package org.thymeleaf.extras.springsecurity5.auth;

import java.io.IOException;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.BeanWrapperImpl;
import org.springframework.beans.BeansException;
import org.springframework.context.ApplicationContext;
import org.springframework.core.GenericTypeResolver;
import org.springframework.expression.ParseException;
import org.springframework.security.access.expression.ExpressionUtils;
import org.springframework.security.access.expression.SecurityExpressionHandler;
import org.springframework.security.authentication.AuthenticationTrustResolver;
import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.FilterInvocation;
import org.springframework.security.web.WebAttributes;
import org.springframework.security.web.access.WebInvocationPrivilegeEvaluator;
import org.thymeleaf.TemplateEngine;
import org.thymeleaf.context.IContext;
import org.thymeleaf.context.IExpressionContext;
import org.thymeleaf.exceptions.TemplateProcessingException;
import org.thymeleaf.extras.springsecurity5.util.SpringSecurityContextUtils;
import org.thymeleaf.extras.springsecurity5.util.SpringVersionSpecificUtils;
import org.thymeleaf.util.Validate;

/* loaded from: input_file:org/thymeleaf/extras/springsecurity5/auth/AuthUtils.class */
public final class AuthUtils {
    private static final Logger logger = LoggerFactory.getLogger(AuthUtils.class);

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/thymeleaf/extras/springsecurity5/auth/AuthUtils$MinimalAuthenticationExpressionSupport.class */
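    /**
     * Evaluates the small set of authentication-state expressions that can be answered from the
     * {@link Authentication} object alone, without a Spring Security expression handler.
     *
     * <p>Only the literal strings in {@code HANDLED_EXPRESSIONS} are recognised. Matching is by
     * exact string equality, so an expression with surrounding whitespace or a {@code ${...}}
     * wrapper is not considered handled. Nothing in this class parses or evaluates expression text.
     */
    public static final class MinimalAuthenticationExpressionSupport {
        private static final AuthenticationTrustResolver trustResolver = new AuthenticationTrustResolverImpl();
        private static final String EXPR_ISAUTHENTICATED = "isAuthenticated()";
        private static final String EXPR_ISFULLYAUTHENTICATED = "isFullyAuthenticated()";
        private static final String EXPR_ISANONYMOUS = "isAnonymous()";
        private static final String EXPR_ISREMEMBERME = "isRememberMe()";
        // Insertion-ordered so that error messages list the supported expressions in a stable order.
        private static final Set<String> HANDLED_EXPRESSIONS = new LinkedHashSet<>(Arrays.asList(EXPR_ISAUTHENTICATED, EXPR_ISFULLYAUTHENTICATED, EXPR_ISANONYMOUS, EXPR_ISREMEMBERME));

        private MinimalAuthenticationExpressionSupport() {
        }

        /**
         * Tells whether the given expression is one of the supported literal expressions.
         *
         * @param str the expression text exactly as written in the template
         * @return {@code true} if {@link #evaluateMinimalExpression} can evaluate it
         */
        static boolean isMinimalHandledExpression(String str) {
            return HANDLED_EXPRESSIONS.contains(str);
        }

        /**
         * Evaluates one of the supported expressions against an authentication object.
         *
         * @param str the expression text; must be one of the handled expressions
         * @param authentication the authentication to test; {@code null} is treated as "no
         *        authenticated user" by the authenticated / fully-authenticated checks
         * @return the result of the check
         * @throws IllegalArgumentException if {@code str} is not a handled expression
         */
        static boolean evaluateMinimalExpression(String str, Authentication authentication) {
            if (EXPR_ISAUTHENTICATED.equals(str)) {
                return isAuthenticated(authentication);
            }
            if (EXPR_ISFULLYAUTHENTICATED.equals(str)) {
                return isFullyAuthenticated(authentication);
            }
            if (EXPR_ISANONYMOUS.equals(str)) {
                return isAnonymous(authentication);
            }
            if (EXPR_ISREMEMBERME.equals(str)) {
                return isRememberMe(authentication);
            }
            throw new IllegalArgumentException("Unknown minimal expression: \"" + str + "\". Supported expressions are: " + HANDLED_EXPRESSIONS);
        }

        private static boolean isAnonymous(Authentication authentication) {
            return trustResolver.isAnonymous(authentication);
        }

        private static boolean isAuthenticated(Authentication authentication) {
            // Fail closed: a missing Authentication is not an authenticated user. Without this
            // guard the answer is "not anonymous" negated, and AuthenticationTrustResolverImpl is
            // understood to report a null Authentication as not anonymous (confirm against the
            // Spring Security version in use), which would make this check pass for null.
            return authentication != null && !isAnonymous(authentication);
        }

        private static boolean isRememberMe(Authentication authentication) {
            return trustResolver.isRememberMe(authentication);
        }

        private static boolean isFullyAuthenticated(Authentication authentication) {
            // Same fail-closed rule as isAuthenticated: null never counts as fully authenticated.
            return authentication != null
                    && !trustResolver.isAnonymous(authentication)
                    && !trustResolver.isRememberMe(authentication);
        }
    }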

    /* loaded from: input_file:org/thymeleaf/extras/springsecurity5/auth/AuthUtils$MvcAuthUtils.class */
    /**
     * Servlet (Spring MVC) implementations of the two authorization checks offered by
     * {@code AuthUtils}.
     */
    private static final class MvcAuthUtils {
        private MvcAuthUtils() {
        }

        /**
         * Evaluates a Spring Security access expression for the given authentication.
         *
         * <p>The expression text is handed to the expression parser of the application's
         * {@link SecurityExpressionHandler} and then evaluated, so it must be text written by the
         * template author. Building it from request parameters or other caller-supplied data would
         * let that data be evaluated as an expression.
         *
         * <p>Declared {@code public} by the decompiler; the JADX note on the original states the
         * access modifier was {@code private}.
         *
         * @param iExpressionContext the template expression context supplying request, response
         *        and expression objects
         * @param str the access expression, either bare or wrapped as {@code ${...}}
         * @param authentication the authentication the expression is evaluated against
         * @return the boolean result of the expression
         * @throws TemplateProcessingException if the expression cannot be parsed
         */
        public static boolean authorizeUsingAccessExpressionMvc(IExpressionContext iExpressionContext, String str, Authentication authentication) {
            // Accept the expression either bare or written as a standard variable expression.
            String expressionText = str;
            if (str != null && str.startsWith("${") && str.endsWith("}")) {
                expressionText = str.substring(2, str.length() - 1);
            }
            SecurityExpressionHandler<FilterInvocation> handler = AuthUtils.getExpressionHandler(iExpressionContext);
            try {
                // Parse before touching the request so a malformed expression is reported first.
                org.springframework.expression.Expression parsed = handler.getExpressionParser().parseExpression(expressionText);
                // The invocation carries a filter chain that refuses to run: evaluating an
                // expression must never continue request processing.
                FilterInvocation invocation = new FilterInvocation(
                        SpringVersionSpecificUtils.getHttpServletRequest(iExpressionContext),
                        SpringVersionSpecificUtils.getHttpServletResponse(iExpressionContext),
                        ServletFilterChainHolder.DUMMY_CHAIN);
                return ExpressionUtils.evaluateAsBoolean(
                        parsed,
                        SpringVersionSpecificUtils.wrapEvaluationContext(
                                handler.createEvaluationContext(authentication, invocation),
                                iExpressionContext.getExpressionObjects()));
            } catch (ParseException e) {
                throw new TemplateProcessingException("An error happened trying to parse Spring Security access expression \"" + expressionText + "\"", e);
            }
        }

        /**
         * Asks the application's {@link WebInvocationPrivilegeEvaluator} whether the given
         * authentication may access a URL with a given HTTP method.
         *
         * <p>Declared {@code public} by the decompiler; the JADX note on the original states the
         * access modifier was {@code private}.
         *
         * @param iExpressionContext the template expression context
         * @param str the URL to check, passed to the evaluator together with the context path
         * @param str2 the HTTP method to check
         * @param authentication the authentication to check
         * @return {@code true} if the evaluator allows the access
         */
        public static boolean authorizeUsingUrlCheckMvc(IExpressionContext iExpressionContext, String str, String str2, Authentication authentication) {
            WebInvocationPrivilegeEvaluator evaluator = AuthUtils.getPrivilegeEvaluator(iExpressionContext);
            String contextPath = SpringSecurityContextUtils.getContextPath(iExpressionContext);
            return evaluator.isAllowed(contextPath, str, str2, authentication);
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/thymeleaf/extras/springsecurity5/auth/AuthUtils$ServletFilterChainHolder.class */
    /**
     * Holds the placeholder {@link FilterChain} used when a {@code FilterInvocation} is built only
     * to evaluate an access expression.
     *
     * <p>Kept in its own class so the servlet API types are referenced only from here.
     * NOTE(review): presumably this keeps WebFlux-only deployments from loading servlet classes;
     * confirm against the original project.
     */
    public static class ServletFilterChainHolder {
        // Any attempt to continue the chain is a programming error and fails loudly.
        private static final FilterChain DUMMY_CHAIN = new FilterChain() {
            @Override
            public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse) throws IOException, ServletException {
                throw new UnsupportedOperationException();
            }
        };

        private ServletFilterChainHolder() {
        }
    }

    /* loaded from: input_file:org/thymeleaf/extras/springsecurity5/auth/AuthUtils$WebFluxAuthUtils.class */
    /**
     * WebFlux implementations of the two authorization checks offered by {@code AuthUtils}.
     *
     * <p>Nothing here parses expression text: an access expression is either one of the literal
     * expressions known to {@code MinimalAuthenticationExpressionSupport} or it is rejected with
     * an exception. URL checks are always rejected. Both rejections throw rather than return
     * {@code false}, so an unsupported check cannot be mistaken for a denial.
     */
    private static final class WebFluxAuthUtils {
        private WebFluxAuthUtils() {
        }

        /** Builds the message used whenever a check is not available in a WebFlux application. */
        private static String restrictedMessage() {
            return "Authorization-oriented expressions (such as those in 'sec:authorize') are restricted in WebFlux applications due to a lack of support in the reactive side of Spring Security (as of Spring Security 5.1). Only a minimal set of security expressions is allowed: " + MinimalAuthenticationExpressionSupport.HANDLED_EXPRESSIONS;
        }

        /**
         * Evaluates an access expression, accepting only the minimal supported set.
         *
         * <p>Declared {@code public} by the decompiler; the JADX note on the original states the
         * access modifier was {@code private}.
         *
         * @param iExpressionContext the template expression context (not used by this check)
         * @param str the access expression exactly as written
         * @param authentication the authentication to test
         * @return the result of the minimal expression
         * @throws TemplateProcessingException if the expression is not in the supported set
         */
        public static boolean authorizeUsingAccessExpressionWebFlux(IExpressionContext iExpressionContext, String str, Authentication authentication) {
            if (!MinimalAuthenticationExpressionSupport.isMinimalHandledExpression(str)) {
                throw new TemplateProcessingException(restrictedMessage());
            }
            return MinimalAuthenticationExpressionSupport.evaluateMinimalExpression(str, authentication);
        }

        /**
         * Always rejects URL-based authorization checks, which this class does not implement.
         *
         * <p>Declared {@code public} by the decompiler; the JADX note on the original states the
         * access modifier was {@code private}.
         *
         * @throws TemplateProcessingException always
         */
        public static boolean authorizeUsingUrlCheckWebFlux(IExpressionContext iExpressionContext, String str, String str2, Authentication authentication) {
            throw new TemplateProcessingException(restrictedMessage());
        }
    }

    /** Not instantiable: this class only exposes static helpers. */
    private AuthUtils() {
    }

    /**
     * Looks up the current {@link Authentication} through {@link SpringSecurityContextUtils}.
     *
     * <p>An authentication whose principal is {@code null} is reported the same way as a missing
     * authentication. Callers receive {@code null} in both cases and have to decide how to treat
     * it; denying is the safe reading.
     *
     * <p>At TRACE level the user name is written to the log as returned by the authentication
     * object, without escaping.
     *
     * @param iExpressionContext the template expression context to read from
     * @return the authentication object, or {@code null} if none with a principal is available
     */
    public static Authentication getAuthenticationObject(IExpressionContext iExpressionContext) {
        if (logger.isTraceEnabled()) {
            logger.trace("[THYMELEAF][{}] Obtaining authentication object.", TemplateEngine.threadIndex());
        }
        Authentication found = SpringSecurityContextUtils.getAuthenticationObject(iExpressionContext);
        if (found == null || found.getPrincipal() == null) {
            if (logger.isTraceEnabled()) {
                logger.trace("[THYMELEAF][{}] No authentication object found in context.", TemplateEngine.threadIndex());
            }
            return null;
        }
        if (logger.isTraceEnabled()) {
            logger.trace("[THYMELEAF][{}] Authentication object of class {} found in context for user \"{}\".", TemplateEngine.threadIndex(), found.getClass().getName(), found.getName());
        }
        return found;
    }

    /**
     * Reads a property of an authentication object by name.
     *
     * <p>The name is resolved by Spring's {@link BeanWrapperImpl}, which also accepts nested
     * property paths. Whoever controls {@code str} can therefore read any readable property
     * reachable from the authentication object, which may include credentials. The name should be
     * fixed by the template author and not derived from request data.
     *
     * @param authentication the authentication to read from; {@code null} yields {@code null}
     * @param str the property name or path
     * @return the property value, or {@code null} if {@code authentication} is {@code null}
     * @throws TemplateProcessingException if the property cannot be read
     */
    public static Object getAuthenticationProperty(Authentication authentication, String str) {
        if (logger.isTraceEnabled()) {
            logger.trace("[THYMELEAF][{}] Reading property \"{}\" from authentication object.", TemplateEngine.threadIndex(), str);
        }
        if (authentication == null) {
            return null;
        }
        final Object value;
        try {
            value = new BeanWrapperImpl(authentication).getPropertyValue(str);
            if (logger.isTraceEnabled()) {
                // Only the value's class is logged, never the value itself.
                String valueClassName = null;
                if (value != null) {
                    valueClassName = value.getClass().getName();
                }
                logger.trace("[THYMELEAF][{}] Property \"{}\" obtained from authentication object for user \"{}\". Returned value of class {}.", TemplateEngine.threadIndex(), str, authentication.getName(), valueClassName);
            }
        } catch (BeansException e) {
            throw new TemplateProcessingException("Error retrieving value for property \"" + str + "\" of authentication object of class " + authentication.getClass().getName(), e);
        }
        return value;
    }

    /**
     * Decides whether the given authentication satisfies a Spring Security access expression.
     *
     * <p>Dispatches to the WebFlux or the servlet implementation depending on the kind of
     * context. The expression text and the user name are written to the TRACE log as received,
     * without escaping.
     *
     * @param iExpressionContext the template expression context; must not be {@code null}
     * @param str the access expression
     * @param authentication the authentication to check; may be {@code null} as far as this
     *        method is concerned
     * @return {@code true} if access is granted, {@code false} if it is denied
     */
    public static boolean authorizeUsingAccessExpression(IExpressionContext iExpressionContext, String str, Authentication authentication) {
        Validate.notNull(iExpressionContext, "Context cannot be null");
        if (logger.isTraceEnabled()) {
            String userName = authentication == null ? null : authentication.getName();
            logger.trace("[THYMELEAF][{}] Checking authorization using access expression \"{}\" for user \"{}\".", TemplateEngine.threadIndex(), str, userName);
        }

        final boolean granted;
        if (SpringVersionSpecificUtils.isWebFluxContext(iExpressionContext)) {
            granted = WebFluxAuthUtils.authorizeUsingAccessExpressionWebFlux(iExpressionContext, str, authentication);
        } else {
            granted = MvcAuthUtils.authorizeUsingAccessExpressionMvc(iExpressionContext, str, authentication);
        }

        if (logger.isTraceEnabled()) {
            String outcomeFormat = granted
                    ? "[THYMELEAF][{}] Checked authorization using access expression \"{}\" for user \"{}\". Access GRANTED."
                    : "[THYMELEAF][{}] Checked authorization using access expression \"{}\" for user \"{}\". Access DENIED.";
            String userName = authentication == null ? null : authentication.getName();
            logger.trace(outcomeFormat, TemplateEngine.threadIndex(), str, userName);
        }
        return granted;
    }

    /* JADX INFO: Access modifiers changed from: private */
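    /**
     * Finds the {@link SecurityExpressionHandler} that handles {@link FilterInvocation} objects.
     *
     * <p>All handler beans in the application context are inspected and the first one whose
     * generic type argument resolves to {@code FilterInvocation} is returned. If several such
     * handlers are registered, which one is used depends on the order in which the context
     * returns them.
     *
     * <p>Declared {@code public} by the decompiler; the JADX note on the original states the
     * access modifier was {@code private}.
     *
     * @param iExpressionContext the template expression context used to reach the application
     *        context
     * @return the first matching expression handler
     * @throws TemplateProcessingException if no matching handler is registered
     */
    public static SecurityExpressionHandler<FilterInvocation> getExpressionHandler(IExpressionContext iExpressionContext) {
        for (SecurityExpressionHandler<?> candidate : getContext(iExpressionContext).getBeansOfType(SecurityExpressionHandler.class).values()) {
            // Resolve the handler's type argument once; the decompiled code resolved it twice and
            // discarded the first result.
            Class<?> handledType = GenericTypeResolver.resolveTypeArgument(candidate.getClass(), SecurityExpressionHandler.class);
            if (FilterInvocation.class.equals(handledType)) {
                @SuppressWarnings("unchecked") // the resolved type argument was checked just above
                SecurityExpressionHandler<FilterInvocation> webHandler = (SecurityExpressionHandler<FilterInvocation>) candidate;
                return webHandler;
            }
        }
        throw new TemplateProcessingException("No visible SecurityExpressionHandler instance could be found in the application context. There must be at least one in order to support expressions in Spring Security authorization queries.");
    }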

    /**
     * Decides whether the given authentication may access a URL with a given HTTP method.
     *
     * <p>Dispatches to the WebFlux or the servlet implementation depending on the kind of
     * context. The URL, the method and the user name are written to the TRACE log as received,
     * without escaping.
     *
     * @param iExpressionContext the template expression context; must not be {@code null}
     * @param str the URL to check
     * @param str2 the HTTP method to check
     * @param authentication the authentication to check; may be {@code null} as far as this
     *        method is concerned
     * @return {@code true} if access is granted, {@code false} if it is denied
     */
    public static boolean authorizeUsingUrlCheck(IExpressionContext iExpressionContext, String str, String str2, Authentication authentication) {
        Validate.notNull(iExpressionContext, "Context cannot be null");
        if (logger.isTraceEnabled()) {
            String userName = authentication == null ? null : authentication.getName();
            logger.trace("[THYMELEAF][{}] Checking authorization for URL \"{}\" and method \"{}\" for user \"{}\".", TemplateEngine.threadIndex(), str, str2, userName);
        }

        final boolean allowed;
        if (SpringVersionSpecificUtils.isWebFluxContext(iExpressionContext)) {
            allowed = WebFluxAuthUtils.authorizeUsingUrlCheckWebFlux(iExpressionContext, str, str2, authentication);
        } else {
            allowed = MvcAuthUtils.authorizeUsingUrlCheckMvc(iExpressionContext, str, str2, authentication);
        }

        if (logger.isTraceEnabled()) {
            String verdict = allowed ? "Access GRANTED." : "Access DENIED.";
            String userName = authentication == null ? null : authentication.getName();
            logger.trace("[THYMELEAF][{}] Checked authorization for URL \"{}\" and method \"{}\" for user \"{}\". " + verdict, TemplateEngine.threadIndex(), str, str2, userName);
        }
        return allowed;
    }

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Finds the {@link WebInvocationPrivilegeEvaluator} used for URL access checks.
     *
     * <p>An evaluator stored as a request attribute takes precedence. Otherwise the first
     * evaluator bean returned by the application context is used. When more than one evaluator
     * bean is registered the choice depends on the order in which the context returns them.
     * NOTE(review): with several security filter chains this may not be the evaluator that
     * applies to the current request; confirm how the application registers its evaluators.
     *
     * <p>Declared {@code public} by the decompiler; the JADX note on the original states the
     * access modifier was {@code private}.
     *
     * @param iExpressionContext the template expression context
     * @return the evaluator to use
     * @throws TemplateProcessingException if no evaluator is available
     */
    public static WebInvocationPrivilegeEvaluator getPrivilegeEvaluator(IExpressionContext iExpressionContext) {
        WebInvocationPrivilegeEvaluator fromRequest = (WebInvocationPrivilegeEvaluator) SpringSecurityContextUtils.getRequestAttribute(iExpressionContext, WebAttributes.WEB_INVOCATION_PRIVILEGE_EVALUATOR_ATTRIBUTE);
        if (fromRequest != null) {
            return fromRequest;
        }
        Map<String, WebInvocationPrivilegeEvaluator> evaluators = getContext(iExpressionContext).getBeansOfType(WebInvocationPrivilegeEvaluator.class);
        if (evaluators.isEmpty()) {
            throw new TemplateProcessingException("No visible WebInvocationPrivilegeEvaluator instance could be found in the application context. There must be at least one in order to support URL access checks in Spring Security authorization queries.");
        }
        return evaluators.values().iterator().next();
    }

    /**
     * Returns the Spring {@link ApplicationContext} for the given template context, as resolved
     * by {@link SpringSecurityContextUtils#getApplicationContext}.
     *
     * @param iContext the template context
     * @return the application context reported by {@code SpringSecurityContextUtils}
     */
    public static ApplicationContext getContext(IContext iContext) {
        final ApplicationContext applicationContext = SpringSecurityContextUtils.getApplicationContext(iContext);
        return applicationContext;
    }
}
