package io.camunda.tasklist.webapp.security.oauth;

import io.camunda.tasklist.property.ClientProperties;
import io.camunda.tasklist.property.TasklistProperties;
import io.camunda.tasklist.util.CollectionUtil;
import io.camunda.tasklist.webapp.security.WebSecurityConfig;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import jakarta.servlet.http.HttpSession;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Profile;
import org.springframework.core.convert.converter.Converter;
import org.springframework.core.env.Environment;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.server.resource.InvalidBearerTokenException;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;
import org.springframework.stereotype.Component;

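/**
 * Enables OAuth2 JWT bearer-token access to the REST API when Spring's resource-server
 * properties ({@value #SPRING_SECURITY_OAUTH_2_RESOURCESERVER_JWT_ISSUER_URI} or
 * {@value #SPRING_SECURITY_OAUTH_2_RESOURCESERVER_JWT_JWK_SET_URI}) are present in the
 * environment.
 *
 * <p>On top of Spring's own decoding and validation of the token, every accepted token must
 * carry the audience and cluster id configured in {@link ClientProperties}; a token that fails
 * that check is rejected with an {@link InvalidBearerTokenException}, and the failure is answered
 * with a JSON error body.
 *
 * <p>Not active under the {@code identity-auth} profile.
 */
@Profile({"!identity-auth"})
@Component
public class OAuth2WebConfigurer {
    public static final String SPRING_SECURITY_OAUTH_2_RESOURCESERVER_JWT_ISSUER_URI = "spring.security.oauth2.resourceserver.jwt.issuer-uri";
    public static final String SPRING_SECURITY_OAUTH_2_RESOURCESERVER_JWT_JWK_SET_URI = "spring.security.oauth2.resourceserver.jwt.jwk-set-uri";
    private static final Logger LOGGER = LoggerFactory.getLogger(OAuth2WebConfigurer.class);

    @Autowired
    private Environment env;

    @Autowired
    private TasklistProperties config;
    private final CustomJwtAuthenticationConverter jwtConverter = new CustomJwtAuthenticationConverter();

    /**
     * Wraps Spring's {@link JwtAuthenticationConverter} and additionally requires the token's
     * {@value #AUDIENCE} claim to contain the configured client audience and its
     * {@value #CLUSTER_ID} claim to equal the configured cluster id.
     *
     * <p>Deliberately a non-static inner class: {@code config} is injected into the enclosing bean
     * after this converter has been constructed, so it is read lazily on every conversion.
     */
    class CustomJwtAuthenticationConverter implements Converter<Jwt, AbstractAuthenticationToken> {
        public static final String AUDIENCE = "aud";
        public static final String CLUSTER_ID = "https://camunda.com/clusterId";
        private final JwtAuthenticationConverter delegate = new JwtAuthenticationConverter();

        CustomJwtAuthenticationConverter() {
        }

        /**
         * Converts a decoded JWT into an authentication token, provided its claims match the
         * configured client.
         *
         * @param jwt the decoded (already signature-checked by Spring) token
         * @return the delegate's authentication token
         * @throws InvalidBearerTokenException if the audience or cluster id claims do not match
         *     the configured client
         */
        @Override
        public AbstractAuthenticationToken convert(Jwt jwt) {
            // Validate the raw claims first so an invalid token is never turned into an
            // Authentication object at all.
            if (!isValid(jwt.getClaims())) {
                throw new InvalidBearerTokenException("JWT payload validation failed");
            }
            return this.delegate.convert(jwt);
        }

        /**
         * Checks the audience and cluster id claims against the configured client.
         *
         * <p>Fails closed: a missing configuration value, a missing or malformed claim, or any
         * runtime error during the check all yield {@code false}.
         *
         * @param claims the JWT claims
         * @return {@code true} only if {@code aud} contains the configured audience and the
         *     cluster id claim equals the configured cluster id
         */
        private boolean isValid(Map<String, Object> claims) {
            try {
                final ClientProperties client = OAuth2WebConfigurer.this.config.getClient();
                final String expectedAudience = client.getAudience();
                final String expectedClusterId = client.getClusterId();
                if (expectedAudience == null || expectedClusterId == null) {
                    // An absent expectation must never match an absent claim.
                    LOGGER.warn("Client audience or clusterId is not configured. Request is not authenticated.");
                    return false;
                }
                // RFC 7519 permits several audiences; the token is acceptable if ours is among them.
                return getAudiences(claims).contains(expectedAudience)
                    && expectedClusterId.equals(getClusterId(claims));
            } catch (RuntimeException e) {
                // Log the cause for operators; the token itself is never part of the message.
                LOGGER.warn("Validation of JWT payload failed. Request is not authenticated.", e);
                return false;
            }
        }

        /**
         * Reads the cluster id claim.
         *
         * @param claims the JWT claims
         * @return the claim value, or {@code null} if it is absent or not a string
         */
        private String getClusterId(Map<String, Object> claims) {
            final Object clusterId = claims.get(CLUSTER_ID);
            return clusterId instanceof String ? (String) clusterId : null;
        }

        /**
         * Reads the {@value #AUDIENCE} claim, which may be a single string or a collection of
         * strings; non-string entries are ignored.
         *
         * @param claims the JWT claims
         * @return the audiences, possibly empty, never {@code null}
         */
        private List<String> getAudiences(Map<String, Object> claims) {
            final Object aud = claims.get(AUDIENCE);
            final List<String> audiences = new ArrayList<>();
            if (aud instanceof String) {
                audiences.add((String) aud);
            } else if (aud instanceof Collection) {
                for (Object entry : (Collection<?>) aud) {
                    if (entry instanceof String) {
                        audiences.add((String) entry);
                    }
                }
            }
            return audiences;
        }
    }

    /**
     * Registers JWT resource-server support on the given chain when {@link #isJWTEnabled()};
     * otherwise leaves the chain untouched.
     *
     * @param httpSecurity the security chain to configure
     * @throws Exception propagated from {@link HttpSecurity}
     */
    public void configure(HttpSecurity httpSecurity) throws Exception {
        if (!isJWTEnabled()) {
            return;
        }
        httpSecurity.oauth2ResourceServer(resourceServer ->
            resourceServer
                .authenticationEntryPoint(this::authenticationFailure)
                .jwt(jwt -> jwt.jwtAuthenticationConverter(this.jwtConverter)));
        LOGGER.info("Enabled OAuth2 JWT access to REST API");
    }

    /**
     * Entry point for rejected bearer tokens: drops an existing HTTP session, if any, and answers
     * with a JSON error body carrying the exception message.
     *
     * @param request the failing request
     * @param response the response to write the JSON error to
     * @param exception why authentication failed
     * @throws IOException if the response cannot be written
     */
    private void authenticationFailure(HttpServletRequest request, HttpServletResponse response, AuthenticationException exception) throws IOException {
        // getSession(false): do not allocate a session for a rejected stateless API call merely
        // to invalidate it again.
        final HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }
        WebSecurityConfig.sendJSONErrorMessage(response, exception.getMessage());
    }

    /**
     * Reports whether Spring's JWT resource-server support is configured.
     *
     * @return {@code true} if an issuer URI or a JWK set URI property is present
     */
    protected boolean isJWTEnabled() {
        return this.env.containsProperty(SPRING_SECURITY_OAUTH_2_RESOURCESERVER_JWT_ISSUER_URI)
            || this.env.containsProperty(SPRING_SECURITY_OAUTH_2_RESOURCESERVER_JWT_JWK_SET_URI);
    }
}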
