package io.github.icodegarden.commons.gateway.core.security;

import io.github.icodegarden.commons.lang.spec.response.ClientParameterInvalidErrorCodeException;
import io.github.icodegarden.commons.lang.spec.response.ClientParameterMissingErrorCodeException;
import io.github.icodegarden.commons.lang.spec.response.ClientPermissionErrorCodeException;
import io.github.icodegarden.commons.lang.spec.response.InternalApiResponse;
import io.github.icodegarden.commons.lang.spec.sign.AppKeySignUtils;
import io.github.icodegarden.commons.lang.spec.sign.OpenApiRequestBody;
import io.github.icodegarden.commons.lang.spec.sign.RSASignUtils;
import io.github.icodegarden.commons.lang.util.JsonUtils;
import io.github.icodegarden.commons.springboot.exception.ErrorCodeAuthenticationException;
import io.github.icodegarden.commons.springboot.security.SpringUser;
import io.github.icodegarden.commons.springboot.security.User;
import java.nio.charset.Charset;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;
import java.util.stream.Collectors;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.cloud.gateway.support.ServerWebExchangeUtils;
import org.springframework.core.io.buffer.DataBuffer;
import org.springframework.core.io.buffer.DataBufferUtils;
import org.springframework.http.HttpMethod;
import org.springframework.http.HttpStatus;
import org.springframework.http.MediaType;
import org.springframework.http.codec.HttpMessageReader;
import org.springframework.http.server.reactive.ServerHttpResponse;
import org.springframework.security.authentication.ReactiveAuthenticationManager;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
import org.springframework.security.web.server.ServerAuthenticationEntryPoint;
import org.springframework.security.web.server.WebFilterExchange;
import org.springframework.security.web.server.authentication.AuthenticationWebFilter;
import org.springframework.security.web.server.authentication.ServerAuthenticationConverter;
import org.springframework.security.web.server.authentication.ServerAuthenticationFailureHandler;
import org.springframework.security.web.server.authentication.ServerAuthenticationSuccessHandler;
import org.springframework.util.StringUtils;
import org.springframework.web.reactive.function.server.HandlerStrategies;
import org.springframework.web.reactive.function.server.ServerRequest;
import org.springframework.web.server.ServerWebExchange;
import org.springframework.web.server.WebFilter;
import org.springframework.web.server.WebFilterChain;
import reactor.core.publisher.Mono;

/* loaded from: input_file:io/github/icodegarden/commons/gateway/core/security/AppKeyAuthenticationWebFilter.class */
public class AppKeyAuthenticationWebFilter implements WebFilter {
    private static final Logger log = LoggerFactory.getLogger(AppKeyAuthenticationWebFilter.class);
    private static final Charset CHARSET = Charset.forName("utf-8");
    private static final Pattern DATETIME_PATTERN = Pattern.compile("^[0-9]{4}-[0-9]{2}-[0-9]{2} [0-9]{2}:[0-9]{2}:[0-9]{2}$");
    private final List<HttpMessageReader<?>> messageReaders = HandlerStrategies.withDefaults().messageReaders();
    private final AuthenticationWebFilter authenticationWebFilter = new AuthenticationWebFilter(new NoOpReactiveAuthenticationManager());
    private final Map<String, App> appMap;
    private boolean headerAppKey;

    /* loaded from: input_file:io/github/icodegarden/commons/gateway/core/security/AppKeyAuthenticationWebFilter$ApiResponseServerAuthenticationFailureHandler.class */
    private class ApiResponseServerAuthenticationFailureHandler implements ServerAuthenticationFailureHandler {
        private final ServerAuthenticationEntryPoint authenticationEntryPoint;

        public ApiResponseServerAuthenticationFailureHandler(ServerAuthenticationEntryPoint serverAuthenticationEntryPoint) {
            this.authenticationEntryPoint = serverAuthenticationEntryPoint;
        }

        public Mono<Void> onAuthenticationFailure(WebFilterExchange webFilterExchange, AuthenticationException authenticationException) {
            return this.authenticationEntryPoint.commence(webFilterExchange.getExchange(), authenticationException);
        }
    }

    /* loaded from: input_file:io/github/icodegarden/commons/gateway/core/security/AppKeyAuthenticationWebFilter$GatewayPreAuthenticatedServerAuthenticationSuccessHandler.class */
    private class GatewayPreAuthenticatedServerAuthenticationSuccessHandler implements ServerAuthenticationSuccessHandler {
        private GatewayPreAuthenticatedServerAuthenticationSuccessHandler() {
        }

        public Mono<Void> onAuthenticationSuccess(WebFilterExchange webFilterExchange, Authentication authentication) {
            return Mono.defer(() -> {
                WebFilterChain chain = webFilterExchange.getChain();
                ServerWebExchange exchange = webFilterExchange.getExchange();
                User user = (User) authentication.getPrincipal();
                Map map = (Map) authentication.getDetails();
                return chain.filter(exchange.mutate().request(exchange.getRequest().mutate().headers(httpHeaders -> {
                    httpHeaders.add("X-Auth-AppId", user.getUserId());
                    httpHeaders.add("X-Auth-Appname", user.getUsername());
                    if (map != null) {
                        httpHeaders.add("X-Flow-Tag", (String) map.get("flowTag"));
                    }
                    if (AppKeyAuthenticationWebFilter.this.headerAppKey) {
                        httpHeaders.add("X-Auth-AppKey", ((App) AppKeyAuthenticationWebFilter.this.appMap.get(((OpenApiRequestBody) exchange.getAttribute("cachedRequestBody")).getApp_id())).getAppKey());
                    }
                }).build()).build());
            });
        }
    }

    /* loaded from: input_file:io/github/icodegarden/commons/gateway/core/security/AppKeyAuthenticationWebFilter$NoOpReactiveAuthenticationManager.class */
    private class NoOpReactiveAuthenticationManager implements ReactiveAuthenticationManager {
        private NoOpReactiveAuthenticationManager() {
        }

        public Mono<Authentication> authenticate(Authentication authentication) {
            return Mono.just(authentication);
        }
    }

    /* loaded from: input_file:io/github/icodegarden/commons/gateway/core/security/AppKeyAuthenticationWebFilter$SignResolveServerAuthenticationConverter.class */
    private class SignResolveServerAuthenticationConverter implements ServerAuthenticationConverter {
        private SignResolveServerAuthenticationConverter() {
        }

        public Mono<Authentication> convert(ServerWebExchange serverWebExchange) {
            return Mono.defer(() -> {
                boolean validateRequestSign;
                OpenApiRequestBody openApiRequestBody = (OpenApiRequestBody) serverWebExchange.getAttribute("cachedRequestBody");
                if (openApiRequestBody == null) {
                    if (AppKeyAuthenticationWebFilter.log.isWarnEnabled()) {
                        AppKeyAuthenticationWebFilter.log.warn("request body cache not exist");
                    }
                    return Mono.empty();
                }
                if (!StringUtils.hasText(openApiRequestBody.getApp_id())) {
                    throw new ErrorCodeAuthenticationException(new ClientParameterMissingErrorCodeException(ClientParameterMissingErrorCodeException.SubPair.MISSING_APP_ID));
                }
                App app = (App) AppKeyAuthenticationWebFilter.this.appMap.get(openApiRequestBody.getApp_id());
                if (openApiRequestBody.getApp_id().length() > 32 || app == null) {
                    throw new ErrorCodeAuthenticationException(new ClientParameterInvalidErrorCodeException(ClientParameterInvalidErrorCodeException.SubPair.INVALID_APP_ID));
                }
                if (!StringUtils.hasText(openApiRequestBody.getMethod())) {
                    throw new ErrorCodeAuthenticationException(new ClientParameterMissingErrorCodeException(ClientParameterMissingErrorCodeException.SubPair.MISSING_METHOD));
                }
                if (!StringUtils.hasText(openApiRequestBody.getSign())) {
                    throw new ErrorCodeAuthenticationException(new ClientParameterMissingErrorCodeException(ClientParameterMissingErrorCodeException.SubPair.MISSING_SIGNATURE));
                }
                if (!StringUtils.hasText(openApiRequestBody.getSign_type())) {
                    throw new ErrorCodeAuthenticationException(new ClientParameterMissingErrorCodeException(ClientParameterMissingErrorCodeException.SubPair.MISSING_SIGNATURE_TYPE));
                }
                if (!StringUtils.hasText(openApiRequestBody.getApp_id())) {
                    throw new ErrorCodeAuthenticationException(new ClientParameterMissingErrorCodeException(ClientParameterMissingErrorCodeException.SubPair.MISSING_APP_ID));
                }
                if (!StringUtils.hasText(openApiRequestBody.getTimestamp())) {
                    throw new ErrorCodeAuthenticationException(new ClientParameterMissingErrorCodeException(ClientParameterMissingErrorCodeException.SubPair.MISSING_TIMESTAMP));
                }
                if (!StringUtils.hasText(openApiRequestBody.getVersion())) {
                    throw new ErrorCodeAuthenticationException(new ClientParameterMissingErrorCodeException(ClientParameterMissingErrorCodeException.SubPair.MISSING_VERSION));
                }
                if (!StringUtils.hasText(openApiRequestBody.getRequest_id())) {
                    throw new ErrorCodeAuthenticationException(new ClientParameterMissingErrorCodeException(ClientParameterMissingErrorCodeException.SubPair.MISSING_REQUEST_ID));
                }
                if (!"JSON".equalsIgnoreCase(openApiRequestBody.getFormat())) {
                    throw new ErrorCodeAuthenticationException(new ClientParameterInvalidErrorCodeException(ClientParameterInvalidErrorCodeException.SubPair.INVALID_FORMAT));
                }
                if (!"SHA256".equals(openApiRequestBody.getSign_type()) && !"RSA2".equals(openApiRequestBody.getSign_type())) {
                    throw new ErrorCodeAuthenticationException(new ClientParameterInvalidErrorCodeException(ClientParameterInvalidErrorCodeException.SubPair.INVALID_SIGNATURE_TYPE));
                }
                if (openApiRequestBody.getTimestamp().length() != 19 || !AppKeyAuthenticationWebFilter.DATETIME_PATTERN.matcher(openApiRequestBody.getTimestamp()).matches()) {
                    throw new ErrorCodeAuthenticationException(new ClientParameterInvalidErrorCodeException(ClientParameterInvalidErrorCodeException.SubPair.INVALID_TIMESTAMP));
                }
                if (!StringUtils.hasText(openApiRequestBody.getCharset()) || !"UTF-8".equalsIgnoreCase(openApiRequestBody.getCharset())) {
                    throw new ErrorCodeAuthenticationException(new ClientParameterInvalidErrorCodeException(ClientParameterInvalidErrorCodeException.SubPair.INVALID_CHARSET));
                }
                if (!StringUtils.hasText(openApiRequestBody.getRequest_id()) || openApiRequestBody.getRequest_id().length() > 32) {
                    throw new ErrorCodeAuthenticationException(new ClientParameterInvalidErrorCodeException(ClientParameterInvalidErrorCodeException.SubPair.INVALID_REQUEST_ID));
                }
                if ("SHA256".equals(openApiRequestBody.getSign_type())) {
                    validateRequestSign = AppKeySignUtils.validateRequestSign(openApiRequestBody, app.getAppKey());
                } else {
                    if (!"RSA2".equals(openApiRequestBody.getSign_type())) {
                        throw new ErrorCodeAuthenticationException(new ClientParameterInvalidErrorCodeException(ClientParameterInvalidErrorCodeException.SubPair.INVALID_SIGNATURE_TYPE));
                    }
                    validateRequestSign = RSASignUtils.validateRequestSign(openApiRequestBody, app.getAppKey());
                }
                if (!validateRequestSign) {
                    throw new ErrorCodeAuthenticationException(new ClientParameterInvalidErrorCodeException(ClientParameterInvalidErrorCodeException.SubPair.INVALID_SIGNATURE));
                }
                if (!app.getMethods().isEmpty() && !app.getMethods().contains(openApiRequestBody.getMethod())) {
                    throw new ErrorCodeAuthenticationException(new ClientPermissionErrorCodeException(ClientPermissionErrorCodeException.SubPair.INSUFFICIENT_PERMISSIONS));
                }
                PreAuthenticatedAuthenticationToken preAuthenticatedAuthenticationToken = new PreAuthenticatedAuthenticationToken(new SpringUser(openApiRequestBody.getApp_id(), app.getAppName(), "", Collections.emptyList()), "", Collections.emptyList());
                String flowTag = app.getFlowTag();
                if (StringUtils.hasText(flowTag)) {
                    HashMap hashMap = new HashMap(1, 1.0f);
                    hashMap.put("flowTag", flowTag);
                    preAuthenticatedAuthenticationToken.setDetails(hashMap);
                }
                return Mono.just(preAuthenticatedAuthenticationToken);
            });
        }
    }

    public AppKeyAuthenticationWebFilter(List<App> list, ServerAuthenticationEntryPoint serverAuthenticationEntryPoint) {
        this.appMap = (Map) list.stream().collect(Collectors.toMap((v0) -> {
            return v0.getAppId();
        }, app -> {
            return app;
        }));
        this.authenticationWebFilter.setServerAuthenticationConverter(new SignResolveServerAuthenticationConverter());
        this.authenticationWebFilter.setAuthenticationSuccessHandler(new GatewayPreAuthenticatedServerAuthenticationSuccessHandler());
        this.authenticationWebFilter.setAuthenticationFailureHandler(new ApiResponseServerAuthenticationFailureHandler(serverAuthenticationEntryPoint));
    }

    public AppKeyAuthenticationWebFilter setHeaderAppKey(boolean z) {
        this.headerAppKey = z;
        return this;
    }

    public Mono<Void> filter(ServerWebExchange serverWebExchange, WebFilterChain webFilterChain) {
        if (!"/openapi/v1/biz/methods".equals(serverWebExchange.getRequest().getURI().getPath())) {
            return webFilterChain.filter(serverWebExchange);
        }
        if (serverWebExchange.getRequest().getMethod() != HttpMethod.POST) {
            ServerHttpResponse response = serverWebExchange.getResponse();
            response.setStatusCode(HttpStatus.METHOD_NOT_ALLOWED);
            response.getHeaders().setContentType(MediaType.APPLICATION_JSON);
            return response.writeWith(Mono.empty());
        }
        MediaType contentType = serverWebExchange.getRequest().getHeaders().getContentType();
        if (!MediaType.APPLICATION_JSON.isCompatibleWith(contentType) && !MediaType.APPLICATION_JSON_UTF8.isCompatibleWith(contentType)) {
            ServerHttpResponse response2 = serverWebExchange.getResponse();
            response2.setStatusCode(HttpStatus.UNSUPPORTED_MEDIA_TYPE);
            response2.getHeaders().setContentType(MediaType.APPLICATION_JSON);
            return response2.writeWith(Mono.empty());
        }
        String scheme = serverWebExchange.getRequest().getURI().getScheme();
        if (("http".equals(scheme) || "https".equals(scheme)) && serverWebExchange.getAttribute("cachedRequestBody") == null) {
            return ServerWebExchangeUtils.cacheRequestBodyAndRequest(serverWebExchange, serverHttpRequest -> {
                return ServerRequest.create(serverWebExchange.mutate().request(serverHttpRequest).build(), this.messageReaders).bodyToMono(OpenApiRequestBody.class).doOnError(th -> {
                    ServerHttpResponse response3 = serverWebExchange.getResponse();
                    response3.setStatusCode(HttpStatus.OK);
                    response3.getHeaders().setContentType(MediaType.APPLICATION_JSON);
                    DataBuffer wrap = response3.bufferFactory().wrap(JsonUtils.serialize(InternalApiResponse.fail(new ClientParameterInvalidErrorCodeException(ClientParameterInvalidErrorCodeException.SubPair.INVALID_PARAMETER.getSub_code(), "Invalid:Request Body"))).getBytes(CHARSET));
                    response3.writeWith(Mono.just(wrap)).doOnError(th -> {
                        DataBufferUtils.release(wrap);
                    }).subscribe();
                }).doOnNext(openApiRequestBody -> {
                    serverWebExchange.getAttributes().put("cachedRequestBody", openApiRequestBody);
                });
            }).then(this.authenticationWebFilter.filter(serverWebExchange, webFilterChain));
        }
        return webFilterChain.filter(serverWebExchange);
    }
}
