package org.apache.cxf.rt.security.claims;

import java.lang.reflect.Method;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.logging.Logger;
import org.apache.cxf.common.logging.LogUtils;
import org.apache.cxf.common.util.ClassHelper;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.interceptor.security.AccessDeniedException;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;
import org.apache.cxf.rt.security.saml.SAMLSecurityContext;
import org.apache.cxf.security.SecurityContext;
import org.apache.cxf.security.claims.authorization.ClaimMode;
import org.apache.cxf.security.claims.authorization.Claims;
import org.apache.cxf.service.Service;
import org.apache.cxf.service.invoker.MethodDispatcher;
import org.apache.cxf.service.model.BindingOperationInfo;
import org.springframework.jmx.export.naming.IdentityNamingStrategy;

/* loaded from: input_file:lib/open/cxf/security/cxf-rt-security-3.0.14.jar:org/apache/cxf/rt/security/claims/ClaimsAuthorizingInterceptor.class */
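/**
 * Pre-invoke interceptor that authorizes a call by comparing the claims carried by the caller's
 * {@link SAMLSecurityContext} with the claim requirements registered for the target method.
 *
 * <p>Requirements are keyed by method <em>name</em> only, so overloaded methods share a single
 * entry and the last one registered replaces the others.
 *
 * <p>Requirements come from {@link #setClaims(Map)} and/or from the {@code @Claims} /
 * {@code @Claim} annotations discovered by {@link #setSecuredObject(Object)}. Aliases are resolved
 * while annotations are read, so {@link #setNameAliases(Map)} and {@link #setFormatAliases(Map)}
 * only affect annotations scanned after they are called.
 */
public class ClaimsAuthorizingInterceptor extends AbstractPhaseInterceptor<Message> {
    private static final Logger LOG = LogUtils.getL7dLogger(ClaimsAuthorizingInterceptor.class);

    /**
     * Names of {@code java.lang.Object} methods that never get a requirement entry.
     * "hashCode" is spelled as a literal so this list does not lean on an unrelated constant.
     * Note that "getClass" is not listed, so scanning any class registers an entry for it.
     */
    private static final Set<String> SKIP_METHODS = Collections.unmodifiableSet(
            new HashSet<String>(Arrays.asList("wait", "notify", "notifyAll", "equals", "toString", "hashCode")));

    /** Method name to the claim requirements enforced for that method. */
    private Map<String, List<ClaimBean>> claims;
    /** Optional short name to full claim name mapping, applied when annotations are read. */
    private Map<String, String> nameAliases;
    /** Optional short name to full name-format mapping, applied when annotations are read. */
    private Map<String, String> formatAliases;

    /** Creates the interceptor in the {@code PRE_INVOKE} phase with no requirements and no aliases. */
    public ClaimsAuthorizingInterceptor() {
        super(Phase.PRE_INVOKE);
        this.claims = new HashMap<String, List<ClaimBean>>();
        this.nameAliases = Collections.emptyMap();
        this.formatAliases = Collections.emptyMap();
    }

    /**
     * Rejects the message unless it carries a {@link SAMLSecurityContext} whose claims satisfy the
     * requirements of the target method.
     *
     * @throws AccessDeniedException if the security context is missing or of another type, the
     *         target method cannot be resolved, or the claims check fails
     */
    @Override // org.apache.cxf.interceptor.Interceptor
    public void handleMessage(Message message) throws Fault {
        SecurityContext securityContext = (SecurityContext) message.get(SecurityContext.class);
        // A null context also fails the instanceof test, so unauthenticated requests stop here.
        if (!(securityContext instanceof SAMLSecurityContext)) {
            throw new AccessDeniedException("Security Context is unavailable or unrecognized");
        }
        if (!authorize((SAMLSecurityContext) securityContext, getTargetMethod(message))) {
            throw new AccessDeniedException("Unauthorized");
        }
    }

    /**
     * Adds explicit requirements, keyed by method name, on top of those already registered.
     * An entry for a name that is already present replaces the earlier one.
     */
    public void setClaims(Map<String, List<ClaimBean>> map) {
        this.claims.putAll(map);
    }

    /**
     * Resolves the Java method the message is about to invoke: through the service's
     * {@link MethodDispatcher} when a {@link BindingOperationInfo} is on the exchange, otherwise
     * from the {@code org.apache.cxf.resource.method} message property.
     *
     * @throws AccessDeniedException if neither source yields a method
     */
    protected Method getTargetMethod(Message message) {
        BindingOperationInfo bindingOperationInfo =
                (BindingOperationInfo) message.getExchange().get(BindingOperationInfo.class);
        if (bindingOperationInfo != null) {
            Service service = (Service) message.getExchange().get(Service.class);
            MethodDispatcher dispatcher = (MethodDispatcher) service.get(MethodDispatcher.class.getName());
            return dispatcher.getMethod(bindingOperationInfo);
        }
        Method method = (Method) message.get("org.apache.cxf.resource.method");
        if (method != null) {
            return method;
        }
        throw new AccessDeniedException("Method is not available : Unauthorized");
    }

    /**
     * Decides whether the presented claims satisfy every requirement registered for the method.
     *
     * <p>For each requirement, the presented claim with the same name and name format is looked up:
     * <ul>
     *   <li>if it is absent, the requirement fails only when its mode is {@link ClaimMode#STRICT};
     *       in any other mode an absent claim is not checked at all;</li>
     *   <li>if it is present, it must share at least one value with the requirement, and when
     *       {@code matchAll} is set it must contain every required value.</li>
     * </ul>
     *
     * <p>A method registered with an empty requirement list is authorized for any caller that
     * holds a SAML security context. A method with no entry at all is denied: the lookup used to
     * fail with a {@code NullPointerException}, which also rejected the call, so the outcome is
     * the same but is now an explicit authorization decision.
     *
     * @return {@code true} if access is granted
     */
    protected boolean authorize(SAMLSecurityContext sAMLSecurityContext, Method method) {
        List<ClaimBean> required = this.claims.get(method.getName());
        if (required == null) {
            // Deny by default: no requirement entry means the method was never configured.
            LOG.fine("No claim requirements registered for method " + method.getName() + ", access denied");
            return false;
        }
        ClaimCollection presented = sAMLSecurityContext.getClaims();
        for (ClaimBean requirement : required) {
            SAMLClaim expected = requirement.getClaim();
            Claim matching = findPresentedClaim(presented, expected);
            if (matching == null) {
                if (requirement.getClaimMode() == ClaimMode.STRICT) {
                    return false;
                }
                continue;
            }
            List<Object> expectedValues = expected.getValues();
            List<Object> presentedValues = matching.getValues();
            if (requirement.isMatchAll() && !presentedValues.containsAll(expectedValues)) {
                return false;
            }
            boolean sharesValue = false;
            for (Object value : presentedValues) {
                if (expectedValues.contains(value)) {
                    sharesValue = true;
                    break;
                }
            }
            if (!sharesValue) {
                return false;
            }
        }
        return true;
    }

    /** Returns the first presented SAML claim with the expected name and name format, or null. */
    private static Claim findPresentedClaim(ClaimCollection presented, SAMLClaim expected) {
        for (Iterator<Claim> it = presented.iterator(); it.hasNext();) {
            Claim candidate = it.next();
            if (candidate instanceof SAMLClaim
                    && ((SAMLClaim) candidate).getName().equals(expected.getName())
                    && ((SAMLClaim) candidate).getNameFormat().equals(expected.getNameFormat())) {
                return candidate;
            }
        }
        return null;
    }

    /**
     * Reads the claim annotations of the given service object and registers them as requirements.
     *
     * <p>Logs a warning when the scan leaves no method with any requirement. Checking the map for
     * emptiness is not enough, because scanning a class always adds an entry for {@code getClass}
     * even when nothing is annotated.
     */
    public void setSecuredObject(Object obj) {
        findClaims(ClassHelper.getRealClass(obj));
        if (!hasAnyClaimRequirement()) {
            LOG.warning("The claims list is empty, the service object is not protected");
        }
    }

    /** Returns true when at least one registered method has a non-empty requirement list. */
    private boolean hasAnyClaimRequirement() {
        for (List<ClaimBean> required : this.claims.values()) {
            if (required != null && !required.isEmpty()) {
                return true;
            }
        }
        return false;
    }

    /**
     * Registers, for every public method of {@code cls} outside {@code SKIP_METHODS}, the
     * method-level requirements plus any class-level requirement the method does not override.
     *
     * <p>The superclass and then the interfaces are scanned only while the requirement map is still
     * empty, so in practice the first type that exposes a public method ends the search.
     *
     * <p>NOTE(review): method annotations are not inherited by overriding methods in Java, so an
     * override declared without {@code @Claim}/{@code @Claims} is registered with the class-level
     * requirements only. Confirm this is intended for subclasses of annotated services.
     */
    protected void findClaims(Class<?> cls) {
        if (cls == null || cls == Object.class) {
            return;
        }
        List<ClaimBean> classLevel = getClaims(
                cls.getAnnotation(Claims.class),
                cls.getAnnotation(org.apache.cxf.security.claims.authorization.Claim.class));
        for (Method method : cls.getMethods()) {
            if (SKIP_METHODS.contains(method.getName())) {
                continue;
            }
            List<ClaimBean> methodLevel = getClaims(
                    method.getAnnotation(Claims.class),
                    method.getAnnotation(org.apache.cxf.security.claims.authorization.Claim.class));
            List<ClaimBean> effective = new ArrayList<ClaimBean>(methodLevel);
            for (ClaimBean inherited : classLevel) {
                if (!isClaimOverridden(inherited, methodLevel)) {
                    effective.add(inherited);
                }
            }
            // Keyed by name only: an overload scanned later replaces this entry.
            this.claims.put(method.getName(), effective);
        }
        if (this.claims.isEmpty()) {
            findClaims(cls.getSuperclass());
            if (this.claims.isEmpty()) {
                for (Class<?> iface : cls.getInterfaces()) {
                    findClaims(iface);
                }
            }
        }
    }

    /** Returns true when the list holds a requirement with the same claim name and name format. */
    private static boolean isClaimOverridden(ClaimBean claimBean, List<ClaimBean> list) {
        String name = claimBean.getClaim().getName();
        String format = claimBean.getClaim().getNameFormat();
        for (ClaimBean candidate : list) {
            if (name.equals(candidate.getClaim().getName())
                    && format.equals(candidate.getClaim().getNameFormat())) {
                return true;
            }
        }
        return false;
    }

    /**
     * Converts claim annotations into requirement beans, resolving name and format aliases.
     * A {@code @Claims} container takes precedence: the single {@code @Claim} is read only when
     * no container is present.
     */
    private List<ClaimBean> getClaims(Claims claims, org.apache.cxf.security.claims.authorization.Claim claim) {
        List<org.apache.cxf.security.claims.authorization.Claim> annotations =
                new ArrayList<org.apache.cxf.security.claims.authorization.Claim>();
        if (claims != null) {
            annotations.addAll(Arrays.asList(claims.value()));
        } else if (claim != null) {
            annotations.add(claim);
        }
        List<ClaimBean> beans = new ArrayList<ClaimBean>();
        for (org.apache.cxf.security.claims.authorization.Claim annotation : annotations) {
            String name = annotation.name();
            if (this.nameAliases.containsKey(name)) {
                name = this.nameAliases.get(name);
            }
            String format = annotation.format();
            if (this.formatAliases.containsKey(format)) {
                format = this.formatAliases.get(format);
            }
            SAMLClaim samlClaim = new SAMLClaim();
            samlClaim.setName(name);
            samlClaim.setNameFormat(format);
            for (String value : annotation.value()) {
                samlClaim.addValue(value);
            }
            beans.add(new ClaimBean(samlClaim, annotation.mode(), annotation.matchAll()));
        }
        return beans;
    }

    /**
     * Sets the claim-name aliases. Call before {@link #setSecuredObject(Object)}: requirements
     * that were already scanned keep the names resolved at that time.
     */
    public void setNameAliases(Map<String, String> map) {
        this.nameAliases = map;
    }

    /**
     * Sets the name-format aliases. Call before {@link #setSecuredObject(Object)}: requirements
     * that were already scanned keep the formats resolved at that time.
     */
    public void setFormatAliases(Map<String, String> map) {
        this.formatAliases = map;
    }
}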
