package org.craftercms.security.processors.impl;

import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import org.apache.commons.collections4.MapUtils;
import org.craftercms.commons.http.HttpUtils;
import org.craftercms.commons.http.RequestContext;
import org.craftercms.security.authentication.Authentication;
import org.craftercms.security.exception.AccessDeniedException;
import org.craftercms.security.processors.RequestSecurityProcessor;
import org.craftercms.security.processors.RequestSecurityProcessorChain;
import org.craftercms.security.utils.SecurityUtils;
import org.craftercms.security.utils.spring.el.AccessRestrictionExpressionRoot;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Required;
import org.springframework.expression.Expression;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.util.AntPathMatcher;
import org.springframework.util.PathMatcher;

/* loaded from: input_file:WEB-INF/lib/crafter-security-provider-3.0.26.jar:org/craftercms/security/processors/impl/UrlAccessRestrictionCheckingProcessor.class */
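/**
 * Request security processor that enforces URL-based access restrictions.
 *
 * <p>Restrictions are configured as an ordered map of Ant-style URL pattern to a SpEL
 * expression that must evaluate to {@code true} for the request to proceed. Every pattern
 * that matches the request URL is evaluated (the restrictions are ANDed, not first-match);
 * the first one that evaluates to {@code false} aborts the chain with an
 * {@link AccessDeniedException}. If no pattern matches, or no restrictions are configured,
 * the request is handed down the chain unchanged.
 *
 * <p>Security notes for operators and reviewers:
 * <ul>
 *   <li>Patterns are matched against the request URI with the context path stripped, as
 *       returned by {@link HttpUtils#getRequestUriWithoutContextPath}. Whether that value is
 *       canonical (no {@code ..} segments, repeated slashes, {@code ;} path parameters or
 *       percent-encoded separators) is not decided in this class. If the URI is not
 *       canonicalized before this processor runs, a restriction such as {@code /admin/**}
 *       may be sidestepped by an equivalent but differently spelled URL; deployments should
 *       normalize the request path upstream or write patterns defensively. With the default
 *       {@link AntPathMatcher} matching is case-sensitive.</li>
 *   <li>Expressions are parsed with a plain {@link SpelExpressionParser} and evaluated via
 *       {@link Expression#getValue(Object)}, i.e. Spring's default (standard) evaluation
 *       context, which allows method invocation and type references. The restriction map is
 *       therefore trusted configuration and must never be populated from request data.</li>
 *   <li>An expression that yields a non-boolean result is treated as a configuration error
 *       and fails the request with an {@link IllegalStateException} instead of granting
 *       access (fail closed).</li>
 * </ul>
 */
public class UrlAccessRestrictionCheckingProcessor implements RequestSecurityProcessor {
    public static final Logger logger = LoggerFactory.getLogger(UrlAccessRestrictionCheckingProcessor.class);

    /** Matcher used to compare configured URL patterns against the request URL; Ant-style by default. */
    protected PathMatcher pathMatcher = new AntPathMatcher();

    /** Parsed restrictions in configuration order: URL pattern -> compiled SpEL expression. */
    protected Map<String, Expression> urlRestrictions;

    /**
     * Replaces the path matcher used to compare URL patterns with the request URL.
     *
     * @param pathMatcher the matcher to use (defaults to {@link AntPathMatcher})
     */
    public void setPathMatcher(PathMatcher pathMatcher) {
        this.pathMatcher = pathMatcher;
    }

    /**
     * Sets the URL restrictions, compiling each SpEL expression string once at configuration time.
     *
     * <p>The iteration order of {@code map} is preserved, so an ordered map (e.g. a
     * {@link LinkedHashMap}) controls the order in which matching restrictions are evaluated and
     * therefore which one is reported when access is denied. The parsed map is only published to
     * the field once it is fully built.
     *
     * @param map URL pattern -> SpEL expression that must evaluate to a boolean for the request to be allowed
     * @throws org.springframework.expression.ParseException if an expression string is not valid SpEL
     */
    @Required
    public void setUrlRestrictions(Map<String, String> map) {
        Map<String, Expression> parsed = new LinkedHashMap<>();
        SpelExpressionParser parser = new SpelExpressionParser();
        for (Map.Entry<String, String> restriction : map.entrySet()) {
            parsed.put(restriction.getKey(), parser.parseExpression(restriction.getValue()));
        }
        this.urlRestrictions = parsed;
    }

    /**
     * Returns the compiled restrictions (pattern -> expression) in configuration order.
     *
     * @return the restriction map, or {@code null} if {@link #setUrlRestrictions(Map)} was never called
     */
    protected Map<String, Expression> getUrlRestrictions() {
        return this.urlRestrictions;
    }

    /**
     * Evaluates every restriction whose pattern matches the request URL and, if all of them
     * allow access, continues with the rest of the processor chain.
     *
     * @param requestContext                the current request context
     * @param requestSecurityProcessorChain the chain to continue with when access is allowed
     * @throws AccessDeniedException  if a matching restriction evaluates to {@code false}
     * @throws IllegalStateException if a matching restriction does not yield a boolean
     * @throws Exception             anything raised further down the chain
     */
    @Override
    public void processRequest(RequestContext requestContext, RequestSecurityProcessorChain requestSecurityProcessorChain) throws Exception {
        Map<String, Expression> restrictions = getUrlRestrictions();
        if (MapUtils.isNotEmpty(restrictions)) {
            HttpServletRequest request = requestContext.getRequest();
            String requestUrl = getRequestUrl(request);
            logger.debug("Checking access restrictions for URL {}", requestUrl);

            for (Map.Entry<String, Expression> restriction : restrictions.entrySet()) {
                // Only patterns matching the URL apply, but every matching one must pass (AND semantics).
                if (!this.pathMatcher.match(restriction.getKey(), requestUrl)) {
                    continue;
                }
                Expression expression = restriction.getValue();
                logger.debug("Checking restriction [{} => {}]", requestUrl, expression.getExpressionString());
                if (!isAccessAllowed(request, expression)) {
                    throw new AccessDeniedException("Restriction ['" + requestUrl + "' => " + expression.getExpressionString() + "] evaluated to false for user: access denied");
                }
                logger.debug("Restriction ['{}' => {}] evaluated to true for user: access allowed", requestUrl, expression.getExpressionString());
            }
        }
        requestSecurityProcessorChain.processRequest(requestContext);
    }

    /**
     * Returns the URL that restriction patterns are matched against: the request URI with the
     * servlet context path removed. Subclasses may override this, e.g. to canonicalize the path
     * before matching.
     *
     * @param httpServletRequest the current request
     * @return the request URI without the context path
     */
    protected String getRequestUrl(HttpServletRequest httpServletRequest) {
        return HttpUtils.getRequestUriWithoutContextPath(httpServletRequest);
    }

    /**
     * Evaluates a restriction expression against the root object built for the request.
     *
     * @param httpServletRequest the current request, used to look up the authenticated profile
     * @param expression         the compiled restriction expression
     * @return the boolean value of the expression
     * @throws IllegalStateException if the expression does not evaluate to a {@link Boolean}; this
     *                               is deliberately an error rather than an implicit "denied" or
     *                               "allowed" so that misconfiguration is noticed
     */
    protected boolean isAccessAllowed(HttpServletRequest httpServletRequest, Expression expression) {
        Object result = expression.getValue(createExpressionRoot(httpServletRequest));
        if (!(result instanceof Boolean)) {
            throw new IllegalStateException("Expression " + expression.getExpressionString() + " should return a boolean value");
        }
        return ((Boolean) result).booleanValue();
    }

    /**
     * Builds the SpEL root object for a request. The profile is populated from the current
     * {@link Authentication} when one is present; for anonymous requests the root is left
     * without a profile, so expressions must cope with that case.
     *
     * @param httpServletRequest the current request
     * @return a fresh {@link AccessRestrictionExpressionRoot}
     */
    protected Object createExpressionRoot(HttpServletRequest httpServletRequest) {
        AccessRestrictionExpressionRoot root = new AccessRestrictionExpressionRoot();
        Authentication authentication = SecurityUtils.getAuthentication(httpServletRequest);
        if (authentication != null) {
            root.setProfile(authentication.getProfile());
        }
        return root;
    }
}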
