package com.goldgov.origin.security.access;

import com.goldgov.origin.core.cache.CacheHolder;
import com.goldgov.origin.security.resource.ResourceConstants;
import com.goldgov.origin.security.resource.ResourceContext;
import java.util.Collection;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.security.access.AccessDecisionManager;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authentication.InsufficientAuthenticationException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.web.FilterInvocation;

/* loaded from: input_file:com/goldgov/origin/security/access/BaseAccessDecisionManager.class */
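/**
 * URL-level {@link AccessDecisionManager} that authorises a web request by looking the
 * request path up in a resource map and comparing the caller's authorities with the
 * roles cached for that resource.
 *
 * <p>Decision flow, as implemented in {@link #decide}:
 * <ol>
 *   <li>If any config attribute is not the literal {@code "authenticated"}, the method
 *       returns immediately, i.e. access is granted without further checks.</li>
 *   <li>Anonymous tokens and the {@code ROLE_ANONYMOUS} authority are rejected.</li>
 *   <li>The role/resource mapping is loaded into the cache once per instance.</li>
 *   <li>The request URI (minus the configured context path) is resolved to a resource;
 *       the caller is admitted when it holds the admin role or one of the roles mapped
 *       to that resource.</li>
 *   <li>A request whose URI is not in the resource map is admitted for any
 *       authenticated, non-anonymous caller.</li>
 * </ol>
 *
 * <p>NOTE(review): steps 1 and 5 are allow-by-default. Step 1 means this manager never
 * evaluates attributes other than {@code "authenticated"}, so a restrictive attribute
 * configured on a URL pattern is not enforced here; confirm the security configuration
 * does not rely on one. Step 5 combined with an exact string match on the undecoded
 * {@code getRequestURI()} means a request whose path is spelled differently from the
 * registered key misses the lookup and is admitted; confirm that non-canonical paths
 * are normalised or rejected before this manager runs, or switch unmapped resources to
 * deny-by-default.
 */
public abstract class BaseAccessDecisionManager implements AccessDecisionManager {
    /** True once the role/resource mapping has been put into the cache; only touched under this instance's monitor. */
    private boolean initialized;

    /** Configured context path (empty when the property is absent); its length is cut from the front of the request URI. */
    @Value("${server.context-path:}")
    private String contextPath;

    /**
     * Grants or denies access to the secured web request.
     *
     * @param authentication the caller's authentication
     * @param obj the secured object; cast to {@link FilterInvocation} once the attribute check has passed
     * @param collection the config attributes attached to the matched URL pattern
     * @throws AccessDeniedException if the caller is anonymous, or the resource is mapped
     *         and the caller holds neither the admin role nor a role mapped to it
     * @throws RuntimeException if loading the role/resource mapping fails
     */
    @Override
    public void decide(Authentication authentication, Object obj, Collection<ConfigAttribute> collection) throws AccessDeniedException, InsufficientAuthenticationException {
        // Only requests whose attributes are all "authenticated" are checked below;
        // anything else is let through untouched (see class-level review note).
        for (ConfigAttribute attribute : collection) {
            if (!attribute.toString().equals("authenticated")) {
                return;
            }
        }

        FilterInvocation invocation = (FilterInvocation) obj;
        HttpServletRequest request = invocation.getHttpRequest();
        if (authentication instanceof AnonymousAuthenticationToken) {
            throw new AccessDeniedException("拒绝以匿名身份访问：" + invocation.getFullRequestUrl());
        }

        ensureMappingCached();

        Map<String, String> resourcesByUri = ResourceContext.getAllResourcesMap();
        Map<?, ?> rolesByResource = (Map<?, ?>) CacheHolder.get(ResourceConstants.CACHE_CODE_ROLE_RESOURCE_MAPPING);
        // Exact-match lookup on the raw request URI with the configured context path removed.
        String resource = resourcesByUri.get(request.getRequestURI().substring(this.contextPath.length()));

        // Fail closed when the cached mapping is missing (for example after an eviction):
        // with no role list, a mapped resource is reachable only through the admin role
        // and everyone else gets AccessDeniedException instead of a NullPointerException.
        List<?> permittedRoles = null;
        if (resource != null && rolesByResource != null) {
            permittedRoles = (List<?>) rolesByResource.get(resource);
        }

        String adminRole = adminRole();
        for (GrantedAuthority grantedAuthority : authentication.getAuthorities()) {
            String authority = grantedAuthority.getAuthority();
            if ("ROLE_ANONYMOUS".equals(authority)) {
                throw new AccessDeniedException("以ROLE_ANONYMOUS角色访问被拒绝：" + invocation.getFullRequestUrl());
            }
            // The admin role bypasses the per-resource role list entirely.
            if (adminRole != null && adminRole.equals(authority)) {
                return;
            }
            if (permittedRoles != null && permittedRoles.contains(authority)) {
                return;
            }
        }

        // Deny only when the URI resolved to a known resource; unmapped URIs fall
        // through and are allowed (see class-level review note).
        if (resource != null) {
            throw new AccessDeniedException("访问拒绝：" + invocation.getFullRequestUrl());
        }
    }

    /**
     * Loads the role/resource mapping into the cache the first time it is needed.
     * Synchronised on this instance so concurrent first requests load it only once;
     * a failed load leaves the flag unset, so the next request retries.
     */
    private synchronized void ensureMappingCached() {
        if (this.initialized) {
            return;
        }
        try {
            CacheHolder.put(ResourceConstants.CACHE_CODE_ROLE_RESOURCE_MAPPING, roleResourceMap());
            this.initialized = true;
        } catch (Exception e) {
            throw new RuntimeException("获取角色资源映射关系时出现错误", e);
        }
    }

    /**
     * Supplies the mapping that is cached and consulted by {@link #decide}. As used
     * there, each key is a value from the resource map and each list holds the
     * authority names allowed to access that resource.
     *
     * @return the role/resource mapping
     * @throws Exception if the mapping cannot be obtained
     */
    protected abstract Map<String, List<String>> roleResourceMap() throws Exception;

    /**
     * Names the authority that is admitted to every mapped resource.
     *
     * @return the admin authority name, or {@code null} (the default) for no admin bypass
     */
    protected String adminRole() {
        return null;
    }

    /**
     * Accepts every config attribute.
     *
     * @param configAttribute the attribute being queried
     * @return always {@code true}
     */
    @Override
    public boolean supports(ConfigAttribute configAttribute) {
        return true;
    }

    /**
     * Claims support for every secured-object type.
     * NOTE(review): {@link #decide} casts the secured object to {@link FilterInvocation},
     * so a different type would fail there with a ClassCastException; confirm this
     * manager is only wired to the web filter chain.
     *
     * @param cls the secured-object class being queried
     * @return always {@code true}
     */
    @Override
    public boolean supports(Class<?> cls) {
        return true;
    }
}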
