package io.choerodon.resource.security;

import io.choerodon.core.oauth.CustomTokenConverter;
import io.choerodon.resource.permission.PublicPermissionOperationPlugin;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Primary;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.expression.OAuth2WebSecurityExpressionHandler;
import org.springframework.security.oauth2.provider.token.DefaultTokenServices;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;
import org.springframework.security.oauth2.provider.token.store.JwtTokenStore;

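/**
 * Resource-server configuration that validates incoming JWT access tokens.
 *
 * <p>Every request under {@code /**} is authorized by the SpEL expression
 * {@code @jwtTokenParser.extractor(request)}; authentication failures are handed to
 * {@link CustomAuthExceptionEntryPoint}. Tokens are read through a {@link JwtTokenStore}
 * whose converter is keyed with the value of {@code choerodon.oauth.jwt.key}.
 *
 * <p><strong>Security note:</strong> the signing key falls back to the literal
 * {@code "choerodon"} when the property is not set. Anyone who knows that value can mint
 * tokens this service will accept, so deployments must override it with a unique,
 * high-entropy secret shared only with the token issuer.
 */
@EnableResourceServer
/* loaded from: input_file:io/choerodon/resource/security/JwtResourceServerConfig.class */
public class JwtResourceServerConfig extends ResourceServerConfigurerAdapter {
    private static final Logger LOGGER = LoggerFactory.getLogger(JwtResourceServerConfig.class);

    /** Built-in fallback of {@code choerodon.oauth.jwt.key}; must match the default in the {@code @Value} below. */
    private static final String DEFAULT_JWT_KEY = "choerodon";

    // JWT signing/verification key; never log this value.
    private final String key;
    // Handed unchanged to JwtTokenParser; may be null when the property is absent.
    // NOTE(review): presumably the request paths exempt from JWT checks — confirm in JwtTokenParser.
    private final String[] jwtIgnore;
    private final OAuth2WebSecurityExpressionHandler expressionHandler;

    /**
     * Creates the configuration from externalized properties.
     *
     * @param str the JWT key from {@code choerodon.oauth.jwt.key} (defaults to {@code "choerodon"})
     * @param strArr the value of {@code choerodon.resource.jwt.ignore}, or {@code null} when unset
     * @param oAuth2WebSecurityExpressionHandler expression handler installed on the resource server
     */
    public JwtResourceServerConfig(@Value("${choerodon.oauth.jwt.key:choerodon}") String str, @Value("${choerodon.resource.jwt.ignore:#{null}}") String[] strArr, OAuth2WebSecurityExpressionHandler oAuth2WebSecurityExpressionHandler) {
        this.key = str;
        this.jwtIgnore = strArr;
        this.expressionHandler = oAuth2WebSecurityExpressionHandler;
        if (DEFAULT_JWT_KEY.equals(str)) {
            // Surface the weak configuration at startup; the key itself is deliberately not logged.
            LOGGER.warn("choerodon.oauth.jwt.key is unset or equal to the built-in default; "
                    + "tokens signed with a publicly known key can be forged. Configure a unique secret.");
        }
    }

    /**
     * Routes authorization of every request through {@code @jwtTokenParser.extractor(request)}.
     *
     * @param httpSecurity the security builder supplied by the framework
     * @throws Exception if the builder rejects the configuration
     */
    @Override
    public void configure(HttpSecurity httpSecurity) throws Exception {
        httpSecurity
                .exceptionHandling()
                .authenticationEntryPoint(new CustomAuthExceptionEntryPoint())
                .and()
                .antMatcher("/**")
                .authorizeRequests()
                .anyRequest()
                .access("@jwtTokenParser.extractor(request)");
    }

    /**
     * Installs the JWT-backed token services and the injected expression handler.
     *
     * @param resourceServerSecurityConfigurer the resource-server configurer supplied by the framework
     */
    @Override
    public void configure(ResourceServerSecurityConfigurer resourceServerSecurityConfigurer) {
        resourceServerSecurityConfigurer.tokenServices(tokenServices());
        resourceServerSecurityConfigurer.expressionHandler(this.expressionHandler);
    }

    /**
     * @return a token store that decodes JWTs with {@link #accessTokenConverter()}
     */
    @Bean
    public TokenStore tokenStore() {
        return new JwtTokenStore(accessTokenConverter());
    }

    /**
     * Builds the JWT converter keyed with the configured secret.
     *
     * @return the converter, using {@link CustomTokenConverter} for claim mapping
     */
    @Bean
    public JwtAccessTokenConverter accessTokenConverter() {
        JwtAccessTokenConverter jwtAccessTokenConverter = new JwtAccessTokenConverter();
        jwtAccessTokenConverter.setAccessTokenConverter(new CustomTokenConverter());
        jwtAccessTokenConverter.setSigningKey(this.key);
        try {
            // Called explicitly so the converter is initialized even when this method is
            // invoked directly rather than through the container.
            jwtAccessTokenConverter.afterPropertiesSet();
        } catch (Exception e) {
            // The previous message ended in "{}" with the exception as its only argument, so
            // SLF4J printed the placeholder literally; pass the throwable on its own instead.
            // NOTE(review): startup continues with a converter whose key setup failed —
            // consider failing fast here so a misconfigured verifier is never put in service.
            LOGGER.warn("error.ChoerodonResourceServerConfiguration.accessTokenConverter", e);
        }
        return jwtAccessTokenConverter;
    }

    /**
     * @return the primary token services, backed by {@link #tokenStore()}
     */
    @Bean
    @Primary
    public DefaultTokenServices tokenServices() {
        DefaultTokenServices defaultTokenServices = new DefaultTokenServices();
        defaultTokenServices.setTokenStore(tokenStore());
        return defaultTokenServices;
    }

    /**
     * @return a new {@link JwtTokenExtractor}
     */
    @Bean
    public JwtTokenExtractor jwtTokenExtractor() {
        return new JwtTokenExtractor();
    }

    /**
     * Creates the parser referenced by the authorization expression in
     * {@link #configure(HttpSecurity)}.
     *
     * @param publicPermissionOperationPlugin plugin passed through to the parser
     * @return a parser wired with the ignore list, token services and token extractor
     */
    @Bean
    public JwtTokenParser jwtTokenParser(PublicPermissionOperationPlugin publicPermissionOperationPlugin) {
        return new JwtTokenParser(this.jwtIgnore, publicPermissionOperationPlugin, tokenServices(), jwtTokenExtractor());
    }
}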
