package top.klw8.alita.starter.cfg;

import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.security.KeyFactory;
import java.security.NoSuchAlgorithmException;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;
import java.util.Iterator;
import javax.annotation.Resource;
import org.apache.commons.collections4.CollectionUtils;
import org.apache.commons.io.IOUtils;
import org.apache.dubbo.config.annotation.DubboReference;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Import;
import org.springframework.core.io.ClassPathResource;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.util.Assert;
import top.klw8.alita.service.api.authority.IAuthorityAdminProvider;
import top.klw8.alita.service.result.code.CommonResultCodeEnum;
import top.klw8.alita.starter.aures.AuthoritysResourceControllerMethodsLoader;
import top.klw8.alita.starter.common.UserCacheHelper;
import top.klw8.alita.starter.validator.AlitaResponseGenerator;
import top.klw8.alita.starter.web.interceptor.AuthorityInterceptor;
import top.klw8.alita.starter.web.interceptor.TokenCheckInterceptor;
import top.klw8.alita.validator.EnableValidator;

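/**
 * WebFlux resource-server security configuration.
 *
 * <p>Builds the {@link SecurityWebFilterChain}: paths listed in
 * {@link TokenConfigBean#getCheckExcludePaths()} are opened with {@code permitAll()}, every other
 * exchange must be authenticated, and bearer JWTs are verified against the RSA public key read
 * from the classpath resource {@value #JWT_PUBLIC_KEY_RESOURCE}.
 *
 * <p>Also exposes the application-identity bean and the {@link UserCacheHelper} bean.
 */
@EnableConfigurationProperties({ResServerAuthPathCfgBean.class, TokenConfigBean.class})
@Configuration
@EnableWebFluxSecurity
@EnableValidator(responseMsgGenerator = AlitaResponseGenerator.class)
@Import({TokenCheckInterceptor.class, AuthorityInterceptor.class, AuthoritysResourceControllerMethodsLoader.class})
public class OAuth2ResourceServerConfig {
    private static final Logger log = LoggerFactory.getLogger(OAuth2ResourceServerConfig.class);

    /** Classpath resource holding the Base64-encoded X.509 (SubjectPublicKeyInfo) RSA public key. */
    private static final String JWT_PUBLIC_KEY_RESOURCE = "authorizationKeyPublic.txt";

    @Resource
    private ResServerAuthPathCfgBean cfgBean;

    @Resource
    private TokenConfigBean tokenConfigBean;

    @DubboReference(async = true)
    private IAuthorityAdminProvider adminProvider;

    // The three values below default to the empty string when the property is absent.
    @Value("${alita.authority.app.tag:}")
    private String currectAppTag;

    @Value("${alita.authority.app.name:}")
    private String currectAppName;

    @Value("${alita.authority.app.remark:}")
    private String currectAppRemark;

    /**
     * Publishes the application identity read from configuration.
     *
     * @return bean carrying the configured app tag, name and remark
     * @throws IllegalArgumentException if {@code alita.authority.app.tag} is missing or blank
     */
    @Bean
    public AuthorityAppInfoInConfigBean authorityAppInfoInConfig() {
        // Startup must fail when the app tag is absent instead of registering an anonymous app.
        Assert.hasText(this.currectAppTag, CommonResultCodeEnum.APP_TAG_NOT_EXIST.getCodeMsg());
        return new AuthorityAppInfoInConfigBean(this.currectAppTag, this.currectAppName, this.currectAppRemark);
    }

    /**
     * Creates the user cache helper backed by the remote authority provider.
     *
     * @return helper wrapping the injected {@link IAuthorityAdminProvider}
     */
    @Bean
    public UserCacheHelper userCacheHelper() {
        return new UserCacheHelper(this.adminProvider);
    }

    /**
     * Builds the reactive security filter chain.
     *
     * @param serverHttpSecurity the Spring-provided security builder
     * @return the configured filter chain
     * @throws IllegalStateException if the JWT verification key cannot be loaded
     * @throws Exception declared for compatibility with existing callers
     */
    @Bean
    public SecurityWebFilterChain configure(ServerHttpSecurity serverHttpSecurity) throws Exception {
        if (this.cfgBean == null || CollectionUtils.isEmpty(this.cfgBean.getAuthPath())) {
            log.warn("---------------------------------------------------------------------");
            log.warn("【警告】没有配制需要验证权限的url, 如果项目本身没有这个需求请忽略本警告!");
            log.warn("---------------------------------------------------------------------");
        }

        // One handler object serves both "not authenticated" and "access denied" responses.
        SecurityAuthenticationEntryPoint entryPoint = new SecurityAuthenticationEntryPoint();
        // NOTE(review): CSRF protection is switched off. That is only appropriate while clients
        // authenticate with a bearer token in a header and never with a cookie; confirm.
        serverHttpSecurity.exceptionHandling()
                .accessDeniedHandler(entryPoint)
                .authenticationEntryPoint(entryPoint)
                .and()
                .csrf().disable();

        // Every configured exclusion bypasses authentication entirely, so an over-broad pattern
        // here opens the matching endpoints to anonymous callers. Log each one so the effective
        // unauthenticated surface is visible at startup.
        if (CollectionUtils.isNotEmpty(this.tokenConfigBean.getCheckExcludePaths())) {
            for (String excludedPath : this.tokenConfigBean.getCheckExcludePaths()) {
                log.info("Path excluded from token check (permitAll): {}", excludedPath);
                serverHttpSecurity.authorizeExchange().pathMatchers(excludedPath).permitAll();
            }
        }

        // Anything not explicitly excluded requires an authenticated exchange.
        serverHttpSecurity.authorizeExchange().anyExchange().authenticated();
        serverHttpSecurity.oauth2ResourceServer().jwt().publicKey(jwtPublicKey());
        return serverHttpSecurity.build();
    }

    /**
     * Loads the RSA public key used to verify JWT signatures.
     *
     * <p>Fails closed: an unreadable or malformed key aborts startup with the original cause
     * attached, rather than passing {@code null} on to the JWT decoder configuration.
     *
     * @return the parsed public key, never {@code null}
     * @throws IllegalStateException if the resource cannot be read, is not valid Base64, or does
     *     not contain an X.509-encoded RSA public key
     */
    private RSAPublicKey jwtPublicKey() {
        final String encodedKey;
        try (InputStream keyStream = new ClassPathResource(JWT_PUBLIC_KEY_RESOURCE).getInputStream()) {
            // Base64 text is plain ASCII, so decode with a fixed charset instead of the platform
            // default, and drop all whitespace (line breaks, stray spaces, trailing newline).
            encodedKey = IOUtils.toString(keyStream, StandardCharsets.UTF_8).replaceAll("\\s+", "");
        } catch (IOException e) {
            throw new IllegalStateException(
                    "Cannot read JWT public key resource " + JWT_PUBLIC_KEY_RESOURCE, e);
        }

        try {
            byte[] derBytes = Base64.getDecoder().decode(encodedKey);
            return (RSAPublicKey) KeyFactory.getInstance("RSA").generatePublic(new X509EncodedKeySpec(derBytes));
        } catch (IllegalArgumentException | NoSuchAlgorithmException | InvalidKeySpecException e) {
            // Only the resource name is reported; the key material itself is never logged.
            throw new IllegalStateException(
                    "JWT public key resource " + JWT_PUBLIC_KEY_RESOURCE
                            + " is not a valid Base64-encoded X.509 RSA public key", e);
        }
    }
}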
