package leap.web.security;

import java.util.Iterator;
import leap.core.annotation.Inject;
import leap.core.annotation.M;
import leap.core.security.Authentication;
import leap.core.security.Authorization;
import leap.core.security.annotation.Ignore;
import leap.core.web.RequestIgnore;
import leap.lang.Assert;
import leap.lang.Strings;
import leap.lang.intercepting.State;
import leap.lang.logging.Log;
import leap.lang.logging.LogFactory;
import leap.web.App;
import leap.web.AppListener;
import leap.web.Request;
import leap.web.RequestInterceptor;
import leap.web.Response;
import leap.web.action.ActionContext;
import leap.web.cors.CorsHandler;
import leap.web.route.Route;
import leap.web.route.RouteProcessor;
import leap.web.security.csrf.CSRF;
import leap.web.security.csrf.CsrfHandler;
import leap.web.security.path.DefaultSecuredPathBuilder;
import leap.web.security.path.MergedSecuredPath;
import leap.web.security.path.SecuredPath;
import leap.web.security.path.SecuredPathBuilder;
import leap.web.security.path.SecuredPathSource;
import leap.web.security.permission.PermissionManager;

/* loaded from: input_file:leap/web/security/SecurityRequestInterceptor.class */
public class SecurityRequestInterceptor implements RequestInterceptor, AppListener, RouteProcessor {
    private static final Log log = LogFactory.get(SecurityRequestInterceptor.class);

    @Inject
    @M
    protected SecurityConfig config;

    @Inject
    @M
    protected SecurityConfigurator configurator;

    @Inject
    @M
    protected PermissionManager perm;

    @Inject
    @M
    protected SecuredPathSource pathSource;

    @Inject
    @M
    protected SecurityHandler handler;

    @Inject
    @M
    protected CsrfHandler csrf;

    @Inject
    @M
    protected CorsHandler cors;

    protected SecuredPathBuilder spb(Route route) {
        SecuredPathBuilder securedPathBuilder = (SecuredPathBuilder) route.getExtension(SecuredPathBuilder.class);
        if (null == securedPathBuilder) {
            securedPathBuilder = new DefaultSecuredPathBuilder(route);
            route.setExtension(SecuredPathBuilder.class, securedPathBuilder);
        }
        return securedPathBuilder;
    }

    public void postAppStart(App app) throws Throwable {
        Iterator it = app.routes().iterator();
        while (it.hasNext()) {
            processRoute((Route) it.next());
        }
    }

    public void processRoute(Route route) {
        Ignore searchAnnotation;
        if (null != route.getAction() && null != (searchAnnotation = route.getAction().searchAnnotation(Ignore.class)) && searchAnnotation.value()) {
            this.configurator.ignore(route.getPathTemplate().getTemplate());
        }
        if (null != route.getAllowAnonymous()) {
            spb(route).setAllowAnonymous(route.getAllowAnonymous());
        }
        if (null != route.getAllowClientOnly()) {
            spb(route).setAllowClientOnly(route.getAllowClientOnly());
        }
        if (null != route.getAllowRememberMe()) {
            spb(route).setAllowRememberMe(route.getAllowRememberMe());
        }
        if (null != route.getPermissions()) {
            spb(route).setPermissions(route.getPermissions());
        }
        if (null != route.getRoles()) {
            spb(route).setRoles(route.getRoles());
        }
        this.config.getPathPrefixFailureHandlers().forEach((str, securityFailureHandler) -> {
            if (Strings.startsWith(route.getPathTemplate().getTemplate(), str)) {
                log.debug("Set failure handler for path prefix '{}'", new Object[]{route.getPathTemplate()});
                spb(route).setFailureHandler(securityFailureHandler);
            }
        });
        SecuredPathBuilder securedPathBuilder = (SecuredPathBuilder) route.removeExtension(SecuredPathBuilder.class);
        if (null != securedPathBuilder) {
            route.setExtension(SecuredPath.class, securedPathBuilder.build());
        }
    }

    public State preHandleRequest(Request request, Response response, ActionContext actionContext) throws Throwable {
        if (!this.config.isEnabled()) {
            log.debug("Web security not enabled, ignore the interceptor");
            return State.CONTINUE;
        }
        if (State.isIntercepted(this.csrf.handleRequest(request, response))) {
            return State.INTERCEPTED;
        }
        if (this.config.isCorsIgnored() && this.cors.isPreflightRequest(request)) {
            return State.CONTINUE;
        }
        for (RequestIgnore requestIgnore : this.config.getIgnores()) {
            if (requestIgnore.matches(request)) {
                return State.CONTINUE;
            }
        }
        DefaultSecurityContextHolder defaultSecurityContextHolder = new DefaultSecurityContextHolder(this.config, this.perm, request, actionContext);
        defaultSecurityContextHolder.setSecuredPath(resolveSecuredPath(request, response, defaultSecurityContextHolder, actionContext.getRoute()));
        return preHandleRequest(request, response, defaultSecurityContextHolder);
    }

    protected State preHandleRequest(Request request, Response response, DefaultSecurityContextHolder defaultSecurityContextHolder) throws Throwable {
        if (this.config.isLoginEnabled() && handleLoginRequest(request, response, defaultSecurityContextHolder)) {
            return State.INTERCEPTED;
        }
        if (this.config.isLogoutEnabled() && handleLogoutRequest(request, response, defaultSecurityContextHolder)) {
            return State.INTERCEPTED;
        }
        State resolveAuthentication = resolveAuthentication(request, response, defaultSecurityContextHolder);
        if (resolveAuthentication.isIntercepted()) {
            return resolveAuthentication;
        }
        if (!defaultSecurityContextHolder.getAuthentication().isAuthenticated()) {
            CSRF.ignore(request);
        }
        return State.CONTINUE;
    }

    public State handleRoute(Request request, Response response, Route route, ActionContext actionContext) throws Throwable {
        return handleSecurity(request, response, route);
    }

    public State handleNoRoute(Request request, Response response) throws Throwable {
        return handleSecurity(request, response, null);
    }

    protected State handleSecurity(Request request, Response response, Route route) throws Throwable {
        DefaultSecurityContextHolder tryGet = DefaultSecurityContextHolder.tryGet(request);
        if (null == tryGet || tryGet.isHandled()) {
            return State.CONTINUE;
        }
        tryGet.markHandled();
        tryGet.setSecuredPath(resolveSecuredPath(request, response, tryGet, route));
        State checkAuthentication = checkAuthentication(request, response, tryGet);
        if (checkAuthentication.isIntercepted()) {
            return checkAuthentication;
        }
        State resolveAuthorization = resolveAuthorization(request, response, tryGet);
        return resolveAuthorization.isIntercepted() ? resolveAuthorization : checkAuthorization(request, response, tryGet);
    }

    protected State resolveAuthentication(Request request, Response response, DefaultSecurityContextHolder defaultSecurityContextHolder) throws Throwable {
        SecurityInterceptor[] interceptors = this.config.getInterceptors();
        for (SecurityInterceptor securityInterceptor : interceptors) {
            if (securityInterceptor.preResolveAuthentication(request, response, defaultSecurityContextHolder).isIntercepted()) {
                log.debug("Intercepted by interceptor : {}", new Object[]{securityInterceptor.getClass()});
                return State.INTERCEPTED;
            }
        }
        Authentication authentication = defaultSecurityContextHolder.getAuthentication();
        if (null == authentication) {
            log.debug("Resolving authentication...");
            authentication = this.handler.resolveAuthentication(request, response, defaultSecurityContextHolder);
            Assert.notNull(authentication, "'Authentication' must not be null");
            defaultSecurityContextHolder.setAuthentication(authentication);
        } else {
            log.debug("Authentication already resolved by interceptor -> {}", new Object[]{authentication});
        }
        if (log.isDebugEnabled()) {
            if (authentication.isAuthenticated()) {
                log.debug("Request authenticated to : {}", new Object[]{authentication});
            } else {
                log.debug("Request not authenticated!");
            }
        }
        request.setAuthentication(authentication);
        request.setUser(authentication.getUser());
        for (SecurityInterceptor securityInterceptor2 : interceptors) {
            if (securityInterceptor2.postResolveAuthentication(request, response, defaultSecurityContextHolder).isIntercepted()) {
                return State.INTERCEPTED;
            }
        }
        return State.CONTINUE;
    }

    protected boolean handleLoginRequest(Request request, Response response, DefaultSecurityContextHolder defaultSecurityContextHolder) throws Throwable {
        return this.handler.handleLoginRequest(request, response, defaultSecurityContextHolder);
    }

    protected boolean handleLogoutRequest(Request request, Response response, DefaultSecurityContextHolder defaultSecurityContextHolder) throws Throwable {
        return this.handler.handleLogoutRequest(request, response, defaultSecurityContextHolder);
    }

    protected SecuredPath resolveSecuredPath(Request request, Response response, DefaultSecurityContextHolder defaultSecurityContextHolder, Route route) throws Throwable {
        for (SecurityInterceptor securityInterceptor : this.config.getInterceptors()) {
            SecuredPath resolveSecuredPath = securityInterceptor.resolveSecuredPath(defaultSecurityContextHolder);
            if (resolveSecuredPath != null) {
                return resolveSecuredPath;
            }
        }
        SecuredPath securedPath = null == route ? null : (SecuredPath) route.getExtension(SecuredPath.class);
        SecuredPath securedPath2 = this.pathSource.getSecuredPath(defaultSecurityContextHolder, request);
        return null == securedPath ? securedPath2 : null == securedPath2 ? securedPath : new MergedSecuredPath(route, securedPath, securedPath2);
    }

    protected State checkAuthentication(Request request, Response response, DefaultSecurityContextHolder defaultSecurityContextHolder) throws Throwable {
        if (this.handler.checkAuthentication(request, response, defaultSecurityContextHolder)) {
            return State.CONTINUE;
        }
        this.handler.handleAuthenticationDenied(request, response, defaultSecurityContextHolder);
        return State.INTERCEPTED;
    }

    protected State resolveAuthorization(Request request, Response response, DefaultSecurityContextHolder defaultSecurityContextHolder) throws Throwable {
        SecurityInterceptor[] interceptors = this.config.getInterceptors();
        for (SecurityInterceptor securityInterceptor : interceptors) {
            if (State.isIntercepted(securityInterceptor.preResolveAuthorization(request, response, defaultSecurityContextHolder))) {
                return State.INTERCEPTED;
            }
        }
        Authorization authorization = defaultSecurityContextHolder.getAuthorization();
        if (null == authorization) {
            log.debug("Resolving authorization...");
            Authorization resolveAuthorization = this.handler.resolveAuthorization(request, response, defaultSecurityContextHolder);
            Assert.notNull(resolveAuthorization, "The authorization must not be null");
            defaultSecurityContextHolder.setAuthorization(resolveAuthorization);
        } else {
            log.debug("Authorization already resolved by interceptor -> {}", new Object[]{authorization});
        }
        for (SecurityInterceptor securityInterceptor2 : interceptors) {
            if (State.isIntercepted(securityInterceptor2.postResolveAuthorization(request, response, defaultSecurityContextHolder))) {
                return State.INTERCEPTED;
            }
        }
        return State.CONTINUE;
    }

    protected State checkAuthorization(Request request, Response response, DefaultSecurityContextHolder defaultSecurityContextHolder) throws Throwable {
        if (this.handler.checkAuthorization(request, response, defaultSecurityContextHolder)) {
            return State.CONTINUE;
        }
        this.handler.handleAuthorizationDenied(request, response, defaultSecurityContextHolder);
        return State.INTERCEPTED;
    }
}
