package com.google.cloud.spring.autoconfigure.security;

import com.google.cloud.spring.autoconfigure.core.GcpContextAutoConfiguration;
import com.google.cloud.spring.autoconfigure.core.environment.ConditionalOnGcpEnvironment;
import com.google.cloud.spring.core.GcpEnvironment;
import com.google.cloud.spring.core.GcpProjectIdProvider;
import com.google.cloud.spring.security.iap.AppEngineAudienceProvider;
import com.google.cloud.spring.security.iap.AudienceProvider;
import com.google.cloud.spring.security.iap.AudienceValidator;
import java.util.ArrayList;
import java.util.Objects;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.boot.autoconfigure.AutoConfiguration;
import org.springframework.boot.autoconfigure.AutoConfigureAfter;
import org.springframework.boot.autoconfigure.AutoConfigureBefore;
import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.boot.autoconfigure.security.oauth2.resource.servlet.OAuth2ResourceServerAutoConfiguration;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.context.annotation.Bean;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.jose.jws.SignatureAlgorithm;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtIssuerValidator;
import org.springframework.security.oauth2.jwt.JwtTimestampValidator;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.oauth2.server.resource.web.BearerTokenResolver;

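/**
 * Auto-configures JWT validation for requests that reached the application through Google Cloud
 * Identity-Aware Proxy (IAP).
 *
 * <p>Three pieces are wired together: a {@link BearerTokenResolver} that reads the IAP token from
 * the configured request header, an {@link AudienceProvider} that supplies the audience this
 * application expects (either from a property or derived from the App Engine project), and a
 * {@link JwtDecoder} that verifies the token signature against the configured JWK set and then
 * runs the timestamp, issuer and audience validators. Every bean is
 * {@code @ConditionalOnMissingBean}, so an application may replace any individual step.
 *
 * <p>Active by default; set {@code spring.cloud.gcp.security.iap.enabled=false} to opt out. Runs
 * before {@link OAuth2ResourceServerAutoConfiguration} so that the decoder defined here is the one
 * the resource server picks up, and after {@link GcpContextAutoConfiguration} so a
 * {@link GcpProjectIdProvider} is available.
 */
@AutoConfigureBefore({OAuth2ResourceServerAutoConfiguration.class})
@EnableConfigurationProperties({IapAuthenticationProperties.class})
@AutoConfiguration
@ConditionalOnClass({AudienceValidator.class})
@AutoConfigureAfter({GcpContextAutoConfiguration.class})
@ConditionalOnProperty(value = {"spring.cloud.gcp.security.iap.enabled"}, matchIfMissing = true)
public class IapAuthenticationAutoConfiguration {
    private static final Log LOGGER = LogFactory.getLog(IapAuthenticationAutoConfiguration.class);

    /**
     * Locates the IAP JWT in the request header named by
     * {@link IapAuthenticationProperties#getHeader()}.
     *
     * <p>This only extracts the raw header value; no validation happens here. Signature, issuer,
     * audience and timestamp checks are performed by the decoder returned from
     * {@link #iapJwtDecoder}. The bean keeps its historical name ("iat") so existing overrides by
     * name continue to match.
     *
     * @param iapAuthenticationProperties IAP settings, supplying the header name
     * @return a resolver yielding the header value, or {@code null} when the header is absent
     */
    @ConditionalOnMissingBean
    @Bean
    public BearerTokenResolver iatTokenResolver(IapAuthenticationProperties iapAuthenticationProperties) {
        return httpServletRequest -> httpServletRequest.getHeader(iapAuthenticationProperties.getHeader());
    }

    /**
     * Supplies the expected audience from the {@code spring.cloud.gcp.security.iap.audience}
     * property. Only registered when that property is set.
     *
     * @param iapAuthenticationProperties IAP settings, supplying the audience
     * @return a provider that returns the configured audience on each call
     */
    @ConditionalOnMissingBean
    @ConditionalOnProperty({"spring.cloud.gcp.security.iap.audience"})
    @Bean
    public AudienceProvider propertyBasedAudienceProvider(IapAuthenticationProperties iapAuthenticationProperties) {
        Objects.requireNonNull(iapAuthenticationProperties, "iapAuthenticationProperties");
        return iapAuthenticationProperties::getAudience;
    }

    /**
     * Supplies the expected audience for applications running on App Engine (flexible or
     * standard), deriving it from the project id instead of requiring a property.
     *
     * @param gcpProjectIdProvider source of the current GCP project id
     * @return an App Engine audience provider
     */
    @ConditionalOnMissingBean
    @Bean
    @ConditionalOnGcpEnvironment({GcpEnvironment.APP_ENGINE_FLEXIBLE, GcpEnvironment.APP_ENGINE_STANDARD})
    public AudienceProvider appEngineBasedAudienceProvider(GcpProjectIdProvider gcpProjectIdProvider) {
        return new AppEngineAudienceProvider(gcpProjectIdProvider);
    }

    /**
     * Builds the validator that checks the token's audience against the value from
     * {@code audienceProvider}, so that a token issued for a different IAP-protected resource is
     * not accepted by this application.
     *
     * @param audienceProvider source of the expected audience
     * @return the audience validator
     */
    @ConditionalOnMissingBean
    @Bean
    public AudienceValidator audienceValidator(AudienceProvider audienceProvider) {
        return new AudienceValidator(audienceProvider);
    }

    /**
     * Assembles the validator chain applied to every decoded IAP token: timestamp
     * ({@code exp}/{@code nbf}), issuer matching {@link IapAuthenticationProperties#getIssuer()},
     * and audience. Signature verification is not part of this chain; it is done by the decoder
     * before these validators run.
     *
     * <p>The configured audience is logged at INFO so a misconfiguration is visible at startup;
     * the audience is a resource identifier, not a secret.
     *
     * @param iapAuthenticationProperties IAP settings, supplying the expected issuer
     * @param audienceValidator the audience check to include in the chain
     * @return a delegating validator running the three checks
     */
    @ConditionalOnMissingBean(name = {"iapJwtDelegatingValidator"})
    @Bean
    public DelegatingOAuth2TokenValidator<Jwt> iapJwtDelegatingValidator(IapAuthenticationProperties iapAuthenticationProperties, AudienceValidator audienceValidator) {
        if (LOGGER.isInfoEnabled()) {
            LOGGER.info("Audience configured for IAP JWT validation: " + audienceValidator.getAudience());
        }
        // The varargs constructor is @SafeVarargs, so this avoids the raw ArrayList the
        // original built by hand.
        return new DelegatingOAuth2TokenValidator<>(
            new JwtTimestampValidator(),
            new JwtIssuerValidator(iapAuthenticationProperties.getIssuer()),
            audienceValidator);
    }

    /**
     * Builds the decoder that verifies the IAP token signature against the JWK set at
     * {@link IapAuthenticationProperties#getRegistry()} using the configured JWS algorithm, then
     * applies the {@code iapJwtDelegatingValidator} chain.
     *
     * @param iapAuthenticationProperties IAP settings, supplying the JWK set URI and algorithm name
     * @param delegatingOAuth2TokenValidator the validator chain to attach to the decoder
     * @return the configured decoder
     * @throws IllegalArgumentException if the configured algorithm name is not a known JWS algorithm
     */
    @ConditionalOnMissingBean
    @Bean
    public JwtDecoder iapJwtDecoder(IapAuthenticationProperties iapAuthenticationProperties, @Qualifier("iapJwtDelegatingValidator") DelegatingOAuth2TokenValidator<Jwt> delegatingOAuth2TokenValidator) {
        String algorithmName = iapAuthenticationProperties.getAlgorithm();
        SignatureAlgorithm algorithm = SignatureAlgorithm.from(algorithmName);
        if (algorithm == null) {
            // SignatureAlgorithm.from() yields null for an unknown name; fail at startup with a
            // message that names the offending value instead of a bare "cannot be null".
            throw new IllegalArgumentException(
                "Unsupported JWS algorithm configured for IAP JWT validation: " + algorithmName);
        }
        NimbusJwtDecoder decoder = NimbusJwtDecoder.withJwkSetUri(iapAuthenticationProperties.getRegistry())
            .jwsAlgorithm(algorithm)
            .build();
        decoder.setJwtValidator(delegatingOAuth2TokenValidator);
        return decoder;
    }
}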
