package org.apache.geode.internal.protocol.state;

import org.apache.geode.internal.protocol.MessageExecutionContext;
import org.apache.geode.internal.protocol.OperationContext;
import org.apache.geode.internal.protocol.ProtocolErrorCode;
import org.apache.geode.internal.protocol.state.exception.ConnectionStateException;
import org.apache.geode.internal.protocol.state.exception.OperationNotAuthorizedException;
import org.apache.geode.internal.security.SecurityService;
import org.apache.geode.security.NotAuthorizedException;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.ThreadState;

/* loaded from: input_file:org/apache/geode/internal/protocol/state/ConnectionShiroAuthorizingStateProcessor.class */
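/**
 * Connection state used once a client has authenticated: each incoming operation is authorized
 * against the {@link Subject} captured when this state was created.
 *
 * <p>The subject is bound to the calling thread only for the duration of a single authorization
 * check. The {@link ThreadState} returned by the bind is always restored afterwards, so the
 * identity does not stay attached to the thread once the check has finished.
 */
public class ConnectionShiroAuthorizingStateProcessor implements ConnectionStateProcessor {
    private final SecurityService securityService;
    private final Subject subject;

    /**
     * Creates the authorizing state for one connection.
     *
     * @param securityService service used to bind the subject and evaluate permissions
     * @param subject identity that every operation on this connection is checked against
     */
    public ConnectionShiroAuthorizingStateProcessor(SecurityService securityService, Subject subject) {
        // NOTE(review): neither argument is null-checked here. A null securityService only
        // surfaces as a NullPointerException on the first validateOperation call; how
        // bindSubject treats a null subject is not visible in this file - confirm callers
        // never pass one.
        this.securityService = securityService;
        this.subject = subject;
    }

    /**
     * Checks that the connection's subject holds the permission required by the operation.
     *
     * @param messageExecutionContext supplies the statistics object on which authorization
     *     violations are counted
     * @param operationContext supplies the permission the operation requires
     * @throws OperationNotAuthorizedException with {@code AUTHORIZATION_FAILED} when the security
     *     service rejects the permission
     * @throws ConnectionStateException declared by the interface
     */
    @Override
    public void validateOperation(MessageExecutionContext messageExecutionContext, OperationContext operationContext) throws ConnectionStateException {
        ThreadState boundState = this.securityService.bindSubject(this.subject);
        try {
            this.securityService.authorize(operationContext.getAccessPermissionRequired());
        } catch (NotAuthorizedException e) {
            // Count the denial so that repeated violations are visible in the statistics.
            messageExecutionContext.getStatistics().incAuthorizationViolations();
            // The client gets a generic message that does not name the missing permission.
            // NOTE(review): the caught exception is neither chained nor logged in this method;
            // confirm the denied permission is recorded elsewhere for audit purposes.
            throw new OperationNotAuthorizedException(ProtocolErrorCode.AUTHORIZATION_FAILED, "The user is not authorized to complete this operation");
        } finally {
            // Runs exactly once on every exit path (success, denial, or unexpected failure),
            // replacing the nested catch-Throwable/rethrow that duplicated the restore call.
            boundState.restore();
        }
    }

    /**
     * Always refuses: this state is only reached after authentication, and switching identity on
     * an established connection is not supported.
     *
     * @throws ConnectionStateException always, with {@code ALREADY_AUTHENTICATED}
     */
    @Override
    public ConnectionAuthenticatingStateProcessor allowAuthentication() throws ConnectionStateException {
        throw new ConnectionStateException(ProtocolErrorCode.ALREADY_AUTHENTICATED, "The user has already been authenticated for this connection. Re-authentication is not supported at this time.");
    }
}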
