package com.evolveum.midpoint.web.security;

import com.evolveum.midpoint.prism.PrismObject;
import com.evolveum.midpoint.prism.delta.ObjectDelta;
import com.evolveum.midpoint.prism.query.ObjectFilter;
import com.evolveum.midpoint.schema.result.OperationResult;
import com.evolveum.midpoint.security.api.AuthorizationConstants;
import com.evolveum.midpoint.security.api.MidPointPrincipal;
import com.evolveum.midpoint.security.api.ObjectSecurityConstraints;
import com.evolveum.midpoint.security.api.OwnerResolver;
import com.evolveum.midpoint.security.api.SecurityEnforcer;
import com.evolveum.midpoint.security.api.UserProfileService;
import com.evolveum.midpoint.util.DisplayableValue;
import com.evolveum.midpoint.util.exception.SchemaException;
import com.evolveum.midpoint.util.exception.SecurityViolationException;
import com.evolveum.midpoint.util.logging.Trace;
import com.evolveum.midpoint.util.logging.TraceManager;
import com.evolveum.midpoint.web.application.DescriptorLoader;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AuthorizationPhaseType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.UserType;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Map;
import org.apache.commons.lang.StringUtils;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.authentication.InsufficientAuthenticationException;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.FilterInvocation;
import org.springframework.security.web.util.AntPathRequestMatcher;

/* loaded from: input_file:WEB-INF/classes/com/evolveum/midpoint/web/security/MidPointGuiAuthorizationEvaluator.class */
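/**
 * {@link SecurityEnforcer} decorator for the web GUI.
 *
 * <p>Every method except {@link #decide(Authentication, Object, Collection)} forwards its
 * arguments unchanged to the wrapped enforcer. {@code decide} builds its own list of required
 * action URIs from the URL patterns that match the current request and hands that list to the
 * wrapped enforcer in place of the attributes supplied by the caller.
 */
public class MidPointGuiAuthorizationEvaluator implements SecurityEnforcer {
    private static final Trace LOGGER = TraceManager.getTrace(MidPointGuiAuthorizationEvaluator.class);

    /** Enforcer that performs the actual authorization work; assigned once in the constructor. */
    private final SecurityEnforcer securityEnforcer;

    /**
     * @param securityEnforcer enforcer that every call is forwarded to
     */
    public MidPointGuiAuthorizationEvaluator(SecurityEnforcer securityEnforcer) {
        this.securityEnforcer = securityEnforcer;
    }

    /** Delegates to the wrapped enforcer. */
    @Override // com.evolveum.midpoint.security.api.SecurityEnforcer
    public UserProfileService getUserProfileService() {
        return this.securityEnforcer.getUserProfileService();
    }

    /** Delegates to the wrapped enforcer. */
    @Override // com.evolveum.midpoint.security.api.SecurityEnforcer
    public void setUserProfileService(UserProfileService userProfileService) {
        this.securityEnforcer.setUserProfileService(userProfileService);
    }

    /** Delegates to the wrapped enforcer. */
    @Override // com.evolveum.midpoint.security.api.SecurityEnforcer
    public void setupPreAuthenticatedSecurityContext(Authentication authentication) {
        this.securityEnforcer.setupPreAuthenticatedSecurityContext(authentication);
    }

    /** Delegates to the wrapped enforcer. */
    @Override // com.evolveum.midpoint.security.api.SecurityEnforcer
    public void setupPreAuthenticatedSecurityContext(PrismObject<UserType> prismObject) {
        this.securityEnforcer.setupPreAuthenticatedSecurityContext(prismObject);
    }

    /** Delegates to the wrapped enforcer. */
    @Override // com.evolveum.midpoint.security.api.SecurityEnforcer
    public boolean isAuthenticated() {
        return this.securityEnforcer.isAuthenticated();
    }

    /** Delegates to the wrapped enforcer. */
    @Override // com.evolveum.midpoint.security.api.SecurityEnforcer
    public MidPointPrincipal getPrincipal() throws SecurityViolationException {
        return this.securityEnforcer.getPrincipal();
    }

    /** Delegates to the wrapped enforcer. */
    @Override // com.evolveum.midpoint.security.api.SecurityEnforcer
    public <O extends ObjectType, T extends ObjectType> boolean isAuthorized(String str, AuthorizationPhaseType authorizationPhaseType, PrismObject<O> prismObject, ObjectDelta<O> objectDelta, PrismObject<T> prismObject2, OwnerResolver ownerResolver) throws SchemaException {
        return this.securityEnforcer.isAuthorized(str, authorizationPhaseType, prismObject, objectDelta, prismObject2, ownerResolver);
    }

    /** Delegates to the wrapped enforcer. */
    @Override // org.springframework.security.access.AccessDecisionManager
    public boolean supports(ConfigAttribute configAttribute) {
        return this.securityEnforcer.supports(configAttribute);
    }

    /** Delegates to the wrapped enforcer. */
    @Override // com.evolveum.midpoint.security.api.SecurityEnforcer
    public <O extends ObjectType, T extends ObjectType> void authorize(String str, AuthorizationPhaseType authorizationPhaseType, PrismObject<O> prismObject, ObjectDelta<O> objectDelta, PrismObject<T> prismObject2, OwnerResolver ownerResolver, OperationResult operationResult) throws SecurityViolationException, SchemaException {
        this.securityEnforcer.authorize(str, authorizationPhaseType, prismObject, objectDelta, prismObject2, ownerResolver, operationResult);
    }

    /** Delegates to the wrapped enforcer. */
    @Override // org.springframework.security.access.AccessDecisionManager
    public boolean supports(Class<?> cls) {
        return this.securityEnforcer.supports(cls);
    }

    /**
     * Decides whether the current web request may proceed.
     *
     * <p>The required actions are collected from every {@code PageUrlMapping} entry and every
     * {@code DescriptorLoader.getActions()} entry whose URL pattern matches the request. The
     * wrapped enforcer is then asked to decide on that collected list.
     *
     * <p>This method returns normally, without consulting the wrapped enforcer, when:
     * <ul>
     *   <li>{@code obj} is not a {@link FilterInvocation};</li>
     *   <li>{@code collection} is {@code null};</li>
     *   <li>no action was collected for the request (no pattern matched, or the matching
     *       entries contributed nothing).</li>
     * </ul>
     * A normal return means the request is not rejected here, so a URL without any mapping is
     * not protected by this class.
     *
     * @param authentication authentication of the caller, passed through to the wrapped enforcer
     * @param obj secured object; only {@link FilterInvocation} instances are evaluated
     * @param collection attributes configured by the caller; only tested for {@code null}, the
     *        contents are never forwarded
     * @throws AccessDeniedException declared by the interface; this method does not throw it
     *         itself, so it can only come from the wrapped enforcer
     * @throws InsufficientAuthenticationException declared by the interface; likewise only
     *         from the wrapped enforcer
     */
    @Override // org.springframework.security.access.AccessDecisionManager
    public void decide(Authentication authentication, Object obj, Collection<ConfigAttribute> collection) throws AccessDeniedException, InsufficientAuthenticationException {
        if (!(obj instanceof FilterInvocation)) {
            // NOTE(review): anything that is not a web filter invocation passes without a check.
            return;
        }
        FilterInvocation filterInvocation = (FilterInvocation) obj;
        Collection<ConfigAttribute> guiAttributes = new ArrayList<ConfigAttribute>();

        // NOTE(review): valuesCustom() is kept as found in this listing; it looks like a
        // decompiler rename of the enum's values() -- confirm against PageUrlMapping.
        for (PageUrlMapping pageUrlMapping : PageUrlMapping.valuesCustom()) {
            addSecurityConfig(filterInvocation, guiAttributes, pageUrlMapping.getUrl(), pageUrlMapping.getAction());
        }
        for (Map.Entry<String, DisplayableValue<String>[]> entry : DescriptorLoader.getActions().entrySet()) {
            addSecurityConfig(filterInvocation, guiAttributes, entry.getKey(), entry.getValue());
        }

        // Fail-open: with nothing to require, the request is let through unchecked.
        // NOTE(review): confirm that unmapped URLs are denied by another layer, or deny here.
        if (collection == null || guiAttributes.isEmpty()) {
            return;
        }

        // The previous fallback to the caller-supplied attributes could never run, because an
        // empty list already returned above; the collected list is always what gets decided on.
        this.securityEnforcer.decide(authentication, obj, guiAttributes);
    }

    /**
     * Adds the action URIs of one URL mapping to {@code collection} when the mapping's pattern
     * matches the request.
     *
     * <p>Nothing is added when the pattern does not match or when {@code displayableValueArr}
     * is {@code null}. Blank action values are skipped. Duplicates are not filtered.
     *
     * @param filterInvocation invocation whose request is matched against the pattern
     * @param collection target list of required attributes; modified in place
     * @param str Ant-style URL pattern of the mapping
     * @param displayableValueArr actions attached to the pattern, may be {@code null}
     */
    private void addSecurityConfig(FilterInvocation filterInvocation, Collection<ConfigAttribute> collection, String str, DisplayableValue<String>[] displayableValueArr) {
        if (!new AntPathRequestMatcher(str).matches(filterInvocation.getRequest()) || displayableValueArr == null) {
            return;
        }
        for (DisplayableValue<String> displayableValue : displayableValueArr) {
            String value = displayableValue.getValue();
            if (StringUtils.isBlank(value)) {
                continue;
            }
            // NOTE(review): this compares the DisplayableValue wrapper, not its String value,
            // with the permit-all constant. If the constant is a plain String the test is
            // presumably never true and the permit-all URI ends up as a required action --
            // confirm the constant's type and DisplayableValue.equals before changing it.
            if (displayableValue.equals(AuthorizationConstants.AUTZ_UI_PERMIT_ALL_URL)) {
                // Stops processing this mapping only: attributes already added to the
                // collection (by earlier actions or earlier mappings) stay in place.
                return;
            }
            collection.add(new SecurityConfig(value));
        }
    }

    /** Delegates to the wrapped enforcer. */
    @Override // com.evolveum.midpoint.security.api.SecurityEnforcer
    public <O extends ObjectType> ObjectSecurityConstraints compileSecurityConstraints(PrismObject<O> prismObject, OwnerResolver ownerResolver) throws SchemaException {
        return this.securityEnforcer.compileSecurityConstraints(prismObject, ownerResolver);
    }

    /** Delegates to the wrapped enforcer. */
    @Override // com.evolveum.midpoint.security.api.SecurityEnforcer
    public <T extends ObjectType, O extends ObjectType> ObjectFilter preProcessObjectFilter(String str, AuthorizationPhaseType authorizationPhaseType, Class<T> cls, PrismObject<O> prismObject, ObjectFilter objectFilter) throws SchemaException {
        return this.securityEnforcer.preProcessObjectFilter(str, authorizationPhaseType, cls, prismObject, objectFilter);
    }
}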
