package org.craftercms.security.impl.processors;

import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Objects;
import javax.servlet.http.HttpServletRequest;
import org.apache.commons.collections.MapUtils;
import org.craftercms.security.api.RequestContext;
import org.craftercms.security.api.RequestSecurityProcessor;
import org.craftercms.security.api.RequestSecurityProcessorChain;
import org.craftercms.security.api.UserProfile;
import org.craftercms.security.exception.AccessDeniedException;
import org.craftercms.security.exception.CrafterSecurityException;
import org.craftercms.security.utils.spring.el.AccessRestrictionExpressionRoot;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Required;
import org.springframework.expression.Expression;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.util.AntPathMatcher;
import org.springframework.util.PathMatcher;

/* loaded from: input_file:WEB-INF/lib/crafter-security-provider-2.4.4.jar:org/craftercms/security/impl/processors/UrlAccessRestrictionCheckingProcessor.class */
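/**
 * Request processor that enforces URL access restrictions expressed as SpEL expressions.
 *
 * <p>Restrictions are configured as a map of Ant-style URL pattern to SpEL expression
 * (see {@link #setUrlRestrictions(Map)}). When at least one restriction is configured, the
 * request must carry an authentication token with a user profile; the request path
 * (request URI minus the context path) is then matched against every pattern, in
 * configuration order. <em>Every</em> matching pattern's expression is evaluated - there is
 * no first-match short circuit - and the first one that evaluates to {@code false} aborts the
 * chain with an {@link AccessDeniedException}. An expression that does not yield a
 * {@link Boolean} is treated as a configuration error and also aborts the request
 * ({@link CrafterSecurityException}), so a mis-typed restriction fails closed.
 *
 * <p>When no restrictions are configured the processor is a pass-through and does not
 * require an authentication token.
 */
public class UrlAccessRestrictionCheckingProcessor implements RequestSecurityProcessor {

    public static final Logger logger = LoggerFactory.getLogger(UrlAccessRestrictionCheckingProcessor.class);

    /** Matcher used to compare configured URL patterns against the request path. */
    protected PathMatcher pathMatcher = new AntPathMatcher();

    /** Parsed restrictions, keyed by URL pattern; insertion order is the evaluation order. */
    protected Map<String, Expression> urlRestrictions;

    /**
     * Replaces the default {@link AntPathMatcher}.
     *
     * @param pathMatcher the matcher to use
     * @throws NullPointerException if {@code pathMatcher} is null
     */
    public void setPathMatcher(PathMatcher pathMatcher) {
        this.pathMatcher = Objects.requireNonNull(pathMatcher, "pathMatcher");
    }

    /**
     * Sets the URL restrictions, parsing each value as a SpEL expression.
     *
     * <p>The parsed map is only published once every expression has been parsed, so a
     * parse failure leaves any previously configured restrictions in place instead of a
     * half-populated map.
     *
     * @param map URL pattern to SpEL expression string, in evaluation order
     * @throws NullPointerException if {@code map} is null
     * @throws org.springframework.expression.ParseException if an expression cannot be parsed
     */
    @Required
    public void setUrlRestrictions(Map<String, String> map) {
        Objects.requireNonNull(map, "urlRestrictions");
        SpelExpressionParser parser = new SpelExpressionParser();
        Map<String, Expression> parsed = new LinkedHashMap<String, Expression>(map.size());
        for (Map.Entry<String, String> entry : map.entrySet()) {
            parsed.put(entry.getKey(), parser.parseExpression(entry.getValue()));
        }
        this.urlRestrictions = parsed;
    }

    /**
     * Checks the current request against the configured restrictions and, if none denies it,
     * continues the processor chain.
     *
     * @param requestContext                the request context; must hold an authentication
     *                                      token with a profile when restrictions are configured
     * @param requestSecurityProcessorChain the chain to continue with
     * @throws IllegalArgumentException if restrictions are configured but the context has no
     *                                  authentication token or the token has no profile
     * @throws AccessDeniedException    if a matching restriction evaluates to {@code false}
     * @throws CrafterSecurityException if a matching restriction does not evaluate to a boolean
     * @throws Exception                propagated from the rest of the chain
     */
    @Override // org.craftercms.security.api.RequestSecurityProcessor
    public void processRequest(RequestContext requestContext,
                               RequestSecurityProcessorChain requestSecurityProcessorChain) throws Exception {
        if (MapUtils.isNotEmpty(this.urlRestrictions)) {
            logger.debug("Checking URL access restrictions");

            // Validate the principal before touching the request so the error messages
            // are the same regardless of request shape.
            UserProfile profile = requireProfile(requestContext);
            String requestUrl = getRequestUrl(requestContext.getRequest());

            checkRestrictions(requestUrl, profile);
        }

        requestSecurityProcessorChain.processRequest(requestContext);
    }

    /**
     * Returns the profile attached to the context's authentication token.
     *
     * @throws IllegalArgumentException if there is no token, or the token has no profile
     */
    private UserProfile requireProfile(RequestContext requestContext) {
        if (requestContext.getAuthenticationToken() == null) {
            throw new IllegalArgumentException("Request context doesn't contain an authentication token");
        }

        UserProfile profile = requestContext.getAuthenticationToken().getProfile();
        if (profile == null) {
            throw new IllegalArgumentException("Authentication token of request context doesn't contain a user profile");
        }

        return profile;
    }

    /**
     * Evaluates every restriction whose pattern matches {@code requestUrl}.
     *
     * @throws AccessDeniedException    on the first restriction that evaluates to {@code false}
     * @throws CrafterSecurityException if a restriction does not evaluate to a boolean
     */
    private void checkRestrictions(String requestUrl, UserProfile profile) throws AccessDeniedException {
        for (Map.Entry<String, Expression> restriction : this.urlRestrictions.entrySet()) {
            String urlPattern = restriction.getKey();
            Expression expression = restriction.getValue();

            if (!this.pathMatcher.match(urlPattern, requestUrl)) {
                continue;
            }

            logger.debug("Checking restriction ['{}' => {}] for user {}",
                         requestUrl, expression.getExpressionString(), profile.getUserName());

            if (!isAccessAllowed(profile, expression)) {
                throw new AccessDeniedException("Restriction ['" + requestUrl + "' => " + expression.getExpressionString()
                                                + "] evaluated to false for user " + profile.getUserName() + ": access denied");
            }

            logger.debug("Restriction ['{}' => {}] evaluated to true for user {}: access allowed",
                         requestUrl, expression.getExpressionString(), profile.getUserName());
        }
    }

    /**
     * Returns the path the restrictions are matched against: the request URI with the
     * context path prefix removed.
     *
     * <p>NOTE(review): this is the raw URI as reported by the container; it is neither
     * URL-decoded nor normalized here (no handling of {@code ..} segments, double slashes or
     * percent-encoded characters). Whether a crafted path can reach a handler while
     * evading an Ant pattern therefore depends on the container/filter configuration in
     * front of this processor - confirm that the deployment normalizes paths before
     * relying on patterns narrower than {@code /**}.
     *
     * @param httpServletRequest the current request
     * @return the context-relative request path
     */
    protected String getRequestUrl(HttpServletRequest httpServletRequest) {
        return httpServletRequest.getRequestURI().substring(httpServletRequest.getContextPath().length());
    }

    /**
     * Evaluates {@code expression} against a root built from {@code userProfile}.
     *
     * @param userProfile the profile the expression is evaluated for
     * @param expression  the parsed restriction
     * @return the boolean result of the expression
     * @throws CrafterSecurityException if the expression does not produce a {@link Boolean}
     *                                  (deliberately no type coercion, so a mis-typed
     *                                  restriction denies rather than allows)
     */
    protected boolean isAccessAllowed(UserProfile userProfile, Expression expression) {
        Object result = expression.getValue(createExpressionRoot(userProfile));
        if (result instanceof Boolean) {
            return (Boolean) result;
        }

        throw new CrafterSecurityException("Expression " + expression.getExpressionString() + " should return a boolean value");
    }

    /**
     * Builds the SpEL root object restrictions are evaluated against. Override to expose
     * additional properties to the expressions.
     *
     * @param userProfile the current user's profile
     * @return the expression root
     */
    protected AccessRestrictionExpressionRoot createExpressionRoot(UserProfile userProfile) {
        return new AccessRestrictionExpressionRoot(userProfile);
    }

}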
