package org.springframework.security.afterinvocation;

import java.util.Iterator;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.beans.factory.InitializingBean;
import org.springframework.context.MessageSource;
import org.springframework.context.MessageSourceAware;
import org.springframework.context.i18n.LocaleContextHolder;
import org.springframework.context.support.MessageSourceAccessor;
import org.springframework.security.AccessDeniedException;
import org.springframework.security.Authentication;
import org.springframework.security.ConfigAttribute;
import org.springframework.security.ConfigAttributeDefinition;
import org.springframework.security.SpringSecurityMessageSource;
import org.springframework.security.acl.AclEntry;
import org.springframework.security.acl.AclManager;
import org.springframework.security.acl.basic.BasicAclEntry;
import org.springframework.security.acl.basic.SimpleAclEntry;
import org.springframework.util.Assert;

/* loaded from: input_file:jnlp/spring-security-core-2.0.5.RELEASE.jar:org/springframework/security/afterinvocation/BasicAclEntryAfterInvocationProvider.class */
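/**
 * After-invocation provider that releases a returned domain object only when the
 * {@link AclManager} reports at least one {@link BasicAclEntry} granting one of the
 * configured permissions to the current {@link Authentication}.
 *
 * <p>Defaults set by the constructor: config attribute {@code "AFTER_ACL_READ"}, required
 * permission {@code SimpleAclEntry.READ}, and {@code java.lang.Object} as the domain object
 * class (so every non-null return value is checked).
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>{@link #afterPropertiesSet()} is the only place the configuration is validated;
 *       values passed to setters afterwards are not re-checked.</li>
 *   <li>The required-permission array is copied on the way in and out, so a caller holding
 *       a reference cannot alter the permission set this provider enforces.</li>
 *   <li>Denial messages and debug log lines include the domain object (formatted as a
 *       message/log argument) and the authentication name; treat both as potentially
 *       sensitive when choosing where they are rendered or stored.</li>
 * </ul>
 */
public class BasicAclEntryAfterInvocationProvider implements AfterInvocationProvider, InitializingBean, MessageSourceAware {
    protected static final Log logger;
    private AclManager aclManager;
    private Class processDomainObjectClass;
    protected MessageSourceAccessor messages;
    private String processConfigAttribute;
    private int[] requirePermission;

    // These two fields and class$(String) look like compiler-generated support for class
    // literals that a decompiler has made visible; they are kept so the class keeps the
    // same members as the original.
    static Class class$org$springframework$security$afterinvocation$BasicAclEntryAfterInvocationProvider;
    static Class class$java$lang$Object;

    /**
     * Creates a provider with the defaults described on the class: every object type is
     * processed, the attribute is {@code "AFTER_ACL_READ"} and {@code SimpleAclEntry.READ}
     * is the single required permission.
     */
    public BasicAclEntryAfterInvocationProvider() {
        if (class$java$lang$Object == null) {
            class$java$lang$Object = class$("java.lang.Object");
        }
        this.processDomainObjectClass = class$java$lang$Object;
        this.messages = SpringSecurityMessageSource.getAccessor();
        this.processConfigAttribute = "AFTER_ACL_READ";
        this.requirePermission = new int[]{SimpleAclEntry.READ};
    }

    /**
     * Validates the configuration.
     *
     * @throws Exception declared by the interface; this implementation raises
     *     {@link IllegalArgumentException} when the config attribute, ACL manager or message
     *     source is missing, or when no required permission is configured
     */
    @Override // org.springframework.beans.factory.InitializingBean
    public void afterPropertiesSet() throws Exception {
        Assert.notNull(this.processConfigAttribute, "A processConfigAttribute is mandatory");
        Assert.notNull(this.aclManager, "An aclManager is mandatory");
        Assert.notNull(this.messages, "A message source must be set");
        // An empty permission list would make every decision a denial, so it is rejected
        // up front instead of surfacing later as unexplained AccessDeniedExceptions.
        if (this.requirePermission == null || this.requirePermission.length == 0) {
            throw new IllegalArgumentException("One or more requirePermission entries is mandatory");
        }
    }

    /**
     * Decides whether {@code obj2} (the object about to be returned) may be released to
     * {@code authentication}.
     *
     * <p>Only the first supported attribute in {@code configAttributeDefinition} matters:
     * every path inside the loop body either returns or throws.
     *
     * @param authentication the caller whose ACL entries are looked up
     * @param obj not used by this implementation
     * @param configAttributeDefinition attributes configured for the invocation
     * @param obj2 the return value under review; may be {@code null}
     * @return {@code obj2} when no attribute is supported or a required permission is
     *     granted; {@code null} when {@code obj2} is {@code null} or is not an instance of
     *     the configured domain object class
     * @throws AccessDeniedException when the ACL manager returns no entries, or none of the
     *     {@link BasicAclEntry} entries grants a required permission
     */
    @Override // org.springframework.security.afterinvocation.AfterInvocationProvider
    public Object decide(Authentication authentication, Object obj, ConfigAttributeDefinition configAttributeDefinition, Object obj2) throws AccessDeniedException {
        Iterator it = configAttributeDefinition.getConfigAttributes().iterator();
        while (it.hasNext()) {
            if (!supports((ConfigAttribute) it.next())) {
                continue;
            }

            if (obj2 == null) {
                if (logger.isDebugEnabled()) {
                    logger.debug("Return object is null, skipping");
                }
                return null;
            }

            if (!this.processDomainObjectClass.isAssignableFrom(obj2.getClass())) {
                if (logger.isDebugEnabled()) {
                    logger.debug("Return object is not applicable for this provider, skipping");
                }
                // NOTE(review): the log text says "skipping", yet the caller receives null
                // rather than the original object, i.e. the value is withheld. Confirm this
                // is intended before changing it: passing the object through here would
                // release it without any ACL check by this provider.
                return null;
            }

            AclEntry[] acls = this.aclManager.getAcls(obj2, authentication);
            if (acls == null || acls.length == 0) {
                // The message arguments carry the principal name and the domain object
                // itself; avoid echoing this text verbatim to untrusted clients.
                throw new AccessDeniedException(this.messages.getMessage("BasicAclEntryAfterInvocationProvider.noPermission", new Object[]{authentication.getName(), obj2}, "Authentication {0} has NO permissions at all to the domain object {1}", LocaleContextHolder.getLocale()));
            }

            for (AclEntry acl : acls) {
                // Entries of any other AclEntry type are ignored, so a list made up only of
                // such entries ends in the "insufficient permission" denial below.
                if (!(acl instanceof BasicAclEntry)) {
                    continue;
                }
                BasicAclEntry basicAclEntry = (BasicAclEntry) acl;
                for (int permission : this.requirePermission) {
                    if (basicAclEntry.isPermitted(permission)) {
                        if (logger.isDebugEnabled()) {
                            // Debug output includes the domain object and the ACL entry.
                            logger.debug("Principal DOES have permission to return object: " + obj2 + " due to ACL: " + basicAclEntry.toString());
                        }
                        return obj2;
                    }
                }
            }

            throw new AccessDeniedException(this.messages.getMessage("BasicAclEntryAfterInvocationProvider.insufficientPermission", new Object[]{authentication.getName(), obj2}, "Authentication {0} has ACL permissions to the domain object, but not the required ACL permission to the domain object {1}", LocaleContextHolder.getLocale()));
        }
        // No supported attribute: this provider has no opinion and hands the value back.
        return obj2;
    }

    /** @return the ACL manager consulted by {@link #decide}, or {@code null} if unset */
    public AclManager getAclManager() {
        return this.aclManager;
    }

    /** @return the attribute string this provider reacts to */
    public String getProcessConfigAttribute() {
        return this.processConfigAttribute;
    }

    /**
     * @return a copy of the required permissions, or {@code null} if none are set; a copy is
     *     returned so callers cannot modify the array this provider enforces
     */
    public int[] getRequirePermission() {
        return this.requirePermission == null ? null : this.requirePermission.clone();
    }

    /** @param aclManager the ACL manager to query; required by {@link #afterPropertiesSet()} */
    public void setAclManager(AclManager aclManager) {
        this.aclManager = aclManager;
    }

    /** @param messageSource source wrapped in a {@link MessageSourceAccessor} for denial messages */
    @Override // org.springframework.context.MessageSourceAware
    public void setMessageSource(MessageSource messageSource) {
        this.messages = new MessageSourceAccessor(messageSource);
    }

    /** @param str the attribute string that {@link #supports(ConfigAttribute)} matches against */
    public void setProcessConfigAttribute(String str) {
        this.processConfigAttribute = str;
    }

    /**
     * @param cls the type a return value must be an instance of to be ACL-checked; must not
     *     be {@code null}
     */
    public void setProcessDomainObjectClass(Class cls) {
        Assert.notNull(cls, "processDomainObjectClass cannot be set to null");
        this.processDomainObjectClass = cls;
    }

    /**
     * @param iArr permissions of which at least one must be granted; the array is copied so
     *     later changes to the caller's array do not alter the enforced set. {@code null} is
     *     stored as-is and rejected by {@link #afterPropertiesSet()}.
     */
    public void setRequirePermission(int[] iArr) {
        this.requirePermission = iArr == null ? null : iArr.clone();
    }

    /** @param strArr permissions in the textual form accepted by {@code SimpleAclEntry.parsePermissions} */
    public void setRequirePermissionFromString(String[] strArr) {
        setRequirePermission(SimpleAclEntry.parsePermissions(strArr));
    }

    /**
     * @param configAttribute the attribute to test
     * @return {@code true} when the attribute's string form is non-null and equals the
     *     configured process attribute
     */
    @Override // org.springframework.security.afterinvocation.AfterInvocationProvider
    public boolean supports(ConfigAttribute configAttribute) {
        String attribute = configAttribute.getAttribute();
        return attribute != null && attribute.equals(getProcessConfigAttribute());
    }

    /**
     * @param cls ignored
     * @return always {@code true}
     */
    @Override // org.springframework.security.afterinvocation.AfterInvocationProvider
    public boolean supports(Class cls) {
        return true;
    }

    /**
     * Loads a class by name, converting a lookup failure into {@link NoClassDefFoundError}.
     *
     * @param str fully qualified class name
     * @return the loaded class
     * @throws NoClassDefFoundError if the class cannot be found; the original
     *     {@link ClassNotFoundException} is attached as the cause
     */
    static Class class$(String str) {
        try {
            return Class.forName(str);
        } catch (ClassNotFoundException e) {
            NoClassDefFoundError error = new NoClassDefFoundError(e.getMessage());
            // Keep the original exception so the failing lookup stays diagnosable.
            error.initCause(e);
            throw error;
        }
    }

    static {
        if (class$org$springframework$security$afterinvocation$BasicAclEntryAfterInvocationProvider == null) {
            class$org$springframework$security$afterinvocation$BasicAclEntryAfterInvocationProvider = class$("org.springframework.security.afterinvocation.BasicAclEntryAfterInvocationProvider");
        }
        logger = LogFactory.getLog(class$org$springframework$security$afterinvocation$BasicAclEntryAfterInvocationProvider);
    }
}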
