package io.gardenerframework.camellia.authentication.server.configuration;

import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.RSAKey;
import com.nimbusds.jose.jwk.source.JWKSource;
import com.nimbusds.jose.proc.SecurityContext;
import io.gardenerframework.camellia.authentication.server.common.configuration.AuthenticationServerPathOption;
import io.gardenerframework.camellia.authentication.server.main.spring.oauth2.OAuth2AuthorizationIdModifier;
import java.io.IOException;
import java.io.InputStreamReader;
import java.nio.charset.StandardCharsets;
import java.security.KeyFactory;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.PKCS8EncodedKeySpec;
import java.security.spec.X509EncodedKeySpec;
import java.util.Arrays;
import java.util.UUID;
import javax.crypto.Cipher;
import org.bouncycastle.util.io.pem.PemObject;
import org.bouncycastle.util.io.pem.PemReader;
import org.springframework.beans.factory.config.ConfigurableListableBeanFactory;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Condition;
import org.springframework.context.annotation.ConditionContext;
import org.springframework.context.annotation.Conditional;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.io.ClassPathResource;
import org.springframework.core.type.AnnotatedTypeMetadata;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtEncoder;
import org.springframework.security.oauth2.jwt.NimbusJwtEncoder;
import org.springframework.security.oauth2.server.authorization.config.annotation.web.configuration.OAuth2AuthorizationServerConfiguration;
import org.springframework.security.oauth2.server.authorization.settings.AuthorizationServerSettings;
import org.springframework.util.Assert;

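@Configuration
/**
 * Wires the OAuth2 / OIDC engine components: endpoint settings, the JWT encoder/decoder pair,
 * a pass-through {@link OAuth2AuthorizationIdModifier} fallback and, when the application
 * supplies no {@link JWKSource} bean of its own, a JWK source built from an RSA key pair that is
 * read from PEM files on the classpath.
 *
 * <p>Because the fallback key pair is loaded from the classpath it is packaged with the
 * application; the {@link MissingJWKSourceBeanAndKeyPemProvided} condition makes sure an
 * explicitly configured {@code JWKSource} bean always takes precedence over it.
 */
public class AuthenticationServerEngineOAuth2ComponentConfiguration {
    /** Classpath location of the PKCS#8 encoded private key used by the fallback JWK source. */
    private static final String PRIVATE_KEY_PEM = "authentication-server-engine/pki/private.pem";
    /** Classpath location of the X.509 (SubjectPublicKeyInfo) encoded public key. */
    private static final String PUBLIC_KEY_PEM = "authentication-server-engine/pki/public.pem";
    /**
     * Transformation used for the key-pair round-trip check. Spelled out in full because a bare
     * {@code "RSA"} leaves mode and padding to whichever provider answers first.
     */
    private static final String KEY_CHECK_TRANSFORMATION = "RSA/ECB/PKCS1Padding";

    private final AuthenticationServerPathOption authenticationServerPathOption;

    /**
     * @param authenticationServerPathOption endpoint paths exposed by the authorization server
     */
    public AuthenticationServerEngineOAuth2ComponentConfiguration(AuthenticationServerPathOption authenticationServerPathOption) {
        this.authenticationServerPathOption = authenticationServerPathOption;
    }

    /**
     * Matches when the context holds no {@link JWKSource} bean and both PEM files are present on
     * the classpath, i.e. exactly the situation in which {@link #jwkSource()} should step in.
     */
    public static class MissingJWKSourceBeanAndKeyPemProvided implements Condition {
        @Override
        public boolean matches(ConditionContext conditionContext, AnnotatedTypeMetadata annotatedTypeMetadata) {
            ConfigurableListableBeanFactory beanFactory = conditionContext.getBeanFactory();
            Assert.notNull(beanFactory, "beanFactory must not be null");
            boolean noJwkSourceBean = beanFactory.getBeanNamesForType(JWKSource.class).length < 1;
            return noJwkSourceBean
                    && new ClassPathResource(PRIVATE_KEY_PEM).exists()
                    && new ClassPathResource(PUBLIC_KEY_PEM).exists();
        }
    }

    /**
     * Authorization-server settings whose authorization, token and userinfo endpoints come from
     * {@link AuthenticationServerPathOption}; every other setting keeps the builder default.
     *
     * @return the settings bean
     */
    @Bean
    public AuthorizationServerSettings providerSettings() {
        return AuthorizationServerSettings.builder()
                .authorizationEndpoint(this.authenticationServerPathOption.getOAuth2AuthorizationEndpoint())
                .tokenEndpoint(this.authenticationServerPathOption.getOAuth2TokenEndpoint())
                .oidcUserInfoEndpoint(this.authenticationServerPathOption.getOidcUserInfoEndpoint())
                .build();
    }

    /**
     * JWT encoder backed by the application's {@link JWKSource}.
     *
     * @param jWKSource key source used to sign issued tokens
     * @return the encoder bean
     */
    @Bean
    public JwtEncoder jwtEncoder(JWKSource<SecurityContext> jWKSource) {
        return new NimbusJwtEncoder(jWKSource);
    }

    /**
     * JWT decoder built by Spring Authorization Server from the same {@link JWKSource} the encoder
     * uses, so locally issued tokens verify against the signing key.
     *
     * @param jWKSource key source used to verify tokens
     * @return the decoder bean
     */
    @Bean
    public JwtDecoder jwtDecoder(JWKSource<SecurityContext> jWKSource) {
        return OAuth2AuthorizationServerConfiguration.jwtDecoder(jWKSource);
    }

    /**
     * Fallback modifier that returns the authorization id unchanged; only registered when the
     * application does not define its own {@link OAuth2AuthorizationIdModifier}.
     *
     * @return an identity modifier
     */
    @ConditionalOnMissingBean({OAuth2AuthorizationIdModifier.class})
    @Bean
    public OAuth2AuthorizationIdModifier defaultOAuth2AuthorizationIdModifier() {
        return (str, httpServletRequest, registeredClient, user) -> str;
    }

    /**
     * Fallback {@link JWKSource} holding a single RSA key read from the classpath PEM files.
     * The pair is checked for consistency before it is exposed so that a mismatched
     * private/public file fails at startup rather than at the first token verification.
     *
     * @return a JWK source serving the single key
     * @throws Exception if a PEM file cannot be read, is not an RSA key in the expected
     *                   encoding, or the two keys do not belong together
     */
    @Conditional({MissingJWKSourceBeanAndKeyPemProvided.class})
    @Bean
    public JWKSource<SecurityContext> jwkSource() throws Exception {
        RSAPrivateKey privateKey = readPrivateKey();
        RSAPublicKey publicKey = readPublicKey();
        validateKey(publicKey, privateKey);
        // NOTE(review): the kid is a fresh UUID on every start, so several instances that share
        // the same PEM files advertise different kids for the same key; if tokens are verified
        // across instances a deterministic kid (e.g. the key thumbprint) may be needed — confirm.
        RSAKey rsaKey = new RSAKey.Builder(publicKey)
                .privateKey(privateKey)
                .keyID(UUID.randomUUID().toString())
                .build();
        JWKSet jwkSet = new JWKSet(rsaKey);
        return (jwkSelector, securityContext) -> jwkSelector.select(jwkSet);
    }

    /**
     * Loads the private key; the PEM payload must be PKCS#8 encoded.
     *
     * @return the RSA private key
     * @throws Exception on I/O failure or if the payload is not a PKCS#8 RSA private key
     */
    private RSAPrivateKey readPrivateKey() throws Exception {
        byte[] der = readPemContent(PRIVATE_KEY_PEM);
        return (RSAPrivateKey) KeyFactory.getInstance("RSA").generatePrivate(new PKCS8EncodedKeySpec(der));
    }

    /**
     * Loads the public key; the PEM payload must be an X.509 SubjectPublicKeyInfo structure.
     *
     * @return the RSA public key
     * @throws Exception on I/O failure or if the payload is not an X.509 RSA public key
     */
    private RSAPublicKey readPublicKey() throws Exception {
        byte[] der = readPemContent(PUBLIC_KEY_PEM);
        return (RSAPublicKey) KeyFactory.getInstance("RSA").generatePublic(new X509EncodedKeySpec(der));
    }

    /**
     * Reads the first PEM object from a classpath resource and returns its DER payload.
     * The reader is closed in all cases; the previous implementation left the stream open.
     *
     * @param classpathLocation classpath path of the PEM file
     * @return the decoded PEM body
     * @throws IOException if the resource cannot be read
     * @throws IllegalArgumentException if the resource contains no PEM object
     */
    private static byte[] readPemContent(String classpathLocation) throws IOException {
        ClassPathResource resource = new ClassPathResource(classpathLocation);
        try (PemReader pemReader = new PemReader(
                new InputStreamReader(resource.getInputStream(), StandardCharsets.UTF_8))) {
            PemObject pemObject = pemReader.readPemObject();
            // readPemObject() yields null on an empty or non-PEM file; fail with a clear message
            // instead of the NPE the caller would otherwise hit on getContent().
            Assert.notNull(pemObject, "no PEM object found in " + classpathLocation);
            return pemObject.getContent();
        }
    }

    /**
     * Verifies that the two keys form one pair: the moduli must match and a random probe
     * encrypted under the public key must decrypt back to itself under the private key.
     *
     * @param publicKey  the public half
     * @param privateKey the private half
     * @throws Exception if the cipher is unavailable or the round trip fails
     * @throws IllegalArgumentException if the keys do not belong together
     */
    private void validateKey(RSAPublicKey publicKey, RSAPrivateKey privateKey) throws Exception {
        // Cheap structural check first; a mixed-up file pair shows up here with a precise message.
        Assert.isTrue(publicKey.getModulus().equals(privateKey.getModulus()),
                "key validation failed: public and private key moduli differ");
        byte[] probe = UUID.randomUUID().toString().getBytes(StandardCharsets.UTF_8);
        Cipher encryptor = Cipher.getInstance(KEY_CHECK_TRANSFORMATION);
        encryptor.init(Cipher.ENCRYPT_MODE, publicKey);
        byte[] ciphertext = encryptor.doFinal(probe);
        Cipher decryptor = Cipher.getInstance(KEY_CHECK_TRANSFORMATION);
        decryptor.init(Cipher.DECRYPT_MODE, privateKey);
        // Compare raw bytes: the original re-decoded with the platform charset, which is not
        // guaranteed to round-trip.
        Assert.isTrue(Arrays.equals(decryptor.doFinal(ciphertext), probe), "key validation failed");
    }
}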
