package pl.decerto.hyperon.common.security.oauth2;

import java.time.Duration;
import java.time.temporal.ChronoUnit;
import java.util.List;
import org.springframework.boot.context.properties.ConfigurationPropertiesScan;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.client.registration.InMemoryClientRegistrationRepository;
import org.springframework.security.oauth2.jwt.JwtClaimValidator;
import org.springframework.security.oauth2.jwt.JwtTimestampValidator;
import org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter;
import org.springframework.web.filter.ForwardedHeaderFilter;

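/**
 * Spring configuration for OAuth2 login and JWT resource-server support.
 *
 * <p>Exposes the client registrations taken from {@link HyperonSecurityOAuth2Properties},
 * an audience validator and a timestamp validator as beans, and (through the nested
 * {@link OAuth2LoginSecurityConfig}) the HTTP security rules.
 *
 * <p>NOTE(review): this class only declares the two JWT validator beans. Whether they are
 * attached to the {@code JwtDecoder} used by {@code oauth2ResourceServer().jwt()} is not
 * visible here; confirm it where the decoder is built, otherwise the audience check is not
 * enforced.
 */
@EnableConfigurationProperties
@OAuth2PropertyCondition
@Configuration
@ConfigurationPropertiesScan
/* loaded from: input_file:pl/decerto/hyperon/common/security/oauth2/OAuth2SecurityConfiguration.class */
public class OAuth2SecurityConfiguration {
    private final HyperonSecurityOAuth2Properties properties;

    /**
     * HTTP security rules: {@code /login} is public, {@code /app/**} and {@code /api/**}
     * require an authenticated caller, via either OAuth2 login or a bearer JWT.
     */
    @OAuth2PropertyCondition
    @EnableWebSecurity
    /* loaded from: input_file:pl/decerto/hyperon/common/security/oauth2/OAuth2SecurityConfiguration$OAuth2LoginSecurityConfig.class */
    public static class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {
        /**
         * Builds the filter chain.
         *
         * @param httpSecurity the builder supplied by Spring Security
         * @throws Exception if the builder rejects the configuration
         */
        @Override
        protected void configure(HttpSecurity httpSecurity) throws Exception {
            httpSecurity
                // NOTE(review): only these three patterns carry a rule and there is no closing
                // anyRequest() rule, so any other path is not covered by an access decision in
                // this chain. Confirm that is intended, or close the list with a default rule.
                .authorizeRequests(registry -> registry
                    .antMatchers("/login").permitAll()
                    .antMatchers("/app/**").authenticated()
                    .antMatchers("/api/**").authenticated())
                .oauth2Login(Customizer.withDefaults())
                .oauth2ResourceServer(resourceServer -> resourceServer.jwt())
                // NOTE(review): ForwardedHeaderFilter rewrites scheme/host/port from the
                // Forwarded and X-Forwarded-* request headers. That is only safe when every
                // request passes through a trusted proxy that strips client-supplied values.
                .addFilterBefore(new ForwardedHeaderFilter(), WebAsyncManagerIntegrationFilter.class)
                .exceptionHandling()
                .and()
                // NOTE(review): CSRF protection is switched off for the whole chain, which also
                // covers the browser-facing oauth2Login flow. Confirm that no state-changing
                // endpoint is reachable with a cookie-backed session, or scope the exemption.
                .csrf().disable();
        }
    }

    /**
     * Registers the configured OAuth2 clients in memory.
     *
     * @return a repository holding {@code properties.getClientRegistrations()}
     */
    @Bean
    public ClientRegistrationRepository clientRegistrationRepository() {
        return new InMemoryClientRegistrationRepository(this.properties.getClientRegistrations());
    }

    /**
     * Validator that accepts a JWT only when its {@code aud} claim contains the client id of
     * the first configured client registration.
     *
     * <p>A token without an {@code aud} claim is rejected as a validation failure; the
     * predicate no longer dereferences a missing claim and throws
     * {@link NullPointerException}.
     *
     * @return the audience validator
     * @throws IndexOutOfBoundsException if no client registration is configured
     */
    @Bean
    public JwtClaimValidator<List<String>> audienceValidator() {
        // Only the first registration is consulted; additional registrations are ignored here.
        ClientRegistration clientRegistration = this.properties.getClientRegistrations().get(0);
        return new JwtClaimValidator<>("aud",
            audience -> audience != null && audience.contains(clientRegistration.getClientId()));
    }

    /**
     * Timestamp validator built from the first client's {@code tokenLiveTime}, read as a
     * number of seconds.
     *
     * <p>NOTE(review): the {@link Duration} argument of {@link JwtTimestampValidator} is the
     * tolerated clock skew, not a token lifetime. Passing {@code tokenLiveTime} here means a
     * token is still accepted for that long after its {@code exp}; confirm this is intended.
     *
     * @return the timestamp validator
     * @throws NumberFormatException if {@code tokenLiveTime} is not a decimal long
     * @throws IndexOutOfBoundsException if no client is configured
     */
    @Bean
    public JwtTimestampValidator jwtTimestampValidator() {
        long seconds = Long.parseLong(this.properties.getClients().get(0).getTokenLiveTime());
        return new JwtTimestampValidator(Duration.of(seconds, ChronoUnit.SECONDS));
    }

    /**
     * @return the OAuth2 properties this configuration was created with
     */
    public HyperonSecurityOAuth2Properties getProperties() {
        return this.properties;
    }

    /**
     * @param hyperonSecurityOAuth2Properties the bound OAuth2 properties, injected by Spring
     */
    public OAuth2SecurityConfiguration(HyperonSecurityOAuth2Properties hyperonSecurityOAuth2Properties) {
        this.properties = hyperonSecurityOAuth2Properties;
    }
}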
