package com.elitescloud.cloudt.authorization.api.client.config.security.configurer.provider;

import cn.hutool.core.text.CharSequenceUtil;
import cn.hutool.core.util.ObjectUtil;
import com.elitescloud.cloudt.authorization.api.client.AuthenticationClaim;
import com.elitescloud.cloudt.authorization.api.client.common.AuthorizationException;
import com.elitescloud.cloudt.authorization.api.client.common.InterceptUri;
import com.elitescloud.cloudt.authorization.api.client.config.AuthorizationProperties;
import com.elitescloud.cloudt.authorization.api.client.config.support.AuthenticationCache;
import com.elitescloud.cloudt.authorization.api.client.principal.AuthorizedClient;
import com.elitescloud.cloudt.authorization.api.client.token.BearerTokenAuthenticationToken;
import com.elitescloud.cloudt.context.util.HttpServletUtil;
import com.elitescloud.cloudt.security.entity.GeneralUserDetails;
import java.time.Clock;
import java.time.Duration;
import java.time.Instant;
import java.time.temporal.ChronoUnit;
import java.time.temporal.TemporalAmount;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.concurrent.CopyOnWriteArrayList;
import javax.servlet.http.HttpServletRequest;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Lazy;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.oauth2.jwt.BadJwtException;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.server.resource.InvalidBearerTokenException;
import org.springframework.security.web.servlet.util.matcher.MvcRequestMatcher;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.web.servlet.handler.HandlerMappingIntrospector;

/* loaded from: input_file:com/elitescloud/cloudt/authorization/api/client/config/security/configurer/provider/BearerTokenAuthenticationProvider.class */
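/**
 * {@link AuthenticationProvider} for {@link BearerTokenAuthenticationToken}s.
 *
 * <p>The raw bearer token is decoded with the configured {@link JwtDecoder}. For user
 * principals the session must additionally be present in the {@link AuthenticationCache}; when
 * it is not, the request is either downgraded to an anonymous authentication (anonymous access
 * enabled globally, or the current request URI is on the allow list) or rejected. For every
 * other principal type the {@code exp}/{@code nbf} claims are re-checked here with a
 * {@link #CLOCK_SKEW_TOLERANCE} grace period.
 *
 * <p>This provider is a shared Spring bean and is invoked from concurrent request threads, so
 * the lazily built allow-list matchers are published through a concurrent list and built under a
 * lock.
 */
public class BearerTokenAuthenticationProvider implements AuthenticationProvider {
    private static final Logger LOG = LogManager.getLogger(BearerTokenAuthenticationProvider.class);
    /** Skew tolerated when comparing exp/nbf claims against this service's clock. */
    private static final Duration CLOCK_SKEW_TOLERANCE = Duration.of(60, ChronoUnit.SECONDS);
    private final Clock clock = Clock.systemUTC();
    /** Matchers for URIs that may be served anonymously; filled lazily by {@link #initAnonymousMatchers()}. */
    private final List<RequestMatcher> anonymousMatchers = new CopyOnWriteArrayList<>();
    private AuthenticationCache authenticationCache;
    private JwtDecoder jwtDecoder;
    private AuthorizationProperties properties;
    private HandlerMappingIntrospector handlerMappingIntrospector;

    /**
     * Authenticates a bearer token.
     *
     * @param authentication a {@link BearerTokenAuthenticationToken}; {@link #supports(Class)} guarantees the type
     * @return for user principals a token carrying the cached {@link GeneralUserDetails}; for other
     *         principals a token carrying only the {@link AuthorizedClient}; or an anonymous token
     *         when a user token is unknown to the cache but anonymous access is permitted
     * @throws InvalidBearerTokenException if the token cannot be decoded
     * @throws AuthorizationException if a user token is not (or no longer) in the cache and anonymous
     *         access is not permitted, or a non-user token is expired / not yet valid
     */
    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        BearerTokenAuthenticationToken request = (BearerTokenAuthenticationToken) authentication;
        Jwt jwt = decodeToken(request);
        String principalType = jwt.getClaimAsString(AuthenticationClaim.KEY_PRINCIPAL_TYPE);

        BearerTokenAuthenticationToken result = new BearerTokenAuthenticationToken(request.getToken(), Collections.emptyList());
        result.setAuthorizedClient(AuthorizedClient.buildByJwt(jwt));

        if (CharSequenceUtil.equals(principalType, AuthenticationClaim.VALUE_PRINCIPAL_USER)) {
            // The cache is the source of truth for user sessions: a token that is absent from it is
            // treated as unauthenticated even though the JWT itself decoded successfully.
            GeneralUserDetails userDetail = this.authenticationCache.getUserDetail(request.getToken());
            if (userDetail == null) {
                if (isAnonymousAccessAllowed()) {
                    return new AnonymousAuthenticationToken("key", "anonymous", AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS"));
                }
                // Log identifying claims only, never the bearer token: the raw credential must not end up in log files.
                LOG.warn("无效token：sub={}, jti={}", jwt.getSubject(), jwt.getId());
                throw new AuthorizationException("当前用户还未认证或身份认证已过期");
            }
            result.setPrincipal(userDetail);
        } else {
            // Non-user principals are not looked up in the cache; re-check the time claims instead.
            validateTimeClaims(jwt);
        }
        return result;
    }

    @Override
    public boolean supports(Class<?> cls) {
        return BearerTokenAuthenticationToken.class.isAssignableFrom(cls);
    }

    /**
     * Whether the current request may proceed anonymously: anonymous access is enabled globally,
     * or the request matches one of the allow-listed URI patterns.
     */
    private boolean isAnonymousAccessAllowed() {
        // Boolean.TRUE.equals tolerates an unset (null) property instead of throwing an NPE.
        if (Boolean.TRUE.equals(this.properties.getAnonymousEnabled())) {
            return true;
        }
        if (this.anonymousMatchers.isEmpty()) {
            initAnonymousMatchers();
        }
        if (this.anonymousMatchers.isEmpty()) {
            return false;
        }
        HttpServletRequest currentRequest = HttpServletUtil.currentRequest();
        return this.anonymousMatchers.stream().anyMatch(matcher -> matcher.matches(currentRequest));
    }

    /**
     * Builds the allow-list matchers from {@link AuthorizationProperties#getAllowList()} and
     * {@link InterceptUri#getAllowUri()}. Synchronized and re-checked so that concurrent first
     * requests do not each append their own copy of the matcher set; the complete set is published
     * with a single {@code addAll} so readers never observe a partially built list.
     */
    private synchronized void initAnonymousMatchers() {
        if (!this.anonymousMatchers.isEmpty()) {
            return;
        }
        HashSet<String> patterns = new HashSet<>();
        if (this.properties.getAllowList() != null) {
            patterns.addAll(this.properties.getAllowList());
        }
        patterns.addAll(InterceptUri.getAllowUri());
        if (patterns.isEmpty()) {
            return;
        }
        // The introspector is optional (see setHandlerMappingIntrospector); fall back to a fresh one.
        HandlerMappingIntrospector introspector = ObjectUtil.defaultIfNull(this.handlerMappingIntrospector, new HandlerMappingIntrospector());
        List<RequestMatcher> matchers = new ArrayList<>(patterns.size());
        for (String pattern : patterns) {
            if (isMvcPattern(pattern)) {
                matchers.add(new MvcRequestMatcher(introspector, pattern));
            } else {
                matchers.add(new AntPathRequestMatcher(pattern));
            }
        }
        this.anonymousMatchers.addAll(matchers);
    }

    /**
     * Whether a pattern is matched by {@link MvcRequestMatcher} rather than
     * {@link AntPathRequestMatcher}: true when the pattern's first {@code **} is also its trailing
     * two characters (e.g. {@code /api/**}). A pattern with an earlier {@code **} gets Ant matching.
     */
    private boolean isMvcPattern(String pattern) {
        return pattern != null && pattern.indexOf("**") == pattern.length() - 2;
    }

    /**
     * Decodes the raw bearer token with the configured {@link JwtDecoder}.
     *
     * @throws InvalidBearerTokenException wrapping the {@link BadJwtException} when the decoder rejects the token
     */
    private Jwt decodeToken(BearerTokenAuthenticationToken token) {
        try {
            return this.jwtDecoder.decode(token.getToken());
        } catch (BadJwtException e) {
            LOG.error("解析token异常：", e);
            throw new InvalidBearerTokenException("不支持的token", e);
        }
    }

    /**
     * Re-checks the {@code exp} and {@code nbf} claims against this service's clock, allowing
     * {@link #CLOCK_SKEW_TOLERANCE} of skew in either direction. An absent claim is not checked.
     *
     * @throws AuthorizationException if the token expired more than the tolerance ago, or becomes
     *         valid more than the tolerance in the future
     */
    private void validateTimeClaims(Jwt jwt) {
        Instant now = Instant.now(this.clock);
        Instant expiresAt = jwt.getExpiresAt();
        if (expiresAt != null && now.minus(CLOCK_SKEW_TOLERANCE).isAfter(expiresAt)) {
            throw new AuthorizationException("身份认证已过期");
        }
        Instant notBefore = jwt.getNotBefore();
        if (notBefore != null && now.plus(CLOCK_SKEW_TOLERANCE).isBefore(notBefore)) {
            throw new AuthorizationException("身份认证还未生效");
        }
    }

    /** Whether token renewal is configured with a positive duration. Not referenced within this class. */
    private boolean isTokenRenewalEnabled() {
        return this.properties.getTokenRenewal() != null && this.properties.getTokenRenewal().getSeconds() > 0;
    }

    /** Cache that holds the user details of active user sessions. */
    @Autowired
    public void setAuthenticationCache(AuthenticationCache authenticationCache) {
        this.authenticationCache = authenticationCache;
    }

    /** Decoder used to parse and verify raw bearer tokens. */
    @Autowired
    public void setJwtDecoder(JwtDecoder jwtDecoder) {
        this.jwtDecoder = jwtDecoder;
    }

    /** Properties supplying the anonymous-access switch, the URI allow list and the renewal duration. */
    @Autowired
    public void setAuthorizationProperties(AuthorizationProperties authorizationProperties) {
        this.properties = authorizationProperties;
    }

    /** Optional introspector for {@link MvcRequestMatcher}; a default instance is created when absent. */
    @Autowired(required = false)
    @Lazy
    public void setHandlerMappingIntrospector(HandlerMappingIntrospector handlerMappingIntrospector) {
        this.handlerMappingIntrospector = handlerMappingIntrospector;
    }
}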
