package y9.oauth2.resource.filter;

import java.io.IOException;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.util.Collections;
import java.util.Map;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import net.risesoft.model.Person;
import net.risesoft.y9.Y9LoginPersonHolder;
import net.risesoft.y9.json.Y9JacksonUtil;
import org.apache.commons.lang3.StringUtils;
import org.springframework.core.env.Environment;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpMethod;
import org.springframework.http.HttpStatus;
import org.springframework.http.MediaType;
import org.springframework.http.RequestEntity;
import org.springframework.http.ResponseEntity;
import org.springframework.kafka.core.KafkaTemplate;
import org.springframework.web.client.RestTemplate;
import org.springframework.web.context.WebApplicationContext;
import org.springframework.web.context.support.WebApplicationContextUtils;
import org.springframework.web.filter.OncePerRequestFilter;
import y9.oauth2.resource.model.OAuth20IntrospectionAccessTokenResponse;
import y9.oauth2.resource.model.UserInfo;
import y9.oauth2.resource.model.UserProfile;

/* loaded from: input_file:y9/oauth2/resource/filter/Y9Oauth2ResourceFilter.class */
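/**
 * Servlet filter that guards a resource server with an opaque OAuth2 access token.
 *
 * <p>Every request must carry an access token, either as a {@code Bearer} value in the
 * {@code Authorization} header or as an {@code access_token} request parameter. The token is
 * validated against the configured introspection endpoint (client-authenticated with HTTP Basic);
 * the user attributes it returns (or, failing that, the profile endpoint) are turned into a
 * {@link UserInfo}/{@link Person} pair that is stored in the HTTP session and published through
 * {@link Y9LoginPersonHolder} for the rest of the request. Requests without a token, with an
 * inactive token, or whose validation fails for any reason receive {@code 401 Unauthorized} and
 * are not forwarded down the chain.
 *
 * <p>When {@code y9.feature.oauth2.resource.opaque.tokenCachedInSession} is {@code true} and the
 * presented token equals the one already stored in the session, introspection is skipped and the
 * identity is re-bound from the session. A revoked token is therefore still accepted for as long as
 * that session lives; keep the session timeout short when enabling the cache.
 *
 * <p>Configuration is read lazily from the Spring {@link Environment} on the first request (see
 * {@link #ensureInitialized}); property keys live under {@code y9.feature.oauth2.resource.*}.
 *
 * <p>Thread-safety: one instance serves all request threads. Lazy initialisation is guarded by a
 * lock and published through the volatile {@link #env} field; all other fields are read-only after
 * that point, and the per-request identity lives in {@link Y9LoginPersonHolder}, which is cleared
 * in a {@code finally} block so no thread-local state outlives the request.
 */
public class Y9Oauth2ResourceFilter extends OncePerRequestFilter {

    /** Session attribute and request parameter carrying the opaque token. */
    private static final String ACCESS_TOKEN = "access_token";
    private static final String BEARER_PREFIX = "Bearer ";
    private static final String ONLINE_TOPIC = "y9_userOnline_message";

    private static final String PROP_CLIENT_ID = "y9.feature.oauth2.resource.opaque.client-id";
    private static final String PROP_CLIENT_SECRET = "y9.feature.oauth2.resource.opaque.client-secret";
    private static final String PROP_INTROSPECTION_URI = "y9.feature.oauth2.resource.opaque.introspection-uri";
    private static final String PROP_PROFILE_URI = "y9.feature.oauth2.resource.opaque.profile-uri";
    private static final String PROP_TOKEN_CACHED = "y9.feature.oauth2.resource.opaque.tokenCachedInSession";
    private static final String PROP_SAVE_ONLINE = "y9.feature.oauth2.resource.saveOnlineMessage";

    private final RestTemplate restTemplate = new RestTemplate();

    private WebApplicationContext ctx = null;
    /** Non-null once {@link #ensureInitialized} has run; written last so it publishes the other fields. */
    private volatile Environment env = null;
    private String introspectionUri = "";
    private String profileUri = "";
    private boolean tokenCachedInSession = false;
    private String clientId = "";
    private String clientSecret = "";
    private boolean saveOnlineMessage = false;
    private KafkaTemplate<String, Object> y9KafkaTemplate;

    /**
     * Authenticates the request and, on success, forwards it down the filter chain.
     *
     * @param httpServletRequest  incoming request; inspected for the access token
     * @param httpServletResponse response; set to 401 when authentication fails
     * @param filterChain         the remaining chain, invoked only for authenticated requests
     * @throws ServletException propagated from the chain
     * @throws IOException      propagated from the chain
     */
    @Override
    protected void doFilterInternal(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse,
            FilterChain filterChain) throws ServletException, IOException {
        ensureInitialized(httpServletRequest);
        try {
            String token = getAccessTokenFromRequest(httpServletRequest);
            if (token == null) {
                status401Unauthorized(httpServletResponse);
                return;
            }
            HttpSession session = httpServletRequest.getSession(false);
            String cachedToken = session != null ? (String) session.getAttribute(ACCESS_TOKEN) : null;
            if (this.tokenCachedInSession && token.equals(cachedToken)) {
                // Cache hit: introspection was done earlier in this session; just re-bind the
                // thread-local identity so downstream code sees the same state as on a cache miss.
                restoreIdentityFromSession(session);
            } else if (!authenticate(httpServletRequest, session, token)) {
                status401Unauthorized(httpServletResponse);
                return;
            }
            filterChain.doFilter(httpServletRequest, httpServletResponse);
        } finally {
            // Never leak a request's identity to the next request served by this thread.
            Y9LoginPersonHolder.clear();
        }
    }

    /**
     * Reads the filter's configuration from the web application context on first use.
     *
     * <p>Initialisation happens lazily because the servlet context (and thus the Spring context)
     * is only guaranteed to be reachable once requests start arriving. Double-checked on the
     * volatile {@link #env} field so concurrent first requests configure the filter exactly once.
     *
     * @throws IllegalStateException if no {@link WebApplicationContext} is bound to the servlet context
     */
    private void ensureInitialized(HttpServletRequest httpServletRequest) {
        if (this.env != null) {
            return;
        }
        synchronized (this) {
            if (this.env != null) {
                return;
            }
            WebApplicationContext context =
                    WebApplicationContextUtils.getWebApplicationContext(httpServletRequest.getServletContext());
            if (context == null) {
                throw new IllegalStateException("No WebApplicationContext is bound to the servlet context");
            }
            Environment environment = context.getEnvironment();
            this.clientId = environment.getProperty(PROP_CLIENT_ID);
            this.clientSecret = environment.getProperty(PROP_CLIENT_SECRET);
            this.introspectionUri = environment.getProperty(PROP_INTROSPECTION_URI);
            this.profileUri = environment.getProperty(PROP_PROFILE_URI);
            this.tokenCachedInSession = Boolean.parseBoolean(environment.getProperty(PROP_TOKEN_CACHED, "false"));
            if ("true".equals(environment.getProperty(PROP_SAVE_ONLINE))) {
                this.saveOnlineMessage = true;
                if (this.y9KafkaTemplate == null) {
                    @SuppressWarnings("unchecked") // the application is expected to register a KafkaTemplate<String, Object>
                    KafkaTemplate<String, Object> template = context.getBean(KafkaTemplate.class);
                    this.y9KafkaTemplate = template;
                }
            }
            this.ctx = context;
            this.env = environment; // publish last: readers of the fast path then see a fully configured filter
        }
    }

    /**
     * Validates {@code token} at the introspection endpoint and binds the resulting identity.
     *
     * <p>Any exception while talking to the authorization server or parsing its answer is treated
     * as "not authenticated" rather than propagated, so a misbehaving server cannot turn into a
     * 500 that might expose internals.
     *
     * @return {@code true} if the token is active and the request may proceed
     */
    private boolean authenticate(HttpServletRequest httpServletRequest, HttpSession session, String token) {
        try {
            ResponseEntity<OAuth20IntrospectionAccessTokenResponse> introspection = invokeIntrospectEndpoint(token);
            OAuth20IntrospectionAccessTokenResponse body = introspection.getBody();
            // Check status and presence of a body before touching it: a non-200 or empty answer is
            // not an active token, and must not raise a NullPointerException.
            if (introspection.getStatusCodeValue() != 200 || body == null) {
                this.logger.trace("Introspection endpoint returned no usable response");
                return false;
            }
            if (!body.isActive()) {
                this.logger.trace("Did not validate token since it is inactive");
                return false;
            }
            UserInfo userInfo = resolveUserInfo(body, token);
            if (userInfo == null) {
                // Existing contract: an active token without resolvable user info still passes,
                // but nothing is bound, so downstream code must cope with an empty holder.
                this.logger.warn("Token is active but no user info could be resolved; proceeding without a bound identity");
            } else {
                bindIdentity(httpServletRequest, session, token, userInfo);
            }
            return true;
        } catch (Exception e) {
            this.logger.debug("Token validation failed", e);
            return false;
        }
    }

    /**
     * Builds the {@link UserInfo} from the introspection attributes, falling back to the profile
     * endpoint when the attributes cannot be parsed.
     */
    private UserInfo resolveUserInfo(OAuth20IntrospectionAccessTokenResponse introspection, String token) {
        try {
            return (UserInfo) Y9JacksonUtil.readValue(introspection.getAttr(), UserInfo.class);
        } catch (Exception e) {
            this.logger.trace("Introspection attributes not parseable, falling back to the profile endpoint", e);
            return (UserInfo) Y9JacksonUtil.readValue(invokeProfileEndpoint(token).getBody(), UserInfo.class);
        }
    }

    /**
     * Stores the freshly validated identity in the session (creating one if needed), binds it to
     * the current thread and publishes the "user online" event.
     */
    private void bindIdentity(HttpServletRequest httpServletRequest, HttpSession session, String token,
            UserInfo userInfo) {
        HttpSession target = session != null ? session : httpServletRequest.getSession(true);
        Person person = toPerson(userInfo);
        target.setAttribute(ACCESS_TOKEN, token);
        target.setAttribute("userInfo", userInfo);
        target.setAttribute("loginName", userInfo.getLoginName());
        target.setAttribute("loginPerson", person);
        bindHolder(userInfo, person);
        remoteSaveUserOnline(httpServletRequest.getRequestURL().toString(), person);
    }

    /**
     * Re-binds the thread-local identity from the session attributes written by
     * {@link #bindIdentity}; silently does nothing when they are absent or of an unexpected type.
     */
    private void restoreIdentityFromSession(HttpSession session) {
        if (session == null) {
            return;
        }
        Object userInfo = session.getAttribute("userInfo");
        Object person = session.getAttribute("loginPerson");
        if (userInfo instanceof UserInfo && person instanceof Person) {
            bindHolder((UserInfo) userInfo, (Person) person);
        }
    }

    /** Publishes the identity through the request-scoped {@link Y9LoginPersonHolder}. */
    private static void bindHolder(UserInfo userInfo, Person person) {
        Y9LoginPersonHolder.setTenantId(userInfo.getTenantID());
        Y9LoginPersonHolder.setTenantName(userInfo.getTenantName());
        Y9LoginPersonHolder.setTenantLoginName(userInfo.getTenantLoginName());
        Y9LoginPersonHolder.setPerson(person);
        Y9LoginPersonHolder.setDeptId(person.getParentID());
    }

    /**
     * Answers {@code 401 Unauthorized} with a {@code WWW-Authenticate: Bearer} challenge and no
     * body, so nothing about the failure reason reaches the client.
     */
    private void status401Unauthorized(HttpServletResponse httpServletResponse) {
        httpServletResponse.addHeader("WWW-Authenticate", "Bearer realm=\"risesoft\"");
        httpServletResponse.setStatus(HttpStatus.UNAUTHORIZED.value());
    }

    /**
     * Calls the introspection endpoint for {@code token}, authenticating as the configured client.
     *
     * <p>NOTE(review): the token is sent in the query string of a POST although the Content-Type
     * advertises a form body (RFC 7662 places it in the body). Kept as-is for compatibility with
     * the current endpoint, but query strings end up in access logs and proxies, so moving the
     * token into the body is worth doing once the server side is confirmed to accept it.
     */
    private ResponseEntity<OAuth20IntrospectionAccessTokenResponse> invokeIntrospectEndpoint(String token) {
        HttpHeaders headers = new HttpHeaders();
        headers.setAccept(Collections.singletonList(MediaType.APPLICATION_JSON));
        headers.setContentType(MediaType.APPLICATION_FORM_URLENCODED);
        headers.setBasicAuth(this.clientId, this.clientSecret, StandardCharsets.UTF_8);
        URI uri = URI.create(this.introspectionUri + "?token=" + token);
        RequestEntity<Void> request = new RequestEntity<>(headers, HttpMethod.POST, uri);
        return this.restTemplate.exchange(request, OAuth20IntrospectionAccessTokenResponse.class);
    }

    /**
     * Fetches the raw JSON user profile for {@code token}.
     *
     * <p>NOTE(review): the token is passed both as a bearer header and in the query string; the
     * query copy is the one that leaks into logs and is redundant if the endpoint honours the header.
     */
    private ResponseEntity<String> invokeProfileEndpoint(String token) {
        HttpHeaders headers = new HttpHeaders();
        headers.setAccept(Collections.singletonList(MediaType.APPLICATION_JSON));
        headers.set("Authorization", BEARER_PREFIX + token);
        URI uri = URI.create(this.profileUri + "?access_token=" + token);
        RequestEntity<Void> request = new RequestEntity<>(headers, HttpMethod.GET, uri);
        return this.restTemplate.exchange(request, String.class);
    }

    /**
     * Maps a {@link UserProfile}'s attribute map onto a {@link UserInfo}.
     *
     * <p>Currently unreferenced within this class. {@code original} and {@code sex} are parsed as
     * integers and throw {@link NumberFormatException} when absent or non-numeric;
     * {@code tenantManager} is parsed as a boolean and is {@code false} for anything but "true".
     */
    private UserInfo toUserInfo(UserProfile userProfile) {
        Map<String, ?> attrs = userProfile.getAttributes();
        UserInfo userInfo = new UserInfo();
        userInfo.setCAID((String) attrs.get("CAID"));
        userInfo.setEmail((String) attrs.get("email"));
        userInfo.setGuidPath((String) attrs.get("guidPath"));
        userInfo.setIsValidateIE((String) attrs.get("isValidateIE"));
        userInfo.setLoginName((String) attrs.get("loginName"));
        userInfo.setLoginType((String) attrs.get("loginType"));
        userInfo.setMobile((String) attrs.get("mobile"));
        userInfo.setOriginal(Integer.valueOf(Integer.parseInt(String.valueOf(attrs.get("original")))));
        userInfo.setOriginalID((String) attrs.get("originalID"));
        userInfo.setParentID((String) attrs.get("parentID"));
        userInfo.setPersonID((String) attrs.get("personID"));
        userInfo.setSex(Integer.valueOf(Integer.parseInt(String.valueOf(attrs.get("sex")))));
        userInfo.setTenantID((String) attrs.get("tenantID"));
        userInfo.setTenantLoginName((String) attrs.get("tenantLoginName"));
        userInfo.setTenantName((String) attrs.get("tenantName"));
        userInfo.setTenantManager(Boolean.valueOf(String.valueOf(attrs.get("tenantManager"))));
        userInfo.setAvator((String) attrs.get("avator"));
        userInfo.setRoles((String) attrs.get("roles"));
        return userInfo;
    }

    /** Copies the identity fields of a {@link UserInfo} into a new {@link Person}. */
    private Person toPerson(UserInfo userInfo) {
        Person person = new Person();
        person.setCAID(userInfo.getCAID());
        person.setEmail(userInfo.getEmail());
        person.setGuidPath(userInfo.getGuidPath());
        person.setName(userInfo.getName());
        person.setLoginName(userInfo.getLoginName());
        person.setMobile(userInfo.getMobile());
        person.setOriginal(userInfo.getOriginal());
        person.setOriginalID(userInfo.getOriginalID());
        person.setParentID(userInfo.getParentID());
        person.setId(userInfo.getPersonID());
        person.setSex(userInfo.getSex());
        person.setTenantID(userInfo.getTenantID());
        person.setTenantManager(userInfo.getTenantManager());
        person.setAvator(userInfo.getAvator());
        person.setRoles(userInfo.getRoles());
        person.setDn(userInfo.getDn());
        person.setPersonType(userInfo.getPersonType());
        return person;
    }

    /**
     * Extracts the access token from the request.
     *
     * <p>The {@code access_token} parameter wins; otherwise a {@code Bearer} {@code Authorization}
     * header is used (scheme match is case-sensitive). Accepting the token as a request parameter
     * is kept for compatibility, but it means tokens can appear in URLs and therefore in logs;
     * clients should prefer the header.
     *
     * @return the token, or {@code null} when neither source provides a non-blank value
     */
    private String getAccessTokenFromRequest(HttpServletRequest httpServletRequest) {
        String token = httpServletRequest.getParameter(ACCESS_TOKEN);
        if (StringUtils.isNotBlank(token)) {
            return token;
        }
        String header = httpServletRequest.getHeader("Authorization");
        if (StringUtils.isNotBlank(header) && header.startsWith(BEARER_PREFIX)) {
            return header.substring(BEARER_PREFIX.length());
        }
        // A blank parameter used to be returned as-is and sent to introspection; treat it as absent.
        return null;
    }

    /**
     * Best-effort publication of a "user online" event to Kafka.
     *
     * <p>Only active when {@code y9.feature.oauth2.resource.saveOnlineMessage} is {@code true} and a
     * {@link KafkaTemplate} bean exists. Failures are logged and never fail the request.
     *
     * @param requestUrl the request URL (currently not part of the message)
     * @param person     the person to announce; ignored when {@code null}
     */
    private void remoteSaveUserOnline(String requestUrl, Person person) {
        if (person == null || !this.saveOnlineMessage || this.y9KafkaTemplate == null) {
            return;
        }
        try {
            String payload = Y9JacksonUtil.writeValueAsString(person);
            this.y9KafkaTemplate.send(ONLINE_TOPIC, payload);
            this.logger.debug("保存用户在线成功.");
        } catch (Exception e) {
            // Log through the filter's logger with the stack trace instead of printStackTrace().
            this.logger.warn("保存用户在线失败." + e.getMessage(), e);
        }
    }
}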
