package com.alibaba.nacos.console.security.nacos;

import com.alibaba.nacos.api.remote.request.Request;
import com.alibaba.nacos.auth.AuthManager;
import com.alibaba.nacos.auth.exception.AccessException;
import com.alibaba.nacos.auth.model.Permission;
import com.alibaba.nacos.auth.model.User;
import com.alibaba.nacos.common.utils.StringUtils;
import com.alibaba.nacos.config.server.auth.RoleInfo;
import com.alibaba.nacos.console.security.nacos.roles.NacosRoleServiceImpl;
import com.alibaba.nacos.console.security.nacos.users.NacosUser;
import com.alibaba.nacos.core.utils.Loggers;
import io.jsonwebtoken.ExpiredJwtException;
import java.util.Iterator;
import java.util.List;
import javax.servlet.http.HttpServletRequest;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Component;

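/**
 * Nacos {@link AuthManager} backed by JWT tokens and the Nacos role service.
 *
 * <p>A request is authenticated from the first token source that is present, in this order:
 * the {@code Authorization: Bearer ...} header, an {@code accessToken} parameter (HTTP) or
 * header (remote), and finally a {@code username}/{@code password} pair that is checked through
 * the Spring {@link AuthenticationManager} and exchanged for a freshly minted token.
 *
 * <p>Every failure is surfaced as an {@link AccessException} with a short, fixed message so the
 * caller learns nothing beyond "denied"; details are written to {@code Loggers.AUTH} instead.
 */
@Component
/* loaded from: input_file:com/alibaba/nacos/console/security/nacos/NacosAuthManager.class */
public class NacosAuthManager implements AuthManager {
    private static final String TOKEN_PREFIX = "Bearer ";
    private static final String PARAM_USERNAME = "username";
    private static final String PARAM_PASSWORD = "password";
    private static final String PARAM_ACCESS_TOKEN = "accessToken";
    /** Request attribute under which {@link #login(Object)} caches the resolved user. */
    private static final String ATTR_NACOS_USER = "nacosuser";

    @Autowired
    private JwtTokenManager tokenManager;

    @Autowired
    private AuthenticationManager authenticationManager;

    @Autowired
    private NacosRoleServiceImpl roleService;

    /**
     * Authenticates an HTTP request and caches the resolved user on it.
     *
     * @param request must be an {@link HttpServletRequest}
     * @return the authenticated user, also stored as the {@code nacosuser} request attribute
     * @throws AccessException if no token can be resolved or the token is expired/invalid
     */
    @Override
    public User login(Object request) throws AccessException {
        HttpServletRequest httpRequest = (HttpServletRequest) request;
        NacosUser user = authenticateToken(resolveToken(httpRequest));
        // Cached so filters/controllers further down the chain can reuse the resolved user.
        httpRequest.setAttribute(ATTR_NACOS_USER, user);
        return user;
    }

    /**
     * Authenticates a remote (RPC) request; same token rules as {@link #login(Object)}, minus the
     * request attribute.
     *
     * @param request must be a Nacos {@link Request}
     * @return the authenticated user
     * @throws AccessException if no token can be resolved or the token is expired/invalid
     */
    @Override
    public User loginRemote(Object request) throws AccessException {
        return authenticateToken(resolveToken((Request) request));
    }

    /**
     * Checks that {@code user} holds {@code permission} through its roles.
     *
     * @param permission the permission being requested
     * @param user the already-authenticated user; a {@code null} user is denied
     * @throws AccessException if the permission check fails
     */
    @Override
    public void auth(Permission permission, User user) throws AccessException {
        if (Loggers.AUTH.isDebugEnabled()) {
            Loggers.AUTH.debug("auth permission: {}, user: {}", permission, user);
        }
        // Fail closed: a missing user is a denial, not a NullPointerException.
        if (user == null || !this.roleService.hasPermission(user.getUserName(), permission)) {
            throw new AccessException("authorization failed!");
        }
    }

    /**
     * Validates {@code token}, installs the resulting {@link Authentication} in the security
     * context, and builds the {@link NacosUser} including its global-admin flag.
     *
     * @param token the raw JWT; may be blank
     * @return the resolved user
     * @throws AccessException if the token is blank, expired, or rejected for any other reason
     */
    private NacosUser authenticateToken(String token) throws AccessException {
        if (StringUtils.isBlank(token)) {
            throw new AccessException("user not found!");
        }
        try {
            this.tokenManager.validateToken(token);
            Authentication authentication = this.tokenManager.getAuthentication(token);
            SecurityContextHolder.getContext().setAuthentication(authentication);
            String username = authentication.getName();
            NacosUser user = new NacosUser();
            user.setUserName(username);
            user.setToken(token);
            if (isGlobalAdmin(username)) {
                user.setGlobalAdmin(true);
            }
            return user;
        } catch (ExpiredJwtException e) {
            throw new AccessException("token expired!");
        } catch (Exception e) {
            // The broad catch keeps the caller-facing contract (any failure -> "token invalid!")
            // and also covers role-lookup errors. AccessException carries no cause, so the reason
            // is logged here; the token itself is deliberately kept out of the log.
            Loggers.AUTH.warn("token rejected: {}", e.getMessage());
            throw new AccessException("token invalid!");
        }
    }

    /**
     * Whether any role assigned to {@code username} is the global admin role.
     *
     * @param username the user whose roles are looked up
     * @return {@code true} if the global admin role is present; {@code false} for a null role list
     */
    private boolean isGlobalAdmin(String username) {
        List<RoleInfo> roles = this.roleService.getRoles(username);
        if (roles == null) {
            return false;
        }
        for (RoleInfo role : roles) {
            // Constant-first equals tolerates a null role name instead of throwing.
            if (NacosRoleServiceImpl.GLOBAL_ADMIN_ROLE.equals(role.getRole())) {
                return true;
            }
        }
        return false;
    }

    /**
     * Resolves the token for an HTTP request: bearer header, then the {@code accessToken}
     * parameter, then a username/password login.
     *
     * @throws AccessException if the username/password fallback is reached and fails
     */
    private String resolveToken(HttpServletRequest request) throws AccessException {
        String bearer = extractBearerToken(request.getHeader(NacosAuthConfig.AUTHORIZATION_HEADER));
        if (bearer != null) {
            return bearer;
        }
        String token = request.getParameter(PARAM_ACCESS_TOKEN);
        if (StringUtils.isBlank(token)) {
            // NOTE(review): getParameter also reads query-string values, so credentials sent this
            // way can end up in access logs; upstream behaviour is preserved here.
            token = resolveTokenFromUser(request.getParameter(PARAM_USERNAME),
                    request.getParameter(PARAM_PASSWORD));
        }
        return token;
    }

    /**
     * Resolves the token for a remote request: bearer header, then the {@code accessToken}
     * header, then a username/password login carried in headers.
     *
     * @throws AccessException if the username/password fallback is reached and fails
     */
    private String resolveToken(Request request) throws AccessException {
        String bearer = extractBearerToken(request.getHeader(NacosAuthConfig.AUTHORIZATION_HEADER));
        if (bearer != null) {
            return bearer;
        }
        String token = request.getHeader(PARAM_ACCESS_TOKEN);
        if (StringUtils.isBlank(token)) {
            token = resolveTokenFromUser(request.getHeader(PARAM_USERNAME),
                    request.getHeader(PARAM_PASSWORD));
        }
        return token;
    }

    /**
     * Strips the {@code "Bearer "} prefix from an Authorization header value.
     *
     * @param header the raw header value; may be null or blank
     * @return the token that follows the prefix, or {@code null} if the header is not a bearer
     *     header (the remainder is returned unchecked, exactly as before)
     */
    private static String extractBearerToken(String header) {
        if (StringUtils.isNotBlank(header) && header.startsWith(TOKEN_PREFIX)) {
            return header.substring(TOKEN_PREFIX.length());
        }
        return null;
    }

    /**
     * Authenticates a username/password pair and mints a JWT for the authenticated principal.
     *
     * @param username the supplied user name
     * @param rawPassword the supplied plain-text password
     * @return a freshly created token
     * @throws AccessException if the credentials are rejected
     */
    private String resolveTokenFromUser(String username, String rawPassword) throws AccessException {
        try {
            Authentication authenticated = this.authenticationManager
                    .authenticate(new UsernamePasswordAuthenticationToken(username, rawPassword));
            // NOTE(review): a null or nameless Authentication still mints a token for the supplied
            // username; this relies on the AuthenticationManager throwing on every failed login.
            String subject = (authenticated == null || StringUtils.isBlank(authenticated.getName()))
                    ? username
                    : authenticated.getName();
            return this.tokenManager.createToken(subject);
        } catch (AuthenticationException e) {
            throw new AccessException("unknown user!");
        }
    }
}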
