package org.apache.cxf.rt.security.saml.xacml2;

import java.security.Principal;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import java.util.logging.Level;
import java.util.logging.Logger;
import org.apache.cxf.common.logging.LogUtils;
import org.apache.cxf.helpers.DOMUtils;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.interceptor.security.AccessDeniedException;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;
import org.apache.cxf.security.LoginSecurityContext;
import org.apache.cxf.security.SecurityContext;
import org.apache.wss4j.common.saml.OpenSAMLUtil;
import org.apache.wss4j.common.util.DOM2Writer;
import org.opensaml.xacml.ctx.DecisionType;
import org.opensaml.xacml.ctx.RequestType;
import org.opensaml.xacml.ctx.ResponseType;
import org.opensaml.xacml.ctx.ResultType;
import org.opensaml.xacml.ctx.StatusType;

/* loaded from: input_file:lib/cxf-rt-security-saml-3.4.5.jar:org/apache/cxf/rt/security/saml/xacml2/AbstractXACMLAuthorizingInterceptor.class */
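/**
 * Base interceptor that authorizes a message by building an XACML 2.0 request from the
 * message's {@link LoginSecurityContext} and submitting it to a Policy Decision Point.
 *
 * <p>Subclasses implement {@link #performRequest(RequestType, Message)} to contact the PDP.
 * The interceptor runs in the {@link Phase#PRE_INVOKE} phase and fails closed: any
 * exception, missing result, missing decision or non-{@code Permit} decision results in an
 * {@link AccessDeniedException}.
 */
public abstract class AbstractXACMLAuthorizingInterceptor extends AbstractPhaseInterceptor<Message> {
    private static final Logger LOG = LogUtils.getL7dLogger(AbstractXACMLAuthorizingInterceptor.class);
    private static final String UNAUTHORIZED = "Unauthorized";

    // Builds the XACML request; replaceable via setRequestBuilder.
    private XACMLRequestBuilder requestBuilder;

    /**
     * Registers the interceptor in the PRE_INVOKE phase with a
     * {@link DefaultXACMLRequestBuilder} and initializes the OpenSAML engine.
     */
    public AbstractXACMLAuthorizingInterceptor() {
        super(Phase.PRE_INVOKE);
        this.requestBuilder = new DefaultXACMLRequestBuilder();
        OpenSAMLUtil.initSamlEngine();
    }

    /**
     * Authorizes the message or throws.
     *
     * <p>Authorization is only attempted when the message's {@link SecurityContext} is a
     * {@link LoginSecurityContext}, because the role set is required to build the request.
     * Any other context type is treated as a denial.
     *
     * @param message the message under authorization
     * @throws AccessDeniedException when the context is not a {@link LoginSecurityContext},
     *         when {@link #authorize(Principal, List, Message)} returns {@code false}, or when
     *         it throws (the cause is logged at FINE and not propagated)
     */
    @Override // org.apache.cxf.interceptor.Interceptor
    public void handleMessage(Message message) throws Fault {
        SecurityContext securityContext = message.get(SecurityContext.class);
        if (!(securityContext instanceof LoginSecurityContext)) {
            LOG.log(Level.FINE, "The SecurityContext was not an instance of LoginSecurityContext. No authorization is possible as a result");
            throw new AccessDeniedException(UNAUTHORIZED);
        }

        Principal userPrincipal = securityContext.getUserPrincipal();
        String name = userPrincipal != null ? userPrincipal.getName() : null;
        List<String> roles = collectRoleNames(((LoginSecurityContext) securityContext).getUserRoles(), name);

        boolean permitted;
        try {
            permitted = authorize(userPrincipal, roles, message);
        } catch (Exception e) {
            // The decision/transport failure is deliberately not surfaced to the caller;
            // only the generic denial is thrown.
            if (LOG.isLoggable(Level.FINE)) {
                LOG.log(Level.FINE, "Unauthorized: " + e.getMessage(), e);
            }
            throw new AccessDeniedException(UNAUTHORIZED);
        }
        if (!permitted) {
            throw new AccessDeniedException(UNAUTHORIZED);
        }
    }

    /**
     * Extracts the role names from the security context's role principals.
     *
     * <p>Null principals and null names are skipped, and a role whose name equals the user
     * principal's own name is excluded so the subject's identity is not also reported as a role.
     *
     * @param userRoles the role principals, may be {@code null}
     * @param userName the user principal's name, may be {@code null}
     * @return a new, mutable list of role names (possibly empty, never {@code null})
     */
    private static List<String> collectRoleNames(Set<Principal> userRoles, String userName) {
        List<String> roles = new ArrayList<>();
        if (userRoles == null) {
            return roles;
        }
        for (Principal role : userRoles) {
            if (role == null) {
                continue;
            }
            String roleName = role.getName();
            if (roleName != null && !roleName.equals(userName)) {
                roles.add(roleName);
            }
        }
        return roles;
    }

    /** @return the builder used to create the XACML request */
    public XACMLRequestBuilder getRequestBuilder() {
        return this.requestBuilder;
    }

    /** @param xACMLRequestBuilder the builder used to create the XACML request */
    public void setRequestBuilder(XACMLRequestBuilder xACMLRequestBuilder) {
        this.requestBuilder = xACMLRequestBuilder;
    }

    /**
     * Builds the XACML request, submits it via {@link #performRequest(RequestType, Message)}
     * and evaluates the decision.
     *
     * <p>Only the first {@link ResultType} of the response is considered. A missing result,
     * missing decision or any decision other than {@code Permit} is treated as a denial.
     * {@link #handleObligations} is invoked on the first result before the decision is read.
     *
     * <p>At FINE level the full serialized request (which carries subject, resource and
     * action attributes) and the result's status code and message are logged.
     *
     * @param principal the authenticated user principal, may be {@code null}
     * @param list the user's role names
     * @param message the message under authorization
     * @return {@code true} only when the PDP's first result is {@code Permit}
     * @throws Exception from request building, the PDP call or obligation handling
     */
    protected boolean authorize(Principal principal, List<String> list, Message message) throws Exception {
        RequestType request = this.requestBuilder.createRequest(principal, list, message);
        if (LOG.isLoggable(Level.FINE)) {
            LOG.log(Level.FINE, DOM2Writer.nodeToString(OpenSAMLUtil.toDom(request, DOMUtils.createDocument())));
        }

        List<ResultType> results = performRequest(request, message).getResults();
        if (results == null || results.isEmpty()) {
            return false;
        }
        ResultType result = results.get(0);
        handleObligations(request, principal, message, result);

        // Fail closed: an absent decision element counts as Deny.
        DecisionType.DECISION decision = result.getDecision() != null
            ? result.getDecision().getDecision()
            : DecisionType.DECISION.Deny;

        String statusCode = "";
        String statusMessage = "";
        StatusType status = result.getStatus();
        if (status != null) {
            statusCode = status.getStatusCode() != null ? status.getStatusCode().getValue() : "";
            statusMessage = status.getStatusMessage() != null ? status.getStatusMessage().getValue() : "";
        }
        if (LOG.isLoggable(Level.FINE)) {
            LOG.fine("XACML authorization result: " + decision + ", code: " + statusCode + ", message: " + statusMessage);
        }
        return decision == DecisionType.DECISION.Permit;
    }

    /**
     * Hook for processing the obligations attached to the PDP's first result. The default
     * implementation does nothing, i.e. obligations are ignored unless a subclass overrides
     * this method. Called before the decision is evaluated, regardless of its value.
     *
     * @param requestType the request that was sent
     * @param principal the authenticated user principal, may be {@code null}
     * @param message the message under authorization
     * @param resultType the first result of the PDP response
     * @throws Exception if an obligation cannot be satisfied; treated as a denial by
     *         {@link #handleMessage(Message)}
     */
    protected void handleObligations(RequestType requestType, Principal principal, Message message, ResultType resultType) throws Exception {
    }

    /**
     * Submits the request to the Policy Decision Point.
     *
     * @param requestType the XACML request
     * @param message the message under authorization
     * @return the PDP response
     * @throws Exception if the PDP cannot be reached or returns an unusable response
     */
    protected abstract ResponseType performRequest(RequestType requestType, Message message) throws Exception;
}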
