package io.github.microcks.config;

import io.github.microcks.security.AuthorizationChecker;
import io.github.microcks.security.MicrocksJwtConverter;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
import org.springframework.boot.autoconfigure.security.oauth2.client.servlet.OAuth2ClientAutoConfiguration;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configurers.AuthorizeHttpRequestsConfigurer;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;

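/**
 * Spring Security setup: declares two stateless {@link SecurityFilterChain} beans.
 *
 * <ul>
 *   <li>The mock chain is scoped to {@code /rest/**}, {@code /graphql/**} and {@code /soap/**}
 *       and permits every request on those paths without authentication.</li>
 *   <li>The API chain has no security matcher, so it applies to every other request. When
 *       {@code keycloak.enabled} is true it enforces role checks on selected {@code /api}
 *       paths using JWT bearer tokens; otherwise it permits everything.</li>
 * </ul>
 *
 * <p>NOTE(review): neither bean carries an explicit {@code @Order}. The mock chain has to be
 * consulted before the catch-all API chain for its matcher to have any effect; confirm that
 * the ordering is deterministic in the deployed Spring version.
 */
@Configuration
@EnableWebSecurity
@EnableAutoConfiguration(exclude = {OAuth2ClientAutoConfiguration.class})
public class SecurityConfiguration {
    private static final Logger log = LoggerFactory.getLogger(SecurityConfiguration.class);

    // Deliberately not final: Spring assigns this field by reflection after construction.
    // The initializer is only the value seen when the class is created outside the container.
    @Value("${keycloak.enabled}")
    private Boolean keycloakEnabled = true;

    /**
     * Builds the filter chain for mock endpoints ({@code /rest/**}, {@code /graphql/**},
     * {@code /soap/**}).
     *
     * <p>Every request on these paths is permitted without authentication, so anything served
     * under them is reachable by any client that can reach the listener. Network-level
     * restrictions are the only control for these paths as far as this class shows.
     *
     * @param httpSecurity the builder supplied by Spring Security
     * @return the chain restricted to the mock path prefixes
     * @throws Exception if the underlying builder fails
     */
    @Bean
    public SecurityFilterChain configureMockSecurityFilterChain(HttpSecurity httpSecurity) throws Exception {
        log.info("Starting security configuration for mocks");
        applyStatelessDefaults(httpSecurity);
        httpSecurity
                .securityMatcher("/rest/**", "/graphql/**", "/soap/**")
                .authorizeHttpRequests(registry -> registry.anyRequest().permitAll());
        disableFrameOptions(httpSecurity);
        return httpSecurity.build();
    }

    /**
     * Builds the filter chain for everything not claimed by the mock chain, including
     * {@code /api/**}.
     *
     * <p>With Keycloak enabled, requests are authenticated as an OAuth2 resource server (JWT)
     * and the listed paths require roles. The rule set ends with
     * {@code anyRequest().permitAll()}, so it is default-open: any path that is not listed
     * below is served without authentication. A new {@code /api} endpoint therefore stays
     * unauthenticated at this layer until a matcher is added for it.
     *
     * <p>With Keycloak disabled, every request is permitted, including the
     * {@code /api/secrets} and {@code /api/import}/{@code /api/export} paths that are
     * otherwise restricted.
     *
     * @param httpSecurity the builder supplied by Spring Security
     * @return the catch-all chain
     * @throws Exception if the underlying builder fails
     */
    @Bean
    public SecurityFilterChain configureAPISecurityFilterChain(HttpSecurity httpSecurity) throws Exception {
        log.info("Starting security configuration for APIs");
        applyStatelessDefaults(httpSecurity);
        if (Boolean.TRUE.equals(this.keycloakEnabled)) {
            log.info("Keycloak is enabled, configuring oauth2 & request authorization");
            // Rules are evaluated in declaration order and the first match decides. "*" covers
            // exactly one path segment, so "/api/services/*" and "/api/services/*/*" do not
            // shadow each other. Matchers without an HttpMethod apply to every verb.
            // NOTE(review): a USER-role token therefore passes this layer for write verbs on
            // /api/services/* and /api/jobs/* too; confirm finer checks exist elsewhere.
            httpSecurity.authorizeHttpRequests(registry -> registry
                    .requestMatchers("/api/services", "/api/services/*", "/api/jobs", "/api/jobs/*")
                    .hasAnyRole(AuthorizationChecker.ROLE_USER, AuthorizationChecker.ROLE_MANAGER,
                            AuthorizationChecker.ROLE_ADMIN)
                    .requestMatchers("/api/services/*/*")
                    .hasAnyRole(AuthorizationChecker.ROLE_MANAGER, AuthorizationChecker.ROLE_ADMIN)
                    .requestMatchers("/api/jobs/*/*")
                    .hasAnyRole(AuthorizationChecker.ROLE_MANAGER, AuthorizationChecker.ROLE_ADMIN)
                    .requestMatchers("/api/artifact/*")
                    .hasAnyRole(AuthorizationChecker.ROLE_MANAGER, AuthorizationChecker.ROLE_ADMIN)
                    .requestMatchers("/api/import/*", "/api/export/*")
                    .hasAnyRole(AuthorizationChecker.ROLE_ADMIN)
                    // Secrets: read access for any known role, mutation for admins only.
                    .requestMatchers(HttpMethod.GET, "/api/secrets")
                    .hasAnyRole(AuthorizationChecker.ROLE_USER, AuthorizationChecker.ROLE_MANAGER,
                            AuthorizationChecker.ROLE_ADMIN)
                    .requestMatchers(HttpMethod.GET, "/api/secrets/*")
                    .hasAnyRole(AuthorizationChecker.ROLE_USER, AuthorizationChecker.ROLE_MANAGER,
                            AuthorizationChecker.ROLE_ADMIN)
                    .requestMatchers(HttpMethod.POST, "/api/secrets")
                    .hasAnyRole(AuthorizationChecker.ROLE_ADMIN)
                    .requestMatchers(HttpMethod.PUT, "/api/secrets/*")
                    .hasAnyRole(AuthorizationChecker.ROLE_ADMIN)
                    .requestMatchers(HttpMethod.DELETE, "/api/secrets/*")
                    .hasAnyRole(AuthorizationChecker.ROLE_ADMIN)
                    // Default-open fallthrough: anything not listed above is unauthenticated.
                    // NOTE(review): presumably needed for UI assets; a denyAll() default with
                    // explicit public paths would fail closed instead. Confirm before changing.
                    .anyRequest().permitAll());
            // Bearer tokens are validated as JWTs. MicrocksJwtConverter is defined elsewhere;
            // presumably it maps token claims to the ROLE_* authorities checked above (verify).
            httpSecurity.oauth2ResourceServer(resourceServer ->
                    resourceServer.jwt(jwt -> jwt.jwtAuthenticationConverter(new MicrocksJwtConverter())));
        } else {
            // No authentication at all in this mode: every endpoint, secrets included, is
            // reachable by any client that can reach the listener.
            log.info("Keycloak is disabled, permitting all requests");
            httpSecurity.authorizeHttpRequests(registry -> registry.anyRequest().permitAll());
        }
        disableFrameOptions(httpSecurity);
        return httpSecurity.build();
    }

    /** Applies the session, CSRF and CORS settings shared by both chains. */
    private static void applyStatelessDefaults(HttpSecurity httpSecurity) throws Exception {
        // No HTTP session is created or used by Spring Security for these requests.
        httpSecurity.sessionManagement(session ->
                session.sessionCreationPolicy(SessionCreationPolicy.STATELESS));
        // CSRF protection is off. That is sound only while credentials travel in an
        // Authorization header; revisit if cookie-based authentication is ever added.
        httpSecurity.csrf(csrf -> csrf.disable());
        // Turns off Spring Security's CORS handling inside this chain; it does not by itself
        // grant cross-origin access.
        httpSecurity.cors(cors -> cors.disable());
    }

    /** Removes the X-Frame-Options response header from the chain being built. */
    private static void disableFrameOptions(HttpSecurity httpSecurity) throws Exception {
        // With the header gone, responses may be embedded in frames by any origin.
        // NOTE(review): if only same-origin framing is needed, sameOrigin() is the narrower
        // setting; confirm which embedders rely on this before tightening.
        httpSecurity.headers(headers -> headers.frameOptions(frameOptions -> frameOptions.disable()));
    }
}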
