package org.apache.cxf.interceptor.security;

import java.lang.reflect.Method;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.logging.Level;
import java.util.logging.Logger;
import org.apache.cxf.common.logging.LogUtils;
import org.apache.cxf.message.Message;
import org.apache.cxf.message.MessageUtils;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;
import org.apache.cxf.security.SecurityContext;

/* loaded from: input_file:WEB-INF/lib/cxf-core-3.4.9.jar:org/apache/cxf/interceptor/security/AbstractAuthorizingInInterceptor.class */
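public abstract class AbstractAuthorizingInInterceptor extends AbstractPhaseInterceptor<Message> {
    private static final Logger LOG = LogUtils.getL7dLogger(AbstractAuthorizingInInterceptor.class);
    /** Wildcard role name: a role list consisting of this single entry matches every authenticated user. */
    private static final String ALL_ROLES = "*";
    /**
     * Whether a request without a user principal may reach a method that declares
     * neither expected nor deny roles. Defaults to {@code true}.
     */
    private boolean allowAnonymousUsers = true;

    /** Creates the interceptor in the {@link Phase#PRE_INVOKE} phase with a unique id. */
    public AbstractAuthorizingInInterceptor() {
        this(true);
    }

    /**
     * Creates the interceptor in the {@link Phase#PRE_INVOKE} phase.
     *
     * @param uniqueId passed through to {@link AbstractPhaseInterceptor}
     */
    public AbstractAuthorizingInInterceptor(boolean uniqueId) {
        super(null, Phase.PRE_INVOKE, uniqueId);
    }

    /**
     * Authorizes the invocation targeted by {@code message} or rejects it.
     *
     * <p>The decision is deny-by-default: the request proceeds only if either
     * (a) no user principal is present, the target method carries no role
     * constraints at all and anonymous users are allowed, or (b) a principal is
     * present and {@link #authorize(SecurityContext, Method)} accepts it.
     *
     * @param message the inbound message; its target method is resolved via {@link MessageUtils#getTargetMethod(Message)}
     * @throws AccessDeniedException if no target method can be resolved or the caller is not authorized
     */
    @Override // org.apache.cxf.interceptor.Interceptor
    public void handleMessage(Message message) {
        // No resolvable target method is treated as an authorization failure, not a server error.
        Method method = MessageUtils.getTargetMethod(message)
            .orElseThrow(() -> new AccessDeniedException("Method is not available : Unauthorized"));
        SecurityContext sc = message.get(SecurityContext.class);

        boolean anonymous = sc == null || sc.getUserPrincipal() == null;
        if (anonymous) {
            // Anonymous callers never reach a method that has any expected or deny roles.
            if (!isMethodProtected(method) && isAllowAnonymousUsers()) {
                return;
            }
        } else if (authorize(sc, method)) {
            return;
        }
        throw new AccessDeniedException("Unauthorized");
    }

    /**
     * Decides whether the authenticated caller may invoke {@code method}.
     *
     * <p>If the method declares expected roles, the caller must hold at least one
     * of them. Otherwise the caller is permitted unless it holds one of the deny
     * roles returned by {@link #getDenyRoles(Method)}.
     *
     * @param sc the caller's security context
     * @param method the target method
     * @return {@code true} if the invocation is permitted
     */
    protected boolean authorize(SecurityContext sc, Method method) {
        List<String> expectedRoles = getExpectedRoles(method);
        if (expectedRoles.isEmpty()) {
            // No required roles: allow unless the caller is in a deny role.
            List<String> denyRoles = getDenyRoles(method);
            return denyRoles.isEmpty() || isUserInRole(sc, denyRoles, true);
        }
        if (isUserInRole(sc, expectedRoles, false)) {
            return true;
        }
        if (LOG.isLoggable(Level.FINE)) {
            // Guarded: handleMessage only calls this with a principal, but subclasses may not.
            String user = sc.getUserPrincipal() == null ? "<anonymous>" : sc.getUserPrincipal().getName();
            LOG.fine(user + " is not authorized");
        }
        return false;
    }

    /**
     * Returns whether {@code method} carries any role constraint (expected or deny roles).
     *
     * @param method the target method
     * @return {@code true} if at least one expected or deny role is declared
     */
    protected boolean isMethodProtected(Method method) {
        return !(getExpectedRoles(method).isEmpty() && getDenyRoles(method).isEmpty());
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Evaluates a role list against the caller and returns the resulting access decision.
     *
     * <p>A list consisting solely of {@link #ALL_ROLES} matches every caller;
     * otherwise the caller matches if {@link SecurityContext#isUserInRole(String)}
     * holds for any entry. The meaning of a match depends on {@code deny}:
     * for an allow list ({@code deny == false}) a match grants access, for a
     * deny list ({@code deny == true}) a match refuses it. An empty list
     * therefore yields {@code deny} (refuse for allow lists, permit for deny lists).
     *
     * @param sc the caller's security context
     * @param roles the roles to test
     * @param deny {@code true} if {@code roles} is a deny list, {@code false} if it is an allow list
     * @return {@code true} if access is permitted
     */
    public boolean isUserInRole(SecurityContext sc, List<String> roles, boolean deny) {
        boolean matched = (roles.size() == 1 && ALL_ROLES.equals(roles.get(0)))
            || roles.stream().anyMatch(sc::isUserInRole);
        return matched ? !deny : deny;
    }

    /**
     * Returns the roles of which the caller must hold at least one to invoke {@code method}.
     *
     * @param method the target method
     * @return the expected roles; empty if the method requires none
     */
    protected abstract List<String> getExpectedRoles(Method method);

    /**
     * Returns the roles that are refused access to {@code method} when it declares no expected roles.
     *
     * @param method the target method
     * @return the deny roles; empty by default
     */
    protected List<String> getDenyRoles(Method method) {
        return Collections.emptyList();
    }

    /** @return whether unauthenticated callers may invoke unprotected methods */
    public boolean isAllowAnonymousUsers() {
        return this.allowAnonymousUsers;
    }

    /** @param allowAnonymousUsers whether unauthenticated callers may invoke unprotected methods */
    public void setAllowAnonymousUsers(boolean allowAnonymousUsers) {
        this.allowAnonymousUsers = allowAnonymousUsers;
    }
}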
