package xyz.raylab.authorizationserver.configuration;

import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.SerializationFeature;
import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.source.JWKSource;
import com.nimbusds.jose.proc.SecurityContext;
import java.time.Duration;
import java.util.Arrays;
import java.util.List;
import java.util.Objects;
import java.util.UUID;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.jdbc.core.RowMapper;
import org.springframework.jdbc.support.lob.DefaultLobHandler;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.jackson2.SecurityJackson2Modules;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.server.authorization.JdbcOAuth2AuthorizationConsentService;
import org.springframework.security.oauth2.server.authorization.JdbcOAuth2AuthorizationService;
import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationConsentService;
import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;
import org.springframework.security.oauth2.server.authorization.client.JdbcRegisteredClientRepository;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository;
import org.springframework.security.oauth2.server.authorization.config.annotation.web.configuration.OAuth2AuthorizationServerConfiguration;
import org.springframework.security.oauth2.server.authorization.config.annotation.web.configurers.OAuth2AuthorizationServerConfigurer;
import org.springframework.security.oauth2.server.authorization.jackson2.OAuth2AuthorizationServerJackson2Module;
import org.springframework.security.oauth2.server.authorization.settings.AuthorizationServerSettings;
import org.springframework.security.oauth2.server.authorization.settings.ClientSettings;
import org.springframework.security.oauth2.server.authorization.settings.TokenSettings;
import org.springframework.security.oauth2.server.authorization.token.JwtEncodingContext;
import org.springframework.security.oauth2.server.authorization.token.OAuth2TokenClaimsContext;
import org.springframework.security.oauth2.server.authorization.token.OAuth2TokenCustomizer;
import org.springframework.security.oauth2.server.authorization.token.OAuth2TokenGenerator;
import org.springframework.security.oauth2.server.authorization.web.authentication.DelegatingAuthenticationConverter;
import org.springframework.security.oauth2.server.authorization.web.authentication.OAuth2AuthorizationCodeAuthenticationConverter;
import org.springframework.security.oauth2.server.authorization.web.authentication.OAuth2ClientCredentialsAuthenticationConverter;
import org.springframework.security.oauth2.server.authorization.web.authentication.OAuth2RefreshTokenAuthenticationConverter;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.util.matcher.RequestMatcher;
import xyz.raylab.authorizationserver.configuration.properties.DefaultClientProperties;
import xyz.raylab.authorizationserver.configuration.properties.SettingsProperties;
import xyz.raylab.authorizationserver.oauth2.authentication.password.OAuth2ResourceOwnerPasswordAuthenticationConverter;
import xyz.raylab.authorizationserver.oauth2.authentication.password.OAuth2ResourceOwnerPasswordAuthenticationProvider;
import xyz.raylab.authorizationserver.oauth2.customizer.jwt.JwtCustomizerHandler;
import xyz.raylab.authorizationserver.oauth2.customizer.jwt.impl.JwtCustomizerImpl;
import xyz.raylab.authorizationserver.oauth2.customizer.token.claims.impl.OAuth2TokenClaimsCustomizerImpl;
import xyz.raylab.authorizationserver.oauth2.jose.JoseKeyGenerator;
import xyz.raylab.authorizationserver.oauth2.service.entity.UserAuthority;
import xyz.raylab.authorizationserver.oauth2.service.entity.UserPrincipal;
import xyz.raylab.authorizationserver.oauth2.service.jackson2.mixin.UserAuthorityMixin;
import xyz.raylab.authorizationserver.oauth2.service.jackson2.mixin.UserPrincipalMixin;

@Configuration(proxyBeanMethods = false)
/* loaded from: input_file:xyz/raylab/authorizationserver/configuration/OAuth2ServerConfig.class */
public class OAuth2ServerConfig {
    private final PasswordEncoder passwordEncoder;
    private final JoseKeyGenerator joseKeyGenerator;
    private final DefaultClientProperties defaultClientProperties;
    private final SettingsProperties settingsProperties;
    private static final String CUSTOM_CONSENT_PAGE_URI = "/oauth2/consent";

    @Autowired
    public OAuth2ServerConfig(PasswordEncoder passwordEncoder, JoseKeyGenerator joseKeyGenerator, DefaultClientProperties defaultClientProperties, SettingsProperties settingsProperties) {
        this.passwordEncoder = passwordEncoder;
        this.joseKeyGenerator = joseKeyGenerator;
        this.defaultClientProperties = defaultClientProperties;
        this.settingsProperties = settingsProperties;
    }

    @Bean
    @Order(Integer.MIN_VALUE)
    public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity httpSecurity) throws Exception {
        OAuth2AuthorizationServerConfigurer oAuth2AuthorizationServerConfigurer = new OAuth2AuthorizationServerConfigurer();
        httpSecurity.apply(oAuth2AuthorizationServerConfigurer.tokenEndpoint(oAuth2TokenEndpointConfigurer -> {
            oAuth2TokenEndpointConfigurer.accessTokenRequestConverter(new DelegatingAuthenticationConverter(Arrays.asList(new OAuth2AuthorizationCodeAuthenticationConverter(), new OAuth2RefreshTokenAuthenticationConverter(), new OAuth2ClientCredentialsAuthenticationConverter(), new OAuth2ResourceOwnerPasswordAuthenticationConverter())));
        }));
        oAuth2AuthorizationServerConfigurer.authorizationEndpoint(oAuth2AuthorizationEndpointConfigurer -> {
            oAuth2AuthorizationEndpointConfigurer.consentPage(CUSTOM_CONSENT_PAGE_URI);
        });
        RequestMatcher endpointsMatcher = oAuth2AuthorizationServerConfigurer.getEndpointsMatcher();
        httpSecurity.requestMatcher(endpointsMatcher).authorizeRequests(expressionInterceptUrlRegistry -> {
            ((ExpressionUrlAuthorizationConfigurer.AuthorizedUrl) expressionInterceptUrlRegistry.anyRequest()).authenticated();
        }).csrf(csrfConfigurer -> {
            csrfConfigurer.ignoringRequestMatchers(new RequestMatcher[]{endpointsMatcher});
        }).apply(oAuth2AuthorizationServerConfigurer);
        httpSecurity.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
        SecurityFilterChain securityFilterChain = (SecurityFilterChain) httpSecurity.formLogin(Customizer.withDefaults()).build();
        addCustomOAuth2ResourceOwnerPasswordAuthenticationProvider(httpSecurity);
        return securityFilterChain;
    }

    @Bean
    public RegisteredClientRepository registeredClientRepository(JdbcTemplate jdbcTemplate) {
        RegisteredClient.Builder clientSecret = RegisteredClient.withId(UUID.randomUUID().toString()).clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC).authorizationGrantType(AuthorizationGrantType.REFRESH_TOKEN).authorizationGrantType(AuthorizationGrantType.PASSWORD).clientSettings(ClientSettings.builder().requireAuthorizationConsent(true).build()).tokenSettings(TokenSettings.builder().accessTokenTimeToLive(Duration.ofHours(this.defaultClientProperties.getAccessTokenTimeToLive().longValue())).refreshTokenTimeToLive(Duration.ofDays(this.defaultClientProperties.getRefreshTokenTimeToLive().longValue())).reuseRefreshTokens(true).build()).clientId(this.defaultClientProperties.getClientId()).clientSecret(this.passwordEncoder.encode(this.defaultClientProperties.getClientSecret()));
        List<String> redirectUris = this.defaultClientProperties.getRedirectUris();
        Objects.requireNonNull(clientSecret);
        redirectUris.forEach(clientSecret::redirectUri);
        if (this.defaultClientProperties.getScopes() != null) {
            List<String> scopes = this.defaultClientProperties.getScopes();
            Objects.requireNonNull(clientSecret);
            scopes.forEach(clientSecret::scope);
        }
        RegisteredClient build = clientSecret.build();
        JdbcRegisteredClientRepository jdbcRegisteredClientRepository = new JdbcRegisteredClientRepository(jdbcTemplate);
        if (jdbcRegisteredClientRepository.findByClientId(this.defaultClientProperties.getClientId()) == null) {
            jdbcRegisteredClientRepository.save(build);
        }
        return jdbcRegisteredClientRepository;
    }

    @Bean
    public OAuth2AuthorizationService authorizationService(JdbcTemplate jdbcTemplate, RegisteredClientRepository registeredClientRepository) {
        JdbcOAuth2AuthorizationService jdbcOAuth2AuthorizationService = new JdbcOAuth2AuthorizationService(jdbcTemplate, registeredClientRepository);
        RowMapper rowMapper = new JdbcOAuth2AuthorizationService.OAuth2AuthorizationRowMapper(registeredClientRepository) { // from class: xyz.raylab.authorizationserver.configuration.OAuth2ServerConfig.1CustomOAuth2AuthorizationRowMapper
            {
                getObjectMapper().configure(SerializationFeature.FAIL_ON_EMPTY_BEANS, false);
                setLobHandler(new DefaultLobHandler());
            }
        };
        ObjectMapper objectMapper = new ObjectMapper();
        objectMapper.registerModules(SecurityJackson2Modules.getModules(JdbcOAuth2AuthorizationService.class.getClassLoader()));
        objectMapper.registerModule(new OAuth2AuthorizationServerJackson2Module());
        objectMapper.addMixIn(UserAuthority.class, UserAuthorityMixin.class);
        objectMapper.addMixIn(UserPrincipal.class, UserPrincipalMixin.class);
        rowMapper.setObjectMapper(objectMapper);
        jdbcOAuth2AuthorizationService.setAuthorizationRowMapper(rowMapper);
        return jdbcOAuth2AuthorizationService;
    }

    @Bean
    public OAuth2AuthorizationConsentService authorizationConsentService(JdbcTemplate jdbcTemplate, RegisteredClientRepository registeredClientRepository) {
        return new JdbcOAuth2AuthorizationConsentService(jdbcTemplate, registeredClientRepository);
    }

    @Bean
    public JWKSource<SecurityContext> jwkSource() {
        JWKSet jWKSet = new JWKSet(this.joseKeyGenerator.generateRsaKey());
        return (jWKSelector, securityContext) -> {
            return jWKSelector.select(jWKSet);
        };
    }

    @Bean
    public JwtDecoder jwtDecoder(JWKSource<SecurityContext> jWKSource) {
        return OAuth2AuthorizationServerConfiguration.jwtDecoder(jWKSource);
    }

    @Bean
    public AuthorizationServerSettings authorizationServerSettings() {
        return AuthorizationServerSettings.builder().issuer(this.settingsProperties.getIssuer()).build();
    }

    @Bean
    public OAuth2TokenCustomizer<JwtEncodingContext> buildJwtCustomizer() {
        JwtCustomizerImpl jwtCustomizerImpl = new JwtCustomizerImpl(JwtCustomizerHandler.getJwtCustomizerHandler());
        Objects.requireNonNull(jwtCustomizerImpl);
        return jwtCustomizerImpl::customizeToken;
    }

    @Bean
    public OAuth2TokenCustomizer<OAuth2TokenClaimsContext> buildOAuth2TokenClaimsCustomizer() {
        OAuth2TokenClaimsCustomizerImpl oAuth2TokenClaimsCustomizerImpl = new OAuth2TokenClaimsCustomizerImpl();
        Objects.requireNonNull(oAuth2TokenClaimsCustomizerImpl);
        return oAuth2TokenClaimsCustomizerImpl::customizeTokenClaims;
    }

    private void addCustomOAuth2ResourceOwnerPasswordAuthenticationProvider(HttpSecurity httpSecurity) {
        httpSecurity.authenticationProvider(new OAuth2ResourceOwnerPasswordAuthenticationProvider((AuthenticationManager) httpSecurity.getSharedObject(AuthenticationManager.class), (OAuth2AuthorizationService) httpSecurity.getSharedObject(OAuth2AuthorizationService.class), (OAuth2TokenGenerator) httpSecurity.getSharedObject(OAuth2TokenGenerator.class)));
    }
}
