package top.dcenter.ums.security.jwt.config;

import com.nimbusds.jose.JWSSigner;
import com.nimbusds.jose.crypto.MACSigner;
import com.nimbusds.jose.crypto.RSASSASigner;
import com.nimbusds.jose.jwk.KeyUse;
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.interfaces.RSAPublicKey;
import java.time.Duration;
import java.util.Objects;
import javax.crypto.spec.SecretKeySpec;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.BeanUtils;
import org.springframework.beans.factory.InitializingBean;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.autoconfigure.AutoConfigureAfter;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.boot.autoconfigure.security.oauth2.resource.OAuth2ResourceServerProperties;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Primary;
import org.springframework.core.annotation.Order;
import org.springframework.core.io.Resource;
import org.springframework.data.redis.connection.RedisConnectionFactory;
import org.springframework.lang.NonNull;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jose.jws.JwsAlgorithm;
import org.springframework.security.oauth2.jose.jws.MacAlgorithm;
import org.springframework.security.oauth2.jose.jws.SignatureAlgorithm;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.MappedJwtClaimSetConverter;
import org.springframework.util.StringUtils;
import top.dcenter.ums.security.common.utils.ReflectionUtil;
import top.dcenter.ums.security.core.api.service.UmsUserDetailsService;
import top.dcenter.ums.security.jwt.JwtContext;
import top.dcenter.ums.security.jwt.api.cache.service.JwtCacheTransformService;
import top.dcenter.ums.security.jwt.api.endpoind.service.JwkEndpointPermissionService;
import top.dcenter.ums.security.jwt.api.id.service.JwtIdService;
import top.dcenter.ums.security.jwt.claims.service.GenerateClaimsSetService;
import top.dcenter.ums.security.jwt.controller.JwtRefreshTokenController;
import top.dcenter.ums.security.jwt.decoder.UmsNimbusJwtDecoder;
import top.dcenter.ums.security.jwt.endpoint.JwkEndpoint;
import top.dcenter.ums.security.jwt.enums.JwtRefreshHandlerPolicy;
import top.dcenter.ums.security.jwt.factory.KeyStoreKeyFactory;
import top.dcenter.ums.security.jwt.properties.BearerTokenProperties;
import top.dcenter.ums.security.jwt.properties.JwtBlacklistProperties;
import top.dcenter.ums.security.jwt.properties.JwtProperties;

@Configuration
@AutoConfigureAfter({JwtPropertiesAutoConfiguration.class, JwtServiceAutoConfiguration.class, RedisSerializerAutoConfiguration.class})
@ConditionalOnProperty(prefix = "ums.jwt", name = {"enable"}, havingValue = "true")
@Order(99)
/* loaded from: input_file:top/dcenter/ums/security/jwt/config/JwtAutoConfiguration.class */
public class JwtAutoConfiguration implements InitializingBean {
    private static final Logger log = LoggerFactory.getLogger(JwtAutoConfiguration.class);
    public static final String SIGNER_PARAM_NAME = "signer";
    public static final String JWS_ALGORITHM_PARAM_NAME = "jwsAlgorithm";
    public static final String KID_PARAM_NAME = "kid";
    public static final String JWT_TIMEOUT = "timeout";
    public static final String CLOCK_SKEW = "clockSkew";
    public static final String BEARER_TOKEN = "bearerToken";
    public static final String REDIS_CONNECTION_FACTORY = "redisConnectionFactory";
    public static final String BLACKLIST_PROPERTIES = "blacklistProperties";
    public static final String REFRESH_HANDLER_POLICY = "refreshHandlerPolicy";
    public static final String JWT_ID_SERVICE = "jwtIdService";
    public static final String JWT_CACHE_TRANSFORM_SERVICE = "jwtCacheTransformService";
    private final RSAPublicKey publicKey;
    private final JWSSigner signer;
    private final JwsAlgorithm jwsAlgorithm;
    private final String kid;
    private final BearerTokenProperties bearerTokenProperties;
    private final RedisConnectionFactory redisConnectionFactory;
    private final JwtBlacklistProperties jwtBlacklistProperties;
    private final JwtRefreshHandlerPolicy refreshHandlerPolicy;
    private final JwtIdService jwtIdService;
    private final JwtCacheTransformService<?> jwtCacheTransformService;
    private final Duration timeout;
    private final Duration clockSkew;
    private final OAuth2TokenValidator<Jwt> oAuth2TokenValidator;
    private final MappedJwtClaimSetConverter mappedJwtClaimSetConverter;

    public JwtAutoConfiguration(JwtProperties jwtProperties, RedisConnectionFactory redisConnectionFactory, @Autowired(required = false) OAuth2ResourceServerProperties oAuth2ResourceServerProperties, JwtIdService jwtIdService, JwtCacheTransformService<?> jwtCacheTransformService, OAuth2TokenValidator<Jwt> oAuth2TokenValidator, MappedJwtClaimSetConverter mappedJwtClaimSetConverter) throws Exception {
        this.timeout = jwtProperties.getTimeout();
        this.bearerTokenProperties = jwtProperties.getBearer();
        this.jwtBlacklistProperties = jwtProperties.getBlacklist();
        this.redisConnectionFactory = redisConnectionFactory;
        this.refreshHandlerPolicy = jwtProperties.getRefreshHandlerPolicy();
        this.clockSkew = jwtProperties.getClockSkew();
        this.jwtIdService = jwtIdService;
        this.jwtCacheTransformService = jwtCacheTransformService;
        this.oAuth2TokenValidator = oAuth2TokenValidator;
        this.mappedJwtClaimSetConverter = mappedJwtClaimSetConverter;
        Resource jksKeyPairLocation = jwtProperties.getJksKeyPairLocation();
        if (Objects.nonNull(jksKeyPairLocation)) {
            KeyPair keyPair = new KeyStoreKeyFactory(jksKeyPairLocation, jwtProperties.getJksPassword().toCharArray()).getKeyPair(jwtProperties.getJksAlias());
            this.publicKey = (RSAPublicKey) keyPair.getPublic();
            this.kid = jwtProperties.getKid();
            this.signer = new RSASSASigner(JwtContext.generateJwk(keyPair, this.kid, KeyUse.SIGNATURE));
            this.jwsAlgorithm = SignatureAlgorithm.from(jwtProperties.getJwsAlgorithms());
            return;
        }
        if (!Objects.nonNull(jwtProperties.getMacsSecret())) {
            if (Objects.nonNull(oAuth2ResourceServerProperties)) {
                this.jwsAlgorithm = SignatureAlgorithm.from(oAuth2ResourceServerProperties.getJwt().getJwsAlgorithm());
            } else {
                this.jwsAlgorithm = null;
            }
            this.publicKey = null;
            this.signer = null;
            this.kid = null;
            return;
        }
        String macsSecret = jwtProperties.getMacsSecret();
        if (macsSecret.length() < 32) {
            throw new RuntimeException("用于 JWT 的 HMAC protection 的 secret, 字符长度必须大于等于 32");
        }
        this.signer = new MACSigner(macsSecret.getBytes(StandardCharsets.UTF_8));
        this.jwsAlgorithm = MacAlgorithm.from(jwtProperties.getJwsAlgorithms());
        this.publicKey = null;
        this.kid = jwtProperties.getKid();
    }

    @ConditionalOnProperty(prefix = "ums.jwt", name = {"expose-refresh-token-uri"}, havingValue = "true")
    @Bean
    public JwtRefreshTokenController jwtRefreshTokenController(GenerateClaimsSetService generateClaimsSetService, UmsUserDetailsService umsUserDetailsService, UmsNimbusJwtDecoder umsNimbusJwtDecoder, JwtProperties jwtProperties) {
        return new JwtRefreshTokenController(generateClaimsSetService, umsUserDetailsService, umsNimbusJwtDecoder, jwtProperties);
    }

    @ConditionalOnProperty(prefix = "ums.jwt", name = {"expose-jwk-set-uri"}, havingValue = "true")
    @Bean
    public JwkEndpoint jwkEndpoint(JwtProperties jwtProperties, JwkEndpointPermissionService jwkEndpointPermissionService) {
        Objects.requireNonNull(this.publicKey, "jks-key-pair-location cannot bu null");
        Objects.requireNonNull(jwkEndpointPermissionService, "jwkEndpointPermissionService cannot bu null");
        return new JwkEndpoint(this.publicKey, jwtProperties.getJwsAlgorithms(), jwkEndpointPermissionService, jwtProperties.getKid());
    }

    @Bean
    @Primary
    public JwtDecoder jwtDecoder(@Autowired(required = false) OAuth2ResourceServerProperties oAuth2ResourceServerProperties, JwtProperties jwtProperties) {
        Resource jksKeyPairLocation = jwtProperties.getJksKeyPairLocation();
        String macsSecret = jwtProperties.getMacsSecret();
        UmsNimbusJwtDecoder umsNimbusJwtDecoder = null;
        if (Objects.nonNull(jksKeyPairLocation)) {
            umsNimbusJwtDecoder = UmsNimbusJwtDecoder.withPublicKey(this.publicKey, jwtProperties.getRefreshHandlerPolicy(), jwtProperties.getRemainingRefreshInterval(), jwtProperties.getPrincipalClaimName()).signatureAlgorithm((SignatureAlgorithm) this.jwsAlgorithm).build();
        } else if (StringUtils.hasText(macsSecret)) {
            umsNimbusJwtDecoder = UmsNimbusJwtDecoder.withSecretKey(new SecretKeySpec(macsSecret.getBytes(StandardCharsets.UTF_8), "MAC"), jwtProperties.getRefreshHandlerPolicy(), jwtProperties.getRemainingRefreshInterval(), jwtProperties.getPrincipalClaimName()).build();
        } else if (Objects.nonNull(oAuth2ResourceServerProperties)) {
            umsNimbusJwtDecoder = UmsNimbusJwtDecoder.withJwkSetUri(oAuth2ResourceServerProperties.getJwt().getJwkSetUri(), jwtProperties.getRefreshHandlerPolicy(), jwtProperties.getRemainingRefreshInterval(), jwtProperties.getPrincipalClaimName()).build();
        }
        if (Objects.isNull(umsNimbusJwtDecoder)) {
            throw new RuntimeException("未成功创建 org.springframework.security.oauth2.jwt.JwtDecoder; \n当需要拥有创建 JWT 功能时需要配置 \"ums.jwt.jksKeyPairLocation\" 或 \"ums.jwt.macsSecret\" 的属性, \n当仅仅需要解析 JWT 时请配置 \"spring.security.oauth2.resourceserver.jwt.jwk-set-uri\" 属性");
        }
        setJwtValidatorAndClaimSetConverter(this.oAuth2TokenValidator, this.mappedJwtClaimSetConverter, umsNimbusJwtDecoder);
        return umsNimbusJwtDecoder;
    }

    public void afterPropertiesSet() throws Exception {
        Class.forName(JwtContext.class.getName());
        if (Objects.nonNull(this.signer)) {
            ReflectionUtil.setFieldValue(SIGNER_PARAM_NAME, this.signer, (Object) null, JwtContext.class);
        }
        if (Objects.nonNull(this.jwsAlgorithm)) {
            ReflectionUtil.setFieldValue(JWS_ALGORITHM_PARAM_NAME, this.jwsAlgorithm.getName(), (Object) null, JwtContext.class);
        }
        if (Objects.nonNull(this.kid)) {
            ReflectionUtil.setFieldValue(KID_PARAM_NAME, this.kid, (Object) null, JwtContext.class);
        }
        if (Objects.nonNull(this.timeout)) {
            ReflectionUtil.setFieldValue(JWT_TIMEOUT, this.timeout, (Object) null, JwtContext.class);
        }
        if (Objects.nonNull(this.clockSkew)) {
            ReflectionUtil.setFieldValue(CLOCK_SKEW, this.clockSkew, (Object) null, JwtContext.class);
        }
        if (Objects.nonNull(this.bearerTokenProperties)) {
            BearerTokenProperties bearerTokenProperties = new BearerTokenProperties();
            BeanUtils.copyProperties(this.bearerTokenProperties, bearerTokenProperties);
            ReflectionUtil.setFieldValue(BEARER_TOKEN, bearerTokenProperties, (Object) null, JwtContext.class);
        }
        if (Objects.nonNull(this.jwtBlacklistProperties)) {
            JwtBlacklistProperties jwtBlacklistProperties = new JwtBlacklistProperties();
            BeanUtils.copyProperties(this.jwtBlacklistProperties, jwtBlacklistProperties);
            ReflectionUtil.setFieldValue(BLACKLIST_PROPERTIES, jwtBlacklistProperties, (Object) null, JwtContext.class);
        }
        if (Objects.nonNull(this.redisConnectionFactory)) {
            ReflectionUtil.setFieldValue(REDIS_CONNECTION_FACTORY, this.redisConnectionFactory, (Object) null, JwtContext.class);
        }
        if (Objects.nonNull(this.refreshHandlerPolicy)) {
            ReflectionUtil.setFieldValue(REFRESH_HANDLER_POLICY, this.refreshHandlerPolicy, (Object) null, JwtContext.class);
        }
        if (Objects.nonNull(this.jwtIdService)) {
            ReflectionUtil.setFieldValue(JWT_ID_SERVICE, this.jwtIdService, (Object) null, JwtContext.class);
        }
        if (Objects.nonNull(this.jwtCacheTransformService)) {
            ReflectionUtil.setFieldValue(JWT_CACHE_TRANSFORM_SERVICE, this.jwtCacheTransformService, (Object) null, JwtContext.class);
        }
    }

    private void setJwtValidatorAndClaimSetConverter(@NonNull OAuth2TokenValidator<Jwt> oAuth2TokenValidator, @NonNull MappedJwtClaimSetConverter mappedJwtClaimSetConverter, @NonNull UmsNimbusJwtDecoder umsNimbusJwtDecoder) {
        umsNimbusJwtDecoder.setJwtValidator(oAuth2TokenValidator);
        umsNimbusJwtDecoder.setClaimSetConverter(mappedJwtClaimSetConverter);
    }
}
