package com.vaadin.flow.server.auth;

import com.vaadin.flow.component.Component;
import com.vaadin.flow.router.AccessDeniedException;
import com.vaadin.flow.router.BeforeEnterEvent;
import com.vaadin.flow.router.BeforeEnterListener;
import com.vaadin.flow.router.Location;
import com.vaadin.flow.router.NotFoundException;
import com.vaadin.flow.router.RouteParameters;
import com.vaadin.flow.router.internal.PathUtil;
import com.vaadin.flow.server.Constants;
import com.vaadin.flow.server.HandlerHelper;
import com.vaadin.flow.server.VaadinRequest;
import com.vaadin.flow.server.VaadinService;
import com.vaadin.flow.server.VaadinServletRequest;
import com.vaadin.flow.server.WrappedSession;
import java.lang.reflect.AnnotatedElement;
import java.security.Principal;
import java.util.Collection;
import java.util.List;
import java.util.Objects;
import java.util.function.Predicate;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/flow-server-24.8-SNAPSHOT.jar:com/vaadin/flow/server/auth/NavigationAccessControl.class */
public class NavigationAccessControl implements BeforeEnterListener {
    public static final String SESSION_STORED_REDIRECT = NavigationAccessControl.class.getName() + ".redirect";
    public static final String SESSION_STORED_REDIRECT_ABSOLUTE = NavigationAccessControl.class.getName() + ".redirectAbsolute";
    private final List<NavigationAccessChecker> checkerList;
    private final AccessCheckDecisionResolver decisionResolver;
    private Class<? extends Component> loginView;
    private String loginUrl;
    private boolean enabled;

    public NavigationAccessControl() {
        this(List.of(new AnnotatedViewAccessChecker()));
    }

    public NavigationAccessControl(Collection<NavigationAccessChecker> collection, AccessCheckDecisionResolver accessCheckDecisionResolver) {
        this.enabled = true;
        this.decisionResolver = (AccessCheckDecisionResolver) Objects.requireNonNull(accessCheckDecisionResolver, "decision resolver must not be null");
        this.checkerList = List.copyOf(collection);
    }

    protected NavigationAccessControl(Collection<NavigationAccessChecker> collection) {
        this(collection, new DefaultAccessCheckDecisionResolver());
    }

    public final void setEnabled(boolean z) {
        this.enabled = z;
    }

    public final boolean isEnabled() {
        return this.enabled;
    }

    public final void setLoginView(Class<? extends Component> cls) {
        if (cls == this.loginView) {
            return;
        }
        throwIfLoginViewSet();
        this.loginView = cls;
    }

    protected Class<? extends Component> getLoginView() {
        return this.loginView;
    }

    public void setLoginView(String str) {
        if (Objects.equals(str, this.loginUrl)) {
            return;
        }
        throwIfLoginViewSet();
        this.loginUrl = str;
    }

    protected String getLoginUrl() {
        return this.loginUrl;
    }

    private void throwIfLoginViewSet() {
        if (this.loginUrl != null) {
            throw new IllegalStateException("Already using " + this.loginUrl + " as the login view");
        }
        if (this.loginView != null) {
            throw new IllegalStateException("Already using " + this.loginView.getName() + " as the login view");
        }
    }

    @Override // com.vaadin.flow.router.internal.BeforeEnterHandler
    public void beforeEnter(BeforeEnterEvent beforeEnterEvent) {
        VaadinRequest current = VaadinRequest.getCurrent();
        NavigationContext navigationContext = new NavigationContext(beforeEnterEvent, getPrincipal(current), getRolesChecker(current));
        AccessCheckResult checkAccess = checkAccess(navigationContext, isProductionMode(beforeEnterEvent));
        if (checkAccess.decision() != AccessCheckDecision.ALLOW) {
            if (navigationContext.getPrincipal() != null) {
                beforeEnterEvent.rerouteToError(getAccessDeniedException(AccessAnnotationChecker.securityTarget(beforeEnterEvent.getNavigationTarget())), checkAccess.reason());
                return;
            }
            storeRedirectURL(beforeEnterEvent, current);
            if (this.loginView != null) {
                beforeEnterEvent.forwardTo(this.loginView, true);
            } else if (this.loginUrl != null) {
                beforeEnterEvent.forwardToUrl(this.loginUrl);
            } else {
                beforeEnterEvent.rerouteToError(NotFoundException.class, checkAccess.reason());
            }
        }
    }

    public AccessCheckResult checkAccess(NavigationContext navigationContext, boolean z) {
        Class<?> navigationTarget = navigationContext.getNavigationTarget();
        if (!this.enabled) {
            getLogger().trace("Navigation to view {} allowed because navigation access control is disable", navigationTarget.getName());
            return navigationContext.allow();
        }
        if (this.checkerList.isEmpty()) {
            getLogger().debug("Navigation to view {} allowed because there are no navigation checkers configured", navigationTarget.getName());
            return navigationContext.allow();
        }
        getLogger().debug("Checking access for view {}", navigationTarget.getName());
        if (this.loginView != null && navigationTarget == this.loginView) {
            getLogger().debug("Allowing access for login view {}", navigationTarget.getName());
            return navigationContext.allow();
        }
        if (this.loginUrl != null && PathUtil.trimPath(this.loginUrl).equals(navigationContext.getLocation().getPath())) {
            getLogger().debug("Allowing access for login URL {}", this.loginUrl);
            return AccessCheckResult.allow();
        }
        List<AccessCheckResult> list = this.checkerList.stream().map(navigationAccessChecker -> {
            return navigationAccessChecker.check(navigationContext);
        }).toList();
        AccessCheckResult resolve = this.decisionResolver.resolve(list, navigationContext);
        getLogger().debug("Decision against {} checker results: {}", Integer.valueOf(list.size()), resolve);
        if (resolve.decision() == AccessCheckDecision.REJECT && !z) {
            throw new IllegalStateException(resolve.reason());
        }
        if (z) {
            resolve = new AccessCheckResult(resolve.decision(), "");
        }
        return resolve;
    }

    protected Principal getPrincipal(VaadinRequest vaadinRequest) {
        if (vaadinRequest == null) {
            return null;
        }
        return vaadinRequest.getUserPrincipal();
    }

    protected Predicate<String> getRolesChecker(VaadinRequest vaadinRequest) {
        if (vaadinRequest == null) {
            return str -> {
                return false;
            };
        }
        Objects.requireNonNull(vaadinRequest);
        return vaadinRequest::isUserInRole;
    }

    protected String getRequestURL(VaadinRequest vaadinRequest) {
        if (!(vaadinRequest instanceof VaadinServletRequest)) {
            return "";
        }
        String stringBuffer = ((VaadinServletRequest) vaadinRequest).getRequestURL().toString();
        if (HandlerHelper.isRequestType(vaadinRequest, HandlerHelper.RequestType.PUSH) && stringBuffer.endsWith(Constants.PUSH_MAPPING)) {
            stringBuffer = stringBuffer.substring(0, stringBuffer.indexOf(Constants.PUSH_MAPPING));
        }
        return stringBuffer;
    }

    private void storeRedirectURL(BeforeEnterEvent beforeEnterEvent, VaadinRequest vaadinRequest) {
        WrappedSession wrappedSession = vaadinRequest != null ? vaadinRequest.getWrappedSession() : null;
        if (wrappedSession == null) {
            if (vaadinRequest == null) {
                getLogger().debug("Unable to store redirect in session because no request is available");
            }
        } else {
            String requestURL = getRequestURL(vaadinRequest);
            String pathWithQueryParameters = beforeEnterEvent.getLocation().getPathWithQueryParameters();
            wrappedSession.setAttribute(SESSION_STORED_REDIRECT, pathWithQueryParameters);
            wrappedSession.setAttribute(SESSION_STORED_REDIRECT_ABSOLUTE, requestURL + pathWithQueryParameters);
        }
    }

    protected Class<? extends RuntimeException> getAccessDeniedException(AnnotatedElement annotatedElement) {
        return annotatedElement.isAnnotationPresent(AccessDeniedErrorRouter.class) ? ((AccessDeniedErrorRouter) annotatedElement.getAnnotation(AccessDeniedErrorRouter.class)).rerouteToError() : AccessDeniedException.class;
    }

    private boolean isProductionMode(BeforeEnterEvent beforeEnterEvent) {
        return beforeEnterEvent.getUI().getSession().getConfiguration().isProductionMode();
    }

    private static Logger getLogger() {
        return LoggerFactory.getLogger((Class<?>) NavigationAccessControl.class);
    }

    public boolean hasAccessChecker(Class<? extends NavigationAccessChecker> cls) {
        return this.checkerList.stream().anyMatch(navigationAccessChecker -> {
            return cls.isAssignableFrom(navigationAccessChecker.getClass());
        });
    }

    public NavigationContext createNavigationContext(Class<?> cls, String str, VaadinService vaadinService, VaadinRequest vaadinRequest) {
        Objects.requireNonNull(cls);
        Objects.requireNonNull(str);
        Objects.requireNonNull(vaadinService);
        return new NavigationContext(vaadinService.getRouter(), cls, new Location(str), RouteParameters.empty(), getPrincipal(vaadinRequest), getRolesChecker(vaadinRequest), false);
    }
}
