package org.jboss.ejb.plugins;

import java.security.Principal;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;
import org.jboss.ejb.Container;
import org.jboss.invocation.Invocation;
import org.jboss.invocation.InvocationType;
import org.jboss.metadata.AssemblyDescriptorMetaData;
import org.jboss.metadata.BeanMetaData;
import org.jboss.metadata.SecurityIdentityMetaData;
import org.jboss.security.AnybodyPrincipal;
import org.jboss.security.AuthenticationManager;
import org.jboss.security.RealmMapping;
import org.jboss.security.RunAsIdentity;
import org.jboss.system.Registry;

/* loaded from: input_file:org/jboss/ejb/plugins/SecurityInterceptor.class */
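/**
 * EJB container interceptor that authenticates the caller of an invocation and enforces the
 * bean's declarative method permissions before the call is passed down the chain.
 * <p>
 * For every {@link #invoke} / {@link #invokeHome} the interceptor:
 * <ol>
 *   <li>authenticates the invocation's principal and credential through the container's
 *       {@link AuthenticationManager} and pushes the resulting {@link Subject} as the current
 *       subject context &mdash; unless a caller run-as identity is already in effect (an upstream
 *       bean has authenticated the real caller), or the invocation carries no method, or the
 *       container has no security manager;</li>
 *   <li>checks the caller's roles (or the caller's run-as roles) against the method's permission
 *       set obtained from the container;</li>
 *   <li>pushes this bean's own run-as identity, if one is configured, for the duration of the
 *       downstream call and restores the run-as stack afterwards.</li>
 * </ol>
 * Subject-context pushes and pops are kept strictly paired: a context is only popped by the code
 * path that pushed it, including when a permission check fails after the push.
 */
public class SecurityInterceptor extends AbstractInterceptor {
    /** Authenticates principal/credential pairs; {@code null} disables authentication. */
    protected AuthenticationManager securityManager;
    /** Maps authenticated principals to their roles; required whenever a security manager is set. */
    protected RealmMapping realmMapping;
    /** Run-as identity this bean propagates to the beans it calls; {@code null} if it uses the caller identity. */
    protected RunAsIdentity runAsIdentity;
    /** Security roles declared in the application's assembly descriptor (raw type: container API is pre-generics). */
    protected Map securityRoles;
    /** Optional observer notified of authentication failures; looked up from the {@link Registry} in {@link #start()}. */
    protected AuthenticationObserver authenticationObserver;

    /**
     * Callback registered under {@link #KEY} in the {@link Registry} to be told about failed
     * authentications, e.g. for auditing or lockout policies.
     */
    public interface AuthenticationObserver {
        /** Registry key under which the observer is looked up. */
        public static final String KEY = "SecurityInterceptor.AuthenticationObserver";

        /** Invoked each time the security manager rejects a caller's credentials. */
        void authenticationFailed();
    }

    /**
     * Binds this interceptor to its container and derives the security configuration from the
     * bean's metadata: the assembly-descriptor security roles, the bean's run-as identity (only
     * when its security-identity element does not select the caller identity), and the
     * container's authentication manager and realm mapping.
     *
     * @param container the owning container, or {@code null} to detach
     */
    @Override
    public void setContainer(Container container) {
        super.setContainer(container);
        if (container == null) {
            return;
        }
        BeanMetaData beanMetaData = container.getBeanMetaData();
        AssemblyDescriptorMetaData assemblyDescriptor =
                beanMetaData.getApplicationMetaData().getAssemblyDescriptor();
        this.securityRoles = assemblyDescriptor.getSecurityRoles();

        SecurityIdentityMetaData securityIdentity = beanMetaData.getSecurityIdentityMetaData();
        if (securityIdentity != null && !securityIdentity.getUseCallerIdentity()) {
            String runAsRoleName = securityIdentity.getRunAsRoleName();
            String runAsPrincipalName = securityIdentity.getRunAsPrincipalName();
            // The run-as principal carries all roles the assembly descriptor maps to it, so
            // downstream permission checks see more than just the single run-as role.
            this.runAsIdentity = new RunAsIdentity(runAsRoleName, runAsPrincipalName,
                    assemblyDescriptor.getSecurityRoleNamesByPrincipal(runAsPrincipalName));
        }
        this.securityManager = container.getSecurityManager();
        this.realmMapping = container.getRealmMapping();
    }

    /**
     * Starts the interceptor and resolves the optional {@link AuthenticationObserver} from the
     * {@link Registry}; a missing registration simply leaves the observer {@code null}.
     *
     * @throws Exception if the superclass start fails
     */
    @Override
    public void start() throws Exception {
        super.start();
        this.authenticationObserver = (AuthenticationObserver) Registry.lookup(AuthenticationObserver.KEY);
    }

    /**
     * Secures a home-interface invocation: authenticates and authorizes the caller, then runs the
     * rest of the chain under this bean's run-as identity.
     *
     * @param invocation the home invocation
     * @return the value returned by the next interceptor
     * @throws SecurityException if authentication or authorization fails
     * @throws Exception anything thrown by authentication or by the downstream chain
     */
    @Override
    public Object invokeHome(Invocation invocation) throws Exception {
        boolean pushedSubjectContext = checkSecurityAssociation(invocation);
        SecurityActions.pushRunAsIdentity(this.runAsIdentity);
        try {
            return getNext().invokeHome(invocation);
        } finally {
            SecurityActions.popRunAsIdentity();
            // Only pop what this interceptor pushed; in the run-as case the caller's context
            // belongs to an upstream interceptor and must stay on the stack for it to pop.
            if (pushedSubjectContext) {
                SecurityActions.popSubjectContext();
            }
        }
    }

    /**
     * Secures a business-interface invocation: authenticates and authorizes the caller, then runs
     * the rest of the chain under this bean's run-as identity.
     *
     * @param invocation the business invocation
     * @return the value returned by the next interceptor
     * @throws SecurityException if authentication or authorization fails
     * @throws Exception anything thrown by authentication or by the downstream chain
     */
    @Override
    public Object invoke(Invocation invocation) throws Exception {
        boolean pushedSubjectContext = checkSecurityAssociation(invocation);
        SecurityActions.pushRunAsIdentity(this.runAsIdentity);
        try {
            return getNext().invoke(invocation);
        } finally {
            SecurityActions.popRunAsIdentity();
            // Only pop what this interceptor pushed; see invokeHome.
            if (pushedSubjectContext) {
                SecurityActions.popSubjectContext();
            }
        }
    }

    /**
     * Authenticates the caller of {@code invocation} and enforces the method permissions.
     * <p>
     * If the invocation has no method, or this interceptor has no security manager or container,
     * no check is performed but the caller information is still pushed as the subject context so
     * that downstream interceptors can see it.
     *
     * @param invocation the invocation being secured
     * @return {@code true} if this call pushed a subject context that the caller must pop once
     *         the invocation completes; {@code false} if the subject-context stack was left as is
     * @throws SecurityException if no realm mapping is set, the method has no permissions
     *         assigned, or the caller lacks every required role
     * @throws Exception the authentication failure recorded by the security manager, when one
     *         is available
     */
    private boolean checkSecurityAssociation(Invocation invocation) throws Exception {
        Principal principal = invocation.getPrincipal();
        Object credential = invocation.getCredential();

        if (invocation.getMethod() == null || this.securityManager == null || this.container == null) {
            SecurityActions.pushSubjectContext(principal, credential, null);
            return true;
        }
        if (this.realmMapping == null) {
            throw new SecurityException("Role mapping manager has not been set");
        }

        // A non-null run-as identity means an upstream bean has already authenticated the real
        // caller; its subject context stays on top of the stack and nothing new is pushed here.
        RunAsIdentity callerRunAsIdentity = SecurityActions.peekRunAsIdentity();
        boolean pushedSubjectContext = false;
        if (callerRunAsIdentity == null) {
            authenticate(principal, credential);
            pushedSubjectContext = true;
        }

        boolean authorized = false;
        try {
            checkMethodPermissions(invocation, principal, callerRunAsIdentity);
            authorized = true;
        } finally {
            // A failed permission check must not leave the freshly pushed context behind: the
            // enclosing invoke/invokeHome never reaches its own pop when this method throws.
            if (!authorized && pushedSubjectContext) {
                SecurityActions.popSubjectContext();
            }
        }
        return pushedSubjectContext;
    }

    /**
     * Validates {@code principal}/{@code credential} with the security manager and, on success,
     * pushes the populated {@link Subject} as the current subject context. On failure the
     * {@link AuthenticationObserver} (if any) is notified before the exception is thrown.
     *
     * @throws Exception the security manager's recorded context exception if present, otherwise
     *         a {@link SecurityException} naming the rejected principal
     */
    private void authenticate(Principal principal, Object credential) throws Exception {
        Subject subject = new Subject();
        if (!this.securityManager.isValid(principal, credential, subject)) {
            if (this.authenticationObserver != null) {
                this.authenticationObserver.authenticationFailed();
            }
            Exception contextException = SecurityActions.getContextException();
            if (contextException != null) {
                throw contextException;
            }
            throw new SecurityException("Authentication exception, principal=" + principal);
        }
        SecurityActions.pushSubjectContext(principal, credential, subject);
        // NOTE(review): the guard checks the info level but the message is logged at trace; this
        // looks like a decompilation artifact of an isTraceEnabled() check — confirm against the
        // original source before changing.
        if (this.log.isInfoEnabled()) {
            this.log.trace("Authenticated  principal=" + principal);
        }
    }

    /**
     * Enforces the declarative method permissions of {@code invocation}.
     *
     * @param invocation the invocation whose method is being authorized
     * @param principal the caller principal (used for role lookup and error messages)
     * @param callerRunAsIdentity the caller's run-as identity, or {@code null} if the caller's own
     *        roles are to be checked through the realm mapping
     * @throws SecurityException if the method has no permissions assigned, or neither the run-as
     *         roles nor the principal's roles satisfy them
     */
    private void checkMethodPermissions(Invocation invocation, Principal principal,
            RunAsIdentity callerRunAsIdentity) {
        InvocationType type = invocation.getType();
        // Raw type: the container API returns a pre-generics Set of role principals.
        Set methodPermissions = this.container.getMethodPermissions(invocation.getMethod(), type);
        if (methodPermissions == null) {
            throw new SecurityException("No method permissions assigned to method="
                    + invocation.getMethod().getName() + ", interface=" + type);
        }
        // NOTE(review): same info-guard/trace-level mismatch as in authenticate().
        if (this.log.isInfoEnabled()) {
            this.log.trace("method=" + invocation.getMethod() + ", interface=" + type
                    + ", requiredRoles=" + methodPermissions);
        }
        // An "anybody" permission grants access regardless of the caller's roles.
        if (methodPermissions.contains(AnybodyPrincipal.ANYBODY_PRINCIPAL)) {
            return;
        }
        if (callerRunAsIdentity != null) {
            if (!callerRunAsIdentity.doesUserHaveRole(methodPermissions)) {
                throw new SecurityException("Insufficient method permissions, principal=" + principal
                        + ", ejbName=" + this.container.getBeanMetaData().getEjbName()
                        + ", method=" + invocation.getMethod().getName()
                        + ", interface=" + type
                        + ", requiredRoles=" + methodPermissions
                        + ", runAsRoles=" + callerRunAsIdentity.getRunAsRoles());
            }
            return;
        }
        if (!this.realmMapping.doesUserHaveRole(principal, methodPermissions)) {
            throw new SecurityException("Insufficient method permissions, principal=" + principal
                    + ", ejbName=" + this.container.getBeanMetaData().getEjbName()
                    + ", method=" + invocation.getMethod().getName()
                    + ", interface=" + type
                    + ", requiredRoles=" + methodPermissions
                    + ", principalRoles=" + this.realmMapping.getUserRoles(principal));
        }
    }
}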
