package org.apache.geronimo.microprofile.impl.jwtauth.jaxrs;

import java.io.IOException;
import java.util.Collection;
import java.util.Collections;
import java.util.stream.Stream;
import javax.json.Json;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;

/* loaded from: input_file:org/apache/geronimo/microprofile/impl/jwtauth/jaxrs/RolesAllowedRequestFilter.class */
class RolesAllowedRequestFilter implements ContainerRequestFilter {
    private final Response forbidden = Response.status(Response.Status.FORBIDDEN).entity(Json.createObjectBuilder(Collections.emptyMap()).add("message", "you are not allowed to access that endpoint").build()).build();
    private final boolean denyAll;
    private final boolean permitAll;
    private final Collection<String> roles;

    /* JADX INFO: Access modifiers changed from: package-private */
    public RolesAllowedRequestFilter(boolean z, boolean z2, Collection<String> collection) {
        this.denyAll = z;
        this.permitAll = z2;
        this.roles = collection;
    }

    public void filter(ContainerRequestContext containerRequestContext) throws IOException {
        if (this.denyAll) {
            containerRequestContext.abortWith(this.forbidden);
            return;
        }
        if (this.permitAll) {
            return;
        }
        SecurityContext securityContext = containerRequestContext.getSecurityContext();
        if (securityContext != null) {
            Stream<String> stream = this.roles.stream();
            securityContext.getClass();
            if (!stream.noneMatch(securityContext::isUserInRole)) {
                return;
            }
        }
        containerRequestContext.abortWith(this.forbidden);
    }
}
