package com.elitescloud.boot.auth.client.config.security.configurer.filter;

import com.elitescloud.boot.auth.cas.provider.UserTransferHelper;
import com.elitescloud.boot.auth.client.config.AuthorizationProperties;
import com.elitescloud.boot.auth.client.config.security.resolver.BearerTokenResolver;
import com.elitescloud.boot.auth.client.config.security.resolver.impl.DefaultBearerTokenResolver;
import com.elitescloud.boot.auth.client.config.support.AuthenticationCache;
import com.elitescloud.boot.auth.model.Result;
import com.github.benmanes.caffeine.cache.Cache;
import com.github.benmanes.caffeine.cache.Caffeine;
import java.io.IOException;
import java.time.Duration;
import java.util.Iterator;
import java.util.List;
import java.util.concurrent.CompletableFuture;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.springframework.lang.NonNull;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtException;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.util.StringUtils;
import org.springframework.web.filter.OncePerRequestFilter;

/* loaded from: input_file:com/elitescloud/boot/auth/client/config/security/configurer/filter/AccessTokenRenewalFilter.class */
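/**
 * Servlet filter that extends the server-side lifetime of a bearer token while it is in use.
 *
 * <p>For every request outside the ignored paths ({@code /rpc/**}, {@code /actuator/**}) the
 * bearer token is resolved and, unless it was handled within the last
 * {@code authorizationProperties.getTokenRenewalRate()}, an asynchronous task decodes it and
 * pushes its expiry forward in the {@link AuthenticationCache}. The request is never blocked
 * on, or failed by, the renewal.
 *
 * <p>Security notes:
 * <ul>
 *   <li>The raw token is a credential and must never be written to logs; log messages carry
 *       the {@code jti} claim or the user id instead.</li>
 *   <li>NOTE(review): confirm that {@code AuthenticationCache.expireAt} only extends an
 *       existing entry and cannot re-create one for a token that was logged out or revoked;
 *       that behaviour is not visible from this class.</li>
 * </ul>
 */
public class AccessTokenRenewalFilter extends OncePerRequestFilter {
    private static final Logger log = LogManager.getLogger(AccessTokenRenewalFilter.class);
    private final AuthorizationProperties authorizationProperties;
    private final AuthenticationCache authenticationCache;
    private final JwtDecoder jwtDecoder;
    private final UserTransferHelper userTransferHelper;
    // Tokens handled recently; an entry suppresses another renewal until it expires.
    private final Cache<String, String> tokenRefreshCache;
    private BearerTokenResolver bearerTokenResolver = new DefaultBearerTokenResolver();
    // Requests matching any of these patterns never trigger a renewal.
    private final List<RequestMatcher> requestMatcherIgnore = List.of(new AntPathRequestMatcher("/rpc/**"), new AntPathRequestMatcher("/actuator/**"));

    /**
     * Creates the filter.
     *
     * @param authorizationProperties supplies the issuer URL, the renewal rate (how long a token
     *                                is remembered as "already renewed") and the locally
     *                                configured renewal duration
     * @param authenticationCache     store whose entry expiry is extended on renewal
     * @param jwtDecoder              decoder applied to the bearer token before any renewal
     */
    public AccessTokenRenewalFilter(AuthorizationProperties authorizationProperties, AuthenticationCache authenticationCache, JwtDecoder jwtDecoder) {
        this.authorizationProperties = authorizationProperties;
        this.authenticationCache = authenticationCache;
        this.jwtDecoder = jwtDecoder;
        this.userTransferHelper = UserTransferHelper.getInstance(authorizationProperties.getIssuerUrl());
        this.tokenRefreshCache = Caffeine.newBuilder().expireAfterWrite(authorizationProperties.getTokenRenewalRate()).maximumSize(5000L).build();
    }

    /**
     * Replaces the strategy used to extract the bearer token from a request.
     *
     * @param bearerTokenResolver resolver to use from now on
     */
    public void setBearerTokenResolver(@NonNull BearerTokenResolver bearerTokenResolver) {
        this.bearerTokenResolver = bearerTokenResolver;
    }

    /**
     * Schedules a token renewal when the request qualifies, then always continues the chain.
     */
    @Override
    protected void doFilterInternal(@NonNull HttpServletRequest httpServletRequest, @NonNull HttpServletResponse httpServletResponse, @NonNull FilterChain filterChain) throws ServletException, IOException {
        if (needRefresh(httpServletRequest)) {
            String token = this.bearerTokenResolver.resolve(httpServletRequest);
            if (StringUtils.hasText(token)) {
                refreshTokenTtl(token);
            }
        } else {
            log.debug("无需刷新token的uri：{}", httpServletRequest.getRequestURI());
        }
        filterChain.doFilter(httpServletRequest, httpServletResponse);
    }

    /**
     * Starts an asynchronous renewal for {@code str} unless it was handled recently.
     *
     * <p>NOTE(review): {@code CompletableFuture.runAsync} without an executor runs on the common
     * pool; {@code validateClientUser} looks like a call to the issuer, so a dedicated executor
     * may be preferable. Confirm before changing.
     *
     * @param str the raw bearer token
     */
    private void refreshTokenTtl(String str) {
        if (this.tokenRefreshCache.getIfPresent(str) != null) {
            return;
        }
        CompletableFuture.runAsync(() -> renewToken(str));
    }

    /**
     * Decodes the token, resolves the renewal duration and extends the cached entry.
     *
     * <p>Only tokens whose {@code yst_pt} claim equals {@code "us"} are considered. When both
     * {@code yst_cli} and {@code yst_cui} are present the user is validated through
     * {@link UserTransferHelper} and that result's TTL is used; otherwise the locally configured
     * renewal duration applies. The token is recorded in the refresh cache only after this
     * decision completes, so a failed validation is retried on the next request.
     *
     * @param token the raw bearer token; never logged
     */
    private void renewToken(String token) {
        try {
            Jwt jwt = this.jwtDecoder.decode(token);
            if (!"us".equals(jwt.getClaimAsString("yst_pt"))) {
                return;
            }
            String userId = jwt.getClaimAsString("yst_cui");
            String clientId = jwt.getClaimAsString("yst_cli");
            Duration ttl;
            if (StringUtils.hasText(clientId) && StringUtils.hasText(userId)) {
                Result validateClientUser = this.userTransferHelper.validateClientUser(clientId, Long.valueOf(userId));
                if (validateClientUser == null || validateClientUser.getData() == null) {
                    log.error("验证用户失败：{}, {}", userId, validateClientUser == null ? null : validateClientUser.getMsg());
                    return;
                }
                if (Boolean.FALSE.equals(validateClientUser.getData().getTokenRenewal())) {
                    log.debug("不支持自动续期：{}", userId);
                    return;
                }
                ttl = validateClientUser.getData().getTokenTtl();
                log.debug("根据CAS自动续期");
            } else {
                ttl = this.authorizationProperties.getTokenRenewal();
                log.debug("根据应用配置自动续期");
            }
            if (ttl != null && ttl.toSeconds() > 0) {
                // Apply the duration that was just validated. The previous code re-read the
                // local setting here, which ignored the per-user TTL and threw a
                // NullPointerException when the local setting was absent.
                // The raw token is deliberately kept out of the log line.
                log.info("自动续期token：jti={}, {}min", jwt.getId(), Long.valueOf(ttl.toMinutes()));
                this.authenticationCache.expireAt(token, ttl);
            }
            this.tokenRefreshCache.put(token, "true");
        } catch (JwtException e) {
            log.error("续期token异常：{}", e.getMessage());
        } catch (RuntimeException e) {
            // Boundary of the async task: without this a malformed yst_cui claim
            // (NumberFormatException) or a failing validation call would vanish silently
            // inside the CompletableFuture.
            log.error("续期token异常：{}", e.getMessage(), e);
        }
    }

    /**
     * Tells whether the request is eligible for token renewal.
     *
     * @return {@code false} when the request matches one of the ignored path patterns
     */
    private boolean needRefresh(HttpServletRequest httpServletRequest) {
        for (RequestMatcher matcher : this.requestMatcherIgnore) {
            if (matcher.matches(httpServletRequest)) {
                return false;
            }
        }
        return true;
    }

    /**
     * Returns the locally configured renewal duration.
     *
     * @return the configured duration, or {@code null} when it is unset or not positive
     */
    private Duration localTokenTtl() {
        Duration tokenRenewal = this.authorizationProperties.getTokenRenewal();
        if (tokenRenewal != null && tokenRenewal.toSeconds() > 0) {
            return tokenRenewal;
        }
        log.debug("不支持自动续期");
        return null;
    }
}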
