package org.ow2.petals.microkernel.jbi.messaging.routing.module;

import java.io.IOException;
import java.net.URISyntaxException;
import java.net.URL;
import java.security.Principal;
import java.util.ArrayList;
import java.util.Map;
import java.util.Set;
import java.util.logging.Logger;
import javax.jbi.messaging.ExchangeStatus;
import javax.jbi.messaging.MessageExchange;
import javax.security.auth.Subject;
import org.objectweb.fractal.fraclet.annotations.Component;
import org.objectweb.fractal.fraclet.annotations.Interface;
import org.objectweb.fractal.fraclet.annotations.Lifecycle;
import org.objectweb.fractal.fraclet.types.Step;
import org.ow2.petals.jaas.GroupPrincipal;
import org.ow2.petals.jbi.messaging.exchange.MessageExchangeWrapper;
import org.ow2.petals.microkernel.api.jbi.ComponentContext;
import org.ow2.petals.microkernel.api.jbi.messaging.RoutingException;
import org.ow2.petals.microkernel.api.jbi.messaging.ServiceEndpoint;
import org.ow2.petals.microkernel.api.util.LoggingUtil;
import org.ow2.petals.microkernel.jbi.security.AuthorizationException;
import org.ow2.petals.microkernel.jbi.security.AuthorizationMap;
import org.ow2.petals.microkernel.jbi.security.DefaultAuthorizationMap;
import org.ow2.petals.microkernel.jbi.security.DefaultAuthorizationParser;
import org.ow2.petals.microkernel.transport.util.TransportSendContext;

@Component(provides = {@Interface(name = "service", signature = SenderModule.class)})
/* loaded from: input_file:org/ow2/petals/microkernel/jbi/messaging/routing/module/AuthorizationModule.class */
public class AuthorizationModule implements SenderModule {
    protected final LoggingUtil log = new LoggingUtil(Logger.getLogger(Constants.FRACTAL_COMPONENT_LOGGER_NAME_AUTHORIZATION));
    public static final String CONFIGURATION = "authorization.cfg";
    private AuthorizationMap authorizationMap;

    @Lifecycle(step = Step.START)
    public void start() throws IOException, URISyntaxException, AuthorizationException {
        this.log.call();
        URL resource = getClass().getResource("/authorization.cfg");
        if (resource == null) {
            IOException iOException = new IOException("Can not load the authorization resource from classpath");
            this.log.error("Failed to start Authorization Module", iOException);
            throw iOException;
        }
        try {
            this.authorizationMap = new DefaultAuthorizationParser(resource.toURI()).parse();
            if (this.authorizationMap == null) {
                this.authorizationMap = new DefaultAuthorizationMap(new ArrayList(0));
            }
        } catch (URISyntaxException e) {
            this.log.error("Failed to start Authorization Module", e);
            throw e;
        } catch (AuthorizationException e2) {
            this.log.error("Failed to start Authorization Module", e2);
            throw e2;
        }
    }

    @Lifecycle(step = Step.STOP)
    public void stop() {
        this.log.call();
    }

    @Override // org.ow2.petals.microkernel.jbi.messaging.routing.module.SenderModule
    public void electEndpoints(Map<ServiceEndpoint, TransportSendContext> map, ComponentContext componentContext, MessageExchangeWrapper messageExchangeWrapper) throws RoutingException {
        authorizeSend(messageExchangeWrapper);
    }

    protected void authorizeSend(MessageExchangeWrapper messageExchangeWrapper) throws RoutingException {
        javax.jbi.servicedesc.ServiceEndpoint endpoint;
        if (messageExchangeWrapper.getRole() != MessageExchange.Role.PROVIDER || messageExchangeWrapper.getStatus() == ExchangeStatus.DONE || (endpoint = messageExchangeWrapper.getEndpoint()) == null) {
            return;
        }
        Set<Principal> accessControlList = this.authorizationMap.getAccessControlList(endpoint, messageExchangeWrapper.getOperation());
        if (this.log.isDebugEnabled()) {
            for (Principal principal : accessControlList) {
                this.log.debug("Server defined ACL for operation : " + messageExchangeWrapper.getOperation().toString());
                this.log.debug(principal.getName() + "(" + principal.getClass().getName() + ")");
            }
        }
        if (accessControlList.contains(GroupPrincipal.ALL)) {
            return;
        }
        Subject securitySubject = messageExchangeWrapper.getMessage("in").getSecuritySubject();
        if (securitySubject == null) {
            throw new SecurityException("User not authenticated (security subject is null)");
        }
        accessControlList.retainAll(securitySubject.getPrincipals());
        this.log.debug("ACLS size after retain is : " + accessControlList.size());
        if (accessControlList.size() == 0) {
            throw new SecurityException("Endpoint '" + endpoint.getEndpointName() + "' / Operation '" + messageExchangeWrapper.getOperation() + "' is not authorized for this user");
        }
    }
}
