package org.jboss.ejb.plugins;

import java.security.Principal;
import java.util.Map;
import java.util.Set;
import javax.ejb.EJBException;
import org.jboss.ejb.Container;
import org.jboss.invocation.Invocation;
import org.jboss.invocation.InvocationType;
import org.jboss.security.AnybodyPrincipal;
import org.jboss.security.RealmMapping;
import org.jboss.security.RunAsIdentity;
import org.jboss.security.SecurityAssociation;

/* loaded from: input_file:org/jboss/ejb/plugins/SecurityRolesInterceptor.class */
/**
 * Container interceptor that enforces per-method role permissions before an
 * invocation is handed to the next interceptor in the chain.
 *
 * <p>Decision order, as implemented in {@code checkSecurityAssociation}:
 * <ol>
 *   <li>No {@link RealmMapping} configured: the call is rejected.</li>
 *   <li>The container returns no permission set for the method: the call is rejected.</li>
 *   <li>The permission set contains {@link AnybodyPrincipal#ANYBODY_PRINCIPAL}: the call is
 *       allowed without consulting any identity.</li>
 *   <li>A run-as identity is on the {@link SecurityAssociation} stack: only that identity's
 *       roles are checked; the invocation's principal is not consulted.</li>
 *   <li>Otherwise the invocation's principal is checked through the {@link RealmMapping}.</li>
 * </ol>
 * Every rejection is an {@link EJBException} wrapping a {@link SecurityException}, so the
 * check fails closed.
 *
 * <p>NOTE(review): the rejection messages carry the required roles and the roles held by the
 * principal or run-as identity, and the same string is used for both the log entry and the
 * thrown exception. Whether that exception text reaches a remote caller is not visible from
 * this class; if it does, consider keeping the role detail in the server log only.
 */
public class SecurityRolesInterceptor extends AbstractInterceptor {
    // Role-mapping manager obtained from the container; all principal role checks go through it.
    protected RealmMapping realmMapping;
    // Security roles read from the assembly descriptor. Assigned in setContainer but not read
    // anywhere in this class.
    protected Map securityRoles;

    /**
     * Stores the container on the superclass and, when it is non-null, caches the declared
     * security roles and the realm mapping from it.
     *
     * @param container the owning container, or {@code null}; with {@code null} the cached
     *                  fields are left untouched
     */
    @Override
    public void setContainer(Container container) {
        super.setContainer(container);
        if (container == null) {
            return;
        }
        this.securityRoles = container.getBeanMetaData()
                .getApplicationMetaData()
                .getAssemblyDescriptor()
                .getSecurityRoles();
        this.realmMapping = container.getRealmMapping();
    }

    /**
     * Delegates to the superclass; this interceptor does no start-up work of its own.
     */
    @Override
    public void start() throws Exception {
        super.start();
    }

    /**
     * Runs the role check for a home-interface invocation, then forwards it.
     *
     * @param invocation the home invocation to authorize
     * @return whatever the next interceptor returns
     * @throws Exception an {@link EJBException} when the check rejects the call, or anything
     *                   thrown further down the chain
     */
    @Override
    public Object invokeHome(Invocation invocation) throws Exception {
        // Authorization must complete before the next interceptor sees the call.
        checkSecurityAssociation(invocation);
        return getNext().invokeHome(invocation);
    }

    /**
     * Runs the role check for a bean-method invocation, then forwards it.
     *
     * @param invocation the invocation to authorize
     * @return whatever the next interceptor returns
     * @throws Exception an {@link EJBException} when the check rejects the call, or anything
     *                   thrown further down the chain
     */
    @Override
    public Object invoke(Invocation invocation) throws Exception {
        // Authorization must complete before the next interceptor sees the call.
        checkSecurityAssociation(invocation);
        return getNext().invoke(invocation);
    }

    /**
     * Decides whether the invocation may proceed, returning normally when it may.
     *
     * @param invocation the invocation whose method, interface type and principal are checked
     * @throws Exception an {@link EJBException} wrapping a {@link SecurityException} when no
     *                   realm mapping is set, when the method has no permission set, or when
     *                   the effective identity lacks every required role
     */
    private void checkSecurityAssociation(Invocation invocation) throws Exception {
        final Principal caller = invocation.getPrincipal();
        final boolean tracing = this.log.isTraceEnabled();

        // Without a role-mapping manager nothing can be verified, so reject the call.
        if (this.realmMapping == null) {
            throw new EJBException("checkSecurityAssociation", new SecurityException("Role mapping manager has not been set"));
        }

        final InvocationType iface = invocation.getType();
        final Set requiredRoles = this.container.getMethodPermissions(invocation.getMethod(), iface);

        // A method with no permission set is rejected, not treated as unrestricted.
        if (requiredRoles == null) {
            final String unassigned = "No method permissions assigned to method=" + invocation.getMethod().getName() + ", interface=" + iface;
            this.log.error(unassigned);
            throw new EJBException("checkSecurityAssociation", new SecurityException(unassigned));
        }
        if (tracing) {
            this.log.trace("method=" + invocation.getMethod() + ", interface=" + iface + ", requiredRoles=" + requiredRoles);
        }

        final RunAsIdentity runAs = SecurityAssociation.peekRunAsIdentity();

        // The ANYBODY marker short-circuits the check: neither the run-as identity nor the
        // invocation's principal is looked at on this path.
        if (requiredRoles.contains(AnybodyPrincipal.ANYBODY_PRINCIPAL)) {
            return;
        }

        // A run-as identity, when present, fully replaces the invocation's principal for the
        // role check.
        if (runAs != null) {
            if (!runAs.doesUserHaveRole(requiredRoles)) {
                final String runAsDenied = "Insufficient method permissions, runAsPrincipal=" + runAs.getName()
                        + describeCall(invocation, iface, requiredRoles)
                        + ", runAsRoles=" + runAs.getRunAsRoles();
                this.log.error(runAsDenied);
                throw new EJBException("checkSecurityAssociation", new SecurityException(runAsDenied));
            }
            return;
        }

        if (!this.realmMapping.doesUserHaveRole(caller, requiredRoles)) {
            // NOTE(review): the principal is concatenated into the log line as-is; presumably
            // its name originates from the caller — confirm the log layout neutralises line
            // breaks so a crafted name cannot forge entries.
            final String callerDenied = "Insufficient method permissions, principal=" + caller
                    + describeCall(invocation, iface, requiredRoles)
                    + ", principalRoles=" + this.realmMapping.getUserRoles(caller);
            this.log.error(callerDenied);
            throw new EJBException("checkSecurityAssociation", new SecurityException(callerDenied));
        }
    }

    /**
     * Builds the method / interface / required-roles fragment shared by both
     * "Insufficient method permissions" messages.
     */
    private static String describeCall(Invocation invocation, InvocationType iface, Set requiredRoles) {
        return ", method=" + invocation.getMethod().getName() + ", interface=" + iface + ", requiredRoles=" + requiredRoles;
    }
}
