package org.craftercms.studio.impl.v1.web.security.access;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.servlet.ServletInputStream;
import javax.servlet.http.HttpServletRequest;
import net.sf.json.JSONArray;
import net.sf.json.JSONException;
import net.sf.json.JSONObject;
import org.apache.commons.fileupload.servlet.ServletFileUpload;
import org.apache.commons.io.IOUtils;
import org.apache.commons.lang3.StringUtils;
import org.craftercms.studio.api.v1.exception.ServiceLayerException;
import org.craftercms.studio.api.v1.exception.security.UserNotFoundException;
import org.craftercms.studio.api.v1.log.Logger;
import org.craftercms.studio.api.v1.log.LoggerFactory;
import org.craftercms.studio.api.v2.dal.User;
import org.springframework.http.HttpMethod;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.FilterInvocation;

/* loaded from: input_file:org/craftercms/studio/impl/v1/web/security/access/StudioWorkflowAPIAccessDecisionVoter.class */
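public class StudioWorkflowAPIAccessDecisionVoter extends StudioAbstractAccessDecisionVoter {

    // Vote outcomes, using the same values Spring Security's AccessDecisionVoter defines.
    private static final int ACCESS_GRANTED = 1;
    private static final int ACCESS_ABSTAIN = 0;
    private static final int ACCESS_DENIED = -1;

    // Context-relative URIs of the workflow endpoints this voter decides on.
    private static final String GO_LIVE = "/api/1/services/api/1/workflow/go-live.json";
    private static final String REJECT = "/api/1/services/api/1/workflow/reject.json";
    private static final String GO_DELETE = "/api/1/services/api/1/workflow/go-delete.json";

    private static final String PUBLISH_PERMISSION = "publish";
    private static final String DELETE_PERMISSION = "delete";
    private static final String DELETE_CONTENT_PERMISSION = "delete_content";
    private static final String CANCEL_PUBLISH_PERMISSION = "cancel_publish";

    // Principal string treated as "not logged in" when the user lookup fails.
    private static final String ANONYMOUS_PRINCIPAL = "anonymousUser";

    private static final Logger logger = LoggerFactory.getLogger(StudioWorkflowAPIAccessDecisionVoter.class);

    private static final Set<String> URIS_TO_VOTE =
            Collections.unmodifiableSet(new HashSet<>(Arrays.asList(GO_LIVE, REJECT, GO_DELETE)));

    // Holding any one of these permissions on an item is enough for the matching endpoint.
    private static final Set<String> DELETE_PERMISSIONS =
            Collections.unmodifiableSet(new HashSet<>(Arrays.asList(DELETE_PERMISSION, DELETE_CONTENT_PERMISSION)));
    private static final Set<String> REJECT_PERMISSIONS =
            Collections.unmodifiableSet(new HashSet<>(Arrays.asList(PUBLISH_PERMISSION, CANCEL_PUBLISH_PERMISSION)));

    /**
     * Accepts every config attribute; the decision depends only on the request URI and its payload.
     *
     * @param configAttribute the attribute to check
     * @return always {@code true}
     */
    @Override
    public boolean supports(ConfigAttribute configAttribute) {
        return true;
    }

    /**
     * Votes on requests to the workflow go-live, reject and go-delete endpoints.
     *
     * <p>Abstains for any other URI, for an unknown or missing site, and when the request names no
     * items. Otherwise the caller must be a member of the site and hold the endpoint's permission on
     * <em>every</em> item; one item without it denies the whole request. The user checked is the
     * authenticated principal, never a username supplied by the client.
     *
     * @param authentication the current authentication; its principal is resolved to a Studio user
     * @param obj            the secured object, expected to be a {@link FilterInvocation}
     * @param collection     config attributes (unused, every attribute is supported)
     * @return {@code 1} to grant, {@code -1} to deny, {@code 0} to abstain
     */
    @Override
    public int vote(Authentication authentication, Object obj, Collection collection) {
        int decision = ACCESS_ABSTAIN;
        String uri = "";
        if (obj instanceof FilterInvocation) {
            HttpServletRequest request = ((FilterInvocation) obj).getRequest();
            uri = request.getRequestURI().replace(request.getContextPath(), "");
            if (URIS_TO_VOTE.contains(uri)) {
                decision = voteOnWorkflowRequest(uri, request, authentication);
            }
        }
        logger.debug("Request: " + uri + " - Access: " + decision);
        return decision;
    }

    /**
     * Resolves the site, the item paths and the calling user for one workflow request and votes.
     *
     * @param uri            context-relative request URI, already known to be one of URIS_TO_VOTE
     * @param request        the request; parameters and, for JSON POSTs, the body are read
     * @param authentication the current authentication
     * @return the vote for this request
     */
    private int voteOnWorkflowRequest(String uri, HttpServletRequest request, Authentication authentication) {
        String username = request.getParameter("username");
        String siteId = request.getParameter("site_id");
        if (StringUtils.isEmpty(siteId)) {
            siteId = request.getParameter("site");
        }
        List<String> items = new ArrayList<>();
        // Without a username parameter the site and items are expected in a JSON body.
        if (StringUtils.isEmpty(username) && isNonMultipartPost(request)) {
            siteId = readJsonBody(request, siteId, items);
        }

        // NOTE(review): authentication and its principal are assumed non-null here, as in the
        // surrounding filter chain — confirm no path reaches this voter unauthenticated.
        String principal = authentication.getPrincipal().toString();
        User user;
        try {
            user = this.userServiceInternal.getUserByIdOrUsername(-1L, principal);
        } catch (ClassCastException | ServiceLayerException | UserNotFoundException e) {
            if (!ANONYMOUS_PRINCIPAL.equals(principal)) {
                logger.info("Error getting current user", e);
                return ACCESS_DENIED;
            }
            // Anonymous caller: no user, so every item check below fails.
            user = null;
        }
        return voteOnItems(uri, siteId, user, items);
    }

    /**
     * Reads a JSON request body and pulls the site id and item paths out of it.
     *
     * <p>Any read or parse failure is logged at debug level; whatever was extracted before the
     * failure is kept. The body is decoded as UTF-8 rather than the JVM default charset.
     *
     * @param request        the request whose body is read
     * @param fallbackSiteId site id taken from the request parameters, possibly empty
     * @param items          receives the entries of the body's {@code items} array
     * @return the site id from the body ({@code site_id} wins over {@code site}), else the fallback
     */
    private String readJsonBody(HttpServletRequest request, String fallbackSiteId, List<String> items) {
        String siteId = fallbackSiteId;
        try {
            ServletInputStream inputStream = request.getInputStream();
            // NOTE(review): a plain ServletInputStream is not expected to support mark/reset, so
            // unless the request is wrapped by a body-caching filter the reset() below throws and
            // the consumed body is no longer readable downstream — confirm against the filter chain.
            inputStream.mark(0);
            String body = IOUtils.toString(inputStream, StandardCharsets.UTF_8);
            if (StringUtils.isNotEmpty(body)) {
                JSONObject json = JSONObject.fromObject(body);
                if (json.has("site")) {
                    siteId = json.getString("site");
                }
                if (json.has("site_id")) {
                    siteId = json.getString("site_id");
                }
                if (json.has("items")) {
                    JSONArray array = json.getJSONArray("items");
                    for (int i = 0; i < array.size(); i++) {
                        items.add(array.optString(i));
                    }
                }
            }
            inputStream.reset();
        } catch (IOException | JSONException e) {
            logger.debug("Failed to extract username from POST request");
        }
        return siteId;
    }

    /**
     * Decides the vote once site, user and items are known.
     *
     * @param uri    which workflow endpoint is being called
     * @param siteId site the items belong to, may be null or empty
     * @param user   the resolved caller, or null when the lookup failed for an anonymous principal
     * @param items  item paths named by the request
     * @return abstain for an unknown site or no items; grant only when the user is a site member
     *         with the required permission on every item, deny otherwise
     */
    private int voteOnItems(String uri, String siteId, User user, List<String> items) {
        if (StringUtils.isEmpty(siteId) || !this.siteService.exists(siteId)) {
            return ACCESS_ABSTAIN;
        }
        if (items.isEmpty()) {
            // No items to check, so there is nothing to grant or deny.
            return ACCESS_ABSTAIN;
        }
        if (user == null || !isSiteMember(siteId, user)) {
            return ACCESS_DENIED;
        }
        // Every item must pass; a single unpermitted item denies the whole request.
        for (String item : items) {
            if (!itemPermitted(uri, siteId, item, user.getUsername())) {
                return ACCESS_DENIED;
            }
        }
        return ACCESS_GRANTED;
    }

    /**
     * Checks the permission the given endpoint requires on one item.
     *
     * @param uri      the workflow endpoint
     * @param siteId   the site
     * @param item     the item path
     * @param username the caller
     * @return whether the caller may act on the item; false for a URI this voter does not know
     */
    private boolean itemPermitted(String uri, String siteId, String item, String username) {
        switch (uri) {
            case GO_LIVE:
                return hasPermission(siteId, item, username, PUBLISH_PERMISSION);
            case REJECT:
                return hasAnyPermission(siteId, item, username, REJECT_PERMISSIONS);
            case GO_DELETE:
                return hasAnyPermission(siteId, item, username, DELETE_PERMISSIONS);
            default:
                return false;
        }
    }

    /**
     * Tells whether the request is a non-multipart POST, i.e. one that may carry a JSON body.
     *
     * @param request the request
     * @return true for a POST that is not multipart/form-data
     */
    private static boolean isNonMultipartPost(HttpServletRequest request) {
        return StringUtils.equalsIgnoreCase(request.getMethod(), HttpMethod.POST.name())
                && !ServletFileUpload.isMultipartContent(request);
    }

    /**
     * Accepts every secured object class; non-{@link FilterInvocation} objects make the vote abstain.
     *
     * @param cls the secured object class
     * @return always {@code true}
     */
    @Override
    public boolean supports(Class cls) {
        return true;
    }
}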
