package com.alibaba.nacos.naming.acl;

import com.alibaba.nacos.core.utils.WebUtils;
import com.alibaba.nacos.naming.core.DomainsManager;
import com.alibaba.nacos.naming.misc.Switch;
import com.alibaba.nacos.naming.misc.SwitchDomain;
import com.alibaba.nacos.naming.misc.UtilsAndCommons;
import java.security.AccessControlException;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import org.apache.commons.lang3.ArrayUtils;
import org.apache.commons.lang3.StringUtils;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;

@Component
/* loaded from: input_file:com/alibaba/nacos/naming/acl/AuthChecker.class */
public class AuthChecker {

    @Autowired
    private DomainsManager domainsManager;
    private static String[] APP_WHITE_LIST = new String[0];
    private static String[] TOKEN_WHITE_LIST = {"traffic-scheduling@midware"};

    public void doRaftAuth(HttpServletRequest httpServletRequest) throws Exception {
        String parameter = httpServletRequest.getParameter("token");
        if (StringUtils.equals(UtilsAndCommons.SUPER_TOKEN, parameter)) {
            return;
        }
        String header = httpServletRequest.getHeader("Client-Version");
        if (!StringUtils.startsWith(header, UtilsAndCommons.NACOS_SERVER_HEADER)) {
            throw new IllegalAccessException("illegal access,agent= " + header + ", token=" + parameter);
        }
    }

    /* JADX WARN: Multi-variable type inference failed */
    /* JADX WARN: Type inference failed for: r0v54, types: [com.alibaba.nacos.naming.core.Domain] */
    public void doAuth(Map<String, String[]> map, HttpServletRequest httpServletRequest) throws Exception {
        String optional = WebUtils.optional(httpServletRequest, "namespaceId", UtilsAndCommons.getDefaultNamespaceId());
        String optional2 = WebUtils.optional(httpServletRequest, "name", "");
        if (StringUtils.isEmpty(optional2)) {
            optional2 = WebUtils.optional(httpServletRequest, "dom", "");
        }
        if (StringUtils.isEmpty(optional2)) {
            optional2 = WebUtils.optional(httpServletRequest, "tag", "");
        }
        SwitchDomain dom = (httpServletRequest.getRequestURI().equals("/v1/ns/api/updateSwitch") || httpServletRequest.getRequestURI().equals("/v1/ns/api/setWeight4AllIPs")) ? Switch.getDom() : this.domainsManager.getDomain(optional, optional2);
        if (dom == null && !httpServletRequest.getRequestURI().equals("/v1/ns/api/setWeight4AllIPs")) {
            throw new IllegalStateException("auth failed, dom does not exist: " + optional2);
        }
        String parameter = httpServletRequest.getParameter("token");
        String parameter2 = httpServletRequest.getParameter("auth");
        String parameter3 = httpServletRequest.getParameter("userName");
        if (StringUtils.isEmpty(parameter2) && StringUtils.isEmpty(parameter)) {
            throw new IllegalArgumentException("provide 'authInfo' or 'token' to access this dom");
        }
        if ((dom != null && StringUtils.equals(dom.getToken(), parameter)) || ArrayUtils.contains(TOKEN_WHITE_LIST, parameter) || ArrayUtils.contains(APP_WHITE_LIST, parameter3)) {
            return;
        }
        AuthInfo fromString = AuthInfo.fromString(parameter2, WebUtils.getAcceptEncoding(httpServletRequest));
        if (fromString == null) {
            throw new IllegalAccessException("invalid token or malformed auth info");
        }
        if (!ArrayUtils.contains(APP_WHITE_LIST, fromString.getAppKey())) {
            throw new AccessControlException("un-registered SDK app");
        }
        if (!dom.getOwners().contains(fromString.getOperator()) && !Switch.getMasters().contains(fromString.getOperator())) {
            throw new AccessControlException("dom already exists and you're not among the owners");
        }
    }
}
