package org.jboss.ejb.plugins;

import java.security.AccessController;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.util.Set;
import org.jboss.ejb.Container;
import org.jboss.ejb.plugins.PrincipalInfoAction;
import org.jboss.invocation.Invocation;
import org.jboss.invocation.InvocationType;
import org.jboss.metadata.SecurityIdentityMetaData;
import org.jboss.security.AnybodyPrincipal;
import org.jboss.security.AuthenticationManager;
import org.jboss.security.RealmMapping;
import org.jboss.security.SecurityAssociation;
import org.jboss.security.SimplePrincipal;

/* loaded from: input_file:org/jboss/ejb/plugins/SecurityInterceptor.class */
/**
 * Container interceptor that authenticates the caller of an EJB invocation,
 * checks the method permissions declared for the invoked method, and (when the
 * bean declares a run-as identity) pushes that identity onto the
 * {@link SecurityAssociation} run-as stack for the duration of the call.
 *
 * Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>If no {@link AuthenticationManager} is configured on the container
 *       (or the invocation carries no method), the interceptor performs no
 *       authentication or authorization at all -- it only records the caller's
 *       principal/credential and lets the call through.</li>
 *   <li>The run-as identity is pushed only after the caller has passed the
 *       permission check, and is always popped again, even when the next
 *       interceptor throws.</li>
 *   <li>When an upstream run-as identity is already active, the caller's own
 *       roles are not consulted; the run-as principal itself must be listed in
 *       the method's permission set (or the set must contain ANYBODY).</li>
 * </ul>
 */
public class SecurityInterceptor extends AbstractInterceptor {
    /** Validates the caller's principal/credential; {@code null} means the bean is unsecured. */
    protected AuthenticationManager securityManager;
    /** Resolves the caller's roles for the method-permission check. */
    protected RealmMapping realmMapping;
    /** Run-as principal from the bean's security-identity metadata, or {@code null} to use the caller identity. */
    protected Principal runAsRole;

    /** Pops the top run-as identity inside a privileged block. */
    private static class PopRunAsRoleAction implements PrivilegedAction {
        static PrivilegedAction ACTION = new PopRunAsRoleAction();

        private PopRunAsRoleAction() {
        }

        @Override // java.security.PrivilegedAction
        public Object run() {
            return SecurityAssociation.popRunAsRole();
        }

        /** @return the principal that was on top of the run-as stack */
        static Principal popRunAsRole() {
            Object popped = AccessController.doPrivileged(ACTION);
            return (Principal) popped;
        }
    }

    /** Pushes a run-as identity inside a privileged block. */
    private static class PushRunAsRoleAction implements PrivilegedAction {
        Principal principal;

        PushRunAsRoleAction(Principal principal) {
            this.principal = principal;
        }

        @Override // java.security.PrivilegedAction
        public Object run() {
            SecurityAssociation.pushRunAsRole(this.principal);
            return null;
        }

        /** @param principal identity to push onto the run-as stack */
        static void pushRunAsRole(Principal principal) {
            AccessController.doPrivileged(new PushRunAsRoleAction(principal));
        }
    }

    /**
     * Captures the security configuration from the container: the run-as role
     * (only when the bean does not use the caller identity), the
     * authentication manager and the realm mapping.
     *
     * @param container the owning container; {@code null} leaves the fields untouched
     */
    @Override // org.jboss.ejb.plugins.AbstractInterceptor, org.jboss.ejb.ContainerPlugin
    public void setContainer(Container container) {
        super.setContainer(container);
        if (container == null) {
            return;
        }
        SecurityIdentityMetaData identity = container.getBeanMetaData().getSecurityIdentityMetaData();
        boolean hasRunAs = identity != null && !identity.getUseCallerIdentity();
        if (hasRunAs) {
            this.runAsRole = new SimplePrincipal(identity.getRunAsRoleName());
        }
        this.securityManager = container.getSecurityManager();
        this.realmMapping = container.getRealmMapping();
    }

    /** Delegates to the base interceptor; nothing extra is started here. */
    @Override // org.jboss.ejb.plugins.AbstractInterceptor
    public void start() throws Exception {
        super.start();
    }

    /**
     * Home-interface invocation: authenticate/authorize the caller, then run the
     * rest of the chain under the bean's run-as identity (if any).
     *
     * @throws SecurityException when authentication or authorization fails
     */
    @Override // org.jboss.ejb.plugins.AbstractInterceptor, org.jboss.ejb.Interceptor
    public Object invokeHome(Invocation invocation) throws Exception {
        checkSecurityAssociation(invocation);
        // Read the field once so push and pop are guaranteed to be symmetric.
        Principal identity = this.runAsRole;
        if (identity != null) {
            PushRunAsRoleAction.pushRunAsRole(identity);
        }
        try {
            return getNext().invokeHome(invocation);
        } finally {
            // Always unwind the run-as stack, including on exceptions, so the
            // identity does not leak into the next invocation on this thread.
            if (identity != null) {
                PopRunAsRoleAction.popRunAsRole();
            }
        }
    }

    /**
     * Remote/local-interface invocation: same policy as {@link #invokeHome}.
     *
     * @throws SecurityException when authentication or authorization fails
     */
    @Override // org.jboss.ejb.plugins.AbstractInterceptor, org.jboss.ejb.Interceptor
    public Object invoke(Invocation invocation) throws Exception {
        checkSecurityAssociation(invocation);
        Principal identity = this.runAsRole;
        if (identity != null) {
            PushRunAsRoleAction.pushRunAsRole(identity);
        }
        try {
            return getNext().invoke(invocation);
        } finally {
            if (identity != null) {
                PopRunAsRoleAction.popRunAsRole();
            }
        }
    }

    /**
     * Logs a denial at error level and returns the exception to throw, so every
     * rejection path is recorded the same way.
     */
    private SecurityException deny(String message) {
        this.log.error(message);
        return new SecurityException(message);
    }

    /**
     * Authenticates the invocation's principal/credential and checks the method
     * permissions for the invoked method.
     *
     * Order of checks:
     * <ol>
     *   <li>No method or no security manager: record the caller identity and
     *       return without any check (unsecured bean -- fail-open by design).</li>
     *   <li>A security manager without a realm mapping is a misconfiguration.</li>
     *   <li>Authenticate; on success the identity is bound via
     *       {@link PrincipalInfoAction} before authorization runs.</li>
     *   <li>A method with no permission set at all is rejected.</li>
     *   <li>With no active run-as: the caller must hold one of the required roles.
     *       With an active run-as: that principal itself must be in the required
     *       set, or the set must contain ANYBODY.</li>
     * </ol>
     *
     * @throws SecurityException on any authentication/authorization failure
     */
    private void checkSecurityAssociation(Invocation invocation) throws Exception {
        Principal principal = invocation.getPrincipal();
        Object credential = invocation.getCredential();
        // NOTE(review): the guard is the INFO level but the messages go out at
        // TRACE; kept as-is to preserve behaviour.
        boolean logDetails = this.log.isInfoEnabled();

        // Unsecured bean (or method-less invocation): no authentication, no
        // authorization -- only the caller's identity is recorded.
        if (invocation.getMethod() == null || this.securityManager == null) {
            PrincipalInfoAction.UTIL.set(principal, credential);
            return;
        }
        if (this.realmMapping == null) {
            throw new SecurityException("Role mapping manager has not been set");
        }
        if (!this.securityManager.isValid(principal, credential)) {
            throw deny("Authentication exception, principal=" + principal);
        }
        // Bind the authenticated identity for downstream code before authorizing.
        PrincipalInfoAction.UTIL.set(principal, credential);
        if (logDetails) {
            this.log.trace("Authenticated  principal=" + principal);
        }

        InvocationType type = invocation.getType();
        String methodName = invocation.getMethod().getName();
        Set requiredRoles = this.container.getMethodPermissions(invocation.getMethod(), type);
        // A method that was never assigned permissions is denied, not allowed.
        if (requiredRoles == null) {
            throw deny("No method permissions assigned to method=" + methodName + ", interface=" + type);
        }
        if (logDetails) {
            this.log.trace("method=" + invocation.getMethod() + ", interface=" + type + ", requiredRoles=" + requiredRoles);
        }

        Principal activeRunAs = SecurityAssociation.peekRunAsRole();
        if (activeRunAs == null) {
            if (this.realmMapping.doesUserHaveRole(principal, requiredRoles)) {
                return;
            }
            // NOTE(review): the message carries the caller's full role set and
            // propagates to the client inside the SecurityException.
            throw deny("Insufficient method permissions, principal=" + principal
                    + ", method=" + methodName
                    + ", interface=" + type
                    + ", requiredRoles=" + requiredRoles
                    + ", principalRoles=" + this.realmMapping.getUserRoles(principal));
        }

        if (logDetails) {
            this.log.trace("Checking runAsRole: " + activeRunAs);
        }
        // Under run-as the caller's roles are ignored; the run-as principal must
        // match an entry of the permission set (Set.contains, so this depends on
        // the principal implementation's equals()) or the set must allow anybody.
        boolean runAsAllowed = requiredRoles.contains(activeRunAs)
                || requiredRoles.contains(AnybodyPrincipal.ANYBODY_PRINCIPAL);
        if (runAsAllowed) {
            return;
        }
        throw deny("Insufficient method permissions, runAsRole=" + activeRunAs
                + ", method=" + methodName
                + ", interface=" + type
                + ", requiredRoles=" + requiredRoles);
    }
}
