package org.eclipse.stardust.engine.core.runtime.beans.interceptors;

import org.eclipse.stardust.common.error.AccessForbiddenException;
import org.eclipse.stardust.engine.api.runtime.BpmRuntimeError;
import org.eclipse.stardust.engine.api.runtime.PublicPermission;
import org.eclipse.stardust.engine.core.runtime.beans.BpmRuntimeEnvironment;
import org.eclipse.stardust.engine.core.runtime.beans.IUser;
import org.eclipse.stardust.engine.core.runtime.beans.PublicUser;
import org.eclipse.stardust.engine.core.runtime.beans.removethis.SecurityProperties;
import org.eclipse.stardust.engine.core.runtime.interceptor.MethodInterceptor;
import org.eclipse.stardust.engine.core.runtime.interceptor.MethodInvocation;
import org.eclipse.stardust.engine.core.runtime.utils.Authorization2;
import org.eclipse.stardust.engine.core.runtime.utils.AuthorizationContext;
import org.eclipse.stardust.engine.core.security.utils.SecurityUtils;

/* loaded from: input_file:lib/carnot-engine.jar:org/eclipse/stardust/engine/core/runtime/beans/interceptors/GuardingInterceptor.class */
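/**
 * Method interceptor that gates an invocation on the caller's identity and permissions
 * before letting it proceed, and resets the authorization predicate and secure-context
 * flag on the current {@link BpmRuntimeEnvironment} once the invocation has finished.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>An invocation without a current user is rejected outright.</li>
 *   <li>A {@link PublicUser} is never passed through {@code Authorization2.checkPermission} or
 *       the password-expiry check; it is admitted only by the public-method gates in
 *       {@link #invoke(MethodInvocation)}.</li>
 *   <li>For any other user, the permission check can be switched off through the boolean
 *       invocation parameter {@code <name>.Guarded} (default {@code true}). Anything that can
 *       set that parameter to {@code false} disables authorization for the invocations this
 *       interceptor handles, so it should be treated as security-sensitive configuration.</li>
 *   <li>For any other user, methods declared by {@code java.lang.Object} skip both the
 *       password-expiry and the permission check.</li>
 * </ul>
 */
public class GuardingInterceptor implements MethodInterceptor {
    private static final long serialVersionUID = -2252311619932405039L;

    /** Name of the boolean invocation parameter that enables the permission check. */
    private final String paramName;

    /**
     * Derives the guard parameter name from the text after the last {@code '.'} of
     * {@code str}, followed by {@code ".Guarded"}.
     *
     * @param str dotted name whose last segment prefixes the guard parameter; presumably a
     *            fully qualified service name (confirm against callers). Must not be null.
     */
    public GuardingInterceptor(String str) {
        // lastIndexOf returns -1 when there is no dot, so the whole string is used then.
        this.paramName = str.substring(str.lastIndexOf('.') + 1) + ".Guarded";
    }

    /**
     * Authorizes the invocation for the current user, runs it, and clears the
     * per-invocation authorization state.
     *
     * @param methodInvocation the intercepted call
     * @return whatever {@code methodInvocation.proceed()} returns
     * @throws AccessForbiddenException if no user is logged in, or if a public user calls a
     *         method that is not open to public access
     * @throws Throwable anything raised by the security checks or by the invocation itself
     */
    @Override
    public Object invoke(MethodInvocation methodInvocation) throws Throwable {
        // Resolve the caller once so the null check and the identity-based branches below
        // all act on the same user object.
        IUser user = SecurityProperties.getUser();
        if (user == null) {
            throw new AccessForbiddenException(BpmRuntimeError.AUTHx_NOT_LOGGED_IN.raise());
        }
        try {
            if (user instanceof PublicUser) {
                // Evaluated once so both gates below act on the same answer.
                boolean accepted = SecurityUtils.acceptPublicMethod(methodInvocation.getMethod());
                if (!accepted) {
                    // Gate 1: a method that is not accepted must at least be annotated for public use.
                    if (methodInvocation.getMethod().getAnnotation(PublicPermission.class) == null) {
                        throw new AccessForbiddenException(BpmRuntimeError.AUTHx_AUTH_MISSING_GRANTS.raise(Long.valueOf(user.getOID()), String.valueOf(AuthorizationContext.create(methodInvocation.getMethod()).getPermission()), user.getAccount()));
                    }
                    // Gate 2: the annotated method must also pass the per-invocation evaluation.
                    if (!SecurityUtils.evaluatePublicMethod(methodInvocation)) {
                        throw new AccessForbiddenException("Not allowed to access this resource");
                    }
                }
            } else if (!methodInvocation.getMethod().getDeclaringClass().getName().equals("java.lang.Object")) {
                // Password expiry is enforced regardless of the Guarded flag.
                SecurityUtils.checkPasswordExpired(user, methodInvocation);
                // Fail closed: a missing flag is read as true, so the permission check runs.
                if (methodInvocation.getParameters().getBoolean(this.paramName, true)) {
                    Authorization2.checkPermission(methodInvocation.getMethod(), methodInvocation.getArguments());
                }
            }
            return methodInvocation.proceed();
        } finally {
            // Reset on every exit path, success or failure, exactly once, so the predicate
            // and secure-context flag set during this invocation are cleared when it ends.
            BpmRuntimeEnvironment current = PropertyLayerProviderInterceptor.getCurrent();
            current.setAuthorizationPredicate(null);
            current.setSecureContext(false);
        }
    }
}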
