package org.chenile.configuration.security;

import jakarta.servlet.http.HttpServletRequest;
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.Function;
import java.util.regex.Pattern;
import org.chenile.security.KeycloakConnectionDetails;
import org.chenile.security.SecurityServiceImpl;
import org.chenile.security.service.SecurityService;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.convert.converter.Converter;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationManagerResolver;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configurers.AuthorizeHttpRequestsConfigurer;
import org.springframework.security.config.oauth2.client.CommonOAuth2Provider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.oauth2.client.InMemoryOAuth2AuthorizedClientService;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientService;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.client.registration.InMemoryClientRegistrationRepository;
import org.springframework.security.oauth2.client.web.DefaultOAuth2AuthorizationRequestResolver;
import org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestResolver;
import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.oauth2.server.resource.InvalidBearerTokenException;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationProvider;
import org.springframework.security.oauth2.server.resource.authentication.JwtBearerTokenAuthenticationConverter;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;

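/**
 * Spring Security wiring for a multi-tenant Keycloak deployment.
 *
 * <p>Both entry points select the Keycloak realm from the {@code x-chenile-tenant-id}
 * request header: bearer-token requests are verified with a per-realm {@link JwtDecoder}
 * (see {@link #authenticationManagerResolver()}), and the browser login flow resolves a
 * per-realm {@link ClientRegistration} (see {@link #resolver()}).
 *
 * <p>The header is attacker-controlled and ends up inside Keycloak URLs and as a cache key,
 * so it is checked against {@link #TENANT_ID} before use, and the per-tenant caches are
 * bounded by {@code chenile.security.tenant.cache.max} so a flood of distinct values cannot
 * grow them without limit.
 */
@Configuration
public class ChenileSecurityConfiguration {

    /** Request header carrying the tenant (Keycloak realm) id. */
    static final String TENANT_HEADER = "x-chenile-tenant-id";

    /**
     * Accepted shape of a tenant/realm id: a leading alphanumeric, then up to 127 of
     * alphanumerics, '.', '_' or '-'. This keeps the value a single URL path segment
     * (no '/', '?', '#', whitespace) and rules out "." and "..". Widen it if a legitimate
     * realm name needs other characters.
     */
    static final Pattern TENANT_ID = Pattern.compile("[A-Za-z0-9][A-Za-z0-9._-]{0,127}");

    @Autowired
    KeycloakConnectionDetails connectionDetails;

    @Value("${chenile.security.client.id}")
    String clientId;

    @Value("${chenile.security.client.secret}")
    String clientSecret;

    @Value("${chenile.security.login.success.url:/}")
    String loginSuccessUrl;

    @Value("${chenile.security.login.failure.url:/}")
    String loginFailureUrl;

    /** When true the filter chain is built with no rules at all, i.e. every request is allowed. */
    @Value("${chenile.security.ignore:false}")
    boolean ignoreSecurity;

    /**
     * Upper bound on entries in each per-tenant cache. Beyond it, objects for new tenants are
     * still built (so legitimate new tenants keep working) but are not retained.
     */
    @Value("${chenile.security.tenant.cache.max:1000}")
    int maxCachedTenants;

    private final Logger logger = LoggerFactory.getLogger(ChenileSecurityConfiguration.class);

    // Keyed by validated tenant id. ConcurrentHashMap: these are filled lazily from request
    // threads, so a plain HashMap would race. Null keys are rejected before reaching them.
    private final Map<String, ClientRegistrationRepository> repositories = new ConcurrentHashMap<>();
    private final Map<String, AuthenticationManager> authenticationManagers = new ConcurrentHashMap<>();
    Map<String, JwtDecoder> jwtDecoderMap = new ConcurrentHashMap<>();

    /**
     * Builds the single filter chain: every request must be authenticated, either through the
     * OAuth2 login flow (session) or through a bearer JWT validated against the tenant's realm.
     *
     * @throws Exception propagated from {@link HttpSecurity#build()}
     */
    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity httpSecurity) throws Exception {
        if (this.ignoreSecurity) {
            // An HttpSecurity with no rules imposes no authentication; make that visible in logs.
            this.logger.warn("chenile.security.ignore=true: building a filter chain with NO security rules");
            return httpSecurity.build();
        }
        httpSecurity
                // CSRF is disabled for the whole chain. That is the norm for bearer-token APIs,
                // but oauth2Login() also establishes a session cookie, so state-changing
                // endpoints driven by that session are unprotected. NOTE(review): confirm this is intended.
                .csrf(csrf -> csrf.disable())
                .authorizeHttpRequests(registry -> registry.anyRequest().authenticated())
                .oauth2Login(login -> {
                    login.authorizationEndpoint().authorizationRequestResolver(resolver());
                    if (this.loginSuccessUrl != null) {
                        login.defaultSuccessUrl(this.loginSuccessUrl);
                    }
                    if (this.loginFailureUrl != null) {
                        login.failureHandler(new SimpleUrlAuthenticationFailureHandler(this.loginFailureUrl));
                    }
                })
                .oauth2Client(Customizer.withDefaults())
                .oauth2ResourceServer(resourceServer ->
                        resourceServer.authenticationManagerResolver(authenticationManagerResolver()));
        return httpSecurity.build();
    }

    /**
     * Tenant-aware authorization request resolver for the login flow. The tenant comes from
     * {@link #TENANT_HEADER}; the base realm is used when the header is absent (browsers do not
     * send custom headers on a login redirect), and a malformed header yields no request at all.
     */
    private OAuth2AuthorizationRequestResolver resolver() {
        return new OAuth2AuthorizationRequestResolver() {
            @Override
            public OAuth2AuthorizationRequest resolve(HttpServletRequest request) {
                String tenant = tenantForLogin(request);
                if (tenant == null) {
                    return null;
                }
                // NOTE(review): the second constructor argument is the *local* request-path prefix
                // the resolver matches ("/oauth2/authorization" by default), not the provider's
                // authorization endpoint. With a full Keycloak URL here the matcher may never hit,
                // in which case this always returns null — confirm the login flow actually works.
                // (The original also concatenated "/realms" + tenant without a separating slash;
                // keycloakOpenIdUrl() is used so the URL is built the same way everywhere.)
                return new DefaultOAuth2AuthorizationRequestResolver(
                        clientRegistrationRepository(tenant), keycloakOpenIdUrl(tenant) + "auth")
                        .resolve(request);
            }

            @Override
            public OAuth2AuthorizationRequest resolve(HttpServletRequest request, String clientRegistrationId) {
                // Not supported: the registration is chosen by tenant header, not by id.
                logger.debug("resolve(request, clientRegistrationId={}) is not supported by the tenant-aware resolver; returning null",
                        clientRegistrationId);
                return null;
            }
        };
    }

    /**
     * Tenant for the login flow.
     *
     * @return the header value when present and well-formed; the configured base realm when the
     *         header is absent; {@code null} (log a warning) when the header is present but malformed
     */
    private String tenantForLogin(HttpServletRequest request) {
        String header = request.getHeader(TENANT_HEADER);
        if (header == null) {
            // NOTE(review): fallback chosen because client() already treats baseRealm as the
            // default registration; the previous code built a URL for a realm literally named "null".
            return this.connectionDetails.baseRealm;
        }
        if (!isValidTenantId(header)) {
            // Value deliberately not logged: it is attacker-controlled.
            this.logger.warn("Rejecting login request with malformed {} header", TENANT_HEADER);
            return null;
        }
        return header;
    }

    /**
     * Whether {@code tenant} may be used as a realm name inside a Keycloak URL and as a cache key.
     *
     * @param tenant raw header value, may be {@code null}
     * @return true only for a non-null value fully matching {@link #TENANT_ID}
     */
    static boolean isValidTenantId(String tenant) {
        return tenant != null && TENANT_ID.matcher(tenant).matches();
    }

    /** Registration repository for the base realm (the only registration Spring sees as a bean). */
    @Bean
    public ClientRegistrationRepository clientRegistrationRepository() {
        return new InMemoryClientRegistrationRepository(client());
    }

    /** Per-tenant registration repository; {@code tenant} must already be validated. */
    private ClientRegistrationRepository clientRegistrationRepository(String tenant) {
        return cachedPerTenant(this.repositories, tenant,
                t -> new InMemoryClientRegistrationRepository(client(t)));
    }

    @Bean
    public OAuth2AuthorizedClientService authorizedClientService(ClientRegistrationRepository clientRegistrationRepository) {
        return new InMemoryOAuth2AuthorizedClientService(clientRegistrationRepository);
    }

    /** Registration for the base realm from {@link KeycloakConnectionDetails}. */
    public ClientRegistration client() {
        return client(this.connectionDetails.baseRealm);
    }

    /**
     * Builds the client registration for one Keycloak realm. Endpoints are derived from
     * {@code connectionDetails.host} and the realm; scopes are openid, profile and email.
     *
     * <p>NOTE(review): as a {@code @Bean} method, Spring autowires {@code str} from a String
     * bean rather than a realm name; whether that produces the intended registration depends
     * on the application context — confirm. Callers in this class pass the realm explicitly.
     *
     * @param str realm name (already validated when it originates from a request header)
     */
    @Bean
    public ClientRegistration client(String str) {
        ClientRegistration.Builder builder = CommonOAuth2Provider.OKTA.getBuilder("authz_servlet");
        builder.clientId(this.clientId);
        builder.clientSecret(this.clientSecret);
        builder.issuerUri(keycloakBaseUrl(str));
        builder.authorizationUri(keycloakOpenIdUrl(str) + "auth");
        builder.tokenUri(keycloakOpenIdUrl(str) + "token");
        builder.jwkSetUri(keycloakOpenIdUrl(str) + "certs");
        builder.userInfoUri(keycloakOpenIdUrl(str) + "userinfo");
        builder.scope("openid", "profile", "email");
        return builder.build();
    }

    /**
     * Picks the per-tenant {@link AuthenticationManager} for a bearer-token request. A missing or
     * malformed tenant header fails closed with a manager that rejects every token, without
     * touching the caches or Keycloak: an unchecked value would otherwise become a cache key and
     * part of the JWK-set URL that is fetched over the network.
     */
    private AuthenticationManagerResolver<HttpServletRequest> authenticationManagerResolver() {
        return request -> {
            String tenant = request.getHeader(TENANT_HEADER);
            if (!isValidTenantId(tenant)) {
                return rejectingManager(tenant == null);
            }
            return getAuthenticationManager(tenant);
        };
    }

    /**
     * Manager that rejects every authentication. The raw header value is intentionally not
     * echoed: the exception message can surface in the {@code WWW-Authenticate} response header.
     */
    private static AuthenticationManager rejectingManager(boolean headerMissing) {
        String reason = headerMissing ? "missing " : "malformed ";
        return authentication -> {
            throw new InvalidBearerTokenException("Cannot authenticate bearer token: " + reason + TENANT_HEADER + " header");
        };
    }

    /** Cached per-tenant manager; {@code tenant} must already be validated. */
    private AuthenticationManager getAuthenticationManager(String tenant) {
        return cachedPerTenant(this.authenticationManagers, tenant, this::jwt);
    }

    /**
     * JWT authentication manager for one realm. Failures that are not already an
     * {@link InvalidBearerTokenException} are logged and recast to one so the resource-server
     * filter answers 401 rather than 500. Errors and checked exceptions are left alone (the
     * previous version caught Throwable, and its type check was inverted, so unrelated failures
     * and even Errors were recast).
     */
    private AuthenticationManager jwt(String tenant) {
        JwtAuthenticationProvider provider = new JwtAuthenticationProvider(jwtDecoder(tenant));
        provider.setJwtAuthenticationConverter(jwtBearerTokenAuthenticationConverter());
        return new ProviderManager(provider) {
            @Override
            public Authentication authenticate(Authentication authentication) throws AuthenticationException {
                try {
                    return super.authenticate(authentication);
                } catch (InvalidBearerTokenException e) {
                    throw e;
                } catch (RuntimeException e) {
                    logger.warn("Authentication error occurred. Recasting it to InvalidBearerTokenException.", e);
                    throw new InvalidBearerTokenException("Cannot authenticate bearer token", e);
                }
            }
        };
    }

    private Converter<Jwt, ? extends AbstractAuthenticationToken> jwtBearerTokenAuthenticationConverter() {
        return new JwtBearerTokenAuthenticationConverter();
    }

    /** {@code <host>/realms/<realm>} — the realm's issuer URL. */
    private String keycloakBaseUrl(String realm) {
        return this.connectionDetails.host + "/realms/" + realm;
    }

    /** {@code <host>/realms/<realm>/protocol/openid-connect/} — prefix of the OIDC endpoints. */
    private String keycloakOpenIdUrl(String realm) {
        return keycloakBaseUrl(realm) + "/protocol/openid-connect/";
    }

    /**
     * Decoder backed by the realm's JWK set; {@code tenant} must already be validated.
     *
     * <p>NOTE(review): the default decoder validates signature and timestamps only. Adding an
     * issuer validator for {@link #keycloakBaseUrl(String)} would also pin the token's "iss" to
     * the realm, but that requires {@code connectionDetails.host} to be the same URL Keycloak
     * writes into tokens — confirm before enabling.
     */
    JwtDecoder jwtDecoder(String tenant) {
        return cachedPerTenant(this.jwtDecoderMap, tenant,
                t -> NimbusJwtDecoder.withJwkSetUri(keycloakOpenIdUrl(t) + "certs").build());
    }

    /**
     * Bounded, lazily-populated lookup. Returns the cached value, caches a new one while the map
     * holds fewer than {@link #maxCachedTenants} entries, and otherwise builds an uncached value
     * so that new tenants keep working while memory stays bounded.
     */
    private <V> V cachedPerTenant(Map<String, V> cache, String tenant, Function<String, V> factory) {
        V existing = cache.get(tenant);
        if (existing != null) {
            return existing;
        }
        if (cache.size() < this.maxCachedTenants) {
            return cache.computeIfAbsent(tenant, factory);
        }
        this.logger.debug("Per-tenant cache is full ({} entries); building an uncached entry", cache.size());
        return factory.apply(tenant);
    }

    @Bean
    SecurityService securityService() {
        return new SecurityServiceImpl();
    }
}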
