package org.georchestra.gateway.security.oauth2;

import com.nimbusds.jwt.JWTParser;
import java.lang.reflect.Field;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.text.ParseException;
import java.util.Arrays;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Optional;
import java.util.stream.Collectors;
import javax.crypto.spec.SecretKeySpec;
import org.georchestra.gateway.security.ServerHttpSecurityCustomizer;
import org.georchestra.gateway.security.ldap.LdapConfigProperties;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Profile;
import org.springframework.http.client.reactive.ReactorClientHttpConnector;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.oauth2.client.endpoint.OAuth2AuthorizationCodeGrantRequest;
import org.springframework.security.oauth2.client.endpoint.ReactiveOAuth2AccessTokenResponseClient;
import org.springframework.security.oauth2.client.endpoint.WebClientReactiveAuthorizationCodeTokenResponseClient;
import org.springframework.security.oauth2.client.oidc.authentication.OidcIdTokenValidator;
import org.springframework.security.oauth2.client.oidc.userinfo.OidcReactiveOAuth2UserService;
import org.springframework.security.oauth2.client.oidc.web.server.logout.OidcClientInitiatedServerLogoutSuccessHandler;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.registration.InMemoryReactiveClientRegistrationRepository;
import org.springframework.security.oauth2.client.userinfo.DefaultReactiveOAuth2UserService;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.jose.jws.MacAlgorithm;
import org.springframework.security.oauth2.jwt.BadJwtException;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtTimestampValidator;
import org.springframework.security.oauth2.jwt.NimbusReactiveJwtDecoder;
import org.springframework.security.oauth2.jwt.ReactiveJwtDecoderFactory;
import org.springframework.security.web.server.authentication.logout.ServerLogoutSuccessHandler;
import org.springframework.web.reactive.function.client.WebClient;
import reactor.netty.http.client.HttpClient;
import reactor.netty.transport.ProxyProvider;

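/**
 * Wires OAuth 2.0 / OpenID Connect login for the gateway: the
 * {@link ServerHttpSecurityCustomizer} that turns on {@code oauth2Login()}, the
 * provider-initiated logout handler, the ID token decoder factory, the user-info
 * services and the proxy-aware {@link WebClient} they share.
 * <p>
 * Every outbound call to the identity provider made by the beans declared here
 * (token endpoint, JWK set, user info) goes through the {@code oauth2WebClient}
 * bean, so the HTTP proxy settings in {@link OAuth2ProxyConfigProperties} apply
 * uniformly.
 */
@EnableConfigurationProperties({OAuth2ProxyConfigProperties.class, OpenIdConnectCustomClaimsConfigProperties.class, LdapConfigProperties.class, ExtendedOAuth2ClientProperties.class})
@Configuration(proxyBeanMethods = false)
public class OAuth2Configuration {
    private static final Logger log = LoggerFactory.getLogger("org.georchestra.gateway.security.oauth2");

    /**
     * Length to which a client secret is zero-padded before being used as an HMAC
     * key (presumably to satisfy the minimum key length Nimbus enforces per MAC
     * algorithm). See {@link #hmacDecoder} for why the padding does not change the MAC.
     */
    private static final int HMAC_KEY_LENGTH = 64;

    /** Where the browser is sent once logout completes; defaults to {@code /?logout}. */
    @Value("${georchestra.gateway.logoutUrl:/?logout}")
    private String georchestraLogoutUrl;

    /** Enables {@code oauth2Login()} on the gateway's {@link ServerHttpSecurity}. */
    public static final class OAuth2AuthenticationCustomizer implements ServerHttpSecurityCustomizer {
        @Override
        public void customize(ServerHttpSecurity serverHttpSecurity) {
            log.info("Enabling authentication support using an OAuth 2.0 and/or OpenID Connect 1.0 Provider");
            serverHttpSecurity.oauth2Login();
        }
    }

    /**
     * Logout handler that, after the local session is cleared, redirects the browser
     * to the provider's {@code end_session_endpoint} when one is known and then back
     * to {@code georchestra.gateway.logoutUrl}.
     * <p>
     * Registrations whose provider configuration metadata is already populated
     * (typically those built from OIDC discovery) are left untouched. For the others,
     * an {@code end-session-uri} configured in {@link ExtendedOAuth2ClientProperties}
     * is written into the metadata map. {@link ClientRegistration.ProviderDetails}
     * exposes no setter for it, hence the reflective write; a Spring upgrade that
     * renames the field fails fast at startup with an {@link IllegalStateException}.
     *
     * @param inMemoryReactiveClientRegistrationRepository the registered OAuth2/OIDC clients
     * @param extendedOAuth2ClientProperties per-provider extras, notably the end-session URI
     * @return the configured logout success handler
     * @throws IllegalStateException if the metadata field cannot be written
     */
    @Profile({"!test"})
    @Bean
    ServerLogoutSuccessHandler oidcLogoutSuccessHandler(InMemoryReactiveClientRegistrationRepository inMemoryReactiveClientRegistrationRepository, ExtendedOAuth2ClientProperties extendedOAuth2ClientProperties) {
        inMemoryReactiveClientRegistrationRepository.forEach(registration -> {
            ClientRegistration.ProviderDetails providerDetails = registration.getProviderDetails();
            if (!providerDetails.getConfigurationMetadata().isEmpty()) {
                return; // metadata already complete, nothing to inject
            }
            String registrationId = registration.getRegistrationId();
            Object endSessionUri = Optional.ofNullable(extendedOAuth2ClientProperties.getProvider().get(registrationId))
                    .map(provider -> provider.getEndSessionUri())
                    .orElse(null);
            if (endSessionUri == null) {
                return; // no end-session URI configured: plain local logout for this registration
            }
            try {
                Field configurationMetadata = ClientRegistration.ProviderDetails.class.getDeclaredField("configurationMetadata");
                configurationMetadata.setAccessible(true);
                configurationMetadata.set(providerDetails, Collections.singletonMap("end_session_endpoint", endSessionUri));
            } catch (NoSuchFieldException | IllegalAccessException e) {
                throw new IllegalStateException("Unable to set end_session_endpoint on client registration '" + registrationId + "'", e);
            }
        });
        OidcClientInitiatedServerLogoutSuccessHandler handler = new OidcClientInitiatedServerLogoutSuccessHandler(inMemoryReactiveClientRegistrationRepository);
        handler.setPostLogoutRedirectUri("{baseUrl}/login?logout");
        handler.setLogoutSuccessUrl(URI.create(this.georchestraLogoutUrl));
        return handler;
    }

    /** Registers {@link OAuth2AuthenticationCustomizer} so the security chain picks it up. */
    @Bean
    ServerHttpSecurityCustomizer oauth2LoginEnablingCustomizer() {
        return new OAuth2AuthenticationCustomizer();
    }

    /** Maps plain OAuth2 user attributes to a geOrchestra user. */
    @Bean
    OAuth2UserMapper oAuth2GeorchestraUserUserMapper() {
        return new OAuth2UserMapper();
    }

    /**
     * Maps OpenID Connect claims to a geOrchestra user, honouring the custom claim
     * configuration.
     *
     * @param openIdConnectCustomClaimsConfigProperties which non-standard claims to read
     */
    @Bean
    OpenIdConnectUserMapper openIdConnectGeorchestraUserUserMapper(OpenIdConnectCustomClaimsConfigProperties openIdConnectCustomClaimsConfigProperties) {
        return new OpenIdConnectUserMapper(openIdConnectCustomClaimsConfigProperties);
    }

    /**
     * Authorization-code token exchange client bound to the proxy-aware
     * {@code oauth2WebClient}.
     *
     * @param webClient the shared, proxy-aware client
     */
    @Bean
    public ReactiveOAuth2AccessTokenResponseClient<OAuth2AuthorizationCodeGrantRequest> reactiveOAuth2AccessTokenResponseClient(@Qualifier("oauth2WebClient") WebClient webClient) {
        WebClientReactiveAuthorizationCodeTokenResponseClient tokenResponseClient = new WebClientReactiveAuthorizationCodeTokenResponseClient();
        tokenResponseClient.setWebClient(webClient);
        return tokenResponseClient;
    }

    /**
     * Decodes and validates OpenID Connect ID tokens for a given {@link ClientRegistration}.
     * <p>
     * The verifier is chosen per token from its {@code alg} header rather than from a
     * per-registration setting, so providers that sign ID tokens with an HMAC of the
     * client secret work alongside providers that publish a JWK set. Each verifier is
     * pinned to exactly one algorithm: an HMAC token is only ever checked against the
     * registration's client secret, anything else only against the provider's JWK set,
     * and a registration without a client secret rejects HMAC tokens outright rather
     * than verifying them against an empty key.
     * <p>
     * Beyond the signature, the decoder applies the claim validation Spring's default ID
     * token decoder factory uses: {@link JwtTimestampValidator} plus
     * {@link OidcIdTokenValidator} (issuer, audience, expiry and related ID token claims
     * for this registration). Claims whose value is {@code null} are dropped from the
     * resulting {@link Jwt}.
     *
     * @param webClient the proxy-aware client used to fetch the provider's JWK set
     * @return a factory producing one decoder per client registration
     */
    @Bean
    public ReactiveJwtDecoderFactory<ClientRegistration> idTokenDecoderFactory(@Qualifier("oauth2WebClient") WebClient webClient) {
        return clientRegistration -> token -> {
            MacAlgorithm macAlgorithm;
            try {
                // Only the header is inspected here; the signature itself is verified by the decoder below.
                macAlgorithm = MacAlgorithm.from(JWTParser.parse(token).getHeader().getAlgorithm().getName());
            } catch (ParseException e) {
                throw new BadJwtException("An error occurred while attempting to decode the Jwt: " + e.getMessage(), e);
            }
            NimbusReactiveJwtDecoder decoder = macAlgorithm == null
                    ? NimbusReactiveJwtDecoder.withJwkSetUri(clientRegistration.getProviderDetails().getJwkSetUri()).webClient(webClient).build()
                    : hmacDecoder(clientRegistration, macAlgorithm);
            decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(new JwtTimestampValidator(), new OidcIdTokenValidator(clientRegistration)));
            return decoder.decode(token).map(jwt -> new Jwt(jwt.getTokenValue(), jwt.getIssuedAt(), jwt.getExpiresAt(), jwt.getHeaders(), removeNullClaims(jwt.getClaims())));
        };
    }

    /**
     * Builds a decoder that verifies an HMAC-signed ID token against the registration's
     * client secret.
     *
     * @param clientRegistration the registration whose client secret is the HMAC key
     * @param macAlgorithm the HMAC algorithm announced by the token header
     * @return a decoder accepting only {@code macAlgorithm} with that secret
     * @throws BadJwtException if the registration has no client secret, so that a missing
     *                         secret never degrades into verification against an all-zero key
     */
    private static NimbusReactiveJwtDecoder hmacDecoder(ClientRegistration clientRegistration, MacAlgorithm macAlgorithm) {
        String clientSecret = clientRegistration.getClientSecret();
        if (clientSecret == null || clientSecret.trim().isEmpty()) {
            throw new BadJwtException("ID token is signed with " + macAlgorithm.getName() + " but client registration '" + clientRegistration.getRegistrationId() + "' has no client secret to verify it with");
        }
        byte[] key = clientSecret.getBytes(StandardCharsets.UTF_8);
        if (key.length < HMAC_KEY_LENGTH) {
            // HMAC (RFC 2104) zero-pads any key shorter than the hash block size, and the block
            // size of every MacAlgorithm is at least 64 bytes, so explicitly padding a shorter
            // secret to 64 bytes yields exactly the MAC the provider computed with the raw secret.
            key = Arrays.copyOf(key, HMAC_KEY_LENGTH);
        }
        return NimbusReactiveJwtDecoder.withSecretKey(new SecretKeySpec(key, macAlgorithm.getName())).macAlgorithm(macAlgorithm).build();
    }

    /**
     * Returns a copy of {@code claims} without the entries whose value is {@code null},
     * preserving the original iteration order.
     *
     * @param claims the decoded JWT claims
     * @return a new map holding only non-null claims
     */
    private static Map<String, Object> removeNullClaims(Map<String, Object> claims) {
        return claims.entrySet().stream()
                .filter(claim -> claim.getValue() != null)
                .collect(Collectors.toMap(Map.Entry::getKey, Map.Entry::getValue, (first, second) -> first, LinkedHashMap::new));
    }

    /**
     * User-info service for plain OAuth2 providers, bound to the proxy-aware
     * {@code oauth2WebClient}.
     *
     * @param webClient the shared, proxy-aware client
     */
    @Bean
    public DefaultReactiveOAuth2UserService reactiveOAuth2UserService(@Qualifier("oauth2WebClient") WebClient webClient) {
        DefaultReactiveOAuth2UserService userService = new DefaultReactiveOAuth2UserService();
        userService.setWebClient(webClient);
        return userService;
    }

    /**
     * User-info service for OpenID Connect providers, delegating the HTTP call to
     * {@link #reactiveOAuth2UserService} so the same proxy settings apply.
     *
     * @param defaultReactiveOAuth2UserService the OAuth2 user service to delegate to
     */
    @Bean
    public OidcReactiveOAuth2UserService oidcReactiveOAuth2UserService(DefaultReactiveOAuth2UserService defaultReactiveOAuth2UserService) {
        OidcReactiveOAuth2UserService oidcUserService = new OidcReactiveOAuth2UserService();
        oidcUserService.setOauth2UserService(defaultReactiveOAuth2UserService);
        return oidcUserService;
    }

    /**
     * The {@link WebClient} shared by every bean here that talks to the identity provider.
     * <p>
     * With the proxy explicitly enabled, host and port are mandatory and the client is
     * configured with them plus optional credentials. Otherwise the JVM's system proxy
     * properties are honoured when present.
     *
     * @param oAuth2ProxyConfigProperties proxy settings for provider traffic
     * @return a client whose connector applies the chosen proxy configuration
     * @throws IllegalStateException if the proxy is enabled without host or port
     */
    @Bean({"oauth2WebClient"})
    public WebClient oauth2WebClient(OAuth2ProxyConfigProperties oAuth2ProxyConfigProperties) {
        String host = oAuth2ProxyConfigProperties.getHost();
        Integer port = oAuth2ProxyConfigProperties.getPort();
        String username = oAuth2ProxyConfigProperties.getUsername();
        String password = oAuth2ProxyConfigProperties.getPassword();
        HttpClient httpClient;
        if (oAuth2ProxyConfigProperties.isEnabled()) {
            if (host == null || port == null) {
                throw new IllegalStateException("OAuth2 client HTTP proxy is enabled, but host and port not provided");
            }
            // Only host and port are logged; proxy credentials must never reach the log.
            log.info("Oauth2 client will use HTTP proxy {}:{}", host, port);
            httpClient = HttpClient.create().proxy(spec -> spec.type(ProxyProvider.Proxy.HTTP).host(host).port(port.intValue()).username(username).password(ignored -> password));
        } else {
            log.info("Oauth2 client will use HTTP proxy from System properties if provided");
            httpClient = HttpClient.create().proxyWithSystemProperties();
        }
        return WebClient.builder().clientConnector(new ReactorClientHttpConnector(httpClient)).build();
    }
}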
