package com.azure.spring.cloud.autoconfigure.implementation.aad.configuration;

import com.azure.spring.cloud.autoconfigure.implementation.aad.configuration.conditions.ResourceServerCondition;
import com.azure.spring.cloud.autoconfigure.implementation.aad.configuration.properties.AadAuthenticationProperties;
import com.azure.spring.cloud.autoconfigure.implementation.aad.configuration.properties.AadResourceServerProperties;
import com.azure.spring.cloud.autoconfigure.implementation.aad.security.AadResourceServerHttpSecurityConfigurer;
import com.azure.spring.cloud.autoconfigure.implementation.aad.security.constants.AadJwtClaimNames;
import com.azure.spring.cloud.autoconfigure.implementation.aad.security.jwt.AadJwtIssuerValidator;
import com.azure.spring.cloud.autoconfigure.implementation.aad.security.properties.AadAuthorizationServerEndpoints;
import com.azure.spring.cloud.autoconfigure.implementation.aad.utils.AadRestTemplateCreator;
import java.util.ArrayList;
import java.util.List;
import java.util.Objects;
import org.springframework.boot.autoconfigure.condition.ConditionalOnBean;
import org.springframework.boot.autoconfigure.condition.ConditionalOnExpression;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.boot.autoconfigure.security.ConditionalOnDefaultWebSecurity;
import org.springframework.boot.web.client.RestTemplateBuilder;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Conditional;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtClaimValidator;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtTimestampValidator;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.util.StringUtils;

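/**
 * Auto-configuration for an Azure AD protected resource server.
 *
 * <p>Registers the {@link JwtDecoder} used to verify incoming bearer tokens against the
 * tenant's JWK set, together with the token validation chain built by
 * {@link #createDefaultValidator(AadAuthenticationProperties)}. Unless the application is
 * configured as {@code web_application_and_resource_server}, the nested
 * {@link DefaultAadResourceServerConfiguration} also contributes the default
 * {@link SecurityFilterChain}.
 */
@Configuration(proxyBeanMethods = false)
@Conditional({ResourceServerCondition.class})
class AadResourceServerConfiguration {

    /** Builder for the {@code RestTemplate} that fetches the tenant's JWK set. */
    private final RestTemplateBuilder restTemplateBuilder;

    /**
     * Default security filter chain for the resource-server-only case.
     *
     * <p>Skipped when the application type is {@code web_application_and_resource_server},
     * because that setup provides its own chain elsewhere.
     */
    @EnableWebSecurity
    @EnableMethodSecurity
    @ConditionalOnDefaultWebSecurity
    @ConditionalOnExpression("!'${spring.cloud.azure.active-directory.application-type}'.equalsIgnoreCase('web_application_and_resource_server')")
    static class DefaultAadResourceServerConfiguration {

        DefaultAadResourceServerConfiguration() {
        }

        /**
         * Applies the AAD resource-server configurer and builds the filter chain.
         *
         * @param httpSecurity the HTTP security builder supplied by Spring Security
         * @return the built filter chain
         * @throws Exception if the builder fails
         */
        @ConditionalOnBean({AadResourceServerProperties.class})
        @Bean
        SecurityFilterChain defaultAadResourceServerFilterChain(HttpSecurity httpSecurity) throws Exception {
            httpSecurity.apply(AadResourceServerHttpSecurityConfigurer.aadResourceServer());
            // HttpSecurity.build() already yields a SecurityFilterChain; no cast needed.
            return httpSecurity.build();
        }
    }

    /**
     * @param restTemplateBuilder builder used to create the RestTemplate for JWK retrieval
     */
    AadResourceServerConfiguration(RestTemplateBuilder restTemplateBuilder) {
        this.restTemplateBuilder = restTemplateBuilder;
    }

    /**
     * Creates the {@link JwtDecoder} for the configured tenant.
     *
     * <p>Signing keys are fetched from the JWK set endpoint derived from the profile's
     * Active Directory endpoint and tenant id; decoded tokens are then checked by the
     * validators from {@link #createDefaultValidator(AadAuthenticationProperties)}.
     *
     * @param aadAuthenticationProperties the Azure AD configuration properties
     * @return the decoder, only registered when no other {@link JwtDecoder} bean exists
     */
    @ConditionalOnMissingBean({JwtDecoder.class})
    @Bean
    JwtDecoder jwtDecoder(AadAuthenticationProperties aadAuthenticationProperties) {
        AadAuthorizationServerEndpoints endpoints = new AadAuthorizationServerEndpoints(
            aadAuthenticationProperties.getProfile().getEnvironment().getActiveDirectoryEndpoint(),
            aadAuthenticationProperties.getProfile().getTenantId());
        NimbusJwtDecoder decoder = NimbusJwtDecoder.withJwkSetUri(endpoints.getJwkSetEndpoint())
            .restOperations(AadRestTemplateCreator.createRestTemplate(this.restTemplateBuilder))
            .build();
        // Install the AAD validation chain (audience, issuer, timestamps) on the decoder.
        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(createDefaultValidator(aadAuthenticationProperties)));
        return decoder;
    }

    /**
     * Builds the validators applied to every decoded token, in order: audience (only when an
     * App ID URI or client id is configured), issuer, and timestamps.
     *
     * <p>The audience check accepts a token only if every value in its {@code aud} claim is
     * one of the configured audiences. When neither the App ID URI nor the client id has
     * text, no audience validator is added at all, so one of them should always be set for a
     * resource server.
     *
     * @param aadAuthenticationProperties the Azure AD configuration properties
     * @return the validators, in the order they are applied
     */
    List<OAuth2TokenValidator<Jwt>> createDefaultValidator(AadAuthenticationProperties aadAuthenticationProperties) {
        List<String> validAudiences = new ArrayList<>();
        if (StringUtils.hasText(aadAuthenticationProperties.getAppIdUri())) {
            validAudiences.add(aadAuthenticationProperties.getAppIdUri());
        }
        if (StringUtils.hasText(aadAuthenticationProperties.getCredential().getClientId())) {
            validAudiences.add(aadAuthenticationProperties.getCredential().getClientId());
        }

        List<OAuth2TokenValidator<Jwt>> validators = new ArrayList<>();
        if (!validAudiences.isEmpty()) {
            // Reject tokens minted for a different API: every audience the token names must be ours.
            // NOTE(review): a token with no aud claim hands null to containsAll — confirm how
            // JwtClaimValidator treats an absent claim before relying on that path.
            validators.add(new JwtClaimValidator<List<String>>(AadJwtClaimNames.AUD, validAudiences::containsAll));
        }
        validators.add(new AadJwtIssuerValidator());
        validators.add(new JwtTimestampValidator());
        return validators;
    }
}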
