package com.taobao.hsf.plugins.spas;

import com.taobao.hsf.ServiceMetadataAware;
import com.taobao.hsf.annotation.Order;
import com.taobao.hsf.configuration.Config;
import com.taobao.hsf.configuration.ConfigService;
import com.taobao.hsf.domain.HSFRequest;
import com.taobao.hsf.domain.HSFResponse;
import com.taobao.hsf.domain.ResponseStatus;
import com.taobao.hsf.invocation.Invocation;
import com.taobao.hsf.invocation.InvocationHandler;
import com.taobao.hsf.invocation.RPCResult;
import com.taobao.hsf.invocation.filter.ServerFilter;
import com.taobao.hsf.io.stream.Stream;
import com.taobao.hsf.logger.LoggerInit;
import com.taobao.hsf.model.ProviderServiceModel;
import com.taobao.hsf.model.metadata.ServiceMetadata;
import com.taobao.hsf.monitor.MonitorService;
import com.taobao.hsf.rpc.generic.GenericInvocationServerFilter;
import com.taobao.hsf.util.AppInfoUtils;
import com.taobao.hsf.util.AttributeKey;
import com.taobao.hsf.util.HSFConstants;
import com.taobao.hsf.util.HSFServiceContainer;
import com.taobao.hsf.util.concurrent.DefaultListenableFuture;
import com.taobao.hsf.util.concurrent.Futures;
import com.taobao.hsf.util.concurrent.ListenableFuture;
import com.taobao.hsf.util.concurrent.SettableFuture;
import com.taobao.middleware.logger.Logger;
import com.taobao.middleware.logger.support.LoggerHelper;
import com.taobao.spas.sdk.common.service.AuthParams;
import com.taobao.spas.sdk.common.service.SignParams;
import com.taobao.spas.sdk.common.service.SpasAuthorityResult;
import com.taobao.spas.sdk.common.sign.SigningAlgorithm;
import com.taobao.spas.sdk.service.SpasSdkServiceFacade;
import java.text.MessageFormat;

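/**
 * Server-side HSF filter that gates provider invocations behind SPAS.
 *
 * <p>For a service whose metadata requires auth, each call goes through two steps:
 * the caller's signature is verified with {@link SpasSdkServiceFacade#verifySignature},
 * then the caller's access key is checked against the target resource/action with
 * {@link SpasSdkServiceFacade#checkPermissionDetail}. A failure in either step is
 * answered with a {@code PERMISSION_VERIFY_REJECT} response instead of invoking the
 * service.
 */
@Order(400)
/* loaded from: input_file:lib/hsf-feature-spas-2.2.8.2.jar:com/taobao/hsf/plugins/spas/SpasServerFilter.class */
public class SpasServerFilter implements ServerFilter, ServiceMetadataAware {
    private static final Logger LOGGER = LoggerInit.LOGGER;
    private static final AttributeKey EAGLEEYE_TRACE_ID_KEY = Invocation.ATTRIBUTE_NAMESPACE.getOrCreate("_eagleeye_trace_id");
    // Must be initialised before the config-derived constants below (static initialisers run in textual order).
    private static Config config = ((ConfigService) HSFServiceContainer.getInstance(ConfigService.class)).getConfig();
    private static final String RESOURCE_PREFIX_KEY = "spas.resource.prefix.key";
    private static final String RESOURCE_PREFIX = config.getString(RESOURCE_PREFIX_KEY, "acs:hsf::");
    // Name of a SigningAlgorithm constant; resolved with valueOf() on every verification.
    // NOTE(review): the default is HmacSHA1 - prefer a SHA-256 based HMAC if the SDK and all consumers support one.
    private static final String SIGN_ALGORITHM = config.getString("hsf.sign.algorithm", "HmacSHA1");

    private MonitorService monitorService = (MonitorService) HSFServiceContainer.getInstance(MonitorService.class);
    private SpasBizRepo spasBizRepo = (SpasBizRepo) HSFServiceContainer.getInstance(SpasBizRepo.class);
    // When true (the default), invocations flagged as MTOP HTTP requests skip SPAS entirely.
    private boolean ignoreMtopHttpRequest = config.getBoolean("hsf.ignore.verify.mtop.http.request", true);
    private ServiceMetadata serviceMetadata;

    /**
     * Verifies the caller's signature and permission before delegating to the next handler.
     *
     * @param invocationHandler next handler in the chain
     * @param invocation the incoming call
     * @return the downstream result, or an already-completed future carrying a
     *         {@code PERMISSION_VERIFY_REJECT} response when verification fails
     * @throws Throwable whatever the downstream handler or the SPAS SDK throws
     */
    @Override // com.taobao.hsf.invocation.filter.RPCFilter
    public ListenableFuture<RPCResult> invoke(InvocationHandler invocationHandler, Invocation invocation) throws Throwable {
        // Bypass: the service does not require auth, or the call is flagged as an MTOP HTTP request.
        // NOTE(review): the MTOP bypass trusts an invocation attribute - confirm it can only be set by
        // the server-side MTOP entry point and never derived from caller-supplied request data.
        if (!this.serviceMetadata.isNeedAuth() || (this.ignoreMtopHttpRequest && invocation.get(Invocation.IS_MTOP_HTTP_REQUET_KEY) != null)) {
            return invocationHandler.invoke(invocation);
        }

        HSFRequest hsfRequest = invocation.getHsfRequest();
        String serviceName = hsfRequest.getTargetServiceUniqueName();
        String methodName = hsfRequest.getMethodName();
        String peerIP = invocation.getPeerIP();

        // Everything read from the request props below is supplied by the caller.
        String signature = (String) hsfRequest.getRequestProp(HSFConstants.SPAS_SIGNATURE);
        String accessKey = (String) hsfRequest.getRequestProp(HSFConstants.ACCESS_KEY);
        String consumerAppName = (String) hsfRequest.getRequestProp(HSFConstants.CONSUMER_APP_NAME);
        String spasVersion = (String) hsfRequest.getRequestProp(HSFConstants.SPAS_VERSION);
        Object timestamp = hsfRequest.getRequestProp(HSFConstants.TIME_STAMP);

        if (accessKey == null || signature == null) {
            // Diagnostic only: the request is still handed to the SDK, which decides the outcome.
            // NOTE(review): confirm SpasSdkServiceFacade.verifySignature rejects a null ak/signature (fail closed).
            LOGGER.warn("client [" + peerIP + "] doesn't send its ak or signature, please check client's spas_sdk.log to find out if ak/sk is set");
        }

        boolean signatureOk;
        Object streamAttr = invocation.get(Invocation.STREAM_KEY);
        if (streamAttr == null) {
            signatureOk = verifySignature(invocation, signature, accessKey, consumerAppName, spasVersion, timestamp);
        } else if (((Stream) streamAttr).attributeMap().get(Stream.STREAM_IDENTIFIED_KEY) == null) {
            // First call seen on this stream: verify, and remember a success on the stream.
            signatureOk = verifySignature(invocation, signature, accessKey, consumerAppName, spasVersion, timestamp);
            if (signatureOk) {
                ((Stream) streamAttr).attributeMap().put(Stream.STREAM_IDENTIFIED_KEY, Boolean.TRUE);
            }
        } else {
            // Stream already identified: the signature is not re-checked.
            // NOTE(review): the cached flag is a bare Boolean and is not bound to the access key that was
            // verified, yet checkPermission() below uses the access key carried by *this* request.
            // Consider caching the verified access key on the stream and comparing it here.
            signatureOk = true;
        }

        if (!signatureOk) {
            String message = MessageFormat.format("[HSF-Provider] App [{0}] failed to verify the caller signature [{1}] for [{2}] [{3}] from client [{4}]", AppInfoUtils.getAppName(), signature, serviceName, methodName, peerIP);
            LOGGER.error("HSF-0082", LoggerHelper.getErrorCodeStr("HSF", "HSF-0082", "BIZ", message));
            return spasFail(serviceName, methodName, peerIP, message);
        }

        SpasAuthorityResult authority = checkPermission(invocation, accessKey, consumerAppName, spasVersion, peerIP);
        if (authority.getResult()) {
            return invocationHandler.invoke(invocation);
        }
        // Fix: the pattern used to end in "[{3}: {4}]" while only four arguments (0..3) are supplied,
        // so MessageFormat emitted the literal text "{4}" in the log line and in the client-visible error.
        String message = MessageFormat.format("[HSF-Provider] Authority authentication failure for [{0}] [{1}] from client [{2}], error message: [{3}]", serviceName, methodName, peerIP, authority.getMessage());
        LOGGER.error("HSF-0082", LoggerHelper.getErrorCodeStr("HSF", "HSF-0082", "BIZ", message));
        return spasFail(serviceName, methodName, peerIP, message);
    }

    /**
     * Records the rejection with the monitor service (when one is available), logs it, and
     * builds an already-completed future whose response has status
     * {@code PERMISSION_VERIFY_REJECT} and error type {@code "SPAS"}.
     *
     * @param serviceName target service unique name
     * @param methodName target method name
     * @param peerIp caller address
     * @param errorMessage message logged and returned to the caller as the response error message
     */
    private SettableFuture<RPCResult> spasFail(String serviceName, String methodName, String peerIp, String errorMessage) {
        if (this.monitorService != null) {
            this.monitorService.add("HSF-SPAS-REJECTED-SPAS", serviceName, methodName, peerIp, 1L, 1L);
        }
        LOGGER.warn(errorMessage);

        HSFResponse rejection = new HSFResponse();
        rejection.setStatus(ResponseStatus.PERMISSION_VERIFY_REJECT);
        rejection.setErrorMsg(errorMessage);
        rejection.setErrorType("SPAS");

        RPCResult result = new RPCResult();
        result.setHsfResponse(rejection);

        DefaultListenableFuture completed = Futures.createSettableFuture();
        completed.set(result);
        return completed;
    }

    /**
     * Asks the SPAS SDK to verify the caller's signature.
     *
     * <p>The signed data is the request timestamp when one was sent; otherwise it is
     * {@code <service>#$invoke} for generic invocations and {@code <service>#<method>} for
     * all other calls.
     *
     * @param invocation the incoming call
     * @param signature caller-supplied signature
     * @param accessKey caller-supplied access key
     * @param consumerAppName caller-supplied application name, passed as the SDK's restrict name
     * @param spasVersion caller-supplied SPAS version
     * @param timestamp caller-supplied timestamp property, may be {@code null}
     * @return the SDK's verdict
     * @throws IllegalArgumentException if {@code hsf.sign.algorithm} does not name a {@link SigningAlgorithm} constant
     */
    private boolean verifySignature(Invocation invocation, String signature, String accessKey, String consumerAppName, String spasVersion, Object timestamp) {
        SignParams signParams = new SignParams();
        signParams.signature = signature;
        signParams.accessKey = accessKey;
        signParams.restrictName = consumerAppName;
        signParams.version = spasVersion;
        signParams.algorithm = SigningAlgorithm.valueOf(SIGN_ALGORITHM);
        signParams.serverName = config.getString(SpasServiceComponent.SPAS_ID_KEY, this.serviceMetadata.getApplicationModel().getName());
        if (timestamp != null) {
            // NOTE(review): here the signed data is the timestamp alone, so the signature is not bound to
            // the target service or method, and no freshness window is checked in this class.
            // Confirm the SDK enforces a validity window on the timestamp.
            signParams.data = timestamp.toString();
        } else if (invocation.get(GenericInvocationServerFilter.IS_GENERIC_KEY) != null) {
            signParams.data = invocation.getTargetServiceUniqueName() + "#$invoke";
        } else {
            signParams.data = invocation.getTargetServiceUniqueName() + "#" + invocation.getMethodName();
        }
        return SpasSdkServiceFacade.verifySignature(signParams);
    }

    /**
     * Asks the SPAS SDK whether the access key may perform the invoked action on the target resource.
     *
     * <p>The resource is {@code RESOURCE_PREFIX + <service>:<group>}; the action name comes from
     * {@code SpasBizRepo} for the invoked method.
     *
     * @param invocation the incoming call
     * @param accessKey caller-supplied access key
     * @param consumerAppName caller-supplied application name, passed as the SDK's restrict name
     * @param spasVersion caller-supplied SPAS version
     * @param peerIp caller address, passed to the SDK as log info
     * @return the SDK's detailed authority result
     */
    private SpasAuthorityResult checkPermission(Invocation invocation, String accessKey, String consumerAppName, String spasVersion, String peerIp) {
        ProviderServiceModel serviceModel = invocation.getServerInvocationContext().getServiceModel();
        String actionName = this.spasBizRepo.getActionName(invocation.getServerInvocationContext().getMethodModel().getMethod());
        String resource = RESOURCE_PREFIX + invocation.getTargetServiceUniqueName() + ":" + serviceModel.getMetadata().getGroup();

        AuthParams authParams = new AuthParams();
        authParams.accessKey = accessKey;
        authParams.resource = resource;
        authParams.action = actionName;
        authParams.restrictName = consumerAppName;
        authParams.version = spasVersion;
        authParams.logInfo = peerIp;
        authParams.extraLog = (String) invocation.get(EAGLEEYE_TRACE_ID_KEY);
        authParams.serverName = config.getString(SpasServiceComponent.SPAS_ID_KEY, this.serviceMetadata.getApplicationModel().getName());
        return SpasSdkServiceFacade.checkPermissionDetail(authParams);
    }

    /** No response-side processing is needed for SPAS. */
    @Override // com.taobao.hsf.invocation.filter.RPCFilter
    public void onResponse(Invocation invocation, RPCResult rPCResult) {
    }

    /** Receives the metadata of the service this filter protects; {@link #invoke} reads it on every call. */
    @Override // com.taobao.hsf.ServiceMetadataAware
    public void setServiceMetadata(ServiceMetadata serviceMetadata) {
        this.serviceMetadata = serviceMetadata;
    }
}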
