package org.springframework.cloud.security.oauth2.resource;

import java.io.IOException;
import java.util.Arrays;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.boot.autoconfigure.condition.ConditionOutcome;
import org.springframework.boot.autoconfigure.condition.ConditionalOnBean;
import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingClass;
import org.springframework.boot.autoconfigure.condition.SpringBootCondition;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.ConditionContext;
import org.springframework.context.annotation.Conditional;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.OrderComparator;
import org.springframework.core.annotation.AnnotationAwareOrderComparator;
import org.springframework.core.env.Environment;
import org.springframework.core.type.AnnotatedTypeMetadata;
import org.springframework.http.HttpEntity;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpMethod;
import org.springframework.http.HttpRequest;
import org.springframework.http.MediaType;
import org.springframework.http.client.ClientHttpRequestExecution;
import org.springframework.http.client.ClientHttpRequestInterceptor;
import org.springframework.http.client.ClientHttpResponse;
import org.springframework.security.crypto.codec.Base64;
import org.springframework.security.oauth2.client.OAuth2ClientContext;
import org.springframework.security.oauth2.client.OAuth2RestOperations;
import org.springframework.security.oauth2.client.OAuth2RestTemplate;
import org.springframework.security.oauth2.client.resource.OAuth2ProtectedResourceDetails;
import org.springframework.security.oauth2.client.token.AccessTokenRequest;
import org.springframework.security.oauth2.client.token.RequestEnhancer;
import org.springframework.security.oauth2.client.token.grant.code.AuthorizationCodeAccessTokenProvider;
import org.springframework.security.oauth2.client.token.grant.code.AuthorizationCodeResourceDetails;
import org.springframework.security.oauth2.provider.token.DefaultTokenServices;
import org.springframework.security.oauth2.provider.token.RemoteTokenServices;
import org.springframework.security.oauth2.provider.token.ResourceServerTokenServices;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;
import org.springframework.security.oauth2.provider.token.store.JwtTokenStore;
import org.springframework.social.connect.ConnectionFactoryLocator;
import org.springframework.social.connect.support.OAuth2ConnectionFactory;
import org.springframework.util.MultiValueMap;
import org.springframework.util.StringUtils;
import org.springframework.web.client.ResourceAccessException;
import org.springframework.web.client.RestTemplate;

@Configuration
/* loaded from: input_file:org/springframework/cloud/security/oauth2/resource/ResourceServerTokenServicesConfiguration.class */
public class ResourceServerTokenServicesConfiguration {

    /**
     * Condition that matches when a JWT key is configured, either inline through
     * {@code spring.oauth2.resource.jwt.keyValue} or by location through
     * {@code spring.oauth2.resource.jwt.keyUri}.
     *
     * <p>Only the presence of text is checked; the key material is not parsed or validated here.
     */
    private static class JwtToken extends SpringBootCondition {
        private JwtToken() {
        }

        /**
         * Reports a match as soon as one of the two JWT key properties has text.
         *
         * @param conditionContext supplies the environment the properties are read from
         * @param annotatedTypeMetadata not used by this condition
         * @return a match if either property has text, otherwise a non-match
         */
        public ConditionOutcome getMatchOutcome(ConditionContext conditionContext, AnnotatedTypeMetadata annotatedTypeMetadata) {
            // The inline key is consulted first; the key URI is only looked up when the inline key is blank.
            String inlineKey = conditionContext.getEnvironment().getProperty("spring.oauth2.resource.jwt.keyValue");
            boolean keyConfigured = StringUtils.hasText(inlineKey);
            if (!keyConfigured) {
                String keyLocation = conditionContext.getEnvironment().getProperty("spring.oauth2.resource.jwt.keyUri");
                keyConfigured = StringUtils.hasText(keyLocation);
            }
            if (keyConfigured) {
                return ConditionOutcome.match("Public key is provided");
            }
            return ConditionOutcome.noMatch("Public key is not provided");
        }
    }

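    /**
     * Token services for a resource server that verifies JWT access tokens locally.
     *
     * <p>Active only when {@link JwtToken} matches, i.e. when
     * {@code spring.oauth2.resource.jwt.keyValue} or {@code spring.oauth2.resource.jwt.keyUri} has text.
     * The key configured here is the trust anchor for every token this service accepts.
     */
    @Configuration
    @Conditional({JwtToken.class})
    protected static class JwtTokenServicesConfiguration {
        private static final Logger log = LoggerFactory.getLogger(JwtTokenServicesConfiguration.class);

        @Autowired
        private ResourceServerProperties resource;

        // Plain RestTemplate used only to download the key from the configured key URI.
        private RestTemplate keyUriRestTemplate = new RestTemplate();

        // Optional hooks applied to the converter after the key has been set; empty when none are defined.
        @Autowired(required = false)
        private List<JwtAccessTokenConverterConfigurer> configurers = Collections.emptyList();

        protected JwtTokenServicesConfiguration() {
        }

        /**
         * Builds the token services backed by the JWT token store, unless the application already
         * defines a {@link ResourceServerTokenServices} bean.
         *
         * @return token services that read tokens through {@link #jwtTokenStore()}
         */
        @ConditionalOnMissingBean({ResourceServerTokenServices.class})
        @Bean
        public ResourceServerTokenServices jwtTokenServices() {
            DefaultTokenServices tokenServices = new DefaultTokenServices();
            tokenServices.setTokenStore(jwtTokenStore());
            return tokenServices;
        }

        /**
         * @return a token store that decodes tokens with the converter from {@link #jwtTokenEnhancer()}
         */
        @Bean
        public TokenStore jwtTokenStore() {
            return new JwtTokenStore(jwtTokenEnhancer());
        }

        /**
         * Creates the JWT converter and installs the configured key.
         *
         * <p>The inline key value wins; when it is blank the key is downloaded from the key URI. A
         * connection failure during that download is logged and tolerated, so the application still
         * starts. In that case no key is installed and the converter keeps whatever key it was
         * constructed with.
         *
         * @return the converter, after every registered {@link JwtAccessTokenConverterConfigurer} has run
         */
        @Bean
        public JwtAccessTokenConverter jwtTokenEnhancer() {
            JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
            String keyValue = this.resource.getJwt().getKeyValue();
            if (!StringUtils.hasText(keyValue)) {
                try {
                    keyValue = fetchKeyFromServer();
                } catch (ResourceAccessException e) {
                    // Keep the cause: it tells the operator whether this was DNS, TLS, a timeout, etc.
                    log.warn("Failed to fetch token key (you may need to refresh when the auth server is back)", e);
                }
            }
            // A blank or whitespace-only value must never become the verification key.
            if (StringUtils.hasText(keyValue)) {
                if (!keyValue.startsWith("-----BEGIN")) {
                    // No PEM header: the value is used as a shared secret, so it is installed as the
                    // signing key as well. This service then holds material that can sign tokens,
                    // not only verify them.
                    converter.setSigningKey(keyValue);
                }
                converter.setVerifierKey(keyValue);
            }
            AnnotationAwareOrderComparator.sort(this.configurers);
            for (JwtAccessTokenConverterConfigurer configurer : this.configurers) {
                configurer.configure(converter);
            }
            return converter;
        }

        /**
         * Downloads the token key from the configured key URI.
         *
         * <p>When both a client id and a client secret are configured they are sent as HTTP Basic
         * credentials. The response is expected to be a JSON object with a string {@code "value"} entry.
         *
         * @return the key text, or {@code null} when the response carries no usable {@code "value"}
         * @throws ResourceAccessException if the key URI cannot be reached
         */
        private String fetchKeyFromServer() {
            HttpHeaders headers = new HttpHeaders();
            String clientId = this.resource.getClientId();
            String clientSecret = this.resource.getClientSecret();
            if (clientId != null && clientSecret != null) {
                // Explicit charsets, so the header does not vary with the host's default encoding.
                byte[] credentials = (clientId + ":" + clientSecret).getBytes(java.nio.charset.StandardCharsets.UTF_8);
                headers.add("Authorization", "Basic " + new String(Base64.encode(credentials), java.nio.charset.StandardCharsets.US_ASCII));
            }
            String keyUri = this.resource.getJwt().getKeyUri();
            if (keyUri != null && !keyUri.regionMatches(true, 0, "https:", 0, 6)) {
                // The response becomes the trust anchor for all tokens, and the request may carry the client secret.
                log.warn("JWT key URI does not use https; the fetched key and any client credentials sent with the request are not protected in transit");
            }
            Map<?, ?> body = this.keyUriRestTemplate.exchange(keyUri, HttpMethod.GET, new HttpEntity<Void>(headers), Map.class).getBody();
            Object value = body == null ? null : body.get("value");
            if (!(value instanceof String)) {
                // The response content is deliberately not logged: it may be key material.
                log.warn("Token key response did not contain a string 'value' entry");
                return null;
            }
            return (String) value;
        }
    }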

    /**
     * Logical negation of {@link JwtToken}: matches exactly when no JWT key property has text.
     */
    private static class NotJwtToken extends SpringBootCondition {
        private final JwtToken opposite = new JwtToken();

        private NotJwtToken() {
        }

        /**
         * Evaluates {@link JwtToken} and flips its result.
         *
         * <p>The delegate's message is reused unchanged, so the condition report shows the
         * {@link JwtToken} wording next to the inverted outcome.
         *
         * @param conditionContext passed through to the delegate
         * @param annotatedTypeMetadata passed through to the delegate
         * @return a non-match when the delegate matches, and a match otherwise
         */
        public ConditionOutcome getMatchOutcome(ConditionContext conditionContext, AnnotatedTypeMetadata annotatedTypeMetadata) {
            ConditionOutcome delegateOutcome = this.opposite.getMatchOutcome(conditionContext, annotatedTypeMetadata);
            if (delegateOutcome.isMatch()) {
                return ConditionOutcome.noMatch(delegateOutcome.getMessage());
            }
            return ConditionOutcome.match(delegateOutcome.getMessage());
        }
    }

    /**
     * Logical negation of {@link TokenInfo}: matches exactly when {@link TokenInfo} does not.
     */
    private static class NotTokenInfo extends SpringBootCondition {
        private final TokenInfo opposite = new TokenInfo();

        private NotTokenInfo() {
        }

        /**
         * Evaluates {@link TokenInfo} and flips its result.
         *
         * <p>The delegate's message is reused unchanged, so the condition report shows the
         * {@link TokenInfo} wording next to the inverted outcome.
         *
         * @param conditionContext passed through to the delegate
         * @param annotatedTypeMetadata passed through to the delegate
         * @return a non-match when the delegate matches, and a match otherwise
         */
        public ConditionOutcome getMatchOutcome(ConditionContext conditionContext, AnnotatedTypeMetadata annotatedTypeMetadata) {
            ConditionOutcome delegateOutcome = this.opposite.getMatchOutcome(conditionContext, annotatedTypeMetadata);
            if (delegateOutcome.isMatch()) {
                return ConditionOutcome.noMatch(delegateOutcome.getMessage());
            }
            return ConditionOutcome.match(delegateOutcome.getMessage());
        }
    }

    /**
     * Token services that resolve each access token through a remote endpoint. Used when no JWT key
     * is configured ({@link NotJwtToken}).
     *
     * <p>Which nested configuration applies depends on {@link TokenInfo} and on whether Spring
     * Social's {@code OAuth2ConnectionFactory} is on the classpath.
     */
    @Configuration
    @Conditional(NotJwtToken.class)
    protected static class RemoteTokenServicesConfiguration {

        protected RemoteTokenServicesConfiguration() {
        }

        /**
         * User-info based token services for applications that have Spring Social on the classpath
         * and for which {@link TokenInfo} does not match.
         */
        @Configuration
        @ConditionalOnClass(OAuth2ConnectionFactory.class)
        @Conditional(NotTokenInfo.class)
        protected static class SocialTokenServicesConfiguration {

            @Autowired
            private ResourceServerProperties sso;

            // Optional injection: stays null when no OAuth2ConnectionFactory bean is available.
            @Autowired(required = false)
            private OAuth2ConnectionFactory<?> connectionFactory;

            // Optional injection of the bean named "userInfoRestTemplate".
            @Autowired(required = false)
            @Qualifier("userInfoRestTemplate")
            private OAuth2RestOperations restTemplate;

            protected SocialTokenServicesConfiguration() {
            }

            /**
             * Token services backed by Spring Social. Registered when a {@link ConnectionFactoryLocator}
             * bean exists and no other {@link ResourceServerTokenServices} is defined.
             *
             * <p>NOTE(review): the bean condition checks for a {@code ConnectionFactoryLocator}, not for
             * the injected {@code OAuth2ConnectionFactory}, so {@code connectionFactory} may be null
             * here. Confirm how {@code SpringSocialTokenServices} handles that.
             *
             * @return token services built from the connection factory and the configured client id
             */
            @ConditionalOnMissingBean(ResourceServerTokenServices.class)
            @ConditionalOnBean(ConnectionFactoryLocator.class)
            @Bean
            public SpringSocialTokenServices socialTokenServices() {
                String clientId = this.sso.getClientId();
                return new SpringSocialTokenServices(this.connectionFactory, clientId);
            }

            /**
             * Token services that resolve a token through the user-info endpoint. Registered when
             * neither a {@link ConnectionFactoryLocator} nor a {@link ResourceServerTokenServices}
             * bean is defined.
             *
             * <p>NOTE(review): a successful user-info lookup shows that the provider accepted the
             * token. Whether the token was issued to this client is not established by anything
             * visible in this class; confirm against {@code UserInfoTokenServices}.
             *
             * @return token services for the configured user-info URI and client id
             */
            @ConditionalOnMissingBean({ConnectionFactoryLocator.class, ResourceServerTokenServices.class})
            @Bean
            public UserInfoTokenServices userInfoTokenServices() {
                String userInfoUri = this.sso.getUserInfoUri();
                String clientId = this.sso.getClientId();
                UserInfoTokenServices services = new UserInfoTokenServices(userInfoUri, clientId);
                services.setRestTemplate(this.restTemplate);
                return services;
            }
        }

        /**
         * Token services that check tokens against the token-info endpoint. Active when
         * {@link TokenInfo} matches.
         */
        @Configuration
        @Conditional(TokenInfo.class)
        protected static class TokenInfoServicesConfiguration {

            @Autowired
            private ResourceServerProperties resource;

            protected TokenInfoServicesConfiguration() {
            }

            /**
             * Builds remote token services from the configured token-info URI, client id and client
             * secret.
             *
             * <p>NOTE(review): {@code RemoteTokenServices} is expected to present these client
             * credentials, together with the token being checked, to the token-info URI. Confirm
             * that the configured URI is an HTTPS endpoint. There is no
             * {@code @ConditionalOnMissingBean} here, unlike the sibling configurations.
             *
             * @return token services pointed at the token-info URI
             */
            @Bean
            protected ResourceServerTokenServices remoteTokenServices() {
                RemoteTokenServices services = new RemoteTokenServices();
                services.setCheckTokenEndpointUrl(this.resource.getTokenInfoUri());
                services.setClientId(this.resource.getClientId());
                services.setClientSecret(this.resource.getClientSecret());
                return services;
            }
        }

        /**
         * User-info based token services for applications without Spring Social on the classpath
         * and for which {@link TokenInfo} does not match.
         */
        @ConditionalOnMissingClass(name = "org.springframework.social.connect.support.OAuth2ConnectionFactory")
        @Configuration
        @Conditional(NotTokenInfo.class)
        protected static class UserInfoTokenServicesConfiguration {

            @Autowired
            private ResourceServerProperties sso;

            // Optional injection of the bean named "userInfoRestTemplate".
            @Autowired(required = false)
            @Qualifier("userInfoRestTemplate")
            private OAuth2RestOperations restTemplate;

            protected UserInfoTokenServicesConfiguration() {
            }

            /**
             * Token services that resolve a token through the user-info endpoint, unless the
             * application already defines a {@link ResourceServerTokenServices} bean.
             *
             * <p>NOTE(review): a successful user-info lookup shows that the provider accepted the
             * token. Whether the token was issued to this client is not established by anything
             * visible in this class; confirm against {@code UserInfoTokenServices}.
             *
             * @return token services for the configured user-info URI and client id
             */
            @ConditionalOnMissingBean(ResourceServerTokenServices.class)
            @Bean
            public UserInfoTokenServices userInfoTokenServices() {
                String userInfoUri = this.sso.getUserInfoUri();
                String clientId = this.sso.getClientId();
                UserInfoTokenServices services = new UserInfoTokenServices(userInfoUri, clientId);
                services.setRestTemplate(this.restTemplate);
                return services;
            }
        }
    }

    /**
     * Exposes the {@link ResourceServerProperties} bean, seeded with the OAuth2 client's id and
     * secret when client details are available.
     */
    @Configuration
    protected static class ResourceServerPropertiesConfiguration {

        // Optional injection: stays null when the application defines no OAuth2 client details.
        @Autowired(required = false)
        private OAuth2ProtectedResourceDetails client;

        protected ResourceServerPropertiesConfiguration() {
        }

        /**
         * @return properties carrying the client id and secret of the injected client details, or
         *         {@code null} for both when no client details were injected
         */
        @Bean
        public ResourceServerProperties resourceServerProperties() {
            String clientId = null;
            String clientSecret = null;
            if (this.client != null) {
                clientId = this.client.getClientId();
                clientSecret = this.client.getClientSecret();
            }
            return new ResourceServerProperties(clientId, clientSecret);
        }
    }

    /**
     * Condition that selects the token-info endpoint over the user-info endpoint.
     *
     * <p>It matches when no user-info URI is configured, or when a token-info URI is configured and
     * {@code spring.oauth2.resource.preferTokenInfo} resolves to {@code "true"}. That property
     * falls back to {@code OAUTH2_RESOURCE_PREFERTOKENINFO} and then to {@code true}.
     *
     * <p>NOTE(review): the first branch matches whenever the user-info URI is blank, without looking
     * at the token-info URI, so it also matches when neither URI is configured.
     */
    private static class TokenInfo extends SpringBootCondition {
        private TokenInfo() {
        }

        /**
         * @param conditionContext supplies the environment the placeholders are resolved against
         * @param annotatedTypeMetadata not used by this condition
         * @return a match when the token-info endpoint should be used, otherwise a non-match
         */
        public ConditionOutcome getMatchOutcome(ConditionContext conditionContext, AnnotatedTypeMetadata annotatedTypeMetadata) {
            Environment environment = conditionContext.getEnvironment();

            // Each placeholder has an empty default, so an unset property resolves to "".
            String userInfoUri = environment.resolvePlaceholders("${spring.oauth2.resource.userInfoUri:}");
            if (userInfoUri.isEmpty()) {
                return ConditionOutcome.match("No user info provided");
            }

            String tokenInfoUri = environment.resolvePlaceholders("${spring.oauth2.resource.tokenInfoUri:}");
            if (!tokenInfoUri.isEmpty()) {
                String preferTokenInfo = environment.resolvePlaceholders("${spring.oauth2.resource.preferTokenInfo:${OAUTH2_RESOURCE_PREFERTOKENINFO:true}}");
                if ("true".equals(preferTokenInfo)) {
                    return ConditionOutcome.match("Token info endpoint is preferred and user info provided");
                }
            }

            // Also reached when a token-info URI is set but not preferred; the message covers only the other case.
            return ConditionOutcome.noMatch("Token info endpoint is not provided");
        }
    }

    /**
     * Defines the {@code userInfoRestTemplate} bean, the OAuth2 REST template injected into the
     * user-info token services in this file.
     */
    @Configuration
    protected static class UserInfoRestTemplateConfiguration {
        private static final AuthorizationCodeResourceDetails DEFAULT_RESOURCE_DETAILS = new AuthorizationCodeResourceDetails();

        static {
            // Placeholder details for applications with no OAuth2 client. The URIs are deliberately not valid URIs.
            DEFAULT_RESOURCE_DETAILS.setClientId("<N/A>");
            DEFAULT_RESOURCE_DETAILS.setUserAuthorizationUri("Not a URI because there is no client");
            DEFAULT_RESOURCE_DETAILS.setAccessTokenUri("Not a URI because there is no client");
        }

        // Optional hooks applied to the template last; empty when none are defined.
        @Autowired(required = false)
        private List<UserInfoRestTemplateCustomizer> customizers = Collections.emptyList();

        // Optional injection: replaced by DEFAULT_RESOURCE_DETAILS when absent.
        @Autowired(required = false)
        private OAuth2ProtectedResourceDetails details;

        // Optional injection: when absent the template is built without a client context.
        @Autowired(required = false)
        private OAuth2ClientContext oauth2ClientContext;

        protected UserInfoRestTemplateConfiguration() {
        }

        /**
         * Builds the REST template used for user-info calls.
         *
         * <p>Both the resource requests and the access-token requests ask for JSON through the
         * {@code Accept} header. Registered customizers run last, in order.
         *
         * @return the configured template
         */
        @Bean(name = "userInfoRestTemplate")
        public OAuth2RestTemplate userInfoRestTemplate() {
            if (this.details == null) {
                this.details = DEFAULT_RESOURCE_DETAILS;
            }

            OAuth2RestTemplate template;
            if (this.oauth2ClientContext != null) {
                template = new OAuth2RestTemplate(this.details, this.oauth2ClientContext);
            } else {
                template = new OAuth2RestTemplate(this.details);
            }

            // Force "Accept: application/json" on every request made through the template.
            ClientHttpRequestInterceptor acceptJson = new ClientHttpRequestInterceptor() {
                public ClientHttpResponse intercept(HttpRequest request, byte[] body, ClientHttpRequestExecution execution) throws IOException {
                    request.getHeaders().setAccept(Collections.singletonList(MediaType.APPLICATION_JSON));
                    return execution.execute(request, body);
                }
            };
            template.setInterceptors(Arrays.asList(acceptJson));

            // Same Accept header on the access-token request itself.
            RequestEnhancer acceptJsonOnTokenRequest = new RequestEnhancer() {
                public void enhance(AccessTokenRequest request, OAuth2ProtectedResourceDetails resource, MultiValueMap<String, String> form, HttpHeaders headers) {
                    headers.setAccept(Collections.singletonList(MediaType.APPLICATION_JSON));
                }
            };
            AuthorizationCodeAccessTokenProvider tokenProvider = new AuthorizationCodeAccessTokenProvider();
            tokenProvider.setTokenRequestEnhancer(acceptJsonOnTokenRequest);
            template.setAccessTokenProvider(tokenProvider);

            // NOTE(review): the JWT configurers in this file are sorted with AnnotationAwareOrderComparator;
            // the plain OrderComparator used here presumably ignores @Order annotations on customizers. Confirm intent.
            OrderComparator.sort(this.customizers);
            for (UserInfoRestTemplateCustomizer customizer : this.customizers) {
                customizer.customize(template);
            }
            return template;
        }
    }
}
