package org.frankframework.lifecycle.servlets;

import java.io.FileNotFoundException;
import java.net.URL;
import java.util.List;
import java.util.Locale;
import java.util.stream.Collectors;
import org.apache.commons.lang3.StringUtils;
import org.frankframework.util.ClassUtils;
import org.frankframework.util.EnumUtils;
import org.frankframework.util.SpringUtils;
import org.frankframework.util.StringUtil;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.oauth2.client.CommonOAuth2Provider;
import org.springframework.security.oauth2.client.InMemoryOAuth2AuthorizedClientService;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.client.registration.InMemoryClientRegistrationRepository;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
import org.springframework.security.web.SecurityFilterChain;

/* loaded from: input_file:org/frankframework/lifecycle/servlets/OAuth2Authenticator.class */
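/**
 * Servlet authenticator that delegates login to an external OAuth2 / OpenID Connect
 * provider through Spring Security's {@code oauth2Login()}.
 *
 * <p>{@link #setProvider(String)} accepts one or more (comma-separated, via
 * {@code StringUtil.splitToStream}) provider names. The names {@code google},
 * {@code github}, {@code facebook} and {@code okta} resolve to the matching
 * {@link CommonOAuth2Provider}; {@code custom} builds a registration from the
 * endpoint URIs supplied through the setters of this class. Every registration uses
 * the same {@code clientId}/{@code clientSecret} pair.
 *
 * <p>Authorities are derived by an {@code AuthorityMapper} from the role-mapping
 * properties file named by {@link #setRoleMappingFile(String)} (default
 * {@code oauth-role-mapping.properties}), which must be resolvable on the classpath.
 *
 * <p>NOTE(review): the client secret is held in a {@code String} field and therefore
 * cannot be wiped from memory after use. Authorized clients (the obtained tokens) are
 * kept in an {@link InMemoryOAuth2AuthorizedClientService}, i.e. in this JVM's heap —
 * presumably not shared between nodes; verify if the application is clustered.
 */
public class OAuth2Authenticator extends ServletAuthenticatorBase {
    private String scopes;
    private String authorizationUri;
    private String tokenUri;
    private String jwkSetUri;
    private String issuerUri;
    private String userInfoUri;
    private String userNameAttributeName;
    private String provider;
    private ClientRegistrationRepository clientRepository;
    /** Path prefix (derived from the first private endpoint) under which the OAuth2 URLs live. */
    private String oauthBaseUrl;
    private String clientId = null;
    private String clientSecret = null;
    private String roleMappingFile = "oauth-role-mapping.properties";
    private URL roleMappingURL = null;

    /**
     * Wires OAuth2 login into the given {@link HttpSecurity} and builds the filter chain.
     *
     * <p>All login-related URLs are rooted at {@link #computeBaseUrl() oauthBaseUrl}:
     * {@code <base>/oauth2/authorization} (authorization endpoint),
     * {@code <base>/oauth2/code/*} (login-processing / redirect endpoint) and
     * {@code <base>/oauth2/failure/} (failure page).
     *
     * @param httpSecurity the security builder to configure
     * @return the built {@link SecurityFilterChain}
     * @throws Exception on configuration failure (see {@link #configure()} for the
     *         {@link IllegalStateException}/{@link FileNotFoundException} raised before
     *         Spring is touched)
     */
    @Override // org.frankframework.lifecycle.servlets.ServletAuthenticatorBase
    public SecurityFilterChain configure(HttpSecurity httpSecurity) throws Exception {
        configure();

        String authorizationBaseUri = oauthBaseUrl + "/oauth2/authorization";
        String loginProcessingUrl = oauthBaseUrl + "/oauth2/code/*";
        String failureUrl = oauthBaseUrl + "/oauth2/failure/";

        httpSecurity.oauth2Login()
                .clientRegistrationRepository(clientRepository)
                // In-memory service: tokens of authorized clients live only in this JVM.
                .authorizedClientService(new InMemoryOAuth2AuthorizedClientService(clientRepository))
                .failureUrl(failureUrl)
                .authorizationEndpoint().baseUri(authorizationBaseUri).and()
                // Provider claims -> application roles, driven by the role-mapping file.
                .userInfoEndpoint().userAuthoritiesMapper(new AuthorityMapper(roleMappingURL, getSecurityRoles(), getEnvironmentProperties())).and()
                .loginProcessingUrl(loginProcessingUrl);
        // NOTE(review): PKCE and any extra request customisation are not configured here;
        // the defaults of the Spring Security version in use apply — confirm they are acceptable.
        return (SecurityFilterChain) httpSecurity.build();
    }

    /**
     * Validates the configuration and prepares the client registrations.
     *
     * <p>Side effects: sets {@code roleMappingURL}, {@code oauthBaseUrl} and
     * {@code clientRepository}, and registers the repository as the
     * {@code clientRegistrationRepository} singleton in the application context.
     *
     * @throws IllegalStateException when clientId, clientSecret or provider is missing,
     *         or an unknown provider name is configured
     * @throws FileNotFoundException when the role-mapping file cannot be found on the classpath
     */
    private void configure() throws FileNotFoundException {
        if (StringUtils.isEmpty(clientId) || StringUtils.isEmpty(clientSecret)) {
            throw new IllegalStateException("clientId and clientSecret must be set");
        }
        // Fail early with a clear message instead of letting the registration repository
        // reject an empty/null provider list further down.
        if (StringUtils.isEmpty(provider)) {
            throw new IllegalStateException("provider must be set");
        }

        roleMappingURL = ClassUtils.getResourceURL(roleMappingFile);
        if (roleMappingURL == null) {
            throw new FileNotFoundException("unable to find OAUTH role-mapping file [" + roleMappingFile + "]");
        }
        log.info("found rolemapping file [{}]", roleMappingURL);

        oauthBaseUrl = computeBaseUrl();
        clientRepository = createClientRegistrationRepository();
        SpringUtils.registerSingleton(getApplicationContext(), "clientRegistrationRepository", clientRepository);
    }

    /**
     * Builds one {@link ClientRegistration} per configured provider name and wraps them
     * in an {@link InMemoryClientRegistrationRepository}.
     *
     * @return the repository holding all registrations
     */
    public ClientRegistrationRepository createClientRegistrationRepository() {
        List<ClientRegistration> registrations = StringUtil.splitToStream(provider)
                .map(this::getRegistration)
                .collect(Collectors.toList());
        return new InMemoryClientRegistrationRepository(registrations);
    }

    /**
     * Creates the registration for a single provider name.
     *
     * <p>Well-known names are matched case-insensitively and delegated to
     * {@link CommonOAuth2Provider}; {@code custom} uses {@link #createCustomBuilder}.
     * The registration id of a well-known provider is the name as given; a custom
     * provider gets the lower-cased name.
     *
     * @param providerName the configured provider name
     * @return the built registration
     * @throws IllegalStateException for an unrecognised provider name
     */
    private ClientRegistration getRegistration(String providerName) {
        // Locale.ROOT: the comparison must not depend on the JVM's default locale
        // (e.g. "GITHUB" would not lower-case to "github" under a Turkish locale).
        String normalized = providerName.toLowerCase(Locale.ROOT);
        ClientRegistration.Builder builder;
        switch (normalized) {
            case "google":
            case "github":
            case "facebook":
            case "okta":
                builder = EnumUtils.parse(CommonOAuth2Provider.class, providerName).getBuilder(providerName);
                break;
            case "custom":
                builder = createCustomBuilder(providerName, normalized);
                break;
            default:
                throw new IllegalStateException("unknown OAuth provider [" + providerName + "]");
        }
        builder.clientId(clientId).clientSecret(clientSecret);
        // NOTE(review): oauthBaseUrl keeps its leading "/" (see computeBaseUrl), so this
        // template presumably expands to "{baseUrl}//…"; confirm that the redirect URI
        // registered at the provider really matches loginProcessingUrl in configure(HttpSecurity).
        builder.redirectUri(String.format("{baseUrl}/%s/oauth2/code/{registrationId}", oauthBaseUrl));
        return builder.build();
    }

    /**
     * Builds an authorization-code registration from the explicitly configured endpoints.
     *
     * <p>Client authentication uses {@code client_secret_basic}. Whether the supplied
     * URIs are complete is not checked here; {@code ClientRegistration.Builder#build()}
     * is expected to reject a registration without authorization/token URI — confirm.
     *
     * @param clientName   display name of the registration (the provider name as configured)
     * @param registrationId registration id (the lower-cased provider name)
     * @return a builder with all custom properties applied; clientId/secret/redirectUri are
     *         still to be set by the caller
     */
    public ClientRegistration.Builder createCustomBuilder(String clientName, String registrationId) {
        ClientRegistration.Builder builder = ClientRegistration.withRegistrationId(registrationId);
        builder.clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC);
        builder.authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE);
        builder.scope(StringUtil.split(scopes));
        builder.authorizationUri(authorizationUri);
        builder.tokenUri(tokenUri);
        builder.jwkSetUri(jwkSetUri);
        builder.issuerUri(issuerUri);
        builder.userInfoUri(userInfoUri);
        builder.userNameAttributeName(userNameAttributeName);
        builder.clientName(clientName);
        return builder;
    }

    /**
     * Derives the OAuth2 URL prefix from the first private endpoint pattern: a trailing
     * {@code *} and then a trailing {@code /} are stripped. Only the first endpoint is
     * considered; when there are none the prefix is the empty string (URLs then hang
     * directly off the application root).
     *
     * @return the prefix, never {@code null}
     */
    private String computeBaseUrl() {
        String prefix = getPrivateEndpoints().stream().findFirst().orElse("");
        if (prefix.endsWith("*")) {
            prefix = prefix.substring(0, prefix.length() - 1);
        }
        if (prefix.endsWith("/")) {
            prefix = prefix.substring(0, prefix.length() - 1);
        }
        return prefix;
    }

    /** Scopes to request from a custom provider (split by {@code StringUtil.split}). */
    public void setScopes(String str) {
        scopes = str;
    }

    /** Authorization endpoint of a custom provider. */
    public void setAuthorizationUri(String str) {
        authorizationUri = str;
    }

    /** Token endpoint of a custom provider. */
    public void setTokenUri(String str) {
        tokenUri = str;
    }

    /** JWK set endpoint of a custom provider (used by Spring to verify signed tokens). */
    public void setJwkSetUri(String str) {
        jwkSetUri = str;
    }

    /** Issuer URI of a custom provider. */
    public void setIssuerUri(String str) {
        issuerUri = str;
    }

    /** User-info endpoint of a custom provider. */
    public void setUserInfoUri(String str) {
        userInfoUri = str;
    }

    /** Name of the user-info attribute that identifies the user for a custom provider. */
    public void setUserNameAttributeName(String str) {
        userNameAttributeName = str;
    }

    /** OAuth2 client id; required. */
    public void setClientId(String str) {
        clientId = str;
    }

    /** OAuth2 client secret; required. Treat as sensitive — it is never logged by this class. */
    public void setClientSecret(String str) {
        clientSecret = str;
    }

    /** Provider name(s): google, github, facebook, okta or custom; required. */
    public void setProvider(String str) {
        provider = str;
    }

    /** Classpath resource holding the role mapping (default {@code oauth-role-mapping.properties}). */
    public void setRoleMappingFile(String str) {
        roleMappingFile = str;
    }
}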
