package com.mulesoft.modules.oauth2.provider.internal;

import com.mulesoft.modules.oauth2.provider.api.Constants;
import com.mulesoft.modules.oauth2.provider.api.client.Client;
import com.mulesoft.modules.oauth2.provider.api.client.ClientStore;
import com.mulesoft.modules.oauth2.provider.api.client.ObjectStoreClientStore;
import com.mulesoft.modules.oauth2.provider.api.code.AuthorizationCodeStore;
import com.mulesoft.modules.oauth2.provider.api.code.AuthorizationConfig;
import com.mulesoft.modules.oauth2.provider.api.code.ObjectStoreAuthorizationCode;
import com.mulesoft.modules.oauth2.provider.api.ratelimit.PeriodRateLimiter;
import com.mulesoft.modules.oauth2.provider.api.ratelimit.RateLimiter;
import com.mulesoft.modules.oauth2.provider.api.token.ObjectStoreAccessAndRefreshTokenStore;
import com.mulesoft.modules.oauth2.provider.api.token.ObjectStoreAccessTokenStore;
import com.mulesoft.modules.oauth2.provider.api.token.TokenConfig;
import com.mulesoft.modules.oauth2.provider.api.token.TokenStore;
import com.mulesoft.modules.oauth2.provider.api.token.generator.TokenGeneratorDefaultStrategy;
import com.mulesoft.modules.oauth2.provider.api.token.generator.TokenGeneratorStrategy;
import com.mulesoft.modules.oauth2.provider.internal.client.ClientManager;
import com.mulesoft.modules.oauth2.provider.internal.code.AuthorizationCodeManager;
import com.mulesoft.modules.oauth2.provider.internal.config.IllegalConfigurationException;
import com.mulesoft.modules.oauth2.provider.internal.config.OAuthConfiguration;
import com.mulesoft.modules.oauth2.provider.internal.generator.AuthorizationHandlerGenerator;
import com.mulesoft.modules.oauth2.provider.internal.generator.CreateAccessHandlerGenerator;
import com.mulesoft.modules.oauth2.provider.internal.generator.RequestHandlerGenerator;
import com.mulesoft.modules.oauth2.provider.internal.security.ResourceOwnerSecurityProvider;
import com.mulesoft.modules.oauth2.provider.internal.security.SpringAwareResourceOwnerSecurityProvider;
import com.mulesoft.modules.oauth2.provider.internal.token.TokenManager;
import com.mulesoft.modules.oauth2.provider.internal.token.TokenSecurityProvider;
import com.mulesoft.modules.oauth2.provider.internal.token.generator.AbstractRefreshTokenStrategy;
import com.mulesoft.modules.oauth2.provider.internal.token.generator.ObjectStoreAwareRefreshTokenStrategy;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import java.util.concurrent.TimeUnit;
import javax.inject.Inject;
import javax.inject.Named;
import org.mule.runtime.api.artifact.Registry;
import org.mule.runtime.api.exception.MuleException;
import org.mule.runtime.api.exception.MuleRuntimeException;
import org.mule.runtime.api.i18n.I18nMessageFactory;
import org.mule.runtime.api.lifecycle.Initialisable;
import org.mule.runtime.api.lifecycle.Startable;
import org.mule.runtime.api.meta.ExpressionSupport;
import org.mule.runtime.api.store.ObjectStore;
import org.mule.runtime.api.store.ObjectStoreException;
import org.mule.runtime.api.store.ObjectStoreManager;
import org.mule.runtime.api.store.ObjectStoreSettings;
import org.mule.runtime.core.api.lifecycle.LifecycleUtils;
import org.mule.runtime.core.api.security.SecurityManager;
import org.mule.runtime.core.api.security.SecurityProvider;
import org.mule.runtime.core.api.util.ClassUtils;
import org.mule.runtime.extension.api.annotation.Alias;
import org.mule.runtime.extension.api.annotation.Configuration;
import org.mule.runtime.extension.api.annotation.Expression;
import org.mule.runtime.extension.api.annotation.Operations;
import org.mule.runtime.extension.api.annotation.dsl.xml.ParameterDsl;
import org.mule.runtime.extension.api.annotation.param.NullSafe;
import org.mule.runtime.extension.api.annotation.param.Optional;
import org.mule.runtime.extension.api.annotation.param.Parameter;
import org.mule.runtime.extension.api.annotation.param.RefName;
import org.mule.runtime.extension.api.annotation.param.reference.ConfigReference;
import org.mule.runtime.extension.api.annotation.param.reference.ObjectStoreReference;
import org.mule.runtime.http.api.HttpService;
import org.mule.runtime.http.api.server.HttpServer;
import org.mule.runtime.http.api.server.ServerNotFoundException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.core.userdetails.UserDetailsService;

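@Configuration
@Operations({OAuth2ProviderOperations.class})
/**
 * Configuration of an OAuth2 provider instance.
 *
 * <p>Lifecycle as visible here: {@link #initialise()} normalises the declarative parameters
 * (provider name, grant types, scopes) and validates them; {@link #start()} looks up the HTTP
 * listener, wires the client / authorization-code / token stores, registers a
 * {@link TokenSecurityProvider} with the Mule security manager and lets every
 * {@link RequestHandlerGenerator} install its endpoints.
 *
 * <p>Store defaults: when no object store is configured for clients, authorization codes,
 * access tokens or refresh tokens, a persistent object store is created through the
 * {@link ObjectStoreManager}, with a TTL-derived expiration interval.
 */
public class OAuth2ProviderConfiguration implements Initialisable, Startable {

    /** Fraction of an entry TTL (in percent) used as the object store's expiration sweep interval. */
    private static final int EXPIRATION_INTERVAL_PERCENTAGE = 10;
    /** Default object stores created by this configuration are persistent. */
    private static final boolean DEFAULT_PERSISTENCE_SETTING = true;
    /** Delimiter for the comma-separated {@code scopes} / {@code defaultScopes} parameters. */
    private static final String DEFAULT_VALUES_DELIMITER = ",";

    /** Name of this config element; also the default provider name and the token security provider name. */
    @RefName
    private String name;

    @Optional
    @Parameter
    @Expression(ExpressionSupport.NOT_SUPPORTED)
    private String providerName;

    /** Name of the {@code http:listener-config} on which the provider endpoints are published. */
    @Parameter
    @Expression(ExpressionSupport.NOT_SUPPORTED)
    @ConfigReference(namespace = "HTTP", name = "LISTENER_CONFIG")
    private String listenerConfig;

    @NullSafe(defaultImplementingType = PeriodRateLimiter.class)
    @Optional
    @Parameter
    private RateLimiter clientValidationRateLimiter;

    /** User-supplied object store for registered clients; {@code null} means "create a default one". */
    @Optional
    @Parameter
    @ObjectStoreReference
    @Expression(ExpressionSupport.NOT_SUPPORTED)
    @Alias("clientStore")
    private ObjectStore clientStoreObjectStore;

    @Optional
    @Parameter
    @Alias("resourceOwnerSecurityProvider")
    private String resourceOwnerSecurityProvider;

    @Parameter
    @Alias("clientSecurityProvider")
    private String clientSecurityProvider;

    @Optional
    @ParameterDsl(allowInlineDefinition = false)
    @Parameter
    @NullSafe(defaultImplementingType = TokenGeneratorDefaultStrategy.class)
    @Expression(ExpressionSupport.NOT_SUPPORTED)
    private TokenGeneratorStrategy tokenGeneratorStrategy;

    @Optional(defaultValue = "AUTHORIZATION_CODE")
    @Parameter
    @Expression(ExpressionSupport.NOT_SUPPORTED)
    @Alias("supportedGrantTypes")
    private String supportedGrantTypesString;

    @Optional
    @Parameter
    @Expression(ExpressionSupport.NOT_SUPPORTED)
    @Alias("scopes")
    private String scopesString;

    @Optional
    @Parameter
    @Expression(ExpressionSupport.NOT_SUPPORTED)
    @Alias("defaultScopes")
    private String defaultScopesString;

    @Optional
    @Parameter
    @NullSafe
    @Expression(ExpressionSupport.NOT_SUPPORTED)
    private TokenConfig tokenConfig;

    @Optional
    @Parameter
    @NullSafe
    @Expression(ExpressionSupport.NOT_SUPPORTED)
    private AuthorizationConfig authorizationConfig;

    /** Clients declared inline in the configuration; added to the client store on start. */
    @NullSafe
    @Optional
    @Parameter
    private List<Client> clients;

    @Inject
    @Named("_muleObjectStoreManager")
    private ObjectStoreManager objectStoreManager;

    @Inject
    @Named("_muleSecurityManager")
    private SecurityManager securityManager;

    @Inject
    private HttpService httpService;

    @Inject
    private Registry registry;

    // Runtime state built by start(); all null until then.
    private OAuthConfiguration oAuthConfiguration;
    private TokenManager tokenManager;
    private TokenStore tokenStore;
    private TokenSecurityProvider tokenSecurityProvider;
    private ClientManager clientManager;
    private ClientStore clientStore;
    private AuthorizationCodeStore authorizationCodeStore;

    // Derived in initialise() from the String parameters above.
    private Set<Constants.ProviderGrantType> supportedGrantTypes;
    private Set<String> scopes;
    private Set<String> defaultScopes;

    private static final Logger logger = LoggerFactory.getLogger(OAuth2ProviderConfiguration.class);

    /** Generators that publish the provider's HTTP endpoints; run in this order on start. */
    private static final List<? extends RequestHandlerGenerator> REQUEST_HANDLER_GENERATORS =
            Collections.unmodifiableList(Arrays.asList(new AuthorizationHandlerGenerator(), new CreateAccessHandlerGenerator()));

    /** TTL applied to the default refresh-token object store entries (one day). */
    private static final long DEFAULT_TOKEN_OS_ENTRY_TTL_MS = TimeUnit.SECONDS.toMillis(86400);
    /** TTL applied to the default authorization-code object store entries (ten minutes). */
    private static final long DEFAULT_AUTHORIZATION_CODE_OS_ENTRY_TTL_MS = TimeUnit.SECONDS.toMillis(600);

    // NOTE(review): public, non-final and static, so any code in the same JVM can rewrite the
    // realm advertised in WWW-Authenticate responses. Kept non-final only to preserve the
    // existing interface; treat writes to it as a code smell.
    public static String WWW_AUTHENTICATE_HEADER_VALUE = "Bearer realm=\"OAuth2 Client Realm\"";

    /**
     * Normalises and validates the declarative parameters.
     *
     * <p>Defaults {@code providerName} to the config name, parses the supported grant types and
     * the scope lists, and checks that the default scopes are a subset of the configured scopes.
     *
     * @throws IllegalConfigurationException if {@code CLIENT_CREDENTIALS} is supported without a
     *         resource owner security provider, or if a default scope is not a configured scope
     */
    @Override
    public void initialise() {
        if (this.providerName == null) {
            this.providerName = this.name;
        }
        this.supportedGrantTypes = Utils.parseProviderGrantTypes(this.supportedGrantTypesString);
        // NOTE(review): start() later resolves resourceOwnerSecurityProvider unconditionally, so a
        // null value fails at start for every grant-type combination; confirm the intended rule.
        if (this.supportedGrantTypes.contains(Constants.ProviderGrantType.CLIENT_CREDENTIALS) && this.resourceOwnerSecurityProvider == null) {
            throw new IllegalConfigurationException(String.format("A Resource Owner Security Provided should be configured if %s is a supported grant type", Constants.ProviderGrantType.CLIENT_CREDENTIALS));
        }
        this.scopes = parseScopeList(this.scopesString);
        this.defaultScopes = parseScopeList(this.defaultScopesString);
        if (!this.scopes.containsAll(this.defaultScopes)) {
            throw new IllegalConfigurationException("Error configuring default scopes. Default scopes should be a subset of the configured scopes for the OAuth provider.");
        }
    }

    /**
     * Splits a comma-separated scope parameter into a set; a missing parameter yields an empty set.
     *
     * @param value raw parameter value, may be {@code null}
     * @return mutable set of scope names, never {@code null}
     */
    private static Set<String> parseScopeList(String value) {
        if (value == null) {
            return new HashSet<>();
        }
        return Utils.tokenize(value, DEFAULT_VALUES_DELIMITER);
    }

    /**
     * Resolves the HTTP listener, builds the runtime configuration and publishes the endpoints.
     *
     * @throws MuleException propagated from store initialisation or the handler generators
     * @throws MuleRuntimeException if the referenced {@code http:listener-config} does not exist
     */
    @Override
    public void start() throws MuleException {
        HttpServer httpServer;
        try {
            httpServer = this.httpService.getServerFactory().lookup(this.listenerConfig);
        } catch (ServerNotFoundException e) {
            throw new MuleRuntimeException(I18nMessageFactory.createStaticMessage(String.format("OAuth provider '%s' defines '%s' as the http:listener-config to use for provisioning callbacks, but no such definition exists in the application configuration", this.providerName, this.listenerConfig)), e);
        }
        OAuthConfiguration configuration = createConfiguration(httpServer);
        for (RequestHandlerGenerator generator : REQUEST_HANDLER_GENERATORS) {
            generator.generate(configuration);
        }
    }

    /**
     * Wires stores, managers and security providers into a single {@link OAuthConfiguration}.
     *
     * <p>Side effects: registers the {@link TokenSecurityProvider} with the injected
     * {@link SecurityManager} and caches every built component in this instance's fields.
     *
     * @param httpServer listener the provider endpoints are published on
     * @return the runtime configuration, also kept in {@link #getOAuthConfiguration()}
     * @throws MuleException from store initialisation or the token security provider
     */
    private OAuthConfiguration createConfiguration(HttpServer httpServer) throws MuleException {
        configureStores();
        this.clientManager = new ClientManager(this.clientStore);
        addClientsToStore();
        AuthorizationCodeManager authorizationCodeManager = new AuthorizationCodeManager(this.authorizationCodeStore);
        // The refresh-token strategy mints tokens with the same generator as the access tokens.
        refreshTokenStrategy().setTokenGeneratorStrategy(this.tokenGeneratorStrategy);
        this.tokenManager = new TokenManager(this.tokenStore, this.tokenGeneratorStrategy, this.tokenConfig.getRefreshTokenStrategy(), this.tokenConfig.getTokenTtl(), this.tokenConfig.getTokenTtlTimeUnit());
        this.tokenSecurityProvider = new TokenSecurityProvider(this.name, this.tokenManager);
        this.tokenSecurityProvider.initialise();
        this.securityManager.addProvider(this.tokenSecurityProvider);
        this.oAuthConfiguration = new OAuthConfiguration(this.providerName, httpServer, createResourceOwnerSecurityProvider(), createClientSecurityProvider(), this.tokenConfig, this.authorizationConfig, this.clientManager, authorizationCodeManager, this.tokenManager, this.scopes, this.defaultScopes, this.supportedGrantTypes, this.clientValidationRateLimiter);
        return this.oAuthConfiguration;
    }

    /**
     * Returns the configured refresh-token strategy as an {@link AbstractRefreshTokenStrategy}.
     *
     * <p>Replaces a blind cast: a strategy of another type now fails with a configuration error
     * naming the offending class instead of a {@code ClassCastException}.
     *
     * @throws IllegalConfigurationException if the strategy is missing or of an unsupported type
     */
    private AbstractRefreshTokenStrategy refreshTokenStrategy() {
        Object strategy = this.tokenConfig.getRefreshTokenStrategy();
        if (!(strategy instanceof AbstractRefreshTokenStrategy)) {
            throw new IllegalConfigurationException(String.format("Refresh token strategy must extend %s but was: %s", AbstractRefreshTokenStrategy.class.getName(), strategy == null ? "null" : strategy.getClass().getName()));
        }
        return (AbstractRefreshTokenStrategy) strategy;
    }

    /**
     * Builds the security provider used to authenticate resource owners.
     *
     * <p>When Spring Security is on the classpath, every {@link UserDetailsService} in the
     * registry is handed to a {@link SpringAwareResourceOwnerSecurityProvider}; otherwise the
     * plain {@link ResourceOwnerSecurityProvider} wraps the referenced Mule provider.
     *
     * @throws IllegalConfigurationException if no provider is registered under the configured name
     */
    private ResourceOwnerSecurityProvider createResourceOwnerSecurityProvider() {
        SecurityProvider provider = this.securityManager.getProvider(this.resourceOwnerSecurityProvider);
        if (provider == null) {
            throw new IllegalConfigurationException(String.format("Could not find resourceOwnerSecurityProvider referenced by the name: '%s'", this.resourceOwnerSecurityProvider));
        }
        if (!ClassUtils.isClassOnPath("org.springframework.security.core.userdetails.UserDetailsService", getClass())) {
            return new ResourceOwnerSecurityProvider(provider);
        }
        Collection<UserDetailsService> userDetailsServices = this.registry.lookupAllByType(UserDetailsService.class);
        if (userDetailsServices == null) {
            userDetailsServices = Collections.emptyList();
        }
        return new SpringAwareResourceOwnerSecurityProvider(provider, new ArrayList<>(userDetailsServices));
    }

    /**
     * Looks up the security provider used to authenticate clients.
     *
     * @throws IllegalConfigurationException if no provider is registered under the configured name
     */
    private SecurityProvider createClientSecurityProvider() {
        SecurityProvider provider = this.securityManager.getProvider(this.clientSecurityProvider);
        if (provider == null) {
            throw new IllegalConfigurationException(String.format("Could not find clientSecurityProvider referenced by the name: '%s'", this.clientSecurityProvider));
        }
        return provider;
    }

    /** Initialises the client, authorization-code and token stores. */
    private void configureStores() throws MuleException {
        initializeDefaultStores();
    }

    /** Initialises the stores in dependency-free order: clients, authorization codes, tokens. */
    private void initializeDefaultStores() throws MuleException {
        initializeClientStore();
        initializeAuthorizationCodeStore();
        initializeTokenStore();
    }

    /**
     * Registers every inline-declared client with the client manager.
     *
     * @throws IllegalConfigurationException if the client manager rejects a client
     */
    private void addClientsToStore() {
        if (this.clients == null) {
            return;
        }
        for (Client client : this.clients) {
            try {
                this.clientManager.addClient(client, true);
            } catch (IllegalArgumentException e) {
                // NOTE(review): only a String constructor of IllegalConfigurationException is
                // visible from here, so the cause cannot be chained without confirming one exists.
                throw new IllegalConfigurationException(e.getMessage());
            }
        }
    }

    /**
     * Creates the client store, backed either by the user-supplied object store or by a default
     * persistent store with no entry expiry.
     *
     * @throws MuleRuntimeException if the default persistent store cannot be opened
     */
    private void initializeClientStore() throws MuleException {
        ObjectStoreClientStore store = new ObjectStoreClientStore();
        this.clientStore = store;
        if (!useDefaultClientStore()) {
            store.setObjectStore(this.clientStoreObjectStore);
            LifecycleUtils.startIfNeeded(this.clientStoreObjectStore);
            return;
        }
        // Clients never expire on their own: TTL 0 and no expiration sweep.
        ObjectStoreSettings settings = ObjectStoreSettings.builder()
                .entryTtl(0L)
                .expirationInterval(0L)
                .persistent(DEFAULT_PERSISTENCE_SETTING)
                .build();
        store.setObjectStore(this.objectStoreManager.getOrCreateObjectStore(ObjectStoreClientStore.CLIENTS_PARTITION, settings));
        try {
            store.getClientObjectStore().open();
        } catch (ObjectStoreException e) {
            // Keep the underlying failure as the cause rather than discarding it.
            throw new MuleRuntimeException(I18nMessageFactory.createStaticMessage("Error initializing persistent object store for Clients"), e);
        }
    }

    /**
     * Creates the authorization-code store, backed by the store from {@link AuthorizationConfig}
     * or, by default, a persistent store whose entries expire after
     * {@link #DEFAULT_AUTHORIZATION_CODE_OS_ENTRY_TTL_MS}.
     */
    private void initializeAuthorizationCodeStore() throws MuleException {
        ObjectStoreAuthorizationCode store = new ObjectStoreAuthorizationCode();
        this.authorizationCodeStore = store;
        if (useDefaultAuthorizationCodeStore()) {
            store.setObjectStore(this.objectStoreManager.getOrCreateObjectStore(ObjectStoreAuthorizationCode.AUTHORIZATION_CODE_PARTITION, persistentSettingsWithTtl(DEFAULT_AUTHORIZATION_CODE_OS_ENTRY_TTL_MS)));
        } else {
            ObjectStore configured = this.authorizationConfig.getAuthorizationCodeStore();
            store.setObjectStore(configured);
            LifecycleUtils.startIfNeeded(configured);
        }
    }

    /**
     * Creates the access-token store and, when the refresh-token strategy is object-store aware,
     * the refresh-token store as well.
     *
     * <p>Default access-token entries expire after the configured token TTL; default
     * refresh-token entries after {@link #DEFAULT_TOKEN_OS_ENTRY_TTL_MS}.
     */
    private void initializeTokenStore() throws MuleException {
        ObjectStoreAccessTokenStore accessTokenStore;
        if (shouldStoreRefreshTokens()) {
            ObjectStoreAccessAndRefreshTokenStore combined = new ObjectStoreAccessAndRefreshTokenStore();
            ObjectStore refreshTokenObjectStore = ((ObjectStoreAwareRefreshTokenStrategy) this.tokenConfig.getRefreshTokenStrategy()).getObjectStore();
            if (refreshTokenObjectStore != null) {
                LifecycleUtils.startIfNeeded(refreshTokenObjectStore);
                combined.setRefreshTokenObjectStore(refreshTokenObjectStore);
            } else {
                combined.setRefreshTokenObjectStore(this.objectStoreManager.getOrCreateObjectStore(ObjectStoreAccessAndRefreshTokenStore.REFRESH_TOKENS_PARTITION, persistentSettingsWithTtl(DEFAULT_TOKEN_OS_ENTRY_TTL_MS)));
            }
            accessTokenStore = combined;
        } else {
            accessTokenStore = new ObjectStoreAccessTokenStore();
        }
        if (useDefaultAccessTokenStore()) {
            long tokenTtlMs = this.tokenConfig.getTokenTtlTimeUnit().toMillis(this.tokenConfig.getTokenTtl());
            accessTokenStore.setAccessTokenObjectStore(this.objectStoreManager.getOrCreateObjectStore(ObjectStoreAccessTokenStore.ACCESS_TOKENS_PARTITION, persistentSettingsWithTtl(tokenTtlMs)));
        } else {
            ObjectStore configured = this.tokenConfig.getTokenStore();
            accessTokenStore.setAccessTokenObjectStore(configured);
            LifecycleUtils.startIfNeeded(configured);
        }
        this.tokenStore = accessTokenStore;
    }

    /**
     * Settings for a default persistent, unbounded object store whose entries live
     * {@code ttlMs} and are swept every {@link #expirationIntervalFor(long)}.
     *
     * @param ttlMs entry time-to-live in milliseconds
     */
    private static ObjectStoreSettings persistentSettingsWithTtl(long ttlMs) {
        return ObjectStoreSettings.builder()
                .persistent(DEFAULT_PERSISTENCE_SETTING)
                .maxEntries(-1)
                .entryTtl(ttlMs)
                .expirationInterval(expirationIntervalFor(ttlMs))
                .build();
    }

    /**
     * Expiration sweep interval for a store whose entries live {@code ttlMs}:
     * {@link #EXPIRATION_INTERVAL_PERCENTAGE} percent of the TTL, truncated.
     *
     * @param ttlMs entry time-to-live in milliseconds
     */
    private static long expirationIntervalFor(long ttlMs) {
        return (ttlMs * EXPIRATION_INTERVAL_PERCENTAGE) / 100;
    }

    /** {@code true} when no client object store was configured. */
    private boolean useDefaultClientStore() {
        return this.clientStoreObjectStore == null;
    }

    /** {@code true} when no access-token object store was configured. */
    private boolean useDefaultAccessTokenStore() {
        return this.tokenConfig == null || this.tokenConfig.getTokenStore() == null;
    }

    /** {@code true} when the refresh-token strategy persists refresh tokens in an object store. */
    private boolean shouldStoreRefreshTokens() {
        return this.tokenConfig.getRefreshTokenStrategy() instanceof ObjectStoreAwareRefreshTokenStrategy;
    }

    /** {@code true} when no authorization-code object store was configured. */
    private boolean useDefaultAuthorizationCodeStore() {
        return this.authorizationConfig == null || this.authorizationConfig.getAuthorizationCodeStore() == null;
    }

    /** Runtime configuration built by {@link #start()}; {@code null} before that. */
    public OAuthConfiguration getOAuthConfiguration() {
        return this.oAuthConfiguration;
    }

    /** Client manager built by {@link #start()}; {@code null} before that. */
    public ClientManager getClientManager() {
        return this.clientManager;
    }

    /** Authorization-code store built by {@link #start()}; {@code null} before that. */
    public AuthorizationCodeStore getAuthorizationCodeStore() {
        return this.authorizationCodeStore;
    }

    /** Token store built by {@link #start()}; {@code null} before that. */
    public TokenStore getTokenStore() {
        return this.tokenStore;
    }

    /** Token security provider registered by {@link #start()}; {@code null} before that. */
    public TokenSecurityProvider getTokenSecurityProvider() {
        return this.tokenSecurityProvider;
    }
}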
