package com.c4_soft.springaddons.security.oidc.starter.reactive.resourceserver;

import com.c4_soft.springaddons.security.oidc.OpenidClaimSet;
import com.c4_soft.springaddons.security.oidc.starter.OpenidProviderPropertiesResolver;
import com.c4_soft.springaddons.security.oidc.starter.properties.NotAConfiguredOpenidProviderException;
import com.c4_soft.springaddons.security.oidc.starter.properties.SpringAddonsOidcProperties;
import com.c4_soft.springaddons.security.oidc.starter.properties.condition.bean.CookieCsrfCondition;
import com.c4_soft.springaddons.security.oidc.starter.properties.condition.bean.DefaultAuthenticationManagerResolverCondition;
import com.c4_soft.springaddons.security.oidc.starter.properties.condition.bean.DefaultCorsWebFilterCondition;
import com.c4_soft.springaddons.security.oidc.starter.properties.condition.bean.DefaultJwtAbstractAuthenticationTokenConverterCondition;
import com.c4_soft.springaddons.security.oidc.starter.properties.condition.bean.DefaultOpaqueTokenAuthenticationConverterCondition;
import com.c4_soft.springaddons.security.oidc.starter.properties.condition.bean.IsIntrospectingResourceServerCondition;
import com.c4_soft.springaddons.security.oidc.starter.properties.condition.bean.IsJwtDecoderResourceServerCondition;
import com.c4_soft.springaddons.security.oidc.starter.properties.condition.configuration.IsNotServlet;
import com.c4_soft.springaddons.security.oidc.starter.properties.condition.configuration.IsOidcResourceServerCondition;
import com.c4_soft.springaddons.security.oidc.starter.reactive.ReactiveConfigurationSupport;
import com.c4_soft.springaddons.security.oidc.starter.reactive.ReactiveSpringAddonsOidcBeans;
import java.time.Instant;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Date;
import java.util.Map;
import org.springframework.boot.autoconfigure.AutoConfiguration;
import org.springframework.boot.autoconfigure.ImportAutoConfiguration;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.boot.autoconfigure.security.oauth2.resource.OAuth2ResourceServerProperties;
import org.springframework.boot.autoconfigure.web.ServerProperties;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Conditional;
import org.springframework.core.annotation.Order;
import org.springframework.core.convert.converter.Converter;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.authentication.ReactiveAuthenticationManagerResolver;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.oauth2.core.OAuth2AccessToken;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.server.resource.authentication.BearerTokenAuthentication;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;
import org.springframework.security.oauth2.server.resource.introspection.OAuth2IntrospectionAuthenticatedPrincipal;
import org.springframework.security.oauth2.server.resource.introspection.ReactiveOpaqueTokenAuthenticationConverter;
import org.springframework.security.oauth2.server.resource.introspection.ReactiveOpaqueTokenIntrospector;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.csrf.CsrfToken;
import org.springframework.web.cors.reactive.CorsWebFilter;
import org.springframework.web.server.ServerWebExchange;
import org.springframework.web.server.WebFilter;
import reactor.core.publisher.Mono;

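/**
 * Reactive (WebFlux) auto-configuration for an OIDC resource server.
 *
 * <p>Registers the {@link SecurityWebFilterChain} (JWT decoding or opaque-token introspection,
 * chosen by condition), default post-processors, the authentication-manager resolver, the
 * authentication converters, an optional CSRF-cookie filter and an optional CORS filter. Every
 * bean is overridable by the application through the {@code @ConditionalOnMissingBean} /
 * {@code @Conditional} guards on each factory method.
 *
 * <p>Only active when {@link IsOidcResourceServerCondition} and {@link IsNotServlet} hold.
 */
@EnableWebFluxSecurity
@AutoConfiguration
@ImportAutoConfiguration({ReactiveSpringAddonsOidcBeans.class})
@Conditional({IsOidcResourceServerCondition.class, IsNotServlet.class})
/* loaded from: input_file:com/c4_soft/springaddons/security/oidc/starter/reactive/resourceserver/ReactiveSpringAddonsOidcResourceServerBeans.class */
public class ReactiveSpringAddonsOidcResourceServerBeans {

    /**
     * Security filter chain for a JWT-decoding resource server (lowest precedence so that
     * application-defined chains are consulted first).
     *
     * <p>Bearer tokens are validated by the authentication manager picked per request by
     * {@code reactiveAuthenticationManagerResolver}; everything else (authorized exchanges, CSRF,
     * CORS, session policy, ...) is delegated to
     * {@link ReactiveConfigurationSupport#configureResourceServer}.
     *
     * @param serverHttpSecurity the builder to configure
     * @param serverProperties Spring Boot server properties
     * @param springAddonsOidcProperties spring-addons OIDC properties
     * @param resourceServerAuthorizeExchangeSpecPostProcessor hook applied to the authorize-exchange spec
     * @param resourceServerReactiveHttpSecurityPostProcessor hook applied to the whole {@code ServerHttpSecurity}
     * @param reactiveAuthenticationManagerResolver selects the authentication manager for each exchange
     * @return the built filter chain
     */
    @Conditional({IsJwtDecoderResourceServerCondition.class})
    @Order(Integer.MAX_VALUE)
    @Bean
    SecurityWebFilterChain springAddonsJwtResourceServerSecurityFilterChain(ServerHttpSecurity serverHttpSecurity, ServerProperties serverProperties, SpringAddonsOidcProperties springAddonsOidcProperties, ResourceServerAuthorizeExchangeSpecPostProcessor resourceServerAuthorizeExchangeSpecPostProcessor, ResourceServerReactiveHttpSecurityPostProcessor resourceServerReactiveHttpSecurityPostProcessor, ReactiveAuthenticationManagerResolver<ServerWebExchange> reactiveAuthenticationManagerResolver) {
        serverHttpSecurity.oauth2ResourceServer(resourceServer -> resourceServer.authenticationManagerResolver(reactiveAuthenticationManagerResolver));
        ReactiveConfigurationSupport.configureResourceServer(serverHttpSecurity, serverProperties, springAddonsOidcProperties, resourceServerAuthorizeExchangeSpecPostProcessor, resourceServerReactiveHttpSecurityPostProcessor);
        return serverHttpSecurity.build();
    }

    /**
     * Security filter chain for an introspecting (opaque-token) resource server (lowest
     * precedence so that application-defined chains are consulted first).
     *
     * <p>Bearer tokens are sent to {@code reactiveOpaqueTokenIntrospector} and the introspection
     * response is turned into an {@code Authentication} by
     * {@code reactiveOpaqueTokenAuthenticationConverter}; the remaining configuration is delegated
     * to {@link ReactiveConfigurationSupport#configureResourceServer}.
     *
     * @param serverHttpSecurity the builder to configure
     * @param serverProperties Spring Boot server properties
     * @param springAddonsOidcProperties spring-addons OIDC properties
     * @param resourceServerAuthorizeExchangeSpecPostProcessor hook applied to the authorize-exchange spec
     * @param resourceServerReactiveHttpSecurityPostProcessor hook applied to the whole {@code ServerHttpSecurity}
     * @param reactiveOpaqueTokenAuthenticationConverter converts an introspection result into an authentication
     * @param reactiveOpaqueTokenIntrospector calls the authorization server's introspection endpoint
     * @return the built filter chain
     */
    @Conditional({IsIntrospectingResourceServerCondition.class})
    @Order(Integer.MAX_VALUE)
    @Bean
    SecurityWebFilterChain springAddonsIntrospectingResourceServerSecurityFilterChain(ServerHttpSecurity serverHttpSecurity, ServerProperties serverProperties, SpringAddonsOidcProperties springAddonsOidcProperties, ResourceServerAuthorizeExchangeSpecPostProcessor resourceServerAuthorizeExchangeSpecPostProcessor, ResourceServerReactiveHttpSecurityPostProcessor resourceServerReactiveHttpSecurityPostProcessor, ReactiveOpaqueTokenAuthenticationConverter reactiveOpaqueTokenAuthenticationConverter, ReactiveOpaqueTokenIntrospector reactiveOpaqueTokenIntrospector) {
        serverHttpSecurity.oauth2ResourceServer(resourceServer -> resourceServer.opaqueToken(opaqueToken -> {
            opaqueToken.introspector(reactiveOpaqueTokenIntrospector);
            opaqueToken.authenticationConverter(reactiveOpaqueTokenAuthenticationConverter);
        }));
        ReactiveConfigurationSupport.configureResourceServer(serverHttpSecurity, serverProperties, springAddonsOidcProperties, resourceServerAuthorizeExchangeSpecPostProcessor, resourceServerReactiveHttpSecurityPostProcessor);
        return serverHttpSecurity.build();
    }

    /**
     * Default access rule: every exchange not already matched must be authenticated. Override by
     * exposing your own {@link ResourceServerAuthorizeExchangeSpecPostProcessor} bean.
     *
     * @return a post-processor requiring authentication on {@code anyExchange()}
     */
    @ConditionalOnMissingBean
    @Bean
    ResourceServerAuthorizeExchangeSpecPostProcessor authorizePostProcessor() {
        return authorizeExchangeSpec -> authorizeExchangeSpec.anyExchange().authenticated();
    }

    /**
     * Default {@code ServerHttpSecurity} post-processor: a no-op that returns its argument
     * untouched. Override by exposing your own {@link ResourceServerReactiveHttpSecurityPostProcessor}.
     *
     * @return an identity post-processor
     */
    @ConditionalOnMissingBean
    @Bean
    ResourceServerReactiveHttpSecurityPostProcessor httpPostProcessor() {
        return serverHttpSecurity -> serverHttpSecurity;
    }

    /**
     * Default factory for per-issuer reactive JWT decoders.
     *
     * @return a {@link DefaultSpringAddonsReactiveJwtDecoderFactory}
     */
    @ConditionalOnMissingBean
    @Bean
    SpringAddonsReactiveJwtDecoderFactory springAddonsJwtDecoderFactory() {
        return new DefaultSpringAddonsReactiveJwtDecoderFactory();
    }

    /**
     * Resolves, per exchange, the authentication manager to use (multi-tenant JWT resource
     * server: one decoder per configured OpenID provider).
     *
     * @param openidProviderPropertiesResolver maps a token's claims to the matching OP configuration
     * @param springAddonsReactiveJwtDecoderFactory builds the decoder for an OP
     * @param converter turns a decoded {@link Jwt} into an authentication
     * @return a {@link SpringAddonsReactiveJwtAuthenticationManagerResolver}
     */
    @Conditional({DefaultAuthenticationManagerResolverCondition.class})
    @Bean
    ReactiveAuthenticationManagerResolver<ServerWebExchange> authenticationManagerResolver(OpenidProviderPropertiesResolver openidProviderPropertiesResolver, SpringAddonsReactiveJwtDecoderFactory springAddonsReactiveJwtDecoderFactory, Converter<Jwt, ? extends Mono<? extends AbstractAuthenticationToken>> converter) {
        return new SpringAddonsReactiveJwtAuthenticationManagerResolver(openidProviderPropertiesResolver, springAddonsReactiveJwtDecoderFactory, converter);
    }

    /**
     * Filter that subscribes to the deferred {@link CsrfToken} stored in the exchange attributes
     * before continuing the chain.
     *
     * <p>The token {@code Mono} is lazy: nothing is produced (and so nothing can be persisted by
     * the configured CSRF token repository) until something subscribes. The empty
     * {@code doOnSuccess} callback exists only to force that subscription on every request.
     * Skipped when the application already defines a bean named {@code csrfCookieWebFilter}.
     *
     * @return the web filter
     */
    @ConditionalOnMissingBean(name = {"csrfCookieWebFilter"})
    @Conditional({CookieCsrfCondition.class})
    @Bean
    WebFilter csrfCookieWebFilter() {
        return (serverWebExchange, webFilterChain) -> {
            Mono<CsrfToken> csrfToken = serverWebExchange.getAttributeOrDefault(CsrfToken.class.getName(), Mono.empty());
            return csrfToken.doOnSuccess(token -> {
                // intentionally empty: subscribing is the whole point, see Javadoc
            }).then(webFilterChain.filter(serverWebExchange));
        };
    }

    /**
     * Default JWT to {@link JwtAuthenticationToken} converter.
     *
     * <p>Authorities come from {@code converter} applied to the claims; the principal name is
     * read from the username claim configured for the OP that issued the token. A token whose
     * claims do not resolve to any configured OP is rejected with
     * {@link NotAConfiguredOpenidProviderException}.
     *
     * @param converter claims to authorities converter
     * @param openidProviderPropertiesResolver maps claims to the matching OP configuration
     * @return the converter bean
     */
    @Conditional({DefaultJwtAbstractAuthenticationTokenConverterCondition.class})
    @Bean
    ReactiveJwtAbstractAuthenticationTokenConverter jwtAuthenticationConverter(Converter<Map<String, Object>, Collection<? extends GrantedAuthority>> converter, OpenidProviderPropertiesResolver openidProviderPropertiesResolver) {
        return jwt -> {
            Map<String, Object> claims = jwt.getClaims();
            String usernameClaim = openidProviderPropertiesResolver.resolve(claims)
                    .orElseThrow(() -> new NotAConfiguredOpenidProviderException(claims))
                    .getUsernameClaim();
            String principalName = new OpenidClaimSet(claims, usernameClaim).getName();
            return Mono.just(new JwtAuthenticationToken(jwt, converter.convert(claims), principalName));
        };
    }

    /**
     * Default introspection result to {@link BearerTokenAuthentication} converter.
     *
     * <p>The OP configuration is selected by looking for a configured issuer string inside the
     * introspection URI; when none matches, the first configured OP is used (so at least one OP
     * must be configured). The username claim of that OP names the principal, authorities come
     * from {@code converter} applied to the introspection attributes, and the {@code iat} /
     * {@code exp} attributes (when present) become the access token's issued-at / expires-at.
     *
     * <p>NOTE(review): the issuer lookup is a plain substring match on the introspection URI;
     * confirm it cannot select the wrong OP when one configured issuer is a prefix of another.
     *
     * @param converter attributes to authorities converter
     * @param springAddonsOidcProperties spring-addons OIDC properties (configured OPs)
     * @param oAuth2ResourceServerProperties Spring Boot resource-server properties (introspection URI)
     * @return the converter bean
     */
    @Conditional({DefaultOpaqueTokenAuthenticationConverterCondition.class})
    @Bean
    ReactiveOpaqueTokenAuthenticationConverter introspectionAuthenticationConverter(Converter<Map<String, Object>, Collection<? extends GrantedAuthority>> converter, SpringAddonsOidcProperties springAddonsOidcProperties, OAuth2ResourceServerProperties oAuth2ResourceServerProperties) {
        return (str, oAuth2AuthenticatedPrincipal) -> {
            Map<String, Object> attributes = oAuth2AuthenticatedPrincipal.getAttributes();
            // loop-invariant: read the introspection URI once rather than once per configured OP
            String introspectionUri = oAuth2ResourceServerProperties.getOpaquetoken().getIntrospectionUri();
            String usernameClaim = springAddonsOidcProperties.getOps().stream()
                    .filter(op -> introspectionUri.contains(op.getIss().toString()))
                    .findAny()
                    .orElseGet(() -> springAddonsOidcProperties.getOps().get(0))
                    .getUsernameClaim();
            String principalName = new OpenidClaimSet(attributes, usernameClaim).getName();
            OAuth2IntrospectionAuthenticatedPrincipal principal = new OAuth2IntrospectionAuthenticatedPrincipal(principalName, attributes, oAuth2AuthenticatedPrincipal.getAuthorities());
            OAuth2AccessToken accessToken = new OAuth2AccessToken(OAuth2AccessToken.TokenType.BEARER, str, toInstant(oAuth2AuthenticatedPrincipal.getAttribute("iat")), toInstant(oAuth2AuthenticatedPrincipal.getAttribute("exp")));
            return Mono.just(new BearerTokenAuthentication(principal, accessToken, converter.convert(attributes)));
        };
    }

    /**
     * CORS filter built from the global CORS entries followed by the resource-server specific
     * ones.
     *
     * @param springAddonsOidcProperties spring-addons OIDC properties
     * @return the filter produced by {@link ReactiveConfigurationSupport#getCorsFilterBean}
     */
    @Conditional({DefaultCorsWebFilterCondition.class})
    @Bean
    CorsWebFilter corsFilter(SpringAddonsOidcProperties springAddonsOidcProperties) {
        var corsProperties = new ArrayList<>(springAddonsOidcProperties.getCors());
        corsProperties.addAll(springAddonsOidcProperties.getResourceserver().getCors());
        return ReactiveConfigurationSupport.getCorsFilterBean(corsProperties);
    }

    /**
     * Best-effort conversion of an introspection timestamp attribute to an {@link Instant}.
     *
     * <p>Accepts an {@link Instant}, a {@link Date}, or any {@link Number} interpreted as epoch
     * seconds (covers the {@code Integer}/{@code Long} cases the original handled, plus other
     * numeric representations, truncated to whole seconds). Anything else, including
     * {@code null}, yields {@code null}.
     *
     * @param obj the raw attribute value, possibly {@code null}
     * @return the instant, or {@code null} when the value is absent or not convertible
     */
    private static Instant toInstant(Object obj) {
        // instanceof is false for null, so the null case needs no separate branch
        if (obj instanceof Instant) {
            return (Instant) obj;
        }
        if (obj instanceof Date) {
            return ((Date) obj).toInstant();
        }
        if (obj instanceof Number) {
            return Instant.ofEpochSecond(((Number) obj).longValue());
        }
        return null;
    }
}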
