package y9.oauth2.resource.filter;

import com.auth0.jwk.InvalidPublicKeyException;
import com.auth0.jwk.JwkException;
import com.auth0.jwk.JwkProvider;
import com.auth0.jwk.JwkProviderBuilder;
import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTVerifier;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTVerificationException;
import com.auth0.jwt.exceptions.SignatureVerificationException;
import com.auth0.jwt.interfaces.DecodedJWT;
import jakarta.servlet.Filter;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.ServletRequest;
import jakarta.servlet.ServletResponse;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import jakarta.servlet.http.HttpSession;
import java.io.IOException;
import java.net.MalformedURLException;
import java.net.URI;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.PublicKey;
import java.security.interfaces.RSAPublicKey;
import java.util.Collections;
import java.util.Locale;
import java.util.Objects;
import java.util.concurrent.TimeUnit;
import lombok.Generated;
import net.risesoft.enums.platform.ManagerLevelEnum;
import net.risesoft.enums.platform.SexEnum;
import net.risesoft.exception.ErrorCode;
import net.risesoft.exception.GlobalErrorCodeEnum;
import net.risesoft.model.user.UserInfo;
import net.risesoft.pojo.Y9Result;
import net.risesoft.y9.Y9LoginUserHolder;
import net.risesoft.y9.configuration.feature.oauth2.resource.Y9Oauth2ResourceProperties;
import net.risesoft.y9.json.Y9JsonUtil;
import net.risesoft.y9.util.Y9EnumUtil;
import org.apache.commons.lang3.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.core.io.AbstractResource;
import org.springframework.core.io.ClassPathResource;
import org.springframework.core.io.FileSystemResource;
import org.springframework.core.io.UrlResource;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpMethod;
import org.springframework.http.HttpStatus;
import org.springframework.http.MediaType;
import org.springframework.http.RequestEntity;
import org.springframework.http.ResponseEntity;
import org.springframework.web.client.RestTemplate;

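/**
 * Servlet filter that guards this resource server with an OAuth 2.0 access token.
 *
 * <p>Every request must carry an access token (see {@link #getAccessTokenFromRequest}). The token is
 * first checked against the authorization server's introspection endpoint and rejected when it is not
 * active. A JWT token is then, when {@code jwt.validationRequired} is set, signature-checked locally
 * against the configured JWKS (see {@link #verify}) and its claims are mapped to a {@link UserInfo};
 * an opaque token is resolved through the profile endpoint instead. The resulting user is published
 * to the HTTP session and to {@link Y9LoginUserHolder} for the duration of the request, and the
 * holder is always cleared afterwards so thread-local identity cannot leak into the next request
 * served by the same thread.
 *
 * <p>Failures are answered with a JSON {@link Y9Result} body and a {@code WWW-Authenticate} header:
 * 401 for a missing, invalid or inactive token, 500 when the authorization server cannot be consulted.
 */
public class Y9Oauth2ResourceFilter implements Filter {

    private static final Logger LOGGER = LoggerFactory.getLogger(Y9Oauth2ResourceFilter.class);

    private static final String ACCESS_TOKEN_PARAM = "access_token";
    private static final String BEARER_PREFIX = "Bearer ";
    private static final String FILE_PREFIX = "file:";
    private static final String CLASSPATH_PREFIX = "classpath:";
    /** Claim every token minted by the platform carries; a verified JWT without it is rejected. */
    private static final String REQUIRED_CLAIM = "tenantId";

    private final RestTemplate restTemplate = new RestTemplate();
    private final Y9Oauth2ResourceProperties y9Oauth2ResourceProperties;
    /**
     * JWKS provider, built once on first use and shared by all requests so that its key cache and
     * its rate limit actually take effect (a provider built per request caches nothing).
     */
    private volatile JwkProvider jwkProvider;

    /**
     * @param y9Oauth2ResourceProperties resource-server settings (introspection/profile endpoints,
     *        client credentials, JWKS location)
     */
    public Y9Oauth2ResourceFilter(Y9Oauth2ResourceProperties y9Oauth2ResourceProperties) {
        this.y9Oauth2ResourceProperties =
            Objects.requireNonNull(y9Oauth2ResourceProperties, "y9Oauth2ResourceProperties");
    }

    /**
     * Authenticates the request by its access token and, on success, continues the chain with the
     * user published in the session and in {@link Y9LoginUserHolder}.
     *
     * <p>Any exception raised while consulting the authorization server or by downstream filters is
     * logged and answered with a 500 {@link GlobalErrorCodeEnum#FAILURE} body; the holder is cleared
     * in every case.
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain)
        throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) servletRequest;
        HttpServletResponse response = (HttpServletResponse) servletResponse;
        try {
            String accessToken = getAccessTokenFromRequest(request);
            if (StringUtils.isBlank(accessToken)) {
                setResponse(response, HttpStatus.UNAUTHORIZED, GlobalErrorCodeEnum.ACCESS_TOKEN_NOT_FOUND);
                return;
            }
            try {
                ResponseEntity<OAuth20IntrospectionAccessTokenResponse> introspection =
                    invokeIntrospectEndpoint(accessToken);
                OAuth20IntrospectionAccessTokenResponse introspectionBody = introspection.getBody();
                // A non-200 answer or an empty body means the server could not vouch for the token.
                if (introspection.getStatusCode().value() != HttpStatus.OK.value() || introspectionBody == null) {
                    setResponse(response, HttpStatus.UNAUTHORIZED, GlobalErrorCodeEnum.ACCESS_TOKEN_VERIFICATION_FAILED);
                    return;
                }
                if (!introspectionBody.isActive()) {
                    setResponse(response, HttpStatus.UNAUTHORIZED, GlobalErrorCodeEnum.ACCESS_TOKEN_EXPIRED);
                    return;
                }

                UserInfo userInfo;
                if (isJwtAccessToken(accessToken)) {
                    DecodedJWT jwt = JWT.decode(accessToken);
                    // Introspection already vouched for the token; the local check additionally proves
                    // that the claims read below were signed by a key in the configured JWKS.
                    if (this.y9Oauth2ResourceProperties.getJwt().isValidationRequired() && !verify(jwt)) {
                        setResponse(response, HttpStatus.UNAUTHORIZED, GlobalErrorCodeEnum.ACCESS_TOKEN_VERIFICATION_FAILED);
                        return;
                    }
                    userInfo = toUserInfo(jwt);
                } else {
                    String profile = invokeProfileEndpoint(accessToken).getBody();
                    if (profile == null) {
                        throw new IllegalStateException("profile endpoint returned no body");
                    }
                    // The profile endpoint renders absent attributes as "[]"; UserInfo expects strings there.
                    userInfo = Y9JsonUtil.readValue(profile.replace("[]", "\"\""), UserInfo.class);
                }

                if (userInfo != null) {
                    bindUser(request, accessToken, userInfo);
                }
                filterChain.doFilter(request, response);
            } catch (Exception e) {
                LOGGER.warn(e.getMessage(), e);
                setResponse(response, HttpStatus.INTERNAL_SERVER_ERROR, GlobalErrorCodeEnum.FAILURE);
            }
        } finally {
            // Never let the thread-local identity survive into the next request on this thread.
            Y9LoginUserHolder.clear();
        }
    }

    /**
     * Publishes the authenticated user to the HTTP session (creating one if needed) and to the
     * request-scoped {@link Y9LoginUserHolder}; the caller clears the holder when the request is done.
     */
    private void bindUser(HttpServletRequest request, String accessToken, UserInfo userInfo) {
        HttpSession session = request.getSession(true);
        session.setAttribute("access_token", accessToken);
        session.setAttribute("userInfo", userInfo);
        session.setAttribute("loginName", userInfo.getLoginName());
        session.setAttribute("positionId", userInfo.getPositionId());
        session.setAttribute("deptId", userInfo.getParentId());

        if (StringUtils.isNotBlank(userInfo.getPositionId())) {
            Y9LoginUserHolder.setPositionId(userInfo.getPositionId());
        } else if (StringUtils.isNotBlank(userInfo.getPositions())) {
            // No primary position: fall back to the first entry of the comma-separated list.
            Y9LoginUserHolder.setPositionId(userInfo.getPositions().split(",")[0]);
        }
        Y9LoginUserHolder.setTenantId(userInfo.getTenantId());
        Y9LoginUserHolder.setTenantName(userInfo.getTenantName());
        Y9LoginUserHolder.setTenantShortName(userInfo.getTenantShortName());
        Y9LoginUserHolder.setUserInfo(userInfo);
    }

    /**
     * Heuristic: a token with exactly three dot-separated segments is treated as a JWT.
     * Only the segment count is inspected; nothing is decoded or trusted here.
     */
    private boolean isJwtAccessToken(String token) {
        return StringUtils.isNotBlank(token) && token.split("\\.").length == 3;
    }

    /**
     * Extracts the access token from the {@code access_token} request parameter or, failing that,
     * from an {@code Authorization: Bearer ...} header.
     *
     * <p>The parameter form is kept for compatibility with existing clients; note that tokens passed
     * in the URL tend to end up in access logs and referrers, so the header form is preferred.
     *
     * @return the raw token, or {@code null}/blank when the request carries none
     */
    private String getAccessTokenFromRequest(HttpServletRequest request) {
        String token = request.getParameter(ACCESS_TOKEN_PARAM);
        if (StringUtils.isNotBlank(token)) {
            return token;
        }
        String authorization = request.getHeader(HttpHeaders.AUTHORIZATION);
        if (StringUtils.isNotBlank(authorization) && authorization.startsWith(BEARER_PREFIX)) {
            return authorization.substring(BEARER_PREFIX.length());
        }
        return token;
    }

    /**
     * Calls the authorization server's token introspection endpoint (RFC 7662) using the configured
     * client credentials.
     *
     * <p>The token is sent in the {@code application/x-www-form-urlencoded} body, as the RFC
     * specifies, rather than in the query string: it then neither appears in URL/access logs nor can
     * it smuggle extra parameters into the request, since it is form-encoded.
     */
    private ResponseEntity<OAuth20IntrospectionAccessTokenResponse> invokeIntrospectEndpoint(String accessToken) {
        HttpHeaders headers = new HttpHeaders();
        headers.setAccept(Collections.singletonList(MediaType.APPLICATION_JSON));
        headers.setContentType(MediaType.APPLICATION_FORM_URLENCODED);
        headers.setBasicAuth(this.y9Oauth2ResourceProperties.getOpaque().getClientId(),
            this.y9Oauth2ResourceProperties.getOpaque().getClientSecret(), StandardCharsets.UTF_8);
        String form = "token=" + URLEncoder.encode(accessToken, StandardCharsets.UTF_8);
        URI uri = URI.create(this.y9Oauth2ResourceProperties.getOpaque().getIntrospectionUri());
        RequestEntity<String> request = new RequestEntity<>(form, headers, HttpMethod.POST, uri);
        return this.restTemplate.exchange(request, OAuth20IntrospectionAccessTokenResponse.class);
    }

    /**
     * Fetches the profile (user attributes) for an opaque token. The token is sent as a bearer
     * header and, for servers that only read the parameter, URL-encoded in the query string.
     *
     * @return the raw JSON body as returned by the server
     */
    private ResponseEntity<String> invokeProfileEndpoint(String accessToken) {
        HttpHeaders headers = new HttpHeaders();
        headers.setAccept(Collections.singletonList(MediaType.APPLICATION_JSON));
        headers.setBearerAuth(accessToken);
        URI uri = URI.create(this.y9Oauth2ResourceProperties.getOpaque().getProfileUri()
            + "?" + ACCESS_TOKEN_PARAM + "=" + URLEncoder.encode(accessToken, StandardCharsets.UTF_8));
        RequestEntity<Void> request = new RequestEntity<>(headers, HttpMethod.GET, uri);
        return this.restTemplate.exchange(request, String.class);
    }

    /**
     * Writes a JSON {@link Y9Result#failure} body with the given status and a
     * {@code WWW-Authenticate} challenge. The response is explicitly UTF-8 so non-ASCII error
     * messages are not mangled by the container's default writer encoding.
     */
    private void setResponse(HttpServletResponse response, HttpStatus status, ErrorCode errorCode) {
        response.addHeader(HttpHeaders.WWW_AUTHENTICATE, "Bearer realm=\"risesoft\"");
        response.setStatus(status.value());
        // Must precede getWriter(), otherwise the encoding is fixed at the container default.
        response.setCharacterEncoding(StandardCharsets.UTF_8.name());
        response.setContentType(MediaType.APPLICATION_JSON_VALUE);
        try {
            response.getWriter().write(Y9JsonUtil.writeValueAsString(Y9Result.failure(errorCode)));
        } catch (IOException e) {
            LOGGER.warn("failed to write error response: {}", e.getMessage(), e);
        }
    }

    /**
     * Resolves a JWKS location into a Spring resource.
     *
     * @param location {@code file:...}, {@code classpath:...} or an {@code http(s)} URL; the prefix
     *        match is case-insensitive
     * @return the resource, or {@code null} when the location is null, uses an unknown scheme or is
     *         not a well-formed URL
     */
    public AbstractResource getResourceFrom(String location) {
        if (location == null) {
            return null;
        }
        String lowerCased = location.toLowerCase(Locale.ROOT);
        if (lowerCased.startsWith(FILE_PREFIX)) {
            // Strip only the leading scheme; removing every "file:" occurrence would corrupt paths.
            return new FileSystemResource(location.substring(FILE_PREFIX.length()));
        }
        if (lowerCased.startsWith(CLASSPATH_PREFIX)) {
            return new ClassPathResource(location.substring(CLASSPATH_PREFIX.length()));
        }
        if (!lowerCased.startsWith("http")) {
            return null;
        }
        try {
            return new UrlResource(location);
        } catch (MalformedURLException e) {
            LOGGER.warn("invalid jwks location [{}]: {}", location, e.getMessage(), e);
            return null;
        }
    }

    /**
     * Returns the shared JWKS provider, building it on first use from {@code jwt.jwksLocation}.
     * Keys are cached (up to 10 for 24h) and fetches are rate-limited (10 per minute); both are
     * only meaningful because the instance is reused across requests.
     *
     * @return the provider, or {@code null} when the configured location cannot be resolved
     * @throws IOException when the resource cannot be turned into a URL
     */
    private JwkProvider jwkProvider() throws IOException {
        JwkProvider provider = this.jwkProvider;
        if (provider == null) {
            synchronized (this) {
                provider = this.jwkProvider;
                if (provider == null) {
                    AbstractResource jwks = getResourceFrom(this.y9Oauth2ResourceProperties.getJwt().getJwksLocation());
                    if (jwks == null) {
                        return null;
                    }
                    provider = new JwkProviderBuilder(jwks.getURL())
                        .cached(10L, 24L, TimeUnit.HOURS)
                        .rateLimited(10L, 1L, TimeUnit.MINUTES)
                        .build();
                    this.jwkProvider = provider;
                }
            }
        }
        return provider;
    }

    /**
     * Maps the token's {@code alg} header to a verification algorithm bound to the JWKS key.
     *
     * @return the algorithm, or {@code null} when the header names an algorithm this filter does not
     *         accept (only RS256 and RS512 are) or the key is not an RSA key; the token must then be
     *         rejected rather than verified with a guessed algorithm
     */
    private static Algorithm resolveAlgorithm(String alg, PublicKey publicKey) {
        if (alg == null || !(publicKey instanceof RSAPublicKey)) {
            return null;
        }
        RSAPublicKey rsaPublicKey = (RSAPublicKey) publicKey;
        switch (alg) {
            case "RS256":
                return Algorithm.RSA256(rsaPublicKey);
            case "RS512":
                return Algorithm.RSA512(rsaPublicKey);
            default:
                return null;
        }
    }

    /**
     * Verifies a JWT against the key named by its {@code kid} header in the configured JWKS and
     * requires the {@code tenantId} claim to be present (java-jwt's standard time-based checks are
     * applied as well by the verifier).
     *
     * @return {@code true} only when every check passes; {@code false} for an unsupported
     *         algorithm, an unknown or non-RSA key, an unreachable JWKS, or a failed verification
     */
    private boolean verify(DecodedJWT decodedJWT) {
        try {
            JwkProvider provider = jwkProvider();
            if (provider == null) {
                return false;
            }
            PublicKey publicKey = provider.get(decodedJWT.getKeyId()).getPublicKey();
            Algorithm algorithm = resolveAlgorithm(decodedJWT.getAlgorithm(), publicKey);
            if (algorithm == null) {
                LOGGER.warn("rejecting token: unsupported algorithm [{}] or key type", decodedJWT.getAlgorithm());
                return false;
            }
            // The verifier checks the signature itself; a separate algorithm.verify() is redundant.
            JWT.require(algorithm).withClaimPresence(REQUIRED_CLAIM).build().verify(decodedJWT);
            return true;
        } catch (JwkException | JWTVerificationException | IOException e) {
            LOGGER.warn("token verification failed: {}", e.getMessage(), e);
            return false;
        }
    }

    /** Reads a boolean claim, treating an absent or non-boolean claim as {@code false}. */
    private static boolean claimAsBoolean(DecodedJWT jwt, String name) {
        Boolean value = jwt.getClaim(name).asBoolean();
        return value != null && value;
    }

    /**
     * Maps the platform's JWT claims to a {@link UserInfo}. Absent string claims map to {@code null},
     * absent boolean claims to {@code false}.
     */
    private UserInfo toUserInfo(DecodedJWT jwt) {
        UserInfo userInfo = new UserInfo();
        userInfo.setCaid(jwt.getClaim("caid").asString());
        userInfo.setEmail(jwt.getClaim("email").asString());
        userInfo.setGuidPath(jwt.getClaim("guidPath").asString());
        userInfo.setDn(jwt.getClaim("dn").asString());
        userInfo.setLoginName(jwt.getClaim("loginName").asString());
        userInfo.setName(jwt.getClaim("name").asString());
        userInfo.setLoginType(jwt.getClaim("loginType").asString());
        userInfo.setMobile(jwt.getClaim("mobile").asString());
        userInfo.setOriginal(claimAsBoolean(jwt, "original"));
        userInfo.setOriginalId(jwt.getClaim("originalId").asString());
        userInfo.setParentId(jwt.getClaim("parentId").asString());
        userInfo.setPersonId(jwt.getClaim("personId").asString());
        userInfo.setPositionId(jwt.getClaim("positionId").asString());
        userInfo.setSex(Y9EnumUtil.valueOf(SexEnum.class, jwt.getClaim("sex").asInt()));
        userInfo.setTenantId(jwt.getClaim("tenantId").asString());
        userInfo.setTenantShortName(jwt.getClaim("tenantShortName").asString());
        userInfo.setTenantName(jwt.getClaim("tenantName").asString());
        userInfo.setIdNum(jwt.getClaim("idNum").asString());
        userInfo.setAvator(jwt.getClaim("avator").asString());
        userInfo.setPersonType(jwt.getClaim("personType").asString());
        userInfo.setGlobalManager(claimAsBoolean(jwt, "globalManager"));
        userInfo.setManagerLevel(Y9EnumUtil.valueOf(ManagerLevelEnum.class, jwt.getClaim("managerLevel").asInt()));
        return userInfo;
    }
}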
