package com.appiancorp.security.authz;

import com.appiancorp.security.auth.SecurityContext;
import com.appiancorp.security.authz.annotation.RequiresRole;
import com.appiancorp.suiteapi.common.exceptions.AppianRuntimeException;
import com.google.common.collect.ImmutableSet;
import java.lang.reflect.AnnotatedElement;
import java.lang.reflect.Method;
import java.util.Arrays;
import java.util.Set;
import java.util.stream.Collectors;
import org.aopalliance.intercept.MethodInvocation;
import org.springframework.core.annotation.MergedAnnotation;
import org.springframework.core.annotation.MergedAnnotations;
import org.springframework.util.ClassUtils;

/* loaded from: input_file:com/appiancorp/security/authz/AnnotationAuthorizationProvider.class */
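/**
 * {@link AuthorizationProvider} that derives the roles required for a method call from the
 * {@link RequiresRole} annotation found on the invoked method or on its class.
 *
 * <p>Every decision is reported to the injected {@link AuthorizationEventLogger} as allowed,
 * denied or error before control returns to the caller.
 *
 * <p>NOTE(review): {@code isUserAlwaysAllowed}, {@code getAuthorizedUserRolesOrThrow} and
 * {@code SYS_ADMIN_ROLE} are not defined in this class and are presumably inherited from
 * {@link AuthorizationProvider}; their exact semantics are not visible here.
 */
public class AnnotationAuthorizationProvider implements AuthorizationProvider {
    private final AuthorizationEventLogger authorizationEventLogger;

    /**
     * @param authorizationEventLogger sink for the allowed / denied / error audit events
     */
    public AnnotationAuthorizationProvider(AuthorizationEventLogger authorizationEventLogger) {
        this.authorizationEventLogger = authorizationEventLogger;
    }

    /**
     * Authorizes the call and records the outcome.
     *
     * <p>The allowed event is logged inside the {@code try}, so a {@link RuntimeException} thrown
     * by the logger itself is handled like any other error: it is logged and rethrown, and this
     * method does not return normally.
     *
     * @throws AppianRuntimeException wrapping the {@link AuthorizationException} when access is denied
     * @throws RuntimeException any other runtime failure, rethrown unchanged after being logged
     */
    @Override
    public void authorize(Method method, MethodInvocation methodInvocation, SecurityContext securityContext, String str, String str2) {
        try {
            Set<String> authorizedRoles = doAuthorize(method, methodInvocation, securityContext, str2);
            this.authorizationEventLogger.logAllowed(securityContext, str, str2, authorizedRoles);
        } catch (AuthorizationException e) {
            this.authorizationEventLogger.logDenied(securityContext, str, str2, e);
            throw new AppianRuntimeException(e);
        } catch (RuntimeException e2) {
            // Unexpected failures (including a bad cast in the annotation lookup) are audited
            // and propagated rather than being treated as an allow.
            this.authorizationEventLogger.logError(securityContext, str, str2, e2);
            throw e2;
        }
    }

    /**
     * Builds the set of acceptable role names from {@link RequiresRole} and delegates the
     * comparison with the caller's roles to {@code getAuthorizedUserRolesOrThrow}.
     *
     * @return the value returned by {@code getAuthorizedUserRolesOrThrow}, or {@code null} when
     *     {@code isUserAlwaysAllowed} short-circuits the check (the logger receives that
     *     {@code null} as-is)
     * @throws AuthorizationException declared for the delegated role check
     */
    private Set<String> doAuthorize(Method method, MethodInvocation methodInvocation, SecurityContext securityContext, String str) throws AuthorizationException {
        if (isUserAlwaysAllowed(securityContext)) {
            return null;
        }
        Set<String> roles = securityContext.getRoles();
        ImmutableSet.Builder<String> requiredRoles = ImmutableSet.builder();
        RequiresRole requiresRole = getRequiresRoleAnnotation(method, methodInvocation);
        if (requiresRole != null) {
            SystemRole[] value = requiresRole.value();
            if (value != null) {
                requiredRoles.addAll(Arrays.stream(value).map(SystemRole::getName).collect(Collectors.toSet()));
            }
            if (requiresRole.allowForSysAdmins()) {
                requiredRoles.add(AuthorizationProvider.SYS_ADMIN_ROLE);
            }
        }
        // NOTE(review): when no @RequiresRole is found (or it lists no roles and does not allow
        // sys admins) the required set is empty. Whether that denies or allows is decided inside
        // getAuthorizedUserRolesOrThrow, which is not visible here; confirm it fails closed.
        return getAuthorizedUserRolesOrThrow(securityContext, str, roles, requiredRoles.build());
    }

    /**
     * Locates the governing {@link RequiresRole}; the first match wins, searched in this order:
     * <ol>
     *   <li>most specific method on the target class (DIRECT)</li>
     *   <li>target class (DIRECT)</li>
     *   <li>the {@code method} passed in (DIRECT)</li>
     *   <li>declaring class of {@code method} (DIRECT)</li>
     *   <li>most specific method (TYPE_HIERARCHY)</li>
     *   <li>target class (TYPE_HIERARCHY)</li>
     * </ol>
     * Because the search stops at the first hit, an annotation on the concrete method or class
     * replaces, rather than combines with, one declared further up the hierarchy.
     *
     * @return the synthesized annotation, or {@code null} when none of the lookups finds one
     * @throws ClassCastException if {@code methodInvocation} is not a {@code MethodInvocationPJPWrapper}
     */
    private static RequiresRole getRequiresRoleAnnotation(Method method, MethodInvocation methodInvocation) {
        Class<?> targetClass = ((MethodInvocationPJPWrapper) methodInvocation).getPjp().getTarget().getClass();
        Method mostSpecificMethod = ClassUtils.getMostSpecificMethod(method, targetClass);

        RequiresRole found = synthesizeIfPresent(mostSpecificMethod, MergedAnnotations.SearchStrategy.DIRECT);
        if (found != null) {
            return found;
        }
        found = synthesizeIfPresent(targetClass, MergedAnnotations.SearchStrategy.DIRECT);
        if (found != null) {
            return found;
        }
        found = synthesizeIfPresent(method, MergedAnnotations.SearchStrategy.DIRECT);
        if (found != null) {
            return found;
        }
        found = synthesizeIfPresent(method.getDeclaringClass(), MergedAnnotations.SearchStrategy.DIRECT);
        if (found != null) {
            return found;
        }
        found = synthesizeIfPresent(mostSpecificMethod, MergedAnnotations.SearchStrategy.TYPE_HIERARCHY);
        if (found != null) {
            return found;
        }
        return synthesizeIfPresent(targetClass, MergedAnnotations.SearchStrategy.TYPE_HIERARCHY);
    }

    /** Returns the synthesized {@link RequiresRole} for one element/strategy pair, or {@code null} if absent. */
    private static RequiresRole synthesizeIfPresent(AnnotatedElement annotatedElement, MergedAnnotations.SearchStrategy searchStrategy) {
        MergedAnnotation<RequiresRole> merged = getRequiresRoleMergedAnnotation(annotatedElement, searchStrategy);
        return merged.isPresent() ? merged.synthesize() : null;
    }

    /**
     * Looks up {@link RequiresRole} on {@code annotatedElement} using {@code searchStrategy}.
     * The {@code isDirectlyPresent} predicate restricts matches to annotations declared
     * explicitly, so a {@link RequiresRole} that is only meta-present (carried by another
     * annotation) is not picked up by this provider.
     */
    private static MergedAnnotation<RequiresRole> getRequiresRoleMergedAnnotation(AnnotatedElement annotatedElement, MergedAnnotations.SearchStrategy searchStrategy) {
        return MergedAnnotations.from(annotatedElement, searchStrategy).get(RequiresRole.class, MergedAnnotation::isDirectlyPresent);
    }
}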
