package io.dialob.security.spring;

import io.dialob.security.spring.audit.AuditConfiguration;
import io.dialob.security.spring.filter.MDCRequestIdFilter;
import io.dialob.security.spring.oauth2.Groups2GrantedAuthorisations;
import io.dialob.security.spring.oauth2.Groups2GroupGrantedAuthoritiesMapper;
import io.dialob.security.spring.oauth2.MapClaimToGroups;
import io.dialob.security.spring.oauth2.StreamingGrantedAuthoritiesMapper;
import io.dialob.security.spring.oauth2.UsersAndGroupsService;
import io.dialob.security.spring.tenant.GrantedTenantAccessEvaluator;
import io.dialob.security.spring.tenant.GroupGrantedAuthority;
import io.dialob.security.spring.tenant.ImmutableTenantGrantedAuthority;
import io.dialob.security.spring.tenant.MapTenantGroupToTenantGrantedAuthority;
import io.dialob.security.spring.tenant.TenantAccessEvaluator;
import io.dialob.settings.DialobSettings;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.function.Function;
import java.util.stream.Stream;
import lombok.Generated;
import org.apache.commons.lang3.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.boot.autoconfigure.condition.AnyNestedCondition;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.boot.web.servlet.ServletRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Conditional;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.ConfigurationCondition;
import org.springframework.context.annotation.Import;
import org.springframework.context.annotation.Profile;
import org.springframework.core.env.Environment;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;

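/**
 * Spring auto-configuration that wires Dialob's request-id filter, the mapping from identity-provider
 * groups to granted authorities, and the {@link TenantAccessEvaluator}.
 *
 * <p>The whole configuration is conditional on {@link OnSecurityEnabled}: it is loaded when
 * {@code dialob.security.enabled=true} or {@code dialob.session.security.enabled=true}. When neither
 * property is {@code true}, none of the beans below are contributed by this class; what takes their
 * place is not visible from this file.
 *
 * <p>Source recovered from {@code io/dialob/security/spring/DialobSecuritySpringAutoConfiguration.class};
 * the generic parameter names ({@code str}, {@code map}, {@code map2}, {@code optional}) and the remaining
 * raw types look like decompiler residue.
 */
@EnableConfigurationProperties({DialobSettings.class})
@Configuration(proxyBeanMethods = false)
@Conditional({OnSecurityEnabled.class})
@Import({AuditConfiguration.class})
public class DialobSecuritySpringAutoConfiguration {
    // Not read or written anywhere in this class; the groups claim actually used comes from
    // dialobSettings.getSecurity().getGroupsClaim() in grantedAuthoritiesMapper().
    private String groupsClaim;

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(DialobSecuritySpringAutoConfiguration.class);

    /** Fallback tenant (name {@code "unknown"}) used when a mapped tenant id has no configured entry. */
    public static final DialobSettings.TenantSettings.Tenant UNKNOWN_TENANT = new DialobSettings.TenantSettings.Tenant("unknown");

    /**
     * Matches when at least one nested condition matches, i.e. when either
     * {@code dialob.security.enabled} or {@code dialob.session.security.enabled} has the value
     * {@code "true"}. Evaluated in the {@code PARSE_CONFIGURATION} phase.
     */
    static class OnSecurityEnabled extends AnyNestedCondition {

        /** Marker for {@code dialob.security.enabled=true}. */
        @ConditionalOnProperty(prefix = "dialob.security", name = {"enabled"}, havingValue = "true")
        static class OnSecurity {
            OnSecurity() {
            }
        }

        /** Marker for {@code dialob.session.security.enabled=true}. */
        @ConditionalOnProperty(prefix = "dialob.session.security", name = {"enabled"}, havingValue = "true")
        static class OnSessionSecurity {
            OnSessionSecurity() {
            }
        }

        OnSecurityEnabled() {
            super(ConfigurationCondition.ConfigurationPhase.PARSE_CONFIGURATION);
        }
    }

    /**
     * Registers {@link MDCRequestIdFilter} with order {@code Integer.MIN_VALUE}, the lowest order value,
     * so that it is sorted ahead of every other ordered filter registration.
     *
     * @return the filter registration, not bound to any specific servlet registration
     */
    @Bean
    public FilterRegistrationBean<MDCRequestIdFilter> requestIdFilter() {
        FilterRegistrationBean<MDCRequestIdFilter> registration = new FilterRegistrationBean<>(new MDCRequestIdFilter());
        registration.setOrder(Integer.MIN_VALUE);
        return registration;
    }

    /**
     * Builds the UAA-style group mapper: a group whose name starts with {@code str + "/"} becomes a tenant
     * authority whose authority string is the remainder of the group name and whose tenant id is the
     * group's id. Any other group is passed through unchanged.
     *
     * <p>NOTE(review): the resulting authority string is taken directly from the group name supplied by
     * the identity provider. {@link #tenantAccessEvaluator} compares authority strings only, so group
     * naming under this prefix should be controlled so that it cannot yield a privileged literal such as
     * {@code tenant.all} - confirm how these authorities reach the authentication token.
     *
     * @param str environment prefix; a trailing {@code "/"} is appended when missing
     * @return mapping function from a group authority to zero or more granted authorities
     * @throws NullPointerException if {@code str} is {@code null}
     * @deprecated no replacement is named in this file; still used by {@link #grantedAuthoritiesMapper}
     *     when the {@code uaa} profile is active.
     */
    @Deprecated
    static Function<GroupGrantedAuthority, Stream<? extends GrantedAuthority>> uaaGroupNameToTenantMapper(String str) {
        String prefix = StringUtils.appendIfMissing(Objects.requireNonNull(str), "/");
        return groupAuthority -> {
            String groupName = groupAuthority.getAuthority();
            if (groupName.contains("/") && groupName.startsWith(prefix)) {
                return Stream.of(ImmutableTenantGrantedAuthority.builder()
                    .authority(groupName.substring(prefix.length()))
                    .tenantId(groupAuthority.getGroupId())
                    .build());
            }
            return Stream.of(groupAuthority);
        };
    }

    /**
     * Builds the configuration-driven group mapper: a group listed in {@code map} is replaced by one
     * tenant authority per mapped tenant id; a group that is not listed is passed through unchanged.
     *
     * <p>NOTE(review): a tenant id that appears in {@code map} but not in {@code map2} still produces a
     * tenant authority for that id, named after {@link #UNKNOWN_TENANT}. Whether such an authority grants
     * access is decided elsewhere; verify that a stale or mistyped tenant id in the group mapping cannot
     * open a tenant that is not configured.
     *
     * @param map group name to the set of tenant ids that group maps to
     * @param map2 tenant id to tenant settings; supplies the authority name
     * @return mapping function from a group authority to one or more granted authorities
     */
    public static Function<GroupGrantedAuthority, Stream<? extends GrantedAuthority>> groupNameToTenantMapper(Map<String, Set<String>> map, Map<String, DialobSettings.TenantSettings.Tenant> map2) {
        // Guard kept so the size() calls (and their null dereference) stay tied to the debug level.
        if (LOGGER.isDebugEnabled()) {
            LOGGER.debug("Number of group mappings: {}, Number of tenants: {}", map.size(), map2.size());
        }
        return groupAuthority -> {
            // Typed lookup instead of a raw Set, so the tenant id stays a String through the stream.
            Set<String> tenantIds = map.get(groupAuthority.getAuthority());
            if (tenantIds == null) {
                return Stream.of(groupAuthority);
            }
            return tenantIds.stream().map(tenantId -> ImmutableTenantGrantedAuthority.builder()
                .authority(map2.getOrDefault(tenantId, UNKNOWN_TENANT).name())
                .tenantId(tenantId)
                .build());
        };
    }

    /**
     * Assembles the {@link GrantedAuthoritiesMapper} used under the {@code uaa}, {@code aws} or
     * {@code oauth2} profile from four stages, added in this order: group-to-permission lookup,
     * group-to-tenant mapping, optional group resolution through {@link UsersAndGroupsService}, and
     * extraction of groups from the configured claim.
     *
     * <p>The order in which {@link StreamingGrantedAuthoritiesMapper} applies these stages is not visible
     * here. A group with no entry in the group-permissions map contributes an empty permission set.
     *
     * @param environment used to test whether the {@code uaa} profile is active
     * @param dialobSettings source of tenant settings, group permissions and the groups claim name
     * @param optional users-and-groups service; its mapper stage is added only when present
     * @return the composed authorities mapper
     */
    @Profile({"uaa | aws | oauth2"})
    @Bean
    public GrantedAuthoritiesMapper grantedAuthoritiesMapper(Environment environment, DialobSettings dialobSettings, Optional<UsersAndGroupsService> optional) {
        // NOTE(review): the element type expected by StreamingGrantedAuthoritiesMapper and the value type
        // of getGroupPermissions() are declared outside this file, so these two stay raw - tighten them
        // once the declarations are at hand.
        ArrayList stages = new ArrayList();
        Function<GroupGrantedAuthority, Stream<? extends GrantedAuthority>> tenantMapper;
        if (environment.matchesProfiles("uaa")) {
            tenantMapper = uaaGroupNameToTenantMapper(dialobSettings.getTenant().getEnv());
        } else {
            tenantMapper = groupNameToTenantMapper(dialobSettings.getTenant().getGroupToTenants(), dialobSettings.getTenant().getTenants());
        }
        // Read once at bean creation; the lambda below keeps using this map instance.
        Map groupPermissions = dialobSettings.getSecurity().getGroupPermissions();
        arrayListAdd(stages, new Groups2GrantedAuthorisations(group -> (Collection) groupPermissions.getOrDefault(group, Collections.emptySet())));
        arrayListAdd(stages, new MapTenantGroupToTenantGrantedAuthority(tenantMapper, true));
        optional.ifPresent(usersAndGroups -> arrayListAdd(stages, new Groups2GroupGrantedAuthoritiesMapper(usersAndGroups)));
        arrayListAdd(stages, new MapClaimToGroups(dialobSettings.getSecurity().getGroupsClaim()));
        return new StreamingGrantedAuthoritiesMapper(stages);
    }

    /** Appends one mapper stage to the raw stage list. */
    @SuppressWarnings({"rawtypes", "unchecked"}) // list element type is not visible in this file
    private static void arrayListAdd(ArrayList stages, Object stage) {
        stages.add(stage);
    }

    /**
     * Chooses the tenant access policy from the configured tenant mode.
     *
     * <p>In {@code FIXED} mode the evaluator answers {@code true} for every tenant it is asked about, so
     * no per-user tenant check happens at this layer. In any other mode a
     * {@link GrantedTenantAccessEvaluator} is returned in which a caller holding an authority whose
     * string equals {@code "tenant.all"} may access any tenant; how tenant-specific grants are checked
     * is defined in the base class, not here.
     *
     * <p>NOTE(review): the {@code tenant.all} match looks only at the authority string, not at the
     * authority's class or origin. Treat any configuration that can emit that string (for example the
     * group-permissions map) as granting cross-tenant access, and keep it under change control.
     *
     * @param dialobSettings source of the tenant mode
     * @return the evaluator for the configured mode
     */
    @Bean
    public TenantAccessEvaluator tenantAccessEvaluator(DialobSettings dialobSettings) {
        if (dialobSettings.getTenant().getMode() == DialobSettings.TenantSettings.Mode.FIXED) {
            return tenant -> true;
        }
        return new GrantedTenantAccessEvaluator() {
            @Override
            protected boolean canAccessAnyTenant(AbstractAuthenticationToken abstractAuthenticationToken) {
                return abstractAuthenticationToken.getAuthorities().stream()
                    .anyMatch(granted -> granted.getAuthority().equals("tenant.all"));
            }
        };
    }
}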
