package org.zodiac.security.http.reactive.interceptor;

import java.time.Duration;
import java.util.Collections;
import java.util.Date;
import java.util.List;
import java.util.stream.Collectors;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.http.server.reactive.ServerHttpRequest;
import org.springframework.http.server.reactive.ServerHttpResponse;
import org.springframework.lang.NonNull;
import org.springframework.util.AntPathMatcher;
import org.springframework.web.server.ServerWebExchange;
import org.springframework.web.server.WebFilter;
import org.springframework.web.server.WebFilterChain;
import org.zodiac.commons.crypto.Digests;
import org.zodiac.commons.util.Func;
import org.zodiac.commons.util.JsonUtil;
import org.zodiac.commons.util.web.ReactiveRequests;
import org.zodiac.commons.web.model.SimpleHttpMethod;
import org.zodiac.security.config.SecurityHttpInfo;
import org.zodiac.security.http.SignSecure;
import org.zodiac.security.http.reactive.ReactiveResponseProvider;
import org.zodiac.security.registry.SecurityRegistry;
import reactor.core.publisher.Mono;

/* loaded from: input_file:org/zodiac/security/http/reactive/interceptor/SignInterceptor.class */
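/**
 * Reactive {@link WebFilter} that applies the request-signing rules obtained from
 * {@link SecurityRegistry} and {@link SecurityHttpInfo}.
 *
 * <p>For each request, the first {@link SignSecure} rule whose HTTP method and path match is
 * selected and the {@code timestamp}, {@code nonce} and {@code signature} headers are verified.
 * Requests that match no rule are passed down the chain unchanged.
 *
 * <p>NOTE(review): as written in this class, the expected signature is a plain MD5 or SHA-1 digest
 * of {@code timestamp + nonce}, both taken from client-supplied headers. No shared secret and no
 * request content (method, path, body) is mixed in here, so unless {@code Digests} adds key
 * material internally (confirm), the check demonstrates only that the caller knows the scheme;
 * it does not authenticate the caller or protect the request from modification. The nonce is
 * also not recorded anywhere in this class, so an identical header set is accepted repeatedly
 * within the {@value #SECOND_MAX}-second window. A keyed MAC (for example HMAC-SHA-256 with a
 * per-client key) over method, path, body digest, timestamp and nonce, combined with a
 * short-lived nonce cache, would close both gaps; that is a protocol change and is deliberately
 * not made here.
 */
public class SignInterceptor implements WebFilter {
    private static final String TIMESTAMP = "timestamp";
    private static final String NONCE = "nonce";
    private static final String SIGNATURE = "signature";
    private static final String SHA1 = "sha1";
    private static final String MD5 = "md5";
    private static final Logger LOG = LoggerFactory.getLogger(SignInterceptor.class);
    private static final AntPathMatcher ANT_PATH_MATCHER = new AntPathMatcher();
    /** Lowest accepted request age in seconds; timestamps ahead of the server clock are rejected. */
    private static final long SECOND_MIN = 0;
    /** Highest accepted request age in seconds. */
    private static final long SECOND_MAX = 10;

    private final SecurityRegistry securityRegistry;
    private final SecurityHttpInfo securityHttpInfo;
    private final List<SignSecure> signSecures;
    private final List<String> excludePathPatterns;

    /**
     * Builds the filter and, when signing is enabled on either configuration object, registers the
     * configured sign patterns with the registry.
     *
     * @param securityRegistry registry that holds the sign rules and the exclude patterns
     * @param securityHttpInfo HTTP security configuration supplying further sign rules
     */
    public SignInterceptor(SecurityRegistry securityRegistry, SecurityHttpInfo securityHttpInfo) {
        this.securityRegistry = securityRegistry;
        this.securityHttpInfo = securityHttpInfo;
        if (!signingEnabled()) {
            this.signSecures = Collections.emptyList();
            this.excludePathPatterns = Collections.emptyList();
            return;
        }
        this.signSecures = securityRegistry.addSignPatterns(securityHttpInfo.getSign()).getSignSecures();
        if (this.signSecures.isEmpty()) {
            this.excludePathPatterns = Collections.emptyList();
            return;
        }
        // Every sign pattern is also handed to the registry's exclude list, and the resulting
        // list is kept for checkPath().
        securityRegistry.excludePathPatterns(
                this.signSecures.stream().map(SignSecure::getPattern).collect(Collectors.toList()));
        this.excludePathPatterns = securityRegistry.getExcludePatterns();
    }

    /**
     * Verifies the signature headers of requests covered by a sign rule and rejects the request
     * through {@link ReactiveResponseProvider} when verification fails.
     *
     * @param serverWebExchange the current exchange
     * @param webFilterChain the remaining filter chain
     * @return completion signal of either the rejection response or the downstream chain
     */
    @Override
    public Mono<Void> filter(@NonNull ServerWebExchange serverWebExchange, @NonNull WebFilterChain webFilterChain) {
        if (!signingEnabled()) {
            return webFilterChain.filter(serverWebExchange);
        }
        ServerHttpRequest request = serverWebExchange.getRequest();
        // Only the first matching rule is evaluated; a request that matches no rule is accepted.
        boolean accepted = this.signSecures.stream()
                .filter(rule -> checkAuth(request, rule))
                .findFirst()
                .map(rule -> checkSign(request, rule.getCrypto()))
                .orElse(Boolean.TRUE);
        if (accepted) {
            return webFilterChain.filter(serverWebExchange);
        }
        // NOTE(review): the query parameters are written to the log verbatim; if callers ever put
        // credentials or tokens in the query string they will end up in the log file.
        LOG.warn("授权认证失败，请求接口：{}，请求IP：{}，请求参数：{}",
                ReactiveRequests.getRequestUrl(request),
                ReactiveRequests.getIpAddress(request),
                JsonUtil.object2json(request.getQueryParams()));
        return ReactiveResponseProvider.writeWith(serverWebExchange.getResponse());
    }

    /** Returns whether signing is switched on in the registry or in the HTTP configuration. */
    private boolean signingEnabled() {
        return this.securityRegistry.isSignEnabled() || this.securityHttpInfo.isSignEnabled();
    }

    /** Returns whether the rule applies to the request, i.e. both method and path match. */
    private boolean checkAuth(ServerHttpRequest serverHttpRequest, SignSecure signSecure) {
        return checkMethod(serverHttpRequest, signSecure.getMethod())
                && checkPath(serverHttpRequest, signSecure.getPattern());
    }

    /** Returns whether the rule's method is {@code ALL} or equals the request's HTTP method. */
    private boolean checkMethod(ServerHttpRequest serverHttpRequest, SimpleHttpMethod simpleHttpMethod) {
        if (simpleHttpMethod == SimpleHttpMethod.ALL) {
            return true;
        }
        return simpleHttpMethod != null
                && simpleHttpMethod == SimpleHttpMethod.of(serverHttpRequest.getMethod().name());
    }

    /**
     * Returns whether the rule's Ant-style pattern applies to the request path.
     *
     * <p>NOTE(review): the first operand is true whenever the pattern itself is present in the
     * exclude list, regardless of the request path. The constructor passes every sign pattern to
     * {@code securityRegistry.excludePathPatterns(...)} and then reads the list back, so this
     * presumably holds for every rule, which would make the path comparison below unreachable
     * and apply the first method-matching rule to all paths. Confirm against the registry.
     */
    private boolean checkPath(ServerHttpRequest serverHttpRequest, String str) {
        String rawPath = serverHttpRequest.getPath().value();
        String requestPath = rawPath == null ? "" : rawPath;
        return this.excludePathPatterns.contains(str) || ANT_PATH_MATCHER.match(str, requestPath);
    }

    /**
     * Checks the {@code timestamp}, {@code nonce} and {@code signature} request headers.
     *
     * <p>The timestamp is read as epoch milliseconds and must lie between {@value #SECOND_MIN} and
     * {@value #SECOND_MAX} seconds in the past. The signature must equal, ignoring case, the hex
     * digest of {@code timestamp + nonce}: MD5 when {@code str} is {@code "md5"}, SHA-1 for any
     * other value.
     *
     * @param serverHttpRequest request whose headers are verified
     * @param str digest name configured on the matching rule
     * @return {@code true} only when all three headers are present and the digest matches
     */
    private boolean checkSign(ServerHttpRequest serverHttpRequest, String str) {
        if (serverHttpRequest == null) {
            return false;
        }
        try {
            String timestamp = serverHttpRequest.getHeaders().getFirst(TIMESTAMP);
            long ageSeconds = Duration.between(
                    new Date(Func.toLong(timestamp)).toInstant(), new Date().toInstant()).getSeconds();
            if (ageSeconds < SECOND_MIN || ageSeconds > SECOND_MAX) {
                LOG.warn("授权认证失败，错误信息：{}", "请求时间戳非法");
                return false;
            }
            String nonce = serverHttpRequest.getHeaders().getFirst(NONCE);
            String signature = serverHttpRequest.getHeaders().getFirst(SIGNATURE);
            // Without this guard an absent nonce is concatenated as the literal text "null" and
            // the request is still accepted when the signature covers that string.
            if (nonce == null || nonce.isEmpty() || signature == null || signature.isEmpty()) {
                LOG.warn("授权认证失败，错误信息：{}", "missing nonce or signature header");
                return false;
            }
            // A rule without a digest name is rejected rather than silently given a default.
            if (str == null) {
                LOG.warn("授权认证失败，错误信息：{}", "no digest algorithm configured for the matching rule");
                return false;
            }
            String signedText = timestamp + nonce;
            // SHA-1 is both the explicit "sha1" choice and the fallback for unrecognised names.
            String expected = MD5.equals(str) ? Digests.md5Hex(signedText) : Digests.sha1Hex(signedText);
            return expected.equalsIgnoreCase(signature);
        } catch (Exception e) {
            // Any parsing or digest failure counts as a failed verification.
            LOG.warn("授权认证失败，错误信息：{}", e.getMessage());
            return false;
        }
    }
}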
