package it.geosolutions.geostore.services.rest.security.oauth2.openid_connect;

import it.geosolutions.geostore.services.rest.security.TokenAuthenticationCache;
import it.geosolutions.geostore.services.rest.security.oauth2.GeoStoreOAuthRestTemplate;
import it.geosolutions.geostore.services.rest.security.oauth2.OAuth2Configuration;
import it.geosolutions.geostore.services.rest.security.oauth2.OAuth2GeoStoreSecurityConfiguration;
import it.geosolutions.geostore.services.rest.security.oauth2.openid_connect.bearer.AudienceAccessTokenValidator;
import it.geosolutions.geostore.services.rest.security.oauth2.openid_connect.bearer.MultiTokenValidator;
import it.geosolutions.geostore.services.rest.security.oauth2.openid_connect.bearer.OpenIdTokenValidator;
import it.geosolutions.geostore.services.rest.security.oauth2.openid_connect.bearer.SubjectTokenValidator;
import it.geosolutions.geostore.services.rest.security.oauth2.openid_connect.enancher.ClientSecretRequestEnhancer;
import it.geosolutions.geostore.services.rest.security.oauth2.openid_connect.enancher.PKCERequestEnhancer;
import java.util.Arrays;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Scope;
import org.springframework.context.annotation.ScopedProxyMode;
import org.springframework.security.oauth2.client.resource.OAuth2ProtectedResourceDetails;
import org.springframework.security.oauth2.client.token.AccessTokenProvider;
import org.springframework.security.oauth2.client.token.AccessTokenProviderChain;
import org.springframework.security.oauth2.client.token.DefaultRequestEnhancer;
import org.springframework.security.oauth2.client.token.grant.client.ClientCredentialsAccessTokenProvider;
import org.springframework.security.oauth2.client.token.grant.code.AuthorizationCodeAccessTokenProvider;
import org.springframework.security.oauth2.client.token.grant.code.AuthorizationCodeResourceDetails;
import org.springframework.security.oauth2.client.token.grant.implicit.ImplicitAccessTokenProvider;
import org.springframework.security.oauth2.client.token.grant.password.ResourceOwnerPasswordAccessTokenProvider;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableOAuth2Client;
import org.springframework.security.oauth2.provider.token.store.jwk.JwkTokenStore;

/**
 * Spring configuration wiring the OpenID Connect flavour of GeoStore's OAuth2 login.
 *
 * <p>The generic wiring comes from {@link OAuth2GeoStoreSecurityConfiguration}; this class
 * overrides the pieces that differ for OIDC (resource details, configuration bean, REST template)
 * and registers the OIDC filter, the bearer-token validators, the token services and the
 * authentication cache as beans.
 */
@Configuration("oidcSecConfig")
@EnableOAuth2Client
public class OpenIdConnectSecurityConfiguration extends OAuth2GeoStoreSecurityConfiguration {

    /** Bean name under which {@link #configuration()} is registered. */
    static final String CONF_BEAN_NAME = "oidcOAuth2Config";

    private static final Logger LOGGER =
            LogManager.getLogger(OpenIdConnectSecurityConfiguration.class);

    /**
     * Resource details for the authorization-code grant: the parent's details with the token name
     * fixed to {@code authorization_code}.
     *
     * @return the OIDC resource details
     */
    @Override
    public OAuth2ProtectedResourceDetails resourceDetails() {
        final AuthorizationCodeResourceDetails details = super.resourceDetails();
        details.setTokenName("authorization_code");
        return details;
    }

    /**
     * The OIDC-specific configuration bean (exposed under {@value #CONF_BEAN_NAME}).
     *
     * @return a fresh {@link OpenIdConnectConfiguration}
     */
    @Override
    @Bean(CONF_BEAN_NAME)
    public OAuth2Configuration configuration() {
        return new OpenIdConnectConfiguration();
    }

    /**
     * Request-scoped REST template used for the OIDC token exchange.
     *
     * <p>The authorization-code provider is configured with a request enhancer chosen from the
     * OIDC configuration (see {@link #applyRequestEnhancer}), then chained with the implicit,
     * resource-owner-password and client-credentials providers. When a JWK URI is configured the
     * template's token store is switched to a {@link JwkTokenStore}, so tokens are checked against
     * the keys published at that URI instead of the default store.
     *
     * @return the configured REST template
     */
    @Override
    @Scope(value = "request", proxyMode = ScopedProxyMode.TARGET_CLASS)
    @Bean("oidcOpenIdRestTemplate")
    public GeoStoreOAuthRestTemplate oauth2RestTemplate() {
        final GeoStoreOAuthRestTemplate template = restTemplate();
        setJacksonConverter(template);

        final AuthorizationCodeAccessTokenProvider codeProvider = authorizationAccessTokenProvider();
        final OpenIdConnectConfiguration oidcConf = (OpenIdConnectConfiguration) configuration();
        applyRequestEnhancer(codeProvider, oidcConf);

        template.setAccessTokenProvider(
                new AccessTokenProviderChain(
                        Arrays.asList(
                                codeProvider,
                                new ImplicitAccessTokenProvider(),
                                new ResourceOwnerPasswordAccessTokenProvider(),
                                new ClientCredentialsAccessTokenProvider())));

        final String jwkUri = oidcConf.getJwkURI();
        if (jwkUri != null && !jwkUri.isEmpty()) {
            LOGGER.info("Using JWK for OpenID Connect");
            template.setTokenStore(new JwkTokenStore(jwkUri));
        }
        return template;
    }

    /**
     * Picks the token-request enhancer from the OIDC settings. PKCE wins over the client secret:
     * when {@code usePKCE} is set the secret is not sent even if {@code sendClientSecret} is also
     * true; with neither flag the default enhancer is used.
     *
     * @param provider provider whose request enhancer is set
     * @param conf OIDC settings driving the choice
     */
    private static void applyRequestEnhancer(
            AuthorizationCodeAccessTokenProvider provider, OpenIdConnectConfiguration conf) {
        if (conf.isUsePKCE()) {
            LOGGER.info("Using PKCE for OpenID Connect");
            provider.setTokenRequestEnhancer(new PKCERequestEnhancer(conf));
            return;
        }
        if (conf.isSendClientSecret()) {
            LOGGER.info("Using client secret for OpenID Connect");
            provider.setTokenRequestEnhancer(new ClientSecretRequestEnhancer());
            return;
        }
        LOGGER.info("Using default request enhancer for OpenID Connect");
        provider.setTokenRequestEnhancer(new DefaultRequestEnhancer());
    }

    /**
     * Prototype-scoped authorization-code token provider.
     *
     * <p>NOTE(review): {@code setStateMandatory(false)} means the provider does not insist on the
     * {@code state} parameter coming back on the callback, so the provider-level check that ties
     * the callback to the originating request is relaxed; confirm that {@code state} is validated
     * elsewhere in the login flow before relying on this.
     *
     * @return a new provider instance per injection
     */
    @Scope("prototype")
    @Bean(name = "authorizationAccessTokenProvider")
    public AuthorizationCodeAccessTokenProvider authorizationAccessTokenProvider() {
        final AuthorizationCodeAccessTokenProvider provider = new AuthorizationCodeAccessTokenProvider();
        provider.setStateMandatory(false);
        // Default enhancer; oauth2RestTemplate() replaces it according to the OIDC settings.
        provider.setTokenRequestEnhancer(new DefaultRequestEnhancer());
        return provider;
    }

    /**
     * The OIDC authentication filter, assembled from the other beans declared here.
     *
     * @return the filter
     */
    @Bean
    public OpenIdConnectFilter oidcOpenIdFilter() {
        return new OpenIdConnectFilter(
                oidcTokenServices(),
                oauth2RestTemplate(),
                configuration(),
                oAuth2Cache(),
                openIdConnectBearerTokenValidator());
    }

    /**
     * Bearer-token validator applying the audience check and the subject check in sequence.
     *
     * @return the composite validator
     */
    @Bean
    public OpenIdTokenValidator openIdConnectBearerTokenValidator() {
        return new MultiTokenValidator(
                Arrays.asList(new AudienceAccessTokenValidator(), new SubjectTokenValidator()));
    }

    /**
     * Token services bound to the principal key from the OIDC configuration.
     *
     * @return the token services
     */
    @Bean
    public OpenIdConnectTokenServices oidcTokenServices() {
        return new OpenIdConnectTokenServices(configuration().getPrincipalKey());
    }

    /**
     * Cache of token-to-authentication mappings shared by the filter.
     *
     * @return the cache
     */
    @Bean
    public TokenAuthenticationCache oAuth2Cache() {
        return new TokenAuthenticationCache();
    }
}
