package io.dialob.security.aws;

import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.jwk.source.JWKSource;
import com.nimbusds.jose.proc.JWSVerificationKeySelector;
import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jose.util.DefaultResourceRetriever;
import com.nimbusds.jwt.proc.DefaultJWTProcessor;
import com.nimbusds.jwt.proc.JWTProcessor;
import io.dialob.common.Permissions;
import io.dialob.security.aws.elb.ElbJWKSource;
import io.dialob.security.spring.oauth2.Groups2GrantedAuthorisations;
import io.dialob.security.spring.oauth2.StreamingGrantedAuthoritiesMapper;
import io.dialob.security.spring.oauth2.UaaGroups2GroupGrantedAuthoritiesMapper;
import io.dialob.security.spring.oauth2.UsersAndGroupsService;
import io.dialob.security.spring.tenant.GrantedTenantAccessEvaluator;
import io.dialob.security.spring.tenant.MapTenantGroupToTenantGrantedAuthority;
import io.dialob.security.spring.tenant.TenantAccessEvaluator;
import io.dialob.settings.DialobSettings;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.stream.Collectors;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Profile;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;

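/**
 * Security wiring for the {@code aws} profile: maps group membership to
 * granted authorities, decides tenant access, and builds the JWT processor
 * that verifies tokens against the AWS Application Load Balancer (ALB)
 * public-key endpoint.
 */
@Profile({"aws"})
@Configuration(proxyBeanMethods = false)
/* loaded from: input_file:BOOT-INF/lib/dialob-security-aws-2.1.4.jar:io/dialob/security/aws/DialobSecurityAwsAutoConfiguration.class */
public class DialobSecurityAwsAutoConfiguration {

    /** Connect and read timeout, in milliseconds, for fetching ALB signing keys. */
    private static final int ELB_KEY_FETCH_TIMEOUT_MS = 5000;

    /**
     * Builds the authorities mapper chain: configured group permissions, then
     * tenant-group mapping for the configured environment, then (only when a
     * {@link UsersAndGroupsService} bean exists) UAA group mapping.
     *
     * @param dialobSettings source of the group-permission map and tenant environment
     * @param optional       the users-and-groups service, if one is configured
     * @return a mapper that delegates to the assembled chain
     */
    @Bean
    public GrantedAuthoritiesMapper grantedAuthoritiesMapper(DialobSettings dialobSettings, Optional<UsersAndGroupsService> optional) {
        Map<String, Set<String>> groupPermissions = dialobSettings.getSecurity().getGroupPermissions();
        // NOTE(review): assumes StreamingGrantedAuthoritiesMapper accepts a
        // List<GrantedAuthoritiesMapper>; the decompiled original used a raw list — confirm.
        List<GrantedAuthoritiesMapper> mappers = new ArrayList<>();
        // Unknown groups map to no permissions rather than null.
        mappers.add(new Groups2GrantedAuthorisations(
            group -> groupPermissions.getOrDefault(group, Collections.emptySet())));
        mappers.add(new MapTenantGroupToTenantGrantedAuthority(dialobSettings.getTenant().getEnv()));
        optional.ifPresent(service -> mappers.add(new UaaGroups2GroupGrantedAuthoritiesMapper(service)));
        return new StreamingGrantedAuthoritiesMapper(mappers);
    }

    /**
     * Tenant access evaluator that grants access to every tenant only to
     * principals holding the {@link Permissions#ALL_TENANTS} authority.
     *
     * @return the evaluator
     */
    @Bean
    public TenantAccessEvaluator tenantAccessEvaluator() {
        return new GrantedTenantAccessEvaluator() {
            @Override
            protected boolean canAccessAnyTenant(AbstractAuthenticationToken abstractAuthenticationToken) {
                // Compare constant-first: GrantedAuthority.getAuthority() is
                // documented as possibly returning null, which the original
                // authority.equals(...) order would have thrown on.
                return abstractAuthenticationToken.getAuthorities().stream()
                    .anyMatch(authority -> Permissions.ALL_TENANTS.equals(authority.getAuthority()));
            }
        };
    }

    /**
     * JWT processor for ALB-issued tokens. Signatures are verified with the
     * configured set of JWS algorithms against keys fetched from the
     * region-specific ALB public-key endpoint, unless a {@link JWKSource}
     * bean overrides the key source.
     *
     * <p>Only the JWS key selector is configured here. Claims validation is
     * whatever DefaultJWTProcessor installs by default (to my knowledge the
     * time-based exp/nbf checks); no issuer or audience is pinned in this
     * bean — confirm that is acceptable for the deployment.
     *
     * @param dialobSettings source of the allowed algorithms and AWS region
     * @param optional       an explicit key source, if one is configured
     * @param <C>            the security context type
     * @return the configured processor
     */
    @Bean
    public <C extends SecurityContext> JWTProcessor<C> awsElbJwtProcessor(DialobSettings dialobSettings, Optional<JWKSource<C>> optional) {
        // The allowed-algorithm set is an allowlist: tokens signed with any other
        // algorithm are rejected by the key selector.
        Set<JWSAlgorithm> allowedAlgorithms = dialobSettings.getAws().getElb().getAlgorithms().stream()
            .map(JWSAlgorithm::parse)
            .collect(Collectors.toSet());
        // NOTE(review): "{kid}" is presumably replaced by ElbJWKSource with the
        // key id taken from the not-yet-verified token header — confirm it is
        // validated/encoded so it cannot alter the host or path of the fetch.
        JWKSource<C> jwkSource = optional.orElseGet(() -> new ElbJWKSource(
            "https://public-keys.auth.elb." + dialobSettings.getAws().getRegion() + ".amazonaws.com/{kid}",
            new DefaultResourceRetriever(ELB_KEY_FETCH_TIMEOUT_MS, ELB_KEY_FETCH_TIMEOUT_MS)));
        JWSVerificationKeySelector<C> keySelector = new JWSVerificationKeySelector<>(allowedAlgorithms, jwkSource);
        DefaultJWTProcessor<C> processor = new DefaultJWTProcessor<>();
        processor.setJWSKeySelector(keySelector);
        return processor;
    }
}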
