package com.logitags.cibet.actuator.springsecurity;

import com.logitags.cibet.actuator.AbstractActuator;
import com.logitags.cibet.actuator.DeniedException;
import com.logitags.cibet.context.Context;
import com.logitags.cibet.context.InternalSessionScope;
import com.logitags.cibet.core.EventMetadata;
import com.logitags.cibet.core.ExecutionStatus;
import com.logitags.cibet.resource.Resource;
import com.logitags.cibet.sensor.http.HttpRequestResourceHandler;
import java.lang.reflect.InvocationTargetException;
import java.util.Iterator;
import java.util.StringTokenizer;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.beans.BeansException;
import org.springframework.beans.factory.NoSuchBeanDefinitionException;
import org.springframework.context.ApplicationContext;
import org.springframework.context.ApplicationContextAware;
import org.springframework.security.access.AccessDecisionVoter;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor;
import org.springframework.security.access.method.MethodSecurityMetadataSource;
import org.springframework.security.access.vote.AbstractAccessDecisionManager;
import org.springframework.security.authentication.AuthenticationCredentialsNotFoundException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.access.expression.WebExpressionVoter;
import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource;
import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;
import org.springframework.stereotype.Component;

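/**
 * Actuator that delegates Cibet access decisions to Spring Security.
 *
 * <p>For method invocations the configured rules ({@code preAuthorize}, {@code preFilter},
 * {@code secured} and the JSR-250 style {@code denyAll}/{@code permitAll}/{@code rolesAllowed})
 * are attached to a {@link CibetMethodInvocation} and evaluated by the
 * {@link MethodSecurityInterceptor} bean of the Spring context before the event;
 * {@code postAuthorize}/{@code postFilter} are evaluated after it. HTTP requests are checked
 * through the {@link FilterSecurityInterceptor} bean using the {@code urlAccess} rule.
 *
 * <p>A denied check marks the event as {@link ExecutionStatus#DENIED} and, when
 * {@code throwDeniedException} is set, attaches an instance of the resolved
 * {@link DeniedException} type to the event.
 *
 * <p>When {@code secondPrincipal} is set, the check runs under the {@link Authentication}
 * stored in the Cibet session scope under {@link InternalSessionScope#SECOND_PRINCIPAL}. The
 * thread's previous authentication (possibly none) is put back once the check has finished,
 * whatever its outcome, so the second principal never outlives the check.
 *
 * <p>The Spring {@link ApplicationContext} is kept in a static field, i.e. it is shared by all
 * actuator instances in the JVM; the last {@link #setApplicationContext} call wins.
 *
 * <p>Side effect on shared beans: on first use the interceptor beans' metadata sources are
 * wrapped by the Cibet delegating variants (see {@link #initInterceptor}).
 */
@Component
public class SpringSecurityActuator extends AbstractActuator implements ApplicationContextAware {
    private static final long serialVersionUID = 6164954567965544101L;
    private static final Log log = LogFactory.getLog(SpringSecurityActuator.class);

    /** Matches {@code hasRole(X)} with optional single/double quotes around X; group 1 is the bare role. */
    private static final Pattern HAS_ROLE_PATTERN = Pattern.compile(
            "hasRole\\s*\\(\\s*'?\"?(.*?)\"?'?\\s*\\)", Pattern.CASE_INSENSITIVE);
    /** Matches {@code hasAnyRole(...)}; group 1 is the raw, possibly quoted, comma-separated role list. */
    private static final Pattern HAS_ANY_ROLE_PATTERN = Pattern.compile(
            "hasAnyRole\\s*\\((\\s*'?\"?.*?\"?'?\\s*)\\)", Pattern.CASE_INSENSITIVE);

    public static final String DEFAULTNAME = "SPRING_SECURITY";

    /** Spring context shared by every actuator instance; set through {@link #setApplicationContext}. */
    private static ApplicationContext context;

    /** Exception type created on denial when {@link #throwDeniedException} is set; resolved in the setter. */
    private Class<? extends DeniedException> deniedExceptionType;
    private String preAuthorize;
    private String preFilter;
    private String postAuthorize;
    private String postFilter;
    private String secured;
    private String rolesAllowed;
    private String urlAccess;
    /** True when the context's access decision manager has a {@link WebExpressionVoter}, see {@link #checkUrlAccessExpression}. */
    private boolean urlAccessExpression;
    private boolean throwDeniedException = false;
    private Boolean denyAll = false;
    private Boolean permitAll = false;
    private boolean secondPrincipal = false;

    /** Creates an actuator named {@link #DEFAULTNAME}. */
    public SpringSecurityActuator() {
        this(DEFAULTNAME);
    }

    /**
     * Creates an actuator with the given name.
     *
     * @param name actuator name passed to {@code setName}
     */
    public SpringSecurityActuator(String name) {
        setName(name);
    }

    /**
     * Runs the pre-invocation check: HTTP resources go through {@link #beforeHttp}, everything
     * else is wrapped into a {@link CibetMethodInvocation} and handed to {@link #before}.
     *
     * @param eventMetadata the event to check
     */
    @Override
    public void beforeEvent(EventMetadata eventMetadata) {
        Resource resource = eventMetadata.getResource();
        if (resource.getResourceHandler() instanceof HttpRequestResourceHandler) {
            beforeHttp(eventMetadata, resource);
            return;
        }
        CibetMethodInvocation invocation = new CibetMethodInvocation(resource.getObject(),
                resource.getMethodObject(), unencodedArguments(resource),
                eventMetadata.getConfig().getSetpointIds() + getName(), null);
        before(eventMetadata, invocation);
    }

    /**
     * Runs the post-invocation check for invoke-type control events; events that ended in
     * {@link ExecutionStatus#ERROR} and all other control events are skipped.
     *
     * @param eventMetadata the event to check
     */
    @Override
    public void afterEvent(EventMetadata eventMetadata) {
        if (eventMetadata.getExecutionStatus() == ExecutionStatus.ERROR) {
            log.info("ERROR detected. Skip afterEvent of " + getClass().getSimpleName());
            return;
        }
        switch (eventMetadata.getControlEvent()) {
            case INVOKE:
            case RELEASE_INVOKE:
            case FIRST_RELEASE_INVOKE:
            case REJECT_INVOKE:
            case REDO:
            case SUBMIT_INVOKE:
            case PASSBACK_INVOKE:
                afterInvoke(eventMetadata);
                return;
            default:
                return;
        }
    }

    /**
     * Evaluates {@code postAuthorize}/{@code postFilter} against the invocation result. The
     * resource's result object is replaced by whatever the interceptor returns; it is cleared
     * before the check so a denial never leaves the unchecked result on the resource.
     *
     * @param eventMetadata the event whose resource carries the result object
     * @throws RuntimeException when the interceptor bean is missing or the check fails for a
     *         reason other than denial (the cause is attached)
     */
    public void afterInvoke(EventMetadata eventMetadata) {
        Resource resource = eventMetadata.getResource();
        if (resource.getResourceHandler() instanceof HttpRequestResourceHandler) {
            return;
        }
        if (this.postAuthorize == null && this.postFilter == null) {
            log.debug("no post-invocation rules defined");
            return;
        }
        CibetMethodInvocation invocation = new CibetMethodInvocation(resource.getTarget(),
                resource.getMethodObject(), unencodedArguments(resource),
                eventMetadata.getConfig().getSetpointIds() + getName(), resource.getResultObject());
        if (this.preAuthorize != null) {
            invocation.addRule(CibetMethodInvocation.PREAUTHORIZE_RULE, this.preAuthorize);
        }
        if (this.preFilter != null) {
            invocation.addRule(CibetMethodInvocation.PREFILTER_RULE, this.preFilter);
        }
        if (this.postAuthorize != null) {
            invocation.addRule(CibetMethodInvocation.POSTAUTHORIZE_RULE, this.postAuthorize);
        }
        if (this.postFilter != null) {
            invocation.addRule(CibetMethodInvocation.POSTFILTER_RULE, this.postFilter);
        }

        MethodSecurityInterceptor interceptor = methodSecurityInterceptor();
        Authentication original = null;
        boolean swapped = false;
        try {
            if (this.secondPrincipal) {
                original = swapAuthentication();
                swapped = true;
            }
            resource.setResultObject(null);
            resource.setResultObject(interceptor.invoke(invocation));
            log.debug("Access granted after method");
        } catch (AccessDeniedException e) {
            handleDeniedException(eventMetadata, e);
        } catch (AuthenticationCredentialsNotFoundException e) {
            handleDeniedException(eventMetadata, e);
        } catch (Throwable th) {
            throw unexpected(th);
        } finally {
            restoreAuthentication(swapped, original);
        }
    }

    /**
     * Makes sure the interceptor's metadata source is the Cibet delegating one. The shared
     * interceptor bean is mutated: its original source is wrapped, not discarded. Idempotent.
     *
     * @param methodSecurityInterceptor the context's interceptor bean
     * @throws RuntimeException when the interceptor has no metadata source at all
     */
    protected void initInterceptor(MethodSecurityInterceptor methodSecurityInterceptor) {
        MethodSecurityMetadataSource source = methodSecurityInterceptor.getSecurityMetadataSource();
        if (source == null) {
            String msg = "Configuration error: MethodSecurityInterceptor bean has not set an instance SecurityMetadataSource";
            log.error(msg);
            throw new RuntimeException(msg);
        }
        if (source instanceof CibetDelegatingMethodSecurityMetadataSource) {
            return; // already wrapped
        }
        CibetDelegatingMethodSecurityMetadataSource delegating = new CibetDelegatingMethodSecurityMetadataSource();
        delegating.setOriginalMetadataSource(source);
        methodSecurityInterceptor.setSecurityMetadataSource(delegating);
        log.debug("replace existing " + source.getClass().getName() + " against CibetDelegatingMethodSecurityMetadataSource");
    }

    /**
     * Filter-chain counterpart of {@link #initInterceptor(MethodSecurityInterceptor)}: wraps the
     * filter interceptor's metadata source in a {@link CibetFilterInvocationSecurityMetadataSource}.
     *
     * @param filterSecurityInterceptor the context's interceptor bean
     * @throws RuntimeException when the interceptor has no metadata source at all
     */
    protected void initInterceptor(FilterSecurityInterceptor filterSecurityInterceptor) {
        FilterInvocationSecurityMetadataSource source = filterSecurityInterceptor.getSecurityMetadataSource();
        if (source == null) {
            String msg = "Configuration error: FilterSecurityInterceptor bean has not set an instance SecurityMetadataSource";
            log.error(msg);
            throw new RuntimeException(msg);
        }
        if (source instanceof CibetFilterInvocationSecurityMetadataSource) {
            return; // already wrapped
        }
        filterSecurityInterceptor.setSecurityMetadataSource(new CibetFilterInvocationSecurityMetadataSource(source));
        log.debug("replace existing " + source.getClass().getName() + " against CibetFilterInvocationSecurityMetadataSource");
    }

    /**
     * Normalises role expressions so that Spring's EL parser accepts them: every element of a
     * {@code hasAnyRole(...)} list is trimmed and single-quoted, and {@code hasRole(X)} becomes
     * {@code hasRole('X')} regardless of the quoting used in the configuration.
     *
     * @param rule the configured rule; {@code null} and {@code ""} are returned unchanged
     * @return the rewritten rule (also written to the debug log)
     */
    protected String fixRule(String rule) {
        if (rule == null || rule.length() == 0) {
            return rule;
        }
        String trimmed = rule.trim();
        Matcher anyRole = HAS_ANY_ROLE_PATTERN.matcher(trimmed);
        StringBuilder out = new StringBuilder(trimmed.length());
        int copiedUpTo = 0;
        while (anyRole.find()) {
            // keep everything up to the role list (incl. "hasAnyRole(") and replace only the list
            out.append(trimmed, copiedUpTo, anyRole.start(1));
            out.append(quoteRoleList(anyRole.group(1)));
            copiedUpTo = anyRole.end(1);
        }
        out.append(trimmed, copiedUpTo, trimmed.length());
        String fixed = HAS_ROLE_PATTERN.matcher(out).replaceAll("hasRole('$1')");
        log.debug(fixed);
        return fixed;
    }

    /**
     * Rewrites a raw {@code hasAnyRole} argument list as {@code 'A', 'B', ...}. Existing quotes
     * are stripped first; empty items between consecutive commas are dropped (StringTokenizer
     * semantics), while an item consisting only of blanks becomes {@code ''}.
     */
    private static String quoteRoleList(String rawList) {
        StringBuilder quoted = new StringBuilder();
        StringTokenizer tokens = new StringTokenizer(rawList.replaceAll("[\"']", ""), ",");
        while (tokens.hasMoreTokens()) {
            if (quoted.length() > 0) {
                quoted.append(", ");
            }
            quoted.append('\'').append(tokens.nextToken().trim()).append('\'');
        }
        return quoted.toString();
    }

    /**
     * Stores the Spring context in the static, JVM-wide field used by all instances.
     *
     * @param applicationContext the context this bean lives in
     */
    public void setApplicationContext(ApplicationContext applicationContext) throws BeansException {
        log.debug("setting context " + applicationContext);
        context = applicationContext;
    }

    public boolean isThrowDeniedException() {
        return this.throwDeniedException;
    }

    /**
     * Enables or disables attaching a {@link DeniedException} to denied events. The exception
     * type is resolved eagerly when enabling; disabling leaves the previously resolved type in place.
     *
     * @param throwDeniedException whether denials should carry an exception
     */
    public void setThrowDeniedException(boolean throwDeniedException) {
        this.throwDeniedException = throwDeniedException;
        if (this.throwDeniedException) {
            this.deniedExceptionType = resolveDeniedExceptionType();
        }
    }

    /**
     * Evaluates the pre-invocation rules through the {@link MethodSecurityInterceptor} bean.
     * Without any configured rule the check is skipped with a warning.
     *
     * @param eventMetadata the event; marked DENIED on an access or credentials failure
     * @param cibetMethodInvocation the invocation the rules are attached to
     * @throws RuntimeException when the interceptor bean is missing or the check fails for a
     *         reason other than denial (the cause is attached)
     */
    protected void before(EventMetadata eventMetadata, CibetMethodInvocation cibetMethodInvocation) {
        if (!hasBeforeRules()) {
            log.warn("no before access rules defined");
            return;
        }
        if (log.isDebugEnabled()) {
            log.debug("[secondPrincipal: " + this.secondPrincipal + "]\n" + CibetMethodInvocation.PREAUTHORIZE_RULE + ": " + this.preAuthorize + ", " + CibetMethodInvocation.PREFILTER_RULE + ": " + this.preFilter + ", " + CibetMethodInvocation.SECURED_RULE + ": " + this.secured + ", " + CibetMethodInvocation.JSR250_DENYALL_RULE + ": " + this.denyAll + ", " + CibetMethodInvocation.JSR250_PERMITALL_RULE + ": " + this.permitAll + ", " + CibetMethodInvocation.JSR250_ROLESALLOWED_RULE + ": " + this.rolesAllowed);
        }
        if (this.preAuthorize != null) {
            cibetMethodInvocation.addRule(CibetMethodInvocation.PREAUTHORIZE_RULE, this.preAuthorize);
        }
        if (this.preFilter != null) {
            cibetMethodInvocation.addRule(CibetMethodInvocation.PREFILTER_RULE, this.preFilter);
        }
        if (this.secured != null) {
            cibetMethodInvocation.addRule(CibetMethodInvocation.SECURED_RULE, this.secured);
        }
        if (this.denyAll.booleanValue()) {
            cibetMethodInvocation.addRule(CibetMethodInvocation.JSR250_DENYALL_RULE, "true");
        }
        if (this.permitAll.booleanValue()) {
            cibetMethodInvocation.addRule(CibetMethodInvocation.JSR250_PERMITALL_RULE, "true");
        }
        if (this.rolesAllowed != null) {
            cibetMethodInvocation.addRule(CibetMethodInvocation.JSR250_ROLESALLOWED_RULE, this.rolesAllowed);
        }

        MethodSecurityInterceptor interceptor = methodSecurityInterceptor();
        Authentication original = null;
        boolean swapped = false;
        try {
            if (this.secondPrincipal) {
                original = swapAuthentication();
                swapped = true;
            }
            log.debug("before interceptor invoke");
            interceptor.invoke(cibetMethodInvocation);
            log.debug("Access granted");
        } catch (AccessDeniedException e) {
            handleDeniedException(eventMetadata, e);
        } catch (AuthenticationCredentialsNotFoundException e) {
            handleDeniedException(eventMetadata, e);
        } catch (Throwable th) {
            throw unexpected(th);
        } finally {
            restoreAuthentication(swapped, original);
        }
    }

    /** True when at least one pre-invocation rule is configured. */
    private boolean hasBeforeRules() {
        return this.preAuthorize != null || this.preFilter != null || this.secured != null
                || this.denyAll.booleanValue() || this.permitAll.booleanValue() || this.rolesAllowed != null;
    }

    /**
     * Records a denial: sets the event to {@link ExecutionStatus#DENIED}, logs the affected user
     * (the second principal when that mode is active) and, if configured, attaches a
     * {@link DeniedException} built through the {@code (String, Throwable, String)} constructor.
     *
     * @param eventMetadata the denied event
     * @param cause the Spring Security exception that signalled the denial
     * @throws IllegalStateException when exceptions are requested but no type was resolved
     * @throws RuntimeException when the exception type cannot be instantiated reflectively
     */
    private void handleDeniedException(EventMetadata eventMetadata, RuntimeException cause) {
        eventMetadata.setExecutionStatus(ExecutionStatus.DENIED);
        String user = this.secondPrincipal
                ? Context.internalSessionScope().getSecondUser()
                : Context.internalSessionScope().getUser();
        log.warn("Access denied for user " + user + ": " + cause.getMessage());
        if (!this.throwDeniedException) {
            return;
        }
        if (this.deniedExceptionType == null) {
            throw new IllegalStateException("throwDeniedException is set but no DeniedException type has been resolved");
        }
        try {
            DeniedException denied = this.deniedExceptionType
                    .getConstructor(String.class, Throwable.class, String.class)
                    .newInstance(cause.getMessage(), cause, user);
            eventMetadata.setException(denied);
        } catch (NoSuchMethodException e) {
            throw new RuntimeException(e);
        } catch (InstantiationException e) {
            throw new RuntimeException(e);
        } catch (IllegalAccessException e) {
            throw new RuntimeException(e);
        } catch (InvocationTargetException e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Evaluates the {@code urlAccess} rule for an HTTP request through the
     * {@link FilterSecurityInterceptor} bean, using dummy response and filter chain objects so
     * that only the access decision runs. Without a rule the check is skipped.
     *
     * @param eventMetadata the event; marked DENIED on an access or credentials failure
     * @param resource the HTTP resource providing the request
     * @throws RuntimeException when the interceptor bean is missing or the check fails for a
     *         reason other than denial (the cause is attached)
     */
    protected void beforeHttp(EventMetadata eventMetadata, Resource resource) {
        log.debug(this + ", context=" + context);
        if (this.urlAccess == null) {
            log.debug("no access rules defined");
            return;
        }
        CibetFilterInvocation invocation = new CibetFilterInvocation(
                new DummyServletRequest(resource.getHttpRequest()), new DummyServletResponse(), new DummyFilterChain());
        if (this.urlAccessExpression) {
            log.debug("create CibetFilterInvocation with access expression rule: " + this.urlAccess);
            invocation.setAccessRuleExpression(this.urlAccess);
        } else {
            log.debug("create CibetFilterInvocation with simple access rule: " + this.urlAccess);
            invocation.setAccessRule(this.urlAccess);
        }

        FilterSecurityInterceptor interceptor = filterSecurityInterceptor();
        Authentication original = null;
        boolean swapped = false;
        try {
            if (this.secondPrincipal) {
                original = swapAuthentication();
                swapped = true;
            }
            log.debug("before interceptor invoke");
            interceptor.invoke(invocation);
            log.debug("Access granted");
        } catch (AccessDeniedException e) {
            handleDeniedException(eventMetadata, e);
        } catch (AuthenticationCredentialsNotFoundException e) {
            handleDeniedException(eventMetadata, e);
        } catch (Throwable th) {
            throw unexpected(th);
        } finally {
            restoreAuthentication(swapped, original);
        }
    }

    /** Looks up and initialises the context's {@link MethodSecurityInterceptor} bean. */
    private MethodSecurityInterceptor methodSecurityInterceptor() {
        MethodSecurityInterceptor interceptor;
        try {
            interceptor = applicationContext().getBean(MethodSecurityInterceptor.class);
        } catch (NoSuchBeanDefinitionException e) {
            throw missingBean("MethodSecurityInterceptor", e);
        }
        initInterceptor(interceptor);
        return interceptor;
    }

    /** Looks up and initialises the context's {@link FilterSecurityInterceptor} bean. */
    private FilterSecurityInterceptor filterSecurityInterceptor() {
        FilterSecurityInterceptor interceptor;
        try {
            interceptor = applicationContext().getBean(FilterSecurityInterceptor.class);
        } catch (NoSuchBeanDefinitionException e) {
            throw missingBean("FilterSecurityInterceptor", e);
        }
        initInterceptor(interceptor);
        return interceptor;
    }

    /** Returns the shared context, failing loudly instead of with a bare NPE when it was never set. */
    private static ApplicationContext applicationContext() {
        if (context == null) {
            throw new IllegalStateException("No Spring ApplicationContext set on SpringSecurityActuator; setApplicationContext() has not been called");
        }
        return context;
    }

    /** Builds the configuration error for a missing interceptor bean (logged and returned to be thrown). */
    private static RuntimeException missingBean(String beanType, NoSuchBeanDefinitionException cause) {
        String msg = "Failed to find a " + beanType + " bean in Spring context. Configure Spring context correctly: " + cause.getMessage();
        log.error(msg);
        return new RuntimeException(msg, cause);
    }

    /**
     * Logs and wraps an unexpected failure of a security check. The cause is kept on the wrapper
     * so the failing check remains diagnosable from the stack trace.
     */
    private static RuntimeException unexpected(Throwable th) {
        log.error(th.getMessage(), th);
        return new RuntimeException(th.getMessage(), th);
    }

    /**
     * Puts the thread's previous authentication back after a second-principal check. Runs even
     * when that previous value was {@code null}, so the second principal does not remain on the
     * thread once the check is over.
     */
    private static void restoreAuthentication(boolean swapped, Authentication original) {
        if (swapped) {
            SecurityContextHolder.getContext().setAuthentication(original);
        }
    }

    /**
     * Collects the unencoded parameter values of a resource as the invocation argument array.
     */
    private static Object[] unencodedArguments(Resource resource) {
        int count = resource.getParameters().size();
        Object[] args = new Object[count];
        for (int i = 0; i < count; i++) {
            args[i] = resource.getParameters().get(i).getUnencodedValue();
        }
        return args;
    }

    public String getPreAuthorize() {
        return this.preAuthorize;
    }

    /** @param rule the pre-authorize rule; normalised by {@link #fixRule} */
    public void setPreAuthorize(String rule) {
        this.preAuthorize = fixRule(rule);
    }

    public String getPreFilter() {
        return this.preFilter;
    }

    /** @param rule the pre-filter rule; normalised by {@link #fixRule} */
    public void setPreFilter(String rule) {
        this.preFilter = fixRule(rule);
    }

    public String getPostAuthorize() {
        return this.postAuthorize;
    }

    /** @param rule the post-authorize rule; normalised by {@link #fixRule} */
    public void setPostAuthorize(String rule) {
        this.postAuthorize = fixRule(rule);
    }

    public String getPostFilter() {
        return this.postFilter;
    }

    /** @param rule the post-filter rule; normalised by {@link #fixRule} */
    public void setPostFilter(String rule) {
        this.postFilter = fixRule(rule);
    }

    public String getSecured() {
        return this.secured;
    }

    /** @param rule the {@code @Secured}-style rule, stored verbatim */
    public void setSecured(String rule) {
        this.secured = rule;
    }

    public Boolean getDenyAll() {
        return this.denyAll;
    }

    /**
     * Sets the JSR-250 {@code denyAll} rule. {@code null} counts as {@code true}; enabling it
     * switches {@code permitAll} off since the two are mutually exclusive.
     *
     * @param denyAll the flag, or {@code null} for {@code true}
     */
    public void setDenyAll(Boolean denyAll) {
        this.denyAll = denyAll == null ? Boolean.TRUE : denyAll;
        if (this.denyAll.booleanValue()) {
            this.permitAll = Boolean.FALSE;
        }
    }

    public Boolean getPermitAll() {
        return this.permitAll;
    }

    /**
     * Sets the JSR-250 {@code permitAll} rule. Note that {@code null} counts as {@code true},
     * i.e. configuring the property without a value grants access; enabling it switches
     * {@code denyAll} off.
     *
     * @param permitAll the flag, or {@code null} for {@code true}
     */
    public void setPermitAll(Boolean permitAll) {
        this.permitAll = permitAll == null ? Boolean.TRUE : permitAll;
        if (this.permitAll.booleanValue()) {
            this.denyAll = Boolean.FALSE;
        }
    }

    public String getRolesAllowed() {
        return this.rolesAllowed;
    }

    /** @param roles the JSR-250 {@code rolesAllowed} rule, stored verbatim */
    public void setRolesAllowed(String roles) {
        this.rolesAllowed = roles;
    }

    public String getUrlAccess() {
        return this.urlAccess;
    }

    /**
     * Sets the URL access rule and decides, from the Spring context, whether it is evaluated as
     * an EL expression or as a simple rule. Requires the application context to be set.
     *
     * @param rule the URL access rule; normalised by {@link #fixRule}
     */
    public void setUrlAccess(String rule) {
        this.urlAccess = fixRule(rule);
        checkUrlAccessExpression();
    }

    public Class<? extends DeniedException> getDeniedExceptionType() {
        return this.deniedExceptionType;
    }

    /**
     * Sets {@link #urlAccessExpression} to true when any {@link AbstractAccessDecisionManager}
     * bean in the context carries a {@link WebExpressionVoter}. Only beans of that type are
     * instantiated by the lookup, rather than every bean in the context.
     */
    private void checkUrlAccessExpression() {
        log.debug("check if URL access expressions are allowed");
        for (AbstractAccessDecisionManager manager
                : applicationContext().getBeansOfType(AbstractAccessDecisionManager.class).values()) {
            for (Object voter : manager.getDecisionVoters()) {
                if (voter instanceof WebExpressionVoter) {
                    log.debug("parse urlAccess as EL expression");
                    this.urlAccessExpression = true;
                    return;
                }
            }
        }
        log.debug("parse urlAccess as simple expression");
        this.urlAccessExpression = false;
    }

    /**
     * Installs the second principal from the Cibet session scope as the thread's current
     * authentication. Callers must only invoke this when {@link #secondPrincipal} is set and are
     * responsible for restoring the returned value afterwards.
     *
     * @return the authentication that was current before the swap, possibly {@code null}
     * @throws AuthenticationCredentialsNotFoundException when no second principal is stored
     * @throws AccessDeniedException when the stored value is not an {@link Authentication}
     */
    private Authentication swapAuthentication() {
        Object candidate = Context.internalSessionScope().getProperty(InternalSessionScope.SECOND_PRINCIPAL);
        if (candidate == null) {
            throw new AuthenticationCredentialsNotFoundException("No Authentication object found in CibetContext.getSecondPrincipal()");
        }
        if (!(candidate instanceof Authentication)) {
            throw new AccessDeniedException("CibetContext.getSecondPrincipal() is expected to be of type " + Authentication.class.getName() + " but is of type " + candidate.getClass().getName());
        }
        log.debug("SpringSecurity actuator for second principal " + candidate);
        Authentication previous = SecurityContextHolder.getContext().getAuthentication();
        SecurityContextHolder.getContext().setAuthentication((Authentication) candidate);
        return previous;
    }

    public boolean isSecondPrincipal() {
        return this.secondPrincipal;
    }

    /** @param secondPrincipal whether checks run under the session's second principal */
    public void setSecondPrincipal(boolean secondPrincipal) {
        this.secondPrincipal = secondPrincipal;
    }
}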
