package project.web.admin.filter;

import java.io.IOException;
import java.util.ArrayList;
import java.util.Date;
import java.util.Enumeration;
import java.util.List;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.web.context.ContextLoader;
import org.springframework.web.context.WebApplicationContext;

import kernel.util.DateUtils;
import kernel.util.StringUtils;
import kernel.web.PageActionSupport;
import project.syspara.Syspara;
import project.syspara.SysparaService;
import security.SecUser;
import security.SecurityAppUserHolder;
import security.SecurityContext;
import security.internal.SecUserService;
import util.IpUtil;

public class AllRequestFilter extends PageActionSupport implements Filter  {

	private Logger logger = LoggerFactory.getLogger(AllRequestFilter.class);
	
	/**
	 * url 白名单
	 */
	private List<String> urls = new ArrayList<String>();
	/**
	 * 操作不打日志url
	 */
	private List<String> opNoLogUrls = new ArrayList<String>();
	@Override
	public void destroy() {
	}

	@Override
	public void doFilter(ServletRequest request, ServletResponse response, FilterChain filterChain)
			throws IOException, ServletException {
		
		ServletRequest oldRequest = request;
		ServletResponse oldResponse = response;
		HttpServletRequest httpServletRequest = (HttpServletRequest)request;
		
		WebApplicationContext wac = ContextLoader.getCurrentWebApplicationContext();
		SysparaService sysparaService =(SysparaService) wac.getBean("sysparaService");
		
		// 检查IP黑名单
		Syspara blackListSyspara = sysparaService.find("blacklist_ip");
		String requestIP = this.getIp(httpServletRequest);
		if(blackListSyspara != null && !StringUtils.isEmptyString(blackListSyspara.getValue())) {
			if (!checkBlackListIP(blackListSyspara.getValue(), requestIP)) {
				logger.error("黑名单IP,参数{}", requestIP);
				return;
			}
		}
		
		String ip = this.getIp(httpServletRequest);
		if (!IpUtil.isCorrectIpRegular(ip)) {
			logger.error("校验IP不合法,参数{}", ip);
			return;
		}
		
		// 白名单直接过滤，非action请求直接过滤
		String servletPath = httpServletRequest.getServletPath();
		if(urls.contains(servletPath) || !".action".equals(servletPath.substring(servletPath.length()-7))) {
			filterChain.doFilter(oldRequest, oldResponse);
			return;
		}
		
		SecUserService secUserService =(SecUserService) wac.getBean("secUserService");
		Syspara syspara = sysparaService.find("filter_ip");
		
		String usernameLogin = getUsername_login(httpServletRequest);
		if(StringUtils.isEmptyString(usernameLogin)) {//未登录时不操作
			filterChain.doFilter(oldRequest, oldResponse);
			return;
		}
		SecUser secUser = secUserService.findUserByLoginName(usernameLogin);
		if(!StringUtils.isEmptyString(secUser.getPartyId())) {//代理商不验证
			filterChain.doFilter(oldRequest, oldResponse);
			return;
		}
		
		if(syspara != null && !StringUtils.isEmptyString(syspara.getValue())) {
			checkIP(syspara,request);
		}
		
		Syspara para = sysparaService.find("open_google_auth_code");
		if (null == para || para.getValue().equals("true")) {
			if(checkOperaIp(httpServletRequest, response, secUser)) {
				// 不记录日志直接返回
				if(opNoLogUrls.contains(httpServletRequest.getServletPath())) {
					return ;
				}
				RequestDispatcher requestDispatcher = request.getRequestDispatcher("/include/google_auth_code.jsp"); 
				request.setAttribute("check_opera_ip", "ture");
				request.setAttribute("username", getUsername_login(httpServletRequest));
				requestDispatcher.forward(request, response); 
				return;
			}
		}
		
		if (checkParameter(httpServletRequest)) {
			return;
		}
		
		filterChain.doFilter(oldRequest, oldResponse);
	}
	
	/**
	 * 请求参数中包含"script"的过滤
	 */
	private boolean checkParameter(HttpServletRequest request) {
		
		Enumeration<String> enu = request.getParameterNames();
		while (enu.hasMoreElements()) {
			String paraName = (String) enu.nextElement();
			String value = request.getParameter(paraName).toLowerCase();
			if (value.indexOf("script") != -1) {
				System.out.println("请求参数中包含script的过滤,参数：" + request.getParameter(paraName) + "请求地址：" + request.getServletPath());
				return true;
			}
		}
		
		Enumeration heads = request.getHeaderNames();
		while (heads.hasMoreElements()) {
			String headName = String.valueOf(heads.nextElement());
			String value = request.getHeader(headName).toLowerCase();
			if (value.indexOf("<script") != -1) {
				System.out.println("head参数中包含script的过滤,参数：" + request.getHeader(headName) + "请求地址：" + request.getServletPath());
				return true;
			}
		}
		
		return false;
	}
	
	/**
	 * 验证是否是白名单
	 */
	private void checkIP(Syspara syspara,ServletRequest request) {
		HttpServletRequest httpServletRequest = (HttpServletRequest)request;
		String loginIp = this.getIp(httpServletRequest);
		String[] loginIpParts = loginIp.split("\\.");
		String ips = syspara.getValue();
		String[] ipsArrs = ips.split(",");
		//[192.188.1.*,192.188.2.*]
		int index=0;
		for(String ip:ipsArrs) {
			String[] ipParts = ip.split("\\.");
			for (int i = 0; i < ipParts.length; i++) {
				if(ipParts[i].equals(loginIpParts[i])||"*".equals(ipParts[i])) {//匹配
					index++;
				}else {//不匹配
					break;
				}
			}
			if(index==4) {//存在完全匹配的ip地址池
				break;
			}else {//每次和新的地址匹配都重置
				index=0;
			}
		}
		if(index!=4) {//全部地址池匹配完，没有与登录ip相符的
			logger.info("filter fail,time:{},ip:{},request uri:{}",
					new Object[]{DateUtils.dateToStr(new Date(), DateUtils.DF_yyyyMMddHHmmss),loginIp,httpServletRequest.getRequestURI()});
            throw new RuntimeException();
		}
	}
	
	/**
	 * 验证是否是黑名单
	 */
	private boolean checkBlackListIP(String ips, String requestIP) {
		String[] ipsArrs = ips.split(",");
		for(String ip : ipsArrs) {
			if(requestIP.equals(ip)) {
				return false;
			}
		}
		return true;
	}
	
	/**
	 * 验证操作的ip和登录的是否相同
	 */
	private boolean checkOperaIp(HttpServletRequest httpServletRequest, ServletResponse response,SecUser secUser) throws ServletException, IOException {
		
		String operaIp = this.getIp(httpServletRequest);
		
		if(!operaIp.equals(secUser.getLogin_ip())) {
			if(opNoLogUrls.contains(httpServletRequest.getServletPath())) {//不记录日志直接返回
				return true;
			}
			logger.info("last login ip different with opera ip ,login user:{},opera time:{},opera ip:{},request uri:{},"
					+ "last login ip:{},last login time:{}",
					new Object[]{secUser.getUsername(),DateUtils.dateToStr(new Date(), DateUtils.DF_yyyyMMddHHmmss),operaIp,httpServletRequest.getRequestURI(),
							secUser.getLogin_ip(),DateUtils.dateToStr(secUser.getLast_loginTime(), DateUtils.DF_yyyyMMddHHmmss)});
			return true;
		}
		return false;
	}
	
	@Override
	public void init(FilterConfig arg0) throws ServletException {
		urls.add("/normal/adminGoogleAuthAction!checkGoogleAuthCodeForLogin.action");
		urls.add("/js/jquery.min.js");
		
		//登录界面所需
		urls.add("/login.jsp");
		urls.add("/www/css/local.css");
		urls.add("/www/css/styles.css");
		urls.add("/css/font-awesome.min.css");
		
		opNoLogUrls.add("/normal/adminTipAction!getTips.action");
		opNoLogUrls.add("/normal/adminTipAction!getNewTips.action");
		opNoLogUrls.add("/public/adminOnlineChatAction!userlist.action");
		opNoLogUrls.add("/public/adminOnlineChatAction!list.action");
		opNoLogUrls.add("/public/adminOnlineChatAction!unread.action");
		opNoLogUrls.add("/public/adminOnlineChatAction!getUserInfo.action");
		opNoLogUrls.add("/public/adminOnlineChatAction!getOnlineChatMessage.action");
	}
	
	public String getUsername_login(HttpServletRequest httpServletRequest) {

		HttpSession session = httpServletRequest.getSession();
		Object object = session.getAttribute("SPRING_SECURITY_CONTEXT");
		if (object != null) {
			return ((SecurityContext) object).getUsername();
		}
		return SecurityAppUserHolder.gettUsername();
	}
}