package com.elitesland.cloudt.authorization.api.provider.config.servlet;

import com.elitesland.cloudt.authorization.api.client.config.security.AbstractServletSecurityConfig;
import com.elitesland.cloudt.authorization.api.client.config.security.handler.DefaultAccessDeniedHandler;
import com.elitesland.cloudt.authorization.api.client.config.security.handler.DefaultAuthenticationFailureHandler;
import com.elitesland.cloudt.authorization.api.client.tool.RedisHelper;
import com.elitesland.cloudt.authorization.api.client.util.JwtUtil;
import com.elitesland.cloudt.authorization.api.provider.config.LoginSupportConfig;
import com.elitesland.cloudt.authorization.api.provider.provider.task.AutoClearExpiredTokenTask;
import com.elitesland.cloudt.authorization.api.provider.security.configurer.LoginFilterSecurityConfigurer;
import com.elitesland.cloudt.authorization.api.provider.security.configurer.OAuth2AuthorizationCodeStateFilterSecurityConfigurer;
import com.elitesland.cloudt.authorization.api.provider.security.configurer.support.LoginFilterCustomizer;
import com.elitesland.cloudt.authorization.api.provider.security.generator.token.TokenGenerator;
import com.elitesland.cloudt.authorization.api.provider.security.handler.oauth2.server.OAuth2AccessTokenResponseHandler;
import com.elitesland.cloudt.authorization.api.provider.security.handler.oauth2.server.OAuth2AuthorizationResponseHandler;
import com.elitesland.cloudt.authorization.api.provider.security.handler.oauth2.server.OAuth2ServerAuthenticationEntryPointHandler;
import com.elitesland.cloudt.authorization.api.provider.security.handler.oauth2.server.OAuth2ServerAuthenticationSuccessHandler;
import com.elitesland.cloudt.authorization.api.provider.security.handler.oauth2.server.OAuth2ServerErrorResponseHandler;
import com.elitesland.cloudt.authorization.api.provider.security.handler.oauth2.server.support.OAuth2AuthorizationCodeRequestCache;
import com.elitesland.cloudt.authorization.api.provider.security.impl.RedisOAuth2AuthorizationCodeRequestCache;
import com.elitesland.cloudt.authorization.api.provider.service.OAuth2AuthenticationService;
import com.elitesland.cloudt.authorization.api.provider.service.impl.JPAOAuth2AuthenticationServiceImpl;
import com.elitesland.cloudt.authorization.api.provider.service.impl.JpaOAuth2AuthorizationConsentService;
import com.elitesland.cloudt.authorization.api.provider.service.impl.JpaOAuth2AuthorizationService;
import com.elitesland.cloudt.authorization.api.provider.service.impl.JpaRegisteredClientRepository;
import com.elitesland.cloudt.authorization.api.provider.service.repository.OAuth2AuthenticationRepo;
import com.elitesland.cloudt.authorization.api.provider.service.repository.OAuth2AuthenticationRepoProc;
import com.elitesland.cloudt.authorization.api.provider.service.repository.OAuth2AuthorizationConsentRepo;
import com.elitesland.cloudt.authorization.api.provider.service.repository.OAuth2AuthorizationConsentRepoProc;
import com.elitesland.cloudt.authorization.api.provider.service.repository.OAuth2RegisteredClientRepo;
import com.elitesland.cloudt.authorization.api.provider.service.repository.OAuth2RegisteredClientRepoProc;
import com.elitesland.yst.security.entity.GeneralUserDetails;
import com.nimbusds.jose.jwk.RSAKey;
import com.nimbusds.jose.jwk.source.JWKSource;
import com.nimbusds.jose.proc.SecurityContext;
import java.security.Principal;
import java.time.Duration;
import java.util.function.Function;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.springframework.beans.factory.ObjectProvider;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.autoconfigure.condition.ConditionalOnBean;
import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication;
import org.springframework.boot.autoconfigure.domain.EntityScan;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Import;
import org.springframework.core.annotation.Order;
import org.springframework.data.jpa.repository.JpaRepository;
import org.springframework.data.jpa.repository.config.EnableJpaRepositories;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer;
import org.springframework.security.config.annotation.web.configurers.oauth2.server.authorization.OAuth2AuthorizationServerConfigurer;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.core.oidc.OidcUserInfo;
import org.springframework.security.oauth2.server.authorization.OAuth2Authorization;
import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationConsentService;
import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository;
import org.springframework.security.oauth2.server.authorization.config.ProviderSettings;
import org.springframework.security.oauth2.server.authorization.oidc.authentication.OidcUserInfoAuthenticationContext;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.RequestHeaderRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.util.Assert;
import org.springframework.util.StringUtils;

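/**
 * Spring Security configuration for the OAuth2 / OIDC authorization-server role
 * ({@code elitesland.authorization.type=oauth2_server}, servlet stack).
 *
 * <p>Two filter chains are registered:
 * <ul>
 *   <li>{@code authorizationServerSecurityFilterChain} (highest precedence) – covers only the
 *       protocol endpoints matched by {@link OAuth2AuthorizationServerConfigurer}; every request
 *       must be authenticated, error/response handlers are replaced with project variants.</li>
 *   <li>{@code defaultSecurityFilterChain} – the login / application chain built by
 *       {@link AbstractServletSecurityConfig#defaultSecurityConfig(HttpSecurity)} plus the
 *       project login filter.</li>
 * </ul>
 *
 * <p>Persistence of clients, authorizations and consents is JPA-backed (see {@link ConfigOnJpa});
 * the authorization-code request cache is Redis-backed and only registered when a
 * {@link RedisHelper} bean exists.
 */
@EnableJpaRepositories({"com.elitesland.cloudt.authorization.api.provider.service.repository"})
@EntityScan({"com.elitesland.cloudt.authorization.api.provider.model.entity"})
@ConditionalOnProperty(prefix = "elitesland.authorization", name = {"type"}, havingValue = "oauth2_server")
@ConditionalOnWebApplication(type = ConditionalOnWebApplication.Type.SERVLET)
@Import({ServletOAuth2ClientConfig.class, ConfigOnJpa.class, LoginSupportConfig.class})
/* loaded from: input_file:com/elitesland/cloudt/authorization/api/provider/config/servlet/ServletOAuth2ServerConfig.class */
public class ServletOAuth2ServerConfig extends AbstractServletSecurityConfig {
    private static final Logger log = LogManager.getLogger(ServletOAuth2ServerConfig.class);

    /** OIDC scope that authorizes release of the {@code email} claim (OIDC Core 5.4). */
    private static final String SCOPE_EMAIL = "email";
    /** OIDC scope that authorizes release of the {@code phone_number} claim (OIDC Core 5.4). */
    private static final String SCOPE_PHONE = "phone";
    /** Request header a client sends to opt out of the login-page redirect on 401. */
    private static final String NO_REDIRECT_HEADER = "X-Auth-Redirect";

    /**
     * Issuer used for this authorization server. Note that this deliberately reuses the
     * resource-server property so that tokens issued here validate against the same issuer.
     */
    @Value("${spring.security.oauth2.resourceserver.jwt.issuer-uri:#{null}}")
    private String issuerUri;
    private ObjectProvider<LoginFilterCustomizer<HttpSecurity>> loginFilterCustomizers;

    /**
     * JPA-backed defaults for the authorization-server stores. Each bean is only created when
     * the application has not supplied its own implementation.
     */
    @ConditionalOnClass({JpaRepository.class})
    /* loaded from: input_file:com/elitesland/cloudt/authorization/api/provider/config/servlet/ServletOAuth2ServerConfig$ConfigOnJpa.class */
    static class ConfigOnJpa {
        ConfigOnJpa() {
        }

        /** Registered OAuth2 clients (client id, secret, redirect URIs, scopes). */
        @ConditionalOnMissingBean
        @Bean
        public RegisteredClientRepository registeredClientRepository(OAuth2RegisteredClientRepo oAuth2RegisteredClientRepo, OAuth2RegisteredClientRepoProc oAuth2RegisteredClientRepoProc) {
            return new JpaRegisteredClientRepository(oAuth2RegisteredClientRepo, oAuth2RegisteredClientRepoProc);
        }

        /** Issued authorizations (codes, access/refresh tokens and their state). */
        @ConditionalOnMissingBean
        @Bean
        public OAuth2AuthorizationService authorizationService(RegisteredClientRepository registeredClientRepository, OAuth2AuthenticationRepo oAuth2AuthenticationRepo, OAuth2AuthenticationRepoProc oAuth2AuthenticationRepoProc) {
            return new JpaOAuth2AuthorizationService(registeredClientRepository, oAuth2AuthenticationRepo, oAuth2AuthenticationRepoProc);
        }

        /** User consent decisions per client. */
        @ConditionalOnMissingBean
        @Bean
        public OAuth2AuthorizationConsentService authorizationConsentService(RegisteredClientRepository registeredClientRepository, OAuth2AuthorizationConsentRepo oAuth2AuthorizationConsentRepo, OAuth2AuthorizationConsentRepoProc oAuth2AuthorizationConsentRepoProc) {
            return new JpaOAuth2AuthorizationConsentService(registeredClientRepository, oAuth2AuthorizationConsentRepo, oAuth2AuthorizationConsentRepoProc);
        }

        /** Project-level query service over the authorization table (used by the cleanup task). */
        @ConditionalOnMissingBean
        @Bean
        public OAuth2AuthenticationService oAuth2AuthenticationService(OAuth2AuthenticationRepoProc oAuth2AuthenticationRepoProc) {
            return new JPAOAuth2AuthenticationServiceImpl(oAuth2AuthenticationRepoProc);
        }
    }

    /**
     * Filter chain for the OAuth2 protocol endpoints only (authorize, token, introspect, revoke,
     * JWKS, OIDC userinfo ...). Ordered first so it wins over the application chain.
     *
     * @param httpSecurity                       builder for this chain
     * @param providerSettings                   issuer / endpoint paths (see {@link #providerSettings()})
     * @param oAuth2AuthorizationCodeRequestCache cache of pending authorization requests, consulted
     *                                           by the entry point when an unauthenticated client hits
     *                                           the authorization endpoint
     * @return the built chain
     * @throws Exception propagated from {@link HttpSecurity#build()}
     */
    @ConditionalOnMissingBean(name = {"authorizationServerSecurityFilterChain"})
    @Bean({"authorizationServerSecurityFilterChain"})
    @Order(Integer.MIN_VALUE)
    public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity httpSecurity, ProviderSettings providerSettings, OAuth2AuthorizationCodeRequestCache oAuth2AuthorizationCodeRequestCache) throws Exception {
        DefaultAuthenticationFailureHandler failureHandler = new DefaultAuthenticationFailureHandler();
        OAuth2ServerAuthenticationEntryPointHandler serverEntryPoint = new OAuth2ServerAuthenticationEntryPointHandler(oAuth2AuthorizationCodeRequestCache, providerSettings.getAuthorizationEndpoint());
        DefaultAccessDeniedHandler accessDeniedHandler = new DefaultAccessDeniedHandler();

        OAuth2AuthorizationServerConfigurer authorizationServerConfigurer = new OAuth2AuthorizationServerConfigurer();
        RequestMatcher endpointsMatcher = authorizationServerConfigurer.getEndpointsMatcher();
        authorizationServerConfigurer
                .authorizationEndpoint(authorizationEndpoint -> authorizationEndpoint
                        .errorResponseHandler(new OAuth2ServerErrorResponseHandler())
                        .authorizationResponseHandler(new OAuth2AuthorizationResponseHandler()))
                .clientAuthentication(clientAuthentication -> clientAuthentication
                        .errorResponseHandler(failureHandler))
                .tokenEndpoint(tokenEndpoint -> tokenEndpoint
                        .errorResponseHandler(failureHandler)
                        .accessTokenResponseHandler(new OAuth2AccessTokenResponseHandler()))
                .oidc(oidc -> oidc.userInfoEndpoint(userInfo -> userInfo.userInfoMapper(oidcUserInfoMapper())));

        httpSecurity
                .requestMatcher(endpointsMatcher)
                .authorizeRequests(registry -> registry.anyRequest().authenticated())
                .apply(authorizationServerConfigurer)
                .and()
                .apply(new OAuth2AuthorizationCodeStateFilterSecurityConfigurer())
                .and()
                .exceptionHandling(exceptionHandling -> {
                    if (StringUtils.hasText(this.authorizationProperties.getLoginPage())) {
                        // Browser clients are redirected to the login page; API clients that send
                        // "X-Auth-Redirect: false" get the JSON/OAuth2 entry point instead. The
                        // header matcher is registered first so it takes precedence over "/**".
                        exceptionHandling
                                .defaultAuthenticationEntryPointFor(serverEntryPoint, new RequestHeaderRequestMatcher(NO_REDIRECT_HEADER, "false"))
                                .defaultAuthenticationEntryPointFor(new LoginUrlAuthenticationEntryPoint(this.authorizationProperties.getLoginPage()), new AntPathRequestMatcher("/**"));
                    } else {
                        exceptionHandling.authenticationEntryPoint(serverEntryPoint);
                    }
                    exceptionHandling.accessDeniedHandler(accessDeniedHandler);
                });

        // The protocol endpoints also accept bearer tokens (e.g. userinfo, introspection).
        httpSecurity.oauth2ResourceServer(super.oauth2ResourceServer());

        if (Boolean.FALSE.equals(this.authorizationProperties.getCsrfEnabled())) {
            // Explicit opt-out: disables CSRF for every request on this chain, including any
            // browser-facing POST it serves. Prefer the default branch unless there is a reason.
            httpSecurity.csrf().disable();
        } else {
            // Protocol endpoints are exempted from CSRF because they are authenticated by client
            // credentials / bearer tokens rather than a browser session.
            httpSecurity.csrf().ignoringRequestMatchers(endpointsMatcher);
        }
        corsConfiguration(httpSecurity);
        return httpSecurity.build();
    }

    /**
     * Application / login filter chain. Built from the base configuration and extended with the
     * project login filter whose success handler completes a pending authorization-code request.
     *
     * @throws Exception propagated from {@link HttpSecurity#build()}
     */
    @ConditionalOnMissingBean(name = {"defaultSecurityFilterChain"})
    @Bean({"defaultSecurityFilterChain"})
    public SecurityFilterChain defaultSecurityFilterChain(HttpSecurity httpSecurity, ProviderSettings providerSettings, TokenGenerator tokenGenerator, OAuth2AuthorizationCodeRequestCache oAuth2AuthorizationCodeRequestCache, RegisteredClientRepository registeredClientRepository, OAuth2AuthorizationService oAuth2AuthorizationService) throws Exception {
        OAuth2ServerAuthenticationSuccessHandler successHandler = new OAuth2ServerAuthenticationSuccessHandler(providerSettings.getAuthorizationEndpoint(), this.authorizationProperties, oAuth2AuthorizationCodeRequestCache, registeredClientRepository, oAuth2AuthorizationService);
        successHandler.setTokenGenerator(tokenGenerator);
        successHandler.setAuthenticationCallable(getDelegateAuthenticationCallable());

        super.defaultSecurityConfig(httpSecurity)
                .apply(new LoginFilterSecurityConfigurer(this.loginFilterCustomizers))
                .successHandler(successHandler)
                .failureHandler(new DefaultAuthenticationFailureHandler());
        return httpSecurity.build();
    }

    /** Redis-backed cache of in-flight authorization requests; only when Redis is configured. */
    @ConditionalOnMissingBean
    @ConditionalOnBean({RedisHelper.class})
    @Bean
    public OAuth2AuthorizationCodeRequestCache oAuth2AuthorizationCodeRequestCache(RedisHelper redisHelper) {
        return new RedisOAuth2AuthorizationCodeRequestCache(redisHelper);
    }

    /**
     * Signing key set for issued JWTs, derived from the application's {@link RSAKey} bean.
     * The key material itself is owned by whoever provides that bean.
     */
    @Bean
    public JWKSource<SecurityContext> jwkSource(RSAKey rSAKey) {
        return JwtUtil.generateJwkSource(rSAKey);
    }

    /**
     * Authorization-server settings. The issuer is mandatory: it ends up in the {@code iss} claim of
     * every issued token and in the discovery document, so a missing value fails fast at startup.
     */
    @Bean
    public ProviderSettings providerSettings() {
        Assert.hasText(this.issuerUri, "spring.security.oauth2.resourceserver.jwt.issuer-uri不可为空");
        return ProviderSettings.builder().issuer(this.issuerUri).build();
    }

    /** Periodic purge of expired authorizations, every two hours. */
    @ConditionalOnBean({OAuth2AuthenticationService.class})
    @Bean
    public AutoClearExpiredTokenTask autoClearExpiredTokenTask(OAuth2AuthenticationService oAuth2AuthenticationService) {
        return new AutoClearExpiredTokenTask(oAuth2AuthenticationService, Duration.ofHours(2L));
    }

    @Autowired
    public void setLoginFilterCustomizers(ObjectProvider<LoginFilterCustomizer<HttpSecurity>> objectProvider) {
        this.loginFilterCustomizers = objectProvider;
    }

    /**
     * Maps an authorization to the OIDC userinfo response.
     *
     * <p>Supplying a custom mapper replaces Spring Authorization Server's default one, and with it
     * the default scope-based claim filtering. This mapper therefore applies that filtering itself:
     * {@code email} is released only when the {@code email} scope was granted and
     * {@code phone_number} only for the {@code phone} scope. The project-specific
     * {@code yst_*} claims are always included for a {@link GeneralUserDetails} principal.
     *
     * <p>If the authorization carries no {@link Principal} attribute, or the principal is not a
     * {@link GeneralUserDetails}, only {@code sub} is returned.
     */
    private Function<OidcUserInfoAuthenticationContext, OidcUserInfo> oidcUserInfoMapper() {
        return context -> {
            OAuth2Authorization authorization = context.getAuthorization();
            Object principal = resolvePrincipal(authorization);
            if (!(principal instanceof GeneralUserDetails)) {
                return OidcUserInfo.builder().subject(authorization.getPrincipalName()).build();
            }
            GeneralUserDetails userDetails = (GeneralUserDetails) principal;
            OidcUserInfo.Builder builder = OidcUserInfo.builder().subject(userDetails.getUsername());
            // NOTE(review): getUser() is assumed non-null for an authenticated GeneralUserDetails — confirm.
            if (hasScope(authorization, SCOPE_PHONE)) {
                builder.phoneNumber(userDetails.getUser().getMobile());
            }
            if (hasScope(authorization, SCOPE_EMAIL)) {
                builder.email(userDetails.getUser().getEmail());
            }
            return builder
                    .claim("yst_un", userDetails.getUsername())
                    .claim("yst_ui", userDetails.getUserId())
                    .claim("yst_ti", userDetails.getTenantId())
                    .build();
        };
    }

    /**
     * Principal stored with the authorization at code-grant time, or {@code null} when the
     * authorization has no {@link Principal} attribute (the original code dereferenced this
     * unconditionally and would NPE).
     */
    private static Object resolvePrincipal(OAuth2Authorization authorization) {
        Authentication authentication = authorization.getAttribute(Principal.class.getName());
        return authentication == null ? null : authentication.getPrincipal();
    }

    /** Whether the authorization's access token was granted the given scope. */
    private static boolean hasScope(OAuth2Authorization authorization, String scope) {
        if (authorization.getAccessToken() == null) {
            return false;
        }
        return authorization.getAccessToken().getToken().getScopes().contains(scope);
    }
}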
