package cn.insmart.iam.resource.service.impl;

import cn.insmart.fx.common.lang.util.Message;
import cn.insmart.fx.common.lang.util.NumberUtils;
import cn.insmart.fx.common.lang.util.StringUtils;
import cn.insmart.iam.resource.config.OAuthProviderProperties;
import cn.insmart.iam.resource.service.ClientTokenService;
import com.alibaba.fastjson.JSONObject;
import java.time.Instant;
import java.util.Objects;
import java.util.concurrent.locks.ReadWriteLock;
import java.util.concurrent.locks.ReentrantReadWriteLock;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.boot.autoconfigure.security.oauth2.client.OAuth2ClientProperties;
import org.springframework.http.HttpEntity;
import org.springframework.http.HttpHeaders;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.oauth2.client.OAuth2AuthorizeRequest;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientService;
import org.springframework.security.oauth2.core.OAuth2AccessToken;
import org.springframework.util.Assert;
import org.springframework.util.LinkedMultiValueMap;
import org.springframework.web.client.RestTemplate;

/* loaded from: input_file:cn/insmart/iam/resource/service/impl/ClientTokenServiceImpl.class */
public class ClientTokenServiceImpl implements ClientTokenService {
    private static final String REGISTRATION_ID = "in-smart-iam";
    private volatile Instant tokenRefreshTime = Instant.MIN;
    private volatile String token = null;
    private final ReadWriteLock lock = new ReentrantReadWriteLock();
    private final RestTemplate restTemplate = new RestTemplate();
    private final OAuth2ClientProperties clientProperties;
    private final OAuthProviderProperties providerProperties;
    private final OAuth2AuthorizedClientManager authorizedClientManager;
    private final OAuth2AuthorizedClientService authorizedClientService;
    private static final Logger log = LoggerFactory.getLogger(ClientTokenServiceImpl.class);
    private static final int EARLY_REFRESH_SECONDS = NumberUtils.nextInt(300, 1800);

    public ClientTokenServiceImpl(OAuth2ClientProperties oAuth2ClientProperties, OAuthProviderProperties oAuthProviderProperties, OAuth2AuthorizedClientManager oAuth2AuthorizedClientManager, OAuth2AuthorizedClientService oAuth2AuthorizedClientService) {
        this.clientProperties = oAuth2ClientProperties;
        this.providerProperties = oAuthProviderProperties;
        this.authorizedClientManager = oAuth2AuthorizedClientManager;
        this.authorizedClientService = oAuth2AuthorizedClientService;
    }

    @Override // cn.insmart.iam.resource.service.ClientTokenService
    public String getToken() {
        log.debug("get service token");
        try {
            this.lock.readLock().lock();
            if (this.tokenRefreshTime.isBefore(Instant.now())) {
                log.debug("token is null or expire, need to login!");
                try {
                    this.lock.readLock().unlock();
                    this.lock.writeLock().lock();
                    if (this.tokenRefreshTime.isBefore(Instant.now())) {
                        if (!this.tokenRefreshTime.equals(Instant.MIN)) {
                            reLogin();
                        }
                        OAuth2AccessToken login = login();
                        Assert.notNull(login, "access token is null");
                        this.tokenRefreshTime = ((Instant) Objects.requireNonNull(login.getExpiresAt(), "token expires at is null")).plusSeconds(-EARLY_REFRESH_SECONDS);
                        this.token = login.getTokenValue();
                        log.info("iam token {}, expires at {} refresh at {}", new Object[]{this.token, login.getExpiresAt(), this.tokenRefreshTime});
                    } else {
                        log.debug("token exist, other thread login?");
                    }
                    this.lock.readLock().lock();
                    this.lock.writeLock().unlock();
                } catch (Throwable th) {
                    this.lock.readLock().lock();
                    this.lock.writeLock().unlock();
                    throw th;
                }
            } else {
                log.debug("token exist, use it!");
            }
            return this.token;
        } finally {
            this.lock.readLock().unlock();
        }
    }

    private OAuth2AccessToken login() {
        log.debug("service login");
        OAuth2ClientProperties.Registration registration = (OAuth2ClientProperties.Registration) this.clientProperties.getRegistration().get(REGISTRATION_ID);
        Assert.notNull(registration, Message.of("registration {} is required!", new Object[]{REGISTRATION_ID}));
        OAuth2AuthorizedClient authorize = this.authorizedClientManager.authorize(OAuth2AuthorizeRequest.withClientRegistrationId(REGISTRATION_ID).principal(new UsernamePasswordAuthenticationToken(registration.getClientId(), registration.getClientSecret())).build());
        Assert.notNull(authorize, "authorized client is null");
        OAuth2AccessToken accessToken = authorize.getAccessToken();
        Assert.notNull(accessToken, "access token is null!");
        if (log.isDebugEnabled()) {
            log.debug("service login success, token {}", StringUtils.mask(accessToken.getTokenValue()));
        }
        String tokenExchangeUri = this.providerProperties.getProvider().get(registration.getProvider()).getTokenExchangeUri();
        Assert.hasText(tokenExchangeUri, "token exchange uri is blank!");
        log.debug("service token exchange, uri {}", tokenExchangeUri);
        HttpHeaders httpHeaders = new HttpHeaders();
        httpHeaders.setBasicAuth(registration.getClientId(), registration.getClientSecret());
        LinkedMultiValueMap linkedMultiValueMap = new LinkedMultiValueMap();
        linkedMultiValueMap.add("token", accessToken.getTokenValue());
        JSONObject jSONObject = (JSONObject) this.restTemplate.postForObject(tokenExchangeUri, new HttpEntity(linkedMultiValueMap, httpHeaders), JSONObject.class, new Object[0]);
        Assert.isTrue(jSONObject != null && jSONObject.containsKey("token"), "token exchange error!");
        String string = jSONObject.getString("token");
        if (log.isDebugEnabled()) {
            log.debug("service token exchange success, token {} expire at{}", StringUtils.mask(string), accessToken.getExpiresAt());
        }
        return new OAuth2AccessToken(accessToken.getTokenType(), string, accessToken.getIssuedAt(), accessToken.getExpiresAt(), accessToken.getScopes());
    }

    @Override // cn.insmart.iam.resource.service.ClientTokenService
    public void reLogin() {
        log.info("set re-login status");
        try {
            this.lock.writeLock().lock();
            this.authorizedClientService.removeAuthorizedClient(REGISTRATION_ID, ((OAuth2ClientProperties.Registration) this.clientProperties.getRegistration().get(REGISTRATION_ID)).getClientId());
            this.token = null;
            this.tokenRefreshTime = Instant.MIN;
        } finally {
            this.lock.writeLock().unlock();
        }
    }
}
