package com.alibaba.nacos.core.auth;

import com.alibaba.nacos.api.exception.NacosException;
import com.alibaba.nacos.api.remote.request.Request;
import com.alibaba.nacos.api.remote.request.RequestMeta;
import com.alibaba.nacos.api.remote.response.Response;
import com.alibaba.nacos.auth.GrpcProtocolAuthService;
import com.alibaba.nacos.auth.annotation.Secured;
import com.alibaba.nacos.auth.config.AuthConfigs;
import com.alibaba.nacos.common.utils.ExceptionUtil;
import com.alibaba.nacos.core.context.RequestContext;
import com.alibaba.nacos.core.context.RequestContextHolder;
import com.alibaba.nacos.core.remote.AbstractRequestFilter;
import com.alibaba.nacos.core.utils.Loggers;
import com.alibaba.nacos.plugin.auth.api.IdentityContext;
import com.alibaba.nacos.plugin.auth.api.Permission;
import com.alibaba.nacos.plugin.auth.api.Resource;
import com.alibaba.nacos.plugin.auth.exception.AccessException;
import java.lang.reflect.Method;
import org.springframework.stereotype.Component;

@Component
/* loaded from: input_file:com/alibaba/nacos/core/auth/RemoteRequestAuthFilter.class */
public class RemoteRequestAuthFilter extends AbstractRequestFilter {
    private final AuthConfigs authConfigs;
    private final GrpcProtocolAuthService protocolAuthService;

    public RemoteRequestAuthFilter(AuthConfigs authConfigs) {
        this.authConfigs = authConfigs;
        this.protocolAuthService = new GrpcProtocolAuthService(authConfigs);
        this.protocolAuthService.initialize();
    }

    @Override // com.alibaba.nacos.core.remote.AbstractRequestFilter
    public Response filter(Request request, RequestMeta requestMeta, Class cls) throws NacosException {
        try {
            Method handleMethod = getHandleMethod(cls);
            if (handleMethod.isAnnotationPresent(Secured.class) && this.authConfigs.isAuthEnabled()) {
                if (Loggers.AUTH.isDebugEnabled()) {
                    Loggers.AUTH.debug("auth start, request: {}", request.getClass().getSimpleName());
                }
                Secured annotation = handleMethod.getAnnotation(Secured.class);
                if (!this.protocolAuthService.enableAuth(annotation)) {
                    return null;
                }
                request.putHeader("X-Real-IP", requestMeta.getClientIp());
                Resource parseResource = this.protocolAuthService.parseResource(request, annotation);
                IdentityContext parseIdentity = this.protocolAuthService.parseIdentity(request);
                boolean validateIdentity = this.protocolAuthService.validateIdentity(parseIdentity, parseResource);
                RequestContext context = RequestContextHolder.getContext();
                context.getAuthContext().setIdentityContext(parseIdentity);
                context.getAuthContext().setResource(parseResource);
                if (null == context.getAuthContext().getAuthResult()) {
                    context.getAuthContext().setAuthResult(Boolean.valueOf(validateIdentity));
                }
                if (!validateIdentity) {
                    throw new AccessException("Validate Identity failed.");
                }
                if (!this.protocolAuthService.validateAuthority(parseIdentity, new Permission(parseResource, annotation.action().toString()))) {
                    throw new AccessException("Validate Authority failed.");
                }
            }
            return null;
        } catch (AccessException e) {
            if (Loggers.AUTH.isDebugEnabled()) {
                Loggers.AUTH.debug("access denied, request: {}, reason: {}", request.getClass().getSimpleName(), e.getErrMsg());
            }
            Response defaultResponseInstance = getDefaultResponseInstance(cls);
            defaultResponseInstance.setErrorInfo(403, e.getErrMsg());
            return defaultResponseInstance;
        } catch (Exception e2) {
            Response defaultResponseInstance2 = getDefaultResponseInstance(cls);
            defaultResponseInstance2.setErrorInfo(500, ExceptionUtil.getAllExceptionMsg(e2));
            return defaultResponseInstance2;
        }
    }
}
