package com.sankuai.sjst.rms.ls.common.filter;

import com.google.common.io.g;
import com.sankuai.ng.common.time.b;
import com.sankuai.sjst.local.server.annotation.LsFilter;
import com.sankuai.sjst.local.server.config.context.HostContext;
import com.sankuai.sjst.local.server.utils.CryptoUtil;
import com.sankuai.sjst.local.server.utils.DateUtils;
import com.sankuai.sjst.local.server.utils.StringUtils;
import com.sankuai.sjst.local.sever.http.filter.LocalServerFilter;
import com.sankuai.sjst.rms.ls.common.context.RequestContext;
import com.sankuai.sjst.rms.ls.common.crypto.SecureUtil;
import com.sankuai.sjst.rms.ls.common.exception.RmsException;
import com.sankuai.sjst.rms.ls.common.msg.constants.LsExceptionCode;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Locale;
import java.util.regex.Pattern;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletInputStream;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;
import lombok.Generated;
import org.slf4j.c;
import org.slf4j.d;

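/**
 * Verifies the {@code token} and {@code sign} request parameters on every request
 * the local server handles (monitor endpoints are excluded by the annotation).
 *
 * <p>Two signing modes are supported:
 * <ul>
 *   <li>POST/PUT with a {@code application/json;charset=utf-8} body: HMAC-SHA1 over
 *       {@code body + token}.</li>
 *   <li>Everything else: HMAC-SHA1 over the query string with the trailing
 *       {@code &sign=...} parameter removed.</li>
 * </ul>
 * The key comes from {@link SecureUtil#getLSSignKey()}. The token must be a positive
 * UNIX time in seconds no more than {@code TWO_MIN} seconds away from the local clock;
 * on a miss the clock is re-synced once and the comparison repeated.
 *
 * <p>The check is skipped when a third-party app token is present on
 * {@link RequestContext}, or, in non-online environments only, when the
 * {@value #SKIP_CHECK} header is set.
 *
 * <p>The request is wrapped so the body can be read for signing and then re-read by
 * downstream handlers. Signature comparison is constant-time and the computed
 * (expected) signature is never written to the log.
 */
@LsFilter(exclude = "/api/monitor/.*", priority = 994000)
public class SignFilter extends LocalServerFilter {
    private static final String POST_METHOD = "POST";
    private static final String PUT_METHOD = "PUT";
    private static final String SIGN = "sign";
    public static final String SKIP_CHECK = "ls-skip-sign-check";
    private static final String TOKEN = "token";
    /** The only content type (whitespace removed, case-insensitive) treated as a signed JSON body. */
    private static final String JSON_UTF8 = "application/json;charset=utf-8";

    @Generated
    private static final c log = d.a((Class<?>) SignFilter.class);
    /** Maximum allowed skew, in seconds, between the token and the local clock. */
    private static final long TWO_MIN = 120L;
    /** Strips the trailing {@code &sign=...} parameter before the URL signature is recomputed. */
    private static final Pattern PATTERN = Pattern.compile("&sign=.*?$");

    /**
     * Request wrapper that buffers the body once, so it can be signed here and still be
     * consumed by downstream servlets through {@link #getInputStream()}.
     */
    public static class SignHttpServletRequestWrapper extends HttpServletRequestWrapper {
        private final byte[] data;

        /**
         * @param httpServletRequest the request whose body is buffered in full
         * @throws RmsException with {@link LsExceptionCode#SYSTEM_ERROR} if the body cannot be read
         */
        public SignHttpServletRequestWrapper(HttpServletRequest httpServletRequest) {
            super(httpServletRequest);
            this.data = readBody(httpServletRequest);
        }

        /** Copies the whole request body into memory; the original stream is consumed. */
        private static byte[] readBody(HttpServletRequest request) {
            try {
                ByteArrayOutputStream buffer = new ByteArrayOutputStream();
                g.a((InputStream) request.getInputStream(), (OutputStream) buffer);
                return buffer.toByteArray();
            } catch (IOException e) {
                SignFilter.log.error("sign copy inputstream error", (Throwable) e);
                throw new RmsException(LsExceptionCode.SYSTEM_ERROR);
            }
        }

        /**
         * Returns the buffered body decoded as UTF-8. The charset is explicit because the
         * only body this filter signs is declared {@code charset=utf-8}; relying on the
         * platform default would change the signed string on non-UTF-8 hosts.
         */
        public String getBodyString() {
            return new String(this.data, StandardCharsets.UTF_8);
        }

        /** Serves the buffered bytes again, so the body can be read more than once. */
        @Override
        public ServletInputStream getInputStream() throws IOException {
            final ByteArrayInputStream source = new ByteArrayInputStream(this.data);
            return new ServletInputStream() {
                @Override
                public int read() throws IOException {
                    return source.read();
                }
            };
        }
    }

    /**
     * Runs the token check, the sign-placement check and then the mode-specific
     * signature check.
     *
     * @return {@code true} if the request is correctly signed
     * @throws RmsException with {@link LsExceptionCode#SIGNATURE_TOKEN_ERROR} if the token
     *         is missing, non-numeric or outside the allowed clock window
     */
    private boolean check(SignHttpServletRequestWrapper request) {
        String token = request.getParameter(TOKEN);
        if (!isValidToken(token)) {
            log.warn("sign check token is invalid: {} now: {}", token, Long.valueOf(DateUtils.getTime()));
            throw new RmsException(LsExceptionCode.SIGNATURE_TOKEN_ERROR);
        }
        String sign = request.getParameter(SIGN);
        if (!isValidSign(request)) {
            log.warn("sign check sign is invalid: {}", sign);
            return false;
        }
        if (isJsonBody(request)) {
            return isValidBodySign(request.getBodyString(), sign, token);
        }
        return isValidUrlSign(request, sign);
    }

    /**
     * True for POST/PUT requests whose content type, with spaces removed, is exactly
     * {@code application/json;charset=utf-8} (case-insensitive). A missing method or
     * content type yields {@code false}.
     */
    private boolean isJsonBody(HttpServletRequest request) {
        String method = request.getMethod();
        String contentType = request.getContentType();
        boolean bodyMethod = POST_METHOD.equalsIgnoreCase(method) || PUT_METHOD.equalsIgnoreCase(method);
        return bodyMethod
                && StringUtils.isNotEmpty(contentType)
                && JSON_UTF8.equalsIgnoreCase(contentType.replace(" ", ""));
    }

    /**
     * Verifies a JSON-body signature: HMAC-SHA1 over {@code body + token}.
     *
     * @param body          the decoded request body
     * @param presentedSign the {@code sign} parameter sent by the client (may be null)
     * @param token         the {@code token} parameter sent by the client
     */
    private boolean isValidBodySign(String body, String presentedSign, String token) {
        String expected = CryptoUtil.HmacSHA1(body + token, SecureUtil.getLSSignKey());
        boolean ok = signaturesMatch(expected, presentedSign);
        if (!ok) {
            // The computed signature is deliberately not logged: it is the valid signature
            // for this body/token pair for the whole token window.
            log.warn("check body sign failed, body={}, actualSign={}, token={}", body, presentedSign, token);
        }
        return ok;
    }

    /**
     * Checks that {@code sign} is the last query parameter, which is what {@code PATTERN}
     * assumes when it strips the parameter before re-signing. A query string with no
     * {@code &} at all (including an empty one) also passes this check.
     */
    private boolean isValidSign(HttpServletRequest request) {
        String queryString = request.getQueryString();
        String qs = StringUtils.isNotEmpty(queryString) ? queryString : "";
        return qs.indexOf("&sign") == qs.lastIndexOf("&");
    }

    /**
     * Validates the timestamp token: it must be a positive number of seconds within
     * {@code TWO_MIN} of the local clock. If the first comparison fails the local clock
     * is re-synced once and the comparison repeated.
     *
     * @param token the raw {@code token} parameter; blank or non-numeric values are rejected
     */
    private boolean isValidToken(String token) {
        if (StringUtils.isBlank(token)) {
            return false;
        }
        final long tokenTime;
        try {
            tokenTime = Long.parseLong(token);
        } catch (NumberFormatException e) {
            // A malformed token is a signature failure, not a server error.
            log.warn("token is not numeric, token={}", token);
            return false;
        }
        // DateUtils.getTime() is assumed to be epoch milliseconds — the /1000 matches it
        // against a seconds-based token; TODO confirm against DateUtils.
        long now = DateUtils.getTime() / 1000;
        if (!withinWindow(tokenTime, now)) {
            log.warn("token验证失败, token={}, time={}, now={}", token, Long.valueOf(tokenTime), Long.valueOf(now));
            log.info("retry sync time");
            // Obfuscated call; the surrounding log lines suggest it re-syncs the local clock.
            b.a().c();
            now = DateUtils.getTime() / 1000;
        }
        return withinWindow(tokenTime, now);
    }

    /** True if {@code tokenTime} is positive and within {@code TWO_MIN} seconds of {@code now}. */
    private static boolean withinWindow(long tokenTime, long now) {
        return tokenTime > 0 && Math.abs(now - tokenTime) <= TWO_MIN;
    }

    /**
     * Verifies a URL signature: HMAC-SHA1 over the query string with the trailing
     * {@code &sign=...} removed (an empty query string signs as {@code ""}).
     *
     * @param presentedSign the {@code sign} parameter sent by the client (may be null)
     */
    private boolean isValidUrlSign(HttpServletRequest request, String presentedSign) {
        String queryString = request.getQueryString();
        String signedPart = StringUtils.isEmpty(queryString) ? "" : PATTERN.matcher(queryString).replaceAll("");
        String expected = CryptoUtil.HmacSHA1(signedPart, SecureUtil.getLSSignKey());
        boolean ok = signaturesMatch(expected, presentedSign);
        if (!ok) {
            // The computed signature is deliberately not logged (see isValidBodySign).
            log.warn("check url sign failed, queryString={}, actualSign={}", signedPart, presentedSign);
        }
        return ok;
    }

    /**
     * Case-insensitive, constant-time comparison of two signature strings. Either side
     * being null is a mismatch. Case folding uses {@link Locale#ROOT} so the result does
     * not depend on the host locale.
     */
    private static boolean signaturesMatch(String expected, String presented) {
        if (expected == null || presented == null) {
            return false;
        }
        byte[] expectedBytes = expected.toLowerCase(Locale.ROOT).getBytes(StandardCharsets.UTF_8);
        byte[] presentedBytes = presented.toLowerCase(Locale.ROOT).getBytes(StandardCharsets.UTF_8);
        // MessageDigest.isEqual does not short-circuit on the first differing byte.
        return MessageDigest.isEqual(expectedBytes, presentedBytes);
    }

    /**
     * Filter entry point. Requests carrying a third-party app token, and requests in a
     * non-online environment that set the {@value #SKIP_CHECK} header, pass through
     * unchanged; all others are wrapped, checked and forwarded as the wrapper.
     *
     * @throws RmsException with {@link LsExceptionCode#SIGNATURE_ERROR} if the signature
     *         does not match, or {@link LsExceptionCode#SIGNATURE_TOKEN_ERROR} if the token
     *         is invalid
     */
    @Override
    public void filter(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain) throws IOException, ServletException {
        if (StringUtils.isNotBlank(RequestContext.getThirdPartyAppToken())) {
            filterChain.doFilter(httpServletRequest, httpServletResponse);
            return;
        }
        // The skip header is only honoured off the online environment, so it cannot be
        // used to bypass signing in production.
        boolean skipAllowed = !HostContext.getAppEnv().getEnv().isOnline();
        if (skipAllowed && StringUtils.isNotBlank(httpServletRequest.getHeader(SKIP_CHECK))) {
            filterChain.doFilter(httpServletRequest, httpServletResponse);
            return;
        }
        SignHttpServletRequestWrapper wrapped = new SignHttpServletRequestWrapper(httpServletRequest);
        if (!check(wrapped)) {
            log.warn("check sign fail, url={}, body={}", wrapped.getRequestURL(), wrapped.getBodyString());
            throw new RmsException(LsExceptionCode.SIGNATURE_ERROR);
        }
        // Forward the wrapper, not the original: its body stream has already been consumed.
        filterChain.doFilter(wrapped, httpServletResponse);
    }
}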
