package org.appfuse.service;

import java.lang.reflect.Method;
import java.util.Collection;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Set;
import org.apache.commons.collections.CollectionUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.appfuse.Constants;
import org.appfuse.model.Role;
import org.appfuse.model.User;
import org.springframework.aop.AfterReturningAdvice;
import org.springframework.aop.MethodBeforeAdvice;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.authentication.AuthenticationTrustResolver;
import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;

/* loaded from: input_file:WEB-INF/lib/appfuse-service-2.2.1.jar:org/appfuse/service/UserSecurityAdvice.class */
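/**
 * AOP advice guarding a user-saving service method whose first argument is the
 * {@link User} being saved.
 * <p>
 * Before the call, non-administrators (an administrator holds an authority equal to
 * {@link Constants#ADMIN_ROLE}) may only save their own record, and only with exactly the
 * roles they already hold. After the call, if the saved record is the caller's own, the
 * {@link Authentication} in the security context is replaced so the session carries the
 * persisted principal, password and authorities.
 * <p>
 * Two paths are not checked at all: an anonymous Authentication (as judged by the trust
 * resolver) and a context with no Authentication. NOTE(review): the anonymous path
 * presumably backs self-registration; confirm that whatever reaches it cannot set roles,
 * and that callers outside a web request (batch jobs, tests) are meant to be trusted.
 * <p>
 * Holds only a logger and a stateless trust resolver, so one instance can safely advise
 * concurrent calls.
 */
public class UserSecurityAdvice implements MethodBeforeAdvice, AfterReturningAdvice {
    /** Message carried by every {@link AccessDeniedException} raised by the rules above. */
    public static final String ACCESS_DENIED = "Access Denied: Only administrators are allowed to modify other users.";
    private static final Log log = LogFactory.getLog(UserSecurityAdvice.class);
    // Stateless; decides whether an Authentication represents an anonymous caller.
    private final AuthenticationTrustResolver trustResolver = new AuthenticationTrustResolverImpl();

    /**
     * Enforces who may save the {@link User} passed as {@code args[0]}.
     * <ul>
     *   <li>No Authentication in the context: allowed, nothing to check against.</li>
     *   <li>Anonymous Authentication: allowed, logged at debug level as a registration.</li>
     *   <li>Administrator: allowed to save anyone with any roles.</li>
     *   <li>Anyone else: a record with an id may only be their own and must keep exactly
     *       the roles they currently hold; a record without an id is not checked.</li>
     * </ul>
     *
     * @param method the advised method (unused)
     * @param args   the call arguments; {@code args[0]} must be the User being saved
     * @param target the advised object (unused)
     * @throws AccessDeniedException    when a rule above is violated, or when a non-anonymous
     *                                  Authentication carries no {@link User}
     * @throws IllegalArgumentException when {@code args[0]} is not a {@link User}
     */
    @Override // org.springframework.aop.MethodBeforeAdvice
    public void before(Method method, Object[] args, Object target) throws Throwable {
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        if (authentication == null) {
            // No principal at all: the call goes through unchecked (see class comment).
            return;
        }

        User user = userArgument(args);

        if (trustResolver.isAnonymous(authentication)) {
            // Anonymous principal: treated as a self-registration and not restricted here.
            if (log.isDebugEnabled()) {
                log.debug("Registering new user '" + user.getUsername() + "'");
            }
            return;
        }

        Collection<? extends GrantedAuthority> authorities = authentication.getAuthorities();
        // Resolved before the administrator shortcut so that a malformed Authentication is
        // rejected for administrators too.
        User currentUser = getCurrentUser(authentication);
        if (hasAuthority(authorities, Constants.ADMIN_ROLE)) {
            return;
        }

        if (user.getId() == null) {
            // New record (no id yet): neither rule below applies.
            // NOTE(review): an authenticated non-administrator creating a User with arbitrary
            // roles therefore passes this advice; whether that is reachable depends on the
            // callers of the advised method — confirm.
            return;
        }
        if (!user.getId().equals(currentUser.getId())) {
            log.warn("Access Denied: '" + currentUser.getUsername() + "' tried to modify '" + user.getUsername() + "'!");
            throw new AccessDeniedException(ACCESS_DENIED);
        }

        // Own record: the submitted roles must match, as a set, the authorities the caller holds.
        Set<String> requestedRoles = roleNames(user);
        Set<String> heldRoles = authorityNames(authorities);
        if (!requestedRoles.equals(heldRoles)) {
            log.warn("Access Denied: '" + currentUser.getUsername() + "' tried to change their role(s)!");
            throw new AccessDeniedException(ACCESS_DENIED);
        }
    }

    /**
     * Refreshes the security context after a successful save of the caller's own record.
     *
     * @param returnValue the advised method's result (unused)
     * @param method      the advised method (unused)
     * @param args        the call arguments; {@code args[0]} must be the saved User
     * @param target      the advised object (unused)
     * @throws AccessDeniedException    when a non-anonymous Authentication carries no {@link User}
     * @throws IllegalArgumentException when {@code args[0]} is not a {@link User}
     */
    @Override // org.springframework.aop.AfterReturningAdvice
    public void afterReturning(Object returnValue, Method method, Object[] args, Object target) throws Throwable {
        User user = userArgument(args);
        if (user.getVersion() == null) {
            // presumably a record that was never persisted (no version assigned) — nothing to refresh
            return;
        }

        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        if (authentication == null || trustResolver.isAnonymous(authentication)) {
            return;
        }

        User currentUser = getCurrentUser(authentication);
        if (user.getId() == null || !user.getId().equals(currentUser.getId())) {
            return;
        }

        // The saved record is the caller's own: replace the Authentication so subsequent requests
        // see the updated principal, password and authorities. The three-argument token
        // constructor produces an already-authenticated token, and it keeps user.getPassword()
        // as the credentials — whatever form the caller stored (hashed or not) now lives in the
        // security context.
        SecurityContextHolder.getContext().setAuthentication(
                new UsernamePasswordAuthenticationToken(user, user.getPassword(), user.getAuthorities()));
    }

    /**
     * Resolves the authenticated {@link User}, looking first at the principal and then at the
     * details of the Authentication.
     *
     * @throws AccessDeniedException if neither the principal nor the details is a {@link User}
     */
    private User getCurrentUser(Authentication authentication) {
        // Testing for User itself (rather than UserDetails) turns any other UserDetails
        // implementation into an AccessDeniedException instead of a ClassCastException.
        Object principal = authentication.getPrincipal();
        if (principal instanceof User) {
            return (User) principal;
        }
        Object details = authentication.getDetails();
        if (details instanceof User) {
            return (User) details;
        }
        throw new AccessDeniedException("User not properly authenticated.");
    }

    /** Extracts the User the advised method saves; fails closed if the pointcut is misconfigured. */
    private static User userArgument(Object[] args) {
        if (args == null || args.length == 0 || !(args[0] instanceof User)) {
            throw new IllegalArgumentException("Advised method must take the User to save as its first argument");
        }
        return (User) args[0];
    }

    /** True if any of {@code authorities} is named {@code name}; null-safe on the authority side. */
    private static boolean hasAuthority(Collection<? extends GrantedAuthority> authorities, String name) {
        for (GrantedAuthority authority : authorities) {
            if (name.equals(authority.getAuthority())) {
                return true;
            }
        }
        return false;
    }

    /** Names of the authorities the caller currently holds. */
    private static Set<String> authorityNames(Collection<? extends GrantedAuthority> authorities) {
        Set<String> names = new HashSet<String>();
        for (GrantedAuthority authority : authorities) {
            names.add(authority.getAuthority());
        }
        return names;
    }

    /** Names of the roles on the submitted User; empty when it carries no roles. */
    private static Set<String> roleNames(User user) {
        Set<String> names = new HashSet<String>();
        if (user.getRoles() != null) {
            for (Role role : user.getRoles()) {
                names.add(role.getName());
            }
        }
        return names;
    }
}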
