package cz.integsoft.mule.security.internal;

import cz.integsoft.mule.security.api.OrderedProperties;
import cz.integsoft.mule.security.api.SecurityErrorCode;
import cz.integsoft.mule.security.api.error.SecurityModuleError;
import cz.integsoft.mule.security.api.exception.GenericSecurityException;
import cz.integsoft.mule.security.api.exception.NotPermittedException;
import cz.integsoft.mule.security.internal.config.AuthorizationConfig;
import cz.integsoft.mule.security.internal.parameter.AuthorizationParameters;
import cz.integsoft.mule.security.internal.spring.SpringAuthenticationAdapter;
import java.text.MessageFormat;
import java.util.Arrays;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.Optional;
import java.util.Set;
import org.mule.extension.http.api.HttpListenerResponseAttributes;
import org.mule.extension.http.api.HttpRequestAttributes;
import org.mule.runtime.api.message.Message;
import org.mule.runtime.api.security.Authentication;
import org.mule.runtime.api.util.MultiMap;
import org.mule.runtime.extension.api.security.AuthenticationHandler;
import org.mule.runtime.http.api.HttpConstants;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.util.AntPathMatcher;

/* loaded from: input_file:cz/integsoft/mule/security/internal/AuthorizationFilter.class */
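/**
 * Authorizes an incoming HTTP request by comparing the authorities of the Spring-authenticated
 * principal with the authorities required for the request path.
 *
 * <p>Required authorities come either from the operation parameters or, when none are set there,
 * from the Ant-style path patterns in the configuration's authorization properties.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>{@code OPTIONS} requests return before any authentication or authority check.</li>
 *   <li>When the resolved set of required authorities is empty (no operation-level authorities and
 *       no matching pattern), any principal authenticated through {@link SpringAuthenticationAdapter}
 *       is allowed. The filter is allow-by-default for unmapped paths.</li>
 *   <li>One matching authority is sufficient; the required set is treated as "any of".</li>
 * </ul>
 */
public class AuthorizationFilter {
    /** Dedicated audit trail; every allow/deny decision is written here. */
    private static final Logger AUDIT_LOG = LoggerFactory.getLogger("SECURITY_AUDIT");
    private static final Logger LOG = LoggerFactory.getLogger(AuthorizationFilter.class);
    private final AuthorizationConfig config;
    private final AuthorizationParameters parameters;

    /**
     * @param authorizationConfig module configuration holding the path-pattern to authorities mapping
     * @param authorizationParameters per-operation parameters; explicit required authorities set here
     *        take precedence over the configured patterns
     */
    public AuthorizationFilter(AuthorizationConfig authorizationConfig, AuthorizationParameters authorizationParameters) {
        this.config = authorizationConfig;
        this.parameters = authorizationParameters;
    }

    /**
     * Checks that the authenticated principal holds at least one of the authorities required for
     * the request path, and records the decision in the audit log.
     *
     * @param httpRequestAttributes attributes of the incoming HTTP request
     * @param authenticationHandler source of the current authentication
     * @throws GenericSecurityException if {@code httpRequestAttributes} is {@code null}
     * @throws NotPermittedException if there is no authentication, it is not a
     *         {@link SpringAuthenticationAdapter}, or the principal lacks every required authority;
     *         the exception carries a 403 response message
     */
    public void authorize(HttpRequestAttributes httpRequestAttributes, AuthenticationHandler authenticationHandler) {
        if (httpRequestAttributes == null) {
            throw new GenericSecurityException(SecurityModuleError.GENERIC_SECURITY, SecurityErrorCode.SEC_ANY_003, "Missing request attributes in the incoming message. Do you have http:listener before?");
        }
        // NOTE(review): OPTIONS is let through with no authentication or authority check (presumably
        // for CORS pre-flight). Anything a flow does in response to OPTIONS is not protected by this
        // filter; confirm downstream processors do not act on OPTIONS requests.
        if (HttpConstants.Method.OPTIONS.name().equalsIgnoreCase(httpRequestAttributes.getMethod())) {
            return;
        }
        Optional<Authentication> authentication = authenticationHandler.getAuthentication();
        if (!authentication.isPresent()) {
            throw new NotPermittedException(SecurityErrorCode.SEC_ANY_003, "Missing authentication object. Do you have authentication element before?", forbiddenResponse());
        }
        Authentication current = authentication.get();
        if (!(current instanceof SpringAuthenticationAdapter)) {
            throw new NotPermittedException(SecurityErrorCode.SEC_ANY_003, "Wrong authentication type. User must be authenticated via Spring Security to use this filter. Do you have authentication element before? Expected: " + SpringAuthenticationAdapter.class + " Found: " + current.getClass().getName(), forbiddenResponse());
        }
        SpringAuthenticationAdapter springAuthentication = (SpringAuthenticationAdapter) current;
        String principalName = springAuthentication.getName();
        GrantedAuthority[] authorities = springAuthentication.getAuthorities();
        Set<String> requiredAuthorities = resolveRequiredAuthorities(httpRequestAttributes.getRequestPath(), this.config.getAuthorizationProperties());

        boolean granted = false;
        if (authorities != null) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("Found authorities '{}' for principal '{}'.", Arrays.toString(authorities), principalName);
            }
            for (GrantedAuthority grantedAuthority : authorities) {
                if (requiredAuthorities.contains(grantedAuthority.getAuthority())) {
                    granted = true;
                    break; // one matching authority is enough
                }
            }
        }

        // Deny only when something is required and nothing matched. An empty required set falls
        // through to the success path below, so paths without a mapping are allowed by default.
        if (!granted && !requiredAuthorities.isEmpty()) {
            LOG.info(MessageFormat.format("Could not find required authorities for {0}. Required authorities: {1}. Authorities found: {2}.", principalName, Arrays.toString(requiredAuthorities.toArray()), Arrays.toString(authorities)));
            // NOTE(review): request URI and principal name are client-influenced values written to
            // the audit log; confirm the logging layout neutralises CR/LF so entries cannot be forged.
            AUDIT_LOG.error("Authorization failure for request {}: user {} remote {}", httpRequestAttributes.getRequestUri(), principalName, httpRequestAttributes.getRemoteAddress());
            throw new NotPermittedException(SecurityErrorCode.SEC_ANY_003, MessageFormat.format("Could not find required GrantedAuthority for principal \"{0}\". Access denied.", principalName), forbiddenResponse());
        }
        AUDIT_LOG.info("Authorization success for request {}: user {} remote {}", httpRequestAttributes.getRequestUri(), principalName, httpRequestAttributes.getRemoteAddress());
    }

    /**
     * Resolves the authorities required for a request path.
     *
     * <p>Authorities set on the operation parameters win. Otherwise every property whose name is an
     * Ant pattern matching {@code str} contributes its comma-separated value to the result.
     *
     * @param str request path to match
     * @param orderedProperties pattern to comma-separated authorities mapping
     * @return the required authorities; empty when nothing applies
     */
    private Set<String> resolveRequiredAuthorities(String str, OrderedProperties orderedProperties) {
        Set<String> explicit = this.parameters.getRequiredAuthorities();
        if (explicit != null && !explicit.isEmpty()) {
            return explicit;
        }
        Set<String> required = new HashSet<>();
        // NOTE(review): the path is matched as delivered by the listener; whether it is already
        // decoded and normalised is not visible here. A variant that matches no pattern yields an
        // empty set, which authorize() treats as "allow". Confirm normalisation upstream or add a
        // catch-all pattern to the authorization properties.
        AntPathMatcher antPathMatcher = new AntPathMatcher();
        Enumeration<String> propertyNames = orderedProperties.propertyNames();
        while (propertyNames.hasMoreElements()) {
            String pattern = propertyNames.nextElement();
            if (!antPathMatcher.match(pattern, str)) {
                continue;
            }
            String value = orderedProperties.getProperty(pattern);
            // NOTE(review): entries are not trimmed, so "A, B" yields " B", which will not equal
            // an authority named "B". Keep property values free of whitespace around commas.
            String[] roles = value == null ? null : value.split(",");
            if (LOG.isDebugEnabled()) {
                // Guard against a null value: Arrays.asList(null) throws, which previously turned
                // enabling debug logging into a NullPointerException on the authorization path.
                LOG.debug("Matches pattern: {} required roles: {}", pattern, roles == null ? Arrays.asList() : Arrays.asList(roles));
            }
            if (roles != null) {
                required.addAll(Arrays.asList(roles));
            }
        }
        return required;
    }

    /** Builds the empty-payload 403 Forbidden response attached to every denial. */
    private Message forbiddenResponse() {
        return Message.builder().nullValue().attributesValue(new HttpListenerResponseAttributes(HttpConstants.HttpStatus.FORBIDDEN.getStatusCode(), HttpConstants.HttpStatus.FORBIDDEN.getReasonPhrase(), new MultiMap<>())).build();
    }
}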
