package org.entur.jwt.spring.grpc;

import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.KeySourceException;
import com.nimbusds.jose.jwk.source.JWKSource;
import com.nimbusds.jose.proc.JWSVerificationKeySelector;
import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jwt.proc.DefaultJWTProcessor;
import io.grpc.Status;
import io.grpc.StatusRuntimeException;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Optional;
import java.util.stream.Collectors;
import org.entur.jwt.spring.Auth0JwtAuthorityEnricher;
import org.entur.jwt.spring.DefaultJwtAuthorityEnricher;
import org.entur.jwt.spring.EnrichedJwtGrantedAuthoritiesConverter;
import org.entur.jwt.spring.JwkSourceMap;
import org.entur.jwt.spring.JwtAuthorityEnricher;
import org.entur.jwt.spring.JwtAutoConfiguration;
import org.entur.jwt.spring.KeycloakJwtAuthorityEnricher;
import org.entur.jwt.spring.NoUserDetailsService;
import org.entur.jwt.spring.grpc.properties.GrpcPermitAll;
import org.entur.jwt.spring.grpc.properties.GrpcServicesConfiguration;
import org.entur.jwt.spring.grpc.properties.ServiceMatcherConfiguration;
import org.entur.jwt.spring.properties.Flavours;
import org.lognet.springboot.grpc.GRpcErrorHandler;
import org.lognet.springboot.grpc.autoconfigure.ConditionalOnMissingErrorHandler;
import org.lognet.springboot.grpc.autoconfigure.GRpcAutoConfiguration;
import org.lognet.springboot.grpc.autoconfigure.security.SecurityAutoConfiguration;
import org.lognet.springboot.grpc.recovery.ErrorHandlerAdapter;
import org.lognet.springboot.grpc.recovery.GRpcExceptionHandler;
import org.lognet.springboot.grpc.recovery.GRpcExceptionScope;
import org.lognet.springboot.grpc.recovery.GRpcServiceAdvice;
import org.lognet.springboot.grpc.security.GrpcSecurity;
import org.lognet.springboot.grpc.security.GrpcSecurityConfigurerAdapter;
import org.lognet.springboot.grpc.security.GrpcServiceAuthorizationConfigurer;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.boot.autoconfigure.AutoConfigureAfter;
import org.springframework.boot.autoconfigure.AutoConfigureBefore;
import org.springframework.boot.autoconfigure.condition.ConditionalOnExpression;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtException;
import org.springframework.security.oauth2.jwt.JwtIssuerValidator;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationProvider;

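/**
 * Auto-configuration that wires JWT bearer-token authentication into the gRPC server
 * (grpc-spring-boot-starter / lognet).
 *
 * <p>It registers one {@link JwtAuthenticationProvider} per configured issuer (keyed by the
 * issuer's JWK source), optionally exempts an explicit allow-list of service methods from
 * authentication, and installs default gRPC error handlers for authentication failures and
 * {@link StatusRuntimeException}s unless the application provides its own.
 */
@EnableConfigurationProperties({GrpcPermitAll.class, Flavours.class})
@AutoConfigureBefore({GRpcAutoConfiguration.class, SecurityAutoConfiguration.class})
@Configuration
@AutoConfigureAfter({JwtAutoConfiguration.class})
public class GrpcAutoConfiguration {
    private static final Logger log = LoggerFactory.getLogger(GrpcAutoConfiguration.class);

    /**
     * Default handler for {@link AuthenticationException}, only registered when the application
     * has not declared its own error handler for that exception type.
     */
    @ConditionalOnMissingErrorHandler(AuthenticationException.class)
    @Configuration
    static class DefaultAuthErrorHandlerConfiguration {

        /**
         * Maps authentication failures to a gRPC {@link Status}.
         *
         * <p>A failure whose root is a {@link KeySourceException} (the verification keys could not
         * be obtained) is reported as {@link Status#UNAVAILABLE}, so clients can treat it as a
         * transient server-side problem and retry; every other failure is
         * {@link Status#UNAUTHENTICATED}.
         */
        @GRpcServiceAdvice
        public static class DefaultAuthErrorHandler extends ErrorHandlerAdapter {
            public DefaultAuthErrorHandler(Optional<GRpcErrorHandler> optional) {
                super(optional);
            }

            /**
             * @param authenticationException the failure raised by the authentication provider
             * @param gRpcExceptionScope      the scope the adapter uses to build the response
             * @return the status produced by {@link ErrorHandlerAdapter#handle}
             */
            @GRpcExceptionHandler
            public Status handle(AuthenticationException authenticationException, GRpcExceptionScope gRpcExceptionScope) {
                Status status = isKeySourceFailure(authenticationException) ? Status.UNAVAILABLE : Status.UNAUTHENTICATED;
                return handle(authenticationException, status, gRpcExceptionScope);
            }

            /**
             * True when the exception is an {@link AuthenticationServiceException} wrapping a
             * {@link JwtException} whose own cause is a {@link KeySourceException}. Only that exact
             * nesting is recognised; deeper chains are treated as ordinary failures.
             */
            private static boolean isKeySourceFailure(AuthenticationException e) {
                if (!(e instanceof AuthenticationServiceException)) {
                    return false;
                }
                Throwable cause = e.getCause();
                return cause instanceof JwtException && cause.getCause() instanceof KeySourceException;
            }
        }

        DefaultAuthErrorHandlerConfiguration() {
        }
    }

    /**
     * Default handler for {@link StatusRuntimeException}, only registered when the application has
     * not declared its own error handler for that exception type.
     */
    @ConditionalOnMissingErrorHandler(StatusRuntimeException.class)
    @Configuration
    static class DefaultStatusErrorHandlerConfiguration {

        /** Propagates the status carried by the exception unchanged. */
        @GRpcServiceAdvice
        public static class StatusErrorHandler extends ErrorHandlerAdapter {
            public StatusErrorHandler(Optional<GRpcErrorHandler> optional) {
                super(optional);
            }

            @GRpcExceptionHandler
            public Status handle(StatusRuntimeException statusRuntimeException, GRpcExceptionScope gRpcExceptionScope) {
                return handle(statusRuntimeException, statusRuntimeException.getStatus(), gRpcExceptionScope);
            }
        }

        DefaultStatusErrorHandlerConfiguration() {
        }
    }

    /**
     * Configures gRPC security: which methods may be called anonymously, and an authentication
     * provider per issuer.
     */
    @Configuration
    @ConditionalOnExpression("${entur.jwt.enabled:true}")
    public static class GrpcSecurityConfiguration extends GrpcSecurityConfigurerAdapter {
        private final JwkSourceMap jwkSourceMap;
        private final List<JwtAuthorityEnricher> jwtAuthorityEnrichers;
        private final List<OAuth2TokenValidator<Jwt>> jwtValidators;
        private final GrpcPermitAll permitAll;
        private final Flavours flavours;

        /**
         * @param jwkSourceMap          issuer → JWK source, one authentication provider is built per entry
         * @param jwtAuthorityEnrichers enrichers applied when converting a JWT to granted authorities
         * @param jwtValidators         extra validators applied to every token, after the issuer check
         * @param permitAll             allow-list of service methods that may be called anonymously
         * @param flavours              vendor flavours (Auth0, Keycloak) whose enrichers are added when enabled
         */
        public GrpcSecurityConfiguration(JwkSourceMap jwkSourceMap, List<JwtAuthorityEnricher> jwtAuthorityEnrichers, List<OAuth2TokenValidator<Jwt>> jwtValidators, GrpcPermitAll permitAll, Flavours flavours) {
            this.jwkSourceMap = jwkSourceMap;
            this.jwtAuthorityEnrichers = jwtAuthorityEnrichers;
            this.jwtValidators = jwtValidators;
            this.permitAll = permitAll;
            this.flavours = flavours;
        }

        /**
         * Applies the authorization rules and registers the issuer-dispatching authentication
         * provider. Without an active permit-all configuration every method requires
         * authentication.
         */
        @Override
        public void configure(GrpcSecurity grpcSecurity) throws Exception {
            log.info("Configure Grpc security");
            if (permitAll.isActive()) {
                configureGrpcServiceMethodFilter(permitAll.getGrpc(), grpcSecurity);
            } else {
                grpcSecurity.authorizeRequests().anyMethod().authenticated();
            }

            List<JwtAuthorityEnricher> enrichers = effectiveAuthorityEnrichers();

            Map<String, ?> jwkSources = jwkSourceMap.getJwkSources();
            Map<String, JwtAuthenticationProvider> providers = new HashMap<>();
            for (Map.Entry<String, ?> entry : jwkSources.entrySet()) {
                String issuer = entry.getKey();
                // The map holds JWKSource instances (see the cast in the original implementation);
                // the context type parameter is not visible here, SecurityContext is what
                // NimbusJwtDecoder expects.
                @SuppressWarnings("unchecked")
                JWKSource<SecurityContext> jwkSource = (JWKSource<SecurityContext>) entry.getValue();
                providers.put(issuer, createAuthenticationProvider(issuer, jwkSource, enrichers));
            }
            // assumes IssuerAuthenticationProvider accepts a Map<String, JwtAuthenticationProvider>
            // keyed by issuer — verify against its constructor
            grpcSecurity.authenticationProvider(new IssuerAuthenticationProvider(providers));
        }

        /**
         * The injected enrichers, plus the Auth0 / Keycloak enrichers for every flavour that is
         * enabled. Returns the injected list itself when flavours are disabled.
         */
        private List<JwtAuthorityEnricher> effectiveAuthorityEnrichers() {
            if (!flavours.isEnabled()) {
                return jwtAuthorityEnrichers;
            }
            List<JwtAuthorityEnricher> enrichers = new ArrayList<>(jwtAuthorityEnrichers);
            if (flavours.getAuth0().isEnabled()) {
                enrichers.add(new Auth0JwtAuthorityEnricher());
            }
            if (flavours.getKeycloak().isEnabled()) {
                enrichers.add(new KeycloakJwtAuthorityEnricher());
            }
            return enrichers;
        }

        /**
         * Builds the decode → validate → convert chain for tokens issued by {@code issuer}.
         *
         * @param issuer    the issuer the token's {@code iss} claim must equal
         * @param jwkSource the keys used to verify the token signature
         * @param enrichers enrichers applied when mapping claims to granted authorities
         */
        private JwtAuthenticationProvider createAuthenticationProvider(String issuer, JWKSource<SecurityContext> jwkSource, List<JwtAuthorityEnricher> enrichers) {
            DefaultJWTProcessor<SecurityContext> processor = new DefaultJWTProcessor<>();
            // NOTE(review): Family.SIGNATURE includes the HMAC (HS*) algorithms as well as the
            // asymmetric ones. A symmetric key is only ever selected if the issuer's JWK source
            // actually exposes one; if the sources are public JWK sets only, consider narrowing
            // this set to the asymmetric families so the accepted algorithms are explicit.
            processor.setJWSKeySelector(new JWSVerificationKeySelector<>(JWSAlgorithm.Family.SIGNATURE, jwkSource));
            NimbusJwtDecoder decoder = new NimbusJwtDecoder(processor);
            // NOTE(review): this replaces the decoder's default validator; expiry / not-before
            // enforcement then depends on the processor's built-in claims verifier and on the
            // injected jwtValidators — confirm one of them covers it.
            decoder.setJwtValidator(getJwtValidators(issuer));
            JwtAuthenticationConverter converter = new JwtAuthenticationConverter();
            converter.setJwtGrantedAuthoritiesConverter(new EnrichedJwtGrantedAuthoritiesConverter(enrichers));
            JwtAuthenticationProvider provider = new JwtAuthenticationProvider(decoder);
            provider.setJwtAuthenticationConverter(converter);
            return provider;
        }

        /**
         * Exempts the configured service methods from authentication and requires it for every
         * other method. Service and method names are compared case-insensitively; a {@code "*"}
         * entry exempts every method of that service. Methods that match nothing stay
         * authenticated (fail closed), including descriptors without a service or bare method name.
         */
        private void configureGrpcServiceMethodFilter(GrpcServicesConfiguration grpcServicesConfiguration, GrpcSecurity grpcSecurity) throws Exception {
            Map<String, List<String>> anonymousMethods = new HashMap<>();
            for (ServiceMatcherConfiguration service : grpcServicesConfiguration.getServices()) {
                if (!service.isEnabled()) {
                    continue;
                }
                List<String> methods = service.getMethods();
                if (methods.contains("*")) {
                    log.info("Allow anonymous access to all methods of GRPC service {}", service.getName());
                } else {
                    log.info("Allow anonymous access to methods {} of GRPC service {}", methods, service.getName());
                }
                List<String> lowerCased = methods.stream()
                        .map(method -> method.toLowerCase(Locale.ROOT))
                        .collect(Collectors.toList());
                anonymousMethods.put(service.getName().toLowerCase(Locale.ROOT), lowerCased);
            }

            GrpcServiceAuthorizationConfigurer.Registry registry = grpcSecurity.authorizeRequests();
            registry.anyMethodExcluding(methodDescriptor -> {
                // getServiceName()/getBareMethodName() are nullable on io.grpc.MethodDescriptor;
                // a missing name can never match the allow-list.
                String serviceName = methodDescriptor.getServiceName();
                if (serviceName == null) {
                    return false;
                }
                List<String> allowed = anonymousMethods.get(serviceName.toLowerCase(Locale.ROOT));
                if (allowed == null) {
                    return false;
                }
                if (allowed.contains("*")) {
                    return true;
                }
                String bareName = methodDescriptor.getBareMethodName();
                if (bareName != null && allowed.contains(bareName.toLowerCase(Locale.ROOT))) {
                    return true;
                }
                return allowed.contains(methodDescriptor.getFullMethodName().toLowerCase(Locale.ROOT));
            }).authenticated();
        }

        /**
         * Validators for tokens from {@code issuer}: the {@code iss} claim must equal the issuer,
         * followed by every injected validator, in injection order.
         */
        private DelegatingOAuth2TokenValidator<Jwt> getJwtValidators(String issuer) {
            List<OAuth2TokenValidator<Jwt>> validators = new ArrayList<>(jwtValidators.size() + 1);
            validators.add(new JwtIssuerValidator(issuer));
            validators.addAll(jwtValidators);
            return new DelegatingOAuth2TokenValidator<>(validators);
        }
    }

    /** Fallback enricher so the converter always has at least one, unless the application supplies its own. */
    @ConditionalOnMissingBean({JwtAuthorityEnricher.class})
    @ConditionalOnProperty(name = {"entur.jwt.enabled"}, havingValue = "true", matchIfMissing = true)
    @Bean
    public JwtAuthorityEnricher jwtAuthorityEnricher() {
        return new DefaultJwtAuthorityEnricher();
    }

    /**
     * Placeholder {@link UserDetailsService} that prevents Spring Security from creating its
     * default in-memory user; only registered when the application has none of its own.
     */
    @ConditionalOnMissingBean({UserDetailsService.class})
    @ConditionalOnProperty(name = {"entur.jwt.enabled"}, havingValue = "true", matchIfMissing = true)
    @Bean
    public UserDetailsService userDetailsService() {
        return new NoUserDetailsService();
    }
}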
