package org.beangle.security.blueprint.function.service.internal;

import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import org.beangle.commons.bean.Initializing;
import org.beangle.commons.collection.CollectUtils;
import org.beangle.commons.dao.impl.BaseServiceImpl;
import org.beangle.commons.lang.Assert;
import org.beangle.commons.web.util.RequestUtils;
import org.beangle.security.access.AuthorityManager;
import org.beangle.security.auth.AnonymousAuthentication;
import org.beangle.security.blueprint.SecurityUtils;
import org.beangle.security.blueprint.function.FuncResource;
import org.beangle.security.blueprint.function.service.FuncPermissionService;
import org.beangle.security.blueprint.service.UserService;
import org.beangle.security.core.Authentication;
import org.beangle.security.core.GrantedAuthority;
import org.beangle.security.core.session.category.CategoryPrincipal;
import org.beangle.security.core.userdetail.UserDetail;
import org.beangle.security.web.AuthenticationEntryPoint;
import org.beangle.security.web.FilterInvocation;
import org.beangle.security.web.auth.UrlEntryPoint;

/* loaded from: input_file:org/beangle/security/blueprint/function/service/internal/CacheableAuthorityManager.class */
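/**
 * {@link AuthorityManager} that answers access decisions from in-memory caches of resource names.
 *
 * <p>{@link #isAuthorized} consults three caches: the public resource names, the protected resource
 * names, and a per-role map of permitted resource names that is filled lazily on first use.
 *
 * <p>Cache lifetime: {@link #refreshCache()} reloads only the public and protected sets. An entry in
 * {@code authorities} is replaced only by {@link #refreshRolePermissions}, so a permission removed
 * from a role stays effective here until that method is called for the role.
 *
 * <p>NOTE(review): {@code isAuthorized} can write to {@code authorities} and no synchronization is
 * visible in this class; confirm how concurrent requests and cache refreshes are serialized.
 */
public class CacheableAuthorityManager extends BaseServiceImpl implements AuthorityManager, Initializing {
    // Entry point whose login URL is added to the public resources by refreshCache().
    protected AuthenticationEntryPoint authenticationEntryPoint;
    // Per-role cache: authority -> resource names that role may access.
    protected Map<GrantedAuthority, Set<?>> authorities = CollectUtils.newHashMap();
    // Resource names granted to every caller, including anonymous ones.
    protected Set<String> publicResources;
    // Resource names granted to every non-anonymous caller.
    protected Set<?> protectedResources;
    protected FuncPermissionService permissionService;
    private UserService userService;

    /**
     * Decides whether {@code authentication} may access the resource described by {@code obj}.
     *
     * <p>Checks run in this order, first match wins: public resource (allow), anonymous caller
     * (deny), protected resource (allow), any granted role that lists the resource (allow), and
     * finally a root-user check through {@code userService}.
     *
     * <p>The resolved resource name is stored through {@code SecurityUtils.setResource} before the
     * decision is made, so it is recorded for denied requests as well.
     *
     * @param authentication the caller; {@code null} is denied
     * @param obj a {@link FilterInvocation} (the resource is extracted from its servlet path) or any
     *     other object whose {@code toString()} is the resource name; {@code null} is denied
     * @return {@code true} when access is granted
     */
    public boolean isAuthorized(Authentication authentication, Object obj) {
        // Fail closed: a missing resource object used to end in a NullPointerException on
        // obj.toString(); an authorization check should answer "no" instead.
        if (null == authentication || null == obj) {
            return false;
        }
        String resourceName;
        if (obj instanceof FilterInvocation) {
            resourceName = this.permissionService.extractResource(
                    RequestUtils.getServletPath(((FilterInvocation) obj).getHttpRequest()));
        } else {
            resourceName = obj.toString();
        }
        SecurityUtils.setResource(resourceName);

        // Public resources are open to everyone, so this test comes before the anonymous check.
        if (this.publicResources.contains(resourceName)) {
            return true;
        }
        if (authentication instanceof AnonymousAuthentication) {
            return false;
        }
        // Protected resources need an authenticated caller but no specific role.
        if (this.protectedResources.contains(resourceName)) {
            return true;
        }
        for (Object authority : authentication.getAuthorities()) {
            if (isAuthorizedByRole((GrantedAuthority) authority, resourceName)) {
                return true;
            }
        }

        // Root bypass. The principal is cast to UserDetail below, so require that type as well and
        // deny on a mismatch rather than fail with a ClassCastException.
        Object principal = authentication.getPrincipal();
        if (!(principal instanceof CategoryPrincipal) || !(principal instanceof UserDetail)) {
            return false;
        }
        // NOTE(review): init() does not check userService; if it was never injected this call
        // throws NullPointerException.
        return this.userService.isRoot(((UserDetail) principal).getUsername());
    }

    /**
     * Tests one role against the per-role cache, loading the role's permissions on a cache miss.
     *
     * @return {@code true} when the role's resource set contains {@code obj}; a missing set is
     *     treated as "no permissions"
     */
    private boolean isAuthorizedByRole(GrantedAuthority grantedAuthority, Object obj) {
        Set<?> permitted = this.authorities.get(grantedAuthority);
        if (null == permitted) {
            permitted = refreshRolePermissions(grantedAuthority);
        }
        // Fail closed when the permission service hands back no set at all.
        return null != permitted && permitted.contains(obj);
    }

    /**
     * Reloads the resource names permitted to one role and replaces that role's cache entry.
     *
     * <p>This is the only place in this class where a per-role entry is updated.
     *
     * @param grantedAuthority the role; its {@code getAuthority()} value is cast to {@code Integer},
     *     so an authority of any other type fails with a {@code ClassCastException}
     * @return the set returned by the permission service, now cached for this role
     */
    public Set<?> refreshRolePermissions(GrantedAuthority grantedAuthority) {
        Set<String> resourceNamesByRole = this.permissionService.getResourceNamesByRole((Integer) grantedAuthority.getAuthority());
        this.authorities.put(grantedAuthority, resourceNamesByRole);
        this.logger.debug("Refresh role:{}'s permissions:{}", grantedAuthority, resourceNamesByRole);
        return resourceNamesByRole;
    }

    /**
     * Reloads the public and protected resource sets from the permission service.
     *
     * <p>When the entry point is a {@link UrlEntryPoint}, the resource extracted from its login URL
     * is added to the public set. The per-role cache is left untouched.
     */
    public void refreshCache() {
        this.publicResources = this.permissionService.getResourceNamesByScope(FuncResource.Scope.Public);
        // instanceof is false for null, so no separate null test is needed.
        if (this.authenticationEntryPoint instanceof UrlEntryPoint) {
            String loginResource = this.permissionService.extractResource(this.authenticationEntryPoint.getLoginUrl());
            if (null != loginResource) {
                // NOTE(review): this adds to the set returned by the permission service; it has to
                // be mutable and should not be shared with other callers — confirm.
                this.publicResources.add(loginResource);
            }
        }
        this.protectedResources = this.permissionService.getResourceNamesByScope(FuncResource.Scope.Protected);
    }

    /**
     * Verifies that the permission service is present and loads the public and protected sets.
     *
     * @throws Exception declared by the signature; the visible body raises only what
     *     {@code Assert.notNull} and {@link #refreshCache()} raise
     */
    public void init() throws Exception {
        // The message text says "authorityService", but the field checked is permissionService.
        Assert.notNull(this.permissionService, "authorityService cannot be null", new Object[0]);
        refreshCache();
    }

    /** Sets the service that supplies resource names and extracts a resource from a path. */
    public void setPermissionService(FuncPermissionService funcPermissionService) {
        this.permissionService = funcPermissionService;
    }

    /** Sets the entry point whose login URL refreshCache() adds to the public resources. */
    public void setAuthenticationEntryPoint(AuthenticationEntryPoint authenticationEntryPoint) {
        this.authenticationEntryPoint = authenticationEntryPoint;
    }

    /** Sets the service used for the root-user check at the end of isAuthorized. */
    public void setUserService(UserService userService) {
        this.userService = userService;
    }
}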
