package net.n2oapp.security.admin.auth.server;

import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.KeyUse;
import com.nimbusds.jose.jwk.RSAKey;
import java.nio.charset.StandardCharsets;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.PKCS8EncodedKeySpec;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;
import java.util.Set;
import net.minidev.json.JSONObject;
import net.n2oapp.security.admin.api.service.ClientService;
import net.n2oapp.security.admin.auth.server.logout.OIDCBackChannelLogoutHandler;
import net.n2oapp.security.auth.common.LogoutHandler;
import org.springframework.beans.factory.ObjectProvider;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.autoconfigure.condition.ConditionalOnExpression;
import org.springframework.boot.autoconfigure.security.oauth2.authserver.AuthorizationServerProperties;
import org.springframework.boot.context.properties.ConfigurationProperties;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.io.ClassPathResource;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.jwt.crypto.sign.RsaSigner;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.token.AccessTokenConverter;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;
import org.springframework.security.oauth2.provider.token.store.JwtTokenStore;
import org.springframework.security.oauth2.provider.token.store.KeyStoreKeyFactory;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.servlet.ModelAndView;

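/**
 * Spring Security OAuth2 authorization-server wiring for the admin auth server:
 * endpoint and client security, the JWT token store with its signing
 * {@link KeyPair} (from PEM properties or the bundled JKS), the JWK set published
 * at {@code /oauth/certs}, and the OIDC back-channel logout handler.
 *
 * <p>This file was recovered from a decompiled class, so source-only annotations
 * such as {@code @Override} and the original comments are not available.
 */
@Configuration
@EnableAuthorizationServer
public class OAuthServerConfiguration {

    /**
     * Registers the client-details source, the user-details service and (when the
     * corresponding beans exist) the token store and access-token converter with the
     * authorization server, and applies the access rules from
     * {@link AuthorizationServerProperties}.
     */
    @Configuration
    private static class AuthorizationSecurityConfigurer extends AuthorizationServerConfigurerAdapter {
        // Either of these is null when the application context has no such bean.
        private final TokenStore tokenStore;
        private final AccessTokenConverter tokenConverter;
        private final AuthorizationServerProperties properties;
        private final GatewayService gatewayService;
        private final UserDetailsService userDetailsService;

        /**
         * @param objectProvider                provider of an optional {@link TokenStore}
         * @param objectProvider2               provider of an optional {@link AccessTokenConverter}
         * @param authorizationServerProperties check-token / token-key access rules and realm
         * @param gatewayService                client-details source for registered OAuth2 clients
         * @param userDetailsService            user lookup used by the authorization endpoints
         */
        public AuthorizationSecurityConfigurer(ObjectProvider<TokenStore> objectProvider, ObjectProvider<AccessTokenConverter> objectProvider2, AuthorizationServerProperties authorizationServerProperties, GatewayService gatewayService, UserDetailsService userDetailsService) {
            this.tokenStore = objectProvider.getIfAvailable();
            this.tokenConverter = objectProvider2.getIfAvailable();
            this.properties = authorizationServerProperties;
            this.gatewayService = gatewayService;
            this.userDetailsService = userDetailsService;
        }

        /** Uses {@link GatewayService} as the client-details service. */
        public void configure(ClientDetailsServiceConfigurer clientDetailsServiceConfigurer) throws Exception {
            clientDetailsServiceConfigurer.withClientDetails(this.gatewayService);
        }

        /**
         * Installs the project's redirect resolver and user-details service, plus the
         * token converter and token store when those beans are present.
         */
        public void configure(AuthorizationServerEndpointsConfigurer authorizationServerEndpointsConfigurer) {
            authorizationServerEndpointsConfigurer.redirectResolver(new RedirectResolverImpl());
            authorizationServerEndpointsConfigurer.userDetailsService(this.userDetailsService);
            if (this.tokenConverter != null) {
                authorizationServerEndpointsConfigurer.accessTokenConverter(this.tokenConverter);
            }
            if (this.tokenStore != null) {
                authorizationServerEndpointsConfigurer.tokenStore(this.tokenStore);
            }
        }

        /**
         * Sets the client-secret encoder and, when configured, the
         * {@code /oauth/check_token} and {@code /oauth/token_key} access expressions
         * and the realm.
         *
         * <p>Client secrets are handled as plain text: {@code encode} returns the
         * secret unchanged and {@code matches} compares it verbatim with the stored
         * value. The comparison is constant-time in the secret's content so a stored
         * secret cannot be probed through response timing; only the length is not
         * hidden. Hashing the stored secrets would require migrating the client store.
         */
        public void configure(AuthorizationServerSecurityConfigurer authorizationServerSecurityConfigurer) {
            authorizationServerSecurityConfigurer.passwordEncoder(new PasswordEncoder() {
                // Plain-text "encoding": the client store keeps secrets verbatim.
                public String encode(CharSequence charSequence) {
                    return charSequence.toString();
                }

                // Constant-time comparison; a missing presented or stored secret never matches.
                public boolean matches(CharSequence charSequence, String str) {
                    if (charSequence == null || str == null) {
                        return false;
                    }
                    byte[] presented = charSequence.toString().getBytes(StandardCharsets.UTF_8);
                    byte[] stored = str.getBytes(StandardCharsets.UTF_8);
                    return MessageDigest.isEqual(presented, stored);
                }
            });
            if (this.properties.getCheckTokenAccess() != null) {
                authorizationServerSecurityConfigurer.checkTokenAccess(this.properties.getCheckTokenAccess());
            }
            if (this.properties.getTokenKeyAccess() != null) {
                authorizationServerSecurityConfigurer.tokenKeyAccess(this.properties.getTokenKeyAccess());
            }
            if (this.properties.getRealm() != null) {
                authorizationServerSecurityConfigurer.realm(this.properties.getRealm());
            }
        }
    }

    /**
     * Settings bound from {@code access.auth.keystore.*}: the password of the
     * bundled JKS keystore and the key id ({@code kid}) advertised in tokens and
     * in the JWK set.
     */
    @ConfigurationProperties(prefix = "access.auth.keystore")
    private static class KeystoreProperties {
        // Keystore password; never include it in logs or toString output.
        private String password;
        private String keyId;

        private KeystoreProperties() {
        }

        public String getPassword() {
            return this.password;
        }

        public String getKeyId() {
            return this.keyId;
        }

        public void setPassword(String str) {
            this.password = str;
        }

        public void setKeyId(String str) {
            this.keyId = str;
        }
    }

    /**
     * JWT token infrastructure: the signing key pair (PEM properties or JKS), the
     * token store/enhancer, the JWK set and the controllers that serve the index
     * page and the public keys.
     */
    @EnableConfigurationProperties({KeystoreProperties.class})
    @Configuration
    static class TokenStoreConfiguration {

        // Claim names whose inclusion in the access token is enabled ("roles",
        // "permissions", "systems"); empty by default.
        @Value("${access.token.include-claims:}")
        private Set<String> tokenIncludeClaims;

        // PEM-encoded PKCS#8 private key; null when not configured.
        @Value("${access.jwt.signing-key:#{null}}")
        private String signingKey;

        // PEM-encoded X.509 SubjectPublicKeyInfo public key; null when not configured.
        @Value("${access.jwt.verifier-key:#{null}}")
        private String verifierKey;

        @Autowired
        private KeystoreProperties properties;

        /**
         * Serves {@code /}: already-authenticated OAuth2 users are forwarded to the
         * "already logged in" page, others go to the configured redirect target.
         */
        @Controller
        public static class IndexController {

            // Post-authentication target from configuration, not from the request,
            // so the redirect below cannot be steered by the caller.
            @Value("${access.auth.authenticated-user-redirect-url}")
            String redirectTo;

            /**
             * @return a forward to {@code alreadyLogged.html} for an authenticated
             *         {@link OAuth2Authentication}, a forward to {@code index.html} when the
             *         configured target is {@code "/"}, otherwise a redirect to the target
             */
            @RequestMapping({"/"})
            public ModelAndView index() {
                ModelAndView modelAndView = new ModelAndView();
                SecurityContext context = SecurityContextHolder.getContext();
                boolean oauthAuthenticated = context != null
                        && context.getAuthentication() instanceof OAuth2Authentication;
                if (oauthAuthenticated) {
                    modelAndView.setViewName("forward:alreadyLogged.html");
                } else if ("/".equals(this.redirectTo)) {
                    modelAndView.setViewName("forward:index.html");
                } else {
                    modelAndView.setViewName("redirect:" + this.redirectTo);
                }
                return modelAndView;
            }
        }

        /** Publishes the signing public key(s) as a JWK set at {@code /oauth/certs}. */
        @RestController
        public static class JwkSetRestController {

            @Autowired
            private JWKSet jwkSet;

            /** @return the JWK set as JSON; it holds public key material only (see {@link #jwkSet}). */
            @GetMapping({"/oauth/certs"})
            public JSONObject certs() {
                return this.jwkSet.toJSONObject();
            }
        }

        TokenStoreConfiguration() {
        }

        /** @return a {@link JwtTokenStore} backed by the given converter. */
        @Bean
        public TokenStore tokenStore(JwtAccessTokenConverter jwtAccessTokenConverter) {
            return new JwtTokenStore(jwtAccessTokenConverter);
        }

        /**
         * Builds the signing key pair from PEM keys given in configuration:
         * {@code access.jwt.signing-key} (PKCS#8, {@code BEGIN PRIVATE KEY}) and
         * {@code access.jwt.verifier-key} (X.509, {@code BEGIN PUBLIC KEY}).
         * Active only when both properties are non-empty.
         *
         * @return the RSA key pair
         * @throws NoSuchAlgorithmException if no RSA {@link KeyFactory} is available
         * @throws InvalidKeySpecException  if either key is not valid DER for its PEM type
         * @throws IllegalStateException    if either property is unset despite the bean condition
         * @throws IllegalArgumentException if the PEM body is not valid base64
         */
        @Bean
        @ConditionalOnExpression("!T(org.springframework.util.StringUtils).isEmpty('${access.jwt.signing-key:}') && !T(org.springframework.util.StringUtils).isEmpty('${access.jwt.verifier-key:}')")
        public KeyPair keyPairFromPem() throws NoSuchAlgorithmException, InvalidKeySpecException {
            if (this.signingKey == null || this.verifierKey == null) {
                throw new IllegalStateException(
                        "access.jwt.signing-key and access.jwt.verifier-key must both be set");
            }
            byte[] privateDer = decodePem(this.signingKey, "-----BEGIN PRIVATE KEY-----", "-----END PRIVATE KEY-----");
            byte[] publicDer = decodePem(this.verifierKey, "-----BEGIN PUBLIC KEY-----", "-----END PUBLIC KEY-----");
            KeyFactory keyFactory = KeyFactory.getInstance("RSA");
            RSAPublicKey publicKey = (RSAPublicKey) keyFactory.generatePublic(new X509EncodedKeySpec(publicDer));
            return new KeyPair(publicKey, keyFactory.generatePrivate(new PKCS8EncodedKeySpec(privateDer)));
        }

        /**
         * Removes the given PEM header/footer and all whitespace (CR as well as LF,
         * so Windows line endings decode too) and base64-decodes the body.
         * Only the given armour is recognised; other PEM types (e.g. PKCS#1
         * {@code BEGIN RSA PRIVATE KEY}) are not converted.
         *
         * @param pem    PEM text as read from configuration
         * @param header the expected {@code -----BEGIN ...-----} line
         * @param footer the expected {@code -----END ...-----} line
         * @return the DER bytes
         */
        private static byte[] decodePem(String pem, String header, String footer) {
            String body = pem.strip()
                    .replace(header, "")
                    .replace(footer, "")
                    .replaceAll("\\s", "");
            return Base64.getDecoder().decode(body);
        }

        /**
         * Loads the signing key pair from the classpath keystore
         * {@code keystore/gateway.jks} (alias {@code gateway}) when no PEM keys are
         * configured. The keystore password is also used as the key password.
         *
         * @return the key pair stored under alias {@code gateway}
         * @throws IllegalStateException if {@code access.auth.keystore.password} is unset
         */
        @Bean
        @ConditionalOnExpression("T(org.springframework.util.StringUtils).isEmpty('${access.jwt.signing-key:}') && T(org.springframework.util.StringUtils).isEmpty('${access.jwt.verifier-key:}')")
        public KeyPair keyPairFromJKS() {
            String password = this.properties.getPassword();
            if (password == null) {
                throw new IllegalStateException(
                        "access.auth.keystore.password must be set to open keystore/gateway.jks");
            }
            KeyStoreKeyFactory keyStoreKeyFactory =
                    new KeyStoreKeyFactory(new ClassPathResource("keystore/gateway.jks"), password.toCharArray());
            return keyStoreKeyFactory.getKeyPair("gateway");
        }

        /**
         * Creates the token enhancer that signs access tokens with the given key pair,
         * tags them with the configured {@code kid} and adds the optional
         * {@code roles} / {@code permissions} / {@code systems} claims when enabled.
         *
         * @param keyPair the signing key pair
         * @return the configured enhancer
         */
        @Bean
        public AccessTokenEnhancer accessTokenConverter(KeyPair keyPair) {
            // Tolerate a missing property value: no optional claims are included.
            Set<String> claims = this.tokenIncludeClaims == null ? Set.of() : this.tokenIncludeClaims;
            AccessTokenEnhancer accessTokenEnhancer = new AccessTokenEnhancer();
            accessTokenEnhancer.setKeyPair(keyPair);
            accessTokenEnhancer.setAccessTokenConverter(new GatewayAccessTokenConverter(
                    claims.contains("roles"),
                    claims.contains("permissions"),
                    claims.contains("systems")));
            accessTokenEnhancer.setKid(this.properties.getKeyId());
            return accessTokenEnhancer;
        }

        /**
         * Builds the JWK set exposed at {@code /oauth/certs}: the public half of the
         * signing key, marked for signature use with RS256 and the configured key id.
         * The private key is not included.
         *
         * @param keyPair the signing key pair
         * @return a JWK set containing the public RSA key
         */
        @Bean
        public JWKSet jwkSet(KeyPair keyPair) {
            RSAKey publicJwk = new RSAKey.Builder((RSAPublicKey) keyPair.getPublic())
                    .keyUse(KeyUse.SIGNATURE)
                    .algorithm(JWSAlgorithm.RS256)
                    .keyID(this.properties.getKeyId())
                    .build();
            return new JWKSet(publicJwk);
        }
    }

    /**
     * OIDC back-channel logout handler whose logout tokens are signed with the
     * server's private key.
     *
     * @param keyPair       the signing key pair
     * @param clientService source of registered clients to notify
     * @return the logout handler
     */
    @Bean
    public LogoutHandler logoutHandler(KeyPair keyPair, ClientService clientService) {
        return new OIDCBackChannelLogoutHandler(new RsaSigner((RSAPrivateKey) keyPair.getPrivate()), clientService);
    }
}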
