package gr.cite.commons.web.oidc.configuration;

import gr.cite.commons.web.oidc.apikey.ApiKeyService;
import gr.cite.commons.web.oidc.configuration.WebSecurityProperties;
import gr.cite.commons.web.oidc.configuration.converter.BaseJwtAuthenticationConverter;
import gr.cite.commons.web.oidc.configuration.filter.ApiKeyFilter;
import gr.cite.commons.web.oidc.configuration.token.BaseOpaqueTokenIntrospector;
import gr.cite.commons.web.oidc.configuration.token.DefaultOpaqueTokenAuthenticationProvider;
import jakarta.servlet.Filter;
import jakarta.servlet.http.HttpServletRequest;
import java.util.Objects;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.context.ApplicationContext;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManagerResolver;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtDecoders;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationProvider;
import org.springframework.security.oauth2.server.resource.authentication.OpaqueTokenAuthenticationProvider;
import org.springframework.security.oauth2.server.resource.introspection.OpaqueTokenIntrospector;

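/**
 * Spring configuration that wires the token authentication used by the resource server.
 *
 * <p>Depending on the configured token type, bearer tokens are authenticated either as JWTs
 * (validated locally with keys discovered from the issuer) or as opaque tokens (validated by
 * calling the identity provider's introspection endpoint). An API-key filter bean is exposed
 * as well.
 */
@EnableConfigurationProperties({WebSecurityProperties.class})
@Configuration
public class CiteAuthnSecurityConfiguration {
    private final WebSecurityProperties webSecurityProperties;

    @Autowired
    private ApplicationContext applicationContext;

    /**
     * Creates the configuration.
     *
     * @param webSecurityProperties bound security properties (IdP, API key and resource-server settings)
     */
    @Autowired
    public CiteAuthnSecurityConfiguration(WebSecurityProperties webSecurityProperties) {
        this.webSecurityProperties = webSecurityProperties;
    }

    /**
     * Builds the API-key filter from the configured API-key settings and the {@link ApiKeyService}
     * bean found in the application context.
     *
     * @return the filter, registered under the bean name {@code apiKeyFilter}
     */
    @Bean({"apiKeyFilter"})
    public Filter apiKeyFilter() {
        // NOTE(review): Spring Boot auto-registers servlet Filter beans with the container. If this
        // filter is also added to the security filter chain elsewhere, confirm it is not meant to
        // run twice or outside the chain's request matchers.
        ApiKeyService apiKeyService = this.applicationContext.getBean(ApiKeyService.class);
        return new ApiKeyFilter(this.webSecurityProperties.getIdp().getApiKey(), apiKeyService);
    }

    /**
     * Selects the authentication provider that matches the configured token type and exposes it
     * as a resolver that returns the same provider for every request.
     *
     * @return resolver registered under the bean name {@code tokenAuthenticationResolver}
     * @throws IllegalArgumentException if the token type is missing or is neither jwt nor opaque
     * @throws UnsupportedOperationException if the resolved token type has no provider here
     */
    @Bean({"tokenAuthenticationResolver"})
    public AuthenticationManagerResolver<HttpServletRequest> tokenAuthenticationManagerResolver() {
        TokenType tokenType = resolveTokenType();
        // Declared as the common AuthenticationProvider interface: the opaque-token factory does
        // not return a JwtAuthenticationProvider, so the narrower type cannot hold both branches.
        final AuthenticationProvider provider;
        switch (tokenType) {
            case JWT:
                provider = jwtAuthenticationProvider();
                break;
            case OPAQUE:
                provider = opaqueTokenAuthenticationProvider();
                break;
            default:
                throw new UnsupportedOperationException("Token type [" + tokenType + "] not supported");
        }
        return request -> provider::authenticate;
    }

    /**
     * Maps the configured token type string (case-insensitive) to a {@link TokenType}.
     *
     * <p>Fails closed: a missing or unrecognised value aborts start-up instead of falling back to
     * a default validation mode.
     *
     * @return {@code JWT} or {@code OPAQUE}
     * @throws IllegalArgumentException if the value is {@code null} or anything else
     */
    private TokenType resolveTokenType() {
        String configuredType = this.webSecurityProperties.getIdp().getResource().getTokenType();
        if ("jwt".equalsIgnoreCase(configuredType)) {
            return TokenType.JWT;
        }
        if ("opaque".equalsIgnoreCase(configuredType)) {
            return TokenType.OPAQUE;
        }
        throw new IllegalArgumentException("jwt or opaque configuration must be defined");
    }

    /**
     * Creates a JWT authentication provider that uses {@link #jwtDecoder()} for validation and
     * {@link #jwtAuthenticationConverter()} to build the authenticated principal.
     *
     * @return a new provider instance on every call
     */
    public JwtAuthenticationProvider jwtAuthenticationProvider() {
        JwtAuthenticationProvider provider = new JwtAuthenticationProvider(jwtDecoder());
        provider.setJwtAuthenticationConverter(jwtAuthenticationConverter());
        return provider;
    }

    /**
     * Creates the converter from a validated JWT to an authentication, driven by the configured
     * claims settings.
     *
     * @return a new converter instance
     */
    public BaseJwtAuthenticationConverter jwtAuthenticationConverter() {
        return new BaseJwtAuthenticationConverter(this.webSecurityProperties.getIdp().getResource().getJwt().getClaims());
    }

    /**
     * Creates a JWT decoder from the configured OIDC issuer URI.
     *
     * <p>{@link JwtDecoders#fromOidcIssuerLocation(String)} contacts the issuer's discovery
     * endpoint when called, so the identity provider must be reachable at that point. The
     * resulting decoder validates signature, timestamps and the issuer claim.
     *
     * @return a new decoder instance
     */
    public JwtDecoder jwtDecoder() {
        // NOTE(review): no audience (aud) validator is added here. Confirm the converter or another
        // layer rejects tokens that the same issuer minted for a different resource server.
        return JwtDecoders.fromOidcIssuerLocation(this.webSecurityProperties.getIdp().getResource().getJwt().getIssuerUri());
    }

    /**
     * Creates the opaque-token authentication provider, backed by {@link #opaqueTokenIntrospector()}.
     *
     * @return a new provider instance
     */
    public AuthenticationProvider opaqueTokenAuthenticationProvider() {
        return new DefaultOpaqueTokenAuthenticationProvider(new OpaqueTokenAuthenticationProvider(opaqueTokenIntrospector()));
    }

    /**
     * Creates the introspector that validates opaque tokens against the identity provider.
     *
     * <p>The introspection URI, client id and client secret are read from configuration and
     * stripped of surrounding whitespace. All three must be present.
     *
     * @return a new introspector instance
     * @throws IllegalArgumentException if any of the three settings is {@code null}
     */
    public OpaqueTokenIntrospector opaqueTokenIntrospector() {
        String introspectionUri = this.webSecurityProperties.getIdp().getResource().getOpaque().getIntrospectionUri();
        String clientId = this.webSecurityProperties.getIdp().getResource().getOpaque().getClientId();
        String clientSecret = this.webSecurityProperties.getIdp().getResource().getOpaque().getClientSecret();
        // Check before stripping: calling strip() on a missing value would raise a
        // NullPointerException and the intended configuration error would never be reported.
        if (introspectionUri == null || clientId == null || clientSecret == null) {
            throw new IllegalArgumentException("Pomolo introspection-uri, client-id and client-secret must be defined");
        }
        // NOTE(review): blank values still pass through. Consider rejecting an empty client
        // secret or URI here so a misconfiguration fails at start-up rather than at first request.
        // The client secret must never be written to logs or exception messages.
        return new BaseOpaqueTokenIntrospector(introspectionUri.strip(), clientId.strip(), clientSecret.strip());
    }
}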
