package nl.nn.adapterframework.webcontrol.api;

import java.io.IOException;
import java.lang.reflect.Method;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Set;
import javax.annotation.Priority;
import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.Path;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;
import javax.ws.rs.ext.Provider;
import nl.nn.adapterframework.util.LogUtil;
import org.apache.cxf.jaxrs.utils.JAXRSUtils;
import org.apache.logging.log4j.Logger;

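/**
 * JAX-RS request filter that enforces the JSR-250 security annotations
 * ({@link DenyAll}, {@link PermitAll}, {@link RolesAllowed}) declared on the
 * matched resource <em>method</em>.
 *
 * <p>Evaluation order:
 * <ul>
 *   <li>Requests that carry no authenticated principal, and all {@code OPTIONS}
 *       requests, are passed through without any role check. NOTE(review): an
 *       unauthenticated caller is therefore never rejected by this filter; it
 *       relies on an upstream authentication layer (or an intentionally
 *       unsecured deployment) — confirm that is the intended contract.</li>
 *   <li>If the resource method cannot be obtained from the CXF message the
 *       request is aborted with 500 (fail closed).</li>
 *   <li>{@code @DenyAll} on the method aborts with 403.</li>
 *   <li>{@code @RolesAllowed} on the method (with no {@code @PermitAll}) requires
 *       the principal to hold at least one of the listed roles, otherwise 403.</li>
 * </ul>
 *
 * <p>Only method-level annotations are consulted; class-level security annotations
 * are not inspected here. NOTE(review): confirm that no resource class relies on a
 * class-level {@code @RolesAllowed} or {@code @DenyAll}.
 */
@Provider
@Priority(2000)
/* loaded from: input_file:adapterframework.war:WEB-INF/lib/ibis-adapterframework-core-7.6.5.jar:nl/nn/adapterframework/webcontrol/api/AuthorizationFilter.class */
public class AuthorizationFilter implements ContainerRequestFilter {
    /** CXF message property under which the matched resource method is stored. */
    private static final String CXF_RESOURCE_METHOD = "org.apache.cxf.resource.method";
    private static final Response FORBIDDEN = Response.status(Response.Status.FORBIDDEN).build();
    private static final Response SERVER_ERROR = Response.status(Response.Status.INTERNAL_SERVER_ERROR).build();
    protected Logger log = LogUtil.getLogger(this);

    /** Injected by the JAX-RS runtime; not read by this filter. */
    @Context
    private HttpServletRequest request;

    /**
     * Applies the security annotations of the matched resource method to the
     * current request, aborting it with 403 or 500 where required.
     *
     * @param containerRequestContext the request being filtered
     * @throws IOException declared by {@link ContainerRequestFilter}; not thrown here
     */
    @Override // javax.ws.rs.container.ContainerRequestFilter
    public void filter(ContainerRequestContext containerRequestContext) throws IOException {
        SecurityContext securityContext = containerRequestContext.getSecurityContext();
        // Anonymous requests and CORS pre-flights are not subject to role checks in this filter.
        if (securityContext.getUserPrincipal() == null || "OPTIONS".equalsIgnoreCase(containerRequestContext.getMethod())) {
            return;
        }
        Method method = (Method) JAXRSUtils.getCurrentMessage().get(CXF_RESOURCE_METHOD);
        if (method == null) {
            // Without the resource method its annotations cannot be evaluated; fail closed.
            this.log.error("unable to fetch resource method from CXF Message");
            containerRequestContext.abortWith(SERVER_ERROR);
            return;
        }
        if (method.isAnnotationPresent(DenyAll.class)) {
            containerRequestContext.abortWith(FORBIDDEN);
            return;
        }
        // @PermitAll on the same method takes precedence over @RolesAllowed.
        if (!method.isAnnotationPresent(PermitAll.class) && method.isAnnotationPresent(RolesAllowed.class)) {
            Set<String> requiredRoles = new HashSet<>(Arrays.asList(method.getAnnotation(RolesAllowed.class).value()));
            this.log.info("checking authorisation for user [{}] on uri [{}] required roles {}",
                    securityContext.getUserPrincipal().getName(), resourcePath(method), requiredRoles);
            if (!doAuth(securityContext, requiredRoles)) {
                containerRequestContext.abortWith(FORBIDDEN);
            }
        }
    }

    /**
     * Returns the method-level {@code @Path} value for the audit log line, or a
     * class-and-method description when the method carries no {@code @Path} of its
     * own (for instance when the path is declared on the class only). The previous
     * implementation dereferenced the annotation unconditionally and threw a
     * {@link NullPointerException} in that case, before any role check ran.
     *
     * @param method the matched resource method
     * @return a non-null description of the resource for logging purposes
     */
    private static String resourcePath(Method method) {
        Path path = method.getAnnotation(Path.class);
        if (path != null) {
            return path.value();
        }
        return method.getDeclaringClass().getSimpleName() + "#" + method.getName();
    }

    /**
     * Checks whether the caller holds at least one of the given roles.
     *
     * @param securityContext the request's security context
     * @param roles the roles accepted for the resource method
     * @return {@code true} if {@code securityContext} reports the user in any of
     *         {@code roles}; {@code false} otherwise, including for an empty set
     */
    private boolean doAuth(SecurityContext securityContext, Set<String> roles) {
        return roles.stream().anyMatch(securityContext::isUserInRole);
    }
}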
