package fr.enedis.chutney.security;

import com.nimbusds.jose.JOSEException;
import fr.enedis.chutney.security.api.UserDto;
import fr.enedis.chutney.security.domain.AuthenticationService;
import fr.enedis.chutney.security.infra.jwt.ChutneyJwtAuthenticationConverter;
import fr.enedis.chutney.security.infra.jwt.ChutneyJwtProperties;
import fr.enedis.chutney.security.infra.jwt.JwtUtil;
import fr.enedis.chutney.security.infra.sso.OAuth2TokenAuthenticationFilter;
import fr.enedis.chutney.security.infra.sso.SsoOpenIdConnectConfigProperties;
import fr.enedis.chutney.server.core.domain.security.Authorization;
import fr.enedis.chutney.server.core.domain.security.User;
import jakarta.servlet.http.HttpServletRequest;
import java.net.InetSocketAddress;
import java.net.Proxy;
import java.util.ArrayList;
import java.util.Collections;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.boot.autoconfigure.security.oauth2.resource.OAuth2ResourceServerProperties;
import org.springframework.boot.autoconfigure.security.oauth2.server.servlet.OAuth2AuthorizationServerProperties;
import org.springframework.boot.context.properties.ConfigurationProperties;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Primary;
import org.springframework.context.annotation.Profile;
import org.springframework.http.HttpStatus;
import org.springframework.http.client.SimpleClientHttpRequestFactory;
import org.springframework.http.client.support.BasicAuthenticationInterceptor;
import org.springframework.lang.Nullable;
import org.springframework.security.authentication.AuthenticationManagerResolver;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configurers.AuthorizeHttpRequestsConfigurer;
import org.springframework.security.config.annotation.web.configurers.ChannelSecurityConfigurer;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.core.DefaultOAuth2AuthenticatedPrincipal;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationProvider;
import org.springframework.security.oauth2.server.resource.authentication.OpaqueTokenAuthenticationProvider;
import org.springframework.security.oauth2.server.resource.introspection.OpaqueTokenIntrospector;
import org.springframework.security.oauth2.server.resource.introspection.SpringOpaqueTokenIntrospector;
import org.springframework.security.oauth2.server.resource.web.authentication.BearerTokenAuthenticationFilter;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.HttpStatusEntryPoint;
import org.springframework.security.web.servlet.util.matcher.MvcRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.web.client.RestOperations;
import org.springframework.web.client.RestTemplate;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
import org.springframework.web.filter.CorsFilter;
import org.springframework.web.servlet.handler.HandlerMappingIntrospector;

@EnableConfigurationProperties({OAuth2AuthorizationServerProperties.class, SsoOpenIdConnectConfigProperties.class})
@Configuration
@EnableWebSecurity
@EnableMethodSecurity
@ConditionalOnProperty(value = {"chutney.security.enabled"}, havingValue = "true", matchIfMissing = true)
/* loaded from: input_file:fr/enedis/chutney/security/ChutneyWebSecurityConfig.class */
public class ChutneyWebSecurityConfig {
    private static final String LOGIN_URL = "/api/v1/user/login";
    private static final String API_BASE_URL_PATTERN = "/api/**";

    @Value("${management.endpoints.web.base-path:/actuator}")
    protected String actuatorBaseUrl;

    @Value("${server.ssl.enabled:true}")
    private Boolean sslEnabled;

    @Profile({"sso-auth"})
    @Configuration
    /* loaded from: input_file:fr/enedis/chutney/security/ChutneyWebSecurityConfig$SsoConfiguration.class */
    public static class SsoConfiguration {
        @Bean
        public RestOperations restOperations(SsoOpenIdConnectConfigProperties ssoOpenIdConnectConfigProperties) {
            SimpleClientHttpRequestFactory simpleClientHttpRequestFactory = new SimpleClientHttpRequestFactory();
            if (ssoOpenIdConnectConfigProperties.proxyHost != null && !ssoOpenIdConnectConfigProperties.proxyHost.isEmpty()) {
                simpleClientHttpRequestFactory.setProxy(new Proxy(Proxy.Type.HTTP, new InetSocketAddress(ssoOpenIdConnectConfigProperties.proxyHost, ssoOpenIdConnectConfigProperties.proxyPort.intValue())));
            }
            RestTemplate restTemplate = new RestTemplate(simpleClientHttpRequestFactory);
            restTemplate.getInterceptors().add(new BasicAuthenticationInterceptor(ssoOpenIdConnectConfigProperties.clientId, ssoOpenIdConnectConfigProperties.clientSecret));
            return restTemplate;
        }

        @ConditionalOnProperty(name = {"spring.security.oauth2.resourceserver.opaquetoken.introspection-uri"})
        @Bean
        @Primary
        public OpaqueTokenIntrospector opaqueTokenIntrospector(OAuth2ResourceServerProperties oAuth2ResourceServerProperties, RestOperations restOperations) {
            return new SpringOpaqueTokenIntrospector(oAuth2ResourceServerProperties.getOpaquetoken().getIntrospectionUri(), restOperations);
        }
    }

    @Bean
    public JwtUtil jwtUtil(ChutneyJwtProperties chutneyJwtProperties) throws JOSEException {
        return new JwtUtil(chutneyJwtProperties);
    }

    @Bean
    public OAuth2TokenAuthenticationFilter oAuth2TokenAuthenticationFilter(JwtUtil jwtUtil, AuthenticationService authenticationService) {
        return new OAuth2TokenAuthenticationFilter(jwtUtil, authenticationService);
    }

    @Bean
    public JwtDecoder jwtDecoder(JwtUtil jwtUtil) throws JOSEException {
        return jwtUtil.nimbusJwtDecoder();
    }

    @Bean
    ChutneyJwtAuthenticationConverter chutneyJwtAuthenticationConverter(AuthenticationService authenticationService) {
        return new ChutneyJwtAuthenticationConverter(authenticationService);
    }

    @Bean
    AuthenticationManagerResolver<HttpServletRequest> tokenAuthenticationManagerResolver(JwtDecoder jwtDecoder, @Nullable OpaqueTokenIntrospector opaqueTokenIntrospector, ChutneyJwtAuthenticationConverter chutneyJwtAuthenticationConverter, RestOperations restOperations) {
        AuthenticationProvider jwtAuthenticationProvider = new JwtAuthenticationProvider(jwtDecoder);
        jwtAuthenticationProvider.setJwtAuthenticationConverter(chutneyJwtAuthenticationConverter);
        OpaqueTokenIntrospector opaqueTokenIntrospector2 = opaqueTokenIntrospector != null ? opaqueTokenIntrospector : str -> {
            return new DefaultOAuth2AuthenticatedPrincipal(Collections.emptyMap(), Collections.emptyList());
        };
        ProviderManager providerManager = new ProviderManager(new AuthenticationProvider[]{jwtAuthenticationProvider});
        ProviderManager providerManager2 = new ProviderManager(new AuthenticationProvider[]{new OpaqueTokenAuthenticationProvider(opaqueTokenIntrospector2)});
        return httpServletRequest -> {
            return useJwt(httpServletRequest) ? providerManager : providerManager2;
        };
    }

    private boolean useJwt(HttpServletRequest httpServletRequest) {
        String header = httpServletRequest.getHeader("Authorization");
        return header != null && header.startsWith("Bearer ") && header.substring(7).split("\\.").length == 3;
    }

    @ConfigurationProperties(prefix = "chutney.security.cors")
    @Bean
    CorsConfiguration corsConfiguration() {
        return new CorsConfiguration();
    }

    @Bean
    UrlBasedCorsConfigurationSource corsConfigurationSource(CorsConfiguration corsConfiguration) {
        UrlBasedCorsConfigurationSource urlBasedCorsConfigurationSource = new UrlBasedCorsConfigurationSource();
        urlBasedCorsConfigurationSource.registerCorsConfiguration("/**", corsConfiguration);
        return urlBasedCorsConfigurationSource;
    }

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity httpSecurity, AuthenticationManagerResolver<HttpServletRequest> authenticationManagerResolver, OAuth2TokenAuthenticationFilter oAuth2TokenAuthenticationFilter, JwtUtil jwtUtil, CorsConfigurationSource corsConfigurationSource) throws Exception {
        configureBaseHttpSecurity(httpSecurity);
        UserDto anonymous = anonymous();
        httpSecurity.cors(Customizer.withDefaults()).anonymous(anonymousConfigurer -> {
            anonymousConfigurer.principal(anonymous).authorities(new ArrayList(anonymous.getAuthorities()));
        }).authorizeHttpRequests(authorizationManagerRequestMatcherRegistry -> {
            HandlerMappingIntrospector handlerMappingIntrospector = new HandlerMappingIntrospector();
            ((AuthorizeHttpRequestsConfigurer.AuthorizedUrl) ((AuthorizeHttpRequestsConfigurer.AuthorizedUrl) ((AuthorizeHttpRequestsConfigurer.AuthorizedUrl) ((AuthorizeHttpRequestsConfigurer.AuthorizedUrl) ((AuthorizeHttpRequestsConfigurer.AuthorizedUrl) ((AuthorizeHttpRequestsConfigurer.AuthorizedUrl) authorizationManagerRequestMatcherRegistry.requestMatchers(new RequestMatcher[]{new MvcRequestMatcher(handlerMappingIntrospector, LOGIN_URL)})).permitAll().requestMatchers(new RequestMatcher[]{new MvcRequestMatcher(handlerMappingIntrospector, "/api/v1/info/**")})).permitAll().requestMatchers(new RequestMatcher[]{new MvcRequestMatcher(handlerMappingIntrospector, "/api/v1/sso/**")})).permitAll().requestMatchers(new RequestMatcher[]{new MvcRequestMatcher(handlerMappingIntrospector, API_BASE_URL_PATTERN)})).authenticated().requestMatchers(new RequestMatcher[]{new MvcRequestMatcher(handlerMappingIntrospector, this.actuatorBaseUrl + "/**")})).hasAuthority(Authorization.ADMIN_ACCESS.name()).anyRequest()).permitAll();
        }).oauth2ResourceServer(oAuth2ResourceServerConfigurer -> {
            oAuth2ResourceServerConfigurer.authenticationManagerResolver(authenticationManagerResolver);
        }).formLogin(formLoginConfigurer -> {
            formLoginConfigurer.loginProcessingUrl(LOGIN_URL).successHandler(new HttpLoginSuccessHandler(jwtUtil)).failureHandler(new HttpLoginFailureHandler());
        }).httpBasic(Customizer.withDefaults()).addFilterBefore(new CorsFilter(corsConfigurationSource), BearerTokenAuthenticationFilter.class).addFilterAfter(oAuth2TokenAuthenticationFilter, BearerTokenAuthenticationFilter.class);
        return (SecurityFilterChain) httpSecurity.build();
    }

    private void configureBaseHttpSecurity(HttpSecurity httpSecurity) throws Exception {
        httpSecurity.csrf((v0) -> {
            v0.disable();
        }).sessionManagement(sessionManagementConfigurer -> {
            sessionManagementConfigurer.sessionCreationPolicy(SessionCreationPolicy.STATELESS);
        }).exceptionHandling(exceptionHandlingConfigurer -> {
            exceptionHandlingConfigurer.authenticationEntryPoint(new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED));
        }).requiresChannel(requireChannel(this.sslEnabled));
    }

    private UserDto anonymous() {
        UserDto userDto = new UserDto();
        userDto.setId(User.ANONYMOUS.id);
        userDto.setName(User.ANONYMOUS.id);
        userDto.grantAuthority("ANONYMOUS");
        return userDto;
    }

    private Customizer<ChannelSecurityConfigurer<HttpSecurity>.ChannelRequestMatcherRegistry> requireChannel(Boolean bool) {
        return bool.booleanValue() ? channelRequestMatcherRegistry -> {
            ((ChannelSecurityConfigurer.RequiresChannelUrl) channelRequestMatcherRegistry.anyRequest()).requiresSecure();
        } : channelRequestMatcherRegistry2 -> {
            ((ChannelSecurityConfigurer.RequiresChannelUrl) channelRequestMatcherRegistry2.anyRequest()).requiresInsecure();
        };
    }
}
