package eu.openanalytics.containerproxy.auth.impl.oidc;

import eu.openanalytics.containerproxy.auth.impl.oidc.redis.RedisOAuth2AuthorizedClientService;
import eu.openanalytics.containerproxy.util.EnvironmentUtils;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import javax.inject.Inject;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.env.Environment;
import org.springframework.security.oauth2.client.InMemoryOAuth2AuthorizedClientService;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientService;
import org.springframework.security.oauth2.client.oidc.authentication.OidcIdTokenDecoderFactory;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.client.registration.InMemoryClientRegistrationRepository;
import org.springframework.security.oauth2.client.web.AuthenticatedPrincipalOAuth2AuthorizedClientRepository;
import org.springframework.security.oauth2.client.web.DefaultOAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.client.web.OAuth2AuthorizedClientRepository;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
import org.springframework.security.oauth2.jose.jws.SignatureAlgorithm;
import org.springframework.security.oauth2.jwt.JwtDecoderFactory;

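/**
 * Spring configuration for the OpenID Connect login mode ({@code proxy.authentication=openid}).
 *
 * <p>It wires a single {@link ClientRegistration} (id {@value #REG_ID}) from the
 * {@code proxy.openid.*} properties, the authorized-client storage (in-memory, or Redis when
 * {@code proxy.store-mode} is {@code Redis}), the re-authorize filter, and an ID-token decoder
 * factory that pins the JWS algorithm accepted for ID tokens.
 *
 * <p>The client secret is read from {@code proxy.openid.client-secret}; it is only handed to the
 * registration builder and is never logged here.
 */
@Configuration
@ConditionalOnProperty(name = {"proxy.authentication"}, havingValue = "openid")
/* loaded from: input_file:BOOT-INF/lib/containerproxy-1.2.0.jar:eu/openanalytics/containerproxy/auth/impl/oidc/OpenIDConfiguration.class */
public class OpenIDConfiguration {
    /** Registration id of the single OIDC client; it is also the {registrationId} segment of the redirect URI. */
    public static final String REG_ID = "shinyproxy";
    /** Property naming the JWS algorithm ID tokens must be signed with (see {@link #oidcIdTokenDecoderFactory()}). */
    public static final String PROP_OPENID_JWKS_SIGNATURE_ALGORITHM = "proxy.openid.jwks-signature-algorithm";
    /** Algorithm assumed when {@link #PROP_OPENID_JWKS_SIGNATURE_ALGORITHM} is not set. */
    public static final String PROP_DEFAULT_ALGORITHM = "RS256";
    /** Whether {@code openid} and {@code email} are requested in addition to {@code proxy.openid.scopes} (default {@code true}). */
    public static final String PROP_INCLUDE_DEFAULT_SCOPES = "proxy.openid.include-default-scopes";
    /** Whether the registered redirect URI is forced to the {@code https} scheme instead of following the request (default {@code false}). */
    public static final String PROP_ENFORCE_HTTPS_REDIRECT_URI = "proxy.openid.enforce-https-redirect-uri";

    @Inject
    private Environment environment;

    /**
     * Storage for authorized clients (the tokens obtained for a logged-in user).
     *
     * @return a Redis-backed service when {@code proxy.store-mode} is {@code Redis}, otherwise an
     *         in-memory service tied to {@link #clientRegistrationRepository()}
     */
    @Bean
    public OAuth2AuthorizedClientService oAuth2AuthorizedClientService() {
        String storeMode = this.environment.getProperty("proxy.store-mode", "None");
        if ("Redis".equals(storeMode)) {
            return new RedisOAuth2AuthorizedClientService();
        }
        return new InMemoryOAuth2AuthorizedClientService(clientRegistrationRepository());
    }

    /**
     * Builds the single authorization-code client registration from the {@code proxy.openid.*}
     * properties.
     *
     * <p>Requested scopes are the optional defaults ({@code openid}, {@code email}) plus whatever
     * {@code proxy.openid.scopes} lists; duplicates are collapsed by the set.
     *
     * @return an in-memory repository holding exactly one registration with id {@value #REG_ID}
     */
    @Bean
    public ClientRegistrationRepository clientRegistrationRepository() {
        Set<String> scopes = new HashSet<>();
        if (this.environment.getProperty(PROP_INCLUDE_DEFAULT_SCOPES, Boolean.class, true)) {
            scopes.add("openid");
            scopes.add("email");
        }
        // readList() may return null when the property is absent; treat that as "no extra scopes".
        Optional.ofNullable(EnvironmentUtils.readList(this.environment, "proxy.openid.scopes"))
            .ifPresent(scopes::addAll);

        ClientRegistration registration = ClientRegistration.withRegistrationId(REG_ID)
            .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
            .clientName(REG_ID)
            .redirectUri(getOpenIdRedirectUri())
            .scope(scopes.toArray(new String[0]))
            // Claim used as the principal name; defaults to the e-mail claim.
            .userNameAttributeName(this.environment.getProperty("proxy.openid.username-attribute", "email"))
            .authorizationUri(this.environment.getProperty("proxy.openid.auth-url"))
            .tokenUri(this.environment.getProperty("proxy.openid.token-url"))
            .jwkSetUri(this.environment.getProperty("proxy.openid.jwks-url"))
            .clientId(this.environment.getProperty("proxy.openid.client-id"))
            .clientSecret(this.environment.getProperty("proxy.openid.client-secret"))
            .userInfoUri(this.environment.getProperty("proxy.openid.userinfo-url"))
            // NOTE(review): relies on the Environment's conversion service turning the property string
            // into a ClientAuthenticationMethod; null (property unset) leaves the builder's default.
            .clientAuthenticationMethod(this.environment.getProperty("proxy.openid.client-authentication-method", ClientAuthenticationMethod.class))
            .build();
        return new InMemoryClientRegistrationRepository(Collections.singletonList(registration));
    }

    /**
     * Per-principal view over {@link #oAuth2AuthorizedClientService()}.
     *
     * @return repository that resolves authorized clients by the authenticated principal
     */
    @Bean
    public OAuth2AuthorizedClientRepository oAuth2AuthorizedClientRepository() {
        return new AuthenticatedPrincipalOAuth2AuthorizedClientRepository(oAuth2AuthorizedClientService());
    }

    /**
     * Manager used to obtain (and refresh) authorized clients for the registration above.
     *
     * @return the default manager backed by this configuration's repositories
     */
    @Bean
    public OAuth2AuthorizedClientManager oAuth2AuthorizedClientManager() {
        return new DefaultOAuth2AuthorizedClientManager(clientRegistrationRepository(), oAuth2AuthorizedClientRepository());
    }

    /**
     * Filter that triggers re-authorization with the identity provider; see
     * {@link OpenIdReAuthorizeFilter} for its behaviour.
     *
     * @return a new filter instance
     */
    @Bean
    public OpenIdReAuthorizeFilter openIdReAuthorizeFilter() {
        return new OpenIdReAuthorizeFilter();
    }

    /**
     * Decoder factory for ID tokens that accepts only the JWS algorithm configured via
     * {@link #PROP_OPENID_JWKS_SIGNATURE_ALGORITHM} (default {@value #PROP_DEFAULT_ALGORITHM}).
     *
     * @return the configured {@link OidcIdTokenDecoderFactory}
     * @throws IllegalStateException if the configured algorithm name is not a known
     *         {@link SignatureAlgorithm}
     */
    @Bean
    public JwtDecoderFactory<ClientRegistration> oidcIdTokenDecoderFactory() {
        String configured = this.environment.getProperty(PROP_OPENID_JWKS_SIGNATURE_ALGORITHM, PROP_DEFAULT_ALGORITHM);
        SignatureAlgorithm algorithm = SignatureAlgorithm.from(configured);
        if (algorithm == null) {
            // SignatureAlgorithm.from() returns null for unknown names; a null resolver result would
            // only surface as a NullPointerException on the first ID-token validation, so fail at startup.
            throw new IllegalStateException("Unsupported value '" + configured + "' for property "
                + PROP_OPENID_JWKS_SIGNATURE_ALGORITHM);
        }
        OidcIdTokenDecoderFactory factory = new OidcIdTokenDecoderFactory();
        // Same algorithm for every registration (there is only one): the decoder rejects ID tokens
        // signed with anything else, so the algorithm cannot be chosen by the token itself.
        factory.setJwsAlgorithmResolver(clientRegistration -> algorithm);
        return factory;
    }

    /**
     * Redirect URI template for the authorization-code callback.
     *
     * <p>By default the scheme/host/port come from the incoming request ({@code {baseUrl}}).
     * With {@link #PROP_ENFORCE_HTTPS_REDIRECT_URI} the scheme is fixed to {@code https}, which
     * matters when the application itself receives plain HTTP (e.g. behind a TLS-terminating
     * proxy) but the registered redirect URI at the identity provider is HTTPS.
     *
     * @return the URI template handed to the registration builder
     */
    private String getOpenIdRedirectUri() {
        boolean enforceHttps = this.environment.getProperty(PROP_ENFORCE_HTTPS_REDIRECT_URI, Boolean.class, false);
        if (enforceHttps) {
            return "https://{baseHost}{basePort}{basePath}/login/oauth2/code/{registrationId}";
        }
        return "{baseUrl}/login/oauth2/code/{registrationId}";
    }
}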
