package com.elitescloud.cloudt.authorization.api.provider.config.servlet;

import com.elitescloud.cloudt.authorization.api.client.config.security.AbstractServletSecurityConfig;
import com.elitescloud.cloudt.authorization.api.client.config.security.handler.DefaultAccessDeniedHandler;
import com.elitescloud.cloudt.authorization.api.client.config.security.handler.DelegateAuthenticationCallable;
import com.elitescloud.cloudt.authorization.api.client.config.support.AuthenticationCallable;
import com.elitescloud.cloudt.authorization.api.client.token.AbstractCustomAuthenticationToken;
import com.elitescloud.cloudt.authorization.api.client.tool.RedisHelper;
import com.elitescloud.cloudt.authorization.api.client.util.JwtUtil;
import com.elitescloud.cloudt.authorization.api.provider.config.LoginSupportConfig;
import com.elitescloud.cloudt.authorization.api.provider.config.servlet.oauth2.OAuth2AuthorizationCodeRequestCache;
import com.elitescloud.cloudt.authorization.api.provider.config.servlet.oauth2.OAuth2AuthorizationCodeUserVerifier;
import com.elitescloud.cloudt.authorization.api.provider.config.servlet.oauth2.configurer.OAuth2AuthorizationCodeStateFilterSecurityConfigurer;
import com.elitescloud.cloudt.authorization.api.provider.config.servlet.oauth2.configurer.OAuth2AuthorizationCodeUserSecurityConfigurer;
import com.elitescloud.cloudt.authorization.api.provider.config.servlet.oauth2.handler.OAuth2AccessTokenResponseHandler;
import com.elitescloud.cloudt.authorization.api.provider.config.servlet.oauth2.handler.OAuth2AuthenticationFailHandler;
import com.elitescloud.cloudt.authorization.api.provider.config.servlet.oauth2.handler.OAuth2AuthorizationErrorResponseHandler;
import com.elitescloud.cloudt.authorization.api.provider.config.servlet.oauth2.handler.OAuth2AuthorizationResponseHandler;
import com.elitescloud.cloudt.authorization.api.provider.config.servlet.oauth2.handler.OAuth2ServerAuthenticationFailureHandler;
import com.elitescloud.cloudt.authorization.api.provider.config.servlet.oauth2.handler.OAuth2ServerAuthenticationSuccessHandler;
import com.elitescloud.cloudt.authorization.api.provider.config.servlet.oauth2.handler.OAuth2ServerJsonAuthenticationEntryPointHandler;
import com.elitescloud.cloudt.authorization.api.provider.config.servlet.oauth2.handler.OAuth2ServerLoginUrlAuthenticationEntryPointHandler;
import com.elitescloud.cloudt.authorization.api.provider.config.servlet.oauth2.handler.OAuth2ServerLogoutRedirectHandler;
import com.elitescloud.cloudt.authorization.api.provider.security.configurer.LoginFilterSecurityConfigurer;
import com.elitescloud.cloudt.authorization.api.provider.security.configurer.support.LoginFilterCustomizer;
import com.elitescloud.cloudt.authorization.api.provider.security.generator.token.TokenGenerator;
import com.elitescloud.cloudt.authorization.api.provider.security.impl.RedisOAuth2AuthorizationCodeRequestCache;
import com.elitescloud.cloudt.authorization.sdk.resolver.UniqueRequestResolver;
import com.elitescloud.cloudt.authorization.sdk.resolver.impl.DefaultUniquestResolver;
import com.elitescloud.cloudt.security.entity.GeneralUserDetails;
import com.nimbusds.jose.jwk.RSAKey;
import com.nimbusds.jose.jwk.source.JWKSource;
import com.nimbusds.jose.proc.SecurityContext;
import java.security.Principal;
import java.util.function.Function;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.springframework.beans.factory.ObjectProvider;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Import;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer;
import org.springframework.security.oauth2.core.oidc.OidcUserInfo;
import org.springframework.security.oauth2.server.authorization.OAuth2Authorization;
import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository;
import org.springframework.security.oauth2.server.authorization.config.annotation.web.configurers.OAuth2AuthorizationServerConfigurer;
import org.springframework.security.oauth2.server.authorization.oidc.authentication.OidcUserInfoAuthenticationContext;
import org.springframework.security.oauth2.server.authorization.settings.AuthorizationServerSettings;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.savedrequest.RequestCache;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.RequestHeaderRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.util.StringUtils;

/**
 * Servlet security configuration used when {@code elitesland.authorization.type=oauth2_server}.
 *
 * <p>It contributes two filter chains: one that protects the authorization-server protocol
 * endpoints (highest precedence), and the default chain that hosts the login filter with the
 * OAuth2-aware success/failure handlers. It also registers the authorization-code request cache,
 * the JWK source, the {@link AuthorizationServerSettings} and the logout redirect handler.
 *
 * <p>All handlers created here share one {@link UniqueRequestResolver} so that the several
 * requests belonging to a single authorization round-trip can be correlated.
 */
@ConditionalOnProperty(prefix = "elitesland.authorization", name = {"type"}, havingValue = "oauth2_server")
@ConditionalOnWebApplication(type = ConditionalOnWebApplication.Type.SERVLET)
@Import({LoginSupportConfig.class})
/* loaded from: input_file:com/elitescloud/cloudt/authorization/api/provider/config/servlet/ServletOAuth2ServerConfig.class */
public class ServletOAuth2ServerConfig extends AbstractServletSecurityConfig {
    private static final Logger LOG = LogManager.getLogger(ServletOAuth2ServerConfig.class);

    /** Optional customizers handed to the login filter configurer of the default chain. */
    private ObjectProvider<LoginFilterCustomizer<HttpSecurity>> loginFilterCustomizers;
    /** Optional verifiers handed to the authorization-code user configurer. */
    private ObjectProvider<OAuth2AuthorizationCodeUserVerifier> userVerifiers;
    /** Resolver shared by every handler in this configuration; see {@link #getOAuth2UniqueRequestResolver()}. */
    private final UniqueRequestResolver uniqueRequestResolver = getOAuth2UniqueRequestResolver();

    /**
     * Filter chain guarding the authorization-server protocol endpoints (authorization, token,
     * client authentication, OIDC userinfo).
     *
     * <p>Ordered with {@code Integer.MIN_VALUE} so it is matched before any other chain; it only
     * applies to requests matched by the configurer's endpoints matcher. Registered only when no
     * bean named {@code authorizationServerSecurityFilterChain} exists.
     *
     * @param httpSecurity builder for this chain
     * @param oAuth2AuthorizationCodeRequestCache cache of pending authorization-code requests
     * @param authorizationServerSettings endpoint settings (the authorization endpoint path is used)
     * @param registeredClientRepository client lookup for the login-page entry point
     * @return the built chain
     * @throws Exception propagated from {@link HttpSecurity#build()} and the configurers
     */
    @ConditionalOnMissingBean(name = {"authorizationServerSecurityFilterChain"})
    @Bean({"authorizationServerSecurityFilterChain"})
    @Order(Integer.MIN_VALUE)
    public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity httpSecurity, OAuth2AuthorizationCodeRequestCache oAuth2AuthorizationCodeRequestCache, AuthorizationServerSettings authorizationServerSettings, RegisteredClientRepository registeredClientRepository) throws Exception {
        RequestCache savedRequestCache = AbstractServletSecurityConfig.getRequestCache();

        OAuth2AuthenticationFailHandler failHandler = new OAuth2AuthenticationFailHandler();
        OAuth2ServerJsonAuthenticationEntryPointHandler jsonEntryPoint = new OAuth2ServerJsonAuthenticationEntryPointHandler(oAuth2AuthorizationCodeRequestCache, authorizationServerSettings.getAuthorizationEndpoint());
        jsonEntryPoint.setUniqueRequestResolver(this.uniqueRequestResolver);
        DefaultAccessDeniedHandler accessDeniedHandler = new DefaultAccessDeniedHandler();

        OAuth2AuthorizationServerConfigurer serverConfigurer = new OAuth2AuthorizationServerConfigurer();
        // The matcher is obtained before the endpoints are customised, as in the original wiring.
        RequestMatcher endpointsMatcher = serverConfigurer.getEndpointsMatcher();
        configureProtocolEndpoints(serverConfigurer, failHandler);

        httpSecurity.requestMatcher(endpointsMatcher);
        httpSecurity.authorizeRequests(registry -> registry.anyRequest().authenticated());
        httpSecurity.csrf(csrf -> {
            // An explicit "false" switches CSRF off for this chain; otherwise the protocol
            // endpoints are merely excluded from the CSRF check.
            if (Boolean.FALSE.equals(this.authorizationProperties.getCsrfEnabled())) {
                csrf.disable();
                return;
            }
            csrf.ignoringRequestMatchers(endpointsMatcher);
        });
        httpSecurity.apply(serverConfigurer);
        httpSecurity.apply(new OAuth2AuthorizationCodeStateFilterSecurityConfigurer(authorizationServerSettings))
                .uniqueRequestResolver(this.uniqueRequestResolver);
        httpSecurity.apply(new OAuth2AuthorizationCodeUserSecurityConfigurer(authorizationServerSettings))
                .userVerifiers(this.userVerifiers);
        httpSecurity.exceptionHandling(exceptions -> {
            String loginPage = this.authorizationProperties.getLoginPage();
            if (StringUtils.hasText(loginPage)) {
                OAuth2ServerLoginUrlAuthenticationEntryPointHandler loginEntryPoint = new OAuth2ServerLoginUrlAuthenticationEntryPointHandler(loginPage, registeredClientRepository, oAuth2AuthorizationCodeRequestCache);
                loginEntryPoint.setUniqueRequestResolver(this.uniqueRequestResolver);
                loginEntryPoint.setRequestCache(savedRequestCache);
                // Registration order matters: a request carrying "X-Auth-Redirect: false" is
                // answered by the JSON entry point, everything else is sent to the login page.
                exceptions.defaultAuthenticationEntryPointFor(jsonEntryPoint, new RequestHeaderRequestMatcher("X-Auth-Redirect", "false"));
                exceptions.defaultAuthenticationEntryPointFor(loginEntryPoint, new AntPathRequestMatcher("/**"));
            } else {
                // No login page configured: unauthenticated requests always get the JSON response.
                exceptions.authenticationEntryPoint(jsonEntryPoint);
            }
            exceptions.accessDeniedHandler(accessDeniedHandler);
        });
        httpSecurity.oauth2ResourceServer(super.oauth2ResourceServer());
        corsConfiguration(httpSecurity);
        return httpSecurity.build();
    }

    /**
     * Installs the project's response/error handlers on the protocol endpoints and the OIDC
     * userinfo mapper on the OIDC configurer.
     *
     * @param serverConfigurer configurer to customise
     * @param failHandler error handler shared by client authentication and the token endpoint
     */
    private void configureProtocolEndpoints(OAuth2AuthorizationServerConfigurer serverConfigurer, OAuth2AuthenticationFailHandler failHandler) {
        OAuth2AuthorizationErrorResponseHandler authorizationErrorHandler = new OAuth2AuthorizationErrorResponseHandler();
        serverConfigurer
                .authorizationEndpoint(authorization -> authorization
                        .errorResponseHandler(authorizationErrorHandler)
                        .authorizationResponseHandler(new OAuth2AuthorizationResponseHandler()))
                .clientAuthentication(clientAuth -> clientAuth.errorResponseHandler(failHandler))
                .tokenEndpoint(token -> token
                        .errorResponseHandler(failHandler)
                        .accessTokenResponseHandler(new OAuth2AccessTokenResponseHandler()))
                .oidc(oidc -> oidc.userInfoEndpoint(userInfo -> userInfo.userInfoMapper(oidcUserInfoMapper())));
    }

    /**
     * Default filter chain: the base configuration from {@link AbstractServletSecurityConfig}
     * plus the login filter, whose success and failure handlers continue the pending
     * authorization-code flow. Registered only when no bean named
     * {@code defaultSecurityFilterChain} exists.
     *
     * @param httpSecurity builder for this chain
     * @param tokenGenerator generator set on the success handler
     * @param oAuth2AuthorizationCodeRequestCache cache of pending authorization-code requests
     * @param registeredClientRepository client lookup used by the success handler
     * @param oAuth2AuthorizationService authorization store used by the success handler
     * @param authorizationServerSettings endpoint settings (the authorization endpoint path is used)
     * @return the built chain
     * @throws Exception propagated from {@link HttpSecurity#build()} and the configurers
     */
    @ConditionalOnMissingBean(name = {"defaultSecurityFilterChain"})
    @Bean({"defaultSecurityFilterChain"})
    public SecurityFilterChain defaultSecurityFilterChain(HttpSecurity httpSecurity, TokenGenerator tokenGenerator, OAuth2AuthorizationCodeRequestCache oAuth2AuthorizationCodeRequestCache, RegisteredClientRepository registeredClientRepository, OAuth2AuthorizationService oAuth2AuthorizationService, AuthorizationServerSettings authorizationServerSettings) throws Exception {
        RequestCache savedRequestCache = AbstractServletSecurityConfig.getRequestCache();

        OAuth2ServerAuthenticationSuccessHandler successHandler = new OAuth2ServerAuthenticationSuccessHandler(authorizationServerSettings.getAuthorizationEndpoint(), this.authorizationProperties, oAuth2AuthorizationCodeRequestCache, registeredClientRepository, oAuth2AuthorizationService);
        successHandler.setTokenGenerator(tokenGenerator);
        // One delegate callable is shared by both handlers.
        DelegateAuthenticationCallable callable = getDelegateAuthenticationCallable();
        successHandler.setAuthenticationCallable(callable);
        successHandler.setUniqueRequestResolver(this.uniqueRequestResolver);
        successHandler.setRequestCache(savedRequestCache);

        OAuth2ServerAuthenticationFailureHandler failureHandler = new OAuth2ServerAuthenticationFailureHandler(callable, oAuth2AuthorizationCodeRequestCache);
        failureHandler.setUniqueRequestResolver(this.uniqueRequestResolver);
        failureHandler.setRequestCache(savedRequestCache);

        super.defaultSecurityConfig(httpSecurity)
                .apply(new LoginFilterSecurityConfigurer(this.loginFilterCustomizers))
                .successHandler(successHandler)
                .failureHandler(failureHandler);
        return httpSecurity.build();
    }

    /**
     * Redis-backed cache of pending authorization-code requests, unless the application supplies its own.
     *
     * @param redisHelper Redis access used by the cache
     * @return the cache bean
     */
    @ConditionalOnMissingBean
    @Bean
    public OAuth2AuthorizationCodeRequestCache oAuth2AuthorizationCodeRequestCache(RedisHelper redisHelper) {
        return new RedisOAuth2AuthorizationCodeRequestCache(redisHelper);
    }

    /**
     * JWK source backing token signing, derived from the configured RSA key.
     *
     * @param rSAKey the server's RSA key bean
     * @return the JWK source
     */
    @Bean
    public JWKSource<SecurityContext> jwkSource(RSAKey rSAKey) {
        return JwtUtil.generateJwkSource(rSAKey);
    }

    /**
     * Authorization-server settings; the issuer is taken from
     * {@code authorizationProperties.issuerUrl} when that property is non-blank.
     *
     * @return the settings bean
     */
    @Bean
    public AuthorizationServerSettings authorizationServerSettings() {
        String issuer = this.authorizationProperties.getIssuerUrl();
        AuthorizationServerSettings.Builder settings = AuthorizationServerSettings.builder();
        return StringUtils.hasText(issuer) ? settings.issuer(issuer).build() : settings.build();
    }

    /**
     * Injects the optional login filter customizers.
     *
     * @param objectProvider provider of {@link LoginFilterCustomizer} beans
     */
    @Autowired
    public void setLoginFilterCustomizers(ObjectProvider<LoginFilterCustomizer<HttpSecurity>> objectProvider) {
        this.loginFilterCustomizers = objectProvider;
    }

    /**
     * Injects the optional authorization-code user verifiers.
     *
     * @param objectProvider provider of {@link OAuth2AuthorizationCodeUserVerifier} beans
     */
    @Autowired
    public void setAuth2AuthorizeUserVerifiers(ObjectProvider<OAuth2AuthorizationCodeUserVerifier> objectProvider) {
        this.userVerifiers = objectProvider;
    }

    /**
     * Authentication callable for the OAuth2 server mode, bound to this configuration.
     *
     * @return the callable bean
     */
    @Bean
    public AuthenticationCallable oauth2AuthenticationCallable() {
        return new a(this);
    }

    /**
     * Logout handler that redirects back to the registered client, sharing the request cache
     * and unique-request resolver used by the rest of this configuration.
     *
     * @param oAuth2AuthorizationCodeRequestCache cache of pending authorization-code requests
     * @param registeredClientRepository client lookup
     * @return the handler bean
     */
    @Bean
    public OAuth2ServerLogoutRedirectHandler oAuth2ServerLogoutRedirectHandler(OAuth2AuthorizationCodeRequestCache oAuth2AuthorizationCodeRequestCache, RegisteredClientRepository registeredClientRepository) {
        OAuth2ServerLogoutRedirectHandler logoutHandler = new OAuth2ServerLogoutRedirectHandler(registeredClientRepository, this.authorizationProperties, oAuth2AuthorizationCodeRequestCache);
        logoutHandler.setRequestCache(AbstractServletSecurityConfig.getRequestCache());
        logoutHandler.setUniqueRequestResolver(this.uniqueRequestResolver);
        return logoutHandler;
    }

    /**
     * Creates the resolver that identifies a browser's authorization round-trip under the
     * name {@code X-OAuth2-Urq}.
     *
     * @return a freshly configured resolver
     */
    public static UniqueRequestResolver getOAuth2UniqueRequestResolver() {
        DefaultUniquestResolver resolver = new DefaultUniquestResolver("X-OAuth2-Urq");
        // NOTE(review): -1 presumably means a session-scoped cookie (no persistent max-age) —
        // confirm against DefaultUniquestResolver.
        resolver.setCookieMaxAge(-1);
        return resolver;
    }

    /**
     * Maps an authorization to the OIDC userinfo response.
     *
     * <p>When the stored principal is an {@link AbstractCustomAuthenticationToken} wrapping a
     * {@link GeneralUserDetails}, the response carries username (as subject), pretty name,
     * mobile, e-mail and two custom claims: {@code cloudt_ui} (user id) and {@code cloudt_tl}
     * (the token's terminal). Any other principal yields a subject-only response.
     *
     * @return the mapper function handed to the userinfo endpoint
     */
    private Function<OidcUserInfoAuthenticationContext, OidcUserInfo> oidcUserInfoMapper() {
        return context -> {
            OAuth2Authorization authorization = context.getAuthorization();
            Object principal = authorization.getAttribute(Principal.class.getName());
            if (principal instanceof AbstractCustomAuthenticationToken) {
                AbstractCustomAuthenticationToken token = (AbstractCustomAuthenticationToken) principal;
                GeneralUserDetails details = (GeneralUserDetails) token.getPrincipal();
                return OidcUserInfo.builder()
                        .subject(details.getUsername())
                        .name(details.getUser().getPrettyName())
                        .phoneNumber(details.getUser().getMobile())
                        .email(details.getUser().getEmail())
                        .claim("cloudt_ui", details.getUserId())
                        .claim("cloudt_tl", token.getTerminal())
                        .build();
            }
            // Unknown principal type: expose nothing beyond the principal name.
            return OidcUserInfo.builder().subject(authorization.getPrincipalName()).build();
        };
    }
}
