package kd.bos.openapi.base.security.api.impl;

import com.alibaba.fastjson.JSON;
import kd.bos.context.RequestContext;
import kd.bos.dataentity.resource.ResManager;
import kd.bos.logging.Log;
import kd.bos.logging.LogFactory;
import kd.bos.openapi.base.acl.ApilAclManager;
import kd.bos.openapi.base.acl.IplimitManager;
import kd.bos.openapi.base.limit.LimitFlowRuleConfigUtil;
import kd.bos.openapi.base.model.IpinfoModel;
import kd.bos.openapi.base.security.auth.AuthCheckService;
import kd.bos.openapi.base.security.auth.impl.AuthHandleServiceFactory;
import kd.bos.openapi.base.security.auth.impl.JwtAuthCheckServiceImpl;
import kd.bos.openapi.common.constant.ApiErrorCode;
import kd.bos.openapi.common.constant.ResSystemType;
import kd.bos.openapi.common.exception.OpenApiException;
import kd.bos.openapi.common.model.IpTypeEnum;
import kd.bos.openapi.common.util.IPWhiteListUtil;
import kd.bos.openapi.common.util.OpenJsonUtil;
import kd.bos.openapi.common.util.StringUtil;
import kd.bos.service.authorize.ApiAuthService;
import kd.bos.service.authorize.model.ApiCommonResult;
import kd.bos.service.authorize.model.ApiIpInfo;
import kd.bos.service.authorize.model.AuthInfo;
import kd.bos.service.authorize.model.AuthResult;
import kd.bos.service.authorize.model.AuthTypeEnum;
import kd.bos.service.authorize.model.JwtInfo;

/* loaded from: input_file:kd/bos/openapi/base/security/api/impl/ApiAuthServiceImpl.class */
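/**
 * Default {@link ApiAuthService}.
 *
 * <p>Credential checks are delegated to the handler that
 * {@link AuthHandleServiceFactory} registers for the request's auth type,
 * JWT issuance is forwarded to {@link JwtAuthCheckServiceImpl}, and
 * {@link #checkIP(ApiIpInfo)} enforces the per-third-party-application IP
 * allow list kept by {@link IplimitManager}.
 *
 * <p>Verbose request/result logging is gated by
 * {@code ApiSecurityFactory.isSecurityLogOpen()}; when it is on, the
 * incoming sign info is written to the log (see {@link #logInfo(AuthInfo)}).
 */
public class ApiAuthServiceImpl implements ApiAuthService {
    private static final Log log = LogFactory.getLog(ApiAuthServiceImpl.class);

    /**
     * Authenticates a request by delegating to the handler registered for
     * {@code authInfo.getAuthType()}.
     *
     * <p>Any exception raised by the handler (including an NPE from a
     * {@code null} {@code authInfo}) is logged and converted into a failed
     * {@link AuthResult}; nothing propagates to the caller.
     *
     * @param authInfo credentials and tenant/application context of the request
     * @return the handler's result, or a failed result carrying the trace id and
     *         the exception message when the handler threw
     */
    public AuthResult auth(AuthInfo authInfo) {
        boolean securityLog = ApiSecurityFactory.isSecurityLogOpen();
        String traceId = RequestContext.get().getTraceId();
        AuthResult result;
        try {
            if (securityLog) {
                log.info("--------ApiAuthServiceImpl traceId:" + traceId);
                logInfo(authInfo);
            }
            result = AuthHandleServiceFactory.getInstance(authInfo.getAuthType()).doAuthCheck(authInfo);
        } catch (Exception e) {
            // Fail closed: a handler error is an authentication failure, not a 500.
            // NOTE(review): the raw exception message is handed back in the result;
            // confirm that handler exceptions cannot carry details a client should not see.
            String message = "traceId:" + traceId + " auth error:" + e.getMessage();
            log.error(message, e);
            result = AuthResult.fail(message);
        }
        if (securityLog) {
            log.info("--------ApiAuthServiceImpl traceId:" + traceId + " auth result:" + JSON.toJSONString(result));
        }
        if (!result.isStatus()) {
            log.warn("--------ApiAuthServiceImpl traceId:" + traceId + " auth result failed, message:" + result.getMessage());
        }
        return result;
    }

    /**
     * Writes the request's identifying fields and its serialized sign info to the
     * info log. Only called when the security log is enabled.
     *
     * @param authInfo request context; {@code null} is ignored
     */
    private void logInfo(AuthInfo authInfo) {
        if (authInfo == null) {
            return;
        }
        StringBuilder sb = new StringBuilder("--------params:");
        sb.append(" accountId:").append(authInfo.getAccountId())
          .append(" tenantId:").append(authInfo.getTenantId())
          .append(" authType:").append(authInfo.getAuthType())
          .append(" thirdAppNumber:").append(authInfo.getThirdAppNumber())
          .append(" thirdAppId:").append(authInfo.getThirdId())
          // signInfo is serialized in full here; this is debug-level detail behind the security-log switch.
          .append(" signInfo:").append(OpenJsonUtil.toJson(authInfo.getSignInfo()));
        log.info(sb.toString());
    }

    /**
     * Issues a JWT through the JWT auth handler.
     *
     * @param jwtInfo claims and subject to encode
     * @param <T> payload type carried by {@code jwtInfo}
     * @return the signed token produced by {@link JwtAuthCheckServiceImpl#generateJWTToken}
     * @throws OpenApiException with {@code HTTP_INTERNAL_ERROR} when the handler
     *         registered for {@code AUTH_JWT} is not a {@link JwtAuthCheckServiceImpl}
     */
    public <T> String generateJWTToken(JwtInfo<T> jwtInfo) {
        AuthCheckService jwtService = AuthHandleServiceFactory.getInstance(AuthTypeEnum.AUTH_JWT.getId());
        if (jwtService instanceof JwtAuthCheckServiceImpl) {
            return ((JwtAuthCheckServiceImpl) jwtService).generateJWTToken(jwtInfo);
        }
        throw new OpenApiException(ApiErrorCode.HTTP_INTERNAL_ERROR, "the authCheckService is not jwtAuthService.", new Object[0]);
    }

    /**
     * Checks the caller's IP against the allow list of the third-party application
     * identified by {@code thirdAppNumber} + {@code accountId}.
     *
     * <p>Order of evaluation: argument validation, loopback short-circuit, application
     * lookup, then the allow-list check. Loopback addresses
     * ({@code IPWhiteListUtil.LOCAL_IP_127} / {@code LOCAL_IP}) are accepted before any
     * parameter is validated — this is the "local development" bypass; where the
     * {@code ip} value originates (socket peer vs. forwarded header) is decided by the
     * caller and determines how much that bypass is worth.
     *
     * @param apiIpInfo ip, thirdAppNumber and accountId of the request
     * @return a success result, or a {@code Data_Invalid} failure for missing/unknown
     *         parameters
     * @throws OpenApiException with {@code HTTP_FORBIDDEN} when the IP type is neither
     *         IPv4 nor IPv6, or when the IP is not on the allow list
     */
    public ApiCommonResult checkIP(ApiIpInfo apiIpInfo) {
        if (apiIpInfo == null) {
            return invalid(ResManager.loadKDString("非法参数", "ApiAuthServiceImpl_0", ResSystemType.BASE.getType(), new Object[0]));
        }
        String ip = apiIpInfo.getIp();
        if (IPWhiteListUtil.LOCAL_IP_127.equals(ip) || IPWhiteListUtil.LOCAL_IP.equals(ip)) {
            return ApiCommonResult.getSuccessResult("0", ResManager.loadKDString("本地开发直接返回", "ApiAuthServiceImpl_1", ResSystemType.BASE.getType(), new Object[0]));
        }
        if (StringUtil.isEmpty(ip)) {
            return emptyParam("IP");
        }
        String thirdAppNumber = apiIpInfo.getThirdAppNumber();
        String accountId = apiIpInfo.getAccountId();
        if (StringUtil.isEmpty(thirdAppNumber)) {
            return emptyParam("thirdAppNumber");
        }
        if (StringUtil.isEmpty(accountId)) {
            return emptyParam("accountId");
        }
        Long thirdId = ApilAclManager.getThirdIdByNum(thirdAppNumber, accountId);
        if (thirdId == null || thirdId.longValue() == 0) {
            return invalid(String.format(ResManager.loadKDString("根据第三方应用编码：%1$s 和数据中心：%2$s 找不到第三方应用，请检查。", "ApiAuthServiceImpl_3", ResSystemType.BASE.getType(), new Object[0]), thirdAppNumber, accountId));
        }
        // NOTE(review): assumes the cache lookup never returns null — confirm against IplimitManager.
        IpinfoModel ipInfo = IplimitManager.getIpInfoModelFromCacheByAccountId(thirdId.toString(), accountId);
        if (ipInfo.isNoLimitAccess()) {
            return ApiCommonResult.getSuccessResult("0", "OK");
        }
        IpTypeEnum ipType = IPWhiteListUtil.getIpType(ip);
        boolean allowed;
        if (IpTypeEnum.IPV4 == ipType) {
            allowed = checkClientIpValid(ipInfo, ip);
        } else if (IpTypeEnum.IPV6 == ipType) {
            allowed = checkClientIpv6Valid(ipInfo, ip);
        } else {
            throw new OpenApiException(ApiErrorCode.HTTP_FORBIDDEN, "invalid ipType for ip:" + ip, new Object[0]);
        }
        if (!allowed) {
            // LOCAL_IP_127 is a literal address, not a regex: use replace(), not replaceAll(),
            // so the dots are not treated as wildcards when stripping it from the message.
            String shown = ip.contains(IPWhiteListUtil.LOCAL_IP_127)
                    ? ip.replace(IPWhiteListUtil.LOCAL_IP_127, "")
                    : ip;
            throw new OpenApiException(ApiErrorCode.HTTP_FORBIDDEN, String.format("Client's IP: %s is not in white IP list", shown), new Object[0]);
        }
        return ApiCommonResult.getSuccessResult("0", "OK");
    }

    /** Builds the {@code Data_Invalid} failure result used for every parameter error in {@link #checkIP}. */
    private static ApiCommonResult invalid(String message) {
        return ApiCommonResult.getFailResult(ApiErrorCode.Data_Invalid.getStatusCode(), message);
    }

    /** {@code Data_Invalid} failure for a missing parameter, using the shared "%s 参数为空" resource. */
    private static ApiCommonResult emptyParam(String paramName) {
        return invalid(String.format(ResManager.loadKDString("%s 参数为空", "ApiAuthServiceImpl_2", ResSystemType.BASE.getType(), new Object[0]), paramName));
    }

    /**
     * IPv4 allow-list check.
     *
     * <p>{@code ipList} is split on {@code LimitFlowRuleConfigUtil.SPLIT}; empty
     * elements and the loopback address are skipped, and the check passes as soon as
     * <em>any</em> remaining element is accepted by {@code IPWhiteListUtil.checkIp}.
     * Note the asymmetry with {@link #checkClientIpv6Valid}, which only looks at the
     * first element. If the string can carry several addresses (e.g. a proxy chain),
     * one allow-listed element anywhere in it is sufficient — whether every element is
     * trustworthy is determined by whoever populated {@code ApiIpInfo.getIp()}.
     *
     * @param ipinfoModel allow list for the application
     * @param ipList one or more addresses separated by {@code LimitFlowRuleConfigUtil.SPLIT}
     * @return {@code true} if at least one non-empty, non-loopback element is allow-listed
     */
    private boolean checkClientIpValid(IpinfoModel ipinfoModel, String ipList) {
        // String.split never returns null, so only the elements need inspection.
        for (String candidate : ipList.split(LimitFlowRuleConfigUtil.SPLIT)) {
            if (StringUtil.isEmpty(candidate)) {
                continue;
            }
            String trimmed = candidate.trim();
            if (IPWhiteListUtil.LOCAL_IP_127.equals(trimmed)) {
                continue;
            }
            if (IPWhiteListUtil.checkIp(trimmed, ipinfoModel.getMapList())) {
                return true;
            }
        }
        return false;
    }

    /**
     * IPv6 allow-list check.
     *
     * <p>Only the first element of {@code ipList} (split on
     * {@code LimitFlowRuleConfigUtil.SPLIT}) is considered; it must be non-empty and
     * not the loopback address, and is then passed to {@code IPWhiteListUtil.checkIpv6}.
     *
     * @param ipinfoModel allow list for the application
     * @param ipList one or more addresses separated by {@code LimitFlowRuleConfigUtil.SPLIT}
     * @return {@code true} if the first element is allow-listed
     */
    private boolean checkClientIpv6Valid(IpinfoModel ipinfoModel, String ipList) {
        String[] parts = ipList.split(LimitFlowRuleConfigUtil.SPLIT);
        if (parts.length == 0) {
            return false;
        }
        String first = parts[0];
        if (!StringUtil.isNotEmpty(first)) {
            return false;
        }
        String trimmed = first.trim();
        if (IPWhiteListUtil.LOCAL_IP_127.equals(trimmed)) {
            return false;
        }
        return IPWhiteListUtil.checkIpv6(trimmed, ipinfoModel.getMapIPv6WhiteList());
    }
}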
