package org.springframework.security.access.intercept;

import java.util.Collection;
import java.util.HashSet;
import java.util.function.Supplier;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.beans.factory.InitializingBean;
import org.springframework.context.ApplicationEvent;
import org.springframework.context.ApplicationEventPublisher;
import org.springframework.context.ApplicationEventPublisherAware;
import org.springframework.context.MessageSource;
import org.springframework.context.MessageSourceAware;
import org.springframework.context.support.MessageSourceAccessor;
import org.springframework.security.access.AccessDecisionManager;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityMetadataSource;
import org.springframework.security.access.event.AuthenticationCredentialsNotFoundEvent;
import org.springframework.security.access.event.AuthorizationFailureEvent;
import org.springframework.security.access.event.AuthorizedEvent;
import org.springframework.security.access.event.PublicInvocationEvent;
import org.springframework.security.authentication.AuthenticationCredentialsNotFoundException;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.SpringSecurityMessageSource;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.util.Assert;

/* loaded from: input_file:WEB-INF/lib/spring-security-core-5.1.8.RELEASE.jar:org/springframework/security/access/intercept/AbstractSecurityInterceptor.class */
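/**
 * Base class for interceptors that guard a "secure object" (the type returned by
 * {@link #getSecureObjectClass()}).
 *
 * <p>The class offers three hooks: {@link #beforeInvocation(Object)} performs the
 * authentication / authorization / run-as steps and returns a token,
 * {@link #finallyInvocation(InterceptorStatusToken)} restores the security context that a
 * run-as switch replaced, and {@link #afterInvocation(InterceptorStatusToken, Object)} lets an
 * optional {@link AfterInvocationManager} inspect or replace the returned value.
 *
 * <p>Security-relevant defaults visible in this class:
 * <ul>
 * <li>{@code rejectPublicInvocations} is {@code false}: a secure object for which the metadata
 * source returns no attributes is let through without any authentication or authorization
 * check.</li>
 * <li>{@code publishAuthorizationSuccess} is {@code false}, and every event is dropped when no
 * {@link ApplicationEventPublisher} has been injected, so audit listeners see nothing unless
 * the publisher is wired.</li>
 * <li>The default {@link AuthenticationManager} rejects every authentication attempt.</li>
 * </ul>
 *
 * <p>NOTE(review): this listing is decompiler output; the three hook methods are marked by the
 * decompiler as originally {@code protected}.
 */
public abstract class AbstractSecurityInterceptor implements InitializingBean, ApplicationEventPublisherAware, MessageSourceAware {
    // Optional; when null, publishEvent(...) silently does nothing.
    private ApplicationEventPublisher eventPublisher;
    // Mandatory; checked for null in afterPropertiesSet().
    private AccessDecisionManager accessDecisionManager;
    // Optional post-invocation check; null means afterInvocation() returns the value untouched.
    private AfterInvocationManager afterInvocationManager;
    protected final Log logger = LogFactory.getLog(getClass());
    protected MessageSourceAccessor messages = SpringSecurityMessageSource.getAccessor();
    // Default manager refuses to authenticate, so an unauthenticated token fails closed.
    private AuthenticationManager authenticationManager = new NoOpAuthenticationManager();
    private RunAsManager runAsManager = new NullRunAsManager();
    // When true, the current token is passed to the AuthenticationManager on every invocation.
    private boolean alwaysReauthenticate = false;
    // When false (default), objects without configuration attributes are treated as public.
    private boolean rejectPublicInvocations = false;
    // When true (default), afterPropertiesSet() verifies every attribute has a supporting manager.
    private boolean validateConfigAttributes = true;
    // When false (default), no AuthorizedEvent is published for successful decisions.
    private boolean publishAuthorizationSuccess = false;

    /* loaded from: input_file:WEB-INF/lib/spring-security-core-5.1.8.RELEASE.jar:org/springframework/security/access/intercept/AbstractSecurityInterceptor$NoOpAuthenticationManager.class */
    /**
     * Default {@link AuthenticationManager} that never authenticates anything.
     *
     * <p>NOTE(review): the exception message embeds {@code authentication.toString()}; what that
     * string contains depends on the {@link Authentication} implementation, so confirm it does
     * not expose sensitive data where exception messages are logged or returned to clients.
     */
    private static class NoOpAuthenticationManager implements AuthenticationManager {
        private NoOpAuthenticationManager() {
        }

        /**
         * Always fails.
         *
         * @param authentication the token that was offered for authentication
         * @return never returns normally
         * @throws AuthenticationServiceException on every call
         */
        @Override // org.springframework.security.authentication.AuthenticationManager
        public Authentication authenticate(Authentication authentication) throws AuthenticationException {
            throw new AuthenticationServiceException("Cannot authenticate " + authentication);
        }
    }

    /**
     * Validates the interceptor's configuration once its properties have been set.
     *
     * <p>Checks that all mandatory collaborators are present, that each of them supports the
     * secure object class, and (when {@code validateConfigAttributes} is {@code true}) that every
     * configuration attribute exposed by the metadata source is supported by at least one of the
     * run-as, access-decision or after-invocation managers.
     *
     * @throws IllegalArgumentException if a collaborator is missing or does not support the secure
     *         object class (raised by the {@code Assert} calls), or if unsupported configuration
     *         attributes are found
     */
    @Override // org.springframework.beans.factory.InitializingBean
    public void afterPropertiesSet() throws Exception {
        Assert.notNull(getSecureObjectClass(), "Subclass must provide a non-null response to getSecureObjectClass()");
        Assert.notNull(this.messages, "A message source must be set");
        Assert.notNull(this.authenticationManager, "An AuthenticationManager is required");
        Assert.notNull(this.accessDecisionManager, "An AccessDecisionManager is required");
        Assert.notNull(this.runAsManager, "A RunAsManager is required");
        Assert.notNull(obtainSecurityMetadataSource(), "An SecurityMetadataSource is required");
        Assert.isTrue(obtainSecurityMetadataSource().supports(getSecureObjectClass()), (Supplier<String>) () -> {
            return "SecurityMetadataSource does not support secure object class: " + getSecureObjectClass();
        });
        Assert.isTrue(this.runAsManager.supports(getSecureObjectClass()), (Supplier<String>) () -> {
            return "RunAsManager does not support secure object class: " + getSecureObjectClass();
        });
        Assert.isTrue(this.accessDecisionManager.supports(getSecureObjectClass()), (Supplier<String>) () -> {
            return "AccessDecisionManager does not support secure object class: " + getSecureObjectClass();
        });
        if (this.afterInvocationManager != null) {
            Assert.isTrue(this.afterInvocationManager.supports(getSecureObjectClass()), (Supplier<String>) () -> {
                return "AfterInvocationManager does not support secure object class: " + getSecureObjectClass();
            });
        }
        if (!this.validateConfigAttributes) {
            return;
        }
        Collection<ConfigAttribute> allConfigAttributes = obtainSecurityMetadataSource().getAllConfigAttributes();
        if (allConfigAttributes == null) {
            // Validation is skipped, not failed: a typo in an attribute would go unnoticed here.
            this.logger.warn("Could not validate configuration attributes as the SecurityMetadataSource did not return any attributes from getAllConfigAttributes()");
            return;
        }
        // Typed collection instead of the raw HashSet the decompiler emitted.
        Collection<ConfigAttribute> unsupported = new HashSet<>();
        for (ConfigAttribute attribute : allConfigAttributes) {
            boolean supported = this.runAsManager.supports(attribute)
                    || this.accessDecisionManager.supports(attribute)
                    || (this.afterInvocationManager != null && this.afterInvocationManager.supports(attribute));
            if (!supported) {
                unsupported.add(attribute);
            }
        }
        if (!unsupported.isEmpty()) {
            throw new IllegalArgumentException("Unsupported configuration attributes: " + unsupported);
        }
        this.logger.debug("Validated configuration attributes");
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Runs the pre-invocation security checks for a secure object.
     *
     * <p>Steps, in order: type check against {@link #getSecureObjectClass()}; attribute lookup;
     * public-invocation handling; presence check for an {@link Authentication} in the
     * {@link SecurityContextHolder}; (re-)authentication; access decision; optional run-as switch.
     *
     * <p>Security notes:
     * <ul>
     * <li>If the metadata source returns {@code null} or an empty collection and
     * {@code rejectPublicInvocations} is {@code false}, the method returns {@code null} without
     * authenticating or authorizing the caller. An object that is accidentally missing from the
     * metadata source is therefore unprotected unless {@code rejectPublicInvocations} is
     * enabled.</li>
     * <li>When the run-as manager supplies a replacement {@link Authentication}, the current
     * context in {@link SecurityContextHolder} is swapped for a fresh one holding that
     * replacement. The original context is only put back by
     * {@link #finallyInvocation(InterceptorStatusToken)}, so the caller has to invoke that method
     * even when the secure invocation throws; otherwise the run-as identity stays installed.</li>
     * <li>Debug logging concatenates the secure object, its attributes and the
     * {@link Authentication} into log lines. NOTE(review): confirm what those {@code toString()}
     * results contain before enabling debug level in production.</li>
     * </ul>
     *
     * @param obj the secure object about to be invoked; must not be {@code null}
     * @return a token describing the decision, or {@code null} for a public invocation
     * @throws IllegalArgumentException if {@code obj} is {@code null}, is not an instance of the
     *         secure object class, or is public while {@code rejectPublicInvocations} is set
     * @throws AuthenticationCredentialsNotFoundException if no {@link Authentication} is present
     * @throws AccessDeniedException if the access decision manager denies access (rethrown after
     *         an {@link AuthorizationFailureEvent} is published)
     */
    public InterceptorStatusToken beforeInvocation(Object obj) {
        Assert.notNull(obj, "Object was null");
        boolean isDebugEnabled = this.logger.isDebugEnabled();
        if (!getSecureObjectClass().isAssignableFrom(obj.getClass())) {
            throw new IllegalArgumentException("Security invocation attempted for object " + obj.getClass().getName() + " but AbstractSecurityInterceptor only configured to support secure objects of type: " + getSecureObjectClass());
        }
        Collection<ConfigAttribute> attributes = obtainSecurityMetadataSource().getAttributes(obj);
        if (attributes == null || attributes.isEmpty()) {
            if (this.rejectPublicInvocations) {
                throw new IllegalArgumentException("Secure object invocation " + obj + " was denied as public invocations are not allowed via this interceptor. This indicates a configuration error because the rejectPublicInvocations property is set to 'true'");
            }
            if (isDebugEnabled) {
                this.logger.debug("Public object - authentication not attempted");
            }
            publishEvent(new PublicInvocationEvent(obj));
            // Null token: afterInvocation()/finallyInvocation() treat this as "nothing to do".
            return null;
        }
        if (isDebugEnabled) {
            this.logger.debug("Secure object: " + obj + "; Attributes: " + attributes);
        }
        if (SecurityContextHolder.getContext().getAuthentication() == null) {
            // credentialsNotFound(...) always throws, so the code below never sees a null token.
            credentialsNotFound(this.messages.getMessage("AbstractSecurityInterceptor.authenticationNotFound", "An Authentication object was not found in the SecurityContext"), obj, attributes);
        }
        Authentication authenticated = authenticateIfRequired();
        try {
            this.accessDecisionManager.decide(authenticated, obj, attributes);
            if (isDebugEnabled) {
                this.logger.debug("Authorization successful");
            }
            if (this.publishAuthorizationSuccess) {
                publishEvent(new AuthorizedEvent(obj, attributes, authenticated));
            }
            Authentication runAs = this.runAsManager.buildRunAs(authenticated, obj, attributes);
            if (runAs == null) {
                if (isDebugEnabled) {
                    this.logger.debug("RunAsManager did not change Authentication object");
                }
                return new InterceptorStatusToken(SecurityContextHolder.getContext(), false, attributes, obj);
            }
            if (isDebugEnabled) {
                this.logger.debug("Switching to RunAs Authentication: " + runAs);
            }
            // Keep the caller's context in the token so finallyInvocation() can restore it.
            SecurityContext originalContext = SecurityContextHolder.getContext();
            SecurityContextHolder.setContext(SecurityContextHolder.createEmptyContext());
            SecurityContextHolder.getContext().setAuthentication(runAs);
            return new InterceptorStatusToken(originalContext, true, attributes, obj);
        } catch (AccessDeniedException e) {
            publishEvent(new AuthorizationFailureEvent(obj, attributes, authenticated, e));
            throw e;
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Restores the security context that {@link #beforeInvocation(Object)} replaced for a run-as
     * switch.
     *
     * <p>Does nothing when the token is {@code null} (public invocation) or when no context
     * refresh is required. Because this is the only place the original context is reinstated,
     * callers should reach it on both the normal and the exceptional path of the secure
     * invocation.
     *
     * @param interceptorStatusToken the token returned by {@code beforeInvocation}, may be
     *        {@code null}
     */
    public void finallyInvocation(InterceptorStatusToken interceptorStatusToken) {
        if (interceptorStatusToken == null || !interceptorStatusToken.isContextHolderRefreshRequired()) {
            return;
        }
        if (this.logger.isDebugEnabled()) {
            this.logger.debug("Reverting to original Authentication: " + interceptorStatusToken.getSecurityContext().getAuthentication());
        }
        SecurityContextHolder.setContext(interceptorStatusToken.getSecurityContext());
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Completes the invocation: restores the security context if needed and gives the optional
     * {@link AfterInvocationManager} the chance to veto or replace the returned value.
     *
     * <p>The post-invocation decision is made with the {@link Authentication} stored in the
     * token's saved context, not with whatever is currently in {@link SecurityContextHolder}.
     *
     * @param interceptorStatusToken the token returned by {@code beforeInvocation}; {@code null}
     *        for a public invocation, in which case {@code obj} is returned unchanged
     * @param obj the value returned by the secure invocation
     * @return the value to hand back to the caller, possibly replaced by the
     *         {@link AfterInvocationManager}
     * @throws AccessDeniedException if the after-invocation decision denies access (rethrown
     *         after an {@link AuthorizationFailureEvent} is published)
     */
    public Object afterInvocation(InterceptorStatusToken interceptorStatusToken, Object obj) {
        if (interceptorStatusToken == null) {
            return obj;
        }
        finallyInvocation(interceptorStatusToken);
        if (this.afterInvocationManager == null) {
            return obj;
        }
        try {
            return this.afterInvocationManager.decide(interceptorStatusToken.getSecurityContext().getAuthentication(), interceptorStatusToken.getSecureObject(), interceptorStatusToken.getAttributes(), obj);
        } catch (AccessDeniedException e) {
            publishEvent(new AuthorizationFailureEvent(interceptorStatusToken.getSecureObject(), interceptorStatusToken.getAttributes(), interceptorStatusToken.getSecurityContext().getAuthentication(), e));
            throw e;
        }
    }

    /**
     * Returns the {@link Authentication} to use for the access decision.
     *
     * <p>The token already in the {@link SecurityContextHolder} is trusted as-is when it reports
     * {@code isAuthenticated()} and {@code alwaysReauthenticate} is {@code false}; otherwise it
     * is passed to the {@link AuthenticationManager} and the result is written back to the
     * current context. The caller must have verified that the context holds a non-null token.
     *
     * @return the authenticated token
     */
    private Authentication authenticateIfRequired() {
        Authentication current = SecurityContextHolder.getContext().getAuthentication();
        if (current.isAuthenticated() && !this.alwaysReauthenticate) {
            if (this.logger.isDebugEnabled()) {
                this.logger.debug("Previously Authenticated: " + current);
            }
            return current;
        }
        Authentication fresh = this.authenticationManager.authenticate(current);
        if (this.logger.isDebugEnabled()) {
            this.logger.debug("Successfully Authenticated: " + fresh);
        }
        SecurityContextHolder.getContext().setAuthentication(fresh);
        return fresh;
    }

    /**
     * Publishes an {@link AuthenticationCredentialsNotFoundEvent} and then throws the matching
     * exception. This method never returns normally.
     *
     * @param str the exception message
     * @param obj the secure object being invoked
     * @param collection the configuration attributes that apply to {@code obj}
     * @throws AuthenticationCredentialsNotFoundException always
     */
    private void credentialsNotFound(String str, Object obj, Collection<ConfigAttribute> collection) {
        AuthenticationCredentialsNotFoundException notFound = new AuthenticationCredentialsNotFoundException(str);
        publishEvent(new AuthenticationCredentialsNotFoundEvent(obj, collection, notFound));
        throw notFound;
    }

    /** @return the manager that makes the pre-invocation access decision */
    public AccessDecisionManager getAccessDecisionManager() {
        return this.accessDecisionManager;
    }

    /** @return the optional post-invocation manager, or {@code null} if none is configured */
    public AfterInvocationManager getAfterInvocationManager() {
        return this.afterInvocationManager;
    }

    /** @return the manager used when a token has to be (re-)authenticated */
    public AuthenticationManager getAuthenticationManager() {
        return this.authenticationManager;
    }

    /** @return the manager that may supply a replacement identity for the invocation */
    public RunAsManager getRunAsManager() {
        return this.runAsManager;
    }

    /**
     * @return the type of secure object this interceptor accepts; must not be {@code null}
     *         (checked in {@link #afterPropertiesSet()})
     */
    public abstract Class<?> getSecureObjectClass();

    /** @return whether every invocation re-authenticates the current token */
    public boolean isAlwaysReauthenticate() {
        return this.alwaysReauthenticate;
    }

    /** @return whether objects without configuration attributes are rejected */
    public boolean isRejectPublicInvocations() {
        return this.rejectPublicInvocations;
    }

    /** @return whether configuration attributes are validated at start-up */
    public boolean isValidateConfigAttributes() {
        return this.validateConfigAttributes;
    }

    /**
     * @return the source of configuration attributes for secure objects; must not be
     *         {@code null} (checked in {@link #afterPropertiesSet()})
     */
    public abstract SecurityMetadataSource obtainSecurityMetadataSource();

    // The setters below store the value without checking it; null and "supports" checks happen
    // only in afterPropertiesSet(), so a value changed afterwards is not re-validated here.

    /** @param accessDecisionManager the manager that makes the pre-invocation access decision */
    public void setAccessDecisionManager(AccessDecisionManager accessDecisionManager) {
        this.accessDecisionManager = accessDecisionManager;
    }

    /** @param afterInvocationManager the optional post-invocation manager; may be {@code null} */
    public void setAfterInvocationManager(AfterInvocationManager afterInvocationManager) {
        this.afterInvocationManager = afterInvocationManager;
    }

    /**
     * @param z {@code true} to pass the current token to the {@link AuthenticationManager} on
     *        every invocation instead of trusting its {@code isAuthenticated()} flag
     */
    public void setAlwaysReauthenticate(boolean z) {
        this.alwaysReauthenticate = z;
    }

    /**
     * @param applicationEventPublisher the publisher for security events; while it is unset, all
     *        events from this interceptor are discarded
     */
    @Override // org.springframework.context.ApplicationEventPublisherAware
    public void setApplicationEventPublisher(ApplicationEventPublisher applicationEventPublisher) {
        this.eventPublisher = applicationEventPublisher;
    }

    /** @param authenticationManager the manager used for (re-)authentication */
    public void setAuthenticationManager(AuthenticationManager authenticationManager) {
        this.authenticationManager = authenticationManager;
    }

    /** @param messageSource the source used to resolve exception messages */
    @Override // org.springframework.context.MessageSourceAware
    public void setMessageSource(MessageSource messageSource) {
        this.messages = new MessageSourceAccessor(messageSource);
    }

    /** @param z {@code true} to publish an {@link AuthorizedEvent} for each granted decision */
    public void setPublishAuthorizationSuccess(boolean z) {
        this.publishAuthorizationSuccess = z;
    }

    /**
     * @param z {@code true} to fail any invocation whose secure object has no configuration
     *        attributes, instead of letting it through as public
     */
    public void setRejectPublicInvocations(boolean z) {
        this.rejectPublicInvocations = z;
    }

    /** @param runAsManager the manager that may supply a replacement identity */
    public void setRunAsManager(RunAsManager runAsManager) {
        this.runAsManager = runAsManager;
    }

    /** @param z {@code true} to validate configuration attributes in {@link #afterPropertiesSet()} */
    public void setValidateConfigAttributes(boolean z) {
        this.validateConfigAttributes = z;
    }

    /**
     * Forwards an event to the configured publisher. When no publisher is set the event is
     * dropped without any log entry, which also drops authorization-failure events.
     *
     * @param applicationEvent the event to publish
     */
    private void publishEvent(ApplicationEvent applicationEvent) {
        if (this.eventPublisher != null) {
            this.eventPublisher.publishEvent(applicationEvent);
        }
    }
}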
