package org.apache.linkis.gateway.security;

import java.io.File;
import java.text.DateFormat;
import java.util.Date;
import java.util.HashSet;
import java.util.Locale;
import java.util.concurrent.TimeUnit;
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.lang3.exception.ExceptionUtils;
import org.apache.linkis.common.conf.Configuration$;
import org.apache.linkis.common.exception.LinkisException;
import org.apache.linkis.common.utils.Logging;
import org.apache.linkis.common.utils.Utils$;
import org.apache.linkis.gateway.config.GatewayConfiguration$;
import org.apache.linkis.gateway.http.GatewayContext;
import org.apache.linkis.gateway.http.GatewayHttpResponse;
import org.apache.linkis.gateway.security.sso.SSOInterceptor$;
import org.apache.linkis.gateway.security.token.TokenAuthentication$;
import org.apache.linkis.server.Message;
import org.apache.linkis.server.Message$;
import org.apache.linkis.server.conf.ServerConfiguration$;
import org.apache.linkis.server.exception.LoginExpireException;
import org.apache.linkis.server.exception.NonLoginException;
import org.apache.linkis.server.package$;
import org.slf4j.Logger;
import scala.Array$;
import scala.Function0;
import scala.MatchError;
import scala.None$;
import scala.Option;
import scala.Predef$;
import scala.collection.mutable.ArrayOps;
import scala.io.BufferedSource;
import scala.io.Source$;
import scala.reflect.ClassTag$;
import scala.runtime.BoxedUnit;
import scala.runtime.BoxesRunTime;
import scala.runtime.NonLocalReturnControl;

/* compiled from: SecurityFilter.scala */
/* loaded from: input_file:org/apache/linkis/gateway/security/SecurityFilter$.class */
/**
 * Decompiled singleton backing the Scala object {@code SecurityFilter} (see the
 * "compiled from: SecurityFilter.scala" marker above).
 *
 * <p>{@link #doFilter(GatewayContext)} is the gateway's request gate. In order it applies:
 * CORS/response headers, an optional source-address whitelist, optional Referer and HTTP-verb
 * validation, and then an authentication decision (user endpoint, pass-through URI prefixes,
 * token auth, existing login, test mode, SSO, no-auth URL regex).
 *
 * <p>This is decompiler output, not hand-written Java: names such as {@code $anonfun$...},
 * {@code MODULE$}, {@code BoxesRunTime} and {@code NonLocalReturnControl} are Scala compiler
 * artefacts, and {@code logger$lzycompute()} contains a declaration the decompiler could not type.
 */
public final class SecurityFilter$ implements Logging {
    // The single instance; assigned in the private constructor, which the static initializer runs.
    public static SecurityFilter$ MODULE$;
    // Value of BDP_SERVER_SECURITY_REFERER_VALIDATE, read once at construction.
    private final boolean refererValidate;
    // Value of BDP_SERVER_ADDRESS, read once at construction; doFilter splits it on ",".
    private final String referers;
    // Value of BDP_TEST_USER; the identity assigned to unauthenticated requests in test mode.
    private final String testUser;
    // Source-address whitelist, filled line by line from AUTH_IP_FILE by the init method.
    // NOTE(review): a plain java.util.HashSet that the scheduled task (see constructor) adds to
    // while doFilter reads it; HashSet is not safe for that if the two run on different threads
    // - confirm the threading model. Nothing in this class removes entries, so an address deleted
    // from the file appears to stay whitelisted until the process restarts.
    private final HashSet<String> ipSet;
    // Handler for requests under BDP_SERVER_USER_URI; null until setUserRestful is called.
    private UserRestful userRestful;
    // Lazily created logger; valid once bitmap$0 is true.
    private Logger logger;
    // Lazy-initialisation flag for the logger field.
    private volatile boolean bitmap$0;

    static {
        // Instantiating the class assigns MODULE$ (see the constructor).
        new SecurityFilter$();
    }

    /** Forwards to the {@code Logging} trait's trace helper. */
    public void trace(Function0<String> function0) {
        Logging.trace$(this, function0);
    }

    /** Forwards to the {@code Logging} trait's debug helper. */
    public void debug(Function0<String> function0) {
        Logging.debug$(this, function0);
    }

    /** Forwards to the {@code Logging} trait's info helper. */
    public void info(Function0<String> function0) {
        Logging.info$(this, function0);
    }

    /** Forwards to the {@code Logging} trait's info helper, with a throwable. */
    public void info(Function0<String> function0, Throwable th) {
        Logging.info$(this, function0, th);
    }

    /** Forwards to the {@code Logging} trait's warn helper. */
    public void warn(Function0<String> function0) {
        Logging.warn$(this, function0);
    }

    /** Forwards to the {@code Logging} trait's warn helper, with a throwable. */
    public void warn(Function0<String> function0, Throwable th) {
        Logging.warn$(this, function0, th);
    }

    /** Forwards to the {@code Logging} trait's error helper, with a throwable. */
    public void error(Function0<String> function0, Throwable th) {
        Logging.error$(this, function0, th);
    }

    /** Forwards to the {@code Logging} trait's error helper. */
    public void error(Function0<String> function0) {
        Logging.error$(this, function0);
    }

    /* JADX WARN: Multi-variable type inference failed */
    /* JADX WARN: Type inference failed for: r0v0 */
    /* JADX WARN: Type inference failed for: r0v1, types: [java.lang.Throwable] */
    /* JADX WARN: Type inference failed for: r0v8, types: [org.apache.linkis.gateway.security.SecurityFilter$] */
    /**
     * Creates the logger on first use. The flag is re-checked while holding the lock on
     * {@code this} (r0 is assigned {@code this}), so the logger is created at most once.
     * The {@code ?? r0} declaration is a decompiler failure, not valid Java.
     */
    private Logger logger$lzycompute() {
        ?? r0 = this;
        synchronized (r0) {
            if (!this.bitmap$0) {
                this.logger = Logging.logger$(this);
                r0 = this;
                r0.bitmap$0 = true;
            }
        }
        return this.logger;
    }

    /** Returns the logger, initialising it through {@code logger$lzycompute()} when the flag is unset. */
    public Logger logger() {
        return !this.bitmap$0 ? logger$lzycompute() : this.logger;
    }

    /** Accessor for the Referer-validation switch. */
    private boolean refererValidate() {
        return this.refererValidate;
    }

    /** Accessor for the comma-separated list of accepted Referer values. */
    private String referers() {
        return this.referers;
    }

    /** Accessor for the test-mode user name. */
    public String testUser() {
        return this.testUser;
    }

    /** Accessor for the source-address whitelist. */
    private HashSet<String> ipSet() {
        return this.ipSet;
    }

    /**
     * Decides whether a gateway request may proceed.
     *
     * <p>When the method returns {@code false} after a rejection, the response has already been
     * written through {@link #filterResponse} or a redirect. For requests under
     * BDP_SERVER_USER_URI it also returns {@code false} after delegating to the user handler.
     *
     * @param gatewayContext the request/response pair being filtered
     * @return {@code true} to let the request continue, {@code false} otherwise
     */
    public boolean doFilter(GatewayContext gatewayContext) {
        boolean z;
        // Identity token for the Scala non-local return thrown from the login lambda below.
        Object obj = new Object();
        try {
            // Runs before every check, so rejected responses carry the CORS headers too.
            addAccessHeaders(gatewayContext);
            if (BoxesRunTime.unboxToBoolean(GatewayConfiguration$.MODULE$.ENABLE_GATEWAY_AUTH().getValue())) {
                // Whitelist key: the remote address rendered as text with every "/" removed.
                // NOTE(review): if getAddress() is a java.net.InetAddress with a populated host
                // name, toString() is "host/literal" and stripping "/" gives "hostliteral", which
                // would not match a bare address entry (fails closed) - confirm the type.
                // NOTE(review): this is the transport peer; behind a reverse proxy every request
                // presumably shows the proxy's address - confirm the deployment.
                String replaceAll = gatewayContext.getRequest().getRemoteAddress().getAddress().toString().replaceAll("/", "");
                int port = gatewayContext.getRequest().getRemoteAddress().getPort();
                // Exact string membership. An empty set (e.g. the whitelist file never loaded)
                // rejects every request while ENABLE_GATEWAY_AUTH is on.
                if (!ipSet().contains(replaceAll)) {
                    logger().error(new StringBuilder(42).append(replaceAll).append(" and ").append(port).append(" is not in whitelist, it is dangerous").toString());
                    filterResponse(gatewayContext, Message$.MODULE$.error(new StringBuilder(20).append(replaceAll).append(" is not in whitelist").toString()));
                    return false;
                }
            }
            if (refererValidate()) {
                String[] strArr = gatewayContext.getRequest().getHeaders().get("Referer");
                // True when any configured entry is contained in the first Referer value.
                // An empty `referers` setting yields an empty array, so this is always false then.
                // NOTE(review): $anonfun$doFilter$1 uses String.contains, i.e. a substring test
                // rather than a comparison of the parsed scheme/host/port, so a Referer that only
                // embeds a configured value somewhere in its text is accepted. Parsing the header
                // and comparing the origin exactly would be the stricter check.
                boolean exists = new ArrayOps.ofRef(Predef$.MODULE$.refArrayOps(StringUtils.isNotEmpty(referers()) ? referers().split(",") : (String[]) Array$.MODULE$.empty(ClassTag$.MODULE$.Nothing()))).exists(str -> {
                    return BoxesRunTime.boxToBoolean($anonfun$doFilter$1(strArr, str));
                });
                // A Referer is present but matches no configured entry: reject.
                if (strArr != null && new ArrayOps.ofRef(Predef$.MODULE$.refArrayOps(strArr)).nonEmpty() && StringUtils.isNotEmpty((CharSequence) new ArrayOps.ofRef(Predef$.MODULE$.refArrayOps(strArr)).head()) && !exists) {
                    filterResponse(gatewayContext, package$.MODULE$.validateFailed("Unallowed cross-site request(不允许的跨站请求)！"));
                    return false;
                }
                // A missing or empty Referer is rejected for ordinary requests; WebSocket requests
                // without a Referer skip this check. The message reads "referer is empty, access
                // cannot continue".
                if (!gatewayContext.isWebSocketRequest() && (strArr == null || new ArrayOps.ofRef(Predef$.MODULE$.refArrayOps(strArr)).isEmpty() || StringUtils.isEmpty((CharSequence) new ArrayOps.ofRef(Predef$.MODULE$.refArrayOps(strArr)).head()))) {
                    filterResponse(gatewayContext, package$.MODULE$.validateFailed("referer为空,不能继续访问"));
                    return false;
                }
                // HTTP-verb allow-list. It only runs when Referer validation is enabled, and it
                // accepts TRACE and CONNECT along with the common verbs.
                // NOTE(review): toUpperCase uses the JVM default locale; under a locale with
                // special casing rules (e.g. Turkish dotted/dotless i) a lower-case method name
                // may not upper-case to the ASCII constant and would be rejected. Locale.ROOT
                // would make the comparison locale-independent.
                String upperCase = gatewayContext.getRequest().getMethod().toUpperCase(Locale.getDefault());
                if (!("GET".equals(upperCase) ? true : "POST".equals(upperCase) ? true : "PUT".equals(upperCase) ? true : "DELETE".equals(upperCase) ? true : "HEAD".equals(upperCase) ? true : "TRACE".equals(upperCase) ? true : "CONNECT".equals(upperCase) ? true : "OPTIONS".equals(upperCase))) {
                    filterResponse(gatewayContext, package$.MODULE$.validateFailed("Do not use HTTP verbs to tamper with(不可使用HTTP动词篡改)！"));
                    return false;
                }
                BoxedUnit boxedUnit = BoxedUnit.UNIT;
            }
            // True when the request URI starts with any non-empty PASS_AUTH_REQUEST_URI entry.
            // NOTE(review): a plain prefix test on getRequestURI(); whether that value is already
            // decoded and normalised (dot segments, encoded separators) is not visible here -
            // confirm, because this flag can waive authentication below.
            boolean exists2 = new ArrayOps.ofRef(Predef$.MODULE$.refArrayOps(GatewayConfiguration$.MODULE$.PASS_AUTH_REQUEST_URI())).exists(str2 -> {
                return BoxesRunTime.boxToBoolean($anonfun$doFilter$2(gatewayContext, str2));
            });
            if (gatewayContext.getRequest().getRequestURI().startsWith((String) ServerConfiguration$.MODULE$.BDP_SERVER_USER_URI().getValue())) {
                // User endpoint: delegate to the injected handler; any throwable goes to
                // $anonfun$doFilter$4, which logs it and writes an error response.
                Utils$.MODULE$.tryCatch(() -> {
                    MODULE$.userRestful().doUserRequest(gatewayContext);
                }, th -> {
                    $anonfun$doFilter$4(gatewayContext, th);
                    return BoxedUnit.UNIT;
                });
                // The request is not forwarded; presumably doUserRequest has produced the response.
                z = false;
            } else if (exists2 && !BoxesRunTime.unboxToBoolean(GatewayConfiguration$.MODULE$.ENABLE_SSO_LOGIN().getValue())) {
                // Pass-through prefix and SSO disabled: allowed with no authentication at all.
                // NOTE(review): the request URI is written to the log as received; confirm the
                // logging layout neutralises CR/LF in it.
                logger().info(new StringBuilder(31).append("No login needed for proxy uri: ").append(gatewayContext.getRequest().getRequestURI()).toString());
                z = true;
            } else if (TokenAuthentication$.MODULE$.isTokenRequest(gatewayContext)) {
                // Token requests are decided entirely by TokenAuthentication.
                z = TokenAuthentication$.MODULE$.tokenAuth(gatewayContext, TokenAuthentication$.MODULE$.tokenAuth$default$2());
            } else if (((Option) Utils$.MODULE$.tryCatch(() -> {
                return GatewaySSOUtils$.MODULE$.getLoginUser(gatewayContext);
            }, th2 -> {
                // Not logged in, or the login expired.
                if (th2 instanceof NonLoginException ? true : th2 instanceof LoginExpireException) {
                    // In test mode the failure becomes "no user" and falls to the test-mode branch.
                    if (BoxesRunTime.unboxToBoolean(Configuration$.MODULE$.IS_TEST_MODE().getValue())) {
                        return None$.MODULE$;
                    }
                    // Otherwise answer with a no-login message and make doFilter return false
                    // through a Scala non-local return keyed on `obj`.
                    MODULE$.filterResponse(gatewayContext, Message$.MODULE$.noLogin(th2.getMessage()).$less$less(gatewayContext.getRequest().getRequestURI()));
                    throw new NonLocalReturnControl.mcZ.sp(obj, false);
                }
                if (th2 == null) {
                    throw new MatchError(th2);
                }
                // Any other failure is logged and rethrown to the caller of doFilter.
                MODULE$.logger().warn("", th2);
                throw th2;
            })).isDefined()) {
                // A login user was found for this request.
                z = true;
            } else if (BoxesRunTime.unboxToBoolean(Configuration$.MODULE$.IS_TEST_MODE().getValue())) {
                // NOTE(review): with IS_TEST_MODE set, every request that reaches this branch
                // without a login is signed in as the configured test user and allowed. The
                // setting has to stay off outside test environments.
                logger().info(new StringBuilder(26).append("test mode! login for uri: ").append(gatewayContext.getRequest().getRequestURI()).toString());
                GatewaySSOUtils$.MODULE$.setLoginUser(gatewayContext, testUser());
                z = true;
            } else if (BoxesRunTime.unboxToBoolean(GatewayConfiguration$.MODULE$.ENABLE_SSO_LOGIN().getValue())) {
                // SSO: ask the configured interceptor which user this request belongs to.
                String user = SSOInterceptor$.MODULE$.getSSOInterceptor().getUser(gatewayContext);
                if (StringUtils.isNotBlank(user)) {
                    GatewaySSOUtils$.MODULE$.setLoginUser(gatewayContext.getRequest(), user, GatewaySSOUtils$.MODULE$.setLoginUser$default$3());
                    z = true;
                } else if (exists2) {
                    // Pass-through prefix with SSO enabled and no user: redirect to the SSO URL.
                    gatewayContext.getResponse().redirectTo(SSOInterceptor$.MODULE$.getSSOInterceptor().redirectTo(gatewayContext.getRequest().getURI()));
                    gatewayContext.getResponse().sendResponse();
                    z = false;
                } else {
                    // Other URIs get a no-login message that carries the SSO URL as data.
                    filterResponse(gatewayContext, Message$.MODULE$.noLogin("You are not logged in, please login first(您尚未登录，请先登录)!").data("enableSSO", BoxesRunTime.boxToBoolean(true)).data("SSOURL", SSOInterceptor$.MODULE$.getSSOInterceptor().redirectTo(gatewayContext.getRequest().getURI())).$less$less(gatewayContext.getRequest().getRequestURI()));
                    z = false;
                }
            } else if (gatewayContext.getRequest().getRequestURI().matches((String) GatewayConfiguration$.MODULE$.GATEWAY_NO_AUTH_URL_REGEX().getValue())) {
                // String.matches needs the whole URI to match, and compiles the regex per call.
                // NOTE(review): a broad GATEWAY_NO_AUTH_URL_REGEX waives login for every URI it
                // covers; keep the pattern as narrow as the deployment allows.
                logger().info(new StringBuilder(56).append("Not logged in, still let it pass (GATEWAY_NO_AUTH_URL): ").append(gatewayContext.getRequest().getRequestURI()).toString());
                z = true;
            } else {
                // Default: not authenticated, reject.
                filterResponse(gatewayContext, Message$.MODULE$.noLogin("You are not logged in, please login first(您尚未登录，请先登录)!").$less$less(gatewayContext.getRequest().getRequestURI()));
                z = false;
            }
            return z;
        } catch (NonLocalReturnControl e) {
            // Only the control exception created in this invocation is turned into a return value.
            if (e.key() == obj) {
                return e.value$mcZ$sp();
            }
            throw e;
        }
    }

    /** Accessor for the user-endpoint handler. */
    private UserRestful userRestful() {
        return this.userRestful;
    }

    /** Scala-generated setter for the user-endpoint handler. */
    private void userRestful_$eq(UserRestful userRestful) {
        this.userRestful = userRestful;
    }

    /** Injects the handler used for requests under BDP_SERVER_USER_URI. */
    public void setUserRestful(UserRestful userRestful) {
        userRestful_$eq(userRestful);
    }

    /**
     * Writes {@code message} as the response: the status is derived from the message, the body is
     * the message's response form, and the response is then sent.
     */
    public void filterResponse(GatewayContext gatewayContext, Message message) {
        gatewayContext.getResponse().setStatus(Message$.MODULE$.messageToHttpStatus(message));
        gatewayContext.getResponse().write(Message$.MODULE$.response(message));
        gatewayContext.getResponse().sendResponse();
    }

    /**
     * Loads the whitelist: resolves AUTH_IP_FILE as a class-loader resource, reads it as UTF-8 and
     * adds every line to {@code ipSet}, closing the source afterwards.
     *
     * <p>Lines are added verbatim: no trimming and no skipping of blank lines, so an entry with
     * stray whitespace will not equal the address string built in {@code doFilter}.
     * NOTE(review): getResource(...) returns null for a missing file; the resulting exception is
     * handed to Utils.tryAndError with the logger (presumably logged and swallowed - confirm),
     * which leaves the set as it was.
     */
    public void org$apache$linkis$gateway$security$SecurityFilter$$init() {
        Utils$.MODULE$.tryAndError(() -> {
            BufferedSource fromFile = Source$.MODULE$.fromFile(new File(MODULE$.getClass().getClassLoader().getResource((String) GatewayConfiguration$.MODULE$.AUTH_IP_FILE().getValue()).toURI().getPath()), "UTF-8");
            new ArrayOps.ofRef(Predef$.MODULE$.refArrayOps((String[]) Utils$.MODULE$.tryFinally(() -> {
                return (String[]) fromFile.getLines().toArray(ClassTag$.MODULE$.apply(String.class));
            }, () -> {
                fromFile.close();
            }))).foreach(str -> {
                return BoxesRunTime.boxToBoolean($anonfun$init$4(str));
            });
        }, logger());
    }

    /**
     * Sets the CORS headers and a Date header on the response.
     *
     * <p>NOTE(review): Access-Control-Allow-Credentials is always "true", so the configured
     * GATEWAY_HEADER_ALLOW_ORIGIN decides which origins may read credentialed responses; it should
     * name explicit trusted origins (browsers do not honour "*" together with credentials).
     * NOTE(review): the Date value comes from DateFormat.getDateTimeInstance(0, 0, ...), where 0 is
     * DateFormat.FULL, so it is a locale-formatted date in the JVM time zone rather than the
     * HTTP-date format.
     */
    public void addAccessHeaders(GatewayContext gatewayContext) {
        GatewayHttpResponse response = gatewayContext.getResponse();
        response.setHeader("Access-Control-Allow-Origin", (String) GatewayConfiguration$.MODULE$.GATEWAY_HEADER_ALLOW_ORIGIN().getValue());
        response.setHeader("Access-Control-Allow-Credentials", "true");
        response.setHeader("Access-Control-Allow-Headers", "authorization,Content-Type");
        response.setHeader("Access-Control-Allow-Methods", (String) GatewayConfiguration$.MODULE$.GATEWAY_HEADER_ALLOW_METHOD().getValue());
        response.setHeader("Date", DateFormat.getDateTimeInstance(0, 0, new Locale("EN", "en")).format(new Date()));
    }

    /**
     * Referer predicate: true when the first Referer value is non-empty and, after trimming,
     * contains {@code str} (one configured entry) as a substring.
     */
    public static final /* synthetic */ boolean $anonfun$doFilter$1(String[] strArr, String str) {
        return strArr != null && new ArrayOps.ofRef(Predef$.MODULE$.refArrayOps(strArr)).nonEmpty() && StringUtils.isNotEmpty((CharSequence) new ArrayOps.ofRef(Predef$.MODULE$.refArrayOps(strArr)).head()) && ((String) new ArrayOps.ofRef(Predef$.MODULE$.refArrayOps(strArr)).head()).trim().contains(str);
    }

    /** Pass-through predicate: true when {@code str} is non-empty and the request URI starts with it. */
    public static final /* synthetic */ boolean $anonfun$doFilter$2(GatewayContext gatewayContext, String str) {
        return !str.equals("") && gatewayContext.getRequest().getRequestURI().startsWith(str);
    }

    /**
     * Error handler for the user endpoint: logs the failure and returns an error message.
     *
     * <p>NOTE(review): for throwables other than LinkisException the root-cause message is sent to
     * the client as well as logged, which can disclose internal detail; a generic client message
     * with the detail kept in the log would be the safer split.
     */
    public static final /* synthetic */ void $anonfun$doFilter$4(GatewayContext gatewayContext, Throwable th) {
        String message = th instanceof LinkisException ? ((LinkisException) th).getMessage() : new StringBuilder(22).append("login failed! reason: ").append(ExceptionUtils.getRootCauseMessage(th)).toString();
        MODULE$.logger().error(new StringBuilder(22).append("login failed! Reason: ").append(message).toString(), th);
        MODULE$.filterResponse(gatewayContext, Message$.MODULE$.error(message).$less$less(gatewayContext.getRequest().getRequestURI()));
    }

    /** Adds one whitelist line to {@code ipSet}; returns whether the set changed. */
    public static final /* synthetic */ boolean $anonfun$init$4(String str) {
        return MODULE$.ipSet().add(str);
    }

    /**
     * Builds the singleton: publishes {@code MODULE$}, initialises logging, reads the Referer and
     * test-user settings, and creates the empty whitelist. When ENABLE_GATEWAY_AUTH is set, the
     * whitelist loader is scheduled on the default scheduler with no initial delay and a
     * two-minute period.
     */
    private SecurityFilter$() {
        MODULE$ = this;
        Logging.$init$(this);
        this.refererValidate = BoxesRunTime.unboxToBoolean(ServerConfiguration$.MODULE$.BDP_SERVER_SECURITY_REFERER_VALIDATE().getValue());
        this.referers = (String) ServerConfiguration$.MODULE$.BDP_SERVER_ADDRESS().getValue();
        this.testUser = (String) ServerConfiguration$.MODULE$.BDP_TEST_USER().getValue();
        this.ipSet = new HashSet<>();
        if (BoxesRunTime.unboxToBoolean(GatewayConfiguration$.MODULE$.ENABLE_GATEWAY_AUTH().getValue())) {
            // Each run re-reads the file and only adds lines; see the note on the ipSet field.
            Utils$.MODULE$.defaultScheduler().scheduleAtFixedRate(new Runnable() { // from class: org.apache.linkis.gateway.security.SecurityFilter$$anon$1
                @Override // java.lang.Runnable
                public void run() {
                    Utils$.MODULE$.tryAndError(() -> {
                        SecurityFilter$.MODULE$.org$apache$linkis$gateway$security$SecurityFilter$$init();
                    }, SecurityFilter$.MODULE$.logger());
                }
            }, 0L, 2L, TimeUnit.MINUTES);
        } else {
            BoxedUnit boxedUnit = BoxedUnit.UNIT;
        }
    }
}
