package org.geoserver.security.filter;

import java.io.IOException;
import java.util.Collection;
import java.util.Collections;
import java.util.Iterator;
import java.util.Optional;
import java.util.function.Supplier;
import javax.servlet.http.HttpServletRequest;
import org.geoserver.platform.GeoServerExtensions;
import org.geoserver.security.config.SecurityInterceptorFilterConfig;
import org.geoserver.security.config.SecurityNamedServiceConfig;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityMetadataSource;
import org.springframework.security.authentication.AuthenticationTrustResolver;
import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
import org.springframework.security.authorization.AuthorizationDecision;
import org.springframework.security.authorization.AuthorizationManager;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.web.access.intercept.AuthorizationFilter;

/* loaded from: input_file:org/geoserver/security/filter/GeoServerSecurityInterceptorFilter.class */
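/**
 * Composite filter that appends an {@link AuthorizationFilter} to its nested filters. The
 * authorization decision is produced by an {@link AffirmativeAuthorizationManager} combining an
 * authentication-level check with a role check, both driven by the same
 * {@link SecurityMetadataSource}.
 */
public class GeoServerSecurityInterceptorFilter extends GeoServerCompositeFilter {
    private static final AuthorizationDecision ACCESS_GRANTED = new AuthorizationDecision(true);
    private static final AuthorizationDecision ACCESS_DENIED = new AuthorizationDecision(false);
    // An abstention is modelled as a null decision throughout this class.
    private static final AuthorizationDecision ACCESS_ABSTAIN = null;

    /**
     * Combines two managers: access is granted as soon as either one grants it.
     *
     * <p>Decompiler note: this nested class was originally declared private.
     */
    public static final class AffirmativeAuthorizationManager implements AuthorizationManager<HttpServletRequest> {
        private final AuthorizationManager<HttpServletRequest> delegate1;
        private final AuthorizationManager<HttpServletRequest> delegate2;
        private final boolean allowIfAllAbstainDecisions;

        /**
         * @param authorizationManager first delegate consulted
         * @param authorizationManager2 second delegate consulted
         * @param z outcome when both delegates abstain: {@code true} grants, {@code false} denies.
         *     Security note: {@code true} is a fail-open setting, since a request for which
         *     neither delegate reaches a decision is then granted.
         */
        public AffirmativeAuthorizationManager(AuthorizationManager<HttpServletRequest> authorizationManager, AuthorizationManager<HttpServletRequest> authorizationManager2, boolean z) {
            this.delegate1 = authorizationManager;
            this.delegate2 = authorizationManager2;
            this.allowIfAllAbstainDecisions = z;
        }

        /**
         * Consults both delegates and merges their answers.
         *
         * @return granted if at least one delegate grants; the configured abstain outcome if both
         *     return {@code null}; denied otherwise
         */
        @Override
        public AuthorizationDecision check(Supplier<Authentication> supplier, HttpServletRequest httpServletRequest) {
            // Both delegates are always evaluated, even when the first one already grants.
            AuthorizationDecision first = this.delegate1.check(supplier, httpServletRequest);
            AuthorizationDecision second = this.delegate2.check(supplier, httpServletRequest);
            if (first == null && second == null) {
                return this.allowIfAllAbstainDecisions ? ACCESS_GRANTED : ACCESS_DENIED;
            }
            boolean granted = (first != null && first.isGranted()) || (second != null && second.isGranted());
            return granted ? ACCESS_GRANTED : ACCESS_DENIED;
        }
    }

    /**
     * Decides on the {@code IS_AUTHENTICATED_*} attributes attached to a request.
     *
     * <p>Decompiler note: this nested class was originally declared private.
     */
    public static final class AuthenticatedAuthorizationManager implements AuthorizationManager<HttpServletRequest> {
        public static final String IS_AUTHENTICATED_FULLY = "IS_AUTHENTICATED_FULLY";
        public static final String IS_AUTHENTICATED_REMEMBERED = "IS_AUTHENTICATED_REMEMBERED";
        public static final String IS_AUTHENTICATED_ANONYMOUSLY = "IS_AUTHENTICATED_ANONYMOUSLY";
        private final SecurityMetadataSource metadata;
        private final AuthenticationTrustResolver authenticationTrustResolver = new AuthenticationTrustResolverImpl();

        /**
         * @param securityMetadataSource source of the attributes configured for each request
         */
        public AuthenticatedAuthorizationManager(SecurityMetadataSource securityMetadataSource) {
            this.metadata = securityMetadataSource;
        }

        /** Returns true when the trust resolver reports the token as neither anonymous nor remember-me. */
        private boolean isFullyAuthenticated(Authentication authentication) {
            return !(this.authenticationTrustResolver.isAnonymous(authentication)
                    || this.authenticationTrustResolver.isRememberMe(authentication));
        }

        /** Returns true for the three {@code IS_AUTHENTICATED_*} attribute values only. */
        private boolean supports(ConfigAttribute configAttribute) {
            String attribute = configAttribute.getAttribute();
            return attribute != null
                    && (IS_AUTHENTICATED_FULLY.equals(attribute)
                            || IS_AUTHENTICATED_REMEMBERED.equals(attribute)
                            || IS_AUTHENTICATED_ANONYMOUSLY.equals(attribute));
        }

        /**
         * Evaluates the supported attributes against the authentication.
         *
         * @return granted on the first satisfied attribute; denied if at least one supported
         *     attribute was seen and none was satisfied, or if {@code authentication} is null;
         *     {@code null} (abstain) if no supported attribute is present
         */
        private AuthorizationDecision vote(Authentication authentication, Object obj, Collection<ConfigAttribute> collection) {
            // Fail closed on a missing Authentication, as RoleAuthorizationManager does. Without
            // this guard the outcome rests on how the trust resolver answers for null: if it
            // reports neither anonymous nor remember-me, isFullyAuthenticated(null) evaluates to
            // true and every IS_AUTHENTICATED_* attribute would be granted.
            if (authentication == null) {
                return ACCESS_DENIED;
            }
            AuthorizationDecision decision = ACCESS_ABSTAIN;
            for (ConfigAttribute configAttribute : collection) {
                if (!supports(configAttribute)) {
                    continue;
                }
                // A supported attribute was found: from here on the default is deny, not abstain.
                decision = ACCESS_DENIED;
                String attribute = configAttribute.getAttribute();
                if (IS_AUTHENTICATED_FULLY.equals(attribute) && isFullyAuthenticated(authentication)) {
                    return ACCESS_GRANTED;
                }
                if (IS_AUTHENTICATED_REMEMBERED.equals(attribute)
                        && (this.authenticationTrustResolver.isRememberMe(authentication)
                                || isFullyAuthenticated(authentication))) {
                    return ACCESS_GRANTED;
                }
                if (IS_AUTHENTICATED_ANONYMOUSLY.equals(attribute)
                        && (this.authenticationTrustResolver.isAnonymous(authentication)
                                || isFullyAuthenticated(authentication)
                                || this.authenticationTrustResolver.isRememberMe(authentication))) {
                    return ACCESS_GRANTED;
                }
            }
            return decision;
        }

        /**
         * Looks up the attributes configured for the request and votes on them; a {@code null}
         * attribute collection is treated as empty.
         */
        @Override
        public AuthorizationDecision check(Supplier<Authentication> supplier, HttpServletRequest httpServletRequest) {
            Authentication authentication = supplier.get();
            Collection<ConfigAttribute> attributes = this.metadata.getAttributes(httpServletRequest);
            if (attributes == null) {
                attributes = Collections.emptySet();
            }
            return vote(authentication, httpServletRequest, attributes);
        }
    }

    /**
     * Decides by comparing the request's configured attributes with the authorities held by the
     * authentication.
     *
     * <p>Decompiler note: this nested class was originally declared private.
     */
    public static final class RoleAuthorizationManager implements AuthorizationManager<HttpServletRequest> {
        private final SecurityMetadataSource metadata;

        /**
         * @param securityMetadataSource source of the attributes configured for each request
         */
        public RoleAuthorizationManager(SecurityMetadataSource securityMetadataSource) {
            this.metadata = securityMetadataSource;
        }

        /**
         * Matches attribute values against granted authority names by exact string equality.
         *
         * @return denied for a null authentication; granted on the first attribute equal to one
         *     of the authorities; denied if a non-null attribute was seen without a match;
         *     {@code null} (abstain) if no attribute carried a value
         */
        private AuthorizationDecision vote(Authentication authentication, Object obj, Collection<ConfigAttribute> collection) {
            if (authentication == null) {
                return ACCESS_DENIED;
            }
            AuthorizationDecision decision = ACCESS_ABSTAIN;
            Collection<? extends GrantedAuthority> authorities = authentication.getAuthorities();
            for (ConfigAttribute configAttribute : collection) {
                if (configAttribute.getAttribute() == null) {
                    continue;
                }
                // Any attribute with a value turns the default from abstain into deny.
                decision = ACCESS_DENIED;
                for (GrantedAuthority authority : authorities) {
                    if (configAttribute.getAttribute().equals(authority.getAuthority())) {
                        return ACCESS_GRANTED;
                    }
                }
            }
            return decision;
        }

        /**
         * Looks up the attributes configured for the request and votes on them; a {@code null}
         * attribute collection is treated as empty.
         */
        @Override
        public AuthorizationDecision check(Supplier<Authentication> supplier, HttpServletRequest httpServletRequest) {
            Authentication authentication = supplier.get();
            Collection<ConfigAttribute> attributes = this.metadata.getAttributes(httpServletRequest);
            if (attributes == null) {
                attributes = Collections.emptySet();
            }
            return vote(authentication, httpServletRequest, attributes);
        }
    }

    /**
     * Initializes the composite filter and appends the authorization filter built on the given
     * metadata source.
     *
     * @param securityNamedServiceConfig filter configuration; cast to
     *     {@link SecurityInterceptorFilterConfig} to read the abstain policy
     * @param securityMetadataSource source of the attributes configured for each request
     * @throws IOException declared by this method and by the parent initializer it calls
     */
    public void initializeFromConfig(SecurityNamedServiceConfig securityNamedServiceConfig, SecurityMetadataSource securityMetadataSource) throws IOException {
        super.initializeFromConfig(securityNamedServiceConfig);
        boolean allowIfAllAbstain =
                ((SecurityInterceptorFilterConfig) securityNamedServiceConfig).isAllowIfAllAbstainDecisions();
        AuthorizationManager<HttpServletRequest> manager =
                new AffirmativeAuthorizationManager(
                        new AuthenticatedAuthorizationManager(securityMetadataSource),
                        new RoleAuthorizationManager(securityMetadataSource),
                        allowIfAllAbstain);
        getNestedFilters().add(new AuthorizationFilter(manager));
    }

    /**
     * Resolves the metadata source bean named in the configuration and delegates to the
     * two-argument initializer.
     *
     * @param securityNamedServiceConfig filter configuration; cast to
     *     {@link SecurityInterceptorFilterConfig} to read the bean name
     * @throws IOException propagated from the two-argument initializer
     */
    @Override // org.geoserver.security.impl.AbstractGeoServerSecurityService, org.geoserver.security.GeoServerSecurityService
    public void initializeFromConfig(SecurityNamedServiceConfig securityNamedServiceConfig) throws IOException {
        String beanName = ((SecurityInterceptorFilterConfig) securityNamedServiceConfig).getSecurityMetadataSource();
        initializeFromConfig(securityNamedServiceConfig, (SecurityMetadataSource) GeoServerExtensions.bean(beanName));
    }
}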
