package ai.yda.framework.channel.rest.spring.security;

import ai.yda.framework.channel.rest.spring.RestSpringProperties;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configurers.AuthorizeHttpRequestsConfigurer;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.AnonymousAuthenticationFilter;
import org.springframework.web.cors.CorsConfiguration;

@Configuration
@EnableWebSecurity
/* loaded from: input_file:ai/yda/framework/channel/rest/spring/security/SecurityConfiguration.class */
public class SecurityConfiguration {
    @ConditionalOnProperty(prefix = RestSpringProperties.CONFIG_PREFIX, name = {"security-token"})
    @Bean
    public SecurityFilterChain combinedFilterChain(HttpSecurity httpSecurity, RestSpringProperties restSpringProperties) throws Exception {
        httpSecurity.csrf((v0) -> {
            v0.disable();
        }).authorizeHttpRequests(authorizationManagerRequestMatcherRegistry -> {
            ((AuthorizeHttpRequestsConfigurer.AuthorizedUrl) ((AuthorizeHttpRequestsConfigurer.AuthorizedUrl) authorizationManagerRequestMatcherRegistry.requestMatchers(new String[]{restSpringProperties.getEndpointRelativePath()})).authenticated().anyRequest()).permitAll();
        }).addFilterAfter(new TokenAuthenticationFilter(restSpringProperties.getSecurityToken()), AnonymousAuthenticationFilter.class);
        configureCors(httpSecurity, restSpringProperties);
        configureSessionManagement(httpSecurity);
        return (SecurityFilterChain) httpSecurity.build();
    }

    @ConditionalOnMissingBean
    @Bean
    public SecurityFilterChain defaultFilterChain(HttpSecurity httpSecurity, RestSpringProperties restSpringProperties) throws Exception {
        httpSecurity.csrf((v0) -> {
            v0.disable();
        }).authorizeHttpRequests(authorizationManagerRequestMatcherRegistry -> {
            ((AuthorizeHttpRequestsConfigurer.AuthorizedUrl) authorizationManagerRequestMatcherRegistry.anyRequest()).permitAll();
        });
        configureCors(httpSecurity, restSpringProperties);
        configureSessionManagement(httpSecurity);
        return (SecurityFilterChain) httpSecurity.build();
    }

    private void configureCors(HttpSecurity httpSecurity, RestSpringProperties restSpringProperties) throws Exception {
        if (restSpringProperties.getCorsEnabled().booleanValue()) {
            httpSecurity.cors(corsConfigurer -> {
                CorsConfiguration corsConfiguration = new CorsConfiguration();
                corsConfiguration.setAllowedOrigins(restSpringProperties.getAllowedOrigins());
                corsConfiguration.setAllowedMethods(restSpringProperties.getAllowedMethods());
                corsConfiguration.setAllowCredentials(true);
                corsConfiguration.addAllowedHeader("*");
                corsConfigurer.configurationSource(httpServletRequest -> {
                    return corsConfiguration;
                });
            });
        } else {
            httpSecurity.cors((v0) -> {
                v0.disable();
            });
        }
    }

    private void configureSessionManagement(HttpSecurity httpSecurity) throws Exception {
        httpSecurity.sessionManagement(sessionManagementConfigurer -> {
            sessionManagementConfigurer.sessionCreationPolicy(SessionCreationPolicy.ALWAYS).maximumSessions(1);
        });
    }
}
