package com.foresealife.iam.client.filter.security;

import com.foresealife.iam.client.api.IamServiceFactory;
import com.foresealife.iam.client.bean.IamPrincipal;
import com.foresealife.iam.client.bean.IamSubject;
import com.foresealife.iam.client.cache.AccCache;
import com.foresealife.iam.client.cache.AccCacheEntity;
import com.foresealife.iam.client.config.IamConfig;
import com.foresealife.iam.client.config.IamConfigFactory;
import com.foresealife.iam.client.filter.security.impl.DefaultRoleProvider;
import com.foresealife.iam.client.util.ClassUtils;
import com.foresealife.iam.client.util.StringUtils;
import com.foresealife.iam.client.util.http.HttpGetServletPath;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import repack.org.springframework.util.AntPathMatcher;

/* loaded from: input_file:com/foresealife/iam/client/filter/security/RoleBasedAclFilter.class */
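/**
 * Servlet filter that applies role-based access-control rules to each HTTP request.
 *
 * <p>Decision order, as implemented in {@link #doFilter}:
 * <ol>
 *   <li>a request whose servlet path is on the ignore list is passed through unchecked;</li>
 *   <li>a request whose servlet path matches <em>no</em> ACL rule is passed through
 *       (default-allow: only paths covered by at least one rule are protected);</li>
 *   <li>otherwise at least one matching rule must accept both a role of the caller and the
 *       HTTP method, or the request is answered with 403.</li>
 * </ol>
 *
 * <p>Because of step 2, a missing or mistyped rule path silently leaves that path open; deployments
 * that need default-deny should add a catch-all rule.
 *
 * <p>The ACL and the ignore list used for a request are held in local variables rather than
 * instance fields, because one filter instance serves concurrent request threads.
 */
public class RoleBasedAclFilter implements Filter {
    /** Rule method value that matches every HTTP method. */
    public static final String ANY_METHOD = "*";
    private static IamConfig config = IamConfigFactory.getInstance().getConfig();
    private static AccCache accCache = AccCache.getInstance();
    private AntPathMatcher pathMatcher;
    private RoleProvider roleProvider;
    // Not populated anywhere in this class, so the suffix check in ignoreRequest matches nothing
    // unless something outside this file fills it.
    private List<String> ignoreRquestSuffix = new ArrayList<String>();

    /**
     * Creates the path matcher and loads the role provider.
     *
     * @param filterConfig container-supplied configuration (not read here)
     * @throws ServletException if the role provider cannot be instantiated
     */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        this.pathMatcher = new AntPathMatcher();
        initRoleProvider();
    }

    /**
     * Instantiates the role provider: {@link DefaultRoleProvider} when none is configured,
     * otherwise the class named by {@code config.getRoleProvider()}.
     *
     * <p>The configured name is loaded and instantiated reflectively, so it must only ever come
     * from trusted configuration.
     *
     * @throws ServletException if the class cannot be loaded, instantiated, or is not a
     *     {@link RoleProvider}
     */
    public void initRoleProvider() throws ServletException {
        String providerClassName = config.getRoleProvider();
        try {
            if (StringUtils.isBlank(providerClassName)) {
                this.roleProvider = new DefaultRoleProvider();
            } else {
                this.roleProvider = (RoleProvider) ClassUtils.load(providerClassName).newInstance();
            }
        } catch (Exception e) {
            throw new ServletException("Failed to load role provider class " + providerClassName, e);
        }
    }

    /**
     * Asks the ACL cache to refresh itself and returns the access control it currently holds.
     *
     * @return the cached access control; may be {@code null} if the cache holds none
     */
    private AccessControl getAccessControl() {
        accCache.doFreshAcl(IamServiceFactory.getInstance().getAclService());
        return AccCacheEntity.getAccessControlCache();
    }

    /**
     * Passes the request down the chain when it is ignored or authorized; otherwise sets status
     * 403 and, if an error page is configured, forwards to it.
     *
     * @throws IOException if the chain or the forward fails with an I/O error
     * @throws ServletException if the chain or the forward fails
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;
        HttpServletResponse httpServletResponse = (HttpServletResponse) servletResponse;
        // Per-request snapshots: never stored on the shared filter instance.
        AccessControl acl = getAccessControl();
        List<String> ignoredUrls = IamServiceFactory.getInstance().getUnitService().getCasIgnoreUrlFromApi();
        if (ignoredUrls == null) {
            // No ignore list available: ignore nothing, so every request is checked against the ACL.
            ignoredUrls = new ArrayList<String>();
        }
        if (ignoreRequest(httpServletRequest, ignoredUrls) || isAuthorized(httpServletRequest, acl)) {
            filterChain.doFilter(servletRequest, servletResponse);
            return;
        }
        httpServletResponse.setStatus(HttpServletResponse.SC_FORBIDDEN);
        String errorPage = config.getErrorPage();
        if (StringUtils.isBlank(errorPage)) {
            return;
        }
        httpServletRequest.getRequestDispatcher(errorPage).forward(httpServletRequest, httpServletResponse);
    }

    /**
     * Decides whether the request may proceed.
     *
     * @return {@code true} when no rule covers the request path (default-allow) or when at least
     *     one covering rule accepts the caller's role and the HTTP method
     */
    private boolean isAuthorized(HttpServletRequest httpServletRequest, AccessControl acl) {
        List<Rule> matchedRules = findPathMatchedPattern(httpServletRequest, acl);
        if (matchedRules.isEmpty()) {
            // Default-allow: a path with no rule is not protected by this filter.
            return true;
        }
        return hasAnyRuleAndMethodMatched(httpServletRequest, matchedRules);
    }

    /**
     * Checks the caller's roles against the rules that matched the request path.
     *
     * <p>The user name is taken from {@code getRemoteUser()}; this presumably relies on an
     * authentication filter running earlier in the chain (confirm the filter order).
     *
     * @return {@code true} if some rule accepts both a role of the caller and the request method;
     *     {@code false} if the provider returns no subject or a subject without principals
     */
    private boolean hasAnyRuleAndMethodMatched(HttpServletRequest httpServletRequest, List<Rule> list) {
        IamSubject subject = this.roleProvider.getRole(httpServletRequest.getRemoteUser(), config.getCompanyCode(), config.getUnitCode());
        if (subject == null || subject.getPrincipals() == null || subject.getPrincipals().isEmpty()) {
            return false;
        }
        String requestMethod = httpServletRequest.getMethod();
        for (Rule rule : list) {
            if (isRoleAllowed(rule, subject) && isMethodAllowed(rule, requestMethod)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Tells whether the rule applies to the given HTTP method. The comparison is exact
     * (case-sensitive); a rule without a method matches nothing.
     */
    private boolean isMethodAllowed(Rule rule, String str) {
        String ruleMethod = rule.getMethod();
        if (ruleMethod == null) {
            // Malformed rule: treat as "matches no method" instead of failing with an NPE.
            return false;
        }
        return ANY_METHOD.equals(ruleMethod) || ruleMethod.equals(str);
    }

    /**
     * Tells whether any principal of the subject carries the role the rule requires.
     */
    private boolean isRoleAllowed(Rule rule, IamSubject iamSubject) {
        for (IamPrincipal principal : iamSubject.getPrincipals()) {
            // NOTE(review): confirm getAttrValues() is a collection of role names; on a plain
            // String, contains() would be a substring match rather than an exact role match.
            if (principal.getAttrValues().contains(rule.getRole())) {
                return true;
            }
        }
        return false;
    }

    /**
     * Collects the ACL rules whose path matches the request's servlet path, either as an Ant
     * pattern or by exact string equality.
     *
     * <p>NOTE(review): matching uses the value returned by
     * {@code HttpGetServletPath.getServletPath}; confirm it is normalized the same way the
     * container resolves the target resource, so rule paths and dispatch agree.
     *
     * @throws IllegalStateException if no access control is available
     */
    private List<Rule> findPathMatchedPattern(HttpServletRequest httpServletRequest, AccessControl acl) {
        if (acl == null) {
            // Must not be treated as "no rules": an empty match list means allow.
            throw new IllegalStateException("Access control rules are not available");
        }
        List<Rule> matched = new ArrayList<Rule>();
        String servletPath = HttpGetServletPath.getServletPath(httpServletRequest);
        for (Rule rule : acl.getRules()) {
            String path = rule.getPath();
            boolean hit = this.pathMatcher.isPattern(path)
                    ? this.pathMatcher.match(path, servletPath)
                    : path.equals(servletPath);
            if (hit) {
                matched.add(rule);
            }
        }
        return matched;
    }

    /**
     * Tells whether the request bypasses the ACL check: its servlet path is listed verbatim,
     * its file suffix is in the ignored-suffix list, or it matches a listed Ant pattern.
     *
     * @param ignoredUrls non-null ignore list fetched for this request
     */
    private boolean ignoreRequest(HttpServletRequest httpServletRequest, List<String> ignoredUrls) {
        String servletPath = HttpGetServletPath.getServletPath(httpServletRequest);
        if (ignoredUrls.contains(servletPath)) {
            return true;
        }
        if (servletPath.contains(".")) {
            // Locale.ROOT keeps the lower-casing independent of the JVM's default locale.
            String suffix = servletPath.substring(servletPath.lastIndexOf('.') + 1).toLowerCase(java.util.Locale.ROOT);
            if (this.ignoreRquestSuffix.contains(suffix)) {
                return true;
            }
        }
        for (String candidate : ignoredUrls) {
            if (this.pathMatcher.isPattern(candidate) && this.pathMatcher.match(candidate, servletPath)) {
                return true;
            }
        }
        return false;
    }

    /** Nothing to release. */
    @Override
    public void destroy() {
    }
}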
