package io.github.icodegarden.commons.gateway.core.security.signature;

import io.github.icodegarden.commons.gateway.spi.AppProvider;
import io.github.icodegarden.commons.gateway.spi.AuthWebFilter;
import io.github.icodegarden.commons.gateway.spi.OpenApiRequestValidator;
import io.github.icodegarden.commons.gateway.util.CommonsGatewayUtils;
import io.github.icodegarden.commons.lang.spec.response.ClientParameterInvalidErrorCodeException;
import io.github.icodegarden.commons.lang.spec.response.ClientParameterMissingErrorCodeException;
import io.github.icodegarden.commons.lang.spec.response.ClientPermissionErrorCodeException;
import io.github.icodegarden.commons.lang.spec.response.InternalApiResponse;
import io.github.icodegarden.commons.lang.spec.sign.OpenApiRequestBody;
import io.github.icodegarden.commons.lang.util.JsonUtils;
import io.github.icodegarden.commons.lang.util.SystemUtils;
import io.github.icodegarden.commons.springboot.exception.ErrorCodeAuthenticationException;
import io.github.icodegarden.commons.springboot.security.SpringUser;
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.time.LocalDateTime;
import java.time.format.DateTimeParseException;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.cloud.gateway.support.ServerWebExchangeUtils;
import org.springframework.core.io.buffer.DataBuffer;
import org.springframework.core.io.buffer.DataBufferUtils;
import org.springframework.http.HttpMethod;
import org.springframework.http.HttpStatus;
import org.springframework.http.MediaType;
import org.springframework.http.codec.HttpMessageReader;
import org.springframework.http.server.reactive.ServerHttpRequest;
import org.springframework.http.server.reactive.ServerHttpResponse;
import org.springframework.security.authentication.ReactiveAuthenticationManager;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
import org.springframework.security.web.server.authentication.AuthenticationWebFilter;
import org.springframework.security.web.server.authentication.ServerAuthenticationConverter;
import org.springframework.security.web.server.authentication.ServerAuthenticationFailureHandler;
import org.springframework.security.web.server.authentication.ServerAuthenticationSuccessHandler;
import org.springframework.util.StringUtils;
import org.springframework.web.reactive.function.server.HandlerStrategies;
import org.springframework.web.reactive.function.server.ServerRequest;
import org.springframework.web.server.ServerWebExchange;
import org.springframework.web.server.WebFilterChain;
import reactor.core.publisher.Mono;

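/**
 * Gateway authentication filter for the signed open-API endpoint.
 *
 * <p>Only POST requests to {@link #OPEN_API_PATH} with a JSON content type are handled. The
 * request body is read once into the exchange attribute {@link #CACHED_REQUEST_BODY_ATTR}, then
 * Spring Security's {@link AuthenticationWebFilter} runs with {@link AppServerAuthenticationConverter}
 * as its converter. The converter enforces, in order: required fields, a known app id of bounded
 * length, format and sign type, a well-formed timestamp inside the freshness window
 * ({@link #REJECT_SECONDS_BEFORE} / {@link #REJECT_SECONDS_AFTER}), UTF-8 charset, the request
 * signature against the app's key, the app's method allow-list, and the request id.
 *
 * <p>Requests to any other path pass straight through to the chain.
 */
public class SignatureAuthenticationWebFilter implements AuthWebFilter {
    private static final Logger log = LoggerFactory.getLogger(SignatureAuthenticationWebFilter.class);

    /**
     * Maximum age, in seconds, a request timestamp may have relative to the gateway clock.
     * Public and mutable on purpose: existing deployments tune it by assignment.
     */
    public static int REJECT_SECONDS_BEFORE = 300;

    /**
     * Maximum clock skew, in seconds, a request timestamp may lie in the future.
     * Public and mutable on purpose: existing deployments tune it by assignment.
     */
    public static int REJECT_SECONDS_AFTER = 10;

    private static final Charset CHARSET = StandardCharsets.UTF_8;

    /** Shape check applied before parsing; the parser still decides whether the date is real. */
    private static final Pattern DATETIME_PATTERN = Pattern.compile("^[0-9]{4}-[0-9]{2}-[0-9]{2} [0-9]{2}:[0-9]{2}:[0-9]{2}$");

    /** Exact length of a timestamp that matches {@link #DATETIME_PATTERN}. */
    private static final int TIMESTAMP_LENGTH = 19;

    /** Upper bound on app_id and request_id length accepted from clients. */
    private static final int MAX_ID_LENGTH = 32;

    /** The single path this filter protects. */
    private static final String OPEN_API_PATH = "/openapi/v1/biz/methods";

    /** Exchange attribute under which the decoded {@link OpenApiRequestBody} is cached. */
    private static final String CACHED_REQUEST_BODY_ATTR = "cachedRequestBody";

    private final List<HttpMessageReader<?>> messageReaders = HandlerStrategies.withDefaults().messageReaders();
    private final AuthenticationWebFilter authenticationWebFilter;
    private final AppProvider appProvider;
    private final OpenApiRequestValidator openApiRequestValidator;

    /**
     * Turns the cached open-API body into a pre-authenticated token.
     *
     * <p>Validation failures surface as {@link ErrorCodeAuthenticationException} error signals,
     * which the enclosing {@link AuthenticationWebFilter} hands to the failure handler. When no
     * body was cached, an empty {@code Mono} is returned and the request continues unauthenticated.
     */
    private class AppServerAuthenticationConverter implements ServerAuthenticationConverter {
        private AppServerAuthenticationConverter() {
        }

        @Override
        public Mono<Authentication> convert(ServerWebExchange serverWebExchange) {
            return Mono.defer(() -> {
                OpenApiRequestBody body = CommonsGatewayUtils.getOpenApiRequestBody(serverWebExchange);
                if (body == null) {
                    // filter() did not cache a body for this exchange (non-HTTP scheme, or an
                    // earlier filter cached something else); nothing to authenticate from.
                    if (log.isWarnEnabled()) {
                        log.warn("request body cache not exist");
                    }
                    return Mono.empty();
                }
                // Exceptions thrown here become error signals of the deferred Mono.
                return Mono.just(authenticate(body));
            });
        }
    }

    /**
     * Creates the filter.
     *
     * @param appProvider                        resolves an {@code App} by app_id; {@code null} means unknown
     * @param openApiRequestValidator            final per-request check on the body (see {@link #authenticate})
     * @param reactiveAuthenticationManager      manager handed to the wrapped {@link AuthenticationWebFilter}
     * @param serverAuthenticationSuccessHandler invoked after successful authentication
     * @param serverAuthenticationFailureHandler invoked with the {@link ErrorCodeAuthenticationException} on rejection
     */
    public SignatureAuthenticationWebFilter(AppProvider appProvider, OpenApiRequestValidator openApiRequestValidator, ReactiveAuthenticationManager reactiveAuthenticationManager, ServerAuthenticationSuccessHandler serverAuthenticationSuccessHandler, ServerAuthenticationFailureHandler serverAuthenticationFailureHandler) {
        this.appProvider = appProvider;
        this.openApiRequestValidator = openApiRequestValidator;
        this.authenticationWebFilter = new AuthenticationWebFilter(reactiveAuthenticationManager);
        this.authenticationWebFilter.setServerAuthenticationConverter(new AppServerAuthenticationConverter());
        this.authenticationWebFilter.setAuthenticationSuccessHandler(serverAuthenticationSuccessHandler);
        this.authenticationWebFilter.setAuthenticationFailureHandler(serverAuthenticationFailureHandler);
    }

    /**
     * Gates {@link #OPEN_API_PATH}: rejects non-POST (405) and non-JSON (415) requests with an
     * empty JSON response, caches the decoded body, then delegates to the authentication filter.
     *
     * @param serverWebExchange the current exchange
     * @param webFilterChain    the remaining chain
     * @return completion of the response
     */
    @Override
    public Mono<Void> filter(ServerWebExchange serverWebExchange, WebFilterChain webFilterChain) {
        if (!OPEN_API_PATH.equals(serverWebExchange.getRequest().getURI().getPath())) {
            return webFilterChain.filter(serverWebExchange);
        }
        if (serverWebExchange.getRequest().getMethod() != HttpMethod.POST) {
            return writeEmptyJsonResponse(serverWebExchange, HttpStatus.METHOD_NOT_ALLOWED);
        }
        // isCompatibleWith ignores parameters, so application/json;charset=UTF-8 is covered too.
        MediaType contentType = serverWebExchange.getRequest().getHeaders().getContentType();
        if (!MediaType.APPLICATION_JSON.isCompatibleWith(contentType)) {
            return writeEmptyJsonResponse(serverWebExchange, HttpStatus.UNSUPPORTED_MEDIA_TYPE);
        }
        String scheme = serverWebExchange.getRequest().getURI().getScheme();
        boolean httpScheme = "http".equals(scheme) || "https".equals(scheme);
        if (httpScheme && serverWebExchange.getAttribute(CACHED_REQUEST_BODY_ATTR) == null) {
            // A body decoding failure writes the error response inside readAndCacheBody and the
            // error signal propagates here, so then(...) does not run the authentication filter.
            return ServerWebExchangeUtils.cacheRequestBodyAndRequest(serverWebExchange,
                    serverHttpRequest -> readAndCacheBody(serverWebExchange, serverHttpRequest))
                    .then(this.authenticationWebFilter.filter(serverWebExchange, webFilterChain));
        }
        // Body already cached (or non-HTTP scheme): still go through the authentication filter
        // rather than the bare chain, so the protected path never skips authentication.
        return this.authenticationWebFilter.filter(serverWebExchange, webFilterChain);
    }

    /**
     * Runs every check on the signed body and builds the token on success.
     *
     * <p>Check order is preserved from the original filter so clients see the same error code for
     * a given malformed request; the only reordering is that the app_id length bound is applied
     * before the provider lookup so oversized identifiers never reach the app store.
     *
     * @throws ErrorCodeAuthenticationException on the first failing check
     */
    private Authentication authenticate(OpenApiRequestBody body) {
        requireText(body.getApp_id(), ClientParameterMissingErrorCodeException.SubPair.MISSING_APP_ID);
        String appId = body.getApp_id();
        if (appId.length() > MAX_ID_LENGTH) {
            throw invalid(ClientParameterInvalidErrorCodeException.SubPair.INVALID_APP_ID);
        }
        App app = this.appProvider.getApp(appId);
        if (app == null) {
            throw invalid(ClientParameterInvalidErrorCodeException.SubPair.INVALID_APP_ID);
        }
        requireText(body.getMethod(), ClientParameterMissingErrorCodeException.SubPair.MISSING_METHOD);
        requireText(body.getSign(), ClientParameterMissingErrorCodeException.SubPair.MISSING_SIGNATURE);
        requireText(body.getSign_type(), ClientParameterMissingErrorCodeException.SubPair.MISSING_SIGNATURE_TYPE);
        requireText(body.getTimestamp(), ClientParameterMissingErrorCodeException.SubPair.MISSING_TIMESTAMP);
        requireText(body.getVersion(), ClientParameterMissingErrorCodeException.SubPair.MISSING_VERSION);
        requireText(body.getRequest_id(), ClientParameterMissingErrorCodeException.SubPair.MISSING_REQUEST_ID);
        if (!"JSON".equalsIgnoreCase(body.getFormat())) {
            throw invalid(ClientParameterInvalidErrorCodeException.SubPair.INVALID_FORMAT);
        }
        if (!CommonsGatewayUtils.supportsSignType(body.getSign_type())) {
            throw invalid(ClientParameterInvalidErrorCodeException.SubPair.INVALID_SIGNATURE_TYPE);
        }
        validateTimestamp(body.getTimestamp());
        // equalsIgnoreCase(null) is false, so a missing charset is rejected here as well.
        if (!"UTF-8".equalsIgnoreCase(body.getCharset())) {
            throw invalid(ClientParameterInvalidErrorCodeException.SubPair.INVALID_CHARSET);
        }
        // The app key is only handed to the verifier; it is never logged or echoed.
        if (!CommonsGatewayUtils.validateSign(body, app.getAppKey())) {
            throw invalid(ClientParameterInvalidErrorCodeException.SubPair.INVALID_SIGNATURE);
        }
        // An empty method list means the app may call any method.
        if (!app.getMethods().isEmpty() && !app.getMethods().contains(body.getMethod())) {
            throw new ErrorCodeAuthenticationException(new ClientPermissionErrorCodeException(ClientPermissionErrorCodeException.SubPair.INSUFFICIENT_PERMISSIONS));
        }
        // NOTE(review): openApiRequestValidator presumably de-duplicates request ids (replay
        // protection) — confirm against its implementation.
        if (body.getRequest_id().length() > MAX_ID_LENGTH || !this.openApiRequestValidator.validate(body)) {
            throw invalid(ClientParameterInvalidErrorCodeException.SubPair.INVALID_REQUEST_ID);
        }
        return buildToken(body, app);
    }

    /**
     * Rejects timestamps that are malformed, not a real date, older than
     * {@link #REJECT_SECONDS_BEFORE} or further ahead than {@link #REJECT_SECONDS_AFTER}.
     *
     * @throws ErrorCodeAuthenticationException with INVALID_TIMESTAMP on any of those conditions
     */
    private static void validateTimestamp(String timestamp) {
        if (timestamp.length() != TIMESTAMP_LENGTH || !DATETIME_PATTERN.matcher(timestamp).matches()) {
            throw invalid(ClientParameterInvalidErrorCodeException.SubPair.INVALID_TIMESTAMP);
        }
        LocalDateTime issuedAt;
        try {
            issuedAt = LocalDateTime.parse(timestamp, SystemUtils.STANDARD_DATETIME_FORMATTER);
        } catch (DateTimeParseException e) {
            // The regex accepts shapes like month 13; report them as a client error instead of
            // letting the parser exception escape as an unexpected failure.
            throw invalid(ClientParameterInvalidErrorCodeException.SubPair.INVALID_TIMESTAMP);
        }
        // Single clock read so both bounds compare against the same instant.
        // NOTE(review): assumes client timestamps share the zone of SystemUtils.now() — confirm.
        LocalDateTime now = SystemUtils.now();
        boolean tooOld = issuedAt.plusSeconds(REJECT_SECONDS_BEFORE).isBefore(now);
        boolean tooFarAhead = issuedAt.minusSeconds(REJECT_SECONDS_AFTER).isAfter(now);
        if (tooOld || tooFarAhead) {
            throw invalid(ClientParameterInvalidErrorCodeException.SubPair.INVALID_TIMESTAMP);
        }
    }

    /**
     * Builds the pre-authenticated token; when the app carries flow tags they are attached as
     * details under the keys {@code flowTagRequired} / {@code flowTagFirst} for downstream filters.
     */
    private static Authentication buildToken(OpenApiRequestBody body, App app) {
        SpringUser principal = new SpringUser(body.getApp_id(), app.getAppName(), "", Collections.emptyList());
        PreAuthenticatedAuthenticationToken token = new PreAuthenticatedAuthenticationToken(principal, "", Collections.emptyList());
        String flowTagRequired = app.getFlowTagRequired();
        String flowTagFirst = app.getFlowTagFirst();
        if (StringUtils.hasText(flowTagRequired) || StringUtils.hasText(flowTagFirst)) {
            Map<String, String> details = new HashMap<>(2, 1.0f);
            details.put("flowTagRequired", flowTagRequired);
            details.put("flowTagFirst", flowTagFirst);
            token.setDetails(details);
        }
        return token;
    }

    /** Throws the MISSING error for {@code missing} when {@code value} has no text. */
    private static void requireText(String value, ClientParameterMissingErrorCodeException.SubPair missing) {
        if (!StringUtils.hasText(value)) {
            throw new ErrorCodeAuthenticationException(new ClientParameterMissingErrorCodeException(missing));
        }
    }

    /** Wraps an INVALID sub-code in the exception type the failure handler expects. */
    private static ErrorCodeAuthenticationException invalid(ClientParameterInvalidErrorCodeException.SubPair sub) {
        return new ErrorCodeAuthenticationException(new ClientParameterInvalidErrorCodeException(sub));
    }

    /**
     * Decodes the body as {@link OpenApiRequestBody} and stores it under
     * {@link #CACHED_REQUEST_BODY_ATTR}; on a decoding error the client error response is written.
     */
    private Mono<OpenApiRequestBody> readAndCacheBody(ServerWebExchange exchange, ServerHttpRequest decoratedRequest) {
        ServerWebExchange mutated = exchange.mutate().request(decoratedRequest).build();
        return ServerRequest.create(mutated, this.messageReaders)
                .bodyToMono(OpenApiRequestBody.class)
                .doOnError(th -> writeInvalidBodyResponse(exchange))
                .doOnNext(body -> exchange.getAttributes().put(CACHED_REQUEST_BODY_ATTR, body));
    }

    /** Writes a 200 JSON envelope carrying INVALID_PARAMETER "Invalid:Request Body"; fire-and-forget. */
    private static void writeInvalidBodyResponse(ServerWebExchange exchange) {
        ServerHttpResponse response = exchange.getResponse();
        response.setStatusCode(HttpStatus.OK);
        response.getHeaders().setContentType(MediaType.APPLICATION_JSON);
        String json = JsonUtils.serialize(InternalApiResponse.fail(new ClientParameterInvalidErrorCodeException(ClientParameterInvalidErrorCodeException.SubPair.INVALID_PARAMETER.getSub_code(), "Invalid:Request Body")));
        DataBuffer buffer = response.bufferFactory().wrap(json.getBytes(CHARSET));
        // Release the buffer ourselves if the write fails, since nobody else owns it then.
        response.writeWith(Mono.just(buffer)).doOnError(ignored -> DataBufferUtils.release(buffer)).subscribe();
    }

    /** Sets {@code status} with a JSON content type and completes the response with no body. */
    private static Mono<Void> writeEmptyJsonResponse(ServerWebExchange exchange, HttpStatus status) {
        ServerHttpResponse response = exchange.getResponse();
        response.setStatusCode(status);
        response.getHeaders().setContentType(MediaType.APPLICATION_JSON);
        return response.writeWith(Mono.empty());
    }
}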
