package com.huawei.dap.auth.rest.auth.impl;

import com.huawei.dap.auth.rest.auth.AuthConst;
import com.huawei.dap.auth.rest.auth.algo.AuthAlgo;
import com.huawei.dap.auth.rest.auth.algo.AuthException;
import com.huawei.dap.auth.rest.auth.algo.AuthRequest;
import com.huawei.dap.auth.rest.auth.hmac.SignChecker;
import com.huawei.dap.auth.rest.auth.hmac.SignMaker;
import com.huawei.dap.auth.rest.context.RestContext;
import com.huawei.dap.auth.rest.response.CommonErrorCode;
import com.huawei.dap.auth.security.multi.Keys;
import com.huawei.dap.auth.security.multi.KeysFactory;
import com.huawei.dap.auth.security.util.HmacAlg;
import java.util.Date;
import java.util.Map;
import java.util.concurrent.TimeUnit;
import org.apache.commons.lang3.StringUtils;
import org.slf4j.Logger;

/* loaded from: input_file:com/huawei/dap/auth/rest/auth/impl/HmacSha256AuthAlgo.class */
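/**
 * HMAC-SHA256 request authentication: verifies signed requests on the server side and signs
 * outgoing requests on the client side.
 *
 * <p>Server-side verification ({@link #handleServer}) runs three steps in order: the app ID must
 * be present, the request timestamp must lie within the configured window around the local clock,
 * and the signature must verify against the keys registered for that app ID.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>The timestamp window is the only freshness control in this class. No nonce or request ID
 *       is recorded here, so a captured request remains acceptable until its timestamp leaves the
 *       window unless another layer de-duplicates requests.</li>
 *   <li>NOTE(review): the string that gets signed is built by {@code HmacStrBuilder}, which is not
 *       visible here. Confirm it covers the timestamp and app ID; otherwise the freshness check
 *       can be satisfied independently of the signature.</li>
 *   <li>NOTE(review): the signature comparison happens inside {@code Keys.handle} /
 *       {@code SignChecker}. Confirm it is constant-time (for example
 *       {@code MessageDigest.isEqual}).</li>
 *   <li>NOTE(review): "AppIDInvalid" (400) and "SignatureInvalid" (403) let a client distinguish
 *       unknown app IDs from bad signatures. Confirm that is acceptable for this deployment.</li>
 * </ul>
 */
public class HmacSha256AuthAlgo implements AuthAlgo {
    private static final long DEFAULT_MAX_TIME_DIFF_IN_MINUTES = 5;
    // Sentinel window value: the timestamp is still parsed, but its distance from "now" is not checked.
    private static final long ALWAYS_ALLOWED_TIME_DIFF = -1;
    // HTTP status codes attached to AuthException; declared final so they cannot be reassigned.
    private static final int SC_BAD_REQUEST = 400;
    private static final int SC_UNAUTHORIZED = 401;
    private static final int SC_FORBIDDEN = 403;
    private final Logger logger;
    private final KeysFactory keyFactory;
    // Allowed clock skew in milliseconds, or ALWAYS_ALLOWED_TIME_DIFF when the check is disabled.
    private final long maxTimeDiff;

    /**
     * Creates an instance with the default five-minute timestamp window.
     *
     * @param keysFactory source of the per-app-ID keys
     * @param logger logger used for authentication failures reported by this class
     */
    public HmacSha256AuthAlgo(KeysFactory keysFactory, Logger logger) {
        this(keysFactory, DEFAULT_MAX_TIME_DIFF_IN_MINUTES, logger);
    }

    /**
     * Creates an instance with an explicit timestamp window.
     *
     * @param keysFactory source of the per-app-ID keys
     * @param j maximum allowed difference between the request timestamp and the local clock, in
     *     minutes; {@code -1} disables the window check entirely, which removes the only freshness
     *     control this class provides. Any other negative value yields a negative window, so every
     *     timestamp is rejected.
     * @param logger logger used for authentication failures reported by this class
     */
    public HmacSha256AuthAlgo(KeysFactory keysFactory, long j, Logger logger) {
        this.logger = logger;
        this.keyFactory = keysFactory;
        this.maxTimeDiff = j == ALWAYS_ALLOWED_TIME_DIFF ? ALWAYS_ALLOWED_TIME_DIFF : TimeUnit.MINUTES.toMillis(j);
    }

    /**
     * Rejects requests whose timestamp is missing, malformed, or outside the allowed window.
     *
     * @param timestampText request timestamp as decimal epoch milliseconds
     * @throws AuthException with status 400 when the timestamp is missing or not a valid long, or
     *     403 when it is further from the local clock than the configured window
     */
    private void checkReplayAttack(String timestampText) throws AuthException {
        if (StringUtils.isEmpty(timestampText)) {
            throw new AuthException("TimestampMissed", SC_BAD_REQUEST, CommonErrorCode.INVALID_TIMESTAMP);
        }
        long timestamp;
        try {
            timestamp = Long.parseLong(timestampText);
        } catch (NumberFormatException e) {
            throw new AuthException("TimestampInvalidFormat", SC_BAD_REQUEST, CommonErrorCode.INVALID_TIMESTAMP);
        }
        if (this.maxTimeDiff == ALWAYS_ALLOWED_TIME_DIFF) {
            return;
        }
        boolean outsideWindow;
        try {
            // The timestamp is request-supplied, so the subtraction must not be allowed to wrap:
            // with plain arithmetic an extreme value can produce Long.MIN_VALUE, whose Math.abs is
            // still negative and would slip under the "greater than window" comparison.
            long skew = Math.subtractExact(System.currentTimeMillis(), timestamp);
            outsideWindow = skew > this.maxTimeDiff || skew < -this.maxTimeDiff;
        } catch (ArithmeticException overflow) {
            // A difference that does not fit in a long is, by definition, outside any window.
            outsideWindow = true;
        }
        if (outsideWindow) {
            throw new AuthException("TimestampMoreEarlierOrLater", SC_FORBIDDEN, CommonErrorCode.INVALID_TIMESTAMP);
        }
    }

    /**
     * Fetches the keys registered for an app ID, failing the request when none exist.
     *
     * @param appId application identifier taken from the request or supplied by the caller
     * @return the keys for {@code appId}, never {@code null}
     * @throws AuthException with status 400 when the key factory has no keys for {@code appId}
     */
    private Keys lookupKeys(String appId) throws AuthException {
        Keys keys = this.keyFactory.getKey(appId);
        if (keys == null) {
            // NOTE(review): on the server path appId is request-supplied and logged before any
            // authentication succeeds; confirm the log layout neutralises CR/LF so a crafted value
            // cannot forge log entries.
            this.logger.error("Can't get keys for {}", appId);
            throw new AuthException("AppIDInvalid", SC_BAD_REQUEST, CommonErrorCode.INVALID_APPID);
        }
        return keys;
    }

    /**
     * Verifies the request signature against the keys registered for the app ID and records the
     * value reported by the checker as the auth key version of the current request context.
     *
     * @param authRequest request whose canonical string is rebuilt and checked
     * @param appId application identifier used to look up the keys
     * @param authParams authentication parameters of the request; must contain the signature
     * @throws AuthException with status 403 when the signature is missing or does not verify, or
     *     400 when no keys exist for {@code appId}
     */
    private void checkSignature(AuthRequest authRequest, String appId, Map<String, String> authParams)
            throws AuthException {
        String signature = authParams.get(AuthConst.AUTH_PARAM_SIGNATURE);
        if (StringUtils.isEmpty(signature)) {
            throw new AuthException("SignatureMissed", SC_FORBIDDEN, CommonErrorCode.INVALID_SIGNATURE);
        }
        Keys keys = lookupKeys(appId);
        String stringToSign = new HmacStrBuilder(authRequest).toString();
        SignChecker checker = new SignChecker(stringToSign, signature, HmacAlg.HMAC_SHA256);
        if (!keys.handle(checker)) {
            // NOTE(review): rejected signatures are not logged here; confirm the caller records
            // them so repeated failures for one app ID are visible to monitoring.
            throw new AuthException("SignatureInvalid", SC_FORBIDDEN, CommonErrorCode.INVALID_SIGNATURE);
        }
        RestContext.getOrSetCurrent().setAuthKeyVersion(checker.getValue());
    }

    /**
     * Authenticates an incoming request: app ID present, timestamp fresh, signature valid.
     *
     * @param authRequest incoming request carrying the authentication parameters
     * @throws AuthException with status 401 when the app ID is missing, or as raised by the
     *     timestamp and signature checks
     */
    @Override
    public void handleServer(AuthRequest authRequest) throws AuthException {
        Map<String, String> authParams = authRequest.getAuthParams();
        String appId = authParams == null ? null : authParams.get(AuthConst.AUTH_PARAM_APPID);
        if (StringUtils.isEmpty(appId)) {
            this.logger.error("Invalid authentication request without appid.");
            throw new AuthException("AppIDMissed", SC_UNAUTHORIZED, CommonErrorCode.INVALID_APPID);
        }
        // The app ID is stored in the request context before it has been authenticated. If one of
        // the checks below throws, the context still holds the claimed value, so anything reading
        // it on the failure path must treat it as unverified.
        RestContext.getOrSetCurrent().setAppId(appId);
        checkReplayAttack(authParams.get(AuthConst.AUTH_PARAM_TIMESTAMP));
        checkSignature(authRequest, appId, authParams);
    }

    /**
     * Signs an outgoing request with the keys registered for the given app ID and stores the
     * signature in the request's authentication parameters.
     *
     * @param authRequest outgoing request to sign
     * @param str app ID whose keys are used for signing
     * @throws AuthException with status 400 when no keys exist for the app ID
     */
    @Override
    public void handleClient(AuthRequest authRequest, String str) throws AuthException {
        Keys keys = lookupKeys(str);
        SignMaker signMaker = new SignMaker(new HmacStrBuilder(authRequest).toString(), "", HmacAlg.HMAC_SHA256);
        if (keys.handle(signMaker)) {
            // NOTE(review): getAuthParams() can be null (handleServer guards for it); a null map
            // here surfaces as a NullPointerException rather than an AuthException.
            authRequest.getAuthParams().put(AuthConst.AUTH_PARAM_SIGNATURE, signMaker.getValue());
        } else {
            // Presumably false means no signature was produced. The request is left unsigned, as
            // before, but the failure is now visible in the log instead of being silent.
            this.logger.warn("Failed to create signature for {}", str);
        }
    }
}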
