package org.craftercms.commons.security.permissions.impl;

import java.util.Iterator;
import java.util.List;
import java.util.Map;
import org.apache.commons.collections4.CollectionUtils;
import org.apache.commons.lang3.StringUtils;
import org.craftercms.commons.security.exception.InvalidSubjectConditionException;
import org.craftercms.commons.security.exception.PermissionException;
import org.craftercms.commons.security.permissions.Permission;
import org.craftercms.commons.security.permissions.PermissionService;
import org.craftercms.commons.security.permissions.PermissionSource;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.standard.SpelExpressionParser;

/* loaded from: input_file:org/craftercms/commons/security/permissions/impl/PermissionServiceImpl.class */
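/**
 * {@link PermissionService} implementation that decides whether a subject may perform an action on a
 * resource by evaluating the {@link Permission}s the configured {@link PermissionSource} returns for
 * the resource URI, falling back to the parent URI when a permission yields no decision.
 *
 * <p>Security note: subject conditions are evaluated as SpEL expressions after the values of the
 * caller-supplied variables have been spliced into the expression text (see
 * {@code subjectMatchesCondition}). Variable values must therefore never be taken from untrusted
 * input.</p>
 */
public class PermissionServiceImpl implements PermissionService {
    /** Wildcard that matches any subject condition or any action. */
    public static final String ANY_WILDCARD = "*";
    /** Separator between the segments of a resource URI. */
    public static final String URI_SEPARATOR = "/";
    /** Source the permissions for a resource URI are read from; must be set before {@code allow} is called. */
    protected PermissionSource permissionSource;

    /**
     * Sets the source that permissions are loaded from.
     *
     * @param permissionSource the permission source to query
     */
    public void setPermissionSource(PermissionSource permissionSource) {
        this.permissionSource = permissionSource;
    }

    /**
     * Decides whether the subject may perform the action on the resource.
     *
     * <p>The result is {@code false} (deny) when the source returns no permissions for the URI or when
     * no permission produces a decision and there is no parent URI to fall back to.</p>
     *
     * @param obj  the subject; used as the root object when subject conditions are evaluated
     * @param str  the resource URI; trailing separators are stripped before lookup
     * @param str2 the action being requested
     * @param map  variables substituted into subject conditions; may be {@code null}
     * @return {@code true} if the action is allowed, {@code false} otherwise
     * @throws PermissionException if a subject condition cannot be evaluated to a boolean
     */
    @Override
    public boolean allow(Object obj, String str, String str2, Map<String, String> map) throws PermissionException {
        String resourceUri = StringUtils.stripEnd(str, URI_SEPARATOR);
        Iterable<Permission> permissions = this.permissionSource.getPermissions(resourceUri);
        if (permissions == null) {
            return false;
        }
        ExpressionParser parser = new SpelExpressionParser();
        for (Permission permission : permissions) {
            Boolean decision = checkPermission(permission, obj, str2, parser, map);
            if (decision != null) {
                return decision;
            }
            // NOTE(review): the parent fallback sits inside the loop, so for any URI that has a
            // parent only the FIRST permission is ever consulted; later permissions on the same
            // resource are skipped. An empty (non-null) permission list also skips the fallback.
            // Behavior is preserved here because changing it alters access decisions; confirm the
            // intended precedence before moving the fallback after the loop.
            String parentResourceUri = getParentResourceUri(resourceUri);
            if (StringUtils.isNotEmpty(parentResourceUri)) {
                return allow(obj, parentResourceUri, str2, map);
            }
        }
        return false;
    }

    /**
     * Evaluates a single permission against the subject and action.
     *
     * <p>An allow match is checked before a deny match, so a permission that lists the action in both
     * lists results in {@code true}.</p>
     *
     * @param permission       the permission to evaluate
     * @param obj              the subject
     * @param str              the action being requested
     * @param expressionParser parser used to evaluate the permission's subject condition
     * @param map              variables substituted into the subject condition; may be {@code null}
     * @return {@code TRUE} if explicitly allowed, {@code FALSE} if explicitly denied, or {@code null}
     *         when the permission does not apply to the subject or does not mention the action
     * @throws InvalidSubjectConditionException if the subject condition is null or does not evaluate
     *                                          to a boolean
     */
    protected Boolean checkPermission(Permission permission, Object obj, String str, ExpressionParser expressionParser, Map<String, String> map) throws InvalidSubjectConditionException {
        if (!subjectMatchesCondition(obj, permission.getSubjectCondition(), expressionParser, map)) {
            return null;
        }
        List<String> allowedActions = permission.getAllowedActions();
        if (CollectionUtils.isNotEmpty(allowedActions)
                && (allowedActions.contains(ANY_WILDCARD) || allowedActions.contains(str))) {
            return Boolean.TRUE;
        }
        List<String> deniedActions = permission.getDeniedActions();
        if (CollectionUtils.isNotEmpty(deniedActions)
                && (deniedActions.contains(ANY_WILDCARD) || deniedActions.contains(str))) {
            return Boolean.FALSE;
        }
        return null;
    }

    /**
     * Tests whether the subject satisfies a permission's subject condition.
     *
     * <p>The condition is either the {@link #ANY_WILDCARD} or an expression in which every
     * <code>{name}</code> placeholder is replaced by the matching variable value before the text is
     * parsed and evaluated with the subject as root object.</p>
     *
     * @param obj              the subject, used as the expression's root object
     * @param str              the subject condition
     * @param expressionParser parser used to evaluate the condition
     * @param map              placeholder values; {@code null} is treated as "no variables"
     * @return {@code true} if the condition is the wildcard or evaluates to {@code true}
     * @throws InvalidSubjectConditionException if the condition is {@code null} or does not evaluate
     *                                          to a boolean
     */
    protected boolean subjectMatchesCondition(Object obj, String str, ExpressionParser expressionParser, Map<String, String> map) throws InvalidSubjectConditionException {
        if (str == null) {
            // Fail closed with the declared exception instead of an unexplained NullPointerException.
            throw new InvalidSubjectConditionException("Subject condition must not be null");
        }
        if (ANY_WILDCARD.equals(str)) {
            return true;
        }
        String expression = str;
        // Callers without variables may pass null; previously that raised a NullPointerException
        // for every non-wildcard condition.
        if (map != null) {
            for (Map.Entry<String, String> entry : map.entrySet()) {
                expression = expression.replace("{" + entry.getKey() + "}", entry.getValue());
            }
        }
        // SECURITY(review): variable values are concatenated into the expression source and then
        // evaluated, and getValue(obj) is called without a restricted EvaluationContext. If any
        // variable value can be influenced by a requester, this is an expression-injection sink.
        // Mitigations to consider: validate values against a strict allow-list before substitution,
        // or bind them as evaluation-context variables instead of editing the expression text, and
        // evaluate under a restricted context. Not changed here because both alter the condition
        // syntax or the features existing conditions may rely on.
        Object value = expressionParser.parseExpression(expression).getValue(obj);
        if (value instanceof Boolean) {
            return (Boolean) value;
        }
        throw new InvalidSubjectConditionException("Expression " + expression + " should return a boolean value");
    }

    /**
     * Returns the URI one level above the given resource URI.
     *
     * @param str the resource URI, without trailing separator
     * @return the text before the last separator, or {@code null} when the URI contains no separator
     *         or its only separator is the leading one (the root itself is never returned)
     */
    protected String getParentResourceUri(String str) {
        int lastSeparator = str.lastIndexOf(URI_SEPARATOR);
        return lastSeparator > 0 ? str.substring(0, lastSeparator) : null;
    }
}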
