package dev.macula.boot.starter.security.config;

import dev.macula.boot.api.ApiResultCode;
import dev.macula.boot.starter.security.utils.ResponseUtils;
import java.io.UnsupportedEncodingException;
import java.nio.charset.StandardCharsets;
import java.security.KeyFactory;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.X509EncodedKeySpec;
import java.util.ArrayList;
import java.util.Base64;
import java.util.Collection;
import javax.crypto.spec.SecretKeySpec;
import org.springframework.beans.BeansException;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.boot.autoconfigure.security.oauth2.resource.IssuerUriCondition;
import org.springframework.boot.autoconfigure.security.oauth2.resource.KeyValueCondition;
import org.springframework.boot.autoconfigure.security.oauth2.resource.OAuth2ResourceServerProperties;
import org.springframework.context.ApplicationContext;
import org.springframework.context.ApplicationContextAware;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Conditional;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.convert.converter.Converter;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.oauth2.jose.jws.SignatureAlgorithm;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtDecoders;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.oauth2.jwt.SupplierJwtDecoder;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;
import org.springframework.security.oauth2.server.resource.authentication.JwtGrantedAuthoritiesConverter;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.access.AccessDeniedHandler;

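/**
 * Resource-server security configuration: registers the {@link SecurityFilterChain}, the two
 * error handlers, the JWT-to-authentication converter and exactly one {@link JwtDecoder} chosen
 * from the {@code spring.security.oauth2.resourceserver.jwt.*} properties.
 *
 * <p>Decoder precedence follows the conditions on the factory methods below: JWK Set URI, inline
 * public key, issuer URI, and finally a shared HMAC secret. Only the secret-based decoder is
 * {@code @ConditionalOnMissingBean}; should two of the other conditions match at the same time,
 * the {@code getBean(JwtDecoder.class)} lookup in {@link #filterChain(HttpSecurity)} fails with a
 * non-unique-bean error at startup rather than silently picking one.
 */
@Configuration
public class ResourceServerConfiguration implements ApplicationContextAware {

    /** Minimum HS256 key length in bytes (256 bits, RFC 7518 §3.2). */
    private static final int MIN_HMAC_SECRET_BYTES = 32;

    /**
     * Shared HMAC secret for the HS256 decoder. Deliberately shipped without a default: a fixed,
     * publicly readable fallback secret would let anyone mint tokens that this server accepts.
     * An unset or blank value makes {@link #jwtDecoderBySecret()} fail fast at startup.
     */
    @Value("${spring.security.oauth2.resourceserver.jwt.secret:}")
    String jwtSecret;
    private final OAuth2ResourceServerProperties properties;
    private ApplicationContext applicationContext;

    /**
     * Builds the filter chain: every request must carry a valid bearer JWT, and both
     * authentication and authorization failures are written by the handlers declared below.
     *
     * @param httpSecurity the builder supplied by Spring Security
     * @return the built chain
     * @throws Exception propagated from {@link HttpSecurity#build()}
     */
    @Bean
    public SecurityFilterChain filterChain(HttpSecurity httpSecurity) throws Exception {
        // The single JwtDecoder produced by one of the conditional factory methods in this class.
        JwtDecoder jwtDecoder = this.applicationContext.getBean(JwtDecoder.class);
        httpSecurity.oauth2ResourceServer()
            .jwt()
                .decoder(jwtDecoder)
                .jwtAuthenticationConverter(jwtAuthenticationConverter())
                .and()
            .accessDeniedHandler(accessDeniedHandler())
            .authenticationEntryPoint(authenticationEntryPoint());
        // No anonymous endpoints here; the same handlers are registered on exceptionHandling()
        // so failures outside the resource-server filter get the same response body.
        httpSecurity.authorizeRequests()
                .anyRequest().authenticated()
                .and()
            .exceptionHandling()
                .accessDeniedHandler(accessDeniedHandler())
                .authenticationEntryPoint(authenticationEntryPoint());
        return httpSecurity.build();
    }

    /**
     * Handler for authenticated callers that lack the required authority; writes
     * {@link ApiResultCode#TOKEN_ACCESS_FORBIDDEN} through {@link ResponseUtils}.
     */
    @Bean
    AccessDeniedHandler accessDeniedHandler() {
        return (request, response, accessDeniedException) ->
            ResponseUtils.writeErrorInfo(response, ApiResultCode.TOKEN_ACCESS_FORBIDDEN);
    }

    /**
     * Entry point for requests with a missing, malformed, expired or badly signed token; writes
     * {@link ApiResultCode#TOKEN_INVALID_OR_EXPIRED} through {@link ResponseUtils}.
     */
    @Bean
    AuthenticationEntryPoint authenticationEntryPoint() {
        return (request, response, authenticationException) ->
            ResponseUtils.writeErrorInfo(response, ApiResultCode.TOKEN_INVALID_OR_EXPIRED);
    }

    /**
     * Converts a verified {@link Jwt} into a {@link JwtAuthenticationToken} whose authorities are
     * the union of the standard scope claims (converter defaults, {@code SCOPE_} prefix) and the
     * custom {@code authorities} claim mapped with a {@code ROLE_} prefix.
     *
     * <p>Two separately configured converters are used so that the mapping is identical on every
     * request. The earlier implementation reconfigured a single shared converter inside
     * {@code convert}, which made the first call differ from all later ones (scope authorities
     * disappeared, role authorities were added twice) and was not safe under concurrent requests.
     *
     * @return the converter installed on the resource-server JWT configurer
     */
    @Bean
    public Converter<Jwt, AbstractAuthenticationToken> jwtAuthenticationConverter() {
        JwtGrantedAuthoritiesConverter scopeConverter = new JwtGrantedAuthoritiesConverter();
        JwtGrantedAuthoritiesConverter roleConverter = new JwtGrantedAuthoritiesConverter();
        roleConverter.setAuthoritiesClaimName("authorities");
        roleConverter.setAuthorityPrefix("ROLE_");
        return jwt -> {
            // Copy into a fresh list so neither converter's return value is mutated.
            Collection<GrantedAuthority> authorities = new ArrayList<>(scopeConverter.convert(jwt));
            authorities.addAll(roleConverter.convert(jwt));
            return new JwtAuthenticationToken(jwt, authorities);
        };
    }

    /**
     * Decoder that fetches signing keys from {@code jwk-set-uri}. When {@code issuer-uri} is also
     * set, the default validators are extended with an issuer check; otherwise only the default
     * (timestamp) validation applies and the {@code iss} claim is not checked.
     */
    @ConditionalOnProperty(name = {"spring.security.oauth2.resourceserver.jwt.jwk-set-uri"})
    @Bean
    JwtDecoder jwtDecoderByJwkKeySetUri() {
        OAuth2ResourceServerProperties.Jwt jwt = this.properties.getJwt();
        NimbusJwtDecoder decoder = NimbusJwtDecoder.withJwkSetUri(jwt.getJwkSetUri())
            .jwsAlgorithm(SignatureAlgorithm.from(jwt.getJwsAlgorithm()))
            .build();
        String issuerUri = jwt.getIssuerUri();
        if (issuerUri != null) {
            decoder.setJwtValidator(JwtValidators.createDefaultWithIssuer(issuerUri));
        }
        return decoder;
    }

    /**
     * Decoder for a single RSA public key configured via {@code public-key-location}. The key must
     * be PEM-wrapped SubjectPublicKeyInfo ({@code -----BEGIN PUBLIC KEY-----}); other PEM headers
     * are not stripped by {@link #getKeySpec(String)} and will fail to parse.
     *
     * @throws Exception if the key cannot be read or is not a valid X.509-encoded RSA public key
     */
    @Conditional({KeyValueCondition.class})
    @Bean
    JwtDecoder jwtDecoderByPublicKeyValue() throws Exception {
        OAuth2ResourceServerProperties.Jwt jwt = this.properties.getJwt();
        X509EncodedKeySpec keySpec = new X509EncodedKeySpec(getKeySpec(jwt.readPublicKey()));
        RSAPublicKey publicKey = (RSAPublicKey) KeyFactory.getInstance("RSA").generatePublic(keySpec);
        return NimbusJwtDecoder.withPublicKey(publicKey)
            .signatureAlgorithm(SignatureAlgorithm.from(jwt.getJwsAlgorithm()))
            .build();
    }

    /**
     * Strips the PEM {@code PUBLIC KEY} armour and decodes the base64 body.
     *
     * @param str PEM text; line breaks are tolerated by the MIME decoder
     * @return the DER-encoded key bytes
     */
    private byte[] getKeySpec(String str) {
        String body = str
            .replace("-----BEGIN PUBLIC KEY-----", "")
            .replace("-----END PUBLIC KEY-----", "");
        return Base64.getMimeDecoder().decode(body);
    }

    /**
     * Decoder resolved lazily from the issuer's discovery document, so the authorization server
     * need not be reachable while this context starts.
     */
    @Conditional({IssuerUriCondition.class})
    @Bean
    SupplierJwtDecoder jwtDecoderByIssuerUri() {
        OAuth2ResourceServerProperties.Jwt jwt = this.properties.getJwt();
        return new SupplierJwtDecoder(() -> JwtDecoders.fromIssuerLocation(jwt.getIssuerUri()));
    }

    /**
     * HS256 decoder backed by the shared secret in
     * {@code spring.security.oauth2.resourceserver.jwt.secret}. Used only when no other decoder
     * bean exists. Fails at startup, rather than accepting weak tokens at runtime, when the secret
     * is missing, blank or shorter than {@value #MIN_HMAC_SECRET_BYTES} bytes.
     *
     * @throws IllegalStateException if the secret is absent or too short (the value is never
     *     included in the message)
     * @throws UnsupportedEncodingException never; declared only to keep the original signature
     */
    @ConditionalOnMissingBean({JwtDecoder.class})
    @Conditional({SecretCondition.class})
    @Bean
    JwtDecoder jwtDecoderBySecret() throws UnsupportedEncodingException {
        if (this.jwtSecret == null || this.jwtSecret.trim().isEmpty()) {
            throw new IllegalStateException(
                "spring.security.oauth2.resourceserver.jwt.secret must be set when no other JwtDecoder is configured");
        }
        byte[] keyBytes = this.jwtSecret.getBytes(StandardCharsets.UTF_8);
        if (keyBytes.length < MIN_HMAC_SECRET_BYTES) {
            throw new IllegalStateException(
                "spring.security.oauth2.resourceserver.jwt.secret must be at least "
                    + MIN_HMAC_SECRET_BYTES + " bytes for HS256 but was " + keyBytes.length);
        }
        return NimbusJwtDecoder.withSecretKey(new SecretKeySpec(keyBytes, "HMACSHA256")).build();
    }

    /** Stores the context so {@link #filterChain(HttpSecurity)} can look up the decoder bean. */
    @Override
    public void setApplicationContext(ApplicationContext applicationContext) throws BeansException {
        this.applicationContext = applicationContext;
    }

    /**
     * @param oAuth2ResourceServerProperties the bound {@code spring.security.oauth2.resourceserver}
     *     properties
     */
    public ResourceServerConfiguration(OAuth2ResourceServerProperties oAuth2ResourceServerProperties) {
        this.properties = oAuth2ResourceServerProperties;
    }
}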
