package com.c4_soft.springaddons.security.oauth2.config.synchronised;

import com.c4_soft.springaddons.security.oauth2.OAuthentication;
import com.c4_soft.springaddons.security.oauth2.OpenidClaimSet;
import com.c4_soft.springaddons.security.oauth2.SynchronizedJwt2AuthenticationConverter;
import com.c4_soft.springaddons.security.oauth2.SynchronizedJwt2ClaimSetConverter;
import com.c4_soft.springaddons.security.oauth2.SynchronizedJwt2OAuthenticationConverter;
import com.c4_soft.springaddons.security.oauth2.config.ConfigurableJwtGrantedAuthoritiesConverter;
import com.c4_soft.springaddons.security.oauth2.config.Jwt2AuthoritiesConverter;
import com.c4_soft.springaddons.security.oauth2.config.SpringAddonsSecurityProperties;
import java.io.Serializable;
import java.util.Arrays;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import javax.servlet.http.HttpServletRequest;
import lombok.Generated;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.boot.autoconfigure.AutoConfiguration;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.boot.autoconfigure.security.oauth2.resource.OAuth2ResourceServerProperties;
import org.springframework.boot.autoconfigure.web.ServerProperties;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Import;
import org.springframework.core.convert.converter.Converter;
import org.springframework.http.HttpStatus;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationManagerResolver;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configurers.ChannelSecurityConfigurer;
import org.springframework.security.config.annotation.web.configurers.CsrfConfigurer;
import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoders;
import org.springframework.security.oauth2.jwt.SupplierJwtDecoder;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationProvider;
import org.springframework.security.oauth2.server.resource.authentication.JwtIssuerAuthenticationManagerResolver;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.util.StringUtils;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

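/**
 * Auto-configuration for a servlet OAuth2 resource server that authenticates bearer JWTs.
 *
 * <p>Every bean is {@code @ConditionalOnMissingBean}, so an application can override any of them.
 * The defaults wire up:
 * <ul>
 *   <li>a {@link SecurityFilterChain} driven by {@link SpringAddonsSecurityProperties}
 *       (permit-all paths, CORS, CSRF, session policy, channel requirement);</li>
 *   <li>a {@link JwtIssuerAuthenticationManagerResolver} holding one authentication manager per
 *       configured issuer location;</li>
 *   <li>converters from {@link Jwt} to claims, authorities and an {@link OAuthentication}.</li>
 * </ul>
 *
 * <p>The listing appears to be decompiler output (see the "loaded from" marker below); some raw-type
 * casts are kept where the target type is declared by project interfaces not visible here.
 */
@AutoConfiguration
@EnableWebSecurity
@Import({SpringAddonsSecurityProperties.class})
/* loaded from: input_file:com/c4_soft/springaddons/security/oauth2/config/synchronised/ServletSecurityBeans.class */
public class ServletSecurityBeans {

    @Generated
    private static final Logger log = LoggerFactory.getLogger(ServletSecurityBeans.class);

    /**
     * Default access rule applied after the permit-all matchers: every other request must be
     * authenticated.
     *
     * @param springAddonsSecurityProperties unused by the default implementation
     * @return a post-processor that ends the registry with {@code anyRequest().authenticated()}
     */
    @ConditionalOnMissingBean
    @Bean
    ExpressionInterceptUrlRegistryPostProcessor expressionInterceptUrlRegistryPostProcessor(SpringAddonsSecurityProperties springAddonsSecurityProperties) {
        // Deny-by-default: anything not explicitly permitted earlier in the chain needs a valid token.
        return registry -> ((ExpressionUrlAuthorizationConfigurer.AuthorizedUrl) registry.anyRequest()).authenticated();
    }

    /**
     * Default hook for last-minute {@link HttpSecurity} customisation: returns its argument as is.
     *
     * @return an identity post-processor
     */
    @ConditionalOnMissingBean
    @Bean
    HttpSecurityPostProcessor httpSecurityPostProcessor() {
        return httpSecurity -> httpSecurity;
    }

    /**
     * Builds the resource-server filter chain from the add-ons properties.
     *
     * @param httpSecurity builder to configure
     * @param authenticationManagerResolver resolves the authentication manager for each request
     * @param expressionInterceptUrlRegistryPostProcessor applied after the permit-all matchers
     * @param httpSecurityPostProcessor applied to the builder just before {@code build()}
     * @param serverProperties read for the SSL setting that selects the channel requirement
     * @param springAddonsSecurityProperties permit-all paths, CORS, CSRF and session options
     * @return the configured filter chain
     * @throws Exception propagated from the {@link HttpSecurity} configurers
     */
    @ConditionalOnMissingBean
    @Bean
    SecurityFilterChain filterChain(HttpSecurity httpSecurity, AuthenticationManagerResolver<HttpServletRequest> authenticationManagerResolver, ExpressionInterceptUrlRegistryPostProcessor expressionInterceptUrlRegistryPostProcessor, HttpSecurityPostProcessor httpSecurityPostProcessor, ServerProperties serverProperties, SpringAddonsSecurityProperties springAddonsSecurityProperties) throws Exception {
        httpSecurity.oauth2ResourceServer(resourceServer -> resourceServer.authenticationManagerResolver(authenticationManagerResolver));

        // Anonymous authentication is only switched on when at least one path is open to everyone.
        if (springAddonsSecurityProperties.getPermitAll().length > 0) {
            httpSecurity.anonymous();
        }

        if (springAddonsSecurityProperties.getCors().length > 0) {
            httpSecurity.cors().configurationSource(corsConfigurationSource(springAddonsSecurityProperties));
        }

        if (springAddonsSecurityProperties.isCsrfEnabled()) {
            CsrfConfigurer<HttpSecurity> csrf = httpSecurity.csrf();
            if (springAddonsSecurityProperties.isStatlessSessions()) {
                // No HTTP session to hold the token, so it travels in a cookie instead.
                // NOTE(review): the default CookieCsrfTokenRepository marks the cookie HttpOnly, so
                // browser scripts cannot read it to echo it back in a header; confirm clients do not
                // need CookieCsrfTokenRepository.withHttpOnlyFalse().
                csrf.csrfTokenRepository(new CookieCsrfTokenRepository());
            }
        } else {
            // NOTE(review): disabling CSRF protection is only appropriate while requests are
            // authorised solely by the bearer token in the Authorization header; revisit if
            // cookie- or session-based authentication is ever added in front of this chain.
            httpSecurity.csrf().disable();
        }

        if (springAddonsSecurityProperties.isStatlessSessions()) {
            httpSecurity.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
        }

        if (!springAddonsSecurityProperties.isRedirectToLoginIfUnauthorizedOnRestrictedContent()) {
            httpSecurity.exceptionHandling().authenticationEntryPoint((request, response, authenticationException) -> {
                // NOTE(review): this chain authenticates bearer JWTs, yet the challenge advertises the
                // Basic scheme, which makes browsers prompt for a username/password that nothing here
                // validates. RFC 6750 describes a "Bearer" challenge for resource servers. The header
                // value is kept unchanged because clients may already depend on it.
                response.addHeader("WWW-Authenticate", "Basic realm=\"Restricted Content\"");
                response.sendError(HttpStatus.UNAUTHORIZED.value(), HttpStatus.UNAUTHORIZED.getReasonPhrase());
            });
        }

        // NOTE(review): with SSL off in this application every request is required to use the
        // insecure channel. When TLS is terminated by a proxy in front of the application, verify
        // forwarded-header handling so that HTTPS clients are not sent back to plain HTTP.
        boolean sslEnabled = serverProperties.getSsl() != null && serverProperties.getSsl().isEnabled();
        if (sslEnabled) {
            httpSecurity.requiresChannel().anyRequest().requiresSecure();
        } else {
            httpSecurity.requiresChannel().anyRequest().requiresInsecure();
        }

        // Permit-all matchers are registered first; the post-processor then adds the remaining rules.
        expressionInterceptUrlRegistryPostProcessor.authorizeRequests(httpSecurity.authorizeRequests().antMatchers(springAddonsSecurityProperties.getPermitAll()).permitAll());
        return (SecurityFilterChain) httpSecurityPostProcessor.process(httpSecurity).build();
    }

    /**
     * Default converter from a validated {@link Jwt} to an {@link OAuthentication}.
     *
     * @param jwt2AuthoritiesConverter extracts granted authorities from the token
     * @param synchronizedJwt2ClaimSetConverter turns the token into the claim set used as principal data
     * @param <T> claim-set type
     * @return the authentication converter
     */
    @ConditionalOnMissingBean
    @Bean
    <T extends Map<String, Object> & Serializable> SynchronizedJwt2AuthenticationConverter<OAuthentication<T>> authenticationConverter(Jwt2AuthoritiesConverter jwt2AuthoritiesConverter, SynchronizedJwt2ClaimSetConverter<T> synchronizedJwt2ClaimSetConverter) {
        log.debug("Building default SynchronizedJwt2OAuthenticationConverter");
        return new SynchronizedJwt2OAuthenticationConverter(jwt2AuthoritiesConverter, synchronizedJwt2ClaimSetConverter);
    }

    /**
     * Default authorities converter, configured from the add-ons properties.
     *
     * @param springAddonsSecurityProperties configuration handed to the converter
     * @return a {@link ConfigurableJwtGrantedAuthoritiesConverter}
     */
    @ConditionalOnMissingBean
    @Bean
    Jwt2AuthoritiesConverter authoritiesConverter(SpringAddonsSecurityProperties springAddonsSecurityProperties) {
        // The message used to name a different class than the one instantiated on the next line.
        log.debug("Building default ConfigurableJwtGrantedAuthoritiesConverter with: {}", springAddonsSecurityProperties);
        return new ConfigurableJwtGrantedAuthoritiesConverter(springAddonsSecurityProperties);
    }

    /**
     * Default claim-set converter: wraps the token claims in an {@link OpenidClaimSet}.
     *
     * @return the claim-set converter
     */
    @ConditionalOnMissingBean
    @Bean
    SynchronizedJwt2ClaimSetConverter<OpenidClaimSet> claimsConverter() {
        log.debug("Building default SynchronizedJwt2OpenidClaimSetConverter");
        return jwt -> new OpenidClaimSet(jwt.getClaims());
    }

    /**
     * Builds one authentication manager per configured issuer location and exposes them through a
     * {@link JwtIssuerAuthenticationManagerResolver}.
     *
     * <p>Issuer locations are the union of the Spring Boot {@code issuer-uri} and the add-ons token
     * issuers; null and empty values are dropped and duplicates collapse into one entry. The
     * resolver is a plain map lookup, so an issuer that is not configured here resolves to no
     * manager at all.
     *
     * @param oAuth2ResourceServerProperties Spring Boot resource-server properties
     * @param springAddonsSecurityProperties add-ons properties listing additional token issuers
     * @param converter converts a validated {@link Jwt} into the application's authentication
     * @return the issuer-based authentication manager resolver
     */
    @ConditionalOnMissingBean
    @Bean
    JwtIssuerAuthenticationManagerResolver authenticationManagerResolver(OAuth2ResourceServerProperties oAuth2ResourceServerProperties, SpringAddonsSecurityProperties springAddonsSecurityProperties, Converter<Jwt, ? extends AbstractAuthenticationToken> converter) {
        // ofNullable: tolerate absent JWT properties instead of failing with a NullPointerException.
        Set<String> issuerLocations = Stream.<Object>concat(
                        Optional.ofNullable(oAuth2ResourceServerProperties.getJwt()).map(jwt -> jwt.getIssuerUri()).stream(),
                        Arrays.stream(springAddonsSecurityProperties.getTokenIssuers()).map(issuer -> issuer.getLocation()))
                .filter(Objects::nonNull)
                .map(Object::toString)
                .filter(StringUtils::hasLength)
                .collect(Collectors.toSet());

        Map<String, AuthenticationManager> managersByIssuer = issuerLocations.stream().collect(Collectors.toMap(location -> location, location -> {
            // The decoder is wrapped in a supplier, so it is created from the issuer location on
            // demand rather than while this bean is being built.
            JwtAuthenticationProvider provider = new JwtAuthenticationProvider(new SupplierJwtDecoder(() -> JwtDecoders.fromIssuerLocation(location)));
            provider.setJwtAuthenticationConverter(converter);
            AuthenticationManager manager = provider::authenticate;
            return manager;
        }));

        // The original format string had no "{}" placeholders, so both arguments were silently dropped.
        log.debug("Building default JwtIssuerAuthenticationManagerResolver with: {} {}", oAuth2ResourceServerProperties.getJwt(), Arrays.asList(springAddonsSecurityProperties.getTokenIssuers()));

        // The decompiled lambda referenced an undeclared variable here; the lookup must go to the
        // issuer map built above. The cast selects the AuthenticationManagerResolver<String> constructor.
        return new JwtIssuerAuthenticationManagerResolver((AuthenticationManagerResolver<String>) managersByIssuer::get);
    }

    /**
     * Translates the configured CORS entries into a {@link CorsConfigurationSource}, one
     * {@link CorsConfiguration} per configured path.
     *
     * <p>Origins, methods and headers are taken verbatim from the properties, so the effective
     * cross-origin policy is exactly as broad as the configuration makes it.
     *
     * @param springAddonsSecurityProperties properties holding the CORS entries
     * @return the path-based CORS configuration source
     */
    private CorsConfigurationSource corsConfigurationSource(SpringAddonsSecurityProperties springAddonsSecurityProperties) {
        log.debug("Building default CorsConfigurationSource with: {}", Arrays.asList(springAddonsSecurityProperties.getCors()));
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        for (SpringAddonsSecurityProperties.CorsProperties corsProperties : springAddonsSecurityProperties.getCors()) {
            CorsConfiguration configuration = new CorsConfiguration();
            configuration.setAllowedOrigins(Arrays.asList(corsProperties.getAllowedOrigins()));
            configuration.setAllowedMethods(Arrays.asList(corsProperties.getAllowedMethods()));
            configuration.setAllowedHeaders(Arrays.asList(corsProperties.getAllowedHeaders()));
            configuration.setExposedHeaders(Arrays.asList(corsProperties.getExposedHeaders()));
            source.registerCorsConfiguration(corsProperties.getPath(), configuration);
        }
        return source;
    }
}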
