package cn.bestwu.simpleframework.security.config;

import cn.bestwu.simpleframework.security.URLFilterInvocationSecurityMetadataSource;
import cn.bestwu.simpleframework.security.exception.CustomWebResponseExceptionTranslator;
import cn.bestwu.simpleframework.security.exception.SecurityOAuth2ErrorHandler;
import java.util.Collection;
import java.util.Iterator;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication;
import org.springframework.context.MessageSource;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.AccessDecisionManager;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.config.annotation.ObjectPostProcessor;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.oauth2.common.exceptions.OAuth2Exception;
import org.springframework.security.oauth2.common.exceptions.UnauthorizedUserException;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.endpoint.TokenEndpoint;
import org.springframework.security.oauth2.provider.error.DefaultOAuth2ExceptionRenderer;
import org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler;
import org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint;
import org.springframework.security.oauth2.provider.error.WebResponseExceptionTranslator;
import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;
import org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter;

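/**
 * Auto-configuration for an OAuth2 resource server whose URL authorization is driven by
 * {@link URLFilterInvocationSecurityMetadataSource} and a custom {@link AccessDecisionManager}.
 *
 * <p>Only active in a web application and when Spring Security OAuth2 ({@link OAuth2Exception})
 * is on the classpath.
 *
 * <p>Security-relevant defaults set in this class (each one is a property default, so a
 * deployment can override it):
 * <ul>
 *   <li>{@code security.http.frame-options-disable} defaults to {@code true}: the
 *       {@code X-Frame-Options} header is switched off unless the property is set to
 *       {@code false}.</li>
 *   <li>{@code server.client-cache} defaults to {@code true}: Spring Security's no-cache
 *       response headers are switched off.</li>
 *   <li>{@code security.http.session-creation-policy} defaults to {@code STATELESS}, but the
 *       resource server itself is configured with {@code stateless(false)}.</li>
 * </ul>
 */
@ConditionalOnClass({OAuth2Exception.class})
@Configuration
@ConditionalOnWebApplication
public class SecurityResourceServerConfiguration {

    // Passed through to CustomWebResponseExceptionTranslator; its effect is defined there.
    @Value("${app.web.ok.enable:false}")
    private Boolean okEnable;
    public final MessageSource messageSource;

    /**
     * Resource-server security rules: error rendering, response headers, session policy and
     * the per-URL authorization hook.
     */
    @Configuration
    @ConditionalOnWebApplication
    public class ResourceServerConfiguration extends ResourceServerConfigurerAdapter {
        private final WebResponseExceptionTranslator<OAuth2Exception> webResponseExceptionTranslator;

        // When true (the default), the no-cache headers Spring Security adds are disabled.
        @Value("${server.client-cache:true}")
        private boolean supportClientCache;

        // When true, CORS handling is enabled on the HttpSecurity; the CORS policy itself is
        // not defined in this class.
        @Value("${security.cors.enable:false}")
        private boolean enableCors;

        @Value("${security.http.session-creation-policy:STATELESS}")
        private SessionCreationPolicy sessionCreationPolicy;

        // When true (the default), the X-Frame-Options header is disabled.
        @Value("${security.http.frame-options-disable:true}")
        private boolean frameOptionsDisable;
        private final URLFilterInvocationSecurityMetadataSource securityMetadataSource;
        private final RequestMappingHandlerAdapter requestMappingHandlerAdapter;

        /**
         * Stores the collaborators and installs the shared exception translator on the token
         * endpoint, so token-endpoint errors go through the same translator as resource errors.
         *
         * @param tokenEndpoint token endpoint that receives the exception translator
         * @param webResponseExceptionTranslator translator used for OAuth2 error responses
         * @param uRLFilterInvocationSecurityMetadataSource source of the per-URL required attributes
         * @param requestMappingHandlerAdapter supplies the message converters used to render errors
         */
        public ResourceServerConfiguration(TokenEndpoint tokenEndpoint, WebResponseExceptionTranslator<OAuth2Exception> webResponseExceptionTranslator, URLFilterInvocationSecurityMetadataSource uRLFilterInvocationSecurityMetadataSource, RequestMappingHandlerAdapter requestMappingHandlerAdapter) {
            this.webResponseExceptionTranslator = webResponseExceptionTranslator;
            this.securityMetadataSource = uRLFilterInvocationSecurityMetadataSource;
            this.requestMappingHandlerAdapter = requestMappingHandlerAdapter;
            tokenEndpoint.setProviderExceptionHandler(webResponseExceptionTranslator);
        }

        /**
         * Builds the decision manager that grants access when the caller holds at least one
         * authority whose name equals (after trimming) one of the attributes required for the
         * request.
         *
         * <p>An empty attribute collection is treated as "no restriction" and is allowed.
         * When nothing matches, an anonymous caller gets {@link UnauthorizedUserException}
         * and any other caller gets {@link AccessDeniedException}.
         *
         * @return the access decision manager bean
         */
        @Bean
        public AccessDecisionManager accessDecisionManager() {
            return new AccessDecisionManager() {
                public void decide(Authentication authentication, Object obj, Collection<ConfigAttribute> collection) {
                    // No required attributes for this request: nothing to check, allow.
                    // NOTE(review): this makes every URL the metadata source leaves unmapped
                    // reachable without any authority - confirm that is the intended policy.
                    if (collection.isEmpty()) {
                        return;
                    }
                    Collection<? extends GrantedAuthority> authorities = authentication.getAuthorities();
                    for (ConfigAttribute configAttribute : collection) {
                        String required = configAttribute.getAttribute();
                        // getAttribute() may return null for attributes that have no String
                        // form; such an attribute can never match, so skip it and fall through
                        // to the deny path instead of failing with a NullPointerException.
                        if (required == null) {
                            continue;
                        }
                        String requiredName = required.trim();
                        for (GrantedAuthority grantedAuthority : authorities) {
                            String held = grantedAuthority.getAuthority();
                            // Exact, case-sensitive comparison; a null authority name never matches.
                            if (held != null && requiredName.equals(held.trim())) {
                                return;
                            }
                        }
                    }
                    // Authenticated but lacking the authority: access denied
                    // (message text: "no permission to access").
                    if (!(authentication instanceof AnonymousAuthenticationToken)) {
                        throw new AccessDeniedException("无权访问");
                    }
                    // Anonymous caller: ask for a fresh login (message text: "please log in again").
                    throw new UnauthorizedUserException("请重新登录");
                }

                public boolean supports(ConfigAttribute configAttribute) {
                    return true;
                }

                public boolean supports(Class<?> cls) {
                    return true;
                }
            };
        }

        /**
         * Configures resource-server error handling: both the authentication entry point and
         * the access-denied handler use the shared exception translator and render through the
         * MVC message converters.
         *
         * @param resourceServerSecurityConfigurer the resource-server configurer to customise
         */
        public void configure(ResourceServerSecurityConfigurer resourceServerSecurityConfigurer) {
            // stateless(false): the resources are not restricted to token-based authentication.
            // NOTE(review): if security.http.session-creation-policy is changed from STATELESS,
            // cookie-authenticated requests become possible - confirm CSRF protection for them.
            resourceServerSecurityConfigurer.stateless(false);

            DefaultOAuth2ExceptionRenderer exceptionRenderer = new DefaultOAuth2ExceptionRenderer();
            exceptionRenderer.setMessageConverters(this.requestMappingHandlerAdapter.getMessageConverters());

            OAuth2AuthenticationEntryPoint entryPoint = new OAuth2AuthenticationEntryPoint();
            entryPoint.setExceptionTranslator(this.webResponseExceptionTranslator);
            entryPoint.setExceptionRenderer(exceptionRenderer);
            resourceServerSecurityConfigurer.authenticationEntryPoint(entryPoint);

            OAuth2AccessDeniedHandler deniedHandler = new OAuth2AccessDeniedHandler();
            deniedHandler.setExceptionTranslator(this.webResponseExceptionTranslator);
            deniedHandler.setExceptionRenderer(exceptionRenderer);
            resourceServerSecurityConfigurer.accessDeniedHandler(deniedHandler);
        }

        /**
         * Applies header, CORS and session settings from configuration properties and replaces
         * the security metadata source and access decision manager of the
         * {@link FilterSecurityInterceptor} with the custom ones.
         *
         * @param httpSecurity the HTTP security builder to customise
         * @throws Exception if the builder rejects the configuration
         */
        public void configure(HttpSecurity httpSecurity) throws Exception {
            // Default is true: the no-cache headers are removed, so responses to authenticated
            // requests are cacheable unless the handlers set their own Cache-Control.
            if (this.supportClientCache) {
                httpSecurity.headers().cacheControl().disable();
            }
            if (this.enableCors) {
                httpSecurity.cors();
            }
            // Default is true: X-Frame-Options is not sent. If HTML is served, framing
            // restrictions have to come from elsewhere (e.g. a CSP frame-ancestors directive).
            if (this.frameOptionsDisable) {
                httpSecurity.headers().frameOptions().disable();
            }
            // The post-processor swaps in the custom metadata source and decision manager on
            // the interceptor. NOTE(review): once the metadata source is replaced, the
            // anyRequest().authenticated() rule below is presumably no longer what gets
            // evaluated - confirm that URLFilterInvocationSecurityMetadataSource returns a
            // non-empty attribute set for every URL that must be protected.
            httpSecurity
                    .sessionManagement().sessionCreationPolicy(this.sessionCreationPolicy)
                    .and()
                    .authorizeRequests()
                    .withObjectPostProcessor(new ObjectPostProcessor<FilterSecurityInterceptor>() {
                        public <O extends FilterSecurityInterceptor> O postProcess(O o) {
                            o.setSecurityMetadataSource(ResourceServerConfiguration.this.securityMetadataSource);
                            o.setAccessDecisionManager(ResourceServerConfiguration.this.accessDecisionManager());
                            return o;
                        }
                    })
                    .anyRequest().authenticated();
        }
    }

    /**
     * @param messageSource message source handed to the exception translator
     */
    public SecurityResourceServerConfiguration(MessageSource messageSource) {
        this.messageSource = messageSource;
    }

    /**
     * @return the OAuth2-aware error handler bean
     */
    @Bean
    public SecurityOAuth2ErrorHandler securityErrorHandler() {
        return new SecurityOAuth2ErrorHandler();
    }

    /**
     * @return the exception translator shared by the token endpoint, the authentication entry
     *     point and the access-denied handler, built from {@code app.web.ok.enable} and the
     *     message source
     */
    @Bean
    public WebResponseExceptionTranslator<OAuth2Exception> webResponseExceptionTranslator() {
        return new CustomWebResponseExceptionTranslator(this.okEnable, this.messageSource);
    }
}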
