package pl.decerto.hyperon.common.security.oauth2;

import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.stream.Collectors;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.client.authentication.OAuth2AuthenticationToken;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.core.oidc.OidcIdToken;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtClaimValidator;
import org.springframework.security.oauth2.jwt.JwtTimestampValidator;
import org.springframework.stereotype.Component;
import pl.decerto.hyperon.common.security.AbstractAuthorizationManager;
import pl.decerto.hyperon.common.security.AccessGateway;
import pl.decerto.hyperon.common.security.MppUserDetails;

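/**
 * Authorization manager for OAuth2 / OIDC logins.
 *
 * <p>A login is authorized only when BOTH conditions hold: the ID token carried by the
 * principal passes the configured audience validator and timestamp validator, and the
 * {@link AccessGateway} accepts the user. Any validator error or an unexpected principal
 * type denies access (fail closed). The bean is active only under
 * {@link OAuth2PropertyCondition}.
 */
@OAuth2PropertyCondition
@Component
public class OAuth2AuthorizationManager extends AbstractAuthorizationManager {
    private static final Logger log = LoggerFactory.getLogger(OAuth2AuthorizationManager.class);
    // Claim name used to expose the granted authorities when the ID token carries no scope claim.
    private static final String SCOPE = "scope";
    private final AccessGateway accessGateway;
    private final JwtClaimValidator<List<String>> audienceValidator;
    private final JwtTimestampValidator jwtTimestampValidator;

    /**
     * Creates the manager with its collaborators (normally injected by Spring).
     *
     * @param accessGateway        gateway deciding whether the mapped user may access the application
     * @param jwtClaimValidator    validator for the token audience (list-valued claim)
     * @param jwtTimestampValidator validator for the token's time-based claims
     * @throws NullPointerException if any collaborator is {@code null}
     */
    public OAuth2AuthorizationManager(AccessGateway accessGateway, JwtClaimValidator<List<String>> jwtClaimValidator, JwtTimestampValidator jwtTimestampValidator) {
        this.accessGateway = Objects.requireNonNull(accessGateway, "accessGateway");
        this.audienceValidator = Objects.requireNonNull(jwtClaimValidator, "jwtClaimValidator");
        this.jwtTimestampValidator = Objects.requireNonNull(jwtTimestampValidator, "jwtTimestampValidator");
    }

    /**
     * Authorizes an OAuth2 login: token validation first, then the access-gateway decision.
     *
     * @param authentication the authentication whose principal is expected to be a {@link HyperonOidcUserDetails}
     * @return {@code true} only when token validation and the gateway both succeed
     */
    @Override
    protected boolean tryAuthorize(Authentication authentication) {
        Object principal = authentication.getPrincipal();
        if (!(principal instanceof HyperonOidcUserDetails)) {
            // authenticationObjectTypeMatches only checks the token type, not the principal type;
            // deny explicitly instead of letting a ClassCastException propagate.
            log.warn("Authorization denied, unexpected principal type={}.",
                    principal == null ? null : principal.getClass().getName());
            return false;
        }
        HyperonOidcUserDetails userDetails = (HyperonOidcUserDetails) principal;
        // Short-circuit: the gateway is not consulted for a token that failed validation.
        boolean success = validateRequiredTokenFields(userDetails)
                && isUserAuthorized(userDetails.getHyperonUserDetails());
        log.trace("Authorization, isSuccess={}.", success);
        return success;
    }

    // Asks the access gateway whether the mapped application user may log in.
    private boolean isUserAuthorized(MppUserDetails mppUserDetails) {
        return this.accessGateway.authorizeUser(mppUserDetails, mppUserDetails.getUsername()).isSuccess();
    }

    // Runs the audience and timestamp validators against a JWT view of the ID token.
    private boolean validateRequiredTokenFields(HyperonOidcUserDetails userDetails) {
        Jwt jwt = getJwt(userDetails, userDetails.getIdToken());
        return isValidationSucceed(this.audienceValidator, jwt)
                && isValidationSucceed(this.jwtTimestampValidator, jwt);
    }

    // A validator result with any error counts as a failure.
    private boolean isValidationSucceed(OAuth2TokenValidator<Jwt> validator, Jwt jwt) {
        return !validator.validate(jwt).hasErrors();
    }

    /**
     * Builds a {@link Jwt} from the OIDC ID token so the generic JWT validators can run on it.
     *
     * <p>When the ID token has no {@code scope} claim, the principal's granted authorities are
     * exposed under that claim name. All claims are copied into the JWT's claim map and, as in
     * the original implementation, also into its header map.
     */
    private Jwt getJwt(HyperonOidcUserDetails userDetails, OidcIdToken idToken) {
        Map<String, Object> claims = new HashMap<>(idToken.getClaims());
        if (!claims.containsKey(SCOPE)) {
            claims.put(SCOPE, userDetails.getAuthorities().stream()
                    .map(authority -> authority.getAuthority())
                    .collect(Collectors.toUnmodifiableList()));
        }
        return Jwt.withTokenValue(idToken.getTokenValue())
                // NOTE(review): throws NullPointerException if the ID token has no issuer — confirm upstream guarantees "iss"
                .issuer(idToken.getIssuer().toString())
                .issuedAt(idToken.getIssuedAt())
                .expiresAt(idToken.getExpiresAt())
                .claims(target -> target.putAll(claims))
                // Claims are mirrored into the headers; presumably to satisfy the builder's
                // non-empty header requirement — verify before changing.
                .headers(target -> target.putAll(claims))
                .build();
    }

    /**
     * @return {@code true} when the authentication comes from the OAuth2 client login flow
     */
    @Override
    protected boolean authenticationObjectTypeMatches(Authentication authentication) {
        return authentication instanceof OAuth2AuthenticationToken;
    }
}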
