package org.activiti.cloud.services.identity.keycloak.config;

import com.fasterxml.jackson.databind.ObjectMapper;
import com.github.benmanes.caffeine.cache.Caffeine;
import feign.Feign;
import java.time.Duration;
import org.activiti.cloud.security.feign.configuration.ClientCredentialsAuthConfiguration;
import org.activiti.cloud.services.common.security.jwt.validator.PublicKeyValidationCheck;
import org.activiti.cloud.services.identity.keycloak.ActivitiKeycloakProperties;
import org.activiti.cloud.services.identity.keycloak.KeycloakClientPrincipalDetailsProvider;
import org.activiti.cloud.services.identity.keycloak.KeycloakHealthService;
import org.activiti.cloud.services.identity.keycloak.KeycloakManagementService;
import org.activiti.cloud.services.identity.keycloak.KeycloakProperties;
import org.activiti.cloud.services.identity.keycloak.KeycloakUserGroupManager;
import org.activiti.cloud.services.identity.keycloak.client.KeycloakClient;
import org.activiti.cloud.services.identity.keycloak.validator.RealmValidationCheck;
import org.springframework.beans.factory.ObjectFactory;
import org.springframework.beans.factory.ObjectProvider;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.boot.autoconfigure.http.HttpMessageConverters;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.cache.caffeine.CaffeineCache;
import org.springframework.cloud.openfeign.support.HttpMessageConverterCustomizer;
import org.springframework.cloud.openfeign.support.SpringDecoder;
import org.springframework.cloud.openfeign.support.SpringEncoder;
import org.springframework.cloud.openfeign.support.SpringMvcContract;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.PropertySource;
import org.springframework.core.annotation.Order;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientService;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.web.util.UriComponentsBuilder;

@EnableConfigurationProperties({ActivitiKeycloakProperties.class, KeycloakProperties.class})
@Configuration
@ConditionalOnProperty(value = {"activiti.cloud.services.oauth2.iam-name"}, havingValue = "keycloak", matchIfMissing = true)
@PropertySource({"classpath:keycloak-client.properties"})
/* loaded from: input_file:org/activiti/cloud/services/identity/keycloak/config/ActivitiKeycloakAutoConfiguration.class */
/**
 * Spring configuration that wires the Keycloak-backed identity beans.
 *
 * <p>The configuration is active when {@code activiti.cloud.services.oauth2.iam-name} equals
 * {@code keycloak} or is not set at all ({@code matchIfMissing = true}), and it loads
 * {@code keycloak-client.properties} from the classpath.
 *
 * <p>Every bean that talks to Keycloak derives its endpoint from {@code keycloak.auth-server-url}
 * and {@code keycloak.realm}; nothing in this class validates those two values.
 */
public class ActivitiKeycloakAutoConfiguration {

    // ISO-8601 duration text handed to Duration.parse for every cache below; defaults to PT5m.
    @Value("${identity.client.cache.cacheExpireAfterWrite:PT5m}")
    private String cacheExpireAfterWrite;

    // Upper bound on the number of entries in each of the caches below; defaults to 1000.
    @Value("${identity.client.cache.cacheMaxSize:1000}")
    private int cacheMaxSize;

    // Both collaborators are only used to build the client-credentials interceptor in keycloakClient().
    @Autowired
    private OAuth2AuthorizedClientService oAuth2AuthorizedClientService;

    @Autowired
    private ClientRegistrationRepository clientRegistrationRepository;

    /**
     * Registers the {@code userGroupManager} bean unless a {@link KeycloakUserGroupManager} already exists.
     *
     * @param keycloakClient client handed to the manager
     * @return a manager backed by {@code keycloakClient}
     */
    @ConditionalOnMissingBean({KeycloakUserGroupManager.class})
    @Bean(name = {"userGroupManager"})
    public KeycloakUserGroupManager keycloakUserGroupManager(KeycloakClient keycloakClient) {
        return new KeycloakUserGroupManager(keycloakClient);
    }

    /**
     * Registers the principal details provider with order {@code Integer.MAX_VALUE}.
     *
     * @param keycloakClient client handed to the provider
     * @return a provider backed by {@code keycloakClient}
     */
    @ConditionalOnMissingBean
    @Bean
    @Order(Integer.MAX_VALUE)
    public KeycloakClientPrincipalDetailsProvider keycloakClientPrincipalDetailsProvider(KeycloakClient keycloakClient) {
        return new KeycloakClientPrincipalDetailsProvider(keycloakClient);
    }

    /**
     * Registers the identity management service unless another bean of that type is present.
     *
     * @param keycloakClient client handed to the service
     * @return a management service backed by {@code keycloakClient}
     */
    @ConditionalOnMissingBean
    @Bean
    public KeycloakManagementService identityManagementService(KeycloakClient keycloakClient) {
        return new KeycloakManagementService(keycloakClient);
    }

    /**
     * Creates the cache named {@code groupRoleMapping}.
     *
     * @return a Caffeine-backed cache using the configured write expiry and maximum size
     */
    @Bean
    public CaffeineCache groupRoleMappingCache() {
        return newIdentityCache("groupRoleMapping");
    }

    /**
     * Creates the cache named {@code userRoleMapping}.
     *
     * @return a Caffeine-backed cache using the configured write expiry and maximum size
     */
    @Bean
    public CaffeineCache userRoleMappingCache() {
        return newIdentityCache("userRoleMapping");
    }

    /**
     * Creates the cache named {@code userGroups}.
     *
     * @return a Caffeine-backed cache using the configured write expiry and maximum size
     */
    @Bean
    public CaffeineCache userGroupsCache() {
        return newIdentityCache("userGroups");
    }

    /**
     * Builds one identity cache; all three caches share the same expiry and size settings.
     *
     * <p>NOTE(review): judging by the cache names, the entries hold role and group membership.
     * If so, a membership or role change made in Keycloak can stay invisible to callers until
     * the entry expires, so the write expiry is also the worst-case revocation delay. Confirm
     * against the code that reads these caches before raising the TTL.
     *
     * @param cacheName name given to the Spring cache
     * @return a new cache that expires entries after {@code cacheExpireAfterWrite} and holds at
     *     most {@code cacheMaxSize} entries
     */
    private CaffeineCache newIdentityCache(String cacheName) {
        return new CaffeineCache(
            cacheName,
            Caffeine
                .newBuilder()
                .expireAfterWrite(Duration.parse(this.cacheExpireAfterWrite))
                .maximumSize(this.cacheMaxSize)
                .build()
        );
    }

    /**
     * Registers the {@code identityHealthService} bean unless a {@link KeycloakHealthService} already exists.
     *
     * @param keycloakUserGroupManager manager handed to the health service
     * @return a health service backed by {@code keycloakUserGroupManager}
     */
    @ConditionalOnMissingBean({KeycloakHealthService.class})
    @Bean(name = {"identityHealthService"})
    public KeycloakHealthService keycloakHealthService(KeycloakUserGroupManager keycloakUserGroupManager) {
        return new KeycloakHealthService(keycloakUserGroupManager);
    }

    /**
     * Creates the public-key validation check, pointing it at
     * {@code <auth-server-url>/realms/<realm>/protocol/openid-connect/certs}.
     *
     * <p>NOTE(review): {@code UriComponentsBuilder.fromHttpUrl} accepts {@code http} as well as
     * {@code https}. This URL is presumably where token signing keys are fetched from, in which
     * case a plaintext {@code keycloak.auth-server-url} would let anyone on the network path
     * substitute keys. Confirm, and keep the property on {@code https} outside local development.
     *
     * @param objectMapper mapper handed to the check
     * @param authServerUrl value of {@code keycloak.auth-server-url}
     * @param realm value of {@code keycloak.realm}
     * @return a check configured with the realm's certs URL
     */
    @Bean
    public PublicKeyValidationCheck publicKeyValidationCheck(ObjectMapper objectMapper, @Value("${keycloak.auth-server-url}") String authServerUrl, @Value("${keycloak.realm}") String realm) {
        String certsUrl = UriComponentsBuilder
            .fromHttpUrl(authServerUrl)
            .pathSegment("realms", realm, "protocol/openid-connect/certs")
            .build()
            .toUriString();
        return new PublicKeyValidationCheck(certsUrl, objectMapper);
    }

    /**
     * Creates the realm validation check from the configured server URL and realm.
     *
     * @param authServerUrl value of {@code keycloak.auth-server-url}
     * @param realm value of {@code keycloak.realm}
     * @return a check built from the two values as given
     */
    @Bean
    public RealmValidationCheck realmValidationCheck(@Value("${keycloak.auth-server-url}") String authServerUrl, @Value("${keycloak.realm}") String realm) {
        return new RealmValidationCheck(authServerUrl, realm);
    }

    /**
     * Builds the Feign client for {@code <auth-server-url>/admin/realms/<realm>/}.
     *
     * <p>Requests pass through the interceptor that {@link ClientCredentialsAuthConfiguration}
     * creates for the client registration named {@code keycloak}.
     *
     * <p>NOTE(review): the target is Keycloak's admin path, so whatever this client can do is
     * bounded only by the roles granted to that registration's service account. Presumably it
     * should carry just the realm-management roles the identity beans need; verify in the realm
     * configuration.
     *
     * @param adminRealmUrl admin base URL resolved from the two Keycloak properties
     * @param objectFactory source of the message converters for the Spring encoder and decoder
     * @param objectProvider converter customizers for the Spring decoder
     * @return a {@link KeycloakClient} proxy bound to {@code adminRealmUrl}
     */
    @Bean
    public KeycloakClient keycloakClient(@Value("${keycloak.auth-server-url}/admin/realms/${keycloak.realm}/") String adminRealmUrl, ObjectFactory<HttpMessageConverters> objectFactory, ObjectProvider<HttpMessageConverterCustomizer> objectProvider) {
        ClientCredentialsAuthConfiguration authConfiguration = new ClientCredentialsAuthConfiguration();
        return Feign
            .builder()
            .contract(new SpringMvcContract())
            .encoder(new SpringEncoder(objectFactory))
            .decoder(new SpringDecoder(objectFactory, objectProvider))
            .requestInterceptor(
                authConfiguration.clientCredentialsAuthRequestInterceptor(
                    this.oAuth2AuthorizedClientService,
                    this.clientRegistrationRepository,
                    authConfiguration.clientRegistration(this.clientRegistrationRepository, "keycloak")
                )
            )
            .target(KeycloakClient.class, adminRealmUrl);
    }
}
