package com.ella.rest.configuration;

import com.ella.frame.cache.DistributedCache;
import com.ella.frame.cache.UserDeviceUtils;
import com.ella.frame.common.errorcode.OfflineEnum;
import com.ella.frame.common.util.HeadParamTl;
import com.ella.resource.config.HeadParamUtil;
import com.ella.rest.exception.LimitDeviceException;
import com.ella.user.auth.dto.MyUserDetails;
import com.ella.user.constant.UserAccountConstant;
import java.util.Calendar;
import java.util.Collection;
import java.util.Date;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import org.apache.commons.configuration.tree.DefaultExpressionEngine;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.oauth2.client.resource.OAuth2AccessDeniedException;
import org.springframework.security.oauth2.common.DefaultOAuth2AccessToken;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.common.exceptions.InvalidTokenException;
import org.springframework.security.oauth2.provider.ClientDetailsService;
import org.springframework.security.oauth2.provider.ClientRegistrationException;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.authentication.OAuth2AuthenticationDetails;
import org.springframework.security.oauth2.provider.authentication.OAuth2AuthenticationManager;
import org.springframework.security.oauth2.provider.token.ResourceServerTokenServices;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.util.CollectionUtils;

/* loaded from: input_file:BOOT-INF/classes/com/ella/rest/configuration/CustomOAuth2AuthenticationManager.class */
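/**
 * Resource-server authentication manager that validates a bearer token, applies the
 * resource-id and client-scope checks, enforces the per-user device limit and slides
 * the token's expiration forward when it is close to expiring.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>Bearer token values are credentials. Every log statement in this class writes
 *       only a masked form (see {@link #maskToken(String)}).</li>
 *   <li>Renewal is a sliding window with no absolute cap visible in this class: a token
 *       that keeps being used inside the renewal window keeps being extended by
 *       {@code renewHour} hours. Revocation therefore has to happen through the token
 *       store (as {@link #limitDeviceAndOffline} does), not through expiry.</li>
 *   <li>{@code renewHour}, {@code tokenStore} and {@code tokenServices} must be set before
 *       use; an unset value fails the request with a {@link NullPointerException}.</li>
 * </ul>
 */
public class CustomOAuth2AuthenticationManager extends OAuth2AuthenticationManager {
    private static final Logger log = LoggerFactory.getLogger(CustomOAuth2AuthenticationManager.class);

    /** Number of trailing token characters that may appear in log output. */
    private static final int VISIBLE_TOKEN_CHARS = 4;

    private ResourceServerTokenServices tokenServices;
    private ClientDetailsService clientDetailsService;
    private DistributedCache distributedCache;
    private TokenStore tokenStore;
    private Integer renewHour;
    private String resourceId;

    /**
     * Authenticates a request whose principal is the bearer token value.
     *
     * @param authentication the pre-authentication object carrying the token as its principal
     * @return the stored {@link OAuth2Authentication} for the token, marked authenticated
     * @throws InvalidTokenException if no authentication object was supplied, or the token
     *         is unknown to the token services
     * @throws OAuth2AccessDeniedException if the token is not valid for this resource id,
     *         or carries a scope or client id the client registration does not allow
     * @throws LimitDeviceException if the device-limit check reports that this session
     *         must go offline (the token is removed from the store first)
     */
    @Override // org.springframework.security.oauth2.provider.authentication.OAuth2AuthenticationManager, org.springframework.security.authentication.AuthenticationManager
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        if (authentication == null) {
            log.error("Authentication fail:token not found");
            throw new InvalidTokenException("Invalid token (token not found)");
        }
        String tokenValue = (String) authentication.getPrincipal();
        log.info("method authenticate: request token is {}", maskToken(tokenValue));

        OAuth2Authentication storedAuth = new CustomServerTokenServices(this.tokenStore).loadAuthentication(tokenValue);
        // Reject an unknown token before anything else touches it; previously the renewal
        // step ran first and could store an access token with a null authentication.
        if (storedAuth == null) {
            log.error("Authentication fail:Invalid token {}", maskToken(tokenValue));
            // Message text kept as before so clients see the same error; it carries the
            // caller's own token, so anything that logs this exception should mask it too.
            throw new InvalidTokenException("Invalid token: " + tokenValue);
        }

        OAuth2AccessToken accessToken = this.tokenServices.readAccessToken(tokenValue);
        if (accessToken == null) {
            // Previously this case surfaced as a NullPointerException on getExpiration().
            log.error("Authentication fail:Invalid token {}", maskToken(tokenValue));
            throw new InvalidTokenException("Invalid token: " + tokenValue);
        }
        log.info("method authenticate: request accessToken is {}", maskToken(accessToken.getValue()));

        Set<String> resourceIds = storedAuth.getOAuth2Request().getResourceIds();
        if (this.resourceId != null && resourceIds != null && !resourceIds.isEmpty() && !resourceIds.contains(this.resourceId)) {
            log.error("Authentication fail:does not contain resource id {}", this.resourceId);
            throw new OAuth2AccessDeniedException("Invalid token does not contain resource id (" + this.resourceId + ")");
        }
        checkClientDetails(storedAuth);

        if (authentication.getDetails() instanceof OAuth2AuthenticationDetails) {
            OAuth2AuthenticationDetails requestDetails = (OAuth2AuthenticationDetails) authentication.getDetails();
            if (!requestDetails.equals(storedAuth.getDetails())) {
                requestDetails.setDecodedDetails(storedAuth.getDetails());
            }
        }
        storedAuth.setDetails(authentication.getDetails());
        storedAuth.setAuthenticated(true);
        limitDeviceAndOffline(storedAuth, accessToken);

        // Extend the lifetime only once every check above has accepted the request, so a
        // token that is rejected for this resource, client or device is never prolonged.
        // NOTE(review): checkIfwillExpired is also true for an expiration already in the
        // past; whether such a token can reach this point depends on
        // CustomServerTokenServices.loadAuthentication, which is not visible here. Confirm
        // it rejects expired tokens, otherwise this step revives them.
        if (checkIfwillExpired(accessToken.getExpiration())) {
            renewToken(storedAuth, accessToken, this.renewHour.intValue());
        }
        return storedAuth;
    }

    /**
     * Reports whether the given expiration falls before "now + renewHour hours".
     *
     * @param date the token's expiration, or {@code null} for a token without one
     * @return {@code true} if the token should be renewed; {@code false} when it has no
     *         expiration at all (previously a {@link NullPointerException})
     */
    private boolean checkIfwillExpired(Date date) {
        if (date == null) {
            return false;
        }
        Calendar threshold = Calendar.getInstance();
        threshold.add(Calendar.HOUR_OF_DAY, this.renewHour.intValue());
        return threshold.getTime().after(date);
    }

    /**
     * Pushes the token's expiration forward by {@code i} hours, aligns the expiry of the
     * user's last-login cache entry with it, and writes the token back to the store.
     *
     * @param oAuth2Authentication authentication the token is stored against
     * @param oAuth2AccessToken token to extend; must be a {@link DefaultOAuth2AccessToken}
     * @param i number of hours to add to the current expiration
     */
    private void renewToken(OAuth2Authentication oAuth2Authentication, OAuth2AccessToken oAuth2AccessToken, int i) {
        DefaultOAuth2AccessToken mutableToken = (DefaultOAuth2AccessToken) oAuth2AccessToken;
        Calendar newExpiry = Calendar.getInstance();
        newExpiry.setTime(mutableToken.getExpiration());
        newExpiry.add(Calendar.HOUR_OF_DAY, i);
        mutableToken.setExpiration(newExpiry.getTime());
        try {
            // presumably the user-authentication details are a Map with a "username" key;
            // any mismatch lands in the catch below and the token is still stored.
            Map<?, ?> userDetails = (Map<?, ?>) oAuth2Authentication.getUserAuthentication().getDetails();
            String username = (String) userDetails.get("username");
            this.distributedCache.expireAt(UserAccountConstant.LAST_LOGIN_KEY + username, newExpiry.getTime());
        } catch (Exception e) {
            // Best effort: the cache entry is secondary to the token itself.
            // The message reads "failed to clear the user cache".
            log.error("清除用户缓存失败", e);
        }
        this.tokenStore.storeAccessToken(mutableToken, oAuth2Authentication);
    }

    /**
     * Verifies that every scope on the token is still allowed for the client it was
     * issued to. Skipped entirely when no {@link ClientDetailsService} is configured.
     *
     * @param oAuth2Authentication authentication loaded for the token
     * @throws OAuth2AccessDeniedException if the client id is not registered or the token
     *         carries a scope outside the client's registered scopes
     */
    private void checkClientDetails(OAuth2Authentication oAuth2Authentication) {
        if (this.clientDetailsService == null) {
            return;
        }
        try {
            Set<String> allowedScopes = this.clientDetailsService
                    .loadClientByClientId(oAuth2Authentication.getOAuth2Request().getClientId())
                    .getScope();
            for (String requestedScope : oAuth2Authentication.getOAuth2Request().getScope()) {
                if (!allowedScopes.contains(requestedScope)) {
                    log.error("Authentication fail:Invalid token contains disallowed scope {} for this client", requestedScope);
                    throw new OAuth2AccessDeniedException("Invalid token contains disallowed scope (" + requestedScope + ") for this client");
                }
            }
        } catch (ClientRegistrationException e) {
            // Pass the message for the placeholder and the exception for the stack trace;
            // with the exception as the only argument the "{}" was left unfilled.
            log.error("Authentication fail:{}", e.getMessage(), e);
            throw new OAuth2AccessDeniedException("Invalid token contains invalid client id");
        }
    }

    /**
     * Runs the per-user device-limit check and revokes the presented token when the
     * check says this session has to go offline.
     *
     * <p>A token without a user authentication is logged and let through without a
     * device check.
     *
     * @param oAuth2Authentication authentication loaded for the token
     * @param oAuth2AccessToken the token presented with the request
     * @throws LimitDeviceException carrying the offline code when the check fails
     */
    private void limitDeviceAndOffline(OAuth2Authentication oAuth2Authentication, OAuth2AccessToken oAuth2AccessToken) {
        Authentication userAuthentication = oAuth2Authentication.getUserAuthentication();
        if (Objects.isNull(userAuthentication)) {
            log.error("method authenticate:get userAuthentication is null by token!");
            return;
        }
        MyUserDetails userDetails = (MyUserDetails) userAuthentication.getPrincipal();
        String deviceNo = HeadParamUtil.getHeadParamTl().getDeviceNo();
        OfflineEnum offlineReason = new UserDeviceUtils(this.distributedCache).limitDeviceCheck(userDetails.getUsername(), deviceNo);
        if (Objects.nonNull(offlineReason)) {
            this.tokenStore.removeAccessToken(oAuth2AccessToken);
            String masked = maskToken(oAuth2AccessToken.getValue());
            log.info("method authenticate: userName {} corresponding accessToken {} is removed", userDetails.getUsername(), masked);
            log.info("method authenticate: removeAccessToken is {}", masked);
            throw new LimitDeviceException(offlineReason.getCode());
        }
    }

    /**
     * Removes every stored token for the composite user name
     * {@code str#deviceNo#str2} under the hard-coded client id {@code ellaenglish_app}.
     * Not called from within this class.
     *
     * @param str first component of the composite user name
     * @param headParamTl request header parameters supplying the device number
     * @param str2 last component of the composite user name
     * @return {@code true} if no token was found, {@code false} if tokens were removed
     */
    private boolean queryAndRemove(String str, HeadParamTl headParamTl, String str2) {
        String deviceNo = Optional.ofNullable(headParamTl.getDeviceNo()).orElse(UserAccountConstant.DEFAULT_DEVICE);
        String compositeUserName = str + "#" + deviceNo + "#" + str2;
        Collection<OAuth2AccessToken> tokens = this.tokenStore.findTokensByClientIdAndUserName("ellaenglish_app", compositeUserName);
        if (CollectionUtils.isEmpty(tokens)) {
            return true;
        }
        tokens.forEach(token -> {
            this.tokenStore.removeAccessToken(token);
            log.info("method limitDeviceAndOffline: userName {} corresponding accessToken {} is removed", compositeUserName, maskToken(token.getValue()));
        });
        return false;
    }

    /**
     * Produces a log-safe rendering of a token: a fixed prefix plus the last few
     * characters, or a fixed placeholder when the value is too short to truncate safely.
     *
     * @param token raw token value, may be {@code null}
     * @return masked text that never contains the full token
     */
    private static String maskToken(String token) {
        if (token == null) {
            return "<none>";
        }
        if (token.length() <= VISIBLE_TOKEN_CHARS * 2) {
            return "****";
        }
        return "****" + token.substring(token.length() - VISIBLE_TOKEN_CHARS);
    }

    /** @return the token services used to read access tokens */
    public ResourceServerTokenServices getTokenServices() {
        return this.tokenServices;
    }

    /** @return the client details service, or {@code null} if scope checks are disabled */
    public ClientDetailsService getClientDetailsService() {
        return this.clientDetailsService;
    }

    /** @return the resource id tokens must be valid for, or {@code null} for no restriction */
    public String getResourceId() {
        return this.resourceId;
    }

    /** Stores the token services on this subclass; the parent's setter is not invoked. */
    @Override // org.springframework.security.oauth2.provider.authentication.OAuth2AuthenticationManager
    public void setTokenServices(ResourceServerTokenServices resourceServerTokenServices) {
        this.tokenServices = resourceServerTokenServices;
    }

    /** Stores the client details service on this subclass; the parent's setter is not invoked. */
    @Override // org.springframework.security.oauth2.provider.authentication.OAuth2AuthenticationManager
    public void setClientDetailsService(ClientDetailsService clientDetailsService) {
        this.clientDetailsService = clientDetailsService;
    }

    /** Stores the resource id on this subclass; the parent's setter is not invoked. */
    @Override // org.springframework.security.oauth2.provider.authentication.OAuth2AuthenticationManager
    public void setResourceId(String str) {
        this.resourceId = str;
    }

    /** @param tokenStore store used to load, renew and revoke tokens */
    public void setTokenStore(TokenStore tokenStore) {
        this.tokenStore = tokenStore;
    }

    /** @param num size of the renewal window and of each extension, in hours */
    public void setRenewHour(Integer num) {
        this.renewHour = num;
    }

    /** @return the cache used for the device-limit check and last-login entries */
    public DistributedCache getDistributedCache() {
        return this.distributedCache;
    }

    /** @param distributedCache cache used for the device-limit check and last-login entries */
    public void setDistributedCache(DistributedCache distributedCache) {
        this.distributedCache = distributedCache;
    }
}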
