package org.apache.shenyu.springboot.starter.plugin.oauth2;

import java.util.Arrays;
import java.util.List;
import java.util.concurrent.CopyOnWriteArrayList;
import org.apache.shenyu.plugin.api.ShenyuPlugin;
import org.apache.shenyu.plugin.oauth2.OAuth2Plugin;
import org.apache.shenyu.plugin.oauth2.filter.OAuth2PreFilter;
import org.springframework.beans.factory.ObjectProvider;
import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.boot.autoconfigure.security.reactive.PathRequest;
import org.springframework.context.ApplicationContext;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Conditional;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.authentication.ReactiveAuthenticationManager;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.SecurityWebFiltersOrder;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.core.userdetails.MapReactiveUserDetailsService;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.oauth2.client.ReactiveOAuth2AuthorizedClientService;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.registration.InMemoryReactiveClientRegistrationRepository;
import org.springframework.security.oauth2.client.registration.ReactiveClientRegistrationRepository;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.util.matcher.OrServerWebExchangeMatcher;
import org.springframework.security.web.server.util.matcher.PathPatternParserServerWebExchangeMatcher;
import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatcher;

@Configuration
@ConditionalOnClass({OAuth2Plugin.class})
@EnableWebFluxSecurity
/* loaded from: input_file:org/apache/shenyu/springboot/starter/plugin/oauth2/OAuth2PluginConfiguration.class */
public class OAuth2PluginConfiguration {
    private static final String DEFAULT_CLIENT_REGISTRATION_BEAN = "org.apache.shenyu.springboot.starter.plugin.oauth2.defaultReactiveClientRegistrationRepository";
    private static final List<ServerWebExchangeMatcher> MATCHERS = new CopyOnWriteArrayList();
    private static final OrServerWebExchangeMatcher OR_MATCHER;

    @Bean
    public ShenyuPlugin oAuth2Plugin(ObjectProvider<ReactiveOAuth2AuthorizedClientService> objectProvider) {
        return new OAuth2Plugin((ReactiveOAuth2AuthorizedClientService) objectProvider.getObject());
    }

    @ConditionalOnMissingBean({ReactiveAuthenticationManager.class})
    @Bean
    MapReactiveUserDetailsService userDetailsService() {
        return new MapReactiveUserDetailsService(new UserDetails[]{User.builder().username("shenyu").password("shenyu").roles(new String[]{"USER"}).disabled(true).build()});
    }

    @Bean
    public SecurityWebFilterChain getSecurityWebFilterChain(ServerHttpSecurity serverHttpSecurity, ApplicationContext applicationContext) {
        return Arrays.asList(applicationContext.getBeanNamesForType(ReactiveClientRegistrationRepository.class)).contains(DEFAULT_CLIENT_REGISTRATION_BEAN) ? serverHttpSecurity.csrf().disable().httpBasic().disable().formLogin().disable().authorizeExchange().anyExchange().permitAll().and().build() : serverHttpSecurity.csrf().disable().oauth2Login().and().httpBasic((v0) -> {
            v0.disable();
        }).oauth2Client().and().addFilterAfter(new OAuth2PreFilter(MATCHERS), SecurityWebFiltersOrder.REACTOR_CONTEXT).authorizeExchange(authorizeExchangeSpec -> {
            ((ServerHttpSecurity.AuthorizeExchangeSpec.Access) ((ServerHttpSecurity.AuthorizeExchangeSpec.Access) ((ServerHttpSecurity.AuthorizeExchangeSpec.Access) authorizeExchangeSpec.matchers(new ServerWebExchangeMatcher[]{PathRequest.toStaticResources().atCommonLocations()})).permitAll().pathMatchers(HttpMethod.OPTIONS)).permitAll().matchers(new ServerWebExchangeMatcher[]{OR_MATCHER})).authenticated().anyExchange().permitAll();
        }).build();
    }

    @Conditional({DefaultClientsConfiguredCondition.class})
    @Bean({DEFAULT_CLIENT_REGISTRATION_BEAN})
    public ReactiveClientRegistrationRepository reactiveClientRegistrationRepository() {
        ClientRegistration.Builder withRegistrationId = ClientRegistration.withRegistrationId("shenyu");
        withRegistrationId.authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE);
        withRegistrationId.tokenUri("/");
        withRegistrationId.authorizationUri("/");
        withRegistrationId.redirectUriTemplate("/");
        withRegistrationId.scope(new String[]{"read:user"});
        withRegistrationId.userInfoUri("/");
        withRegistrationId.clientId("shenyu");
        withRegistrationId.clientSecret("shenyu");
        withRegistrationId.redirectUriTemplate("{baseUrl}/login/oauth2/code/{registrationId}");
        return new InMemoryReactiveClientRegistrationRepository(new ClientRegistration[]{withRegistrationId.build()});
    }

    static {
        MATCHERS.add(new PathPatternParserServerWebExchangeMatcher("-"));
        OR_MATCHER = new OrServerWebExchangeMatcher(MATCHERS);
    }
}
