package com.cloudera.nav.auth;

import com.cloudera.nav.server.NavOptions;
import com.google.common.base.Strings;
import javax.inject.Inject;
import org.springframework.security.access.expression.SecurityExpressionOperations;
import org.springframework.security.authentication.AuthenticationTrustResolver;
import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.FilterInvocation;
import org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler;
import org.springframework.security.web.access.expression.WebSecurityExpressionRoot;

/* loaded from: input_file:com/cloudera/nav/auth/NavWebSecurityExpressionHandler.class */
/**
 * Web security expression handler that builds {@link NavWebSecurityExpression} roots,
 * which add {@link NavWebSecurityExpression#permitAllIfNotSAML()} on top of the stock
 * {@link WebSecurityExpressionRoot} operations.
 *
 * <p>This source is decompiler output; the access modifiers shown may be wider than in
 * the original class (see the notes on the individual members).
 */
public class NavWebSecurityExpressionHandler extends DefaultWebSecurityExpressionHandler {

    // Injected configuration; it is dereferenced every time an expression root is built,
    // so it must be populated before createSecurityExpressionRoot is first called.
    @Inject
    private NavOptions options;

    // Local copy of the trust resolver handed to each new expression root.
    // setTrustResolver keeps it aligned with the superclass's resolver.
    private AuthenticationTrustResolver trustResolver = new AuthenticationTrustResolverImpl();

    /**
     * Expression root that knows whether SAML authentication is in effect.
     *
     * <p>The decompiler reports that this nested class was originally {@code private}.
     */
    public static class NavWebSecurityExpression extends WebSecurityExpressionRoot {
        private final NavOptions options;
        private final boolean isSAML;

        /**
         * Creates the root and records whether SAML is active.
         *
         * <p>SAML counts as active only when the external auth type is SAML and the
         * backend order is anything other than {@code CM_ONLY}.
         *
         * @param authentication the authentication the expressions are evaluated for
         * @param filterInvocation the web invocation being secured
         * @param navOptions configuration to read the auth settings from; dereferenced
         *     here, so a {@code null} value fails with a NullPointerException
         */
        public NavWebSecurityExpression(Authentication authentication, FilterInvocation filterInvocation, NavOptions navOptions) {
            super(authentication, filterInvocation);
            this.options = navOptions;
            final boolean samlSelected = navOptions.getExternalAuthType() == NavOptions.ExternalAuthType.SAML;
            // The backend order is only consulted when SAML is the selected external type.
            this.isSAML = samlSelected && navOptions.getAuthBackendOrder() != NavOptions.AuthBackendOrder.CM_ONLY;
        }

        /**
         * Denies access when SAML is active but no SAML login URL is configured; in every
         * other case the decision is delegated to {@code permitAll()}.
         *
         * <p>Despite the name, an active SAML setup that does have a login URL is also
         * permitted. Only the "SAML active, login URL null or empty" combination is refused.
         *
         * @return {@code false} for SAML without a login URL, otherwise the result of
         *     {@code permitAll()}
         */
        public boolean permitAllIfNotSAML() {
            // The login URL is read unconditionally, including when SAML is not active.
            // NOTE(review): this throws a NullPointerException if getSAMLOptions() can
            // return null for non-SAML configurations; confirm against NavOptions.
            final String samlLoginUrl = this.options.getSAMLOptions().getSamlLoginUrl();
            final boolean loginUrlMissing = Strings.isNullOrEmpty(samlLoginUrl);
            final boolean samlWithoutLoginUrl = this.isSAML && loginUrlMissing;
            return !samlWithoutLoginUrl && permitAll();
        }
    }

    /**
     * Builds the expression root for one web invocation and wires in this handler's
     * permission evaluator, trust resolver and role hierarchy.
     *
     * <p>The decompiler reports that this method was originally {@code protected}.
     *
     * @param authentication the authentication the expressions are evaluated for
     * @param filterInvocation the web invocation being secured
     * @return a fully configured {@link NavWebSecurityExpression}
     */
    public SecurityExpressionOperations createSecurityExpressionRoot(Authentication authentication, FilterInvocation filterInvocation) {
        final NavWebSecurityExpression root = new NavWebSecurityExpression(authentication, filterInvocation, this.options);
        root.setPermissionEvaluator(getPermissionEvaluator());
        root.setTrustResolver(this.trustResolver);
        root.setRoleHierarchy(getRoleHierarchy());
        return root;
    }

    /**
     * Replaces the trust resolver on both this handler and its superclass, so that roots
     * created by {@link #createSecurityExpressionRoot} use the same resolver as the parent.
     *
     * @param authenticationTrustResolver the resolver to use from now on
     */
    public void setTrustResolver(AuthenticationTrustResolver authenticationTrustResolver) {
        // NOTE(review): the local field is assigned before the superclass sees the value.
        // If the superclass rejects it (e.g. null), the two copies would diverge; confirm.
        this.trustResolver = authenticationTrustResolver;
        super.setTrustResolver(authenticationTrustResolver);
    }
}
