package com.liferay.client.extension.util.spring.boot;

import com.nimbusds.jose.JOSEObjectType;
import com.nimbusds.jose.proc.DefaultJOSEObjectTypeVerifier;
import com.nimbusds.jose.proc.JWSAlgorithmFamilyJWSKeySelector;
import com.nimbusds.jwt.proc.DefaultJWTProcessor;
import java.net.URL;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.concurrent.TimeUnit;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.env.Environment;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configurers.AuthorizeHttpRequestsConfigurer;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

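/**
 * Spring Security configuration that turns the application into a stateless
 * OAuth 2 resource server trusting access tokens issued by a Liferay DXP
 * instance.
 *
 * <p>It contributes three beans: the CORS policy, the {@link JwtDecoder} that
 * verifies token signatures against the DXP JWK set and restricts the accepted
 * {@code client_id} values, and the {@link SecurityFilterChain} itself.</p>
 *
 * <p>Only the {@code client_id} claim is checked by the validator configured in
 * this class; no issuer or audience validator is registered here.</p>
 */
@Configuration
@EnableWebSecurity
/* loaded from: input_file:com/liferay/client/extension/util/spring/boot/LiferayOAuth2ResourceServerEnableWebSecurity.class */
public class LiferayOAuth2ResourceServerEnableWebSecurity {
    private static final Log _log = LogFactory.getLog(LiferayOAuth2ResourceServerEnableWebSecurity.class);

    @Autowired
    private Environment _environment;

    // Ant patterns that are served without authentication (see securityFilterChain).
    // Defaults to an empty list when the property is absent.
    @Value("${liferay.oauth.urls.excludes:}")
    private String[] _liferayOauthURLsExcludes;

    // Comma- or newline-separated host names used to build the CORS origin list.
    @Value("${com.liferay.lxc.dxp.domains}")
    private String _lxcDXPDomains;

    // Host that serves the JWK set and, via LiferayOAuth2Util, the client IDs.
    @Value("${com.liferay.lxc.dxp.mainDomain}")
    private String _lxcDXPMainDomain;

    // Scheme used for the JWK set URL; anything other than https leaves the
    // signing keys open to substitution in transit.
    @Value("${com.liferay.lxc.dxp.server.protocol}")
    private String _lxcDXPServerProtocol;

    /**
     * Accepts a token only when its {@code client_id} claim is present and is
     * one of the configured client IDs.
     */
    /* loaded from: input_file:com/liferay/client/extension/util/spring/boot/LiferayOAuth2ResourceServerEnableWebSecurity$ClientIdOAuth2TokenValidator.class */
    private static final class ClientIdOAuth2TokenValidator implements OAuth2TokenValidator<Jwt> {
        private final OAuth2Error _oAuth2Error;
        private final Set<String> _validClientIds;

        /**
         * Checks the {@code client_id} claim of the token.
         *
         * @param jwt the decoded token
         * @return success when the claim matches a configured client ID,
         *         otherwise a failure carrying an {@code invalid_token} error
         */
        @Override
        public OAuth2TokenValidatorResult validate(Jwt jwt) {
            String clientId = jwt.getClaimAsString("client_id");

            // A token without a client_id claim must never match, even if a
            // null entry ever ends up in the set of valid IDs.
            if (clientId != null && this._validClientIds.contains(clientId)) {
                return OAuth2TokenValidatorResult.success();
            }

            return OAuth2TokenValidatorResult.failure(this._oAuth2Error);
        }

        private ClientIdOAuth2TokenValidator(Set<String> set) {
            this._oAuth2Error = new OAuth2Error("invalid_token", "The client_id does not match", (String) null);

            // Copy so later changes to the caller's set cannot widen the allow list.
            this._validClientIds = new HashSet<>(set);
        }
    }

    /**
     * Builds the CORS policy applied to every path.
     *
     * @return a source that allows the {@code Authorization} and
     *         {@code Content-Type} headers and the listed methods from the
     *         origins derived from {@code com.liferay.lxc.dxp.domains}
     */
    @Bean
    public CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration corsConfiguration = new CorsConfiguration();

        corsConfiguration.setAllowedHeaders(Arrays.asList("Authorization", "Content-Type"));
        corsConfiguration.setAllowedMethods(Arrays.asList("DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"));
        corsConfiguration.setAllowedOrigins(_getAllowedOrigins());

        UrlBasedCorsConfigurationSource urlBasedCorsConfigurationSource = new UrlBasedCorsConfigurationSource();

        urlBasedCorsConfigurationSource.registerCorsConfiguration("/**", corsConfiguration);

        return urlBasedCorsConfigurationSource;
    }

    /**
     * Builds the decoder that verifies {@code at+jwt} access tokens against the
     * DXP JWK set and accepts only the client IDs of the configured OAuth
     * applications.
     *
     * <p>For each external reference code the client ID is read from the
     * environment or, failing that, polled through {@code LiferayOAuth2Util}
     * once per second for up to five minutes. A code whose client ID cannot be
     * resolved is logged and left out of the allow list, so tokens for it are
     * rejected.</p>
     *
     * @return the configured decoder
     * @throws IllegalArgumentException if
     *         {@code liferay.oauth.application.external.reference.codes} is
     *         not defined
     * @throws Exception if the JWK set URL is malformed, the key selector
     *         cannot be created, or the wait is interrupted
     */
    @Bean
    public JwtDecoder jwtDecoder() throws Exception {
        String externalReferenceCodes = this._environment.getProperty("liferay.oauth.application.external.reference.codes");
        if (externalReferenceCodes == null) {
            throw new IllegalArgumentException("Property \"liferay.oauth.application.external.reference.codes\" is not defined");
        }

        // Raw type kept: the SecurityContext type parameter is not imported in this file.
        DefaultJWTProcessor defaultJWTProcessor = new DefaultJWTProcessor();
        URL url = new URL(this._lxcDXPServerProtocol + "://" + this._lxcDXPMainDomain + "/o/oauth2/jwks");
        if (_log.isDebugEnabled()) {
            _log.debug("Using " + url);
        }

        // The JWK set is the trust anchor for every token; fetched without TLS
        // it can be replaced by anyone on the network path.
        if (!"https".equalsIgnoreCase(this._lxcDXPServerProtocol) && _log.isWarnEnabled()) {
            _log.warn("The JWK set is not fetched over HTTPS: " + url);
        }

        defaultJWTProcessor.setJWSKeySelector(JWSAlgorithmFamilyJWSKeySelector.fromJWKSetURL(url));
        defaultJWTProcessor.setJWSTypeVerifier(new DefaultJOSEObjectTypeVerifier(new JOSEObjectType[]{new JOSEObjectType("at+jwt")}));
        NimbusJwtDecoder nimbusJwtDecoder = new NimbusJwtDecoder(defaultJWTProcessor);

        Set<String> validClientIds = new HashSet<>();
        long retryIntervalMillis = TimeUnit.SECONDS.toMillis(1L);

        for (String rawExternalReferenceCode : externalReferenceCodes.split(",")) {
            String externalReferenceCode = rawExternalReferenceCode.trim();
            if (externalReferenceCode.isEmpty()) {
                continue;
            }

            String clientId = this._environment.getProperty(externalReferenceCode + ".oauth2.user.agent.client.id");
            long remainingMillis = TimeUnit.MINUTES.toMillis(5L);

            while (clientId == null && remainingMillis > 0) {
                clientId = LiferayOAuth2Util.getClientId(externalReferenceCode, this._lxcDXPMainDomain, this._lxcDXPServerProtocol);
                if (clientId == null) {
                    Thread.sleep(retryIntervalMillis);
                    remainingMillis -= retryIntervalMillis;
                }
            }

            // Never put an unresolved (null) ID in the allow list: a token that
            // lacks the client_id claim would otherwise compare equal to it.
            if (clientId == null) {
                _log.error("Unable to resolve the client ID for " + externalReferenceCode + "; tokens for it will be rejected");
                continue;
            }

            validClientIds.add(clientId);
            if (_log.isInfoEnabled()) {
                _log.info("Using client ID " + clientId);
            }
        }

        // NOTE(review): setJwtValidator replaces whatever validator the decoder
        // had; confirm that expiry is still enforced elsewhere (presumably by
        // the JWT processor's own claims verification).
        nimbusJwtDecoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(new ClientIdOAuth2TokenValidator(validClientIds)));
        return nimbusJwtDecoder;
    }

    /**
     * Builds the filter chain: CORS enabled, CSRF protection off, no HTTP
     * session, and JWT bearer authentication on every request except the
     * patterns in {@code liferay.oauth.urls.excludes}.
     *
     * @param httpSecurity the builder supplied by Spring Security
     * @return the filter chain
     * @throws Exception if the chain cannot be built
     */
    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity httpSecurity) throws Exception {
        // CSRF protection is switched off together with session creation:
        // requests are authenticated by the bearer token, not by a cookie.
        // Every pattern in _liferayOauthURLsExcludes is reachable without a
        // token, so that property has to be kept as narrow as possible.
        return httpSecurity.cors()
            .and()
            .csrf().disable()
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            .authorizeHttpRequests(registry -> {
                registry.antMatchers(this._liferayOauthURLsExcludes).permitAll().anyRequest().authenticated();
            })
            .oauth2ResourceServer(configurer -> {
                configurer.jwt();
            })
            .build();
    }

    /**
     * Expands the configured DXP domains into CORS origins.
     *
     * @return an {@code http://} and an {@code https://} origin for every
     *         non-blank entry of {@code com.liferay.lxc.dxp.domains}
     */
    private List<String> _getAllowedOrigins() {
        List<String> allowedOrigins = new ArrayList<>();

        for (String rawDomain : this._lxcDXPDomains.split("\\s*[,\n]\\s*")) {
            // The separator pattern does not strip whitespace at the very
            // start or end of the property, and can yield an empty first entry.
            String domain = rawDomain.trim();
            if (domain.isEmpty()) {
                continue;
            }

            // NOTE(review): the plain-http origin is allowed for every domain
            // regardless of com.liferay.lxc.dxp.server.protocol; confirm it is
            // still wanted where DXP is served over HTTPS only.
            allowedOrigins.add("http://" + domain);
            allowedOrigins.add("https://" + domain);
        }

        return allowedOrigins;
    }
}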
