package datart.security.manager.shiro;

import com.alibaba.fastjson.JSONObject;
import com.jzt.jk.redis.util.RedisUtils;
import datart.core.base.exception.BaseException;
import datart.core.base.exception.Exceptions;
import datart.core.common.MessageResolver;
import datart.core.entity.User;
import datart.core.mappers.ext.UserMapperExt;
import datart.security.base.JwtToken;
import datart.security.base.PasswordToken;
import datart.security.base.Permission;
import datart.security.base.RoleType;
import datart.security.exception.AuthException;
import datart.security.exception.PermissionDeniedException;
import datart.security.manager.DatartSecurityManager;
import datart.security.manager.PermissionDataCache;
import datart.security.util.JwtUtils;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.StringJoiner;
import javax.annotation.PostConstruct;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.AuthorizationException;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.subject.Subject;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.crypto.bcrypt.BCrypt;
import org.springframework.stereotype.Component;

@Component("datartSecurityManager")
/* loaded from: input_file:datart/security/manager/shiro/ShiroSecurityManager.class */
public class ShiroSecurityManager implements DatartSecurityManager {
    private static final Logger log = LoggerFactory.getLogger(ShiroSecurityManager.class);
    final MessageResolver messageResolver;
    private final UserMapperExt userMapper;
    private final PermissionDataCache permissionDataCache;
    private final SecurityManager securityManager;
    private final RedisUtils redisUtils;

    public ShiroSecurityManager(MessageResolver messageResolver, UserMapperExt userMapperExt, PermissionDataCache permissionDataCache, SecurityManager securityManager, RedisUtils redisUtils) {
        this.redisUtils = redisUtils;
        this.messageResolver = messageResolver;
        this.userMapper = userMapperExt;
        this.permissionDataCache = permissionDataCache;
        this.securityManager = securityManager;
    }

    @Override // datart.security.manager.DatartSecurityManager
    public void login(PasswordToken passwordToken) throws RuntimeException {
        logoutCurrent();
        User selectByNameOrEmailOrPhone = this.userMapper.selectByNameOrEmailOrPhone(passwordToken.getSubject());
        if (selectByNameOrEmailOrPhone == null) {
            Exceptions.tr(BaseException.class, "login.fail", new String[0]);
        }
        if (!selectByNameOrEmailOrPhone.getActive().booleanValue()) {
            Exceptions.tr(BaseException.class, "message.user.not.active", new String[0]);
        }
        Subject subject = SecurityUtils.getSubject();
        UsernamePasswordToken usernamePasswordToken = new UsernamePasswordToken(passwordToken.getSubject(), passwordToken.getPassword());
        try {
            if (log.isDebugEnabled()) {
                log.info("执行shiro登陆开始...subject={},subject={}", subject, formatSubject(subject));
            }
            subject.login(usernamePasswordToken);
            if (log.isDebugEnabled()) {
                log.info("执行shiro登陆结束...subject={},subject={}", subject, formatSubject(subject));
            }
        } catch (Exception e) {
            log.error("Login error ({})", passwordToken.getSubject());
            Exceptions.msg("login.fail", new String[0]);
        }
    }

    @Override // datart.security.manager.DatartSecurityManager
    public boolean validateUser(String str, String str2) throws AuthException {
        User selectByNameOrEmailOrPhone = this.userMapper.selectByNameOrEmailOrPhone(str);
        if (selectByNameOrEmailOrPhone == null) {
            return false;
        }
        return BCrypt.checkpw(str2, selectByNameOrEmailOrPhone.getPassword()) || Objects.equals(str2, selectByNameOrEmailOrPhone.getPassword());
    }

    @Override // datart.security.manager.DatartSecurityManager
    public String login(String str) throws AuthException {
        JwtToken jwtToken = JwtUtils.toJwtToken(str);
        if (!JwtUtils.validTimeout(jwtToken)) {
            Exceptions.tr(AuthException.class, "login.session.timeout", new String[0]);
        }
        User selectByNameOrEmailOrPhone = this.userMapper.selectByNameOrEmailOrPhone(jwtToken.getSubject());
        if (selectByNameOrEmailOrPhone == null) {
            Exceptions.tr(AuthException.class, "login.session.timeout", new String[0]);
        }
        if (!selectByNameOrEmailOrPhone.getActive().booleanValue()) {
            Exceptions.tr(BaseException.class, "message.user.not.active", new String[0]);
        }
        if (jwtToken.getPwdHash() != selectByNameOrEmailOrPhone.getPassword().hashCode()) {
            Exceptions.tr(BaseException.class, "login.fail.pwd.hash", new String[0]);
        }
        PasswordToken passwordToken = new PasswordToken(selectByNameOrEmailOrPhone.getUsername(), selectByNameOrEmailOrPhone.getPassword(), Long.valueOf(System.currentTimeMillis()));
        login(passwordToken);
        return JwtUtils.toJwtString(passwordToken);
    }

    @Override // datart.security.manager.DatartSecurityManager
    public void logoutCurrent() {
        this.permissionDataCache.clear();
        Subject subject = SecurityUtils.getSubject();
        if (log.isDebugEnabled()) {
            log.info("执行shiro退出开始..subject={},subject={}", subject, formatSubject(subject));
        }
        if (subject != null) {
            subject.logout();
        }
        if (log.isDebugEnabled()) {
            log.info("执行shiro退出结束...subject={},subject={}", subject, formatSubject(subject));
        }
    }

    @Override // datart.security.manager.DatartSecurityManager
    public boolean isAuthenticated() {
        return SecurityUtils.getSubject().isAuthenticated();
    }

    @Override // datart.security.manager.DatartSecurityManager
    public void requireAllPermissions(Permission... permissionArr) throws PermissionDeniedException {
        for (Permission permission : permissionArr) {
            Boolean cachedPermission = this.permissionDataCache.getCachedPermission(permission);
            if (cachedPermission != null) {
                if (cachedPermission.booleanValue()) {
                    return;
                } else {
                    Exceptions.e(new AuthorizationException());
                }
            }
            Set<String> shiroPermissionString = toShiroPermissionString(permission.getOrgId(), permission.getRoleId(), permission.getResourceType(), permission.getResourceId(), permission.getPermission());
            try {
                this.permissionDataCache.setCurrentOrg(permission.getOrgId());
                SecurityUtils.getSubject().checkPermissions((String[]) shiroPermissionString.toArray(new String[0]));
                this.permissionDataCache.setPermissionCache(permission, true);
            } catch (AuthorizationException e) {
                log.warn("User permission denied. User-{} Permission-{}", getCurrentUser() != null ? getCurrentUser().getUsername() : "none", permission);
                this.permissionDataCache.setPermissionCache(permission, false);
                Exceptions.tr(PermissionDeniedException.class, "message.security.permission-denied", new String[0]);
            }
        }
    }

    @Override // datart.security.manager.DatartSecurityManager
    public void requireAnyPermission(Permission... permissionArr) throws PermissionDeniedException {
        if (Arrays.stream(permissionArr).anyMatch(permission -> {
            if (permission == null) {
                return false;
            }
            Boolean cachedPermission = this.permissionDataCache.getCachedPermission(permission);
            if (cachedPermission != null) {
                if (cachedPermission.booleanValue()) {
                    return true;
                }
                Exceptions.e(new AuthorizationException());
            }
            Set<String> shiroPermissionString = toShiroPermissionString(permission.getOrgId(), permission.getRoleId(), permission.getResourceType(), permission.getResourceId(), permission.getPermission());
            try {
                this.permissionDataCache.setCurrentOrg(permission.getOrgId());
                SecurityUtils.getSubject().checkPermissions((String[]) shiroPermissionString.toArray(new String[0]));
                this.permissionDataCache.setPermissionCache(permission, true);
                return true;
            } catch (AuthorizationException e) {
                log.warn("User permission denied. User-{} Permission-{}", getCurrentUser() != null ? getCurrentUser().getUsername() : "none", permission);
                this.permissionDataCache.setPermissionCache(permission, false);
                return false;
            }
        })) {
            return;
        }
        Exceptions.tr(PermissionDeniedException.class, "message.security.permission-denied", new String[0]);
    }

    @Override // datart.security.manager.DatartSecurityManager
    public void requireOrgOwner(String str) throws PermissionDeniedException {
        try {
            this.permissionDataCache.setCurrentOrg(str);
            SecurityUtils.getSubject().checkRole(toShiroRoleString(RoleType.ORG_OWNER.name(), str));
        } catch (AuthorizationException e) {
            log.warn("User permission denied. User-{} Role-{}", getCurrentUser() != null ? getCurrentUser().getUsername() : "none", RoleType.ORG_OWNER.name());
            Exceptions.tr(PermissionDeniedException.class, "message.security.permission-denied", new String[0]);
        }
    }

    @Override // datart.security.manager.DatartSecurityManager
    public boolean isOrgOwner(String str) {
        this.permissionDataCache.setCurrentOrg(str);
        return SecurityUtils.getSubject().hasRole(toShiroRoleString(RoleType.ORG_OWNER.name(), str));
    }

    @Override // datart.security.manager.DatartSecurityManager
    public Map<Permission, Boolean> getPermissions() {
        return this.permissionDataCache.getCachedPermission();
    }

    @Override // datart.security.manager.DatartSecurityManager
    public boolean hasPermission(Permission... permissionArr) {
        for (Permission permission : permissionArr) {
            log.info("hasPermission permission={}", JSONObject.toJSONString(permission));
            Boolean cachedPermission = this.permissionDataCache.getCachedPermission(permission);
            log.info("hasPermission getCachedPermission permitted={}", JSONObject.toJSONString(cachedPermission));
            if (cachedPermission != null) {
                return cachedPermission.booleanValue();
            }
            Set<String> shiroPermissionString = toShiroPermissionString(permission.getOrgId(), permission.getRoleId(), permission.getResourceType(), permission.getResourceId(), permission.getPermission());
            try {
                this.permissionDataCache.setCurrentOrg(permission.getOrgId());
                log.info("hasPermission checkPermissions req={}", JSONObject.toJSONString(shiroPermissionString.toArray(new String[0])));
                SecurityUtils.getSubject().checkPermissions((String[]) shiroPermissionString.toArray(new String[0]));
                log.info("hasPermission checkPermissions 通过");
                this.permissionDataCache.setPermissionCache(permission, true);
            } catch (AuthorizationException e) {
                log.debug("User permission denied. User-{} Permission-{}", getCurrentUser() != null ? getCurrentUser().getUsername() : "none", permission);
                this.permissionDataCache.setPermissionCache(permission, false);
                return false;
            }
        }
        return true;
    }

    @Override // datart.security.manager.DatartSecurityManager
    public User getCurrentUser() {
        Subject subject = SecurityUtils.getSubject();
        if (log.isDebugEnabled()) {
            log.info("获取当前登录用户结束...subject={},subject={}", subject, formatSubject(subject));
        }
        return (User) subject.getPrincipal();
    }

    @Override // datart.security.manager.DatartSecurityManager
    public void runAs(String str) {
        User selectByNameOrEmailOrPhone = this.userMapper.selectByNameOrEmailOrPhone(str);
        login(new PasswordToken(selectByNameOrEmailOrPhone.getUsername(), selectByNameOrEmailOrPhone.getPassword(), Long.valueOf(System.currentTimeMillis())));
    }

    @Override // datart.security.manager.DatartSecurityManager
    public void releaseRunAs() {
        logoutCurrent();
    }

    public static String toShiroRoleString(String str, String str2) {
        return str + "." + str2;
    }

    public static Set<String> toShiroPermissionString(String str, String str2, String str3, String str4, int i) {
        HashSet hashSet = new HashSet();
        for (String str5 : expand2StringPermissions(i)) {
            StringJoiner stringJoiner = new StringJoiner(":");
            stringJoiner.add(str).add(str2 != null ? str2 : "*").add(str3).add(str5).add(str4);
            hashSet.add(stringJoiner.toString());
        }
        return hashSet;
    }

    public static String toShiroPermissionString(String str, String str2, String str3, String str4) {
        StringJoiner stringJoiner = new StringJoiner(":");
        stringJoiner.add(str).add(str2).add(str4).add(str3);
        return stringJoiner.toString();
    }

    public static Set<String> expand2StringPermissions(int i) {
        HashSet hashSet = new HashSet();
        if (i == 0) {
            hashSet.add("DISABLE");
            return hashSet;
        }
        if ((1 & i) == 1) {
            hashSet.add("ENABLE");
        }
        if ((2 & i) == 2) {
            hashSet.add("READ");
        }
        if ((6 & i) == 6) {
            hashSet.add("MANAGE");
        }
        if ((10 & i) == 10) {
            hashSet.add("GRANT");
        }
        if ((34 & i) == 34) {
            hashSet.add("DOWNLOAD");
        }
        if ((66 & i) == 66) {
            hashSet.add("SHARE");
        }
        return hashSet;
    }

    @PostConstruct
    public void initSecurityManager() {
        SecurityUtils.setSecurityManager(this.securityManager);
    }

    private String formatSubject(Subject subject) {
        if (subject == null) {
            return null;
        }
        return "";
    }
}
