package io.github.icodegarden.commons.gateway.core.security.signature;

import io.github.icodegarden.commons.gateway.core.security.AuthMatcher;
import io.github.icodegarden.commons.gateway.spi.AppProvider;
import io.github.icodegarden.commons.gateway.spi.AuthWebFilter;
import io.github.icodegarden.commons.gateway.spi.OpenApiRequestValidator;
import io.github.icodegarden.commons.gateway.util.CommonsGatewayUtils;
import io.github.icodegarden.commons.lang.spec.response.ClientParameterInvalidErrorCodeException;
import io.github.icodegarden.commons.lang.spec.response.ClientParameterMissingErrorCodeException;
import io.github.icodegarden.commons.lang.spec.response.InternalApiResponse;
import io.github.icodegarden.commons.lang.spec.sign.OpenApiRequestBody;
import io.github.icodegarden.commons.lang.util.JsonUtils;
import io.github.icodegarden.commons.lang.util.LogUtils;
import io.github.icodegarden.commons.springboot.exception.ErrorCodeAuthenticationException;
import io.github.icodegarden.commons.springboot.security.SpringUser;
import java.nio.charset.Charset;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.cloud.gateway.support.ServerWebExchangeUtils;
import org.springframework.core.io.buffer.DataBuffer;
import org.springframework.core.io.buffer.DataBufferUtils;
import org.springframework.http.HttpMethod;
import org.springframework.http.HttpStatus;
import org.springframework.http.MediaType;
import org.springframework.http.codec.HttpMessageReader;
import org.springframework.http.codec.ServerCodecConfigurer;
import org.springframework.http.server.reactive.ServerHttpResponse;
import org.springframework.security.authentication.ReactiveAuthenticationManager;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
import org.springframework.security.web.server.authentication.AuthenticationWebFilter;
import org.springframework.security.web.server.authentication.ServerAuthenticationConverter;
import org.springframework.security.web.server.authentication.ServerAuthenticationFailureHandler;
import org.springframework.security.web.server.authentication.ServerAuthenticationSuccessHandler;
import org.springframework.util.StringUtils;
import org.springframework.web.reactive.function.server.ServerRequest;
import org.springframework.web.server.ServerWebExchange;
import org.springframework.web.server.WebFilterChain;
import reactor.core.publisher.Mono;

/* loaded from: input_file:io/github/icodegarden/commons/gateway/core/security/signature/SignatureAuthenticationWebFilter.class */
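/**
 * Gateway web filter that authenticates signed open-API requests.
 *
 * <p>For requests that {@link AuthMatcher#isAuthPath} marks as auth paths, the filter
 * requires a JSON POST, caches the request body, parses it into an {@link OpenApiRequestBody}
 * and then delegates to a Spring Security {@link AuthenticationWebFilter}. The delegate's
 * converter resolves the calling app through {@link AppProvider} and runs the
 * {@link OpenApiRequestValidator} before a pre-authenticated token is produced.
 *
 * <p>NOTE(review): two paths let a request reach the rest of the chain without an
 * {@code Authentication} being produced here (the fall-through at the end of
 * {@link #filter} and the {@code Mono.empty()} branch of the converter). Whether that is
 * safe depends on a later authorization step rejecting unauthenticated exchanges —
 * confirm against the security configuration.
 */
public class SignatureAuthenticationWebFilter implements AuthWebFilter {
    /** Exchange attribute holding the value returned when the parsed body was stored; released after the request. */
    static final String CACHED_ORIGINAL_REQUEST_BODY_BACKUP_ATTR = "cachedOriginalRequestBodyBackup";
    private final List<HttpMessageReader<?>> messageReaders;
    private final AuthenticationWebFilter authenticationWebFilter;
    private final AppProvider appProvider;
    private final OpenApiRequestValidator openApiRequestValidator;
    private final AuthMatcher authMatcher;
    private static final Logger log = LoggerFactory.getLogger(SignatureAuthenticationWebFilter.class);
    private static final Charset CHARSET = Charset.forName("utf-8");

    /**
     * Builds the {@link Authentication} for a request whose body has already been parsed
     * and stored on the exchange by {@link SignatureAuthenticationWebFilter#filter}.
     */
    private class AppServerAuthenticationConverter implements ServerAuthenticationConverter {
        private AppServerAuthenticationConverter() {
        }

        /**
         * Resolves the app named by {@code app_id}, validates the request and returns a
         * pre-authenticated token whose principal carries the app id and app name.
         *
         * @param serverWebExchange the current exchange
         * @return the token, or an empty Mono when no parsed body is present on the exchange
         * @throws ErrorCodeAuthenticationException (as an error signal) when {@code app_id}
         *         is blank or unknown
         */
        @Override
        public Mono<Authentication> convert(ServerWebExchange serverWebExchange) {
            return Mono.defer(() -> {
                String path = serverWebExchange.getRequest().getURI().getPath();
                OpenApiRequestBody openApiRequestBody = CommonsGatewayUtils.getOpenApiRequestBody(serverWebExchange);
                if (openApiRequestBody == null) {
                    if (SignatureAuthenticationWebFilter.log.isWarnEnabled()) {
                        SignatureAuthenticationWebFilter.log.warn("request body cache not exist");
                    }
                    // NOTE(review): fail-open. Spring Security's AuthenticationWebFilter treats an
                    // empty converter result as "nothing to authenticate" and continues the filter
                    // chain without calling the authentication manager. On an auth path this lets
                    // the request proceed unauthenticated unless a later authorization check
                    // rejects it — consider signalling an authentication error here instead.
                    return Mono.empty();
                }
                if (!StringUtils.hasText(openApiRequestBody.getApp_id())) {
                    throw new ErrorCodeAuthenticationException(new ClientParameterMissingErrorCodeException(ClientParameterMissingErrorCodeException.SubPair.MISSING_APP_ID));
                }
                App app = SignatureAuthenticationWebFilter.this.appProvider.getApp(openApiRequestBody.getApp_id());
                if (app == null) {
                    throw new ErrorCodeAuthenticationException(new ClientParameterInvalidErrorCodeException(ClientParameterInvalidErrorCodeException.SubPair.INVALID_APP_ID));
                }
                // NOTE(review): the app is attached to the exchange before validate() runs, so the
                // attribute stays set even when validation fails. Anything reading it on the
                // failure path must not treat its presence as proof of a verified caller.
                CommonsGatewayUtils.setApp(serverWebExchange, app);
                // Presumably this is where the request signature is verified and a failure is
                // raised as an exception — confirm against the OpenApiRequestValidator in use.
                SignatureAuthenticationWebFilter.this.openApiRequestValidator.validate(path, openApiRequestBody, app);
                // Credentials and authorities are intentionally empty: the caller is identified
                // by the app id / app name only.
                PreAuthenticatedAuthenticationToken token = new PreAuthenticatedAuthenticationToken(new SpringUser(openApiRequestBody.getApp_id(), app.getAppName(), "", Collections.emptyList()), "", Collections.emptyList());
                String flowTagRequired = app.getFlowTagRequired();
                String flowTagFirst = app.getFlowTagFirst();
                if (StringUtils.hasText(flowTagRequired) || StringUtils.hasText(flowTagFirst)) {
                    // Both keys are always written (either value may be null or blank), so the map
                    // is sized for two entries.
                    HashMap<String, String> flowTags = new HashMap<>(2, 1.0f);
                    flowTags.put("flowTagRequired", flowTagRequired);
                    flowTags.put("flowTagFirst", flowTagFirst);
                    token.setDetails(flowTags);
                }
                return Mono.just(token);
            });
        }
    }

    /** Immutable bundle of the collaborators needed to build a {@link SignatureAuthenticationWebFilter}. */
    public static class Config {
        private final ServerCodecConfigurer codecConfigurer;
        private final AppProvider appProvider;
        private final OpenApiRequestValidator openApiRequestValidator;
        private final ReactiveAuthenticationManager authenticationManager;
        private final ServerAuthenticationSuccessHandler serverAuthenticationSuccessHandler;
        private final ServerAuthenticationFailureHandler serverAuthenticationFailureHandler;

        /**
         * @param serverCodecConfigurer source of the message readers used to parse the body
         * @param appProvider lookup of apps by app id
         * @param openApiRequestValidator validator run on every parsed request
         * @param reactiveAuthenticationManager manager handed to the delegate filter
         * @param serverAuthenticationSuccessHandler handler invoked by the delegate on success
         * @param serverAuthenticationFailureHandler handler invoked by the delegate on failure
         */
        public Config(ServerCodecConfigurer serverCodecConfigurer, AppProvider appProvider, OpenApiRequestValidator openApiRequestValidator, ReactiveAuthenticationManager reactiveAuthenticationManager, ServerAuthenticationSuccessHandler serverAuthenticationSuccessHandler, ServerAuthenticationFailureHandler serverAuthenticationFailureHandler) {
            this.codecConfigurer = serverCodecConfigurer;
            this.appProvider = appProvider;
            this.openApiRequestValidator = openApiRequestValidator;
            this.authenticationManager = reactiveAuthenticationManager;
            this.serverAuthenticationSuccessHandler = serverAuthenticationSuccessHandler;
            this.serverAuthenticationFailureHandler = serverAuthenticationFailureHandler;
        }

        public ServerCodecConfigurer getCodecConfigurer() {
            return this.codecConfigurer;
        }

        public AppProvider getAppProvider() {
            return this.appProvider;
        }

        public OpenApiRequestValidator getOpenApiRequestValidator() {
            return this.openApiRequestValidator;
        }

        public ReactiveAuthenticationManager getAuthenticationManager() {
            return this.authenticationManager;
        }

        public ServerAuthenticationSuccessHandler getServerAuthenticationSuccessHandler() {
            return this.serverAuthenticationSuccessHandler;
        }

        public ServerAuthenticationFailureHandler getServerAuthenticationFailureHandler() {
            return this.serverAuthenticationFailureHandler;
        }

        @Override
        public String toString() {
            return "SignatureAuthenticationWebFilter.Config(codecConfigurer=" + getCodecConfigurer() + ", appProvider=" + getAppProvider() + ", openApiRequestValidator=" + getOpenApiRequestValidator() + ", authenticationManager=" + getAuthenticationManager() + ", serverAuthenticationSuccessHandler=" + getServerAuthenticationSuccessHandler() + ", serverAuthenticationFailureHandler=" + getServerAuthenticationFailureHandler() + ")";
        }
    }

    /**
     * Wires the delegate {@link AuthenticationWebFilter} with this class's converter and the
     * handlers supplied by {@code config}.
     *
     * @param authMatcher decides which requests are subject to signature authentication
     * @param config collaborators for parsing, app lookup, validation and result handling
     */
    public SignatureAuthenticationWebFilter(AuthMatcher authMatcher, Config config) {
        this.messageReaders = config.getCodecConfigurer().getReaders();
        this.authMatcher = authMatcher;
        this.appProvider = config.getAppProvider();
        this.openApiRequestValidator = config.getOpenApiRequestValidator();
        this.authenticationWebFilter = new AuthenticationWebFilter(config.getAuthenticationManager());
        this.authenticationWebFilter.setServerAuthenticationConverter(new AppServerAuthenticationConverter());
        this.authenticationWebFilter.setAuthenticationSuccessHandler(config.getServerAuthenticationSuccessHandler());
        this.authenticationWebFilter.setAuthenticationFailureHandler(config.getServerAuthenticationFailureHandler());
    }

    /**
     * Applies signature authentication to auth paths and passes every other request through.
     *
     * <p>Auth-path requests must be POST (else 405) with a JSON-compatible Content-Type
     * (else 415; a missing Content-Type is not compatible and is rejected too). The body is
     * then cached, parsed and stored on the exchange before the delegate filter runs.
     *
     * @param serverWebExchange the current exchange
     * @param webFilterChain the remaining filter chain
     * @return completion signal of the request handling
     */
    public Mono<Void> filter(ServerWebExchange serverWebExchange, WebFilterChain webFilterChain) {
        String path = serverWebExchange.getRequest().getURI().getPath();
        if (!this.authMatcher.isAuthPath(serverWebExchange)) {
            if (log.isDebugEnabled()) {
                log.debug("request path:{} not a AuthPath, ignore authentication", path);
            }
            return webFilterChain.filter(serverWebExchange);
        }
        if (serverWebExchange.getRequest().getMethod() != HttpMethod.POST) {
            ServerHttpResponse response = serverWebExchange.getResponse();
            response.setStatusCode(HttpStatus.METHOD_NOT_ALLOWED);
            response.getHeaders().setContentType(MediaType.APPLICATION_JSON);
            return response.writeWith(Mono.empty());
        }
        MediaType contentType = serverWebExchange.getRequest().getHeaders().getContentType();
        if (!MediaType.APPLICATION_JSON.isCompatibleWith(contentType) && !MediaType.APPLICATION_JSON_UTF8.isCompatibleWith(contentType)) {
            ServerHttpResponse response2 = serverWebExchange.getResponse();
            response2.setStatusCode(HttpStatus.UNSUPPORTED_MEDIA_TYPE);
            response2.getHeaders().setContentType(MediaType.APPLICATION_JSON);
            return response2.writeWith(Mono.empty());
        }
        String scheme = serverWebExchange.getRequest().getURI().getScheme();
        if (("http".equals(scheme) || "https".equals(scheme)) && CommonsGatewayUtils.getOpenApiRequestBody(serverWebExchange) == null) {
            return ServerWebExchangeUtils.cacheRequestBodyAndRequest(serverWebExchange, serverHttpRequest -> {
                ServerRequest create = ServerRequest.create(serverWebExchange.mutate().request(serverHttpRequest).build(), this.messageReaders);
                return create.bodyToMono(OpenApiRequestBody.class).doOnError(th -> {
                    // The original built a second bodyToMono(String.class) pipeline here to log the
                    // raw body but never subscribed to it, so nothing was ever logged. It is replaced
                    // by a log line that records the path and failure type without the raw body.
                    if (log.isDebugEnabled()) {
                        log.debug("cache body failed, request path:{} cause:{}", path, th.getClass().getName());
                    }
                    // NOTE(review): the error response is written fire-and-forget with HTTP 200
                    // while the error signal keeps propagating downstream; a later error handler
                    // may attempt to write the same response. Kept as in the original.
                    ServerHttpResponse response3 = serverWebExchange.getResponse();
                    response3.setStatusCode(HttpStatus.OK);
                    response3.getHeaders().setContentType(MediaType.APPLICATION_JSON);
                    DataBuffer wrap = response3.bufferFactory().wrap(JsonUtils.serialize(InternalApiResponse.fail(new ClientParameterInvalidErrorCodeException(ClientParameterInvalidErrorCodeException.SubPair.INVALID_PARAMETER.getSub_code(), "Invalid:Request Body"))).getBytes(CHARSET));
                    response3.writeWith(Mono.just(wrap)).doOnError(writeError -> {
                        DataBufferUtils.release(wrap);
                    }).subscribe();
                }).doOnNext(openApiRequestBody -> {
                    // NOTE(review): this logs the parsed request body at debug level; depending on
                    // OpenApiRequestBody.toString() that may include the signature and business
                    // payload, so keep debug logging off for this class in production.
                    LogUtils.debugIfEnabled(log, () -> {
                        log.debug("request path:{} body:{}", path, openApiRequestBody);
                    });
                    // Keep whatever setOpenApiRequestBody hands back so it can be released in
                    // doFinally. Presumably this is the raw cached body buffer that the parsed
                    // body replaces — confirm against CommonsGatewayUtils.
                    Object previousCachedBody = CommonsGatewayUtils.setOpenApiRequestBody(serverWebExchange, openApiRequestBody);
                    if (previousCachedBody != null) {
                        serverWebExchange.getAttributes().put(CACHED_ORIGINAL_REQUEST_BODY_BACKUP_ATTR, previousCachedBody);
                    }
                });
            }).then(this.authenticationWebFilter.filter(serverWebExchange, webFilterChain)).doFinally(signalType -> {
                // Release the backed-up buffer on every termination signal to avoid a buffer leak.
                Object obj = serverWebExchange.getAttributes().get(CACHED_ORIGINAL_REQUEST_BODY_BACKUP_ATTR);
                if (obj instanceof DataBuffer) {
                    DataBufferUtils.release((DataBuffer) obj);
                }
            });
        }
        // NOTE(review): fail-open fall-through. An auth-path request whose scheme is neither http
        // nor https, or whose exchange already carries a parsed body, continues down the chain
        // without passing through authenticationWebFilter. Confirm that the parsed-body attribute
        // can only have been set by an earlier pass of this filter on the same exchange.
        return webFilterChain.filter(serverWebExchange);
    }
}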
