package com.okta.spring.boot.oauth;

import com.okta.commons.lang.Strings;
import com.okta.spring.boot.oauth.config.OktaOAuth2Properties;
import java.lang.reflect.Field;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.util.Optional;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.boot.autoconfigure.security.oauth2.client.OAuth2ClientProperties;
import org.springframework.context.ApplicationContext;
import org.springframework.core.env.Environment;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.config.annotation.web.configurers.oauth2.server.resource.OAuth2ResourceServerConfigurer;
import org.springframework.security.oauth2.client.endpoint.DefaultAuthorizationCodeTokenResponseClient;
import org.springframework.security.oauth2.client.endpoint.OAuth2AccessTokenResponseClient;
import org.springframework.security.oauth2.client.endpoint.OAuth2AuthorizationCodeGrantRequest;
import org.springframework.security.oauth2.client.oidc.web.logout.OidcClientInitiatedLogoutSuccessHandler;
import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;
import org.springframework.web.client.RestTemplate;

/* loaded from: input_file:com/okta/spring/boot/oauth/OktaOAuth2Configurer.class */
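/**
 * Wires Okta's OAuth 2.0 / OIDC login and resource-server settings into an {@link HttpSecurity}.
 *
 * <p>{@link #init(HttpSecurity)} is a no-op unless an {@code OktaOAuth2Properties} bean exists and the
 * Spring {@code spring.security.oauth2.client.*} maps contain an {@code okta} provider and registration
 * with a non-empty issuer-uri and client-id. Which resource-server mode gets configured (JWT vs. opaque
 * token introspection) is decided by the issuer type and by what the application itself enabled on the
 * {@link OAuth2ResourceServerConfigurer}; the latter is discovered by reflection on Spring Security's
 * private fields and is therefore coupled to the Spring Security version (see {@link #getFieldValue}).
 */
final class OktaOAuth2Configurer extends AbstractHttpConfigurer<OktaOAuth2Configurer, HttpSecurity> {
    private static final Logger log = LoggerFactory.getLogger(OktaOAuth2Configurer.class);

    /** Key of Okta's entries in the Spring OAuth2 client provider/registration maps. */
    private static final String OKTA_KEY = "okta";
    /** Property consulted for the authorization-code redirection endpoint. */
    private static final String REDIRECT_URI_PROPERTY = "spring.security.oauth2.client.registration.okta.redirect-uri";
    /** Spring's base-URL placeholder, stripped before the value is registered as a relative base URI. */
    private static final String BASE_URL_PLACEHOLDER = "{baseUrl}";

    OktaOAuth2Configurer() {
    }

    /**
     * Configures login, logout and (where applicable) resource-server token validation.
     *
     * @param httpSecurity the builder being configured; its shared {@link ApplicationContext} is used to
     *                     look up the Okta and Spring OAuth2 client properties
     * @throws Exception propagated from the {@link HttpSecurity} configurer DSL
     */
    @Override
    public void init(HttpSecurity httpSecurity) throws Exception {
        ApplicationContext context = httpSecurity.getSharedObject(ApplicationContext.class);
        if (context.getBeansOfType(OktaOAuth2Properties.class).isEmpty()) {
            return;
        }
        OktaOAuth2Properties oktaProperties = context.getBean(OktaOAuth2Properties.class);

        // Login is gated on issuer-uri and client-id only. The client secret is NOT checked here;
        // it is only required later for opaque-token introspection.
        OAuth2ClientProperties clientProperties = context.getBeansOfType(OAuth2ClientProperties.class).isEmpty()
                ? null
                : context.getBean(OAuth2ClientProperties.class);
        OAuth2ClientProperties.Provider provider =
                clientProperties == null ? null : clientProperties.getProvider().get(OKTA_KEY);
        OAuth2ClientProperties.Registration registration =
                clientProperties == null ? null : clientProperties.getRegistration().get(OKTA_KEY);
        if (provider == null
                || registration == null
                || Strings.isEmpty(provider.getIssuerUri())
                || Strings.isEmpty(registration.getClientId())) {
            log.debug("OAuth/OIDC Login not configured due to missing issuer or client-id property");
            return;
        }

        configureLogin(httpSecurity, oktaProperties, context.getBean(Environment.class));

        // RP-initiated logout: only when the application (or auto-config) provided the handler bean.
        if (!context.getBeansOfType(OidcClientInitiatedLogoutSuccessHandler.class).isEmpty()) {
            httpSecurity.logout()
                    .logoutSuccessHandler(context.getBean(OidcClientInitiatedLogoutSuccessHandler.class));
        }

        // A root-org issuer is always handled via opaque-token introspection, regardless of what the
        // application enabled on its resource-server configurer. (Presumably because those tokens are
        // not locally verifiable JWTs — TokenUtil is not visible here; confirm.)
        if (TokenUtil.isRootOrgIssuer(provider.getIssuerUri())) {
            log.debug("Opaque Token validation/introspection will be configured.");
            configureResourceServerForOpaqueTokenValidation(httpSecurity, oktaProperties);
            return;
        }

        // Otherwise follow whatever the application enabled: jwt() wins over opaqueToken(); if neither
        // was enabled, no resource-server support is added and bearer tokens are left unvalidated here.
        OAuth2ResourceServerConfigurer<?> resourceServer =
                (OAuth2ResourceServerConfigurer<?>) httpSecurity.getConfigurer(OAuth2ResourceServerConfigurer.class);
        if (getJwtConfigurer(resourceServer).isPresent()) {
            log.debug("JWT configurer is set in OAuth resource server configuration. JWT validation will be configured.");
            configureResourceServerForJwtValidation(httpSecurity, oktaProperties);
        } else if (getOpaqueTokenConfigurer(resourceServer).isPresent()) {
            log.debug("Opaque Token configurer is set in OAuth resource server configuration. Opaque Token validation/introspection will be configured.");
            configureResourceServerForOpaqueTokenValidation(httpSecurity, oktaProperties);
        } else {
            log.debug("OAuth2ResourceServerConfigurer bean not configured, Resource Server support will not be enabled.");
        }
    }

    /**
     * @return the configurer's private {@code jwtConfigurer}, empty when unset or when no resource-server
     *         configurer was registered on the builder
     * @throws IllegalAccessException if the reflective read is denied
     */
    private Optional<OAuth2ResourceServerConfigurer<?>.JwtConfigurer> getJwtConfigurer(
            OAuth2ResourceServerConfigurer<?> resourceServer) throws IllegalAccessException {
        if (resourceServer == null) {
            return Optional.empty();
        }
        return getFieldValue(resourceServer, "jwtConfigurer");
    }

    /**
     * @return the configurer's private {@code opaqueTokenConfigurer}, empty when unset or when no
     *         resource-server configurer was registered on the builder
     * @throws IllegalAccessException if the reflective read is denied
     */
    private Optional<OAuth2ResourceServerConfigurer<?>.OpaqueTokenConfigurer> getOpaqueTokenConfigurer(
            OAuth2ResourceServerConfigurer<?> resourceServer) throws IllegalAccessException {
        if (resourceServer == null) {
            return Optional.empty();
        }
        return getFieldValue(resourceServer, "opaqueTokenConfigurer");
    }

    /**
     * Reads a private field of {@link OAuth2ResourceServerConfigurer} by reflection.
     *
     * <p>This is the version-coupled part of the class: Spring Security does not expose which token
     * type the application enabled, so the field names are hard-coded. A missing field is reported as
     * an {@link IllegalStateException} carrying the {@link NoSuchFieldException} as its cause rather
     * than being silently treated as "not configured", so a Spring Security upgrade that renames the
     * field cannot quietly disable resource-server setup.
     *
     * @param target    the configurer instance to read from
     * @param fieldName name of the declared field on {@link OAuth2ResourceServerConfigurer}
     * @param <T>       expected field type (unchecked; callers pass the matching configurer type)
     * @return the field value, empty when it is {@code null}
     * @throws IllegalAccessException if the reflective read is denied
     * @throws IllegalStateException  if the field does not exist in the Spring Security version on the classpath
     */
    private <T> Optional<T> getFieldValue(Object target, String fieldName) throws IllegalAccessException {
        // setAccessible(true) may itself be restricted by a SecurityManager (hence doPrivileged) or, on
        // Java 9+, by module encapsulation; the latter is not handled here and would surface as a RuntimeException.
        PrivilegedAction<Field> lookup = () -> {
            try {
                Field declared = OAuth2ResourceServerConfigurer.class.getDeclaredField(fieldName);
                declared.setAccessible(true);
                return declared;
            } catch (NoSuchFieldException e) {
                throw new IllegalStateException("Expected field '" + fieldName
                        + "' was not found in OAuth resource server configuration. "
                        + "Version incompatibility with Spring Security detected. "
                        + "Check https://github.com/okta/okta-spring-boot for project updates.", e);
            }
        };
        Field field = AccessController.doPrivileged(lookup);
        @SuppressWarnings("unchecked")
        T value = (T) field.get(target);
        return Optional.ofNullable(value);
    }

    /**
     * Configures the OAuth2 login token endpoint and, when a redirect-uri property is set, the
     * redirection endpoint base URI.
     *
     * <p>The token-endpoint client uses the {@link RestTemplate} produced by
     * {@code OktaOAuth2ResourceServerAutoConfig.restTemplate(...)}; what that template adds (timeouts,
     * proxy, TLS settings) is not visible from this class.
     *
     * <p>NOTE(review): only the {@code {baseUrl}} placeholder is removed from the redirect-uri. A value
     * without the placeholder (e.g. an absolute URL) is registered verbatim as the redirection base URI —
     * confirm that is the intended contract for that property.
     */
    private void configureLogin(HttpSecurity httpSecurity, OktaOAuth2Properties oktaProperties, Environment environment)
            throws Exception {
        RestTemplate restTemplate = OktaOAuth2ResourceServerAutoConfig.restTemplate(oktaProperties);
        httpSecurity.oauth2Login()
                .tokenEndpoint()
                .accessTokenResponseClient(accessTokenResponseClient(restTemplate));

        String redirectUri = environment.getProperty(REDIRECT_URI_PROPERTY);
        if (redirectUri != null) {
            httpSecurity.oauth2Login()
                    .redirectionEndpoint()
                    .baseUri(redirectUri.replace(BASE_URL_PLACEHOLDER, ""));
        }
    }

    /**
     * Enables JWT validation with Okta's authentication converter, which maps the configured groups
     * claim to granted authorities.
     */
    private void configureResourceServerForJwtValidation(HttpSecurity httpSecurity, OktaOAuth2Properties oktaProperties)
            throws Exception {
        httpSecurity.oauth2ResourceServer()
                .jwt()
                .jwtAuthenticationConverter(new OktaJwtAuthenticationConverter(oktaProperties.getGroupsClaim()));
    }

    /**
     * Enables opaque-token (introspection) validation.
     *
     * <p>Introspection authenticates to Okta with the client-id/client-secret pair, so both must be set.
     * When either is missing nothing is configured — bearer tokens are then not validated by this
     * configurer — which is now logged instead of being a silent return. The secret value itself is
     * never logged.
     */
    private void configureResourceServerForOpaqueTokenValidation(HttpSecurity httpSecurity, OktaOAuth2Properties oktaProperties)
            throws Exception {
        if (Strings.isEmpty(oktaProperties.getClientId()) || Strings.isEmpty(oktaProperties.getClientSecret())) {
            log.debug("Opaque Token validation/introspection not configured due to missing client-id or client-secret property");
            return;
        }
        httpSecurity.oauth2ResourceServer().opaqueToken();
    }

    /**
     * Builds the authorization-code token response client, backed by the given {@link RestTemplate}
     * so that the token-endpoint call uses the same HTTP settings as the rest of the Okta integration.
     */
    private OAuth2AccessTokenResponseClient<OAuth2AuthorizationCodeGrantRequest> accessTokenResponseClient(RestTemplate restTemplate) {
        DefaultAuthorizationCodeTokenResponseClient client = new DefaultAuthorizationCodeTokenResponseClient();
        client.setRestOperations(restTemplate);
        return client;
    }
}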
