package com.azure.spring.cloud.autoconfigure.implementation.aadb2c.configuration;

import com.azure.spring.cloud.autoconfigure.implementation.aad.security.constants.AadJwtClaimNames;
import com.azure.spring.cloud.autoconfigure.implementation.aad.security.jose.RestOperationsResourceRetriever;
import com.azure.spring.cloud.autoconfigure.implementation.aad.security.jwt.AadIssuerJwsKeySelector;
import com.azure.spring.cloud.autoconfigure.implementation.aad.security.jwt.AadJwtIssuerValidator;
import com.azure.spring.cloud.autoconfigure.implementation.aad.security.jwt.AadTrustedIssuerRepository;
import com.azure.spring.cloud.autoconfigure.implementation.aadb2c.configuration.properties.AadB2cProperties;
import com.azure.spring.cloud.autoconfigure.implementation.aadb2c.security.jwt.AadB2cTrustedIssuerRepository;
import com.azure.spring.cloud.autoconfigure.implementation.jdbc.JdbcPropertyConstants;
import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jose.util.ResourceRetriever;
import com.nimbusds.jwt.proc.DefaultJWTProcessor;
import com.nimbusds.jwt.proc.JWTClaimsSetAwareJWSKeySelector;
import com.nimbusds.jwt.proc.JWTProcessor;
import java.util.ArrayList;
import java.util.List;
import java.util.Objects;
import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication;
import org.springframework.boot.web.client.RestTemplateBuilder;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Import;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtClaimValidator;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtTimestampValidator;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.oauth2.server.resource.authentication.BearerTokenAuthenticationToken;
import org.springframework.util.StringUtils;

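/**
 * Auto-configuration that wires the JWT validation chain for an Azure AD B2C
 * resource server: trusted-issuer repository, key-material retriever, JWS key
 * selector, JWT processor and finally the {@link JwtDecoder}.
 *
 * <p>Every bean is declared with {@link ConditionalOnMissingBean}, so an
 * application-supplied bean of the same type replaces the default. Replacing
 * {@link JwtDecoder} in particular also replaces the audience, issuer and
 * timestamp validators registered by {@link #jwtDecoder}.
 *
 * <p>This listing is decompiler output; see the "loaded from" marker below.
 */
@Configuration(proxyBeanMethods = false)
@ConditionalOnClass({BearerTokenAuthenticationToken.class})
// NOTE(review): the JDBC constant below is unrelated to B2C and looks like the decompiler
// re-symbolising an inlined string literal (presumably "true") - confirm against the original source.
@ConditionalOnProperty(value = {"spring.cloud.azure.active-directory.b2c.enabled"}, havingValue = JdbcPropertyConstants.MYSQL_PROPERTY_VALUE_USE_SSL)
@ConditionalOnWebApplication(type = ConditionalOnWebApplication.Type.SERVLET)
@Import({AadB2cPropertiesConfiguration.class, AadB2cOAuth2ClientConfiguration.class})
/* loaded from: input_file:com/azure/spring/cloud/autoconfigure/implementation/aadb2c/configuration/AadB2cResourceServerAutoConfiguration.class */
public class AadB2cResourceServerAutoConfiguration {
    private final AadB2cProperties properties;
    private final RestTemplateBuilder restTemplateBuilder;

    /**
     * Stores the collaborators used by the bean methods.
     *
     * @param aadB2cProperties the bound B2C configuration properties
     * @param restTemplateBuilder builder handed to the resource retriever and the key selector
     */
    AadB2cResourceServerAutoConfiguration(AadB2cProperties aadB2cProperties, RestTemplateBuilder restTemplateBuilder) {
        this.properties = aadB2cProperties;
        this.restTemplateBuilder = restTemplateBuilder;
    }

    /**
     * Creates the trusted-issuer repository from the B2C properties.
     *
     * @return an {@link AadB2cTrustedIssuerRepository} built from the configured properties
     */
    @ConditionalOnMissingBean
    @Bean
    AadTrustedIssuerRepository trustedIssuerRepository() {
        return new AadB2cTrustedIssuerRepository(this.properties);
    }

    /**
     * Creates the retriever passed to the key selector.
     *
     * @return a {@link RestOperationsResourceRetriever} backed by the injected builder
     */
    @ConditionalOnMissingBean({ResourceRetriever.class})
    @Bean
    ResourceRetriever jwtResourceRetriever() {
        return new RestOperationsResourceRetriever(this.restTemplateBuilder);
    }

    /**
     * Creates the key selector used by the JWT processor.
     *
     * @param aadTrustedIssuerRepository the repository of issuers this application trusts
     * @param resourceRetriever the retriever handed to the selector
     * @return an {@link AadIssuerJwsKeySelector}
     */
    @ConditionalOnMissingBean
    @Bean
    JWTClaimsSetAwareJWSKeySelector<SecurityContext> aadIssuerJwsKeySelector(AadTrustedIssuerRepository aadTrustedIssuerRepository, ResourceRetriever resourceRetriever) {
        return new AadIssuerJwsKeySelector(this.restTemplateBuilder, aadTrustedIssuerRepository, resourceRetriever);
    }

    /**
     * Creates the Nimbus JWT processor and installs the claims-aware key selector on it.
     *
     * @param jWTClaimsSetAwareJWSKeySelector the key selector to install
     * @return a {@link DefaultJWTProcessor} using the given selector
     */
    @ConditionalOnMissingBean
    @Bean
    JWTProcessor<SecurityContext> jwtProcessor(JWTClaimsSetAwareJWSKeySelector<SecurityContext> jWTClaimsSetAwareJWSKeySelector) {
        DefaultJWTProcessor<SecurityContext> processor = new DefaultJWTProcessor<>();
        processor.setJWTClaimsSetAwareJWSKeySelector(jWTClaimsSetAwareJWSKeySelector);
        return processor;
    }

    /**
     * Creates the decoder and registers the audience, issuer and timestamp validators.
     *
     * <p>Accepted audiences are the configured app-id URI and client id, each only when it
     * has text. A token passes the audience check when it carries at least one {@code aud}
     * value and every value it carries is an accepted audience.
     *
     * <p>Security note: when neither the app-id URI nor the client id is configured, no
     * audience validator is registered. The decoder then accepts tokens from a trusted
     * issuer regardless of which application they were issued for.
     *
     * @param jWTProcessor the processor that verifies the token before the validators run
     * @param aadTrustedIssuerRepository the repository consulted by the issuer validator
     * @return a {@link NimbusJwtDecoder} with the validators installed
     */
    @ConditionalOnMissingBean
    @Bean
    JwtDecoder jwtDecoder(JWTProcessor<SecurityContext> jWTProcessor, AadTrustedIssuerRepository aadTrustedIssuerRepository) {
        NimbusJwtDecoder decoder = new NimbusJwtDecoder(jWTProcessor);
        List<OAuth2TokenValidator<Jwt>> validators = new ArrayList<>();

        List<String> acceptedAudiences = new ArrayList<>();
        String appIdUri = this.properties.getAppIdUri();
        if (StringUtils.hasText(appIdUri)) {
            acceptedAudiences.add(appIdUri);
        }
        String clientId = this.properties.getCredential().getClientId();
        if (StringUtils.hasText(clientId)) {
            acceptedAudiences.add(clientId);
        }

        if (!acceptedAudiences.isEmpty()) {
            // containsAll() is vacuously true for an empty collection and throws on null, so a
            // missing or empty aud claim is rejected explicitly rather than left to containsAll().
            validators.add(new JwtClaimValidator<List<String>>(AadJwtClaimNames.AUD,
                tokenAudiences -> tokenAudiences != null
                    && !tokenAudiences.isEmpty()
                    && acceptedAudiences.containsAll(tokenAudiences)));
        }
        validators.add(new AadJwtIssuerValidator(aadTrustedIssuerRepository));
        validators.add(new JwtTimestampValidator());

        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(validators));
        return decoder;
    }
}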
