package org.apache.syncope.core.misc.security;

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import org.apache.commons.collections4.IterableUtils;
import org.apache.commons.collections4.Predicate;
import org.apache.commons.lang3.ArrayUtils;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestWrapper;

/* loaded from: input_file:org/apache/syncope/core/misc/security/MustChangePasswordFilter.class */
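/**
 * Servlet filter that refuses read access to users who still have to change their password.
 *
 * <p>When the request is a {@link SecurityContextHolderAwareRequestWrapper}, the current
 * authentication carries the {@code MUST_CHANGE_PASSWORD} authority, the HTTP method is
 * {@code GET} and the request's path info is not one of {@link #ALLOWED}, the filter throws
 * {@link AccessDeniedException}. Every other request is handed to the rest of the chain.
 *
 * <p>NOTE(review): only {@code GET} is gated here. Requests using any other method (including
 * {@code HEAD}) are passed down the chain even for a flagged user, so restricting those depends
 * on authorization enforced elsewhere; confirm against the security configuration.
 *
 * <p>NOTE(review): the exception is thrown, not turned into a response, so this filter presumably
 * sits behind a component that maps {@link AccessDeniedException} to an HTTP status; confirm
 * against the filter chain order.
 */
public class MustChangePasswordFilter implements Filter {

    /** Authority name that marks an authentication as "password change required". */
    private static final String MUST_CHANGE_PASSWORD = "MUST_CHANGE_PASSWORD";

    /**
     * Path-info values a flagged user may still {@code GET}. The comparison is exact string
     * equality, so any variation of these paths (for instance a trailing slash) is refused.
     */
    private static final String[] ALLOWED = {"/users/self", "/users/self/changePassword"};

    /** No initialization is required. */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
    }

    /** No resources are held, so there is nothing to release. */
    @Override
    public void destroy() {
    }

    /**
     * Applies the password-change gate and then continues the chain.
     *
     * @param servletRequest incoming request; only inspected when it is a
     *     {@link SecurityContextHolderAwareRequestWrapper}
     * @param servletResponse response passed on unchanged
     * @param filterChain remainder of the filter chain
     * @throws AccessDeniedException if a flagged user issues a {@code GET} for a path that is not
     *     in {@link #ALLOWED}
     * @throws IOException if the rest of the chain fails with an I/O error
     * @throws ServletException if the rest of the chain fails
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain)
            throws IOException, ServletException {
        if (servletRequest instanceof SecurityContextHolderAwareRequestWrapper) {
            SecurityContextHolderAwareRequestWrapper wrapper =
                    (SecurityContextHolderAwareRequestWrapper) servletRequest;
            // A null path info is never contained in ALLOWED, so it is refused like any other
            // path outside the allow-list.
            if (mustChangePassword()
                    && "GET".equalsIgnoreCase(wrapper.getMethod())
                    && !ArrayUtils.contains(ALLOWED, wrapper.getPathInfo())) {
                throw new AccessDeniedException("Please change your password first");
            }
        }
        filterChain.doFilter(servletRequest, servletResponse);
    }

    /**
     * Tells whether the authentication bound to the current security context carries the
     * {@code MUST_CHANGE_PASSWORD} authority.
     *
     * @return {@code true} if that authority is present; {@code false} otherwise, including when
     *     no authentication is bound to the context
     */
    private static boolean mustChangePassword() {
        // The context can hold no authentication at all; without this guard the lookup below
        // fails with a NullPointerException instead of reporting "not flagged". A request with
        // no authentication is left for the rest of the chain to accept or reject.
        if (SecurityContextHolder.getContext().getAuthentication() == null) {
            return false;
        }
        return IterableUtils.matchesAny(
                SecurityContextHolder.getContext().getAuthentication().getAuthorities(),
                new Predicate<GrantedAuthority>() {
                    @Override
                    public boolean evaluate(GrantedAuthority grantedAuthority) {
                        return MUST_CHANGE_PASSWORD.equals(grantedAuthority.getAuthority());
                    }
                });
    }
}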
