package cn.home1.cloud.config.server.security;

import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTVerifier;
import com.auth0.jwt.algorithms.Algorithm;
import com.google.common.base.Preconditions;
import com.google.common.collect.ImmutableMap;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Iterator;
import java.util.regex.Pattern;
import javax.annotation.PostConstruct;
import org.apache.commons.lang3.RandomStringUtils;
import org.apache.commons.lang3.StringUtils;
import org.joda.time.DateTime;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.cloud.config.server.encryption.TextEncryptorLocator;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.encrypt.TextEncryptor;
import org.springframework.security.crypto.password.PasswordEncoder;

/* loaded from: input_file:cn/home1/cloud/config/server/security/ConfigSecurity.class */
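/**
 * Issues and verifies "parent application" access credentials for the config server.
 *
 * <p>A parent credential is either the parent's plain (or {@code {cipher}}-encrypted) password, or a
 * {@code {token}}-prefixed HMAC-signed JWT produced by {@link #encryptParentPassword}. The JWT carries a
 * single claim holding an encrypted, colon-joined string of a random nonce and the bcrypt hashes of the
 * application name, the parent application name and the parent password.
 *
 * <p>Not thread-safe during configuration: the setters and {@link #init()} are expected to run before the
 * bean is used for verification.
 */
public class ConfigSecurity {
    static final String TOKEN_PREFIX = "{token}";
    private static final String CIPHER_PREFIX = "{cipher}";
    // -1 lets BCryptPasswordEncoder fall back to its own default strength.
    private static final int BCRYPT_STRENGTH = -1;
    private static final String TOKEN_CLAIM = "encrypted";
    private static final int TOKEN_EXPIRE_DAYS = 1825;
    private static final String TOKEN_ISSUER = "config-server";
    // nonce + bcrypt(application) + bcrypt(parentApplication) + bcrypt(parentPassword)
    private static final int TOKEN_PART_COUNT = 4;
    private static final int NONCE_LENGTH = 16;
    private final PasswordEncoder passwordEncoder = new BCryptPasswordEncoder(BCRYPT_STRENGTH);
    private TextEncryptor encryptor;
    private Algorithm hmacAlgorithm;

    @Value("${spring.cloud.config.encrypt.hmac-secret:secret}")
    private String hmacSecret;
    private JWTVerifier hmacVerifier;

    @Value("${security.basic.enabled:true}")
    private Boolean securityEnabled;
    private static final Logger log = LoggerFactory.getLogger(ConfigSecurity.class);
    private static final Pattern CONCAT_PATTERN = Pattern.compile(":");
    // Strips every "{...}" prefix from a property value before handing it to the decryptor.
    private static final Pattern PREFIX_PATTERN = Pattern.compile("\\{[^}]+\\}");

    /**
     * Decrypts a property value when it carries the {@code {cipher}} prefix; otherwise returns it unchanged.
     *
     * @param str           property value, may be null or blank
     * @param textEncryptor encryptor used for {@code {cipher}} values; must not be null when {@code str} is
     *                      a cipher value
     * @return the decrypted value, or {@code str} as given when it is not a cipher value
     */
    static String decryptProperty(String str, TextEncryptor textEncryptor) {
        if (StringUtils.isBlank(str) || !str.startsWith(CIPHER_PREFIX)) {
            return str;
        }
        return textEncryptor.decrypt(PREFIX_PATTERN.matcher(str).replaceAll(""));
    }

    /**
     * Resolves the default {@link TextEncryptor} from the server's locator.
     *
     * @param textEncryptorLocator locator supplied by Spring; queried with no key/profile hints
     */
    @Autowired
    public void setEncryptorLocator(TextEncryptorLocator textEncryptorLocator) {
        this.encryptor = textEncryptorLocator.locate(ImmutableMap.of());
    }

    /**
     * Derives the HMAC-SHA256 signing algorithm and the issuer-checking verifier from {@code hmacSecret}.
     * Must run after the secret is set; Spring does this via {@code @PostConstruct}.
     */
    @PostConstruct
    public void init() {
        this.hmacAlgorithm = Algorithm.HMAC256(this.hmacSecret);
        this.hmacVerifier = JWT.require(this.hmacAlgorithm).withIssuer(TOKEN_ISSUER).build();
    }

    /**
     * Creates a {@code {token}}-prefixed JWT that grants {@code application} access to the configuration of
     * {@code parentApplication}, valid for {@value #TOKEN_EXPIRE_DAYS} days.
     *
     * <p>The issued token is a bearer credential and is deliberately not written to the log.
     *
     * @param application       application requesting access; must not be blank
     * @param parentApplication application whose configuration is shared; must not be blank
     * @param parentPassword    password of the parent application; must not be blank
     * @return the signed token, prefixed with {@link #TOKEN_PREFIX}
     * @throws IllegalArgumentException if any argument is blank
     */
    public String encryptParentPassword(String application, String parentApplication, String parentPassword) {
        Preconditions.checkArgument(StringUtils.isNotBlank(application), "blank application");
        Preconditions.checkArgument(StringUtils.isNotBlank(parentApplication), "blank parentApplication");
        Preconditions.checkArgument(StringUtils.isNotBlank(parentPassword), "blank parentPassword");

        // Random alphanumeric nonce so that two tokens for the same inputs never share a ciphertext.
        String nonce = RandomStringUtils.random(NONCE_LENGTH, 0, 0, true, true, (char[]) null, new SecureRandom());
        // bcrypt output never contains ':', so a plain join is unambiguous for the verifier's split.
        String payload = String.join(":",
            nonce,
            this.passwordEncoder.encode(application),
            this.passwordEncoder.encode(parentApplication),
            this.passwordEncoder.encode(parentPassword));
        String token = JWT.create()
            .withIssuer(TOKEN_ISSUER)
            .withClaim(TOKEN_CLAIM, this.encryptor.encrypt(payload))
            .withExpiresAt(DateTime.now().plusDays(TOKEN_EXPIRE_DAYS).toDate())
            .sign(this.hmacAlgorithm);
        log.info("Granted parent ({}) config access for application '{}'.", parentApplication, application);
        return TOKEN_PREFIX + token;
    }

    /**
     * Checks whether {@code credential} authorises {@code application} to read {@code parentApplication}'s
     * configuration.
     *
     * <p>With security disabled the check only requires both application names to be present. With security
     * enabled, {@code credential} is accepted when it is a valid {@code {token}} issued by
     * {@link #encryptParentPassword} for the same three values, or when it equals the configured
     * {@code parentPassword} (either side may be {@code {cipher}}-encrypted).
     *
     * @param application       application requesting access
     * @param parentApplication application whose configuration is requested
     * @param credential        credential presented by the caller: a token or the parent password
     * @param parentPassword    configured parent password, possibly {@code {cipher}}-encrypted
     * @return {@code TRUE} when access is granted, {@code FALSE} otherwise; never null
     */
    public Boolean verifyParentPassword(String application, String parentApplication, String credential,
                                        String parentPassword) {
        // A missing flag is treated as "enabled": failing closed is the safer default for an auth check.
        if (Boolean.FALSE.equals(this.securityEnabled)) {
            return StringUtils.isNotEmpty(application) && StringUtils.isNotEmpty(parentApplication);
        }

        String expectedPassword = decryptProperty(parentPassword);
        if (StringUtils.isEmpty(application) || StringUtils.isEmpty(credential)) {
            // Preserved rule: an empty credential only passes when both names are set and the configured
            // parent password is empty as well.
            boolean namesPresent = StringUtils.isNotEmpty(application) && StringUtils.isNotEmpty(parentApplication);
            return namesPresent ? isPasswordMatch(expectedPassword, credential) : Boolean.FALSE;
        }
        if (credential.startsWith(TOKEN_PREFIX)) {
            return verifyToken(application, parentApplication, expectedPassword, credential);
        }
        return isPasswordMatch(expectedPassword, decryptProperty(credential));
    }

    /**
     * Verifies a {@code {token}} credential: signature and issuer via the HMAC verifier, then the three
     * bcrypt hashes inside the decrypted claim. Any failure (bad signature, expired, undecryptable claim,
     * malformed payload) yields {@code FALSE} rather than an exception.
     */
    private Boolean verifyToken(String application, String parentApplication, String parentPassword,
                                String credential) {
        try {
            String jwt = credential.substring(TOKEN_PREFIX.length());
            String claim = this.hmacVerifier.verify(jwt).getClaim(TOKEN_CLAIM).asString();
            String[] parts = CONCAT_PATTERN.split(this.encryptor.decrypt(claim));
            if (parts.length < TOKEN_PART_COUNT) {
                return Boolean.FALSE;
            }
            // parts[0] is the nonce and carries no authorisation information.
            return this.passwordEncoder.matches(application, parts[1])
                && this.passwordEncoder.matches(parentApplication, parts[2])
                && this.passwordEncoder.matches(parentPassword, parts[3]);
        } catch (Exception e) {
            // Token contents are never logged; the exception type is enough for diagnostics.
            log.debug("Rejected parent-access token for application '{}'.", application, e);
            return Boolean.FALSE;
        }
    }

    /**
     * Compares two password strings in constant time, treating null as the empty string.
     *
     * @param expected configured value, may be null
     * @param actual   presented value, may be null
     * @return {@code TRUE} when both (null-normalised) strings are equal
     */
    Boolean isPasswordMatch(String expected, String actual) {
        byte[] expectedBytes = (expected != null ? expected : "").getBytes(StandardCharsets.UTF_8);
        byte[] actualBytes = (actual != null ? actual : "").getBytes(StandardCharsets.UTF_8);
        // MessageDigest.isEqual does not short-circuit on the first differing byte.
        return MessageDigest.isEqual(expectedBytes, actualBytes);
    }

    /**
     * Decrypts a {@code {cipher}} property value with this bean's encryptor; see
     * {@link #decryptProperty(String, TextEncryptor)}.
     */
    public String decryptProperty(String str) {
        return decryptProperty(str, this.encryptor);
    }

    public void setEncryptor(TextEncryptor textEncryptor) {
        this.encryptor = textEncryptor;
    }

    /** Sets the HMAC secret; {@link #init()} must be called again for it to take effect. */
    public void setHmacSecret(String str) {
        this.hmacSecret = str;
    }

    public void setSecurityEnabled(Boolean bool) {
        this.securityEnabled = bool;
    }
}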
