package org.springframework.security.authorization.method;

import java.lang.reflect.Method;
import java.util.function.Function;
import java.util.function.Supplier;
import kotlinx.coroutines.reactive.ReactiveFlowKt;
import org.aopalliance.aop.Advice;
import org.aopalliance.intercept.MethodInvocation;
import org.reactivestreams.Publisher;
import org.springframework.aop.Pointcut;
import org.springframework.core.KotlinDetector;
import org.springframework.core.MethodParameter;
import org.springframework.core.ReactiveAdapter;
import org.springframework.core.ReactiveAdapterRegistry;
import org.springframework.security.access.prepost.PostAuthorize;
import org.springframework.security.authorization.AuthorizationDecision;
import org.springframework.security.authorization.AuthorizationDeniedException;
import org.springframework.security.authorization.AuthorizationResult;
import org.springframework.security.authorization.ReactiveAuthorizationManager;
import org.springframework.security.core.Authentication;
import org.springframework.util.Assert;
import reactor.core.publisher.Flux;
import reactor.core.publisher.Mono;

/* loaded from: input_file:BOOT-INF/lib/spring-security-core-6.3.0.jar:org/springframework/security/authorization/method/AuthorizationManagerAfterReactiveMethodInterceptor.class */
public final class AuthorizationManagerAfterReactiveMethodInterceptor implements AuthorizationAdvisor {
    private static final String COROUTINES_FLOW_CLASS_NAME = "kotlinx.coroutines.flow.Flow";
    private static final int RETURN_TYPE_METHOD_PARAMETER_INDEX = -1;
    private final Pointcut pointcut;
    private final ReactiveAuthorizationManager<MethodInvocationResult> authorizationManager;
    private int order = AuthorizationInterceptorsOrder.LAST.getOrder();
    private final MethodAuthorizationDeniedHandler defaultHandler = new ThrowingMethodAuthorizationDeniedHandler();

    /* loaded from: input_file:BOOT-INF/lib/spring-security-core-6.3.0.jar:org/springframework/security/authorization/method/AuthorizationManagerAfterReactiveMethodInterceptor$KotlinDelegate.class */
    private static class KotlinDelegate {
        private KotlinDelegate() {
        }

        private static Object asFlow(Publisher<?> publisher) {
            return ReactiveFlowKt.asFlow(publisher);
        }
    }

    public static AuthorizationManagerAfterReactiveMethodInterceptor postAuthorize() {
        return postAuthorize(new PostAuthorizeReactiveAuthorizationManager());
    }

    public static AuthorizationManagerAfterReactiveMethodInterceptor postAuthorize(ReactiveAuthorizationManager<MethodInvocationResult> reactiveAuthorizationManager) {
        AuthorizationManagerAfterReactiveMethodInterceptor authorizationManagerAfterReactiveMethodInterceptor = new AuthorizationManagerAfterReactiveMethodInterceptor(AuthorizationMethodPointcuts.forAnnotations(PostAuthorize.class), reactiveAuthorizationManager);
        authorizationManagerAfterReactiveMethodInterceptor.setOrder(AuthorizationInterceptorsOrder.POST_AUTHORIZE.getOrder());
        return authorizationManagerAfterReactiveMethodInterceptor;
    }

    public AuthorizationManagerAfterReactiveMethodInterceptor(Pointcut pointcut, ReactiveAuthorizationManager<MethodInvocationResult> reactiveAuthorizationManager) {
        Assert.notNull(pointcut, "pointcut cannot be null");
        Assert.notNull(reactiveAuthorizationManager, "authorizationManager cannot be null");
        this.pointcut = pointcut;
        this.authorizationManager = reactiveAuthorizationManager;
    }

    @Override // org.aopalliance.intercept.MethodInterceptor
    public Object invoke(MethodInvocation methodInvocation) throws Throwable {
        Method method = methodInvocation.getMethod();
        Class<?> returnType = method.getReturnType();
        boolean isSuspendingFunction = KotlinDetector.isSuspendingFunction(method);
        boolean equals = COROUTINES_FLOW_CLASS_NAME.equals(new MethodParameter(method, -1).getParameterType().getName());
        Assert.state(Publisher.class.isAssignableFrom(returnType) || isSuspendingFunction || equals, (Supplier<String>) () -> {
            return "The returnType " + returnType + " on " + method + " must return an instance of org.reactivestreams.Publisher (for example, a Mono or Flux) or the function must be a Kotlin coroutine in order to support Reactor Context";
        });
        Mono<Authentication> authentication = ReactiveAuthenticationUtils.getAuthentication();
        Function function = signal -> {
            if (signal.isOnComplete()) {
                return Mono.empty();
            }
            if (!signal.hasError()) {
                return postAuthorize(authentication, methodInvocation, signal.get());
            }
            Throwable throwable = signal.getThrowable();
            return throwable instanceof AuthorizationDeniedException ? postProcess((AuthorizationDeniedException) throwable, methodInvocation) : Mono.error(signal.getThrowable());
        };
        ReactiveAdapter adapter = ReactiveAdapterRegistry.getSharedInstance().getAdapter(returnType);
        if (equals) {
            if (isSuspendingFunction) {
                return Flux.from((Publisher) ReactiveMethodInvocationUtils.proceed(methodInvocation)).materialize().flatMap(function);
            }
            Assert.state(adapter != null, (Supplier<String>) () -> {
                return "The returnType " + returnType + " on " + method + " must have a org.springframework.core.ReactiveAdapter registered";
            });
            return KotlinDelegate.asFlow(Flux.defer(() -> {
                return adapter.toPublisher(ReactiveMethodInvocationUtils.proceed(methodInvocation));
            }).materialize().flatMap(function));
        }
        Publisher publisher = (Publisher) ReactiveMethodInvocationUtils.proceed(methodInvocation);
        if (isMultiValue(returnType, adapter)) {
            Flux flatMap = Flux.from(publisher).materialize().flatMap(function);
            return adapter != null ? adapter.fromPublisher(flatMap) : flatMap;
        }
        Mono flatMap2 = Mono.from(publisher).materialize().flatMap(function);
        return adapter != null ? adapter.fromPublisher(flatMap2) : flatMap2;
    }

    private boolean isMultiValue(Class<?> cls, ReactiveAdapter reactiveAdapter) {
        if (Flux.class.isAssignableFrom(cls)) {
            return true;
        }
        return reactiveAdapter != null && reactiveAdapter.isMultiValue();
    }

    private Mono<Object> postAuthorize(Mono<Authentication> mono, MethodInvocation methodInvocation, Object obj) {
        MethodInvocationResult methodInvocationResult = new MethodInvocationResult(methodInvocation, obj);
        return this.authorizationManager.check(mono, methodInvocationResult).switchIfEmpty(Mono.just(new AuthorizationDecision(false))).flatMap(authorizationDecision -> {
            return postProcess(authorizationDecision, methodInvocationResult);
        });
    }

    private Mono<Object> postProcess(AuthorizationResult authorizationResult, MethodInvocationResult methodInvocationResult) {
        return authorizationResult.isGranted() ? Mono.just(methodInvocationResult.getResult()) : Mono.fromSupplier(() -> {
            ReactiveAuthorizationManager<MethodInvocationResult> reactiveAuthorizationManager = this.authorizationManager;
            return reactiveAuthorizationManager instanceof MethodAuthorizationDeniedHandler ? ((MethodAuthorizationDeniedHandler) reactiveAuthorizationManager).handleDeniedInvocationResult(methodInvocationResult, authorizationResult) : this.defaultHandler.handleDeniedInvocationResult(methodInvocationResult, authorizationResult);
        }).flatMap(obj -> {
            return Mono.class.isAssignableFrom(obj.getClass()) ? (Mono) obj : Mono.justOrEmpty(obj);
        });
    }

    private Mono<Object> postProcess(AuthorizationResult authorizationResult, MethodInvocation methodInvocation) {
        return Mono.fromSupplier(() -> {
            ReactiveAuthorizationManager<MethodInvocationResult> reactiveAuthorizationManager = this.authorizationManager;
            return reactiveAuthorizationManager instanceof MethodAuthorizationDeniedHandler ? ((MethodAuthorizationDeniedHandler) reactiveAuthorizationManager).handleDeniedInvocation(methodInvocation, authorizationResult) : this.defaultHandler.handleDeniedInvocation(methodInvocation, authorizationResult);
        }).flatMap(obj -> {
            return Mono.class.isAssignableFrom(obj.getClass()) ? (Mono) obj : Mono.justOrEmpty(obj);
        });
    }

    @Override // org.springframework.aop.PointcutAdvisor
    public Pointcut getPointcut() {
        return this.pointcut;
    }

    @Override // org.springframework.aop.Advisor
    public Advice getAdvice() {
        return this;
    }

    @Override // org.springframework.aop.Advisor
    public boolean isPerInstance() {
        return true;
    }

    @Override // org.springframework.core.Ordered
    public int getOrder() {
        return this.order;
    }

    public void setOrder(int i) {
        this.order = i;
    }
}
