package com.jxdinfo.hussar.support.security.integration.authentication.support;

import com.jxdinfo.hussar.platform.core.support.service.AuthSecurityClientModelDetailService;
import com.jxdinfo.hussar.platform.core.utils.HussarUtils;
import com.jxdinfo.hussar.support.apimanager.core.util.ApiManagerUtil;
import com.jxdinfo.hussar.support.security.core.SecurityManager;
import com.jxdinfo.hussar.support.security.core.context.model.SecurityRequest;
import com.jxdinfo.hussar.support.security.core.context.model.SecurityResponse;
import com.jxdinfo.hussar.support.security.core.router.SecurityRouter;
import com.jxdinfo.hussar.support.security.core.stp.SecurityUtil;
import com.jxdinfo.hussar.support.security.core.strategy.SecurityStrategy;
import com.jxdinfo.hussar.support.security.core.util.SecurityFoxUtil;
import com.jxdinfo.hussar.support.security.integration.authentication.constants.SecurityConstants;
import com.jxdinfo.hussar.support.security.plugin.oauth2.SecurityOAuth2Manager;
import com.jxdinfo.hussar.support.security.plugin.oauth2.config.SecurityOAuth2Config;
import com.jxdinfo.hussar.support.security.plugin.oauth2.exception.SecurityOAuth2Exception;
import com.jxdinfo.hussar.support.security.plugin.oauth2.logic.SecurityOAuth2Constants;
import com.jxdinfo.hussar.support.security.plugin.oauth2.logic.SecurityOAuth2Template;
import com.jxdinfo.hussar.support.security.plugin.oauth2.logic.SecurityOAuth2Util;
import com.jxdinfo.hussar.support.security.plugin.oauth2.model.AccessTokenModel;
import com.jxdinfo.hussar.support.security.plugin.oauth2.model.ClientTokenModel;
import com.jxdinfo.hussar.support.security.plugin.oauth2.model.PastAccessTokenModel;
import com.jxdinfo.hussar.support.security.plugin.oauth2.model.SecurityClientModel;
import com.jxdinfo.hussar.support.security.plugin.oauth2.model.SpecialTokenModel;
import com.jxdinfo.hussar.support.security.plugin.oauth2.model.support.TokenModel;
import com.jxdinfo.hussar.support.security.servlet.model.SecurityResponseForServlet;
import java.util.Arrays;
import java.util.List;
import javax.servlet.http.HttpServletResponse;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.stereotype.Component;
import org.springframework.web.method.HandlerMethod;

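/**
 * Hussar-specific {@link SecurityOAuth2Template}.
 *
 * <p>Resolves OAuth2 client registrations through
 * {@link AuthSecurityClientModelDetailService}, validates the four token flavours this
 * integration knows about (access, past-access, client and special tokens), renews or
 * refreshes access tokens on ordinary requests, and issues client tokens.
 *
 * <p>Registered only when {@code hussar.security.enable} is {@code true} or absent.
 */
@ConditionalOnProperty(prefix = "hussar.security", name = {"enable"}, havingValue = "true", matchIfMissing = true)
@Component
public class HussarSecurityOAuth2Template extends SecurityOAuth2Template {

    /** Source of client registrations; its result is copied into a {@link SecurityClientModel}. */
    @Autowired
    private AuthSecurityClientModelDetailService authSecurityClientModelDetailService;

    /**
     * Loads the client registration for a client id without a tenant qualifier.
     *
     * @param str the client id
     * @return the client model copied from the detail service (see the two-argument overload)
     */
    public SecurityClientModel getClientModel(String str) {
        return getClientModel(str, null);
    }

    /**
     * Loads the client registration for a client id within a tenant.
     *
     * @param str  the client id
     * @param str2 the tenant code, may be {@code null}
     * @return a newly created model populated from the detail service
     */
    public SecurityClientModel getClientModel(String str, String str2) {
        SecurityClientModel target = new SecurityClientModel();
        // NOTE(review): the target is a fresh instance whether or not the lookup found a client,
        // so the HussarUtils.isEmpty(getClientModel(...)) checks in the validators below only
        // detect a missing client if isEmpty inspects the bean's fields rather than null-ness — confirm.
        HussarUtils.copy(this.authSecurityClientModelDetailService.loadClientModelByClientId(str, (String) null, str2), target);
        return target;
    }

    /**
     * Supplies the openid recorded on issued tokens.
     *
     * <p>This implementation returns the same literal for every client id and login id, so the
     * openid carried by a token does not identify an individual user.
     *
     * @param str the client id (unused)
     * @param obj the login id (unused)
     * @return a fixed openid value
     */
    public String getOpenid(String str, Object obj) {
        return "gr_SwoIN0MC1ewxHX_vfCW3BothWDZMMtx__";
    }

    /**
     * Resolves an access token and rejects it if unknown, expired or owned by an unknown client.
     *
     * @param str the raw access_token value
     * @return the stored token model
     * @throws SecurityOAuth2Exception via {@code throwBy} when any check fails
     */
    public AccessTokenModel checkAccessToken(String str) {
        AccessTokenModel accessToken = getAccessToken(str);
        SecurityOAuth2Exception.throwBy(accessToken == null, "无效access_token：" + str);
        SecurityOAuth2Exception.throwBy(accessToken.getExpiresIn() <= 0, "无效的access_token：" + str + "失效");
        SecurityOAuth2Exception.throwBy(HussarUtils.isEmpty(getClientModel(accessToken.clientId)), "无效accesss_token:" + str + "客户端不存在");
        return accessToken;
    }

    /**
     * Dispatches validation of a resolved token to the handler for its concrete type.
     *
     * @param tokenModel       the token to validate; must be one of the four supported subtypes
     * @param securityRequest  the current request
     * @param securityResponse the current response (used to publish renewed access tokens)
     * @param obj              the handler being invoked, typically a {@link HandlerMethod}; may be empty
     * @return {@code true} when validation passed (failures are reported by exception)
     * @throws SecurityOAuth2Exception via {@code throwBy} when the token is empty, of an unsupported type,
     *                                 or fails its type-specific checks
     */
    public boolean checkOauthToken(TokenModel tokenModel, SecurityRequest securityRequest, SecurityResponse securityResponse, Object obj) {
        SecurityOAuth2Exception.throwBy(HussarUtils.isEmpty(tokenModel), "请求失败，token无效");
        if (tokenModel instanceof AccessTokenModel) {
            validateAccessToken((AccessTokenModel) tokenModel, securityRequest, securityResponse, obj);
        } else if (tokenModel instanceof PastAccessTokenModel) {
            validatePastAccessToken((PastAccessTokenModel) tokenModel, obj);
        } else if (tokenModel instanceof ClientTokenModel) {
            validateClientToken((ClientTokenModel) tokenModel, securityRequest);
        } else if (tokenModel instanceof SpecialTokenModel) {
            validateSpecialClientToken((SpecialTokenModel) tokenModel, securityRequest, obj);
        } else {
            SecurityOAuth2Exception.throwBy(true, "请求失败,tokenModel转化失败");
        }
        return true;
    }

    /**
     * Verifies that every requested scope is one the client has contracted for.
     *
     * @param str                 the requested scope string, split by {@link SecurityFoxUtil#convertStringToList}
     * @param securityClientModel the client whose contracted scopes are authoritative
     * @throws SecurityOAuth2Exception via {@code throwBy} when the client has no contracted scopes or a
     *                                 requested scope is not among them
     */
    public void checkClientScope(String str, SecurityClientModel securityClientModel) {
        String[] contractScope = securityClientModel.getContractScope();
        SecurityOAuth2Exception.throwBy(HussarUtils.isEmpty(contractScope), "认证失败，clientId=[" + securityClientModel.getClientId() + "]，未设置权限类型scope");
        List<String> requested = SecurityFoxUtil.convertStringToList(str);
        List<String> allowed = Arrays.asList(contractScope);
        for (String scope : requested) {
            SecurityOAuth2Exception.throwBy(!allowed.contains(scope), "认证失败，clientId=[" + securityClientModel.getClientId() + "],不存在scope=[" + scope + "]");
        }
    }

    /**
     * Validates a token that is either an access token or a past-access token.
     *
     * <p>Currently has no callers within this class.
     *
     * @throws SecurityOAuth2Exception via {@code throwBy} when the token is neither supported type
     */
    private void validatePastOrAccessToken(TokenModel tokenModel, SecurityRequest securityRequest, SecurityResponse securityResponse, Object obj) {
        if (tokenModel instanceof AccessTokenModel) {
            validateAccessToken((AccessTokenModel) tokenModel, securityRequest, securityResponse, obj);
        } else if (tokenModel instanceof PastAccessTokenModel) {
            validatePastAccessToken((PastAccessTokenModel) tokenModel, obj);
        } else {
            SecurityOAuth2Exception.throwBy(true, "请求失败,tokenModel转化失败");
        }
    }

    /**
     * Validates a past-access token: not expired, carries a login ticket and belongs to a known client.
     * When a handler is supplied, the ticket is bound to the current context and the login is checked.
     *
     * @param pastAccessTokenModel the token under validation
     * @param obj                  the handler being invoked; the login check is skipped when empty
     */
    private void validatePastAccessToken(PastAccessTokenModel pastAccessTokenModel, Object obj) {
        SecurityOAuth2Exception.throwBy(pastAccessTokenModel.getExpiresIn() <= 0, "请求失败，pastToken=[" + pastAccessTokenModel.accessToken + "]已经过期~！");
        String loginTicket = pastAccessTokenModel.loginTicket;
        SecurityOAuth2Exception.throwBy(HussarUtils.isEmpty(loginTicket), "请求失败，LoginToken必须设置为永不过期，然后禁用cookie");
        SecurityOAuth2Exception.throwBy(HussarUtils.isEmpty(getClientModel(pastAccessTokenModel.clientId)), "请求失败,token=[" + pastAccessTokenModel.accessToken + "],客户端clientId=[" + pastAccessTokenModel.clientId + "]不存在");
        if (HussarUtils.isNotEmpty(obj)) {
            bindTicketAndCheckLogin(loginTicket, pastAccessTokenModel.loginType, obj);
        }
    }

    /**
     * Validates an access token and, unless the current URI is excluded by
     * {@link SecurityConstants#SECURITY_NO_RENEW_URL}, renews or refreshes it and publishes the
     * resulting token in the response headers. A refreshed token's login ticket replaces the
     * original for the subsequent login check.
     *
     * @param accessTokenModel the token under validation
     * @param securityRequest  the current request (unused here)
     * @param securityResponse the current response; its source is cast to {@link HttpServletResponse}
     * @param obj              the handler being invoked; the login check is skipped when empty
     */
    private void validateAccessToken(AccessTokenModel accessTokenModel, SecurityRequest securityRequest, SecurityResponse securityResponse, Object obj) {
        SecurityOAuth2Exception.throwBy(accessTokenModel.getExpiresIn() <= 0, "请求失败，token=[" + accessTokenModel.accessToken + "]过期");
        String loginTicket = accessTokenModel.loginTicket;
        SecurityOAuth2Exception.throwBy(HussarUtils.isEmpty(loginTicket), "请求失败，LoginToken必须设置为永不过期，然后禁用cookie");
        SecurityClientModel clientModel = getClientModel(accessTokenModel.clientId);
        SecurityOAuth2Exception.throwBy(HussarUtils.isEmpty(clientModel), "请求失败,token=[" + accessTokenModel.accessToken + "],客户端clientId=[" + accessTokenModel.clientId + "]不存在");
        if (!SecurityRouter.isMatchCurrURI(SecurityConstants.SECURITY_NO_RENEW_URL)) {
            AccessTokenModel refreshed = renewalAndRefreshToken(accessTokenModel, clientModel);
            returnAccessTokenModelToResponse((HttpServletResponse) securityResponse.getSource(), refreshed);
            // A refresh rotates the login ticket; the login check must use the new one.
            if (HussarUtils.isNotEmpty(refreshed)) {
                loginTicket = refreshed.loginTicket;
            }
        }
        if (HussarUtils.isNotEmpty(obj)) {
            bindTicketAndCheckLogin(loginTicket, accessTokenModel.loginType, obj);
        }
    }

    /**
     * Validates a client token: not expired and its permission list contains the exact request path.
     *
     * @param clientTokenModel the token under validation
     * @param securityRequest  the current request, whose path is compared verbatim against the permissions
     */
    private void validateClientToken(ClientTokenModel clientTokenModel, SecurityRequest securityRequest) {
        SecurityOAuth2Exception.throwBy(clientTokenModel.getExpiresIn() <= 0, "请求失败，token=[" + clientTokenModel.clientToken + "]过期");
        List<?> permissions = clientTokenModel.permissions;
        // Exact-string match; no pattern or normalisation is applied to the request path here.
        SecurityOAuth2Exception.throwBy(HussarUtils.isEmpty(permissions) || !permissions.contains(securityRequest.getRequestPath()), "请求失败，clientId=[" + clientTokenModel.clientId + "]无权访问url=[" + securityRequest.getRequestPath() + "]");
    }

    /**
     * Validates a special token: not expired, carries a login ticket and belongs to a known client.
     * When a handler is supplied, the ticket is bound to the current context and the login is checked.
     *
     * @param specialTokenModel the token under validation
     * @param securityRequest   the current request (unused here)
     * @param obj               the handler being invoked; the login check is skipped when empty
     */
    private void validateSpecialClientToken(SpecialTokenModel specialTokenModel, SecurityRequest securityRequest, Object obj) {
        SecurityOAuth2Exception.throwBy(specialTokenModel.getExpiresIn() <= 0, "请求失败，token=[" + specialTokenModel.accessToken + "]过期");
        String loginTicket = specialTokenModel.loginTicket;
        SecurityOAuth2Exception.throwBy(HussarUtils.isEmpty(loginTicket), "请求失败，LoginToken必须设置为永不过期，然后禁用cookie");
        SecurityOAuth2Exception.throwBy(HussarUtils.isEmpty(getClientModel(specialTokenModel.clientId)), "请求失败,token=[" + specialTokenModel.accessToken + "],客户端clientId=[" + specialTokenModel.clientId + "]不存在");
        if (HussarUtils.isNotEmpty(obj)) {
            bindTicketAndCheckLogin(loginTicket, specialTokenModel.getLoginType(), obj);
        }
    }

    /**
     * Binds a login ticket to the current context for the given login type and runs the login check.
     * Shared by the access, past-access and special token validators.
     *
     * @param loginTicket the ticket to bind
     * @param loginType   the login type whose StpLogic owns the ticket
     * @param obj         the handler being invoked, forwarded to {@link #checkLoginToken}
     */
    private void bindTicketAndCheckLogin(String loginTicket, String loginType, Object obj) {
        SecurityManager.getStpLogic(loginType).setTokenValue(loginTicket, -1);
        checkLoginToken(obj, loginType);
    }

    /**
     * Renews or refreshes an access token according to the OAuth2 configuration.
     *
     * <p>Nothing happens when the refresh threshold is non-positive or the client is empty. When
     * renewal is enabled, or the token still has more than the threshold left, the login and access
     * token lifetimes are extended in place and {@code null} is returned. Otherwise the token is
     * refreshed and the new model returned.
     *
     * @param accessTokenModel    the current token
     * @param securityClientModel the client whose validity periods apply
     * @return the refreshed token, or {@code null} when the existing token was kept
     */
    private AccessTokenModel renewalAndRefreshToken(AccessTokenModel accessTokenModel, SecurityClientModel securityClientModel) {
        SecurityOAuth2Config config = SecurityOAuth2Manager.getConfig();
        if (config.getRefreshTokenThreshold() <= 0 || HussarUtils.isEmpty(securityClientModel)) {
            return null;
        }
        // Null-safe: an unset enableRenewal flag is treated as disabled instead of throwing.
        boolean renewalEnabled = Boolean.TRUE.equals(config.getEnableRenewal());
        if (renewalEnabled || accessTokenModel.getExpiresIn() > config.getRefreshTokenThreshold()) {
            extendTokenLifetimes(accessTokenModel, securityClientModel);
            return null;
        }
        return SecurityOAuth2Util.refreshAccessToken(accessTokenModel.refreshToken);
    }

    /**
     * Extends the login ticket and access token lifetimes to the client's configured periods.
     *
     * @param accessTokenModel    the token whose ticket and access token are extended
     * @param securityClientModel the client supplying the validity periods
     */
    private void extendTokenLifetimes(AccessTokenModel accessTokenModel, SecurityClientModel securityClientModel) {
        SecurityUtil.updateAllLoginTokenTimeout(accessTokenModel.loginTicket, securityClientModel.getRefreshTokenValidTime());
        SecurityOAuth2Util.updateAllAccessTokenTimeout(accessTokenModel.accessToken, securityClientModel.getAccessTokenValidTime(), securityClientModel.getRefreshTokenValidTime());
    }

    /**
     * Publishes a (refreshed) access token to the caller through response headers.
     * Does nothing when the model is empty.
     *
     * @param httpServletResponse the response to write headers on
     * @param accessTokenModel    the token to publish; may be empty
     */
    private void returnAccessTokenModelToResponse(HttpServletResponse httpServletResponse, AccessTokenModel accessTokenModel) {
        if (HussarUtils.isEmpty(accessTokenModel)) {
            return;
        }
        SecurityResponseForServlet response = new SecurityResponseForServlet(httpServletResponse);
        response.setHeader(SecurityOAuth2Constants.Param.client_id, accessTokenModel.clientId);
        response.setHeader(SecurityOAuth2Constants.Param.access_token, accessTokenModel.accessToken);
        response.setHeader(SecurityOAuth2Constants.Param.refresh_token, accessTokenModel.refreshToken);
        response.setHeader(SecurityOAuth2Constants.Param.expires_in, String.valueOf(accessTokenModel.getExpiresIn()));
        response.setHeader(SecurityOAuth2Constants.Param.refresh_expires_in, String.valueOf(accessTokenModel.getRefreshExpiresIn()));
        response.setHeader(SecurityOAuth2Constants.Param.openid, accessTokenModel.openid);
        response.setHeader(SecurityOAuth2Constants.Param.scope, accessTokenModel.scope);
        response.setHeader(SecurityOAuth2Constants.Param.login_ticket, accessTokenModel.loginTicket);
    }

    /**
     * Runs the login checks for the bound ticket: the method-level authentication annotation check when
     * the handler is a {@link HandlerMethod}, then the {@code checkLogin} of the given login type for
     * every path.
     *
     * @param obj the handler being invoked; annotation checks only run for a {@link HandlerMethod}
     * @param str the login type whose StpLogic performs the login check
     * @return always {@code true}; failures are reported by exception
     */
    private boolean checkLoginToken(Object obj, String str) {
        if (obj instanceof HandlerMethod) {
            SecurityStrategy.me.checkMethodAuthenticatonAnnotation.accept(((HandlerMethod) obj).getMethod());
        }
        SecurityRouter.match(new String[]{"/**"}).check(() -> {
            SecurityManager.getStpLogic(str).checkLogin();
        });
        return true;
    }

    /**
     * Issues a new client token for a client, replacing any existing one for the same tenant.
     *
     * <p>The previous token (if any) and its index are deleted first, so at most one client token per
     * client and tenant is live. Permissions are resolved from the token's scope via
     * {@link ApiManagerUtil#getPermissionList}.
     *
     * @param securityClientModel the client to issue the token for
     * @param str                 the granted scope
     * @param str2                the tenant code
     * @return the persisted token model
     */
    public ClientTokenModel generateClientToken(SecurityClientModel securityClientModel, String str, String str2) {
        String clientId = securityClientModel.getClientId();
        String existingToken = getClientTokenValue(clientId, str2);
        if (HussarUtils.isNotEmpty(existingToken)) {
            deleteClientToken(existingToken, str2);
        }
        deleteClientTokenIndex(clientId, str2);
        ClientTokenModel clientTokenModel = new ClientTokenModel(randomClientToken(clientId, str), clientId, str);
        // Multiply in long arithmetic: a 32-bit seconds*1000 product overflows after ~24.8 days.
        clientTokenModel.expiresTime = System.currentTimeMillis() + (securityClientModel.getAccessTokenValidTime() * 1000L);
        clientTokenModel.permissions = ApiManagerUtil.getPermissionList(clientTokenModel.scope, str2);
        clientTokenModel.tenantCode = str2;
        saveClientToken(clientTokenModel);
        saveClientTokenIndex(clientTokenModel);
        return clientTokenModel;
    }
}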
