package org.apache.archiva.redback.rest.services.interceptors;

import javax.inject.Inject;
import javax.inject.Named;
import javax.ws.rs.core.Response;
import org.apache.archiva.redback.authentication.AuthenticationResult;
import org.apache.archiva.redback.authorization.AuthorizationException;
import org.apache.archiva.redback.authorization.RedbackAuthorization;
import org.apache.archiva.redback.integration.filter.authentication.basic.HttpBasicAuthentication;
import org.apache.archiva.redback.system.SecuritySession;
import org.apache.archiva.redback.system.SecuritySystem;
import org.apache.commons.lang.StringUtils;
import org.apache.cxf.jaxrs.ext.RequestHandler;
import org.apache.cxf.jaxrs.model.ClassResourceInfo;
import org.apache.cxf.message.Message;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.stereotype.Service;

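/**
 * CXF request handler that enforces the {@link RedbackAuthorization} annotation of the
 * resource being invoked.
 * <p>
 * Returning {@code null} lets the request continue down the chain; returning a
 * {@code 403 Forbidden} response short-circuits it. The handler fails closed: every path
 * that cannot positively establish authorization ends in a 403 — a resource without the
 * annotation, an annotation that lists no permission and does not declare
 * {@code noPermission()}, an unauthenticated caller, a caller granted none of the listed
 * permissions, and an {@link AuthorizationException} raised during the check. Only
 * {@code noRestriction()} resources and explicit {@code noPermission()} resources pass
 * without an authorization check.
 */
@Service("permissionInterceptor#rest")
/* loaded from: input_file:WEB-INF/lib/redback-rest-services-2.0.jar:org/apache/archiva/redback/rest/services/interceptors/PermissionsInterceptor.class */
public class PermissionsInterceptor extends AbstractInterceptor implements RequestHandler {

    @Inject
    @Named("securitySystem")
    private SecuritySystem securitySystem;

    @Inject
    @Named("httpAuthenticator#basic")
    private HttpBasicAuthentication httpAuthenticator;

    private final Logger log = LoggerFactory.getLogger(getClass());

    /**
     * Decides whether the current request may reach the annotated resource.
     *
     * @param message           the CXF message carrying the request, the request URI and the
     *                          {@link AuthenticationResult} set by the authentication layer
     * @param classResourceInfo resource metadata supplied by CXF (not consulted here)
     * @return {@code null} to let the request proceed, otherwise a {@code 403 Forbidden}
     *         response that terminates the request
     */
    @Override // org.apache.cxf.jaxrs.ext.RequestHandler
    public Response handleRequest(Message message, ClassResourceInfo classResourceInfo) {
        RedbackAuthorization redbackAuthorization = getRedbackAuthorization(message);
        if (redbackAuthorization == null) {
            // Without the annotation we cannot know what the resource requires: deny rather than guess.
            this.log.warn("http path {} doesn't contain any informations regarding permissions ", message.get(Message.REQUEST_URI));
            return forbidden();
        }
        if (redbackAuthorization.noRestriction()) {
            return null;
        }

        String[] permissions = redbackAuthorization.permissions();
        if (permissions == null || permissions.length <= 0 || (permissions.length == 1 && StringUtils.isEmpty(permissions[0]))) {
            if (!redbackAuthorization.noPermission()) {
                // No permission listed and no explicit opt-out: treat as a misconfiguration and fail closed.
                return forbidden();
            }
            this.log.debug("path {} doesn't need special permission", message.get(Message.REQUEST_URI));
            return null;
        }

        SecuritySession securitySession = this.httpAuthenticator.getSecuritySession(getHttpServletRequest(message).getSession());
        AuthenticationResult authenticationResult = message.get(AuthenticationResult.class);
        if (authenticationResult == null || !authenticationResult.isAuthenticated()) {
            // An unauthenticated caller may have no session (or no user on it); the log call must not NPE.
            this.log.debug("user {} not authenticated", usernameOf(securitySession));
            return forbidden();
        }

        // Hoisted: the resource is the same for every permission checked below.
        String resource = StringUtils.isBlank(redbackAuthorization.resource()) ? null : redbackAuthorization.resource();
        for (String permission : permissions) {
            if (StringUtils.isBlank(permission)) {
                continue;
            }
            try {
                // Holding any one of the listed permissions is sufficient.
                if (this.securitySystem.isAuthorized(securitySession, permission, resource)) {
                    return null;
                }
                this.log.debug("user {} not authorized for permission {}", principalOf(securitySession), permission);
            } catch (AuthorizationException e) {
                // An error while checking is not a grant.
                this.log.debug(e.getMessage(), e);
                return forbidden();
            }
        }

        this.log.debug("user {} holds none of the permissions required for http path {}", principalOf(securitySession), message.get(Message.REQUEST_URI));
        return forbidden();
    }

    /** Builds the response that terminates a request this handler refuses. */
    private static Response forbidden() {
        return Response.status(Response.Status.FORBIDDEN).build();
    }

    /** Username of the session's user for logging, or {@code null} when there is no session or user. */
    private static String usernameOf(SecuritySession session) {
        if (session == null || session.getUser() == null) {
            return null;
        }
        return session.getUser().getUsername();
    }

    /** Principal of the session's user for logging, or {@code null} when there is no session or user. */
    private static Object principalOf(SecuritySession session) {
        if (session == null || session.getUser() == null) {
            return null;
        }
        return session.getUser().getPrincipal();
    }
}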
