package org.codehaus.plexus.redback.xwork.interceptor;

import com.opensymphony.webwork.ServletActionContext;
import com.opensymphony.xwork.Action;
import com.opensymphony.xwork.ActionContext;
import com.opensymphony.xwork.ActionInvocation;
import java.util.List;
import javax.servlet.http.HttpSession;
import org.codehaus.plexus.component.repository.exception.ComponentLookupException;
import org.codehaus.plexus.redback.authorization.AuthorizationResult;
import org.codehaus.plexus.redback.system.SecuritySession;
import org.codehaus.plexus.redback.system.SecuritySystem;
import org.codehaus.plexus.redback.system.SecuritySystemConstants;
import org.codehaus.plexus.redback.xwork.interceptor.SecureActionBundle;
import org.codehaus.plexus.xwork.interceptor.AbstractHttpRequestTrackerInterceptor;

/* loaded from: input_file:WEB-INF/lib/redback-xwork-integration-1.1.2.jar:org/codehaus/plexus/redback/xwork/interceptor/SecureActionInterceptor.class */
public class SecureActionInterceptor extends AbstractHttpRequestTrackerInterceptor {
    private static final String REQUIRES_AUTHORIZATION = "requires-authorization";
    private static final String REQUIRES_AUTHENTICATION = "requires-authentication";
    // Neither field is assigned in this class; presumably populated by the container — verify wiring.
    private SecuritySystem securitySystem;
    private String trackerName;

    /** Outcome of checking a {@link SecureAction}'s bundle against the current security session. */
    private enum Verdict {
        /** Run the action immediately, skipping the "pass-through" log lines. */
        INVOKE,
        /** No rule blocked the action; continue with the ordinary pass-through path. */
        PASS_THROUGH,
        /** The caller must authenticate before this action may run. */
        AUTHENTICATE,
        /** The caller is authenticated but none of the required permissions was granted. */
        AUTHORIZE
    }

    /** Nothing is held by this interceptor, so there is nothing to release. */
    @Override
    public void destroy() {
    }

    /** Logs that the interceptor has been set up. */
    @Override
    public void init() {
        getLogger().info(getClass().getName() + " initialized!");
    }

    /** @return the tracker name this interceptor registers its invocations under */
    @Override
    protected String getTrackerName() {
        return this.trackerName;
    }

    /**
     * Gates the invoked action behind the rules its {@link SecureActionBundle} declares.
     * <p>
     * Actions that do not implement {@link SecureAction} are invoked without any check. For a
     * {@code SecureAction} the bundle decides: a {@code null} bundle or {@code OPEN} lets the
     * action run; a bundle that requires authentication redirects an unauthenticated caller to
     * {@code requires-authentication}; a bundle with authorization tuples runs the action as soon
     * as one tuple is authorized and otherwise yields {@code requires-authorization}.
     * A {@link SecureActionException} while obtaining the bundle is treated as "deny", i.e. the
     * caller is sent to authentication.
     *
     * @param actionInvocation the invocation being intercepted
     * @return the action's own result, or one of the two redirect result codes above
     * @throws Exception anything raised by the action, the security system or the tracker
     */
    @Override
    public String intercept(ActionInvocation actionInvocation) throws Exception {
        ActionContext ctx = ActionContext.getContext();
        Action target = (Action) ctx.getActionInvocation().getAction();
        String targetName = target.getClass().getName();
        getLogger().debug("SecureActionInterceptor: processing " + targetName);
        try {
            if (target instanceof SecureAction) {
                switch (evaluate((SecureAction) target, ctx)) {
                    case INVOKE:
                        return actionInvocation.invoke();
                    case AUTHENTICATE:
                        return processRequiresAuthentication(actionInvocation);
                    case AUTHORIZE:
                        return processRequiresAuthorization(actionInvocation);
                    default:
                        // PASS_THROUGH: fall into the common path below.
                        break;
                }
            } else {
                getLogger().debug("SecureActionInterceptor: " + targetName + " not a secure action");
            }
            getLogger().debug("not a secure action " + targetName);
            String outcome = actionInvocation.invoke();
            getLogger().debug("Passing invocation up, result is [" + outcome + "] on call " + actionInvocation.getAction().getClass().getName());
            return outcome;
        } catch (SecureActionException e) {
            // NOTE(review): only the message is logged here; the stack trace of the cause is lost.
            getLogger().error("can't generate the SecureActionBundle, deny access: " + e.getMessage());
            return processRequiresAuthentication(actionInvocation);
        }
    }

    /**
     * Works out what should happen to a {@link SecureAction} before it runs.
     *
     * @param secureAction the action whose bundle is consulted
     * @param ctx the action context whose session map holds the {@link SecuritySession}
     * @return the decision for {@link #intercept(ActionInvocation)} to act on
     * @throws Exception if the bundle cannot be produced or an authorization check fails
     */
    private Verdict evaluate(SecureAction secureAction, ActionContext ctx) throws Exception {
        SecureActionBundle bundle = secureAction.getSecureActionBundle();
        if (bundle == null) {
            // NOTE(review): a missing bundle is only logged and the action still runs (fail-open).
            // Kept as-is to preserve behaviour; a fail-closed variant would deny here instead.
            getLogger().error("Null bundle detected.");
            return Verdict.INVOKE;
        }
        if (bundle == SecureActionBundle.OPEN) {
            // Identity comparison against the shared OPEN instance, not equals().
            getLogger().debug("Bundle.OPEN detected.");
            return Verdict.INVOKE;
        }
        SecuritySession securitySession =
                (SecuritySession) ctx.getSession().get(SecuritySystemConstants.SECURITY_SESSION_KEY);
        // Same short-circuit order as before: isAuthenticated() is consulted only when the
        // bundle demands authentication and a session exists.
        if (bundle.requiresAuthentication() && !(securitySession != null && securitySession.isAuthenticated())) {
            getLogger().debug("not authenticated, need to authenticate for this action");
            return Verdict.AUTHENTICATE;
        }
        List<SecureActionBundle.AuthorizationTuple> tuples = bundle.getAuthorizationTuples();
        if (tuples == null || tuples.isEmpty()) {
            return Verdict.PASS_THROUGH;
        }
        if (securitySession == null) {
            getLogger().debug("session required for authorization to run");
            return Verdict.AUTHENTICATE;
        }
        return anyTupleAuthorized(securitySession, secureAction, tuples) ? Verdict.INVOKE : Verdict.AUTHORIZE;
    }

    /**
     * Asks the security system about each tuple in turn and stops at the first grant.
     *
     * @param session the authenticated caller's session (non-null here)
     * @param secureAction the action, used only for the success log line
     * @param tuples the (operation, resource) pairs of which at least one must be authorized
     * @return {@code true} as soon as any tuple is authorized, {@code false} if none is
     * @throws Exception propagated from {@link SecuritySystem#authorize}
     */
    private boolean anyTupleAuthorized(SecuritySession session, SecureAction secureAction,
                                       List<SecureActionBundle.AuthorizationTuple> tuples) throws Exception {
        for (SecureActionBundle.AuthorizationTuple tuple : tuples) {
            String tupleText = tuple.toString();
            getLogger().debug("checking authz for " + tupleText);
            AuthorizationResult verdict = this.securitySystem.authorize(session, tuple.getOperation(), tuple.getResource());
            boolean granted = verdict.isAuthorized();
            getLogger().debug("checking the interceptor authz " + granted + " for " + tupleText);
            if (granted) {
                getLogger().debug(session.getUser().getPrincipal() + " is authorized for action "
                        + secureAction.getClass().getName() + " by " + tupleText);
                return true;
            }
        }
        return false;
    }

    /**
     * Records the blocked invocation with the tracker (presumably so it can be resumed later —
     * setBackTrack's exact semantics live in the tracker) and yields the authorization redirect.
     *
     * @param actionInvocation the invocation that was denied
     * @return {@code requires-authorization}
     * @throws ComponentLookupException if the tracker cannot be looked up
     */
    protected String processRequiresAuthorization(ActionInvocation actionInvocation) throws ComponentLookupException {
        addActionInvocation(actionInvocation).setBackTrack();
        return REQUIRES_AUTHORIZATION;
    }

    /**
     * Drops any stored {@link SecuritySession} from the HTTP session, records the blocked
     * invocation with the tracker and yields the authentication redirect.
     *
     * @param actionInvocation the invocation that needs an authenticated caller
     * @return {@code requires-authentication}
     * @throws ComponentLookupException if the tracker cannot be looked up
     */
    protected String processRequiresAuthentication(ActionInvocation actionInvocation) throws ComponentLookupException {
        // The no-arg getSession() creates a session when the request has none, so the null
        // check below is purely defensive.
        HttpSession httpSession = ServletActionContext.getRequest().getSession();
        if (httpSession != null) {
            httpSession.removeAttribute(SecuritySystemConstants.SECURITY_SESSION_KEY);
        }
        addActionInvocation(actionInvocation).setBackTrack();
        return REQUIRES_AUTHENTICATION;
    }
}
