package com.c4_soft.springaddons.security.oauth2.config.synchronised;

import com.c4_soft.springaddons.security.oauth2.config.SpringAddonsSecurityProperties;
import jakarta.servlet.http.HttpServletRequest;
import java.util.Arrays;
import java.util.Collection;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import lombok.Generated;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.boot.autoconfigure.AutoConfiguration;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.boot.autoconfigure.security.oauth2.resource.OAuth2ResourceServerProperties;
import org.springframework.boot.autoconfigure.web.ServerProperties;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Import;
import org.springframework.core.annotation.Order;
import org.springframework.core.convert.converter.Converter;
import org.springframework.http.HttpStatus;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.authentication.AuthenticationManagerResolver;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configurers.AuthorizeHttpRequestsConfigurer;
import org.springframework.security.config.annotation.web.configurers.ChannelSecurityConfigurer;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoders;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationProvider;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;
import org.springframework.security.oauth2.server.resource.authentication.JwtIssuerAuthenticationManagerResolver;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.util.StringUtils;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

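/**
 * Auto-configuration for a servlet OAuth2 resource server.
 *
 * <p>Contributes a {@link SecurityFilterChain} that authenticates bearer JWTs through an
 * {@link AuthenticationManagerResolver}, together with default beans that an application can
 * replace (each is {@code @ConditionalOnMissingBean}): the access-control post-processor, the
 * {@link HttpSecurity} post-processor, the JWT to authentication converter, and the per-issuer
 * authentication manager resolver.
 *
 * <p>CORS, CSRF, session policy, the permit-all matchers and the trusted issuers are all read
 * from {@link SpringAddonsSecurityProperties}.
 */
@AutoConfiguration
@EnableWebSecurity
@Import({AddonsSecurityBeans.class})
public class AddonsWebSecurityBeans {

    @Generated
    private static final Logger log = LoggerFactory.getLogger(AddonsWebSecurityBeans.class);

    /**
     * Converter from a decoded {@link Jwt} to the authentication placed in the security context.
     *
     * @param <T> concrete authentication type produced for a valid JWT
     */
    public interface Jwt2AuthenticationConverter<T extends AbstractAuthenticationToken> extends Converter<Jwt, T> {
    }

    /**
     * Builds the resource-server filter chain from the add-ons properties.
     *
     * <p>{@code Integer.MAX_VALUE} is the lowest precedence, so any filter chain declared with an
     * explicit lower order value is consulted before this one.
     *
     * @param httpSecurity builder to configure
     * @param serverProperties used only to detect whether SSL is enabled
     * @param springAddonsSecurityProperties source of the CORS, CSRF, session and permit-all settings
     * @param expressionInterceptUrlRegistryPostProcessor hook deciding access to every route that is not permit-all
     * @param httpSecurityPostProcessor last hook applied to the builder before {@code build()}
     * @param authenticationManagerResolver resolver used to authenticate bearer tokens
     * @return the configured filter chain
     * @throws Exception if the {@link HttpSecurity} DSL fails
     */
    @Order(Integer.MAX_VALUE)
    @Bean
    SecurityFilterChain c4ResourceServerSecurityFilterChain(HttpSecurity httpSecurity, ServerProperties serverProperties, SpringAddonsSecurityProperties springAddonsSecurityProperties, ExpressionInterceptUrlRegistryPostProcessor expressionInterceptUrlRegistryPostProcessor, HttpSecurityPostProcessor httpSecurityPostProcessor, AuthenticationManagerResolver<HttpServletRequest> authenticationManagerResolver) throws Exception {
        httpSecurity.oauth2ResourceServer(resourceServer -> resourceServer.authenticationManagerResolver(authenticationManagerResolver));

        if (springAddonsSecurityProperties.getPermitAll().length > 0) {
            httpSecurity.anonymous();
        }

        if (springAddonsSecurityProperties.getCors().length > 0) {
            httpSecurity.cors().configurationSource(corsConfigurationSource(springAddonsSecurityProperties));
        } else {
            httpSecurity.cors().disable();
        }

        configureCsrf(httpSecurity, springAddonsSecurityProperties);

        if (springAddonsSecurityProperties.isStatlessSessions()) {
            httpSecurity.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
        }

        if (!springAddonsSecurityProperties.isRedirectToLoginIfUnauthorizedOnRestrictedContent()) {
            // Answer unauthenticated requests with a plain 401 instead of a redirect to a login page.
            // NOTE(review): the challenge advertises "Basic" although this chain authenticates bearer
            // tokens; the header value is left unchanged because clients may already match on it.
            httpSecurity.exceptionHandling().authenticationEntryPoint((request, response, authenticationException) -> {
                response.addHeader("WWW-Authenticate", "Basic realm=\"Restricted Content\"");
                response.sendError(HttpStatus.UNAUTHORIZED.value(), HttpStatus.UNAUTHORIZED.getReasonPhrase());
            });
        }

        if (serverProperties.getSsl() != null && serverProperties.getSsl().isEnabled()) {
            httpSecurity.requiresChannel().anyRequest().requiresSecure();
        }

        // The permit-all matchers are registered first; everything else is decided by the
        // post-processor. Every pattern in getPermitAll() is reachable without a token, so that
        // property deserves the same review as code.
        expressionInterceptUrlRegistryPostProcessor.authorizeHttpRequests(httpSecurity.authorizeHttpRequests().requestMatchers(springAddonsSecurityProperties.getPermitAll()).permitAll());
        return (SecurityFilterChain) httpSecurityPostProcessor.process(httpSecurity).build();
    }

    /**
     * Applies the configured CSRF mode to the builder.
     *
     * @param httpSecurity builder to configure
     * @param springAddonsSecurityProperties source of the CSRF mode and of the stateless-sessions flag
     * @throws Exception if the {@link HttpSecurity} DSL fails
     */
    private static void configureCsrf(HttpSecurity httpSecurity, SpringAddonsSecurityProperties springAddonsSecurityProperties) throws Exception {
        switch (springAddonsSecurityProperties.getCsrf()) {
            case DISABLE -> httpSecurity.csrf().disable();
            case DEFAULT -> {
                // With stateless sessions CSRF protection is switched off. That is only sound while
                // requests are authenticated by an Authorization header and not by a cookie the
                // browser attaches on its own.
                if (springAddonsSecurityProperties.isStatlessSessions()) {
                    httpSecurity.csrf().disable();
                } else {
                    httpSecurity.csrf();
                }
            }
            case SESSION -> httpSecurity.csrf();
            case COOKIE_HTTP_ONLY -> httpSecurity.csrf().csrfTokenRepository(new CookieCsrfTokenRepository());
            // The token cookie is readable by scripts in this mode, which a JavaScript client needs
            // in order to copy the token into a request header.
            case COOKIE_ACCESSIBLE_FROM_JS -> httpSecurity.csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
            default -> {
                // Any other mode leaves the builder's CSRF settings untouched.
            }
        }
    }

    /**
     * Default access-control rule: every request that is not matched by a permit-all pattern
     * requires an authenticated user.
     *
     * @return the default post-processor
     */
    @ConditionalOnMissingBean
    @Bean
    ExpressionInterceptUrlRegistryPostProcessor authorizePostProcessor() {
        // The cast is kept because the registry's static type is declared by
        // ExpressionInterceptUrlRegistryPostProcessor, which is not visible from this file.
        return registry -> ((AuthorizeHttpRequestsConfigurer.AuthorizedUrl) registry.anyRequest()).authenticated();
    }

    /**
     * Default {@link HttpSecurity} post-processor: returns the builder unchanged.
     *
     * @return the identity post-processor
     */
    @ConditionalOnMissingBean
    @Bean
    HttpSecurityPostProcessor httpPostProcessor() {
        return httpSecurity -> httpSecurity;
    }

    /**
     * Builds one {@link CorsConfiguration} per configured path.
     *
     * <p>Only origins, methods, allowed headers and exposed headers are set; credentials are never
     * enabled here.
     *
     * @param springAddonsSecurityProperties source of the per-path CORS settings
     * @return a configuration source holding one entry per configured path
     */
    private CorsConfigurationSource corsConfigurationSource(SpringAddonsSecurityProperties springAddonsSecurityProperties) {
        log.debug("Building default CorsConfigurationSource with: {}", Arrays.asList(springAddonsSecurityProperties.getCors()));
        final UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        for (SpringAddonsSecurityProperties.CorsProperties corsProperties : springAddonsSecurityProperties.getCors()) {
            final CorsConfiguration configuration = new CorsConfiguration();
            configuration.setAllowedOrigins(Arrays.asList(corsProperties.getAllowedOrigins()));
            configuration.setAllowedMethods(Arrays.asList(corsProperties.getAllowedMethods()));
            configuration.setAllowedHeaders(Arrays.asList(corsProperties.getAllowedHeaders()));
            configuration.setExposedHeaders(Arrays.asList(corsProperties.getExposedHeaders()));
            source.registerCorsConfiguration(corsProperties.getPath(), configuration);
        }
        return source;
    }

    /**
     * Default JWT converter: delegates to the {@link OAuth2AuthenticationFactory} when one is
     * defined, otherwise builds a {@link JwtAuthenticationToken} whose authorities come from the
     * claims converter.
     *
     * @param converter maps token claims to granted authorities
     * @param springAddonsSecurityProperties not read by this default implementation
     * @param optional application-provided authentication factory, if any
     * @return the converter applied to each successfully decoded JWT
     */
    @ConditionalOnMissingBean
    @Bean
    Jwt2AuthenticationConverter<? extends AbstractAuthenticationToken> jwtAuthenticationConverter(Converter<Map<String, Object>, Collection<? extends GrantedAuthority>> converter, SpringAddonsSecurityProperties springAddonsSecurityProperties, Optional<OAuth2AuthenticationFactory> optional) {
        // orElseGet keeps the fallback lazy: the authorities converter runs only when no factory
        // bean exists, instead of on every request as orElse(new ...) would make it.
        return jwt -> optional
                .map(factory -> factory.build(jwt.getTokenValue(), jwt.getClaims()))
                .orElseGet(() -> new JwtAuthenticationToken(jwt, converter.convert(jwt.getClaims())));
    }

    /**
     * Default resolver trusting exactly the issuers listed in the add-ons properties.
     *
     * <p>The lookup key is the textual form of each configured issuer location, so a token's
     * issuer has to match it character for character (a trailing slash counts). An issuer that is
     * not configured resolves to {@code null}, which the resolver is expected to reject. No
     * audience or other additional claim validation is set up on the decoders here; applications
     * that need it must supply their own resolver bean.
     *
     * @param oAuth2ResourceServerProperties Spring Boot resource-server properties, inspected only to warn that they are ignored
     * @param springAddonsSecurityProperties source of the trusted issuers
     * @param converter converter installed on every per-issuer authentication provider
     * @return a resolver with one authentication manager per configured issuer
     */
    @ConditionalOnMissingBean
    @Bean
    JwtIssuerAuthenticationManagerResolver authenticationManagerResolver(OAuth2ResourceServerProperties oAuth2ResourceServerProperties, SpringAddonsSecurityProperties springAddonsSecurityProperties, Converter<Jwt, ? extends AbstractAuthenticationToken> converter) {
        final Optional<OAuth2ResourceServerProperties.Jwt> bootJwtProperties = Optional.ofNullable(oAuth2ResourceServerProperties).map(OAuth2ResourceServerProperties::getJwt);

        // Warn when either Boot property is set. Wrapping the first lookup in Optional.ofNullable
        // produced a value that was never empty, so a configuration with only jwk-set-uri went
        // unreported.
        bootJwtProperties.map(OAuth2ResourceServerProperties.Jwt::getIssuerUri).filter(StringUtils::hasLength)
                .or(() -> bootJwtProperties.map(OAuth2ResourceServerProperties.Jwt::getJwkSetUri).filter(StringUtils::hasLength))
                .ifPresent(ignoredUri -> log.warn("spring.security.oauth2.resourceserver configuration will be ignored in favor of com.c4-soft.springaddons.security"));

        final Map<String, JwtAuthenticationProvider> providersByIssuer = Arrays.stream(springAddonsSecurityProperties.getIssuers()).collect(Collectors.toMap(
                issuer -> issuer.getLocation().toString(),
                issuer -> {
                    // An explicit JWK-set URI takes priority; otherwise the decoder is derived from
                    // the issuer location.
                    final JwtAuthenticationProvider provider = new JwtAuthenticationProvider((issuer.getJwkSetUri() == null || !StringUtils.hasLength(issuer.getJwkSetUri().toString())) ? JwtDecoders.fromIssuerLocation(issuer.getLocation().toString()) : NimbusJwtDecoder.withJwkSetUri(issuer.getJwkSetUri().toString()).build());
                    provider.setJwtAuthenticationConverter(converter);
                    return provider;
                }));

        // The format string needs placeholders for its arguments to be logged, and the Boot
        // properties may be null.
        log.debug("Building default JwtIssuerAuthenticationManagerResolver with: {} {}", bootJwtProperties.orElse(null), Arrays.asList(springAddonsSecurityProperties.getIssuers()));

        final AuthenticationManagerResolver<String> trustedIssuerResolver = issuer -> {
            final JwtAuthenticationProvider provider = providersByIssuer.get(issuer);
            if (provider == null) {
                // Unknown issuer: no authentication manager is offered for it.
                return null;
            }
            return provider::authenticate;
        };
        return new JwtIssuerAuthenticationManagerResolver(trustedIssuerResolver);
    }
}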
