package kd.bos.eye.api.sso;

import com.sun.net.httpserver.HttpExchange;
import com.sun.net.httpserver.HttpHandler;
import java.io.IOException;
import java.time.LocalDateTime;
import java.util.Map;
import kd.bos.bundle.BosRes;
import kd.bos.db.DB;
import kd.bos.encrypt.Encrypters;
import kd.bos.eye.api.healthcheck.spi.HealthCheckConfig;
import kd.bos.eye.api.loghealth.common.LogHealthConstants;
import kd.bos.eye.api.oplog.OpLogConfig;
import kd.bos.eye.api.oplog.OpLogEntity;
import kd.bos.eye.api.oplog.OpLogManager;
import kd.bos.eye.api.oplog.OpLogUtil;
import kd.bos.eye.api.oplog.OpLogger;
import kd.bos.eye.api.oplog.OpType;
import kd.bos.eye.api.sso.cosmiceye.CosmiceyeAuth;
import kd.bos.eye.api.sso.cosmiceye.CosmiceyeResponse;
import kd.bos.eye.api.unifiedmetrics.prometheus.pojo.PromResponse;
import kd.bos.eye.auth.EyeAuther;
import kd.bos.eye.util.ApiResponse;
import kd.bos.eye.util.ExchangeVueUtils;
import kd.bos.util.JSONUtils;
import kd.bos.util.StringUtils;

/* loaded from: input_file:kd/bos/eye/api/sso/SsoLoginApiHandler.class */
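/**
 * HTTP handler for the monitor's third-party (SSO) login endpoint.
 *
 * <p>A request is accepted only when all of the following hold, checked in this order:
 * the monitor username/password in the {@code auth} map match, the client is enabled,
 * the caller's remote host is whitelisted for that client, and the third-party
 * authenticator accepts the supplied token. Only then is a client session created and
 * the auth cookie / CSRF header returned.
 */
public class SsoLoginApiHandler implements HttpHandler {
    private static final OpLogger opLogger = OpLogManager.getLogger();
    public static final SsoLoginApiHandler instance = new SsoLoginApiHandler();

    /**
     * Processes one login request and always answers with a JSON {@code ApiResponse}.
     *
     * <p>Any exception raised while parsing or authenticating is turned into a
     * {@code -1} response instead of escaping the handler, so a malformed request cannot
     * leave the exchange without a reply.
     *
     * @param httpExchange the exchange carrying the POSTed JSON login request
     * @throws IOException if the response cannot be written
     */
    @Override
    public void handle(HttpExchange httpExchange) throws IOException {
        ApiResponse apiResponse = new ApiResponse();
        // Stays null unless the login fully succeeds; writeJson only issues the auth
        // cookie and CSRF header for a non-empty token, so a rejected or unverified
        // token is never reflected back into Set-Cookie.
        String sessionToken = null;
        try {
            sessionToken = authenticate(httpExchange, apiResponse);
        } catch (Exception e) {
            apiResponse.setCode(-1);
            // NOTE(review): the raw exception message is returned to an unauthenticated
            // caller; consider a generic message here and logging the detail server-side.
            apiResponse.setMsg("SsoLogin exception, message: " + e.getMessage());
        }
        writeJson(JSONUtils.toString(apiResponse), httpExchange, sessionToken);
    }

    /**
     * Runs the login checks and fills {@code apiResponse} with the outcome.
     *
     * @param httpExchange the exchange carrying the POSTed JSON login request
     * @param apiResponse the response object to populate with code and message
     * @return the token to issue as a session cookie, or {@code null} when login was refused
     * @throws Exception if the request cannot be parsed or is missing credentials
     */
    private String authenticate(HttpExchange httpExchange, ApiResponse apiResponse) throws Exception {
        SsoRequeset request = (SsoRequeset) ExchangeVueUtils.parsePostJson(httpExchange, SsoRequeset.class);
        // Check for a missing auth map before dereferencing it.
        Map<?, ?> auth = request == null ? null : request.getAuth();
        if (auth == null) {
            throw new IllegalArgumentException("auth message is null, access denied");
        }
        String username = (String) auth.get("username");
        // NOTE(review): LOG_PASSWORD looks like a decompiler-substituted constant for the
        // password key — confirm its value against LogHealthConstants.
        String password = (String) auth.get(LogHealthConstants.LOG_PASSWORD);
        if (StringUtils.isEmpty(username) || StringUtils.isEmpty(password)) {
            throw new IllegalArgumentException("auth message is null, access denied");
        }

        // NOTE(review): rejected credentials and whitelist denials below are not written
        // to the op log; only third-party auth results are. Consider auditing them too.
        if (!HealthCheckConfig.checkAuth(username, Encrypters.decode(password))) {
            apiResponse.setCode(-1);
            apiResponse.setMsg("[ERROR] access denied,user and password doesn't match,please check monitor configuration ");
            return null;
        }

        String client = request.getClient();
        if (!WhitelistVerify.isClientEnable(client)) {
            apiResponse.setCode(1);
            apiResponse.setData(null);
            apiResponse.setMsg(BosRes.get("bos-eye", "SsoLoginHandler_0", "第三方登录未开启", new Object[0]));
            return null;
        }

        String remoteHost = OpLogUtil.getRemoteHost(httpExchange);
        if (!WhitelistVerify.isClientWhite(client, remoteHost)) {
            apiResponse.setCode(1);
            apiResponse.setData(null);
            apiResponse.setMsg(BosRes.get("bos-eye", "SsoLoginHandler_1", "第三方登录白名单限制,请求ip:{0}", new Object[]{remoteHost}));
            return null;
        }

        String token = request.getToken();
        if (StringUtils.isEmpty(token)) {
            apiResponse.setCode(1);
            apiResponse.setData(null);
            apiResponse.setMsg(BosRes.get("bos-eye", "SsoLoginHandler_2", "token为空", new Object[0]));
            return null;
        }
        // The token comes from the request body and is later concatenated into a
        // Set-Cookie header, so refuse values that could alter the header or cookie
        // attributes. The message deliberately does not echo the token.
        if (!isHeaderSafe(token)) {
            throw new IllegalArgumentException("token contains characters that are not allowed in a cookie");
        }

        CosmiceyeResponse result = CosmiceyeAuth.get().auth(token);
        if (result == null) {
            apiResponse.setCode(1);
            apiResponse.setMsg(BosRes.get("bos-eye", "SsoLoginHandler_3", "第三方鉴权请求异常", new Object[0]));
            opLogger.opLog(addLoginLog(httpExchange, client, false));
            return null;
        }
        if (result.getErrcode() != 0) {
            apiResponse.setCode(Integer.valueOf(result.getErrcode()));
            apiResponse.setMsg(result.getDescription());
            opLogger.opLog(addLoginLog(httpExchange, client, false));
            return null;
        }

        writeSession(token, client);
        apiResponse.setMsg(PromResponse.STATUS_SUCCESS);
        apiResponse.setCode(0);
        opLogger.opLog(addLoginLog(httpExchange, client, true));
        return token;
    }

    /**
     * Reports whether a value can be placed in a cookie header without changing its structure.
     *
     * @param value the candidate cookie value; must not be {@code null}
     * @return {@code false} if the value contains a control character or {@code ';'}
     */
    private static boolean isHeaderSafe(String value) {
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            if (c < 0x20 || c == 0x7f || c == ';') {
                return false;
            }
        }
        return true;
    }

    /**
     * Creates the client session for a token accepted by the third-party authenticator.
     *
     * @param str the token as supplied by the client
     * @param str2 the client identifier the session belongs to
     */
    private void writeSession(String str, String str2) {
        // NOTE(review): the session is keyed by formatLocalToken(token) while the cookie
        // carries the raw token — confirm EyeAuther resolves the cookie the same way.
        EyeAuther.createClientSession(CosmiceyeAuth.get().formatLocalToken(str), str2);
    }

    /**
     * Builds the op-log entry for a third-party login attempt.
     *
     * @param httpExchange the exchange, used to record the caller's remote host
     * @param str the client identifier, stored as the entry's user name
     * @param z {@code true} for a successful login, {@code false} for a failed one
     * @return the populated log entry (not yet persisted)
     */
    private OpLogEntity addLoginLog(HttpExchange httpExchange, String str, boolean z) {
        OpLogEntity opLogEntity = new OpLogEntity();
        opLogEntity.setId(DB.genLongId("T_MONITOR_OPLOG"));
        opLogEntity.setUserName(str);
        opLogEntity.setOpTime(LocalDateTime.now());
        opLogEntity.setClientIp(OpLogUtil.getRemoteHost(httpExchange));
        opLogEntity.setOpType(OpType.EXECUTE.getTypeDescription());
        opLogEntity.setOpObject("登录");
        opLogEntity.setDescription(z ? "登录成功" : "登录失败");
        return opLogEntity;
    }

    /**
     * Writes the JSON body and, when a token is given, the auth cookie and CSRF header.
     *
     * @param str the JSON response body
     * @param httpExchange the exchange to answer; it is closed before this method returns
     * @param str2 the session token to issue, or {@code null}/empty to issue none
     * @throws IOException if the headers or body cannot be sent
     */
    protected void writeJson(String str, HttpExchange httpExchange, String str2) throws IOException {
        try {
            byte[] bytes = str.getBytes("UTF-8");
            httpExchange.getResponseHeaders().set("Content-Type", "text/json; charset=UTF-8");
            if (StringUtils.isNotEmpty(str2)) {
                httpExchange.getResponseHeaders().add("Set-Cookie", getSafetyToken(str2));
                httpExchange.getResponseHeaders().add(EyeAuther.CSRF_TOKEN, EyeAuther.getCsrfToken(str2));
            }
            // NOTE(review): BATCH_INSERT_SIZE is used here as the HTTP status code; this
            // looks like a decompiler constant substitution (presumably 200) — confirm.
            httpExchange.sendResponseHeaders(OpLogConfig.BATCH_INSERT_SIZE, bytes.length);
            httpExchange.getResponseBody().write(bytes);
        } finally {
            // Release the exchange even when sending the headers or body fails.
            httpExchange.close();
        }
    }

    /**
     * Formats the Set-Cookie value for the auth token.
     *
     * <p>The {@code secure} and {@code HttpOnly} attributes are added only when the system
     * property {@code monitor.add.securehttponly.enable} is {@code true}. Because
     * {@link Boolean#getBoolean(String)} yields {@code false} for an unset property, the
     * cookie is sent without them by default; deployments served over TLS should set the
     * property. The token is concatenated as-is, so callers must pass a value that is
     * free of control characters and {@code ';'}.
     *
     * @param str the token to place in the cookie
     * @return the complete Set-Cookie header value
     */
    private String getSafetyToken(String str) {
        String cookie = EyeAuther.AUTH_TOKEN + "=" + str + ";path=/";
        if (Boolean.getBoolean("monitor.add.securehttponly.enable")) {
            cookie = cookie + ";secure;HttpOnly";
        }
        return cookie;
    }
}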
