package jnpf.filter;

import cn.dev33.satoken.SaManager;
import cn.dev33.satoken.context.SaHolder;
import cn.dev33.satoken.exception.NotLoginException;
import cn.dev33.satoken.filter.SaFilterAuthStrategy;
import cn.dev33.satoken.reactor.filter.SaReactorFilter;
import cn.dev33.satoken.router.SaRouter;
import cn.dev33.satoken.stp.StpUtil;
import cn.dev33.satoken.util.SaResult;
import jnpf.base.ActionResultCode;
import jnpf.constant.MsgCode;
import jnpf.consts.AuthConsts;
import jnpf.properties.GatewayWhite;
import jnpf.util.GatewayUtil;
import jnpf.util.ReactorUtil;
import jnpf.util.UserProvider;
import lombok.extern.slf4j.Slf4j;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.stereotype.Component;


/**
 * 网关验证token
 *
 * @author JNPF开发平台组
 * @version V3.1.0
 * @copyright 引迈信息技术有限公司（https://www.jnpfsoft.com）
 * @date 2021-03-24
 */
@Slf4j
@Configuration
@Component
public class AuthFilter {

    @Autowired
    private SaFilterAuthStrategy defaultBeforeAuthStrategy;


    // 注册 Sa-Token全局过滤器
    @Bean
    public SaReactorFilter getSaReactorFilter(GatewayWhite gatewayWhite) {
        return new SaReactorFilter()
            // 拦截地址
            .addInclude("/**")
            .setExcludeList(gatewayWhite.excludeUrl)
            // 鉴权方法：每次访问进入
            .setAuth(obj -> {
                if(log.isInfoEnabled()){
                    log.info("请求路径: {}", SaHolder.getRequest().getRequestPath());
                }
                //拦截路径
                SaRouter.match(gatewayWhite.blockUrl).match(o -> {
                    //禁止访问URL 排除白名单
                    String ip = getIpAddr();
                    for (String o1 : gatewayWhite.whiteIp) {
                        if(ip.startsWith(o1)){
                            return false;
                        }
                    }
                    log.info("非白名单IP访问限制接口：{}, {}", SaHolder.getRequest().getRequestPath(), ip);
                    return true;
                }).back(MsgCode.AD101.get());
                //测试不验证 鉴权服务重启测试模式不清除Token就够了
                //SaRouter.match((r)->"true".equals(configValueUtil.getTestVersion())).stop();
                //白名单不拦截
                SaRouter.match(gatewayWhite.whiteUrl).stop();
                //内部请求不拦截
                SaRouter.match(t->{
                    String innerToken = SaHolder.getRequest().getHeader(AuthConsts.INNER_TOKEN_KEY);
                    return UserProvider.isValidInnerToken(innerToken);
                }).stop();
                // 登录校验 -- 校验多租户管理模块TOKEN
                SaRouter.match("/api/tenant/**", r -> {
                    SaManager.getStpLogic(AuthConsts.ACCOUNT_TYPE_TENANT).checkLogin();
                    GatewayUtil.renewToken(StpUtil.getTokenValue());
                }).stop();
                // 登录校验 -- 拦截所有路由
                SaRouter.match("/**", r -> {
                    StpUtil.checkLogin();
                }).stop();
            }).setError(e -> {
                SaHolder.getResponse().addHeader("Content-Type","application/json; charset=utf-8");
                if(e instanceof NotLoginException){
                    return SaResult.error(ActionResultCode.SessionOverdue.getMessage()).setCode(ActionResultCode.SessionOverdue.getCode());
                }
                log.error(e.getMessage(), e);
                return SaResult.error(MsgCode.AD102.get()).setCode(ActionResultCode.Exception.getCode());
            })
            // 前置函数：在每次认证函数之前执行
            .setBeforeAuth(defaultBeforeAuthStrategy);
    }


    public static String getIpAddr() {
        return ReactorUtil.getIpAddr(SaHolder.getRequest());
    }


}