package team.sailboat.commons.ms.authclient;

import com.nimbusds.jose.util.Base64URL;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.ServletRequest;
import jakarta.servlet.ServletResponse;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import jakarta.servlet.http.HttpSession;
import java.io.IOException;
import java.util.Base64;
import java.util.Date;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.context.ApplicationEventPublisher;
import org.springframework.context.ApplicationEventPublisherAware;
import org.springframework.core.log.LogMessage;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.authentication.InternalAuthenticationServiceException;
import org.springframework.security.authentication.event.InteractiveAuthenticationSuccessEvent;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import org.springframework.security.web.authentication.NullRememberMeServices;
import org.springframework.security.web.authentication.RememberMeServices;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;
import org.springframework.security.web.authentication.session.NullAuthenticatedSessionStrategy;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
import org.springframework.security.web.util.matcher.RequestHeaderRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.web.filter.GenericFilterBean;
import team.sailboat.commons.fan.app.AppContext;
import team.sailboat.commons.fan.excep.ExceptionAssist;
import team.sailboat.commons.fan.http.Request;
import team.sailboat.commons.fan.http.URLCoder;
import team.sailboat.commons.fan.json.JSONArray;
import team.sailboat.commons.fan.json.JSONObject;
import team.sailboat.commons.fan.text.XString;

/* loaded from: input_file:team/sailboat/commons/ms/authclient/CorsTokenLoginFilter.class */
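/**
 * Servlet filter that signs a caller in from a {@code cors-token-auth} request header.
 *
 * <p>For requests carrying that header and lacking a valid {@link CoupleAuthenticationToken} in the
 * security context, the filter posts the header value to the configured authorization server with
 * {@code grant_type=cors_token}, compares the request's {@code Referer} header with the
 * {@code referer} claim in the token payload, and builds a {@link CoupleAuthenticationToken} from
 * the returned access token.
 *
 * <p>Security-relevant points for maintainers:
 * <ul>
 *   <li>The claims read here (both from the header token and from the access token) are only
 *       Base64URL-decoded locally; no signature is verified in this class. Trust in them rests on
 *       the authorization-server call succeeding first. NOTE(review): confirm that the client's
 *       {@code ask(...)} fails on a rejected token.</li>
 *   <li>The {@code Referer} header is client-controlled and is an origin hint, not an
 *       authentication factor.</li>
 * </ul>
 */
public class CorsTokenLoginFilter extends GenericFilterBean implements ApplicationEventPublisherAware {
    OAuthClientConf mClientConf;
    protected ApplicationEventPublisher eventPublisher;
    final Logger mLogger = LoggerFactory.getLogger(getClass());
    final URLCoder mURLCoder = URLCoder.getDefault();
    SessionAuthenticationStrategy sessionStrategy = new NullAuthenticatedSessionStrategy();
    RememberMeServices rememberMeServices = new NullRememberMeServices();
    AuthenticationFailureHandler failureHandler = new SimpleUrlAuthenticationFailureHandler();
    // Only requests that carry this header are considered by the filter.
    RequestMatcher requiresAuthenticationRequestMatcher = new RequestHeaderRequestMatcher("cors-token-auth");

    /**
     * Creates the filter.
     *
     * @param oAuthClientConf client configuration supplying the authorization-server client, the
     *     token path, the client id, the callback URL and the local login path
     */
    public CorsTokenLoginFilter(OAuthClientConf oAuthClientConf) {
        this.mClientConf = oAuthClientConf;
    }

    /**
     * Decides whether this request must go through the token login.
     *
     * @param httpServletRequest current request
     * @param httpServletResponse current response (unused here)
     * @return {@code false} when the request has no {@code cors-token-auth} header, or when the
     *     security context already holds an authenticated, unexpired
     *     {@link CoupleAuthenticationToken}; {@code true} otherwise
     */
    protected boolean requireAuth(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        if (!this.requiresAuthenticationRequestMatcher.matches(httpServletRequest)) {
            return false;
        }
        // Declared as the interface type: the context may hold any Authentication implementation.
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        // instanceof is false for null, so this also covers the "nobody signed in" case.
        if (!(authentication instanceof CoupleAuthenticationToken)) {
            return true;
        }
        CoupleAuthenticationToken coupleToken = (CoupleAuthenticationToken) authentication;
        return !coupleToken.isAuthenticated() || coupleToken.isExpired();
    }

    /**
     * Runs the token login when {@link #requireAuth} asks for it, then continues the chain.
     *
     * <p>When {@link #attemptAuthentication} returns {@code null} the chain is not continued; the
     * method simply returns.
     *
     * @throws IOException if the authorization-server exchange or token decoding fails
     * @throws ServletException propagated from the chain or the failure handler
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;
        HttpServletResponse httpServletResponse = (HttpServletResponse) servletResponse;
        if (!requireAuth(httpServletRequest, httpServletResponse)) {
            filterChain.doFilter(httpServletRequest, httpServletResponse);
            return;
        }
        try {
            Authentication attemptAuthentication = attemptAuthentication(httpServletRequest, httpServletResponse);
            if (attemptAuthentication == null) {
                return;
            }
            this.sessionStrategy.onAuthentication(attemptAuthentication, httpServletRequest, httpServletResponse);
            SecurityContextHolder.getContext().setAuthentication(attemptAuthentication);
            if (this.logger.isDebugEnabled()) {
                // NOTE(review): this prints the token's toString(); confirm that
                // CoupleAuthenticationToken does not render the access/refresh token there.
                this.logger.debug(LogMessage.format("Set SecurityContextHolder to %s", attemptAuthentication));
            }
            this.rememberMeServices.loginSuccess(httpServletRequest, httpServletResponse, attemptAuthentication);
            if (this.eventPublisher != null) {
                this.eventPublisher.publishEvent(new InteractiveAuthenticationSuccessEvent(attemptAuthentication, getClass()));
            }
            clearAuthenticationAttributes(httpServletRequest);
            filterChain.doFilter(httpServletRequest, httpServletResponse);
        } catch (InternalAuthenticationServiceException e) {
            // The subclass has to be caught before AuthenticationException; in the opposite order
            // this branch is unreachable and internal failures are never logged at error level.
            this.logger.error("An internal error occurred while trying to authenticate the user.", e);
            unsuccessfulAuthentication(httpServletRequest, httpServletResponse, e);
        } catch (AuthenticationException e) {
            unsuccessfulAuthentication(httpServletRequest, httpServletResponse, e);
        }
    }

    /**
     * Exchanges the {@code cors-token-auth} header for an access token and builds the
     * authentication object.
     *
     * @return the authenticated token, or {@code null} when the request was matched against the
     *     local login path or an {@code access_denied} redirect was sent
     * @throws AuthenticationException when the header is empty or the {@code Referer} header does
     *     not match the token's {@code referer} claim
     * @throws IOException when the authorization-server call or the token decoding fails; other
     *     exceptions raised in that step are wrapped
     */
    public Authentication attemptAuthentication(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws AuthenticationException, IOException, ServletException {
        // NOTE(review): this compares the context path, not the request path, with the local
        // login path; confirm that is the intended comparison.
        if (httpServletRequest.getContextPath().equals(this.mClientConf.getLocalLoginPath())) {
            return null;
        }
        String errorParam = httpServletRequest.getParameter("error");
        if (XString.isNotEmpty(errorParam) && "access_denied".equals(errorParam)) {
            // The request URL is appended to the query string without parameter encoding.
            httpServletResponse.sendRedirect(XString.msgFmt("{}/error_view?http-status=403&msg={}&url={}", new Object[]{httpServletRequest.getContextPath(), this.mURLCoder.encodeParam("您目前无权限访问此应用!"), httpServletRequest.getRequestURL()}));
            return null;
        }
        String corsToken = httpServletRequest.getHeader("cors-token-auth");
        if (XString.isEmpty(corsToken)) {
            throw new AuthenticationServiceException("cors-token-auth不能为空！");
        }
        try {
            // NOTE(review): the token travels as a query parameter; if the HTTP client places
            // query parameters in the URL it can end up in access logs along the way.
            JSONObject tokenResponse = (JSONObject) this.mClientConf.getAuthCenterClient().ask(Request.POST().path(this.mClientConf.getAuthServerTokenPath()).queryParam("client_id", this.mClientConf.getClientId()).queryParam("grant_type", "cors_token").queryParam("token", corsToken).queryParam("redirect_uri", this.mClientConf.getCodeCallbackUrl()));
            // Payload of the header token, decoded only after the server call above returned.
            String allowedReferer = new JSONObject(new String(Base64.getUrlDecoder().decode(XString.lastSeg_i(corsToken, '.', 1)), AppContext.sUTF8)).optString("referer");
            String requestReferer = httpServletRequest.getHeader("referer");
            // NOTE(review): this is a plain prefix match. If the claim is absent and optString
            // yields an empty string, every non-null Referer passes; and a claim without a
            // trailing delimiter also matches longer host names that begin with it. Consider
            // rejecting an empty claim and comparing parsed origins instead.
            if (requestReferer == null || !requestReferer.startsWith(allowedReferer)) {
                throw new AuthenticationServiceException("不允许的调用源！");
            }
            String accessToken = tokenResponse.optString("access_token");
            String refreshToken = tokenResponse.optString("refresh_token");
            // Access-token payload is decoded without signature verification in this class.
            JSONObject claims = new JSONObject(new String(Base64URL.from(XString.seg_i(accessToken, '.', 1)).decode(), "UTF-8"));
            // iat/exp are multiplied by 1000 to obtain the millisecond values Date expects.
            Date issuedAt = new Date(claims.optLong("iat") * 1000);
            Date expiresAt = new Date(claims.optLong("exp") * 1000);
            JSONArray auths = claims.optJSONArray("auths");
            JSONObject detail = claims.optJSONObject("detail");
            User user = new User(detail.optString("id"), claims.optString("sub"), auths != null ? auths.toStringArray() : null);
            user.setRealName(detail.optString("realName"));
            user.setSex(detail.optString("sex"));
            user.setAdditionProperties(detail);
            CoupleAuthenticationToken coupleAuthenticationToken = new CoupleAuthenticationToken(accessToken, refreshToken, user, issuedAt, expiresAt);
            coupleAuthenticationToken.setAuthenticated(true);
            return coupleAuthenticationToken;
        } catch (AuthenticationException e) {
            // Keep authentication rejections (the Referer mismatch above) as
            // AuthenticationException so doFilter routes them to the failure handler; the generic
            // branch below would otherwise wrap them into IOException.
            throw e;
        } catch (Exception e) {
            this.mLogger.error(ExceptionAssist.getClearMessage(getClass(), e, "连接的目标端是：" + String.valueOf(this.mClientConf.getAuthCenterClient())));
            if (e instanceof IOException) {
                throw ((IOException) e);
            }
            throw new IOException(e);
        }
    }

    /**
     * Clears the security context, notifies the remember-me services and delegates to the
     * failure handler.
     *
     * @param authenticationException the failure that ended the login attempt
     */
    protected void unsuccessfulAuthentication(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticationException authenticationException) throws IOException, ServletException {
        SecurityContextHolder.clearContext();
        this.logger.trace("Failed to process authentication request", authenticationException);
        this.logger.trace("Cleared SecurityContextHolder");
        this.logger.trace("Handling authentication failure");
        this.rememberMeServices.loginFail(httpServletRequest, httpServletResponse);
        this.failureHandler.onAuthenticationFailure(httpServletRequest, httpServletResponse, authenticationException);
    }

    /** Stores the publisher used to emit {@link InteractiveAuthenticationSuccessEvent}. */
    @Override
    public void setApplicationEventPublisher(ApplicationEventPublisher applicationEventPublisher) {
        this.eventPublisher = applicationEventPublisher;
    }

    /**
     * Removes the {@code SPRING_SECURITY_LAST_EXCEPTION} attribute from the existing session, if
     * there is one. No session is created.
     */
    public void clearAuthenticationAttributes(HttpServletRequest httpServletRequest) {
        HttpSession session = httpServletRequest.getSession(false);
        if (session != null) {
            session.removeAttribute("SPRING_SECURITY_LAST_EXCEPTION");
        }
    }
}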
