package com.azure.spring.aad.webapi;

import com.azure.spring.aad.AADAuthorizationGrantType;
import com.azure.spring.aad.AADAuthorizationServerEndpoints;
import com.azure.spring.aad.webapp.AuthorizationClientProperties;
import com.azure.spring.autoconfigure.aad.AADAuthenticationFilterAutoConfiguration;
import com.azure.spring.autoconfigure.aad.AADAuthenticationProperties;
import com.azure.spring.keyvault.KeyVaultProperties;
import java.util.ArrayList;
import java.util.List;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.boot.autoconfigure.condition.ConditionalOnResource;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.client.InMemoryOAuth2AuthorizedClientService;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientProviderBuilder;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientService;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.client.registration.InMemoryClientRegistrationRepository;
import org.springframework.security.oauth2.client.web.AuthenticatedPrincipalOAuth2AuthorizedClientRepository;
import org.springframework.security.oauth2.client.web.DefaultOAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.client.web.OAuth2AuthorizedClientRepository;
import org.springframework.security.oauth2.client.web.OAuth2LoginAuthenticationFilter;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.server.resource.BearerTokenAuthenticationToken;

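@EnableConfigurationProperties({AADAuthenticationProperties.class})
@Configuration(proxyBeanMethods = false)
@ConditionalOnClass({BearerTokenAuthenticationToken.class, OAuth2LoginAuthenticationFilter.class})
@ConditionalOnResource(resources = {"classpath:aad.enable.config"})
@ConditionalOnProperty(prefix = AADAuthenticationFilterAutoConfiguration.PROPERTY_PREFIX, value = {"client-id"})
/**
 * Auto-configuration of the OAuth2 client side of an AAD-protected web API
 * (resource server): the {@link ClientRegistration}s this API uses to call
 * downstream APIs, and the manager/repository/service beans that obtain and
 * cache the resulting tokens.
 *
 * <p>Only the {@code on_behalf_of} (default) and {@code client_credentials}
 * grants are materialised into registrations; {@code authorization_code} is
 * rejected at startup and any other grant type is skipped with a warning.
 *
 * <p>Security notes for deployers:
 * <ul>
 *   <li>The default {@link OAuth2AuthorizedClientService} is in-memory, so
 *       downstream access tokens (and any refresh tokens) are held in the JVM
 *       heap of each node and are not shared or persisted.</li>
 *   <li>The default {@link OAuth2AuthorizedClientRepository} keys cached
 *       clients by the authenticated principal's name; a cached downstream
 *       token is therefore reused for every inbound request that resolves to
 *       the same principal name.</li>
 *   <li>The client secret is copied verbatim into every registration; it is
 *       never logged by this class.</li>
 * </ul>
 */
public class AADResourceServerClientConfiguration {
    private static final Logger LOGGER = LoggerFactory.getLogger(AADResourceServerClientConfiguration.class);

    @Autowired
    private AADAuthenticationProperties properties;

    /**
     * Builds the {@link OAuth2AuthorizedClientManager} used to acquire
     * downstream tokens.
     *
     * @param clientRegistrationRepository registrations to resolve by id
     * @param oAuth2AuthorizedClientRepository where acquired clients are stored
     * @return a {@link DefaultOAuth2AuthorizedClientManager} with the standard
     *         providers plus the AAD on-behalf-of provider
     */
    @Bean
    OAuth2AuthorizedClientManager authorizedClientManager(ClientRegistrationRepository clientRegistrationRepository, OAuth2AuthorizedClientRepository oAuth2AuthorizedClientRepository) {
        DefaultOAuth2AuthorizedClientManager manager = new DefaultOAuth2AuthorizedClientManager(clientRegistrationRepository, oAuth2AuthorizedClientRepository);
        // NOTE(review): the authorization-code and password (ROPC) providers are
        // registered here unconditionally. With the default repository built by
        // createClients() neither can ever be selected (authorization_code is
        // rejected and password is never emitted), but a user-supplied
        // ClientRegistrationRepository could contain such registrations. ROPC in
        // particular is discouraged by current OAuth guidance; if a custom
        // repository is used, confirm it does not rely on it.
        manager.setAuthorizedClientProvider(OAuth2AuthorizedClientProviderBuilder.builder()
            .authorizationCode()
            .refreshToken()
            .clientCredentials()
            .password()
            .provider(new AADOBOOAuth2AuthorizedClientProvider())
            .build());
        return manager;
    }

    /**
     * Default {@link ClientRegistrationRepository}, built from the configured
     * authorization clients. Only created when no other repository bean exists.
     *
     * @return an in-memory repository, or — when no clients are configured — a
     *         repository that resolves every id to {@code null} (callers of the
     *         manager will then fail on the missing registration)
     */
    @ConditionalOnMissingBean({ClientRegistrationRepository.class})
    @Bean
    public ClientRegistrationRepository clientRegistrationRepository() {
        List<ClientRegistration> registrations = createClients();
        if (registrations.isEmpty()) {
            LOGGER.warn("No client registrations are found for AAD Client.");
            return registrationId -> null;
        }
        return new InMemoryClientRegistrationRepository(registrations);
    }

    /**
     * Default token store: in-memory, per JVM. Tokens are lost on restart and
     * are not shared between instances.
     *
     * @param clientRegistrationRepository registrations the service validates against
     * @return an {@link InMemoryOAuth2AuthorizedClientService}
     */
    @ConditionalOnMissingBean
    @Bean
    OAuth2AuthorizedClientService authorizedClientService(ClientRegistrationRepository clientRegistrationRepository) {
        return new InMemoryOAuth2AuthorizedClientService(clientRegistrationRepository);
    }

    /**
     * Default request-scoped lookup of authorized clients, keyed by the
     * authenticated principal's name.
     *
     * @param oAuth2AuthorizedClientService backing store
     * @return an {@link AuthenticatedPrincipalOAuth2AuthorizedClientRepository}
     */
    @ConditionalOnMissingBean
    @Bean
    public OAuth2AuthorizedClientRepository oAuth2AuthorizedClientRepository(OAuth2AuthorizedClientService oAuth2AuthorizedClientService) {
        return new AuthenticatedPrincipalOAuth2AuthorizedClientRepository(oAuth2AuthorizedClientService);
    }

    /**
     * Translates the configured authorization clients into
     * {@link ClientRegistration}s.
     *
     * <p>A {@code null} grant type is treated as {@code on_behalf_of}.
     * Registrations with any grant type other than {@code on_behalf_of} or
     * {@code client_credentials} are not silently dropped: they are logged at
     * WARN and skipped so that a misconfiguration is visible at startup rather
     * than only when a downstream call fails with an unknown registration id.
     *
     * @return the registrations to expose, possibly empty
     * @throws IllegalStateException if a client is configured with the
     *         {@code authorization_code} grant, which a web API cannot drive
     */
    public List<ClientRegistration> createClients() {
        List<ClientRegistration> registrations = new ArrayList<>();
        for (String registrationId : this.properties.getAuthorizationClients().keySet()) {
            AuthorizationClientProperties clientProperties = this.properties.getAuthorizationClients().get(registrationId);
            AADAuthorizationGrantType grantType = clientProperties.getAuthorizationGrantType();
            if (AADAuthorizationGrantType.AUTHORIZATION_CODE.equals(grantType)) {
                throw new IllegalStateException("Web Api do not support authorization_code grant type. id = " + registrationId + KeyVaultProperties.DELIMITER);
            }
            if (grantType == null || AADAuthorizationGrantType.ON_BEHALF_OF.equals(grantType)) {
                registrations.add(createOboClientBuilder(registrationId, clientProperties));
            } else if (AADAuthorizationGrantType.CLIENT_CREDENTIALS.equals(grantType)) {
                registrations.add(createWebClientBuilder(registrationId, clientProperties));
            } else {
                // Previously this branch fell through without any trace.
                LOGGER.warn("Ignoring authorization client '{}': grant type {} is not supported for a web API (only on_behalf_of and client_credentials are).", registrationId, grantType);
            }
        }
        return registrations;
    }

    /**
     * Registration for the on-behalf-of flow: the inbound bearer token is
     * exchanged for a downstream token by {@link AADOBOOAuth2AuthorizedClientProvider}.
     *
     * @param registrationId id the registration is looked up by
     * @param clientProperties scopes for the downstream API
     * @return the built registration
     */
    private ClientRegistration createOboClientBuilder(String registrationId, AuthorizationClientProperties clientProperties) {
        ClientRegistration.Builder builder = ClientRegistration.withRegistrationId(registrationId);
        builder.authorizationGrantType(new AuthorizationGrantType(AADAuthorizationGrantType.ON_BEHALF_OF.getValue()));
        // Spring's builder requires a redirect URI for non-client-credentials
        // grants; the OBO exchange itself never redirects.
        builder.redirectUri("{baseUrl}/login/oauth2/code/");
        builder.clientId(this.properties.getClientId());
        builder.clientSecret(this.properties.getClientSecret());
        builder.userNameAttributeName(this.properties.getUserNameAttribute());
        builder.authorizationUri(endpoints().authorizationEndpoint());
        // NOTE(review): no tokenUri is set here, unlike the client-credentials
        // registration; presumably the OBO provider derives the token endpoint
        // itself — verify against AADOBOOAuth2AuthorizedClientProvider.
        builder.scope(clientProperties.getScopes());
        return builder.build();
    }

    /**
     * Registration for the client-credentials flow (application identity, no
     * user context).
     *
     * @param registrationId id the registration is looked up by
     * @param clientProperties scopes for the downstream API
     * @return the built registration
     */
    private ClientRegistration createWebClientBuilder(String registrationId, AuthorizationClientProperties clientProperties) {
        ClientRegistration.Builder builder = ClientRegistration.withRegistrationId(registrationId);
        builder.authorizationGrantType(AuthorizationGrantType.CLIENT_CREDENTIALS);
        builder.clientId(this.properties.getClientId());
        builder.clientSecret(this.properties.getClientSecret());
        builder.tokenUri(endpoints().tokenEndpoint());
        builder.scope(clientProperties.getScopes());
        return builder.build();
    }

    /** AAD endpoints for the configured authority base URI and tenant. */
    private AADAuthorizationServerEndpoints endpoints() {
        return new AADAuthorizationServerEndpoints(this.properties.getBaseUri(), this.properties.getTenantId());
    }
}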
