package com.dtyunxi.cube.starter.api.auth;

import cn.hutool.core.lang.Assert;
import com.alibaba.fastjson.JSON;
import com.dtyunxi.app.ServiceContext;
import com.dtyunxi.cube.starter.api.auth.api.IRoleQueryApi;
import com.dtyunxi.cube.starter.api.auth.consts.AuthTypeEnum;
import com.dtyunxi.cube.starter.api.auth.dto.ApiValidateDto;
import com.dtyunxi.cube.starter.api.auth.properties.ApiAuthConfigVo;
import com.dtyunxi.cube.starter.api.auth.properties.ApiAuthVo;
import com.dtyunxi.exceptions.BizException;
import com.dtyunxi.rest.RestResponse;
import com.dtyunxi.util.SpringBeanUtil;
import com.dtyunxi.yundt.module.context.biz.ContextConstants;
import com.dtyunxi.yundt.module.context.common.config.UrlWhiteList;
import java.io.IOException;
import java.io.PrintWriter;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;
import java.util.stream.Collectors;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.collections.CollectionUtils;
import org.apache.commons.lang3.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.util.StopWatch;
import org.springframework.web.servlet.HandlerInterceptor;

/* loaded from: input_file:com/dtyunxi/cube/starter/api/auth/ApiAuthInterceptor.class */
public class ApiAuthInterceptor implements HandlerInterceptor {
    private static final Logger logger = LoggerFactory.getLogger(ApiAuthInterceptor.class);
    private final String module;
    private UrlWhiteList configPathList;
    private IRoleQueryApi roleQueryApi;
    private Map<String, ApiAuthConfigVo> apiAuthMap;
    private static final String MSG_USER_UNAUTHORIZED = "{\"resultCode\":403,\"resultMsg\":\"user unauthorized\"}";
    private static final String API_AUTH_PASS_BY = "yes-req-apiAuthPassBy";
    private static final String SUFFIX_QUERY_API = "QueryApi";
    private static final String BEST_MATCH_PATH_PATTER = "org.springframework.web.servlet.HandlerMapping.bestMatchingPattern";

    public ApiAuthInterceptor(String str, ApiAuthVo apiAuthVo) {
        this.module = str;
        init(apiAuthVo);
    }

    public boolean preHandle(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Object obj) throws Exception {
        StopWatch stopWatch = new StopWatch("API鉴权");
        stopWatch.start("api auth");
        String str = (String) httpServletRequest.getAttribute(BEST_MATCH_PATH_PATTER);
        String method = httpServletRequest.getMethod();
        if ("OPTIONS".equals(method)) {
            return true;
        }
        if (ContextConstants.REQ_SOURCE_FEIGN.equals(httpServletRequest.getHeader(ContextConstants.KEY_REQ_SOURCE))) {
            logger.debug("请求来自feign调用，不进行API鉴权。path:{}", str);
            return true;
        }
        ApiValidateDto apiValidateDto = new ApiValidateDto();
        apiValidateDto.setUserId(ServiceContext.getContext().getRequestUserId());
        apiValidateDto.setModule(this.module);
        apiValidateDto.setPath(str);
        apiValidateDto.setMethod(method);
        boolean validate = validate(apiValidateDto, httpServletResponse);
        stopWatch.stop();
        logger.debug("{}", stopWatch.prettyPrint());
        return validate;
    }

    private void init(ApiAuthVo apiAuthVo) {
        this.apiAuthMap = new HashMap();
        List<ApiAuthConfigVo> config = apiAuthVo.getConfig();
        if (CollectionUtils.isEmpty(config)) {
            logger.warn("没有配置任何API授权规则");
            return;
        }
        ArrayList arrayList = new ArrayList();
        Iterator<ApiAuthConfigVo> it = config.iterator();
        while (it.hasNext()) {
            assembleApiAuthMap(this.apiAuthMap, arrayList, it.next());
        }
        this.configPathList = new UrlWhiteList();
        this.configPathList.init(arrayList, (String) null);
        logAuthConfig();
    }

    private void logAuthConfig() {
        if (this.apiAuthMap.isEmpty()) {
            return;
        }
        Set<Map.Entry<String, ApiAuthConfigVo>> entrySet = this.apiAuthMap.entrySet();
        HashMap hashMap = new HashMap();
        for (Map.Entry<String, ApiAuthConfigVo> entry : entrySet) {
            String key = entry.getKey();
            ApiAuthConfigVo value = entry.getValue();
            String authType = value.getAuthType();
            String path = value.getPath();
            logger.info("加载API鉴权规则, authType:{} api:{} 授权给角色:{}, 授权给应用模板:{}", new Object[]{authType, key, value.getRoleIdSet(), value.getApplicationIdSet()});
            if (hashMap.containsKey(path)) {
                ((Set) hashMap.get(path)).add(authType);
            } else {
                HashSet hashSet = new HashSet();
                hashSet.add(authType);
                hashMap.put(path, hashSet);
            }
        }
        for (Map.Entry entry2 : hashMap.entrySet()) {
            Set set = (Set) entry2.getValue();
            String str = (String) entry2.getKey();
            if (set != null && set.size() > 1) {
                logger.warn("为{} 配置类多种类型的鉴权规则, 类型分别为：{}，请注意规则只会有一个生效，生效的优先级为：基于角色[authType:1] -> 基于应用模板[authType:2] -> 基于角色或者应用模板[authType:3] -> 基于角色和应用模板[authType:4]", str, JSON.toJSONString(set));
            }
        }
    }

    private void assembleApiAuthMap(Map<String, ApiAuthConfigVo> map, List<String> list, ApiAuthConfigVo apiAuthConfigVo) {
        if (isValidConfig(apiAuthConfigVo)) {
            String path = apiAuthConfigVo.getPath();
            list.add(path);
            String patternPath = getPatternPath(path);
            String method = apiAuthConfigVo.getMethod();
            String authType = apiAuthConfigVo.getAuthType();
            String str = !StringUtils.isEmpty(patternPath) ? patternPath + ":" + authType : method + ":" + path + ":" + authType;
            String roleIds = apiAuthConfigVo.getRoleIds();
            String applicationIds = apiAuthConfigVo.getApplicationIds();
            Set<Long> convert2Set = convert2Set(roleIds);
            Set<Long> convert2Set2 = convert2Set(applicationIds);
            if (map.containsKey(str)) {
                mergeApiAuthConfigVo(convert2Set, convert2Set2, map.get(str));
            } else {
                map.put(str, createApiAuthConfigVo(path, method, authType, convert2Set, convert2Set2));
            }
        }
    }

    private boolean isValidConfig(ApiAuthConfigVo apiAuthConfigVo) {
        String path = apiAuthConfigVo.getPath();
        String method = apiAuthConfigVo.getMethod();
        String authType = apiAuthConfigVo.getAuthType();
        String roleIds = apiAuthConfigVo.getRoleIds();
        String applicationIds = apiAuthConfigVo.getApplicationIds();
        if (StringUtils.isEmpty(path) || StringUtils.isEmpty(method) || StringUtils.isEmpty(authType)) {
            logger.warn("配置的API鉴权规则格式错误，忽略该配置, path:{} method:{} authType:{}", new Object[]{path, method, authType});
            return false;
        }
        AuthTypeEnum authTypeEnum = AuthTypeEnum.getInstance(Integer.parseInt(authType));
        Assert.notNull(authTypeEnum, "未支持的授权类型({})", new Object[]{authType});
        switch (authTypeEnum) {
            case ROLE:
                if (!StringUtils.isEmpty(roleIds)) {
                    return true;
                }
                logger.warn("{} 配置了基于角色的API鉴权规则，但是没有配置授予角色, 忽略该配置", path);
                return false;
            case APPLICATION:
                if (!StringUtils.isEmpty(applicationIds)) {
                    return true;
                }
                logger.warn("{} 配置了基于应用模板的API鉴权规则，但是没有配置授予应用模板, 忽略该配置", path);
                return false;
            case ROLE_OR_APPLICATION:
                if (!StringUtils.isEmpty(roleIds) || !StringUtils.isEmpty(applicationIds)) {
                    return true;
                }
                logger.warn("{} 配置了基于角色或者应用模板的API鉴权规则，但是授予角色和授予应用模板都没有配置, 忽略该配置", path);
                return false;
            case ROLE_AND_APPLICATION:
                if (!StringUtils.isEmpty(roleIds) && !StringUtils.isEmpty(applicationIds)) {
                    return true;
                }
                logger.warn("{} 配置了基于角色和应用模板的API鉴权规则，但是授予角色或授予应用模板为空, 忽略该配置", path);
                return false;
            default:
                return true;
        }
    }

    private String getPatternPath(String str) {
        String str2 = "(((/[a-zA-Z0-9-|_]+)*|(/\\{[a-zA-Z0-9-|_]+\\}))*)+";
        if (str.contains("/**")) {
            return Pattern.compile(str.replace("/**", str2).replace("/*", "((/[a-zA-Z0-9-|_]+)*|(/\\{[a-zA-Z0-9-|_]+\\}))*")).pattern();
        }
        if (str.contains("/*")) {
            return Pattern.compile(str.replace("/*", "((/[a-zA-Z0-9-|_]+)*|(/\\{[a-zA-Z0-9-|_]+\\}))*")).pattern();
        }
        return null;
    }

    private void mergeApiAuthConfigVo(Set<Long> set, Set<Long> set2, ApiAuthConfigVo apiAuthConfigVo) {
        Set<Long> roleIdSet = apiAuthConfigVo.getRoleIdSet();
        if (!CollectionUtils.isEmpty(set)) {
            if (roleIdSet == null) {
                roleIdSet = new HashSet();
                apiAuthConfigVo.setRoleIdSet(roleIdSet);
            }
            roleIdSet.addAll(set);
        }
        if (CollectionUtils.isEmpty(set2)) {
            return;
        }
        Set<Long> applicationIdSet = apiAuthConfigVo.getApplicationIdSet();
        if (applicationIdSet == null) {
            applicationIdSet = new HashSet();
            apiAuthConfigVo.setApplicationIdSet(applicationIdSet);
        }
        applicationIdSet.addAll(set2);
    }

    private ApiAuthConfigVo createApiAuthConfigVo(String str, String str2, String str3, Set<Long> set, Set<Long> set2) {
        ApiAuthConfigVo apiAuthConfigVo = new ApiAuthConfigVo();
        apiAuthConfigVo.setRoleIdSet(set);
        apiAuthConfigVo.setApplicationIdSet(set2);
        apiAuthConfigVo.setPath(str);
        apiAuthConfigVo.setMethod(str2);
        apiAuthConfigVo.setAuthType(str3);
        return apiAuthConfigVo;
    }

    private Set<Long> convert2Set(String str) {
        if (StringUtils.isEmpty(str)) {
            return null;
        }
        List asList = Arrays.asList(str.split(","));
        HashSet hashSet = new HashSet();
        hashSet.addAll((Collection) asList.stream().filter(str2 -> {
            return !StringUtils.isEmpty(str2);
        }).map(Long::parseLong).collect(Collectors.toList()));
        return hashSet;
    }

    private boolean validate(ApiValidateDto apiValidateDto, HttpServletResponse httpServletResponse) {
        String path = apiValidateDto.getPath();
        String method = apiValidateDto.getMethod();
        String attachment = ServiceContext.getContext().getAttachment(API_AUTH_PASS_BY);
        logger.info("api auth check path:{} method:{} apiAuthPassBy:{}", new Object[]{path, method, attachment});
        if (!StringUtils.isEmpty(attachment)) {
            logger.info(" {} {} 已经在{} 完成API权限检查，不继续检查", new Object[]{method, path, attachment});
            return true;
        }
        if (!this.configPathList.isWhiteList(path)) {
            logger.info("{} 没有配置API鉴权规则,不作权限检查", path);
            return true;
        }
        String matchPattern = this.configPathList.matchPattern(path);
        logger.info("path [{}] match pattern [{}]", path, matchPattern);
        String str = !StringUtils.isEmpty(matchPattern) ? matchPattern : method + ":" + path;
        String str2 = str + ":" + AuthTypeEnum.ROLE.getValue();
        String str3 = str + ":" + AuthTypeEnum.APPLICATION.getValue();
        String str4 = str + ":" + AuthTypeEnum.ROLE_AND_APPLICATION.getValue();
        String str5 = str + ":" + AuthTypeEnum.ROLE_OR_APPLICATION.getValue();
        ApiAuthConfigVo apiAuthConfigVo = this.apiAuthMap.get(str2);
        ApiAuthConfigVo apiAuthConfigVo2 = this.apiAuthMap.get(str3);
        ApiAuthConfigVo apiAuthConfigVo3 = this.apiAuthMap.get(str4);
        ApiAuthConfigVo apiAuthConfigVo4 = this.apiAuthMap.get(str5);
        if (apiAuthConfigVo == null && apiAuthConfigVo2 == null && apiAuthConfigVo3 == null && apiAuthConfigVo4 == null) {
            logger.info(" {} {} 没有配置有效的API鉴权规则,不作权限检查", method, path);
            return true;
        }
        if (apiAuthConfigVo != null) {
            return apiAuthByRole(str, apiAuthConfigVo, httpServletResponse);
        }
        if (apiAuthConfigVo2 != null) {
            return authByApplication(str, apiAuthConfigVo2, httpServletResponse);
        }
        if (apiAuthConfigVo4 != null) {
            return apiAuthByRoleOrApplication(str, apiAuthConfigVo4, httpServletResponse);
        }
        if (apiAuthConfigVo3 != null) {
            return apiAuthByRoleAndApplication(str, apiAuthConfigVo3, httpServletResponse);
        }
        return false;
    }

    private boolean authByApplication(String str, ApiAuthConfigVo apiAuthConfigVo, HttpServletResponse httpServletResponse) {
        Long requestApplicationId = ServiceContext.getContext().getRequestApplicationId();
        logger.debug("{} 配置了类型为 [2 应用模板] 的API鉴权规则，当前应用模板id{}", str, requestApplicationId);
        if (null == requestApplicationId) {
            logger.warn("{} 配置了类型为 [2 应用模板] 的API鉴权规则，，但当前应用模板id为空", requestApplicationId);
            return unAuthorized(str, httpServletResponse);
        }
        if (applicationHasPermission(str, apiAuthConfigVo, requestApplicationId)) {
            return authorized();
        }
        logger.warn("应用模板{} 没有拥有 {} 权限", requestApplicationId, str);
        return unAuthorized(str, httpServletResponse);
    }

    private boolean apiAuthByRole(String str, ApiAuthConfigVo apiAuthConfigVo, HttpServletResponse httpServletResponse) {
        Long requestUserId = ServiceContext.getContext().getRequestUserId();
        logger.debug("{} 配置了类型为 [1 角色] 的API鉴权规则，当前用户id{}", str, requestUserId);
        Assert.notNull(requestUserId, "当前用户id为空", new Object[0]);
        if (roleHasPermission(str, apiAuthConfigVo, requestUserId)) {
            return authorized();
        }
        logger.warn("用户{} 没有拥有 {} 权限", requestUserId, str);
        return unAuthorized(str, httpServletResponse);
    }

    private boolean roleHasPermission(String str, ApiAuthConfigVo apiAuthConfigVo, Long l) {
        try {
            if (this.roleQueryApi == null) {
                initRoleQueryApi();
            }
            RestResponse<List<Long>> queryRoleByUserId = this.roleQueryApi.queryRoleByUserId(l);
            if (null != queryRoleByUserId && "0".equals(queryRoleByUserId.getResultCode())) {
                List<Long> list = (List) queryRoleByUserId.getData();
                if (!CollectionUtils.isEmpty(list)) {
                    for (Long l2 : list) {
                        if (apiAuthConfigVo.getRoleIdSet().contains(l2)) {
                            logger.info("{} 有为角色[{}] 配置API鉴权规则", str, l2);
                            return true;
                        }
                    }
                }
            }
            return false;
        } catch (Exception e) {
            logger.error(e.getMessage(), e);
            throw new BizException(e.getMessage());
        }
    }

    private boolean applicationHasPermission(String str, ApiAuthConfigVo apiAuthConfigVo, Long l) {
        boolean contains = apiAuthConfigVo.getApplicationIdSet().contains(l);
        if (contains) {
            logger.info("{} 有为应用模板[{}] 配置API鉴权规则", str, l);
        }
        return contains;
    }

    private boolean apiAuthByRoleOrApplication(String str, ApiAuthConfigVo apiAuthConfigVo, HttpServletResponse httpServletResponse) {
        Long requestUserId = ServiceContext.getContext().getRequestUserId();
        Long requestApplicationId = ServiceContext.getContext().getRequestApplicationId();
        logger.debug("{} 配置了类型为 [3 角色或者应用模板] 的API鉴权规则，当前用户id:{} 应用模板id:{}", new Object[]{str, requestUserId, requestApplicationId});
        if (requestUserId == null && requestApplicationId == null) {
            logger.warn("{} 配置了类型为 [3 角色或者应用模板] 的API鉴权规则，但是当前用户id和应用模板id同时为空", str);
            return unAuthorized(str, httpServletResponse);
        }
        boolean z = false;
        if (requestUserId != null && !CollectionUtils.isEmpty(apiAuthConfigVo.getRoleIdSet())) {
            z = roleHasPermission(str, apiAuthConfigVo, requestUserId);
        }
        if (z) {
            return authorized();
        }
        if (requestApplicationId != null && !CollectionUtils.isEmpty(apiAuthConfigVo.getApplicationIdSet())) {
            z = applicationHasPermission(str, apiAuthConfigVo, requestApplicationId);
        }
        return z ? authorized() : unAuthorized(str, httpServletResponse);
    }

    private boolean apiAuthByRoleAndApplication(String str, ApiAuthConfigVo apiAuthConfigVo, HttpServletResponse httpServletResponse) {
        Long requestUserId = ServiceContext.getContext().getRequestUserId();
        Long requestApplicationId = ServiceContext.getContext().getRequestApplicationId();
        logger.debug("{} 配置了类型为 [4 角色和应用模板] 的API鉴权规则，当前用户id:{} 应用模板id:{}", new Object[]{str, requestUserId, requestApplicationId});
        if (requestUserId == null || requestApplicationId == null) {
            logger.warn("{} 配置了类型为 [4 角色和应用模板] 的API鉴权规则，但是当前用户id:{} 应用模板id:{},其中至少有一项为空", new Object[]{str, requestUserId, requestApplicationId});
            return unAuthorized(str, httpServletResponse);
        }
        if (!roleHasPermission(str, apiAuthConfigVo, requestUserId)) {
            logger.warn("用户{} 没有拥有 {} 权限", requestUserId, str);
            return unAuthorized(str, httpServletResponse);
        }
        if (applicationHasPermission(str, apiAuthConfigVo, requestApplicationId)) {
            logger.debug("当前角色和应用模板同时满足{} 配置的规则", str);
            return authorized();
        }
        logger.warn("应用模板{} 没有拥有 {} 权限", requestApplicationId, str);
        return unAuthorized(str, httpServletResponse);
    }

    private void initRoleQueryApi() {
        Map beansOfType = SpringBeanUtil.getApplicationContext().getBeansOfType(IRoleQueryApi.class);
        if (beansOfType.size() == 0) {
            throw new BizException(" 找不到IRoleQueryApi实例，请在工程的FeignClientConfig的EnableFeignClients 配置中添加扫描路径：com.dtyunxi.cube.starter.api.auth.api!");
        }
        if (beansOfType.size() <= 1) {
            this.roleQueryApi = (IRoleQueryApi) beansOfType.values().iterator().next();
            return;
        }
        IRoleQueryApi iRoleQueryApi = null;
        IRoleQueryApi iRoleQueryApi2 = null;
        for (Map.Entry entry : beansOfType.entrySet()) {
            if (((String) entry.getKey()).endsWith(SUFFIX_QUERY_API)) {
                iRoleQueryApi = (IRoleQueryApi) entry.getValue();
            }
            iRoleQueryApi2 = (IRoleQueryApi) entry.getValue();
        }
        if (iRoleQueryApi != null) {
            this.roleQueryApi = iRoleQueryApi;
        } else {
            this.roleQueryApi = iRoleQueryApi2;
        }
    }

    private boolean unAuthorized(String str, HttpServletResponse httpServletResponse) {
        httpServletResponse.setStatus(403);
        PrintWriter printWriter = null;
        try {
            printWriter = httpServletResponse.getWriter();
        } catch (IOException e) {
            logger.error(e.getMessage());
        }
        printWriter.append((CharSequence) MSG_USER_UNAUTHORIZED);
        printWriter.close();
        return false;
    }

    private boolean authorized() {
        ServiceContext.getContext().setAttachment(API_AUTH_PASS_BY, this.module);
        return true;
    }
}
