package cn.insmart.iam.gateway.service.impl;

import cn.insmart.fx.common.lang.util.Message;
import cn.insmart.iam.gateway.config.OAuthProviderProperties;
import cn.insmart.iam.gateway.service.ClientTokenService;
import com.alibaba.fastjson.JSONObject;
import java.time.Duration;
import java.time.Instant;
import java.util.Objects;
import java.util.concurrent.locks.ReadWriteLock;
import java.util.concurrent.locks.ReentrantReadWriteLock;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.boot.autoconfigure.security.oauth2.client.OAuth2ClientProperties;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.oauth2.client.OAuth2AuthorizeRequest;
import org.springframework.security.oauth2.client.ReactiveOAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.core.OAuth2AccessToken;
import org.springframework.stereotype.Service;
import org.springframework.util.Assert;
import org.springframework.web.reactive.function.BodyInserters;
import org.springframework.web.reactive.function.client.WebClient;
import reactor.core.publisher.Mono;

@Service
/* loaded from: input_file:cn/insmart/iam/gateway/service/impl/ClientTokenServiceImpl.class */
public class ClientTokenServiceImpl implements ClientTokenService {
    private static final Logger log = LoggerFactory.getLogger(ClientTokenServiceImpl.class);
    private volatile Instant tokenExpireTime = null;
    private volatile String token = null;
    private final ReadWriteLock lock = new ReentrantReadWriteLock();
    private static final String REGISTRATION_ID = "in-smart-iam";
    private static final String TOKEN_KEY = "token";
    private final OAuth2ClientProperties clientProperties;
    private final OAuthProviderProperties providerProperties;
    private final ReactiveOAuth2AuthorizedClientManager clientManager;

    public ClientTokenServiceImpl(OAuth2ClientProperties oAuth2ClientProperties, OAuthProviderProperties oAuthProviderProperties, ReactiveOAuth2AuthorizedClientManager reactiveOAuth2AuthorizedClientManager) {
        this.clientProperties = oAuth2ClientProperties;
        this.providerProperties = oAuthProviderProperties;
        this.clientManager = reactiveOAuth2AuthorizedClientManager;
    }

    @Override // cn.insmart.iam.gateway.service.ClientTokenService
    public Mono<String> getToken() {
        log.debug("get service token");
        try {
            this.lock.readLock().lock();
            if (this.tokenExpireTime != null && this.tokenExpireTime.isAfter(Instant.now())) {
                log.debug("token exist, use it!");
                Mono<String> just = Mono.just(this.token);
                this.lock.readLock().unlock();
                return just;
            }
            try {
                this.lock.readLock().unlock();
                this.lock.writeLock().lock();
                if (this.tokenExpireTime == null || !this.tokenExpireTime.isAfter(Instant.now())) {
                    Mono<String> flatMap = login().flatMap(oAuth2AccessToken -> {
                        log.debug("login success");
                        this.tokenExpireTime = oAuth2AccessToken.getExpiresAt();
                        this.token = oAuth2AccessToken.getTokenValue();
                        log.debug("login success {}", this.token);
                        return Mono.just(this.token);
                    });
                    this.lock.readLock().unlock();
                    return flatMap;
                }
                log.debug("token exist, other thread login?");
                Mono<String> just2 = Mono.just(this.token);
                this.lock.readLock().unlock();
                return just2;
            } finally {
                this.lock.writeLock().unlock();
                this.lock.readLock().lock();
            }
        } catch (Throwable th) {
            this.lock.readLock().unlock();
            throw th;
        }
    }

    private Mono<OAuth2AccessToken> login() {
        log.debug("service login");
        OAuth2ClientProperties.Registration registration = (OAuth2ClientProperties.Registration) this.clientProperties.getRegistration().get(REGISTRATION_ID);
        Assert.notNull(registration, Message.of("registration {} is required!", new Object[]{REGISTRATION_ID}));
        OAuth2AuthorizeRequest build = OAuth2AuthorizeRequest.withClientRegistrationId(REGISTRATION_ID).principal(new UsernamePasswordAuthenticationToken(registration.getClientId(), registration.getClientSecret())).build();
        log.info("ready to login");
        return this.clientManager.authorize(build).map((v0) -> {
            return v0.getAccessToken();
        }).flatMap(oAuth2AccessToken -> {
            log.info("login success {}", oAuth2AccessToken);
            String tokenExchangeUri = this.providerProperties.getProvider().get(registration.getProvider()).getTokenExchangeUri();
            Assert.hasText(tokenExchangeUri, "token exchange uri is blank!");
            log.debug("service token exchange, uri {}", tokenExchangeUri);
            return WebClient.create().post().uri(tokenExchangeUri, new Object[0]).headers(httpHeaders -> {
                httpHeaders.setBasicAuth(registration.getClientId(), registration.getClientSecret());
            }).body(BodyInserters.fromFormData(TOKEN_KEY, oAuth2AccessToken.getTokenValue())).retrieve().bodyToMono(JSONObject.class).timeout(Duration.ofSeconds(3L)).map(jSONObject -> {
                Assert.isTrue(jSONObject.containsKey(TOKEN_KEY), Message.of("token exchange error! response {}", new Object[]{jSONObject}));
                return new OAuth2AccessToken(oAuth2AccessToken.getTokenType(), jSONObject.getString(TOKEN_KEY), oAuth2AccessToken.getIssuedAt() == null ? null : oAuth2AccessToken.getIssuedAt().plusSeconds(-60L), ((Instant) Objects.requireNonNull(oAuth2AccessToken.getExpiresAt())).plusSeconds(-60L), oAuth2AccessToken.getScopes());
            });
        });
    }
}
