package org.bremersee.actuator.security.authentication;

import java.util.Objects;
import org.bremersee.security.authentication.AccessTokenRetriever;
import org.bremersee.security.authentication.AuthProperties;
import org.bremersee.security.authentication.AutoSecurityMode;
import org.bremersee.security.authentication.InMemoryUserDetailsAutoConfiguration;
import org.bremersee.security.authentication.JsonPathJwtConverter;
import org.bremersee.security.authentication.PasswordFlowAuthenticationManager;
import org.bremersee.security.authentication.PasswordFlowProperties;
import org.bremersee.security.authentication.RestTemplateAccessTokenRetriever;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.ObjectProvider;
import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.boot.actuate.info.Info;
import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
import org.springframework.boot.autoconfigure.condition.ConditionalOnExpression;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication;
import org.springframework.boot.autoconfigure.security.SecurityProperties;
import org.springframework.boot.context.event.ApplicationReadyEvent;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Conditional;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.event.EventListener;
import org.springframework.core.Ordered;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.oauth2.jose.jws.SignatureAlgorithm;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.web.util.matcher.AndRequestMatcher;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.util.Assert;
import org.springframework.util.ClassUtils;
import org.springframework.util.StringUtils;
import org.springframework.web.client.RestTemplate;

/**
 * Auto-configuration that secures the Spring Boot actuator endpoints ({@code /actuator/**}) with
 * the bremersee security properties.
 *
 * <p>The protection applied depends on {@link ActuatorAuthProperties#getEnable()}: in mode
 * {@link AutoSecurityMode#NONE} every actuator endpoint is reachable anonymously; in every other
 * mode the endpoints are protected with HTTP basic authentication, which is checked either
 * against local users (no JWK set URI configured) or against an OAuth2 password flow whose
 * resulting JWT is validated with the configured JWK set.
 *
 * <p>Authorization rules in the protected modes: the endpoints returned by
 * {@code unauthenticatedEndpointsOrDefaults()} are public, {@code GET} requests to any other
 * endpoint need the access expression, all remaining requests need the admin access expression.
 * CSRF protection is switched off and sessions are stateless because the endpoints are meant for
 * non-browser clients that authenticate on every request.
 */
@Configuration
@Conditional(ActuatorAutoSecurityCondition.class)
@ConditionalOnWebApplication(type = ConditionalOnWebApplication.Type.SERVLET)
@ConditionalOnClass({HttpSecurity.class, PasswordFlowProperties.class, Info.class})
@EnableConfigurationProperties({SecurityProperties.class, AuthProperties.class, ActuatorAuthProperties.class})
public class ActuatorSecurityAutoConfiguration extends WebSecurityConfigurerAdapter implements Ordered {

    private static final Logger log = LoggerFactory.getLogger(ActuatorSecurityAutoConfiguration.class);

    /** Spring Boot's own security properties (default user). */
    private final SecurityProperties securityProperties;

    /** Application-wide bremersee authentication properties. */
    private final AuthProperties authProperties;

    /** Actuator-specific authentication properties; drive everything configured here. */
    private final ActuatorAuthProperties actuatorAuthProperties;

    /** Optional application-wide JWT converter bean. */
    private final ObjectProvider<JsonPathJwtConverter> jsonPathJwtConverterProvider;

    /** Optional application-wide token retriever bean. */
    private final ObjectProvider<RestTemplateAccessTokenRetriever> tokenRetrieverProvider;

    /** Optional password encoder bean, used for the in-memory user details service. */
    private final ObjectProvider<PasswordEncoder> passwordEncoderProvider;

    /**
     * Creates the auto-configuration.
     *
     * @param securityProperties the Spring Boot security properties
     * @param authProperties the application-wide authentication properties
     * @param actuatorAuthProperties the actuator authentication properties
     * @param objectProvider provider of an optional {@link JsonPathJwtConverter} bean
     * @param objectProvider2 provider of an optional {@link RestTemplateAccessTokenRetriever} bean
     * @param objectProvider3 provider of an optional {@link PasswordEncoder} bean
     */
    public ActuatorSecurityAutoConfiguration(
            SecurityProperties securityProperties,
            AuthProperties authProperties,
            ActuatorAuthProperties actuatorAuthProperties,
            ObjectProvider<JsonPathJwtConverter> objectProvider,
            ObjectProvider<RestTemplateAccessTokenRetriever> objectProvider2,
            ObjectProvider<PasswordEncoder> objectProvider3) {
        this.securityProperties = securityProperties;
        this.authProperties = authProperties;
        this.actuatorAuthProperties = actuatorAuthProperties;
        this.jsonPathJwtConverterProvider = objectProvider;
        this.tokenRetrieverProvider = objectProvider2;
        this.passwordEncoderProvider = objectProvider3;
    }

    /**
     * Logs the effective actuator security settings once the application is ready and fails fast
     * when a JWK set URI is configured but the password flow it requires is incomplete.
     *
     * <p>The log line carries only the mode, the order and two feature flags; credentials are
     * never written to the log. Note that, unlike token endpoint and client ID, the client secret
     * only has to be non-null, so an empty secret is accepted.
     *
     * @throws IllegalArgumentException if a JWK set URI is configured but the token endpoint, the
     *     client ID or the client secret of the actuator password flow is missing
     */
    @EventListener(ApplicationReadyEvent.class)
    public void init() {
        final boolean jwtEnabled = StringUtils.hasText(actuatorAuthProperties.getJwkSetUri());
        log.info("\n*********************************************************************************\n* {}\n*********************************************************************************\n* enable = {}\n* order = {}\n* jwt = {}\n* cors = {}\n*********************************************************************************",
                ClassUtils.getUserClass(getClass()).getSimpleName(),
                actuatorAuthProperties.getEnable().name(),
                actuatorAuthProperties.getOrder(),
                jwtEnabled,
                actuatorAuthProperties.isEnableCors());
        if (!jwtEnabled) {
            return;
        }
        Assert.hasText(actuatorAuthProperties.getPasswordFlow().getTokenEndpoint(),
                "Token endpoint of actuator password flow must be present.");
        Assert.hasText(actuatorAuthProperties.getPasswordFlow().getClientId(),
                "Client ID of actuator password flow must be present.");
        Assert.notNull(actuatorAuthProperties.getPasswordFlow().getClientSecret(),
                "Client secret of actuator password flow must be present.");
    }

    /**
     * Returns the filter chain order taken from the actuator authentication properties.
     *
     * @return the configured order
     */
    @Override
    public int getOrder() {
        return actuatorAuthProperties.getOrder();
    }

    /**
     * Builds one request matcher per actuator endpoint that may be called without credentials.
     *
     * @return the matchers for the unauthenticated endpoints (or the defaults)
     */
    private EndpointRequest.EndpointRequestMatcher[] unauthenticatedEndpointMatchers() {
        return actuatorAuthProperties.unauthenticatedEndpointsOrDefaults().stream()
                .map(endpoint -> EndpointRequest.to(endpoint))
                .toArray(EndpointRequest.EndpointRequestMatcher[]::new);
    }

    /**
     * Configures the security filter chain for all actuator endpoints.
     *
     * <p>In mode {@link AutoSecurityMode#NONE} everything is permitted and HTTP basic is disabled;
     * exposure of the endpoints then has to be limited by other means. In every other mode the
     * rules described on the class apply and, if a JWK set URI is configured, the password flow
     * authentication manager is registered as an additional authentication provider. CSRF is
     * disabled and sessions are stateless in all modes; CORS support stays enabled only when
     * requested by the properties.
     *
     * @param http the http security to configure
     * @throws Exception if the configuration fails
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        log.info("Securing requests to /actuator/**");
        ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry registry = http
                .requestMatcher(EndpointRequest.toAnyEndpoint())
                .authorizeRequests();
        HttpSecurity configured;
        if (actuatorAuthProperties.getEnable() == AutoSecurityMode.NONE) {
            // Explicitly requested by configuration: every exposed endpoint is anonymous.
            configured = registry.anyRequest().permitAll().and().httpBasic().disable();
        } else {
            if (actuatorAuthProperties.isEnableCors()) {
                // Pre-flight requests carry no credentials and must not be challenged.
                registry = registry.antMatchers(HttpMethod.OPTIONS, "/**").permitAll();
            }
            // Read access (GET) and admin access (everything else) use separate expressions.
            RequestMatcher anyEndpointGet = new AndRequestMatcher(
                    EndpointRequest.toAnyEndpoint(),
                    new AntPathRequestMatcher("/**", "GET"));
            HttpSecurity secured = registry
                    .requestMatchers(unauthenticatedEndpointMatchers()).permitAll()
                    .requestMatchers(anyEndpointGet).access(actuatorAuthProperties.buildAccessExpression())
                    .anyRequest().access(actuatorAuthProperties.buildAdminAccessExpression())
                    .and();
            if (StringUtils.hasText(actuatorAuthProperties.getJwkSetUri())) {
                // Basic credentials are exchanged for a JWT via the password flow instead of
                // being checked against local users.
                secured.authenticationProvider(passwordFlowAuthenticationManager());
            }
            configured = secured.formLogin().disable().httpBasic().realmName("actuator").and();
        }
        configured
                .csrf().disable()
                .cors(cors -> {
                    if (!actuatorAuthProperties.isEnableCors()) {
                        cors.disable();
                    }
                })
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    }

    /**
     * Provides the in-memory user details service used by HTTP basic authentication when no JWK
     * set URI is configured (i.e. credentials are checked locally, not via the password flow).
     *
     * @return the user details service
     */
    @Bean
    @ConditionalOnMissingBean
    @ConditionalOnExpression("'${bremersee.actuator.auth.jwk-set-uri:}'.empty")
    public UserDetailsService userDetailsServiceBean() {
        return new InMemoryUserDetailsAutoConfiguration()
                .inMemoryUserDetailsManager(securityProperties, authProperties, passwordEncoderProvider);
    }

    /**
     * Creates the authentication manager that runs the OAuth2 password flow for the actuator.
     *
     * <p>An application-wide {@link RestTemplateAccessTokenRetriever} bean is reused if present;
     * otherwise one backed by a plain {@link RestTemplate} is created.
     *
     * @return the password flow authentication manager
     */
    private PasswordFlowAuthenticationManager passwordFlowAuthenticationManager() {
        RestTemplateAccessTokenRetriever providedRetriever = tokenRetrieverProvider.getIfAvailable();
        log.info("Creating actuator {} with token retriever {} ...",
                PasswordFlowAuthenticationManager.class.getSimpleName(), providedRetriever);
        JwtDecoder decoder = jwtDecoder();
        JsonPathJwtConverter converter = jwtConverter();
        RestTemplateAccessTokenRetriever effectiveRetriever = Objects.requireNonNullElseGet(
                providedRetriever, () -> new RestTemplateAccessTokenRetriever(new RestTemplate()));
        return new PasswordFlowAuthenticationManager(
                actuatorAuthProperties.getPasswordFlow(), decoder, converter, effectiveRetriever);
    }

    /**
     * Builds the JWT decoder for tokens obtained through the password flow.
     *
     * <p>Signatures are checked against the configured JWK set with the configured JWS algorithm.
     * The issuer claim is validated only when an issuer URI is configured; without it the decoder
     * keeps its built-in default validation.
     *
     * @return the JWT decoder
     */
    private JwtDecoder jwtDecoder() {
        NimbusJwtDecoder decoder = NimbusJwtDecoder
                .withJwkSetUri(actuatorAuthProperties.getJwkSetUri())
                .jwsAlgorithm(SignatureAlgorithm.from(actuatorAuthProperties.getJwsAlgorithm()))
                .build();
        String issuerUri = actuatorAuthProperties.getIssuerUri();
        if (StringUtils.hasText(issuerUri)) {
            decoder.setJwtValidator(JwtValidators.createDefaultWithIssuer(issuerUri));
        }
        return decoder;
    }

    /**
     * Builds the converter that maps JWT claims to name and roles using the actuator properties.
     *
     * <p>If an application-wide {@link JsonPathJwtConverter} bean exists and is configured
     * identically, that bean is returned; otherwise the actuator-specific converter is used.
     *
     * @return the JWT converter
     */
    private JsonPathJwtConverter jwtConverter() {
        JsonPathJwtConverter fromProperties = new JsonPathJwtConverter();
        fromProperties.setNameJsonPath(actuatorAuthProperties.getNameJsonPath());
        fromProperties.setRolePrefix(actuatorAuthProperties.getRolePrefix());
        fromProperties.setRolesJsonPath(actuatorAuthProperties.getRolesJsonPath());
        fromProperties.setRolesValueList(actuatorAuthProperties.isRolesValueList());
        fromProperties.setRolesValueSeparator(actuatorAuthProperties.getRolesValueSeparator());
        JsonPathJwtConverter shared = jsonPathJwtConverterProvider.getIfAvailable();
        if (fromProperties.equals(shared)) {
            return shared;
        }
        return fromProperties;
    }
}
