package cn.herodotus.engine.oauth2.authorization.processor;

import cn.herodotus.engine.assistant.core.utils.http.HeaderUtils;
import cn.herodotus.engine.oauth2.authorization.definition.HerodotusConfigAttribute;
import cn.herodotus.engine.oauth2.authorization.definition.HerodotusRequest;
import cn.herodotus.engine.oauth2.authorization.definition.HerodotusRequestMatcher;
import cn.herodotus.engine.rest.core.utils.WebUtils;
import jakarta.servlet.http.HttpServletRequest;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.function.Supplier;
import org.apache.commons.collections4.CollectionUtils;
import org.apache.commons.collections4.MapUtils;
import org.apache.commons.lang3.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.authorization.AuthorizationDecision;
import org.springframework.security.authorization.AuthorizationManager;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.access.expression.WebExpressionAuthorizationManager;
import org.springframework.security.web.access.intercept.RequestAuthorizationContext;

/* loaded from: input_file:cn/herodotus/engine/oauth2/authorization/processor/SecurityAuthorizationManager.class */
/**
 * Per-request authorization manager that decides access from the request URI, the HTTP
 * method and the configured security attributes.
 *
 * <p>Checks run in a fixed order and the first one that applies wins:
 * <ol>
 *   <li>static resource: granted;</li>
 *   <li>permit-all list: granted;</li>
 *   <li>inner-invoke header present: granted;</li>
 *   <li>"has authenticated" list: granted when the caller is authenticated;</li>
 *   <li>no configured attribute: denied in strict mode or for unauthenticated callers,
 *       otherwise granted;</li>
 *   <li>configured attributes: granted as soon as one expression grants, else denied.</li>
 * </ol>
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>Steps 1-3 grant access without consulting the {@link Authentication}. Anything that
 *       makes one of them match more requests than intended widens unauthenticated
 *       access.</li>
 *   <li>All path decisions use {@code getRequestURI()}, which the servlet container does not
 *       decode and which still carries path parameters. NOTE(review): confirm that
 *       {@code WebUtils} or the HTTP firewall in front of this manager normalises the path
 *       the same way the handler mapping does, so both agree on which resource is being
 *       requested.</li>
 * </ul>
 */
public class SecurityAuthorizationManager implements AuthorizationManager<RequestAuthorizationContext> {
    private static final Logger log = LoggerFactory.getLogger(SecurityAuthorizationManager.class);
    private final SecurityMetadataSourceStorage securityMetadataSourceStorage;
    private final SecurityMatcherConfigurer securityMatcherConfigurer;

    /**
     * Creates the manager.
     *
     * @param securityMetadataSourceStorage source of the per-request security attributes
     * @param securityMatcherConfigurer source of the permit-all list, the "has authenticated"
     *     list and the authorization properties
     */
    public SecurityAuthorizationManager(SecurityMetadataSourceStorage securityMetadataSourceStorage, SecurityMatcherConfigurer securityMatcherConfigurer) {
        this.securityMetadataSourceStorage = securityMetadataSourceStorage;
        this.securityMatcherConfigurer = securityMatcherConfigurer;
    }

    /**
     * Decides whether the current request may proceed.
     *
     * @param supplier lazily provides the caller's {@link Authentication}; it is only
     *     invoked on the branches that need it
     * @param requestAuthorizationContext wraps the servlet request under evaluation
     * @return a granted or denied decision, following the order described on the class
     */
    public AuthorizationDecision check(Supplier<Authentication> supplier, RequestAuthorizationContext requestAuthorizationContext) {
        HttpServletRequest servletRequest = requestAuthorizationContext.getRequest();
        String uri = servletRequest.getRequestURI();
        String httpMethod = servletRequest.getMethod();

        // Unconditional allow #1: whatever WebUtils classifies as a static resource.
        // NOTE(review): the classification rule is not visible here; confirm that it cannot
        // match a protected endpoint.
        if (WebUtils.isStaticResources(uri)) {
            log.trace("[Herodotus] |- Is static resource : [{}], Passed!", uri);
            return new AuthorizationDecision(true);
        }

        // Unconditional allow #2: configured permit-all patterns.
        List<String> permitAll = this.securityMatcherConfigurer.getPermitAllList();
        if (WebUtils.isPathMatch(permitAll, uri)) {
            log.trace("[Herodotus] |- Is white list resource : [{}], Passed!", uri);
            return new AuthorizationDecision(true);
        }

        // Unconditional allow #3: the request carries a non-blank inner-invoke header.
        // Request headers are caller-controlled, and this class only tests the value for
        // non-blankness. NOTE(review): confirm that the header is stripped from external
        // traffic at the gateway, or that HeaderUtils verifies it; otherwise this branch
        // grants access on the header's presence alone.
        String innerInvokeMarker = HeaderUtils.getHerodotusFromIn(servletRequest);
        if (StringUtils.isNotBlank(innerInvokeMarker)) {
            log.trace("[Herodotus] |- Is feign inner invoke : [{}], Passed!", uri);
            return new AuthorizationDecision(true);
        }

        // Paths that only require an authenticated caller, with no attribute evaluation.
        List<String> authenticatedOnly = this.securityMatcherConfigurer.getHasAuthenticatedList();
        if (WebUtils.isPathMatch(authenticatedOnly, uri)) {
            log.trace("[Herodotus] |- Is has authenticated resource : [{}]", uri);
            return new AuthorizationDecision(supplier.get().isAuthenticated());
        }

        List<HerodotusConfigAttribute> attributes = findConfigAttribute(uri, httpMethod, servletRequest);
        if (CollectionUtils.isEmpty(attributes)) {
            log.warn("[Herodotus] |- NO PRIVILEGES : [{}].", uri);
            // With strict mode off, any authenticated caller reaches endpoints that have no
            // configured attribute. getStrict() is unboxed directly, so a null value would
            // throw here rather than produce a decision.
            boolean strict = this.securityMatcherConfigurer.getAuthorizationProperties().getStrict().booleanValue();
            if (!strict && supplier.get().isAuthenticated()) {
                log.debug("[Herodotus] |- Request is authenticated: [{}].", uri);
                return new AuthorizationDecision(true);
            }
            return new AuthorizationDecision(false);
        }

        // The attributes combine as a logical OR: the first expression that grants wins.
        for (HerodotusConfigAttribute attribute : attributes) {
            WebExpressionAuthorizationManager delegate = new WebExpressionAuthorizationManager(attribute.getAttribute());
            AuthorizationDecision decision = delegate.check(supplier, requestAuthorizationContext);
            if (decision.isGranted()) {
                log.debug("[Herodotus] |- Request [{}] is authorized!", requestAuthorizationContext.getRequest().getRequestURI());
                return decision;
            }
        }
        return new AuthorizationDecision(false);
    }

    /**
     * Looks up the security attributes that apply to a request.
     *
     * <p>The storage is first queried with the URI and method; if that yields nothing, the
     * "compatible" entries are tried in the map's iteration order and the first entry whose
     * matcher accepts the request is used.
     *
     * @param requestUri request URI as returned by the servlet request
     * @param httpMethod HTTP method of the request
     * @param request the servlet request, used for matcher evaluation
     * @return the matching attributes, or {@code null} when nothing matches
     */
    private List<HerodotusConfigAttribute> findConfigAttribute(String requestUri, String httpMethod, HttpServletRequest request) {
        log.debug("[Herodotus] |- Current Request is : [{}] - [{}]", requestUri, httpMethod);

        List<HerodotusConfigAttribute> direct = this.securityMetadataSourceStorage.getConfigAttribute(requestUri, httpMethod);
        if (CollectionUtils.isNotEmpty(direct)) {
            log.debug("[Herodotus] |- Get configAttributes from local storage for : [{}] - [{}]", requestUri, httpMethod);
            return direct;
        }

        LinkedHashMap<HerodotusRequest, List<HerodotusConfigAttribute>> candidates = this.securityMetadataSourceStorage.getCompatible();
        if (MapUtils.isEmpty(candidates)) {
            return null;
        }

        for (Map.Entry<HerodotusRequest, List<HerodotusConfigAttribute>> candidate : candidates.entrySet()) {
            HerodotusRequestMatcher matcher = new HerodotusRequestMatcher(candidate.getKey());
            if (!matcher.matches(request)) {
                continue;
            }
            log.debug("[Herodotus] |- Request match the wildcard [{}] - [{}]", candidate.getKey(), candidate.getValue());
            return candidate.getValue();
        }
        return null;
    }

    // Bridge method as emitted by the decompiler: it forwards the erased interface signature
    // to the typed check(...) overload above.
    public /* bridge */ /* synthetic */ AuthorizationDecision check(Supplier supplier, Object obj) {
        return check((Supplier<Authentication>) supplier, (RequestAuthorizationContext) obj);
    }
}
