package com.okta.spring.boot.oauth;

import com.okta.commons.lang.Strings;
import com.okta.spring.boot.oauth.config.OktaOAuth2Properties;
import com.okta.spring.boot.oauth.http.UserAgentRequestInterceptor;
import java.net.InetSocketAddress;
import java.net.Proxy;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import org.springframework.boot.autoconfigure.AutoConfiguration;
import org.springframework.boot.autoconfigure.AutoConfigureBefore;
import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication;
import org.springframework.boot.autoconfigure.security.oauth2.resource.OAuth2ResourceServerProperties;
import org.springframework.boot.autoconfigure.security.oauth2.resource.servlet.OAuth2ResourceServerAutoConfiguration;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Conditional;
import org.springframework.http.client.SimpleClientHttpRequestFactory;
import org.springframework.http.client.support.BasicAuthenticationInterceptor;
import org.springframework.http.converter.FormHttpMessageConverter;
import org.springframework.http.converter.StringHttpMessageConverter;
import org.springframework.security.oauth2.core.DefaultOAuth2AuthenticatedPrincipal;
import org.springframework.security.oauth2.core.OAuth2AuthenticatedPrincipal;
import org.springframework.security.oauth2.core.http.converter.OAuth2AccessTokenResponseHttpMessageConverter;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;
import org.springframework.security.oauth2.server.resource.introspection.NimbusOpaqueTokenIntrospector;
import org.springframework.security.oauth2.server.resource.introspection.OpaqueTokenIntrospector;
import org.springframework.web.client.RestTemplate;

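/**
 * Auto-configuration that wires Okta-specific resource-server beans: a JWT authentication
 * converter, a JWT decoder and (conditionally) an opaque-token introspector.
 *
 * <p>It is ordered before Spring Boot's {@code OAuth2ResourceServerAutoConfiguration} and only
 * applies to servlet web applications where {@code JwtAuthenticationToken} is on the classpath.
 *
 * <p>All outbound calls made by these beans (JWKS retrieval, token introspection) go through the
 * {@link RestTemplate} built by {@link #restTemplate(OktaOAuth2Properties)}, so the proxy and
 * interceptor setup in that method is security-relevant for every bean in this class.
 */
@AutoConfigureBefore({OAuth2ResourceServerAutoConfiguration.class})
@EnableConfigurationProperties({OktaOAuth2Properties.class})
@AutoConfiguration
@ConditionalOnClass({JwtAuthenticationToken.class})
@ConditionalOnOktaResourceServerProperties
@ConditionalOnWebApplication(type = ConditionalOnWebApplication.Type.SERVLET)
/* loaded from: input_file:com/okta/spring/boot/oauth/OktaOAuth2ResourceServerAutoConfig.class */
class OktaOAuth2ResourceServerAutoConfig {
    OktaOAuth2ResourceServerAutoConfig() {
    }

    /**
     * Creates the converter that turns a validated JWT into an authentication token.
     *
     * @param oktaOAuth2Properties Okta settings; only the groups claim name is read here
     * @return an {@code OktaJwtAuthenticationConverter} constructed with the configured groups claim
     */
    @Bean
    public JwtAuthenticationConverter jwtAuthenticationConverter(OktaOAuth2Properties oktaOAuth2Properties) {
        return new OktaJwtAuthenticationConverter(oktaOAuth2Properties.getGroupsClaim());
    }

    /**
     * Builds the JWT decoder used when the application does not define its own.
     *
     * <p>Keys are fetched from the configured JWK set URI through the proxy-aware
     * {@link RestTemplate}; the decoder's validator is replaced with the one produced by
     * {@code TokenUtil.jwtValidator} from the issuer URI and the configured audience.
     *
     * @param oAuth2ResourceServerProperties Spring Boot resource-server settings (JWK set URI, issuer URI)
     * @param oktaOAuth2Properties Okta settings (proxy, audience)
     * @return the configured decoder
     */
    @ConditionalOnMissingBean
    @Bean
    JwtDecoder jwtDecoder(OAuth2ResourceServerProperties oAuth2ResourceServerProperties, OktaOAuth2Properties oktaOAuth2Properties) {
        OAuth2ResourceServerProperties.Jwt jwtProperties = oAuth2ResourceServerProperties.getJwt();
        NimbusJwtDecoder decoder = NimbusJwtDecoder.withJwkSetUri(jwtProperties.getJwkSetUri())
                .restOperations(restTemplate(oktaOAuth2Properties))
                .build();
        // setJwtValidator replaces the decoder's default validator, so token acceptance rests
        // entirely on what TokenUtil.jwtValidator returns for this issuer and audience.
        // NOTE(review): presumably that includes issuer and audience checks; confirm in TokenUtil.
        decoder.setJwtValidator(TokenUtil.jwtValidator(jwtProperties.getIssuerUri(), oktaOAuth2Properties.getAudience()));
        return decoder;
    }

    /**
     * Creates the {@link RestTemplate} used for JWKS and introspection calls, honouring the
     * optional Okta proxy settings.
     *
     * <p>A proxy is used only when a host with text and a port greater than zero are configured.
     * Proxy credentials are applied only when both username and password have text.
     *
     * @param oktaOAuth2Properties Okta settings; only the proxy section is read here
     * @return a new template with form, OAuth2 token-response and string converters, a
     *     user-agent interceptor and, if configured, the proxy and its basic-auth interceptor
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public static RestTemplate restTemplate(OktaOAuth2Properties oktaOAuth2Properties) {
        Proxy proxy = null;
        OktaOAuth2Properties.Proxy proxyProperties = oktaOAuth2Properties.getProxy();
        Optional<BasicAuthenticationInterceptor> proxyAuthInterceptor = Optional.empty();
        if (proxyProperties != null && Strings.hasText(proxyProperties.getHost()) && proxyProperties.getPort() > 0) {
            proxy = new Proxy(Proxy.Type.HTTP, new InetSocketAddress(proxyProperties.getHost(), proxyProperties.getPort()));
            if (Strings.hasText(proxyProperties.getUsername()) && Strings.hasText(proxyProperties.getPassword())) {
                // NOTE(review): BasicAuthenticationInterceptor writes the Authorization request
                // header (and skips requests that already carry one), not Proxy-Authorization.
                // The proxy credentials therefore appear to travel with the request to the
                // JWKS/introspection endpoint; confirm that this is the intended behaviour.
                proxyAuthInterceptor = Optional.of(new BasicAuthenticationInterceptor(proxyProperties.getUsername(), proxyProperties.getPassword()));
            }
        }
        RestTemplate restTemplate = new RestTemplate(Arrays.asList(new FormHttpMessageConverter(), new OAuth2AccessTokenResponseHttpMessageConverter(), new StringHttpMessageConverter()));
        restTemplate.getInterceptors().add(new UserAgentRequestInterceptor());
        // The decompiled listing referenced an undefined variable (r1) in this lambda; it is the
        // bound method reference below, which appends the proxy interceptor when one was built.
        proxyAuthInterceptor.ifPresent(restTemplate.getInterceptors()::add);
        // No connect or read timeout is set on this factory, so its defaults apply to every
        // key-fetch and introspection call. Consider whether explicit timeouts are wanted.
        SimpleClientHttpRequestFactory requestFactory = new SimpleClientHttpRequestFactory();
        if (Objects.nonNull(proxy)) {
            requestFactory.setProxy(proxy);
        }
        restTemplate.setRequestFactory(requestFactory);
        return restTemplate;
    }

    /**
     * Creates the opaque-token introspector, active only when
     * {@code OktaOpaqueTokenIntrospectConditional} matches.
     *
     * <p>The introspection endpoint is called with the client id and secret as HTTP basic
     * credentials. The returned principal keeps the introspected name and attributes, and its
     * authorities are recomputed by {@code TokenUtil.opaqueTokenClaimsToAuthorities} from the
     * attributes, the configured groups claim and the introspected authorities.
     *
     * @param oktaOAuth2Properties Okta settings (proxy, groups claim)
     * @param oAuth2ResourceServerProperties Spring Boot resource-server settings (opaque-token section)
     * @return an introspector delegating to {@link NimbusOpaqueTokenIntrospector}
     */
    @Conditional({OktaOpaqueTokenIntrospectConditional.class})
    @Bean
    OpaqueTokenIntrospector opaqueTokenIntrospector(OktaOAuth2Properties oktaOAuth2Properties, OAuth2ResourceServerProperties oAuth2ResourceServerProperties) {
        OAuth2ResourceServerProperties.Opaquetoken opaqueTokenProperties = oAuth2ResourceServerProperties.getOpaquetoken();
        RestTemplate restTemplate = restTemplate(oktaOAuth2Properties);
        // NOTE(review): when proxy credentials are configured, restTemplate() has already
        // registered a BasicAuthenticationInterceptor ahead of this one. That interceptor leaves
        // an existing Authorization header untouched, so the client credentials added here may
        // never be sent. Verify with a proxy username/password set.
        restTemplate.getInterceptors().add(new BasicAuthenticationInterceptor(opaqueTokenProperties.getClientId(), opaqueTokenProperties.getClientSecret()));
        NimbusOpaqueTokenIntrospector delegate = new NimbusOpaqueTokenIntrospector(opaqueTokenProperties.getIntrospectionUri(), restTemplate);
        return token -> {
            OAuth2AuthenticatedPrincipal principal = delegate.introspect(token);
            return new DefaultOAuth2AuthenticatedPrincipal(
                    principal.getName(),
                    principal.getAttributes(),
                    Collections.unmodifiableCollection(TokenUtil.opaqueTokenClaimsToAuthorities(principal.getAttributes(), oktaOAuth2Properties.getGroupsClaim(), principal.getAuthorities())));
        };
    }
}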
