package com.digiwin.gateway.service.permission;

import com.digiwin.app.container.DWTargetAPI;
import com.digiwin.app.resource.DWApplicationMessageResourceBundleUtils;
import com.digiwin.gateway.service.permission.config.DWServicePermissionConfig;
import com.digiwin.gateway.service.permission.util.DWAPIPermissionUtil;
import com.digiwin.gateway.service.permission.util.DWSecurityRequestUtil;
import com.digiwin.service.permission.auth.DWAuthorizationVerifier;
import com.digiwin.service.permission.auth.DWIAMAuthorizationVerifier;
import com.digiwin.service.permission.auth.param.SubscriptionApiPermissionParam;
import com.digiwin.service.permission.auth.param.TenantPermissionParam;
import com.digiwin.service.permission.auth.param.UserPermissionParam;
import com.digiwin.service.permission.util.EAIServiceInfoUtil;
import com.google.gson.Gson;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.HashMap;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.http.HttpStatus;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.context.request.ServletRequestAttributes;

/* loaded from: input_file:com/digiwin/gateway/service/permission/DWServicePermissionFilter.class */
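/**
 * Servlet {@link Filter} that checks service permissions against IAM/RAM before a request
 * reaches the target API.
 *
 * <p>Flow per request:
 * <ol>
 *   <li>If the request attribute {@code isDWMethodAllowAnonymous} is {@code true}, no check is
 *       made.</li>
 *   <li>Otherwise, if {@code dwapiPermissionUtil.shouldCheckPermission(...)} reports {@code true}
 *       for the target method, a subscription-API check is made; if it reports {@code false}, a
 *       user-level and/or tenant-level check is made according to
 *       {@link DWServicePermissionConfig}.</li>
 *   <li>A failed check writes a 401 JSON body and stops the chain; otherwise the configured app
 *       token is stored in the security context and the chain continues.</li>
 * </ol>
 *
 * <p>Every check treats an exception from the verifier as a denial (401). The map the verifier
 * returns is only logged, never inspected; a denial is therefore assumed to be signalled by an
 * exception. NOTE(review): confirm this against the {@link DWAuthorizationVerifier}
 * implementation in use. A profile missing {@code tenantSid}/{@code userSid} throws
 * {@link NumberFormatException} before the verifier is called, so it surfaces as a servlet error
 * rather than as the 401 body.
 */
public class DWServicePermissionFilter implements Filter {
    private static final Log log = LogFactory.getLog(DWServicePermissionFilter.class);
    static final String ERROR_CODE = "10905";

    /** Header carrying the calling application's token. */
    private static final String AUTH_APP_HEADER = "digi-middleware-auth-app";
    /** Header carrying the calling user's token (fallback for the plain {@code token} header). */
    private static final String AUTH_USER_HEADER = "digi-middleware-auth-user";
    /** Header carrying the EAI service descriptor; see {@link #getEaiServiceName}. */
    private static final String EAI_SERVICE_HEADER = "digi-service";
    /** Placeholder written to logs instead of a credential value. */
    private static final String REDACTED = "***";

    @Autowired
    @Qualifier("dw-service-permission-config")
    DWServicePermissionConfig servicePermissionConfig;

    @Autowired
    @Qualifier("dw-api-permission-util")
    DWAPIPermissionUtil dwapiPermissionUtil;
    DWAuthorizationVerifier authorizationVerifier = new DWIAMAuthorizationVerifier();

    /** No initialisation is needed; all collaborators are injected. */
    public void init(FilterConfig filterConfig) throws ServletException {
    }

    /** Nothing to release. */
    public void destroy() {
    }

    /**
     * Runs the permission checks described on the class and either writes a 401 response or
     * continues the chain.
     *
     * @param servletRequest  must be an {@link HttpServletRequest}
     * @param servletResponse must be an {@link HttpServletResponse}
     * @param filterChain     the remaining chain, invoked only when the request is permitted
     * @throws IOException      if the error body cannot be written or the chain throws it
     * @throws ServletException propagated from the chain
     */
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) servletRequest;
        HttpServletResponse response = (HttpServletResponse) servletResponse;
        if (!isAnonymousAllowed(request) && isRejected(request, response)) {
            // A 401 body has already been written; the request must not reach the target API.
            return;
        }
        DWSecurityContext.getSecurityContext().setAppToken(this.servicePermissionConfig.getAppToken());
        filterChain.doFilter(servletRequest, servletResponse);
    }

    /**
     * Reads the {@code isDWMethodAllowAnonymous} request attribute set upstream.
     *
     * @return {@code true} only when the attribute is present and a {@code Boolean} {@code true}
     * @throws ClassCastException if the attribute is present but not a {@code Boolean}
     */
    private static boolean isAnonymousAllowed(HttpServletRequest request) {
        Object flag = request.getAttribute("isDWMethodAllowAnonymous");
        return flag != null && ((Boolean) flag).booleanValue();
    }

    /**
     * Chooses and runs the applicable check for a non-anonymous request.
     *
     * @return {@code true} when the request was rejected and an error response has been written
     * @throws NullPointerException if the {@code targetAPI} request attribute is absent
     */
    private boolean isRejected(HttpServletRequest request, HttpServletResponse response) throws IOException {
        DWTargetAPI targetApi = (DWTargetAPI) request.getAttribute("targetAPI");
        if (this.dwapiPermissionUtil.shouldCheckPermission(targetApi.getMethod().getMethod())) {
            return validSubscriptionPermission(request, response);
        }
        boolean checkUser = this.servicePermissionConfig.isValidUserPermission();
        boolean checkTenant = this.servicePermissionConfig.isValidTenantPermission();
        boolean userVerified = DWSecurityContext.getSecurityContext().isUserVerified();
        log.debug(String.format("調用鏈路中是否驗證過用戶級服務權限：%s，要驗證用戶服務權限：%s，要驗證租戶服務權限：%s", Boolean.valueOf(userVerified), Boolean.valueOf(checkUser), Boolean.valueOf(checkTenant)));
        if (checkUser) {
            // Once an earlier hop in the call chain has verified the user, only the tenant
            // level is re-checked here.
            return userVerified ? validTenantPermission(request, response) : validUserPermission(request, response);
        }
        if (checkTenant) {
            log.debug("驗證租戶級別的服務權限！！！");
            return validTenantPermission(request, response);
        }
        return false;
    }

    /**
     * Verifies user-level service permission with IAM and, on success, marks the security
     * context as user-verified.
     *
     * @return {@code true} if the request was rejected (error response written)
     */
    private boolean validUserPermission(HttpServletRequest request, HttpServletResponse response) throws IOException {
        log.debug("*** 開始驗證用戶服務權限 ***");
        DWSecurityContext securityContext = DWSecurityContext.getSecurityContext();
        Map<?, ?> profile = securityContext.getProfile();
        String appId = this.servicePermissionConfig.getAppId();
        String path = getPath(request);
        String method = request.getMethod();
        // The user-level check prefers the caller's app header and falls back to this
        // service's own configured token.
        String appToken = request.getHeader(AUTH_APP_HEADER);
        if (Objects.isNull(appToken)) {
            appToken = this.servicePermissionConfig.getAppToken();
        }
        UserPermissionParam param = new UserPermissionParam();
        param.setAppId(appId);
        param.setPath(path);
        param.setMethod(method);
        param.setAppToken(appToken);
        param.setTableName(firstTableName(request));
        param.setTenantId(Objects.toString(profile.get("tenantId")));
        param.setTenantSid(parseSid(profile, "tenantSid"));
        param.setUserId(Objects.toString(profile.get("userId")));
        param.setUserSid(parseSid(profile, "userSid"));
        try {
            // NOTE(review): param.toString() presumably includes appToken — confirm it is
            // redacted before relying on this debug line in shared logs.
            log.debug(String.format("參數 => %s, 調用IAM進行用戶服務權限驗證。", param));
            Map<?, ?> result = this.authorizationVerifier.verifyUserServicePermission(this.servicePermissionConfig.getRamHostUrl(), param);
            // The verifier returning normally is taken as "granted"; the result map is only logged.
            securityContext.setUserVerified();
            DWSecurityContext.setSecurityContext(securityContext);
            log.debug(String.format("IAM進行用戶服務權限驗證結果 => %s", result));
            return false;
        } catch (Exception e) {
            log.error("IAM user service permission verification failed", e);
            generateErrorResponse(response, e.getMessage(), DWApplicationMessageResourceBundleUtils.getApplicationResourceBundle(ERROR_CODE, ERROR_CODE, new Object[]{appId, path, method}));
            return true;
        }
    }

    /**
     * Verifies tenant-level service permission with IAM.
     *
     * @return {@code true} if the request was rejected (error response written)
     */
    private boolean validTenantPermission(HttpServletRequest request, HttpServletResponse response) throws IOException {
        log.debug("*** 開始驗證租戶服務權限 ***");
        DWSecurityContext securityContext = DWSecurityContext.getSecurityContext();
        Map<?, ?> profile = securityContext.getProfile();
        String appId = this.servicePermissionConfig.getAppId();
        String path = getPath(request);
        String method = request.getMethod();
        // Unlike the user-level check, the tenant-level check prefers the token already in the
        // security context and only then falls back to the caller's app header.
        String appToken = securityContext.getAppToken();
        if (Objects.isNull(appToken)) {
            appToken = request.getHeader(AUTH_APP_HEADER);
        }
        TenantPermissionParam param = new TenantPermissionParam();
        param.setAppId(appId);
        param.setPath(path);
        param.setMethod(method);
        param.setAppToken(appToken);
        param.setTenantId(Objects.toString(profile.get("tenantId")));
        param.setTenantSid(parseSid(profile, "tenantSid"));
        try {
            log.debug(String.format("參數 => %s, 調用IAM進行租戶級別服務權限驗證。", param));
            Map<?, ?> result = this.authorizationVerifier.verifyTenantServicePermission(this.servicePermissionConfig.getRamHostUrl(), param);
            log.debug(String.format("IAM進行租戶級別服務權限驗證結果 => %s", result));
            return false;
        } catch (Exception e) {
            log.error("IAM tenant service permission verification failed", e);
            generateErrorResponse(response, e.getMessage(), DWApplicationMessageResourceBundleUtils.getApplicationResourceBundle(ERROR_CODE, ERROR_CODE, new Object[]{appId, path, method}));
            return true;
        }
    }

    /**
     * Verifies subscription-API permission with RAM, forwarding the ISV signing headers.
     *
     * @return {@code true} if the request was rejected (error response written)
     */
    private boolean validSubscriptionPermission(HttpServletRequest request, HttpServletResponse response) throws IOException {
        log.debug("*** 開始訂閱API服務權限检查 ***");
        DWSecurityContext securityContext = DWSecurityContext.getSecurityContext();
        Map<?, ?> profile = securityContext.getProfile();
        String appId = this.servicePermissionConfig.getAppId();
        String path = getPath(request);
        String method = request.getMethod();
        String appToken = request.getHeader(AUTH_APP_HEADER);
        if (Objects.isNull(appToken)) {
            appToken = securityContext.getAppToken();
        }
        if (Objects.isNull(appToken)) {
            log.warn("request header 和 securityContext 中都沒有拿到請求方的appToken!!!");
        }
        String userToken = request.getHeader("token");
        if (Objects.isNull(userToken)) {
            userToken = request.getHeader(AUTH_USER_HEADER);
        }
        if (Objects.isNull(userToken)) {
            log.warn("request header都沒有拿到請求方的userToken!!!");
        }
        // Raw HashMap on purpose: the parameter type of verifySubscriptionApiPermission is not
        // visible here, and a raw map is assignable to any Map/HashMap signature.
        HashMap isvHeaders = new HashMap();
        isvHeaders.put("digi-middleware-auth-isv-id", request.getHeader("digi-middleware-auth-isv-id"));
        isvHeaders.put("digi-middleware-auth-isv-sign-arg", request.getHeader("digi-middleware-auth-isv-sign-arg"));
        isvHeaders.put("digi-middleware-auth-secret-key", request.getHeader("digi-middleware-auth-secret-key"));
        SubscriptionApiPermissionParam param = new SubscriptionApiPermissionParam();
        param.setAppId(appId);
        param.setPath(path);
        param.setMethod(method);
        param.setAppToken(appToken);
        param.setTenantId(Objects.toString(profile.get("tenantId")));
        param.setTenantSid(parseSid(profile, "tenantSid"));
        param.setUserId(Objects.toString(profile.get("userId")));
        param.setUserSid(parseSid(profile, "userSid"));
        param.setUserToken(userToken);
        param.setAuthMode(this.servicePermissionConfig.getAuthorizationMode());
        try {
            // The header map carries a signing secret; log which headers were present, not their
            // values. NOTE(review): param.toString() presumably includes appToken/userToken —
            // confirm it redacts them.
            log.info("### 調用RAM進行訂閱API服務權限驗證 header => " + redactValues(isvHeaders) + ", 參數 => " + param + "。");
            log.info("### RAM進行訂閱API服務權限驗證結果 => " + this.authorizationVerifier.verifySubscriptionApiPermission(this.servicePermissionConfig.getRamHostUrl(), isvHeaders, param));
            return false;
        } catch (Exception e) {
            String message = e.getMessage();
            String errorMessage = DWApplicationMessageResourceBundleUtils.getString(ERROR_CODE, new Object[]{appId, path, method});
            log.error("### RAM進行訂閱API服務權限驗證失敗!", e);
            generateErrorResponse(response, message, errorMessage);
            return true;
        }
    }

    /**
     * Returns the first table name attached to the request, or {@code null} when there is none.
     * Iteration order of the set decides which one is "first", exactly as before.
     */
    private static String firstTableName(HttpServletRequest request) {
        Set<String> tableNames = DWSecurityRequestUtil.getTableNames(request);
        return tableNames.isEmpty() ? null : tableNames.iterator().next();
    }

    /**
     * Parses a numeric sid out of the profile.
     *
     * @throws NumberFormatException if the value is absent ({@code Objects.toString(null)} is
     *                               {@code "null"}) or not a long; this happens before the verifier
     *                               try/catch, so it is not converted into a 401
     */
    private static Long parseSid(Map<?, ?> profile, String key) {
        return Long.valueOf(Long.parseLong(Objects.toString(profile.get(key))));
    }

    /**
     * Copies a header map for logging, replacing every non-null value with {@value #REDACTED} so
     * that credentials never reach the log.
     */
    private static Map<Object, Object> redactValues(Map<?, ?> headers) {
        Map<Object, Object> redacted = new HashMap<>();
        for (Map.Entry<?, ?> entry : headers.entrySet()) {
            redacted.put(entry.getKey(), entry.getValue() == null ? null : REDACTED);
        }
        return redacted;
    }

    /**
     * Resolves the path used in the permission check: the current request URI, overridden by the
     * server-side {@code origin-url} request attribute when present, and replaced by the EAI
     * service name when the URI ends with {@code /eai}.
     *
     * <p>NOTE(review): the EAI service name comes from a client-supplied header (see
     * {@link #getEaiServiceName}); confirm that {@link EAIServiceInfoUtil} validates it before it
     * is used as the permission path.
     */
    private String getPath(HttpServletRequest request) {
        ServletRequestAttributes attributes = RequestContextHolder.getRequestAttributes();
        String uri = Objects.nonNull(attributes) ? attributes.getRequest().getRequestURI() : "";
        Object originUrl = request.getAttribute("origin-url");
        if (Objects.nonNull(originUrl)) {
            uri = originUrl.toString();
        }
        String eaiServiceName = getEaiServiceName(request);
        if (Objects.nonNull(eaiServiceName) && uri.endsWith("/eai")) {
            uri = eaiServiceName;
        }
        return uri;
    }

    /**
     * Extracts the EAI service name from the {@code digi-service} header.
     *
     * @return the service name, or {@code null} when the header is absent
     */
    private String getEaiServiceName(HttpServletRequest request) {
        String descriptor = request.getHeader(EAI_SERVICE_HEADER);
        if (Objects.isNull(descriptor)) {
            return null;
        }
        return EAIServiceInfoUtil.getServiceName(descriptor);
    }

    /**
     * Writes a 401 JSON error body.
     *
     * <p>The body is UTF-8 encoded and the Content-Type declares that charset; previously the
     * platform default charset was used, which mangles the non-ASCII message text on some JVMs.
     *
     * @param response      target response
     * @param sourceMessage the verifier's exception message, expected to be a JSON object; it is
     *                      echoed to the client under {@code errorInstructors.sourceAPI}.
     *                      NOTE(review): confirm the upstream message never carries internal
     *                      detail that should not reach the caller.
     * @param errorMessage  the localized message from the resource bundle
     */
    private void generateErrorResponse(HttpServletResponse response, String sourceMessage, String errorMessage) throws IOException {
        Gson gson = new Gson();
        Map<String, Object> body = new HashMap<>();
        body.put("sourceId", "DAP");
        body.put("errorType", "Business");
        body.put("errorCode", ERROR_CODE);
        body.put("errorMessage", errorMessage);
        Map<String, Object> instructors = new HashMap<>();
        instructors.put("sourceAPI", parseSourceMessage(gson, sourceMessage));
        body.put("errorInstructors", instructors);
        String json = gson.toJson(body);
        response.setHeader("Content-Type", "application/json;charset=UTF-8");
        response.setStatus(HttpStatus.UNAUTHORIZED.value());
        response.getOutputStream().write(json.getBytes(StandardCharsets.UTF_8));
    }

    /**
     * Parses the upstream message as a JSON object.
     *
     * <p>The catch blocks above are {@code catch (Exception)}, so the message may be a plain-text
     * transport error rather than JSON. Gson reports that with an unchecked exception, which
     * previously escaped the filter and turned the intended 401 into a servlet error; such a
     * message is now omitted from the body (it is already in the server log).
     */
    private static Map<?, ?> parseSourceMessage(Gson gson, String sourceMessage) {
        try {
            return (Map<?, ?>) gson.fromJson(sourceMessage, Map.class);
        } catch (RuntimeException notJson) {
            log.debug("upstream error message is not JSON; omitting it from the response body", notJson);
            return null;
        }
    }
}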
