package cn.jdevelops.authentication.sas.server.core.config;

import cn.jdevelops.authentication.sas.server.jose.Jwks;
import cn.jdevelops.authentication.sas.server.oauth.model.mobile.MobileConverter;
import cn.jdevelops.authentication.sas.server.oauth.model.mobile.MobileProvider;
import cn.jdevelops.authentication.sas.server.oauth.model.oidc.CustomOidcConverter;
import cn.jdevelops.authentication.sas.server.oauth.model.oidc.CustomOidcProvider;
import cn.jdevelops.authentication.sas.server.oauth.model.oidc.CustomOidcUserInfoService;
import cn.jdevelops.authentication.sas.server.oauth.model.password.PasswordConverter;
import cn.jdevelops.authentication.sas.server.oauth.model.password.PasswordProvider;
import cn.jdevelops.authentication.sas.server.user.entity.AuthenticationAccount;
import cn.jdevelops.authentication.sas.server.user.service.JUserDetailsService;
import cn.jdevelops.util.authorization.error.core.CustomAuthenticationFailureHandler;
import cn.jdevelops.util.authorization.error.core.CustomExceptionTranslationFilter;
import cn.jdevelops.util.authorization.error.core.UnAccessDeniedHandler;
import cn.jdevelops.util.authorization.error.core.UnAuthenticationEntryPoint;
import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.source.JWKSource;
import com.nimbusds.jose.proc.SecurityContext;
import java.time.Instant;
import java.util.Collection;
import java.util.Date;
import java.util.HashSet;
import java.util.Optional;
import java.util.Set;
import java.util.stream.Collectors;
import org.apache.catalina.util.StandardSessionIdGenerator;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.jwt.JwtClaimsSet;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.NimbusJwtEncoder;
import org.springframework.security.oauth2.server.authorization.JdbcOAuth2AuthorizationConsentService;
import org.springframework.security.oauth2.server.authorization.JdbcOAuth2AuthorizationService;
import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationConsentService;
import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;
import org.springframework.security.oauth2.server.authorization.OAuth2TokenType;
import org.springframework.security.oauth2.server.authorization.client.JdbcRegisteredClientRepository;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository;
import org.springframework.security.oauth2.server.authorization.config.annotation.web.configuration.OAuth2AuthorizationServerConfiguration;
import org.springframework.security.oauth2.server.authorization.config.annotation.web.configurers.OAuth2AuthorizationServerConfigurer;
import org.springframework.security.oauth2.server.authorization.settings.AuthorizationServerSettings;
import org.springframework.security.oauth2.server.authorization.token.DelegatingOAuth2TokenGenerator;
import org.springframework.security.oauth2.server.authorization.token.JwtEncodingContext;
import org.springframework.security.oauth2.server.authorization.token.JwtGenerator;
import org.springframework.security.oauth2.server.authorization.token.OAuth2AccessTokenGenerator;
import org.springframework.security.oauth2.server.authorization.token.OAuth2RefreshTokenGenerator;
import org.springframework.security.oauth2.server.authorization.token.OAuth2TokenCustomizer;
import org.springframework.security.oauth2.server.authorization.token.OAuth2TokenGenerator;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.access.ExceptionTranslationFilter;
import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;

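@Configuration
/* loaded from: input_file:cn/jdevelops/authentication/sas/server/core/config/AuthorizationServerConfig.class */
/**
 * Spring Authorization Server wiring: the authorization-server filter chain (ordered first), the
 * JDBC-backed client/authorization/consent stores, the JWK source and decoder, and the token
 * generator whose JWT claims are customized per token type.
 *
 * <p>Grant types beyond the standard ones (a password grant and a mobile grant) are plugged into the
 * token endpoint via their converter/provider pairs; error responses of the token and client
 * authentication endpoints are rendered by {@link CustomAuthenticationFailureHandler}.
 */
public class AuthorizationServerConfig {
    private static final Logger log = LoggerFactory.getLogger(AuthorizationServerConfig.class);
    /** Path of the application's own consent page, used instead of the framework default. */
    private static final String CUSTOM_CONSENT_PAGE_URI = "/page/oauth2/consent";
    /** Login page unauthenticated browser requests are sent to. */
    private static final String LOGIN_PAGE_URI = "/page/login";
    /** Token type value that marks an OIDC ID token in {@link JwtEncodingContext#getTokenType()}. */
    private static final String ID_TOKEN_TYPE = "id_token";
    /**
     * Shared generator for the {@code sid} claim. Tomcat's generator keeps its own SecureRandom pool, so
     * constructing a new one per issued ID token would be needlessly expensive; it is safe to share across threads.
     */
    private static final StandardSessionIdGenerator SESSION_ID_GENERATOR = new StandardSessionIdGenerator();
    private final JUserDetailsService jUserDetailsService;
    private final UserDetailsService userDetailsService;
    private final CustomOidcUserInfoService customOidcUserInfoService;

    /**
     * Creates the configuration.
     *
     * @param jUserDetailsService       looks up the application's account record for ID-token claims
     * @param userDetailsService        loads the Spring Security user whose authorities are merged into access tokens
     * @param customOidcUserInfoService backs the OIDC userinfo endpoint
     */
    public AuthorizationServerConfig(JUserDetailsService jUserDetailsService, UserDetailsService userDetailsService, CustomOidcUserInfoService customOidcUserInfoService) {
        this.jUserDetailsService = jUserDetailsService;
        this.userDetailsService = userDetailsService;
        this.customOidcUserInfoService = customOidcUserInfoService;
    }

    /**
     * Builds the authorization-server filter chain (order 1, so it wins over the application's default chain).
     *
     * @param httpSecurity              builder supplied by Spring Security
     * @param oAuth2AuthorizationService authorization store shared with the custom grant providers
     * @param oAuth2TokenGenerator      token generator shared with the custom grant providers
     * @return the configured filter chain
     * @throws Exception if {@link HttpSecurity#build()} fails
     */
    @Bean
    @Order(1)
    public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity httpSecurity,
            OAuth2AuthorizationService oAuth2AuthorizationService,
            OAuth2TokenGenerator<?> oAuth2TokenGenerator) throws Exception {
        OAuth2AuthorizationServerConfiguration.applyDefaultSecurity(httpSecurity);
        httpSecurity.getConfigurer(OAuth2AuthorizationServerConfigurer.class)
                .authorizationEndpoint(authorizationEndpoint -> authorizationEndpoint.consentPage(CUSTOM_CONSENT_PAGE_URI))
                // The token endpoint configurer appends each converter and provider to its list, so the
                // password and mobile grants are registered side by side with the standard grants.
                .tokenEndpoint(tokenEndpoint -> tokenEndpoint
                        .accessTokenRequestConverter(new PasswordConverter())
                        .authenticationProvider(new PasswordProvider(oAuth2AuthorizationService, oAuth2TokenGenerator))
                        .accessTokenRequestConverter(new MobileConverter())
                        .authenticationProvider(new MobileProvider(oAuth2AuthorizationService, oAuth2TokenGenerator))
                        .errorResponseHandler(new CustomAuthenticationFailureHandler()))
                .clientAuthentication(clientAuthentication -> clientAuthentication
                        .errorResponseHandler(new CustomAuthenticationFailureHandler()))
                .oidc(oidc -> oidc.userInfoEndpoint(userInfoEndpoint -> userInfoEndpoint
                        .userInfoRequestConverter(new CustomOidcConverter(this.customOidcUserInfoService))
                        .authenticationProvider(new CustomOidcProvider(oAuth2AuthorizationService, this.customOidcUserInfoService))));
        httpSecurity.addFilterBefore(new CustomExceptionTranslationFilter(), ExceptionTranslationFilter.class)
                .exceptionHandling(exceptionHandling -> exceptionHandling
                        // ExceptionHandlingConfigurer holds a single entry point (the last one set wins), so only
                        // UnAuthenticationEntryPoint is registered; a LoginUrlAuthenticationEntryPoint set before it
                        // would be discarded.
                        .authenticationEntryPoint(new UnAuthenticationEntryPoint(LOGIN_PAGE_URI))
                        .accessDeniedHandler(new UnAccessDeniedHandler()))
                // The server also validates its own JWTs on protected endpoints (e.g. userinfo).
                .oauth2ResourceServer(resourceServer -> resourceServer.jwt(Customizer.withDefaults()));
        return httpSecurity.build();
    }

    /**
     * Registered OAuth2 clients, read from the database.
     *
     * @param jdbcTemplate data access for the client table
     * @return the JDBC-backed repository
     */
    @Bean
    public RegisteredClientRepository registeredClientRepository(JdbcTemplate jdbcTemplate) {
        return new JdbcRegisteredClientRepository(jdbcTemplate);
    }

    /**
     * Issued authorizations (codes, tokens), persisted in the database.
     *
     * @param jdbcTemplate               data access for the authorization table
     * @param registeredClientRepository resolves the client owning each authorization
     * @return the JDBC-backed service
     */
    @Bean
    public OAuth2AuthorizationService authorizationService(JdbcTemplate jdbcTemplate, RegisteredClientRepository registeredClientRepository) {
        return new JdbcOAuth2AuthorizationService(jdbcTemplate, registeredClientRepository);
    }

    /**
     * User consent decisions, persisted in the database.
     *
     * @param jdbcTemplate               data access for the consent table
     * @param registeredClientRepository resolves the client each consent was granted to
     * @return the JDBC-backed service
     */
    @Bean
    public OAuth2AuthorizationConsentService authorizationConsentService(JdbcTemplate jdbcTemplate, RegisteredClientRepository registeredClientRepository) {
        return new JdbcOAuth2AuthorizationConsentService(jdbcTemplate, registeredClientRepository);
    }

    /**
     * Signing key set for issued JWTs.
     *
     * <p>NOTE(review): if {@code Jwks.generateRsa()} produces a fresh key pair on every start, tokens issued
     * before a restart stop verifying and multiple instances will not trust each other's tokens — confirm
     * the key material is loaded from persistent storage in production.
     *
     * @return a source that selects from the single generated key set
     */
    @Bean
    public JWKSource<SecurityContext> jwkSource() {
        JWKSet jwkSet = new JWKSet(Jwks.generateRsa());
        return (jwkSelector, securityContext) -> jwkSelector.select(jwkSet);
    }

    /**
     * Decoder that verifies JWTs against {@link #jwkSource()}.
     *
     * @param jWKSource the signing key set
     * @return the framework default decoder for that source
     */
    @Bean
    public JwtDecoder jwtDecoder(JWKSource<SecurityContext> jWKSource) {
        return OAuth2AuthorizationServerConfiguration.jwtDecoder(jWKSource);
    }

    /**
     * Authorization-server settings with framework defaults (issuer and endpoint paths).
     *
     * @return the default settings
     */
    @Bean
    public AuthorizationServerSettings authorizationServerSettings() {
        return AuthorizationServerSettings.builder().build();
    }

    /**
     * Token generator: JWTs (access and ID tokens) with the claim customizer applied, plus opaque access
     * and refresh token generators as fallbacks.
     *
     * @param jWKSource the signing key set
     * @return the delegating generator
     */
    @Bean
    OAuth2TokenGenerator<?> tokenGenerator(JWKSource<SecurityContext> jWKSource) {
        // Declared as JwtGenerator (not the raw OAuth2TokenGenerator) so setJwtCustomizer resolves.
        JwtGenerator jwtGenerator = new JwtGenerator(new NimbusJwtEncoder(jWKSource));
        jwtGenerator.setJwtCustomizer(jwtCustomizer());
        return new DelegatingOAuth2TokenGenerator(jwtGenerator, new OAuth2AccessTokenGenerator(), new OAuth2RefreshTokenGenerator());
    }

    /**
     * Adds claims to issued JWTs.
     *
     * <ul>
     *   <li>Access tokens (except client-credentials grants, which have no user): the user's granted
     *       authorities are merged into the {@code scope} claim.</li>
     *   <li>ID tokens: {@code auth_time}, a random {@code sid}, and the account's
     *       {@code loginName}/{@code name}/{@code description} when the account is found.</li>
     * </ul>
     *
     * @return the customizer applied by {@link #tokenGenerator(JWKSource)}
     */
    @Bean
    public OAuth2TokenCustomizer<JwtEncodingContext> jwtCustomizer() {
        return context -> {
            JwtClaimsSet.Builder claims = context.getClaims();
            String principalName = context.getPrincipal().getName();
            if (OAuth2TokenType.ACCESS_TOKEN.equals(context.getTokenType())) {
                // A client-credentials token has no user behind it, so there are no authorities to merge.
                if (AuthorizationGrantType.CLIENT_CREDENTIALS.equals(context.getAuthorizationGrantType())) {
                    return;
                }
                Set<String> authorityNames = this.userDetailsService.loadUserByUsername(principalName)
                        .getAuthorities().stream()
                        .map(GrantedAuthority::getAuthority)
                        .collect(Collectors.toSet());
                // NOTE(review): this widens the access token's "scope" claim with the user's granted authorities,
                // so resource servers see scopes the client never requested — confirm this is intended.
                // When no "scope" claim exists yet, the claim becomes the set of authority names.
                claims.claims(map -> map.merge("scope", authorityNames, AuthorizationServerConfig::mergeScopes));
            } else if (ID_TOKEN_TYPE.equals(context.getTokenType().getValue())) {
                claims.claim("auth_time", Date.from(Instant.now()));
                // NOTE(review): a fresh random value per issued ID token; if "sid" is meant to identify the
                // user's login session (e.g. for logout correlation) it must come from the session instead.
                claims.claim("sid", SESSION_ID_GENERATOR.generateSessionId());
                // Looked up only here: access tokens never use the account record.
                Optional<AuthenticationAccount> account = this.jUserDetailsService.findUserInfo(principalName);
                account.ifPresent(authenticationAccount -> {
                    claims.claim("loginName", authenticationAccount.getLoginName());
                    claims.claim("name", authenticationAccount.getNickname());
                    claims.claim("description", authenticationAccount.getDescription());
                });
            }
        };
    }

    /**
     * Remapping function for the {@code scope} claim: the existing scopes plus every authority name not
     * already present, as a new mutable set of strings (order is not significant).
     *
     * @param existingScopes current value of the claim, expected to be a collection of strings
     * @param authorityNames authority names to add, a collection of strings
     * @return the union as strings
     */
    private static Set<String> mergeScopes(Object existingScopes, Object authorityNames) {
        Set<String> merged = new HashSet<>();
        for (Object scope : (Collection<?>) existingScopes) {
            merged.add(String.valueOf(scope));
        }
        for (Object name : (Collection<?>) authorityNames) {
            merged.add(String.valueOf(name));
        }
        return merged;
    }
}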
