package org.trails.hibernate;

import java.io.Serializable;
import java.util.Iterator;
import ognl.Ognl;
import ognl.OgnlException;
import org.acegisecurity.AuthenticationCredentialsNotFoundException;
import org.acegisecurity.GrantedAuthority;
import org.acegisecurity.context.SecurityContext;
import org.acegisecurity.context.SecurityContextHolder;
import org.acegisecurity.userdetails.UserDetails;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.hibernate.CallbackException;
import org.hibernate.type.Type;
import org.trails.security.EntityModificationInterception;
import org.trails.security.RestrictionType;
import org.trails.security.TrailsSecurityException;
import org.trails.security.annotation.RemoveRequiresAssociation;
import org.trails.security.annotation.RemoveRequiresRole;
import org.trails.security.annotation.UpdateRequiresAssociation;
import org.trails.security.annotation.UpdateRequiresRole;
import org.trails.security.password.DigestUtil;

/* loaded from: input_file:org/trails/hibernate/TrailsSecurityInterceptor.class */
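/**
 * Hibernate interceptor that enforces the Trails entity-level authorization annotations
 * ({@link UpdateRequiresRole}, {@link RemoveRequiresRole}, {@link UpdateRequiresAssociation},
 * {@link RemoveRequiresAssociation}) before an entity is saved, flushed or deleted.
 *
 * <p>Decision rule implemented by {@link #checkRestriction(Object, RestrictionType)}:
 * <ul>
 *   <li>an entity class carrying none of the annotations for the operation is not restricted;</li>
 *   <li>holding any one of the required roles is sufficient;</li>
 *   <li>otherwise the authenticated user must be the owner named by the association annotation.</li>
 * </ul>
 *
 * <p>NOTE(review): the check is skipped entirely when no {@code SecurityContext} or no
 * {@code Authentication} is present (fail-open). Confirm that every code path reaching the
 * Hibernate session with untrusted input runs with an authentication in place, or that this
 * bypass is intentional (e.g. for start-up data loading).
 */
public class TrailsSecurityInterceptor extends TrailsInterceptor {
    private static final Log log = LogFactory.getLog(TrailsSecurityInterceptor.class);

    /**
     * Verifies that the current authentication may perform the given kind of modification
     * on the entity.
     *
     * @param obj the entity about to be modified; {@code null} is ignored
     * @param restrictionType which annotation family to evaluate; {@code null} is ignored
     * @throws EntityModificationInterception if a required role is missing and ownership is
     *         not established, or if the ownership check itself rejects the user
     * @throws TrailsSecurityException if the ownership association is misconfigured
     */
    private void checkRestriction(Object obj, RestrictionType restrictionType) {
        // Guarded so that the entity's toString() only runs when INFO is enabled.
        // NOTE(review): the message contains obj.toString(); entity toString() implementations
        // should not expose credentials or other secrets.
        if (log.isInfoEnabled()) {
            log.info("Check restriction for entity : " + obj);
        }
        if (obj == null || restrictionType == null) {
            return;
        }
        SecurityContext context = SecurityContextHolder.getContext();
        if (context == null || context.getAuthentication() == null) {
            // Fail-open: without an authentication no restriction is evaluated.
            return;
        }

        boolean roleDenied = false;
        String[] requiredRoles = rolesRequiredFor(obj, restrictionType);
        if (requiredRoles != null) {
            for (GrantedAuthority grantedAuthority : context.getAuthentication().getAuthorities()) {
                for (String role : requiredRoles) {
                    if (role.equals(grantedAuthority.getAuthority())) {
                        // One matching role is enough; ownership is not consulted.
                        return;
                    }
                }
            }
            roleDenied = true;
        }

        // The ownership check runs whenever an association is declared, even if no role
        // annotation exists; it throws on its own when the user is not the owner.
        String ownerExpression = ownerAssociationFor(obj, restrictionType);
        boolean ownerVerified = ownerExpression != null && checkOwnershipRestriction(obj, ownerExpression);
        if (!ownerVerified && roleDenied) {
            throw new EntityModificationInterception(obj, "Authenticated user does not have a required role or ownership");
        }
    }

    /**
     * Returns the role names declared on the entity class for the operation, or {@code null}
     * when the class carries no role annotation for it.
     *
     * <p>NOTE(review): the lookup uses the runtime class; if entities can arrive here as
     * generated proxy subclasses and the annotations are not inherited, the lookup would
     * return {@code null} and no role would be required. Confirm against the annotation
     * definitions.
     */
    private static String[] rolesRequiredFor(Object entity, RestrictionType restrictionType) {
        switch (restrictionType) {
            case UPDATE: {
                UpdateRequiresRole annotation = entity.getClass().getAnnotation(UpdateRequiresRole.class);
                return annotation == null ? null : annotation.value();
            }
            case REMOVE: {
                RemoveRequiresRole annotation = entity.getClass().getAnnotation(RemoveRequiresRole.class);
                return annotation == null ? null : annotation.value();
            }
            default:
                return null;
        }
    }

    /**
     * Returns the owner association expression declared on the entity class for the operation,
     * or {@code null} when the class carries no association annotation for it.
     */
    private static String ownerAssociationFor(Object entity, RestrictionType restrictionType) {
        switch (restrictionType) {
            case UPDATE: {
                UpdateRequiresAssociation annotation = entity.getClass().getAnnotation(UpdateRequiresAssociation.class);
                return annotation == null ? null : annotation.value();
            }
            case REMOVE: {
                RemoveRequiresAssociation annotation = entity.getClass().getAnnotation(RemoveRequiresAssociation.class);
                return annotation == null ? null : annotation.value();
            }
            default:
                return null;
        }
    }

    /**
     * Checks that the authenticated user owns the entity.
     *
     * <p>An empty expression means the entity itself must be the authenticated user. Any other
     * expression is evaluated with OGNL against the entity and must yield either a
     * {@link UserDetails} or an {@link Iterable} of them. The expression is taken from an
     * annotation value by the only caller in this class, not from request data.
     *
     * @param obj the entity being modified
     * @param str the owner association expression; empty for "entity is the user"
     * @return {@code true} when ownership is established; {@code false} only when either
     *         argument is {@code null}
     * @throws AuthenticationCredentialsNotFoundException if there is no authentication
     * @throws EntityModificationInterception if the authenticated user is not the owner
     * @throws TrailsSecurityException if the association cannot be evaluated or has the wrong type
     */
    private boolean checkOwnershipRestriction(Object obj, String str) {
        if (obj == null || str == null) {
            return false;
        }
        try {
            SecurityContext context = SecurityContextHolder.getContext();
            if (context.getAuthentication() == null) {
                throw new AuthenticationCredentialsNotFoundException("Entity requires an authenticated user as owner");
            }
            // A null principal name is compared as the empty string.
            // NOTE(review): this would match an owner whose username is empty; confirm that
            // blank usernames cannot exist.
            String name = context.getAuthentication().getName();
            if (name == null) {
                name = "";
            }

            if ("".equals(str)) {
                if (!(obj instanceof UserDetails)) {
                    throw new TrailsSecurityException("Entity is not of type UserDetails");
                }
                if (!name.equals(((UserDetails) obj).getUsername())) {
                    throw new EntityModificationInterception(obj, "Entity does not represent the authenticated user");
                }
                return true;
            }

            Object owner = Ognl.getValue(str, obj);
            if (owner == null) {
                throw new EntityModificationInterception(obj, "Associated owner property is null");
            }
            if (owner instanceof Iterable) {
                boolean isOwner = false;
                try {
                    for (Object candidate : (Iterable<?>) owner) {
                        if (name.equals(((UserDetails) candidate).getUsername())) {
                            isOwner = true;
                            break;
                        }
                    }
                } catch (ClassCastException e) {
                    // Keep the cause so the offending element type shows up in the stack trace.
                    throw new TrailsSecurityException("Associated collection doesn't contain UserDetails objects", e);
                }
                if (!isOwner) {
                    throw new EntityModificationInterception(obj, "Authenticated user is not in the owners collection");
                }
                return true;
            }
            if (!(owner instanceof UserDetails)) {
                throw new TrailsSecurityException("Associate property is not of type UserDetails");
            }
            if (!name.equals(((UserDetails) owner).getUsername())) {
                throw new EntityModificationInterception(obj, "Authenticated user is not the owner");
            }
            return true;
        } catch (OgnlException e2) {
            throw new TrailsSecurityException("Could not evaluate the owner association", e2);
        }
    }

    /**
     * Applies the UPDATE restriction before a dirty entity is flushed, then delegates to the
     * superclass callback.
     */
    public boolean onFlushDirty(Object obj, Serializable serializable, Object[] objArr, Object[] objArr2, String[] strArr, Type[] typeArr) throws CallbackException {
        checkRestriction(obj, RestrictionType.UPDATE);
        return super.onFlushDirty(obj, serializable, objArr, objArr2, strArr, typeArr);
    }

    /**
     * Applies the UPDATE restriction before an entity is saved, then delegates to the
     * superclass callback. Saving is governed by the same annotations as updating; there is
     * no separate restriction type for it in this class.
     */
    public boolean onSave(Object obj, Serializable serializable, Object[] objArr, String[] strArr, Type[] typeArr) throws CallbackException {
        checkRestriction(obj, RestrictionType.UPDATE);
        return super.onSave(obj, serializable, objArr, strArr, typeArr);
    }

    /**
     * Applies the REMOVE restriction before an entity is deleted, then delegates to the
     * superclass callback.
     */
    public void onDelete(Object obj, Serializable serializable, Object[] objArr, String[] strArr, Type[] typeArr) throws CallbackException {
        checkRestriction(obj, RestrictionType.REMOVE);
        super.onDelete(obj, serializable, objArr, strArr, typeArr);
    }
}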
