package com.appleframework.rop.security;

import com.appleframework.rop.MessageFormat;
import com.appleframework.rop.RopContext;
import com.appleframework.rop.RopException;
import com.appleframework.rop.RopRequestContext;
import com.appleframework.rop.ServiceMethodHandler;
import com.appleframework.rop.annotation.HttpAction;
import com.appleframework.rop.config.SystemParameterNames;
import com.appleframework.rop.impl.DefaultServiceAccessController;
import com.appleframework.rop.impl.SimpleRopRequestContext;
import com.appleframework.rop.marshaller.MessageMarshallerUtils;
import com.appleframework.rop.request.UploadFileUtils;
import com.appleframework.rop.session.Session;
import com.appleframework.rop.session.SessionManager;
import com.appleframework.rop.utils.RopUtils;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.validation.FieldError;
import org.springframework.validation.ObjectError;

/* loaded from: input_file:com/appleframework/rop/security/DefaultSecurityManager.class */
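public class DefaultSecurityManager implements SecurityManager {
    protected Logger logger = LoggerFactory.getLogger(getClass());
    protected ServiceAccessController serviceAccessController = new DefaultServiceAccessController();
    protected AppSecretManager appSecretManager = new FileBaseAppSecretManager();
    // No defaults for the next three: they must be injected through the setters before a
    // request is validated, otherwise the corresponding check dereferences null.
    protected SessionManager sessionManager;
    protected InvokeTimesController invokeTimesController;
    protected FileUploadController fileUploadController;

    /**
     * Spring validation error code ({@code FieldError.getCode()}) mapped to the ISV sub-error
     * that is reported for it. Populated once in the static initializer below.
     */
    private static final Map<String, SubErrorType> INVALIDE_CONSTRAINT_SUBERROR_MAPPINGS =
            new LinkedHashMap<String, SubErrorType>();

    static {
        INVALIDE_CONSTRAINT_SUBERROR_MAPPINGS.put("typeMismatch", SubErrorType.ISV_PARAMETERS_MISMATCH);
        INVALIDE_CONSTRAINT_SUBERROR_MAPPINGS.put("NotNull", SubErrorType.ISV_MISSING_PARAMETER);
        INVALIDE_CONSTRAINT_SUBERROR_MAPPINGS.put("NotEmpty", SubErrorType.ISV_INVALID_PARAMETE);
        INVALIDE_CONSTRAINT_SUBERROR_MAPPINGS.put("Size", SubErrorType.ISV_INVALID_PARAMETE);
        INVALIDE_CONSTRAINT_SUBERROR_MAPPINGS.put("Range", SubErrorType.ISV_INVALID_PARAMETE);
        INVALIDE_CONSTRAINT_SUBERROR_MAPPINGS.put("Pattern", SubErrorType.ISV_INVALID_PARAMETE);
        INVALIDE_CONSTRAINT_SUBERROR_MAPPINGS.put("Min", SubErrorType.ISV_INVALID_PARAMETE);
        INVALIDE_CONSTRAINT_SUBERROR_MAPPINGS.put("Max", SubErrorType.ISV_INVALID_PARAMETE);
        INVALIDE_CONSTRAINT_SUBERROR_MAPPINGS.put("DecimalMin", SubErrorType.ISV_INVALID_PARAMETE);
        INVALIDE_CONSTRAINT_SUBERROR_MAPPINGS.put("DecimalMax", SubErrorType.ISV_INVALID_PARAMETE);
        INVALIDE_CONSTRAINT_SUBERROR_MAPPINGS.put("Digits", SubErrorType.ISV_INVALID_PARAMETE);
        INVALIDE_CONSTRAINT_SUBERROR_MAPPINGS.put("Past", SubErrorType.ISV_INVALID_PARAMETE);
        INVALIDE_CONSTRAINT_SUBERROR_MAPPINGS.put("Future", SubErrorType.ISV_INVALID_PARAMETE);
        INVALIDE_CONSTRAINT_SUBERROR_MAPPINGS.put("AssertFalse", SubErrorType.ISV_INVALID_PARAMETE);
    }

    /**
     * Validates the system-level parameters of a request. The checks run in a fixed order and
     * the first failure wins: app key present and known, session (only for methods that need
     * one), method present and registered, version present and supported for the method,
     * signature, method not obsoleted, HTTP action allowed, and finally the response format.
     *
     * @param ropRequestContext the request under validation; when the session check passes,
     *        the resolved {@link Session} is stored on it as a side effect
     * @return the error of the first failing check, or {@code null} when every check passes
     * @throws RopException if the signature check cannot obtain a secret for the app key
     */
    @Override // com.appleframework.rop.security.SecurityManager
    public MainError validateSystemParameters(RopRequestContext ropRequestContext) {
        RopContext ropContext = ropRequestContext.getRopContext();
        Locale locale = ropRequestContext.getLocale();
        String appKey = ropRequestContext.getAppKey();
        String method = ropRequestContext.getMethod();
        String version = ropRequestContext.getVersion();

        if (appKey == null) {
            return MainErrors.getError(MainErrorType.MISSING_APP_KEY, locale, method, version, SystemParameterNames.getAppKey());
        }
        if (!this.appSecretManager.isValidAppKey(appKey)) {
            return MainErrors.getError(MainErrorType.INVALID_APP_KEY, locale, method, version, appKey);
        }
        MainError sessionError = checkSession(ropRequestContext);
        if (sessionError != null) {
            return sessionError;
        }
        if (method == null) {
            return MainErrors.getError(MainErrorType.MISSING_METHOD, locale, SystemParameterNames.getMethod());
        }
        if (!ropContext.isValidMethod(method)) {
            return MainErrors.getError(MainErrorType.INVALID_METHOD, locale, method);
        }
        if (version == null) {
            return MainErrors.getError(MainErrorType.MISSING_VERSION, locale, method, SystemParameterNames.getVersion());
        }
        if (!ropContext.isValidVersion(method, version)) {
            return MainErrors.getError(MainErrorType.UNSUPPORTED_VERSION, locale, method, version);
        }
        MainError signError = checkSign(ropRequestContext);
        if (signError != null) {
            return signError;
        }
        // Method and version are known to be valid here, so the definition lookup is safe.
        if (ropRequestContext.getServiceMethodDefinition().isObsoleted()) {
            return MainErrors.getError(MainErrorType.METHOD_OBSOLETED, locale, method, version);
        }
        MainError httpActionError = validateHttpAction(ropRequestContext);
        if (httpActionError != null) {
            return httpActionError;
        }
        if (!MessageFormat.isValidFormat(ropRequestContext.getFormat())) {
            return MainErrors.getError(MainErrorType.INVALID_FORMAT, locale, method, version, ropRequestContext.getFormat());
        }
        return null;
    }

    /**
     * Runs the checks that are not about system parameters, in order: service access
     * (app and user grants), invocation quotas, upload-file constraints and Spring
     * business-parameter validation errors.
     *
     * @param ropRequestContext the request under validation
     * @return the error of the first failing check, or {@code null} when all pass
     */
    @Override // com.appleframework.rop.security.SecurityManager
    public MainError validateOther(RopRequestContext ropRequestContext) {
        MainError accessError = checkServiceAccessAllow(ropRequestContext);
        if (accessError != null) {
            return accessError;
        }
        MainError quotaError = checkInvokeTimesLimit(ropRequestContext);
        if (quotaError != null) {
            return quotaError;
        }
        MainError uploadError = checkUploadFile(ropRequestContext);
        if (uploadError != null) {
            return uploadError;
        }
        return validateBusinessParams(ropRequestContext);
    }

    /**
     * Validates every upload-file parameter declared by the service method handler. A value
     * must contain the {@code '@'} separator, carry an allowed file type and stay within the
     * configured maximum size. Parameters that are absent from the request are skipped.
     * NOTE: the size check decodes the whole payload first, so the memory cost of an
     * oversized upload is paid before it is rejected.
     *
     * @return an {@code UPLOAD_FAIL} error describing the first violation, or {@code null}
     */
    private MainError checkUploadFile(RopRequestContext ropRequestContext) {
        ServiceMethodHandler handler = ropRequestContext.getServiceMethodHandler();
        if (handler == null || !handler.hasUploadFiles()) {
            return null;
        }
        for (String fieldName : handler.getUploadFileFieldNames()) {
            String paramValue = ropRequestContext.getParamValue(fieldName);
            if (paramValue == null) {
                continue;
            }
            if (paramValue.indexOf('@') < 0) {
                return uploadFailure(ropRequestContext, "MESSAGE_VALID:not contain '@'.");
            }
            if (!this.fileUploadController.isAllowFileType(UploadFileUtils.getFileType(paramValue))) {
                return uploadFailure(ropRequestContext,
                        "FILE_TYPE_NOT_ALLOW:the valid file types is:" + this.fileUploadController.getAllowFileTypes());
            }
            if (this.fileUploadController.isExceedMaxSize(UploadFileUtils.decode(paramValue).length)) {
                return uploadFailure(ropRequestContext,
                        "EXCEED_MAX_SIZE:" + this.fileUploadController.getMaxSize() + "k");
            }
        }
        return null;
    }

    /** Builds the {@code UPLOAD_FAIL} error for this request with the given detail text. */
    private MainError uploadFailure(RopRequestContext ropRequestContext, String detail) {
        return MainErrors.getError(MainErrorType.UPLOAD_FAIL, ropRequestContext.getLocale(),
                ropRequestContext.getMethod(), ropRequestContext.getVersion(), detail);
    }

    /** Injects the controller consulted by the invocation-quota checks. */
    @Override // com.appleframework.rop.security.SecurityManager
    public void setInvokeTimesController(InvokeTimesController invokeTimesController) {
        this.invokeTimesController = invokeTimesController;
    }

    /** Replaces the default {@link DefaultServiceAccessController}. */
    @Override // com.appleframework.rop.security.SecurityManager
    public void setServiceAccessController(ServiceAccessController serviceAccessController) {
        this.serviceAccessController = serviceAccessController;
    }

    /** Replaces the default {@link FileBaseAppSecretManager}. */
    @Override // com.appleframework.rop.security.SecurityManager
    public void setAppSecretManager(AppSecretManager appSecretManager) {
        this.appSecretManager = appSecretManager;
    }

    /** Injects the session store used to resolve session ids. */
    @Override // com.appleframework.rop.security.SecurityManager
    public void setSessionManager(SessionManager sessionManager) {
        this.sessionManager = sessionManager;
    }

    /** Injects the controller consulted by the upload-file checks. */
    @Override // com.appleframework.rop.security.SecurityManager
    public void setFileUploadController(FileUploadController fileUploadController) {
        this.fileUploadController = fileUploadController;
    }

    /**
     * Checks the four invocation quotas in order: app call frequency, app total calls,
     * session calls and user calls. Requires {@link #setInvokeTimesController}.
     *
     * @return the matching {@code EXCEED_*} error, or {@code null} when within all quotas
     */
    private MainError checkInvokeTimesLimit(RopRequestContext ropRequestContext) {
        String appKey = ropRequestContext.getAppKey();
        Locale locale = ropRequestContext.getLocale();
        if (this.invokeTimesController.isAppInvokeFrequencyExceed(appKey)) {
            return MainErrors.getError(MainErrorType.EXCEED_APP_INVOKE_FREQUENCY_LIMITED, locale, new Object[0]);
        }
        if (this.invokeTimesController.isAppInvokeLimitExceed(appKey)) {
            return MainErrors.getError(MainErrorType.EXCEED_APP_INVOKE_LIMITED, locale, new Object[0]);
        }
        if (this.invokeTimesController.isSessionInvokeLimitExceed(appKey, ropRequestContext.getSessionId())) {
            return MainErrors.getError(MainErrorType.EXCEED_SESSION_INVOKE_LIMITED, locale, new Object[0]);
        }
        if (this.invokeTimesController.isUserInvokeLimitExceed(appKey, ropRequestContext.getSession())) {
            return MainErrors.getError(MainErrorType.EXCEED_USER_INVOKE_LIMITED, locale, new Object[0]);
        }
        return null;
    }

    /**
     * Rejects the request when the service method declares a non-empty set of allowed HTTP
     * actions and the request's action is not among them. An empty declaration means any
     * action is accepted.
     *
     * @return {@code HTTP_ACTION_NOT_ALLOWED}, or {@code null} when the action is permitted
     */
    private MainError validateHttpAction(RopRequestContext ropRequestContext) {
        HttpAction[] allowedActions = ropRequestContext.getServiceMethodDefinition().getHttpAction();
        if (allowedActions.length == 0) {
            return null;
        }
        HttpAction requestAction = ropRequestContext.getHttpAction();
        for (HttpAction allowed : allowedActions) {
            if (allowed == requestAction) {
                return null;
            }
        }
        return MainErrors.getError(MainErrorType.HTTP_ACTION_NOT_ALLOWED, ropRequestContext.getLocale(),
                ropRequestContext.getMethod(), ropRequestContext.getVersion(), requestAction);
    }

    public ServiceAccessController getServiceAccessController() {
        return this.serviceAccessController;
    }

    public AppSecretManager getAppSecretManager() {
        return this.appSecretManager;
    }

    /**
     * Checks that the app is granted the service method and version, then that the session
     * user is. Both failures carry an {@code ISV_INVALID_PERMISSION} sub-error.
     *
     * @return the permission error, or {@code null} when both grants hold
     */
    private MainError checkServiceAccessAllow(RopRequestContext ropRequestContext) {
        ServiceAccessController controller = getServiceAccessController();
        Locale locale = ropRequestContext.getLocale();
        String method = ropRequestContext.getMethod();
        String version = ropRequestContext.getVersion();

        if (!controller.isAppGranted(ropRequestContext.getAppKey(), method, version)) {
            MainError appError = SubErrors.getMainError(SubErrorType.ISV_INVALID_PERMISSION, locale, new Object[0]);
            appError.addSubError(SubErrors.getSubError(SubErrorType.ISV_INVALID_PERMISSION.value(),
                    SubErrorType.ISV_INVALID_PERMISSION.value(), locale, new Object[0]));
            // Guard matches the level actually logged (the original guarded DEBUG with isErrorEnabled).
            if (this.logger.isDebugEnabled()) {
                this.logger.debug("未向ISV开放该服务的执行权限(" + method + ")");
            }
            return appError;
        }
        if (!controller.isUserGranted(ropRequestContext.getSession(), method, version)) {
            MainError userError = MainErrors.getError(MainErrorType.INSUFFICIENT_USER_PERMISSIONS, locale, method, version);
            userError.addSubError(SubErrors.getSubError(SubErrorType.ISV_INVALID_PERMISSION.value(),
                    SubErrorType.ISV_INVALID_PERMISSION.value(), locale, new Object[0]));
            if (this.logger.isDebugEnabled()) {
                this.logger.debug("未向会话用户开放该服务的执行权限(" + method + ")");
            }
            return userError;
        }
        return null;
    }

    /**
     * Converts Spring validation errors stored on the request context into a {@link MainError}.
     *
     * @return the converted error, or {@code null} when no validation errors are recorded
     */
    private MainError validateBusinessParams(RopRequestContext ropRequestContext) {
        // getAttribute is untyped; the attribute name is defined by SimpleRopRequestContext and
        // the value is expected to be the List<ObjectError> stored there, hence the narrow cast.
        @SuppressWarnings("unchecked")
        List<ObjectError> errors = (List<ObjectError>) ropRequestContext.getAttribute(
                SimpleRopRequestContext.SPRING_VALIDATE_ERROR_ATTRNAME);
        if (errors == null || errors.isEmpty()) {
            return null;
        }
        return toMainErrorOfSpringValidateErrors(errors, ropRequestContext.getLocale(), ropRequestContext);
    }

    /**
     * Verifies the request signature. Signing is skipped (with a WARN) when it is disabled on
     * the context or when the service method is declared ignore-sign. Otherwise the signature
     * is recomputed over the request parameters minus the ignore-sign fields and the system
     * parameters, and compared to the supplied one in constant time.
     *
     * @return {@code MISSING_SIGNATURE}, {@code INVALID_SIGNATURE}, or {@code null} on success
     * @throws RopException when no secret is registered for the request's app key
     */
    private MainError checkSign(RopRequestContext ropRequestContext) {
        if (this.logger.isInfoEnabled()) {
            // NOTE(review): this writes every request parameter (including the sign and any
            // credential-like business parameters) to the log at INFO.
            this.logger.info(MessageMarshallerUtils.getMessage(ropRequestContext.getAllParams(), MessageFormat.json));
        }
        if (!ropRequestContext.isSignEnable()) {
            // Signing is switched off for the whole context; guard matches the WARN level used.
            if (this.logger.isWarnEnabled()) {
                this.logger.warn("{}{}服务方法未开启签名", ropRequestContext.getMethod(), ropRequestContext.getVersion());
            }
            return null;
        }
        if (ropRequestContext.getServiceMethodDefinition().isIgnoreSign()) {
            if (this.logger.isWarnEnabled()) {
                this.logger.warn(ropRequestContext.getMethod() + "忽略了签名");
            }
            return null;
        }
        String suppliedSign = ropRequestContext.getSign();
        if (suppliedSign == null) {
            return MainErrors.getError(MainErrorType.MISSING_SIGNATURE, ropRequestContext.getLocale(),
                    ropRequestContext.getMethod(), ropRequestContext.getVersion(), SystemParameterNames.getSign());
        }
        // Note: this is the *name* of the app-key system parameter, not the app key value; it
        // is both excluded from the signed set and handed to RopUtils.sign, as before.
        String appKeyParamName = SystemParameterNames.getAppKey();
        Map<String, String> signedParams = collectSignedParams(ropRequestContext, appKeyParamName);
        String secret = getAppSecretManager().getSecret(ropRequestContext.getAppKey());
        if (secret == null) {
            throw new RopException("无法获取" + ropRequestContext.getAppKey() + "对应的密钥");
        }
        String expectedSign = RopUtils.sign(signedParams, appKeyParamName, secret);
        if (this.logger.isInfoEnabled()) {
            // Only the client-supplied value is logged: the server-computed signature is exactly
            // what a forged request would need, so it is kept out of the logs.
            this.logger.info("context.sign=" + suppliedSign);
        }
        if (signaturesMatch(expectedSign, suppliedSign)) {
            return null;
        }
        if (this.logger.isErrorEnabled()) {
            this.logger.error(ropRequestContext.getAppKey() + "的签名不合法，请检查");
        }
        return MainErrors.getError(MainErrorType.INVALID_SIGNATURE, ropRequestContext.getLocale(),
                ropRequestContext.getMethod(), ropRequestContext.getVersion());
    }

    /**
     * Collects the request parameters that take part in the signature: all parameters except
     * the handler's declared ignore-sign fields and the five system parameters (app key,
     * version, format, locale, method).
     */
    private Map<String, String> collectSignedParams(RopRequestContext ropRequestContext, String appKeyParamName) {
        // Build a private set instead of appending to the handler's list: that list is shared
        // across requests, and adding the system names to it on every call would grow it
        // without bound if it is a live reference.
        Set<String> ignoredNames = new HashSet<String>();
        List<String> declaredIgnores = ropRequestContext.getServiceMethodHandler().getIgnoreSignFieldNames();
        if (declaredIgnores != null) {
            ignoredNames.addAll(declaredIgnores);
        }
        ignoredNames.add(appKeyParamName);
        ignoredNames.add(SystemParameterNames.getVersion());
        ignoredNames.add(SystemParameterNames.getFormat());
        ignoredNames.add(SystemParameterNames.getLocale());
        ignoredNames.add(SystemParameterNames.getMethod());

        Map<String, String> signedParams = new HashMap<String, String>();
        for (Map.Entry<String, String> entry : ropRequestContext.getAllParams().entrySet()) {
            if (!ignoredNames.contains(entry.getKey())) {
                signedParams.put(entry.getKey(), entry.getValue());
            }
        }
        return signedParams;
    }

    /**
     * Case-insensitive, constant-time comparison of two signature strings. Replaces
     * {@code equalsIgnoreCase}, which returns at the first differing character and so leaks
     * how much of the signature matched through timing. Lower-casing with {@link Locale#ROOT}
     * is equivalent to {@code equalsIgnoreCase} for the ASCII digest text compared here.
     *
     * @return {@code true} only when both are non-null and equal ignoring case
     */
    private static boolean signaturesMatch(String expected, String supplied) {
        if (expected == null || supplied == null) {
            return false;
        }
        byte[] expectedBytes = expected.toLowerCase(Locale.ROOT).getBytes(StandardCharsets.UTF_8);
        byte[] suppliedBytes = supplied.toLowerCase(Locale.ROOT).getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(expectedBytes, suppliedBytes);
    }

    /**
     * For methods that require a session, checks that a session id was supplied and that it
     * resolves to a live session. Methods without a handler or without the need-in-session
     * flag pass unconditionally.
     *
     * @return {@code MISSING_SESSION}, {@code INVALID_SESSION}, or {@code null}
     */
    private MainError checkSession(RopRequestContext ropRequestContext) {
        ServiceMethodHandler handler = ropRequestContext.getServiceMethodHandler();
        if (handler == null || !handler.getServiceMethodDefinition().isNeedInSession()) {
            return null;
        }
        String sessionId = ropRequestContext.getSessionId();
        if (sessionId == null) {
            return MainErrors.getError(MainErrorType.MISSING_SESSION, ropRequestContext.getLocale(),
                    ropRequestContext.getMethod(), ropRequestContext.getVersion(), SystemParameterNames.getSessionId());
        }
        if (isValidSession(ropRequestContext)) {
            return null;
        }
        return MainErrors.getError(MainErrorType.INVALID_SESSION, ropRequestContext.getLocale(),
                ropRequestContext.getMethod(), ropRequestContext.getVersion(), sessionId);
    }

    /**
     * Resolves the request's session id through the session manager and, on success, attaches
     * the session to the request context. Requires {@link #setSessionManager}.
     *
     * @return {@code true} when a session exists for the id
     */
    private boolean isValidSession(RopRequestContext ropRequestContext) {
        String sessionId = ropRequestContext.getSessionId();
        Session session = this.sessionManager.getSession(sessionId);
        if (session == null) {
            if (this.logger.isDebugEnabled()) {
                this.logger.debug(sessionId + "会话不存在，请检查。");
            }
            return false;
        }
        ropRequestContext.setSession(session);
        return true;
    }

    /**
     * Picks the main error for a batch of validation errors by precedence: a missing
     * parameter outranks a type mismatch, which outranks any other invalid parameter.
     */
    private MainError toMainErrorOfSpringValidateErrors(List<ObjectError> errors, Locale locale,
            RopRequestContext ropRequestContext) {
        SubErrorType dominantType;
        if (hasSubErrorType(errors, SubErrorType.ISV_MISSING_PARAMETER)) {
            dominantType = SubErrorType.ISV_MISSING_PARAMETER;
        } else if (hasSubErrorType(errors, SubErrorType.ISV_PARAMETERS_MISMATCH)) {
            dominantType = SubErrorType.ISV_PARAMETERS_MISMATCH;
        } else {
            dominantType = SubErrorType.ISV_INVALID_PARAMETE;
        }
        return getBusinessParameterMainError(errors, locale, dominantType, ropRequestContext);
    }

    /**
     * @return {@code true} when any {@link FieldError} in the list maps (via
     *         {@link #INVALIDE_CONSTRAINT_SUBERROR_MAPPINGS}) to the given sub-error type
     */
    private boolean hasSubErrorType(List<ObjectError> errors, SubErrorType subErrorType) {
        for (ObjectError error : errors) {
            if (!(error instanceof FieldError)) {
                continue;
            }
            // Unmapped codes yield null here, which never equals a real SubErrorType.
            SubErrorType mapped = INVALIDE_CONSTRAINT_SUBERROR_MAPPINGS.get(((FieldError) error).getCode());
            if (mapped == subErrorType) {
                return true;
            }
        }
        return false;
    }

    /**
     * Builds the main error for {@code subErrorType} and attaches one sub-error per
     * {@link FieldError} whose validation code maps to that same type; other errors are
     * left out of the response.
     */
    private MainError getBusinessParameterMainError(List<ObjectError> errors, Locale locale,
            SubErrorType subErrorType, RopRequestContext ropRequestContext) {
        MainError mainError = SubErrors.getMainError(subErrorType, locale,
                ropRequestContext.getMethod(), ropRequestContext.getVersion());
        for (ObjectError error : errors) {
            if (!(error instanceof FieldError)) {
                continue;
            }
            FieldError fieldError = (FieldError) error;
            SubErrorType mapped = INVALIDE_CONSTRAINT_SUBERROR_MAPPINGS.get(fieldError.getCode());
            if (mapped != subErrorType) {
                continue;
            }
            String subErrorCode = SubErrors.getSubErrorCode(mapped, fieldError.getField(), fieldError.getRejectedValue());
            mainError.addSubError(SubErrors.getSubError(subErrorCode, mapped.value(), locale,
                    fieldError.getField(), fieldError.getRejectedValue()));
        }
        return mainError;
    }
}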
