jakarta.annotation.Priority;
import jakarta.el.ELProcessor;
import jakarta.enterprise.inject.Intercepted;
import jakarta.enterprise.inject.spi.Bean;
import jakarta.enterprise.inject.spi.BeanManager;
import jakarta.inject.Inject;
import jakarta.inject.Named;
import jakarta.interceptor.AroundInvoke;
import jakarta.interceptor.Interceptor;
import jakarta.interceptor.InvocationContext;
import jakarta.security.enterprise.AuthenticationStatus;
import jakarta.security.enterprise.SecurityContext;
import jakarta.security.enterprise.authentication.mechanism.http.AuthenticationParameters;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import jakarta.ws.rs.NotAuthorizedException;
import jakarta.ws.rs.core.Context;
import jakarta.ws.rs.core.Response;
import java.io.Serializable;
import java.lang.annotation.Annotation;
import java.lang.reflect.Method;
import java.lang.reflect.Parameter;
import java.util.Arrays;
import java.util.LinkedList;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import org.glassfish.soteria.cdi.AnnotationELPProcessor;
import org.glassfish.soteria.cdi.CdiUtils;
import org.jboss.weld.interceptor.WeldInvocationContext;

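/**
 * CDI interceptor that enforces {@link RolesPermitted} on intercepted business methods.
 *
 * <p>For every intercepted call it resolves the applicable {@code @RolesPermitted} annotation,
 * triggers authentication when an HTTP request/response pair is available and the caller has no
 * principal yet, and then checks the caller's roles through the {@link SecurityContext}. The call
 * proceeds only when that check passes; otherwise a {@link CallerAccessException} is thrown.
 *
 * <p>Role names may contain EL expressions. They are evaluated with the intercepted target exposed
 * as {@code self} and with the method arguments exposed under their {@code @Named} values.
 */
@RolesPermitted
@Interceptor
@Priority(5000)
/* loaded from: input_file:MICRO-INF/runtime/cdi-auth-roles.jar:fish/payara/appserver/cdi/auth/roles/RolesPermittedInterceptor.class */
public class RolesPermittedInterceptor implements Serializable {
    private static final long serialVersionUID = 1;
    private final Bean<?> interceptedBean;
    // Holder for the BeanManager and SecurityContext lookups used below; the class itself is not
    // visible in this file.
    private final NonSerializableProperties lazyProperties = new NonSerializableProperties();

    // Both @Context fields are transient and are null-checked in authenticate(): when either is
    // null the authentication step is skipped and only the role check runs.
    @Context
    private transient HttpServletRequest request;

    @Context
    private transient HttpServletResponse response;

    /**
     * Creates the interceptor for one intercepted bean.
     *
     * @param bean metadata of the bean being intercepted; its bean class is the last place
     *     searched for {@code @RolesPermitted}
     */
    @Inject
    public RolesPermittedInterceptor(@Intercepted Bean<?> bean) {
        this.interceptedBean = bean;
    }

    /**
     * Authorizes the intercepted call and proceeds only when the caller is permitted.
     *
     * @param invocationContext the intercepted invocation
     * @return whatever the intercepted method returns
     * @throws CallerAccessException if the role check fails
     * @throws Exception anything thrown by authentication or by the intercepted method
     */
    @AroundInvoke
    public Object method(InvocationContext invocationContext) throws Exception {
        RolesPermitted rolesPermitted = getRolesPermitted(invocationContext);
        if (!checkAccessPermitted(rolesPermitted, invocationContext)) {
            // Deny by default: the target method is never invoked on a failed check.
            throw new CallerAccessException("Caller was not permitted access to a protected resource");
        }
        return invocationContext.proceed();
    }

    /**
     * Decides whether the current caller satisfies the given {@code @RolesPermitted} constraint.
     *
     * <p>With {@link LogicalOperator#OR} one matching role is enough; with
     * {@link LogicalOperator#AND} every listed role must match. Any other semantics value denies
     * access.
     *
     * @param rolesPermitted the constraint to evaluate
     * @param invocationContext the intercepted invocation, used to build the EL context
     * @return {@code true} if access is permitted
     * @throws NotAuthorizedException if authentication was attempted and did not yield a principal
     */
    public boolean checkAccessPermitted(RolesPermitted rolesPermitted, InvocationContext invocationContext) {
        String[] declaredRoles = rolesPermitted.value();
        authenticate(declaredRoles);

        // Only pay for an ELProcessor when at least one role actually contains an expression.
        ELProcessor elProcessor = AnnotationELPProcessor.hasAnyELExpression(declaredRoles)
                ? getElProcessor(invocationContext)
                : null;
        SecurityContext securityContext = this.lazyProperties.getSecurityContext();
        LogicalOperator semantics = rolesPermitted.semantics();

        if (LogicalOperator.OR.equals(semantics)) {
            for (String role : declaredRoles) {
                if (securityContext.isCallerInRole(resolveRole(elProcessor, role))) {
                    return true;
                }
            }
            return false;
        }
        if (!LogicalOperator.AND.equals(semantics)) {
            // Unknown or null semantics: fail closed.
            return false;
        }
        // NOTE(review): with AND semantics and an empty role list this loop is vacuous and the
        // method returns true; authenticate() is also skipped for an empty list. Confirm that an
        // empty AND constraint is meant to permit every caller.
        for (String role : declaredRoles) {
            if (!securityContext.isCallerInRole(resolveRole(elProcessor, role))) {
                return false;
            }
        }
        return true;
    }

    /** Returns the role name, evaluating it first when it contains an EL expression. */
    private static String resolveRole(ELProcessor elProcessor, String role) {
        if (elProcessor != null && AnnotationELPProcessor.hasAnyELExpression(role)) {
            return AnnotationELPProcessor.evalELExpression(elProcessor, role);
        }
        return role;
    }

    /**
     * Locates the {@code @RolesPermitted} annotation that applies to this invocation.
     *
     * <p>Search order: the interceptor bindings Weld stores in the context data, then the invoked
     * method (including stereotypes), then the intercepted bean class.
     *
     * @throws IllegalStateException if no annotation is found in any of those places
     */
    private RolesPermitted getRolesPermitted(InvocationContext invocationContext) {
        @SuppressWarnings("unchecked") // the value under this key is read as a set of binding annotations
        Set<Annotation> bindings = (Set<Annotation>) invocationContext.getContextData().get(WeldInvocationContext.INTERCEPTOR_BINDINGS_KEY);
        if (bindings != null) {
            // The original listing referenced an undefined name here (a decompiler artifact);
            // the intended operation is a checked cast to RolesPermitted.
            Optional<RolesPermitted> fromBindings = bindings.stream()
                    .filter(annotation -> annotation.annotationType().equals(RolesPermitted.class))
                    .findAny()
                    .map(RolesPermitted.class::cast);
            if (fromBindings.isPresent()) {
                return fromBindings.get();
            }
        }

        BeanManager beanManager = this.lazyProperties.getBeanManager();
        Optional<RolesPermitted> fromMethod = getAnnotationFromMethod(beanManager, invocationContext.getMethod(), RolesPermitted.class);
        if (fromMethod.isPresent()) {
            return fromMethod.get();
        }

        Optional<RolesPermitted> fromBeanClass = CdiUtils.getAnnotation(beanManager, this.interceptedBean.getBeanClass(), RolesPermitted.class);
        if (fromBeanClass.isPresent()) {
            return fromBeanClass.get();
        }
        throw new IllegalStateException("@RolesPermitted not found on " + this.interceptedBean.getBeanClass());
    }

    /**
     * Finds an annotation on a method, either declared directly or reachable through stereotypes.
     *
     * @param beanManager used to recognise stereotypes and expand their definitions
     * @param method the method to inspect
     * @param cls the annotation type to look for
     * @param <A> the annotation type
     * @return the annotation, or an empty {@code Optional} when it is not present
     */
    public static <A extends Annotation> Optional<A> getAnnotationFromMethod(BeanManager beanManager, Method method, Class<A> cls) {
        if (method.isAnnotationPresent(cls)) {
            return Optional.of(method.getAnnotation(cls));
        }
        // Work queue: a stereotype found on the method contributes its own annotations, which
        // may in turn be stereotypes.
        LinkedList<Annotation> pending = new LinkedList<>(Arrays.asList(method.getAnnotations()));
        while (!pending.isEmpty()) {
            Annotation candidate = pending.remove();
            Class<? extends Annotation> candidateType = candidate.annotationType();
            if (candidateType.equals(cls)) {
                return Optional.of(cls.cast(candidate));
            }
            if (beanManager.isStereotype(candidateType)) {
                pending.addAll(beanManager.getStereotypeDefinition(candidateType));
            }
        }
        return Optional.empty();
    }

    /**
     * Builds the EL context used to evaluate role expressions for one invocation.
     *
     * <p>Defines {@code self} as the intercepted target and each argument whose parameter carries
     * a non-blank {@code @Named} value under that name. When no parameter is named and the method
     * has exactly one parameter, that argument is exposed as {@code param}.
     */
    private ELProcessor getElProcessor(InvocationContext invocationContext) {
        BeanManager beanManager = this.lazyProperties.getBeanManager();
        ELProcessor elProcessor = new ELProcessor();
        elProcessor.getELManager().addELResolver(beanManager.getELResolver());
        elProcessor.defineBean("self", invocationContext.getTarget());

        // The expression text comes from the annotation, but the beans defined below are the
        // call's actual arguments, so expression results depend on caller-supplied values.
        Parameter[] declaredParameters = invocationContext.getMethod().getParameters();
        Object[] arguments = invocationContext.getParameters();
        boolean anyNamed = false;
        for (int i = 0; i < declaredParameters.length; i++) {
            Named named = declaredParameters[i].getAnnotation(Named.class);
            if (named == null) {
                continue;
            }
            String beanName = named.value().trim();
            if (!beanName.isEmpty()) {
                elProcessor.defineBean(beanName, arguments[i]);
                anyNamed = true;
            }
        }
        if (!anyNamed && declaredParameters.length == 1) {
            elProcessor.defineBean("param", arguments[0]);
        }
        return elProcessor;
    }

    /**
     * Triggers authentication when it is both possible and needed.
     *
     * <p>Nothing happens when the request or response is unavailable, when no roles are declared,
     * or when the caller already has a principal.
     *
     * @param strArr the roles declared on the constraint
     * @throws NotAuthorizedException (HTTP 401) if authentication reports {@code NOT_DONE} or
     *     {@code SEND_FAILURE}, or reports {@code SUCCESS} without establishing a principal
     */
    private void authenticate(String[] strArr) {
        SecurityContext securityContext = this.lazyProperties.getSecurityContext();
        boolean httpAvailable = this.request != null && this.response != null;
        if (!httpAvailable || strArr.length <= 0 || isAuthenticated(securityContext)) {
            return;
        }
        AuthenticationStatus status = securityContext.authenticate(this.request, this.response, AuthenticationParameters.withParams());
        if (status == AuthenticationStatus.NOT_DONE || status == AuthenticationStatus.SEND_FAILURE) {
            throw new NotAuthorizedException("Authentication resulted in " + status, Response.status(Response.Status.UNAUTHORIZED).build());
        }
        // A reported SUCCESS is not trusted on its own: a caller principal must actually exist.
        if (status == AuthenticationStatus.SUCCESS && !isAuthenticated(securityContext)) {
            throw new NotAuthorizedException("Authentication not done (i.e. no credential found)", Response.status(Response.Status.UNAUTHORIZED).build());
        }
        // Any other status falls through; the role check that follows still has to pass.
    }

    /** Reports whether the security context currently holds a caller principal. */
    private static boolean isAuthenticated(SecurityContext securityContext) {
        return securityContext.getCallerPrincipal() != null;
    }
}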
