package in.hocg.boot.sso.client.autoconfigure.core.servlet;

import cn.hutool.core.collection.CollUtil;
import cn.hutool.core.util.ArrayUtil;
import cn.hutool.core.util.StrUtil;
import cn.hutool.json.JSONUtil;
import in.hocg.boot.sso.client.autoconfigure.core.AuthenticationResult;
import in.hocg.boot.sso.client.autoconfigure.properties.SsoClientProperties;
import in.hocg.boot.sso.client.autoconfigure.utils.AuthoritiesUtils;
import in.hocg.boot.utils.struct.result.ExceptionResult;
import in.hocg.boot.utils.struct.result.ResultCode;
import java.io.IOException;
import java.io.PrintWriter;
import java.nio.charset.StandardCharsets;
import java.util.Collection;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication;
import org.springframework.context.ApplicationContext;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Lazy;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
import org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestRedirectFilter;
import org.springframework.security.oauth2.core.user.OAuth2UserAuthority;
import org.springframework.security.web.util.matcher.RequestHeaderRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.util.StringUtils;

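/**
 * Servlet-stack Spring Security wiring for the SSO client.
 * <p>
 * Active only when the application has not declared its own
 * {@link WebSecurityConfigurerAdapter}. It turns the URL rules held in
 * {@link SsoClientProperties} into an {@code authorizeRequests()} registry,
 * enables OAuth2 login for browser traffic, answers XHR callers with a JSON
 * 401 body instead of a login redirect, and installs
 * {@link ServletExpandAuthenticationManager} as a filter ahead of the OAuth2
 * authorization-request redirect filter.
 */
@ConditionalOnMissingBean({WebSecurityConfigurerAdapter.class})
@Configuration
@ConditionalOnWebApplication(type = ConditionalOnWebApplication.Type.SERVLET)
/* loaded from: input_file:in/hocg/boot/sso/client/autoconfigure/core/servlet/ServletSsoClientConfiguration.class */
public class ServletSsoClientConfiguration extends WebSecurityConfigurerAdapter {
    private static final Logger log = LoggerFactory.getLogger(ServletSsoClientConfiguration.class);

    /**
     * Requests carrying the classic XHR marker header are answered with a JSON 401
     * rather than the OAuth2 login redirect, which an XHR caller cannot follow.
     */
    private static final RequestMatcher IS_AJAX =
        new RequestHeaderRequestMatcher("X-Requested-With", "XMLHttpRequest");

    /**
     * Both error bodies written by this class are JSON, so they are labelled as such.
     * (Previously they went out as {@code text/html}, which invites a browser to render
     * the echoed {@code X-Page-Url}/{@code Referer} value as markup.)
     */
    private static final String JSON_CONTENT_TYPE = "application/json";

    private final SsoClientProperties properties;

    /**
     * @param ssoClientProperties URL rules and role/authority/IP mappings read from configuration
     */
    @Lazy
    public ServletSsoClientConfiguration(SsoClientProperties ssoClientProperties) {
        this.properties = ssoClientProperties;
    }

    /**
     * Builds the URL authorization rules and the login/exception handling for this chain.
     * <p>
     * Registration order matters: Spring Security applies the first matcher that hits a
     * request. Rules are registered as deny → authenticated → permitAll (ignoreUrls) →
     * hasIpAddress → hasAnyAuthority → hasAnyRole → everything else authenticated, so an
     * "ignore" pattern that overlaps a role or authority pattern wins over it. Note that
     * {@code ignoreUrls} are {@code permitAll}, not {@code WebSecurity.ignoring()}: such
     * requests still pass through this filter chain.
     *
     * @param http the {@link HttpSecurity} being configured
     * @throws Exception propagated from the Spring Security builders; also thrown when a
     *                   configured {@code hasIpAddress} value cannot be safely embedded in SpEL
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        String[] denyUrls = toPatterns(properties.getDenyUrls());
        String[] authenticatedUrls = toPatterns(properties.getAuthenticatedUrls());
        String[] ignoreUrls = toPatterns(properties.getIgnoreUrls());

        ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry registry =
            http.authorizeRequests();

        if (denyUrls.length > 0) {
            registry.antMatchers(denyUrls).denyAll();
        }
        if (authenticatedUrls.length > 0) {
            registry.antMatchers(authenticatedUrls).authenticated();
        }
        if (ignoreUrls.length > 0) {
            registry.antMatchers(ignoreUrls).permitAll();
        }

        registerIpRules(registry, properties.getHasIpAddress());
        registerAuthorityRules(registry, properties.getHasAnyAuthority());
        registerRoleRules(registry, properties.getHasAnyRole());

        // Anything not matched above needs an authenticated session.
        registry.anyRequest().authenticated();

        // Browser traffic authenticates via OAuth2 login against the SSO server.
        http.oauth2Login();
        // XHR callers get a JSON 401 (with a "return to" hint) instead of a login redirect;
        // non-XHR callers keep Spring's default entry point (the OAuth2 redirect).
        http.exceptionHandling().defaultAuthenticationEntryPointFor(
            (request, response, authException) -> handleAuthentication4Servlet(request, response),
            IS_AJAX);
        // NOTE(review): CSRF protection is disabled for every endpoint even though
        // oauth2Login() gives browsers a cookie-backed session. State-changing endpoints
        // therefore depend on mitigations this class does not set up (SameSite cookies,
        // a required custom header, ...). Confirm this is intended before exposing
        // cookie-authenticated POST/PUT/DELETE handlers.
        http.csrf().disable();
        // The SSO client's own filter runs before the OAuth2 authorization-request redirect.
        http.addFilterBefore(authenticationManager(getApplicationContext()),
            OAuth2AuthorizationRequestRedirectFilter.class);
    }

    /**
     * Registers {@code hasIpAddress(...)} access rules, one per URL pattern.
     * <p>
     * Each allowed address/CIDR is spliced into a SpEL expression of the form
     * {@code hasIpAddress('a') or hasIpAddress('b')}. The values come from application
     * configuration, not from requests, but they are not escaped, so a value containing a
     * single quote would break out of the string literal and change the expression. Such a
     * value is rejected at startup with a clear message instead of failing later in SpEL.
     */
    private static void registerIpRules(
            ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry registry,
            Map<String, List<String>> ipRules) {
        if (!CollUtil.isNotEmpty(ipRules)) {
            return;
        }
        ipRules.forEach((pattern, addresses) -> {
            if (StrUtil.isBlank(pattern) || CollUtil.isEmpty(addresses)) {
                return;
            }
            addresses.stream()
                .map(address -> {
                    if (address != null && address.indexOf('\'') >= 0) {
                        throw new IllegalArgumentException(
                            "hasIpAddress value for pattern '" + pattern
                                + "' must not contain a quote: " + address);
                    }
                    return StrUtil.format("hasIpAddress('{}')", address);
                })
                .reduce((left, right) -> StrUtil.format("{} or {}", left, right))
                .ifPresent(expression -> registry.antMatchers(pattern).access(expression));
        });
    }

    /** Registers {@code hasAnyAuthority(...)} rules, one per URL pattern; blank/empty entries are skipped. */
    private static void registerAuthorityRules(
            ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry registry,
            Map<String, List<String>> authorityRules) {
        if (!CollUtil.isNotEmpty(authorityRules)) {
            return;
        }
        authorityRules.forEach((pattern, authorities) -> {
            if (StrUtil.isNotBlank(pattern) && CollUtil.isNotEmpty(authorities)) {
                registry.antMatchers(pattern).hasAnyAuthority(authorities.toArray(new String[0]));
            }
        });
    }

    /**
     * Registers {@code hasAnyRole(...)} rules, one per URL pattern; blank/empty entries are
     * skipped. Role names are normalised by {@link AuthoritiesUtils#asRoles} before use.
     */
    private static void registerRoleRules(
            ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry registry,
            Map<String, List<String>> roleRules) {
        if (!CollUtil.isNotEmpty(roleRules)) {
            return;
        }
        roleRules.forEach((pattern, roles) -> {
            if (StrUtil.isNotBlank(pattern) && CollUtil.isNotEmpty(roles)) {
                registry.antMatchers(pattern).hasAnyRole(AuthoritiesUtils.asRoles(roles));
            }
        });
    }

    /** Copies a configured collection of URL patterns into the array form {@code antMatchers} takes; null → empty. */
    private static String[] toPatterns(Collection<String> patterns) {
        return patterns == null ? new String[0] : patterns.toArray(new String[0]);
    }

    /**
     * The SSO client's own filter, registered as a bean so applications can replace it.
     *
     * @param applicationContext the context handed to the filter for its lookups
     * @return the filter instance inserted ahead of {@link OAuth2AuthorizationRequestRedirectFilter}
     */
    @ConditionalOnMissingBean
    @Bean
    public ServletExpandAuthenticationManager authenticationManager(ApplicationContext applicationContext) {
        return new ServletExpandAuthenticationManager(applicationContext);
    }

    /**
     * Writes the JSON "authentication required" body (HTTP 401) for XHR callers.
     * <p>
     * The page to return to after login is taken from the {@code X-Page-Url} header, falling
     * back to {@code Referer}; when neither has content, {@code null} is handed to
     * {@link AuthenticationResult#create}. Both headers are client-supplied and are echoed
     * back without validation, so a front end that navigates to this value after login
     * should first confirm the target is same-origin (otherwise it is an open-redirect vector).
     * An {@link IOException} while writing is logged rather than propagated.
     */
    private void handleAuthentication4Servlet(HttpServletRequest request, HttpServletResponse response) {
        log.debug("匿名访问被拒绝");
        String pageUrl = request.getHeader("X-Page-Url");
        if (!StringUtils.hasLength(pageUrl)) {
            pageUrl = request.getHeader("Referer");
        }
        // An absent or empty header becomes null, matching the original behaviour.
        String returnTo = StringUtils.hasLength(pageUrl) ? pageUrl : null;
        AuthenticationResult result = AuthenticationResult.create(returnTo);
        try {
            writeJson(response, result.toJSON());
        } catch (IOException e) {
            log.error("匿名访问被拒绝: ", e);
        }
    }

    /**
     * Writes the JSON "access denied" body for an already-authenticated caller.
     * <p>
     * NOTE(review): this handler is not registered anywhere in {@link #configure}, so an
     * authenticated-but-forbidden request currently falls through to Spring's default
     * {@code AccessDeniedHandler}. It also reports 401 where 403 (Forbidden) is the
     * conventional code for a denied, authenticated request; the value is kept as-is here
     * because clients may already key on it.
     *
     * @throws IOException      if the body cannot be written
     * @throws ServletException never thrown here; declared for handler-signature compatibility
     */
    private void handleAccessDenied4Servlet(HttpServletResponse response, AccessDeniedException accessDeniedException)
            throws IOException, ServletException {
        log.warn("登录后，访问被拒绝", accessDeniedException);
        ExceptionResult fail = ExceptionResult.fail(401, ResultCode.ACCESS_DENIED_ERROR.getMessage());
        writeJson(response, JSONUtil.toJsonStr(fail));
    }

    /**
     * Emits {@code body} as a UTF-8 JSON response with status 401.
     * Content type and encoding are set before the writer is obtained, as the Servlet API requires.
     */
    private static void writeJson(HttpServletResponse response, String body) throws IOException {
        response.setContentType(JSON_CONTENT_TYPE);
        response.setCharacterEncoding(StandardCharsets.UTF_8.name());
        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        try (PrintWriter writer = response.getWriter()) {
            writer.write(body);
        }
    }

    /**
     * Maps the authorities produced by the OAuth2 login into plain {@link SimpleGrantedAuthority}s.
     * <p>
     * Every incoming authority is kept by name; an {@link OAuth2UserAuthority} additionally
     * contributes whatever {@link AuthoritiesUtils#getAuthorities} derives from its user
     * attributes. Duplicates collapse because the result is a set.
     *
     * @return the mapper, unless the application supplies its own bean
     */
    @ConditionalOnMissingBean
    @Bean
    public GrantedAuthoritiesMapper grantedAuthoritiesMapper() {
        return authorities -> {
            Collection<GrantedAuthority> mapped = new HashSet<>();
            for (GrantedAuthority authority : authorities) {
                mapped.add(new SimpleGrantedAuthority(authority.getAuthority()));
                if (authority instanceof OAuth2UserAuthority) {
                    Map<String, Object> attributes = ((OAuth2UserAuthority) authority).getAttributes();
                    mapped.addAll(AuthoritiesUtils.getAuthorities(attributes));
                }
            }
            return mapped;
        };
    }
}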
