package org.duracloud.security.vote;

import java.text.ParseException;
import java.util.Collection;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import org.duracloud.common.model.AclType;
import org.duracloud.security.domain.HttpVerb;
import org.duracloud.snapshot.id.SnapshotIdentifier;
import org.duracloud.storage.provider.StorageProvider;
import org.duracloud.storage.util.StorageProviderFactory;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.util.CollectionUtils;

/* loaded from: input_file:WEB-INF/lib/security-4.2.3.jar:org/duracloud/security/vote/SpaceReadAccessVoter.class */
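/**
 * Access-decision voter for read requests against spaces.
 *
 * <p>{@link #vote} abstains (0) for unsupported secured objects and for non-read HTTP verbs,
 * denies (-1) when no request or verb can be derived, and otherwise grants (1) on the first
 * rule that matches, in this order: admin user, open resource, publicly readable space,
 * user ACL, group ACL, snapshot-metadata rule, configured path exemptions. Anonymous callers
 * are denied as soon as the space is known not to be public, so the last four rules are
 * reachable only by authenticated users.
 *
 * <p>Security note: every entry in {@code pathExemptions} is a regular expression that grants
 * read access to any authenticated user whose request path matches it in full. Keep the
 * patterns as narrow as possible and review them together with the space ACLs.
 */
public class SpaceReadAccessVoter extends SpaceAccessVoter {
    /** Label passed to {@link VoterUtil#debugText} for every decision logged by this voter. */
    private static final String VOTER_LABEL = "SpaceReadAccessVoterImpl";

    /** Suffix that snapshot-metadata content ids are required to carry. */
    private static final String ZIP_SUFFIX = ".zip";

    // Vote values returned by this class; the literals are the ones the original code used.
    private static final int GRANT = 1;
    private static final int ABSTAIN = 0;
    private static final int DENY = -1;

    private final Logger log = LoggerFactory.getLogger(SpaceReadAccessVoter.class);

    /** Regular expressions matched against the request path info; may be null or empty. */
    private final List<String> pathExemptions;

    /**
     * Creates a voter without any path exemptions.
     *
     * @param storageProviderFactory passed through to {@link SpaceAccessVoter}
     * @param userDetailsService passed through to {@link SpaceAccessVoter}
     */
    public SpaceReadAccessVoter(StorageProviderFactory storageProviderFactory, UserDetailsService userDetailsService) {
        this(storageProviderFactory, userDetailsService, new LinkedList<>());
    }

    /**
     * Creates a voter with the given path exemptions.
     *
     * @param storageProviderFactory passed through to {@link SpaceAccessVoter}
     * @param userDetailsService passed through to {@link SpaceAccessVoter}
     * @param pathExemptions regular expressions; a request whose path info fully matches one of
     *     them is readable by any authenticated user. The list is stored by reference, not
     *     copied. {@code null} is treated like an empty list.
     */
    public SpaceReadAccessVoter(StorageProviderFactory storageProviderFactory, UserDetailsService userDetailsService, List<String> pathExemptions) {
        super(storageProviderFactory, userDetailsService);
        this.pathExemptions = pathExemptions;
    }

    /**
     * Votes on whether the caller may read the requested space or content.
     *
     * @param authentication the caller
     * @param obj the secured object from which the HTTP request is derived
     * @param collection the configuration attributes; only used for debug logging here
     * @return 1 to grant, 0 to abstain, -1 to deny
     */
    @Override // org.springframework.security.access.AccessDecisionVoter
    public int vote(Authentication authentication, Object obj, Collection collection) {
        if (obj != null && !supports(obj.getClass())) {
            return decide(ABSTAIN, authentication, collection, obj);
        }
        HttpServletRequest httpServletRequest = getHttpServletRequest(obj);
        if (null == httpServletRequest) {
            return decide(DENY, authentication, collection, obj);
        }
        HttpVerb httpVerb = getHttpVerb(httpServletRequest);
        if (null == httpVerb) {
            return decide(DENY, authentication, collection, obj);
        }
        if (!httpVerb.isRead()) {
            // Not a read request: this voter has no opinion.
            return decide(ABSTAIN, authentication, collection, obj);
        }
        if (isAdmin(authentication.getName())) {
            return decide(GRANT, authentication, collection, obj);
        }
        if (isOpenResource(httpServletRequest)) {
            return decide(GRANT, authentication, collection, obj);
        }
        Map<String, AclType> spaceACLs = getSpaceACLs(httpServletRequest);
        if (spaceACLs.containsKey(StorageProvider.PROPERTIES_SPACE_ACL_PUBLIC)) {
            return decide(GRANT, authentication, collection, obj);
        }
        // Everything below requires an authenticated caller.
        if (authentication instanceof AnonymousAuthenticationToken) {
            return decide(DENY, authentication, collection, obj);
        }
        String name = authentication.getName();
        if (hasReadAccess(name, spaceACLs)) {
            return decide(GRANT, authentication, collection, obj);
        }
        List<String> userGroups = getUserGroups(authentication);
        if (groupsHaveReadAccess(userGroups, spaceACLs)) {
            return decide(GRANT, authentication, collection, obj);
        }
        if (isSnapshotMetadataSpace(httpServletRequest) && hasContentId(httpServletRequest)) {
            // Snapshot metadata is readable only by users who can read the space the snapshot
            // was taken from; path exemptions are deliberately not consulted on this branch.
            int decision = hasSnapshotSpacePermissions(httpServletRequest, name, userGroups) ? GRANT : DENY;
            return decide(decision, authentication, collection, obj);
        }
        if (matchesPathExemptions(httpServletRequest)) {
            // Logged like every other outcome so exemption-based grants show up in debug traces.
            return decide(GRANT, authentication, collection, obj);
        }
        return decide(DENY, authentication, collection, obj);
    }

    /** Writes the decision to the debug log and returns it unchanged. */
    private int decide(int decision, Authentication authentication, Collection collection, Object obj) {
        this.log.debug(VoterUtil.debugText(VOTER_LABEL, authentication, collection, obj, decision));
        return decision;
    }

    /**
     * Checks read access to snapshot metadata by looking up the ACLs of the space named in the
     * snapshot id. The snapshot id is the content id with its trailing ".zip" removed.
     *
     * @param httpServletRequest request naming the snapshot metadata content
     * @param str user name of the caller
     * @param list groups of the caller
     * @return true if the user or one of the groups has read access to the snapshot's space;
     *     false if not, or if the content id is missing, lacks the suffix or cannot be parsed
     */
    private boolean hasSnapshotSpacePermissions(HttpServletRequest httpServletRequest, String str, List<String> list) {
        String contentId = getContentId(httpServletRequest);
        if (contentId == null || !contentId.endsWith(ZIP_SUFFIX)) {
            this.log.error("snapshot metadata content id did not end in '.zip' as expected.");
            return false;
        }
        // Strip exactly the suffix that was validated above. Cutting at the first ".zip"
        // occurrence would base the ACL lookup on a prefix of the name whenever ".zip" also
        // appears earlier in the content id.
        String snapshotId = contentId.substring(0, contentId.length() - ZIP_SUFFIX.length());
        try {
            String storeId = getStoreId(httpServletRequest);
            String spaceId = SnapshotIdentifier.parseSnapshotId(snapshotId).getSpaceId();
            Map<String, AclType> spaceACLs = getSpaceACLs(storeId, spaceId);
            return hasReadAccess(str, spaceACLs) || groupsHaveReadAccess(list, spaceACLs);
        } catch (ParseException e) {
            // Fail closed: an id that cannot be parsed never grants access.
            this.log.error("unable to parse snapshot metadata content id : {}: {}", contentId, e.getMessage(), e);
            return false;
        }
    }

    /**
     * Tells whether the request's path info fully matches one of the configured exemption
     * patterns.
     *
     * @param httpServletRequest the request to test
     * @return true on the first matching pattern; false if there are no patterns, the request
     *     has no path info, or nothing matches
     */
    private boolean matchesPathExemptions(HttpServletRequest httpServletRequest) {
        if (CollectionUtils.isEmpty(this.pathExemptions)) {
            return false;
        }
        String pathInfo = httpServletRequest.getPathInfo();
        if (pathInfo == null) {
            // getPathInfo() returns null when the URL carries no extra path; treat that as
            // "no exemption" instead of failing with a NullPointerException mid-vote.
            return false;
        }
        for (String pattern : this.pathExemptions) {
            // String.matches requires the whole path to match the pattern.
            if (pathInfo.matches(pattern)) {
                return true;
            }
        }
        return false;
    }
}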
