package org.eclipse.hawkbit.autoconfigure.security;

import java.io.IOException;
import java.lang.invoke.MethodHandles;
import java.lang.invoke.MethodType;
import java.lang.runtime.ObjectMethods;
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.eclipse.hawkbit.im.authentication.TenantAwareAuthenticationDetails;
import org.eclipse.hawkbit.im.authentication.UserAuthenticationFilter;
import org.eclipse.hawkbit.repository.SystemManagement;
import org.eclipse.hawkbit.security.SystemSecurityContext;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.boot.autoconfigure.security.oauth2.client.ClientsConfiguredCondition;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Conditional;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
import org.springframework.security.core.authority.mapping.SimpleAuthorityMapper;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.client.authentication.OAuth2AuthenticationToken;
import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserRequest;
import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserService;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.userinfo.OAuth2UserService;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.oidc.OidcIdToken;
import org.springframework.security.oauth2.core.oidc.OidcUserInfo;
import org.springframework.security.oauth2.core.oidc.user.DefaultOidcUser;
import org.springframework.security.oauth2.core.oidc.user.OidcUser;
import org.springframework.security.oauth2.jose.jws.JwsAlgorithms;
import org.springframework.security.oauth2.jose.jws.SignatureAlgorithm;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtException;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
import org.springframework.security.web.authentication.logout.LogoutHandler;
import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;
import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler;
import org.springframework.security.web.authentication.logout.SimpleUrlLogoutSuccessHandler;
import org.springframework.util.CollectionUtils;
import org.springframework.util.StringUtils;
import org.springframework.web.client.RestTemplate;
import org.springframework.web.util.UriComponentsBuilder;

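/**
 * Auto-configuration that plugs OIDC login and JWT bearer-token authentication into hawkBit's user
 * management: hawkBit authorities are read from the token's {@code resource_access.<clientId>.roles}
 * claim, every OIDC user is bound to the {@code DEFAULT} tenant, and logout is propagated to the
 * OpenID provider.
 *
 * <p>Only active when at least one OAuth2 client registration is configured
 * ({@link ClientsConfiguredCondition}).
 */
@Configuration
@Conditional({ClientsConfiguredCondition.class})
public class OidcUserManagementAutoConfiguration {

    /** Tenant every OIDC/JWT-authenticated user is mapped to; the tenant is not derived from the token. */
    private static final String DEFAULT_TENANT = "DEFAULT";

    /** Top-level claim holding per-client access information. */
    private static final String RESOURCE_ACCESS_CLAIM = "resource_access";

    /** Key of the role list inside a client's {@code resource_access} entry. */
    private static final String ROLES_CLAIM = "roles";

    /**
     * Default {@link JwtAuthoritiesExtractor}: reads {@code resource_access.<clientId>.roles} from the
     * token claims and passes the resulting authorities through the configured
     * {@link GrantedAuthoritiesMapper}, if one is set.
     *
     * @param authoritiesMapper mapper applied to the raw role authorities; may be {@code null} (no mapping)
     */
    private record DefaultJwtAuthoritiesExtractor(GrantedAuthoritiesMapper authoritiesMapper)
            implements JwtAuthoritiesExtractor {

        private static final OAuth2Error INVALID_REQUEST = new OAuth2Error("invalid_request");

        /**
         * @throws OAuth2AuthenticationException if reading the token raises a {@link JwtException}
         * @throws NullPointerException if either argument is {@code null}
         */
        @Override
        public Set<GrantedAuthority> extract(final Jwt jwt, final ClientRegistration clientRegistration) {
            Objects.requireNonNull(jwt, "jwt");
            Objects.requireNonNull(clientRegistration, "clientRegistration");
            try {
                return extract(clientRegistration.getClientId(), jwt.getClaims());
            } catch (final JwtException e) {
                // Surface token problems as an OAuth2 error the authentication machinery understands
                // instead of leaking the raw JwtException to the caller.
                throw new OAuth2AuthenticationException(INVALID_REQUEST, e);
            }
        }

        /**
         * Walks {@code claims.resource_access.<clientId>.roles}. Absent entries, entries of an unexpected
         * type and non-string role values yield no authority instead of a {@link ClassCastException} or
         * {@link ArrayStoreException} triggered by token content.
         *
         * @param clientId client id whose {@code resource_access} entry is consulted
         * @param claims   all claims of the token
         * @return the (possibly mapped) authorities, in claim order; empty when no usable role is present
         */
        private Set<GrantedAuthority> extract(final String clientId, final Map<String, Object> claims) {
            final Object resourceAccess = claims.get(RESOURCE_ACCESS_CLAIM);
            if (!(resourceAccess instanceof Map<?, ?> accessByClient) || accessByClient.isEmpty()) {
                return Collections.emptySet();
            }
            final Object clientAccess = accessByClient.get(clientId);
            if (!(clientAccess instanceof Map<?, ?> clientClaims) || clientClaims.isEmpty()) {
                return Collections.emptySet();
            }
            final Object roles = clientClaims.get(ROLES_CLAIM);
            if (!(roles instanceof List<?> roleList) || roleList.isEmpty()) {
                return Collections.emptySet();
            }
            // Only string entries are roles; anything else in the list is ignored.
            final String[] roleNames = roleList.stream()
                    .filter(String.class::isInstance)
                    .map(String.class::cast)
                    .toArray(String[]::new);
            if (roleNames.length == 0) {
                return Collections.emptySet();
            }
            final List<GrantedAuthority> authorities = AuthorityUtils.createAuthorityList(roleNames);
            if (authoritiesMapper == null) {
                return new LinkedHashSet<>(authorities);
            }
            return new LinkedHashSet<>(authoritiesMapper.mapAuthorities(authorities));
        }
    }

    /**
     * Strategy deriving hawkBit {@link GrantedAuthority}s from a decoded JWT for a given client registration.
     * Provide a bean of this type to replace the default {@code resource_access}-based extraction.
     */
    public interface JwtAuthoritiesExtractor {

        /**
         * @param jwt                the already signature-validated token
         * @param clientRegistration registration whose client id selects the relevant claims
         * @return the authorities found in the token; empty (never {@code null}) when there are none
         */
        Set<GrantedAuthority> extract(Jwt jwt, ClientRegistration clientRegistration);
    }

    /**
     * {@link OidcUserService} that replaces the authorities of the loaded user with the ones the
     * {@link JwtAuthoritiesExtractor} derives from the access token, which is expected to be an RS256
     * JWT signed with a key from the provider's JWK set.
     */
    private static class JwtAuthoritiesOidcUserService extends OidcUserService {
        private final JwtAuthoritiesExtractor authoritiesExtractor;

        /**
         * One decoder per JWK set URI. {@link NimbusJwtDecoder} caches the remote key set, so building a new
         * decoder for every login (as before) re-fetched the keys on each request.
         */
        private final Map<String, NimbusJwtDecoder> decodersByJwkSetUri = new ConcurrentHashMap<>();

        JwtAuthoritiesOidcUserService(final JwtAuthoritiesExtractor jwtAuthoritiesExtractor) {
            this.authoritiesExtractor = Objects.requireNonNull(jwtAuthoritiesExtractor, "jwtAuthoritiesExtractor");
        }

        /**
         * @return the user as loaded by Spring when the token carries no hawkBit role, otherwise a
         *         {@link DefaultOidcUser} with exactly the extracted authorities
         * @throws OAuth2AuthenticationException if the access token is not a valid JWT for this provider
         */
        @Override
        public OidcUser loadUser(final OidcUserRequest userRequest) {
            final OidcUser oidcUser = super.loadUser(userRequest);
            final ClientRegistration registration = userRequest.getClientRegistration();
            final Jwt accessToken;
            try {
                // Signature (against the provider's JWK set) and expiry are checked by the decoder;
                // issuer/audience are not part of NimbusJwtDecoder's default validation.
                accessToken = decoderFor(registration.getProviderDetails().getJwkSetUri())
                        .decode(userRequest.getAccessToken().getTokenValue());
            } catch (final JwtException e) {
                // A JwtException is not an AuthenticationException and would escape the login filter as a
                // server error; report it as a failed authentication instead.
                throw new OAuth2AuthenticationException(new OAuth2Error("invalid_token"), e);
            }
            final Set<GrantedAuthority> authorities = authoritiesExtractor.extract(accessToken, registration);
            if (authorities.isEmpty()) {
                // No hawkBit roles in the token: keep the user exactly as Spring loaded it.
                return oidcUser;
            }
            final String userNameAttributeName = registration.getProviderDetails()
                    .getUserInfoEndpoint()
                    .getUserNameAttributeName();
            if (StringUtils.hasText(userNameAttributeName)) {
                return new DefaultOidcUser(authorities, userRequest.getIdToken(), oidcUser.getUserInfo(),
                        userNameAttributeName);
            }
            return new DefaultOidcUser(authorities, userRequest.getIdToken(), oidcUser.getUserInfo());
        }

        /** Returns the cached RS256 decoder for {@code jwkSetUri}, creating it on first use. */
        private NimbusJwtDecoder decoderFor(final String jwkSetUri) {
            Objects.requireNonNull(jwkSetUri, "jwkSetUri");
            return decodersByJwkSetUri.computeIfAbsent(jwkSetUri,
                    uri -> NimbusJwtDecoder.withJwkSetUri(uri).jwsAlgorithm(SignatureAlgorithm.RS256).build());
        }
    }

    /**
     * Success handler for interactive OIDC login: tags the authentication with the default tenant and
     * touches the tenant metadata as the system user before the saved-request redirect is performed.
     */
    private static class OidcAuthenticationSuccessHandler extends SavedRequestAwareAuthenticationSuccessHandler {
        private final SystemManagement systemManagement;
        private final SystemSecurityContext systemSecurityContext;

        OidcAuthenticationSuccessHandler(final SystemManagement systemManagement,
                final SystemSecurityContext systemSecurityContext) {
            this.systemManagement = Objects.requireNonNull(systemManagement, "systemManagement");
            this.systemSecurityContext = Objects.requireNonNull(systemSecurityContext, "systemSecurityContext");
        }

        @Override
        public void onAuthenticationSuccess(final HttpServletRequest request, final HttpServletResponse response,
                final Authentication authentication) throws ServletException, IOException {
            if (authentication instanceof AbstractAuthenticationToken token) {
                token.setDetails(new TenantAwareAuthenticationDetails(DEFAULT_TENANT, false));
                // Presumably ensures the tenant exists before the user's first request hits it — confirm
                // against SystemManagement.getTenantMetadata.
                systemSecurityContext.runAsSystemAsTenant(systemManagement::getTenantMetadata, DEFAULT_TENANT);
            }
            super.onAuthenticationSuccess(request, response, authentication);
        }
    }

    /**
     * Turns a resource-server {@link JwtAuthenticationToken} (already validated upstream) into an
     * {@link OAuth2AuthenticationToken} carrying the hawkBit authorities extracted from the JWT, bound to
     * the default tenant. A valid token without any hawkBit authority is rejected with 403 rather than
     * being let through with the scope-based authorities of the original token.
     */
    static class OidcBearerTokenAuthenticationFilter implements UserAuthenticationFilter, Filter {
        private final JwtAuthoritiesExtractor authoritiesExtractor;
        private final SystemManagement systemManagement;
        private final SystemSecurityContext systemSecurityContext;

        /** Must be set via {@link #setClientRegistration} before the filter serves requests. */
        private ClientRegistration clientRegistration;

        OidcBearerTokenAuthenticationFilter(final JwtAuthoritiesExtractor jwtAuthoritiesExtractor,
                final SystemManagement systemManagement, final SystemSecurityContext systemSecurityContext) {
            this.authoritiesExtractor = Objects.requireNonNull(jwtAuthoritiesExtractor, "jwtAuthoritiesExtractor");
            this.systemManagement = Objects.requireNonNull(systemManagement, "systemManagement");
            this.systemSecurityContext = Objects.requireNonNull(systemSecurityContext, "systemSecurityContext");
        }

        /** Registration whose client id selects the {@code resource_access} entry to read roles from. */
        public void setClientRegistration(final ClientRegistration clientRegistration) {
            this.clientRegistration = clientRegistration;
        }

        /**
         * @throws IllegalStateException if no client registration has been set and a JWT authentication
         *                               is present
         */
        @Override
        public void doFilter(final ServletRequest request, final ServletResponse response,
                final FilterChain chain) throws IOException, ServletException {
            final Authentication current = SecurityContextHolder.getContext().getAuthentication();
            if (current instanceof JwtAuthenticationToken jwtAuthentication) {
                final ClientRegistration registration = this.clientRegistration;
                if (registration == null) {
                    // Wiring error, not a client error: say so instead of failing with a NullPointerException
                    // inside the extractor.
                    throw new IllegalStateException(
                            "clientRegistration has not been set on " + getClass().getSimpleName());
                }
                final Jwt token = jwtAuthentication.getToken();
                final Set<GrantedAuthority> authorities = authoritiesExtractor.extract(token, registration);
                if (authorities.isEmpty()) {
                    // Fail closed: do not continue the chain with the scope-based JwtAuthenticationToken.
                    ((HttpServletResponse) response).sendError(HttpServletResponse.SC_FORBIDDEN);
                    return;
                }
                final OidcIdToken idToken = new OidcIdToken(token.getTokenValue(), token.getIssuedAt(),
                        token.getExpiresAt(), token.getClaims());
                final OidcUser user = new DefaultOidcUser(authorities, idToken, new OidcUserInfo(token.getClaims()));
                final OAuth2AuthenticationToken oidcAuthentication =
                        new OAuth2AuthenticationToken(user, authorities, registration.getRegistrationId());
                oidcAuthentication.setDetails(new TenantAwareAuthenticationDetails(DEFAULT_TENANT, false));
                systemSecurityContext.runAsSystemAsTenant(systemManagement::getTenantMetadata, DEFAULT_TENANT);
                SecurityContextHolder.getContext().setAuthentication(oidcAuthentication);
            }
            chain.doFilter(request, response);
        }

        /** No filter-level resources to initialise. */
        @Override
        public void init(final FilterConfig filterConfig) {
        }

        /** No filter-level resources to release. */
        @Override
        public void destroy() {
        }
    }

    /**
     * Logout handler that, after clearing the local security context, notifies the OpenID provider of the
     * logout (RP-initiated logout carrying {@code id_token_hint}) so the provider session ends as well.
     */
    private static class OidcLogoutHandler extends SecurityContextLogoutHandler {

        /** Thread-safe once constructed; one instance per handler instead of one per logout. */
        private final RestTemplate restTemplate = new RestTemplate();

        private OidcLogoutHandler() {
        }

        /**
         * @param authentication may be {@code null} when no authentication is present at logout time;
         *                       the provider is then not contacted
         */
        @Override
        public void logout(final HttpServletRequest request, final HttpServletResponse response,
                final Authentication authentication) {
            super.logout(request, response, authentication);
            if (authentication != null && authentication.getPrincipal() instanceof OidcUser oidcUser) {
                // NOTE(review): the path is a fixed Keycloak-style end-session endpoint; the provider's
                // end_session_endpoint from discovery metadata would be portable. A failure of this call
                // propagates and fails the logout request although the local session is already cleared.
                final String endSessionUrl = UriComponentsBuilder
                        .fromUriString(oidcUser.getIssuer() + "/protocol/openid-connect/logout")
                        .queryParam("id_token_hint", oidcUser.getIdToken().getTokenValue())
                        .toUriString();
                restTemplate.getForEntity(endSessionUrl, String.class);
            }
        }
    }

    /**
     * Picks the post-logout redirect depending on whether the user had logged in via OIDC.
     *
     * <p>NOTE(review): {@code setTargetUrlParameter} names a <em>request parameter</em> whose value, when
     * present, becomes the redirect target; it does not set the target URL itself. As written, a request
     * parameter named {@code /} (resp. {@code login}) decides where the browser is sent after logout, and
     * the handler's default target is used otherwise. {@code setDefaultTargetUrl} looks like the intended
     * call; confirm before changing it. The handler is a shared bean, so this per-request mutation is also
     * visible to concurrent logouts.
     */
    private static class OidcLogoutSuccessHandler extends SimpleUrlLogoutSuccessHandler {
        private OidcLogoutSuccessHandler() {
        }

        @Override
        public void onLogoutSuccess(final HttpServletRequest request, final HttpServletResponse response,
                final Authentication authentication) throws IOException, ServletException {
            if (authentication instanceof OAuth2AuthenticationToken) {
                setTargetUrlParameter("/");
            } else {
                setTargetUrlParameter("login");
            }
            super.onLogoutSuccess(request, response, authentication);
        }
    }

    /** Success handler binding interactive OIDC logins to the default tenant. */
    @Bean
    public AuthenticationSuccessHandler oidcAuthenticationSuccessHandler(final SystemManagement systemManagement,
            final SystemSecurityContext systemSecurityContext) {
        return new OidcAuthenticationSuccessHandler(systemManagement, systemSecurityContext);
    }

    /** Post-logout redirect handler for OIDC and non-OIDC sessions. */
    @Bean
    public LogoutSuccessHandler oidcLogoutSuccessHandler() {
        return new OidcLogoutSuccessHandler();
    }

    /** Logout handler that also ends the session at the OpenID provider. */
    @Bean
    public LogoutHandler oidcLogoutHandler() {
        return new OidcLogoutHandler();
    }

    /**
     * Default authority extraction: roles from {@code resource_access.<clientId>.roles}, upper-cased and
     * used without the {@code ROLE_} prefix (prefix set to the empty string). Overridden by any user-provided
     * {@link JwtAuthoritiesExtractor} bean.
     */
    @ConditionalOnMissingBean
    @Bean
    public JwtAuthoritiesExtractor jwtAuthoritiesExtractor() {
        final SimpleAuthorityMapper authorityMapper = new SimpleAuthorityMapper();
        authorityMapper.setPrefix("");
        authorityMapper.setConvertToUpperCase(true);
        return new DefaultJwtAuthoritiesExtractor(authorityMapper);
    }

    /** OIDC user service that swaps in the authorities extracted from the access token. */
    @ConditionalOnMissingBean
    @Bean
    OAuth2UserService<OidcUserRequest, OidcUser> oidcUserDetailsService(
            final JwtAuthoritiesExtractor jwtAuthoritiesExtractor) {
        return new JwtAuthoritiesOidcUserService(jwtAuthoritiesExtractor);
    }

    /**
     * Bearer-token filter for API access; the client registration still has to be injected via
     * {@link OidcBearerTokenAuthenticationFilter#setClientRegistration} by whoever wires the filter.
     */
    @ConditionalOnMissingBean
    @Bean
    OidcBearerTokenAuthenticationFilter oidcBearerTokenAuthenticationFilter(
            final JwtAuthoritiesExtractor jwtAuthoritiesExtractor, final SystemManagement systemManagement,
            final SystemSecurityContext systemSecurityContext) {
        return new OidcBearerTokenAuthenticationFilter(jwtAuthoritiesExtractor, systemManagement,
                systemSecurityContext);
    }
}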
