package io.camunda.authentication.config;

import io.camunda.authentication.handler.AuthFailureHandler;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Primary;
import org.springframework.context.annotation.Profile;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configurers.AuthorizeHttpRequestsConfigurer;
import org.springframework.security.web.SecurityFilterChain;

/**
 * Spring Security configuration that is active only under the {@code auth-basic} profile.
 *
 * <p>Security-relevant settings made by this class:
 *
 * <ul>
 *   <li>Requests matching {@link #UNAUTHENTICATED_PATHS} are permitted without authentication;
 *       every other request must be authenticated.
 *   <li>HTTP Basic is enabled; form login and anonymous authentication are disabled.
 *   <li>CSRF protection and CORS handling are disabled on this chain.
 *   <li>HSTS is configured with a 63072000-second (730-day) max-age, {@code includeSubDomains}
 *       and {@code preload}.
 *   <li>The supplied {@code AuthFailureHandler} is installed as the access-denied handler. No
 *       authentication entry point is set in this class.
 * </ul>
 *
 * <p>NOTE(review): CSRF protection is off while HTTP Basic is on. Browsers resend cached Basic
 * credentials automatically, so confirm that no state-changing endpoint behind this chain is
 * meant to be used from a browser session, or re-enable CSRF protection for those endpoints.
 */
@Configuration
@EnableWebSecurity
@EnableMethodSecurity
@Profile("auth-basic")
/* loaded from: input_file:io/camunda/authentication/config/WebSecurityConfig.class */
public class WebSecurityConfig {
    // Patterns that bypass authentication (see baseHttpSecurity).
    // NOTE(review): "/actuator**" exposes actuator paths to unauthenticated callers. Whether
    // nested paths below these prefixes also match depends on the request matcher in use;
    // confirm the effective coverage and that no sensitive actuator endpoint is enabled.
    public static final String[] UNAUTHENTICATED_PATHS = {"/login**", "/logout**", "/error**", "/actuator**"};
    private static final Logger LOG = LoggerFactory.getLogger(WebSecurityConfig.class);

    /**
     * Builds the {@link SecurityFilterChain} from the injected {@link HttpSecurity}.
     *
     * <p>Presumably the injected instance is the {@code @Primary} bean produced by
     * {@link #localHttpSecurity}; confirm against the application context.
     *
     * @param httpSecurity the configured builder
     * @return the built filter chain
     * @throws RuntimeException wrapping any exception raised by {@code build()}
     */
    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity httpSecurity) {
        try {
            return httpSecurity.build();
        } catch (Exception buildFailure) {
            throw new RuntimeException(buildFailure);
        }
    }

    /**
     * Produces the {@code @Primary} {@link HttpSecurity} for the basic-auth profile: the shared
     * base configuration plus HTTP Basic with default settings and a logout that redirects to
     * {@code "/"}.
     *
     * @param httpSecurity the builder to configure
     * @param authFailureHandler handler installed for access-denied failures
     * @return the same builder, configured
     * @throws Exception if one of the configurers fails
     */
    @Bean
    @Primary
    public HttpSecurity localHttpSecurity(HttpSecurity httpSecurity, AuthFailureHandler authFailureHandler) throws Exception {
        LOG.info("Configuring basic auth login");
        return baseHttpSecurity(httpSecurity, authFailureHandler)
                .httpBasic(Customizer.withDefaults())
                .logout(logout -> logout.logoutSuccessUrl("/"));
    }

    /**
     * Applies the settings shared by this configuration: authorization rules, HSTS, the
     * access-denied handler, and the disabling of CSRF, CORS, form login and anonymous
     * authentication.
     *
     * @param httpSecurity the builder to configure
     * @param authFailureHandler handler installed for access-denied failures
     * @return the same builder, configured
     * @throws RuntimeException wrapping any exception raised by a configurer
     */
    private HttpSecurity baseHttpSecurity(HttpSecurity httpSecurity, AuthFailureHandler authFailureHandler) {
        try {
            return httpSecurity
                    // Allow-list first, then require authentication for everything else.
                    .authorizeHttpRequests(authorize ->
                            authorize.requestMatchers(UNAUTHENTICATED_PATHS).permitAll()
                                    .anyRequest().authenticated())
                    // 63072000 s = 730 days. includeSubDomains + preload commit every subdomain
                    // of the serving host to HTTPS, which is slow to undo once browsers cache it.
                    .headers(headers ->
                            headers.httpStrictTransportSecurity(hsts ->
                                    hsts.includeSubDomains(true).maxAgeInSeconds(63072000L).preload(true)))
                    .exceptionHandling(exceptions -> exceptions.accessDeniedHandler(authFailureHandler))
                    // Protections switched off for this chain; see the class-level review note on CSRF.
                    .csrf(csrf -> csrf.disable())
                    .cors(cors -> cors.disable())
                    .formLogin(formLogin -> formLogin.disable())
                    .anonymous(anonymous -> anonymous.disable());
        } catch (Exception configFailure) {
            throw new RuntimeException(configFailure);
        }
    }
}
