package org.craftercms.engine.security;

import java.util.Iterator;
import java.util.List;
import org.apache.commons.collections.CollectionUtils;
import org.craftercms.engine.model.SiteItem;
import org.craftercms.security.annotations.RunIfSecurityEnabled;
import org.craftercms.security.api.RequestContext;
import org.craftercms.security.api.UserProfile;
import org.craftercms.security.exception.AccessDeniedException;
import org.craftercms.security.exception.AuthenticationRequiredException;
import org.springframework.beans.factory.annotation.Required;

/* loaded from: input_file:org/craftercms/engine/security/CrafterPageAccessManager.class */
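/**
 * Decides whether the current request may view a page, based on the roles listed in the
 * page's descriptor.
 *
 * <p>The authorized roles are read from the page descriptor with
 * {@link #authorizedRolesXPathQuery}. Two role values are treated specially by
 * {@link #checkAccess(SiteItem)}: {@code "anonymous"} opens the page to everyone, and
 * {@code "Authenticated"} admits any non-anonymous profile. All role comparisons done by
 * {@link #containsRole(String, List)} are exact and case-sensitive.
 *
 * <p>Security note: the role list is content-controlled. Anyone who can edit the descriptor
 * field selected by the XPath query can change who is allowed to see the page, so write access
 * to descriptors should be restricted accordingly.
 */
public class CrafterPageAccessManager {
    /** Descriptor role value that marks a page as viewable without authentication. */
    private static final String ROLE_ANONYMOUS = "anonymous";

    /** Descriptor role value that admits any authenticated (non-anonymous) user. */
    private static final String ROLE_AUTHENTICATED = "Authenticated";

    /** XPath query evaluated against the page descriptor to obtain the authorized roles. */
    protected String authorizedRolesXPathQuery;

    /**
     * Sets the XPath query used to read the authorized roles from a page descriptor.
     *
     * @param str the XPath query
     */
    @Required
    public void setAuthorizedRolesXPathQuery(String str) {
        this.authorizedRolesXPathQuery = str;
    }

    /**
     * Verifies that the profile bound to the current request may view the given page.
     *
     * <p>A page with no authorized roles, or one that lists {@code "anonymous"}, is public and
     * always passes. For any other page the check fails closed: when no profile can be resolved
     * from the current {@link RequestContext} (no context, no authentication token, or no
     * profile on the token), the caller is treated as anonymous and authentication is demanded.
     * Previously such a request was let through, which meant that any code path reaching this
     * method without a populated security context bypassed the page restriction entirely.
     *
     * <p>NOTE(review): {@code @RunIfSecurityEnabled} presumably skips this method when security
     * is disabled; confirm against the aspect that handles the annotation.
     *
     * @param siteItem the page being requested
     * @throws AuthenticationRequiredException if the page is restricted and the caller is
     *         anonymous or has no resolvable profile
     * @throws AccessDeniedException if the caller is authenticated but holds none of the
     *         authorized roles
     */
    @RunIfSecurityEnabled
    public void checkAccess(SiteItem siteItem) throws AuthenticationRequiredException, AccessDeniedException {
        List<String> authorizedRolesForPage = getAuthorizedRolesForPage(siteItem);

        // Public page: nothing to enforce, regardless of who (if anyone) is logged in.
        if (CollectionUtils.isEmpty(authorizedRolesForPage) || containsRole(ROLE_ANONYMOUS, authorizedRolesForPage)) {
            return;
        }

        String storeUrl = siteItem.getStoreUrl();
        UserProfile profile = resolveCurrentProfile();

        // Fail closed: a missing profile on a restricted page is handled like an anonymous user.
        if (profile == null || profile.isAnonymous()) {
            throw new AuthenticationRequiredException("User is anonymous but page '" + storeUrl + "' requires authentication");
        }

        if (!containsRole(ROLE_AUTHENTICATED, authorizedRolesForPage) && !profile.hasAnyRole(authorizedRolesForPage)) {
            // The message carries the user name and the store URL; keep it out of responses
            // shown to the client and use it for server-side logging only.
            throw new AccessDeniedException("User '" + profile.getUserName() + "' is not authorized to view page '" + storeUrl + "'");
        }
    }

    /**
     * Reads the roles allowed to view the page from its descriptor.
     *
     * @param siteItem the page whose descriptor is queried
     * @return the values selected by {@link #authorizedRolesXPathQuery}, as returned by the
     *         descriptor query
     */
    protected List<String> getAuthorizedRolesForPage(SiteItem siteItem) {
        return siteItem.getItem().queryDescriptorValues(this.authorizedRolesXPathQuery);
    }

    /**
     * Tells whether a role list contains the given role, using an exact, case-sensitive match.
     *
     * <p>Null-safe: a {@code null} role, a {@code null} list or {@code null} list entries never
     * match and never raise an exception, so a malformed descriptor value cannot turn an
     * authorization check into a {@link NullPointerException}.
     *
     * @param str the role to look for
     * @param list the roles to search
     * @return {@code true} if {@code list} holds an entry equal to {@code str}
     */
    protected boolean containsRole(String str, List<String> list) {
        if (str == null || list == null) {
            return false;
        }
        for (String role : list) {
            if (str.equals(role)) {
                return true;
            }
        }
        return false;
    }

    /** Returns the profile bound to the current request, or {@code null} if none is available. */
    private UserProfile resolveCurrentProfile() {
        RequestContext current = RequestContext.getCurrent();
        if (current == null || current.getAuthenticationToken() == null) {
            return null;
        }
        return current.getAuthenticationToken().getProfile();
    }
}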
