package org.opensaml.profile.logic;

import com.google.common.base.Predicate;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import javax.servlet.ServletRequest;
import net.shibboleth.utilities.java.support.annotation.ParameterName;
import net.shibboleth.utilities.java.support.component.AbstractIdentifiableInitializableComponent;
import net.shibboleth.utilities.java.support.logic.Constraint;
import net.shibboleth.utilities.java.support.security.AccessControl;
import org.hsqldb.Tokens;
import org.opensaml.profile.context.AccessControlContext;
import org.opensaml.profile.context.ProfileRequestContext;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:lib/opensaml-profile-api-3.4.6.jar:org/opensaml/profile/logic/PredicateAccessControl.class */
public class PredicateAccessControl extends AbstractIdentifiableInitializableComponent implements AccessControl {

    @Nonnull
    private final Logger log = LoggerFactory.getLogger((Class<?>) PredicateAccessControl.class);

    @Nonnull
    private final Predicate<ProfileRequestContext> predicate;

    public PredicateAccessControl(@Nonnull @ParameterName(name = "condition") Predicate<ProfileRequestContext> predicate) {
        this.predicate = (Predicate) Constraint.isNotNull(predicate, "Predicate cannot be null");
    }

    @Override // net.shibboleth.utilities.java.support.security.AccessControl
    public boolean checkAccess(@Nonnull ServletRequest servletRequest, @Nullable String str, @Nullable String str2) {
        Constraint.isNotNull(servletRequest, "ServletRequest cannot be null");
        Object attribute = servletRequest.getAttribute(ProfileRequestContext.BINDING_KEY);
        if (attribute == null || !(attribute instanceof ProfileRequestContext)) {
            this.log.warn("{} Denied request based on predicate, missing ProfileRequestContext (Operation: {}, Resource: {})", getLogPrefix(), str, str2);
            return false;
        }
        ProfileRequestContext profileRequestContext = (ProfileRequestContext) attribute;
        AccessControlContext accessControlContext = (AccessControlContext) profileRequestContext.getSubcontext(AccessControlContext.class, true);
        accessControlContext.setOperation(str);
        accessControlContext.setResource(str2);
        if (this.predicate.apply(profileRequestContext)) {
            profileRequestContext.removeSubcontext(accessControlContext);
            this.log.debug("{} Granted access based on predicate (Operation: {}, Resource: {})", getLogPrefix(), str, str2);
            return true;
        }
        profileRequestContext.removeSubcontext(accessControlContext);
        this.log.warn("{} Denied request based on predicate (Operation: {}, Resource: {})", getLogPrefix(), str, str2);
        return false;
    }

    @Nonnull
    private String getLogPrefix() {
        return "Policy " + getId() + Tokens.T_COLON;
    }
}
