package com.supwisdom.insititute.token.server.security.domain.mfa.filter;

import com.alibaba.fastjson.JSONObject;
import com.supwisdom.insititute.token.server.config.domain.entity.cas.sa.Config;
import com.supwisdom.insititute.token.server.config.domain.service.ConfigRetriever;
import com.supwisdom.insititute.token.server.core.request.HttpRequestUtils;
import com.supwisdom.insititute.token.server.core.utils.UserAgentUtils;
import com.supwisdom.insititute.token.server.security.domain.attest.guard.FaceVerifyGuardRemote;
import com.supwisdom.insititute.token.server.security.domain.attest.guard.FedAuthGuardRemote;
import com.supwisdom.insititute.token.server.security.domain.attest.guard.SecureEmailGuardRemote;
import com.supwisdom.insititute.token.server.security.domain.attest.guard.SecurePhoneGuardRemote;
import com.supwisdom.insititute.token.server.security.domain.mfa.state.MfaState;
import com.supwisdom.insititute.token.server.security.domain.mfa.state.MfaStateStore;
import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang3.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.http.HttpStatus;
import org.springframework.web.filter.OncePerRequestFilter;
import org.springframework.web.servlet.tags.BindTag;

/* loaded from: input_file:BOOT-INF/lib/token-server-security-domain-1.5.7-SNAPSHOT.jar:com/supwisdom/insititute/token/server/security/domain/mfa/filter/MfaVerifyFilter.class */
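/**
 * Servlet filter that gates a request on the outcome of a multi-factor verification.
 *
 * <p>The request proceeds down the chain only when {@link #doVerify} returns {@code true};
 * otherwise the filter answers with HTTP 400. Verification itself is delegated to one of four
 * remote guards (secure e-mail, secure phone, federated auth, face verify), selected by the
 * {@code type} stored in the {@link MfaState} that the {@code mfaState} request parameter names.
 */
public class MfaVerifyFilter extends OncePerRequestFilter {
    private static final Logger log = LoggerFactory.getLogger(MfaVerifyFilter.class);

    /** Key under which the guard responses carry the verification status. */
    private static final String STATUS_KEY = "status";

    /** The only status value this filter treats as a successful verification. */
    private static final String STATUS_VERIFIED = "2";

    private final ConfigRetriever casServerSaApiConfigRetriever;
    private final SecureEmailGuardRemote secureEmailGuardRemote;
    private final SecurePhoneGuardRemote securePhoneGuardRemote;
    private final FedAuthGuardRemote fedAuthGuardRemote;
    private final FaceVerifyGuardRemote faceVerifyGuardRemote;
    private final MfaStateStore mfaStateStore;

    /**
     * Runs the MFA check and either continues the chain or rejects the request.
     *
     * @param httpServletRequest the current request
     * @param httpServletResponse the current response
     * @param filterChain the remaining filter chain
     * @throws ServletException propagated from the downstream chain
     * @throws IOException propagated from the downstream chain or from {@code sendError}
     */
    @Override // org.springframework.web.filter.OncePerRequestFilter
    protected void doFilterInternal(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain) throws ServletException, IOException {
        boolean verified;
        try {
            verified = doVerify(httpServletRequest, httpServletResponse);
        } catch (RuntimeException e) {
            // Keep the detail in the server log only: the exception message can carry
            // internal hostnames, endpoints or state values and must not reach the client.
            log.error("MfaVerifyFilter.doFilterInternal verification raised an unexpected error", e);
            httpServletResponse.sendError(HttpStatus.INTERNAL_SERVER_ERROR.value());
            return;
        }
        if (!verified) {
            httpServletResponse.sendError(HttpStatus.BAD_REQUEST.value(), "exception.mfa.verify.error");
            return;
        }
        // Invoked outside the try block so that downstream failures are not swallowed here
        // and sendError is never attempted on a response the chain may already have committed.
        filterChain.doFilter(httpServletRequest, httpServletResponse);
    }

    /**
     * Looks up a configuration value, falling back when the entry is missing or blank.
     *
     * @param str the configuration key
     * @param str2 the value returned when no non-blank value is configured
     * @return the configured value, or {@code str2}
     */
    private String getConfigValue(String str, String str2) {
        Config config = this.casServerSaApiConfigRetriever.getConfigs().get(str);
        if (config == null || StringUtils.isBlank(config.getConfigValue())) {
            return str2;
        }
        return config.getConfigValue();
    }

    /**
     * Decides whether the request may continue past the MFA gate.
     *
     * <p>Returns {@code true} when the user agent is recognised as wxamp, when MFA is disabled
     * in configuration, when the stored state says MFA is not needed, or when the selected guard
     * reports status {@code "2"}. Returns {@code false} when the {@code mfaState} parameter is
     * blank, when no state is stored for it, when the state type matches no guard, or when the
     * guard reports any other status. The stored state is expired after a guard has been
     * consulted, whatever the outcome.
     *
     * @param httpServletRequest the current request; supplies the {@code mfaState} parameter
     * @param httpServletResponse the current response; not used by this implementation
     * @return {@code true} if the request may proceed
     */
    protected boolean doVerify(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        String httpServletRequestUserAgent = HttpRequestUtils.getHttpServletRequestUserAgent();
        // NOTE(review): this skip is decided from the user-agent string, which is presumably the
        // client-supplied User-Agent header. If so, any client presenting a matching value is
        // exempt from MFA in this filter — confirm that another control covers wxamp traffic,
        // or key the exemption on something the server can authenticate.
        if (UserAgentUtils.isWxamp(httpServletRequestUserAgent)) {
            log.warn("MfaVerifyAction.doExecute request from wxamp, agent is {}. skip.", httpServletRequestUserAgent);
            return true;
        }
        // NOTE(review): a missing or blank config entry resolves to "false", so MFA is skipped
        // whenever the setting cannot be read — confirm this default is intended.
        boolean mfaEnabled = Boolean.parseBoolean(getConfigValue("tokenServer.config.mfaEnabled", "false"));
        if (!mfaEnabled) {
            log.debug("MfaVerifyAction.doExecute mfaEnabled is {}, no need to verify. skip!", mfaEnabled);
            return true;
        }
        String stateKey = httpServletRequest.getParameter("mfaState");
        // NOTE(review): the state key is the handle to a pending MFA transaction; consider
        // keeping it out of logs, or logging only a truncated form.
        log.debug("MfaVerifyAction.doExecute load stateKey from Request, {}", stateKey);
        if (StringUtils.isBlank(stateKey)) {
            log.error("MfaVerifyAction.doExecute stateKey is blank.");
            return false;
        }
        MfaState loadState = this.mfaStateStore.loadState(stateKey);
        if (loadState == null) {
            log.error("MfaVerifyAction.doExecute mfaState is null.");
            return false;
        }
        if (!loadState.isMfaNeeded()) {
            log.debug("MfaVerifyAction.doExecute mfaNeeded is {}, no need to verify. skip!", loadState.isMfaNeeded());
            return true;
        }
        // NOTE(review): username, IP, user agent and device id all come from the stored state;
        // nothing here compares them with the current request or its session. Confirm that the
        // state is bound to the caller elsewhere (store or upstream filter).
        JSONObject verification = requestVerification(loadState, stateKey);
        String status = verification == null ? null : verification.getString(STATUS_KEY);
        log.debug("MfaVerifyAction.doExecute verify status, {}", status);
        // Expire after the guard has answered, for success and failure alike, so the same
        // state key is not accepted again by this filter.
        this.mfaStateStore.expireState(stateKey);
        if (STATUS_VERIFIED.equals(status)) {
            log.info("MfaVerifyAction.doExecute verify success. status is {}", status);
            return true;
        }
        log.error("MfaVerifyAction.doExecute verify fail. status is {}", status);
        return false;
    }

    /**
     * Asks the guard matching the state's type for the verification result.
     *
     * @param state the stored MFA state describing the pending verification
     * @param stateKey the key the state was loaded with
     * @return the guard's response, or {@code null} when the type matches no guard (the guards
     *     themselves may also return {@code null})
     */
    private JSONObject requestVerification(MfaState state, String stateKey) {
        String username = state.getUsername();
        String remoteIp = state.getRemoteIp();
        String userAgent = state.getUserAgent();
        String deviceId = state.getDeviceId();
        String type = state.getType();
        String gid = state.getGid();
        if ("secureemail".equals(type)) {
            return this.secureEmailGuardRemote.verify(gid, username, remoteIp, userAgent, deviceId, stateKey, null);
        }
        if ("securephone".equals(type)) {
            return this.securePhoneGuardRemote.verify(gid, username, remoteIp, userAgent, deviceId, stateKey, null);
        }
        if ("fedauth".equals(type)) {
            return this.fedAuthGuardRemote.verify(gid, username, remoteIp, userAgent, deviceId, stateKey, null);
        }
        if ("faceverify".equals(type)) {
            return this.faceVerifyGuardRemote.verify(gid, username, remoteIp, userAgent, deviceId, stateKey, null);
        }
        // Unknown or null type: no guard is consulted, so the caller sees no status and
        // the verification fails closed.
        return null;
    }

    /**
     * Creates the filter with its collaborators.
     *
     * @param configRetriever source of the {@code tokenServer.config.mfaEnabled} setting
     * @param secureEmailGuardRemote guard used for state type {@code secureemail}
     * @param securePhoneGuardRemote guard used for state type {@code securephone}
     * @param fedAuthGuardRemote guard used for state type {@code fedauth}
     * @param faceVerifyGuardRemote guard used for state type {@code faceverify}
     * @param mfaStateStore store the MFA state is loaded from and expired in
     */
    public MfaVerifyFilter(ConfigRetriever configRetriever, SecureEmailGuardRemote secureEmailGuardRemote, SecurePhoneGuardRemote securePhoneGuardRemote, FedAuthGuardRemote fedAuthGuardRemote, FaceVerifyGuardRemote faceVerifyGuardRemote, MfaStateStore mfaStateStore) {
        this.casServerSaApiConfigRetriever = configRetriever;
        this.secureEmailGuardRemote = secureEmailGuardRemote;
        this.securePhoneGuardRemote = securePhoneGuardRemote;
        this.fedAuthGuardRemote = fedAuthGuardRemote;
        this.faceVerifyGuardRemote = faceVerifyGuardRemote;
        this.mfaStateStore = mfaStateStore;
    }
}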
