package dev.macula.boot.starter.cloud.gateway.security;

import cn.hutool.core.convert.Convert;
import dev.macula.boot.api.ApiResultCode;
import dev.macula.boot.starter.cloud.gateway.utils.ResponseUtils;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import java.util.stream.Collectors;
import javax.validation.constraints.NotNull;
import org.springframework.boot.autoconfigure.security.oauth2.resource.OAuth2ResourceServerProperties;
import org.springframework.boot.context.properties.ConfigurationProperties;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.data.redis.core.RedisTemplate;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.core.DefaultOAuth2AuthenticatedPrincipal;
import org.springframework.security.oauth2.core.OAuth2AuthenticatedPrincipal;
import org.springframework.security.oauth2.server.resource.introspection.NimbusReactiveOpaqueTokenIntrospector;
import org.springframework.security.oauth2.server.resource.introspection.ReactiveOpaqueTokenIntrospector;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.ServerAuthenticationEntryPoint;
import org.springframework.security.web.server.authorization.ServerAccessDeniedHandler;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.reactive.CorsWebFilter;
import org.springframework.web.cors.reactive.UrlBasedCorsConfigurationSource;
import org.springframework.web.util.pattern.PathPatternParser;
import reactor.core.publisher.Mono;

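@ConfigurationProperties(prefix = "macula.security")
@Configuration
@EnableWebFluxSecurity
/* loaded from: input_file:dev/macula/boot/starter/cloud/gateway/security/ResourceServerConfiguration.class */
/**
 * WebFlux resource-server security for the gateway.
 *
 * <p>Every exchange not matched by a permit-all pattern must carry an opaque bearer token that the
 * configured introspection endpoint accepts; authorization for authenticated exchanges is then delegated
 * to {@link ResourceServerAuthorizationManager}. Authentication and authorization failures are rendered
 * through {@link ResponseUtils} with a {@link ApiResultCode} body instead of the Spring Security defaults.
 *
 * <p>Properties are bound under {@code macula.security.*} via the setters at the bottom of the class.
 */
public class ResourceServerConfiguration {
    /** Patterns that bypass authentication in every deployment, appended to the configured ignore list. */
    private static final List<String> DEFAULT_IGNORE_URLS = Collections.singletonList("/favicon**");

    /** Extra permit-all path patterns, bound from {@code macula.security.ignore-urls}. */
    private List<String> ignoreUrls = new ArrayList<>();

    /** Path patterns handed to the authorization manager, bound from {@code macula.security.only-auth-urls}. */
    private List<String> onlyAuthUrls = Collections.emptyList();

    /**
     * Secret handed to {@link AddJwtFilter}, bound from {@code macula.security.jwt-secret}.
     *
     * <p>The literal below is only a build-time fallback: it is part of the published artifact and therefore
     * known to anyone who can read this starter, so a deployment must always set its own value. How the
     * filter uses the secret is not visible here (presumably to sign the JWT it adds for downstream
     * services).
     */
    String jwtSecret = "macula_secret$terces_alucam$123456";

    /** Spring Boot resource-server settings; only {@code spring.security.oauth2.resourceserver.opaquetoken.*} is read. */
    @NotNull
    private final OAuth2ResourceServerProperties properties;

    /** Redis access for the authorization manager; kept raw because the manager's expected key/value types are not visible here. */
    @NotNull
    private final RedisTemplate redisTemplate;

    /**
     * Builds the security filter chain.
     *
     * <p>Configured ignore patterns plus {@link #DEFAULT_IGNORE_URLS} are permitted without a token; every
     * other exchange is authenticated by opaque-token introspection and authorized by
     * {@link #authorizationManager()}. CSRF is disabled because the gateway is a bearer-token API, not a
     * cookie-session application.
     *
     * @param serverHttpSecurity the builder supplied by Spring Security
     * @return the assembled filter chain
     */
    @Bean
    public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity serverHttpSecurity) {
        // Merge into a fresh list rather than mutating the bound field: in-place addAll would append the
        // defaults again on every call and fail outright if the binder supplied an immutable list.
        List<String> permitAllPatterns = new ArrayList<>();
        if (this.ignoreUrls != null) {
            permitAllPatterns.addAll(this.ignoreUrls);
        }
        permitAllPatterns.addAll(DEFAULT_IGNORE_URLS);

        // The same handlers serve both the resource-server filter and the generic exception-handling spec
        // so a 401/403 looks identical no matter which filter produced it.
        ServerAccessDeniedHandler deniedHandler = accessDeniedHandler();
        ServerAuthenticationEntryPoint entryPoint = authenticationEntryPoint();

        serverHttpSecurity
            .oauth2ResourceServer()
                .opaqueToken().introspector(opaqueTokenIntrospector())
                .and()
                .accessDeniedHandler(deniedHandler)
                .authenticationEntryPoint(entryPoint)
                .and()
            .authorizeExchange()
                .pathMatchers(Convert.toStrArray(permitAllPatterns)).permitAll()
                .anyExchange().access(authorizationManager())
                .and()
            .exceptionHandling()
                .accessDeniedHandler(deniedHandler)
                .authenticationEntryPoint(entryPoint)
                .and()
            .csrf().disable();
        return serverHttpSecurity.build();
    }

    /**
     * Introspects opaque tokens at the configured endpoint and enriches the resulting principal with
     * {@code ROLE_}-prefixed authorities taken from the {@code authorities} attribute of the
     * introspection response.
     *
     * @return the introspector used by {@link #securityWebFilterChain(ServerHttpSecurity)}
     */
    @Bean
    public ReactiveOpaqueTokenIntrospector opaqueTokenIntrospector() {
        OAuth2ResourceServerProperties.Opaquetoken opaqueToken = this.properties.getOpaquetoken();
        // Endpoint and client credentials come from spring.security.oauth2.resourceserver.opaquetoken.*.
        ReactiveOpaqueTokenIntrospector delegate = new NimbusReactiveOpaqueTokenIntrospector(
            opaqueToken.getIntrospectionUri(), opaqueToken.getClientId(), opaqueToken.getClientSecret());

        return new ReactiveOpaqueTokenIntrospector() {
            @Override
            public Mono<OAuth2AuthenticatedPrincipal> introspect(String token) {
                return delegate.introspect(token)
                    .map(principal -> new DefaultOAuth2AuthenticatedPrincipal(
                        principal.getName(), principal.getAttributes(), extractAuthorities(principal)));
            }

            /**
             * Combines the authorities Spring already derived (scopes) with the {@code authorities}
             * attribute of the introspection response, each element prefixed with {@code ROLE_}.
             * The attribute is trusted because it originates from the authorization server, not the client;
             * non-string elements are rendered with {@code String.valueOf}.
             */
            private Collection<GrantedAuthority> extractAuthorities(OAuth2AuthenticatedPrincipal principal) {
                Collection<GrantedAuthority> authorities = new ArrayList<>(principal.getAuthorities());
                List<?> roles = principal.getAttribute("authorities");
                if (roles != null) {
                    roles.stream()
                        .map(role -> new SimpleGrantedAuthority("ROLE_" + role))
                        .forEach(authorities::add);
                }
                return authorities;
            }
        };
    }

    /**
     * Authorization decision for every authenticated exchange; backed by Redis and aware of the
     * {@code only-auth-urls} patterns (their exact semantics live in the manager, not here).
     */
    @Bean
    public ResourceServerAuthorizationManager authorizationManager() {
        return new ResourceServerAuthorizationManager(this.redisTemplate, this.onlyAuthUrls);
    }

    /** Renders an authorization failure as an {@link ApiResultCode#ACCESS_UNAUTHORIZED} body. */
    @Bean
    ServerAccessDeniedHandler accessDeniedHandler() {
        // defer() keeps getResponse() lazy so the body is written only when the Mono is subscribed.
        return (exchange, accessDeniedException) -> Mono.defer(
            () -> ResponseUtils.writeErrorInfo(exchange.getResponse(), ApiResultCode.ACCESS_UNAUTHORIZED));
    }

    /** Renders a missing or rejected token as an {@link ApiResultCode#TOKEN_INVALID_OR_EXPIRED} body. */
    @Bean
    ServerAuthenticationEntryPoint authenticationEntryPoint() {
        return (exchange, authenticationException) -> Mono.defer(
            () -> ResponseUtils.writeErrorInfo(exchange.getResponse(), ApiResultCode.TOKEN_INVALID_OR_EXPIRED));
    }

    /** Filter that attaches a JWT to forwarded requests using {@link #jwtSecret}. */
    @Bean
    AddJwtFilter addJwtFilter() {
        return new AddJwtFilter(this.jwtSecret);
    }

    /**
     * Permits cross-origin requests from any origin, with any method and any header, on every path.
     *
     * <p>Credentials are not allowed, which is what makes the wildcard origin acceptable to
     * {@link CorsConfiguration}; narrowing the origin list to the gateway's real front-ends is the
     * usual hardening step once they are known.
     */
    @Bean
    public CorsWebFilter corsWebFilter() {
        CorsConfiguration corsConfiguration = new CorsConfiguration();
        corsConfiguration.addAllowedMethod(CorsConfiguration.ALL);
        corsConfiguration.addAllowedOrigin(CorsConfiguration.ALL);
        corsConfiguration.addAllowedHeader(CorsConfiguration.ALL);
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource(new PathPatternParser());
        source.registerCorsConfiguration("/**", corsConfiguration);
        return new CorsWebFilter(source);
    }

    /**
     * @param oAuth2ResourceServerProperties Spring Boot resource-server properties (opaque-token section is used)
     * @param redisTemplate Redis access passed through to the authorization manager
     */
    public ResourceServerConfiguration(@NotNull OAuth2ResourceServerProperties oAuth2ResourceServerProperties, @NotNull RedisTemplate redisTemplate) {
        this.properties = oAuth2ResourceServerProperties;
        this.redisTemplate = redisTemplate;
    }

    /** Binder target for {@code macula.security.ignore-urls}; the list is copied, not mutated, when the chain is built. */
    public void setIgnoreUrls(List<String> list) {
        this.ignoreUrls = list;
    }

    /** Binder target for {@code macula.security.only-auth-urls}. */
    public void setOnlyAuthUrls(List<String> list) {
        this.onlyAuthUrls = list;
    }

    /** Binder target for {@code macula.security.jwt-secret}; must be set per deployment (see {@link #jwtSecret}). */
    public void setJwtSecret(String str) {
        this.jwtSecret = str;
    }
}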
