package com.digiwin.dap.middle.encrypt.filter;

import cn.hutool.extra.servlet.ServletUtil;
import com.digiwin.dap.middle.encrypt.config.EncryptRequestWrapper;
import com.digiwin.dap.middle.encrypt.constant.EncryptConstants;
import com.digiwin.dap.middle.encrypt.domain.DapEncryptDTO;
import com.digiwin.dap.middle.encrypt.domain.annotation.DapEncrypt;
import com.digiwin.dap.middle.encrypt.domain.annotation.DapSign;
import com.digiwin.dap.middle.encrypt.support.DapSecretSupport;
import com.digiwin.dap.middleware.cache.RedisUtils;
import com.digiwin.dap.middleware.commons.crypto.AES;
import com.digiwin.dap.middleware.commons.crypto.SignUtils;
import com.digiwin.dap.middleware.constant.DapHttpHeaders;
import com.digiwin.dap.middleware.domain.CommonErrorCode;
import com.digiwin.dap.middleware.domain.DapEnv;
import com.digiwin.dap.middleware.domain.FilterOrderEnum;
import com.digiwin.dap.middleware.domain.SignInfo;
import com.digiwin.dap.middleware.exception.BusinessException;
import com.digiwin.dap.middleware.exception.UnauthorizedException;
import com.digiwin.dap.middleware.util.JsonUtils;
import com.digiwin.dap.middleware.util.UserUtils;
import java.beans.Introspector;
import java.io.IOException;
import java.lang.annotation.Annotation;
import java.lang.reflect.Method;
import java.nio.charset.StandardCharsets;
import java.time.Duration;
import java.util.Arrays;
import java.util.List;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.BeanUtils;
import org.springframework.core.MethodParameter;
import org.springframework.core.Ordered;
import org.springframework.core.annotation.AnnotationUtils;
import org.springframework.util.ObjectUtils;
import org.springframework.web.bind.annotation.ModelAttribute;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.context.support.WebApplicationContextUtils;
import org.springframework.web.filter.OncePerRequestFilter;
import org.springframework.web.method.HandlerMethod;
import org.springframework.web.servlet.HandlerExecutionChain;
import org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping;

/* loaded from: input_file:com/digiwin/dap/middle/encrypt/filter/EncryptRequestFilter.class */
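/**
 * Servlet filter that verifies request signatures and decrypts request bodies for
 * handlers annotated with {@link DapSign} and/or {@link DapEncrypt}.
 *
 * <p>Security-relevant behavior visible in this class:
 * <ul>
 *   <li><b>Opt-in by default.</b> Unless the annotation's {@code force()} is set or the
 *       matching {@link DapEnv} flag is {@code TRUE}, the signature is only verified when
 *       the client sends the {@code APP_ARGS} header, and the body is only decrypted when
 *       it carries a non-empty {@code eData} field. An endpoint that must never accept
 *       unsigned or plaintext requests therefore has to set {@code force()} or the
 *       environment flag.</li>
 *   <li><b>Replay protection.</b> The signature nonce is recorded in Redis for
 *       {@link #NONCE_TTL}; a nonce seen again within that time fails the lock. The check
 *       is skipped entirely when {@code DapSign.resubmit()} is {@code true}.</li>
 *   <li><b>Secret handling.</b> The application secret is stored in a request attribute
 *       ({@code APP_SECRET_KEY}) for later use; code that dumps or logs request
 *       attributes would expose it.</li>
 * </ul>
 *
 * <p>Only handlers resolved through {@link RequestMappingHandlerMapping} are considered;
 * every other request is passed down the chain untouched.
 */
public class EncryptRequestFilter extends OncePerRequestFilter implements Ordered {
    private static final Logger LOGGER = LoggerFactory.getLogger(EncryptRequestFilter.class);

    /** HTTP methods whose body is considered for decryption. */
    private static final List<String> BODY_METHODS =
            Arrays.asList(RequestMethod.POST.name(), RequestMethod.PUT.name());

    /**
     * How long a used signature nonce is remembered in Redis.
     * NOTE(review): this should be at least as long as any timestamp window enforced by
     * SignInfo.verify, otherwise an expired nonce could be reused - confirm against SignInfo.
     */
    private static final Duration NONCE_TTL = Duration.ofMinutes(10);

    private final DapEnv dapEnv;
    private final DapSecretSupport dapSecretSupport;

    /**
     * @param dapEnv           environment settings (application name, global sign/encrypt flags)
     * @param dapSecretSupport resolves the application secret used for signing and decryption
     */
    public EncryptRequestFilter(DapEnv dapEnv, DapSecretSupport dapSecretSupport) {
        this.dapEnv = dapEnv;
        this.dapSecretSupport = dapSecretSupport;
    }

    /**
     * Looks up {@link DapEncrypt} on the controller type first and falls back to the
     * handler method; returns {@code null} when neither carries it.
     */
    private static DapEncrypt getDapEncrypt(HandlerMethod handlerMethod) {
        DapEncrypt onType = AnnotationUtils.findAnnotation(handlerMethod.getBeanType(), DapEncrypt.class);
        return onType != null ? onType : handlerMethod.getMethodAnnotation(DapEncrypt.class);
    }

    /**
     * Looks up {@link DapSign} on the controller type first and falls back to the
     * handler method; returns {@code null} when neither carries it.
     */
    private static DapSign getDapSign(HandlerMethod handlerMethod) {
        DapSign onType = AnnotationUtils.findAnnotation(handlerMethod.getBeanType(), DapSign.class);
        return onType != null ? onType : handlerMethod.getMethodAnnotation(DapSign.class);
    }

    /**
     * Resolves the handler for the request through the application's
     * {@link RequestMappingHandlerMapping} bean.
     *
     * @return the execution chain, or {@code null} when no mapping matches
     * @throws RuntimeException wrapping any failure during the lookup
     */
    private static HandlerExecutionChain getHandlerExecutionChain(HttpServletRequest httpServletRequest) {
        try {
            org.springframework.web.context.WebApplicationContext context =
                    WebApplicationContextUtils.getWebApplicationContext(httpServletRequest.getServletContext());
            if (context == null) {
                // Explicit failure instead of an anonymous NullPointerException.
                throw new IllegalStateException("No WebApplicationContext is bound to the servlet context");
            }
            String beanName = Introspector.decapitalize(RequestMappingHandlerMapping.class.getSimpleName());
            RequestMappingHandlerMapping mapping = context.getBean(beanName, RequestMappingHandlerMapping.class);
            return mapping.getHandler(httpServletRequest);
        } catch (Exception e) {
            // NOTE(review): this also wraps mapping errors raised by getHandler (for example an
            // unsupported HTTP method), which then surface as a generic server error - confirm
            // that this is intended.
            throw new RuntimeException(e);
        }
    }

    /**
     * Derives the body string that takes part in signature verification.
     *
     * @param body   raw request body
     * @param method resolved controller method
     * @return {@code null} when the body is empty or no parameter is annotated with
     *         {@link RequestBody} or {@link ModelAttribute}; the raw body when the annotated
     *         parameter is a simple type; otherwise {@code SignUtils.sortParam(body)}. When
     *         several parameters are annotated, the last one decides.
     */
    private static String getBodyParam(String body, Method method) {
        if (ObjectUtils.isEmpty(body)) {
            return null;
        }
        String signedBody = null;
        for (int index = 0; index < method.getParameterCount(); index++) {
            MethodParameter parameter = new MethodParameter(method, index);
            for (Annotation annotation : parameter.getParameterAnnotations()) {
                if ((annotation instanceof RequestBody) || (annotation instanceof ModelAttribute)) {
                    signedBody = BeanUtils.isSimpleProperty(parameter.getParameterType())
                            ? body
                            : SignUtils.sortParam(body);
                }
            }
        }
        return signedBody;
    }

    /**
     * Verifies the signature and/or decrypts the body when the resolved handler asks for
     * it, then continues the chain with a wrapper that exposes the (possibly decrypted)
     * body.
     *
     * @throws BusinessException     when no system id or application secret is available, or
     *                               when decryption is required but the body has no
     *                               encrypted payload
     * @throws UnauthorizedException when signature verification fails for any reason
     */
    @Override
    protected void doFilterInternal(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain) throws ServletException, IOException {
        HandlerExecutionChain handlerExecutionChain = getHandlerExecutionChain(httpServletRequest);
        if (handlerExecutionChain == null) {
            filterChain.doFilter(httpServletRequest, httpServletResponse);
            return;
        }
        Object handler = handlerExecutionChain.getHandler();
        if (!(handler instanceof HandlerMethod)) {
            // A handler that is not a controller method carries no DapSign/DapEncrypt
            // annotations, so there is nothing to enforce; pass it through instead of
            // failing on the cast.
            filterChain.doFilter(httpServletRequest, httpServletResponse);
            return;
        }
        HandlerMethod handlerMethod = (HandlerMethod) handler;
        Method method = handlerMethod.getMethod();
        DapSign dapSign = getDapSign(handlerMethod);
        DapEncrypt dapEncrypt = getDapEncrypt(handlerMethod);
        String signHeader = httpServletRequest.getHeader(DapHttpHeaders.APP_ARGS.getHeader());
        boolean signRequired = isSign(dapSign, signHeader);
        EncryptRequestWrapper encryptRequestWrapper = new EncryptRequestWrapper(httpServletRequest);
        String bodyString = encryptRequestWrapper.getBodyString();
        boolean decryptRequired = isEncrypt(httpServletRequest, dapEncrypt, bodyString);
        if (!signRequired && !decryptRequired) {
            filterChain.doFilter(encryptRequestWrapper, httpServletResponse);
            return;
        }

        if (ObjectUtils.isEmpty(UserUtils.getSysId())) {
            throw new BusinessException(CommonErrorCode.APP_ID_NONE);
        }
        String appSecret = this.dapSecretSupport.getAppSecret(
                UserUtils.getToken(), httpServletRequest.getHeader(DapHttpHeaders.APP_TOKEN.getHeader()));
        if (ObjectUtils.isEmpty(appSecret)) {
            throw new BusinessException(CommonErrorCode.APP_ID_SECRET_NONE, new Object[]{UserUtils.getSysId()});
        }

        if (signRequired) {
            try {
                SignInfo signInfo = SignInfo.get(signHeader);
                // NOTE(review): the nonce is recorded through this callback before
                // SignUtils.verify has checked the signature, so a request with a bad
                // signature may still consume its nonce - confirm against SignInfo.verify.
                signInfo.verify(() -> Boolean.valueOf(getLock(dapSign.resubmit(), signInfo.getNonce())));
                boolean signatureMatches = SignUtils.verify(
                        JsonUtils.objToMap(signInfo),
                        appSecret,
                        ServletUtil.getParamMap(httpServletRequest),
                        getBodyParam(bodyString, method));
                if (!signatureMatches) {
                    throw new UnauthorizedException(CommonErrorCode.SIGN_INCONSISTENT_SIGNATURE);
                }
                httpServletRequest.setAttribute(EncryptConstants.SIGN_STATUS_KEY, true);
                httpServletRequest.setAttribute(EncryptConstants.APP_SECRET_KEY, appSecret);
            } catch (Exception e) {
                // The original cause is not passed on to UnauthorizedException, so keep it
                // in the log for troubleshooting.
                LOGGER.debug("Request signature verification failed", e);
                // NOTE(review): e.getMessage() is handed to the exception and may reach the
                // client - confirm it cannot carry internal details.
                throw new UnauthorizedException(CommonErrorCode.SIGN_INCONSISTENT_SIGNATURE, e.getMessage());
            }
        }

        if (decryptRequired) {
            DapEncryptDTO envelope = (DapEncryptDTO) JsonUtils.readValue(bodyString, DapEncryptDTO.class);
            if (envelope == null || ObjectUtils.isEmpty(envelope.geteData())) {
                // Forced or environment-wide encryption reaches this point without the
                // payload check in isEncrypt; reject the request explicitly instead of
                // failing on a null envelope.
                throw new BusinessException(CommonErrorCode.ENCRYPT_REQUEST_BODY_EMPTY);
            }
            // NOTE(review): the method name suggests AES-CBC, which gives no integrity
            // protection on its own; unless the request is also signed, a modified
            // ciphertext would not be detected here - confirm against AES.decryptIvCBC.
            String plainBody = AES.decryptIvCBC(envelope.geteData(), appSecret);
            httpServletRequest.setAttribute(EncryptConstants.ENCRYPT_STATUS_KEY, true);
            httpServletRequest.setAttribute(EncryptConstants.APP_SECRET_KEY, appSecret);
            encryptRequestWrapper.setBodyString(plainBody.getBytes(StandardCharsets.UTF_8));
        }
        filterChain.doFilter(encryptRequestWrapper, httpServletResponse);
    }

    /**
     * Replay guard for the signature nonce.
     *
     * @param resubmitAllowed value of {@code DapSign.resubmit()}; when {@code true} the
     *                        nonce is not recorded and the guard always passes
     * @param nonce           nonce taken from the signature header
     * @return {@code true} when the request may proceed, i.e. resubmission is allowed or
     *         the nonce key did not yet exist in Redis
     */
    private boolean getLock(boolean resubmitAllowed, String nonce) {
        if (resubmitAllowed) {
            return true;
        }
        // The key is built from the application name and the client-supplied nonce.
        String nonceKey = String.format(EncryptConstants.REDIS_DWPAY_SIGN_NONCE, this.dapEnv.getAppName(), nonce);
        return RedisUtils.setIfAbsent(nonceKey, 1, NONCE_TTL);
    }

    /** Returns the filter position defined by {@code FilterOrderEnum.API_ENCRYPT}. */
    @Override
    public int getOrder() {
        return FilterOrderEnum.API_ENCRYPT.order();
    }

    /**
     * Decides whether the signature has to be verified.
     *
     * @param dapSign    annotation found on the handler, or {@code null}
     * @param signHeader value of the {@code APP_ARGS} header, possibly {@code null}
     * @return {@code false} without the annotation; otherwise {@code true} when signing is
     *         forced, enabled for the environment, or the client sent the header. In the
     *         last case a client that omits the header is not verified.
     */
    private boolean isSign(DapSign dapSign, String signHeader) {
        if (dapSign == null) {
            return false;
        }
        return dapSign.force() || Boolean.TRUE.equals(this.dapEnv.getSign()) || !ObjectUtils.isEmpty(signHeader);
    }

    /**
     * Decides whether the request body has to be decrypted.
     *
     * @param httpServletRequest current request; only POST and PUT are considered
     * @param dapEncrypt         annotation found on the handler, or {@code null}
     * @param body               raw request body
     * @return {@code true} when decryption is forced, enabled for the environment, or the
     *         body parses to an envelope with a non-empty {@code eData}
     * @throws BusinessException when decryption is optional and the body is empty
     */
    private boolean isEncrypt(HttpServletRequest httpServletRequest, DapEncrypt dapEncrypt, String body) {
        if (!BODY_METHODS.contains(httpServletRequest.getMethod()) || dapEncrypt == null) {
            return false;
        }
        if (dapEncrypt.force() || Boolean.TRUE.equals(this.dapEnv.getEncrypt())) {
            return true;
        }
        if (ObjectUtils.isEmpty(body)) {
            throw new BusinessException(CommonErrorCode.ENCRYPT_REQUEST_BODY_EMPTY);
        }
        // Message text means "request parameter body". The body is logged as received, so
        // a client that sends plaintext gets its payload written to the debug log; keep
        // debug logging off where request data is sensitive.
        LOGGER.debug("请求参数body：{}", body);
        DapEncryptDTO envelope = (DapEncryptDTO) JsonUtils.readValue(body, DapEncryptDTO.class);
        return envelope != null && !ObjectUtils.isEmpty(envelope.geteData());
    }
}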
