package com.foresealife.iam.client.filter.cas;

import com.foresealife.iam.client.api.IamServiceFactory;
import com.foresealife.iam.client.cache.CacheLoader;
import com.foresealife.iam.client.cache.LocalCache;
import com.foresealife.iam.client.config.IamConfig;
import com.foresealife.iam.client.config.IamConfigFactory;
import com.foresealife.iam.client.emum.IamCasLogoutStatus;
import com.foresealife.iam.client.filter.cookie.ExtendCookie;
import com.foresealife.iam.client.filter.security.RoleBasedAclFilter;
import com.foresealife.iam.client.util.http.ClientConfig;
import com.foresealife.iam.client.util.http.HttpGetServletPath;
import com.foresealife.iam.client.util.http.RestClient;
import com.foresealife.iam.client.util.http.RestClientFactory;
import java.io.IOException;
import java.net.URLEncoder;
import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.UUID;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import repack.org.springframework.util.AntPathMatcher;

/* loaded from: input_file:com/foresealife/iam/client/filter/cas/IamCasFilter.class */
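/**
 * Servlet filter that gates requests behind the IAM CAS server.
 *
 * <p>For each request that is not on the ignore lists the filter either lets an already
 * logged-in session through (optionally after a heartbeat check against the CAS server),
 * validates a login ticket and creates the session, or redirects the client to the CAS
 * login/logout endpoint.
 *
 * <p>A servlet container shares one filter instance between request threads, so no
 * per-request state is kept in instance fields.
 */
public class IamCasFilter implements Filter {
    protected static Logger log = Logger.getLogger(IamCasFilter.class.getName());
    private static IamConfig config = IamConfigFactory.getInstance().getConfig();
    private static final String SERVICE_VALIDATE_URI = "/oauth2/serviceValidate";
    private static final String SERVICE_LOGOUT_URI = "/oauth2/logout";
    private static final String HEARTBEATS_URI = "/oauth2/verify";
    // Heartbeat verdicts keyed by account + separator + accessCode.
    private LocalCache<String, Boolean> stringSizeCache;
    private RestClient restClient;
    private String separator = "``";
    // Client-side marker set after login; its value is client-controlled and never grants access.
    private String cookieName = "iam-cas-login-status";
    private List<String> ignoreRquestSuffix = new ArrayList<>();
    private AntPathMatcher pathMatcher;

    /**
     * Builds the REST client, the heartbeat cache, the ignored-suffix list and the path matcher.
     *
     * <p>Initialisation failures are logged and not rethrown, as in the original.
     * NOTE(review): a filter that failed to initialise stays in the chain with null
     * collaborators; consider rethrowing as ServletException so deployment fails instead.
     */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        try {
            initRestClient();
            initLocalCache();
            // Entries are used as-is (no trimming); the request extension is lower-cased before comparison.
            this.ignoreRquestSuffix = Arrays.asList(config.getIgnoreRquestSuffix().split(","));
            this.pathMatcher = new AntPathMatcher();
        } catch (Exception e) {
            log.log(Level.SEVERE, "IamCasFilter init error,", e);
        }
    }

    /**
     * Routes the request: ignored paths pass through, logged-in sessions go to
     * {@link #alreadyLogged}, and everything else is either logged out (stale login marker)
     * or sent through ticket validation.
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) servletRequest;
        HttpServletResponse response = (HttpServletResponse) servletResponse;

        // Kept in a local: the ignore list is fetched per request and the filter instance is shared.
        List<String> ignoredUrls = IamServiceFactory.getInstance().getUnitService().getCasIgnoreUrlFromApi();
        if (ignoredUrls == null) {
            ignoredUrls = new ArrayList<>();
        }
        if (ignoreRequest(request, ignoredUrls)) {
            filterChain.doFilter(request, response);
            return;
        }

        String servletPath = HttpGetServletPath.getServletPath(request);
        ExtendCookie cookies = new ExtendCookie(request, response);
        HttpSession session = request.getSession(false);
        if (session != null && session.getAttribute("isLogin") != null) {
            alreadyLogged(request, response, servletPath, filterChain, cookies);
            return;
        }

        String loginMarker = cookies.getValue(this.cookieName);
        if (!"true".equals(loginMarker)) {
            // Missing marker, or a value this filter never writes: handle as "not logged in".
            // Previously an unexpected value fell through without answering the request at all.
            notLogged(request, response, servletPath, filterChain);
            return;
        }

        // Marker present but no logged-in session: the server-side session is gone.
        cookies.delCookie(this.cookieName);
        IamCasLogoutStatus status = servletPath.equals(config.getCasLogoutUri())
                ? IamCasLogoutStatus.logout
                : IamCasLogoutStatus.session_failure;
        logout(request, response, SERVICE_LOGOUT_URI, filterChain, status);
    }

    /** Drops the REST client reference. */
    @Override
    public void destroy() {
        this.restClient = null;
    }

    /**
     * Handles a request that carries a logged-in session: explicit logout, pass-through when
     * the heartbeat succeeds, or forced logout when it fails.
     */
    private void alreadyLogged(HttpServletRequest request, HttpServletResponse response, String servletPath, FilterChain filterChain, ExtendCookie cookies) throws IOException, ServletException {
        if (servletPath.equals(config.getCasLogoutUri())) {
            cookies.delCookie(this.cookieName);
            logout(request, response, servletPath, filterChain, IamCasLogoutStatus.logout);
        } else if (casHeartbeat(request)) {
            filterChain.doFilter(new IAMHttpServletRequestWrapper(request), response);
        } else {
            cookies.delCookie(this.cookieName);
            logout(request, response, servletPath, filterChain, IamCasLogoutStatus.forced_offline);
        }
    }

    /**
     * Redirects the client to the CAS logout endpoint and always invalidates the local session.
     *
     * <p>When {@code servletPath} is the application's own logout URI, the rest of the chain
     * runs first (with a wrapped response) so the application can do its own logout work.
     * Failures are logged; the session is invalidated on every path.
     */
    private void logout(HttpServletRequest request, HttpServletResponse response, String servletPath, FilterChain filterChain, IamCasLogoutStatus status) {
        try {
            String target = config.getCasUrl() + SERVICE_LOGOUT_URI + "?state=" + config.getCasState() + "&clientId=" + config.getPrincipal() + "&logoutStatus=" + status.getCode();
            if ("XMLHttpRequest".equals(request.getHeader("X-Requested-With"))) {
                ajaxRedirect(response, target);
            } else {
                if (servletPath.equals(config.getCasLogoutUri()) && !servletPath.equals(SERVICE_LOGOUT_URI)) {
                    filterChain.doFilter(request, new IAMHttpServletResponseWrapper(response));
                }
                sendRedirect(response, target);
            }
        } catch (Exception e) {
            log.log(Level.SEVERE, "log out error,", e);
        } finally {
            removeSession(request);
        }
    }

    /**
     * Validates the login ticket; on failure redirects to the CAS authorize endpoint, on
     * success creates the logged-in session and continues the chain.
     */
    private void notLogged(HttpServletRequest request, HttpServletResponse response, String servletPath, FilterChain filterChain) throws IOException, ServletException {
        VerificationTicketResp validation = casServiceValidate(servletPath, request);
        if (!validation.isSuccess()) {
            log.log(Level.WARNING, "Illegal request;requestURI={0}", servletPath);
            String target = config.getCasUrl() + "/oauth/authorize?state=" + config.getCasState() + "&clientId=" + config.getPrincipal();
            String errMsg = validation.getErrMsg();
            if (errMsg != null && !"".equals(errMsg)) {
                target = target + "&errMsg=" + URLEncoder.encode(errMsg, "utf-8");
            }
            if ("XMLHttpRequest".equals(request.getHeader("X-Requested-With"))) {
                ajaxRedirect(response, target);
            } else {
                sendRedirect(response, target);
            }
            return;
        }

        // Session fixation defence: a session may already exist without "isLogin" (for example
        // one created on an ignored URL), so authentication must not be attached to that id.
        HttpSession session = renewSession(request);
        session.setAttribute("account", validation.getAccount());
        session.setAttribute("accessCode", validation.getAccessCode());
        session.setAttribute("isLogin", true);
        String csrfToken = UUID.randomUUID().toString().replaceAll("-", "").toUpperCase();
        session.setAttribute("csrftoken", csrfToken);
        if (validation.isHeartbeats()) {
            session.setAttribute("heartbeats", Boolean.valueOf(validation.isHeartbeats()));
        }

        // NOTE(review): cookie attributes (Secure, HttpOnly, path) are decided inside ExtendCookie,
        // which is not visible here; confirm both cookies are sent over HTTPS only.
        ExtendCookie cookies = new ExtendCookie(request, response);
        cookies.addCookie(this.cookieName, "true", -1);
        cookies.addCookie("csrftoken", csrfToken);
        filterChain.doFilter(new IAMHttpServletRequestWrapper(request), response);
    }

    /**
     * Returns a session with a fresh id, carrying over the attributes of any existing session.
     */
    private HttpSession renewSession(HttpServletRequest request) {
        HttpSession stale = request.getSession(false);
        if (stale == null) {
            return request.getSession(true);
        }
        Map<String, Object> carried = new HashMap<>();
        Enumeration<?> names = stale.getAttributeNames();
        while (names.hasMoreElements()) {
            String name = String.valueOf(names.nextElement());
            carried.put(name, stale.getAttribute(name));
        }
        stale.invalidate();
        HttpSession fresh = request.getSession(true);
        for (Map.Entry<String, Object> entry : carried.entrySet()) {
            fresh.setAttribute(entry.getKey(), entry.getValue());
        }
        return fresh;
    }

    /**
     * Exchanges the {@code ticket} request parameter for an identity at the CAS server.
     *
     * <p>Only attempted when the request targets the configured login URI and carries a
     * non-blank ticket. Every failure path returns a freshly constructed response: callers
     * already rely on a fresh {@link VerificationTicketResp} reporting {@code !isSuccess()}
     * (that is how requests without a ticket are rejected), so rejection does not depend on
     * {@code setErrMsg} changing the success flag of a server-supplied object.
     *
     * @return the server's response when it is accepted, otherwise an unsuccessful response
     *     that may carry an error message for the login page
     */
    private VerificationTicketResp casServiceValidate(String servletPath, HttpServletRequest request) {
        VerificationTicketResp rejected = new VerificationTicketResp();
        String ticket = request.getParameter("ticket");
        if (!servletPath.equals(config.getCasLoginUri()) || ticket == null || ticket.trim().length() == 0) {
            return rejected;
        }

        String url = config.getCasUrl() + SERVICE_VALIDATE_URI;
        // Raw type kept on purpose: the parameter type of RestClient.post is not visible here.
        HashMap params = new HashMap();
        params.put("clientId", config.getPrincipal());
        params.put("ticket", ticket);
        params.put("state", config.getCasState());
        try {
            VerificationTicketResp resp = (VerificationTicketResp) this.restClient.post(url, params, VerificationTicketResp.class);
            if (resp == null) {
                // "System error, please contact the administrator"
                rejected.setErrMsg("系统出错,请联系管理员");
                return rejected;
            }
            String expectedState = config.getCasState();
            if (resp.isSuccess() && expectedState != null && !expectedState.equals(resp.getState())) {
                // State mismatch must not log the user in.
                // "Verification failed, please contact the system administrator"
                rejected.setErrMsg("验证信息不通过,请联系系统管理员");
                return rejected;
            }
            return resp;
        } catch (Exception e) {
            // The ticket is a credential: log the endpoint and client id, not the parameters.
            log.log(Level.SEVERE, String.format("request error,url=%s,clientId=%s", url, config.getPrincipal()), e);
            // "System error, please contact the administrator"
            rejected.setErrMsg("系统出错,请联系管理员");
            return rejected;
        }
    }

    /**
     * Reports whether the logged-in session is still accepted by the CAS server.
     *
     * <p>Sessions without the "heartbeats" attribute are never checked and always pass.
     * Otherwise the verdict comes from the local cache, so a server-side revocation is only
     * seen once the cached entry is reloaded.
     */
    private boolean casHeartbeat(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        if (session == null) {
            return false;
        }
        if (session.getAttribute("heartbeats") == null) {
            return true;
        }
        Object accessCode = session.getAttribute("accessCode");
        Object account = session.getAttribute("account");
        // A missing cache value counts as "not alive" instead of failing on unboxing.
        boolean alive = Boolean.TRUE.equals(this.stringSizeCache.get(account + this.separator + accessCode));
        // accessCode is left out of the log line: it is what authenticates the heartbeat call.
        log.log(Level.INFO, "load casHeartbeat value,account={0},result={1}", new Object[]{account, Boolean.valueOf(alive)});
        return alive;
    }

    /**
     * Creates the heartbeat cache; its loader asks the CAS server whether an
     * account/accessCode pair is still valid and answers {@code false} on any failure.
     */
    private void initLocalCache() {
        // NOTE(review): the meaning of the two 10000 arguments is defined by LocalCache, which is
        // not visible here (presumably capacity and expiry); they bound how long a revoked
        // session keeps passing the heartbeat, so confirm.
        this.stringSizeCache = new LocalCache<>(new CacheLoader<String, Boolean>() {
            @Override
            public Boolean load(String key) {
                boolean alive = false;
                String account = null;
                if (key != null && key.indexOf(IamCasFilter.this.separator) != -1) {
                    String[] parts = key.split(IamCasFilter.this.separator);
                    // A key with an empty accessCode splits into one part; report "not alive".
                    if (parts.length >= 2) {
                        account = parts[0];
                        String accessCode = parts[1];
                        String url = IamCasFilter.config.getCasUrl() + IamCasFilter.HEARTBEATS_URI;
                        // Raw type kept on purpose: the parameter type of RestClient.post is not visible here.
                        HashMap params = new HashMap();
                        params.put("clientId", IamCasFilter.config.getPrincipal());
                        params.put("accessCode", accessCode);
                        params.put("account", account);
                        try {
                            HeartbeatResp resp = (HeartbeatResp) IamCasFilter.this.restClient.post(url, params, HeartbeatResp.class);
                            alive = resp != null && resp.isSuccess();
                        } catch (Exception e) {
                            // Parameters include the accessCode, so only endpoint and account are logged.
                            IamCasFilter.log.log(Level.SEVERE, String.format("request error,url=%s,account=%s", url, account), e);
                        }
                    }
                }
                // The cache key embeds the accessCode and is therefore not logged.
                IamCasFilter.log.log(Level.INFO, "load cache,account={0},result={1}", new Object[]{account, Boolean.valueOf(alive)});
                return Boolean.valueOf(alive);
            }
        }, 10000, 10000);
    }

    /**
     * Tells an XMLHttpRequest caller where to go: status 401 plus the target in the
     * {@code REDIRECT_PATH} header, for client-side script to follow.
     */
    private void ajaxRedirect(HttpServletResponse response, String target) {
        response.setHeader("REDIRECT", "REDIRECT");
        response.setHeader("REDIRECT_PATH", target);
        response.setStatus(401);
    }

    /** Obtains the REST client used for all CAS server calls. */
    private void initRestClient() throws NoSuchAlgorithmException, KeyManagementException {
        // NOTE(review): the thrown types suggest the factory builds its own TLS context; confirm
        // that certificate and hostname verification stay enabled there, since ticket
        // validation trusts whatever this client connects to.
        this.restClient = RestClientFactory.getInstance().getRestClient(new ClientConfig(30));
    }

    /** Invalidates the current session if there is one; failures are logged only. */
    private void removeSession(HttpServletRequest request) {
        try {
            HttpSession session = request.getSession(false);
            if (session != null) {
                session.invalidate();
            }
        } catch (Exception e) {
            log.log(Level.SEVERE, "session invalidate error,", e);
        }
    }

    /** Writes a non-cacheable 302 redirect to {@code target}. */
    private void sendRedirect(HttpServletResponse response, String target) {
        response.setContentType("text/html;charset=utf-8");
        response.setHeader("Cache-Control", "no-cache");
        response.setHeader("Pragma", "no-cache");
        // NOTE(review): the value is RoleBasedAclFilter.ANY_METHOD, defined outside this file; if
        // it is the wildcard, confirm that an any-origin CORS header is intended here.
        response.setHeader("Access-Control-Allow-Origin", RoleBasedAclFilter.ANY_METHOD);
        response.setDateHeader("expires", -1L);
        response.setStatus(302);
        response.setHeader("Location", target);
    }

    /**
     * Decides whether the request skips authentication: exact match on an ignored URL, an
     * ignored file extension, or a match against an ignored Ant-style pattern.
     *
     * <p>NOTE(review): the extension rule exempts every path whose text after the last '.'
     * is on the configured list. That is only safe if such paths can never reach a dynamic
     * handler (suffix-tolerant routing, path parameters); verify against how
     * HttpGetServletPath normalises the path and how the application maps URLs.
     */
    private boolean ignoreRequest(HttpServletRequest request, List<String> ignoredUrls) {
        String servletPath = HttpGetServletPath.getServletPath(request);
        if (ignoredUrls.contains(servletPath)) {
            return true;
        }
        int dot = servletPath.lastIndexOf('.');
        if (dot != -1) {
            // Locale.ROOT keeps the comparison independent of the JVM's default locale.
            String extension = servletPath.substring(dot + 1).toLowerCase(Locale.ROOT);
            if (this.ignoreRquestSuffix.contains(extension)) {
                return true;
            }
        }
        for (String candidate : ignoredUrls) {
            if (this.pathMatcher.isPattern(candidate) && this.pathMatcher.match(candidate, servletPath)) {
                return true;
            }
        }
        return false;
    }
}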
