package com.alipay.sofa.rpc.auth;

import com.alipay.common.tracer.core.holder.SofaTraceContextHolder;
import com.alipay.remoting.util.StringUtils;
import com.alipay.sofa.rpc.common.AppAuthRuleGroupManager;
import com.alipay.sofa.rpc.common.AuthConstants;
import com.alipay.sofa.rpc.common.DsrConstants;
import com.alipay.sofa.rpc.common.ProviderAuthConstants;
import com.alipay.sofa.rpc.config.DrmProviderAuthConfig;
import com.alipay.sofa.rpc.core.request.SofaRequest;
import com.alipay.sofa.rpc.dynamic.DynamicConfigManager;
import com.alipay.sofa.rpc.log.Logger;
import com.alipay.sofa.rpc.log.LoggerFactory;
import com.alipay.sofa.rpc.model.provider.AuthLogModel;
import com.alipay.sofa.rpc.model.provider.IdentifyResult;
import com.alipay.sofa.rpc.model.provider.IdentifyStatusEnum;
import com.alipay.sofa.rpc.servcegovern.utils.FieldUtils;
import com.alipay.sofa.rpc.utils.AuthConfigUtils;
import com.alipay.sofa.rpc.utils.AuthDrmDataIdUtils;
import com.alipay.sofa.rpc.utils.AuthLogUtils;
import com.alipay.sofa.rpc.utils.DrmRegisterUtils;
import com.google.common.base.Strings;
import com.google.common.collect.Lists;
import com.google.common.collect.Sets;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;

/* loaded from: input_file:com/alipay/sofa/rpc/auth/EnterpriseAuthenticator.class */
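/**
 * Provider-side {@link Authenticator} that decides whether an incoming {@link SofaRequest} may be
 * served, based on a blacklist or whitelist {@link AuthRuleGroup} looked up through the
 * {@link DynamicConfigManager}.
 *
 * <p>When {@link #MIST_ENABLED} is set, an {@link AuthVerification} instance is used to identify the
 * calling application; otherwise the caller's application name is read from trace-span tags.
 *
 * <p>Review summary of the security-relevant behaviour visible in this class:
 * <ul>
 *   <li>Several paths in {@link #authenticate(SofaRequest)} allow the request when configuration is
 *       missing (fail-open); each one is marked inline.</li>
 *   <li>In {@code OBSERVER} mode a request that would be rejected is allowed and only logged.</li>
 *   <li>The request token is copied into the auth log model on identity failures.</li>
 * </ul>
 */
public class EnterpriseAuthenticator implements Authenticator {
    private static final Logger LOGGER = LoggerFactory.getLogger(EnterpriseAuthenticator.class);
    protected static final boolean MIST_ENABLED = AuthConstants.enabledMist();
    protected final DynamicConfigManager dynamicConfigManager;
    // Stays null unless MIST_ENABLED is true (see the constructor).
    protected AuthVerification authVerification;
    protected AuthDrmDataIdUtils authDrmDataIdUtils = new AuthDrmDataIdUtils();
    protected AuthLogUtils authLogUtils = new AuthLogUtils();
    protected AuthConfigUtils authConfigUtils = new AuthConfigUtils();
    protected DrmProviderAuthConfig drmProviderAuthConfig = new DrmProviderAuthConfig();

    /**
     * Creates the authenticator and registers its DRM-backed configuration object.
     *
     * @param dynamicConfigManager source of per-service rule groups; a {@code null} value is
     *     accepted here and makes {@link #authenticate(SofaRequest)} allow every request that
     *     passes the forced identity check
     */
    public EnterpriseAuthenticator(DynamicConfigManager dynamicConfigManager) {
        this.dynamicConfigManager = dynamicConfigManager;
        DrmRegisterUtils.registerDrmResource(this.drmProviderAuthConfig);
        if (MIST_ENABLED) {
            this.authVerification = AuthVerification.getInstance();
        }
    }

    /**
     * Evaluates the request against the configured rule group.
     *
     * <p>Order of checks: rule evaluation switch, forced identity verification, rule-group lookup,
     * enabled-rule filtering, group type, lazy identity verification, first matching rule, and
     * finally the blacklist/whitelist decision with the {@code OBSERVER} override.
     *
     * @param sofaRequest the incoming request
     * @return {@code true} to serve the request, {@code false} to reject it
     */
    @Override // com.alipay.sofa.rpc.auth.Authenticator
    public boolean authenticate(SofaRequest sofaRequest) {
        if (!enableAuthRule()) {
            return true;
        }
        IdentifyResult identity = forceAuthIdentify(sofaRequest);
        String interfaceName = getInterfaceName(sofaRequest.getTargetServiceUniqueName());
        if (verifyFailed(identity)) {
            // Forced identity verification rejects regardless of any rule mode.
            // NOTE(review): the request token is copied into the auth log model below; confirm that
            // AuthLogUtils masks or omits it before writing, since log readers would otherwise see it.
            this.authLogUtils.logForAuth(
                    parseAuthLogModel(sofaRequest, ProviderAuthConstants.FORCE_MODE, interfaceName, identity)
                            .setType(Authenticator.IDENTITYVERIFY)
                            .setResult(Authenticator.RESULT_FORBIDDEN)
                            .setToken(sofaRequest.getRequestProp(AuthConstants.REQUEST_PROP_TOKEN_KEY))
                            .setVerifiedRpcConsumerApp(sofaRequest.getRequestProp(Authenticator.HEAD_VERIFY_APP_NAME)));
            return false;
        }
        if (this.dynamicConfigManager == null) {
            // Fail-open: without a config manager no rule can be looked up and the request is allowed.
            LOGGER.warn("dynamicConfigManager is null, auth will return true");
            return true;
        }
        String boltDrmDataId = this.authDrmDataIdUtils.getBoltDrmDataId(sofaRequest.getTargetServiceUniqueName(), sofaRequest);
        if (Strings.isNullOrEmpty(boltDrmDataId)) {
            // Fail-open: the condition tested is an empty data id, although the message names the
            // target service unique name.
            LOGGER.warn("targetServiceUniqueName is null, auth will return true");
            return true;
        }
        AuthRuleGroup authRuleGroup = getAuthRuleGroup(boltDrmDataId);
        if (authRuleGroup == null && this.drmProviderAuthConfig.isRejectRequestWhenNoAuthRule()) {
            // Fail-closed only when explicitly configured; this rejection writes no auth log entry.
            return false;
        }
        // The decompiled source declared this local as AuthRule; filterAuthRules returns List<AuthRule>
        // and every use below is a list operation, so it is declared with its real type.
        List<AuthRule> enabledRules = filterAuthRules(authRuleGroup);
        if (enabledRules == null || enabledRules.isEmpty()) {
            // Fail-open: a missing or disabled group, or a group with no enabled rule, allows the
            // request. filterAuthRules returns null for a null group, so authRuleGroup is non-null
            // from here on.
            return true;
        }
        boolean blacklist;
        if (StringUtils.equals(Authenticator.BLACKLIST, authRuleGroup.getType())) {
            blacklist = true;
        } else if (StringUtils.equals(Authenticator.WHITELIST, authRuleGroup.getType())) {
            blacklist = false;
        } else {
            // Fail-open: a group type that is neither blacklist nor whitelist allows the request.
            return true;
        }
        if (identity == null && this.authVerification != null && isAuthRuleContainAppName(enabledRules)) {
            // Identify lazily, only when some enabled rule matches on the source application.
            identity = this.authVerification.identify(sofaRequest);
        }
        AuthRule matchedRule = null;
        for (AuthRule candidate : enabledRules) {
            if (matchAuthRule(sofaRequest, candidate, identity)) {
                matchedRule = candidate;
                break;
            }
        }
        boolean matched = matchedRule != null;
        String mode = getMode(blacklist, matchedRule, authRuleGroup);
        boolean isObserverMode = isObserverMode(mode);
        if (verifyFailed(identity)) {
            // Unlike the forced check above, a rejected identity on this path is allowed through
            // when the effective mode is OBSERVER.
            // NOTE(review): same token-in-log concern as on the forced path.
            this.authLogUtils.logForAuth(
                    parseAuthLogModel(sofaRequest, mode, interfaceName, identity)
                            .setType(Authenticator.IDENTITYVERIFY)
                            .setResult(isObserverMode ? Authenticator.RESULT_PASS : Authenticator.RESULT_FORBIDDEN)
                            .setToken(sofaRequest.getRequestProp(AuthConstants.REQUEST_PROP_TOKEN_KEY))
                            .setVerifiedRpcConsumerApp(sofaRequest.getRequestProp(Authenticator.HEAD_VERIFY_APP_NAME)));
            return isObserverMode;
        }
        if (isPass(blacklist, matched)) {
            return true;
        }
        if (!isLogWhenAuthRuleHit()) {
            // Logging disabled: in OBSERVER mode the request passes with no record of the rule hit.
            return isObserverMode;
        }
        this.authLogUtils.logForAuth(
                parseAuthLogModel(sofaRequest, mode, interfaceName, identity)
                        .setType(authRuleGroup.getType())
                        .setRefRules(blacklist ? matchedRule : enabledRules)
                        .setResult(isObserverMode ? Authenticator.RESULT_PASS : Authenticator.RESULT_FORBIDDEN)
                        .setVerifiedRpcConsumerApp(sofaRequest.getRequestProp(Authenticator.HEAD_VERIFY_APP_NAME)));
        return isObserverMode;
    }

    /**
     * Combines the group type with the match result.
     *
     * @param z {@code true} when the group is a blacklist, {@code false} for a whitelist
     * @param z2 {@code true} when some enabled rule matched the request
     * @return {@code true} for a blacklist with no match or a whitelist with a match
     */
    protected boolean isPass(boolean z, boolean z2) {
        return z != z2;
    }

    /**
     * Returns the part of a service unique name before its first {@code ':'}.
     *
     * @param str the service unique name, may be empty or {@code null}
     * @return the prefix before the first colon, or {@code str} unchanged when it is empty or has no colon
     */
    protected String getInterfaceName(String str) {
        if (com.alipay.sofa.rpc.common.utils.StringUtils.isEmpty(str)) {
            return str;
        }
        int colon = str.indexOf(':');
        return colon >= 0 ? str.substring(0, colon) : str;
    }

    /**
     * Tests whether every item of a rule matches the request.
     *
     * @param sofaRequest the incoming request
     * @param authRule the rule to evaluate
     * @param identifyResult the caller identity, may be {@code null}
     * @return {@code true} only when the rule has at least one item and all items match
     */
    protected boolean matchAuthRule(SofaRequest sofaRequest, AuthRule authRule, IdentifyResult identifyResult) {
        List<AuthRuleItem> ruleItems = authRule.getRuleItems();
        if (ruleItems == null || ruleItems.isEmpty()) {
            // A rule without items never matches.
            return false;
        }
        for (AuthRuleItem item : ruleItems) {
            if (!matchAuthRuleItem(sofaRequest, item, identifyResult)) {
                return false;
            }
        }
        return true;
    }

    /**
     * Evaluates one rule item: resolves the request-side value for the item's field, then applies
     * the item's operation against the item's configured value.
     *
     * @param sofaRequest the incoming request
     * @param authRuleItem the item to evaluate
     * @param identifyResult the caller identity, may be {@code null}
     * @return the result of {@link #doMatch(String, String, String)}
     */
    protected boolean matchAuthRuleItem(SofaRequest sofaRequest, AuthRuleItem authRuleItem, IdentifyResult identifyResult) {
        String field = authRuleItem.getField();
        String requestValue;
        if ("SYSTEM".equalsIgnoreCase(authRuleItem.getType())) {
            requestValue = getSystemRequestValue(field, identifyResult, sofaRequest);
        } else {
            // Any other item type reads the field from the request properties.
            // NOTE(review): whether those properties are caller-controlled is not visible here;
            // confirm before relying on them in a whitelist.
            requestValue = getCustomRequestValue(sofaRequest, field);
        }
        return doMatch(requestValue, authRuleItem.getOperation(), authRuleItem.getValue());
    }

    /**
     * Resolves a system field from the identity result or from the current trace span's tags.
     *
     * @param str the system field key
     * @param identifyResult the caller identity, may be {@code null}
     * @param sofaRequest the incoming request
     * @return the resolved value, possibly {@code null} when the tag is absent
     */
    protected String getSystemRequestValue(String str, IdentifyResult identifyResult, SofaRequest sofaRequest) {
        // NOTE(review): no null check on the trace context or the current span; confirm both are
        // always set on the provider path, otherwise this throws NullPointerException.
        Map<String, String> tags = SofaTraceContextHolder.getSofaTraceContext().getCurrentSpan().getTagsWithStr();
        if (StringUtils.equals(str, Authenticator.KEY_SOURCE_APP_ID)) {
            return getRemoteAppName(tags, identifyResult, sofaRequest);
        }
        if (StringUtils.equals(str, Authenticator.KEY_SOURCE_IP)) {
            return tags.get("remote.ip");
        }
        if (StringUtils.equals(str, Authenticator.KEY_DEST_APP_ID)) {
            return tags.get("local.app");
        }
        if (StringUtils.equals(str, Authenticator.KEY_DEST_SERVICE_NAME)) {
            String service = tags.get("service");
            if (StringUtils.isBlank(service)) {
                return service;
            }
            // Guard the missing-separator case: substring(0, -1) would throw
            // StringIndexOutOfBoundsException. Mirrors getInterfaceName, which returns the name as is.
            int separator = service.lastIndexOf(":");
            return separator >= 0 ? service.substring(0, separator) : service;
        }
        if (StringUtils.equals(str, Authenticator.KEY_DEST_METHOD_NAME)) {
            return tags.get(FieldUtils.METHOD);
        }
        // Unknown system field. NOTE(review): the decompiler mapped this default to
        // DsrConstants.DEFAULT_RPC_SERVICE_VERSION; presumably just a shared literal — confirm its value.
        return DsrConstants.DEFAULT_RPC_SERVICE_VERSION;
    }

    /**
     * Reads a custom field from the request properties.
     *
     * @param sofaRequest the incoming request
     * @param str the property key
     * @return the property rendered with {@link String#valueOf(Object)}, or {@code null} when absent
     */
    protected String getCustomRequestValue(SofaRequest sofaRequest, String str) {
        Object requestProp = sofaRequest.getRequestProp(str);
        return requestProp == null ? null : String.valueOf(requestProp);
    }

    /**
     * Applies a rule operation to a request value.
     *
     * @param str the value taken from the request, may be {@code null}
     * @param str2 the operation: {@code EQUAL}, {@code NOT_EQUAL}, {@code REGEX}, {@code IN} or {@code NOT_IN}
     * @param str3 the value configured on the rule item, may be {@code null}
     * @return whether the operation holds; {@code false} for an unknown operation, and for
     *     {@code REGEX}, {@code IN} and {@code NOT_IN} when the configured value is {@code null}
     */
    protected boolean doMatch(String str, String str2, String str3) {
        if (StringUtils.equals(str2, "EQUAL")) {
            return StringUtils.equals(str, str3);
        }
        if (StringUtils.equals(str2, "NOT_EQUAL")) {
            return !StringUtils.equals(str, str3);
        }
        if (str3 == null) {
            // Covers REGEX as well: Pattern.matches(null, ...) would throw NullPointerException.
            // A REGEX item with a null request value already fell through to this result.
            return false;
        }
        if (StringUtils.equals(str2, "REGEX") && str != null) {
            // The pattern comes from rule configuration and is compiled on every call. An invalid
            // pattern throws PatternSyntaxException out of this method.
            // NOTE(review): confirm the caller treats that exception as a rejection, and that rule
            // authors are trusted, because a pathological pattern is evaluated against request data.
            return Pattern.matches(str3, str);
        }
        HashSet<String> allowedValues = Sets.newHashSet(str3.split(Authenticator.RULE_SEPARATOR));
        if (StringUtils.equals(str2, "IN")) {
            return allowedValues.contains(str);
        }
        return StringUtils.equals(str2, "NOT_IN") && !allowedValues.contains(str);
    }

    /**
     * Looks up the rule group for a data id, falling back to the application-level group.
     *
     * @param str the DRM data id of the target service
     * @return the service-level group when present and enabled, otherwise whatever
     *     {@link AppAuthRuleGroupManager} holds (possibly {@code null})
     */
    protected AuthRuleGroup getAuthRuleGroup(String str) {
        AuthRuleGroup serviceAuthRule = this.dynamicConfigManager.getServiceAuthRule(str);
        if (serviceAuthRule != null && serviceAuthRule.enable()) {
            return serviceAuthRule;
        }
        return AppAuthRuleGroupManager.getInstance().getAuthRuleGroup();
    }

    /**
     * Tells whether any rule has a {@code SYSTEM} item on the source application field, which is
     * what triggers lazy identity verification in {@link #authenticate(SofaRequest)}.
     *
     * @param list the enabled rules
     * @return {@code true} when at least one rule item refers to {@link Authenticator#KEY_SOURCE_APP_ID}
     */
    protected boolean isAuthRuleContainAppName(List<AuthRule> list) {
        for (AuthRule rule : list) {
            List<AuthRuleItem> ruleItems = rule.getRuleItems();
            if (ruleItems == null || ruleItems.isEmpty()) {
                // Skip the rule instead of ending the scan. Stopping at the first item-less rule hid
                // app-name items in later rules, so identity verification was not run and matching
                // fell back to the "remote.app" span tag.
                continue;
            }
            for (AuthRuleItem authRuleItem : ruleItems) {
                if ("SYSTEM".equalsIgnoreCase(authRuleItem.getType()) && StringUtils.equals(authRuleItem.getField(), Authenticator.KEY_SOURCE_APP_ID)) {
                    return true;
                }
            }
        }
        return false;
    }

    /**
     * Picks the caller application name used for source-application rules.
     *
     * @param map the current span's tags
     * @param identifyResult the caller identity, may be {@code null}
     * @param sofaRequest the incoming request (unused here)
     * @return the identified application name when identification succeeded, otherwise the
     *     {@code remote.app} span tag
     */
    protected String getRemoteAppName(Map<String, String> map, IdentifyResult identifyResult, SofaRequest sofaRequest) {
        if (identifyResult != null && identifyResult.getStatus() == IdentifyStatusEnum.SUCCESS) {
            return identifyResult.getAppName();
        }
        // NOTE(review): the fallback tag is presumably filled from data sent by the caller; if so,
        // rules on the source application are only as strong as that self-declared name whenever
        // identification is unavailable or not successful. Confirm where "remote.app" comes from.
        return map.get("remote.app");
    }

    /**
     * Tells whether a whitelist group contains a rule in {@code OBSERVER} mode.
     *
     * @param authRuleGroup the rule group, must not be {@code null}
     * @return {@code true} when the group is a whitelist and any of its rules has mode {@code OBSERVER}
     */
    protected boolean isObserverModeWhitelist(AuthRuleGroup authRuleGroup) {
        if (!StringUtils.equals(authRuleGroup.getType(), Authenticator.WHITELIST)) {
            return false;
        }
        List<AuthRule> rules = authRuleGroup.getRules();
        if (rules == null || rules.isEmpty()) {
            return false;
        }
        // NOTE(review): this walks every rule of the group, including rules that filterAuthRules
        // drops as disabled, so one disabled OBSERVER rule makes the whole whitelist observe-only.
        // Confirm that is intended.
        for (AuthRule rule : rules) {
            if (StringUtils.equals("OBSERVER", rule.getMode())) {
                return true;
            }
        }
        return false;
    }

    /**
     * Determines the effective enforcement mode for the decision.
     *
     * @param z {@code true} when the group is a blacklist
     * @param authRule the matched rule, or {@code null} when nothing matched
     * @param authRuleGroup the rule group
     * @return the matched rule's mode for a blacklist hit, {@code OBSERVER} for an observer
     *     whitelist, otherwise {@link ProviderAuthConstants#REJECT_MODE}
     */
    protected String getMode(boolean z, AuthRule authRule, AuthRuleGroup authRuleGroup) {
        String mode = null;
        if (z && authRule != null) {
            mode = authRule.getMode();
        } else if (isObserverModeWhitelist(authRuleGroup)) {
            mode = "OBSERVER";
        }
        return Strings.isNullOrEmpty(mode) ? ProviderAuthConstants.REJECT_MODE : mode;
    }

    /**
     * @param str the effective mode
     * @return {@code true} when the mode is {@code OBSERVER}, in which case rejections are only logged
     */
    protected boolean isObserverMode(String str) {
        return StringUtils.equals("OBSERVER", str);
    }

    /**
     * Tells whether a rule hit should be written to the auth log.
     *
     * @return the local setting when it is {@code "true"} or {@code "false"} (case-insensitive),
     *     otherwise the DRM-backed default
     */
    protected boolean isLogWhenAuthRuleHit() {
        String configured = this.authConfigUtils.getIsLogWhenAuthRuleHit();
        if (Boolean.TRUE.toString().equalsIgnoreCase(configured)) {
            return true;
        }
        if (Boolean.FALSE.toString().equalsIgnoreCase(configured)) {
            return false;
        }
        // Null, empty or unrecognised text falls back to the DRM value.
        return this.drmProviderAuthConfig.isAuthLogEnabledBoolean();
    }

    /**
     * Tells whether identity verification is forced for every request.
     *
     * <p>Dereferences {@link #authVerification} without a null check; the only caller in this class,
     * {@link #forceAuthIdentify(SofaRequest)}, checks it first.
     *
     * @return the local setting when it is {@code "true"} or {@code "false"} (case-insensitive),
     *     otherwise the value reported by {@link AuthVerification}
     */
    protected boolean isForceAuthIdentify() {
        String configured = this.authConfigUtils.getIsForceAuthIdentify();
        if (Boolean.TRUE.toString().equalsIgnoreCase(configured)) {
            return true;
        }
        if (Boolean.FALSE.toString().equalsIgnoreCase(configured)) {
            return false;
        }
        // Null, empty or unrecognised text falls back to the verifier's own setting.
        return this.authVerification.isForceAuthIdentify();
    }

    /**
     * Runs identity verification up front when it is forced.
     *
     * @param sofaRequest the incoming request
     * @return the identification result, or {@code null} when no verifier exists or forcing is off
     */
    protected IdentifyResult forceAuthIdentify(SofaRequest sofaRequest) {
        if (this.authVerification == null || !isForceAuthIdentify()) {
            return null;
        }
        return this.authVerification.identify(sofaRequest);
    }

    /**
     * Keeps only the enabled rules of an enabled group.
     *
     * @param authRuleGroup the rule group, may be {@code null}
     * @return the enabled rules (possibly an empty list), or {@code null} when the group is
     *     {@code null}, disabled or has no rules
     */
    protected List<AuthRule> filterAuthRules(AuthRuleGroup authRuleGroup) {
        if (authRuleGroup == null || !authRuleGroup.enable()) {
            return null;
        }
        List<AuthRule> rules = authRuleGroup.getRules();
        if (rules == null || rules.isEmpty()) {
            return null;
        }
        List<AuthRule> enabledRules = Lists.newArrayList();
        for (AuthRule authRule : rules) {
            if (authRule.enable()) {
                enabledRules.add(authRule);
            }
        }
        return enabledRules;
    }

    /**
     * Builds the base auth log record for a denied or observed request.
     *
     * @param sofaRequest the incoming request
     * @param str the enforcement mode to record
     * @param str2 the interface name to record
     * @param identifyResult the caller identity, may be {@code null}
     * @return a log model whose logic result is always {@link Authenticator#RESULT_FORBIDDEN}; callers
     *     set the effective result separately
     */
    protected AuthLogModel parseAuthLogModel(SofaRequest sofaRequest, String str, String str2, IdentifyResult identifyResult) {
        return new AuthLogModel()
                .setServiceInfo(sofaRequest.getTargetServiceUniqueName())
                .setMode(str)
                .setInterfaceName(str2)
                .setLogicResult(Authenticator.RESULT_FORBIDDEN)
                .setVerifiedConsumerApp(identifyResult == null ? DsrConstants.DEFAULT_RPC_SERVICE_VERSION : identifyResult.getAppName())
                .setMethodName(sofaRequest.getMethodName())
                .setProviderApp(sofaRequest.getTargetAppName());
    }

    /**
     * @param identifyResult the caller identity, may be {@code null}
     * @return {@code true} only when identification ran and its status is
     *     {@link IdentifyStatusEnum#REJECT}; a {@code null} result or any other status is not a failure
     */
    protected boolean verifyFailed(IdentifyResult identifyResult) {
        return identifyResult != null && identifyResult.getStatus() == IdentifyStatusEnum.REJECT;
    }

    /**
     * Switch for rule evaluation; returns {@code true} here and is {@code protected}, so a subclass
     * can turn evaluation off, in which case {@link #authenticate(SofaRequest)} allows every request.
     *
     * @return {@code true}
     */
    protected boolean enableAuthRule() {
        return true;
    }
}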
