package tech.corefinance.common.aop;

import jakarta.servlet.http.HttpServletRequest;
import java.lang.annotation.Annotation;
import java.lang.invoke.MethodHandles;
import java.lang.invoke.MethodType;
import java.lang.reflect.Method;
import java.lang.reflect.Proxy;
import java.lang.runtime.ObjectMethods;
import java.util.Collection;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import org.aspectj.lang.ProceedingJoinPoint;
import org.aspectj.lang.annotation.Around;
import org.aspectj.lang.annotation.Aspect;
import org.aspectj.lang.reflect.MethodSignature;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.data.domain.Sort;
import org.springframework.data.util.Pair;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.web.util.matcher.RegexRequestMatcher;
import org.springframework.stereotype.Component;
import org.springframework.util.StringUtils;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.method.HandlerMethod;
import org.springframework.web.servlet.mvc.method.RequestMappingInfo;
import org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping;
import tech.corefinance.common.annotation.ControllerManagedResource;
import tech.corefinance.common.annotation.PermissionAction;
import tech.corefinance.common.annotation.PermissionResource;
import tech.corefinance.common.context.JwtContext;
import tech.corefinance.common.dto.JwtTokenDto;
import tech.corefinance.common.dto.UserRoleDto;
import tech.corefinance.common.enums.AccessControl;
import tech.corefinance.common.model.Permission;
import tech.corefinance.common.repository.PermissionRepository;
import tech.corefinance.common.service.InternalApiVerify;
import tech.corefinance.common.service.ResourceOwnerVerifier;
import tech.corefinance.common.util.CoreFinanceUtil;

@Aspect
@ConditionalOnProperty(prefix = "tech.corefinance.security", name = {"authorize-check"}, havingValue = "true", matchIfMissing = true)
@Component
/* loaded from: input_file:tech/corefinance/common/aop/ApiAuthorizationCheck.class */
public class ApiAuthorizationCheck {
    private static final Logger log = LoggerFactory.getLogger(ApiAuthorizationCheck.class);
    private static final String EXECUTION_EXCLUDED = "!@annotation(tech.corefinance.common.annotation.ManualPermissionCheck)";

    @Autowired
    private HttpServletRequest request;

    @Autowired
    private List<RequestMappingHandlerMapping> handlerMappings;

    @Autowired
    private CoreFinanceUtil coreFinanceUtil;

    @Autowired
    private PermissionRepository permissionRepository;

    @Autowired(required = false)
    private List<ResourceOwnerVerifier> resourceOwnerVerifiers;

    @Autowired(required = false)
    private List<InternalApiVerify> internalApiVerifiers;

    @Value("${tech.corefinance.security.permission.default-control}")
    private AccessControl permissionDefaultControl;

    @Value("${tech.corefinance.security.exclude-classes-authorize-check:}")
    private List<String> excludeClasses;

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:tech/corefinance/common/aop/ApiAuthorizationCheck$ResourceInfoPair.class */
    public static final class ResourceInfoPair extends Record {
        private final String resourceType;
        private final Object resourceId;

        ResourceInfoPair(String str, Object obj) {
            this.resourceType = str;
            this.resourceId = obj;
        }

        @Override // java.lang.Record
        public final String toString() {
            return (String) ObjectMethods.bootstrap(MethodHandles.lookup(), "toString", MethodType.methodType(String.class, ResourceInfoPair.class), ResourceInfoPair.class, "resourceType;resourceId", "FIELD:Ltech/corefinance/common/aop/ApiAuthorizationCheck$ResourceInfoPair;->resourceType:Ljava/lang/String;", "FIELD:Ltech/corefinance/common/aop/ApiAuthorizationCheck$ResourceInfoPair;->resourceId:Ljava/lang/Object;").dynamicInvoker().invoke(this) /* invoke-custom */;
        }

        @Override // java.lang.Record
        public final int hashCode() {
            return (int) ObjectMethods.bootstrap(MethodHandles.lookup(), "hashCode", MethodType.methodType(Integer.TYPE, ResourceInfoPair.class), ResourceInfoPair.class, "resourceType;resourceId", "FIELD:Ltech/corefinance/common/aop/ApiAuthorizationCheck$ResourceInfoPair;->resourceType:Ljava/lang/String;", "FIELD:Ltech/corefinance/common/aop/ApiAuthorizationCheck$ResourceInfoPair;->resourceId:Ljava/lang/Object;").dynamicInvoker().invoke(this) /* invoke-custom */;
        }

        @Override // java.lang.Record
        public final boolean equals(Object obj) {
            return (boolean) ObjectMethods.bootstrap(MethodHandles.lookup(), "equals", MethodType.methodType(Boolean.TYPE, ResourceInfoPair.class, Object.class), ResourceInfoPair.class, "resourceType;resourceId", "FIELD:Ltech/corefinance/common/aop/ApiAuthorizationCheck$ResourceInfoPair;->resourceType:Ljava/lang/String;", "FIELD:Ltech/corefinance/common/aop/ApiAuthorizationCheck$ResourceInfoPair;->resourceId:Ljava/lang/Object;").dynamicInvoker().invoke(this, obj) /* invoke-custom */;
        }

        public String resourceType() {
            return this.resourceType;
        }

        public Object resourceId() {
            return this.resourceId;
        }
    }

    @Around("@annotation(org.springframework.web.bind.annotation.GetMapping) && !@annotation(tech.corefinance.common.annotation.ManualPermissionCheck)")
    public Object verifyGetRequest(ProceedingJoinPoint proceedingJoinPoint) throws Throwable {
        return verifyRequest(proceedingJoinPoint, RequestMethod.GET);
    }

    @Around("@annotation(org.springframework.web.bind.annotation.PostMapping) && !@annotation(tech.corefinance.common.annotation.ManualPermissionCheck)")
    public Object verifyPostRequest(ProceedingJoinPoint proceedingJoinPoint) throws Throwable {
        return verifyRequest(proceedingJoinPoint, RequestMethod.POST);
    }

    @Around("@annotation(org.springframework.web.bind.annotation.PutMapping) && !@annotation(tech.corefinance.common.annotation.ManualPermissionCheck)")
    public Object verifyPutRequest(ProceedingJoinPoint proceedingJoinPoint) throws Throwable {
        return verifyRequest(proceedingJoinPoint, RequestMethod.PUT);
    }

    @Around("@annotation(org.springframework.web.bind.annotation.PatchMapping) && !@annotation(tech.corefinance.common.annotation.ManualPermissionCheck)")
    public Object verifyPatchRequest(ProceedingJoinPoint proceedingJoinPoint) throws Throwable {
        return verifyRequest(proceedingJoinPoint, RequestMethod.PATCH);
    }

    @Around("@annotation(org.springframework.web.bind.annotation.DeleteMapping) && !@annotation(tech.corefinance.common.annotation.ManualPermissionCheck)")
    public Object verifyDeleteRequest(ProceedingJoinPoint proceedingJoinPoint) throws Throwable {
        return verifyRequest(proceedingJoinPoint, RequestMethod.DELETE);
    }

    @Around("@annotation(org.springframework.web.bind.annotation.RequestMapping) && !@annotation(tech.corefinance.common.annotation.ManualPermissionCheck)")
    public Object verifyGenericRequest(ProceedingJoinPoint proceedingJoinPoint) throws Throwable {
        return verifyRequest(proceedingJoinPoint, RequestMethod.valueOf(this.request.getMethod()));
    }

    public Object verifyRequest(ProceedingJoinPoint proceedingJoinPoint, RequestMethod requestMethod) throws Throwable {
        Object unProxy;
        JwtTokenDto jwt = JwtContext.getInstance().getJwt();
        if (jwt != null) {
            Object target = proceedingJoinPoint.getTarget();
            Class<?> cls = target.getClass();
            String name = cls.getName();
            MethodSignature signature = proceedingJoinPoint.getSignature();
            Method method = signature.getMethod();
            log.debug("Controller class [{}]", cls);
            if (Proxy.isProxyClass(cls) && (unProxy = this.coreFinanceUtil.unProxy(target)) != null) {
                cls = unProxy.getClass();
                log.debug("UnProxy target class [{}]", cls);
                log.debug("Checking with ignored list {}", this.excludeClasses);
                if (this.coreFinanceUtil.isMatchedInstanceType(unProxy, this.excludeClasses)) {
                    log.debug("Excluded for [{}]", unProxy);
                    return proceedingJoinPoint.proceed();
                }
            }
            log.debug("Verifying method [{}#{}]", name, signature.getName());
            Map.Entry<RequestMappingInfo, HandlerMethod> resolveHandlerInfo = resolveHandlerInfo(method);
            if (resolveHandlerInfo == null) {
                log.error("This error should not happen. If it happens, please check AOP condition.");
                throw new IllegalStateException("unknown_method_handler");
            }
            String resolveUrl = resolveUrl(resolveHandlerInfo, this.request);
            log.debug("Resolved URL [{}] for request URI [{}]", resolveUrl, this.request.getRequestURI());
            PermissionAction permissionAction = (PermissionAction) method.getAnnotation(PermissionAction.class);
            String resolveResourceAction = this.coreFinanceUtil.resolveResourceAction(permissionAction, resolveHandlerInfo.getKey());
            String resolveResourceType = this.coreFinanceUtil.resolveResourceType(permissionAction, (ControllerManagedResource) cls.getAnnotation(ControllerManagedResource.class));
            Collection<UserRoleDto> userRoles = jwt.getUserRoles();
            boolean z = false;
            boolean z2 = false;
            Iterator<UserRoleDto> it = userRoles.iterator();
            while (true) {
                if (!it.hasNext()) {
                    break;
                }
                if ("SystemAdmin".equalsIgnoreCase(it.next().getRoleId())) {
                    z2 = true;
                    break;
                }
            }
            if (!z2) {
                boolean z3 = true;
                if (this.internalApiVerifiers != null) {
                    Iterator<InternalApiVerify> it2 = this.internalApiVerifiers.iterator();
                    while (true) {
                        if (!it2.hasNext()) {
                            break;
                        }
                        if (!it2.next().internalPermissionCheck(cls, method, this.request)) {
                            z3 = false;
                            break;
                        }
                    }
                }
                if (z3) {
                    Iterator<UserRoleDto> it3 = userRoles.iterator();
                    while (it3.hasNext()) {
                        if (verifyRole(jwt, it3.next(), resolveResourceAction, resolveUrl, requestMethod, resolveResourceType, proceedingJoinPoint)) {
                            z = true;
                        }
                    }
                }
                if (!z && AccessControl.ALLOWED != this.permissionDefaultControl) {
                    throw new AccessDeniedException("no_permission_config");
                }
            }
        }
        return proceedingJoinPoint.proceed();
    }

    private Map.Entry<RequestMappingInfo, HandlerMethod> resolveHandlerInfo(Method method) {
        Iterator<RequestMappingHandlerMapping> it = this.handlerMappings.iterator();
        while (it.hasNext()) {
            for (Map.Entry<RequestMappingInfo, HandlerMethod> entry : it.next().getHandlerMethods().entrySet()) {
                if (method.equals(entry.getValue().getMethod())) {
                    return entry;
                }
            }
        }
        return null;
    }

    private String resolveUrl(Map.Entry<RequestMappingInfo, HandlerMethod> entry, HttpServletRequest httpServletRequest) {
        String str = null;
        Iterator<Pair<String, String>> it = this.coreFinanceUtil.buildUrlPair(entry.getKey().getPatternValues()).iterator();
        while (true) {
            if (!it.hasNext()) {
                break;
            }
            Pair<String, String> next = it.next();
            if (RegexRequestMatcher.regexMatcher((String) next.getSecond()).matches(httpServletRequest)) {
                str = (String) next.getSecond();
                break;
            }
            if (str == null) {
                str = (String) next.getSecond();
            }
        }
        return str;
    }

    private boolean verifyRole(JwtTokenDto jwtTokenDto, UserRoleDto userRoleDto, String str, String str2, RequestMethod requestMethod, String str3, ProceedingJoinPoint proceedingJoinPoint) {
        boolean z = false;
        for (Permission permission : this.permissionRepository.findAllByRoleIdAndResourceType(userRoleDto.getRoleId(), str3, Sort.by(new Sort.Order[]{new Sort.Order(Sort.Direction.ASC, "action"), new Sort.Order(Sort.Direction.ASC, "url")}))) {
            boolean z2 = Permission.ANY_ROLE_APPLIED_VALUE.equalsIgnoreCase(permission.getAction()) || str.equalsIgnoreCase(permission.getAction());
            boolean z3 = Permission.ANY_ROLE_APPLIED_VALUE.equalsIgnoreCase(permission.getUrl()) || str2.equalsIgnoreCase(permission.getUrl());
            boolean z4 = permission.getRequestMethod() == null || permission.getRequestMethod() == requestMethod;
            if (z2 && z3 && z4) {
                z = true;
                checkPermissionControl(jwtTokenDto, permission, proceedingJoinPoint, userRoleDto);
            }
        }
        return z;
    }

    private ResourceInfoPair resolveResourceId(ProceedingJoinPoint proceedingJoinPoint) {
        Annotation[][] parameterAnnotations = proceedingJoinPoint.getSignature().getMethod().getParameterAnnotations();
        log.debug("ANN [{}]", new Object[]{parameterAnnotations});
        PermissionResource permissionResource = null;
        Object obj = null;
        int i = 0;
        loop0: while (true) {
            if (i >= parameterAnnotations.length) {
                break;
            }
            for (Annotation annotation : parameterAnnotations[i]) {
                if (PermissionResource.class.isAssignableFrom(annotation.annotationType())) {
                    permissionResource = (PermissionResource) annotation;
                    obj = proceedingJoinPoint.getArgs()[i];
                    break loop0;
                }
            }
            i++;
        }
        if (permissionResource == null) {
            throw new AccessDeniedException("no_resource_id_to_verify_permission");
        }
        return !StringUtils.hasText(permissionResource.idPath()) ? new ResourceInfoPair(permissionResource.resourceType(), obj) : obj == null ? new ResourceInfoPair(permissionResource.resourceType(), null) : new ResourceInfoPair(permissionResource.resourceType(), this.coreFinanceUtil.getDeepAttributeValue(obj, permissionResource.idPath()));
    }

    private boolean checkResourceOwnership(JwtTokenDto jwtTokenDto, String str, Object obj, Permission permission, UserRoleDto userRoleDto) {
        boolean z = false;
        Iterator<ResourceOwnerVerifier> it = this.resourceOwnerVerifiers.iterator();
        while (true) {
            if (!it.hasNext()) {
                break;
            }
            ResourceOwnerVerifier next = it.next();
            if (next.isSupportedResource(str)) {
                z = next.verifyOwner(jwtTokenDto, str, obj, permission, userRoleDto);
                break;
            }
        }
        return z;
    }

    private void checkPermissionControl(JwtTokenDto jwtTokenDto, Permission permission, ProceedingJoinPoint proceedingJoinPoint, UserRoleDto userRoleDto) {
        switch (permission.getControl()) {
            case DENIED:
                throw new AccessDeniedException("access_denied_" + permission.getId());
            case ALLOWED_SPECIFIC_RESOURCES:
                ResourceInfoPair resolveResourceId = resolveResourceId(proceedingJoinPoint);
                if (!checkResourceOwnership(jwtTokenDto, resolveResourceId.resourceType, resolveResourceId.resourceId, permission, userRoleDto)) {
                    throw new AccessDeniedException("access_denied_" + permission.getId());
                }
                return;
            case DENIED_SPECIFIC_RESOURCES:
                ResourceInfoPair resolveResourceId2 = resolveResourceId(proceedingJoinPoint);
                if (checkResourceOwnership(jwtTokenDto, resolveResourceId2.resourceType, resolveResourceId2.resourceId, permission, userRoleDto)) {
                    throw new AccessDeniedException("access_denied_" + permission.getId());
                }
                return;
            default:
                return;
        }
    }
}
