package team.sailboat.ms.ac.conf;

import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.source.JWKSource;
import com.nimbusds.jose.proc.SecurityContext;
import jakarta.annotation.PostConstruct;
import java.util.Collection;
import java.util.Collections;
import java.util.Objects;
import java.util.UUID;
import java.util.function.BiPredicate;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.ApplicationEventPublisher;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationEventPublisher;
import org.springframework.security.authentication.DefaultAuthenticationEventPublisher;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
import org.springframework.security.oauth2.core.OAuth2Token;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtEncoder;
import org.springframework.security.oauth2.jwt.NimbusJwtEncoder;
import org.springframework.security.oauth2.server.authorization.InMemoryOAuth2AuthorizationService;
import org.springframework.security.oauth2.server.authorization.OAuth2Authorization;
import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationCode;
import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2ClientAuthenticationToken;
import org.springframework.security.oauth2.server.authorization.config.annotation.web.configuration.OAuth2AuthorizationServerConfiguration;
import org.springframework.security.oauth2.server.authorization.config.annotation.web.configurers.OAuth2AuthorizationServerConfigurer;
import org.springframework.security.oauth2.server.authorization.token.JwtEncodingContext;
import org.springframework.security.oauth2.server.authorization.token.JwtGenerator;
import org.springframework.security.oauth2.server.authorization.token.OAuth2TokenCustomizer;
import org.springframework.security.oauth2.server.authorization.token.OAuth2TokenGenerator;
import org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping;
import team.sailboat.commons.fan.excep.WrapException;
import team.sailboat.commons.fan.lang.Assert;
import team.sailboat.commons.ms.ac.AppAuthenticationProvider;
import team.sailboat.commons.ms.ac.IApiPredicate;
import team.sailboat.commons.ms.xca.AppCertificateType;
import team.sailboat.commons.ms.xca.AppKeySecret;
import team.sailboat.commons.ms.xca.XAppSignChecker;
import team.sailboat.ms.ac.AppConsts;
import team.sailboat.ms.ac.Jwks;
import team.sailboat.ms.ac.component.OAuth2AuthorizationCodeRequestAuthenticationProvider;
import team.sailboat.ms.ac.dbean.User;
import team.sailboat.ms.ac.oauth2server.AppSignAuthConverter;
import team.sailboat.ms.ac.server.IClientAppDataManager;
import team.sailboat.ms.ac.server.ResourceManageServer;

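@Configuration
/**
 * Spring wiring for the OAuth2 authorization server: signing keys, JWT encoder/decoder,
 * the token generator (with the user-claim customizer), password and app-signature
 * authentication providers, and the (in-memory) authorization store.
 */
public class OAuthServerConf {

    /** Source of user, client-app and API metadata; injected before any {@code @Bean} method runs. */
    @Autowired
    ResourceManageServer mResMngServer;

    /** Shared authorization-server configurer; customised in {@link #_init()} and exposed as a bean. */
    final OAuth2AuthorizationServerConfigurer mAuthorizationServerConfigurer = new OAuth2AuthorizationServerConfigurer();

    /**
     * Adds the user's authority codes for the requesting client, the user id and a short-lived
     * "corsToken" (an authorization code) to every JWT issued for a {@link User} principal, and
     * stores that code in the authorization service so it can be redeemed later.
     * <p>Tokens whose principal is not a {@link User} are left unchanged.
     */
    class AccessTokenCustomizer implements OAuth2TokenCustomizer<JwtEncodingContext> {
        // Lifetime argument handed to createAuthorizationCode; the unit is defined by the provider — TODO confirm.
        static final int CORS_TOKEN_LIFETIME = 120;

        final Logger mLogger = LoggerFactory.getLogger(getClass());
        final OAuth2AuthorizationCodeRequestAuthenticationProvider mAuthCodePvd;

        /**
         * @param authCodeProvider provider used to mint the corsToken and to reach the authorization service
         * @throws NullPointerException if {@code authCodeProvider} is null
         */
        AccessTokenCustomizer(OAuth2AuthorizationCodeRequestAuthenticationProvider authCodeProvider) {
            this.mAuthCodePvd = Objects.requireNonNull(authCodeProvider, "authCodeProvider");
        }

        @Override
        public void customize(JwtEncodingContext context) {
            // The user claims below only make sense for a user-bound token. A non-User principal
            // (e.g. a client authenticating on its own behalf) used to fail here with a
            // ClassCastException; such tokens are now simply not customised.
            Object principal = context.getPrincipal().getPrincipal();
            if (!(principal instanceof User)) {
                return;
            }
            User user = (User) principal;
            String clientId = context.getRegisteredClient().getId();

            Collection<String> auths = OAuthServerConf.this.mResMngServer.getClientAppDataMng()
                    .getAuthorityCodesOfUserInClientApp(user.getId(), clientId);
            OAuth2AuthorizationCode corsToken = this.mAuthCodePvd.createAuthorizationCode(CORS_TOKEN_LIFETIME);

            context.getClaims()
                    .claim("auths", auths)
                    .claim("userId", user.getId())
                    .claim("corsToken", corsToken.getTokenValue());

            // A copy of the current authorization carrying the new code, under a fresh id — so
            // save() adds a separate record rather than overwriting the original authorization.
            OAuth2Authorization authorization = OAuth2Authorization
                    .from((OAuth2Authorization) context.get(OAuth2Authorization.class))
                    .token(corsToken)
                    .id(UUID.randomUUID().toString())
                    .build();

            // The code value is a bearer credential: record who it was issued to, never the value.
            this.mLogger.info("发出token：userId={}，clientId={}", user.getId(), clientId);
            this.mAuthCodePvd.getAuthorizationService().save(authorization);
        }
    }

    /** Points the authorization endpoint at the application's own consent page. */
    @PostConstruct
    void _init() {
        this.mAuthorizationServerConfigurer.authorizationEndpoint(
                endpoint -> endpoint.consentPage(AppConsts.sViewPath_consent));
    }

    /** The client-app data manager doubles as the API predicate. */
    @Bean
    IApiPredicate _apiPredicate() {
        return this.mResMngServer.getClientAppDataMng();
    }

    /** Exposes the configurer customised in {@link #_init()}. */
    @Bean
    OAuth2AuthorizationServerConfigurer _oauth2AuthorizationServerConfigurer() {
        return this.mAuthorizationServerConfigurer;
    }

    /** Username/password authentication backed by the user data manager; passwords are BCrypt-hashed. */
    @Bean
    DaoAuthenticationProvider daoAuthenticationProvider() {
        DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
        provider.setPasswordEncoder(new BCryptPasswordEncoder());
        provider.setUserDetailsService(this.mResMngServer.getUserDataMng());
        return provider;
    }

    /**
     * Signing key set for issued JWTs.
     * <p>NOTE(review): {@code Jwks.generateRsa()} runs once when this singleton bean is created,
     * so the key pair appears to be ephemeral — tokens issued before a restart, or by another
     * instance, would not verify against this one. Confirm this matches the deployment model.
     */
    @Bean
    public JWKSource<SecurityContext> jwkSource() {
        JWKSet jwkSet = new JWKSet(Jwks.generateRsa());
        return (selector, securityContext) -> selector.select(jwkSet);
    }

    /** Decoder that verifies tokens against {@link #jwkSource()}. */
    @Bean
    public JwtDecoder jwtDecoder(JWKSource<SecurityContext> jwkSource) {
        return OAuth2AuthorizationServerConfiguration.jwtDecoder(jwkSource);
    }

    /** Encoder that signs tokens with {@link #jwkSource()}. */
    @Bean
    public JwtEncoder jwtEncoder(JWKSource<SecurityContext> jwkSource) {
        return new NimbusJwtEncoder(jwkSource);
    }

    /**
     * JWT-only token generator with the {@link AccessTokenCustomizer} attached.
     * <p>NOTE(review): only a {@link JwtGenerator} is registered here; if refresh tokens are
     * expected, a delegating generator that also includes a refresh-token generator is needed — confirm.
     */
    @Bean
    OAuth2TokenGenerator<? extends OAuth2Token> _tokenGenerator(JwtEncoder jwtEncoder,
            OAuth2AuthorizationCodeRequestAuthenticationProvider oAuth2AuthorizationCodeRequestAuthenticationProvider) {
        JwtGenerator generator = new JwtGenerator(jwtEncoder);
        generator.setJwtCustomizer(new AccessTokenCustomizer(oAuth2AuthorizationCodeRequestAuthenticationProvider));
        return generator;
    }

    /**
     * Maps an AppKey/AppSecret certificate onto a client-secret-basic client authentication token.
     * Only the AppKey-AppSecret certificate type is accepted; the token's details carry the app id.
     */
    @Bean
    AppAuthenticationProvider _appAuthenticationProvider() {
        return appCertificate -> {
            Assert.isTrue(appCertificate.getType() == AppCertificateType.AppKeySecret, "目前紧支持AppKey-AppSecret模式！", new Object[0]);
            AppKeySecret keySecret = (AppKeySecret) appCertificate;
            // The "converter" entry tells the downstream authentication how the secret was signed.
            OAuth2ClientAuthenticationToken token = new OAuth2ClientAuthenticationToken(
                    keySecret.getAppKey(),
                    ClientAuthenticationMethod.CLIENT_SECRET_BASIC,
                    keySecret.getAppSecret(),
                    Collections.singletonMap("converter", AppSignAuthConverter.sCUM_AppSecretSign));
            token.setDetails(keySecret.getAppId());
            return token;
        };
    }

    /** Publishes authentication success/failure events through the application event bus. */
    @Bean
    public AuthenticationEventPublisher _authenticationEventPublisher(ApplicationEventPublisher applicationEventPublisher) {
        return new DefaultAuthenticationEventPublisher(applicationEventPublisher);
    }

    /**
     * In-memory authorization store. Authorizations (including the corsTokens saved by
     * {@link AccessTokenCustomizer}) are lost on restart and are not shared between instances.
     */
    @Bean
    OAuth2AuthorizationService _authorizationService() {
        return new InMemoryOAuth2AuthorizationService();
    }

    /**
     * Request-signature checker for client apps. An app may invoke a request only if it has an
     * API mapping and that mapping resolves a handler for the request; client apps are looked up by app key.
     */
    @Bean
    XAppSignChecker _appSignChecker() {
        IClientAppDataManager clientAppDataMng =
                Objects.requireNonNull(this.mResMngServer.getClientAppDataMng(), "clientAppDataMng");
        return new XAppSignChecker((appKey, request) -> {
            RequestMappingHandlerMapping mapping = clientAppDataMng.getInvokableApiMapping(appKey);
            if (mapping == null) {
                return false;
            }
            try {
                return mapping.getHandler(request) != null;
            } catch (Exception e) {
                // WrapException.wrapThrow presumably rethrows e; the return only satisfies the compiler.
                WrapException.wrapThrow(e);
                return false;
            }
        }, clientAppDataMng::getClientAppByAppKey);
    }
}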
