package cn.hiboot.mcn.cloud.security.resource;

import cn.hiboot.mcn.autoconfigure.web.exception.HttpStatusCodeResolver;
import cn.hiboot.mcn.autoconfigure.web.exception.handler.ExceptionHandler;
import cn.hiboot.mcn.autoconfigure.web.mvc.ResponseUtils;
import cn.hiboot.mcn.autoconfigure.web.reactor.ServerHttpResponseUtils;
import cn.hiboot.mcn.cloud.security.SessionHolder;
import cn.hiboot.mcn.cloud.security.configurer.AuthenticationReload;
import cn.hiboot.mcn.cloud.security.configurer.ReloadAuthenticationConfigurer;
import cn.hiboot.mcn.core.exception.ServiceException;
import cn.hiboot.mcn.core.model.result.RestResp;
import cn.hiboot.mcn.core.util.McnUtils;
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.beans.factory.ObjectProvider;
import org.springframework.boot.autoconfigure.AutoConfiguration;
import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication;
import org.springframework.boot.autoconfigure.security.ConditionalOnDefaultWebSecurity;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.context.annotation.Bean;
import org.springframework.http.server.reactive.ServerHttpRequest;
import org.springframework.http.server.reactive.ServerHttpResponse;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer;
import org.springframework.security.config.web.server.SecurityWebFiltersOrder;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.ReactiveSecurityContextHolder;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.server.resource.BearerTokenAuthenticationToken;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;
import org.springframework.security.oauth2.server.resource.web.BearerTokenResolver;
import org.springframework.security.oauth2.server.resource.web.DefaultBearerTokenResolver;
import org.springframework.security.oauth2.server.resource.web.server.ServerBearerTokenAuthenticationConverter;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.stereotype.Component;
import org.springframework.web.server.ServerWebExchange;
import org.springframework.web.server.WebFilter;
import org.springframework.web.server.WebFilterChain;
import reactor.core.publisher.Mono;

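/**
 * OAuth2 resource-server auto-configuration for both the servlet and the reactive stack.
 * <p>
 * Activation is gated on {@code spring.security.oauth2.resourceserver.jwt.public-key-location}
 * being exactly {@code classpath:config/public.txt}; any other value (or no value) skips this
 * class entirely, so none of the filter chains below is contributed in that case.
 * <p>
 * Both chains do the same thing: {@link ResourceServerProperties#getAllowedPaths()} are
 * {@code permitAll}, every other request must be authenticated, tokens are validated as JWTs
 * or as opaque tokens depending on {@link ResourceServerProperties#isOpaqueToken()}, and
 * authentication/authorization failures are rendered through the project's
 * {@link ExceptionHandler}. When a single {@link TokenResolver} bean exists, a token may also
 * be supplied through the header/parameter named by {@link TokenResolver#paramName()} and is
 * exchanged for a bearer token via {@link TokenResolver#resolve(String)}; a standard
 * {@code Authorization} header always takes precedence over that fallback.
 */
@EnableConfigurationProperties({ResourceServerProperties.class})
@AutoConfiguration
@ConditionalOnClass({JwtAuthenticationToken.class})
@ConditionalOnProperty(value = {"spring.security.oauth2.resourceserver.jwt.public-key-location"}, havingValue = "classpath:config/public.txt")
public class ResourceServerAutoConfiguration {

    /** Bearer scheme name; RFC 6750 auth-scheme matching is case-insensitive, so compare accordingly. */
    private static final String BEARER_SCHEME = "Bearer";

    /**
     * Extracts the raw token from a {@code LoginRsp#getToken()} value.
     * <p>
     * Strips a leading {@code Bearer} scheme (any case) if present and trims whitespace. A value
     * without a scheme is returned unchanged instead of having its first six characters chopped
     * off, and a null/blank input yields {@code null} (meaning "no credential") rather than an
     * empty string or a {@link StringIndexOutOfBoundsException}.
     *
     * @param tokenValue the token as returned by the token service, possibly scheme-prefixed
     * @return the bare token, or {@code null} when nothing usable is present
     */
    static String extractBearerToken(String tokenValue) {
        if (tokenValue == null) {
            return null;
        }
        String token = tokenValue.trim();
        if (token.regionMatches(true, 0, BEARER_SCHEME, 0, BEARER_SCHEME.length())) {
            token = token.substring(BEARER_SCHEME.length()).trim();
        }
        return token.isEmpty() ? null : token;
    }

    /** Reactive (WebFlux) variant of the resource-server chain. */
    @ConditionalOnWebApplication(type = ConditionalOnWebApplication.Type.REACTIVE)
    static class ReactiveResourceServerConfiguration {
        private final ExceptionHandler exceptionHandler;

        /**
         * Refreshes the authenticated principal's user data through {@link AuthenticationReload}
         * once per request, after bearer-token authentication has populated the security context.
         * <p>
         * A rebuilt {@link Authentication} is published to downstream filters and handlers through
         * the Reactor context ({@link ReactiveSecurityContextHolder#withAuthentication}); the
         * thread-local {@link SecurityContextHolder} is never consulted on the reactive stack, so
         * writing there would silently discard the reload.
         */
        public static class ReloadAuthenticationWebFilter implements WebFilter {
            private final AuthenticationReload authenticationReload;

            public ReloadAuthenticationWebFilter(AuthenticationReload authenticationReload) {
                this.authenticationReload = authenticationReload;
            }

            @Override
            public Mono<Void> filter(ServerWebExchange exchange, WebFilterChain chain) {
                // Exactly one chain.filter(exchange) subscription per request: an Optional carries the
                // "nothing to republish" case so that switchIfEmpty cannot re-run the chain after a Mono<Void>
                // completes empty.
                return ReactiveSecurityContextHolder.getContext()
                        .map(context -> Optional.ofNullable(context.getAuthentication()).map(this::reloadedAuthentication))
                        .defaultIfEmpty(Optional.empty())
                        .flatMap(reloaded -> reloaded
                                .map(authentication -> chain.filter(exchange)
                                        .contextWrite(ReactiveSecurityContextHolder.withAuthentication(authentication)))
                                .orElseGet(() -> chain.filter(exchange)));
            }

            /**
             * Applies the reload to the principal of {@code authentication}.
             * <ul>
             * <li>A {@link Map} principal is updated in place; nothing needs republishing, so {@code null}
             *     is returned.</li>
             * <li>A {@link Jwt} principal on a {@link JwtAuthenticationToken} is immutable: a new token
             *     carrying the merged {@link SessionHolder#USER_NAME} claim is built and returned.</li>
             * <li>Any other authentication/principal (e.g. the opaque-token variant) is left untouched
             *     instead of failing with a {@link ClassCastException}.</li>
             * </ul>
             * NOTE(review): {@link AuthenticationReload#reload} looks like a data lookup; if it blocks it
             * runs on the event loop here — confirm and offload if so.
             *
             * @return the replacement authentication, or {@code null} when there is nothing to replace
             */
            private Authentication reloadedAuthentication(Authentication authentication) {
                Object principal = authentication.getPrincipal();
                if (principal instanceof Map) {
                    @SuppressWarnings("unchecked")
                    Map<String, Object> user = (Map<String, Object>) principal;
                    Map<String, Object> refreshed = this.authenticationReload.reload(user);
                    if (refreshed != null) {
                        user.putAll(refreshed);
                    }
                    return null;
                }
                if (!(authentication instanceof JwtAuthenticationToken) || !(principal instanceof Jwt)) {
                    return null;
                }
                Jwt jwt = (Jwt) principal;
                Map<String, Object> user = jwt.getClaimAsMap(SessionHolder.USER_NAME);
                if (user == null) {
                    // Claim absent: nothing to merge into (putAll below would NPE).
                    return null;
                }
                Map<String, Object> refreshed = this.authenticationReload.reload(user);
                if (refreshed == null) {
                    return null;
                }
                user.putAll(refreshed);
                // Jwt#getClaims() is unmodifiable, hence the copy before replacing the user claim.
                Map<String, Object> claims = new HashMap<>(jwt.getClaims());
                claims.put(SessionHolder.USER_NAME, user);
                JwtAuthenticationToken current = (JwtAuthenticationToken) authentication;
                JwtAuthenticationToken rebuilt = new JwtAuthenticationToken(
                        new Jwt(jwt.getTokenValue(), jwt.getIssuedAt(), jwt.getExpiresAt(), jwt.getHeaders(), claims),
                        current.getAuthorities());
                rebuilt.setDetails(current.getDetails());
                return rebuilt;
            }
        }

        /**
         * Reactive counterpart of {@link ServletResourceServerConfiguration.CustomBearerTokenResolver}:
         * an {@code Authorization} header is handled by the standard converter; otherwise the value of the
         * {@link TokenResolver#paramName()} header (or query parameter) is exchanged for a bearer token.
         */
        private static class CustomBearerTokenConverter extends ServerBearerTokenAuthenticationConverter {
            private final TokenResolver tokenResolver;

            CustomBearerTokenConverter(TokenResolver tokenResolver) {
                this.tokenResolver = tokenResolver;
            }

            @Override
            public Mono<Authentication> convert(ServerWebExchange exchange) {
                ServerHttpRequest request = exchange.getRequest();
                if (McnUtils.isNotNullAndEmpty(request.getHeaders().getFirst("Authorization"))) {
                    return super.convert(exchange);
                }
                String paramName = this.tokenResolver.paramName();
                String supplied = request.getHeaders().getFirst(paramName);
                if (McnUtils.isNullOrEmpty(supplied)) {
                    // Same header-then-parameter fallback as the servlet resolver. NOTE(review): tokens in the
                    // query string end up in access logs and Referer headers (RFC 6750 §2.3 discourages it).
                    supplied = request.getQueryParams().getFirst(paramName);
                }
                if (McnUtils.isNullOrEmpty(supplied)) {
                    // No credential of either kind: leave the exchange unauthenticated instead of raising a
                    // ServiceException out of the converter. permitAll paths stay reachable without a token and
                    // protected ones are rejected by the authorization layer via the entry point.
                    return Mono.empty();
                }
                String credential = supplied;
                // NOTE(review): TokenResolver#resolve looks like a remote lookup; if it blocks, subscribe it on a
                // blocking-friendly scheduler rather than running it on the event loop.
                return Mono.fromCallable(() -> this.tokenResolver.resolve(credential))
                        .flatMap(resolved -> Mono.justOrEmpty(
                                resolved.getData() == null ? null : extractBearerToken(resolved.getData().getToken())))
                        .<Authentication>map(BearerTokenAuthenticationToken::new)
                        // A credential was supplied but could not be exchanged: keep the project's error signalling.
                        .switchIfEmpty(Mono.error(() -> ServiceException.newInstance(paramName + "不正确")));
            }
        }

        ReactiveResourceServerConfiguration(ExceptionHandler exceptionHandler) {
            this.exceptionHandler = exceptionHandler;
        }

        /**
         * Builds the reactive chain; only applies when the application defines no
         * {@link SecurityWebFilterChain} of its own.
         */
        @ConditionalOnMissingBean({SecurityWebFilterChain.class})
        @Bean
        SecurityWebFilterChain resourceServerSecurityFilterChain(ServerHttpSecurity http,
                ResourceServerProperties properties,
                ObjectProvider<AuthenticationReload> authenticationReloadProvider,
                ObjectProvider<TokenResolver> tokenResolverProvider) {
            // Runs after AUTHENTICATION (bearer token) but before ANONYMOUS, so a reload sees the real principal.
            authenticationReloadProvider.ifUnique(reload -> http.addFilterBefore(
                    new ReloadAuthenticationWebFilter(reload), SecurityWebFiltersOrder.ANONYMOUS_AUTHENTICATION));
            return http
                    .authorizeExchange(exchanges -> {
                        if (McnUtils.isNotNullAndEmpty(properties.getAllowedPaths())) {
                            exchanges.pathMatchers((String[]) properties.getAllowedPaths().toArray(new String[0])).permitAll();
                        }
                        exchanges.anyExchange().authenticated();
                    })
                    .oauth2ResourceServer(resourceServer -> {
                        if (properties.isOpaqueToken()) {
                            resourceServer.opaqueToken();
                        } else {
                            resourceServer.jwt();
                        }
                        resourceServer
                                .accessDeniedHandler((exchange, denied) -> handleException(denied, exchange.getResponse()))
                                .authenticationEntryPoint((exchange, failure) -> handleException(failure, exchange.getResponse()));
                        tokenResolverProvider.ifUnique(tokenResolver ->
                                resourceServer.bearerTokenConverter(new CustomBearerTokenConverter(tokenResolver)));
                    })
                    .build();
        }

        /** Renders a 401/403 condition as the project's standard error body. */
        private Mono<Void> handleException(RuntimeException exception, ServerHttpResponse response) {
            return ServerHttpResponseUtils.write(this.exceptionHandler.handleException(exception), response);
        }
    }

    /** Servlet (MVC) variant of the resource-server chain. */
    @ConditionalOnWebApplication(type = ConditionalOnWebApplication.Type.SERVLET)
    static class ServletResourceServerConfiguration {
        private final ExceptionHandler exceptionHandler;

        /**
         * {@link BearerTokenResolver} that prefers a standard {@code Authorization} header and otherwise
         * exchanges the {@link TokenResolver#paramName()} header (or request parameter) for a bearer token.
         * <p>
         * Registered through {@code @Component}, i.e. it is only picked up where this package is
         * component-scanned; Spring Security then uses it as the chain's single {@link BearerTokenResolver}.
         * Without a {@link TokenResolver} bean it behaves like the default resolver.
         */
        @Component
        static class CustomBearerTokenResolver implements BearerTokenResolver {
            private final TokenResolver tokenResolver;
            private final BearerTokenResolver defaultBearerTokenResolver = new DefaultBearerTokenResolver();

            public CustomBearerTokenResolver(ObjectProvider<TokenResolver> objectProvider) {
                this.tokenResolver = objectProvider.getIfUnique();
            }

            /**
             * @return the bare bearer token, or {@code null} when the request carries no usable credential
             *         (the request then proceeds unauthenticated and protected paths fail with 401)
             */
            @Override
            public String resolve(HttpServletRequest request) {
                if (McnUtils.isNotNullAndEmpty(request.getHeader("Authorization"))) {
                    return this.defaultBearerTokenResolver.resolve(request);
                }
                if (this.tokenResolver == null) {
                    return null;
                }
                String paramName = this.tokenResolver.paramName();
                String supplied = request.getHeader(paramName);
                if (McnUtils.isNullOrEmpty(supplied)) {
                    // NOTE(review): accepting the token as a request parameter means it may appear in URLs and
                    // access logs (RFC 6750 §2.3 discourages this); getParameter() also consumes a form body.
                    supplied = request.getParameter(paramName);
                }
                if (!McnUtils.isNotNullAndEmpty(supplied)) {
                    return null;
                }
                RestResp<LoginRsp> resolved = this.tokenResolver.resolve(supplied);
                if (resolved == null || resolved.getData() == null) {
                    return null;
                }
                return extractBearerToken(resolved.getData().getToken());
            }
        }

        ServletResourceServerConfiguration(ExceptionHandler exceptionHandler) {
            this.exceptionHandler = exceptionHandler;
        }

        /**
         * Builds the servlet chain; {@link ConditionalOnDefaultWebSecurity} restricts it to applications
         * that define no security configuration of their own.
         * <p>
         * NOTE(review): no explicit {@code SessionCreationPolicy.STATELESS} is set; a bearer-token API
         * usually wants one so that no HTTP session is created per request — confirm against the
         * project's session handling before changing.
         */
        @ConditionalOnDefaultWebSecurity
        @Bean
        SecurityFilterChain resourceServerSecurityFilterChain(HttpSecurity http, ResourceServerProperties properties) throws Exception {
            return (SecurityFilterChain) http
                    .authorizeRequests(requests -> {
                        if (McnUtils.isNotNullAndEmpty(properties.getAllowedPaths())) {
                            requests.antMatchers((String[]) properties.getAllowedPaths().toArray(new String[0])).permitAll();
                        }
                        requests.anyRequest().authenticated();
                    })
                    .oauth2ResourceServer(resourceServer -> {
                        if (properties.isOpaqueToken()) {
                            resourceServer.opaqueToken();
                        } else {
                            resourceServer.jwt();
                        }
                        resourceServer
                                .accessDeniedHandler((request, response, denied) -> handleException(denied, response))
                                .authenticationEntryPoint((request, response, failure) -> handleException(failure, response));
                    })
                    .apply(new ReloadAuthenticationConfigurer())
                    .and()
                    .build();
        }

        /** Renders a 401/403 condition as the project's standard error body. */
        private void handleException(RuntimeException exception, HttpServletResponse response) {
            ResponseUtils.write(this.exceptionHandler.handleException(exception), response);
        }
    }

    /**
     * Maps security failures to the project's status codes: {@link AuthenticationException} to
     * {@code 800401}, {@link AccessDeniedException} to {@code 800403}; anything else is left to other
     * resolvers ({@code null}).
     */
    @Bean
    HttpStatusCodeResolver resourceServerHttpStatusCodeResolver() {
        return throwable -> {
            if (throwable instanceof AuthenticationException) {
                return 800401;
            }
            return throwable instanceof AccessDeniedException ? 800403 : null;
        };
    }
}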
