package org.osaf.cosmo.dav.acegisecurity;

import java.util.Collection;
import javax.servlet.http.HttpServletRequest;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.osaf.cosmo.acegisecurity.providers.ticket.TicketAuthenticationToken;
import org.osaf.cosmo.acegisecurity.userdetails.CosmoUserDetails;
import org.osaf.cosmo.dav.ExtendedDavConstants;
import org.osaf.cosmo.dav.acl.AclEvaluator;
import org.osaf.cosmo.dav.acl.DavPrivilege;
import org.osaf.cosmo.dav.acl.TicketAclEvaluator;
import org.osaf.cosmo.dav.acl.UserAclEvaluator;
import org.osaf.cosmo.http.Methods;
import org.osaf.cosmo.model.Item;
import org.osaf.cosmo.model.Ticket;
import org.osaf.cosmo.model.User;
import org.osaf.cosmo.service.UserService;
import org.osaf.cosmo.util.UriTemplate;
import org.springframework.security.access.AccessDecisionManager;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.authentication.InsufficientAuthenticationException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.FilterInvocation;

/* loaded from: input_file:org/osaf/cosmo/dav/acegisecurity/DavAccessDecisionManager.class */
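/**
 * Access decision manager for the DAV principal URIs.
 *
 * <p>{@link #decide} builds an {@link AclEvaluator} from the current
 * authentication, normalizes the request's path info and matches it against
 * {@code TEMPLATE_USERS} and {@code TEMPLATE_USER} (presumably inherited from
 * {@link ExtendedDavConstants}). Only those two templates are evaluated here.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>A path that matches neither template is <em>not</em> denied: {@link #match}
 *       returns normally and the request proceeds. Anything outside the principal
 *       URIs must therefore be authorized by a later stage.</li>
 *   <li>{@code PROPFIND} is always let through; the debug message states that the
 *       provider is expected to check access itself.</li>
 *   <li>NOTE(review): the match runs on {@code getPathInfo()}. If the component that
 *       finally serves the request normalizes the path differently, a request could
 *       miss both templates here and still reach a principal resource. Confirm both
 *       sides agree on normalization.</li>
 * </ul>
 */
public class DavAccessDecisionManager implements AccessDecisionManager, ExtendedDavConstants {
    private static final Log log = LogFactory.getLog(DavAccessDecisionManager.class);
    private UserService userService;

    /**
     * Signals that the evaluated principal lacks a privilege. {@link #decide}
     * converts it into a {@code DavAccessDeniedException}.
     */
    public static class AclEvaluationException extends Exception {
        private static final long serialVersionUID = 1;
        // Item the privilege was evaluated against; every throw site in this file passes null.
        private final Item item;
        // Privilege that was required and not held.
        private final DavPrivilege privilege;

        /**
         * @param item the item that was being accessed, may be {@code null}
         * @param davPrivilege the privilege the principal does not hold
         */
        public AclEvaluationException(Item item, DavPrivilege davPrivilege) {
            this.item = item;
            this.privilege = davPrivilege;
        }

        /** @return the item that was being accessed, possibly {@code null} */
        public Item getItem() {
            return this.item;
        }

        /** @return the privilege the principal does not hold */
        public DavPrivilege getPrivilege() {
            return this.privilege;
        }
    }

    /**
     * Authorizes a request against the principal URI templates.
     *
     * @param authentication the caller's authentication; must be a
     *        {@link UsernamePasswordAuthenticationToken} carrying {@link CosmoUserDetails}
     *        or a {@link TicketAuthenticationToken} carrying a {@link Ticket}
     * @param obj the secured object; cast to {@link FilterInvocation} (see {@link #supports(Class)})
     * @param collection configuration attributes; not consulted
     * @throws AccessDeniedException if the ACL evaluation reports a missing privilege
     * @throws InsufficientAuthenticationException if the token or its principal is of an
     *         unrecognized type
     */
    @Override
    public void decide(Authentication authentication, Object obj, Collection<ConfigAttribute> collection) throws AccessDeniedException, InsufficientAuthenticationException {
        AclEvaluator evaluator = createEvaluator(authentication);
        HttpServletRequest httpRequest = ((FilterInvocation) obj).getHttpRequest();
        String path = normalizePath(httpRequest.getPathInfo());
        try {
            match(path, httpRequest.getMethod(), evaluator);
        } catch (AclEvaluationException e) {
            throw new DavAccessDeniedException(httpRequest.getRequestURI(), e.getPrivilege());
        }
    }

    /** Accepts every configuration attribute; {@link #decide} does not read them. */
    @Override
    public boolean supports(ConfigAttribute configAttribute) {
        return true;
    }

    /** @return {@code true} only for {@link FilterInvocation} and its subtypes */
    @Override
    public boolean supports(Class<?> cls) {
        return FilterInvocation.class.isAssignableFrom(cls);
    }

    /**
     * Matches the path against the principal templates and runs the corresponding
     * evaluation.
     *
     * <p>When neither template matches, nothing is evaluated and the method returns
     * normally, which {@link #decide} treats as "allowed".
     *
     * @param str normalized path info of the request
     * @param str2 HTTP method of the request
     * @param aclEvaluator evaluator built from the caller's authentication
     * @throws AclEvaluationException if the principal lacks the required privilege
     */
    protected void match(String str, String str2, AclEvaluator aclEvaluator) throws AclEvaluationException {
        if (log.isDebugEnabled()) {
            // Path and method come straight from the request; strip line breaks so a
            // crafted value cannot forge additional log entries.
            log.debug("matching resource " + sanitizeForLog(str) + " with method " + sanitizeForLog(str2));
        }
        UriTemplate.Match usersMatch = TEMPLATE_USERS.match(false, str);
        if (usersMatch != null) {
            evaluateUserPrincipalCollection(usersMatch, str2, aclEvaluator);
            return;
        }
        UriTemplate.Match userMatch = TEMPLATE_USER.match(false, str);
        if (userMatch != null) {
            evaluateUserPrincipal(userMatch, str2, aclEvaluator);
        }
        // No template matched: intentionally no decision is taken here.
    }

    /**
     * Evaluates access to the user principal collection.
     *
     * @param match the template match (not read by this method)
     * @param str HTTP method of the request
     * @param aclEvaluator must be a {@link UserAclEvaluator}
     * @throws AclEvaluationException if the principal lacks READ (read methods) or WRITE
     *         (all other methods) on the collection
     * @throws IllegalStateException if the caller authenticated with a ticket
     */
    protected void evaluateUserPrincipalCollection(UriTemplate.Match match, String str, AclEvaluator aclEvaluator) throws AclEvaluationException {
        if (aclEvaluator instanceof TicketAclEvaluator) {
            // NOTE(review): this fails closed, but as an unchecked exception rather than
            // an access-denied response; a ticket holder can trigger it by requesting a
            // principal URI. Confirm how the surrounding filter chain reports it.
            throw new IllegalStateException("A ticket may not be used to access the user principal collection");
        }
        if (str.equals("PROPFIND")) {
            if (log.isDebugEnabled()) {
                log.debug("Allowing method " + str + " so provider can evaluate check access itself");
            }
            return;
        }
        UserAclEvaluator userAclEvaluator = (UserAclEvaluator) aclEvaluator;
        DavPrivilege davPrivilege = Methods.isReadMethod(str) ? DavPrivilege.READ : DavPrivilege.WRITE;
        if (!userAclEvaluator.evaluateUserPrincipalCollection(davPrivilege)) {
            if (log.isDebugEnabled()) {
                log.debug("Principal does not have privilege " + davPrivilege + "; denying access");
            }
            throw new AclEvaluationException(null, davPrivilege);
        }
        if (log.isDebugEnabled()) {
            log.debug("Principal has privilege " + davPrivilege + "; allowing access");
        }
    }

    /**
     * Evaluates access to a single user principal named by the URI.
     *
     * <p>If the named user does not exist the request is let through; the log message
     * indicates the intent is for a later stage to answer 404.
     * NOTE(review): an existing user the caller may not access is denied while an
     * unknown user is passed on, so the two cases may be distinguishable to the
     * caller. Confirm that is acceptable.
     *
     * @param match the template match carrying the username variable
     * @param str HTTP method of the request
     * @param aclEvaluator must be a {@link UserAclEvaluator}
     * @throws AclEvaluationException if the principal lacks READ (read methods) or WRITE
     *         (all other methods) on the user principal
     * @throws IllegalStateException if the caller authenticated with a ticket
     */
    protected void evaluateUserPrincipal(UriTemplate.Match match, String str, AclEvaluator aclEvaluator) throws AclEvaluationException {
        if (aclEvaluator instanceof TicketAclEvaluator) {
            // Same message as the collection case; kept unchanged for compatibility.
            throw new IllegalStateException("A ticket may not be used to access the user principal collection");
        }
        String username = match.get(User.USERNAME_URL_STRING);
        User user = getUserService().getUser(username);
        if (user == null) {
            if (log.isDebugEnabled()) {
                // The username is taken from the request URI; strip line breaks before logging.
                log.debug("User " + sanitizeForLog(username) + " not found; allowing for 404");
            }
            return;
        }
        if (str.equals("PROPFIND")) {
            if (log.isDebugEnabled()) {
                log.debug("Allowing method " + str + " so provider can evaluate check access itself");
            }
            return;
        }
        UserAclEvaluator userAclEvaluator = (UserAclEvaluator) aclEvaluator;
        DavPrivilege davPrivilege = Methods.isReadMethod(str) ? DavPrivilege.READ : DavPrivilege.WRITE;
        if (!userAclEvaluator.evaluateUserPrincipal(user, davPrivilege)) {
            if (log.isDebugEnabled()) {
                log.debug("Principal does not have privilege " + davPrivilege + "; denying access");
            }
            throw new AclEvaluationException(null, davPrivilege);
        }
        if (log.isDebugEnabled()) {
            log.debug("Principal has privilege " + davPrivilege + "; allowing access");
        }
    }

    /** @param userService service used to look up the user named in a principal URI */
    public void setUserService(UserService userService) {
        this.userService = userService;
    }

    /** @return the configured user service, or {@code null} if none was set */
    public UserService getUserService() {
        return this.userService;
    }

    /**
     * Builds the ACL evaluator for the given authentication.
     *
     * <p>The principal type is checked before casting so that an unexpected principal
     * is rejected as insufficient authentication instead of surfacing as a
     * {@link ClassCastException}.
     */
    private static AclEvaluator createEvaluator(Authentication authentication) {
        if (authentication instanceof UsernamePasswordAuthenticationToken) {
            Object principal = authentication.getPrincipal();
            if (!(principal instanceof CosmoUserDetails)) {
                throw new InsufficientAuthenticationException("Unrecognized authentication principal");
            }
            return new UserAclEvaluator(((CosmoUserDetails) principal).getUser());
        }
        if (authentication instanceof TicketAuthenticationToken) {
            Object principal = authentication.getPrincipal();
            if (!(principal instanceof Ticket)) {
                throw new InsufficientAuthenticationException("Unrecognized authentication principal");
            }
            return new TicketAclEvaluator((Ticket) principal);
        }
        throw new InsufficientAuthenticationException("Unrecognized authentication token");
    }

    /** Maps a missing path to "/" and drops a single trailing slash from any other path. */
    private static String normalizePath(String pathInfo) {
        if (pathInfo == null) {
            return "/";
        }
        if (!pathInfo.equals("/") && pathInfo.endsWith("/")) {
            return pathInfo.substring(0, pathInfo.length() - 1);
        }
        return pathInfo;
    }

    /** Replaces CR and LF in a request-derived value so it stays on one log line. */
    private static String sanitizeForLog(String value) {
        if (value == null) {
            return null;
        }
        return value.replace('\r', '_').replace('\n', '_');
    }
}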
