package org.sentilo.web.catalog.security.access;

import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import org.sentilo.web.catalog.context.TenantContextHolder;
import org.sentilo.web.catalog.security.CatalogUserDetails;
import org.sentilo.web.catalog.security.service.CatalogUserDetailsService;
import org.sentilo.web.catalog.utils.TenantUtils;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.web.access.WebInvocationPrivilegeEvaluator;
import org.springframework.web.context.support.WebApplicationContextUtils;
import org.springframework.web.filter.GenericFilterBean;

/* loaded from: input_file:WEB-INF/classes/org/sentilo/web/catalog/security/access/TenantAccessControlFilter.class */
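public class TenantAccessControlFilter extends GenericFilterBean {

    /**
     * Position, within the beans of type {@link WebInvocationPrivilegeEvaluator} exposed by the web
     * application context, of the evaluator this filter consults. The original code selected the
     * second bean by a bare array index; the index is kept but named so the dependency on bean
     * registration order is visible to the next maintainer.
     */
    private static final int EVALUATOR_BEAN_INDEX = 1;

    @Autowired
    private CatalogUserDetailsService userDetailsService;

    // Resolved lazily on first use; volatile so a concurrently initialised value is visible.
    private volatile WebInvocationPrivilegeEvaluator requestEvaluator;

    // Synthetic anonymous principal used to ask the privilege evaluator whether a path is public.
    private final Authentication anonymousAuth = new AnonymousAuthenticationToken("_KEY", "anonymousUser", AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS"));

    /**
     * Rejects the request with an {@link AccessDeniedException} when the authenticated user may not
     * act on the tenant addressed by the request; otherwise continues the chain.
     *
     * @param servletRequest the current request, expected to be an {@link HttpServletRequest}
     * @param servletResponse the current response
     * @param filterChain the remaining filter chain
     * @throws IOException propagated from the chain
     * @throws ServletException propagated from the chain
     * @throws AccessDeniedException when the tenant check fails
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        if (!allowUserAccess((HttpServletRequest) servletRequest)) {
            throw new AccessDeniedException("You are not allowed to access this page!");
        }
        filterChain.doFilter(servletRequest, servletResponse);
    }

    /**
     * The tenant check only applies when tenant filtering is enabled, a catalog user is logged in and
     * the requested path is not reachable anonymously; every other request is allowed through.
     */
    private boolean allowUserAccess(HttpServletRequest httpServletRequest) {
        boolean tenantCheckApplies = filterByTenantEnabled() && userIsLoggedIn() && !isAnonymousRequest(httpServletRequest);
        return !tenantCheckApplies || userBelongsToRequestTenant(httpServletRequest);
    }

    private boolean filterByTenantEnabled() {
        return TenantContextHolder.isEnabled();
    }

    /**
     * Returns {@code true} when the path (request URI minus context path) is either an internal
     * {@code /WEB-INF/} resource or is permitted to the anonymous principal by the security
     * configuration, as judged by the privilege evaluator.
     */
    private boolean isAnonymousRequest(HttpServletRequest httpServletRequest) {
        // NOTE(review): the URI is used as returned by the container (not decoded or normalised);
        // the evaluator is expected to apply the same matching rules as the security config — confirm.
        String pathWithinApp = httpServletRequest.getRequestURI().substring(httpServletRequest.getContextPath().length());
        return pathWithinApp.startsWith("/WEB-INF/") || getRequestEvaluator().isAllowed(pathWithinApp, this.anonymousAuth);
    }

    private boolean userIsLoggedIn() {
        return this.userDetailsService.getCatalogUserDetails() != null;
    }

    /**
     * Super-admin users are only allowed when the request carries no tenant; any other user is
     * allowed only when its tenant id equals the request tenant. A user without a tenant id is
     * denied rather than raising a {@link NullPointerException} as the original code did.
     */
    private boolean userBelongsToRequestTenant(HttpServletRequest httpServletRequest) {
        CatalogUserDetails user = this.userDetailsService.getCatalogUserDetails();
        if (user == null) {
            return false;
        }
        String requestTenant = TenantUtils.getRequestTenant();
        if (user.isSuperAdminUser()) {
            return requestTenant == null;
        }
        String userTenant = user.getTenantId();
        // Fail closed: a missing tenant on the user never matches any request tenant.
        return userTenant != null && userTenant.equals(requestTenant);
    }

    /**
     * Lazily resolves the privilege evaluator from the web application context.
     *
     * @throws IllegalStateException when fewer than {@code EVALUATOR_BEAN_INDEX + 1} evaluator beans
     *         are registered (the original code failed here with an ArrayIndexOutOfBoundsException)
     */
    private WebInvocationPrivilegeEvaluator getRequestEvaluator() {
        WebInvocationPrivilegeEvaluator evaluator = this.requestEvaluator;
        if (evaluator == null) {
            WebInvocationPrivilegeEvaluator[] candidates = WebApplicationContextUtils
                .getRequiredWebApplicationContext(getServletContext())
                .getBeansOfType(WebInvocationPrivilegeEvaluator.class)
                .values()
                .toArray(new WebInvocationPrivilegeEvaluator[0]);
            if (candidates.length <= EVALUATOR_BEAN_INDEX) {
                throw new IllegalStateException("Expected at least " + (EVALUATOR_BEAN_INDEX + 1)
                    + " WebInvocationPrivilegeEvaluator beans but found " + candidates.length);
            }
            evaluator = candidates[EVALUATOR_BEAN_INDEX];
            this.requestEvaluator = evaluator;
        }
        return evaluator;
    }
}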
