package org.activiti.cloud.services.notifications.qraphql.ws.security;

import java.util.function.Function;
import org.activiti.cloud.services.common.security.jwt.JwtAccessTokenValidator;
import org.activiti.cloud.services.common.security.jwt.JwtAdapter;
import org.activiti.cloud.services.common.security.jwt.JwtUserInfoUriAuthenticationConverter;
import org.activiti.cloud.services.notifications.qraphql.ws.security.tokenverifier.GraphQLAccessTokenVerifier;
import org.activiti.cloud.services.notifications.qraphql.ws.security.tokenverifier.jwt.JwtAccessTokenVerifier;
import org.springframework.boot.autoconfigure.condition.ConditionalOnExpression;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Import;
import org.springframework.context.annotation.PropertySource;
import org.springframework.context.annotation.PropertySources;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;

/**
 * Registers the security beans used by the GraphQL notification WebSocket message broker.
 *
 * <p>The configuration is active unless
 * {@code spring.activiti.cloud.services.notification.graphql.ws.security.enabled} is set to
 * {@code false}. Because of {@code matchIfMissing = true}, leaving the property unset keeps the
 * security beans enabled, so turning them off has to be an explicit decision.
 */
@Configuration
@ConditionalOnProperty(
    name = {"spring.activiti.cloud.services.notification.graphql.ws.security.enabled"},
    matchIfMissing = true
)
@Import({WebSocketMessageBrokerSecurityConfigurer.class})
public class WebSocketMessageBrokerSecurityAutoConfiguration {

    /**
     * Default bean definitions. Every bean here is {@code @ConditionalOnMissingBean}, so an
     * application-defined bean of the same type takes the place of the default one.
     *
     * <p>Properties are read from {@code classpath:META-INF/graphql-security.properties}, which
     * must exist, and from {@code classpath:graphql-security.properties}, which is optional
     * ({@code ignoreResourceNotFound = true}).
     */
    @Configuration
    @PropertySources({
        @PropertySource({"classpath:META-INF/graphql-security.properties"}),
        @PropertySource(value = {"classpath:graphql-security.properties"}, ignoreResourceNotFound = true)
    })
    public static class DefaultWebSocketMessageBrokerSecurityConfiguration {

        /** JWT claim that the non-Keycloak verifier reads the caller's roles from. */
        private static final String ROLE_CLAIM = "role";

        /**
         * Builds the interceptor configurer on top of the WebSocket authentication manager.
         *
         * @param jWSAuthenticationManager manager handed to the configurer
         * @return a new {@link JWSAuthenticationInterceptorConfigurer}
         */
        @ConditionalOnMissingBean
        @Bean
        public JWSAuthenticationInterceptorConfigurer jwsTokenChannelSecurityContextConfigurer(
                JWSAuthenticationManager jWSAuthenticationManager) {
            JWSAuthenticationInterceptorConfigurer configurer =
                    new JWSAuthenticationInterceptorConfigurer(jWSAuthenticationManager);
            return configurer;
        }

        /**
         * Builds the JWT interceptor configurer on top of the active access-token verifier.
         *
         * @param graphQLAccessTokenVerifier verifier handed to the configurer
         * @return a new {@link JwtInterceptorConfigurer}
         */
        @ConditionalOnMissingBean
        @Bean
        public JwtInterceptorConfigurer jwsTokenChannelAuthenticationConfigurer(
                GraphQLAccessTokenVerifier graphQLAccessTokenVerifier) {
            JwtInterceptorConfigurer configurer = new JwtInterceptorConfigurer(graphQLAccessTokenVerifier);
            return configurer;
        }

        /**
         * Access-token verifier for identity providers other than Keycloak; roles are taken from
         * the {@code "role"} claim of the decoded token.
         *
         * <p>Registered when {@code activiti.cloud.services.oauth2.iam-name} is not exactly
         * {@code keycloak}. The SpEL {@code !=} comparison is case-sensitive.
         *
         * <p>NOTE(review): Spring Boot's {@code havingValue} match used by
         * {@code keycloakTokenVerifier} ignores case, so a value such as {@code Keycloak} appears
         * to satisfy both conditions; confirm which verifier is registered in that case.
         *
         * @param jwtAccessTokenValidator validator passed through to the verifier
         * @param jwtUserInfoUriAuthenticationConverter converter passed through to the verifier
         * @param jwtDecoder decoder passed through to the verifier
         * @return a {@link JwtAccessTokenVerifier} that resolves roles from the {@code "role"} claim
         */
        @ConditionalOnMissingBean
        @Bean
        @ConditionalOnExpression("'${activiti.cloud.services.oauth2.iam-name}'!='keycloak'")
        public GraphQLAccessTokenVerifier jwtTokenVerifier(
                JwtAccessTokenValidator jwtAccessTokenValidator,
                JwtUserInfoUriAuthenticationConverter jwtUserInfoUriAuthenticationConverter,
                JwtDecoder jwtDecoder) {
            return new JwtAccessTokenVerifier(
                    jwtAccessTokenValidator,
                    jwtUserInfoUriAuthenticationConverter,
                    jwtDecoder,
                    token -> {
                        // getClaimAsStringList yields null when the claim is absent;
                        // NOTE(review): confirm JwtAccessTokenVerifier treats that as "no roles".
                        return token.getClaimAsStringList(ROLE_CLAIM);
                    });
        }

        /**
         * Access-token verifier for Keycloak; roles come from the {@link JwtAdapter} that the
         * injected function produces for the decoded token.
         *
         * <p>Registered when {@code activiti.cloud.services.oauth2.iam-name} has the value
         * {@code keycloak}.
         *
         * @param jwtAccessTokenValidator validator passed through to the verifier
         * @param jwtUserInfoUriAuthenticationConverter converter passed through to the verifier
         * @param jwtDecoder decoder passed through to the verifier
         * @param function maps a decoded {@link Jwt} to the adapter the roles are read from
         * @return a {@link JwtAccessTokenVerifier} that resolves roles through {@link JwtAdapter#getRoles()}
         */
        @ConditionalOnMissingBean
        @ConditionalOnProperty(value = {"activiti.cloud.services.oauth2.iam-name"}, havingValue = "keycloak")
        @Bean
        public GraphQLAccessTokenVerifier keycloakTokenVerifier(
                JwtAccessTokenValidator jwtAccessTokenValidator,
                JwtUserInfoUriAuthenticationConverter jwtUserInfoUriAuthenticationConverter,
                JwtDecoder jwtDecoder,
                Function<Jwt, JwtAdapter> function) {
            return new JwtAccessTokenVerifier(
                    jwtAccessTokenValidator,
                    jwtUserInfoUriAuthenticationConverter,
                    jwtDecoder,
                    token -> {
                        JwtAdapter adapter = function.apply(token);
                        return adapter.getRoles();
                    });
        }

        /**
         * Builds the WebSocket authentication manager on top of the active access-token verifier.
         * Despite the bean name, this definition carries no Keycloak condition and is registered
         * for either verifier.
         *
         * @param graphQLAccessTokenVerifier verifier handed to the manager
         * @return a new {@link JWSAuthenticationManager}
         */
        @ConditionalOnMissingBean
        @Bean
        public JWSAuthenticationManager keycloakWebSocketAuthManager(
                GraphQLAccessTokenVerifier graphQLAccessTokenVerifier) {
            JWSAuthenticationManager manager = new JWSAuthenticationManager(graphQLAccessTokenVerifier);
            return manager;
        }
    }
}
