package com.alibaba.nacos.plugin.auth.impl;

import com.alibaba.nacos.auth.config.NacosAuthConfig;
import com.alibaba.nacos.auth.config.NacosAuthConfigHolder;
import com.alibaba.nacos.common.utils.StringUtils;
import com.alibaba.nacos.plugin.auth.api.AuthResult;
import com.alibaba.nacos.plugin.auth.api.IdentityContext;
import com.alibaba.nacos.plugin.auth.api.Permission;
import com.alibaba.nacos.plugin.auth.api.Resource;
import com.alibaba.nacos.plugin.auth.constant.ActionTypes;
import com.alibaba.nacos.plugin.auth.constant.ApiType;
import com.alibaba.nacos.plugin.auth.exception.AccessException;
import com.alibaba.nacos.plugin.auth.impl.authenticate.IAuthenticationManager;
import com.alibaba.nacos.plugin.auth.impl.constant.AuthConstants;
import com.alibaba.nacos.plugin.auth.impl.users.NacosUser;
import com.alibaba.nacos.plugin.auth.spi.server.AuthPluginService;
import com.alibaba.nacos.sys.utils.ApplicationUtils;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import org.springframework.http.HttpStatus;

/* loaded from: input_file:com/alibaba/nacos/plugin/auth/impl/NacosAuthPluginService.class */
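/**
 * {@link AuthPluginService} implementation registered under the service name {@code "nacos"}.
 *
 * <p>Authentication ({@link #validateIdentity}) and authorization ({@link #validateAuthority}) are
 * delegated to an {@link IAuthenticationManager} bean that is looked up lazily from the application
 * context. The authenticated {@link NacosUser} is handed from the first step to the second through
 * the {@link IdentityContext}.
 */
public class NacosAuthPluginService implements AuthPluginService {
    /**
     * Keys this plugin reads from an {@link IdentityContext}: the authorization header, the
     * {@code accessToken} parameter, and the username/password parameters.
     *
     * <p>Wrapped as an unmodifiable list because {@link #identityNames()} returns this shared
     * static instance directly; a caller must not be able to add or remove identity keys for
     * every other user of the plugin.
     */
    private static final List<String> IDENTITY_NAMES = Collections.unmodifiableList(Arrays.asList(
            AuthConstants.AUTHORIZATION_HEADER,
            "accessToken",
            AuthConstants.PARAM_USERNAME,
            AuthConstants.PARAM_PASSWORD));

    /** Lazily resolved by {@link #checkNacosAuthManager()}; {@code null} until first use. */
    protected IAuthenticationManager authenticationManager;

    /**
     * Returns the identity keys this plugin consumes.
     *
     * @return a read-only collection of key names
     */
    public Collection<String> identityNames() {
        return IDENTITY_NAMES;
    }

    /**
     * Reports whether this plugin applies to the given action and resource type.
     *
     * @param actionTypes the action being performed (ignored)
     * @param str the resource type (ignored)
     * @return always {@code true}; neither argument narrows the decision
     */
    public boolean enableAuth(ActionTypes actionTypes, String str) {
        return true;
    }

    /**
     * Authenticates the caller described by {@code identityContext}.
     *
     * @param identityContext carrier of the token or username/password
     * @param resource the target resource (not consulted here)
     * @return a success result wrapping the authenticated user, or a failure result with HTTP 401
     *     and the {@link AccessException} message when authentication is rejected
     */
    public AuthResult validateIdentity(IdentityContext identityContext, Resource resource) {
        try {
            NacosUser authenticated = validateUser(identityContext);
            return AuthResult.successResult(authenticated);
        } catch (AccessException e) {
            // The exception message is copied into the result as-is.
            // NOTE(review): presumably this text reaches the client; confirm it never
            // distinguishes "unknown user" from "wrong password".
            return AuthResult.failureResult(HttpStatus.UNAUTHORIZED.value(), e.getErrMsg());
        }
    }

    /**
     * Authenticates by token when one is present, otherwise by username and password, then
     * records the resulting user in the identity context for the later authorization step.
     *
     * @param identityContext carrier of the credentials; updated with the authenticated user
     * @return the authenticated user
     * @throws AccessException if the authentication manager rejects the credentials
     */
    private NacosUser validateUser(IdentityContext identityContext) throws AccessException {
        checkNacosAuthManager();
        String token = resolveToken(identityContext);
        NacosUser user;
        if (StringUtils.isNotBlank(token)) {
            user = this.authenticationManager.authenticate(token);
        } else {
            // The password parameter is a plaintext credential held in the identity context;
            // keep the context out of logs and error messages.
            String username = (String) identityContext.getParameter(AuthConstants.PARAM_USERNAME);
            String password = (String) identityContext.getParameter(AuthConstants.PARAM_PASSWORD);
            user = this.authenticationManager.authenticate(username, password);
        }
        identityContext.setParameter(AuthConstants.NACOS_USER_KEY, user);
        identityContext.setParameter("identity_id", user.getUserName());
        return user;
    }

    /**
     * Extracts the access token from the identity context.
     *
     * <p>The authorization header wins when it is non-blank and starts with
     * {@link AuthConstants#TOKEN_PREFIX}; the prefix is stripped. Otherwise the
     * {@code accessToken} parameter is used.
     *
     * @param identityContext carrier of the header and parameter values
     * @return the token, or the fallback default when neither source supplies one
     */
    private String resolveToken(IdentityContext identityContext) {
        // NOTE(review): the fallback passed here is AuthConstants.DEFAULT_TOKEN_SECRET_KEY. In a
        // decompiled listing this is presumably an inlined empty-string default; confirm the
        // constant is blank. A non-blank value would be handed to authenticate(token) for
        // requests that carry no token, and the username/password branch would never run.
        String header = (String) identityContext.getParameter(AuthConstants.AUTHORIZATION_HEADER, AuthConstants.DEFAULT_TOKEN_SECRET_KEY);
        if (StringUtils.isNotBlank(header) && header.startsWith(AuthConstants.TOKEN_PREFIX)) {
            return header.substring(AuthConstants.TOKEN_PREFIX.length());
        }
        return (String) identityContext.getParameter("accessToken", AuthConstants.DEFAULT_TOKEN_SECRET_KEY);
    }

    /**
     * Checks whether the user stored in {@code identityContext} holds {@code permission}.
     *
     * @param identityContext context previously populated by {@link #validateIdentity}
     * @param permission the permission being requested
     * @return a success result wrapping the user, or a failure result with HTTP 403 and the
     *     {@link AccessException} message when authorization is rejected
     */
    public AuthResult validateAuthority(IdentityContext identityContext, Permission permission) {
        // The manager is resolved lazily; without this call, authorizing before any
        // validateIdentity call would dereference a null field.
        checkNacosAuthManager();
        try {
            // NOTE(review): the user is null when validateIdentity did not run or failed for this
            // context. Whether authorize() rejects a null user is not visible here; confirm it
            // fails closed.
            NacosUser user = (NacosUser) identityContext.getParameter(AuthConstants.NACOS_USER_KEY);
            this.authenticationManager.authorize(permission, user);
            return AuthResult.successResult(user);
        } catch (AccessException e) {
            return AuthResult.failureResult(HttpStatus.FORBIDDEN.value(), e.getErrMsg());
        }
    }

    /**
     * Returns the name under which this plugin is registered.
     *
     * @return the literal {@code "nacos"}
     */
    public String getAuthServiceName() {
        return "nacos";
    }

    /**
     * Reports whether authentication is enabled for the console API scope.
     *
     * @return the {@code isAuthEnabled()} flag of the {@link ApiType#CONSOLE_API} auth config
     */
    public boolean isLoginEnabled() {
        String consoleScope = ApiType.CONSOLE_API.name();
        return NacosAuthConfigHolder.getInstance().getNacosAuthConfigByScope(consoleScope).isAuthEnabled();
    }

    /**
     * Reports whether auth is enabled in at least one scope while the authentication manager
     * sees no global admin role.
     *
     * @return {@code true} only when some auth config is enabled and
     *     {@link IAuthenticationManager#hasGlobalAdminRole()} returns {@code false}
     */
    public boolean isAdminRequest() {
        boolean anyScopeEnabled = false;
        Iterator<?> configs = NacosAuthConfigHolder.getInstance().getAllNacosAuthConfig().iterator();
        while (configs.hasNext()) {
            // Non-short-circuit OR: every config is queried, as in the original.
            anyScopeEnabled |= ((NacosAuthConfig) configs.next()).isAuthEnabled();
        }
        if (!anyScopeEnabled) {
            return false;
        }
        // Looked up from the application context on each call rather than via the cached field.
        IAuthenticationManager manager = (IAuthenticationManager) ApplicationUtils.getBean(IAuthenticationManager.class);
        return !manager.hasGlobalAdminRole();
    }

    /**
     * Resolves {@link #authenticationManager} from the application context on first use.
     *
     * <p>Not synchronized: concurrent first calls may each perform the lookup.
     * NOTE(review): harmless if the bean is a singleton; confirm.
     */
    protected void checkNacosAuthManager() {
        if (this.authenticationManager == null) {
            this.authenticationManager = (IAuthenticationManager) ApplicationUtils.getBean(IAuthenticationManager.class);
        }
    }
}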
