package kd.bos.openapi.base.security.auth.impl;

import java.util.Map;
import kd.bos.dataentity.resource.ResManager;
import kd.bos.dc.api.model.Account;
import kd.bos.dc.utils.AccountUtils;
import kd.bos.encrypt.EncrypterFactory;
import kd.bos.lang.Lang;
import kd.bos.logging.Log;
import kd.bos.logging.LogFactory;
import kd.bos.login.thirdauth.UserProperType;
import kd.bos.login.utils.LoginUtils;
import kd.bos.openapi.base.security.api.impl.ApiSecurityFactory;
import kd.bos.openapi.base.security.auth.AuthCheckService;
import kd.bos.openapi.base.util.ThirdAppSecurityUtil;
import kd.bos.openapi.common.constant.ApiErrorCode;
import kd.bos.openapi.common.constant.ResSystemType;
import kd.bos.openapi.common.exception.OpenApiException;
import kd.bos.openapi.common.util.CollectionUtil;
import kd.bos.openapi.common.util.StringUtil;
import kd.bos.openapi.security.model.BaseAuthInfoDto;
import kd.bos.openapi.security.model.Open3rdappsDto;
import kd.bos.service.authorize.model.AuthInfo;
import kd.bos.service.authorize.model.AuthResult;

/* loaded from: input_file:kd/bos/openapi/base/security/auth/impl/DigestAuthCheckServiceImpl.class */
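/**
 * Digest (signature-based) authentication check for OpenAPI requests.
 *
 * <p>Two modes are handled, selected by {@code authInfo.isCommonAuth()}:
 * <ul>
 *   <li>third-app mode: the caller names a third-party app and a user; the user is
 *       resolved through {@code LoginUtils.getUserInfoByAPIUserType};</li>
 *   <li>common ("basic") mode: the caller presents an access key, which is encoded and
 *       used to look up the bound agent user and third-party app.</li>
 * </ul>
 * In both modes the request signature is verified last, through
 * {@code ApiSecurityFactory.getSignService()}.
 */
public class DigestAuthCheckServiceImpl extends AbstractAuthCheckService implements AuthCheckService {
    private static final Log log = LogFactory.getLog(DigestAuthCheckServiceImpl.class);

    /**
     * Authenticates a digest-signed request.
     *
     * <p>Side effects: in common-auth mode this method overwrites {@code authInfo}'s user and the
     * sign info's third id / third app number with the values bound to the access key.
     *
     * <p>NOTE(review): the user lookup and the agency check run before the signature is verified,
     * and they report distinct errors (unknown account, not an agent user). An unauthenticated
     * caller can therefore tell these cases apart. Verifying the signature first, or returning a
     * uniform failure, would avoid that; the order is kept here because the sign service may rely
     * on the fields populated above it. Confirm before reordering.
     *
     * @param authInfo request authentication data; may be {@code null}
     * @return a result whose status is {@code true} only when signature verification succeeded.
     *     The agent user id and third-app fields are populated even when the status is
     *     {@code false}, so callers must check the status before trusting them.
     * @throws OpenApiException if the user type is invalid, the user cannot be resolved, or the
     *     user is not among the app's agent users when agency is enabled
     */
    @Override // kd.bos.openapi.base.security.auth.AuthCheckService
    public AuthResult doAuthCheck(AuthInfo authInfo) {
        if (authInfo == null || authInfo.getSignInfo() == null) {
            return AuthResult.fail(ResManager.loadKDString("认证不通过，参数为空", "DigestAuthCheckServiceImpl_0", ResSystemType.BASE.getType(), new Object[0]));
        }
        // The top-level account id wins; the one inside the sign info is only a fallback.
        String accountId = StringUtil.isEmpty(authInfo.getAccountId()) ? authInfo.getSignInfo().getAccountId() : authInfo.getAccountId();
        // Inherited check on signature, nonce and timestamp; presumably the freshness/replay
        // guard. Confirm in AbstractAuthCheckService.
        checkDateTimeAndSignture(authInfo.getSignInfo().getSignature(), authInfo.getSignInfo().getSignatureNonce(), authInfo.getSignInfo().getDateTime(), accountId);

        Open3rdappsDto thirdApp;
        Long agentUserId;
        if (!authInfo.isCommonAuth()) {
            String appNumber = StringUtil.isEmpty(authInfo.getThirdAppNumber()) ? authInfo.getSignInfo().getThirdAppNumber() : authInfo.getThirdAppNumber();
            thirdApp = ThirdAppSecurityUtil.getThirdByAccountAndAppId(accountId, appNumber);
            if (thirdApp == null) {
                return invalidAppResult();
            }
            Account account = AccountUtils.getAccountById(accountId);
            if (UserProperType.getUserProperTypeByString(authInfo.getUserType()) == null) {
                throw new OpenApiException(ApiErrorCode.HTTP_BAD_REQUEST, ResManager.loadKDString("参数错误:usertype参数不正确。", "DigestFilter_9", ResSystemType.KCF.getType(), new Object[0]), new Object[0]);
            }
            Map<?, ?> userInfo = LoginUtils.getUserInfoByAPIUserType(account, authInfo.getUser(), authInfo.getUserType(), Lang.from(authInfo.getLanguage()));
            if (userInfo == null || userInfo.get("fid") == null) {
                throw new OpenApiException(ApiErrorCode.HTTP_UNAUTHORIZED, ResManager.loadKDString("您的账号在系统中不存在。", "DigestAuthCheckServiceImpl_2", ResSystemType.BASE.getType(), new Object[0]), new Object[0]);
            }
            // "fid" is expected to be a numeric string; a non-numeric value surfaces as
            // NumberFormatException, as before.
            agentUserId = Long.valueOf((String) userInfo.get("fid"));
        } else {
            if (StringUtil.isEmpty(authInfo.getAccessKey())) {
                return AuthResult.fail(ResManager.loadKDString("认证不通过，参数（基本认证Secret Key）为空", "DigestAuthCheckServiceImpl_0", ResSystemType.BASE.getType(), new Object[0]));
            }
            // The lookup is by the encoded form of the access key; the raw key is never logged here.
            BaseAuthInfoDto baseAuth = ThirdAppSecurityUtil.getBaseAuthInfoBySign(accountId, EncrypterFactory.getEncrypter().encode(authInfo.getAccessKey()));
            // Fail closed when no record matches the key, instead of dereferencing null.
            if (baseAuth == null || !baseAuth.isBasicAuth()) {
                return AuthResult.fail(ResManager.loadKDString("基本认证未启用。", "DigestAuthCheckServiceImpl_5", ResSystemType.BASE.getType(), new Object[0]));
            }
            agentUserId = baseAuth.getAgentUserId();
            if (agentUserId == null || agentUserId.longValue() == 0) {
                return AuthResult.fail(ResManager.loadKDString("基本认证用户不存在。", "DigestAuthCheckServiceImpl_6", ResSystemType.BASE.getType(), new Object[0]));
            }
            authInfo.setUser(agentUserId.toString());
            Long thirdId = baseAuth.getThirdId();
            if (thirdId == null || thirdId.longValue() == 0) {
                return AuthResult.fail(ResManager.loadKDString("第三方应用ID为空", "DigestAuthCheckServiceImpl_1", ResSystemType.BASE.getType(), new Object[0]));
            }
            // Bind the sign info to the app that owns the access key before the signature is checked.
            authInfo.getSignInfo().setThirdId(thirdId);
            authInfo.getSignInfo().setThirdAppNumber(baseAuth.getThirdNumber());
            thirdApp = ThirdAppSecurityUtil.getThirdByAccountAndAppId(accountId, baseAuth.getThirdNumber());
            // Previously a missing app record was dereferenced by the agency check below and
            // only null-checked afterwards; reject it here the same way the third-app branch does.
            if (thirdApp == null) {
                return invalidAppResult();
            }
        }

        // With agency enabled, the resolved user must be one of the app's configured agent users.
        if (thirdApp.isEnableAgency() && (CollectionUtil.isEmpty(thirdApp.getAgentUserIdList()) || !thirdApp.getAgentUserIdList().contains(agentUserId))) {
            throw new OpenApiException(ApiErrorCode.HTTP_UNAUTHORIZED, ResManager.loadKDString("第三方应用未设置代理用户或用户不在该代理用户中。", "DigestAuthCheckServiceImpl_3", ResSystemType.BASE.getType(), new Object[0]), new Object[0]);
        }

        AuthResult authResult = new AuthResult();
        boolean verified = false;
        try {
            verified = ApiSecurityFactory.getSignService().vertifySign(authInfo.getSignInfo());
        } catch (Exception e) {
            // Any failure inside the sign service is treated as an authentication failure
            // (status stays false). The caller-facing message is "invalidAppId" whatever the
            // cause; the real cause is only in the log.
            authResult.setMessage("invalidAppId");
            log.info("invalidAppId:" + e.getMessage(), e);
        }
        authResult.setStatus(verified);
        authResult.setAgentUserId(agentUserId);
        authResult.setThirdAppNumber(thirdApp.getNumber());
        authResult.setThirdId(thirdApp.getFid());
        return authResult;
    }

    /** Builds the failed result returned when no third-party app matches the request. */
    private static AuthResult invalidAppResult() {
        AuthResult result = new AuthResult();
        result.setMessage("invalidAppId");
        result.setStatus(false);
        return result;
    }
}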
