package com.huawei.fusionstage.middleware.dtm.sercurity.aksk;

import com.huawei.fusionstage.middleware.dtm.common.configuration.PropertiesUtils;
import com.huawei.fusionstage.middleware.dtm.common.exception.AuthenticateException;
import com.huawei.fusionstage.middleware.dtm.common.exception.ConfigException;
import com.huawei.fusionstage.middleware.dtm.common.exception.PropertiesInvalidException;
import com.huawei.fusionstage.middleware.dtm.common.logger.DTMLoggerFactory;
import com.huawei.fusionstage.middleware.dtm.common.module.DynamicModuleLoaderUtil;
import com.huawei.fusionstage.middleware.dtm.common.module.config.IScProxyOperator;
import com.huawei.fusionstage.middleware.dtm.sercurity.AbstractDtmSecurity;
import com.huawei.fusionstage.middleware.dtm.sercurity.aksk.iam.IamAccount;
import com.huawei.fusionstage.middleware.dtm.sercurity.aksk.iam.IamAuthcator;
import com.huawei.fusionstage.middleware.dtm.sercurity.aksk.iam.IamToken;
import com.huawei.fusionstage.middleware.dtm.sercurity.aksk.utils.HttpUtil;
import com.huawei.fusionstage.middleware.dtm.sercurity.aksk.utils.SignUtils;
import com.huawei.fusionstage.middleware.dtm.sercurity.aksk.utils.StringUtils;
import com.huawei.fusionstage.middleware.dtm.sercurity.aksk.utils.TcpSignUtils;
import com.huawei.fusionstage.middleware.dtm.sercurity.aksk.utils.TokenUtils;
import java.lang.invoke.MethodHandles;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import org.json.JSONObject;
import org.slf4j.Logger;

/* loaded from: input_file:com/huawei/fusionstage/middleware/dtm/sercurity/aksk/AkSkSecurity.class */
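/**
 * Static helpers for DTM's AK/SK request signing and IAM token validation.
 *
 * <p>{@link #getClientAuthInfo()} builds the signed fields a client sends; {@link #checkAuthInfo(Map)}
 * verifies them on the receiving side; {@link #validateTokenBlocking(Map)} and
 * {@link #decodeToken(String, String, String, String)} handle a caller-supplied IAM token.
 *
 * <p>Authentication is opt-in: every check in this class is skipped unless
 * {@code ConstantsDef.IAM_AUTHENTICATE} is exactly "on" (case-insensitive). A missing property
 * defaults to "off", i.e. the class fails open on a missing or mistyped switch.
 */
public class AkSkSecurity {
    private static final Logger logger = DTMLoggerFactory.getLogger(MethodHandles.lookup().lookupClass());

    // Decoded tokens keyed by the raw token string. Entries are added only after validateToken()
    // succeeded (see validateTokenBlocking). No eviction is visible in this class;
    // TokenUtils.checkPkiTokenInCache receives the map and may prune expired entries - confirm.
    private static final Map<String, JSONObject> TOKEN_CACHE = new ConcurrentHashMap<>();

    private static final IScProxyOperator SC_PROXY_OPERATOR = (IScProxyOperator) DynamicModuleLoaderUtil.getDynamicModuleSingleton(IScProxyOperator.class);

    // Both fields are built during class initialisation, so the IAM endpoint and the IAM admin
    // credentials are read from configuration as soon as any method of this class is first used,
    // including the client-only getClientAuthInfo().
    private static IamAuthcator authcator = new IamAuthcator(PropertiesUtils.getStringProperty(ConstantsDef.GLOBAL_IAM_ENDPOINT));
    private static IamAccount iamAdminAccount = new IamAccount(PropertiesUtils.getStringProperty(ConstantsDef.IAM_ADMIN_USER), PropertiesUtils.getStringProperty(ConstantsDef.IAM_ADMIN_USER_PASSWD), PropertiesUtils.getStringProperty(ConstantsDef.IAM_BUSSINESS_KEY), ConstantsDef.OP_SERVICE);

    /**
     * Reports whether client-side signing is enabled and, if so, asserts that the properties it
     * needs are configured.
     *
     * @return {@code false} when IAM authentication is not switched "on", {@code true} otherwise
     * @throws PropertiesInvalidException if authentication is on and AK, SK, project id or DTM app
     *     name is missing
     */
    private static boolean checkClientProperties() throws PropertiesInvalidException {
        if (!PropertiesUtils.getStringProperty(ConstantsDef.IAM_AUTHENTICATE, "off").equalsIgnoreCase("on")) {
            return false;
        }
        PropertiesUtils.assertHasStringProperty(ConstantsDef.AK);
        PropertiesUtils.assertHasStringProperty(ConstantsDef.SK);
        PropertiesUtils.assertHasStringProperty(ConstantsDef.PROJECT_ID);
        PropertiesUtils.assertHasStringProperty(ConstantsDef.DTM_APP_NAME);
        return true;
    }

    /**
     * Builds the authentication fields a client attaches to a request.
     *
     * <p>When authentication is enabled the map holds AK, the current time in milliseconds,
     * project id, DTM app name and the signature computed by {@code TcpSignUtils.signRequest}
     * over those values with the configured SK. The SK itself is never put into the map.
     *
     * @return the populated map, or an empty map when authentication is switched off
     * @throws PropertiesInvalidException if a required property is missing or signing fails
     */
    public static Map<String, String> getClientAuthInfo() throws PropertiesInvalidException {
        boolean authEnabled = checkClientProperties();
        Map<String, String> authInfo = new HashMap<>();
        if (authEnabled) {
            try {
                String ak = PropertiesUtils.getStringProperty(ConstantsDef.AK);
                String sk = PropertiesUtils.getStringProperty(ConstantsDef.SK);
                String projectId = PropertiesUtils.getStringProperty(ConstantsDef.PROJECT_ID);
                String appName = PropertiesUtils.getStringProperty(ConstantsDef.DTM_APP_NAME);
                String timestamp = String.valueOf(System.currentTimeMillis());
                String signature = TcpSignUtils.signRequest(ak, sk, timestamp, projectId, appName);
                authInfo.put(ConstantsDef.AK, ak);
                authInfo.put(ConstantsDef.TIME_STAMP, timestamp);
                authInfo.put(ConstantsDef.PROJECT_ID, projectId);
                authInfo.put(ConstantsDef.DTM_APP_NAME, appName);
                authInfo.put(ConstantsDef.AK_SK_SIGN, signature);
            } catch (Exception e) {
                throw new PropertiesInvalidException(e.getMessage(), e);
            }
        }
        return authInfo;
    }

    /**
     * Reports whether server-side verification is enabled and, if so, asserts that the IAM
     * endpoint and admin credentials are configured.
     *
     * @return {@code false} when IAM authentication is not switched "on", {@code true} otherwise
     * @throws PropertiesInvalidException if authentication is on and a required property is missing
     */
    private static boolean checkServerProperties() throws PropertiesInvalidException {
        if (!PropertiesUtils.getStringProperty(ConstantsDef.IAM_AUTHENTICATE, "off").equalsIgnoreCase("on")) {
            return false;
        }
        PropertiesUtils.assertHasStringProperty(ConstantsDef.GLOBAL_IAM_ENDPOINT);
        PropertiesUtils.assertHasStringProperty(ConstantsDef.IAM_ADMIN_USER);
        PropertiesUtils.assertHasStringProperty(ConstantsDef.IAM_ADMIN_USER_PASSWD);
        PropertiesUtils.assertHasStringProperty(ConstantsDef.IAM_BUSSINESS_KEY);
        return true;
    }

    /**
     * Verifies the authentication fields received from a client.
     *
     * <p>Steps, all skipped when authentication is switched off: require the five fields, reject a
     * locked AK, verify the signature, then fetch the AK's IAM token and validate project, app
     * name and roles.
     *
     * <p>NOTE(review): the signed TIME_STAMP is never compared with the server clock in this class,
     * so a captured set of fields stays acceptable unless a freshness or nonce check exists
     * elsewhere - confirm.
     *
     * @param map client-supplied fields (untrusted)
     * @throws AuthenticateException if a field is missing, the AK is locked, the signature does
     *     not match, the token is invalid, or server configuration is invalid
     */
    public static void checkAuthInfo(Map<String, String> map) throws AuthenticateException {
        try {
            if (checkServerProperties()) {
                if (!map.containsKey(ConstantsDef.AK) || !map.containsKey(ConstantsDef.DTM_APP_NAME) || !map.containsKey(ConstantsDef.PROJECT_ID) || !map.containsKey(ConstantsDef.AK_SK_SIGN) || !map.containsKey(ConstantsDef.TIME_STAMP)) {
                    logger.error("auth infos not complete.");
                    throw new AuthenticateException("auth infos not complete");
                }
                String ak = map.get(ConstantsDef.AK);
                String appName = map.get(ConstantsDef.DTM_APP_NAME);
                String projectId = map.get(ConstantsDef.PROJECT_ID);
                if (SignUtils.isAkLocked(ak)) {
                    SignUtils.onFailed(ak);
                    throw new AuthenticateException("the user ak: " + ak + " is locked.");
                }
                try {
                    verifySignInfo(map);
                    SignUtils.onSucceed(ak);
                    logger.info("the user ak:{} sign ok", ak);
                    try {
                        validateToken(getTokenByAk(map), projectId, appName, SC_PROXY_OPERATOR.getOrderDtmAppName(projectId));
                    } catch (ConfigException e) {
                        // Keep the cause so a server-side configuration fault can be told apart
                        // from a client authentication failure in the logs.
                        throw new AuthenticateException(e.getMessage(), e);
                    }
                } catch (AuthenticateException e) {
                    // Failures after the signature check (token lookup, project/role validation,
                    // SC proxy configuration errors) are counted against the AK as well.
                    SignUtils.onFailed(ak);
                    throw e;
                }
            }
        } catch (PropertiesInvalidException e) {
            throw new AuthenticateException(e.getMessage(), e);
        }
    }

    /**
     * Reports whether token validation is enabled in the supplied settings and, if so, asserts
     * that every key needed by {@link #validateTokenBlocking(Map)} is present.
     *
     * @param map settings and token fields; the enable switch is read from this map, not from
     *     PropertiesUtils
     * @return {@code false} when the map does not carry IAM_AUTHENTICATE = "on"
     * @throws AuthenticateException if authentication is on and a required key is absent
     */
    private static boolean checkManagerAuthInfo(Map<String, String> map) throws AuthenticateException {
        if (!map.getOrDefault(ConstantsDef.IAM_AUTHENTICATE, "off").equalsIgnoreCase("on")) {
            return false;
        }
        AbstractDtmSecurity.assertContainKey(map, ConstantsDef.GLOBAL_IAM_ENDPOINT);
        AbstractDtmSecurity.assertContainKey(map, ConstantsDef.IAM_SIGN_PEM_FILE);
        AbstractDtmSecurity.assertContainKey(map, ConstantsDef.IAM_CA_PEM_FILE);
        AbstractDtmSecurity.assertContainKey(map, ConstantsDef.TOKEN);
        AbstractDtmSecurity.assertContainKey(map, ConstantsDef.DTM_APP_NAME);
        AbstractDtmSecurity.assertContainKey(map, ConstantsDef.ORDER_DTM_APP_NAME);
        AbstractDtmSecurity.assertContainKey(map, ConstantsDef.PROJECT_ID);
        return true;
    }

    /**
     * Decodes and validates the IAM token carried in {@code map}, then caches the decoded form.
     *
     * <p>The IAM endpoint and both PEM file paths are taken from {@code map}.
     * NOTE(review): if any part of this map can be influenced by a remote caller, the endpoint and
     * the PEM destination paths must be pinned to configuration instead - confirm the map's origin.
     *
     * @param map settings and token fields, see {@link #checkManagerAuthInfo(Map)}
     * @throws AuthenticateException if a key is missing or the token fails decoding or validation
     */
    public static void validateTokenBlocking(Map<String, String> map) throws AuthenticateException {
        if (checkManagerAuthInfo(map)) {
            String token = map.get(ConstantsDef.TOKEN);
            String projectId = map.get(ConstantsDef.PROJECT_ID);
            String appName = map.get(ConstantsDef.DTM_APP_NAME);
            String orderAppName = map.get(ConstantsDef.ORDER_DTM_APP_NAME);
            JSONObject decoded = decodeToken(token, map.get(ConstantsDef.GLOBAL_IAM_ENDPOINT), map.get(ConstantsDef.IAM_CA_PEM_FILE), map.get(ConstantsDef.IAM_SIGN_PEM_FILE));
            validateToken(TokenUtils.parseToken(token, decoded), projectId, appName, orderAppName);
            // Cached only after validation succeeded, so rejected tokens never enter the cache.
            TOKEN_CACHE.put(token, decoded);
        }
    }

    /**
     * Returns the decoded JSON body of an IAM token, using the cache when possible.
     *
     * <p>On a decode failure the CA and signing PEM files are fetched again from the IAM endpoint
     * and decoding is retried once.
     *
     * @param str the raw token
     * @param str2 IAM endpoint used to re-download the PEM files
     * @param str3 path of the CA PEM file
     * @param str4 path of the signing PEM file handed to {@code TokenUtils.decodeToken}
     * @return the decoded token
     * @throws AuthenticateException if the download or the retried decode fails; the retry failure
     *     is attached as the cause and the first decode failure as a suppressed exception
     */
    public static JSONObject decodeToken(String str, String str2, String str3, String str4) throws AuthenticateException {
        String decoded;
        if (TokenUtils.checkPkiTokenInCache(TOKEN_CACHE, str)) {
            return TOKEN_CACHE.get(str);
        }
        try {
            decoded = TokenUtils.decodeToken(str, str4, false);
        } catch (AuthenticateException firstFailure) {
            // Any token that fails to decode, including a malformed one, triggers a PEM refresh.
            // NOTE(review): consider rate-limiting this path so unauthenticated input cannot
            // drive repeated downloads that replace the local trust material.
            try {
                logger.info("start download iam pem");
                downloadPemFileBlocking(str2, str3, str4);
                decoded = TokenUtils.decodeToken(str, str4, false);
            } catch (Exception retryFailure) {
                AuthenticateException wrapped = new AuthenticateException("download iam pem file failed:" + retryFailure.getMessage(), retryFailure);
                wrapped.addSuppressed(firstFailure);
                throw wrapped;
            }
        }
        return new JSONObject(decoded);
    }

    /**
     * Fetches the IAM CA and signing certificates into the given files.
     *
     * <p>NOTE(review): the method is named "Blocking" but delegates to
     * {@code HttpUtil.downloadFileAsync}; if that call returns before the file is written, the
     * retried decode in {@link #decodeToken} can read a stale or partial PEM - confirm.
     *
     * @param endpoint IAM endpoint
     * @param caPemFile destination for the CA certificate
     * @param signPemFile destination for the signing certificate
     * @throws Exception whatever {@code HttpUtil.downloadFileAsync} throws
     */
    private static void downloadPemFileBlocking(String endpoint, String caPemFile, String signPemFile) throws Exception {
        // Left untyped as in the original: HttpUtil's parameter type is not visible here.
        HashMap headers = new HashMap();
        headers.put("accept", "application/json");
        headers.put(HttpUtil.CONTENT_TYPE_HEAD_FIELD, "application/json; charset=utf8");
        headers.put("connection", "Keep-Alive");
        HttpUtil.downloadFileAsync(endpoint, ConstantsDef.CA_URL, headers, caPemFile);
        HttpUtil.downloadFileAsync(endpoint, ConstantsDef.SIGNING_URL, headers, signPemFile);
    }

    /**
     * Recomputes the request signature with the SK that IAM holds for the presented AK and
     * compares it with the presented signature.
     *
     * @param map client-supplied fields (untrusted)
     * @throws AuthenticateException if AK or project id is empty, the SK lookup or signing fails,
     *     or the signatures differ
     */
    private static void verifySignInfo(Map<String, String> map) throws AuthenticateException {
        String ak = map.get(ConstantsDef.AK);
        String projectId = map.get(ConstantsDef.PROJECT_ID);
        String timestamp = map.get(ConstantsDef.TIME_STAMP);
        String presentedSign = map.get(ConstantsDef.AK_SK_SIGN);
        String appName = map.get(ConstantsDef.DTM_APP_NAME);
        // The signature is deliberately kept out of the log: together with the other four fields
        // it is everything a request needs to pass this check.
        logger.info("current auth infos:{}, {}, {}, {}", new Object[]{ak, projectId, timestamp, appName});
        if (StringUtils.checkStringEmpty(ak, projectId)) {
            throw new AuthenticateException("ak or projectId is null or empty.");
        }
        final boolean matches;
        try {
            String secretKey = authcator.getSkByAk(ak, iamAdminAccount, true).getSecretKey();
            String expectedSign = TcpSignUtils.signRequest(ak, secretKey, timestamp, projectId, appName);
            matches = constantTimeEquals(expectedSign, presentedSign);
        } catch (Exception e) {
            throw new AuthenticateException(e.getMessage(), e);
        }
        if (!matches) {
            logger.info("verify ak:{} sign info failed", ak);
            throw new AuthenticateException("verify ak/sk sign info failed");
        }
    }

    /**
     * Compares two signature strings without stopping at the first differing byte, so the time
     * taken does not reveal how much of a guessed signature was correct.
     *
     * @return {@code true} only if both values are non-null and byte-for-byte equal in UTF-8
     */
    private static boolean constantTimeEquals(String expected, String presented) {
        if (expected == null || presented == null) {
            return false;
        }
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8), presented.getBytes(StandardCharsets.UTF_8));
    }

    /**
     * Obtains the IAM token for the AK and project id in {@code map}, using the admin account.
     *
     * @param map client-supplied fields; AK and PROJECT_ID are read
     * @throws AuthenticateException if IAM rejects the request
     */
    private static IamToken getTokenByAk(Map<String, String> map) throws AuthenticateException {
        String ak = map.get(ConstantsDef.AK);
        String projectId = map.get(ConstantsDef.PROJECT_ID);
        return authcator.getTokenByAk(projectId, ak, iamAdminAccount, true);
    }

    /**
     * Runs the three TokenUtils checks: DTM app name, project id and roles.
     *
     * @param iamToken token issued by IAM
     * @param projectId project id claimed by the caller, compared with the token's project id
     * @param appName DTM app name claimed by the caller
     * @param orderAppName ordered DTM app name checked against project id and app name
     * @throws AuthenticateException if any check fails
     */
    private static void validateToken(IamToken iamToken, String projectId, String appName, String orderAppName) throws AuthenticateException {
        TokenUtils.checkDtmAppName(orderAppName, projectId, appName);
        TokenUtils.checkProjectId(iamToken.getProjectId(), projectId);
        TokenUtils.checkRole(iamToken.getRoles());
    }

    /**
     * Requests a token for {@code iamAccount} through {@code iamAuthcator.getTokenByPwd}.
     *
     * <p>The first argument is passed as {@code null} and the last as {@code true}; their meaning
     * is defined by {@code IamAuthcator} and is not visible here.
     *
     * @throws AuthenticateException if IAM rejects the credentials
     */
    public static IamToken getLicenseToken(IamAuthcator iamAuthcator, IamAccount iamAccount) throws AuthenticateException {
        return iamAuthcator.getTokenByPwd(null, iamAccount, true);
    }
}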
