package org.cattleframework.oauth.authorization;

import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.RSAKey;
import com.nimbusds.jose.jwk.source.JWKSource;
import com.nimbusds.jose.proc.SecurityContext;
import java.security.KeyPair;
import java.util.UUID;
import org.apache.commons.codec.DecoderException;
import org.apache.commons.codec.binary.Hex;
import org.apache.commons.lang3.StringUtils;
import org.cattleframework.aop.processor.RegisterMissingBeanPostProcessor;
import org.cattleframework.db.services.ConfigService;
import org.cattleframework.db.services.TransactionService;
import org.cattleframework.exception.ExceptionWrapUtils;
import org.cattleframework.form.CommonWebProperties;
import org.cattleframework.form.authorization.service.SessionRepository;
import org.cattleframework.form.authorization.service.UserService;
import org.cattleframework.form.authorization.web.SessionCheckFilter;
import org.cattleframework.form.utils.WebUtils;
import org.cattleframework.oauth.authorization.client.RegisteredClientRepositoryEnhance;
import org.cattleframework.oauth.authorization.client.internal.RegisteredClientRepositoryEnhanceImpl;
import org.cattleframework.oauth.authorization.portal.configurers.AuthorizeServerConfigurer;
import org.cattleframework.oauth.authorization.portal.settings.AuthorizeServerSettings;
import org.cattleframework.oauth.authorization.portal.token.IdentityTokenCustomizer;
import org.cattleframework.oauth.authorization.portal.web.authentication.AuthorizationEndpointSuccessHandler;
import org.cattleframework.oauth.authorization.service.AuthorizeServerLogService;
import org.cattleframework.oauth.authorization.service.internal.AuthorizationServiceImpl;
import org.cattleframework.oauth.authorization.service.internal.AuthorizeServerLogServiceImpl;
import org.cattleframework.security.crypto.RsaUtils;
import org.cattleframework.utils.auxiliary.UuidUtils;
import org.cattleframework.utils.redis.RedisTemplateUtils;
import org.springframework.boot.autoconfigure.AutoConfiguration;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.DependsOn;
import org.springframework.core.annotation.Order;
import org.springframework.http.MediaType;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configurers.AuthorizeHttpRequestsConfigurer;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;
import org.springframework.security.oauth2.server.authorization.config.annotation.web.configuration.OAuth2AuthorizationServerConfiguration;
import org.springframework.security.oauth2.server.authorization.config.annotation.web.configurers.OAuth2AuthorizationServerConfigurer;
import org.springframework.security.oauth2.server.authorization.settings.AuthorizationServerSettings;
import org.springframework.security.oauth2.server.authorization.token.JwtEncodingContext;
import org.springframework.security.oauth2.server.authorization.token.OAuth2TokenCustomizer;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;
import org.springframework.security.web.context.SecurityContextHolderFilter;
import org.springframework.security.web.header.writers.XXssProtectionHeaderWriter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.MediaTypeRequestMatcher;
import org.springframework.security.web.util.matcher.OrRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

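@AutoConfiguration
/* loaded from: input_file:org/cattleframework/oauth/authorization/AuthorizeServerAutoConfiguration.class */
/**
 * Auto-configuration for the OAuth2 / OIDC authorization server.
 *
 * <p>Wires the security filter chain for the authorization-server endpoints, the signing key
 * ({@link #jwkSource}), the JWT decoder used by the resource-server side of the same chain, the
 * endpoint layout and the default implementations of the project's own services (each of those
 * is {@code @ConditionalOnMissingBean}, so an application may override it).
 *
 * <p>This listing appears to be decompiled (see the "loaded from" marker above); a few names
 * below are decompiler artifacts and are called out where they occur.
 */
public class AuthorizeServerAutoConfiguration {
    private static final String SLASH = "/";
    /** Modulus size of the RSA signing key that {@link #jwkSource} generates on first start. */
    private static final int RSA_KEY_SIZE = 2048;
    /** Position of the hex-encoded public key in the persisted key-pair array. */
    private static final int PUBLIC_KEY_INDEX = 0;
    /** Position of the hex-encoded private key in the persisted key-pair array. */
    private static final int PRIVATE_KEY_INDEX = 1;

    /**
     * Security filter chain for the authorization-server protocol endpoints.
     *
     * <p>It is ordered first ({@code Integer.MIN_VALUE}) and scoped, via {@code securityMatcher},
     * to the endpoints of the Spring authorization-server configurer plus those of the project's
     * {@link AuthorizeServerConfigurer}; every other request falls through to lower-priority
     * chains. Within this chain every request must be authenticated; browser (HTML) requests that
     * are not are redirected to the login page, while other clients get the default response.
     *
     * @param httpSecurity               the builder for this chain
     * @param commonWebProperties        source of the login page URI, host URL and CSRF settings
     * @param authorizeServerLogService  receives a record of successful authorization responses
     * @param sessionRepository          backing store for the {@link SessionCheckFilter}
     * @param authorizeServerSettings    supplies the OIDC back-channel logout endpoint path
     * @return the built filter chain
     * @throws Exception propagated from {@link HttpSecurity#build()}
     */
    @Bean
    @Order(Integer.MIN_VALUE)
    public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity httpSecurity, CommonWebProperties commonWebProperties, AuthorizeServerLogService authorizeServerLogService, SessionRepository sessionRepository, AuthorizeServerSettings authorizeServerSettings) throws Exception {
        OAuth2AuthorizationServerConfigurer authorizationServer = OAuth2AuthorizationServerConfigurer.authorizationServer();
        AuthorizeServerConfigurer authorizeServerConfigurer = new AuthorizeServerConfigurer();
        // Both configurers expose their own endpoint matcher; this chain owns exactly their union.
        RequestMatcher endpointsMatcher = new OrRequestMatcher(authorizationServer.getEndpointsMatcher(), authorizeServerConfigurer.getEndpointsMatcher());
        httpSecurity
            .securityMatcher(endpointsMatcher)
            .authorizeHttpRequests(registry -> registry.anyRequest().authenticated())
            .with(authorizationServer, configurer -> configurer
                .oidc(Customizer.withDefaults())
                // Successful authorization responses are logged through the project's log service.
                .authorizationEndpoint(endpoint -> endpoint.authorizationResponseHandler(new AuthorizationEndpointSuccessHandler(authorizeServerLogService))))
            .with(authorizeServerConfigurer, Customizer.withDefaults())
            // Runs right after the security context is restored, so the session is validated
            // before any authorization decision is made.
            .addFilterAfter(new SessionCheckFilter(sessionRepository), SecurityContextHolderFilter.class)
            // The chain also accepts the server's own JWTs (e.g. for the userinfo endpoint);
            // the decoder comes from #jwtDecoder, i.e. the same JWK set that signs the tokens.
            .oauth2ResourceServer(resourceServer -> resourceServer.jwt(Customizer.withDefaults()))
            // Only HTML-accepting (browser) requests are redirected to the login page.
            .exceptionHandling(exceptionHandling -> exceptionHandling.defaultAuthenticationEntryPointFor(
                new LoginUrlAuthenticationEntryPoint(loginPageUrl(commonWebProperties)),
                new MediaTypeRequestMatcher(MediaType.TEXT_HTML)))
            .csrf(csrf -> csrf
                .csrfTokenRepository(WebUtils.getCsrfTokenRepository(commonWebProperties.getCsrf()))
                // Presumably the OIDC back-channel logout endpoint, which is called
                // server-to-server and therefore cannot carry a CSRF token. Keep this list
                // limited to endpoints that authenticate the caller by other means.
                .ignoringRequestMatchers(AntPathRequestMatcher.antMatcher(authorizeServerSettings.getOidcLogoutBackendEndpoint())))
            .headers(headers -> headers
                // Pages may be framed by the same origin only (e.g. login / consent pages).
                .frameOptions(frameOptions -> frameOptions.sameOrigin())
                // Legacy X-XSS-Protection header, kept as in the original configuration;
                // current guidance leans toward disabling it, so this is worth revisiting.
                .xssProtection(xss -> xss.headerValue(XXssProtectionHeaderWriter.HeaderValue.ENABLED_MODE_BLOCK))
                // X-Content-Type-Options: nosniff
                .contentTypeOptions(Customizer.withDefaults()));
        return httpSecurity.build();
    }

    /**
     * Resolves the URL the browser is redirected to when authentication is required.
     *
     * <p>When a host URL is configured the login page URI is appended to it (one trailing slash
     * on the host URL is removed first); otherwise the relative login page URI is used. The base
     * URL deliberately comes from configuration rather than from the request's Host header, so
     * a forged Host header cannot turn the login redirect into an open redirect.
     *
     * @param commonWebProperties source of {@code hostUrl} and {@code loginPageUri}
     * @return an absolute or relative login page URL
     */
    private static String loginPageUrl(CommonWebProperties commonWebProperties) {
        String loginPageUri = commonWebProperties.getLoginPageUri();
        String hostUrl = commonWebProperties.getHostUrl();
        if (StringUtils.isBlank(hostUrl)) {
            return loginPageUri;
        }
        return StringUtils.removeEnd(hostUrl, SLASH) + loginPageUri;
    }

    /**
     * Default registered-client repository, backed by the transaction and user services.
     *
     * @param transactionService database transaction access
     * @param userService        user lookup used by the repository
     * @return the repository; applications may supply their own bean instead
     */
    @ConditionalOnMissingBean
    @Bean
    public RegisteredClientRepositoryEnhance registeredClientRepository(TransactionService transactionService, UserService userService) {
        return new RegisteredClientRepositoryEnhanceImpl(transactionService, userService);
    }

    /**
     * JWK source holding the server's RSA signing key.
     *
     * <p>The key pair is generated once and persisted through the {@link ConfigService} under
     * {@code AuthorizeServerConstants.CONFIG_JWK_KEY} as two hex strings (public then private key,
     * DER as returned by {@code getEncoded()}), so it survives restarts and is shared by every
     * instance reading the same config store. The private key is therefore stored at rest in that
     * store and the store must be protected accordingly.
     *
     * <p>The key id ({@code kid}) is derived deterministically from the public key instead of a
     * fresh random UUID per process: the decoder built in {@link #jwtDecoder} selects the
     * verification key by the {@code kid} in the JWS header, so a random id would invalidate every
     * token minted before a restart or by another instance of the same server. The name-based UUID
     * is only an identifier, not a security function.
     *
     * @param configService persistence for the key material
     * @return a JWK source serving the single RSA key
     * @throws IllegalStateException if the persisted entry is not a two-element array
     * @throws RuntimeException (via {@link ExceptionWrapUtils#wrap}) if the stored hex is malformed
     */
    @DependsOn({"structureService"})  // presumably creates the tables the config service writes to — confirm
    @Bean
    public JWKSource<SecurityContext> jwkSource(ConfigService configService) {
        String[] keyPairHex = (String[]) configService.getOrSaveConfig(AuthorizeServerConstants.CONFIG_JWK_KEY, () -> {
            KeyPair keyPair = RsaUtils.generateCryptoKey(RSA_KEY_SIZE);
            return new String[]{Hex.encodeHexString(keyPair.getPublic().getEncoded()), Hex.encodeHexString(keyPair.getPrivate().getEncoded())};
        });
        if (keyPairHex == null || keyPairHex.length != 2) {
            throw new IllegalStateException("Persisted JWK config '" + AuthorizeServerConstants.CONFIG_JWK_KEY + "' must hold exactly two hex-encoded keys");
        }
        try {
            byte[] publicKeyBytes = Hex.decodeHex(keyPairHex[PUBLIC_KEY_INDEX]);
            byte[] privateKeyBytes = Hex.decodeHex(keyPairHex[PRIVATE_KEY_INDEX]);
            String keyId = UUID.nameUUIDFromBytes(publicKeyBytes).toString();
            RSAKey rsaKey = new RSAKey.Builder(RsaUtils.getPublicKey(publicKeyBytes))
                .privateKey(RsaUtils.getPrivateKey(privateKeyBytes))
                .keyID(keyId)
                .build();
            JWKSet jwkSet = new JWKSet(rsaKey);
            return (selector, context) -> selector.select(jwkSet);
        } catch (DecoderException e) {
            throw ExceptionWrapUtils.wrap(e);
        }
    }

    /**
     * JWT decoder backed by the same JWK set that signs the server's tokens.
     *
     * @param jWKSource the source from {@link #jwkSource}
     * @return the decoder used by the resource-server part of the filter chain
     */
    @Bean
    public JwtDecoder jwtDecoder(JWKSource<SecurityContext> jWKSource) {
        return OAuth2AuthorizationServerConfiguration.jwtDecoder(jWKSource);
    }

    /**
     * Endpoint layout of the authorization server.
     *
     * <p>No issuer is configured here and multiple issuers are disallowed, so the issuer is
     * resolved by the framework at request time; behind a reverse proxy the forwarded scheme/host
     * must be honoured for it to match what clients expect — TODO confirm for this deployment.
     *
     * @return the settings with every endpoint path set explicitly
     */
    @Bean
    public AuthorizationServerSettings authorizationServerSettings() {
        return AuthorizationServerSettings.builder()
            .multipleIssuersAllowed(false)
            .authorizationEndpoint("/authorize")
            .deviceAuthorizationEndpoint("/device_authorization")
            .deviceVerificationEndpoint("/device_verification")
            .tokenEndpoint("/token")
            .jwkSetEndpoint("/jwks")
            .tokenRevocationEndpoint("/revoke")
            .tokenIntrospectionEndpoint("/introspect")
            .oidcClientRegistrationEndpoint("/connect/register")
            .oidcUserInfoEndpoint("/userinfo")
            .oidcLogoutEndpoint("/connect/logout")
            .build();
    }

    /**
     * Customizer that enriches issued ID tokens with user data.
     *
     * @param userService user lookup for the customizer
     * @return the token customizer
     */
    @Bean
    public OAuth2TokenCustomizer<JwtEncodingContext> idTokenCustomizer(UserService userService) {
        return new IdentityTokenCustomizer(userService);
    }

    /**
     * Default authorization-server log service.
     *
     * @param transactionService database transaction access
     * @return the log service; applications may supply their own bean instead
     */
    @ConditionalOnMissingBean
    @Bean
    public AuthorizeServerLogService authorizeServerLogService(TransactionService transactionService) {
        return new AuthorizeServerLogServiceImpl(transactionService);
    }

    /**
     * Default {@link OAuth2AuthorizationService}, storing authorizations in Redis.
     *
     * @param registeredClientRepositoryEnhance client lookup used when loading authorizations
     * @param redisTemplateUtils                Redis access
     * @return the authorization service; applications may supply their own bean instead
     */
    @ConditionalOnMissingBean
    @Bean
    public OAuth2AuthorizationService auth2AuthorizationService(RegisteredClientRepositoryEnhance registeredClientRepositoryEnhance, RedisTemplateUtils redisTemplateUtils) {
        return new AuthorizationServiceImpl(registeredClientRepositoryEnhance, redisTemplateUtils);
    }

    /**
     * Registers a default {@link AuthorizeServerSettings} bean when the application declares none.
     *
     * @return the post-processor carrying the default bean definition
     */
    @Bean
    public RegisterMissingBeanPostProcessor registerAuthorizeServerMissingBeanPostProcessor() {
        RegisterMissingBeanPostProcessor postProcessor = new RegisterMissingBeanPostProcessor();
        // "m3build" looks like a decompiler-renamed method; presumably "build()" in the original source.
        postProcessor.addBeanDefinition(AuthorizeServerSettings.class, () -> AuthorizeServerSettings.builder().m3build());
        return postProcessor;
    }
}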
