package org.craftercms.commons.security.permissions.annotations;

import java.beans.ConstructorProperties;
import java.lang.reflect.Method;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;
import org.apache.commons.lang3.StringUtils;
import org.aspectj.lang.ProceedingJoinPoint;
import org.aspectj.lang.annotation.Around;
import org.aspectj.lang.annotation.Aspect;
import org.craftercms.commons.aop.AopUtils;
import org.craftercms.commons.http.RequestContext;
import org.craftercms.commons.i10n.I10nLogger;
import org.craftercms.commons.security.exception.ActionDeniedException;
import org.craftercms.commons.security.permissions.PermissionEvaluator;
import org.springframework.core.annotation.Order;

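/**
 * Aspect that enforces {@link HasPermission} on annotated types and methods.
 *
 * <p>An intercepted call proceeds when either (a) the request carries the configured management
 * token and the annotation opts in through {@code acceptManagementToken()}, or (b) the inherited
 * {@code checkPermissions(Method, HasPermission, Object)} grants the action. Otherwise an
 * {@link ActionDeniedException} is thrown and the target method is never invoked.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>The management token bypasses the evaluator-based permission check for every endpoint
 *       that sets {@code acceptManagementToken()}. Treat it as a high-value shared secret and
 *       enable that flag only where it is needed.</li>
 *   <li>The token is read from the {@code token} request parameter. If clients send it in the
 *       URL query string it can be recorded by access logs and intermediaries, so it should be
 *       excluded from logging where possible.</li>
 *   <li>A null or empty configured token disables the bypass entirely (fails closed).</li>
 * </ul>
 */
@Aspect
@Order(-1)
/* loaded from: input_file:WEB-INF/lib/crafter-commons-security-4.2.0.jar:org/craftercms/commons/security/permissions/annotations/HasPermissionAnnotationHandler.class */
public class HasPermissionAnnotationHandler extends AbstractPermissionAnnotationHandler {
    /** Name of the request parameter that may carry the management token. */
    private static final String TOKEN_PARAMETER = "token";
    private static final I10nLogger logger = new I10nLogger((Class<?>) HasPermissionAnnotationHandler.class, "crafter.security.messages.logging");
    private static final String LOG_KEY_METHOD_INT = "security.permission.methodIntercepted";
    private static final String LOG_KEY_METHOD_INT_NO_SEC_OBJ = "security.permission.methodInterceptedNoSecObject";

    /** Shared secret that, when presented on the request, bypasses the evaluator check. */
    protected final String managementToken;

    /**
     * Creates the handler.
     *
     * @param map permission evaluators, passed unchanged to the superclass (bean property
     *            {@code permissionEvaluators})
     * @param str the management token (bean property {@code managementToken}); null or empty
     *            disables the management-token bypass
     */
    @ConstructorProperties({"permissionEvaluators", "managementToken"})
    public HasPermissionAnnotationHandler(Map<Class<?>, PermissionEvaluator<?, ?>> map, String str) {
        super(map);
        this.managementToken = str;
    }

    /**
     * Intercepts calls to types or methods annotated with {@link HasPermission} and authorizes
     * them before the target runs.
     *
     * @param proceedingJoinPoint the intercepted invocation
     * @return whatever the intercepted method returns
     * @throws ActionDeniedException if neither the management token nor the permission check
     *                               authorizes the call
     * @throws Throwable             anything thrown by the intercepted method
     */
    @Around("@within(org.craftercms.commons.security.permissions.annotations.HasPermission) || @annotation(org.craftercms.commons.security.permissions.annotations.HasPermission)")
    public Object checkPermissions(ProceedingJoinPoint proceedingJoinPoint) throws Throwable {
        Method actualMethod = AopUtils.getActualMethod(proceedingJoinPoint);
        HasPermission hasPermission = (HasPermission) getHasPermissionAnnotation(actualMethod, proceedingJoinPoint, HasPermission.class);

        // Prefer the annotated protected resource; fall back to annotated resource ids.
        Object annotatedProtectedResource = getAnnotatedProtectedResource(actualMethod, proceedingJoinPoint.getArgs());
        if (annotatedProtectedResource == null) {
            annotatedProtectedResource = getAnnotatedProtectedResourceIds(actualMethod, proceedingJoinPoint.getArgs());
        }

        if (annotatedProtectedResource != null) {
            logger.debug(LOG_KEY_METHOD_INT, actualMethod, hasPermission, annotatedProtectedResource);
        } else {
            logger.debug(LOG_KEY_METHOD_INT_NO_SEC_OBJ, actualMethod, hasPermission);
        }

        // Short-circuit order matters: a valid management token skips the evaluator entirely.
        boolean allowed = checkManagementToken(hasPermission)
                || checkPermissions(actualMethod, hasPermission, annotatedProtectedResource);
        if (!allowed) {
            if (annotatedProtectedResource != null) {
                throw new ActionDeniedException(hasPermission.action(), annotatedProtectedResource);
            }
            throw new ActionDeniedException(hasPermission.action());
        }
        return proceedingJoinPoint.proceed();
    }

    /**
     * Decides whether the current request is authorized by the management token.
     *
     * <p>Returns {@code false} unless all of the following hold: the annotation accepts the
     * management token, a non-empty token is configured, a current request exists, and its
     * {@code token} parameter matches the configured value.
     *
     * @param hasPermission the annotation governing the intercepted call
     * @return {@code true} only when the request supplies the configured management token
     */
    protected boolean checkManagementToken(HasPermission hasPermission) {
        if (!hasPermission.acceptManagementToken() || StringUtils.isEmpty(this.managementToken)) {
            return false;
        }
        RequestContext current = RequestContext.getCurrent();
        if (current == null || current.getRequest() == null) {
            return false;
        }
        String suppliedToken = current.getRequest().getParameter(TOKEN_PARAMETER);
        if (suppliedToken == null) {
            return false;
        }
        // Compare in constant time: an early-exit string comparison lets response timing
        // reveal how much of a guessed token matches the secret.
        return MessageDigest.isEqual(
                suppliedToken.getBytes(StandardCharsets.UTF_8),
                this.managementToken.getBytes(StandardCharsets.UTF_8));
    }
}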
