package cn.gtmap.gtc.starter.gscas.config;

import cn.gtmap.gtc.common.properties.security.AppSecurity;
import cn.gtmap.gtc.starter.gcas.domain.SecurityMetaUrlSource;
import cn.gtmap.gtc.starter.gcas.util.HttpUtils;
import cn.gtmap.gtc.starter.gscas.expression.GtmapFilterInvocationSecurityMetadataSource;
import cn.gtmap.gtc.starter.gscas.expression.SecurityUrlConfig;
import com.alibaba.fastjson.JSON;
import java.util.Collection;
import java.util.HashMap;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Random;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.cloud.client.ServiceInstance;
import org.springframework.cloud.client.discovery.DiscoveryClient;
import org.springframework.cloud.netflix.zuul.filters.discovery.DiscoveryClientRouteLocator;
import org.springframework.context.annotation.Configuration;
import org.springframework.scheduling.annotation.Scheduled;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.oauth2.client.resource.OAuth2ProtectedResourceDetails;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.AnyRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.util.CollectionUtils;
import org.springframework.util.StringUtils;
import org.springframework.web.cors.CorsUtils;

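/**
 * Builds the URL-to-access-rule map consulted by
 * {@link GtmapFilterInvocationSecurityMetadataSource} and refreshes it once a minute from the
 * {@code account} service.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>The rule set is fetched over plain {@code http://} from an instance picked out of the
 *       discovery client, and this class does not authenticate the response. Whoever can answer
 *       that request decides which URLs are {@code permitAll}.</li>
 *   <li>Authority, scope and IP values from that response are embedded in security expressions;
 *       they are quoted by {@link #spelArguments(String...)} so a value cannot terminate the
 *       string literal it is placed in.</li>
 *   <li>If the {@code authenticated} authority is configured as {@code false}, remote
 *       {@code HAS_AUTHENTICATED} and {@code DENY} rules are ignored and the fallback rule for
 *       the default route is {@code permitAll}.</li>
 *   <li>After the first initialisation, an empty or failed refresh keeps whatever map is
 *       installed at that point, so rule changes are not picked up while the {@code account}
 *       service cannot be reached.</li>
 * </ul>
 */
@Configuration
/* loaded from: input_file:BOOT-INF/lib/gtmap-security-cloud-app-starter-1.2.21.jar:cn/gtmap/gtc/starter/gscas/config/InitSecurityCfgThreadConfig.class */
public class InitSecurityCfgThreadConfig {
    private static final RequestMatcher ANY_REQUEST = AnyRequestMatcher.INSTANCE;
    // 0 until the local fallback map has been installed once, 1 afterwards.
    private static int start = 0;
    final String clientId;
    final DiscoveryClient discoveryClient;
    protected final Log logger = LogFactory.getLog(InitSecurityCfgThreadConfig.class);

    /**
     * Reads the local {@code authenticated} switch and installs the fallback rule map.
     *
     * @param oAuth2ProtectedResourceDetails supplies the OAuth2 client id sent to the account service
     * @param discoveryClient used to locate instances of the {@code account} service
     * @param appSecurity local security properties; only the {@code authenticated} authority is read here
     */
    public InitSecurityCfgThreadConfig(OAuth2ProtectedResourceDetails oAuth2ProtectedResourceDetails, DiscoveryClient discoveryClient, AppSecurity appSecurity) {
        this.discoveryClient = discoveryClient;
        this.clientId = oAuth2ProtectedResourceDetails.getClientId();
        Map<String, String[]> authorities = appSecurity.getAuthorities();
        if (authorities != null) {
            for (Map.Entry<String, String[]> entry : authorities.entrySet()) {
                String[] values = entry.getValue();
                // A missing or empty value array is ignored instead of aborting context start-up;
                // authentication is only switched off by an explicit "false".
                boolean disabled = values != null && values.length > 0 && "false".equals(values[0]);
                if ("authenticated".equalsIgnoreCase(entry.getKey()) && disabled) {
                    GtmapFilterInvocationSecurityMetadataSource.localAuthenticated = false;
                    break;
                }
            }
        }
        saveRequestMap(null);
    }

    /**
     * Refreshes the rule map from the {@code account} service; runs at second 0 of every minute.
     *
     * <p>Any failure is logged at WARN and handled like an empty response (see
     * {@link #saveRequestMap(Map)}).
     */
    @Scheduled(cron = "0 */1 * * * ?")
    @SuppressWarnings({"rawtypes", "unchecked"})
    public void accessInit() {
        try {
            List<ServiceInstance> instances = this.discoveryClient.getInstances("account");
            if (CollectionUtils.isEmpty(instances)) {
                saveRequestMap(null);
                return;
            }
            // Random pick spreads the polling over the registered instances; it is not a security control.
            ServiceInstance target = instances.get(new Random().nextInt(instances.size()));
            // NOTE(review): plaintext HTTP to a discovery-resolved host, and nothing in this class
            // authenticates the response. The response defines authorization rules, so the
            // transport and the service registry are part of the trust boundary - confirm they
            // are protected (TLS or a network restricted to trusted services).
            String endpoint = "http://" + target.getHost() + ":" + target.getPort() + "/account/auth/client/access/config";
            // Kept as a raw HashMap so overload resolution on HttpUtils.get is unchanged.
            HashMap query = new HashMap();
            query.put("clientId", this.clientId);
            String response = HttpUtils.get(endpoint, query, null);
            if (this.logger.isDebugEnabled()) {
                this.logger.debug("clientUrlConfig: " + response);
            }
            List<SecurityMetaUrlSource> sources = JSON.parseArray(response, SecurityMetaUrlSource.class);
            if (CollectionUtils.isEmpty(sources)) {
                saveRequestMap(null);
                return;
            }
            // Insertion order is preserved by LinkedHashMap.
            // presumably the metadata source applies the first matching entry - confirm there.
            LinkedHashMap requestMap = new LinkedHashMap();
            // CORS pre-flight requests carry no credentials, so they are always let through.
            requestMap.put((RequestMatcher) CorsUtils::isPreFlightRequest, SecurityUrlConfig.createList(null, "permitAll"));
            for (SecurityMetaUrlSource source : sources) {
                try {
                    addRule(requestMap, source);
                } catch (Exception e) {
                    // NOTE(review): the rule is dropped and the remaining ones are still
                    // installed. If the dropped rule was restrictive, its URL is then governed by
                    // whatever other entry matches, or by none - consider discarding the whole
                    // refresh instead so a malformed entry cannot loosen access.
                    this.logger.warn("build PathRequestMatcher error:", e);
                }
            }
            saveRequestMap(requestMap);
        } catch (Exception e2) {
            this.logger.warn("AccessInitRunnable", e2);
            saveRequestMap(null);
        }
    }

    /**
     * Translates one remote rule into a matcher/attribute pair and appends it to {@code requestMap}.
     *
     * <p>{@code UNLIMITED}, {@code HAS_AUTHENTICATED} and {@code DENY} match every HTTP method;
     * the other types use the method given by the rule. Unknown types add nothing.
     */
    @SuppressWarnings({"rawtypes", "unchecked"})
    private void addRule(Map requestMap, SecurityMetaUrlSource source) {
        if ("UNLIMITED".equals(source.getType())) {
            requestMap.put(new AntPathRequestMatcher(source.getUrl(), null), SecurityUrlConfig.createList(source.getDatas(), "permitAll"));
        } else if ("HAS_SCOPE".equals(source.getType())) {
            requestMap.put(new AntPathRequestMatcher(source.getUrl(), source.getMethod()), SecurityUrlConfig.createList(source.getDatas(), hasAnyScope(authoritiesOf(source))));
        } else if ("HAS_ROLE".equals(source.getType()) || "HAS_ORG".equals(source.getType())) {
            requestMap.put(new AntPathRequestMatcher(source.getUrl(), source.getMethod()), SecurityUrlConfig.createList(source.getDatas(), hasAnyAuthority(authoritiesOf(source))));
        } else if ("HAS_IP".equals(source.getType())) {
            requestMap.put(new AntPathRequestMatcher(source.getUrl(), source.getMethod()), SecurityUrlConfig.createList(source.getDatas(), hasAnyIpAddress(authoritiesOf(source))));
        } else if ("HAS_AUTHENTICATED".equals(source.getType())) {
            // Ignored when authentication has been switched off locally.
            if (GtmapFilterInvocationSecurityMetadataSource.localAuthenticated) {
                requestMap.put(new AntPathRequestMatcher(source.getUrl(), null), SecurityUrlConfig.createList(source.getDatas(), "authenticated"));
            }
        } else if ("DENY".equals(source.getType()) && GtmapFilterInvocationSecurityMetadataSource.localAuthenticated) {
            // NOTE(review): DENY rules are also dropped when authentication is switched off
            // locally - confirm that is intended.
            requestMap.put(new AntPathRequestMatcher(source.getUrl(), null), SecurityUrlConfig.createList(source.getDatas(), "denyAll"));
        }
    }

    /** Returns the rule's authorities as an array; throws if the rule carries none (null). */
    private static String[] authoritiesOf(SecurityMetaUrlSource source) {
        return (String[]) source.getAuthorities().toArray(new String[0]);
    }

    /**
     * Installs {@code map} when it is non-empty; otherwise installs the local fallback map, but
     * only the first time this happens.
     *
     * <p>The fallback permits CORS pre-flight requests, requires authentication for every
     * locally configured scope pattern, and ends with a rule for the Zuul default route:
     * {@code authenticated} normally, {@code permitAll} when authentication is switched off.
     *
     * @param map rule map built from the remote configuration, or {@code null}/empty if none is available
     */
    @SuppressWarnings({"rawtypes", "unchecked"})
    private void saveRequestMap(Map<RequestMatcher, Collection<ConfigAttribute>> map) {
        if (!CollectionUtils.isEmpty(map)) {
            GtmapFilterInvocationSecurityMetadataSource.setRequestMap(map);
            return;
        }
        if (start != 0) {
            // Fallback already installed once: keep whatever map is currently active.
            return;
        }
        LinkedHashMap fallback = new LinkedHashMap();
        fallback.put((RequestMatcher) CorsUtils::isPreFlightRequest, SecurityUrlConfig.createList(null, "permitAll"));
        if (GtmapFilterInvocationSecurityMetadataSource.localScopes != null) {
            for (String pattern : GtmapFilterInvocationSecurityMetadataSource.localScopes) {
                fallback.put(new AntPathRequestMatcher(pattern, null), SecurityUrlConfig.createList(null, "authenticated"));
            }
        }
        String defaultAccess = GtmapFilterInvocationSecurityMetadataSource.localAuthenticated ? "authenticated" : "permitAll";
        fallback.put(new AntPathRequestMatcher(DiscoveryClientRouteLocator.DEFAULT_ROUTE, null), SecurityUrlConfig.createList(null, defaultAccess));
        GtmapFilterInvocationSecurityMetadataSource.setRequestMap(fallback);
        start = 1;
        this.logger.warn("init security config settings!!!");
    }

    /** Builds {@code hasAnyAuthority('a','b',...)} from the given values. */
    private static String hasAnyAuthority(String... strArr) {
        return "hasAnyAuthority(" + spelArguments(strArr) + ")";
    }

    /** Builds {@code #oauth2.hasAnyScope('a','b',...)} from the given values. */
    private static String hasAnyScope(String... strArr) {
        return "#oauth2.hasAnyScope(" + spelArguments(strArr) + ")";
    }

    /** Builds {@code hasAnyIpAddress('a','b',...)} from the given values. */
    private static String hasAnyIpAddress(String... strArr) {
        return "hasAnyIpAddress(" + spelArguments(strArr) + ")";
    }

    /**
     * Renders the values as a comma-separated list of single-quoted SpEL string literals.
     *
     * <p>The values come from the remote configuration, so each single quote is doubled (the
     * SpEL escape for a quote inside a string literal). Without that, a value containing a quote
     * would end the literal early and the rest of it would be evaluated as expression code.
     * A {@code null} or empty array yields {@code ''}; a {@code null} element yields {@code 'null'}.
     */
    private static String spelArguments(String... values) {
        StringBuilder sb = new StringBuilder("'");
        if (values != null) {
            for (int i = 0; i < values.length; i++) {
                if (i > 0) {
                    sb.append("','");
                }
                sb.append(String.valueOf(values[i]).replace("'", "''"));
            }
        }
        return sb.append("'").toString();
    }
}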
