package com.supwisdom.institute.backend.gateway.filter;

import com.supwisdom.infras.security.core.userdetails.InfrasUser;
import com.supwisdom.institute.backend.gateway.authn.model.ResourceRoleSet;
import com.supwisdom.institute.backend.gateway.authn.model.Role;
import com.supwisdom.institute.backend.gateway.authn.service.AuthnService;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.cloud.gateway.filter.GatewayFilterChain;
import org.springframework.cloud.gateway.filter.GlobalFilter;
import org.springframework.core.Ordered;
import org.springframework.http.HttpMethod;
import org.springframework.http.server.RequestPath;
import org.springframework.http.server.reactive.ServerHttpRequest;
import org.springframework.scheduling.annotation.Scheduled;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.core.context.ReactiveSecurityContextHolder;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.util.AntPathMatcher;
import org.springframework.util.Assert;
import org.springframework.util.StringUtils;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;

/* loaded from: input_file:BOOT-INF/classes/com/supwisdom/institute/backend/gateway/filter/AccessControlGlobalFilter.class */
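/**
 * Gateway-wide authorization filter: looks up the access rule that matches the incoming request
 * and either forwards the exchange or fails it with {@code RuntimeException("no right")}.
 *
 * <p>Rules are a map from {@link RequestMatcher} to a list of {@link ConfigAttribute}s. An
 * attribute is either an access mode carrying the {@code ACCESS_} prefix or a role code that is
 * compared with the roles of the authenticated {@link InfrasUser}.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>The filter is default-allow: a request that matches no rule, or a rule whose attribute
 *       list is empty (for example a role-based rule with no roles), is forwarded without any
 *       check. Anything that makes a rule fail to match therefore widens access.</li>
 *   <li>The rule table is replaced as a whole on refresh so that no request is evaluated
 *       against an empty or half-built table.</li>
 *   <li>Rules are kept in a {@link ConcurrentHashMap}; when several patterns match one request
 *       the rule that wins is whichever the map iterates first, which is not a defined order.</li>
 * </ul>
 */
public class AccessControlGlobalFilter implements GlobalFilter, Ordered {
    private static final Logger log = LoggerFactory.getLogger(AccessControlGlobalFilter.class);

    /** Prefix that marks a config attribute as an access mode rather than a role code. */
    private static final String ACCESS_PREFIX = "ACCESS_";

    @Autowired
    private AuthnService authnService;

    // Replaced wholesale by refreshRequestMap()/loadRequestMap(); volatile so request threads
    // always observe a fully built table.
    private volatile Map<RequestMatcher, Collection<ConfigAttribute>> requestMap = new ConcurrentHashMap<>();

    /**
     * Matches a request by HTTP method (optional) and an Ant-style path pattern applied to the
     * path within the application.
     */
    public static class AntPathRequestMatcher implements RequestMatcher {
        private static final Logger log = LoggerFactory.getLogger(AntPathRequestMatcher.class);
        private static final String MATCH_ALL = "/**";
        private final Matcher matcher;
        private final String pattern;
        private final HttpMethod httpMethod;
        private final boolean caseSensitive;

        /** Strategy used to compare a request path with the configured pattern. */
        private interface Matcher {
            boolean matches(String str);

            Map<String, String> extractUriTemplateVariables(String str);
        }

        /** General case: delegates to Spring's {@link AntPathMatcher}. */
        private static class SpringAntMatcher implements Matcher {
            private final AntPathMatcher antMatcher;
            private final String pattern;

            private SpringAntMatcher(String str, boolean z) {
                this.pattern = str;
                this.antMatcher = createMatcher(z);
            }

            @Override
            public boolean matches(String str) {
                return this.antMatcher.match(this.pattern, str);
            }

            @Override
            public Map<String, String> extractUriTemplateVariables(String str) {
                return this.antMatcher.extractUriTemplateVariables(this.pattern, str);
            }

            private static AntPathMatcher createMatcher(boolean z) {
                AntPathMatcher antPathMatcher = new AntPathMatcher();
                // Tokens are compared exactly as received; surrounding whitespace is not trimmed.
                antPathMatcher.setTrimTokens(false);
                antPathMatcher.setCaseSensitive(z);
                return antPathMatcher;
            }
        }

        /**
         * Fast path for patterns of the form {@code /prefix/**}: matches the prefix itself and
         * anything below it.
         */
        private static class SubpathMatcher implements Matcher {
            private final String subpath;
            private final int length;
            private final boolean caseSensitive;

            private SubpathMatcher(String str, boolean z) {
                assert !str.contains("*");
                // Locale.ROOT keeps case folding independent of the JVM default locale. With a
                // locale-sensitive fold (e.g. Turkish dotless i) a differently-cased path could
                // stop matching its rule, and an unmatched request is forwarded unchecked.
                this.subpath = z ? str : str.toLowerCase(java.util.Locale.ROOT);
                // Measure the folded prefix: lower-casing can change the string length, and
                // matches() indexes the (folded) request path with this value.
                this.length = this.subpath.length();
                this.caseSensitive = z;
            }

            @Override
            public boolean matches(String str) {
                if (!this.caseSensitive) {
                    str = str.toLowerCase(java.util.Locale.ROOT);
                }
                // The prefix must end on a path-segment boundary, so "/foo" does not match "/foobar".
                return str.startsWith(this.subpath) && (str.length() == this.length || str.charAt(this.length) == '/');
            }

            @Override
            public Map<String, String> extractUriTemplateVariables(String str) {
                return Collections.emptyMap();
            }
        }

        /** Creates a case-sensitive matcher for {@code str} that accepts any HTTP method. */
        public AntPathRequestMatcher(String str) {
            this(str, null);
        }

        /** Creates a case-sensitive matcher for pattern {@code str} and HTTP method {@code str2}. */
        public AntPathRequestMatcher(String str, String str2) {
            this(str, str2, true);
        }

        /**
         * @param str  Ant-style path pattern; must contain text
         * @param str2 HTTP method name, or null/blank to accept any method
         * @param z    whether path comparison is case-sensitive
         * @throws IllegalArgumentException if the pattern has no text, or (via
         *         {@link HttpMethod#valueOf}) if {@code str2} is not a method name it accepts
         */
        public AntPathRequestMatcher(String str, String str2, boolean z) {
            Assert.hasText(str, "Pattern cannot be null or empty");
            this.caseSensitive = z;
            String normalized = str;
            if (str.equals(MATCH_ALL) || str.equals("**")) {
                // Universal pattern: matches() short-circuits on it and never touches the matcher.
                normalized = MATCH_ALL;
                this.matcher = null;
            } else if (str.endsWith(MATCH_ALL)
                    && str.indexOf('?') == -1
                    && str.indexOf('{') == -1
                    && str.indexOf('}') == -1
                    && str.indexOf("*") == str.length() - 2) {
                // "/prefix/**" whose only wildcard is the trailing "**": plain prefix comparison.
                this.matcher = new SubpathMatcher(str.substring(0, str.length() - 3), z);
            } else {
                this.matcher = new SpringAntMatcher(str, z);
            }
            this.pattern = normalized;
            this.httpMethod = StringUtils.hasText(str2) ? HttpMethod.valueOf(str2) : null;
        }

        /**
         * Returns true when the request's method (if this matcher restricts it) and path match.
         *
         * <p>The method restriction is applied only when the request reports a non-blank method
         * value; otherwise the decision is made on the path alone.
         */
        @Override
        public boolean matches(ServerHttpRequest serverHttpRequest) {
            String requestMethod = serverHttpRequest.getMethodValue();
            if (this.httpMethod != null && StringUtils.hasText(requestMethod) && this.httpMethod != valueOf(requestMethod)) {
                if (log.isDebugEnabled()) {
                    log.debug("Request '" + serverHttpRequest.getMethod() + " " + getRequestPath(serverHttpRequest) + "' doesn't match '" + this.httpMethod + " " + this.pattern);
                }
                return false;
            }
            if (this.pattern.equals(MATCH_ALL)) {
                if (log.isDebugEnabled()) {
                    log.debug("Request '" + getRequestPath(serverHttpRequest) + "' matched by universal pattern '/**'");
                }
                return true;
            }
            String requestPath = getRequestPath(serverHttpRequest);
            if (log.isDebugEnabled()) {
                log.debug("Checking match of request : '" + requestPath + "'; against '" + this.pattern + "'");
            }
            return this.matcher.matches(requestPath);
        }

        /** Returns the request path within the application, as reported by the request. */
        private String getRequestPath(ServerHttpRequest serverHttpRequest) {
            RequestPath path = serverHttpRequest.getPath();
            String value = path.pathWithinApplication().value();
            // NOTE(review): this writes the client-supplied path at INFO once per rule evaluated,
            // so a single request can emit one line per configured rule. Left as is; consider
            // DEBUG if these lines are not used for auditing.
            log.info(value);
            return value;
        }

        public String getPattern() {
            return this.pattern;
        }

        /** Two matchers are equal when pattern, HTTP method and case-sensitivity are equal. */
        @Override
        public boolean equals(Object obj) {
            if (!(obj instanceof AntPathRequestMatcher)) {
                return false;
            }
            AntPathRequestMatcher other = (AntPathRequestMatcher) obj;
            return this.pattern.equals(other.pattern)
                    && this.httpMethod == other.httpMethod
                    && this.caseSensitive == other.caseSensitive;
        }

        @Override
        public int hashCode() {
            int hashCode = 31 ^ this.pattern.hashCode();
            if (this.httpMethod != null) {
                hashCode ^= this.httpMethod.hashCode();
            }
            return hashCode;
        }

        @Override
        public String toString() {
            StringBuilder sb = new StringBuilder();
            sb.append("Ant [pattern='").append(this.pattern).append("'");
            if (this.httpMethod != null) {
                sb.append(", ").append(this.httpMethod);
            }
            sb.append("]");
            return sb.toString();
        }

        /** Resolves a method name, returning null instead of throwing for an unknown name. */
        private static HttpMethod valueOf(String str) {
            try {
                return HttpMethod.valueOf(str);
            } catch (IllegalArgumentException e) {
                return null;
            }
        }
    }

    /** Decides whether an access rule applies to a request. */
    public interface RequestMatcher {
        boolean matches(ServerHttpRequest serverHttpRequest);
    }

    /**
     * Holder for a REST mapping description (path, methods, params, headers, consumes, produces).
     *
     * <p>{@link #matches} is a stub that always returns false, so a rule keyed by this type is
     * never selected. The arrays are stored and returned without copying.
     */
    public static class RestRequestMatcher implements RequestMatcher {
        private final String path;
        private final RequestMethod[] method;
        private final String[] params;
        private final String[] headers;
        private final String[] consumes;
        private final String[] produces;

        @Override
        public boolean matches(ServerHttpRequest serverHttpRequest) {
            return false;
        }

        public RestRequestMatcher(String str, RequestMethod[] requestMethodArr, String[] strArr, String[] strArr2, String[] strArr3, String[] strArr4) {
            this.path = str;
            this.method = requestMethodArr;
            this.params = strArr;
            this.headers = strArr2;
            this.consumes = strArr3;
            this.produces = strArr4;
        }

        public String getPath() {
            return this.path;
        }

        public RequestMethod[] getMethod() {
            return this.method;
        }

        public String[] getParams() {
            return this.params;
        }

        public String[] getHeaders() {
            return this.headers;
        }

        public String[] getConsumes() {
            return this.consumes;
        }

        public String[] getProduces() {
            return this.produces;
        }
    }

    /** Returns {@link Ordered#HIGHEST_PRECEDENCE} ({@code Integer.MIN_VALUE}). */
    @Override
    public int getOrder() {
        return Ordered.HIGHEST_PRECEDENCE;
    }

    /**
     * Applies the matching access rule to the exchange.
     *
     * <p>When no rule matches, or the matching rule has no attributes, the exchange is forwarded
     * unchecked. Otherwise the decision is taken from the rule's attributes and the authenticated
     * security context, if there is one. A denied request fails the returned {@code Mono} with
     * {@code RuntimeException("no right")}.
     *
     * <p>NOTE(review): the exception type is kept for callers that handle it; unless an error
     * handler outside this class maps it, the client will not receive a forbidden status.
     */
    @Override
    public Mono<Void> filter(ServerWebExchange serverWebExchange, GatewayFilterChain gatewayFilterChain) {
        log.debug("AccessControlGlobalFilter.filter");
        Collection<ConfigAttribute> attributes = getAttributes(serverWebExchange);
        log.debug("request's attributes is {}", attributes);
        if (attributes == null || attributes.isEmpty()) {
            // Default-allow: no applicable rule means no check at all.
            return gatewayFilterChain.filter(serverWebExchange);
        }
        return ReactiveSecurityContextHolder.getContext()
                .filter(context -> context.getAuthentication() != null && context.getAuthentication().isAuthenticated())
                .map(Optional::of)
                // An absent or unauthenticated context is carried forward as Optional.empty()
                // so the rule is still evaluated for such requests.
                .defaultIfEmpty(Optional.empty())
                .flatMap(authenticated -> {
                    if (isPermitted(attributes, authenticated)) {
                        return Mono.just(serverWebExchange);
                    }
                    throw new RuntimeException("no right");
                })
                .flatMap(gatewayFilterChain::filter);
    }

    /**
     * Evaluates a rule's attributes in order.
     *
     * <p>A role-code attribute held by the user grants access immediately. An {@code ACCESS_}
     * attribute sets the running decision and evaluation continues, so the last access mode
     * wins unless a later role code matches.
     */
    private static boolean isPermitted(Collection<ConfigAttribute> attributes, Optional<SecurityContext> authenticated) {
        List<?> roles = rolesOf(authenticated);
        boolean permitted = false;
        for (ConfigAttribute configAttribute : attributes) {
            String attribute = configAttribute.getAttribute();
            if (attribute == null || attribute.isEmpty()) {
                continue;
            }
            if (attribute.startsWith(ACCESS_PREFIX)) {
                String access = attribute.substring(ACCESS_PREFIX.length());
                log.debug("Access is {}", access);
                if ("anonymous".equals(access)) {
                    permitted = false;
                } else if (ResourceRoleSet.ACCESS_AUTHENTICATE.equals(access)) {
                    // Grant only when an authenticated context is present. This mode used to be
                    // granted unconditionally, which let requests without one through.
                    permitted = authenticated.isPresent();
                } else if (ResourceRoleSet.ACCESS_PERMIT_ALL.equals(access)) {
                    permitted = true;
                } else {
                    // denyAll and any unrecognised access mode are refused.
                    permitted = false;
                }
            } else {
                permitted = roles.contains(attribute);
                if (permitted) {
                    log.debug("match attribute is {}", attribute);
                    break;
                }
            }
        }
        return permitted;
    }

    /**
     * Returns the roles of the authenticated {@link InfrasUser}, or an empty list when there is
     * no authenticated context, the principal is of another type, or the user has no role list.
     */
    private static List<?> rolesOf(Optional<SecurityContext> authenticated) {
        if (authenticated.isPresent()) {
            Object principal = authenticated.get().getAuthentication().getPrincipal();
            if (principal instanceof InfrasUser) {
                InfrasUser infrasUser = (InfrasUser) principal;
                log.debug("infrasUser's roles is {}", infrasUser.getRoles());
                List<?> roles = infrasUser.getRoles();
                if (roles != null) {
                    return roles;
                }
            }
        }
        return Collections.emptyList();
    }

    /**
     * Rebuilds the rule table on a schedule. Both the initial delay (default 200) and the fixed
     * delay (default 10000) are read from {@code sw-backend-gateway.resource.refresh-delay}.
     *
     * <p>The new table is built aside and then published in one assignment. If building fails
     * the exception propagates and the previous table stays in force.
     */
    @Scheduled(initialDelayString = "${sw-backend-gateway.resource.refresh-delay:200}", fixedDelayString = "${sw-backend-gateway.resource.refresh-delay:10000}")
    protected void refreshRequestMap() {
        log.debug("AccessControlGlobalFilter.refreshRequestMap");
        this.requestMap = buildRequestMap();
    }

    /** Builds and publishes the rule table if none has been loaded yet. */
    private void loadRequestMap() {
        if (this.requestMap.isEmpty()) {
            this.requestMap = buildRequestMap();
        }
    }

    /**
     * Builds a complete rule table: the built-in permit-all rule for {@code /api/*}{@code /v*}
     * {@code /open/**} followed by one rule per {@link ResourceRoleSet} from the authn service.
     * A service rule with an equal matcher replaces an earlier one, the built-in rule included.
     */
    private Map<RequestMatcher, Collection<ConfigAttribute>> buildRequestMap() {
        Map<RequestMatcher, Collection<ConfigAttribute>> rules = new ConcurrentHashMap<>();
        rules.put(new AntPathRequestMatcher("/api/*/v*/open/**"), singleAttribute("ACCESS_permitAll"));
        List<ResourceRoleSet> resourceRoleSets = this.authnService.resourceRoleSets();
        if (resourceRoleSets != null) {
            for (ResourceRoleSet resourceRoleSet : resourceRoleSets) {
                String method = resourceRoleSet.getMethod();
                String path = resourceRoleSet.getPath();
                rules.put(new AntPathRequestMatcher(path, method), attributesFor(resourceRoleSet));
            }
        }
        return rules;
    }

    /**
     * Translates a resource's access mode into config attributes: the fixed modes become a
     * single {@code ACCESS_*} attribute; a null, authorize or unrecognised mode becomes one
     * attribute per role code.
     *
     * <p>NOTE(review): a role-based resource with no roles yields an empty list, which
     * {@link #filter} treats as "no rule" and forwards unchecked.
     */
    private static List<ConfigAttribute> attributesFor(ResourceRoleSet resourceRoleSet) {
        String access = resourceRoleSet.getAccess();
        if (access != null) {
            if (access.equals("anonymous")) {
                return singleAttribute("ACCESS_anonymous");
            }
            if (access.equals(ResourceRoleSet.ACCESS_AUTHENTICATE)) {
                return singleAttribute("ACCESS_authenticate");
            }
            if (!access.equals(ResourceRoleSet.ACCESS_AUTHORIZE)) {
                if (access.equals(ResourceRoleSet.ACCESS_PERMIT_ALL)) {
                    return singleAttribute("ACCESS_permitAll");
                }
                if (access.equals(ResourceRoleSet.ACCESS_DENY_ALL)) {
                    return singleAttribute("ACCESS_denyAll");
                }
            }
        }
        List<ConfigAttribute> roleAttributes = new ArrayList<>();
        for (Role role : resourceRoleSet.getRoles()) {
            roleAttributes.add(new SecurityConfig(role.getCode()));
        }
        return roleAttributes;
    }

    /** Returns a new mutable list holding one {@link SecurityConfig} for {@code attribute}. */
    private static List<ConfigAttribute> singleAttribute(String attribute) {
        List<ConfigAttribute> attributes = new ArrayList<>();
        attributes.add(new SecurityConfig(attribute));
        return attributes;
    }

    /**
     * Returns the attributes of the first rule whose matcher accepts the request, or null when
     * no rule matches. Loads the rule table first if it is still empty.
     *
     * <p>Iteration runs over one snapshot of the table, so a concurrent refresh cannot empty it
     * mid-lookup. Which rule is "first" among several matching ones is not defined.
     */
    public Collection<ConfigAttribute> getAttributes(ServerWebExchange serverWebExchange) throws IllegalArgumentException {
        if (this.requestMap.isEmpty()) {
            loadRequestMap();
        }
        Map<RequestMatcher, Collection<ConfigAttribute>> rules = this.requestMap;
        ServerHttpRequest request = serverWebExchange.getRequest();
        for (Map.Entry<RequestMatcher, Collection<ConfigAttribute>> rule : rules.entrySet()) {
            if (rule.getKey().matches(request)) {
                return rule.getValue();
            }
        }
        return null;
    }
}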
