package org.geoserver.geofence.services.rest.auth;

import java.lang.reflect.Method;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.interceptor.security.AccessDeniedException;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.security.SecurityContext;
import org.apache.cxf.service.Service;
import org.apache.cxf.service.invoker.MethodDispatcher;
import org.apache.cxf.service.model.BindingOperationInfo;
import org.apache.log4j.LogManager;
import org.apache.log4j.Logger;

/* loaded from: input_file:org/geoserver/geofence/services/rest/auth/AuthorizationHandler.class */
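/**
 * CXF interceptor, registered for the {@code "pre-invoke"} phase, that decides whether the
 * caller may invoke the resolved service method by comparing configured role lists.
 *
 * <p>Configuration is injected through the three setters; every role list is written as a
 * single space-separated string.
 *
 * <p>Security-relevant behaviour that is visible in this class and should be kept in mind when
 * wiring it:
 * <ul>
 *   <li>{@link #handleMessage(Message)} performs no check at all when the message carries no
 *       {@link SecurityContext}; the request proceeds unchecked by this interceptor.</li>
 *   <li>{@link #isUserInRole(SecurityContext, List, boolean)} returns {@code true} for every
 *       caller while the user/roles map is empty, so role requirements are only enforced once
 *       {@link #setUserRolesMap(Map)} has been given at least one entry.</li>
 *   <li>Required roles are looked up by {@link Method#getName()} only, so overloaded methods
 *       and same-named methods of different services share one entry.</li>
 *   <li>When neither a per-method entry nor any global role is configured, and
 *       {@link #getDenyRoles(Method)} is empty, the call is allowed.</li>
 * </ul>
 */
public class AuthorizationHandler extends AbstractPhaseInterceptor<Message> {
    private static final Logger LOGGER = LogManager.getLogger(AuthorizationHandler.class);

    // Method name -> roles allowed to invoke it. Entries accumulate across setter calls.
    private final Map<String, List<String>> methodRolesMap;
    // Principal name -> roles held by that principal. Replaced wholesale by its setter.
    private Map<String, List<String>> userRolesMap;
    // Fallback role list for methods that have no entry in methodRolesMap.
    private List<String> globalRoles;

    /**
     * Converts a map of space-separated role strings into a map of role lists.
     *
     * <p>Values are split on a single space character. Consecutive or leading spaces therefore
     * produce empty-string entries in the resulting list, and an empty value produces a list
     * holding one empty string; such an entry matches an empty-string role on the other side
     * of the comparison, so configuration should use exactly one space between role names.
     *
     * @param map key -> space-separated roles; neither the map nor its values may be null
     * @return a new mutable map with the same keys and the split role lists
     */
    private static Map<String, List<String>> parseRolesMap(Map<String, String> map) {
        Map<String, List<String>> parsed = new HashMap<>();
        for (Map.Entry<String, String> entry : map.entrySet()) {
            parsed.put(entry.getKey(), Arrays.asList(entry.getValue().split(" ")));
        }
        return parsed;
    }

    /**
     * Neutralises line breaks in a request-derived value before it is written to the log, so
     * that one rejected request cannot appear as several log records.
     */
    private static String sanitizeForLog(String value) {
        return String.valueOf(value).replaceAll("[\\r\\n]", "_");
    }

    /** Creates the interceptor with no method roles, no user roles and no global roles. */
    public AuthorizationHandler() {
        super("pre-invoke");
        this.methodRolesMap = new HashMap<>();
        this.userRolesMap = Collections.emptyMap();
        this.globalRoles = Collections.emptyList();
    }

    /**
     * Rejects the message when a security context is present and {@link #authorize} denies the
     * target method.
     *
     * @throws AccessDeniedException if the caller is not authorised, or if the target method
     *     cannot be resolved (see {@link #getTargetMethod(Message)})
     */
    @Override
    public void handleMessage(Message message) throws Fault {
        SecurityContext securityContext = (SecurityContext) message.get(SecurityContext.class);
        // NOTE(review): a message without a SecurityContext is let through unchecked. This is
        // only safe if an earlier interceptor always installs one for protected endpoints.
        if (securityContext == null) {
            return;
        }
        if (!authorize(securityContext, getTargetMethod(message))) {
            throw new AccessDeniedException("Unauthorized");
        }
    }

    /**
     * Resolves the Java method the message is about to invoke.
     *
     * <p>When the exchange holds a {@link BindingOperationInfo}, the method is obtained from
     * the service's {@link MethodDispatcher}; otherwise it is read from the message property
     * {@code org.apache.cxf.resource.method}.
     *
     * @throws AccessDeniedException if neither source yields a method
     */
    protected Method getTargetMethod(Message message) {
        BindingOperationInfo bindingOperationInfo =
                (BindingOperationInfo) message.getExchange().get(BindingOperationInfo.class);
        if (bindingOperationInfo != null) {
            Service service = (Service) message.getExchange().get(Service.class);
            MethodDispatcher dispatcher =
                    (MethodDispatcher) service.get(MethodDispatcher.class.getName());
            return dispatcher.getMethod(bindingOperationInfo);
        }
        Method method = (Method) message.get("org.apache.cxf.resource.method");
        if (method != null) {
            return method;
        }
        // Fail closed: without a known target there is nothing to authorise against.
        throw new AccessDeniedException("Method is not available : Unauthorized");
    }

    /**
     * Decides whether the caller may invoke {@code method}.
     *
     * @return {@code true} when no roles are required and no deny roles apply, or when
     *     {@link #isUserInRole} accepts the caller; {@code false} otherwise
     */
    protected boolean authorize(SecurityContext securityContext, Method method) {
        List<String> expectedRoles = getExpectedRoles(method);
        if (expectedRoles.isEmpty()) {
            List<String> denyRoles = getDenyRoles(method);
            return denyRoles.isEmpty() || isUserInRole(securityContext, denyRoles, true);
        }
        if (isUserInRole(securityContext, expectedRoles, false)) {
            return true;
        }
        final java.security.Principal principal = securityContext.getUserPrincipal();
        if (principal != null) {
            // The principal name originates from the request; strip line breaks before logging.
            LOGGER.error(sanitizeForLog(principal.getName()) + " is not authorized");
        }
        return false;
    }

    /**
     * Checks whether the caller holds at least one of the given roles according to the
     * configured user/roles map.
     *
     * @param securityContext context supplying the caller's principal
     * @param list roles to look for
     * @param z passed as {@code true} by {@link #authorize} for deny-role checks; it is not
     *     read here. NOTE(review): as written, a subclass that makes
     *     {@link #getDenyRoles(Method)} non-empty would have membership in a deny role
     *     <em>grant</em> access; confirm the intended semantics before relying on deny roles.
     * @return {@code true} if the user/roles map is empty, or if the caller's configured roles
     *     intersect {@code list}; {@code false} if the caller is anonymous, unknown to the
     *     map, or holds none of the roles
     */
    protected boolean isUserInRole(SecurityContext securityContext, List<String> list, boolean z) {
        // NOTE(review): with no user/roles mapping configured every caller is accepted.
        if (this.userRolesMap.isEmpty()) {
            return true;
        }
        // An anonymous caller previously caused a NullPointerException here; authorize()
        // already treats a null principal as possible, so deny instead of failing.
        final java.security.Principal principal = securityContext.getUserPrincipal();
        if (principal == null) {
            return false;
        }
        List<String> grantedRoles = this.userRolesMap.get(principal.getName());
        if (grantedRoles == null) {
            return false;
        }
        for (String role : list) {
            if (grantedRoles.contains(role)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Returns the roles required for {@code method}: its entry in the method/roles map, keyed
     * by the bare method name, or the global roles when there is no such entry.
     */
    protected List<String> getExpectedRoles(Method method) {
        List<String> roles = this.methodRolesMap.get(method.getName());
        return roles != null ? roles : this.globalRoles;
    }

    /**
     * Adds method-name -> space-separated-roles entries to the existing map. Unlike
     * {@link #setUserRolesMap(Map)}, earlier entries are kept unless a key is repeated.
     */
    public void setMethodRolesMap(Map<String, String> map) {
        this.methodRolesMap.putAll(parseRolesMap(map));
    }

    /** Replaces the principal-name -> space-separated-roles map. */
    public void setUserRolesMap(Map<String, String> map) {
        this.userRolesMap = parseRolesMap(map);
    }

    /**
     * Replaces the fallback role list with the space-separated roles in {@code str}.
     *
     * <p>The string is split on a single space; an empty string yields a list holding one
     * empty-string role rather than an empty list.
     */
    public void setGlobalRoles(String str) {
        this.globalRoles = Arrays.asList(str.split(" "));
    }

    /** Returns the roles denied access to {@code method}; this implementation has none. */
    protected List<String> getDenyRoles(Method method) {
        return Collections.emptyList();
    }
}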
