package org.crue.hercules.sgi.framework.web.config;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.List;
import java.util.Map;
import java.util.stream.Collectors;
import lombok.Generated;
import org.crue.hercules.sgi.framework.security.oauth2.client.oicd.userinfo.KeycloakOidcUserService;
import org.crue.hercules.sgi.framework.security.oauth2.server.resource.authentication.SgiJwtAuthenticationConverter;
import org.crue.hercules.sgi.framework.security.web.authentication.logout.KeycloakLogoutHandler;
import org.crue.hercules.sgi.framework.security.web.exception.handler.WebSecurityExceptionHandler;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.core.convert.converter.Converter;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserRequest;
import org.springframework.security.oauth2.client.userinfo.OAuth2UserService;
import org.springframework.security.oauth2.core.oidc.user.OidcUser;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.web.client.RestTemplate;

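/**
 * Default Spring Security setup for SGI web modules.
 *
 * <p>Every endpoint requires an authenticated caller except the error page, the liveness and
 * readiness probes, {@code /public/**} and {@code /config/time-zone}. Authentication is
 * resource-server style (bearer JWT) and, optionally, an interactive Keycloak OIDC login.
 *
 * <p>Security-relevant switches read from configuration:
 * <ul>
 *   <li>{@code spring.security.oauth2.enable-login} (default {@code false}): wires the OIDC
 *       login flow and the Keycloak logout handler.</li>
 *   <li>{@code spring.security.csrf.enable} (default {@code true}): {@code false} switches CSRF
 *       protection off entirely.</li>
 *   <li>{@code spring.security.frameoptions.enable} (default {@code true}): {@code false} stops
 *       the {@code X-Frame-Options} header from being sent.</li>
 *   <li>{@code spring.security.oauth2.resourceserver.jwt.user-name-claim} (default {@code sub}):
 *       the token claim used as the principal name.</li>
 * </ul>
 *
 * <p>Ordered at {@code Integer.MAX_VALUE - 5} so an application-provided adapter with a lower
 * order value is applied ahead of this one.
 */
@Configuration
@Order(Integer.MAX_VALUE - 5)
public class SgiWebSecurityConfig extends WebSecurityConfigurerAdapter {

    private static final Logger log = LoggerFactory.getLogger(SgiWebSecurityConfig.class);

    /** Whether the interactive OIDC (Keycloak) login is enabled in addition to bearer tokens. */
    @Value("${spring.security.oauth2.enable-login:false}")
    private boolean loginEnabled;

    /** JWT claim whose value becomes the authenticated principal's name. */
    @Value("${spring.security.oauth2.resourceserver.jwt.user-name-claim:sub}")
    private String userNameClaim;

    /** CSRF protection toggle; see {@link #configure(HttpSecurity)} for when it is safe to disable. */
    @Value("${spring.security.csrf.enable:true}")
    private boolean csrfEnabled;

    /** {@code X-Frame-Options} toggle (clickjacking protection). */
    @Value("${spring.security.frameoptions.enable:true}")
    private boolean frameoptionsEnabled;

    /** Decoder for access tokens; also handed to the OIDC user service. */
    @Autowired
    private JwtDecoder jwtDecoder;

    /** Optional handler that renders access-denied and (without login) unauthenticated responses. */
    @Autowired(required = false)
    WebSecurityExceptionHandler webSecurityExceptionHandler;

    /**
     * Builds the filter chain: default-deny authorization, JWT resource server, then the
     * property-driven CSRF / frame-options / login / exception-handling options.
     *
     * @param httpSecurity the builder supplied by Spring Security
     * @throws Exception propagated from the {@link HttpSecurity} DSL
     */
    @Override
    protected void configure(HttpSecurity httpSecurity) throws Exception {
        log.debug("configure(HttpSecurity http) - start");

        httpSecurity
            .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
                .and()
            .authorizeRequests()
                // Unauthenticated: error page and the health probes.
                .antMatchers("/error", "/actuator/health/liveness", "/actuator/health/readiness").permitAll()
                // Unauthenticated: explicitly public resources.
                .antMatchers("/public/**", "/config/time-zone").permitAll()
                // Default deny: everything else needs an authenticated caller.
                .antMatchers("/**").authenticated()
                .and()
            .oauth2ResourceServer()
                .jwt()
                    .jwtAuthenticationConverter(jwtAuthenticationConverter());

        if (this.csrfEnabled) {
            // The XSRF-TOKEN cookie is deliberately not HttpOnly so a browser SPA can read it
            // and echo it back in the X-XSRF-TOKEN header.
            httpSecurity.csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
        } else {
            // Only safe when no request is authenticated by a session cookie (pure bearer-token
            // API). With login enabled a session exists, so CSRF should stay on.
            httpSecurity.csrf().disable();
        }

        if (!this.frameoptionsEnabled) {
            // Removes X-Frame-Options from every response: pages become embeddable in frames.
            httpSecurity.headers().frameOptions().disable();
        }

        if (this.loginEnabled) {
            httpSecurity
                .oauth2Login()
                    .userInfoEndpoint()
                        .oidcUserService(keycloakOidcUserService())
                        .and()
                    .and()
                .logout()
                    .addLogoutHandler(keycloakLogoutHandler());
        }

        if (this.webSecurityExceptionHandler != null) {
            httpSecurity.exceptionHandling().accessDeniedHandler(this.webSecurityExceptionHandler);
            if (!this.loginEnabled) {
                // Without an interactive login there is nothing to redirect an anonymous caller
                // to, so the handler also answers unauthenticated requests. With login enabled
                // the default entry point is kept.
                httpSecurity.exceptionHandling().authenticationEntryPoint(this.webSecurityExceptionHandler);
            }
        }

        log.debug("configure(HttpSecurity http) - end");
    }

    /**
     * OIDC user service for the login flow. It receives the same {@link JwtDecoder} and
     * authentication converter as the resource server, presumably so that browser sessions
     * derive their authorities the same way bearer-token calls do.
     *
     * @return a new {@link KeycloakOidcUserService}
     */
    protected OAuth2UserService<OidcUserRequest, OidcUser> keycloakOidcUserService() {
        log.debug("keycloakOidcUserService() - start");
        KeycloakOidcUserService keycloakOidcUserService =
                new KeycloakOidcUserService(this.jwtDecoder, jwtAuthenticationConverter());
        log.debug("keycloakOidcUserService() - end");
        return keycloakOidcUserService;
    }

    /**
     * Converter from a validated {@link Jwt} to an authentication token: authorities come from
     * {@link #jwtGrantedAuthoritiesConverter()} and the principal name from the configured claim.
     *
     * @return a new converter instance (one per call)
     */
    protected Converter<Jwt, AbstractAuthenticationToken> jwtAuthenticationConverter() {
        log.debug("jwtAuthenticationConverter() - start");
        SgiJwtAuthenticationConverter sgiJwtAuthenticationConverter = new SgiJwtAuthenticationConverter();
        sgiJwtAuthenticationConverter.setJwtGrantedAuthoritiesConverter(jwtGrantedAuthoritiesConverter());
        sgiJwtAuthenticationConverter.setUserNameClaim(this.userNameClaim);
        log.debug("jwtAuthenticationConverter() - end");
        return sgiJwtAuthenticationConverter;
    }

    /**
     * Maps token claims to {@link GrantedAuthority} instances; see {@link #extractAuthorities(Jwt)}
     * for the rules.
     *
     * @return the claim-to-authorities converter
     */
    protected Converter<Jwt, Collection<GrantedAuthority>> jwtGrantedAuthoritiesConverter() {
        log.debug("jwtGrantedAuthoritiesConverter() - start");
        Converter<Jwt, Collection<GrantedAuthority>> converter = this::extractAuthorities;
        log.debug("jwtGrantedAuthoritiesConverter() - end");
        return converter;
    }

    /**
     * Authority extraction rules:
     * <ul>
     *   <li>If the token carries a Keycloak {@code realm_access} claim, its {@code roles} entries
     *       are used verbatim as authority names (no {@code ROLE_} prefix is added).</li>
     *   <li>Otherwise the caller gets {@code ROLE_USER} plus one {@code SCOPE_*} authority per
     *       space-separated entry of the {@code scope} claim. Note that this means every token
     *       the resource server accepts is granted {@code ROLE_USER}.</li>
     * </ul>
     *
     * @param jwt a token already validated by the resource server
     * @return the authorities for the token, never {@code null}
     */
    private Collection<GrantedAuthority> extractAuthorities(Jwt jwt) {
        log.debug("convert(final Jwt jwt) - start");
        Object realmAccess = jwt.getClaims().get("realm_access");
        Collection<GrantedAuthority> authorities;
        if (realmAccess != null) {
            authorities = realmRoleAuthorities(realmAccess);
        } else {
            log.warn("No realm_access found in token");
            authorities = fallbackAuthorities(jwt);
        }
        log.debug("convert(final Jwt jwt) - end");
        return authorities;
    }

    /**
     * Authorities from a present {@code realm_access} claim. A claim that is not an object or
     * has no {@code roles} list yields no authorities (fail closed) instead of the
     * {@link NullPointerException} the unchecked dereference used to raise.
     */
    private static Collection<GrantedAuthority> realmRoleAuthorities(Object realmAccess) {
        Object roles = realmAccess instanceof Map ? ((Map<?, ?>) realmAccess).get("roles") : null;
        if (!(roles instanceof Collection)) {
            log.warn("realm_access claim present but has no roles list; granting no authorities");
            return new ArrayList<>();
        }
        // Elements are expected to be strings; anything else fails with a ClassCastException
        // rather than being silently coerced into a role name.
        return ((Collection<?>) roles).stream()
                .map(role -> new SimpleGrantedAuthority((String) role))
                .collect(Collectors.toList());
    }

    /** {@code ROLE_USER} plus {@code SCOPE_<scope>} for each non-empty entry of the {@code scope} claim. */
    private static Collection<GrantedAuthority> fallbackAuthorities(Jwt jwt) {
        List<GrantedAuthority> authorities = new ArrayList<>();
        authorities.add(new SimpleGrantedAuthority("ROLE_USER"));
        String scope = (String) jwt.getClaims().get("scope");
        if (scope != null) {
            // Skip empty fragments (empty claim, repeated separators) so no bare "SCOPE_" is granted.
            Arrays.stream(scope.split(" "))
                    .filter(s -> !s.isEmpty())
                    .map(s -> new SimpleGrantedAuthority("SCOPE_" + s))
                    .forEach(authorities::add);
        }
        return authorities;
    }

    /**
     * Logout handler that also ends the Keycloak session.
     *
     * <p>NOTE(review): the {@link RestTemplate} is created with defaults, i.e. without connect
     * or read timeouts, so an unresponsive identity provider can stall the logout request.
     *
     * @return a new {@link KeycloakLogoutHandler}
     */
    protected KeycloakLogoutHandler keycloakLogoutHandler() {
        log.debug("keycloakLogoutHandler() - start");
        KeycloakLogoutHandler keycloakLogoutHandler = new KeycloakLogoutHandler(new RestTemplate());
        log.debug("keycloakLogoutHandler() - end");
        return keycloakLogoutHandler;
    }
}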
