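package com.cm.serviceusercenter.config;

import com.cm.serviceusercenter.converter.UserAccessTokenConverter;
import com.cm.serviceusercenter.service.OauthClientDetailsService;
import com.cm.serviceusercenter.service.OauthClientTokenService;
import com.cm.serviceusercenter.service.UserDetailServiceImpl;
import com.cm.serviceusercenter.service.system.role.IRoleService;
import com.cm.serviceusercenter.service.system.user.IUserService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.CompositeTokenGranter;
import org.springframework.security.oauth2.provider.OAuth2RequestFactory;
import org.springframework.security.oauth2.provider.TokenGranter;
import org.springframework.security.oauth2.provider.TokenRequest;
import org.springframework.security.oauth2.provider.approval.TokenStoreUserApprovalHandler;
import org.springframework.security.oauth2.provider.approval.UserApprovalHandler;
import org.springframework.security.oauth2.provider.client.ClientCredentialsTokenGranter;
import org.springframework.security.oauth2.provider.code.AuthorizationCodeServices;
import org.springframework.security.oauth2.provider.code.AuthorizationCodeTokenGranter;
import org.springframework.security.oauth2.provider.code.InMemoryAuthorizationCodeServices;
import org.springframework.security.oauth2.provider.implicit.ImplicitTokenGranter;
import org.springframework.security.oauth2.provider.password.ResourceOwnerPasswordTokenGranter;
import org.springframework.security.oauth2.provider.refresh.RefreshTokenGranter;
import org.springframework.security.oauth2.provider.request.DefaultOAuth2RequestFactory;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;
import org.springframework.security.oauth2.provider.token.store.JwtTokenStore;
import javax.sql.DataSource;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;

/**
 * Single sign-on authorization server configuration.
 *
 * <p>Wires the OAuth2 authorization endpoints under the {@code /oauth_client/*} prefix, stores
 * access tokens as signed JWTs, and assembles the set of token granters used by this server.
 *
 * <p>The JWT signing key is read from configuration (see {@link #jwtAccessTokenConverter()});
 * it is a shared HMAC secret, so anyone who learns it can mint tokens this server will accept.
 *
 * @author WangGeng
 * @since 2019/2/14
 * @version 1.0
 */
@Configuration
@EnableAuthorizationServer
public class AuthorizationConfig extends AuthorizationServerConfigurerAdapter {

    /**
     * Minimum accepted length of the HMAC signing secret, in bytes. {@link JwtAccessTokenConverter}
     * signs with HMAC-SHA256 when given a symmetric key, and RFC 7518 section 3.2 requires a key of
     * at least 256 bits for HS256.
     */
    private static final int MIN_SIGNING_KEY_BYTES = 32;

    @Autowired
    private AuthenticationManager authenticationManager;

    // Injected but not referenced by any method in this class; kept so existing wiring
    // requirements do not change.
    @Autowired
    private DataSource dataSource;

    @Autowired
    private UserDetailServiceImpl userDetailService;

    @Autowired
    private IRoleService roleService;

    @Autowired
    private IUserService userService;

    @Autowired
    private OauthClientDetailsService oauthClientDetailsService;

    @Autowired
    private OauthClientTokenService oauthClientTokenService;

    /**
     * Symmetric JWT signing secret, supplied through the {@code security.oauth2.jwt.signing-key}
     * property (no default: startup fails if it is missing). Previously this was a hard-coded
     * four-character literal, which is both guessable and visible to anyone with the source.
     */
    @Value("${security.oauth2.jwt.signing-key}")
    private String jwtSigningKey;

    /**
     * Registers the client store.
     *
     * @param clients the client-details configurer
     * @throws Exception propagated from the configurer
     */
    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        // Clients are looked up through the injected service, not an in-memory store.
        clients.withClientDetails(oauthClientDetailsService);
    }

    /**
     * Access rules for the {@code token_key} and {@code check_token} endpoints.
     *
     * <p>Because tokens are signed with a symmetric key, {@code /oauth_client/token_key} returns
     * the signing secret itself. It therefore must not be {@code permitAll()}: an anonymous
     * caller could read the secret and forge tokens. Requiring an authenticated client is the
     * minimum; since every registered client can then read the secret, distributing the key
     * out-of-band and using {@code denyAll()} here, or switching to an RSA key pair, is stronger.
     *
     * @param security the authorization-server security configurer
     */
    @Override
    public void configure(AuthorizationServerSecurityConfigurer security) {
        security
                .tokenKeyAccess("isAuthenticated()")
                .checkTokenAccess("isAuthenticated()")
                // Permits client_id/client_secret in the form body as well as HTTP Basic.
                .allowFormAuthenticationForClients();
    }

    /**
     * Maps the standard OAuth2 endpoints onto the {@code /oauth_client} prefix and installs the
     * JWT token store and converter.
     *
     * <p>Note that the {@link #tokenGranter()} bean is not passed to the endpoints here, so the
     * endpoints use the framework's default granter chain.
     *
     * @param endpoints the endpoints configurer
     */
    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) {
        endpoints
                .pathMapping("/oauth/authorize", "/oauth_client/authorize")
                .pathMapping("/oauth/token", "/oauth_client/token")
                .pathMapping("/oauth/token_key", "/oauth_client/token_key")
                .pathMapping("/oauth/check_token", "/oauth_client/check_token")
                .pathMapping("/oauth/confirm_access", "/oauth_client/confirm_access")
                .pathMapping("/oauth/error", "/oauth_client/error")
                .authenticationManager(authenticationManager)
                .tokenStore(jwtTokenStore())
                .accessTokenConverter(jwtAccessTokenConverter())
                .userDetailsService(userDetailService);
    }

    /**
     * JWT-backed token store; tokens are self-contained and nothing is persisted.
     *
     * @return the token store
     */
    @Bean(name = "jwtTokenStore")
    public TokenStore jwtTokenStore() {
        return new JwtTokenStore(jwtAccessTokenConverter());
    }

    /**
     * Builds the JWT converter that signs access tokens and enriches them with user/role claims.
     *
     * @return the configured converter
     * @throws IllegalStateException if the configured signing key is null or shorter than
     *     {@link #MIN_SIGNING_KEY_BYTES} bytes; the key value itself is never included in the
     *     message
     */
    @Bean(name = "jwtAccessTokenConverter")
    public JwtAccessTokenConverter jwtAccessTokenConverter() {
        if (jwtSigningKey == null
                || jwtSigningKey.getBytes(StandardCharsets.UTF_8).length < MIN_SIGNING_KEY_BYTES) {
            throw new IllegalStateException(
                    "security.oauth2.jwt.signing-key must be set and at least "
                            + MIN_SIGNING_KEY_BYTES + " bytes long");
        }
        JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
        // Custom claim mapping so the client receives the user's roles/profile after login.
        converter.setAccessTokenConverter(new UserAccessTokenConverter(roleService, userService));
        converter.setSigningKey(jwtSigningKey);
        return converter;
    }

    /**
     * Composite granter over the granters returned by {@link #getDefaultTokenGranters()}.
     *
     * <p>The delegate is created on first use rather than at bean construction; this mirrors the
     * framework's own pattern and presumably defers resolution of the granter dependencies.
     * Concurrent first calls may each build a delegate, which is harmless because construction
     * has no side effects.
     *
     * @return the lazily initialised composite granter
     */
    @Bean
    public TokenGranter tokenGranter() {
        return new TokenGranter() {
            private CompositeTokenGranter delegate;

            @Override
            public OAuth2AccessToken grant(String grantType, TokenRequest tokenRequest) {
                if (delegate == null) {
                    delegate = new CompositeTokenGranter(getDefaultTokenGranters());
                }
                return delegate.grant(grantType, tokenRequest);
            }
        };
    }

    /**
     * Authorization-code store.
     *
     * <p>NOTE(review): this is the in-memory implementation, so codes issued by one instance are
     * presumably not redeemable on another — confirm this matches the deployment topology.
     *
     * @return the authorization-code services
     */
    @Bean
    public AuthorizationCodeServices authorizationCodeServices() {
        return new InMemoryAuthorizationCodeServices();
    }

    /**
     * Assembles the granters for the authorization_code, refresh_token, implicit,
     * client_credentials and (when an {@link AuthenticationManager} is present) password grants.
     *
     * <p>The implicit and password grants are enabled here because the original configuration
     * enabled them; both are discouraged by the OAuth 2.0 Security Best Current Practice, so drop
     * the corresponding entries if no client needs them.
     *
     * @return the granters, in the order they are consulted
     */
    private List<TokenGranter> getDefaultTokenGranters() {
        AuthorizationCodeServices codeServices = authorizationCodeServices();
        // Reuse the request-factory bean instead of building a second, identical instance.
        OAuth2RequestFactory requestFactory = oAuth2RequestFactory();

        List<TokenGranter> granters = new ArrayList<>();
        granters.add(new AuthorizationCodeTokenGranter(
                oauthClientTokenService, codeServices, oauthClientDetailsService, requestFactory));
        granters.add(new RefreshTokenGranter(
                oauthClientTokenService, oauthClientDetailsService, requestFactory));
        granters.add(new ImplicitTokenGranter(
                oauthClientTokenService, oauthClientDetailsService, requestFactory));
        granters.add(new ClientCredentialsTokenGranter(
                oauthClientTokenService, oauthClientDetailsService, requestFactory));
        if (authenticationManager != null) {
            granters.add(new ResourceOwnerPasswordTokenGranter(
                    authenticationManager, oauthClientTokenService, oauthClientDetailsService,
                    requestFactory));
        }
        return granters;
    }

    /**
     * Request factory backed by the client-details service.
     *
     * @return the request factory
     */
    @Bean
    public OAuth2RequestFactory oAuth2RequestFactory() {
        return new DefaultOAuth2RequestFactory(oauthClientDetailsService);
    }

    /**
     * Approval handler that consults the token store for previously granted scopes.
     *
     * <p>NOTE(review): the configured store is the stateless {@link JwtTokenStore}, so the lookup
     * of earlier tokens is presumably always empty and approval falls back to the client's
     * auto-approve settings — confirm this is the intended behaviour.
     *
     * @return the approval handler
     */
    @Bean
    public UserApprovalHandler userApprovalHandler() {
        TokenStoreUserApprovalHandler handler = new TokenStoreUserApprovalHandler();
        handler.setClientDetailsService(oauthClientDetailsService);
        handler.setTokenStore(jwtTokenStore());
        handler.setRequestFactory(oAuth2RequestFactory());
        return handler;
    }
}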