package com.elitescloud.boot.auth.cas.provider;

import com.elitescloud.boot.auth.cas.AuthorizeCacheable;
import com.elitescloud.boot.auth.cas.model.AuthorizeDTO;
import com.elitescloud.boot.auth.cas.task.ClientTokenHolder;
import com.elitescloud.boot.auth.config.AuthorizationSdkProperties;
import com.elitescloud.boot.auth.config.CloudtOAuth2Client;
import com.elitescloud.boot.auth.model.OAuthToken;
import com.elitescloud.boot.auth.model.Result;
import com.elitescloud.boot.auth.resolver.UniqueRequestResolver;
import com.elitescloud.boot.auth.resolver.impl.DefaultUniquestResolver;
import com.elitescloud.boot.auth.util.AuthSdkUtil;
import com.elitescloud.boot.auth.util.RestTemplateFactory;
import com.github.benmanes.caffeine.cache.Cache;
import com.github.benmanes.caffeine.cache.Caffeine;
import java.io.Serializable;
import java.time.Duration;
import java.util.Collections;
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;
import java.util.Objects;
import java.util.concurrent.CompletableFuture;
import java.util.function.Supplier;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.validation.constraints.NotBlank;
import javax.validation.constraints.NotNull;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.InitializingBean;
import org.springframework.core.ParameterizedTypeReference;
import org.springframework.http.HttpEntity;
import org.springframework.http.HttpMethod;
import org.springframework.http.ResponseEntity;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.util.Assert;
import org.springframework.util.LinkedMultiValueMap;
import org.springframework.util.StringUtils;
import org.springframework.web.client.RestTemplate;
import org.springframework.web.util.UriComponentsBuilder;

/* loaded from: input_file:com/elitescloud/boot/auth/cas/provider/OAuth2ClientProvider.class */
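/**
 * OAuth2 client towards the configured CAS authorization server.
 *
 * <p>It builds the authorization request ({@link #getAuthorizeInfo}), exchanges the
 * returned code for tokens ({@link #code2AccessToken}), refreshes, revokes and issues
 * client-credentials tokens, and fetches user info. Endpoint URLs are resolved in
 * {@link #init()}: configured values win, blanks are filled from the server's OIDC
 * metadata document.
 *
 * <p>Initialization is started asynchronously from {@link #afterPropertiesSet()} and is
 * also performed lazily by every public method that needs the resolved endpoints, so a
 * request arriving before the background task finished does not hit a {@code null}
 * client. {@link #init()} is synchronized so those two paths cannot interleave.
 */
public class OAuth2ClientProvider implements InitializingBean {
    private static final Logger LOG = LoggerFactory.getLogger(OAuth2ClientProvider.class);

    private final AuthorizationSdkProperties sdkProperties;
    private final AuthorizeCacheable authorizeCacheable;
    private UniqueRequestResolver uniqueRequestResolver = new DefaultUniquestResolver("X-Auth-Cas-Client");
    private RestTemplate restTemplate;
    // Written by init() (possibly on the async initializer thread), read by request threads.
    private volatile OAuth2ClientBO clientBO;

    /**
     * In-memory fallback cache for pending authorization requests, keyed by the
     * request signature produced by {@link UniqueRequestResolver#signRequest}.
     * Bounded to 2000 entries and 60 minutes after write, which also caps how long
     * an unused PKCE code verifier stays in memory.
     */
    static class AuthorizeCacheDefault implements AuthorizeCacheable {
        private final Cache<String, AuthorizeDTO> authorizeCache = Caffeine.newBuilder()
                .maximumSize(2000)
                .expireAfterWrite(Duration.ofMinutes(60))
                .build();

        @Override
        public void setCache(String key, AuthorizeDTO authorizeDTO) {
            this.authorizeCache.put(key, authorizeDTO);
        }

        @Override
        public AuthorizeDTO get(String key) {
            return this.authorizeCache.getIfPresent(key);
        }
    }

    /**
     * @param authorizationSdkProperties SDK configuration (auth server URL, OAuth2 client settings); must not be null
     * @param authorizeCacheable         cache for pending authorization requests; {@code null} selects
     *                                   the in-memory {@link AuthorizeCacheDefault}
     */
    public OAuth2ClientProvider(AuthorizationSdkProperties authorizationSdkProperties, AuthorizeCacheable authorizeCacheable) {
        this.sdkProperties = Objects.requireNonNull(authorizationSdkProperties, "authorizationSdkProperties");
        this.authorizeCacheable = authorizeCacheable == null ? new AuthorizeCacheDefault() : authorizeCacheable;
    }

    /**
     * Builds the authorization URL for a new login and remembers the request
     * (client id, redirect URI, state and, when PKCE is enabled, the code verifier)
     * under a per-request signature so {@link #code2AccessToken} can complete it.
     *
     * @param httpServletResponse response the request signature is attached to
     * @param redirectUri         callback URL sent as {@code redirect_uri}
     * @param state               opaque value sent as {@code state}; may be null
     * @return the authorization endpoint URL with all query parameters
     */
    public String getAuthorizeInfo(@NotNull HttpServletResponse httpServletResponse, @NotBlank String redirectUri, String state) {
        ensureInitialized();
        String requestKey = this.uniqueRequestResolver.signRequest(httpServletResponse);
        AuthorizeDTO authorizeDTO = new AuthorizeDTO();
        authorizeDTO.setAuthorizeEndpoint(this.clientBO.getAuthorizeEndpoint());
        authorizeDTO.setClientId(oauth2Client().getClientId());
        authorizeDTO.setResponseType("code");
        authorizeDTO.setScope("openid");
        authorizeDTO.setRedirectUri(redirectUri);
        if (oauth2Client().isPkceEnabled()) {
            // PKCE (S256): only the challenge leaves the server; the verifier stays in the cache
            // until the code is exchanged.
            String codeVerifier = AuthSdkUtil.generateCodeVerifier();
            authorizeDTO.setCodeVerifier(codeVerifier);
            authorizeDTO.setCodeChallengeMethod("S256");
            authorizeDTO.setCodeChallenge(AuthSdkUtil.generateCodeChallenge(codeVerifier));
        }
        authorizeDTO.setState(state);
        this.authorizeCacheable.setCache(requestKey, authorizeDTO);
        return authorizeDTO.getUrl();
    }

    /**
     * Looks up the pending authorization request bound to the incoming request.
     *
     * @return the cached request, or {@code null} if the signature is unknown or expired
     */
    public AuthorizeDTO getAuthorize(@NotNull HttpServletRequest httpServletRequest) {
        return this.authorizeCacheable.get(this.uniqueRequestResolver.analyze(httpServletRequest));
    }

    /**
     * Exchanges an authorization code for tokens (authorization_code grant).
     *
     * <p>The request signature is cleared from the response before the exchange so the
     * same callback cannot be replayed through the resolver. The cached request itself
     * stays until it expires because {@link AuthorizeCacheable} exposes no removal.
     *
     * @param httpServletRequest  callback request carrying the request signature
     * @param httpServletResponse response the signature is cleared from
     * @param code                the {@code code} parameter of the callback
     * @return the token response, or a failed {@link Result} on a non-2xx status or transport error
     * @throws IllegalArgumentException if the signature or the cached request is missing (timed out)
     */
    public Result<OAuthToken> code2AccessToken(@NotNull HttpServletRequest httpServletRequest, @NotNull HttpServletResponse httpServletResponse, @NotBlank String code) {
        ensureInitialized();
        String requestKey = this.uniqueRequestResolver.analyze(httpServletRequest);
        Assert.hasText(requestKey, "认证请求超时，请重试");
        this.uniqueRequestResolver.clear(httpServletResponse, requestKey);
        AuthorizeDTO authorizeDTO = this.authorizeCacheable.get(requestKey);
        Assert.notNull(authorizeDTO, "认证超时，请重试");
        // NOTE(review): the callback's "state" parameter is not compared with the value stored
        // in authorizeDTO here; confirm the caller performs that check before invoking this.
        LinkedMultiValueMap<String, String> form = new LinkedMultiValueMap<>(8);
        form.add("client_id", authorizeDTO.getClientId());
        addClientSecret(form);
        form.add("grant_type", AuthorizationGrantType.AUTHORIZATION_CODE.getValue());
        form.add("code", code);
        String redirectUri = authorizeDTO.getRedirectUri();
        if (StringUtils.hasText(redirectUri)) {
            form.add("redirect_uri", redirectUri);
        }
        if (StringUtils.hasText(authorizeDTO.getCodeVerifier())) {
            form.add("code_verifier", authorizeDTO.getCodeVerifier());
        }
        return executeWithRetry(() -> {
            try {
                ResponseEntity<OAuthToken> response = this.restTemplate.exchange(
                        this.clientBO.getTokenEndpoint(), HttpMethod.POST, formEntity(form),
                        new ParameterizedTypeReference<OAuthToken>() {
                        });
                if (response.getStatusCode().is2xxSuccessful()) {
                    return Result.ok(response.getBody());
                }
                // Log the status only: ResponseEntity#toString would dump headers and body.
                LOG.error("授权码转token失败：{}", response.getStatusCode());
                return Result.fail("获取认证token失败");
            } catch (Exception e) {
                LOG.error("获取认证token异常：", e);
                return Result.fail("获取认证token异常！");
            }
        });
    }

    /**
     * Fetches the user info for a bearer-style token.
     *
     * @param tokenType token type placed before the token in the {@code Authorization} header
     * @param token     the access token
     * @return the user info attributes, or a failed {@link Result}
     * @throws IllegalArgumentException if either argument is blank
     */
    public Result<HashMap<String, String>> queryUserInfo(@NotBlank String tokenType, @NotBlank String token) {
        Assert.hasText(tokenType, "token类型为空");
        Assert.hasText(token, "token为空");
        ensureInitialized();
        LinkedMultiValueMap<String, String> headers = new LinkedMultiValueMap<>(4);
        headers.add("Authorization", tokenType + " " + token);
        return executeWithRetry(() -> {
            try {
                ResponseEntity<HashMap<String, String>> response = this.restTemplate.exchange(
                        this.clientBO.getUserinfoEndpoint(), HttpMethod.GET, new HttpEntity<Void>(null, headers),
                        new ParameterizedTypeReference<HashMap<String, String>>() {
                        });
                if (response.getStatusCode().is2xxSuccessful()) {
                    return Result.ok(response.getBody());
                }
                LOG.error("获取用户信息失败：{}", response.getStatusCode());
                return Result.fail("获取用户信息失败！");
            } catch (Exception e) {
                LOG.error("获取用户信息异常：", e);
                return Result.fail("获取用户信息异常！");
            }
        });
    }

    /**
     * Refreshes tokens (refresh_token grant).
     *
     * @param refreshTokenValue the refresh token
     * @return the new token response, or a failed {@link Result}
     * @throws IllegalArgumentException if the refresh token is blank
     */
    public Result<OAuthToken> refreshToken(@NotBlank String refreshTokenValue) {
        // hasText rather than notNull: the parameter is declared @NotBlank.
        Assert.hasText(refreshTokenValue, "刷新token为空");
        ensureInitialized();
        LinkedMultiValueMap<String, String> form = new LinkedMultiValueMap<>(8);
        form.add("client_id", oauth2Client().getClientId());
        addClientSecret(form);
        form.add("grant_type", AuthorizationGrantType.REFRESH_TOKEN.getValue());
        form.add("refresh_token", refreshTokenValue);
        return executeWithRetry(() -> {
            try {
                ResponseEntity<OAuthToken> response = this.restTemplate.exchange(
                        this.clientBO.getTokenEndpoint(), HttpMethod.POST, formEntity(form),
                        new ParameterizedTypeReference<OAuthToken>() {
                        });
                if (response.getStatusCode().is2xxSuccessful()) {
                    return Result.ok(response.getBody());
                }
                LOG.error("刷新token失败：{}", response.getStatusCode());
                return Result.fail("刷新token失败");
            } catch (Exception e) {
                LOG.error("刷新认证token异常：", e);
                return Result.fail("刷新认证token异常！");
            }
        });
    }

    /**
     * Obtains a token for this client itself (client_credentials grant).
     * Not routed through {@link #executeWithRetry} because the retry itself calls this method.
     *
     * @return the token response, or a failed {@link Result}
     */
    public Result<OAuthToken> clientToken() {
        ensureInitialized();
        LinkedMultiValueMap<String, String> form = new LinkedMultiValueMap<>(8);
        form.add("grant_type", AuthorizationGrantType.CLIENT_CREDENTIALS.getValue());
        form.add("client_id", oauth2Client().getClientId());
        addClientSecret(form);
        try {
            ResponseEntity<OAuthToken> response = this.restTemplate.exchange(
                    this.clientBO.getTokenEndpoint(), HttpMethod.POST, formEntity(form),
                    new ParameterizedTypeReference<OAuthToken>() {
                    });
            if (response.getStatusCode().is2xxSuccessful()) {
                return Result.ok(response.getBody());
            }
            LOG.error("生成token失败：{}", response.getStatusCode());
            return Result.fail("获取认证token失败");
        } catch (Exception e) {
            LOG.error("获取认证token失败：", e);
            return Result.fail("获取认证token失败！");
        }
    }

    /**
     * Revokes a token at the server's revocation endpoint.
     *
     * @param token the token to revoke
     * @return {@code true} on a 2xx response, otherwise a failed {@link Result}
     * @throws IllegalArgumentException if the token is blank
     */
    public Result<Boolean> revokeToken(@NotBlank String token) {
        Assert.hasText(token, "token为空");
        ensureInitialized();
        LinkedMultiValueMap<String, String> form = new LinkedMultiValueMap<>(8);
        form.add("client_id", oauth2Client().getClientId());
        addClientSecret(form);
        form.add("token", token);
        try {
            ResponseEntity<String> response = this.restTemplate.exchange(
                    this.clientBO.getRevocationEndpoint(), HttpMethod.POST, formEntity(form),
                    new ParameterizedTypeReference<String>() {
                    });
            if (response.getStatusCode().is2xxSuccessful()) {
                return Result.ok(true);
            }
            LOG.error("注销token失败：{}", response.getStatusCode());
            return Result.fail("注销token失败");
        } catch (Exception e) {
            LOG.error("注销token失败：", e);
            return Result.fail("注销token失败！");
        }
    }

    /**
     * Validates the client configuration and starts endpoint resolution in the background.
     * A client secret is mandatory unless PKCE is enabled. Failures of the background
     * initialization are logged; request threads fall back to lazy initialization.
     */
    @Override
    public void afterPropertiesSet() throws Exception {
        if (!oauth2Client().isPkceEnabled()) {
            Assert.hasText(oauth2Client().getClientSecret(), "OAuth2 Client的clientSecret为空");
        }
        CompletableFuture.runAsync(this::init).whenComplete((ignored, failure) -> {
            if (failure != null) {
                LOG.error("初始化OAuth2客户端异常：", failure);
            }
        });
    }

    /**
     * Replaces the resolver that binds a browser request to its pending authorization.
     *
     * @param uniqueRequestResolver the resolver; must not be null
     */
    public void setUniqueRequestResolver(UniqueRequestResolver uniqueRequestResolver) {
        this.uniqueRequestResolver = Objects.requireNonNull(uniqueRequestResolver, "uniqueRequestResolver");
    }

    /**
     * Runs {@code supplier}; if it throws or returns an unsuccessful result, obtains a
     * fresh client token, publishes it via {@link ClientTokenHolder} and runs the
     * supplier once more. Exceptions of the second attempt propagate.
     *
     * <p>Presumably the client token is what the {@link RestTemplate} uses to authenticate
     * these calls, so the retry covers an expired token — confirm against RestTemplateFactory.
     */
    private <T extends Serializable> Result<T> executeWithRetry(Supplier<Result<T>> supplier) {
        Result<T> firstAttempt = null;
        try {
            firstAttempt = supplier.get();
        } catch (Exception e) {
            // Deliberately non-fatal: the call is retried below. Logged so the first failure is not invisible.
            LOG.warn("首次请求认证授权服务失败，刷新客户端token后重试：", e);
        }
        if (firstAttempt != null && Boolean.TRUE.equals(firstAttempt.getSuccess())) {
            return firstAttempt;
        }
        Result<OAuthToken> clientToken = clientToken();
        if (clientToken != null) {
            ClientTokenHolder.setToken(clientToken.getData());
        }
        try {
            return supplier.get();
        } catch (Exception e2) {
            LOG.error("请求认证授权服务异常：", e2);
            throw e2;
        }
    }

    /** Lazily initializes the client when the background task has not finished (or failed). */
    private void ensureInitialized() {
        if (this.clientBO == null) {
            init();
        }
    }

    /**
     * Creates the shared {@link RestTemplate} on first use and resolves all endpoints.
     * Synchronized: reachable from the async initializer and from request threads.
     */
    private synchronized void init() {
        if (this.restTemplate == null) {
            this.restTemplate = RestTemplateFactory.instance();
        }
        this.clientBO = initClient(this.sdkProperties.getAuthServer());
    }

    /**
     * Resolves the endpoint set for {@code authServer}: explicitly configured endpoints
     * first, blanks taken from the server's OIDC metadata. The metadata is fetched from
     * the configured server itself, which is why the endpoints it advertises (including
     * the token endpoint the client secret is posted to) are trusted here.
     *
     * @throws IllegalArgumentException if the server URL is blank or no authorize endpoint could be resolved
     */
    private OAuth2ClientBO initClient(String authServer) {
        Assert.hasText(authServer, "未知认证服务器地址");
        CloudtOAuth2Client oauth2Client = oauth2Client();
        OAuth2ClientBO clientBO = new OAuth2ClientBO();
        clientBO.setAuthorizeEndpoint(normalizeUrl(authServer, oauth2Client.getAuthorizeEndpoint()));
        clientBO.setTokenEndpoint(normalizeUrl(authServer, oauth2Client.getTokenEndpoint()));
        clientBO.setUserinfoEndpoint(normalizeUrl(authServer, oauth2Client.getUserinfoEndpoint()));
        Map<String, Object> metadata = queryServerConfig(normalizeUrl(authServer, CasUrlConstant.URI_OIDC_METADATA));
        clientBO.setAuthorizeEndpoint(blankToDefault(clientBO.getAuthorizeEndpoint(), stringValue(metadata, "authorization_endpoint")));
        Assert.hasText(clientBO.getAuthorizeEndpoint(), "OAuth2客户端初始化失败");
        clientBO.setTokenEndpoint(blankToDefault(clientBO.getTokenEndpoint(), stringValue(metadata, "token_endpoint")));
        clientBO.setUserinfoEndpoint(blankToDefault(clientBO.getUserinfoEndpoint(), stringValue(metadata, "userinfo_endpoint")));
        clientBO.setRevocationEndpoint(stringValue(metadata, "revocation_endpoint"));
        return clientBO;
    }

    /**
     * Fetches the OIDC metadata document.
     *
     * @return the parsed document, or an empty map on transport error, non-2xx status or empty body
     *         (never {@code null}, so callers can look keys up directly)
     */
    private Map<String, Object> queryServerConfig(String metadataUrl) {
        ResponseEntity<Map<String, Object>> response;
        try {
            response = this.restTemplate.exchange(metadataUrl, HttpMethod.GET, (HttpEntity<?>) null,
                    new ParameterizedTypeReference<Map<String, Object>>() {
                    });
        } catch (Exception e) {
            LOG.error("查询OAuth2服务端配置异常", e);
            return Collections.emptyMap();
        }
        Map<String, Object> body = response.getBody();
        if (response.getStatusCode().is2xxSuccessful() && body != null) {
            LOG.info("查询OAuth2服务端配置成功：{}", body);
            return body;
        }
        LOG.warn("查询OAuth2服务端配置失败：{}", response.getStatusCode());
        return Collections.emptyMap();
    }

    /**
     * Turns a configured endpoint into an absolute URL: absolute values are kept,
     * relative ones are appended to {@code baseUrl}.
     *
     * @return the normalized URL, or {@code null} when {@code endpoint} is blank
     */
    private String normalizeUrl(String baseUrl, String endpoint) {
        if (!StringUtils.hasText(endpoint)) {
            return null;
        }
        if (endpoint.toLowerCase(Locale.ROOT).startsWith("http")) {
            return UriComponentsBuilder.fromUriString(endpoint).toUriString();
        }
        String base = baseUrl == null ? "" : baseUrl;
        return UriComponentsBuilder.fromUriString(base + "/" + endpoint).toUriString();
    }

    /** Returns {@code value} if it has text, otherwise {@code fallback}. */
    private String blankToDefault(String value, String fallback) {
        return StringUtils.hasText(value) ? value : fallback;
    }

    /** Reads a metadata value as text; {@code null} when absent. */
    private static String stringValue(Map<String, Object> metadata, String key) {
        Object value = metadata.get(key);
        return value == null ? null : value.toString();
    }

    /** Shortcut to the configured OAuth2 client settings. */
    private CloudtOAuth2Client oauth2Client() {
        return this.sdkProperties.getCasClient().getOauth2Client();
    }

    /**
     * Adds {@code client_secret} only when one is configured. With PKCE enabled the
     * secret may legitimately be absent (see {@link #afterPropertiesSet()}), and a
     * valueless parameter should not be sent in that case.
     */
    private void addClientSecret(LinkedMultiValueMap<String, String> form) {
        String clientSecret = oauth2Client().getClientSecret();
        if (StringUtils.hasText(clientSecret)) {
            form.add("client_secret", clientSecret);
        }
    }

    /**
     * Wraps a form as the request body. The two-argument constructor is used on purpose:
     * {@code new HttpEntity<>(map)} resolves to the headers-only constructor for a
     * {@code MultiValueMap} argument.
     */
    private static HttpEntity<LinkedMultiValueMap<String, String>> formEntity(LinkedMultiValueMap<String, String> form) {
        return new HttpEntity<>(form, null);
    }
}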
