package org.entur.jwt.spring.config;

import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.jwk.source.JWKSource;
import com.nimbusds.jose.proc.JWSVerificationKeySelector;
import com.nimbusds.jwt.proc.DefaultJWTProcessor;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import org.entur.jwt.spring.EnrichedJwtGrantedAuthoritiesConverter;
import org.entur.jwt.spring.JwtAuthorityEnricher;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configurers.oauth2.server.resource.OAuth2ResourceServerConfigurer;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtIssuerValidator;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationProvider;
import org.springframework.security.oauth2.server.resource.authentication.JwtIssuerAuthenticationManagerResolver;

/* loaded from: input_file:org/entur/jwt/spring/config/EnturOauth2ResourceServerCustomizer.class */
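/**
 * Configures the OAuth2 resource server for multiple JWT issuers.
 *
 * <p>For every configured issuer a dedicated decoder, validator chain and authentication
 * provider is built, so a token is only ever verified against the key source registered for
 * the issuer it names. The per-issuer providers are handed to a
 * {@link JwtIssuerAuthenticationManagerResolver}, which picks one of them per request.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>The issuer used to pick a provider comes from the incoming token. What happens for an
 *       issuer that is not in the map is decided by {@code IssuerAuthenticationManagerResolver},
 *       which is declared elsewhere in this package - NOTE(review): confirm it rejects unknown
 *       issuers rather than falling back to a default.</li>
 *   <li>{@link NimbusJwtDecoder#setJwtValidator} replaces the decoder's validator, so only the
 *       issuer check plus the injected validators run on the Spring side. Expiry, not-before and
 *       audience checks therefore depend on the injected validators or on the claims verifier
 *       of the Nimbus processor - NOTE(review): confirm at least one of them enforces these.</li>
 * </ul>
 */
public class EnturOauth2ResourceServerCustomizer implements Customizer<OAuth2ResourceServerConfigurer<HttpSecurity>> {
    private static final Logger LOGGER = LoggerFactory.getLogger(EnturOauth2ResourceServerCustomizer.class);

    /** Key source per issuer; the map key is the issuer identifier that tokens must carry. */
    private final Map<String, JWKSource> jwkSources;
    /** Enrichers handed to the granted-authorities converter of every issuer. */
    private final List<JwtAuthorityEnricher> jwtAuthorityEnrichers;
    /** Extra validators appended after the issuer check for every issuer. */
    private final List<OAuth2TokenValidator<Jwt>> jwtValidators;

    /**
     * Creates the customizer.
     *
     * @param map key source per issuer identifier; must not be {@code null}
     * @param list authority enrichers, passed through to the authorities converter as given
     * @param list2 additional token validators applied to every issuer; must not be {@code null}
     * @throws NullPointerException if {@code map} or {@code list2} is {@code null}
     */
    public EnturOauth2ResourceServerCustomizer(Map<String, JWKSource> map, List<JwtAuthorityEnricher> list, List<OAuth2TokenValidator<Jwt>> list2) {
        // Fail at wiring time rather than on first use: both of these would otherwise
        // raise the same NullPointerException later, inside customize().
        this.jwkSources = Objects.requireNonNull(map, "jwkSources");
        this.jwtAuthorityEnrichers = list;
        this.jwtValidators = Objects.requireNonNull(list2, "jwtValidators");
    }

    /**
     * Registers one authentication manager per configured issuer on the resource server.
     *
     * @param oAuth2ResourceServerConfigurer the configurer to install the issuer-based resolver on
     */
    @Override
    public void customize(OAuth2ResourceServerConfigurer<HttpSecurity> oAuth2ResourceServerConfigurer) {
        LOGGER.info("Customize {} issuers", this.jwkSources.size());
        // presumably IssuerAuthenticationManagerResolver accepts Map<String, AuthenticationManager>;
        // the method reference below needs that functional-interface target type to compile.
        Map<String, AuthenticationManager> managersByIssuer = new HashMap<>();
        for (Map.Entry<String, JWKSource> entry : this.jwkSources.entrySet()) {
            String issuer = entry.getKey();
            JwtAuthenticationProvider provider = new JwtAuthenticationProvider(createDecoder(issuer, entry.getValue()));
            provider.setJwtAuthenticationConverter(createAuthenticationConverter());
            managersByIssuer.put(issuer, provider::authenticate);
        }
        oAuth2ResourceServerConfigurer.authenticationManagerResolver(new JwtIssuerAuthenticationManagerResolver(new IssuerAuthenticationManagerResolver(managersByIssuer)));
    }

    /**
     * Builds the decoder for one issuer: signature verification against that issuer's key
     * source only, followed by the issuer-specific validator chain.
     */
    // Raw types are kept because the public constructor exposes a raw JWKSource;
    // narrowing it would change the signature callers compile against.
    @SuppressWarnings({"rawtypes", "unchecked"})
    private NimbusJwtDecoder createDecoder(String issuer, JWKSource jwkSource) {
        DefaultJWTProcessor jwtProcessor = new DefaultJWTProcessor();
        // Only algorithms in the SIGNATURE family are accepted, and keys are looked up
        // exclusively in this issuer's source.
        jwtProcessor.setJWSKeySelector(new JWSVerificationKeySelector(JWSAlgorithm.Family.SIGNATURE, jwkSource));
        NimbusJwtDecoder decoder = new NimbusJwtDecoder(jwtProcessor);
        // Replaces whatever validator the decoder was created with.
        decoder.setJwtValidator(getJwtValidators(issuer));
        return decoder;
    }

    /** Builds the converter that maps a validated token to enriched granted authorities. */
    private JwtAuthenticationConverter createAuthenticationConverter() {
        JwtAuthenticationConverter converter = new JwtAuthenticationConverter();
        converter.setJwtGrantedAuthoritiesConverter(new EnrichedJwtGrantedAuthoritiesConverter(this.jwtAuthorityEnrichers));
        return converter;
    }

    /**
     * Returns the validator chain for one issuer: the issuer check first, then every
     * injected validator in the order it was supplied.
     *
     * @param str the issuer identifier the token's issuer claim must match
     */
    private DelegatingOAuth2TokenValidator<Jwt> getJwtValidators(String str) {
        List<OAuth2TokenValidator<Jwt>> validators = new ArrayList<>(this.jwtValidators.size() + 1);
        validators.add(new JwtIssuerValidator(str));
        validators.addAll(this.jwtValidators);
        return new DelegatingOAuth2TokenValidator<>(validators);
    }
}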
