package com.azure.spring.cloud.autoconfigure.implementation.aad.configuration;

import com.azure.spring.cloud.autoconfigure.implementation.aad.configuration.conditions.ClientCertificatePropertiesCondition;
import com.azure.spring.cloud.autoconfigure.implementation.aad.configuration.conditions.ClientRegistrationCondition;
import com.azure.spring.cloud.autoconfigure.implementation.aad.configuration.properties.AadAuthenticationProperties;
import com.azure.spring.cloud.autoconfigure.implementation.aad.configuration.properties.AadProfileProperties;
import com.azure.spring.cloud.autoconfigure.implementation.aad.security.AadAzureDelegatedOAuth2AuthorizedClientProvider;
import com.azure.spring.cloud.autoconfigure.implementation.aad.security.AadClientRegistrationRepository;
import com.azure.spring.cloud.autoconfigure.implementation.aad.security.AadJwtBearerGrantRequestEntityConverter;
import com.azure.spring.cloud.autoconfigure.implementation.aad.security.AadJwtClientAuthenticationParametersConverter;
import com.azure.spring.cloud.autoconfigure.implementation.aad.security.AadOAuth2ClientAuthenticationJwkResolver;
import com.azure.spring.cloud.autoconfigure.implementation.aad.security.AadOidcIdTokenDecoderFactory;
import com.azure.spring.cloud.autoconfigure.implementation.aad.security.JacksonHttpSessionOAuth2AuthorizedClientRepository;
import com.azure.spring.cloud.autoconfigure.implementation.aad.security.OAuth2ClientAuthenticationJwkResolver;
import com.azure.spring.cloud.autoconfigure.implementation.aad.security.properties.AadAuthorizationServerEndpoints;
import com.azure.spring.cloud.autoconfigure.implementation.aad.utils.AadRestTemplateCreator;
import java.util.Objects;
import org.springframework.beans.factory.ObjectProvider;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.boot.web.client.RestTemplateBuilder;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Conditional;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.client.JwtBearerOAuth2AuthorizedClientProvider;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientProviderBuilder;
import org.springframework.security.oauth2.client.RefreshTokenOAuth2AuthorizedClientProvider;
import org.springframework.security.oauth2.client.endpoint.DefaultClientCredentialsTokenResponseClient;
import org.springframework.security.oauth2.client.endpoint.DefaultJwtBearerTokenResponseClient;
import org.springframework.security.oauth2.client.endpoint.DefaultRefreshTokenTokenResponseClient;
import org.springframework.security.oauth2.client.endpoint.OAuth2ClientCredentialsGrantRequestEntityConverter;
import org.springframework.security.oauth2.client.endpoint.OAuth2RefreshTokenGrantRequestEntityConverter;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.client.web.DefaultOAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.client.web.OAuth2AuthorizedClientRepository;
import org.springframework.security.oauth2.jwt.JwtDecoderFactory;

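/**
 * Registers the Spring Security OAuth2 client beans for Azure AD.
 *
 * <p>Every bean is {@code @ConditionalOnMissingBean}, so an application that defines its own bean of the
 * same type replaces the default wired here. All token-endpoint and JWK-set HTTP traffic is created through
 * {@link AadRestTemplateCreator} from the single injected {@link RestTemplateBuilder}; TLS, proxy or timeout
 * customisation therefore belongs on that builder.
 *
 * <p>When exactly one {@link OAuth2ClientAuthenticationJwkResolver} bean is available (it is only registered
 * when the client-certificate properties are present), the client-credentials, refresh-token and JWT-bearer
 * token requests get an {@link AadJwtClientAuthenticationParametersConverter} backed by the resolved JWK.
 * With no resolver, or more than one, the converters keep their default client authentication.
 */
@Configuration(proxyBeanMethods = false)
@Conditional({ClientRegistrationCondition.class})
class AadOAuth2ClientConfiguration {
    private final RestTemplateBuilder restTemplateBuilder;

    AadOAuth2ClientConfiguration(RestTemplateBuilder restTemplateBuilder) {
        this.restTemplateBuilder = Objects.requireNonNull(restTemplateBuilder, "restTemplateBuilder");
    }

    /** Client registrations derived from the AAD authentication properties. */
    @ConditionalOnMissingBean
    @Bean
    ClientRegistrationRepository clientRegistrationRepository(AadAuthenticationProperties aadAuthenticationProperties) {
        return new AadClientRegistrationRepository(aadAuthenticationProperties);
    }

    /** Authorized-client store; per its implementation name it is HTTP-session backed and Jackson serialised. */
    @ConditionalOnMissingBean
    @Bean
    OAuth2AuthorizedClientRepository oAuth2AuthorizedClientRepository() {
        return new JacksonHttpSessionOAuth2AuthorizedClientRepository();
    }

    /**
     * JWK resolver built from the configured client certificate path and password.
     * Only registered when {@link ClientCertificatePropertiesCondition} matches.
     */
    @ConditionalOnMissingBean
    @Conditional({ClientCertificatePropertiesCondition.class})
    @Bean
    OAuth2ClientAuthenticationJwkResolver oAuth2ClientAuthenticationJwkResolver(AadAuthenticationProperties aadAuthenticationProperties) {
        return new AadOAuth2ClientAuthenticationJwkResolver(
            aadAuthenticationProperties.getCredential().getClientCertificatePath(),
            aadAuthenticationProperties.getCredential().getClientCertificatePassword());
    }

    /**
     * Authorized-client manager supporting authorization-code, client-credentials, refresh-token, JWT-bearer
     * and the Azure delegated flow.
     *
     * @param objectProvider provider of the optional JWK resolver; {@code getIfUnique()} yields {@code null}
     *                       when no resolver bean exists or more than one does
     */
    @ConditionalOnMissingBean
    @Bean
    OAuth2AuthorizedClientManager authorizedClientManager(ClientRegistrationRepository clientRegistrationRepository,
                                                         OAuth2AuthorizedClientRepository oAuth2AuthorizedClientRepository,
                                                         RefreshTokenOAuth2AuthorizedClientProvider refreshTokenOAuth2AuthorizedClientProvider,
                                                         JwtBearerOAuth2AuthorizedClientProvider jwtBearerOAuth2AuthorizedClientProvider,
                                                         ObjectProvider<OAuth2ClientAuthenticationJwkResolver> objectProvider) {
        OAuth2ClientAuthenticationJwkResolver jwkResolver = objectProvider.getIfUnique();
        DefaultOAuth2AuthorizedClientManager manager =
            new DefaultOAuth2AuthorizedClientManager(clientRegistrationRepository, oAuth2AuthorizedClientRepository);
        manager.setAuthorizedClientProvider(OAuth2AuthorizedClientProviderBuilder.builder()
            .authorizationCode()
            // client-credentials is the only grant configured inline; the others are injected as beans below
            .clientCredentials(builder -> clientCredentialsGrantBuilderAccessTokenResponseClientCustomizer(builder, jwkResolver))
            .provider(refreshTokenOAuth2AuthorizedClientProvider)
            .provider(jwtBearerOAuth2AuthorizedClientProvider)
            .provider(azureDelegatedOAuth2AuthorizedClientProvider(refreshTokenOAuth2AuthorizedClientProvider, oAuth2AuthorizedClientRepository))
            .build());
        return manager;
    }

    /**
     * JWT-bearer provider. The AAD request-entity converter is always installed; JWK-backed client
     * authentication is added on top only when a unique resolver bean is present.
     */
    @ConditionalOnMissingBean
    @Bean
    JwtBearerOAuth2AuthorizedClientProvider azureAdJwtBearerProvider(ObjectProvider<OAuth2ClientAuthenticationJwkResolver> objectProvider) {
        AadJwtBearerGrantRequestEntityConverter requestEntityConverter = new AadJwtBearerGrantRequestEntityConverter();
        OAuth2ClientAuthenticationJwkResolver jwkResolver = objectProvider.getIfUnique();
        if (jwkResolver != null) {
            requestEntityConverter.addParametersConverter(jwtClientAuthenticationConverter(jwkResolver));
        }

        DefaultJwtBearerTokenResponseClient responseClient = new DefaultJwtBearerTokenResponseClient();
        responseClient.setRestOperations(AadRestTemplateCreator.createOAuth2AccessTokenResponseClientRestTemplate(this.restTemplateBuilder));
        responseClient.setRequestEntityConverter(requestEntityConverter);

        JwtBearerOAuth2AuthorizedClientProvider provider = new JwtBearerOAuth2AuthorizedClientProvider();
        provider.setAccessTokenResponseClient(responseClient);
        return provider;
    }

    /**
     * Refresh-token provider. The request-entity converter is replaced only when a unique resolver bean is
     * present; otherwise the response client's default converter is left in place.
     */
    @ConditionalOnMissingBean
    @Bean
    RefreshTokenOAuth2AuthorizedClientProvider azureRefreshTokenProvider(ObjectProvider<OAuth2ClientAuthenticationJwkResolver> objectProvider) {
        DefaultRefreshTokenTokenResponseClient responseClient = new DefaultRefreshTokenTokenResponseClient();
        responseClient.setRestOperations(AadRestTemplateCreator.createOAuth2AccessTokenResponseClientRestTemplate(this.restTemplateBuilder));

        OAuth2ClientAuthenticationJwkResolver jwkResolver = objectProvider.getIfUnique();
        if (jwkResolver != null) {
            OAuth2RefreshTokenGrantRequestEntityConverter requestEntityConverter = new OAuth2RefreshTokenGrantRequestEntityConverter();
            requestEntityConverter.addParametersConverter(jwtClientAuthenticationConverter(jwkResolver));
            responseClient.setRequestEntityConverter(requestEntityConverter);
        }

        RefreshTokenOAuth2AuthorizedClientProvider provider = new RefreshTokenOAuth2AuthorizedClientProvider();
        provider.setAccessTokenResponseClient(responseClient);
        return provider;
    }

    /**
     * ID-token decoder factory pointed at the JWK-set endpoint derived from the configured profile
     * (Active Directory endpoint and tenant id).
     */
    @ConditionalOnMissingBean
    @Bean
    JwtDecoderFactory<ClientRegistration> azureAdJwtDecoderFactory(AadAuthenticationProperties aadAuthenticationProperties) {
        AadProfileProperties profile = aadAuthenticationProperties.getProfile();
        AadAuthorizationServerEndpoints endpoints = new AadAuthorizationServerEndpoints(
            profile.getEnvironment().getActiveDirectoryEndpoint(), profile.getTenantId());
        return new AadOidcIdTokenDecoderFactory(endpoints.getJwkSetEndpoint(),
            AadRestTemplateCreator.createRestTemplate(this.restTemplateBuilder));
    }

    /**
     * Installs the client-credentials token response client on the builder, swapping in a JWK-backed
     * request-entity converter only when a resolver is available ({@code null} keeps the default).
     */
    private void clientCredentialsGrantBuilderAccessTokenResponseClientCustomizer(
            OAuth2AuthorizedClientProviderBuilder.ClientCredentialsGrantBuilder clientCredentialsGrantBuilder,
            OAuth2ClientAuthenticationJwkResolver oAuth2ClientAuthenticationJwkResolver) {
        DefaultClientCredentialsTokenResponseClient responseClient = new DefaultClientCredentialsTokenResponseClient();
        responseClient.setRestOperations(AadRestTemplateCreator.createOAuth2AccessTokenResponseClientRestTemplate(this.restTemplateBuilder));

        if (oAuth2ClientAuthenticationJwkResolver != null) {
            OAuth2ClientCredentialsGrantRequestEntityConverter requestEntityConverter = new OAuth2ClientCredentialsGrantRequestEntityConverter();
            requestEntityConverter.addParametersConverter(jwtClientAuthenticationConverter(oAuth2ClientAuthenticationJwkResolver));
            responseClient.setRequestEntityConverter(requestEntityConverter);
        }

        clientCredentialsGrantBuilder.accessTokenResponseClient(responseClient);
    }

    /**
     * Parameters converter that adds JWT client authentication using the JWK produced by {@code jwkResolver}.
     * Returned as a raw type, as in the original wiring, because the grant request type differs per caller
     * (client credentials, refresh token, JWT bearer).
     *
     * @param jwkResolver non-null resolver; callers guard the null case themselves
     */
    private static AadJwtClientAuthenticationParametersConverter jwtClientAuthenticationConverter(
            OAuth2ClientAuthenticationJwkResolver jwkResolver) {
        return new AadJwtClientAuthenticationParametersConverter(jwkResolver::resolve);
    }

    /** Azure delegated provider layered on the refresh-token provider and the authorized-client repository. */
    private AadAzureDelegatedOAuth2AuthorizedClientProvider azureDelegatedOAuth2AuthorizedClientProvider(
            RefreshTokenOAuth2AuthorizedClientProvider refreshTokenOAuth2AuthorizedClientProvider,
            OAuth2AuthorizedClientRepository oAuth2AuthorizedClientRepository) {
        return new AadAzureDelegatedOAuth2AuthorizedClientProvider(refreshTokenOAuth2AuthorizedClientProvider, oAuth2AuthorizedClientRepository);
    }
}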
