package net.n2oapp.platform.security.autoconfigure;

import java.util.Collections;
import java.util.Map;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Scope;
import org.springframework.context.annotation.ScopedProxyMode;
import org.springframework.security.core.authority.mapping.SimpleAttributes2GrantedAuthoritiesMapper;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.client.DefaultOAuth2ClientContext;
import org.springframework.security.oauth2.client.OAuth2ClientContext;
import org.springframework.security.oauth2.client.resource.OAuth2ProtectedResourceDetails;
import org.springframework.security.oauth2.client.token.DefaultAccessTokenRequest;
import org.springframework.security.oauth2.client.token.grant.client.ClientCredentialsResourceDetails;
import org.springframework.security.oauth2.common.DefaultOAuth2AccessToken;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.common.exceptions.InvalidTokenException;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurer;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.authentication.OAuth2AuthenticationDetails;
import org.springframework.security.oauth2.provider.token.DefaultAccessTokenConverter;
import org.springframework.security.oauth2.provider.token.DefaultTokenServices;
import org.springframework.security.oauth2.provider.token.ResourceServerTokenServices;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.UserAuthenticationConverter;
import org.springframework.security.oauth2.provider.token.store.JwtClaimsSetVerifier;
import org.springframework.security.oauth2.provider.token.store.jwk.JwkTokenStore;
import org.springframework.util.Assert;

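/**
 * Auto-configuration that wires an OAuth2 resource server and a token-relaying REST client
 * from {@link N2oPlatformSecurityProperties}.
 *
 * <p>Two properties read here relax token validation and should be reviewed before being
 * turned off in any environment that receives untrusted traffic:
 * <ul>
 *   <li>{@code isCheckTokenExpired()}: when {@code false}, {@link #tokenServices(TokenStore)}
 *       installs a loader that performs no expiry check, and
 *       {@link #oauth2ClientContext(PlatformAccessTokenConverter)} relays the raw token without
 *       decoding it;</li>
 *   <li>{@code isCheckAud()}: when {@code false}, {@link #tokenStore(UserAuthenticationConverter)}
 *       drops the {@code aud} claim before the authentication is built.</li>
 * </ul>
 */
@EnableConfigurationProperties({N2oPlatformSecurityProperties.class})
@Configuration
public class SecurityAutoConfiguration {
    private final N2oPlatformSecurityProperties securityProperties;

    /**
     * @param n2oPlatformSecurityProperties bound security settings used by every bean below
     */
    public SecurityAutoConfiguration(N2oPlatformSecurityProperties n2oPlatformSecurityProperties) {
        this.securityProperties = n2oPlatformSecurityProperties;
    }

    /**
     * Creates the request-scoped REST template used for outbound calls.
     *
     * @param oAuth2ClientContext client context that holds the access token for this request
     * @param oAuth2ProtectedResourceDetails client registration used by the template
     * @return a template with retry on bad access tokens switched off
     */
    @Scope(value = "request", proxyMode = ScopedProxyMode.INTERFACES)
    @Bean
    public PlatformRestTemplate oauth2RestTemplate(OAuth2ClientContext oAuth2ClientContext, OAuth2ProtectedResourceDetails oAuth2ProtectedResourceDetails) {
        PlatformRestTemplate restTemplate = new PlatformRestTemplate(oAuth2ProtectedResourceDetails, oAuth2ClientContext);
        restTemplate.setRetryBadAccessTokens(false);
        restTemplate.setCheckTokenExpired(this.securityProperties.isCheckTokenExpired());
        return restTemplate;
    }

    /**
     * Builds the request-scoped client context and seeds it with the bearer token of the
     * currently authenticated caller, so that outbound calls reuse that token.
     *
     * <p>The context is left without a token when the current authentication is not an
     * {@link OAuth2Authentication} or carries no {@link OAuth2AuthenticationDetails}.
     *
     * @param platformAccessTokenConverter converter used to decode the token when expiry checking is on
     * @return the client context for the current request
     */
    @Scope(value = "request", proxyMode = ScopedProxyMode.INTERFACES)
    @Bean
    public DefaultOAuth2ClientContext oauth2ClientContext(PlatformAccessTokenConverter platformAccessTokenConverter) {
        DefaultOAuth2ClientContext clientContext = new DefaultOAuth2ClientContext(new DefaultAccessTokenRequest());
        // Held as Object: the context returns the general authentication type, so the
        // instanceof below is a real runtime check rather than a foregone conclusion.
        Object authentication = SecurityContextHolder.getContext().getAuthentication();
        if (!(authentication instanceof OAuth2Authentication)) {
            return clientContext;
        }
        Object details = ((OAuth2Authentication) authentication).getDetails();
        if (!(details instanceof OAuth2AuthenticationDetails)) {
            return clientContext;
        }
        String tokenValue = ((OAuth2AuthenticationDetails) details).getTokenValue();
        if (!this.securityProperties.isCheckTokenExpired()) {
            // Raw relay: the token is wrapped as-is, so the context holds no expiry metadata.
            clientContext.setAccessToken(new DefaultOAuth2AccessToken(tokenValue));
        } else {
            // NOTE(review): decode() is defined outside this file; presumably it parses the
            // token claims so the relayed token carries its expiration. Confirm.
            clientContext.setAccessToken(platformAccessTokenConverter.extractAccessToken(tokenValue, platformAccessTokenConverter.decode(tokenValue)));
        }
        return clientContext;
    }

    /**
     * @param userAuthenticationConverter converter that maps token claims to the user principal
     * @return the platform token converter with the user converter installed
     */
    @Bean
    public PlatformAccessTokenConverter platformAccessTokenConverter(UserAuthenticationConverter userAuthenticationConverter) {
        PlatformAccessTokenConverter converter = new PlatformAccessTokenConverter();
        converter.setUserTokenConverter(userAuthenticationConverter);
        return converter;
    }

    /**
     * Describes the client-credentials registration taken from the security properties.
     *
     * <p>The returned object carries the client secret in memory; keep it out of log output and
     * of any endpoint that dumps bean state.
     *
     * @return resource details holding client id, client secret and access token URI
     */
    @Bean
    public OAuth2ProtectedResourceDetails clientCredentialsResourceDetails() {
        ClientCredentialsResourceDetails resourceDetails = new ClientCredentialsResourceDetails();
        resourceDetails.setClientId(this.securityProperties.getClientId());
        resourceDetails.setClientSecret(this.securityProperties.getClientSecret());
        resourceDetails.setAccessTokenUri(this.securityProperties.getAccessTokenUri());
        return resourceDetails;
    }

    /**
     * Default converter from token claims to a user authentication; applications may replace it
     * by declaring their own {@link UserAuthenticationConverter} bean.
     *
     * @return converter configured with the username key, authorities key and authority mapping
     *         (prefix and case conversion) from the security properties
     */
    @ConditionalOnMissingBean
    @Bean
    public UserAuthenticationConverter n2oPlatformAuthenticationConverter() {
        SimpleAttributes2GrantedAuthoritiesMapper authoritiesMapper = new SimpleAttributes2GrantedAuthoritiesMapper();
        authoritiesMapper.setAttributePrefix(this.securityProperties.getAuthoritiesPrefix());
        authoritiesMapper.setConvertAttributeToUpperCase(this.securityProperties.isAuthoritiesUpperCase());
        authoritiesMapper.setConvertAttributeToLowerCase(this.securityProperties.isAuthoritiesLowerCase());
        return new N2oPlatformAuthenticationConverter(this.securityProperties.getUsernameKey(), this.securityProperties.getAuthoritiesKey(), authoritiesMapper);
    }

    /**
     * Creates the token services that turn an incoming bearer token into an authentication.
     *
     * <p>When {@code isCheckTokenExpired()} is {@code false}, the returned service overrides
     * {@code loadAuthentication} with a version that only requires the token and its
     * authentication to be readable from the store. Unlike the stock
     * {@link DefaultTokenServices}, it performs no expiry check, so a token past its expiration
     * stays usable for as long as the store can still read it.
     *
     * @param tokenStore store used to read tokens and their authentications
     * @return token services bound to {@code tokenStore} with refresh token support enabled
     */
    @Bean
    public ResourceServerTokenServices tokenServices(final TokenStore tokenStore) {
        DefaultTokenServices services;
        if (!this.securityProperties.isCheckTokenExpired()) {
            services = new DefaultTokenServices() {
                @Override
                public OAuth2Authentication loadAuthentication(String str) {
                    // NOTE(review): both messages embed the raw bearer token value; check that
                    // exception text is not written verbatim to logs or monitoring.
                    OAuth2AccessToken accessToken = tokenStore.readAccessToken(str);
                    if (accessToken == null) {
                        throw new InvalidTokenException("Invalid access token: " + str);
                    }
                    OAuth2Authentication storedAuthentication = tokenStore.readAuthentication(accessToken);
                    if (storedAuthentication == null) {
                        throw new InvalidTokenException("Invalid access token: " + str);
                    }
                    return storedAuthentication;
                }
            };
        } else {
            services = new DefaultTokenServices();
        }
        services.setTokenStore(tokenStore);
        services.setSupportRefreshToken(true);
        return services;
    }

    /**
     * Default JWK-backed token store; applications may replace it with their own
     * {@link TokenStore} bean.
     *
     * <p>Security-relevant behaviour:
     * <ul>
     *   <li>When {@code isCheckAud()} is {@code false}, the {@code aud} claim is removed from the
     *       claims map (in place) before the authentication is extracted, so a token issued for
     *       a different audience is not rejected on audience grounds.</li>
     *   <li>No {@link JwtClaimsSetVerifier} is supplied, so no additional claim verification
     *       (for example of the issuer) is configured here.</li>
     *   <li>The key-set URI is the trust anchor for token signatures. NOTE(review): only its
     *       presence is asserted here; confirm deployments point it at an HTTPS endpoint of the
     *       intended authorization server.</li>
     * </ul>
     *
     * @param userAuthenticationConverter converter that maps token claims to the user principal
     * @return a token store that verifies tokens against the configured JWK set
     * @throws IllegalArgumentException if {@code n2o.platform.security.key-set-uri} has no text
     */
    @ConditionalOnMissingBean
    @Bean
    public TokenStore tokenStore(UserAuthenticationConverter userAuthenticationConverter) {
        DefaultAccessTokenConverter accessTokenConverter = new DefaultAccessTokenConverter() {
            @Override
            public OAuth2Authentication extractAuthentication(Map<String, ?> map) {
                if (!SecurityAutoConfiguration.this.securityProperties.isCheckAud()) {
                    // Mutates the caller's claims map; the audience is gone for later readers too.
                    map.remove("aud");
                }
                return super.extractAuthentication(map);
            }
        };
        accessTokenConverter.setUserTokenConverter(userAuthenticationConverter);
        Assert.hasText(this.securityProperties.getKeySetUri(), "Set property `n2o.platform.security.key-set-uri`");
        return new JwkTokenStore(Collections.singletonList(this.securityProperties.getKeySetUri()), accessTokenConverter, (JwtClaimsSetVerifier) null);
    }

    /**
     * Default resource server configuration; skipped when the application already declares a
     * {@link ResourceServerConfigurer}.
     *
     * @return the platform configurer adapter initialised with the security properties
     */
    @ConditionalOnMissingBean({ResourceServerConfigurer.class})
    @Bean
    public ResourceServerConfigurer n2oPlatformResourceServer() {
        N2oPlatformResourceServerConfigurerAdapter configurer = new N2oPlatformResourceServerConfigurerAdapter();
        configurer.setSecurityProperties(this.securityProperties);
        return configurer;
    }
}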
