package com.xdja.cssp.as.api.interceptor;

import com.xdja.cssp.as.api.Constants;
import com.xdja.cssp.as.api.interceptor.cache.SignatureNonce;
import com.xdja.cssp.as.api.interceptor.model.Request;
import com.xdja.cssp.as.api.interceptor.sort.ComparatorHeader;
import com.xdja.cssp.as.api.util.Base64Util;
import com.xdja.cssp.as.api.util.ByteUtils;
import com.xdja.cssp.as.api.util.CertUtil;
import com.xdja.cssp.as.api.util.SignUtils;
import com.xdja.cssp.as.service.ILoginService;
import com.xdja.cssp.as.service.model.Cert;
import com.xdja.cssp.restful.auth.exception.AuthException;
import com.xdja.cssp.restful.auth.exception.DuplicateRequestException;
import com.xdja.cssp.restful.auth.exception.InvalidDateException;
import com.xdja.cssp.restful.auth.exception.InvalidSnException;
import com.xdja.cssp.restful.auth.exception.NotMatchSignatureException;
import com.xdja.cssp.restful.auth.exception.NotSupportSignAlgoException;
import com.xdja.cssp.restful.auth.exception.RequestTimeoutException;
import com.xdja.cssp.restful.auth.exception.VerifySignatureException;
import com.xdja.platform.rpc.consumer.refer.DefaultServiceRefer;
import java.text.ParseException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Enumeration;
import java.util.UUID;
import javax.servlet.http.HttpServletRequest;
import org.apache.http.message.BasicHeader;
import org.aspectj.lang.annotation.Before;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.context.request.ServletRequestAttributes;

/* loaded from: input_file:WEB-INF/classes/com/xdja/cssp/as/api/interceptor/AuthClientInterceptor.class */
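/**
 * AspectJ advice that authenticates the HTTP client before any public {@code *Login}
 * method of {@code com.xdja.cssp.as.api.AsApi} runs.
 *
 * <p>The checks run in this order, and each failure aborts the call with an exception:
 * <ol>
 *   <li>the timestamp header must parse and lie within {@code Constants.TIMEOUT} of the
 *       server clock, in either direction;</li>
 *   <li>the nonce header must be present and differ from the last accepted nonce;</li>
 *   <li>the signature-method header must name RSA or SM2;</li>
 *   <li>the certificate serial number header must resolve to a known certificate;</li>
 *   <li>the signature in the authorization header must verify over the canonical request
 *       (method, servlet path, sorted signed headers, body) with that certificate's key.</li>
 * </ol>
 *
 * <p>NOTE(review): replay protection relies on one shared static slot
 * ({@code SignatureNonce.signatureNonce}). It only detects a repeat of the most recently
 * accepted nonce, and the field is read and written here without synchronization. A
 * per-nonce store whose entries expire after the timestamp window would be needed to
 * reject every replay inside that window.
 */
public class AuthClientInterceptor {
    private Logger logger = LoggerFactory.getLogger(getClass());
    private ILoginService service = (ILoginService) DefaultServiceRefer.getServiceRefer(ILoginService.class);
    private String hostId = Constants.HOST_ID;

    /**
     * Verifies timestamp, nonce, signature algorithm, certificate and request signature of
     * the current servlet request, and publishes the parsed {@link Request} as the request
     * attribute {@code "request"}.
     *
     * @throws InvalidDateException if the timestamp header is missing or cannot be parsed
     * @throws RequestTimeoutException if the timestamp is outside the accepted window
     * @throws DuplicateRequestException if the nonce is missing or equals the last accepted one
     * @throws NotSupportSignAlgoException if the signature method is missing or not RSA/SM2
     * @throws InvalidSnException if no certificate matches the serial number header
     * @throws VerifySignatureException if signature verification fails or raises an error
     */
    @Before("execution(public * com.xdja.cssp.as.api.AsApi.*Login(..))")
    public void authClient() {
        this.logger.debug("开始验证客户端身份");
        HttpServletRequest request = ((ServletRequestAttributes) RequestContextHolder.getRequestAttributes()).getRequest();
        Request authRequest = new Request();
        String requestId = genRequestId();
        authRequest.setId(requestId);
        try {
            String timestamp = request.getHeader(Constants.TIMESTAMP_HEADER_NAME);
            if (timestamp == null) {
                // Routed through the ParseException handler below so a missing header is
                // reported as an invalid date instead of depending on how parseTimestamp
                // treats null.
                throw new ParseException("missing timestamp header", 0);
            }
            long skew = System.currentTimeMillis() - Constants.parseTimestamp(timestamp).getTime();
            // Reject timestamps too far in the future as well as too far in the past: a
            // future-dated request would otherwise stay acceptable until that time plus
            // the timeout, which widens the replay window.
            if (skew > Constants.TIMEOUT || skew < -Constants.TIMEOUT) {
                throw new RequestTimeoutException(this.hostId, requestId, AuthException.REQUEST_TIMEOUT, "请求时间戳超时(可能由于客户端时间不正确导致，请先校准客户端时间)");
            }

            String nonce = request.getHeader(Constants.SIGNATURE_NONCE_HEADER_NAME);
            if (nonce == null) {
                // A request without the nonce header must not reach the shared slot:
                // storing null there would make the comparison on every later call fail
                // with a NullPointerException.
                throw new DuplicateRequestException(this.hostId, requestId, AuthException.DUPLICATE_REQUEST, "缺少签名随机数");
            }
            // Argument order keeps the comparison safe when the slot has not been set yet.
            if (nonce.equals(SignatureNonce.signatureNonce)) {
                throw new DuplicateRequestException(this.hostId, requestId, AuthException.DUPLICATE_REQUEST, "重复的请求");
            }

            String signMethod = request.getHeader(Constants.SIGNATURE_METHOD_HEADER_NAME);
            // Constant-first equals: a missing header is rejected as unsupported instead
            // of raising a NullPointerException.
            boolean sm2 = Constants.HTTP_HEADER_SIGN_METHOD_SM2.equals(signMethod);
            if (!sm2 && !Constants.HTTP_HEADER_SIGN_METHOD_RSA.equals(signMethod)) {
                throw new NotSupportSignAlgoException(this.hostId, requestId, AuthException.NOT_SUPPORT_SIGN_ALGO, "不支持的签名算法");
            }
            authRequest.setSignatureAlgo(signMethod);
            try {
                // Second argument selects the certificate kind: 2 for SM2, 1 otherwise (RSA).
                Cert clientCert = this.service.queryCert(request.getHeader(Constants.SIGNATURE_SN_HEADER_NAME), sm2 ? 2 : 1);
                if (null == clientCert) {
                    throw new InvalidSnException(this.hostId, requestId, AuthException.INVALID_SN, "无效的证书sn");
                }
                authRequest.setCardNo(clientCert.getCardNo());
                String method = request.getMethod();
                // NOTE(review): only the servlet path is signed; the query string and any
                // extra path info are not passed to generateCanonicalizeRequest here, so
                // they are not covered by the signature unless a signed header carries them.
                String servletPath = request.getServletPath();
                authRequest.setMethod(method);
                authRequest.setUri(servletPath);
                request.setAttribute("request", authRequest);

                // Collect the headers that take part in the signature, then put them in
                // the canonical order defined by ComparatorHeader.
                // NOTE(review): the prefix match is case-sensitive while HTTP header names
                // are not; confirm the container's casing matches HEADER_NAME_START.
                ArrayList signedHeaders = new ArrayList();
                Enumeration headerNames = request.getHeaderNames();
                while (headerNames.hasMoreElements()) {
                    String name = (String) headerNames.nextElement();
                    if (name.startsWith(Constants.HEADER_NAME_START)) {
                        signedHeaders.add(new BasicHeader(name, request.getHeader(name)));
                    }
                }
                Collections.sort(signedHeaders, new ComparatorHeader());
                try {
                    // NOTE(review): reading the input stream here consumes the body; the
                    // intercepted method can only read it again if the request is wrapped
                    // elsewhere - confirm.
                    if (!SignUtils.verifySignature(
                            signMethod,
                            CertUtil.getCertFromStr(clientCert.getCert()).getPublicKey(),
                            Constants.generateCanonicalizeRequest(
                                    method,
                                    servletPath,
                                    signedHeaders,
                                    new String(ByteUtils.inputStreamToBytes(request.getInputStream()), "UTF-8")).getBytes("UTF-8"),
                            Base64Util.getByteByBase64(request.getHeader(Constants.AUTHORIZATION_HEADER_NAME)))) {
                        throw new NotMatchSignatureException(this.hostId, requestId, AuthException.NOT_MATCH_SIGNATURE, "验证请求签名不匹配");
                    }
                    // Record the nonce only once the signature has verified, so that an
                    // unauthenticated request cannot overwrite the last accepted value.
                    SignatureNonce.signatureNonce = nonce;
                    this.logger.debug("验证客户端身份通过");
                } catch (Exception e) {
                    // NOTE(review): this handler also catches the NotMatchSignatureException
                    // thrown just above, so a plain signature mismatch reaches callers as
                    // VerifySignatureException. Left as is because callers may depend on it.
                    this.logger.error("验证请求签名异常", (Throwable) e);
                    throw new VerifySignatureException(this.hostId, requestId, AuthException.VERIFY_SIGNATURE_ERROR, "验证请求签名异常", e);
                }
            } catch (IllegalArgumentException e2) {
                // Keep the cause in the log: any IllegalArgumentException raised between the
                // certificate lookup and the header sort ends up here, not only an empty SN.
                this.logger.error("客户端签名证书SN为空", (Throwable) e2);
                throw new InvalidSnException(this.hostId, requestId, AuthException.INVALID_SN, "无效的证书sn");
            }
        } catch (ParseException e3) {
            this.logger.error("无效的请求时间戳", (Throwable) e3);
            throw new InvalidDateException(this.hostId, requestId, AuthException.INVALID_DATE, "无效的时间", e3);
        }
    }

    /** Returns a fresh random UUID string used to correlate log lines and error responses. */
    private String genRequestId() {
        return UUID.randomUUID().toString();
    }
}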
