package net.ibizsys.central.cloud.core.sysutil;

import com.nimbusds.jose.crypto.MACVerifier;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jose.jwk.RSAKey;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Clock;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.impl.DefaultClock;
import java.util.Date;
import java.util.function.Function;
import net.ibizsys.central.cloud.core.security.IAuthenticationUser;
import net.ibizsys.central.service.client.IWebClientRep;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.util.ObjectUtils;
import org.springframework.util.StringUtils;

/* loaded from: input_file:net/ibizsys/central/cloud/core/sysutil/JWTSysUAAUtilRuntime.class */
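public class JWTSysUAAUtilRuntime extends SysUAAUtilRuntimeBase {
    private static final Log log = LogFactory.getLog(JWTSysUAAUtilRuntime.class);
    /** Service-discovery URL the new-RT signature key is fetched from (see {@link #getPublicKeyString()}). */
    public static final String NEWRT_UAASERVICE_SIGNATUREKEY_URL = "lb://uaa-api/auths/signaturekey";
    protected static final String SIGNATURE_RSA = "RSA";
    protected static final String SIGNATURE_MAC = "MAC";
    // Shared HMAC secret for the MAC path; filled in by onPrepareDefaultSetting() when not set explicitly.
    private String secret;
    // Signature family used in new-RT mode: SIGNATURE_RSA (configured default) or SIGNATURE_MAC.
    private String signature;
    // Time source for expiry checks; injectable through setClock() for tests.
    private Clock clock = DefaultClock.INSTANCE;
    private boolean enableNewRTUAA = false;
    // Fetched lazily and then cached for the lifetime of this runtime; nothing here ever clears it,
    // so a rotated key on the UAA side is not picked up without restarting.
    private String publicKeyString = null;

    /** @return the shared HMAC secret, or {@code null} when none has been configured yet */
    protected String getSecret() {
        return this.secret;
    }

    /** @param str the shared HMAC secret used by {@link #validateTokenByMAC} */
    protected void setSecret(String str) {
        this.secret = str;
    }

    /** @return the clock used for all expiry comparisons */
    protected Clock getClock() {
        return this.clock;
    }

    /** @param clock replacement time source (e.g. a fixed clock in tests) */
    protected void setClock(Clock clock) {
        this.clock = clock;
    }

    /** @return whether tokens are validated with the new-RT (nimbus SignedJWT) path */
    protected boolean isEnableNewRTUAA() {
        return this.enableNewRTUAA;
    }

    /** @param z {@code true} to switch to the new-RT validation path */
    protected void setEnableNewRTUAA(boolean z) {
        this.enableNewRTUAA = z;
    }

    /** @return the configured signature family, {@link #SIGNATURE_RSA} or {@link #SIGNATURE_MAC} */
    protected String getSignature() {
        return this.signature;
    }

    /** @param str signature family name; compared case-insensitively in {@link #onValidateToken} */
    protected void setSignature(String str) {
        this.signature = str;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Reads the new-RT flag, signature family and secret from the runtime settings, keeping any
     * value that was already set programmatically, then defers to the base class.
     *
     * @throws Exception propagated from the settings lookup or the base implementation
     */
    @Override // net.ibizsys.central.cloud.core.sysutil.SysUAAUtilRuntimeBase
    public void onPrepareDefaultSetting() throws Exception {
        setEnableNewRTUAA(getSystemRuntimeSetting().getParam(getConfigFolder() + ".newrtuaa", isEnableNewRTUAA()));
        if (!StringUtils.hasLength(getSignature())) {
            setSignature(getSystemRuntimeSetting().getParam(getConfigFolder() + ".signature", SIGNATURE_RSA));
        }
        if (!StringUtils.hasLength(getSecret())) {
            // SECURITY: the fallback below is a compiled-in default HMAC secret. A deployment that uses
            // MAC signatures without setting "<configFolder>.secret" verifies tokens against a value that
            // ships inside this class file, so it offers no protection against token forgery. Operators
            // must override it; rejecting startup when the default is still in use would be safer.
            setSecret(getSystemRuntimeSetting().getParam(getConfigFolder() + ".secret", "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}"));
        }
        super.onPrepareDefaultSetting();
    }

    /**
     * Validates an access token for the given user.
     *
     * <p>Order of checks: subject must equal the user's name, the token must not be expired, and in
     * new-RT mode the signature must verify with the configured family. In new-RT mode the subject and
     * expiry are read from an <em>unverified</em> parse (see {@link #onGetUsernameFromToken}), so a
     * {@code true} result is only ever returned after the signature check has passed. In legacy mode
     * the claim lookup itself goes through {@code Jwts.parser().setSigningKey(...)}, which performs the
     * signature check.
     *
     * @param str the compact-serialized JWT
     * @param iAuthenticationUser the user the token is being checked against
     * @return {@code true} when the token is valid for the user
     * @throws Throwable on parse/verification failures, or when the configured signature family is unknown
     */
    @Override // net.ibizsys.central.cloud.core.sysutil.SysUAAUtilRuntimeBase
    protected boolean onValidateToken(String str, IAuthenticationUser iAuthenticationUser) throws Throwable {
        String subject = getUsernameFromToken(str);
        // A token without a subject, or one for a different user, is rejected (fail closed instead of NPE).
        if (subject == null || !subject.equals(iAuthenticationUser.getUsername())) {
            return false;
        }
        if (isExpired(getExpirationDateFromToken(str), getClock().now())) {
            return false;
        }
        if (!isEnableNewRTUAA()) {
            return true;
        }
        // Read through the accessor once so a subclass override is honored consistently.
        String signatureFamily = getSignature();
        if (ObjectUtils.isEmpty(signatureFamily) || SIGNATURE_MAC.equalsIgnoreCase(signatureFamily)) {
            return validateTokenByMAC(str, iAuthenticationUser);
        }
        if (SIGNATURE_RSA.equalsIgnoreCase(signatureFamily)) {
            return validateTokenByRSA(str, iAuthenticationUser);
        }
        throw new Exception(String.format("RT验证访问令牌出错，签名暂未支持[%1$s]加密算法", signatureFamily));
    }

    /**
     * Extracts the {@code sub} claim. In new-RT mode this is a plain parse of the JWS without
     * signature verification; callers must not trust the value until {@link #onValidateToken} passes.
     *
     * @param str the compact-serialized JWT
     * @return the subject claim, or {@code null} when absent
     * @throws Throwable when the token cannot be parsed (or, in legacy mode, fails verification)
     */
    @Override // net.ibizsys.central.cloud.core.sysutil.SysUAAUtilRuntimeBase
    protected String onGetUsernameFromToken(String str) throws Throwable {
        if (isEnableNewRTUAA()) {
            return SignedJWT.parse(str).getJWTClaimsSet().getSubject();
        }
        return getClaimFromToken(str, Claims::getSubject);
    }

    /**
     * Extracts the {@code exp} claim; same verification caveat as {@link #onGetUsernameFromToken}.
     *
     * @param str the compact-serialized JWT
     * @return the expiration time, or {@code null} when the claim is absent
     * @throws Throwable when the token cannot be parsed (or, in legacy mode, fails verification)
     */
    @Override // net.ibizsys.central.cloud.core.sysutil.SysUAAUtilRuntimeBase
    protected Date onGetExpirationDateFromToken(String str) throws Throwable {
        if (isEnableNewRTUAA()) {
            return SignedJWT.parse(str).getJWTClaimsSet().getExpirationTime();
        }
        return getClaimFromToken(str, Claims::getExpiration);
    }

    /**
     * Applies {@code function} to the verified claims of a legacy token.
     *
     * @param str the compact-serialized JWT
     * @param function claim extractor
     * @param <T> extracted claim type
     * @return the extracted value
     * @throws Throwable propagated from {@link #getAllClaimsFromToken}
     */
    protected <T> T getClaimFromToken(String str, Function<Claims, T> function) throws Throwable {
        return function.apply(getAllClaimsFromToken(str));
    }

    /**
     * Parses and verifies a legacy token with the public key from {@link #getPublicKeyString()}.
     *
     * @param str the compact-serialized JWT
     * @return the verified claims body
     * @throws Throwable when the key cannot be obtained or the JWS does not parse/verify
     */
    protected Claims getAllClaimsFromToken(String str) throws Throwable {
        return Jwts.parser().setSigningKey(getPublicKey(getPublicKeyString())).parseClaimsJws(str).getBody();
    }

    /**
     * Verifies the HMAC signature with the shared secret and then checks expiry.
     *
     * @param str the compact-serialized JWT
     * @param iAuthenticationUser the user being validated (not consulted here; subject was matched by the caller)
     * @return {@code true} when the signature verifies and the token is not expired
     * @throws Throwable when no secret is configured, the secret is unusable, or the token cannot be parsed
     */
    protected boolean validateTokenByMAC(String str, IAuthenticationUser iAuthenticationUser) throws Throwable {
        if (!StringUtils.hasLength(getSecret())) {
            throw new Exception("RT token验证失败，未指定secret");
        }
        SignedJWT signedJWT = SignedJWT.parse(str);
        // MACVerifier only handles the HS* algorithms, so a token whose header names another
        // algorithm cannot be passed off against the shared secret.
        if (!signedJWT.verify(new MACVerifier(getSecret()))) {
            return false;
        }
        // Same clock and null handling as onValidateToken: a missing exp claim counts as expired.
        return !isExpired(signedJWT.getJWTClaimsSet().getExpirationTime(), getClock().now());
    }

    /**
     * Verifies the RSA signature with the fetched JWK and then checks expiry.
     *
     * @param str the compact-serialized JWT
     * @param iAuthenticationUser the user being validated (not consulted here; subject was matched by the caller)
     * @return {@code true} when the signature verifies and the token is not expired
     * @throws Throwable when the key cannot be obtained/parsed, the token cannot be parsed, or the token is expired
     */
    protected boolean validateTokenByRSA(String str, IAuthenticationUser iAuthenticationUser) throws Throwable {
        RSASSAVerifier verifier = new RSASSAVerifier(RSAKey.parse(getPublicKeyString()));
        SignedJWT signedJWT = SignedJWT.parse(str);
        if (!signedJWT.verify(verifier)) {
            return false;
        }
        JWTClaimsSet claims = signedJWT.getJWTClaimsSet();
        Date now = getClock().now();
        // Unlike the MAC path this reports expiry as an exception so the caller can surface the times.
        if (isExpired(claims.getExpirationTime(), now)) {
            throw new Exception(String.format("访问令牌已过期，令牌有效期为[%1$s]，当前时间为[%2$s]", claims.getExpirationTime(), now));
        }
        return true;
    }

    // Single expiry rule for every path: no exp claim, or exp strictly before now, means expired.
    private static boolean isExpired(Date expiration, Date now) {
        return expiration == null || expiration.before(now);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Returns the verification key string. In legacy mode this is the base-class value; in new-RT
     * mode it is fetched once from {@link #NEWRT_UAASERVICE_SIGNATUREKEY_URL} and cached.
     *
     * @return the key string (a JWK document in the RSA path)
     * @throws Throwable when the fetch fails or returns an empty body
     */
    @Override // net.ibizsys.central.cloud.core.sysutil.SysUAAUtilRuntimeBase
    public String getPublicKeyString() throws Throwable {
        if (!isEnableNewRTUAA()) {
            return super.getPublicKeyString();
        }
        if (StringUtils.hasLength(this.publicKeyString)) {
            return this.publicKeyString;
        }
        try {
            IWebClientRep iWebClientRep = getSystemRuntime().getDefaultWebClient().get(NEWRT_UAASERVICE_SIGNATUREKEY_URL);
            if (iWebClientRep == null || !StringUtils.hasLength((String) iWebClientRep.getBody())) {
                throw new Exception("返回值无效");
            }
            this.publicKeyString = (String) iWebClientRep.getBody();
            return this.publicKeyString;
        } catch (Throwable th) {
            // Wrap with context but keep the original as the cause.
            throw new Exception(String.format("请求签名密钥发生异常，%1$s", th.getMessage()), th);
        }
    }
}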
