package cn.insmart.iam.resource.config;

import cn.insmart.iam.resource.api.handler.UnauthorizedExceptionHandler;
import cn.insmart.iam.resource.service.ClientTokenService;
import cn.insmart.iam.resource.service.impl.ClientTokenServiceImpl;
import cn.insmart.iam.resource.validator.AudienceValidator;
import cn.insmart.iam.resource.validator.HostValidator;
import java.util.ArrayList;
import java.util.List;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.boot.autoconfigure.security.oauth2.client.OAuth2ClientProperties;
import org.springframework.boot.autoconfigure.security.oauth2.resource.OAuth2ResourceServerProperties;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.oauth2.client.AuthorizedClientServiceOAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientProvider;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientProviderBuilder;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientService;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.client.web.DefaultOAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.client.web.OAuth2AuthorizedClientRepository;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jose.jws.SignatureAlgorithm;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtTimestampValidator;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.util.Assert;

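/**
 * Auto-configuration for an OAuth2 resource server.
 *
 * <p>Wires three things: the {@link JwtDecoder} used to verify incoming bearer
 * tokens (JWK-set based, with an explicit validator chain), the
 * client-credentials plumbing behind {@link ClientTokenService}, and the
 * {@link UnauthorizedExceptionHandler} for rejected requests.
 *
 * <p>Configuration consumed (all via {@code @Value}):
 * <ul>
 *   <li>{@code spring.application.name} — expected {@code aud} claim of accepted tokens;</li>
 *   <li>{@code spring.security.oauth2.resourceserver.jwt.jwk-set-uri} — where signing keys are fetched;</li>
 *   <li>{@code spring.security.oauth2.resourceserver.jwt.jws.algorithm} — the only JWS algorithm accepted, default {@code RS256}.</li>
 * </ul>
 */
@EnableConfigurationProperties({OAuthProviderProperties.class, OAuth2ResourceServerProperties.class})
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
/* loaded from: input_file:BOOT-INF/lib/iam-resource-starter-IAM.2022.2.16.5.jar:cn/insmart/iam/resource/config/ResourceServerAutoConfiguration.class */
public class ResourceServerAutoConfiguration {

    // Used as the audience a token must carry (see jwtDecoder()) and handed to
    // ResourceServerSecurityConfiguration.
    @Value("${spring.application.name}")
    private String audience;

    // NOTE(review): no default is given here, so a missing property aborts
    // context startup before the @ConditionalOnProperty on jwtDecoder() can
    // ever make that bean optional — confirm whether the condition is still wanted.
    @Value("${spring.security.oauth2.resourceserver.jwt.jwk-set-uri}")
    private String jwkSetUri;

    // Pinning a single algorithm keeps the decoder from accepting tokens signed
    // with anything other than the configured one.
    @Value("${spring.security.oauth2.resourceserver.jwt.jws.algorithm:RS256}")
    private String jwsAlgorithm;

    // Written once by clientTokenService(...) when the bean is created; exposed
    // statically through getClientTokenService(), presumably for callers that are
    // not Spring-managed. Not volatile — publication relies on the container
    // having finished wiring before any static access.
    private static ClientTokenService clientTokenService;

    /**
     * Returns the {@link ClientTokenService} bean created by this configuration.
     *
     * @return the service instance registered by {@link #clientTokenService}
     * @throws IllegalArgumentException if the bean has not been created yet
     */
    public static ClientTokenService getClientTokenService() {
        Assert.notNull(clientTokenService, "clientTokenService is null");
        return clientTokenService;
    }

    /**
     * Builds the security configuration for this resource server, bound to the
     * configured audience.
     *
     * @return a new {@link ResourceServerSecurityConfiguration}
     */
    @Bean
    public ResourceServerSecurityConfiguration resourceServerConfiguration() {
        return new ResourceServerSecurityConfiguration(this.audience);
    }

    /**
     * Creates the {@link ClientTokenService} and records it in the static holder
     * read by {@link #getClientTokenService()}.
     *
     * @param oAuthProviderProperties provider settings enabled on this class
     * @param oAuth2ClientProperties Spring Boot OAuth2 client properties
     * @param clientRegistrationRepository registered OAuth2 clients
     * @param oAuth2AuthorizedClientService storage for authorized clients
     * @return the service instance (also stored statically)
     */
    @Bean
    public ClientTokenService clientTokenService(OAuthProviderProperties oAuthProviderProperties, OAuth2ClientProperties oAuth2ClientProperties, ClientRegistrationRepository clientRegistrationRepository, OAuth2AuthorizedClientService oAuth2AuthorizedClientService) {
        OAuth2AuthorizedClientManager manager =
                authorizedClientServiceOAuth2AuthorizedClientManager(clientRegistrationRepository, oAuth2AuthorizedClientService);
        clientTokenService = new ClientTokenServiceImpl(oAuth2ClientProperties, oAuthProviderProperties, manager, oAuth2AuthorizedClientService);
        return clientTokenService;
    }

    /**
     * Request-scoped authorized-client manager limited to the
     * {@code client_credentials} grant.
     *
     * @param clientRegistrationRepository registered OAuth2 clients
     * @param oAuth2AuthorizedClientRepository per-request storage for authorized clients
     * @return a {@link DefaultOAuth2AuthorizedClientManager} with a client-credentials provider
     */
    @Bean
    public OAuth2AuthorizedClientManager authorizedClientManager(ClientRegistrationRepository clientRegistrationRepository, OAuth2AuthorizedClientRepository oAuth2AuthorizedClientRepository) {
        // Only client_credentials is enabled; no authorization_code/refresh_token
        // providers are registered on this manager.
        OAuth2AuthorizedClientProvider provider = OAuth2AuthorizedClientProviderBuilder.builder().clientCredentials().build();
        DefaultOAuth2AuthorizedClientManager manager = new DefaultOAuth2AuthorizedClientManager(clientRegistrationRepository, oAuth2AuthorizedClientRepository);
        manager.setAuthorizedClientProvider(provider);
        return manager;
    }

    /**
     * Service-backed authorized-client manager (usable outside a web request),
     * as needed by {@link ClientTokenServiceImpl}. Not registered as a bean.
     *
     * @param clientRegistrationRepository registered OAuth2 clients
     * @param oAuth2AuthorizedClientService storage for authorized clients
     * @return a new {@link AuthorizedClientServiceOAuth2AuthorizedClientManager}
     */
    public OAuth2AuthorizedClientManager authorizedClientServiceOAuth2AuthorizedClientManager(ClientRegistrationRepository clientRegistrationRepository, OAuth2AuthorizedClientService oAuth2AuthorizedClientService) {
        return new AuthorizedClientServiceOAuth2AuthorizedClientManager(clientRegistrationRepository, oAuth2AuthorizedClientService);
    }

    /**
     * Handler invoked for requests rejected by the security filter chain.
     *
     * @return a new {@link UnauthorizedExceptionHandler}
     */
    @Bean
    public UnauthorizedExceptionHandler accessDeniedExceptionHandler() {
        return new UnauthorizedExceptionHandler();
    }

    /**
     * JWK-set backed decoder for incoming bearer tokens.
     *
     * <p>Calling {@code setJwtValidator} replaces the decoder's default validators,
     * so exactly the following claims are enforced after signature verification:
     * timestamps ({@code exp}/{@code nbf}), audience (must match
     * {@code spring.application.name}) and whatever {@link HostValidator} checks.
     * No issuer ({@code iss}) validation is configured here — verify that is
     * intended for this deployment.
     *
     * @return the configured {@link NimbusJwtDecoder}
     * @throws IllegalArgumentException if the configured JWS algorithm name is not
     *     one Spring Security knows
     */
    @ConditionalOnProperty(name = {"spring.security.oauth2.resourceserver.jwt.jwk-set-uri"})
    @Bean
    JwtDecoder jwtDecoder() {
        SignatureAlgorithm algorithm = SignatureAlgorithm.from(this.jwsAlgorithm);
        // SignatureAlgorithm.from() returns null for an unknown name; fail with a
        // readable message instead of an NPE inside the Nimbus builder.
        Assert.notNull(algorithm, "unsupported jws algorithm: " + this.jwsAlgorithm);
        NimbusJwtDecoder decoder = NimbusJwtDecoder.withJwkSetUri(this.jwkSetUri)
                .jwsAlgorithm(algorithm)
                .build();
        List<OAuth2TokenValidator<Jwt>> validators = new ArrayList<>();
        validators.add(new JwtTimestampValidator());
        validators.add(new AudienceValidator(this.audience));
        validators.add(new HostValidator());
        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(validators));
        return decoder;
    }
}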
