package com.okta.spring.oauth;

import com.okta.spring.config.OktaOAuth2Properties;
import java.net.MalformedURLException;
import java.net.URL;
import org.springframework.beans.InvalidPropertyException;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.boot.autoconfigure.security.oauth2.resource.AuthoritiesExtractor;
import org.springframework.boot.autoconfigure.security.oauth2.resource.PrincipalExtractor;
import org.springframework.boot.autoconfigure.security.oauth2.resource.ResourceServerProperties;
import org.springframework.boot.autoconfigure.security.oauth2.resource.UserInfoRestTemplateFactory;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Import;
import org.springframework.context.annotation.Primary;
import org.springframework.security.oauth2.client.OAuth2ClientContext;
import org.springframework.security.oauth2.provider.token.AccessTokenConverter;
import org.springframework.security.oauth2.provider.token.ResourceServerTokenServices;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.IssuerClaimVerifier;
import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;
import org.springframework.security.oauth2.provider.token.store.JwtClaimsSetVerifier;
import org.springframework.security.oauth2.provider.token.store.jwk.JwkTokenStore;

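/**
 * Wires access-token validation for the resource server.
 *
 * <p>Exactly one of the two nested configurations is active, selected by the
 * {@code okta.oauth2.localTokenValidation} property: {@link LocalTokenValidationConfig}
 * (the default when the property is absent) verifies JWTs in-process against the issuer's
 * JWKS and issuer claim, while {@link RemoteTokenValidationConfig}
 * ({@code localTokenValidation=false}) resolves tokens through the configured user-info URI.
 *
 * <p>Bean methods here take their collaborators as parameters instead of calling sibling
 * {@code @Bean} methods directly. Several of those siblings are {@code @ConditionalOnMissingBean};
 * a direct call resolves the sibling by its method name, which is not registered when a
 * user-supplied bean satisfies the condition, so injection is what lets overrides of the
 * extractors, converter and claims verifier actually take effect.
 */
@Configuration
@Import({RemoteTokenValidationConfig.class, LocalTokenValidationConfig.class})
public class OktaTokenServicesConfig {

    /**
     * In-process (local) JWT validation.
     *
     * <p>Active unless {@code okta.oauth2.localTokenValidation} is set to another value
     * ({@code matchIfMissing = true}). Signatures are checked against the JWKS published under
     * the configured issuer and the {@code iss} claim must match that issuer, so
     * {@code okta.oauth2.issuer} is the trust anchor for every token accepted on this path.
     */
    @Configuration
    @ConditionalOnProperty(name = {"okta.oauth2.localTokenValidation"}, matchIfMissing = true)
    public static class LocalTokenValidationConfig {
        private final OktaOAuth2Properties oktaOAuth2Properties;

        /**
         * @param oktaOAuth2Properties the bound {@code okta.oauth2.*} settings
         */
        public LocalTokenValidationConfig(OktaOAuth2Properties oktaOAuth2Properties) {
            this.oktaOAuth2Properties = oktaOAuth2Properties;
        }

        /**
         * Maps the configured roles claim to granted authorities.
         * Replaced by any user-defined {@link AuthoritiesExtractor} bean.
         */
        @ConditionalOnMissingBean
        @Bean
        protected AuthoritiesExtractor authoritiesExtractor() {
            return new ClaimsAuthoritiesExtractor(this.oktaOAuth2Properties.getRolesClaim());
        }

        /**
         * Reads the principal from the configured principal claim.
         * Replaced by any user-defined {@link PrincipalExtractor} bean.
         */
        @ConditionalOnMissingBean
        @Bean
        protected PrincipalExtractor principalExtractor() {
            return new ClaimsPrincipalExtractor(this.oktaOAuth2Properties.getPrincipalClaim());
        }

        /**
         * JWK-backed token store that verifies signatures with keys fetched from the issuer's
         * {@code /v1/keys} endpoint.
         *
         * @param accessTokenConverter the converter bean (default from {@link #accessTokenConverter()}
         *     or a user-supplied replacement)
         * @param jwtClaimsSetVerifier the claims verifier bean (default from
         *     {@link #jwtClaimsSetVerifier()} or a user-supplied replacement)
         * @return the token store used to decode and validate incoming JWTs
         */
        @Bean
        public TokenStore tokenStore(AccessTokenConverter accessTokenConverter, JwtClaimsSetVerifier jwtClaimsSetVerifier) {
            // The JWKS location is derived from the issuer, so one property anchors both key
            // discovery here and the iss-claim check performed by the verifier.
            String jwkSetUri = this.oktaOAuth2Properties.getIssuer() + "/v1/keys";
            return new JwkTokenStore(jwkSetUri, accessTokenConverter, jwtClaimsSetVerifier);
        }

        /**
         * Rejects tokens whose {@code iss} claim does not match the configured issuer.
         * Replaced by any user-defined {@link JwtClaimsSetVerifier} bean.
         *
         * @throws InvalidPropertyException if {@code okta.oauth2.issuer} is not a well-formed URL
         */
        @ConditionalOnMissingBean
        @Bean
        public JwtClaimsSetVerifier jwtClaimsSetVerifier() {
            try {
                return new IssuerClaimVerifier(new URL(this.oktaOAuth2Properties.getIssuer()));
            } catch (MalformedURLException e) {
                throw new InvalidPropertyException(JwtClaimsSetVerifier.class, "okta.oauth2.issuer", "Failed to parse issuer URL", e);
            }
        }

        /**
         * JWT converter whose claim mapping uses the configured scope and roles claim names.
         * Replaced by any user-defined {@link AccessTokenConverter} bean.
         */
        @ConditionalOnMissingBean
        @Bean
        public AccessTokenConverter accessTokenConverter() {
            JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
            converter.setAccessTokenConverter(new ConfigurableAccessTokenConverter(
                    this.oktaOAuth2Properties.getScopeClaim(), this.oktaOAuth2Properties.getRolesClaim()));
            return converter;
        }
    }

    /**
     * Remote token validation: tokens are resolved by calling the resource server's user-info URI
     * rather than being verified in-process.
     *
     * <p>Active only when {@code okta.oauth2.localTokenValidation} is explicitly {@code false}.
     */
    @Configuration
    @ConditionalOnProperty(name = {"okta.oauth2.localTokenValidation"}, havingValue = "false")
    public static class RemoteTokenValidationConfig {
        private final OktaOAuth2Properties oktaOAuth2Properties;

        /**
         * @param oktaOAuth2Properties the bound {@code okta.oauth2.*} settings
         */
        public RemoteTokenValidationConfig(OktaOAuth2Properties oktaOAuth2Properties) {
            this.oktaOAuth2Properties = oktaOAuth2Properties;
        }

        /**
         * Maps the configured roles claim to granted authorities.
         * Replaced by any user-defined {@link AuthoritiesExtractor} bean.
         */
        @ConditionalOnMissingBean
        @Bean
        protected AuthoritiesExtractor authoritiesExtractor() {
            return new ClaimsAuthoritiesExtractor(this.oktaOAuth2Properties.getRolesClaim());
        }

        /**
         * Reads the principal from the configured principal claim.
         * Replaced by any user-defined {@link PrincipalExtractor} bean.
         */
        @ConditionalOnMissingBean
        @Bean
        protected PrincipalExtractor principalExtractor() {
            return new ClaimsPrincipalExtractor(this.oktaOAuth2Properties.getPrincipalClaim());
        }

        /**
         * Primary token services that validate tokens against the user-info URI.
         *
         * @param resourceServerProperties supplies the user-info URI, client id and token type
         * @param oAuth2ClientContext the client context handed to the token services
         * @param userInfoRestTemplateFactory produces the REST template used for the user-info call
         * @param authoritiesExtractor the extractor bean (default from {@link #authoritiesExtractor()}
         *     or a user-supplied replacement)
         * @param principalExtractor the extractor bean (default from {@link #principalExtractor()}
         *     or a user-supplied replacement)
         * @return the configured {@link ResourceServerTokenServices}
         */
        @Bean
        @Primary
        protected ResourceServerTokenServices resourceServerTokenServices(
                ResourceServerProperties resourceServerProperties,
                OAuth2ClientContext oAuth2ClientContext,
                UserInfoRestTemplateFactory userInfoRestTemplateFactory,
                AuthoritiesExtractor authoritiesExtractor,
                PrincipalExtractor principalExtractor) {
            OktaUserInfoTokenServices tokenServices = new OktaUserInfoTokenServices(
                    resourceServerProperties.getUserInfoUri(), resourceServerProperties.getClientId(), oAuth2ClientContext);
            tokenServices.setRestTemplate(userInfoRestTemplateFactory.getUserInfoRestTemplate());
            tokenServices.setTokenType(resourceServerProperties.getTokenType());
            // Injected rather than obtained via authoritiesExtractor()/principalExtractor() so a
            // user-defined extractor bean is honoured instead of bypassed.
            tokenServices.setAuthoritiesExtractor(authoritiesExtractor);
            tokenServices.setPrincipalExtractor(principalExtractor);
            return tokenServices;
        }
    }
}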
