package ch.vd.shared.iam.web.filter.autorization;

import java.io.IOException;
import java.util.Collection;
import java.util.Objects;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.InitializingBean;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.authentication.AuthenticationCredentialsNotFoundException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.FilterInvocation;
import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource;

/* loaded from: input_file:ch/vd/shared/iam/web/filter/autorization/ByRoleUrlAutorizationSpringFilter.class */
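/**
 * Servlet filter that authorizes each request against the {@link ConfigAttribute}s returned for
 * it by the configured {@link FilterInvocationSecurityMetadataSource}.
 *
 * <p>Decision order, as implemented in {@code authorize}: the attributes are scanned in iteration
 * order; {@link #IS_DENIED} rejects, {@link #IS_ANONYMOUS} accepts, and
 * {@link #IS_AUTHENTICATED_FULLY} accepts when {@link Authentication#isAuthenticated()} is true.
 * If none of these ends the scan, access is granted only when a granted authority of the caller
 * is contained in one of the attribute strings.
 *
 * <p>This filter throws on denial and does not translate the exception into an HTTP response
 * itself; that is left to whatever surrounds it in the filter chain.
 */
public class ByRoleUrlAutorizationSpringFilter implements Filter, InitializingBean {
    private static final Logger LOGGER = LoggerFactory.getLogger(ByRoleUrlAutorizationSpringFilter.class);
    private static final int ACCESS_GRANTED = 1;
    private static final int ACCESS_DENIED = -1;

    /** Attribute value that grants access when the current authentication reports itself authenticated. */
    public static final String IS_AUTHENTICATED_FULLY = "IS_AUTHENTICATED_FULLY";

    /** Attribute value that grants access without any check on the caller. */
    public static final String IS_ANONYMOUS = "IS_ANONYMOUS";

    /** Attribute value that rejects the request with an {@link AccessDeniedException}. */
    public static final String IS_DENIED = "IS_DENIED";

    private FilterInvocationSecurityMetadataSource securityMetadataSource;

    /** No initialisation is performed; configuration arrives through the bean setter. */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
    }

    /** Nothing to release. */
    @Override
    public void destroy() {
    }

    /**
     * Fails fast at bean initialisation when no metadata source has been injected.
     *
     * @throws NullPointerException if {@code securityMetadataSource} was never set
     */
    @Override
    public void afterPropertiesSet() {
        Objects.requireNonNull(this.securityMetadataSource, "An SecurityMetadataSource is required");
    }

    /**
     * Runs the authorization check and, only if it does not throw, passes the request on.
     *
     * <p>Authorization failures surface as unchecked exceptions from {@link #checkAutorization};
     * they are not caught here, so the rest of the chain is never invoked for a denied request.
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        checkAutorization(new FilterInvocation(servletRequest, servletResponse, filterChain));
        filterChain.doFilter(servletRequest, servletResponse);
    }

    /**
     * Looks up the attributes configured for the invocation and authorizes the current
     * {@link Authentication} against them.
     *
     * @param filterInvocation the request being checked; must not be {@code null}
     * @throws IllegalArgumentException if the metadata source has no attributes for the request
     *         (requests without a mapping are rejected rather than treated as public)
     * @throws AuthenticationCredentialsNotFoundException if the security context holds no authentication
     * @throws AccessDeniedException if the attributes do not allow the current authentication
     */
    protected void checkAutorization(FilterInvocation filterInvocation) {
        Objects.requireNonNull(filterInvocation, "Object was null");
        Collection<ConfigAttribute> attributes = this.securityMetadataSource.getAttributes(filterInvocation);
        if (attributes == null) {
            // Fail closed: an unmapped URL is an error, not an implicit "permit all".
            throw new IllegalArgumentException("Secure object invocation " + filterInvocation + " was denied as public invocations are not allowed via this interceptor");
        }
        // Parameterized logging: the message is only built when debug is enabled.
        LOGGER.debug("Secure object: {}; Attributes: {}", filterInvocation, attributes);
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        if (authentication == null) {
            // Always throws, so authorize() below is never reached with a null authentication.
            credentialsNotFound("An Authentication object was not found in the SecurityContext", filterInvocation, attributes);
        }
        authorize(filterInvocation, authentication, attributes);
        LOGGER.debug("Authorization successful");
    }

    /**
     * Applies the marker attributes first and falls back to role matching.
     *
     * @throws AccessDeniedException if an {@link #IS_DENIED} attribute is reached or no role matches
     */
    private void authorize(FilterInvocation filterInvocation, Authentication authentication, Collection<ConfigAttribute> collection) {
        Objects.requireNonNull(authentication, "auth cannot be null");
        // NOTE(review): the scan is order-dependent. An IS_ANONYMOUS or satisfied
        // IS_AUTHENTICATED_FULLY attribute that precedes IS_DENIED in the collection returns
        // before the deny is seen. Confirm the metadata source never mixes them, or that
        // first-match (rather than deny-overrides) is the intended policy.
        for (ConfigAttribute configAttribute : collection) {
            String attribute = configAttribute.getAttribute();
            if (IS_DENIED.equals(attribute)) {
                throw new AccessDeniedException("Access is denied");
            }
            // NOTE(review): isAuthenticated() is the only test behind IS_AUTHENTICATED_FULLY.
            // Whether anonymous or remember-me tokens report true depends on the Authentication
            // implementations in use; verify this matches the "fully authenticated" intent.
            if ((IS_AUTHENTICATED_FULLY.equals(attribute) && authentication.isAuthenticated()) || IS_ANONYMOUS.equals(attribute)) {
                return;
            }
        }
        if (authorizeOnRoles(filterInvocation, authentication, collection) == ACCESS_DENIED) {
            throw new AccessDeniedException("Access is denied");
        }
    }

    /**
     * Grants access when any non-empty granted authority of the caller occurs inside any
     * attribute string.
     *
     * @return {@code ACCESS_GRANTED} on the first match, otherwise {@code ACCESS_DENIED}
     *         (including when either collection is empty)
     */
    private int authorizeOnRoles(FilterInvocation filterInvocation, Authentication authentication, Collection<ConfigAttribute> collection) {
        Collection<? extends GrantedAuthority> authorities = authentication.getAuthorities();
        for (ConfigAttribute configAttribute : collection) {
            String attribute = configAttribute.getAttribute();
            if (attribute == null) {
                continue;
            }
            for (GrantedAuthority grantedAuthority : authorities) {
                String authority = grantedAuthority.getAuthority();
                // An empty authority must never grant access: String.contains("") is true for
                // every attribute, so without this guard it would match every protected URL.
                if (authority == null || authority.isEmpty()) {
                    continue;
                }
                // NOTE(review): this is a substring test, not an equality test. An authority
                // whose name is a fragment of a longer configured role name also matches.
                // The attribute format is not visible here (it may be a delimited role list);
                // if it is, split on the delimiter and compare tokens with equals().
                if (attribute.contains(authority)) {
                    return ACCESS_GRANTED;
                }
            }
        }
        return ACCESS_DENIED;
    }

    /**
     * Signals a missing authentication. Never returns normally.
     *
     * @param str the exception message; the remaining parameters are unused
     * @throws AuthenticationCredentialsNotFoundException always
     */
    private void credentialsNotFound(String str, Object obj, Collection<ConfigAttribute> collection) {
        throw new AuthenticationCredentialsNotFoundException(str);
    }

    /** Injects the source of per-request attributes; required before {@link #afterPropertiesSet()}. */
    public void setSecurityMetadataSource(FilterInvocationSecurityMetadataSource filterInvocationSecurityMetadataSource) {
        this.securityMetadataSource = filterInvocationSecurityMetadataSource;
    }
}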
