package org.craftercms.engine.util;

import java.util.Collection;
import java.util.stream.Collectors;
import org.apache.commons.collections4.CollectionUtils;
import org.apache.commons.lang3.StringUtils;
import org.springframework.lang.NonNull;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authentication.AuthenticationCredentialsNotFoundException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;

/* loaded from: input_file:org/craftercms/engine/util/SecurityUtils.class */
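/**
 * Static helpers for role-based access checks against the current Spring Security context.
 *
 * <p>Role names are compared with a leading {@link #ROLE_PREFIX} stripped and without regard to
 * case, so {@code "ROLE_admin"}, {@code "admin"} and {@code "ADMIN"} are treated as the same role.
 * The prefix itself is matched case-sensitively and stripped only once.
 */
public class SecurityUtils {
    /** Pseudo-role which, when present in a required-roles list, makes the resource open to everyone. */
    public static final String ANONYMOUS_PSEUDO_ROLE = "anonymous";
    /** Prefix stripped from role names before they are compared. */
    public static final String ROLE_PREFIX = "ROLE_";
    /** Pseudo-role which, when present in a required-roles list, admits any non-anonymous user. */
    public static final String AUTHENTICATED_PSEUDO_ROLE = "authenticated";
    // Both spellings of each pseudo-role, in the same "name ROLE_name" shape that
    // getAuthorizedRolesMatchValue produces. NOTE(review): the consumer of these values is not
    // in this file; presumably a search filter. Confirm against callers.
    public static final String AUTHENTICATED_PSEUDO_ROLE_SEARCH_VALUE = "authenticated ROLE_authenticated";
    public static final String ANONYMOUS_PSEUDO_ROLE_SEARCH_VALUE = "anonymous ROLE_anonymous";

    private SecurityUtils() {
    }

    /**
     * Builds a space-separated string that lists every authority in both its prefixed and its
     * unprefixed form, e.g. {@code "ROLE_admin admin"} or {@code "editor ROLE_editor"}.
     *
     * @param collection the granted authorities to render; must not be {@code null}
     * @return the joined match value, or an empty string for an empty collection
     */
    public static String getAuthorizedRolesMatchValue(@NonNull Collection<? extends GrantedAuthority> collection) {
        return collection.stream()
            .map(GrantedAuthority::getAuthority)
            .map(authority -> {
                // Emit the authority as given, followed by its other spelling.
                String otherForm = StringUtils.startsWith(authority, ROLE_PREFIX)
                    ? StringUtils.removeStart(authority, ROLE_PREFIX)
                    : StringUtils.prependIfMissing(authority, ROLE_PREFIX);
                return authority + " " + otherForm;
            })
            .collect(Collectors.joining(" "));
    }

    /**
     * Enforces the required roles of a page against the authentication in the current
     * {@link SecurityContextHolder} context.
     *
     * <p>Decision order:
     * <ol>
     *   <li>A {@code null} or empty role list, or one containing the anonymous pseudo-role,
     *       grants access to everyone. An unconfigured page is therefore public.</li>
     *   <li>Otherwise a missing authentication or an {@link AnonymousAuthenticationToken} is
     *       rejected as unauthenticated.</li>
     *   <li>Otherwise access is granted if the list contains the authenticated pseudo-role or
     *       the user holds at least one of the listed roles.</li>
     * </ol>
     *
     * <p>The exception messages embed the user name and the {@code str} value; treat them as
     * diagnostics rather than text to show to the requester.
     *
     * @param collection the roles allowed to view the page; may be {@code null} or empty
     * @param str        identifier of the page, used only in the exception messages
     * @throws AuthenticationException if the page requires authentication and the user is anonymous
     * @throws AccessDeniedException   if the user is authenticated but holds none of the roles
     */
    public static void checkAccess(Collection<String> collection, String str) throws AccessDeniedException, AuthenticationException {
        SecurityContext context = SecurityContextHolder.getContext();
        Authentication authentication = context != null ? context.getAuthentication() : null;

        // No restriction configured, or explicitly open to anonymous users.
        if (CollectionUtils.isEmpty(collection) || containsRole(ANONYMOUS_PSEUDO_ROLE, collection)) {
            return;
        }
        if (authentication == null || authentication instanceof AnonymousAuthenticationToken) {
            throw new AuthenticationCredentialsNotFoundException(String.format("User is anonymous but page '%s' requires authentication", str));
        }
        boolean anyAuthenticatedUserAllowed = containsRole(AUTHENTICATED_PSEUDO_ROLE, collection);
        if (!anyAuthenticatedUserAllowed && !hasAnyRole(authentication, collection)) {
            throw new AccessDeniedException(String.format("User '%s' is not authorized to view page '%s'", authentication.getName(), str));
        }
    }

    /**
     * Tells whether {@code collection} contains {@code str}, ignoring case and a leading
     * {@link #ROLE_PREFIX} on the collection's entries.
     *
     * <p>A {@code null} role, a {@code null} collection and {@code null} entries never match, so
     * malformed role configuration results in "no match" (access denied by the caller) instead
     * of a {@link NullPointerException} in the middle of an access decision.
     *
     * @param str        the role to look for, expected without the prefix
     * @param collection the role names to search
     * @return {@code true} if some entry equals {@code str} after prefix removal, ignoring case
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public static boolean containsRole(String str, Collection<String> collection) {
        if (str == null || collection == null) {
            return false;
        }
        return collection.stream()
            .map(candidate -> StringUtils.removeStart(candidate, ROLE_PREFIX))
            // removeStart returns null for a null entry; skip it rather than dereference it.
            .anyMatch(candidate -> candidate != null && candidate.equalsIgnoreCase(str));
    }

    /**
     * Tells whether the authenticated user holds at least one of the given roles.
     *
     * @param authentication the user's authentication; must not be {@code null}
     * @param collection     the role names to test against
     * @return {@code true} if any granted authority, with {@link #ROLE_PREFIX} removed, is
     *         contained in {@code collection} according to {@link #containsRole}
     */
    protected static boolean hasAnyRole(Authentication authentication, Collection<String> collection) {
        return authentication.getAuthorities().stream()
            .map(GrantedAuthority::getAuthority)
            .map(authority -> StringUtils.removeStart(authority, ROLE_PREFIX))
            .anyMatch(role -> containsRole(role, collection));
    }
}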
