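package com.example.loginapi

import org.springframework.beans.factory.annotation.Value
import org.springframework.context.annotation.Bean
import org.springframework.context.annotation.Configuration
import org.springframework.security.config.annotation.web.builders.HttpSecurity
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer
import org.springframework.security.oauth2.provider.token.DefaultTokenServices
import org.springframework.security.oauth2.provider.token.TokenStore
import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter
import org.springframework.security.oauth2.provider.token.store.jwk.JwkTokenStore

/**
 * Resource-server security for the login API, built on the legacy
 * `spring-security-oauth2` stack (see the imports above).
 *
 * Access tokens are JWTs whose signatures are checked by the [JwkTokenStore]
 * against the JWK set at `spring.security.oauth2.resourceserver.jwt.jwk-set-uri`.
 * The separate [jwtAccessTokenConverter] bean is configured with the PEM
 * public key, but [tokenStore] does not reference it, so that key plays no
 * part in the verification done by this class.
 *
 * Authorisation rules ([configure]):
 *  - `/api/**`      requires a token carrying the `read` or `write` scope
 *  - `/actuator/**` requires one of the SUPER_ADMIN / SYS_ADMIN / ACTUATOR roles
 *  - everything else requires an authenticated principal (fail closed; the
 *    previous version had no rule for unmatched paths, which lets them through)
 *
 * NOTE(review): spring-security-oauth2 is end-of-life; moving to Spring
 * Security's built-in `oauth2ResourceServer()` support is the long-term fix
 * and is out of scope for this change.
 *
 * @author sombochea
 * @since 1.0
 */
@Configuration
@EnableResourceServer
open class OauthResourceServerSecurity : ResourceServerConfigurerAdapter() {

    /** Project-specific converter that maps token claims to an authentication. */
    private val cubeConverter: CubeJwtAccessTokenConverter = CubeJwtAccessTokenConverter()

    /** PEM public key handed to [jwtAccessTokenConverter]; see the class comment for what it is (not) used for. */
    @Value("\${spring.security.oauth2.resourceserver.jwt.public-key}")
    var publicKey: String? = null

    /** URL of the authorization server's JWK set used to verify token signatures. */
    @Value("\${spring.security.oauth2.resourceserver.jwt.jwk-set-uri}")
    var jwkSetUri: String? = null

    /** Lazily-created store shared by [tokenStore] and [configure]. */
    private var tokenStore: TokenStore? = null

    override fun configure(resources: ResourceServerSecurityConfigurer) {
        println("Loaded system with resource id: $RESOURCE_ID")
        resources
            .tokenStore(tokenStore())
            // Tokens whose `aud` claim does not contain this id are rejected.
            .resourceId(RESOURCE_ID)
            // NOTE(review): stateless(false) lets an existing HTTP session satisfy
            // authentication in addition to a bearer token. Unless that session
            // path is deliberately relied on, `stateless(true)` is the safer
            // setting for a token-only API — confirm with the callers before changing.
            .stateless(false)
    }

    @Throws(Exception::class)
    override fun configure(http: HttpSecurity) {
        http.exceptionHandling()
            .and()
            .authorizeRequests()
            .antMatchers("/api/**")
            .access("#oauth2.hasAnyScope('read','write')")
            .antMatchers("/actuator/**")
            .hasAnyRole("SUPER_ADMIN", "SYS_ADMIN", "ACTUATOR")
            // Fail closed: without a catch-all rule, requests matching neither
            // pattern above carry no authorization requirement and are let through.
            .anyRequest()
            .authenticated()
    }

    /** Token services backed by the injected [TokenStore]; no other customisation. */
    @Bean
    fun tokenServices(tokenStore: TokenStore?): DefaultTokenServices =
        DefaultTokenServices().apply { setTokenStore(tokenStore) }

    /**
     * JWK-backed token store, created on first use and cached so the resource
     * configuration and the bean refer to the same instance.
     *
     * @throws IllegalStateException if the JWK set URI property is missing, so a
     *   misconfigured deployment fails at startup instead of at the first request.
     */
    @Bean
    fun tokenStore(): TokenStore? {
        val existing = tokenStore
        if (existing != null) return existing
        val uri = checkNotNull(jwkSetUri) {
            "spring.security.oauth2.resourceserver.jwt.jwk-set-uri must be set"
        }
        return JwkTokenStore(uri, cubeConverter).also { tokenStore = it }
    }

    /**
     * [JwtAccessTokenConverter] wired with the project converter and the
     * configured PEM public key. Not used by [tokenStore] (which verifies via
     * the JWK set); exposed for other consumers of the bean.
     */
    @Bean
    fun jwtAccessTokenConverter(): JwtAccessTokenConverter {
        val converter = JwtAccessTokenConverter()
        converter.accessTokenConverter = cubeConverter
        converter.setVerifierKey(publicKey)
        return converter
    }

    companion object {
        /**
         * Audience id that tokens must carry. NOTE(review): the `-dev` suffix
         * looks environment-specific; confirm it is not what production deploys.
         */
        private const val RESOURCE_ID = "cubetiq-clinic-dev"
    }
}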