package org.hippoecm.hst.jaxrs.cxf;

import java.lang.reflect.Method;
import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ws.rs.core.Response;
import org.apache.commons.lang.StringUtils;
import org.apache.cxf.jaxrs.impl.SecurityContextImpl;
import org.apache.cxf.jaxrs.model.OperationResourceInfo;
import org.apache.cxf.message.Exchange;
import org.apache.cxf.message.MessageContentsList;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/hst-jaxrs-2.28.06.jar:org/hippoecm/hst/jaxrs/cxf/SecurityAnnotationInvokerPreprocessor.class */
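public class SecurityAnnotationInvokerPreprocessor implements InvokerPreprocessor {
    private static final Logger log = LoggerFactory.getLogger(SecurityAnnotationInvokerPreprocessor.class);

    /**
     * Short-circuits the invocation with a {@code 403 Forbidden} response when the
     * operation resolved for this exchange is not accessible to the current user
     * according to its JSR-250 security annotations ({@link DenyAll},
     * {@link RolesAllowed}, {@link PermitAll}).
     *
     * @param exchange the CXF exchange; its in-message supplies the security context
     *                 and the exchange carries the resolved {@link OperationResourceInfo}
     * @param obj      the service object; not consulted by this preprocessor
     * @return a {@link MessageContentsList} wrapping a {@code FORBIDDEN} response when
     *         access is denied, or {@code null} to let the invocation proceed
     */
    @Override // org.hippoecm.hst.jaxrs.cxf.InvokerPreprocessor
    public Object preprocoess(Exchange exchange, Object obj) {
        // The method name (including its spelling) is fixed by the InvokerPreprocessor interface.
        if (isForbiddenOperation(exchange)) {
            return new MessageContentsList(Response.status(Response.Status.FORBIDDEN).build());
        }
        return null;
    }

    /**
     * Decides whether the operation selected for {@code exchange} must be refused.
     * <p>
     * Evaluation order follows JSR-250 precedence: annotations on the method itself win;
     * only when the method carries none are the annotations of its declaring class
     * consulted. At each level {@code @DenyAll} refuses, {@code @RolesAllowed} refuses
     * unless the user holds at least one listed role, and {@code @PermitAll} allows.
     * With no security annotation at either level the operation is allowed.
     * <p>
     * Only the method's declaring class is inspected via {@link Class#getAnnotation},
     * so annotations placed on a superclass or interface are not seen here
     * (NOTE(review): the JSR-250 annotations are not {@code @Inherited} — confirm this
     * matches how resources are declared in this project).
     *
     * @param exchange the CXF exchange for the current request
     * @return {@code true} when the operation is forbidden for the current user
     * @throws NullPointerException if no {@link OperationResourceInfo} is present on the
     *         exchange; this fails closed rather than silently allowing the call
     */
    protected boolean isForbiddenOperation(Exchange exchange) {
        SecurityContextImpl securityContext = new SecurityContextImpl(exchange.getInMessage());
        OperationResourceInfo operationInfo = exchange.get(OperationResourceInfo.class);
        Method methodToInvoke = operationInfo.getMethodToInvoke();

        // Method-level annotations take precedence over anything declared on the type.
        if (methodToInvoke.getAnnotation(DenyAll.class) != null) {
            log.debug("The operation is denied to all.");
            return true;
        }
        RolesAllowed methodRoles = methodToInvoke.getAnnotation(RolesAllowed.class);
        if (methodRoles != null) {
            String[] roles = methodRoles.value();
            if (isUserInAnyRole(securityContext, roles)) {
                return false;
            }
            log.debug("The user is not in any role: " + StringUtils.join(roles, ", "));
            return true;
        }
        if (methodToInvoke.getAnnotation(PermitAll.class) != null) {
            log.debug("The operation is permitted to all.");
            return false;
        }

        // No method-level annotation: fall back to the declaring type.
        Class<?> declaringType = methodToInvoke.getDeclaringClass();
        // A type-level @DenyAll must refuse unannotated methods; without this check the
        // type-level evaluation would fall through to "allowed" for such a class.
        if (declaringType.getAnnotation(DenyAll.class) != null) {
            log.debug("The type is denied to all.");
            return true;
        }
        RolesAllowed typeRoles = declaringType.getAnnotation(RolesAllowed.class);
        if (typeRoles != null) {
            String[] roles = typeRoles.value();
            if (isUserInAnyRole(securityContext, roles)) {
                return false;
            }
            log.debug("The user is not in any role defined in the type: " + StringUtils.join(roles, ", "));
            return true;
        }
        if (declaringType.getAnnotation(PermitAll.class) != null) {
            log.debug("The type is permitted to all.");
        }
        // No security annotation at either level: the operation is accessible.
        return false;
    }

    /**
     * Reports whether the current user holds at least one of the given roles.
     *
     * @param securityContext the security context of the current request
     * @param roles           role names from a {@code @RolesAllowed} value; may be {@code null}
     * @return {@code true} if {@link SecurityContextImpl#isUserInRole} holds for any entry
     */
    private static boolean isUserInAnyRole(SecurityContextImpl securityContext, String[] roles) {
        if (roles == null) {
            return false;
        }
        for (String role : roles) {
            if (securityContext.isUserInRole(role)) {
                log.debug("The user is in role: " + role);
                return true;
            }
        }
        return false;
    }
}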
