package com.azure.spring.cloud.autoconfigure.aad.properties;

import com.azure.spring.cloud.autoconfigure.aad.AadClientRegistrationRepository;
import com.azure.spring.cloud.autoconfigure.aad.implementation.constants.Constants;
import java.time.Duration;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.InitializingBean;
import org.springframework.boot.context.properties.NestedConfigurationProperty;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
import org.springframework.util.StringUtils;

/* loaded from: input_file:com/azure/spring/cloud/autoconfigure/aad/properties/AadAuthenticationProperties.class */
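/**
 * Configuration properties bound under {@value #PREFIX} for Azure Active Directory
 * authentication (web application, resource server, or resource server with OBO).
 * <p>
 * Besides plain getters/setters this class performs start-up validation in
 * {@link #afterPropertiesSet()}: it defaults the tenant id to {@code common}, rejects
 * group-based restrictions for multi-tenant tenant ids, checks the configured
 * application type against the one inferred from the classpath, and validates every
 * entry of {@code authorization-clients} (authentication method, grant type, scopes).
 * All validation failures surface as {@link IllegalStateException} so that a
 * misconfigured application fails to start rather than running with weaker checks.
 * <p>
 * Security notes for operators:
 * <ul>
 *   <li>With tenant id {@code common}/{@code organizations}/{@code consumers} the
 *       application is multi-tenant; group names/ids are per-directory and are therefore
 *       refused here. Which issuers are ultimately accepted is decided by the token
 *       validators built elsewhere from these properties, not by this class.</li>
 *   <li>{@code client_secret_jwt} is rejected as a client authentication method.</li>
 *   <li>The {@code allowed-group-ids} value {@code all} must be the only entry when used.</li>
 * </ul>
 */
public class AadAuthenticationProperties implements InitializingBean {

    /** Property prefix under which this class is bound. */
    public static final String PREFIX = "spring.cloud.azure.active-directory";

    private static final Logger LOGGER = LoggerFactory.getLogger(AadAuthenticationProperties.class);

    /** Format for the "grant type not allowed for this application type" failure. */
    private static final String UNMATCHING_OAUTH_GRANT_TYPE_FORMAT = "When 'spring.cloud.azure.active-directory.application-type=%s', 'spring.cloud.azure.active-directory.authorization-clients.%s.authorization-grant-type' can not be '%s'.";

    /** Wildcard entry of {@code allowed-group-ids}; it must not be mixed with concrete ids. */
    private static final String ALL_GROUPS = "all";

    /** Tenant id applied when none is configured (multi-tenant endpoint). */
    private static final String DEFAULT_TENANT_ID = "common";

    /** Tenant ids that denote a multi-tenant endpoint rather than a single directory. */
    private static final Set<String> MULTI_TENANT_IDS =
        Stream.of("common", "organizations", "consumers").collect(Collectors.toSet());

    /**
     * Grant types that are explicitly NOT allowed for a given application type.
     * Only consulted for explicitly configured grant types; defaults chosen in
     * {@link #decideDefaultGrantTypeFromApplicationType} bypass this table.
     */
    private static final Map<AadApplicationType, Set<AuthorizationGrantType>> NON_COMPATIBLE_APPLICATION_TYPE_AND_GRANT_TYPES =
        initNonCompatibleApplicationTypeAndGrantTypes();

    @NestedConfigurationProperty
    private final AadProfileProperties profile = new AadProfileProperties();

    @NestedConfigurationProperty
    private final AadCredentialProperties credential = new AadCredentialProperties();

    private final UserGroupProperties userGroup = new UserGroupProperties();

    /** Per-registration-id client configuration; validated in {@link #validateAuthorizationClients()}. */
    private final Map<String, AuthorizationClientProperties> authorizationClients = new HashMap<>();

    /** Extra parameters exposed via {@link #getAuthenticateAdditionalParameters()}; not validated here. */
    private final Map<String, Object> authenticateAdditionalParameters = new HashMap<>();

    private String userNameAttribute;
    private String appIdUri;
    private String postLogoutRedirectUri;
    private AadApplicationType applicationType;
    private String redirectUriTemplate = "{baseUrl}/login/oauth2/code/";

    // Network/size bounds exposed to the JWT/JWK-set machinery. Where exactly each one is
    // applied is not visible from this file; the defaults are deliberately small so that a
    // slow or oversized key endpoint cannot stall token validation indefinitely.
    private Duration jwtConnectTimeout = Duration.ofMillis(500);
    private Duration jwtReadTimeout = Duration.ofMillis(500);
    private int jwtSizeLimit = 51200; // presumably bytes — confirm against the consuming decoder
    private Duration jwkSetCacheLifespan = Duration.ofMinutes(5);
    private Duration jwkSetCacheRefreshTime = Duration.ofMinutes(5);
    private Boolean sessionStateless = false;

    /**
     * Group-based access restriction settings ({@code user-group.*}).
     * <p>
     * NOTE(review): group display names are not guaranteed unique in a directory, so
     * {@code allowed-group-ids} is the more robust of the two lists; both are matched by
     * exact string equality in {@link AadAuthenticationProperties#isAllowedGroup(String)}.
     */
    public static class UserGroupProperties {
        private List<String> allowedGroupNames = new ArrayList<>();
        private Set<String> allowedGroupIds = new HashSet<>();
        private boolean useTransitiveMembers = false;

        /** @return configured group object ids; may contain the wildcard {@code all}. */
        public Set<String> getAllowedGroupIds() {
            return this.allowedGroupIds;
        }

        /** @param set group object ids to allow; stored as given (no defensive copy). */
        public void setAllowedGroupIds(Set<String> set) {
            this.allowedGroupIds = set;
        }

        /** @return configured group display names. */
        public List<String> getAllowedGroupNames() {
            return this.allowedGroupNames;
        }

        /** @param list group display names to allow; stored as given (no defensive copy). */
        public void setAllowedGroupNames(List<String> list) {
            this.allowedGroupNames = list;
        }

        /** @return whether transitive (nested) membership is queried from Graph. */
        public boolean isUseTransitiveMembers() {
            return this.useTransitiveMembers;
        }

        public void setUseTransitiveMembers(boolean z) {
            this.useTransitiveMembers = z;
        }
    }

    /**
     * Builds the table of application type → grant types that are rejected when configured
     * explicitly for a client of that application type.
     * <p>
     * NOTE(review): {@code RESOURCE_SERVER} lists {@code jwt_bearer} as incompatible here,
     * while {@link #decideDefaultGrantTypeFromApplicationType} picks {@code jwt_bearer} as the
     * default for the same type. The two paths are therefore inconsistent for an explicitly
     * configured value; which side is intended cannot be determined from this file.
     */
    private static Map<AadApplicationType, Set<AuthorizationGrantType>> initNonCompatibleApplicationTypeAndGrantTypes() {
        Map<AadApplicationType, Set<AuthorizationGrantType>> table = new HashMap<>();
        table.put(AadApplicationType.WEB_APPLICATION,
            Stream.of(Constants.ON_BEHALF_OF, AuthorizationGrantType.JWT_BEARER).collect(Collectors.toSet()));
        table.put(AadApplicationType.RESOURCE_SERVER,
            Stream.of(AuthorizationGrantType.AUTHORIZATION_CODE, Constants.ON_BEHALF_OF, AuthorizationGrantType.JWT_BEARER)
                .collect(Collectors.toSet()));
        table.put(AadApplicationType.RESOURCE_SERVER_WITH_OBO,
            Stream.of(AuthorizationGrantType.AUTHORIZATION_CODE).collect(Collectors.toSet()));
        return table;
    }

    public AadProfileProperties getProfile() {
        return this.profile;
    }

    public AadCredentialProperties getCredential() {
        return this.credential;
    }

    /** @return the configured application type, or after validation the inferred one. */
    public AadApplicationType getApplicationType() {
        return this.applicationType;
    }

    public void setApplicationType(AadApplicationType aadApplicationType) {
        this.applicationType = aadApplicationType;
    }

    /** @return {@code true} if at least one allowed group name is configured (null-safe). */
    public boolean isAllowedGroupNamesConfigured() {
        List<String> names = this.userGroup.getAllowedGroupNames();
        return names != null && !names.isEmpty();
    }

    /** @return {@code true} if at least one allowed group id is configured (null-safe). */
    public boolean isAllowedGroupIdsConfigured() {
        Set<String> ids = this.userGroup.getAllowedGroupIds();
        return ids != null && !ids.isEmpty();
    }

    public UserGroupProperties getUserGroup() {
        return this.userGroup;
    }

    public String getUserNameAttribute() {
        return this.userNameAttribute;
    }

    public void setUserNameAttribute(String str) {
        this.userNameAttribute = str;
    }

    public String getRedirectUriTemplate() {
        return this.redirectUriTemplate;
    }

    public void setRedirectUriTemplate(String str) {
        this.redirectUriTemplate = str;
    }

    public String getAppIdUri() {
        return this.appIdUri;
    }

    public void setAppIdUri(String str) {
        this.appIdUri = str;
    }

    /** @return the live (mutable) map of additional authentication parameters. */
    public Map<String, Object> getAuthenticateAdditionalParameters() {
        return this.authenticateAdditionalParameters;
    }

    public Duration getJwtConnectTimeout() {
        return this.jwtConnectTimeout;
    }

    public void setJwtConnectTimeout(Duration duration) {
        this.jwtConnectTimeout = duration;
    }

    public Duration getJwtReadTimeout() {
        return this.jwtReadTimeout;
    }

    public void setJwtReadTimeout(Duration duration) {
        this.jwtReadTimeout = duration;
    }

    public int getJwtSizeLimit() {
        return this.jwtSizeLimit;
    }

    public void setJwtSizeLimit(int i) {
        this.jwtSizeLimit = i;
    }

    public Duration getJwkSetCacheLifespan() {
        return this.jwkSetCacheLifespan;
    }

    public void setJwkSetCacheLifespan(Duration duration) {
        this.jwkSetCacheLifespan = duration;
    }

    public Duration getJwkSetCacheRefreshTime() {
        return this.jwkSetCacheRefreshTime;
    }

    public void setJwkSetCacheRefreshTime(Duration duration) {
        this.jwkSetCacheRefreshTime = duration;
    }

    public String getPostLogoutRedirectUri() {
        return this.postLogoutRedirectUri;
    }

    public void setPostLogoutRedirectUri(String str) {
        this.postLogoutRedirectUri = str;
    }

    public Boolean getSessionStateless() {
        return this.sessionStateless;
    }

    public void setSessionStateless(Boolean bool) {
        this.sessionStateless = bool;
    }

    /**
     * @return the Microsoft Graph membership URI for the signed-in user; uses the
     *         transitive endpoint when {@code user-group.use-transitive-members} is set.
     *         Assumes the configured Graph endpoint ends with a {@code /} — confirm in
     *         {@code AadProfileProperties}.
     */
    public String getGraphMembershipUri() {
        String path = getUserGroup().isUseTransitiveMembers() ? "v1.0/me/transitiveMemberOf" : "v1.0/me/memberOf";
        return getProfile().getEnvironment().getMicrosoftGraphEndpoint() + path;
    }

    /** @return the live (mutable) map of authorization clients keyed by registration id. */
    public Map<String, AuthorizationClientProperties> getAuthorizationClients() {
        return this.authorizationClients;
    }

    /**
     * Checks a single value against both the allowed group names and the allowed group ids
     * by exact string equality.
     *
     * @param str a group display name or group object id
     * @return {@code true} if it appears in either list (null-safe for absent lists)
     */
    public boolean isAllowedGroup(String str) {
        List<String> names = this.userGroup.getAllowedGroupNames();
        Set<String> ids = this.userGroup.getAllowedGroupIds();
        boolean byName = names != null && names.contains(str);
        boolean byId = ids != null && ids.contains(str);
        return byName || byId;
    }

    /**
     * Spring callback: applies the {@code common} tenant default and runs all validation.
     *
     * @throws IllegalStateException on any inconsistent configuration (see validators)
     */
    public void afterPropertiesSet() {
        if (!StringUtils.hasText(getProfile().getTenantId())) {
            getProfile().setTenantId(DEFAULT_TENANT_ID);
        }
        validateProperties();
    }

    /** Runs the individual validators in dependency order (application type before clients). */
    private void validateProperties() {
        Set<String> allowedGroupIds = this.userGroup.getAllowedGroupIds();
        // "all" is a wildcard; mixing it with concrete ids is ambiguous, so refuse it outright.
        if (allowedGroupIds != null && allowedGroupIds.size() > 1 && allowedGroupIds.contains(ALL_GROUPS)) {
            throw new IllegalStateException("When spring.cloud.azure.active-directory.user-group.allowed-group-ids contains 'all', no other group ids can be configured. But actually spring.cloud.azure.active-directory.user-group.allowed-group-ids=" + allowedGroupIds);
        }
        validateTenantId();
        validateApplicationType();
        validateAuthorizationClients();
    }

    private void validateAuthorizationClients() {
        this.authorizationClients.forEach(this::validateAuthorizationClientProperties);
    }

    /**
     * Group names and ids belong to one directory, so they make no sense — and would give a
     * false sense of restriction — when the tenant id is a multi-tenant endpoint.
     */
    private void validateTenantId() {
        String tenantId = getProfile().getTenantId();
        if (!isMultiTenantsApplication(tenantId)) {
            return;
        }
        if (isAllowedGroupNamesConfigured()) {
            throw new IllegalStateException("When spring.cloud.azure.active-directory.profile.tenant-id is 'common/organizations/consumers', spring.cloud.azure.active-directory.user-group.allowed-group-names should be empty. But actually spring.cloud.azure.active-directory.profile.tenant-id=" + tenantId + ", and spring.cloud.azure.active-directory.user-group.allowed-group-names=" + this.userGroup.getAllowedGroupNames());
        }
        if (isAllowedGroupIdsConfigured()) {
            throw new IllegalStateException("When spring.cloud.azure.active-directory.profile.tenant-id is 'common/organizations/consumers', spring.cloud.azure.active-directory.user-group.allowed-group-ids should be empty. But actually spring.cloud.azure.active-directory.profile.tenant-id=" + tenantId + ", and spring.cloud.azure.active-directory.user-group.allowed-group-ids=" + this.userGroup.getAllowedGroupIds());
        }
    }

    /**
     * Fills in the application type from the classpath when unset, otherwise requires the
     * configured value to be consistent with the inferred one.
     */
    private void validateApplicationType() {
        AadApplicationType inferred = AadApplicationType.inferApplicationTypeByDependencies();
        if (this.applicationType == null) {
            this.applicationType = inferred;
            return;
        }
        if (!isValidApplicationType(this.applicationType, inferred)) {
            throw new IllegalStateException("Invalid property 'spring.cloud.azure.active-directory.application-type', the configured value is '" + this.applicationType.getValue() + "', but the inferred value is '" + inferred.getValue() + "'.");
        }
    }

    /**
     * @param configured the explicitly configured type
     * @param inferred   the type inferred from the classpath
     * @return {@code true} if they match, or if the classpath supports every type
     *         (inferred {@code RESOURCE_SERVER_WITH_OBO})
     */
    private boolean isValidApplicationType(AadApplicationType configured, AadApplicationType inferred) {
        return inferred == configured || inferred == AadApplicationType.RESOURCE_SERVER_WITH_OBO;
    }

    /**
     * Validates one {@code authorization-clients.<id>} entry: rejects
     * {@code client_secret_jwt}, validates or defaults the grant type, then validates the
     * scopes and adds the OIDC scopes required by authorization-code clients.
     *
     * @throws IllegalStateException on an unsupported authentication method, an
     *                               incompatible grant type, or missing scopes
     */
    private void validateAuthorizationClientProperties(String str, AuthorizationClientProperties authorizationClientProperties) {
        if (ClientAuthenticationMethod.CLIENT_SECRET_JWT.equals(authorizationClientProperties.getClientAuthenticationMethod())) {
            throw new IllegalStateException("The client authentication method of '" + str + "' is not supported.");
        }
        AuthorizationGrantType grantType = authorizationClientProperties.getAuthorizationGrantType();
        if (grantType != null) {
            validateAuthorizationGrantType(str, grantType);
        } else {
            AuthorizationGrantType defaultGrantType = decideDefaultGrantTypeFromApplicationType(str, this.applicationType);
            authorizationClientProperties.setAuthorizationGrantType(defaultGrantType);
            // Placeholders are (client, grant type) — keep the argument order matching.
            LOGGER.debug("The client '{}' sets the default value of AuthorizationGrantType to '{}'.", str, defaultGrantType);
        }
        List<String> scopes = extractValidatedScopes(str, authorizationClientProperties);
        addNecessaryScopesForAuthorizationCodeClients(str, authorizationClientProperties, scopes);
    }

    /**
     * Ensures {@code openid}, {@code profile} and {@code offline_access} are present for
     * authorization-code clients. The built-in {@code azure} client with no scopes configured
     * is left alone. Mutates the given list in place.
     */
    private void addNecessaryScopesForAuthorizationCodeClients(String str, AuthorizationClientProperties authorizationClientProperties, List<String> list) {
        boolean azureClientWithoutScopes = AadClientRegistrationRepository.AZURE_CLIENT_REGISTRATION_ID.equals(str)
            && (list == null || list.isEmpty());
        if (azureClientWithoutScopes) {
            return;
        }
        if (!AuthorizationGrantType.AUTHORIZATION_CODE.equals(authorizationClientProperties.getAuthorizationGrantType())) {
            return;
        }
        // Reached only with a non-null list: every other client passed extractValidatedScopes.
        for (String required : new String[]{"openid", "profile", "offline_access"}) {
            if (!list.contains(required)) {
                list.add(required);
            }
        }
    }

    /**
     * @return the client's scopes; the built-in {@code azure} client may have none, every
     *         other client must configure at least one
     * @throws IllegalStateException when a non-{@code azure} client has no scopes
     */
    private List<String> extractValidatedScopes(String str, AuthorizationClientProperties authorizationClientProperties) {
        List<String> scopes = authorizationClientProperties.getScopes();
        boolean isAzureClient = AadClientRegistrationRepository.AZURE_CLIENT_REGISTRATION_ID.equals(str);
        boolean hasScopes = scopes != null && !scopes.isEmpty();
        if (isAzureClient || hasScopes) {
            return scopes;
        }
        throw new IllegalStateException("'spring.cloud.azure.active-directory.authorization-clients." + str + ".scopes' must be configured");
    }

    /**
     * Rejects grant types that are incompatible with the current application type and
     * forces the built-in {@code azure} client to {@code authorization_code}.
     */
    private void validateAuthorizationGrantType(String str, AuthorizationGrantType authorizationGrantType) {
        Set<AuthorizationGrantType> forbidden = NON_COMPATIBLE_APPLICATION_TYPE_AND_GRANT_TYPES.get(this.applicationType);
        if (forbidden != null) {
            if (forbidden.contains(authorizationGrantType)) {
                throw new IllegalStateException(String.format(UNMATCHING_OAUTH_GRANT_TYPE_FORMAT, this.applicationType.getValue(), str, authorizationGrantType.getValue()));
            }
            LOGGER.debug("'spring.cloud.azure.active-directory.authorization-clients.{}.authorization-grant-type' is valid.", str);
        }
        if (AadClientRegistrationRepository.AZURE_CLIENT_REGISTRATION_ID.equals(str)
            && !AuthorizationGrantType.AUTHORIZATION_CODE.equals(authorizationGrantType)) {
            throw new IllegalStateException("spring.cloud.azure.active-directory.authorization-clients.azure.authorization-grant-type must be configured to 'authorization_code'.");
        }
    }

    /**
     * Chooses the grant type for a client that did not configure one.
     *
     * @throws IllegalStateException for {@code WEB_APPLICATION_AND_RESOURCE_SERVER}, where
     *                               the grant type must be explicit, and for unknown types
     */
    private AuthorizationGrantType decideDefaultGrantTypeFromApplicationType(String str, AadApplicationType aadApplicationType) {
        switch (aadApplicationType) {
            case WEB_APPLICATION:
                if (AadClientRegistrationRepository.AZURE_CLIENT_REGISTRATION_ID.equals(str)) {
                    return AuthorizationGrantType.AUTHORIZATION_CODE;
                }
                return Constants.AZURE_DELEGATED;
            case RESOURCE_SERVER:
            case RESOURCE_SERVER_WITH_OBO:
                return AuthorizationGrantType.JWT_BEARER;
            case WEB_APPLICATION_AND_RESOURCE_SERVER:
                // Message names the real property key so the user can act on it.
                throw new IllegalStateException("spring.cloud.azure.active-directory.authorization-clients." + str + ".authorization-grant-type must be configured. ");
            default:
                throw new IllegalStateException("Unsupported application type " + aadApplicationType.getValue());
        }
    }

    /** @return whether the tenant id denotes a multi-tenant endpoint (null-safe). */
    private boolean isMultiTenantsApplication(String str) {
        return MULTI_TENANT_IDS.contains(str);
    }
}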
