package kd.bos.openapi.base.security.auth.impl;

import com.alibaba.fastjson.JSON;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Date;
import java.util.Locale;
import kd.bos.context.RequestContext;
import kd.bos.dataentity.resource.ResManager;
import kd.bos.encrypt.EncrypterFactory;
import kd.bos.logging.Log;
import kd.bos.logging.LogFactory;
import kd.bos.login.utils.DateUtils;
import kd.bos.openapi.base.security.api.impl.ApiSecurityFactory;
import kd.bos.openapi.base.security.auth.AuthCheckService;
import kd.bos.openapi.base.util.DistributeCacheUtil;
import kd.bos.openapi.base.util.ShaSignUtils;
import kd.bos.openapi.base.util.ThirdAppSecurityUtil;
import kd.bos.openapi.common.constant.ApiErrorCode;
import kd.bos.openapi.common.constant.ResSystemType;
import kd.bos.openapi.common.exception.OpenApiException;
import kd.bos.openapi.common.util.DateUtil;
import kd.bos.openapi.common.util.EncryptUtil;
import kd.bos.openapi.common.util.StringUtil;
import kd.bos.openapi.security.ApiSecurityService;
import kd.bos.openapi.security.CertKeyUtil;
import kd.bos.openapi.security.model.BaseAuthInfoDto;
import kd.bos.openapi.security.model.CertificateInfo;
import kd.bos.openapi.security.model.EncryptionEnum;
import kd.bos.openapi.security.model.Open3rdappsDto;
import kd.bos.openapi.security.model.RequestSecurityDto;
import kd.bos.service.authorize.model.AuthInfo;
import kd.bos.service.authorize.model.AuthResult;
import kd.bos.util.StringUtils;

/* loaded from: input_file:kd/bos/openapi/base/security/auth/impl/SignAuthCheckServiceImpl.class */
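/**
 * Signature-based authentication check for OpenAPI requests.
 *
 * <p>The request carries a JSON {@code content} (see {@code AuthInfo.getSignInfo()}) that is
 * deserialised into a {@link RequestSecurityDto}. Depending on the third-party app's
 * {@code signType} the signature is verified either with a shared SHA-256 key (type 1) or with
 * a certificate public key (type 2). After a successful check the digital envelope is opened
 * with the app's private key and the encrypted payload is decrypted into the returned
 * {@link AuthResult}.
 *
 * <p>Replay protection (timestamp window plus one-time {@code signatureNonce}) is applied on the
 * SHA-256 path only; see {@link #checkTimestampAndNonce}.
 */
public class SignAuthCheckServiceImpl implements AuthCheckService {
    private static final Log log = LogFactory.getLog(SignAuthCheckServiceImpl.class);
    private static final String SIGNATURE_TIME_RANGE_MINUTES = "signature_time_range_minutes";

    /** Acceptance window (minutes, either side of "now") used when no system property overrides it. */
    private static final int DEFAULT_SIGN_RANGE_MINUTES = 10;
    /** {@code Open3rdappsDto.getSignType()} value for the shared-key SHA-256 scheme. */
    private static final int SIGN_TYPE_SHA256 = 1;
    /** {@code Open3rdappsDto.getSignType()} value for the certificate (public/private key) scheme. */
    private static final int SIGN_TYPE_CERT = 2;
    /** Cache region holding already-used nonces (replay protection). */
    private static final String NONCE_CACHE = "SignAuthCheck";
    /** Cache region holding the raw request content per trace id. */
    private static final String REQUEST_CACHE = "SignAuthRequestCache";
    /** TTL of the per-trace request cache entry (presumably seconds, like the nonce TTL). */
    private static final int REQUEST_CACHE_TTL = 10;
    /** Accepted textual timestamp layout when the timestamp is not purely numeric. */
    private static final String TIMESTAMP_PATTERN = "yyyy-MM-dd HH:mm:ss";
    // Arguments for CertKeyUtil.getCertKey(type, index). The meaning of type "5" is not visible in this
    // file; index "0" and "1" select the two certificates used by the certificate scheme.
    private static final String CERT_TYPE = "5";
    private static final String CERT_INDEX_PRIMARY = "0";
    private static final String CERT_INDEX_SECONDARY = "1";

    /**
     * Authenticates a request by verifying its signature and decrypting its payload.
     *
     * @param authInfo request-side auth data: account id, access key (OpenApiSign), url, sense and
     *                 the signed JSON content; may be {@code null}
     * @return a successful {@link AuthResult} carrying the third-party app ids and the decrypted
     *         payload, or a failed result with a localised reason. Any exception raised while
     *         verifying is converted into a failed result and logged.
     */
    @Override
    public AuthResult doAuthCheck(AuthInfo authInfo) {
        if (authInfo == null || StringUtil.isEmpty(authInfo.getAccessKey())) {
            return AuthResult.fail(ResManager.loadKDString("认证不通过，参数为空", "SignAuthCheckServiceImpl_0", ResSystemType.BASE.getType(), new Object[0]));
        }
        // The access key is looked up in its encoded form; the lookup yields the third-party app identity.
        BaseAuthInfoDto baseAuth = ThirdAppSecurityUtil.getBaseAuthInfoBySign(
                authInfo.getAccountId(), EncrypterFactory.getEncrypter().encode(authInfo.getAccessKey()));
        if (baseAuth == null || baseAuth.getThirdId() == null) {
            return AuthResult.fail(ResManager.loadKDString("认证不通过，请检查OpenApiSign", "SignAuthCheckServiceImpl_3", ResSystemType.BASE.getType(), new Object[0]));
        }
        AuthResult authResult = new AuthResult();
        authResult.setThirdId(baseAuth.getThirdId());
        authResult.setThirdAppNumber(baseAuth.getThirdNumber());
        authResult.setAgentUserId(baseAuth.getAgentUserId());
        try {
            Open3rdappsDto thirdApp = ThirdAppSecurityUtil.getThirdByAccountAndThirdId(authInfo.getAccountId(), authResult.getThirdId());
            if (thirdApp == null || thirdApp.getSignType() == null) {
                throw new OpenApiException(ApiErrorCode.Data_Invalid, "the thirdApp or thirdApp's signType  is null", new Object[0]);
            }
            if (!thirdApp.isSignAuthEnable()) {
                return AuthResult.fail(ResManager.loadKDString("认证不通过，未启动签名认证", "SignAuthCheckServiceImpl_5", ResSystemType.BASE.getType(), new Object[0]));
            }
            // Unless every API is encrypted, the called url must be on the app's encrypted-API list.
            if (!thirdApp.isEncryptAllApi()
                    && (thirdApp.getEncryptApiMap().isEmpty() || !thirdApp.isEncryptApi(authInfo.getUrl()))) {
                return AuthResult.fail(ResManager.loadKDString("认证不通过，未配置加密API列表", "SignAuthCheckServiceImpl_6", ResSystemType.BASE.getType(), new Object[0]));
            }
            String content = authInfo.getSignInfo().getContent();
            if (StringUtil.isEmpty(content)) {
                return AuthResult.fail(ResManager.loadKDString("认证不通过，参数content为空", "SignAuthCheckServiceImpl_10", ResSystemType.BASE.getType(), new Object[0]));
            }
            ApiSecurityService securityService = ApiSecurityFactory.getApiSecurityService();
            // NOTE(review): `content` is caller-supplied and is parsed with fastjson BEFORE any signature
            // has been verified. The fastjson version and its autoType configuration are not visible
            // here; confirm autoType is disabled (safe mode) so an unauthenticated caller cannot drive
            // polymorphic deserialisation through this call.
            RequestSecurityDto request = (RequestSecurityDto) JSON.toJavaObject(JSON.parseObject(content), RequestSecurityDto.class);
            if (request == null) {
                return AuthResult.fail(ResManager.loadKDString("认证不通过，参数为空", "SignAuthCheckServiceImpl_1", ResSystemType.BASE.getType(), new Object[0]));
            }
            CertificateInfo primaryCert = (CertificateInfo) thirdApp.getCertMaps().get(CertKeyUtil.getCertKey(CERT_TYPE, CERT_INDEX_PRIMARY));
            CertificateInfo secondaryCert = (CertificateInfo) thirdApp.getCertMaps().get(CertKeyUtil.getCertKey(CERT_TYPE, CERT_INDEX_SECONDARY));
            int signType = thirdApp.getSignType().intValue();

            boolean signatureValid;
            // Certificate whose private key opens the digital envelope once the signature is accepted.
            CertificateInfo envelopeCert;
            if (signType == SIGN_TYPE_SHA256) {
                String shaKey = EncryptUtil.decode(thirdApp.getSignShaKey());
                String signature = request.getSignature();
                String timestamp = request.getTimestamp();
                String nonce = request.getSignatureNonce();
                checkTimestampAndNonce(request, authInfo.getAccountId());
                // The signature field is excluded from the signed representation.
                request.setSignature((String) null);
                String expected = ApiSecurityFactory.getSignService().signBySha256(
                        ShaSignUtils.getSignatureString(timestamp, nonce, JSON.toJSONString(request)).toString(), shaKey);
                signatureValid = constantTimeEqualsIgnoreCase(signature, expected);
                envelopeCert = primaryCert;
            } else if (signType == SIGN_TYPE_CERT) {
                // NOTE(review): this path has no timestamp/nonce check, so a captured request can be
                // replayed as long as the certificate stays valid; confirm whether that is intended.
                // "sense" empty or "1" selects the default certificate pairing: verify with the secondary
                // certificate, open the envelope with the primary one. Any other value swaps the two.
                boolean defaultSense = "1".equals(StringUtil.isEmpty(authInfo.getSense()) ? "1" : authInfo.getSense());
                CertificateInfo verifyCert = defaultSense ? secondaryCert : primaryCert;
                envelopeCert = defaultSense ? primaryCert : secondaryCert;
                String signature = request.getSignature();
                request.setSignature((String) null);
                String recovered = securityService.unSignByPublicKey(
                        signature, requireCert(verifyCert, defaultSense ? CERT_INDEX_SECONDARY : CERT_INDEX_PRIMARY).getPublicKeyBase64());
                signatureValid = constantTimeEqualsIgnoreCase(JSON.toJSONString(request), recovered);
            } else {
                // Unknown signType: treated as a failed signature, as before.
                signatureValid = false;
                envelopeCert = null;
            }
            if (!signatureValid) {
                return AuthResult.fail(ResManager.loadKDString("签名认证失败", "SignAuthCheckServiceImpl_4", ResSystemType.BASE.getType(), new Object[0]));
            }

            String envelopeKey = securityService.unSignByPrivateKey(
                    request.getDgtlEnvlp(), requireCert(envelopeCert, envelopeCert == primaryCert ? CERT_INDEX_PRIMARY : CERT_INDEX_SECONDARY).getPrivateKeyBase64());
            String plaintext = securityService.decrypt(
                    request.getEncryptData(), EncryptionEnum.getEncryption(thirdApp.getEncryption()), envelopeKey);
            authResult.setStatus(true);
            authResult.setData(plaintext);
            DistributeCacheUtil.setCacheByKey(REQUEST_CACHE, RequestContext.get().getTraceId(), content, authInfo.getAccountId(), REQUEST_CACHE_TTL);
            return authResult;
        } catch (Exception e) {
            // NOTE(review): the exception message is echoed back to the caller in the failure reason;
            // messages from the crypto/cache layers may reveal internal details. Consider a generic
            // reason for the caller and keeping the detail in the log only.
            String reason = ResManager.loadKDString("签名认证失败:{0}", "SignAuthCheckServiceImpl_4", ResSystemType.BASE.getType(), new Object[]{e.getMessage()});
            log.error("SignAuthCheckServiceImpl error:" + e.getMessage(), e);
            return AuthResult.fail(reason);
        }
    }

    /**
     * Validates the replay-protection fields of a SHA-256 signed request and records its nonce.
     *
     * <p>Checks that {@code signature}, {@code signatureNonce} and {@code timestamp} are present,
     * that the timestamp parses (epoch value or {@value #TIMESTAMP_PATTERN}) and lies within
     * ±{@link #getSignRangeMinutes(String)} of the server clock, and that the nonce has not been
     * seen before for this account. On success the nonce is cached for twice the window, which is
     * the full span during which a request with this timestamp could still be accepted.
     *
     * @param request   the deserialised request; must be non-null
     * @param accountId account the nonce cache is scoped to
     * @throws OpenApiException on any missing/invalid field, out-of-window timestamp or reused nonce
     */
    private void checkTimestampAndNonce(RequestSecurityDto request, String accountId) {
        if (StringUtil.isEmpty(request.getSignature())) {
            throw new OpenApiException(ApiErrorCode.Data_Invalid, ResManager.loadKDString("参数错误:缺少signature参数。", "SignAuthCheckServiceImpl_12", "bos-open-base", new Object[0]), new Object[0]);
        }
        if (StringUtil.isEmpty(request.getSignatureNonce())) {
            throw new OpenApiException(ApiErrorCode.Data_Invalid, ResManager.loadKDString("参数错误:缺少signatureNonce参数。", "SignAuthCheckServiceImpl_7", "bos-open-base", new Object[0]), new Object[0]);
        }
        if (StringUtil.isEmpty(request.getTimestamp())) {
            throw new OpenApiException(ApiErrorCode.Data_Invalid, ResManager.loadKDString("参数错误:缺少timestamp参数。", "SignAuthCheckServiceImpl_8", "bos-open-base", new Object[0]), new Object[0]);
        }
        String rawTimestamp = request.getTimestamp();
        Date requestTime = StringUtils.isNumericString(rawTimestamp)
                ? DateUtil.getTime(rawTimestamp)
                : DateUtils.parseDateTime(rawTimestamp, TIMESTAMP_PATTERN);
        if (requestTime == null) {
            throw new OpenApiException(ApiErrorCode.Data_Invalid, ResManager.loadKDString("参数错误:timestamp参数不是正确的日期格式，正确的格式是：{0}", "SignAuthCheckServiceImpl_9", "bos-open-base", new Object[]{TIMESTAMP_PATTERN}), new Object[0]);
        }
        int signRangeMinutes = getSignRangeMinutes(accountId);
        // Compare in milliseconds: the former integer division by 60000 silently widened the window
        // by up to one minute on each side.
        long skewMillis = Math.abs(System.currentTimeMillis() - requestTime.getTime());
        if (skewMillis > signRangeMinutes * 60000L) {
            throw new OpenApiException(ApiErrorCode.Data_Invalid, ResManager.loadKDString("参数错误:timestamp参数不在正确的时间范围。", "SignAuthCheckServiceImpl_10", "bos-open-base", new Object[0]), new Object[0]);
        }
        String nonce = request.getSignatureNonce();
        // NOTE(review): get-then-set is not atomic; two concurrent requests with the same nonce can
        // both pass. A check-and-set primitive on DistributeCacheUtil would close that race. Also,
        // the nonce is recorded before the signature itself is verified, so an unsigned request can
        // consume a nonce for this account.
        String seenNonce = DistributeCacheUtil.getCacheByKey(NONCE_CACHE, nonce, accountId);
        if (StringUtil.isNotEmpty(seenNonce)) {
            throw new OpenApiException(ApiErrorCode.Data_Invalid, ResManager.loadKDString("本次参数signatureNonce:{0}已经调用过了，不需要重复调用。", "SignAuthCheckServiceImpl_11", "bos-open-base", new Object[]{seenNonce}), new Object[0]);
        }
        // TTL (presumably seconds) must cover the whole acceptance window of the timestamp. A request
        // timestamped up to `signRangeMinutes` in the future is accepted now and remains acceptable
        // for another `2 * signRangeMinutes`; a TTL of only one window let such a request be replayed
        // after its nonce entry expired.
        DistributeCacheUtil.setCacheByKey(NONCE_CACHE, nonce, nonce, accountId, 2 * signRangeMinutes * 60);
    }

    /**
     * Resolves the timestamp acceptance window in minutes.
     *
     * <p>Looks up the system property {@code <accountId>_signature_time_range_minutes}, then the
     * account-independent {@code signature_time_range_minutes}; falls back to
     * {@link #DEFAULT_SIGN_RANGE_MINUTES} when neither is set or the value is not an integer.
     *
     * @param accountId account whose property is consulted first
     * @return the window in minutes
     */
    private int getSignRangeMinutes(String accountId) {
        String property = System.getProperty(accountId + "_" + SIGNATURE_TIME_RANGE_MINUTES);
        if (property == null || property.isEmpty()) {
            property = System.getProperty(SIGNATURE_TIME_RANGE_MINUTES);
        }
        if (property == null || property.isEmpty()) {
            return DEFAULT_SIGN_RANGE_MINUTES;
        }
        try {
            return Integer.parseInt(property.trim());
        } catch (NumberFormatException e) {
            // Misconfiguration is logged and the default window applies, as before.
            log.error("getSignRangeMinutes:" + e.getMessage(), e);
            return DEFAULT_SIGN_RANGE_MINUTES;
        }
    }

    /**
     * Case-insensitive string comparison whose running time does not depend on where the first
     * differing character is, so a caller probing signatures cannot learn a prefix match from timing.
     *
     * @param actual   the caller-supplied value; {@code null} never matches
     * @param expected the locally computed value; {@code null} never matches
     * @return {@code true} if both are non-null and equal ignoring ASCII/Unicode case (root locale)
     */
    private static boolean constantTimeEqualsIgnoreCase(String actual, String expected) {
        if (actual == null || expected == null) {
            return false;
        }
        byte[] actualBytes = actual.toLowerCase(Locale.ROOT).getBytes(StandardCharsets.UTF_8);
        byte[] expectedBytes = expected.toLowerCase(Locale.ROOT).getBytes(StandardCharsets.UTF_8);
        // MessageDigest.isEqual is constant-time for equal-length inputs; only the length may leak.
        return MessageDigest.isEqual(actualBytes, expectedBytes);
    }

    /**
     * Fails with a clear reason when the certificate required by the current step is not configured,
     * instead of a NullPointerException surfacing from the key accessor.
     *
     * @param cert      the certificate looked up from the app's cert map; may be {@code null}
     * @param certIndex the cert index used in the lookup, for the error message
     * @return {@code cert}, never {@code null}
     * @throws OpenApiException when {@code cert} is {@code null}
     */
    private static CertificateInfo requireCert(CertificateInfo cert, String certIndex) {
        if (cert == null) {
            throw new OpenApiException(ApiErrorCode.Data_Invalid,
                    "the thirdApp's certificate [" + CERT_TYPE + "/" + certIndex + "] is not configured", new Object[0]);
        }
        return cert;
    }
}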
