package io.camunda.tasklist.webapp.security.oauth;

import io.camunda.identity.sdk.IdentityConfiguration;
import io.camunda.tasklist.webapp.security.BaseWebConfigurer;
import io.camunda.tasklist.webapp.security.TasklistProfileService;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Profile;
import org.springframework.core.env.Environment;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.AuthenticationException;
import org.springframework.stereotype.Component;

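/**
 * Adds OAuth2 resource-server (JWT bearer token) support to the Tasklist web security chain.
 *
 * <p>Only active under the identity-auth profile. JWT access is switched on when either the
 * issuer-uri or the jwk-set-uri resource-server property is present; the JWK set endpoint is
 * taken from the explicit property when set, otherwise derived from the Identity issuer backend
 * URL plus {@link #JWKS_PATH}.
 */
@Profile({TasklistProfileService.IDENTITY_AUTH_PROFILE})
@Component
public class IdentityOAuth2WebConfigurer {
    public static final String SPRING_SECURITY_OAUTH_2_RESOURCESERVER_JWT_ISSUER_URI = "spring.security.oauth2.resourceserver.jwt.issuer-uri";
    public static final String SPRING_SECURITY_OAUTH_2_RESOURCESERVER_JWT_JWK_SET_URI = "spring.security.oauth2.resourceserver.jwt.jwk-set-uri";
    public static final String JWKS_PATH = "/protocol/openid-connect/certs";
    private static final Logger LOGGER = LoggerFactory.getLogger(IdentityOAuth2WebConfigurer.class);

    @Autowired
    private Environment env;

    @Autowired
    private IdentityConfiguration identityConfiguration;

    @Autowired
    private IdentityJwt2AuthenticationTokenConverter jwtConverter;

    /**
     * Registers JWT bearer-token authentication on {@code httpSecurity} when a resource-server
     * property is configured; otherwise leaves the builder untouched.
     *
     * @param httpSecurity the security builder to extend
     * @throws Exception propagated from the Spring Security builder
     */
    public void configure(HttpSecurity httpSecurity) throws Exception {
        if (!isJWTEnabled()) {
            return;
        }
        httpSecurity.oauth2ResourceServer(resourceServer ->
            resourceServer
                // failed authentications answer with the shared JSON error body, not the default WWW-Authenticate page
                .authenticationEntryPoint(this::authenticationFailure)
                .jwt(jwt -> jwt
                    .jwtAuthenticationConverter(jwtConverter)
                    .jwkSetUri(getJwkSetUriProperty())));
        LOGGER.info("Enabled OAuth2 JWT access to Tasklist API");
    }

    /**
     * Resolves the JWK set URI used to verify token signatures.
     *
     * <p>The explicit {@code jwk-set-uri} property wins; without it the URI is built from the
     * Identity issuer backend URL and {@link #JWKS_PATH}.
     *
     * @return the JWK set URI to hand to the JWT decoder
     * @throws IllegalStateException if neither the property nor a usable issuer backend URL is
     *     available, so a broken {@code "null/..."} endpoint is never configured silently
     */
    private String getJwkSetUriProperty() {
        final String jwkSetUri;
        if (env.containsProperty(SPRING_SECURITY_OAUTH_2_RESOURCESERVER_JWT_JWK_SET_URI)) {
            jwkSetUri = env.getProperty(SPRING_SECURITY_OAUTH_2_RESOURCESERVER_JWT_JWK_SET_URI);
            LOGGER.info("Using value in SPRING_SECURITY_OAUTH_2_RESOURCESERVER_JWT_JWK_SET_URI for issuer authentication");
        } else {
            final String issuerBackendUrl = identityConfiguration.getIssuerBackendUrl();
            // string concatenation would turn a missing URL into "null/protocol/..."; fail fast instead
            if (issuerBackendUrl == null || issuerBackendUrl.isBlank()) {
                throw new IllegalStateException(
                    "Cannot build JWK set URI: " + SPRING_SECURITY_OAUTH_2_RESOURCESERVER_JWT_JWK_SET_URI
                        + " is not set and the Identity issuer backend URL is empty");
            }
            jwkSetUri = issuerBackendUrl + JWKS_PATH;
            LOGGER.warn("SPRING_SECURITY_OAUTH_2_RESOURCESERVER_JWT_JWK_SET_URI is not present, building issuer authentication uri from issuer backend url.");
        }
        LOGGER.info("Using {} for issuer authentication", jwkSetUri);
        return jwkSetUri;
    }

    /**
     * Entry point invoked when bearer-token authentication fails; writes the shared JSON error
     * response.
     *
     * @param httpServletRequest the rejected request (unused)
     * @param httpServletResponse the response to write the error body to
     * @param authenticationException the failure reported by Spring Security
     * @throws IOException if the response body cannot be written
     */
    private void authenticationFailure(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticationException authenticationException) throws IOException {
        // NOTE(review): the exception message is echoed verbatim to the client; confirm it carries no
        // internal detail (decoder/JWKS fetch errors) that should stay server-side.
        BaseWebConfigurer.sendJSONErrorMessage(httpServletResponse, authenticationException.getMessage());
    }

    /**
     * Whether JWT resource-server support should be enabled.
     *
     * @return {@code true} if the issuer-uri or jwk-set-uri resource-server property is present
     */
    protected boolean isJWTEnabled() {
        return env.containsProperty(SPRING_SECURITY_OAUTH_2_RESOURCESERVER_JWT_ISSUER_URI)
            || env.containsProperty(SPRING_SECURITY_OAUTH_2_RESOURCESERVER_JWT_JWK_SET_URI);
    }
}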
