package com.okta.spring.oauth;

import java.net.MalformedURLException;
import java.net.URL;
import org.springframework.beans.InvalidPropertyException;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.AccessTokenConverter;
import org.springframework.security.oauth2.provider.token.DefaultTokenServices;
import org.springframework.security.oauth2.provider.token.ResourceServerTokenServices;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.IssuerClaimVerifier;
import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;
import org.springframework.security.oauth2.provider.token.store.JwtClaimsSetVerifier;
import org.springframework.security.oauth2.provider.token.store.jwk.JwkTokenStore;
import org.springframework.util.Assert;

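/**
 * Spring Security OAuth2 resource-server configuration for Okta-issued JWT access tokens.
 *
 * <p>Every bean declared here is {@code @ConditionalOnMissingBean}, so an application can
 * replace any single piece (token services, token store, access-token converter, claims
 * verifier) by declaring its own bean of that type.
 *
 * <p>Trust model as wired below: signing keys are fetched from {@code <issuer>/v1/keys} and
 * each token's {@code iss} claim is checked against the configured issuer, so the issuer
 * property is the trust anchor for token validation. The audience is enforced through the
 * resource id set in {@link #configure(ResourceServerSecurityConfigurer)}.
 */
@EnableConfigurationProperties({OktaOAuthProperties.class})
@EnableWebSecurity
@Configuration
@EnableResourceServer
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {

    /** Bound {@code OktaOAuthProperties}; supplies the issuer, audience and claim names. */
    @Autowired
    private OktaOAuthProperties oauthProperties;

    /**
     * Restricts accepted tokens to the configured audience and installs the JWK-backed
     * token services. Overrides {@code ResourceServerConfigurerAdapter#configure}.
     *
     * @param resourceServerSecurityConfigurer the resource-server configurer to customise
     */
    public void configure(ResourceServerSecurityConfigurer resourceServerSecurityConfigurer) {
        // The resource id is compared against the token's audience by Spring's resource-server
        // authentication manager, so a token minted for a different API is rejected.
        resourceServerSecurityConfigurer.resourceId(this.oauthProperties.getAudience());
        resourceServerSecurityConfigurer.tokenServices(tokenServices());
    }

    /**
     * Token services backed by {@link #tokenStore()}.
     *
     * @return default token services that read and validate tokens via the JWK token store
     */
    @ConditionalOnMissingBean
    @Bean
    public ResourceServerTokenServices tokenServices() {
        DefaultTokenServices services = new DefaultTokenServices();
        services.setTokenStore(tokenStore());
        return services;
    }

    /**
     * Token store that validates JWT signatures against the issuer's published JWK set.
     *
     * <p>The JWK endpoint is derived from the issuer ({@code <issuer>/v1/keys}); no separate
     * key-URL property is consulted, so the issuer value alone determines which signing keys
     * are trusted.
     *
     * @return a {@link JwkTokenStore} using {@link #accessTokenConverter()} and
     *     {@link #jwtClaimsSetVerifier()}
     */
    @ConditionalOnMissingBean
    @Bean
    public TokenStore tokenStore() {
        return new JwkTokenStore(issuerUrl() + "/v1/keys", accessTokenConverter(), jwtClaimsSetVerifier());
    }

    /**
     * JWT converter that maps scopes and roles from the configurable claim names.
     *
     * @return a {@link JwtAccessTokenConverter} delegating to a
     *     {@link ConfigurableAccessTokenConverter} built from the scope and roles claim names
     */
    @ConditionalOnMissingBean
    @Bean
    public AccessTokenConverter accessTokenConverter() {
        ConfigurableAccessTokenConverter claimMapping = new ConfigurableAccessTokenConverter(
                this.oauthProperties.getScopeClaim(), this.oauthProperties.getRolesClaim());
        JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
        converter.setAccessTokenConverter(claimMapping);
        return converter;
    }

    /**
     * Verifies that the {@code iss} claim of every token equals the configured issuer URL.
     *
     * @return an {@link IssuerClaimVerifier} for the issuer
     * @throws InvalidPropertyException if the issuer is not a well-formed URL
     */
    @ConditionalOnMissingBean
    @Bean
    public JwtClaimsSetVerifier jwtClaimsSetVerifier() {
        try {
            return new IssuerClaimVerifier(new URL(issuerUrl()));
        } catch (MalformedURLException e) {
            // NOTE(review): the property name quoted here ("okta.oauth2.issuer") differs from
            // the one in issuerUrl() ("okta.oauth.issuer"); at most one can match the bound
            // prefix — confirm against OktaOAuthProperties and align both messages.
            throw new InvalidPropertyException(JwtClaimsSetVerifier.class, "okta.oauth2.issuer", "Failed to parse issuer URL", e);
        }
    }

    /**
     * Returns the configured issuer, used both as the base of the JWK endpoint and as the
     * expected {@code iss} claim.
     *
     * @return the non-blank issuer string, exactly as configured (no normalisation)
     * @throws IllegalArgumentException if the issuer property is missing or blank
     */
    private String issuerUrl() {
        String issuer = this.oauthProperties.getIssuer();
        Assert.hasText(issuer, "Property 'okta.oauth.issuer' is required, must not be null or empty.");
        return issuer;
    }
}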
