package org.ligoj.bootstrap.core.security;

import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.ServletRequest;
import jakarta.servlet.ServletResponse;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import jakarta.ws.rs.core.Response;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Collection;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;
import org.apache.commons.lang3.StringUtils;
import org.ligoj.bootstrap.core.resource.mapper.AccessDeniedExceptionMapper;
import org.ligoj.bootstrap.model.system.SystemAuthorization;
import org.ligoj.bootstrap.resource.system.security.AuthorizationResource;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.filter.GenericFilterBean;

/* loaded from: input_file:org/ligoj/bootstrap/core/security/AuthorizingFilter.class */
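/**
 * Servlet filter that authorizes each request against the API authorization patterns
 * exposed by {@link AuthorizationResource}.
 * <p>
 * A request continues down the chain when the caller holds the {@code ROLE_ANONYMOUS}
 * authority, or when one of the caller's authorities owns a pattern, registered for the
 * request's HTTP method, that is found in the context-relative request path. Any other
 * request is answered with the response built by {@link AccessDeniedExceptionMapper}.
 * <p>
 * Points to keep in mind when maintaining the rules this filter enforces:
 * <ul>
 * <li>{@code ROLE_ANONYMOUS} skips the pattern check entirely. NOTE(review): presumably
 * anonymous access is restricted by the surrounding security configuration; confirm that
 * no protected API is reachable by an anonymous caller.</li>
 * <li>Patterns are evaluated with {@link java.util.regex.Matcher#find()}, so a pattern
 * matches anywhere in the path unless it carries its own {@code ^} / {@code $} anchors.</li>
 * <li>The path comes from {@link HttpServletRequest#getRequestURI()} and is not decoded or
 * normalized in this class. NOTE(review): confirm that an upstream component (for example
 * Spring Security's HttpFirewall) rejects encoded or path-parameter variants of a URL
 * before they reach this filter.</li>
 * </ul>
 */
public class AuthorizingFilter extends GenericFilterBean {

    /** Authority that bypasses the API pattern check. */
    private static final String ANONYMOUS_AUTHORITY = "ROLE_ANONYMOUS";

    @Autowired
    private AuthorizationResource authorizationResource;

    @Autowired
    private AccessDeniedExceptionMapper accessDeniedHelper;

    /**
     * Lets the request through when the caller is authorized, otherwise writes the
     * access-denied response and stops the chain.
     *
     * @param servletRequest  the incoming request, cast to {@link HttpServletRequest}
     * @param servletResponse the response, cast to {@link HttpServletResponse} on refusal
     * @param filterChain     the remaining filters, invoked only for authorized requests
     * @throws IOException      when the chain or the refusal response fails to write
     * @throws ServletException when the chain fails
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        final HttpServletRequest httpRequest = (HttpServletRequest) servletRequest;
        final var authentication = SecurityContextHolder.getContext().getAuthentication();
        if (authentication == null) {
            // Fail closed: without an Authentication there is nothing to authorize, and
            // dereferencing it would surface as an unhandled NullPointerException.
            updateForbiddenAccess((HttpServletResponse) servletResponse);
            return;
        }

        final Collection<? extends GrantedAuthority> authorities = authentication.getAuthorities();
        final boolean anonymous = authorities.contains(new SimpleGrantedAuthority(ANONYMOUS_AUTHORITY));
        // Short-circuit kept from the original: the pattern lookup runs only for non-anonymous callers.
        if (anonymous || isAuthorized(authorities, getFullRequest(httpRequest), StringUtils.upperCase(httpRequest.getMethod()))) {
            filterChain.doFilter(servletRequest, servletResponse);
        } else {
            updateForbiddenAccess((HttpServletResponse) servletResponse);
        }
    }

    /**
     * Copies the status, media type and entity of the mapper's access-denied response into
     * the servlet response. The exception handed to the mapper carries an empty message.
     *
     * @param httpServletResponse the response to fill
     * @throws IOException when the body cannot be written
     */
    private void updateForbiddenAccess(HttpServletResponse httpServletResponse) throws IOException {
        final Response denied = this.accessDeniedHelper.toResponse(new AccessDeniedException(""));
        httpServletResponse.setStatus(denied.getStatus());
        httpServletResponse.setContentType(denied.getMediaType().toString());
        // The mapper's entity is cast to String here; it is written as UTF-8 bytes.
        final byte[] body = ((String) denied.getEntity()).getBytes(StandardCharsets.UTF_8);
        httpServletResponse.getOutputStream().write(body);
    }

    /**
     * Returns the request URI with the servlet context path and one leading {@code /}
     * removed. The value is used as-is for pattern matching.
     *
     * @param httpServletRequest the current request
     * @return the context-relative path without its leading slash
     */
    private String getFullRequest(HttpServletRequest httpServletRequest) {
        final int contextLength = getServletContext().getContextPath().length();
        final String relative = httpServletRequest.getRequestURI().substring(contextLength);
        return StringUtils.removeStart(relative, "/");
    }

    /**
     * Tells whether any of the given authorities owns an API pattern, for the given HTTP
     * method, that is found in the path.
     *
     * @param authorities the caller's authorities
     * @param path        the context-relative request path
     * @param method      the upper-cased HTTP method used as lookup key
     * @return {@code true} on the first matching authority, {@code false} when there are no
     *         API authorizations or none matches
     */
    private boolean isAuthorized(Collection<? extends GrantedAuthority> authorities, String path, String method) {
        final Map<String, Map<String, List<Pattern>>> apiRules = this.authorizationResource.getAuthorizations()
                .get(SystemAuthorization.AuthorizationType.API);
        if (apiRules == null) {
            // No API authorization registered: deny.
            return false;
        }
        for (final GrantedAuthority authority : authorities) {
            final Map<String, List<Pattern>> rulesByMethod = apiRules.get(authority.getAuthority());
            if (rulesByMethod != null && match(rulesByMethod.get(method), path)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Tells whether at least one pattern is found in the given path.
     *
     * @param patterns the candidate patterns, may be {@code null}
     * @param path     the path to test
     * @return {@code true} when a pattern is found, {@code false} for {@code null} or no match
     */
    private boolean match(Collection<Pattern> patterns, String path) {
        if (patterns == null) {
            return false;
        }
        for (final Pattern pattern : patterns) {
            // find(), not matches(): the pattern may match any part of the path.
            if (pattern.matcher(path).find()) {
                return true;
            }
        }
        return false;
    }
}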
