package fish.payara.microprofile.jwtauth.jaxrs;

import jakarta.annotation.Priority;
import jakarta.enterprise.inject.spi.CDI;
import jakarta.security.enterprise.AuthenticationStatus;
import jakarta.security.enterprise.SecurityContext;
import jakarta.security.enterprise.authentication.mechanism.http.AuthenticationParameters;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import jakarta.ws.rs.ForbiddenException;
import jakarta.ws.rs.NotAuthorizedException;
import jakarta.ws.rs.container.ContainerRequestContext;
import jakarta.ws.rs.container.ContainerRequestFilter;
import jakarta.ws.rs.core.Response;
import java.io.IOException;
import java.lang.annotation.Annotation;
import java.util.Arrays;

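/**
 * JAX-RS request filter that gates a resource either on a list of allowed roles or on a
 * permit-all rule.
 *
 * <p>Two security contexts are involved. Authentication is triggered through the Jakarta
 * Security {@link SecurityContext} looked up from CDI, while the role check goes through the
 * security context exposed by the {@link ContainerRequestContext}.
 *
 * <p>Decision table implemented by {@link #filter(ContainerRequestContext)}:
 * <ul>
 *   <li>permit-all: authentication is attempted and its status discarded; the request always
 *       proceeds.</li>
 *   <li>non-empty role list, no caller principal: authentication is attempted; a status of
 *       {@code NOT_DONE} or {@code SEND_FAILURE}, or {@code SUCCESS} without a caller
 *       principal, is rejected with 401.</li>
 *   <li>any role list: the caller must be in at least one listed role, otherwise the request
 *       is rejected with {@link ForbiddenException}. An empty list therefore denies every
 *       caller.</li>
 * </ul>
 *
 * <p>NOTE(review): the class name suggests it backs {@code @RolesAllowed} / {@code @PermitAll};
 * the code that registers the filter is not part of this file, so confirm there.
 */
// 2000 is the value of jakarta.ws.rs.Priorities.AUTHORIZATION.
@Priority(2000)
/* loaded from: input_file:fish/payara/microprofile/jwtauth/jaxrs/RolesAllowedRequestFilter.class */
public class RolesAllowedRequestFilter implements ContainerRequestFilter {
    private final SecurityContext securityContext;
    private final String[] rolesAllowed;
    private final boolean permitAll;
    private final HttpServletRequest request;
    private final HttpServletResponse response;

    /**
     * Creates a filter that requires the caller to hold at least one of the given roles.
     *
     * <p>The decompiler reports that this constructor was package-private in the compiled class.
     *
     * @param httpServletRequest  request handed to the authentication mechanism
     * @param httpServletResponse response handed to the authentication mechanism
     * @param strArr              allowed role names; must not be {@code null}. With assertions
     *                            disabled a {@code null} array is only detected when
     *                            {@code filter} dereferences it.
     */
    public RolesAllowedRequestFilter(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String[] strArr) {
        this(httpServletRequest, httpServletResponse, strArr, false);
    }

    /**
     * Creates a permit-all filter: authentication is attempted but never enforced.
     *
     * <p>The decompiler reports that this constructor was package-private in the compiled class.
     *
     * @param httpServletRequest  request handed to the authentication mechanism
     * @param httpServletResponse response handed to the authentication mechanism
     */
    public RolesAllowedRequestFilter(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        this(httpServletRequest, httpServletResponse, null, true);
    }

    private RolesAllowedRequestFilter(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String[] rolesAllowed, boolean permitAll) {
        this.request = httpServletRequest;
        this.response = httpServletResponse;
        // Defensive copy: the array drives an authorization decision, so a caller that keeps
        // the reference must not be able to change the allowed roles after construction.
        this.rolesAllowed = rolesAllowed == null ? null : rolesAllowed.clone();
        // Instance#get() is the real accessor; "get2()" in decompiled output is a renamed
        // bridge method and does not exist on the API.
        this.securityContext = CDI.current().select(SecurityContext.class).get();
        this.permitAll = permitAll;
        // Invariant: permit-all filters carry no role list, role filters always carry one.
        assert permitAll == (rolesAllowed == null);
    }

    /**
     * Applies the permit-all or role rule to the current request.
     *
     * @param containerRequestContext JAX-RS request context whose security context answers the
     *                                role queries
     * @throws NotAuthorizedException if authentication was required and ended in
     *                                {@code NOT_DONE} or {@code SEND_FAILURE}, or reported
     *                                {@code SUCCESS} without establishing a caller principal
     * @throws ForbiddenException     if the caller is in none of the allowed roles
     * @throws IOException            declared by the interface; not thrown by this body
     */
    @Override // jakarta.ws.rs.container.ContainerRequestFilter
    public void filter(ContainerRequestContext containerRequestContext) throws IOException {
        if (this.permitAll) {
            // The returned status is deliberately ignored: a failed or absent credential does
            // not block a permit-all resource.
            this.securityContext.authenticate(this.request, this.response, AuthenticationParameters.withParams());
            return;
        }

        // Authentication is only triggered when there are roles to check and no caller
        // principal exists yet.
        if (this.rolesAllowed.length > 0 && !isAuthenticated()) {
            AuthenticationStatus status = this.securityContext.authenticate(this.request, this.response, AuthenticationParameters.withParams());

            if (status == AuthenticationStatus.NOT_DONE || status == AuthenticationStatus.SEND_FAILURE) {
                throw new NotAuthorizedException("Authentication resulted in " + status, Response.status(Response.Status.UNAUTHORIZED).build());
            }
            // A SUCCESS status alone is not trusted; a caller principal must also be present.
            if (status == AuthenticationStatus.SUCCESS && !isAuthenticated()) {
                throw new NotAuthorizedException("Authentication not done (i.e. no JWT credential found)", Response.status(Response.Status.UNAUTHORIZED).build());
            }
            // Any other status (e.g. SEND_CONTINUE) is not rejected here and falls through to
            // the role check below, which is then the only gate.
        }

        // Fail closed: with an empty role list noneMatch is true and every caller is rejected.
        boolean inNoAllowedRole = Arrays.stream(this.rolesAllowed)
                .noneMatch(role -> containerRequestContext.getSecurityContext().isUserInRole(role));
        if (inNoAllowedRole) {
            throw new ForbiddenException("Caller not in requested role");
        }
    }

    /** Returns whether the Jakarta Security context currently holds a caller principal. */
    private boolean isAuthenticated() {
        return this.securityContext.getCallerPrincipal() != null;
    }
}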
