package act.aaa;

import act.Act;
import act.aaa.AAAConfig;
import act.aaa.AAAPlugin;
import act.app.ActionContext;
import act.app.App;
import act.app.AppClassLoader;
import act.app.AppServiceBase;
import act.app.ProjectLayout;
import act.app.conf.AutoConfig;
import act.conf.ConfLoader;
import act.event.OnceEventListenerBase;
import act.handler.RequestHandler;
import act.handler.builtin.controller.ActionHandlerInvoker;
import act.handler.builtin.controller.Handler;
import act.handler.builtin.controller.RequestHandlerProxy;
import act.handler.builtin.controller.impl.ReflectedHandlerInvoker;
import act.util.SubClassFinder;
import act.view.ActForbidden;
import com.alibaba.fastjson.parser.ParserConfig;
import com.alibaba.fastjson.serializer.SerializeConfig;
import java.io.File;
import java.io.IOException;
import java.lang.annotation.Annotation;
import java.lang.reflect.Method;
import java.net.URL;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.EventObject;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;
import org.osgl.$;
import org.osgl.Osgl;
import org.osgl.aaa.AAA;
import org.osgl.aaa.AAAContext;
import org.osgl.aaa.AAAPersistentService;
import org.osgl.aaa.Auditor;
import org.osgl.aaa.AuthenticationService;
import org.osgl.aaa.AuthorizationService;
import org.osgl.aaa.NoAccessException;
import org.osgl.aaa.NoAuthenticate;
import org.osgl.aaa.NoAuthentication;
import org.osgl.aaa.Permission;
import org.osgl.aaa.Principal;
import org.osgl.aaa.Privilege;
import org.osgl.aaa.RequireAuthenticate;
import org.osgl.aaa.RequireAuthentication;
import org.osgl.aaa.Role;
import org.osgl.aaa.impl.DumbAuditor;
import org.osgl.aaa.impl.SimpleAAAContext;
import org.osgl.aaa.impl.SimpleAuthorizationService;
import org.osgl.aaa.impl.SimplePermission;
import org.osgl.aaa.impl.SimplePrincipal;
import org.osgl.aaa.impl.SimplePrivilege;
import org.osgl.aaa.impl.SimpleRole;
import org.osgl.exception.NotAppliedException;
import org.osgl.http.H;
import org.osgl.mvc.annotation.Catch;
import org.osgl.util.C;
import org.osgl.util.Const;
import org.osgl.util.E;
import org.osgl.util.IO;
import org.osgl.util.S;
import org.yaml.snakeyaml.Yaml;
import osgl.version.Version;

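/**
 * Application service that wires authentication, authorization, persistence and
 * auditing together and decides, per request, whether a handler may run without
 * an authenticated principal.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>The force/waive lists are read from every {@code aaa.authenticate.list}
 *       resource the framework class loader can see, so any jar on the class path
 *       can contribute entries.</li>
 *   <li>If the default AAA context cannot be created, the service marks itself
 *       disabled and {@link #sessionResolved} then performs no checks at all.</li>
 *   <li>ACL YAML is parsed with SnakeYAML's default constructor; see
 *       {@link #loadYamlContent}.</li>
 * </ul>
 *
 * <p>This listing is decompiler output; the {@code JADX INFO} comments record where
 * the decompiler widened an access modifier.
 */
@AutoConfig("aaa")
/* loaded from: input_file:act/aaa/AAAService.class */
public class AAAService extends AppServiceBase<AAAService> {
    // Name of the class path resource holding the force/waive authentication entries.
    private static final String AAA_AUTH_LIST = "aaa.authenticate.list";
    private List<AAAPlugin.Listener> listeners;
    // Per-handler memo of the authentication decision; filled lazily by requireAuthenticate().
    private Set<Object> needsAuthentication;
    private Set<Object> noAuthentication;
    // Entries read from aaa.authenticate.list: "-" prefixed lines waive, all others force.
    private Set<String> waiveAuthenticateList;
    private Set<String> forceAuthenticateList;
    private boolean allowBasicAuthentication;
    // Set when the default context could not be created; disables every check in sessionResolved().
    private boolean disabled;
    private final String sessionKeyUsername;
    private AuthenticationService authenticationService;
    private AuthorizationService authorizationService;
    private AAAPersistentService persistentService;
    private Auditor auditor;
    private OnceEventListenerBase onServiceInitialized;
    public static final Version VERSION = AAAPlugin.VERSION;
    // Default decision for handlers that match neither list.
    private static final Const<Boolean> ALWAYS_AUTHENTICATE = $.constant(true);
    private static final Const<String> ACL_FILE = $.constant("acl.yaml");
    private static final Const<Boolean> ALLOW_SYS_SERVICE_ON_DEV_MODE = $.constant(false);
    // Accepted spellings of the "type" attribute of an ACL entry (case-insensitive).
    private static final Pattern P_PRINCIPAL = Pattern.compile("(principal|prin|pn|account|acc|a)", Pattern.CASE_INSENSITIVE);
    private static final Pattern P_ROLE = Pattern.compile("(role|ro)", Pattern.CASE_INSENSITIVE);
    private static final Pattern P_PRIVILEGE = Pattern.compile("(privilege|priv|pi)", Pattern.CASE_INSENSITIVE);
    private static final Pattern P_PERMISSION = Pattern.compile("(permission|perm|pe)", Pattern.CASE_INSENSITIVE);

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:act/aaa/AAAService$AuthenticationRequirementSensor.class */
    /**
     * Visitor that walks the methods behind a {@link RequestHandlerProxy} and records
     * whether any of them demands an authenticated principal.
     *
     * <p>The walk is cut short with {@code $.breakOut(true)} as soon as one method
     * requires authentication; the caller reads {@link #requireAuthentication} afterwards.
     */
    public class AuthenticationRequirementSensor implements Handler.Visitor, ReflectedHandlerInvoker.ReflectedHandlerInvokerVisitor {
        boolean requireAuthentication;

        private AuthenticationRequirementSensor() {
            this.requireAuthentication = false;
        }

        public ActionHandlerInvoker.Visitor invokerVisitor() {
            return this;
        }

        /**
         * Reports whether the annotation is found on the class or on the method,
         * as resolved by {@code AnnotationUtil.findAnnotation}.
         *
         * @param cls the annotation type to look for
         * @param cls2 the handler class
         * @param method the handler method
         * @return {@code true} when either lookup returns a non-null annotation
         */
        private boolean hasAnnotation(Class<? extends Annotation> cls, Class<?> cls2, Method method) {
            return null != AnnotationUtil.findAnnotation(cls2, cls) || null != AnnotationUtil.findAnnotation(method, cls);
        }

        /**
         * Evaluates one handler method.
         *
         * <p>Order matters: the "require" annotations are tested before the "no
         * authentication" ones, and each test covers both the class and the method.
         * A class carrying {@code @RequireAuthentication} therefore cannot be opened
         * up for a single method with {@code @NoAuthentication}.
         *
         * @param cls the handler class
         * @param method the handler method
         * @return always {@code null}
         * @throws Osgl.Break once authentication is known to be required
         */
        public Void apply(Class<?> cls, Method method) throws NotAppliedException, Osgl.Break {
            // Exception handlers (@Catch) never contribute to the decision.
            if (null != method.getAnnotation(Catch.class)) {
                return null;
            }
            if (hasAnnotation(RequireAuthentication.class, cls, method) || hasAnnotation(RequireAuthenticate.class, cls, method)) {
                this.requireAuthentication = true;
                throw $.breakOut(true);
            }
            if (hasAnnotation(NoAuthentication.class, cls, method) || hasAnnotation(NoAuthenticate.class, cls, method)) {
                return null;
            }
            // No annotation either way: fall back to the force/waive lists keyed by "Class.method".
            this.requireAuthentication = AAAService.this.requireAuthentication(S.builder(cls.getName()).append(".").append(method.getName()).toString());
            if (this.requireAuthentication) {
                throw $.breakOut(true);
            }
            return null;
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Creates the service with a {@link SimpleAuthorizationService} and the
     * {@link DumbAuditor}; authentication and persistence services are installed later
     * through their setters.
     *
     * @param app the owning application
     */
    public AAAService(App app) {
        super(app);
        this.listeners = C.newList();
        this.needsAuthentication = C.newSet();
        this.noAuthentication = C.newSet();
        this.waiveAuthenticateList = C.newSet();
        this.forceAuthenticateList = C.newSet();
        this.allowBasicAuthentication = false;
        this.onServiceInitialized = new OnceEventListenerBase() { // from class: act.aaa.AAAService.1
            public boolean tryHandle(EventObject eventObject) throws Exception {
                // Each of the three "initialized" events lands here; do the real work
                // only once authentication, authorization and persistence are all set.
                if (!AAAService.this.serviceInitialized()) {
                    return true;
                }
                AAAService.this.loadAcl();
                AAAService.this.registerFastJsonConfig();
                AAAService.this.registerDefaultContext();
                return true;
            }
        };
        loadAuthenticateList();
        this.sessionKeyUsername = app.config().sessionKeyUsername();
        this.authorizationService = new SimpleAuthorizationService();
        this.auditor = DumbAuditor.INSTANCE;
        this.allowBasicAuthentication = app.config().basicAuthenticationEnabled();
        postOperations(app);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Creates the service and installs a {@link DefaultPersistentService} backed by the
     * given application-level service.
     *
     * @param app the owning application
     * @param actAAAService the application's AAA service implementation
     */
    public AAAService(App app, ActAAAService actAAAService) {
        this(app);
        persistentService(new DefaultPersistentService(actAAAService));
    }

    /**
     * @return {@code true} once the authentication, authorization and persistence
     *         services are all non-null
     */
    public boolean serviceInitialized() {
        return null != this.authenticationService && null != this.authorizationService && null != this.persistentService;
    }

    /** Registers the one-shot initializer for each of the three service events. */
    private void postOperations(App app) {
        app.eventBus().once(AAAPersistenceServiceInitialized.class, this.onServiceInitialized);
        app.eventBus().once(AuthenticationServiceInitialized.class, this.onServiceInitialized);
        app.eventBus().once(AuthorizationServiceInitialized.class, this.onServiceInitialized);
    }

    /**
     * Reads every {@code aaa.authenticate.list} resource and fills the force and waive
     * sets.
     *
     * <p>Lines starting with {@code #} and blank lines are dropped. A line starting
     * with {@code -} is a waive entry; a line starting with {@code +}, or with no
     * prefix, is a force entry. Force entries are applied after all waive entries and
     * remove an identical waive entry, so on a direct conflict "force" wins regardless
     * of the order in which the resources were found.
     *
     * <p>Security note: {@code ClassLoader.getResources} returns every matching
     * resource visible to the framework class loader, so a dependency jar that ships
     * this file can add waive entries. Audit the class path for unexpected copies.
     */
    private void loadAuthenticateList() {
        ArrayList<String> lines = new ArrayList<String>();
        try {
            Enumeration<URL> resources = Act.class.getClassLoader().getResources(AAA_AUTH_LIST);
            while (resources.hasMoreElements()) {
                lines.addAll(C.listOf(IO.readContentAsString(resources.nextElement().openStream()).split("[\r\n]+")).filter(S.F.startsWith("#").negate()).filter(S.F.IS_BLANK.negate()));
            }
        } catch (IOException e) {
            throw E.ioException(e);
        }
        // Pass 1: collect waive entries.
        for (String line : lines) {
            if (line.startsWith("-")) {
                this.waiveAuthenticateList.add(line.substring(1));
            }
        }
        // Pass 2: collect force entries and let them override an identical waive entry.
        for (String line : lines) {
            if (line.startsWith("-")) {
                continue;
            }
            String entry = line.startsWith("+") ? line.substring(1) : line;
            this.forceAuthenticateList.add(entry);
            this.waiveAuthenticateList.remove(entry);
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /** Loads the ACL files from the project layout in dev mode, from the class path otherwise. */
    public void loadAcl() {
        if (Act.isDev()) {
            devLoadAcl();
        } else {
            prodLoadAcl();
        }
    }

    /**
     * Dev mode: loads the ACL file from the resource directory, then from
     * {@code /conf}, the common configuration directory and the active profile
     * directory, in that order. Missing or unreadable files are skipped by
     * {@link #loadYaml(File)}.
     */
    private void devLoadAcl() {
        String aclFile = (String) ACL_FILE.get();
        File resourceDir = app().layout().resource(app().base());
        loadYaml(ProjectLayout.Utils.file(resourceDir, aclFile));
        File confDir = ProjectLayout.Utils.file(resourceDir, "/conf");
        loadYaml(ProjectLayout.Utils.file(confDir, aclFile));
        loadYaml(ProjectLayout.Utils.file(ProjectLayout.Utils.file(confDir, ConfLoader.common()), aclFile));
        loadYaml(ProjectLayout.Utils.file(ProjectLayout.Utils.file(confDir, Act.profile()), aclFile));
    }

    /**
     * Non-dev mode: loads the ACL file from the application class loader at the root,
     * under {@code conf/}, under the common configuration directory and under the
     * active profile directory, in that order. Absent resources are skipped.
     */
    private void prodLoadAcl() {
        // Resolve the configured file name once so that every lookup uses the same
        // string value, as devLoadAcl() does, instead of formatting the Const holder.
        String aclFile = (String) ACL_FILE.get();
        AppClassLoader classLoader = app().classLoader();
        String[] candidates = {
            aclFile,
            S.fmt("conf/%s", new Object[]{aclFile}),
            S.fmt("conf/%s/%s", new Object[]{ConfLoader.common(), aclFile}),
            S.fmt("conf/%s/%s", new Object[]{app().profile(), aclFile})
        };
        for (String candidate : candidates) {
            URL resource = classLoader.getResource(candidate);
            if (null != resource) {
                loadYaml(resource);
            }
        }
    }

    /** Drops the listeners and the per-handler decision memo; the force/waive lists are kept. */
    protected void releaseResources() {
        this.listeners.clear();
        this.needsAuthentication.clear();
        this.noAuthentication.clear();
    }

    public AAAPersistentService persistentService() {
        return this.persistentService;
    }

    public AuthenticationService authenticationService() {
        return this.authenticationService;
    }

    public AuthorizationService authorizationService() {
        return this.authorizationService;
    }

    public Auditor auditor() {
        return this.auditor;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Installs the persistence service.
     *
     * <p>A {@link DefaultPersistentService} never replaces a service that is already
     * installed. {@link AAAPersistenceServiceInitialized} is triggered only the first
     * time a service is set.
     *
     * @param aAAPersistentService the service to install; passed through {@code $.notNull}
     * @return this service
     */
    public AAAService persistentService(AAAPersistentService aAAPersistentService) {
        boolean firstInstall = null == this.persistentService;
        if (!firstInstall && (aAAPersistentService instanceof DefaultPersistentService)) {
            return this;
        }
        this.persistentService = (AAAPersistentService) $.notNull(aAAPersistentService);
        if (firstInstall) {
            app().eventBus().trigger(new AAAPersistenceServiceInitialized(this), new Object[0]);
        }
        return this;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Installs the authentication service and triggers
     * {@link AuthenticationServiceInitialized} the first time one is set.
     *
     * @param authenticationService the service to install; passed through {@code $.notNull}
     * @return this service
     */
    public AAAService authenticationService(AuthenticationService authenticationService) {
        boolean firstInstall = null == this.authenticationService;
        this.authenticationService = (AuthenticationService) $.notNull(authenticationService);
        if (firstInstall) {
            app().eventBus().trigger(new AuthenticationServiceInitialized(this), new Object[0]);
        }
        return this;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Replaces the authorization service.
     *
     * <p>The event is triggered only when the field was {@code null} beforehand; the
     * constructor already assigns a {@link SimpleAuthorizationService}, so a later
     * replacement through this setter does not fire it.
     *
     * @param authorizationService the service to install; passed through {@code $.notNull}
     * @return this service
     */
    public AAAService authorizationService(AuthorizationService authorizationService) {
        boolean firstInstall = null == this.authorizationService;
        this.authorizationService = (AuthorizationService) $.notNull(authorizationService);
        if (firstInstall) {
            app().eventBus().trigger(new AuthorizationServiceInitialized(this), new Object[0]);
        }
        return this;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Replaces the auditor.
     *
     * <p>The event is triggered only when the field was {@code null} beforehand; the
     * constructor already assigns {@link DumbAuditor#INSTANCE}.
     *
     * @param auditor the auditor to install; passed through {@code $.notNull}
     * @return this service
     */
    public AAAService auditor(Auditor auditor) {
        boolean firstInstall = null == this.auditor;
        this.auditor = (Auditor) $.notNull(auditor);
        if (firstInstall) {
            app().eventBus().trigger(new AuditorInitialized(this), new Object[0]);
        }
        return this;
    }

    /**
     * Per-request entry point: installs a fresh AAA context, resolves the principal
     * and runs the missing-authentication handler when the target handler requires a
     * principal and none was resolved.
     *
     * <p>Security note: when {@code disabled} is set (see
     * {@link #registerDefaultContext}) this method returns immediately, so no context
     * is installed and no authentication check runs. The plugin fails open; monitor
     * for the "AAA plugin disabled" warning in the application log.
     *
     * @param session the resolved session
     * @param actionContext the current request context
     */
    public void sessionResolved(H.Session session, ActionContext actionContext) {
        if (this.disabled) {
            return;
        }
        AAAContext aaaContext = createAAAContext();
        AAA.setContext(aaaContext);
        try {
            ensureAuthenticity(resolvePrincipal(aaaContext, actionContext), actionContext);
        } catch (NoAccessException e) {
            throw ActForbidden.create(e);
        }
    }

    /** @return a new context built from the currently installed services and auditor */
    public AAAContext createAAAContext() {
        return new SimpleAAAContext(this.authenticationService, this.authorizationService, this.persistentService, this.auditor);
    }

    /**
     * Resolves the principal for the request.
     *
     * <p>The user name stored in the session is looked up directly in the persistence
     * service without re-checking credentials, so the result is only as trustworthy as
     * the session itself. HTTP basic credentials are consulted only when the session
     * holds no user name and basic authentication is enabled in the app config.
     *
     * <p>When no principal is found the session user name is removed; listeners are
     * notified in both cases.
     *
     * @return the resolved principal, or {@code null}
     */
    private Principal resolvePrincipal(AAAContext aAAContext, ActionContext actionContext) {
        Principal principal = null;
        String username = actionContext.session().get(this.sessionKeyUsername);
        if (!S.blank(username)) {
            principal = (Principal) this.persistentService.findByName(username, Principal.class);
        } else if (this.allowBasicAuthentication) {
            String basicUser = actionContext.req().user();
            if (S.notBlank(basicUser)) {
                principal = this.authenticationService.authenticate(basicUser, actionContext.req().password());
            }
        }
        if (null == principal) {
            // Covers a stale session whose user no longer exists in the store.
            actionContext.session().remove(this.sessionKeyUsername);
        } else {
            aAAContext.setCurrentPrincipal(principal);
        }
        firePrincipalResolved(principal, actionContext);
        return principal;
    }

    /**
     * Notifies every registered listener (also for a {@code null} principal) and
     * triggers {@link PrincipalResolved} on the event bus when a principal exists.
     */
    private void firePrincipalResolved(Principal principal, ActionContext actionContext) {
        int size = this.listeners.size();
        for (int i = 0; i < size; i++) {
            this.listeners.get(i).principalResolved(principal, actionContext);
        }
        if (null != principal) {
            actionContext.app().eventBus().trigger(new PrincipalResolved(principal), new Object[0]);
        }
    }

    /**
     * Invokes the missing-authentication handler when the request needs a principal
     * and has none.
     *
     * <p>Requests are let through without a check when the path equals the configured
     * login URL (plain string equality), when no handler is attached to the context,
     * or when the handler is session-free.
     */
    private void ensureAuthenticity(Principal principal, ActionContext actionContext) {
        if (S.eq(AAAConfig.loginUrl, actionContext.req().path())) {
            return;
        }
        RequestHandler handler = actionContext.handler();
        if (null == handler || handler.sessionFree()) {
            return;
        }
        if (null != principal || !requireAuthenticate(handler)) {
            return;
        }
        actionContext.missingAuthenticationHandler().handle(actionContext);
    }

    /**
     * Decides whether the handler requires authentication and memoises the answer.
     *
     * <p>Proxied handlers are inspected method by method through
     * {@link AuthenticationRequirementSensor}; any other handler is matched against
     * the force/waive lists by its class name.
     *
     * <p>NOTE(review): the two memo sets are written from the request path; whether
     * {@code C.newSet()} is safe for concurrent writes is not visible here — confirm.
     *
     * @param requestHandler the handler about to serve the request
     * @return {@code true} when a principal is required
     */
    private boolean requireAuthenticate(RequestHandler requestHandler) {
        if (this.needsAuthentication.contains(requestHandler)) {
            return true;
        }
        if (this.noAuthentication.contains(requestHandler)) {
            return false;
        }
        boolean required;
        if (requestHandler instanceof RequestHandlerProxy) {
            AuthenticationRequirementSensor sensor = new AuthenticationRequirementSensor();
            try {
                ((RequestHandlerProxy) requestHandler).accept(sensor);
            } catch (Osgl.Break ignored) {
                // The sensor breaks out of the visit as soon as the answer is "required";
                // the result is read from the sensor below.
            }
            required = sensor.requireAuthentication;
        } else {
            required = requireAuthentication(requestHandler.getClass().getName());
        }
        if (required) {
            this.needsAuthentication.add(requestHandler);
        } else {
            this.noAuthentication.add(requestHandler);
        }
        return required;
    }

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Matches a handler name against the force and waive lists.
     *
     * <p>Evaluation order: exact force match, exact waive match, force entry as prefix
     * or regular expression, waive entry as prefix or regular expression, then the
     * configured default. An exact waive entry therefore overrides a broader force
     * prefix.
     *
     * <p>Security note: entries are used both as a plain prefix and as a regular
     * expression. A short waive entry exempts every handler whose name starts with it,
     * and {@code .} in an entry matches any character when evaluated as a pattern.
     * An entry that is not a valid pattern makes {@code String.matches} throw at
     * request time. Keep waive entries as specific as possible.
     *
     * @param str the handler class name, or {@code Class.method} for proxied handlers
     * @return {@code true} when authentication is required
     */
    public boolean requireAuthentication(String str) {
        if (this.forceAuthenticateList.contains(str)) {
            return true;
        }
        if (this.waiveAuthenticateList.contains(str)) {
            return false;
        }
        for (String forced : this.forceAuthenticateList) {
            if (str.startsWith(forced) || str.matches(forced)) {
                return true;
            }
        }
        for (String waived : this.waiveAuthenticateList) {
            if (str.startsWith(waived) || str.matches(waived)) {
                return false;
            }
        }
        // Unlisted handler: ALWAYS_AUTHENTICATE applies, except outside prod mode when
        // ALLOW_SYS_SERVICE_ON_DEV_MODE is switched on, in which case it is left open.
        return (Act.isProd() || !((Boolean) ALLOW_SYS_SERVICE_ON_DEV_MODE.get()).booleanValue()) && ((Boolean) ALWAYS_AUTHENTICATE.get()).booleanValue();
    }

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Registers the permission and privilege codecs on FastJson's global serializer
     * and parser configuration, i.e. for every FastJson user in the process that
     * relies on the global instances.
     */
    public void registerFastJsonConfig() {
        SerializeConfig serializeConfig = SerializeConfig.getGlobalInstance();
        ParserConfig parserConfig = ParserConfig.getGlobalInstance();
        FastJsonPermissionCodec permissionCodec = new FastJsonPermissionCodec(this.persistentService);
        serializeConfig.put(SimplePermission.class, permissionCodec);
        parserConfig.putDeserializer(SimplePermission.class, permissionCodec);
        FastJsonPrivilegeCodec privilegeCodec = new FastJsonPrivilegeCodec(this.persistentService);
        serializeConfig.put(SimplePrivilege.class, privilegeCodec);
        parserConfig.putDeserializer(SimplePrivilege.class, privilegeCodec);
    }

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Installs the default AAA context.
     *
     * <p>Security note: a {@link NullPointerException} while creating the context only
     * logs a warning and sets {@code disabled}, after which
     * {@link #sessionResolved} skips all authentication checks. A misconfiguration
     * therefore leaves the application unprotected rather than refusing to start;
     * alert on this warning in production.
     */
    public void registerDefaultContext() {
        try {
            AAA.setDefaultContext(createAAAContext());
        } catch (NullPointerException e) {
            warn("Cannot create AAA context. AAA plugin disabled", new Object[0]);
            this.disabled = true;
        }
    }

    /**
     * Loads ACL entries from a class path resource.
     *
     * @param url location of the YAML document
     */
    void loadYaml(URL url) {
        try {
            loadYamlContent(IO.readContentAsString(url.openStream()), persistentService());
        } catch (IOException e) {
            throw E.ioException(e);
        }
    }

    /**
     * Loads ACL entries from a file; a file that does not exist or cannot be read is
     * silently skipped.
     *
     * @param file the YAML file
     */
    void loadYaml(File file) {
        if (file.exists() && file.canRead()) {
            loadYamlContent(IO.readContentAsString(file), persistentService());
        }
    }

    /**
     * Parses an ACL document and stores every top-level entry.
     *
     * <p>The document is parsed before {@link #prepareStore} runs, so a file that
     * fails to parse no longer wipes the existing store when a {@code ddl.delete}
     * flag is on.
     *
     * <p>SECURITY NOTE: {@code new Yaml()} uses SnakeYAML's default constructor. On
     * SnakeYAML 1.x that constructor honours type tags and can instantiate arbitrary
     * classes named in the document. The content here comes from the application's
     * own {@code acl.yaml}, so it is as trustworthy as whoever can write the class
     * path or the project {@code conf} directory. If that ever includes less trusted
     * parties, switch to a SafeConstructor-backed {@code Yaml}.
     *
     * <p>NOTE(review): {@link #prepareStore} runs once per document. With a delete
     * flag enabled and several ACL files present, loading a later file removes what
     * an earlier one stored — confirm this is intended.
     *
     * @param str the YAML text
     * @param aAAPersistentService the store to write to
     */
    static void loadYamlContent(String str, AAAPersistentService aAAPersistentService) {
        Yaml yaml = new Yaml();
        Object load = yaml.load(str);
        prepareStore(aAAPersistentService);
        if (load instanceof Map) {
            Map map = (Map) $.cast(load);
            // Entries are handled in the map's iteration order; anything an entry refers
            // to (privilege, role, permission) must already be in the store by then.
            for (Object key : map.keySet()) {
                loadObject(key.toString().trim(), map, aAAPersistentService);
            }
        }
    }

    /**
     * Stores one ACL entry according to its {@code type} attribute; the type defaults
     * to principal when absent. An entry whose type matches none of the known
     * spellings is ignored without a message.
     *
     * @param str the entry name (top-level YAML key)
     * @param map the parsed document
     * @param aAAPersistentService the store to write to
     * @throws RuntimeException via {@code E.invalidConfigurationIf} when the entry has
     *         no attribute mapping (empty body, scalar body, or a key that is not
     *         found under its trimmed string form)
     */
    static void loadObject(String str, Map<Object, Map<?, ?>> map, AAAPersistentService aAAPersistentService) {
        // Read through a wildcard view so that a non-map value reaches the check below
        // instead of failing on an implicit cast.
        Map<?, ?> document = map;
        Object body = document.get(str);
        E.invalidConfigurationIf(!(body instanceof Map), "ACL entry[%s] must be a mapping of attributes", new Object[]{str});
        Map<?, ?> attributes = (Map<?, ?>) body;
        String type = (String) attributes.get("type");
        if (null == type) {
            type = "principal";
        }
        if (P_PRINCIPAL.matcher(type).matches()) {
            loadPrincipal(str, attributes, aAAPersistentService);
        } else if (P_ROLE.matcher(type).matches()) {
            loadRole(str, attributes, aAAPersistentService);
        } else if (P_PERMISSION.matcher(type).matches()) {
            loadPermission(str, attributes, aAAPersistentService);
        } else if (P_PRIVILEGE.matcher(type).matches()) {
            loadPrivilege(str, attributes, aAAPersistentService);
        }
    }

    /**
     * Saves a privilege, subject to the {@code ddl.update} / {@code ddl.create} flags.
     *
     * @param str the privilege name
     * @param map the entry attributes; {@code level} must be an integer
     * @param aAAPersistentService the store to write to
     */
    static void loadPrivilege(String str, Map<?, ?> map, AAAPersistentService aAAPersistentService) {
        if (null != aAAPersistentService.findByName(str, Privilege.class)) {
            if (!AAAConfig.ddl.update.booleanValue()) {
                return;
            }
        } else if (!AAAConfig.ddl.create) {
            return;
        }
        Object level = map.get("level");
        // Report a missing or mistyped level as a configuration error rather than a bare NPE/CCE.
        E.invalidConfigurationIf(!(level instanceof Integer), "Privilege[%s] requires an integer level", new Object[]{str});
        aAAPersistentService.save(new SimplePrivilege(str, ((Integer) level).intValue()));
    }

    /**
     * Saves a permission, subject to the {@code ddl.update} / {@code ddl.create} flags.
     * Every name under {@code implied} must already exist in the store.
     *
     * @param str the permission name
     * @param map the entry attributes ({@code dynamic}, {@code implied})
     * @param aAAPersistentService the store to read from and write to
     */
    static void loadPermission(String str, Map<?, ?> map, AAAPersistentService aAAPersistentService) {
        if (null != aAAPersistentService.findByName(str, Permission.class)) {
            if (!AAAConfig.ddl.update.booleanValue()) {
                return;
            }
        } else if (!AAAConfig.ddl.create) {
            return;
        }
        // A key that is present with an empty value counts as "not dynamic".
        Object dynamic = map.get("dynamic");
        boolean isDynamic = null != dynamic && ((Boolean) dynamic).booleanValue();
        SimplePermission.Builder builder = new SimplePermission.Builder(str);
        builder.dynamic(isDynamic);
        List<String> impliedNames = (List) map.get("implied");
        if (null != impliedNames) {
            for (String impliedName : impliedNames) {
                Permission implied = aAAPersistentService.findByName(impliedName, Permission.class);
                E.invalidConfigurationIf(null == implied, "Cannot find implied permission[%s] when loading permission[%s]", new Object[]{impliedName, str});
                builder.addImplied(implied);
            }
        }
        aAAPersistentService.save(builder.toPermission());
    }

    /**
     * Saves a role, subject to the {@code ddl.update} / {@code ddl.create} flags.
     * Every name under {@code permissions} must already exist in the store.
     *
     * @param str the role name
     * @param map the entry attributes ({@code permissions})
     * @param aAAPersistentService the store to read from and write to
     */
    static void loadRole(String str, Map<?, ?> map, AAAPersistentService aAAPersistentService) {
        if (null != aAAPersistentService.findByName(str, Role.class)) {
            if (!AAAConfig.ddl.update.booleanValue()) {
                return;
            }
        } else if (!AAAConfig.ddl.create) {
            return;
        }
        SimpleRole.Builder builder = new SimpleRole.Builder(str);
        List<String> permissionNames = (List) map.get("permissions");
        if (null != permissionNames) {
            for (String permissionName : permissionNames) {
                Permission permission = aAAPersistentService.findByName(permissionName, Permission.class);
                // The message names the role being loaded (it previously said "principal").
                E.invalidConfigurationIf(null == permission, "Cannot find permission[%s] when loading role[%s]", new Object[]{permissionName, str});
                builder.grantPermission(permission);
            }
        }
        aAAPersistentService.save(builder.toRole());
    }

    /**
     * Saves a principal, subject to the {@code ddl.principal.update} /
     * {@code ddl.principal.create} flags. The privilege, roles and permissions it
     * names must already exist in the store.
     *
     * @param str the principal name
     * @param map the entry attributes ({@code privilege}, {@code roles}, {@code permissions})
     * @param aAAPersistentService the store to read from and write to
     */
    static void loadPrincipal(String str, Map<?, ?> map, AAAPersistentService aAAPersistentService) {
        if (null != aAAPersistentService.findByName(str, Principal.class)) {
            if (!AAAConfig.ddl.principal.update.booleanValue()) {
                return;
            }
        } else if (!AAAConfig.ddl.principal.create) {
            return;
        }
        SimplePrincipal.Builder builder = new SimplePrincipal.Builder(str);
        String privilegeName = (String) map.get("privilege");
        if (null != privilegeName) {
            Privilege privilege = aAAPersistentService.findByName(privilegeName, Privilege.class);
            E.invalidConfigurationIf(null == privilege, "Cannot find privilege[%s] when loading principal[%s]", new Object[]{privilegeName, str});
            builder.grantPrivilege(privilege);
        }
        List<String> roleNames = (List) map.get("roles");
        if (null != roleNames) {
            for (String roleName : roleNames) {
                Role role = aAAPersistentService.findByName(roleName, Role.class);
                E.invalidConfigurationIf(null == role, "Cannot find role[%s] when loading principal[%s]", new Object[]{roleName, str});
                builder.grantRole(role);
            }
        }
        List<String> permissionNames = (List) map.get("permissions");
        if (null != permissionNames) {
            for (String permissionName : permissionNames) {
                Permission permission = aAAPersistentService.findByName(permissionName, Permission.class);
                E.invalidConfigurationIf(null == permission, "Cannot find permission[%s] when loading principal[%s]", new Object[]{permissionName, str});
                builder.grantPermission(permission);
            }
        }
        aAAPersistentService.save(builder.toPrincipal());
    }

    /**
     * Empties the store ahead of a load when the delete flags ask for it:
     * {@code ddl.delete} removes all privileges, permissions and roles,
     * {@code ddl.principal.delete} removes all principals.
     *
     * @param aAAPersistentService the store to clear
     */
    static void prepareStore(AAAPersistentService aAAPersistentService) {
        if (AAAConfig.ddl.delete) {
            aAAPersistentService.removeAll(Privilege.class);
            aAAPersistentService.removeAll(Permission.class);
            aAAPersistentService.removeAll(Role.class);
        }
        if (AAAConfig.ddl.principal.delete) {
            aAAPersistentService.removeAll(Principal.class);
        }
    }

    /** Registers a listener that is notified on every principal resolution. */
    @SubClassFinder
    void loadListener(AAAPlugin.Listener listener) {
        this.listeners.add(listener);
    }
}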
