package de.codecamp.vaadin.security.spring.access.endpoint;

import com.vaadin.flow.server.auth.AccessAnnotationChecker;
import com.vaadin.flow.server.connect.auth.CsrfChecker;
import com.vaadin.flow.server.connect.auth.VaadinConnectAccessChecker;
import de.codecamp.vaadin.security.spring.access.AccessEvaluator;
import de.codecamp.vaadin.security.spring.access.AccessRule;
import de.codecamp.vaadin.security.spring.access.SecuredAccess;
import de.codecamp.vaadin.security.spring.access.VaadinSecurity;
import java.lang.reflect.Method;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import javax.servlet.http.HttpServletRequest;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.web.context.support.WebApplicationContextUtils;

/* loaded from: input_file:de/codecamp/vaadin/security/spring/access/endpoint/EndpointAccessChecker.class */
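/**
 * Endpoint access checker that applies {@link SecuredAccess} rules to Vaadin endpoint methods.
 *
 * <p>Each call to {@link #check(Method, HttpServletRequest)} first validates the CSRF token. It
 * then looks up the {@link AccessRule} derived from a {@link SecuredAccess} annotation. When no
 * rule is found, the decision is delegated to {@link VaadinConnectAccessChecker}.
 *
 * <p>Thread-safety: the rule cache is a {@link ConcurrentMap}; no other mutable state is held
 * by this class itself.
 */
public class EndpointAccessChecker extends VaadinConnectAccessChecker {
    private static final Logger LOG = LoggerFactory.getLogger(EndpointAccessChecker.class);

    /** Value returned by {@link #check(Method, HttpServletRequest)} whenever access is refused. */
    private static final String ACCESS_DENIED = "Access denied";

    /** Same instance that is handed to the superclass; kept so it can be used directly here. */
    private final CsrfChecker csrfChecker;

    /**
     * Rules resolved per endpoint method. Only methods that carry a rule are stored; entries are
     * never evicted.
     */
    private final ConcurrentMap<Method, AccessRule> accessRuleCache = new ConcurrentHashMap<>();

    /**
     * Creates the checker.
     *
     * @param accessAnnotationChecker passed through to the superclass
     * @param csrfChecker passed through to the superclass and also used directly by this class
     */
    public EndpointAccessChecker(AccessAnnotationChecker accessAnnotationChecker, CsrfChecker csrfChecker) {
        super(accessAnnotationChecker, csrfChecker);
        this.csrfChecker = csrfChecker;
    }

    /**
     * Switches CSRF protection on or off, both on the {@link CsrfChecker} held by this class and
     * through the superclass.
     *
     * @param z {@code true} to enable CSRF protection, {@code false} to disable it
     */
    @Override
    public void enableCsrf(boolean z) {
        this.csrfChecker.setCsrfProtection(z);
        super.enableCsrf(z);
    }

    /**
     * Decides whether the current request may invoke the given endpoint method.
     *
     * <p>Order of checks: CSRF token, then the rule's expression (if any), then the rule's
     * evaluator bean (if any, and only when the expression did not already deny access).
     *
     * @param method the endpoint method being invoked
     * @param httpServletRequest the request carrying the invocation
     * @return {@code null} when access is granted, otherwise an error message; for a method
     *     without a rule, whatever the superclass check returns
     */
    @Override
    public String check(Method method, HttpServletRequest httpServletRequest) {
        // Resolved once; every log statement below reports the same three values.
        String simpleName = method.getDeclaringClass().getSimpleName();
        String methodName = method.getName();
        String className = method.getDeclaringClass().getName();

        LOG.trace("Checking access to endpoint method '{} # {}(...)' in {}.", simpleName, methodName, className);

        // CSRF is validated before any rule lookup so a forged request never reaches rule evaluation.
        if (!this.csrfChecker.validateCsrfTokenInRequest(httpServletRequest)) {
            LOG.debug("Access denied to endpoint method '{} # {}(...)' in {}: CSRF validation failed.", simpleName, methodName, className);
            return ACCESS_DENIED;
        }

        // ConcurrentHashMap records no mapping when the function returns null, so methods without
        // a rule are looked up again on every call instead of being cached as "no rule".
        AccessRule rule = this.accessRuleCache.computeIfAbsent(method, key -> {
            return (AccessRule) EndpointAccessContext.findAnnotation(key, SecuredAccess.class).map(AccessRule::asCopyOf).orElse(null);
        });
        if (rule == null) {
            LOG.debug("Delegating to Vaadin's default access control for endpoint method '{} # {}(...)' in {}.", simpleName, methodName, className);
            return super.check(method, httpServletRequest);
        }

        // NOTE(review): a rule that has neither an expression nor an evaluator leaves 'granted'
        // at true, i.e. the method is open to every caller that passes the CSRF check. Confirm
        // that AccessRule cannot be built in that state, or deny by default here.
        boolean granted = rule.expression() == null || VaadinSecurity.hasAccess(rule.expression());
        if (granted && rule.evaluator() != null) {
            // getRequiredWebApplicationContext and getBean throw when the context or the bean is
            // missing; the exception propagates instead of being turned into a grant.
            AccessEvaluator evaluator = (AccessEvaluator) WebApplicationContextUtils
                    .getRequiredWebApplicationContext(httpServletRequest.getServletContext())
                    .getBean(rule.evaluator());
            granted = evaluator.hasAccess(new EndpointAccessContext(method, httpServletRequest));
        }

        if (granted) {
            LOG.debug("Access granted to endpoint method '{} # {}(...)' in {}.", simpleName, methodName, className);
            return null;
        }
        LOG.debug("Access denied to endpoint method '{} # {}(...)' in {}.", simpleName, methodName, className);
        return ACCESS_DENIED;
    }
}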
