package org.opentmf.security.config;

import lombok.Generated;
import org.opentmf.security.jwt.GrantedAuthoritiesConverter;
import org.opentmf.security.model.OpenTmfSecurityProperties;
import org.springframework.boot.autoconfigure.AutoConfiguration;
import org.springframework.boot.autoconfigure.AutoConfigureAfter;
import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication;
import org.springframework.boot.autoconfigure.web.reactive.function.client.WebClientAutoConfiguration;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configurers.AuthorizeHttpRequestsConfigurer;
import org.springframework.security.config.annotation.web.configurers.oauth2.server.resource.OAuth2ResourceServerConfigurer;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.util.CollectionUtils;

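/**
 * Servlet-stack security auto-configuration for services acting as a stateless JWT resource
 * server.
 *
 * <p>Requests are authenticated with a bearer JWT validated by the injected {@link JwtDecoder};
 * no HTTP session, login form, HTTP Basic or logout endpoint is exposed. Authorization rules are
 * derived from {@link OpenTmfSecurityProperties} and registered in a fixed precedence order (see
 * {@link #applyOpenTmfSecurityDefinitions}); any request matched by no rule is denied.
 */
@EnableConfigurationProperties({OpenTmfSecurityProperties.class})
@AutoConfiguration(after = {ServletJwtAutoConfiguration.class})
@EnableWebSecurity
@EnableMethodSecurity(securedEnabled = true, jsr250Enabled = true)
@AutoConfigureAfter({WebClientAutoConfiguration.class})
@ConditionalOnWebApplication(type = ConditionalOnWebApplication.Type.SERVLET)
public class ServletSecurityAutoConfiguration {
    private final OpenTmfSecurityProperties openTmfSecurityProperties;
    private final JwtDecoder jwtDecoder;

    /**
     * Creates the configuration.
     *
     * @param openTmfSecurityProperties bound security properties (whitelist, blacklist, endpoint
     *     rules and claim names)
     * @param jwtDecoder decoder used to validate incoming bearer tokens
     */
    public ServletSecurityAutoConfiguration(OpenTmfSecurityProperties openTmfSecurityProperties, JwtDecoder jwtDecoder) {
        this.openTmfSecurityProperties = openTmfSecurityProperties;
        this.jwtDecoder = jwtDecoder;
    }

    /**
     * Builds the servlet {@link SecurityFilterChain}.
     *
     * <p>The chain is stateless (no session is ever created) and accepts only bearer JWTs: form
     * login, HTTP Basic and logout are switched off. CSRF protection is disabled on that basis —
     * with no session- or cookie-bound credential there is nothing for a cross-site request to
     * ride on; it must be re-enabled if any cookie-based authentication is ever added to this
     * chain. Security headers and CORS handling are left at Spring Security's defaults.
     *
     * @param httpSecurity builder supplied by Spring Security
     * @return the configured filter chain
     * @throws Exception propagated from {@link HttpSecurity#build()}
     */
    @Bean
    public SecurityFilterChain servletSecurityFilterChain(HttpSecurity httpSecurity) throws Exception {
        return httpSecurity
                .sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
                .csrf(csrf -> csrf.disable())
                .formLogin(formLogin -> formLogin.disable())
                .httpBasic(httpBasic -> httpBasic.disable())
                .logout(logout -> logout.disable())
                .headers(Customizer.withDefaults())
                .cors(Customizer.withDefaults())
                .authorizeHttpRequests(this::applyOpenTmfSecurityDefinitions)
                .oauth2ResourceServer(this::configureResourceServer)
                .build();
    }

    /**
     * Registers the authorization rules in precedence order.
     *
     * <p>Spring Security evaluates rules in registration order and applies the first match, so the
     * order here <em>is</em> the policy: blacklist entries (deny) win over whitelist entries
     * (permit), which win over the per-method allowed and secured endpoints; anything matched by
     * none of them falls through to {@code denyAll}.
     *
     * @param registry request-matcher registry supplied by {@code authorizeHttpRequests}
     */
    private void applyOpenTmfSecurityDefinitions(
            AuthorizeHttpRequestsConfigurer<HttpSecurity>.AuthorizationManagerRequestMatcherRegistry registry) {
        configureBlacklist(registry);
        configureWhitelist(registry);
        configureAllowedEndpoints(registry);
        configureSecureEndpoints(registry);
        // Default-deny: every request not matched by an explicit rule above is rejected.
        registry.anyRequest().denyAll();
    }

    /**
     * Permits, without authentication and for any HTTP method, every request matching a
     * whitelisted path pattern. Skipped when no whitelist is configured. Pattern syntax is
     * whatever {@code requestMatchers(String...)} resolves to on this classpath (MVC or Ant
     * matching).
     *
     * @param registry request-matcher registry to add rules to
     */
    private void configureWhitelist(
            AuthorizeHttpRequestsConfigurer<HttpSecurity>.AuthorizationManagerRequestMatcherRegistry registry) {
        if (CollectionUtils.isEmpty(this.openTmfSecurityProperties.getWhitelist())) {
            return;
        }
        this.openTmfSecurityProperties.getWhitelist()
                .forEach(pattern -> registry.requestMatchers(pattern).permitAll());
    }

    /**
     * Denies every request matching a blacklisted path pattern, regardless of HTTP method or
     * authentication. Registered first so a blacklist entry always beats a whitelist entry for the
     * same path. Skipped when no blacklist is configured.
     *
     * @param registry request-matcher registry to add rules to
     */
    private void configureBlacklist(
            AuthorizeHttpRequestsConfigurer<HttpSecurity>.AuthorizationManagerRequestMatcherRegistry registry) {
        if (CollectionUtils.isEmpty(this.openTmfSecurityProperties.getBlacklist())) {
            return;
        }
        this.openTmfSecurityProperties.getBlacklist()
                .forEach(pattern -> registry.requestMatchers(pattern).denyAll());
    }

    /**
     * Permits, without authentication, each configured (method, path) pair.
     *
     * @param registry request-matcher registry to add rules to
     */
    private void configureAllowedEndpoints(
            AuthorizeHttpRequestsConfigurer<HttpSecurity>.AuthorizationManagerRequestMatcherRegistry registry) {
        // Guarded like the white/black lists so an absent property does not fail startup with an NPE.
        if (CollectionUtils.isEmpty(this.openTmfSecurityProperties.getAllowedEndpoints())) {
            return;
        }
        this.openTmfSecurityProperties.getAllowedEndpoints()
                .forEach(endpoint -> registry.requestMatchers(endpoint.getMethod(), endpoint.getPath()).permitAll());
    }

    /**
     * Requires one of the configured authorities for each secured (method, path) pair.
     *
     * <p>{@code hasAnyAuthority} compares the configured role names verbatim against the
     * authorities produced by {@link GrantedAuthoritiesConverter}; no {@code ROLE_} prefix is
     * added. NOTE(review): an endpoint configured with an empty role list is expected to be
     * rejected by Spring Security at startup rather than silently permitted — confirm.
     *
     * @param registry request-matcher registry to add rules to
     */
    private void configureSecureEndpoints(
            AuthorizeHttpRequestsConfigurer<HttpSecurity>.AuthorizationManagerRequestMatcherRegistry registry) {
        // Guarded like the white/black lists so an absent property does not fail startup with an NPE.
        if (CollectionUtils.isEmpty(this.openTmfSecurityProperties.getSecureEndpoints())) {
            return;
        }
        this.openTmfSecurityProperties.getSecureEndpoints()
                .forEach(endpoint -> registry.requestMatchers(endpoint.getMethod(), endpoint.getPath())
                        .hasAnyAuthority(endpoint.getRoles()));
    }

    /**
     * Configures the resource server to validate bearer JWTs with the injected decoder and to map
     * them to an {@code Authentication} via {@link #jwtAuthenticationConverter()}.
     *
     * @param resourceServer the OAuth2 resource-server configurer
     */
    private void configureResourceServer(OAuth2ResourceServerConfigurer<HttpSecurity> resourceServer) {
        resourceServer.jwt(jwt -> {
            jwt.decoder(this.jwtDecoder);
            jwt.jwtAuthenticationConverter(jwtAuthenticationConverter());
        });
    }

    /**
     * Builds the JWT-to-Authentication converter: the principal name is read from the configured
     * user claim and granted authorities from the configured authorities claim.
     * {@code CommonConfig} presumably resolves a default claim name when a property is unset —
     * confirm in CommonConfig.
     *
     * @return a converter wired with the configured claim names
     */
    private JwtAuthenticationConverter jwtAuthenticationConverter() {
        String authoritiesClaim = CommonConfig.authoritiesClaimName(this.openTmfSecurityProperties.getAuthoritiesClaim());
        String principalClaim = CommonConfig.principalClaimName(this.openTmfSecurityProperties.getUserClaim());

        JwtAuthenticationConverter converter = new JwtAuthenticationConverter();
        converter.setPrincipalClaimName(principalClaim);
        converter.setJwtGrantedAuthoritiesConverter(new GrantedAuthoritiesConverter(authoritiesClaim));
        return converter;
    }
}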
