package pl.edu.icm.synat.services.security;

import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import org.aopalliance.intercept.MethodInterceptor;
import org.aopalliance.intercept.MethodInvocation;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.aop.framework.ProxyFactory;
import org.springframework.aop.support.AopUtils;
import org.springframework.util.ClassUtils;
import pl.edu.icm.synat.api.services.LocalService;
import pl.edu.icm.synat.api.services.RequiresServiceRole;
import pl.edu.icm.synat.api.services.Service;
import pl.edu.icm.synat.api.services.security.ServiceSecurityContext;
import pl.edu.icm.synat.api.services.security.ServiceUserAuthenticationToken;
import pl.edu.icm.synat.api.services.security.exception.ServiceSecurityException;
import pl.edu.icm.synat.api.services.security.user.ServiceUser;
import pl.edu.icm.synat.api.services.security.user.ServiceUserRole;

/* loaded from: input_file:WEB-INF/lib/synat-platform-connector-1.26.16.jar:pl/edu/icm/synat/services/security/ServiceSecurityProxyInterceptor.class */
public class ServiceSecurityProxyInterceptor implements MethodInterceptor {
    private static Logger logger = LoggerFactory.getLogger(ServiceSecurityProxyInterceptor.class);
    private Service service;
    private ServiceSecurityContext serviceSecurityContext;

    public ServiceSecurityProxyInterceptor(Service service, ServiceSecurityContext serviceSecurityContext) {
        this.service = service;
        this.serviceSecurityContext = serviceSecurityContext;
    }

    public LocalService createProxy() {
        ProxyFactory proxyFactory = new ProxyFactory();
        proxyFactory.setInterfaces(ClassUtils.getAllInterfaces(this.service));
        proxyFactory.addAdvice(this);
        return (LocalService) proxyFactory.getProxy(this.service.getClass().getClassLoader());
    }

    @Override // org.aopalliance.intercept.MethodInterceptor
    public Object invoke(MethodInvocation methodInvocation) throws Throwable {
        try {
            if (logger.isTraceEnabled()) {
                logger.trace("secured executing method " + methodInvocation.getMethod().getName() + " in service " + this.service.getServiceId());
            }
            Method method = methodInvocation.getMethod();
            checkUserAccessToMethod(method);
            return method.getDeclaringClass().isInstance(this.service) ? method.invoke(this.service, methodInvocation.getArguments()) : this.service.getClass().getMethod(method.getName(), method.getParameterTypes()).invoke(this.service, methodInvocation.getArguments());
        } catch (IllegalAccessException e) {
            throw new IllegalStateException("Could not access method [" + methodInvocation.getMethod().getName() + "] of SynatService [" + this.service.getServiceId() + "]", e);
        } catch (InvocationTargetException e2) {
            Throwable targetException = e2.getTargetException();
            if (logger.isTraceEnabled()) {
                logger.trace("Method of Synat Service [" + this.service.getServiceId() + "] threw exception", targetException);
            }
            throw targetException;
        }
    }

    protected void checkUserAccessToMethod(Method method) throws NoSuchMethodException, ServiceSecurityException {
        String requiredServiceRoleName;
        if (this.serviceSecurityContext.isSecurityEnabled() && (requiredServiceRoleName = getRequiredServiceRoleName(AopUtils.getTargetClass(this.service).getMethod(method.getName(), method.getParameterTypes()))) != null) {
            ServiceUser serviceUser = getServiceUser();
            if (!getServiceUserRolesNames(serviceUser, this.service.getServiceId()).contains(requiredServiceRoleName)) {
                throw new ServiceSecurityException("User '{}' has no access to method '{}' in service of ID '{}'. Service method requires role '{}'.", serviceUser.getUsername(), method.toString(), this.service.getServiceId(), requiredServiceRoleName);
            }
        }
    }

    private String getRequiredServiceRoleName(Method method) {
        RequiresServiceRole requiresServiceRole = (RequiresServiceRole) method.getAnnotation(RequiresServiceRole.class);
        String str = null;
        if (requiresServiceRole != null) {
            str = requiresServiceRole.roleName();
        }
        return str;
    }

    private Set<String> getServiceUserRolesNames(ServiceUser serviceUser, String str) {
        Set<ServiceUserRole> roles = serviceUser.getRoles();
        if (roles == null) {
            return Collections.emptySet();
        }
        HashSet hashSet = new HashSet();
        for (ServiceUserRole serviceUserRole : roles) {
            if (str.equals(serviceUserRole.getServiceId())) {
                hashSet.add(serviceUserRole.getRoleName());
            }
        }
        return hashSet;
    }

    protected ServiceUser getServiceUser() throws ServiceSecurityException {
        ServiceUserAuthenticationToken token = this.serviceSecurityContext.getToken();
        if (token != null) {
            return token.getServiceUser();
        }
        throw new ServiceSecurityException("Service user authentication token from security context is null.", new Object[0]);
    }
}
