package uk.co.gresearch.siembol.common.authorisation;

import com.nimbusds.jose.JOSEObjectType;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.jwk.source.RemoteJWKSet;
import com.nimbusds.jose.proc.DefaultJOSEObjectTypeVerifier;
import com.nimbusds.jose.proc.JWSVerificationKeySelector;
import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jose.util.DefaultResourceRetriever;
import com.nimbusds.jwt.proc.DefaultJWTProcessor;
import io.swagger.v3.oas.models.Components;
import io.swagger.v3.oas.models.OpenAPI;
import io.swagger.v3.oas.models.security.OAuthFlow;
import io.swagger.v3.oas.models.security.OAuthFlows;
import io.swagger.v3.oas.models.security.Scopes;
import io.swagger.v3.oas.models.security.SecurityScheme;
import java.net.MalformedURLException;
import java.net.URL;
import java.time.Duration;
import java.util.ArrayList;
import java.util.List;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtIssuerValidator;
import org.springframework.security.oauth2.jwt.JwtTimestampValidator;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;

/* loaded from: input_file:BOOT-INF/lib/siembol-common-2.3.0.jar:uk/co/gresearch/siembol/common/authorisation/Oauth2Helper.class */
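/**
 * Static factories for the OAuth2 resource-server configuration: a {@link JwtDecoder} that
 * verifies bearer tokens against a remote JWK set, and an {@link OpenAPI} description that
 * advertises the authorization-code flow.
 */
public class Oauth2Helper {
    private static final String MISSING_REQUIRED_AUDIENCE = "missing required audience";
    private static final int JWT_CLOCK_SKEW_IN_SECONDS = 30;
    private static final int JWKSET_TIMEOUT_IN_MILLI_SECONDS = 10000;

    /**
     * Builds a JWT decoder from the resource-server properties.
     *
     * <p>A token is accepted only when all of the following hold:
     * <ul>
     *   <li>its JOSE {@code typ} header equals the configured JWT type;</li>
     *   <li>it is signed with the single configured JWS algorithm, using a key from the
     *       configured JWK set URL;</li>
     *   <li>its timestamps are valid within {@link #JWT_CLOCK_SKEW_IN_SECONDS} of clock skew;</li>
     *   <li>its issuer equals the configured issuer URL;</li>
     *   <li>its audience list contains the configured audience.</li>
     * </ul>
     *
     * @param resourceServerOauth2Properties issuer, audience, JWK set URL, JWT type and JWS
     *     algorithm to enforce
     * @return a decoder that verifies the signature and then applies the claim validators
     * @throws MalformedURLException if the configured JWK set URL cannot be parsed
     */
    public static JwtDecoder createJwtDecoder(ResourceServerOauth2Properties resourceServerOauth2Properties) throws MalformedURLException {
        List<OAuth2TokenValidator<Jwt>> validators = new ArrayList<>();
        validators.add(new JwtTimestampValidator(Duration.ofSeconds(JWT_CLOCK_SKEW_IN_SECONDS)));
        validators.add(new JwtIssuerValidator(resourceServerOauth2Properties.getIssuerUrl()));
        validators.add(jwt -> {
            // getAudience() may be null when the token carries no "aud" claim; treat that (and a
            // missing configured audience) as a validation failure instead of letting a
            // NullPointerException escape from the validator chain.
            List<String> tokenAudiences = jwt.getAudience();
            String requiredAudience = resourceServerOauth2Properties.getAudience();
            boolean audienceMatches = requiredAudience != null
                    && tokenAudiences != null
                    && tokenAudiences.contains(requiredAudience);
            return audienceMatches
                    ? OAuth2TokenValidatorResult.success()
                    : OAuth2TokenValidatorResult.failure(new OAuth2Error(MISSING_REQUIRED_AUDIENCE));
        });
        OAuth2TokenValidator<Jwt> claimValidator = new DelegatingOAuth2TokenValidator<>(validators);

        // The same timeout is used for connecting to and reading from the JWK set endpoint.
        RemoteJWKSet<SecurityContext> jwkSource = new RemoteJWKSet<>(
                new URL(resourceServerOauth2Properties.getJwkSetUrl()),
                new DefaultResourceRetriever(JWKSET_TIMEOUT_IN_MILLI_SECONDS, JWKSET_TIMEOUT_IN_MILLI_SECONDS));

        DefaultJWTProcessor<SecurityContext> jwtProcessor = new DefaultJWTProcessor<>();
        jwtProcessor.setJWSTypeVerifier(new DefaultJOSEObjectTypeVerifier<>(
                new JOSEObjectType(resourceServerOauth2Properties.getJwtType())));
        // The key selector is pinned to the one configured algorithm; the "alg" header of an
        // incoming token cannot widen the set of acceptable algorithms.
        jwtProcessor.setJWSKeySelector(new JWSVerificationKeySelector<>(
                new JWSAlgorithm(resourceServerOauth2Properties.getJwsAlgorithm()), jwkSource));
        // Intentionally a no-op: claim checks are not done by the Nimbus processor. Timestamp,
        // issuer and audience are enforced by the validator chain installed on the decoder
        // below, so that chain must stay in place.
        jwtProcessor.setJWTClaimsSetVerifier((claims, context) -> {
        });

        NimbusJwtDecoder decoder = new NimbusJwtDecoder(jwtProcessor);
        decoder.setJwtValidator(claimValidator);
        return decoder;
    }

    /**
     * Builds an OpenAPI definition with one OAuth2 security scheme that uses the
     * authorization-code flow.
     *
     * @param resourceServerOauth2Properties supplies the authorization URL, the token URL and
     *     the scope names; each scope is registered with an empty description
     * @param str name under which the security scheme is registered in the components
     * @return the OpenAPI definition carrying the security scheme
     */
    public static OpenAPI createSwaggerOpenAPI(ResourceServerOauth2Properties resourceServerOauth2Properties, String str) {
        Scopes scopes = new Scopes();
        resourceServerOauth2Properties.getScopes().forEach(scopeName -> scopes.addString(scopeName, ""));

        OAuthFlow authorizationCodeFlow = new OAuthFlow()
                .authorizationUrl(resourceServerOauth2Properties.getAuthorizationUrl())
                .tokenUrl(resourceServerOauth2Properties.getTokenUrl())
                .scopes(scopes);
        OAuthFlows flows = new OAuthFlows();
        flows.setAuthorizationCode(authorizationCodeFlow);

        SecurityScheme oauth2Scheme = new SecurityScheme()
                .type(SecurityScheme.Type.OAUTH2)
                .flows(flows);
        return new OpenAPI().components(new Components().addSecuritySchemes(str, oauth2Scheme));
    }
}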
