package team.sailboat.commons.ms.xca;

import jakarta.servlet.http.HttpServletRequest;
import java.io.UnsupportedEncodingException;
import java.nio.charset.StandardCharsets;
import java.security.InvalidKeyException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.Base64;
import java.util.Collections;
import java.util.HashSet;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.function.BiPredicate;
import java.util.function.Function;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.http.HttpStatus;
import team.sailboat.commons.fan.collection.AutoCleanHashMap;
import team.sailboat.commons.fan.collection.XC;
import team.sailboat.commons.fan.excep.HttpException;
import team.sailboat.commons.fan.http.IdentityTrace;
import team.sailboat.commons.fan.lang.Assert;
import team.sailboat.commons.fan.lang.JCommon;
import team.sailboat.commons.fan.text.XString;
import team.sailboat.commons.ms.cors.CORSFilter;

/* loaded from: input_file:team/sailboat/commons/ms/xca/XAppSignChecker.class */
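/**
 * Verifies the HMAC request signature carried in the {@code X-Ca-*} headers and
 * resolves the calling application to an {@link AppCertificate}.
 *
 * <p>The string to sign is rebuilt on the server from the request (see
 * {@link #buildStringToSign}): upper-cased method, {@code contextPath + servletPath},
 * the sorted parameters, the {@code Accept}/{@code Content-MD5}/{@code Content-Type}/{@code Date}
 * headers, the {@code X-Ca-*} headers, and finally every extra header listed in
 * {@code X-Ca-Signature-Headers}; sections are separated by {@code '\n'}. The
 * client's Base64 signature is compared with the recomputed one in constant time.
 *
 * <p>Thread-safety: the replay cache {@link #mOnceIdMap} is shared across requests;
 * whether its {@code put} is an atomic check-and-set depends on
 * {@code AutoCleanHashMap}, which is not visible here.
 */
public class XAppSignChecker implements IAppSignChecker {
    /** Maximum accepted skew, in milliseconds, between {@code X-Ca-Timestamp} and the server clock (10 min). */
    static final int mTimeBias = 600000;
    /** Algorithm used when the client sends no {@code X-Ca-Signature-Algorithm} header. */
    static final String DEFAULT_ALGORITHM = "HmacSHA256";
    /**
     * MAC algorithms a client may select through {@code X-Ca-Signature-Algorithm}.
     * The header is attacker-controlled, so it is checked against this allow-list
     * before it reaches {@link Mac#getInstance(String)}; anything else is a 400.
     */
    static final Set<String> SUPPORTED_ALGORITHMS = Collections.unmodifiableSet(new HashSet<>(
            Arrays.asList("HmacSHA1", DEFAULT_ALGORITHM, "HmacSHA384", "HmacSHA512")));
    /** Optional gate {@code (appKey, request) -> allowed}; {@code null} means every app key may call. */
    BiPredicate<String, HttpServletRequest> mCanVisitPred;
    /** Resolves the registered client app for an {@code X-Ca-Key}; must not be {@code null}. */
    Function<String, IClientApp> mAppByAppKey;
    final Logger mLogger = LoggerFactory.getLogger(getClass());
    /**
     * Recently seen nonces, used to reject replays. Entries expire after 10 units of
     * whatever {@code withExpired_Created} measures — presumably minutes, so that it
     * covers the {@link #mTimeBias} window; confirm against AutoCleanHashMap.
     */
    final Map<String, Object> mOnceIdMap = AutoCleanHashMap.withExpired_Created(10);

    /**
     * @param biPredicate optional access gate evaluated with the app key and the request; may be {@code null}
     * @param function    app lookup by app key; required
     * @throws RuntimeException if {@code function} is {@code null} (whatever {@code Assert.notNull} throws)
     */
    public XAppSignChecker(BiPredicate<String, HttpServletRequest> biPredicate, Function<String, IClientApp> function) {
        this.mCanVisitPred = biPredicate;
        this.mAppByAppKey = function;
        Assert.notNull(this.mAppByAppKey);
    }

    /**
     * Validates the request signature and returns the caller's certificate.
     *
     * <p>Checks, in order: presence of {@code X-Ca-Signature}; presence, parsability and
     * freshness of {@code X-Ca-Timestamp}; presence and uniqueness of {@code X-Ca-Nonce};
     * presence of {@code X-Ca-Key}; the optional access predicate; a registered app with a
     * non-empty secret; an allow-listed algorithm; and finally the HMAC itself.
     *
     * @param request the incoming request
     * @return an {@link AppKeySecret} for the resolved app
     * @throws HttpException 400 for a missing/invalid header, expired timestamp, replayed nonce,
     *                       unknown key or unsupported algorithm; 403 when the access predicate
     *                       denies the call or the signature does not match; 500 if the secret
     *                       cannot be used as a MAC key
     * @throws UnsupportedEncodingException never thrown any more (kept for interface compatibility)
     */
    @Override // team.sailboat.commons.ms.xca.IAppSignChecker
    public AppCertificate check(HttpServletRequest request) throws HttpException, IllegalStateException, UnsupportedEncodingException {
        String signature = request.getHeader("X-Ca-Signature");
        if (XString.isEmpty(signature)) {
            // Reject unsigned requests before they can touch the nonce cache.
            throw httpError(HttpStatus.BAD_REQUEST.value(), request, XString.msgFmt("缺少头信息：{}！", new Object[]{"X-Ca-Signature"}));
        }

        String timestampHeader = request.getHeader("X-Ca-Timestamp");
        if (XString.isEmpty(timestampHeader)) {
            throw httpError(HttpStatus.BAD_REQUEST.value(), request, XString.msgFmt("缺少头信息：{}！", new Object[]{"X-Ca-Timestamp"}));
        }
        long timestamp;
        try {
            timestamp = Long.parseLong(timestampHeader);
        } catch (NumberFormatException e) {
            // A non-numeric timestamp is a client error, not a server fault.
            throw httpError(HttpStatus.BAD_REQUEST.value(), request, XString.msgFmt("无效的{}！", new Object[]{"X-Ca-Timestamp"}));
        }
        if (Math.abs(System.currentTimeMillis() - timestamp) > mTimeBias) {
            throw httpError(HttpStatus.BAD_REQUEST.value(), request, "请求过期！");
        }

        String nonce = request.getHeader("X-Ca-Nonce");
        if (XString.isEmpty(nonce)) {
            // Without a nonce every request would share one cache key (or NPE in the map).
            throw httpError(HttpStatus.BAD_REQUEST.value(), request, XString.msgFmt("缺少头信息：{}！", new Object[]{"X-Ca-Nonce"}));
        }
        // NOTE(review): the nonce is recorded before the MAC is verified, so a well-formed
        // but wrongly signed request still consumes that nonce value for the cache window.
        if (this.mOnceIdMap.put(nonce, JCommon.sNullObject) != null) {
            throw httpError(HttpStatus.BAD_REQUEST.value(), request, XString.msgFmt("{}重复！", new Object[]{nonce}));
        }

        String appKey = request.getHeader("X-Ca-Key");
        if (XString.isEmpty(appKey)) {
            throw httpError(HttpStatus.BAD_REQUEST.value(), request, XString.msgFmt("缺少头信息：{}！", new Object[]{"X-Ca-Key"}));
        }
        if (this.mCanVisitPred != null && !this.mCanVisitPred.test(appKey, request)) {
            this.mLogger.warn("拒绝访问！" + IdentityTrace.get(request).toString());
            throw httpError(HttpStatus.FORBIDDEN.value(), request, XString.msgFmt("禁止访问：{}-{}！", new Object[]{request.getMethod(), request.getServletPath()}));
        }

        IClientApp app = this.mAppByAppKey.apply(appKey);
        String secret = app == null ? null : app.getAppSecret();
        if (XString.isEmpty(secret)) {
            throw httpError(HttpStatus.BAD_REQUEST.value(), request, XString.msgFmt("无效的{}！", new Object[]{"X-Ca-Key"}));
        }

        String algorithm = (String) JCommon.defaultIfEmpty(request.getHeader("X-Ca-Signature-Algorithm"), DEFAULT_ALGORITHM);
        if (!SUPPORTED_ALGORITHMS.contains(algorithm)) {
            throw httpError(HttpStatus.BAD_REQUEST.value(), request, "不支持的算法：" + algorithm);
        }

        String stringToSign = buildStringToSign(request);
        try {
            Mac mac = Mac.getInstance(algorithm);
            byte[] keyBytes = secret.getBytes(StandardCharsets.UTF_8);
            mac.init(new SecretKeySpec(keyBytes, 0, keyBytes.length, algorithm));
            byte[] expected = Base64.getEncoder()
                    .encodeToString(mac.doFinal(stringToSign.getBytes(StandardCharsets.UTF_8)))
                    .getBytes(StandardCharsets.UTF_8);
            byte[] provided = signature.getBytes(StandardCharsets.UTF_8);
            // Constant-time comparison of the Base64 texts; a plain equals() leaks the
            // position of the first differing byte through timing.
            if (!MessageDigest.isEqual(expected, provided)) {
                // The rejection message is CORSFilter.DEFAULT_EXPOSED_HEADERS in the decompiled
                // bytecode — presumably a constant-folded empty string; kept as-is.
                throw httpError(HttpStatus.FORBIDDEN.value(), request, CORSFilter.DEFAULT_EXPOSED_HEADERS);
            }
            return new AppKeySecret(app.getId(), app.getAppKey(), app.getAppSecret());
        } catch (InvalidKeyException e) {
            throw httpError(HttpStatus.INTERNAL_SERVER_ERROR.value(), request, "服务出现错误！");
        } catch (NoSuchAlgorithmException e) {
            // Unreachable for allow-listed names unless the provider lacks them; kept defensively.
            throw httpError(HttpStatus.BAD_REQUEST.value(), request, "不支持的算法：" + algorithm);
        }
    }

    /**
     * Rebuilds the canonical string the client was expected to sign.
     *
     * <p>Layout: {@code METHOD\n<contextPath><servletPath>\n<params>\n<standard headers>\n<X-Ca headers>\n<extra headers>}.
     *
     * @param request the request to canonicalise
     * @return the string to sign
     */
    static String buildStringToSign(HttpServletRequest request) {
        StringBuilder sb = new StringBuilder();
        sb.append(request.getMethod().toUpperCase(Locale.ROOT)).append('\n')
          .append(request.getContextPath()).append(request.getServletPath()).append('\n');
        spliceParams(request, sb);
        sb.append('\n');
        spliceHeaders(request, sb, "Accept", "Content-MD5", "Content-Type", "Date");
        sb.append('\n');
        spliceHeaders(request, sb, "X-Ca-Nonce", "X-Ca-Key", "X-Ca-Timestamp", "X-Ca-Signature-Headers", "X-Ca-Signature-Algorithm");
        sb.append('\n');
        String signedHeaders = request.getHeader("X-Ca-Signature-Headers");
        if (XString.isNotEmpty(signedHeaders)) {
            spliceHeaders(request, sb, signedHeaders.split(","));
        }
        return sb.toString();
    }

    /**
     * Builds the {@link HttpException} shape used throughout this class: status and
     * request method set, the two path/detail arguments left {@code null}.
     */
    private static HttpException httpError(int status, HttpServletRequest request, String message) {
        return new HttpException(status, request.getMethod(), (String) null, (String) null, message);
    }

    /**
     * Appends the request parameters as {@code name=value&name=value}, names sorted,
     * and a multi-valued parameter repeated once per (sorted) value. A parameter with
     * no values is appended as a bare name; a {@code null} value yields a bare name too.
     *
     * @param request source of the parameter map
     * @param sb      destination
     */
    static void spliceParams(HttpServletRequest request, StringBuilder sb) {
        Map<String, String[]> parameterMap = request.getParameterMap();
        String[] names = parameterMap.keySet().toArray(new String[0]);
        Arrays.sort(names);
        boolean first = true;
        for (String name : names) {
            if (!first) {
                sb.append('&');
            }
            first = false;
            sb.append(name);
            String[] values = parameterMap.get(name);
            if (!XC.isNotEmpty(values)) {
                continue;
            }
            if (values.length == 1) {
                if (values[0] != null) {
                    sb.append('=').append(values[0]);
                }
                continue;
            }
            // Sort a copy: the array belongs to the request's parameter map.
            String[] sorted = values.clone();
            Arrays.sort(sorted);
            for (int i = 0; i < sorted.length; i++) {
                if (i > 0) {
                    sb.append('&').append(name);
                }
                if (sorted[i] != null) {
                    sb.append('=').append(sorted[i]);
                }
            }
        }
    }

    /**
     * Appends {@code name:value;name:value} for the given header names, in the given
     * order. A header the request lacks contributes {@code CORSFilter.DEFAULT_EXPOSED_HEADERS}
     * as its value (presumably an empty string after constant folding by the decompiler).
     *
     * @param request source of the headers
     * @param sb      destination
     * @param names   header names to include
     */
    static void spliceHeaders(HttpServletRequest request, StringBuilder sb, String... names) {
        boolean first = true;
        for (String name : names) {
            if (!first) {
                sb.append(';');
            }
            first = false;
            String value = (String) JCommon.defaultIfNull(request.getHeader(name), CORSFilter.DEFAULT_EXPOSED_HEADERS);
            sb.append(name).append(':').append(value);
        }
    }
}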
