package eu.openanalytics.containerproxy.security;

import java.util.Arrays;
import java.util.Map;
import javax.inject.Inject;
import javax.servlet.http.HttpServletRequest;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.env.Environment;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.authentication.BearerTokenExtractor;
import org.springframework.security.oauth2.provider.token.DefaultAccessTokenConverter;
import org.springframework.security.oauth2.provider.token.DefaultTokenServices;
import org.springframework.security.oauth2.provider.token.DefaultUserAuthenticationConverter;
import org.springframework.security.oauth2.provider.token.ResourceServerTokenServices;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;
import org.springframework.security.oauth2.provider.token.store.jwk.JwkTokenStore;

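/**
 * OAuth2 resource-server configuration for the REST API under {@code /api/**}.
 *
 * <p>Active only when the {@code proxy.oauth2.resource-id} property is present. Access tokens are
 * JWTs whose signing keys are fetched from the JWK set at {@code proxy.oauth2.jwks-url}.
 *
 * <p>Decompiled from {@code BOOT-INF/lib/containerproxy-0.8.1.jar}
 * ({@code eu/openanalytics/containerproxy/security/APISecurityConfig.class}).
 */
@EnableResourceServer
@Configuration
@ConditionalOnProperty(name = {"proxy.oauth2.resource-id"})
public class APISecurityConfig extends ResourceServerConfigurerAdapter {

    private static final String RESOURCE_ID_PROPERTY = "proxy.oauth2.resource-id";
    private static final String JWKS_URL_PROPERTY = "proxy.oauth2.jwks-url";
    private static final String ACCESS_TOKEN_COOKIE = "access_token";
    private static final String SUBJECT_CLAIM = "sub";

    @Inject
    private Environment environment;

    /**
     * Token extractor that falls back to the {@code access_token} cookie when the standard
     * bearer-token lookup of {@link BearerTokenExtractor} finds nothing.
     *
     * <p>NOTE(review): a token carried in a cookie is attached by the browser automatically, so
     * {@code /api/**} needs CSRF protection or a restrictive SameSite policy on that cookie. This
     * class configures neither; confirm where (and whether) it is done.
     */
    private static class CookieTokenExtractor extends BearerTokenExtractor {
        private CookieTokenExtractor() {
        }

        /**
         * Returns the bearer token of the request, or {@code null} when none is present.
         *
         * <p>The decompiler reports this override was originally {@code protected}.
         *
         * @param httpServletRequest the incoming request
         * @return the token found by the superclass, else the first non-empty
         *     {@code access_token} cookie value, else {@code null}
         */
        @Override
        public String extractToken(HttpServletRequest httpServletRequest) {
            String token = super.extractToken(httpServletRequest);
            if (token != null || httpServletRequest.getCookies() == null) {
                return token;
            }
            // findFirst keeps the choice deterministic when the cookie is sent more than once.
            // An empty cookie value is treated as "no token" rather than as an invalid token.
            return Arrays.stream(httpServletRequest.getCookies())
                    .filter(cookie -> ACCESS_TOKEN_COOKIE.equals(cookie.getName()))
                    .map(cookie -> cookie.getValue())
                    .filter(value -> value != null && !value.isEmpty())
                    .findFirst()
                    .orElse(null);
        }
    }

    /**
     * Restricts this filter chain to {@code /api/**} and requires every request on it to be
     * authenticated; HTTP Basic is enabled on the same chain.
     *
     * <p>NOTE(review): which credentials HTTP Basic accepts here is decided outside this class;
     * confirm it is intended to be reachable next to bearer-token authentication.
     *
     * @param httpSecurity the security builder for the resource-server chain
     * @throws Exception if the builder rejects the configuration
     */
    @Override
    public void configure(HttpSecurity httpSecurity) throws Exception {
        httpSecurity
                .antMatcher("/api/**")
                .authorizeRequests()
                .anyRequest().authenticated()
                .and()
                .httpBasic();
    }

    /**
     * Installs the cookie-aware token extractor and sets the resource id from
     * {@code proxy.oauth2.resource-id}.
     *
     * @param resourceServerSecurityConfigurer the resource-server configurer
     * @throws Exception declared by the overridden method
     */
    @Override
    public void configure(ResourceServerSecurityConfigurer resourceServerSecurityConfigurer) throws Exception {
        resourceServerSecurityConfigurer
                .tokenExtractor(new CookieTokenExtractor())
                .resourceId(this.environment.getProperty(RESOURCE_ID_PROPERTY));
    }

    /**
     * Builds the JWT converter that maps token claims to an {@link Authentication}.
     *
     * <p>The user is taken from the claim the default converter reads; when that yields nothing,
     * the {@code sub} claim is used as the principal name.
     *
     * @return the configured converter
     */
    @Bean
    public JwtAccessTokenConverter jwtAccessTokenConverter() {
        DefaultAccessTokenConverter claimsConverter = new DefaultAccessTokenConverter();
        claimsConverter.setUserTokenConverter(new DefaultUserAuthenticationConverter() {
            @Override
            public Authentication extractAuthentication(Map<String, ?> map) {
                Authentication fromDefaultClaims = super.extractAuthentication(map);
                if (fromDefaultClaims != null) {
                    return fromDefaultClaims;
                }
                Object subject = map.get(SUBJECT_CLAIM);
                // String.valueOf(null) is the text "null": without this guard every token that
                // lacks a subject would be authenticated as one shared user named "null".
                // Returning null leaves the token without a user identity instead.
                if (subject == null || String.valueOf(subject).trim().isEmpty()) {
                    return null;
                }
                // No authorities are derived from the token on this path (authorities == null).
                return new UsernamePasswordAuthenticationToken(String.valueOf(subject), "N/A", null);
            }
        });

        JwtAccessTokenConverter jwtConverter = new JwtAccessTokenConverter();
        jwtConverter.setAccessTokenConverter(claimsConverter);
        return jwtConverter;
    }

    /**
     * Creates the JWK-backed token store unless another {@link TokenStore} bean exists.
     *
     * <p>NOTE(review): the URL is used exactly as configured. The keys served there decide which
     * tokens are accepted, so it should be an HTTPS endpoint of the trusted issuer; nothing in
     * this class enforces that.
     *
     * @return a token store reading keys from {@code proxy.oauth2.jwks-url}
     */
    @ConditionalOnMissingBean({TokenStore.class})
    @Bean
    public TokenStore jwkTokenStore() {
        String jwksUrl = this.environment.getProperty(JWKS_URL_PROPERTY);
        return new JwkTokenStore(jwksUrl, jwtAccessTokenConverter());
    }

    /**
     * Creates the token services backed by the given store unless another
     * {@link ResourceServerTokenServices} bean exists.
     *
     * @param tokenStore the store used to read access tokens
     * @return token services bound to {@code tokenStore}
     */
    @ConditionalOnMissingBean({ResourceServerTokenServices.class})
    @Bean
    public DefaultTokenServices jwkTokenServices(TokenStore tokenStore) {
        DefaultTokenServices tokenServices = new DefaultTokenServices();
        tokenServices.setTokenStore(tokenStore);
        return tokenServices;
    }
}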
