package com.github.sparkzxl.oauth.config;

import com.github.sparkzxl.core.util.SwaggerStaticResource;
import com.github.sparkzxl.oauth.component.RestAuthenticationEntryPoint;
import com.github.sparkzxl.oauth.component.RestfulAccessDeniedHandler;
import com.github.sparkzxl.oauth.filter.IgnoreUrlsRemoveJwtFilter;
import com.github.sparkzxl.oauth.properties.ResourceProperties;
import org.apache.commons.lang3.ArrayUtils;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.cloud.context.config.annotation.RefreshScope;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.convert.converter.Converter;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.authorization.ReactiveAuthorizationManager;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.SecurityWebFiltersOrder;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.oauth2.server.resource.authentication.JwtGrantedAuthoritiesConverter;
import org.springframework.security.oauth2.server.resource.authentication.ReactiveJwtAuthenticationConverterAdapter;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.authorization.AuthorizationContext;
import reactor.core.publisher.Mono;

@EnableConfigurationProperties({ResourceProperties.class})
@Configuration
@EnableWebFluxSecurity
/* loaded from: input_file:com/github/sparkzxl/oauth/config/ResourceServerConfig.class */
public class ResourceServerConfig {
    private final ReactiveAuthorizationManager<AuthorizationContext> reactiveAuthorizationManager;

    @RefreshScope
    @Bean
    public IgnoreUrlsRemoveJwtFilter ignoreUrlsRemoveJwtFilter(ResourceProperties resourceProperties) {
        return new IgnoreUrlsRemoveJwtFilter(resourceProperties);
    }

    @RefreshScope
    @Bean
    public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity serverHttpSecurity, ResourceProperties resourceProperties, IgnoreUrlsRemoveJwtFilter ignoreUrlsRemoveJwtFilter) {
        String[] strArr = (String[]) ArrayUtils.addAll(resourceProperties.getIgnore(), SwaggerStaticResource.EXCLUDE_STATIC_PATTERNS.toArray(new String[0]));
        serverHttpSecurity.oauth2ResourceServer().jwt().jwtAuthenticationConverter(jwtAuthenticationConverter());
        RestAuthenticationEntryPoint restAuthenticationEntryPoint = new RestAuthenticationEntryPoint();
        RestfulAccessDeniedHandler restfulAccessDeniedHandler = new RestfulAccessDeniedHandler();
        serverHttpSecurity.oauth2ResourceServer().authenticationEntryPoint(restAuthenticationEntryPoint);
        serverHttpSecurity.addFilterBefore(ignoreUrlsRemoveJwtFilter, SecurityWebFiltersOrder.AUTHENTICATION);
        ((ServerHttpSecurity.AuthorizeExchangeSpec.Access) serverHttpSecurity.authorizeExchange().pathMatchers(strArr)).permitAll().anyExchange().access(this.reactiveAuthorizationManager).and().exceptionHandling().authenticationEntryPoint(restAuthenticationEntryPoint).accessDeniedHandler(restfulAccessDeniedHandler).and().csrf().disable();
        return serverHttpSecurity.build();
    }

    @Bean
    public Converter<Jwt, ? extends Mono<? extends AbstractAuthenticationToken>> jwtAuthenticationConverter() {
        JwtGrantedAuthoritiesConverter jwtGrantedAuthoritiesConverter = new JwtGrantedAuthoritiesConverter();
        jwtGrantedAuthoritiesConverter.setAuthorityPrefix("ROLE_");
        jwtGrantedAuthoritiesConverter.setAuthoritiesClaimName("authorities");
        JwtAuthenticationConverter jwtAuthenticationConverter = new JwtAuthenticationConverter();
        jwtAuthenticationConverter.setJwtGrantedAuthoritiesConverter(jwtGrantedAuthoritiesConverter);
        return new ReactiveJwtAuthenticationConverterAdapter(jwtAuthenticationConverter);
    }

    public ResourceServerConfig(ReactiveAuthorizationManager<AuthorizationContext> reactiveAuthorizationManager) {
        this.reactiveAuthorizationManager = reactiveAuthorizationManager;
    }
}
