package com.github.kaizen4j.shiro.authz.handler;

import com.github.kaizen4j.common.authz.AuthDefinition;
import com.github.kaizen4j.common.authz.annotation.Logical;
import com.github.kaizen4j.common.authz.annotation.RequiresAuthorize;
import java.lang.annotation.Annotation;
import java.util.Arrays;
import java.util.Objects;
import org.apache.commons.lang3.ArrayUtils;
import org.apache.shiro.authz.AuthorizationException;
import org.apache.shiro.authz.UnauthenticatedException;
import org.apache.shiro.authz.aop.AuthorizingAnnotationHandler;
import org.apache.shiro.subject.Subject;

/* loaded from: input_file:com/github/kaizen4j/shiro/authz/handler/AuthorizationAnnotationHandler.class */
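/**
 * Shiro annotation handler that enforces {@link RequiresAuthorize} on the current {@link Subject}.
 *
 * <p>The annotation's permissions, roles, authenticated flag and logical operator are copied into
 * an {@link AuthDefinition} and evaluated by {@link #checkAuthorization(AuthDefinition)}.
 *
 * <p>Every multi-valued check fails closed: if the logical operator is anything other than
 * {@code Logical.OR} (including {@code null}), all listed permissions or roles are required.
 */
public class AuthorizationAnnotationHandler extends AuthorizingAnnotationHandler {
    public AuthorizationAnnotationHandler() {
        super(RequiresAuthorize.class);
    }

    /**
     * Enforces the constraints declared by a {@link RequiresAuthorize} annotation.
     *
     * <p>Annotations of any other type are ignored.
     *
     * @param annotation the annotation found on the intercepted element
     * @throws AuthorizationException if the current subject does not satisfy the declared constraints
     */
    @Override
    public void assertAuthorized(Annotation annotation) throws AuthorizationException {
        if (!(annotation instanceof RequiresAuthorize)) {
            return;
        }
        RequiresAuthorize requiresAuthorize = (RequiresAuthorize) annotation;
        AuthDefinition authDefinition = new AuthDefinition();
        authDefinition.setPermissions(requiresAuthorize.permissions());
        authDefinition.setRoles(requiresAuthorize.roles());
        authDefinition.setAuthenticated(requiresAuthorize.isAuthenticated());
        authDefinition.setLogical(requiresAuthorize.logical());
        checkAuthorization(authDefinition);
    }

    /**
     * Evaluates an {@link AuthDefinition} against the current subject.
     *
     * <p>Only the first populated criterion is evaluated, in this order: permissions, then roles,
     * then the authenticated flag. A definition with none of them set performs no check.
     *
     * @param authDefinition the constraints to enforce
     * @throws AuthorizationException if the evaluated criterion is not satisfied
     */
    public void checkAuthorization(AuthDefinition authDefinition) {
        // NOTE(review): the criteria are mutually exclusive here. A definition that sets both
        // permissions and roles is enforced on permissions only, and roles are silently skipped.
        // Confirm this precedence is intended; if the criteria are meant to combine, each
        // populated one needs its own check.
        if (ArrayUtils.isNotEmpty(authDefinition.getPermissions())) {
            checkPermissions(authDefinition);
        } else if (ArrayUtils.isNotEmpty(authDefinition.getRoles())) {
            checkRoles(authDefinition);
        } else if (authDefinition.isAuthenticated()) {
            checkAuthenticated();
        }
    }

    /**
     * Requires the listed permissions: any one of them under {@code Logical.OR}, all of them otherwise.
     */
    private void checkPermissions(AuthDefinition authDefinition) {
        String[] permissions = authDefinition.getPermissions();
        Subject subject = getSubject();
        if (permissions.length == 1) {
            subject.checkPermission(permissions[0]);
            return;
        }
        if (Logical.OR.equals(authDefinition.getLogical())) {
            for (String permission : permissions) {
                if (subject.isPermitted(permission)) {
                    return;
                }
            }
            // No permission matched: re-check the first one so Shiro raises its own exception.
            subject.checkPermission(permissions[0]);
            return;
        }
        // AND, or an unset/unrecognised operator: require every permission rather than
        // falling through without a check.
        subject.checkPermissions(permissions);
    }

    /**
     * Requires the listed roles: any one of them under {@code Logical.OR}, all of them otherwise.
     */
    private void checkRoles(AuthDefinition authDefinition) {
        String[] roles = authDefinition.getRoles();
        Subject subject = getSubject();
        if (roles.length == 1) {
            subject.checkRole(roles[0]);
            return;
        }
        if (Logical.OR.equals(authDefinition.getLogical())) {
            for (String role : roles) {
                if (subject.hasRole(role)) {
                    return;
                }
            }
            // No role matched: re-check the first one so Shiro raises its own exception.
            subject.checkRole(roles[0]);
            return;
        }
        // Must be checkRoles, which throws on a missing role. hasRoles only returns a boolean
        // array; calling it and discarding the result enforces nothing, so a multi-role AND
        // constraint would let every subject through.
        subject.checkRoles(Arrays.asList(roles));
    }

    /**
     * Requires that the current subject has a principal.
     *
     * @throws UnauthenticatedException if the subject's principal is {@code null}
     */
    private void checkAuthenticated() {
        if (Objects.isNull(getSubject().getPrincipal())) {
            throw new UnauthenticatedException("Attempting to perform a user-only operation.  The current Subject is not a user (they haven't been authenticated or remembered from a previous login).  Access denied.");
        }
    }
}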
