package com.liferay.portal.security.service.access.policy.internal;

import com.liferay.petra.string.StringBundler;
import com.liferay.portal.kernel.exception.PortalException;
import com.liferay.portal.kernel.exception.SystemException;
import com.liferay.portal.kernel.module.configuration.ConfigurationException;
import com.liferay.portal.kernel.module.configuration.ConfigurationProvider;
import com.liferay.portal.kernel.security.access.control.AccessControlPolicy;
import com.liferay.portal.kernel.security.access.control.AccessControlUtil;
import com.liferay.portal.kernel.security.access.control.AccessControlled;
import com.liferay.portal.kernel.security.access.control.BaseAccessControlPolicy;
import com.liferay.portal.kernel.security.auth.AccessControlContext;
import com.liferay.portal.kernel.security.auth.CompanyThreadLocal;
import com.liferay.portal.kernel.security.auth.verifier.AuthVerifierResult;
import com.liferay.portal.kernel.security.service.access.policy.ServiceAccessPolicy;
import com.liferay.portal.kernel.security.service.access.policy.ServiceAccessPolicyThreadLocal;
import com.liferay.portal.kernel.settings.CompanyServiceSettingsLocator;
import com.liferay.portal.kernel.util.Validator;
import com.liferay.portal.security.service.access.policy.configuration.SAPConfiguration;
import com.liferay.portal.security.service.access.policy.model.SAPEntry;
import com.liferay.portal.security.service.access.policy.service.SAPEntryLocalService;
import java.lang.reflect.Method;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Reference;

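/**
 * Access control policy that authorizes remote service calls against the
 * service access policy (SAP) entries that apply to the current request.
 *
 * <p>For each remote call the policy collects three groups of SAP entry names
 * (names activated for the current thread or by the auth verifier, the
 * company's default entries, and the configured system entries), loads the
 * allowed service signatures of every <em>enabled</em> entry, and throws
 * {@link SecurityException} unless the invoked {@code class#method} is covered
 * by one of them. Nothing is allowed implicitly: an empty signature set denies
 * every call.
 */
@Component(service = {AccessControlPolicy.class})
public class SAPAccessControlPolicy extends BaseAccessControlPolicy {

    @Reference
    private ConfigurationProvider _configurationProvider;

    @Reference
    private SAPEntryLocalService _sapEntryLocalService;

    /**
     * Verifies that the remotely invoked service method is allowed by the
     * service access policies in effect for the current request.
     *
     * @param method the service method being invoked
     * @param arguments the invocation arguments (not inspected by this policy)
     * @param accessControlled the access control annotation of the method (not
     *        inspected by this policy)
     * @throws SecurityException if no applicable policy allows the method
     */
    public void onServiceRemoteAccess(Method method, Object[] arguments, AccessControlled accessControlled) throws SecurityException {
        // Only the outermost remote call is checked; see _isChecked().
        if (_isChecked()) {
            return;
        }

        // Copy into a fresh list so the default and system names are never
        // written back into the thread-local list of active policy names.
        List<String> policyNames = new ArrayList<>(_getActiveServiceAccessPolicyNames());

        long companyId = CompanyThreadLocal.getCompanyId().longValue();

        policyNames.addAll(_getDefaultServiceAccessPolicyNames(companyId));
        policyNames.addAll(_getSystemServiceAccessPolicyNames(companyId));

        Class<?> declaringClass = method.getDeclaringClass();

        _checkAccess(_loadAllowedServiceSignatures(companyId, policyNames), declaringClass.getName(), method.getName());
    }

    /**
     * Tests one allowed service signature against a class and method name.
     *
     * <p>The signature has the form {@code classPattern[#methodPattern]}. Each
     * part may end with {@code *}, which turns it into a <em>prefix</em> match
     * ({@link String#startsWith(String)}); without the star the part must be
     * equal. A blank part places no constraint on that side, except that a
     * signature with both parts blank only matches when the class part was a
     * bare {@code *}.
     *
     * <p>Security note: because the wildcard is a plain prefix match,
     * {@code com.example.Foo*} also admits {@code com.example.FooBar}. Policy
     * authors who mean "everything in a package" should end the pattern at the
     * package separator (for example {@code com.example.*}).
     *
     * @param className the fully qualified name of the invoked service class
     * @param methodName the name of the invoked method
     * @param allowedServiceSignature the signature pattern from a SAP entry
     * @return {@code true} if the pattern covers the class and method
     */
    protected boolean matches(String className, String methodName, String allowedServiceSignature) {
        String allowedClassName = allowedServiceSignature;
        String allowedMethodName = null;

        int separatorIndex = allowedServiceSignature.indexOf('#');

        if (separatorIndex > -1) {
            allowedClassName = allowedServiceSignature.substring(0, separatorIndex);
            allowedMethodName = allowedServiceSignature.substring(separatorIndex + 1);
        }

        boolean classWildcard = false;

        if (Validator.isNotNull(allowedClassName) && allowedClassName.endsWith("*")) {
            allowedClassName = allowedClassName.substring(0, allowedClassName.length() - 1);
            classWildcard = true;
        }

        boolean methodWildcard = false;

        if (Validator.isNotNull(allowedMethodName) && allowedMethodName.endsWith("*")) {
            allowedMethodName = allowedMethodName.substring(0, allowedMethodName.length() - 1);
            methodWildcard = true;
        }

        // Evaluated after the star has been stripped, so a bare "*" counts as
        // "no pattern" on that side.
        boolean hasClassPattern = Validator.isNotNull(allowedClassName);
        boolean hasMethodPattern = Validator.isNotNull(allowedMethodName);

        if (hasClassPattern && hasMethodPattern) {
            return _matchesName(className, allowedClassName, classWildcard)
                && _matchesName(methodName, allowedMethodName, methodWildcard);
        }

        if (hasClassPattern) {
            return _matchesName(className, allowedClassName, classWildcard);
        }

        if (hasMethodPattern) {
            return _matchesName(methodName, allowedMethodName, methodWildcard);
        }

        // Both parts are blank: only a class part that was a bare "*" matches
        // (for example "*" or "*#*"); "#", "#*" and "" match nothing.
        return classWildcard && Validator.isNull(allowedClassName);
    }

    /** Compares a name with a pattern: prefix match for wildcards, equality otherwise. */
    private static boolean _matchesName(String name, String pattern, boolean wildcard) {
        return wildcard ? name.startsWith(pattern) : name.equals(pattern);
    }

    /**
     * Throws unless the allowed signatures cover the given class and method.
     *
     * <p>Access is granted when the set contains the literal {@code *}, the
     * bare class name (every method of that class), the exact
     * {@code className#methodName}, or any pattern accepted by
     * {@link #matches(String, String, String)}.
     *
     * @throws SecurityException if no signature covers the call
     */
    private void _checkAccess(Set<String> allowedServiceSignatures, String className, String methodName) {
        if (allowedServiceSignatures.contains("*") || allowedServiceSignatures.contains(className)) {
            return;
        }

        String classNameAndMethodName = StringBundler.concat(new String[] {className, "#", methodName});

        if (allowedServiceSignatures.contains(classNameAndMethodName)) {
            return;
        }

        for (String allowedServiceSignature : allowedServiceSignatures) {
            if (matches(className, methodName, allowedServiceSignature)) {
                return;
            }
        }

        throw new SecurityException("Access denied to " + classNameAndMethodName);
    }

    /**
     * Returns the thread-local list of active policy names, creating and
     * registering it when absent, after appending the names supplied by the
     * current auth verifier result (if any).
     *
     * <p>NOTE(review): the thread-local list is extended on every call and is
     * never cleared here. Confirm that the thread local is reset at the end of
     * each request, so that policy names granted to one request cannot carry
     * over to a later request served by the same pooled thread.
     */
    private List<String> _getActiveServiceAccessPolicyNames() {
        List<String> activeServiceAccessPolicyNames = ServiceAccessPolicyThreadLocal.getActiveServiceAccessPolicyNames();

        if (activeServiceAccessPolicyNames == null) {
            activeServiceAccessPolicyNames = new ArrayList<>();

            ServiceAccessPolicyThreadLocal.setActiveServiceAccessPolicyNames(activeServiceAccessPolicyNames);
        }

        AccessControlContext accessControlContext = AccessControlUtil.getAccessControlContext();

        if (accessControlContext == null) {
            return activeServiceAccessPolicyNames;
        }

        AuthVerifierResult authVerifierResult = accessControlContext.getAuthVerifierResult();

        if (authVerifierResult == null) {
            return activeServiceAccessPolicyNames;
        }

        // The settings value is stored untyped; the original code performs the
        // same cast without an element type.
        @SuppressWarnings("unchecked")
        List<String> verifierPolicyNames = (List<String>) authVerifierResult.getSettings().get(ServiceAccessPolicy.SERVICE_ACCESS_POLICY_NAMES);

        if (verifierPolicyNames != null) {
            activeServiceAccessPolicyNames.addAll(verifierPolicyNames);
        }

        return activeServiceAccessPolicyNames;
    }

    /** Returns the names of the company's default SAP entries. */
    private List<String> _getDefaultServiceAccessPolicyNames(long companyId) {
        List<SAPEntry> defaultSAPEntries = this._sapEntryLocalService.getDefaultSAPEntries(companyId, true);

        List<String> names = new ArrayList<>(defaultSAPEntries.size());

        for (SAPEntry sapEntry : defaultSAPEntries) {
            names.add(sapEntry.getName());
        }

        return names;
    }

    /**
     * Returns the configured system SAP entry names for the company.
     *
     * <p>The list is empty when system entries are disabled. Otherwise it
     * holds the system default entry name, plus the user-password entry name
     * when the current auth verifier result reports password-based
     * authentication.
     *
     * @throws SystemException if the SAP configuration cannot be read
     */
    private List<String> _getSystemServiceAccessPolicyNames(long companyId) {
        SAPConfiguration sapConfiguration;

        try {
            sapConfiguration = (SAPConfiguration) this._configurationProvider.getConfiguration(
                SAPConfiguration.class,
                new CompanyServiceSettingsLocator(companyId, "com.liferay.portal.security.service.access.policy"));
        } catch (ConfigurationException e) {
            // Fail the request rather than continue with an unknown policy set.
            throw new SystemException("Unable to get service access policy configuration", e);
        }

        List<String> names = new ArrayList<>(2);

        if (!sapConfiguration.useSystemSAPEntries()) {
            return names;
        }

        names.add(sapConfiguration.systemDefaultSAPEntryName());

        boolean passwordBasedAuthentication = false;

        AccessControlContext accessControlContext = AccessControlUtil.getAccessControlContext();

        if (accessControlContext != null) {
            AuthVerifierResult authVerifierResult = accessControlContext.getAuthVerifierResult();

            if (authVerifierResult != null) {
                passwordBasedAuthentication = authVerifierResult.isPasswordBasedAuthentication();
            }
        }

        if (passwordBasedAuthentication) {
            names.add(sapConfiguration.systemUserPasswordSAPEntryName());
        }

        return names;
    }

    /**
     * Reports whether the policy check can be skipped because the current
     * service depth is greater than one, i.e. this is a nested service call.
     *
     * <p>A missing or non-integer depth setting is treated as "not yet
     * checked", so the policy is enforced (fail closed) instead of the method
     * failing with a {@link NullPointerException} or
     * {@link ClassCastException} before any decision is made.
     */
    private boolean _isChecked() {
        AccessControlContext accessControlContext = AccessControlUtil.getAccessControlContext();

        if (accessControlContext == null) {
            return false;
        }

        Object serviceDepth = accessControlContext.getSettings().get(AccessControlContext.Settings.SERVICE_DEPTH.toString());

        return (serviceDepth instanceof Integer) && (((Integer) serviceDepth).intValue() > 1);
    }

    /**
     * Collects the allowed service signatures of every enabled SAP entry named
     * in {@code serviceAccessPolicyNames}. Disabled entries contribute nothing.
     *
     * @throws SystemException if an entry cannot be loaded; the lookup failure
     *         aborts the request instead of silently shrinking the policy set
     */
    private Set<String> _loadAllowedServiceSignatures(long companyId, List<String> serviceAccessPolicyNames) {
        Set<String> allowedServiceSignatures = new HashSet<>();

        for (String serviceAccessPolicyName : serviceAccessPolicyNames) {
            try {
                SAPEntry sapEntry = this._sapEntryLocalService.getSAPEntry(companyId, serviceAccessPolicyName);

                if (sapEntry.isEnabled()) {
                    allowedServiceSignatures.addAll(sapEntry.getAllowedServiceSignaturesList());
                }
            } catch (PortalException e) {
                throw new SystemException(e);
            }
        }

        return allowedServiceSignatures;
    }
}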
