package it.openutils.hibernate.security.aop;

import it.openutils.hibernate.security.dataobject.SecurityRule;
import it.openutils.hibernate.security.services.SecurityRuleManager;
import java.util.ArrayList;
import java.util.List;
import org.acegisecurity.Authentication;
import org.acegisecurity.GrantedAuthority;
import org.acegisecurity.context.SecurityContextHolder;
import org.aspectj.lang.ProceedingJoinPoint;
import org.aspectj.lang.annotation.Around;
import org.aspectj.lang.annotation.Aspect;
import org.hibernate.criterion.Criterion;
import org.hibernate.criterion.Restrictions;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

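/**
 * AspectJ aspect that attaches row-level security restrictions to DAO queries.
 * <p>
 * Every intercepted DAO call that takes a filter entity plus a {@code List<Criterion>} of
 * additional criteria is checked against the rules the {@link SecurityRuleManager} returns for
 * the current principal's authorities: if rules exist, the filter condition derived from them is
 * appended to the criteria as an SQL restriction; if none exist, the call is denied or allowed
 * depending on {@code denyIfNoRulesFound}. Only DAOs whose canonical class name is listed in
 * {@code securedDAOs} are subject to the check, and the whole aspect can be switched off with
 * {@code enabled}.
 */
@Aspect
public class AOPSecurity {

    private static final Logger log = LoggerFactory.getLogger(AOPSecurity.class);

    /** When no rule matches the principal's roles: {@code true} fails closed, {@code false} lets the query through. */
    private boolean denyIfNoRulesFound = true;

    /** Source of the per-role rules and of the SQL filter condition built from them; injected via setter. */
    private SecurityRuleManager securityRuleManager;

    /** Canonical class names of the DAO implementations this aspect secures; injected via setter. */
    private List<String> securedDAOs;

    /** Master switch; when {@code false} every intercepted call proceeds untouched. */
    private boolean enabled;

    /**
     * Applies the security rules of the current principal to an intercepted DAO call.
     *
     * @param proceedingJoinPoint the intercepted DAO method invocation
     * @param obj the {@code filter} argument of the DAO method; its class selects the rule set
     * @param list the {@code additionalCriteria} argument; the SQL restriction is added to it in place
     * @return whatever the intercepted DAO method returns
     * @throws SecurityException if there is no valid authentication, if the restriction cannot be
     *             attached, or if no rule matches and {@code denyIfNoRulesFound} is set
     * @throws IllegalStateException if the aspect is enabled but its collaborators are not configured
     * @throws Throwable anything thrown by the intercepted method
     */
    @Around("execution(* it.openutils.dao.hibernate.*.*(Object, .., java.util.List<org.hibernate.criterion.Criterion>)) &&  args(filter, .., additionalCriteria)")
    public Object applySecurityRules(ProceedingJoinPoint proceedingJoinPoint, Object obj, List<Criterion> list) throws Throwable {
        if (!this.enabled) {
            log.debug("DAO security disabled, proceeding.");
            return proceedingJoinPoint.proceed();
        }
        if (this.securedDAOs == null) {
            // Fail closed with a clear message instead of a NullPointerException on a half-configured aspect.
            throw new IllegalStateException("AOPSecurity is enabled but securedDAOs is not configured");
        }
        Object target = proceedingJoinPoint.getTarget();
        if (!this.securedDAOs.contains(target.getClass().getCanonicalName())) {
            log.debug("The intercepted DAO {} is not secured, proceeding.", target);
            return proceedingJoinPoint.proceed();
        }
        if (this.securityRuleManager == null) {
            throw new IllegalStateException("AOPSecurity secures " + target.getClass().getCanonicalName()
                + " but securityRuleManager is not configured");
        }
        if (obj == null) {
            // The rule set is keyed by the filter entity's class, so a missing filter cannot be secured.
            throw new SecurityException("Filter entity is required to resolve security rules");
        }
        log.debug("applying security rules for {} with criteria {}", obj, list);

        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        // NOTE(review): an anonymous token, where the deployment uses one, is typically non-null and
        // authenticated; for such principals the outcome is decided solely by the rules found for their
        // authorities (and by denyIfNoRulesFound when there are none).
        if (authentication == null || !authentication.isAuthenticated()) {
            throw new SecurityException("Authentication is not valid");
        }
        GrantedAuthority[] authorities = authentication.getAuthorities();
        List<String> roles = new ArrayList<String>(authorities.length);
        for (GrantedAuthority grantedAuthority : authorities) {
            roles.add(grantedAuthority.getAuthority());
        }

        String entityName = obj.getClass().getCanonicalName();
        List<SecurityRule> rules = this.securityRuleManager.getRulesForRoles(obj, roles);
        if (!rules.isEmpty()) {
            if (list == null) {
                // Without a criteria list the restriction has nowhere to go; never run the unrestricted query.
                throw new SecurityException("Cannot apply security restriction: additionalCriteria is null");
            }
            // The condition text is spliced verbatim into the generated SQL, so the SecurityRule
            // definitions must be trusted, administrator-controlled configuration - never user input.
            String condition = this.securityRuleManager
                .getEntityFilterFromRules(entityName, rules)
                .getFilterDefinition()
                .getDefaultFilterCondition();
            Criterion sqlRestriction = Restrictions.sqlRestriction(condition);
            log.debug("Adding sql restriction: {}", sqlRestriction);
            list.add(sqlRestriction);
            return proceedingJoinPoint.proceed();
        }

        if (log.isWarnEnabled()) {
            StringBuilder roleList = new StringBuilder();
            for (String role : roles) {
                roleList.append(role).append(' ');
            }
            // Reuse the token validated above rather than re-reading the thread-bound context,
            // which could have been cleared in the meantime.
            log.warn("No rules found for {}, user {} with roles {}",
                new Object[] {entityName, authentication.getPrincipal(), roleList});
        }
        if (this.denyIfNoRulesFound) {
            log.debug("denyIfNoRulesFound is true, denying access.");
            throw new SecurityException("Access denied");
        }
        log.debug("denyIfNoRulesFound is false, allowing access.");
        return proceedingJoinPoint.proceed();
    }

    /**
     * @param securityRuleManager provider of the per-role rules and their SQL filter condition
     */
    public void setSecurityRuleManager(SecurityRuleManager securityRuleManager) {
        this.securityRuleManager = securityRuleManager;
    }

    /**
     * @param list canonical class names of the DAO implementations to secure; DAOs not listed
     *            are intercepted but proceed unchecked
     */
    public void setSecuredDAOs(List<String> list) {
        this.securedDAOs = list;
    }

    /**
     * @param z {@code false} disables the aspect entirely
     */
    public void setEnabled(boolean z) {
        this.enabled = z;
    }

    /**
     * @param z {@code true} (the default) denies access when no rule matches the principal's roles
     */
    public void setDenyIfNoRulesFound(boolean z) {
        this.denyIfNoRulesFound = z;
    }
}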
