package cn.kduck.security.oauth2.configuration;

import cn.kduck.security.KduckSecurityProperties;
import cn.kduck.security.RoleAccessVoter;
import cn.kduck.security.oauth2.matcher.OAuthRequestMatcher;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.vote.AffirmativeBased;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.endpoint.FrameworkEndpointHandlerMapping;
import org.springframework.security.oauth2.provider.token.DefaultTokenServices;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.JwtTokenStore;

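/**
 * Resource-server half of the OAuth2 setup.
 *
 * <p>Active only when Spring Security OAuth2 is on the classpath and
 * {@code kduck.security.oauth2.resServer.enabled=true}. It registers a bearer-token protected
 * filter chain that claims the configured resource paths (minus a fixed set of excluded paths),
 * permits {@code /oauth/*} and requires authentication for everything else it claims.
 */
@Configuration
@ConditionalOnClass({EnableResourceServer.class})
@EnableResourceServer
@ConditionalOnProperty(prefix = "kduck.security.oauth2.resServer", name = {"enabled"}, havingValue = "true")
/* loaded from: input_file:cn/kduck/security/oauth2/configuration/OAuthResourceServerConfiguration.class */
public class OAuthResourceServerConfiguration extends ResourceServerConfigurerAdapter {

    /** Resource id the access token must carry (checked by the resource-server filter). */
    private static final String RESOURCE_ID = "kduck-oauth2-resource";

    /**
     * Patterns always handed to {@link OAuthRequestMatcher} ahead of the configured resource paths.
     * The leading "!" is interpreted by OAuthRequestMatcher (not visible here); presumably it marks
     * an exclusion so that login, MFA and authorization-server endpoints are left to another chain --
     * verify against that class before relying on it. Kept immutable: nothing in this class adds to it.
     */
    private static final List<String> notAuthPathList = Collections.unmodifiableList(Arrays.asList(
            "!/oauth/**",
            "!/actuator/**",
            "!/login",
            "!/currentUser",
            "!/mfa/validate",
            "!/oauth2/authorization/**",
            "!/login/oauth2/**",
            "!/user_info"));

    @Autowired
    private RoleAccessVoter roleAccessVoter;

    @Autowired
    private KduckSecurityProperties securityProperties;

    @Autowired
    private TokenStore tokenStore;

    @Autowired
    private FrameworkEndpointHandlerMapping endpointHandlerMapping;

    /**
     * Configures the resource-server filter: fixed resource id, stateless token handling, and --
     * when the shared {@link TokenStore} is a {@link JwtTokenStore} -- a {@link DefaultTokenServices}
     * backed by that store so tokens are verified locally instead of via a remote token store.
     *
     * @param resourceServerSecurityConfigurer the configurer supplied by Spring Security OAuth2
     * @throws Exception propagated from the configurer (declared by the overridden method)
     */
    @Override
    public void configure(ResourceServerSecurityConfigurer resourceServerSecurityConfigurer) throws Exception {
        resourceServerSecurityConfigurer.resourceId(RESOURCE_ID).stateless(true);
        if (this.tokenStore instanceof JwtTokenStore) {
            // Only a JWT store is wrapped; for any other store the adapter's default token services apply.
            DefaultTokenServices defaultTokenServices = new DefaultTokenServices();
            defaultTokenServices.setTokenStore(this.tokenStore);
            resourceServerSecurityConfigurer.tokenServices(defaultTokenServices);
        }
    }

    /**
     * Builds the HTTP security rules for the resource-server chain.
     *
     * <p>The chain claims the request patterns in {@link #notAuthPathList} plus the configured
     * resource paths (or the literal {@code "any"} when none are configured), sorted, with
     * {@code /oauth/user_info} always placed first. Within the chain {@code /oauth/*} is open to
     * everyone, every other request must be authenticated, and access decisions are made by
     * {@link AffirmativeBased} over the injected {@link RoleAccessVoter} alone.
     *
     * @param httpSecurity the {@link HttpSecurity} builder for this chain
     * @throws Exception propagated from the {@link HttpSecurity} configurers
     */
    @Override
    public void configure(HttpSecurity httpSecurity) throws Exception {
        List<String> matcherPaths = new ArrayList<String>(notAuthPathList);
        String[] resourcePaths = this.securityProperties.getOauth2().getResServer().getResourcePaths();
        if (resourcePaths == null) {
            // "any" is a marker understood by OAuthRequestMatcher -- presumably match-all; confirm there.
            matcherPaths.add("any");
        } else {
            matcherPaths.addAll(Arrays.asList(resourcePaths));
        }
        // Sorted so the exclusion ("!") patterns and resource paths are handed over in a stable order;
        // "/oauth/user_info" is deliberately kept out of the sort and placed first.
        Collections.sort(matcherPaths);
        matcherPaths.add(0, "/oauth/user_info");
        httpSecurity.requestMatcher(new OAuthRequestMatcher(matcherPaths.toArray(new String[0])));

        // Bearer-token API: CSRF tokens are not applicable. NOTE(review): sessions are still allowed
        // (IF_REQUIRED below), so any session-authenticated request reaching this chain is not CSRF
        // protected -- confirm that is intended.
        httpSecurity.csrf().disable();
        httpSecurity.cors();
        httpSecurity.authorizeRequests()
                // AffirmativeBased grants on the first ACCESS_GRANTED vote; with a single voter that
                // abstains, the default (allowIfAllAbstainDecisions=false) denies.
                .accessDecisionManager(new AffirmativeBased(Collections.singletonList(this.roleAccessVoter)))
                // Single-segment match: "/oauth/token", "/oauth/authorize", ... but not "/oauth/a/b".
                .antMatchers("/oauth/*").permitAll()
                .anyRequest().authenticated();
        // NOTE(review): stateless(true) above normally implies SessionCreationPolicy.STATELESS; this
        // override re-enables session creation on demand -- keep only if the login flows need it.
        httpSecurity.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED);
    }
}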
