package com.digiwin.gateway.filter;

import com.auth0.jwt.JWT;
import com.digiwin.app.container.DWTargetAPI;
import com.digiwin.app.container.exceptions.DWRuntimeException;
import com.digiwin.app.merge.DWSourceAppAwareUtils;
import com.digiwin.app.merge.processor.DWSourceAppSwitchProcessor;
import com.digiwin.app.service.DWServiceContext;
import com.digiwin.gateway.filter.util.TokenUtils;
import com.digiwin.gateway.output.StandardExceptionOutput;
import com.digiwin.gateway.service.permission.DWSecurityContext;
import com.digiwin.gateway.service.permission.config.DWServicePermissionConfig;
import com.digiwin.gateway.service.permission.util.DWAPIPermissionUtil;
import com.digiwin.gateway.token.TokenService;
import com.digiwin.gateway.token.exception.DWTokenExpiredException;
import com.digiwin.gateway.token.exception.DWTokenSignatureException;
import com.digiwin.http.client.utils.DWPathPatternHelper;
import com.digiwin.iam.DWIAMProperties;
import com.google.gson.Gson;
import java.io.IOException;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;
import java.util.function.Supplier;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.http.HttpStatus;

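/* loaded from: input_file:com/digiwin/gateway/filter/TokenFilter.class */
/**
 * Gateway authentication filter.
 *
 * <p>For each request it first checks the {@code digi-middleware-auth-app} header (app
 * authentication), then, unless the target method allows anonymous access, verifies the caller's
 * token according to the configured token mode ({@code "IAM"} or the default verifier). Failures
 * are reported as a JSON error body with status 401 (bad signature / expired token) or 400
 * (anything else).
 */
public class TokenFilter extends AuthenticationFilter {

    @Autowired
    private TokenService tokenService;

    @Autowired
    @Qualifier("dw-service-permission-config")
    DWServicePermissionConfig servicePermissionConfig;

    @Autowired
    @Qualifier("dw-api-permission-util")
    public DWAPIPermissionUtil dwapiPermissionUtil;

    @Autowired
    DWIAMProperties properties;
    private DWSourceAppSwitchProcessor switchContextAppIdProcessor = new DWSourceAppSwitchProcessor();
    // Any value other than "IAM" (including the "?" default) selects the default token verifier.
    private String tokenMode = "?";

    /**
     * Sets the token verification mode from the {@code serverHttpTokenmode} property.
     *
     * @param str the mode; {@code "IAM"} selects IAM verification, anything else the default verifier
     */
    @Value("${serverHttpTokenmode:?}")
    public void setTokenMode(String str) {
        this.tokenMode = str;
    }

    /** No initialisation is required. */
    public void init(FilterConfig filterConfig) throws ServletException {
    }

    /**
     * Authenticates the request and, on success, passes it down the chain.
     *
     * @param servletRequest  the incoming request; must be an {@link HttpServletRequest}
     * @param servletResponse the response; must be an {@link HttpServletResponse}
     * @param filterChain     the remaining filter chain
     * @throws IOException      if writing the error response fails
     * @throws ServletException declared by the filter contract
     */
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) servletRequest;
        HttpServletResponse response = (HttpServletResponse) servletResponse;
        // Fail closed: a missing or non-Boolean attribute means the request must authenticate,
        // instead of failing with an unboxing NullPointerException outside any handler.
        boolean allowAnonymous = Boolean.TRUE.equals(request.getAttribute("isDWMethodAllowAnonymous"));
        Object targetApi = request.getAttribute("targetAPI");
        // Resolves the app id that token verification should run under.
        Supplier supplier = () -> targetApi instanceof DWTargetAPI
                ? DWSourceAppAwareUtils.getSourceAppId(((DWTargetAPI) targetApi).getHeader().getModuleName())
                : DWSourceAppAwareUtils.getCurrentAppId();
        try {
            processAppToken(request, allowAnonymous);
            String token = TokenUtils.getToken(request);
            if (!allowAnonymous) {
                try {
                    authenticate(request, token, targetApi, supplier);
                } catch (DWTokenSignatureException | DWTokenExpiredException e) {
                    // The specific token failures are caught before the generic handler so that
                    // they map to 401 rather than being absorbed as 400.
                    HttpStatus unauthorized = HttpStatus.UNAUTHORIZED;
                    generateErroResponse(response, StandardExceptionOutput.getStandardErrorResult(unauthorized, e), unauthorized);
                    return;
                } catch (Exception e) {
                    HttpStatus badRequest = HttpStatus.BAD_REQUEST;
                    generateErroResponse(response, StandardExceptionOutput.getStandardErrorResult(badRequest, e), badRequest);
                    return;
                }
            }
            filterChain.doFilter(servletRequest, servletResponse);
        } catch (Exception e) {
            // Also covers exceptions thrown by the rest of the chain, which are reported as 400.
            HttpStatus badRequest = HttpStatus.BAD_REQUEST;
            generateErroResponse(response, StandardExceptionOutput.getStandardErrorResult(badRequest, e), badRequest);
        }
    }

    /** No resources to release. */
    public void destroy() {
    }

    /**
     * Verifies the caller's token, or accepts the profile of an inner invocation.
     *
     * @throws Exception whatever the token service or the inner-invocation helper throws
     */
    private void authenticate(HttpServletRequest request, String token, Object targetApi, Supplier sourceAppId) throws Exception {
        if (DWInnerInvocationUtils.isInnerInvocation(request)) {
            // NOTE(review): no token verification happens on this path and the profile is parsed
            // from the request itself. The checks in isInnerInvocation are not visible here;
            // confirm they cannot be satisfied by a request arriving from outside the gateway.
            DWServiceContext.getContext().setProfile(DWInnerInvocationUtils.parseInnerInvocationProfile(request));
            DWServiceContext.getContext().setToken(token);
            return;
        }
        switch (this.tokenMode) {
            case "IAM":
                verifyIamToken(token, targetApi, sourceAppId);
                break;
            default:
                this.switchContextAppIdProcessor.process(sourceAppId, () -> {
                    this.tokenService.verifyToken(token);
                    return null;
                });
                break;
        }
    }

    /**
     * IAM mode: reuses an already verified security context when the trust chain is open,
     * otherwise verifies (and optionally exchanges) the token and records the result.
     *
     * @throws Exception whatever the token service throws
     */
    private void verifyIamToken(String token, Object targetApi, Supplier sourceAppId) throws Exception {
        DWSecurityContext securityContext = DWSecurityContext.getSecurityContext();
        boolean openTrustChain = this.servicePermissionConfig.isOpenTrustChain();
        boolean tokenVerified = securityContext.isTokenVerified();
        if (openTrustChain && tokenVerified) {
            // Trust chain: the token was verified earlier, so only the context is populated.
            DWServiceContext.getContext().setToken(token);
            DWServiceContext.getContext().setProfile(new HashMap<>(securityContext.getProfile()));
            return;
        }
        String exchangedToken;
        try {
            securityContext.suspend();
            exchangedToken = (String) this.switchContextAppIdProcessor.process(sourceAppId, () -> {
                // targetApi is cast without an instanceof check, so a request lacking a
                // DWTargetAPI attribute fails here instead of skipping verification.
                boolean checkPermission = this.dwapiPermissionUtil.shouldCheckPermission(((DWTargetAPI) targetApi).getMethod().getMethod());
                if (this.properties.isExchangeIntegrationToken()) {
                    return this.tokenService.verifyAndExchangeIamToken(token, checkPermission);
                }
                this.tokenService.verifyIamToken(token, checkPermission);
                return null;
            });
        } finally {
            // The suspended context is resumed whether or not verification succeeded.
            securityContext.resume();
        }
        if (securityContext.getProfile() != null) {
            DWServiceContext.getContext().getProfile().putAll(securityContext.getProfile());
        }
        // Prefer the exchanged token when the token service returned one.
        DWServiceContext.getContext().setToken(exchangedToken == null ? token : exchangedToken);
        securityContext.setTokenVerified();
        securityContext.setProfile(DWServiceContext.getContext().deepClone().getProfile());
    }

    /**
     * Decides whether the request is exempt from the app-auth header requirement.
     *
     * @param httpServletRequest the request being filtered
     * @param z                  whether the target method allows anonymous access
     * @return {@code true} if app auth is disabled, the anonymous or EAI-callback exemption
     *         applies, or the target matches one of the configured exclude patterns
     */
    private boolean isAppAuthExcludeURI(HttpServletRequest httpServletRequest, boolean z) {
        if (!this.properties.isAppAuthEnabled()) {
            return true;
        }
        if (this.properties.isAppAuthExcludeAnonymousApi() && z) {
            return true;
        }
        String target;
        String serviceId = (String) httpServletRequest.getAttribute("targetServiceId");
        if (serviceId == null) {
            // NOTE(review): getRequestURI() is the raw, undecoded request path. Confirm the
            // exclude patterns are matched against the same canonical path the dispatcher
            // routes on, otherwise the exclusion list and the routing can disagree.
            target = httpServletRequest.getRequestURI();
        } else {
            int at = serviceId.indexOf('@');
            if (at >= 0) {
                // A service id of the form "prefix@rest" is matched on the part after '@'.
                String prefix = serviceId.substring(0, at);
                if ("eai-callback".equalsIgnoreCase(prefix) && this.properties.isAppAuthExcludeEAICallback()) {
                    return true;
                }
                serviceId = serviceId.substring(at + 1);
            }
            target = serviceId;
        }
        for (Object pattern : this.properties.getAppAuthExcludeURIs()) {
            if (DWPathPatternHelper.getMatchingPattern((String) pattern, target) != null) {
                return true;
            }
        }
        return false;
    }

    /**
     * Enforces the presence of the app-auth header and records the app id it carries.
     *
     * @param httpServletRequest the request being filtered
     * @param z                  whether the target method allows anonymous access
     * @throws DWRuntimeException if the header is missing or empty and the request is not exempt
     */
    private void processAppToken(HttpServletRequest httpServletRequest, boolean z) {
        String header = httpServletRequest.getHeader("digi-middleware-auth-app");
        if (header == null || header.isEmpty()) {
            if (!isAppAuthExcludeURI(httpServletRequest, z)) {
                throw new DWRuntimeException("app auth info is null or empty!");
            }
            return;
        }
        // NOTE(review): JWT.decode only parses the token; it does not verify the signature.
        // Unless this header is verified elsewhere (not visible in this class), the "id" claim
        // stored below is whatever the caller sent, and a header without an "id" claim still
        // satisfies the presence check above. Downstream code should not treat
        // digi-middleware-appid as authenticated on the strength of this filter alone.
        DWServiceContext.getContext().getRequestHeader().put("digi-middleware-appid", JWT.decode(header).getClaim("id").asString());
    }

    /**
     * Writes the error map as a JSON body with the given status.
     *
     * @param httpServletResponse the response to write to
     * @param map                 the error payload
     * @param httpStatus          the HTTP status to set
     * @throws IOException if the response stream cannot be written
     */
    private void generateErroResponse(HttpServletResponse httpServletResponse, Map<String, Object> map, HttpStatus httpStatus) throws IOException {
        String json = new Gson().toJson(map);
        httpServletResponse.setHeader("Content-Type", "application/json");
        httpServletResponse.setStatus(httpStatus.value());
        // Encode explicitly as UTF-8 so non-ASCII messages do not depend on the platform charset.
        httpServletResponse.getOutputStream().write(json.getBytes(java.nio.charset.StandardCharsets.UTF_8));
    }
}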
