package org.opentmf.security.config;

import lombok.Generated;
import org.opentmf.security.jwt.GrantedAuthoritiesConverter;
import org.opentmf.security.model.Endpoint;
import org.opentmf.security.model.OpenTmfSecurityProperties;
import org.opentmf.security.model.SecureEndpoint;
import org.springframework.boot.autoconfigure.AutoConfiguration;
import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.method.configuration.EnableReactiveMethodSecurity;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.oauth2.jwt.ReactiveJwtDecoder;
import org.springframework.security.oauth2.server.resource.authentication.ReactiveJwtAuthenticationConverter;
import org.springframework.security.oauth2.server.resource.authentication.ReactiveJwtGrantedAuthoritiesConverterAdapter;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.savedrequest.NoOpServerRequestCache;
import org.springframework.util.CollectionUtils;

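/**
 * Reactive (WebFlux) security auto-configuration for OpenTMF services.
 *
 * <p>Builds a single stateless resource-server {@link SecurityWebFilterChain}: requests are
 * authenticated with a JWT validated by the injected {@link ReactiveJwtDecoder}, the
 * session/browser-login features (request cache, CSRF, form login, HTTP basic, logout) are
 * disabled, and the authorization rules are derived from {@link OpenTmfSecurityProperties}.
 * Any exchange not matched by a configured rule is denied.
 *
 * <p>Rule precedence follows registration order (first matching rule wins): blacklist, then
 * whitelist, then allowed endpoints, then secure endpoints, then deny-all.
 */
@EnableConfigurationProperties({OpenTmfSecurityProperties.class})
@AutoConfiguration(after = {ReactiveJwtAutoConfiguration.class})
@EnableWebFluxSecurity
@EnableReactiveMethodSecurity
@ConditionalOnWebApplication(type = ConditionalOnWebApplication.Type.REACTIVE)
public class ReactiveSecurityAutoConfiguration {
    // Source of the blacklist/whitelist/allowed/secure endpoint definitions and claim names.
    private final OpenTmfSecurityProperties openTmfSecurityProperties;
    // Decoder used to validate incoming bearer tokens; supplied by ReactiveJwtAutoConfiguration.
    private final ReactiveJwtDecoder reactiveJwtDecoder;

    /**
     * Assembles the resource-server filter chain.
     *
     * @param serverHttpSecurity the Spring Security builder for the reactive chain
     * @return the built filter chain
     */
    @Bean
    public SecurityWebFilterChain reactiveSecurityFilterChain(ServerHttpSecurity serverHttpSecurity) {
        return serverHttpSecurity
                // Stateless API: there is never a saved request to replay after login.
                .requestCache(requestCacheSpec ->
                        requestCacheSpec.requestCache(NoOpServerRequestCache.getInstance()))
                // CSRF protection defends cookie/session-authenticated requests; this chain accepts
                // bearer JWTs only, so it is disabled together with the other browser-login features.
                .csrf(ServerHttpSecurity.CsrfSpec::disable)
                .formLogin(ServerHttpSecurity.FormLoginSpec::disable)
                .httpBasic(ServerHttpSecurity.HttpBasicSpec::disable)
                .logout(ServerHttpSecurity.LogoutSpec::disable)
                // Default security response headers; CORS uses a CorsConfigurationSource bean if
                // the application declares one.
                .headers(Customizer.withDefaults())
                .cors(Customizer.withDefaults())
                .authorizeExchange(applyOpenTmfSecurityDefinitions())
                .oauth2ResourceServer(configureResourceServer())
                .build();
    }

    /**
     * Configures JWT bearer-token authentication with the injected decoder and the
     * principal/authority mapping from {@link #jwtAuthenticationConverter()}.
     *
     * @return the resource-server customizer
     */
    private Customizer<ServerHttpSecurity.OAuth2ResourceServerSpec> configureResourceServer() {
        return resourceServerSpec -> resourceServerSpec.jwt(jwtSpec ->
                jwtSpec.jwtDecoder(this.reactiveJwtDecoder)
                        .jwtAuthenticationConverter(jwtAuthenticationConverter()));
    }

    /**
     * Builds the converter that turns a validated JWT into an {@code Authentication}: the principal
     * name is read from the configured user claim and authorities from the configured
     * authorities claim (both resolved through {@code CommonConfig}).
     *
     * @return the JWT-to-authentication converter
     */
    private ReactiveJwtAuthenticationConverter jwtAuthenticationConverter() {
        String authoritiesClaim =
                CommonConfig.authoritiesClaimName(this.openTmfSecurityProperties.getAuthoritiesClaim());
        String principalClaim =
                CommonConfig.principalClaimName(this.openTmfSecurityProperties.getUserClaim());

        ReactiveJwtGrantedAuthoritiesConverterAdapter authoritiesConverter =
                new ReactiveJwtGrantedAuthoritiesConverterAdapter(
                        new GrantedAuthoritiesConverter(authoritiesClaim));

        ReactiveJwtAuthenticationConverter converter = new ReactiveJwtAuthenticationConverter();
        converter.setPrincipalClaimName(principalClaim);
        converter.setJwtGrantedAuthoritiesConverter(authoritiesConverter);
        return converter;
    }

    /**
     * Registers the authorization rules in precedence order and closes with deny-all so that an
     * endpoint missing from the configuration is never reachable by accident.
     *
     * @return the authorize-exchange customizer
     */
    private Customizer<ServerHttpSecurity.AuthorizeExchangeSpec> applyOpenTmfSecurityDefinitions() {
        return authorizeExchangeSpec -> {
            // Order matters: the first matching rule decides, so denials are registered first.
            configureBlacklist(authorizeExchangeSpec);
            configureWhiteList(authorizeExchangeSpec);
            configureAllowedEndpoints(authorizeExchangeSpec);
            configureSecureEndpoints(authorizeExchangeSpec);
            authorizeExchangeSpec.anyExchange().denyAll();
        };
    }

    /**
     * Permits each configured (method, path) endpoint without authentication. Skipped when the
     * property is not set, mirroring the whitelist/blacklist handling instead of failing with an NPE.
     *
     * @param authorizeExchangeSpec the rule registry
     */
    private void configureAllowedEndpoints(ServerHttpSecurity.AuthorizeExchangeSpec authorizeExchangeSpec) {
        if (this.openTmfSecurityProperties.getAllowedEndpoints() == null) {
            return;
        }
        for (Endpoint endpoint : this.openTmfSecurityProperties.getAllowedEndpoints()) {
            authorizeExchangeSpec.pathMatchers(endpoint.getMethod(), endpoint.getPath()).permitAll();
        }
    }

    /**
     * Permits the whitelisted path patterns for every HTTP method. No rule is registered when the
     * whitelist is absent or empty.
     *
     * @param authorizeExchangeSpec the rule registry
     */
    private void configureWhiteList(ServerHttpSecurity.AuthorizeExchangeSpec authorizeExchangeSpec) {
        if (CollectionUtils.isEmpty(this.openTmfSecurityProperties.getWhitelist())) {
            return;
        }
        String[] patterns = this.openTmfSecurityProperties.getWhitelist().toArray(String[]::new);
        authorizeExchangeSpec.pathMatchers(patterns).permitAll();
    }

    /**
     * Denies the blacklisted path patterns for every HTTP method. Registered before any permit rule
     * so a blacklisted path cannot be re-opened by a later whitelist or endpoint entry.
     *
     * @param authorizeExchangeSpec the rule registry
     */
    private void configureBlacklist(ServerHttpSecurity.AuthorizeExchangeSpec authorizeExchangeSpec) {
        if (CollectionUtils.isEmpty(this.openTmfSecurityProperties.getBlacklist())) {
            return;
        }
        String[] patterns = this.openTmfSecurityProperties.getBlacklist().toArray(String[]::new);
        authorizeExchangeSpec.pathMatchers(patterns).denyAll();
    }

    /**
     * Requires one of the configured roles (as granted authorities) for each secure (method, path)
     * endpoint. An entry with no roles can match no authority and is therefore effectively denied.
     * Skipped when the property is not set.
     *
     * @param authorizeExchangeSpec the rule registry
     */
    private void configureSecureEndpoints(ServerHttpSecurity.AuthorizeExchangeSpec authorizeExchangeSpec) {
        if (this.openTmfSecurityProperties.getSecureEndpoints() == null) {
            return;
        }
        for (SecureEndpoint secureEndpoint : this.openTmfSecurityProperties.getSecureEndpoints()) {
            authorizeExchangeSpec
                    .pathMatchers(secureEndpoint.getMethod(), secureEndpoint.getPath())
                    .hasAnyAuthority(secureEndpoint.getRoles());
        }
    }

    /**
     * Creates the configuration with its two collaborators.
     *
     * @param openTmfSecurityProperties endpoint and claim-name configuration
     * @param reactiveJwtDecoder decoder used to validate bearer tokens
     */
    @Generated
    public ReactiveSecurityAutoConfiguration(OpenTmfSecurityProperties openTmfSecurityProperties, ReactiveJwtDecoder reactiveJwtDecoder) {
        this.openTmfSecurityProperties = openTmfSecurityProperties;
        this.reactiveJwtDecoder = reactiveJwtDecoder;
    }
}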
