package org.factcast.server.security;

import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
import java.io.IOException;
import java.io.InputStream;
import java.util.List;
import java.util.Optional;
import lombok.Generated;
import org.factcast.server.security.auth.FactCastAccessConfiguration;
import org.factcast.server.security.auth.FactCastAccount;
import org.factcast.server.security.auth.FactCastSecretProperties;
import org.factcast.server.security.auth.FactCastSecurityProperties;
import org.factcast.server.security.auth.FactCastUser;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.boot.autoconfigure.condition.ConditionalOnBean;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.boot.autoconfigure.condition.ConditionalOnResource;
import org.springframework.boot.context.properties.ConfigurationProperties;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.io.ClassPathResource;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.password.NoOpPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@EnableConfigurationProperties
@Configuration
/* loaded from: input_file:org/factcast/server/security/CommonSecurityConfiguration.class */
public class CommonSecurityConfiguration {

    @SuppressFBWarnings(justification = "generated code")
    @Generated
    private static final Logger log = LoggerFactory.getLogger(CommonSecurityConfiguration.class);
    private static final String FACTCAST_ACCESS_JSON = "/factcast-access.json";

    @ConditionalOnMissingBean
    @ConfigurationProperties(prefix = "factcast.access", ignoreUnknownFields = false)
    @Bean
    public FactCastSecretProperties factCastSecretProperties() {
        return new FactCastSecretProperties();
    }

    @ConditionalOnMissingBean
    @ConfigurationProperties(prefix = "factcast.security", ignoreUnknownFields = false)
    @Bean
    public FactCastSecurityProperties factcastSecurityProperties() {
        return new FactCastSecurityProperties();
    }

    @ConditionalOnMissingBean
    @ConditionalOnResource(resources = {"classpath:/factcast-access.json"})
    @Bean
    public FactCastAccessConfiguration authenticationConfig(FactCastSecretProperties factCastSecretProperties) throws IOException {
        return parseAccessConfiguration(factCastSecretProperties, new ClassPathResource(FACTCAST_ACCESS_JSON));
    }

    @ConditionalOnMissingBean
    @ConditionalOnResource(resources = {"file:./config//factcast-access.json"})
    @Bean
    public FactCastAccessConfiguration authenticationConfigViaConfig(FactCastSecretProperties factCastSecretProperties) throws IOException {
        return parseAccessConfiguration(factCastSecretProperties, new ClassPathResource("file:./config//factcast-access.json"));
    }

    @ConditionalOnMissingBean
    @Bean
    public PasswordEncoder passwordEncoder() {
        return NoOpPasswordEncoder.getInstance();
    }

    @ConditionalOnMissingBean({UserDetailsService.class})
    @ConditionalOnBean({FactCastAccessConfiguration.class})
    @Bean
    UserDetailsService userDetailsService(FactCastAccessConfiguration factCastAccessConfiguration, FactCastSecretProperties factCastSecretProperties, PasswordEncoder passwordEncoder) {
        log.info("FactCast Security is enabled.");
        return str -> {
            return (UserDetails) factCastAccessConfiguration.findAccountById(str).flatMap(factCastAccount -> {
                return Optional.of(factCastSecretProperties.getSecrets().get(factCastAccount.id())).map(str -> {
                    return toUser(factCastAccount, passwordEncoder.encode(str));
                });
            }).orElseThrow(() -> {
                return new UsernameNotFoundException(str);
            });
        };
    }

    private FactCastUser toUser(FactCastAccount factCastAccount, String str) {
        return new FactCastUser(factCastAccount, str);
    }

    @ConditionalOnMissingBean({FactCastAccessConfiguration.class, UserDetailsService.class})
    @Bean
    UserDetailsService godModeUserDetailsService(FactCastSecurityProperties factCastSecurityProperties, PasswordEncoder passwordEncoder) {
        if (!factCastSecurityProperties.isEnabled()) {
            log.warn("**** FactCast Security is disabled. This is discouraged for production environments. You have been warned. ****");
            return str -> {
                return new FactCastUser(FactCastAccount.GOD, passwordEncoder.encode("security_disabled"));
            };
        }
        log.error("**** FactCast Security is disabled. ****");
        log.error("* If you really want to, you can run Factcast in such a configuration ");
        log.error("* by adding a property 'factcast.security.enabled=false' to your setup. However, it is");
        log.error("* highly encouraged to provide a factcast-access.json instead.");
        log.error("**** -> see https://docs.factcast.org/setup/grpc-client/grpc-config-basicauth/");
        System.exit(1);
        return null;
    }

    private static FactCastAccessConfiguration parseAccessConfiguration(FactCastSecretProperties factCastSecretProperties, ClassPathResource classPathResource) throws IOException {
        InputStream inputStream = classPathResource.getInputStream();
        try {
            FactCastAccessConfiguration read = FactCastAccessConfiguration.read(inputStream);
            if (factCastSecretProperties.getSecrets().isEmpty()) {
                log.info("'factcast.access' does not contain any secrets. We assume you are using a different authentication mechanism by providing a custom UserDetailsService bean.");
                if (inputStream != null) {
                    inputStream.close();
                }
                return read;
            }
            List<String> list = read.accounts().stream().map((v0) -> {
                return v0.id();
            }).toList();
            for (String str : list) {
                if (!factCastSecretProperties.getSecrets().containsKey(str)) {
                    throw new IllegalArgumentException("Missing secret for account: '" + str + "'");
                }
            }
            for (String str2 : factCastSecretProperties.getSecrets().keySet()) {
                if (!list.contains(str2)) {
                    log.warn("Secret found for account '" + str2 + "' but the account is not defined in FactCastAccessConfiguration");
                }
            }
            if (inputStream != null) {
                inputStream.close();
            }
            return read;
        } catch (Throwable th) {
            if (inputStream != null) {
                try {
                    inputStream.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }
}
