package org.apache.deltaspike.security.impl.extension;

import java.lang.annotation.Annotation;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import javax.enterprise.context.spi.CreationalContext;
import javax.enterprise.inject.Stereotype;
import javax.enterprise.inject.Typed;
import javax.enterprise.inject.spi.AnnotatedMethod;
import javax.enterprise.inject.spi.AnnotatedParameter;
import javax.enterprise.inject.spi.Bean;
import javax.enterprise.inject.spi.BeanManager;
import javax.enterprise.util.Nonbinding;
import javax.interceptor.InvocationContext;
import org.apache.deltaspike.core.util.metadata.builder.InjectableMethod;
import org.apache.deltaspike.security.api.authorization.AccessDeniedException;
import org.apache.deltaspike.security.api.authorization.SecuredReturn;
import org.apache.deltaspike.security.api.authorization.SecurityBindingType;
import org.apache.deltaspike.security.api.authorization.SecurityDefinitionException;
import org.apache.deltaspike.security.api.authorization.SecurityViolation;
import org.apache.deltaspike.security.impl.authorization.SecurityParameterValueRedefiner;
import org.apache.deltaspike.security.impl.util.SecurityUtils;
import org.hibernate.validator.internal.engine.NodeImpl;
import org.hibernate.validator.internal.engine.PathImpl;

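/**
 * Pairs one authorizer method with the security binding annotation it answers for, and invokes
 * that method to decide whether an intercepted call may proceed.
 *
 * <p>At construction time the binding annotation's member values (except {@link Nonbinding}
 * members) and the authorizer method's parameter annotations are captured. {@link
 * #matchesBindings} later compares a secured method's binding against that captured state, and
 * {@link #authorize} runs the authorizer method itself.
 *
 * <p>The contextual bean that declares the authorizer method is resolved lazily on first use.
 */
@Typed
/* loaded from: input_file:WEB-INF/lib/deltaspike-security-module-impl-1.9.3.jar:org/apache/deltaspike/security/impl/extension/Authorizer.class */
class Authorizer {
    private static final String BINDING_MEMBER_ERROR = "Error reading security binding members";

    /** The security binding annotation this authorizer was registered for. */
    private final Annotation bindingAnnotation;

    /** Binding member -> value read from {@link #bindingAnnotation}; {@code @Nonbinding} members are excluded. */
    private final Map<Method, Object> bindingSecurityBindingMembers = new HashMap<>();

    /** One entry per authorizer-method parameter that carries security parameter binding annotations. */
    private final Set<AuthorizationParameter> authorizationParameters = new HashSet<>();

    /** Declared type of the {@code @SecuredReturn} parameter, or {@code null} if the method has none. */
    private Class<?> securedReturnType;

    private volatile AnnotatedMethod<?> boundAuthorizerMethod;

    /** Lazily resolved; also serves as the "initialised" flag for {@link #lazyInitTargetBean}. */
    private volatile Bean<?> boundAuthorizerBean;

    private volatile InjectableMethod<?> boundAuthorizerMethodProxy;

    /**
     * Captures the binding members of {@code annotation} and inspects the parameters of
     * {@code annotatedMethod}.
     *
     * @param annotation the security binding annotation found on the authorizer method
     * @param annotatedMethod the authorizer method
     * @throws SecurityDefinitionException if a binding member cannot be read, if a parameter
     *     carries both {@code @SecuredReturn} and a security parameter binding, or if two
     *     {@code @SecuredReturn} parameters have different types
     */
    public Authorizer(Annotation annotation, AnnotatedMethod<?> annotatedMethod) {
        this.bindingAnnotation = annotation;
        this.boundAuthorizerMethod = annotatedMethod;

        try {
            for (Method member : annotation.annotationType().getDeclaredMethods()) {
                if (!member.isAnnotationPresent(Nonbinding.class)) {
                    this.bindingSecurityBindingMembers.put(member, member.invoke(annotation));
                }
            }
        } catch (IllegalAccessException | InvocationTargetException e) {
            throw new SecurityDefinitionException(BINDING_MEMBER_ERROR, e);
        }

        for (AnnotatedParameter<?> parameter : annotatedMethod.getParameters()) {
            Set<Annotation> parameterBindings = null;
            Class<?> returnType = null;
            for (Annotation parameterAnnotation : parameter.getAnnotations()) {
                if (SecurityUtils.isMetaAnnotatedWithSecurityParameterBinding(parameterAnnotation)) {
                    if (parameterBindings == null) {
                        parameterBindings = new HashSet<>();
                    }
                    parameterBindings.add(parameterAnnotation);
                }
                if (parameterAnnotation.annotationType().equals(SecuredReturn.class)) {
                    returnType = annotatedMethod.getJavaMember().getParameterTypes()[parameter.getPosition()];
                }
            }

            if (parameterBindings != null && returnType != null) {
                // A parameter is either bound to an argument of the secured call or to its
                // return value, never both.
                throw new SecurityDefinitionException(
                        conflictingParameterMessage(annotatedMethod, parameter, parameterBindings));
            }

            if (parameterBindings != null) {
                this.authorizationParameters.add(
                        new AuthorizationParameter(parameter.getBaseType(), parameterBindings));
            } else if (returnType != null) {
                // Only differing types are rejected; a second @SecuredReturn parameter of the
                // same type is accepted by this check.
                if (this.securedReturnType != null && !this.securedReturnType.equals(returnType)) {
                    throw new SecurityDefinitionException("More than one parameter of "
                            + annotatedMethod.getJavaMember() + " is annotated with @SecuredReturn");
                }
                this.securedReturnType = returnType;
            }
        }
    }

    /** Builds the definition error for a parameter annotated with both kinds of binding. */
    private static String conflictingParameterMessage(
            AnnotatedMethod<?> annotatedMethod, AnnotatedParameter<?> parameter, Set<Annotation> parameterBindings) {
        StringBuilder message = new StringBuilder();
        message.append("@SecurityParameterBinding annotations must not occure ");
        message.append("at the same parameter with @SecuredReturn annotation, but parameter ");
        message.append(parameter.getPosition()).append(" of method ");
        message.append(annotatedMethod.getJavaMember()).append(" is annotated with @SecuredReturn and ");
        boolean first = true;
        for (Annotation binding : parameterBindings) {
            if (!first) {
                message.append(" and ");
            }
            first = false;
            message.append(binding);
        }
        if (parameterBindings.size() == 1) {
            message.append(", which is a @SecurityParameterBinding annotation");
        } else {
            message.append(", which are @SecurityParameterBinding annotations");
        }
        return message.toString();
    }

    /**
     * @return {@code true} if the authorizer method has no {@code @SecuredReturn} parameter
     */
    public boolean isBeforeMethodInvocationAuthorizer() {
        return this.securedReturnType == null;
    }

    /**
     * @return {@code true} if the authorizer method has a {@code @SecuredReturn} parameter
     */
    public boolean isAfterMethodInvocationAuthorizer() {
        return this.securedReturnType != null;
    }

    /**
     * Invokes the authorizer method and denies access when it returns {@code false}.
     *
     * @param invocationContext the intercepted invocation
     * @param obj passed through to {@link SecurityParameterValueRedefiner}; presumably the
     *     secured method's return value for after-invocation authorizers - confirm against caller
     * @param beanManager used to resolve the authorizer bean and obtain a reference to it
     * @throws AccessDeniedException if the authorizer method returns {@link Boolean#FALSE}
     * @throws IllegalStateException if no bean can be resolved for the authorizer's declaring class
     */
    public void authorize(InvocationContext invocationContext, Object obj, BeanManager beanManager) throws IllegalAccessException, IllegalArgumentException {
        if (this.boundAuthorizerBean == null) {
            lazyInitTargetBean(beanManager);
        }

        // NOTE(review): this CreationalContext is never released in this method. If the
        // authorizer bean or anything injected into the call is @Dependent, those instances may
        // be retained - confirm whether release() happens elsewhere.
        CreationalContext<?> creationalContext = beanManager.createCreationalContext(this.boundAuthorizerBean);
        Object authorizerInstance = beanManager.getReference(
                this.boundAuthorizerBean,
                this.boundAuthorizerMethod.getJavaMember().getDeclaringClass(),
                creationalContext);
        Object decision = this.boundAuthorizerMethodProxy.invoke(
                authorizerInstance,
                creationalContext,
                new SecurityParameterValueRedefiner(creationalContext, invocationContext, obj));

        // NOTE(review): only an explicit Boolean.FALSE denies. A null or non-Boolean result is
        // treated as "granted", so this check fails open unless the authorizer method's return
        // type is validated where authorizers are registered - confirm.
        if (Boolean.FALSE.equals(decision)) {
            Set<SecurityViolation> violations = new HashSet<>();
            violations.add(new SecurityViolation() { // from class: org.apache.deltaspike.security.impl.extension.Authorizer.1
                private static final long serialVersionUID = 2358753444038521129L;

                @Override // org.apache.deltaspike.security.api.authorization.SecurityViolation
                public String getReason() {
                    return "Authorization check failed";
                }
            });
            throw new AccessDeniedException(violations);
        }
    }

    /**
     * Resolves the bean declaring the authorizer method and builds the injectable method proxy.
     * Synchronized and re-checked so that concurrent first calls initialise only once.
     */
    private synchronized void lazyInitTargetBean(BeanManager beanManager) {
        if (this.boundAuthorizerBean != null) {
            return;
        }
        Method javaMember = this.boundAuthorizerMethod.getJavaMember();
        Bean<?> resolved = beanManager.resolve(beanManager.getBeans(javaMember.getDeclaringClass()));
        if (resolved == null) {
            // Literal separators keep this message independent of unrelated library constants.
            throw new IllegalStateException("Exception looking up authorizer method bean - no beans found for method ["
                    + javaMember.getDeclaringClass() + "." + javaMember.getName() + "]");
        }
        // Write the proxy before the bean: authorize() uses the bean field as its
        // "initialised" flag, so the proxy must already be visible when the bean is.
        this.boundAuthorizerMethodProxy = new InjectableMethod<>(this.boundAuthorizerMethod, resolved, beanManager);
        this.boundAuthorizerBean = resolved;
    }

    /**
     * Decides whether this authorizer answers for the given binding on a secured method.
     *
     * @param annotation the binding found on the secured method; a stereotype that is not itself
     *     a security binding type is first resolved to the binding it carries
     * @param set the authorization parameters available at the secured method
     * @param cls the secured method's return type
     * @return {@code true} if the annotation type, every binding member value, every
     *     authorization parameter of this authorizer and the secured return type all match
     * @throws SecurityDefinitionException if a binding member cannot be read
     */
    public boolean matchesBindings(Annotation annotation, Set<AuthorizationParameter> set, Class<?> cls) {
        Annotation binding = annotation;
        if (!binding.annotationType().isAnnotationPresent(SecurityBindingType.class)
                && binding.annotationType().isAnnotationPresent(Stereotype.class)) {
            binding = SecurityUtils.resolveSecurityBindingType(binding);
        }
        if (!binding.annotationType().equals(this.bindingAnnotation.annotationType())) {
            return false;
        }

        for (Method member : binding.annotationType().getDeclaredMethods()) {
            if (member.isAnnotationPresent(Nonbinding.class)) {
                continue;
            }
            if (!this.bindingSecurityBindingMembers.containsKey(member)) {
                return false;
            }
            try {
                // Annotations hand out a fresh array on every read of an array-valued member,
                // so plain equals() would compare identity and never match; deepEquals compares
                // contents and is the same as equals() for every other member type.
                Object expected = this.bindingSecurityBindingMembers.get(member);
                if (!Objects.deepEquals(expected, member.invoke(binding))) {
                    return false;
                }
            } catch (IllegalAccessException | InvocationTargetException e) {
                throw new SecurityDefinitionException(BINDING_MEMBER_ERROR, e);
            }
        }

        // Every parameter binding this authorizer needs must be offered by the secured method.
        for (AuthorizationParameter required : this.authorizationParameters) {
            boolean satisfied = false;
            for (AuthorizationParameter offered : set) {
                if (offered.matches(required)) {
                    satisfied = true;
                    break;
                }
            }
            if (!satisfied) {
                return false;
            }
        }
        return matches(cls);
    }

    /**
     * Checks the secured method's return type against the {@code @SecuredReturn} parameter type.
     * With no such parameter, any return type matches; a {@code Void} parameter also accepts a
     * primitive {@code void} return type.
     */
    private boolean matches(Class<?> cls) {
        if (this.securedReturnType == null || this.securedReturnType.isAssignableFrom(cls)) {
            return true;
        }
        return this.securedReturnType.equals(Void.class) && cls.equals(Void.TYPE);
    }

    /**
     * @return the reflective authorizer method this instance was created for
     */
    public Method getBoundAuthorizerMethod() {
        return this.boundAuthorizerMethod.getJavaMember();
    }
}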
