package com.xforceplus.ultraman.bocp.uc.sureness.processor;

import com.usthe.sureness.processor.BaseProcessor;
import com.usthe.sureness.processor.exception.DisabledAccountException;
import com.usthe.sureness.processor.exception.ExpiredCredentialsException;
import com.usthe.sureness.processor.exception.IncorrectCredentialsException;
import com.usthe.sureness.processor.exception.SurenessAuthenticationException;
import com.usthe.sureness.processor.exception.SurenessAuthorizationException;
import com.usthe.sureness.processor.exception.UnauthorizedException;
import com.usthe.sureness.processor.exception.UnknownAccountException;
import com.usthe.sureness.provider.SurenessAccount;
import com.usthe.sureness.provider.SurenessAccountProvider;
import com.usthe.sureness.subject.Subject;
import com.usthe.sureness.subject.support.JwtSubject;
import com.usthe.sureness.subject.support.SinglePrincipalMap;
import com.xforceplus.tenant.security.token.domain.TokenUser;
import com.xforceplus.ultraman.bocp.uc.common.BocpUcConstant;
import com.xforceplus.ultraman.bocp.uc.enums.UcSource;
import com.xforceplus.ultraman.bocp.uc.enums.UcType;
import com.xforceplus.ultraman.bocp.uc.pojo.auth.UcAuthUser;
import com.xforceplus.ultraman.bocp.uc.sureness.subject.LocalJwtSubject;
import com.xforceplus.ultraman.bocp.uc.util.PaasJwtExecutor;
import com.xforceplus.ultraman.bocp.uc.util.UserInfoParseUtil;
import com.xforceplus.ultraman.bocp.uc.util.XforceJwtUtils;
import io.jsonwebtoken.ExpiredJwtException;
import io.jsonwebtoken.MalformedJwtException;
import io.jsonwebtoken.UnsupportedJwtException;
import io.jsonwebtoken.security.SignatureException;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.stream.Stream;
import org.apache.commons.lang3.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/xforceplus/ultraman/bocp/uc/sureness/processor/LocalJwtProcessor.class */
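public class LocalJwtProcessor extends BaseProcessor {
    private static final Logger log = LoggerFactory.getLogger(LocalJwtProcessor.class);
    private SurenessAccountProvider accountProvider;

    /**
     * Sureness processor for {@link LocalJwtSubject}: verifies a JWT credential, resolves the
     * caller (user or client, native PaaS or Xforceplus-issued) and attaches a {@link UcAuthUser}
     * under {@code BocpUcConstant.USER_INFO_KEY} in the subject's principal map.
     * <p>
     * Review changes versus the decompiled original:
     * <ul>
     *   <li>{@code getSurenessAccount} looked up the e-mail a second time where it meant the mobile,
     *       so the mobile fallback never worked, and an account found by e-mail skipped the
     *       disabled-account check.</li>
     *   <li>The native-PaaS user path set {@code UcSource.NATIVE} on a throw-away instance that was
     *       then replaced by the parsed one, so the source was lost.</li>
     *   <li>Client accounts are now subject to the same disabled-account check as user accounts.</li>
     *   <li>The raw bearer token is no longer written to the log.</li>
     * </ul>
     */
    @Override
    public boolean canSupportSubjectClass(Class<?> cls) {
        return cls == LocalJwtSubject.class;
    }

    @Override
    public Class<?> getSupportSubjectClass() {
        return LocalJwtSubject.class;
    }

    /**
     * Authenticates the subject's JWT credential and returns a {@link JwtSubject} carrying the
     * principal, its roles and a {@link UcAuthUser} in the principal map.
     *
     * @param subject subject whose credential is the compact JWT string
     * @return the authenticated subject
     * @throws IncorrectCredentialsException on a blank, malformed, unsupported or badly signed token
     * @throws ExpiredCredentialsException   when the token has expired
     * @throws UnknownAccountException       when a client or Xforceplus user has no local account
     * @throws DisabledAccountException      when the resolved local account is disabled
     */
    @Override
    public Subject authenticated(Subject subject) throws SurenessAuthenticationException {
        String token = (String) subject.getCredential();
        // Reject blank credentials explicitly rather than relying on the JWT parser's IllegalArgumentException.
        if (StringUtils.isBlank(token)) {
            throw new IncorrectCredentialsException("token认证失败:token is blank");
        }
        try {
            UcAuthUser authUser = new UcAuthUser();
            JwtSubject.Builder builder;
            // NOTE(security): the issuer is read from the token *before* signature verification and is
            // used only to pick the verification path; each decode(...) call below is expected to verify
            // the signature (and, on the PaaS path, the issuer) itself — confirm in PaasJwtExecutor.
            String issuer = PaasJwtExecutor.parseIssuerFromToken(token);
            if (XforceJwtUtils.PAAS_ISSUER.equals(issuer)) {
                authUser.setSource(UcSource.NATIVE);
                Map<String, String> claims = PaasJwtExecutor.decode(token, XforceJwtUtils.PAAS_ISSUER);
                if (hasSubjectType(claims, BocpUcConstant.PAAS_CLIENT_TYPE)) {
                    builder = clientSubject(subject, claims, authUser);
                } else {
                    authUser = nativeUser(claims);
                    // Native users carry their roles in the token claims; no local account lookup.
                    builder = JwtSubject.builder(subject)
                            .setPrincipal(authUser.getLoginName())
                            .setOwnRoles(UserInfoParseUtil.getRoleCodes(authUser));
                }
            } else {
                authUser.setSource(UcSource.XFORCEPLUS);
                Map<String, String> claims = PaasJwtExecutor.decode(token);
                if (hasSubjectType(claims, BocpUcConstant.XFORCE_CLIENT_TYPE)) {
                    builder = clientSubject(subject, claims, authUser);
                } else {
                    SurenessAccount account = fillXforceUser(claims, authUser);
                    builder = JwtSubject.builder(subject)
                            .setPrincipal(authUser.getLoginName())
                            .setOwnRoles(account.getOwnRoles());
                }
            }
            SinglePrincipalMap principalMap = new SinglePrincipalMap();
            principalMap.put(BocpUcConstant.USER_INFO_KEY, authUser);
            builder.setPrincipalMap(principalMap);
            return builder.build();
        } catch (SignatureException | UnsupportedJwtException | MalformedJwtException | IllegalArgumentException e) {
            // Never log the raw token: it is a bearer credential and would leak into log storage.
            log.debug("jwtProcessor authenticated fail, user: {}, reason: {}", subject.getPrincipal(), e.getMessage());
            // NOTE(review): the parser's message is surfaced to the caller; keep an eye on what it may reveal.
            throw new IncorrectCredentialsException("token认证失败:" + e.getMessage());
        } catch (ExpiredJwtException e) {
            log.debug("jwtProcessor authenticated expired, user: {}", subject.getPrincipal());
            throw new ExpiredCredentialsException("token过期");
        }
    }

    /**
     * Authorizes the subject against the roles the matched resource supports.
     * <p>
     * Holders of {@code DEFAULT_PLAT_ROOT_ROLE} bypass the check entirely. A resource with no
     * recorded role requirement ({@code supportRoles == null}) is passed through, as in the
     * original — NOTE(review): this is fail-open for unconfigured resources; confirm the
     * resource/role configuration denies by default.
     *
     * @throws UnauthorizedException when the subject holds none of the supported roles
     */
    @Override
    public void authorized(Subject subject) throws SurenessAuthorizationException {
        @SuppressWarnings("unchecked")
        List<String> ownRoles = (List<String>) subject.getOwnRoles();
        @SuppressWarnings("unchecked")
        List<String> supportRoles = (List<String>) subject.getSupportRoles();
        if (ownRoles != null && ownRoles.contains(BocpUcConstant.DEFAULT_PLAT_ROOT_ROLE)) {
            return;
        }
        if (supportRoles == null) {
            return;
        }
        if (ownRoles == null || supportRoles.stream().noneMatch(ownRoles::contains)) {
            throw new UnauthorizedException("当前请求没有访问权限");
        }
    }

    public void setAccountProvider(SurenessAccountProvider surenessAccountProvider) {
        this.accountProvider = surenessAccountProvider;
    }

    /** True when the claims carry {@code SUBJECT_TYPE} equal to {@code expected}. */
    private static boolean hasSubjectType(Map<String, String> claims, String expected) {
        return expected.equals(claims.get(BocpUcConstant.SUBJECT_TYPE));
    }

    /**
     * Resolves a client credential: the client id is taken from {@code USER_ID_KEY} and its roles
     * from the local account. Marks {@code authUser} as a CLIENT.
     *
     * @throws UnknownAccountException  when the id is blank or no account exists for it
     * @throws DisabledAccountException when the client account is disabled
     */
    private JwtSubject.Builder clientSubject(Subject subject, Map<String, String> claims, UcAuthUser authUser) {
        authUser.setType(UcType.CLIENT);
        String clientId = claims.get(BocpUcConstant.USER_ID_KEY);
        if (StringUtils.isBlank(clientId)) {
            throw new UnknownAccountException("客户端账号不存在");
        }
        SurenessAccount account = requireAccountProvider().loadAccount(clientId);
        if (account == null) {
            throw new UnknownAccountException("客户端账号不存在");
        }
        // Same rule as the user path: a disabled account must not authenticate, client or not.
        if (account.isDisabledAccount()) {
            throw new DisabledAccountException("账号已停用");
        }
        return JwtSubject.builder(subject).setPrincipal(clientId).setOwnRoles(account.getOwnRoles());
    }

    /** Parses a native-PaaS user from the claims and tags it as a NATIVE USER. */
    private static UcAuthUser nativeUser(Map<String, String> claims) {
        UcAuthUser user = (UcAuthUser) UserInfoParseUtil.parseUserInfo(
                PaasJwtExecutor.parseUserInfoFromClaims(claims), UcAuthUser.class);
        // Set the source on the parsed instance; the original set it on an instance it then discarded.
        user.setSource(UcSource.NATIVE);
        user.setType(UcType.USER);
        return user;
    }

    /**
     * Copies the Xforceplus token user into {@code target} and returns the matching local
     * account (looked up by e-mail, then mobile), which supplies the roles.
     */
    private SurenessAccount fillXforceUser(Map<String, String> claims, UcAuthUser target) {
        TokenUser tokenUser = (TokenUser) UserInfoParseUtil.parseUserInfo(
                PaasJwtExecutor.parseUserInfoFromClaims(claims), TokenUser.class);
        target.setType(UcType.USER);
        target.setId(tokenUser.getId());
        target.setLoginName(tokenUser.getLoginName());
        target.setUserName(tokenUser.getUserName());
        target.setEmail(tokenUser.getEmail());
        target.setPhone(tokenUser.getMobile());
        return getSurenessAccount(tokenUser.getEmail(), tokenUser.getMobile());
    }

    /**
     * Loads the local account by e-mail first and by mobile as a fallback. Both lookups now go
     * through the disabled-account check (the original returned an e-mail match unchecked and
     * re-queried the e-mail instead of the mobile).
     *
     * @throws UnknownAccountException  when neither identifier resolves to an account
     * @throws DisabledAccountException when the resolved account is disabled
     */
    private SurenessAccount getSurenessAccount(String email, String mobile) {
        SurenessAccountProvider provider = requireAccountProvider();
        SurenessAccount account = null;
        if (StringUtils.isNotBlank(email)) {
            account = provider.loadAccount(email);
        }
        if (account == null && StringUtils.isNotBlank(mobile)) {
            account = provider.loadAccount(mobile);
        }
        if (account == null) {
            throw new UnknownAccountException("账号不存在");
        }
        if (account.isDisabledAccount()) {
            throw new DisabledAccountException("账号已停用");
        }
        return account;
    }

    /** Fails fast with a clear message instead of an NPE when the provider was never injected. */
    private SurenessAccountProvider requireAccountProvider() {
        if (accountProvider == null) {
            throw new IllegalStateException("LocalJwtProcessor: accountProvider has not been set");
        }
        return accountProvider;
    }
}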
