package com.azure.spring.aad.webapp;

import com.azure.spring.aad.AADAuthorizationServerEndpoints;
import com.azure.spring.aad.AADClientRegistrationRepository;
import com.azure.spring.autoconfigure.aad.AADAuthenticationProperties;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Optional;
import java.util.Set;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.autoconfigure.condition.ConditionalOnBean;
import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingClass;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.ObjectPostProcessor;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer;
import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserRequest;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.client.userinfo.OAuth2UserService;
import org.springframework.security.oauth2.client.web.OAuth2AuthorizedClientRepository;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.oidc.user.OidcUser;

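/**
 * Auto-configuration for the Azure AD web-application (OpenID Connect authorization-code) login flow.
 *
 * <p>It registers the {@link AADWebAppClientRegistrationRepository} (one "azure" login client plus one
 * registration per additional authorization client configured under {@code azure.activedirectory}),
 * the authorized-client repository, the OIDC user service, and a default security configurer that
 * permits {@code /login} and requires authentication for everything else.
 *
 * <p>The configuration is only active when a client id is configured, when Spring Security's OAuth2
 * client support is on the classpath, and when the resource-server class
 * {@code BearerTokenAuthenticationToken} is <em>not</em> on the classpath.
 *
 * <p>The client secret read from {@link AADAuthenticationProperties} is copied into every
 * {@link ClientRegistration}; registrations therefore must not be logged or exposed verbatim.
 */
@ConditionalOnMissingClass({"org.springframework.security.oauth2.server.resource.BearerTokenAuthenticationToken"})
@EnableConfigurationProperties({AADAuthenticationProperties.class})
@Configuration
@ConditionalOnClass({ClientRegistrationRepository.class})
@ConditionalOnProperty({"azure.activedirectory.client-id"})
public class AADWebAppConfiguration {

    @Autowired
    private AADAuthenticationProperties properties;

    /**
     * Default web security configuration, used only when the application does not define its own
     * {@link WebSecurityConfigurerAdapter}.
     *
     * <p>The base configuration from {@link AADWebSecurityConfigurerAdapter} is applied first; on top
     * of it {@code /login} is reachable anonymously and every other request requires an
     * authenticated user.
     */
    @ConditionalOnMissingBean({WebSecurityConfigurerAdapter.class})
    @Configuration
    @ConditionalOnBean({ObjectPostProcessor.class})
    public static class DefaultAADWebSecurityConfigurerAdapter extends AADWebSecurityConfigurerAdapter {

        /**
         * Applies the base AAD configuration, then the URL authorization rules.
         *
         * @param httpSecurity the {@link HttpSecurity} being configured
         * @throws Exception propagated from the base configuration or the authorization DSL
         */
        @Override
        public void configure(HttpSecurity httpSecurity) throws Exception {
            super.configure(httpSecurity);
            // The decompiled original carried redundant AuthorizedUrl casts; the DSL is fully typed.
            httpSecurity.authorizeRequests()
                .antMatchers("/login").permitAll()
                .anyRequest().authenticated();
        }
    }

    /**
     * Builds the client registration repository from the default "azure" login client and the
     * additional authorization clients.
     *
     * @return the repository holding all Azure AD client registrations
     */
    @ConditionalOnMissingBean({ClientRegistrationRepository.class, AADWebAppClientRegistrationRepository.class})
    @Bean
    public AADWebAppClientRegistrationRepository clientRegistrationRepository() {
        return new AADWebAppClientRegistrationRepository(createDefaultClient(), createAuthzClients(), this.properties);
    }

    /**
     * Creates the repository that stores authorized clients (tokens) per user session.
     *
     * @param aADWebAppClientRegistrationRepository the registration repository created above
     * @return the AAD-aware authorized-client repository
     */
    @ConditionalOnMissingBean
    @Bean
    public OAuth2AuthorizedClientRepository authorizedClientRepository(AADWebAppClientRegistrationRepository aADWebAppClientRegistrationRepository) {
        return new AADOAuth2AuthorizedClientRepository(aADWebAppClientRegistrationRepository);
    }

    /**
     * Creates the OIDC user service that maps the ID token / user info into an {@link OidcUser}.
     *
     * @param aADAuthenticationProperties the AAD properties the user service reads
     * @return the AAD OIDC user service
     */
    @Bean
    public OAuth2UserService<OidcUserRequest, OidcUser> oidcUserService(AADAuthenticationProperties aADAuthenticationProperties) {
        return new AADOAuth2UserService(aADAuthenticationProperties);
    }

    /**
     * Builds the default "azure" login client.
     *
     * <p>The registration itself requests the full authorization-code scope set (see
     * {@link #authorizationCodeScopes()}); the access-token scope set (see
     * {@link #accessTokenScopes()}) is what the repository later uses when it requests a token.
     *
     * @return the default client together with its access-token scopes
     */
    private AzureClientRegistration createDefaultClient() {
        Set<String> authorizationCodeScopes = authorizationCodeScopes();
        ClientRegistration client = createClientBuilder(AADClientRegistrationRepository.AZURE_CLIENT_REGISTRATION_ID)
            .scope(authorizationCodeScopes)
            .build();

        Set<String> accessTokenScopes = accessTokenScopes();
        // When the authorization-code request spans more than one resource server but the
        // access-token request names none, pin the access-token request to Microsoft Graph.
        // NOTE(review): presumably required because the authorization server rejects the
        // ambiguous combination — confirm against AAD documentation.
        if (resourceServerCount(accessTokenScopes) == 0 && resourceServerCount(authorizationCodeScopes) > 1) {
            accessTokenScopes.add(this.properties.getGraphBaseUri() + "User.Read");
        }
        return new AzureClientRegistration(client, accessTokenScopes);
    }

    /**
     * Counts the distinct resource servers addressed by a scope set.
     *
     * <p>A scope "belongs" to a resource server when it contains a {@code /}; the resource-server
     * key is everything before the last {@code /}. Scopes without a slash (e.g. {@code openid})
     * are ignored.
     *
     * @param scopes the scopes to inspect; {@code null} is treated as empty
     * @return the number of distinct resource-server prefixes
     */
    public static int resourceServerCount(Set<String> scopes) {
        if (scopes == null) {
            return 0;
        }
        return (int) scopes.stream()
            .filter(scope -> scope.contains("/"))
            .map(scope -> scope.substring(0, scope.lastIndexOf('/')))
            .distinct()
            .count();
    }

    /**
     * Scopes requested during the authorization-code (login) step: the access-token scopes plus
     * the scopes of every authorization client that is not marked on-demand.
     *
     * @return a new, mutable scope set
     */
    private Set<String> authorizationCodeScopes() {
        Set<String> scopes = accessTokenScopes();
        for (AuthorizationClientProperties client : this.properties.getAuthorizationClients().values()) {
            if (!client.isOnDemand()) {
                scopes.addAll(client.getScopes());
            }
        }
        return scopes;
    }

    /**
     * Scopes used when the default client requests an access token: the scopes configured for the
     * "azure" authorization client (if any), the OpenID scopes, and — when allowed groups are
     * configured — the Microsoft Graph scopes needed to read group membership.
     *
     * @return a new, mutable scope set
     */
    private Set<String> accessTokenScopes() {
        Set<String> scopes = new HashSet<>();
        Optional.ofNullable(this.properties.getAuthorizationClients())
            .map(clients -> clients.get(AADClientRegistrationRepository.AZURE_CLIENT_REGISTRATION_ID))
            .map(AuthorizationClientProperties::getScopes)
            .ifPresent(scopes::addAll);
        scopes.addAll(openidScopes());
        if (this.properties.allowedGroupsConfigured()) {
            // Group-based authorization requires reading the user's directory memberships.
            scopes.add(this.properties.getGraphBaseUri() + "User.Read");
            scopes.add(this.properties.getGraphBaseUri() + "Directory.Read.All");
        }
        return scopes;
    }

    /**
     * Baseline OpenID Connect scopes; {@code offline_access} (refresh tokens) is added only when
     * additional authorization clients are configured.
     *
     * @return a new, mutable scope set
     */
    private Set<String> openidScopes() {
        Set<String> scopes = new HashSet<>();
        scopes.add("openid");
        scopes.add("profile");
        if (!this.properties.getAuthorizationClients().isEmpty()) {
            scopes.add("offline_access");
        }
        return scopes;
    }

    /**
     * Builds one {@link ClientRegistration} per configured authorization client, skipping the
     * "azure" id, which is handled by {@link #createDefaultClient()}.
     *
     * @return the additional client registrations
     */
    private List<ClientRegistration> createAuthzClients() {
        List<ClientRegistration> registrations = new ArrayList<>();
        this.properties.getAuthorizationClients().forEach((id, client) -> {
            if (!AADClientRegistrationRepository.AZURE_CLIENT_REGISTRATION_ID.equals(id)) {
                registrations.add(createClientRegistration(id, client));
            }
        });
        return registrations;
    }

    /**
     * Builds the registration for one additional authorization client.
     *
     * <p>On-demand clients get {@code openid} and {@code profile} added so the incremental consent
     * request still yields an ID token. The configured scope list is copied first; the original
     * code mutated the list held by {@link AuthorizationClientProperties}, which leaked the added
     * scopes back into the configuration object.
     *
     * @param id the registration id
     * @param client the client's configured properties
     * @return the built registration
     */
    private ClientRegistration createClientRegistration(String id, AuthorizationClientProperties client) {
        List<String> configured = client.getScopes();
        List<String> scopes = configured == null ? new ArrayList<>() : new ArrayList<>(configured);
        if (client.isOnDemand()) {
            if (!scopes.contains("openid")) {
                scopes.add("openid");
            }
            if (!scopes.contains("profile")) {
                scopes.add("profile");
            }
        }
        return createClientBuilder(id)
            .scope(scopes)
            .build();
    }

    /**
     * Creates a builder pre-populated with everything common to all Azure AD registrations:
     * authorization-code grant, the redirect template, client id/secret, and the tenant's
     * authorization, token, JWK-set and end-session endpoints.
     *
     * @param id the registration id
     * @return a builder still lacking scopes
     */
    private ClientRegistration.Builder createClientBuilder(String id) {
        AADAuthorizationServerEndpoints endpoints =
            new AADAuthorizationServerEndpoints(this.properties.getBaseUri(), this.properties.getTenantId());

        // The end-session endpoint is exposed as provider metadata so the OIDC logout handler can
        // find it; Spring Security has no dedicated builder method for it.
        LinkedHashMap<String, Object> metadata = new LinkedHashMap<>();
        metadata.put("end_session_endpoint", endpoints.endSessionEndpoint());

        return ClientRegistration.withRegistrationId(id)
            .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
            .redirectUriTemplate("{baseUrl}/login/oauth2/code/")
            .clientId(this.properties.getClientId())
            .clientSecret(this.properties.getClientSecret())
            .authorizationUri(endpoints.authorizationEndpoint())
            .tokenUri(endpoints.tokenEndpoint())
            .jwkSetUri(endpoints.jwkSetEndpoint())
            .providerConfigurationMetadata(metadata);
    }
}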
