package org.entur.jwt.spring;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import org.entur.jwt.spring.actuate.JwksHealthIndicator;
import org.entur.jwt.spring.filter.JwtAuthenticationExceptionAdvice;
import org.entur.jwt.spring.filter.JwtAuthenticationFilter;
import org.entur.jwt.spring.filter.JwtAuthorityMapper;
import org.entur.jwt.spring.filter.log.DefaultJwtMappedDiagnosticContextMapper;
import org.entur.jwt.spring.filter.log.JwtMappedDiagnosticContextMapper;
import org.entur.jwt.spring.filter.resolver.JwtArgumentResolver;
import org.entur.jwt.spring.properties.AuthorizationProperties;
import org.entur.jwt.spring.properties.CorsProperties;
import org.entur.jwt.spring.properties.HttpMethodMatcher;
import org.entur.jwt.spring.properties.JwtProperties;
import org.entur.jwt.spring.properties.MatcherConfiguration;
import org.entur.jwt.spring.properties.MdcPair;
import org.entur.jwt.spring.properties.PermitAll;
import org.entur.jwt.spring.properties.SecurityProperties;
import org.entur.jwt.verifier.JwtClaimExtractor;
import org.entur.jwt.verifier.JwtVerifier;
import org.entur.jwt.verifier.JwtVerifierFactory;
import org.entur.jwt.verifier.config.JwtTenantProperties;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.autoconfigure.condition.ConditionalOnBean;
import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Lazy;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
import org.springframework.web.method.support.HandlerMethodArgumentResolver;
import org.springframework.web.servlet.HandlerExceptionResolver;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

@EnableConfigurationProperties({SecurityProperties.class})
@Configuration
@ConditionalOnClass({WebSecurityConfigurerAdapter.class})
@ConditionalOnProperty(name = {"entur.jwt.enabled"}, havingValue = "true", matchIfMissing = false)
/* loaded from: input_file:org/entur/jwt/spring/JwtAutoConfiguration.class */
public class JwtAutoConfiguration {
    private static Logger log = LoggerFactory.getLogger(JwtAutoConfiguration.class);

    @Configuration
    @ConditionalOnBean(name = {"springSecurityFilterChain"})
    /* loaded from: input_file:org/entur/jwt/spring/JwtAutoConfiguration$DefaultEnturWebMvcConfigurer.class */
    public static class DefaultEnturWebMvcConfigurer implements WebMvcConfigurer {
        private final JwtArgumentResolver resolver;

        @Autowired
        public DefaultEnturWebMvcConfigurer(JwtArgumentResolver jwtArgumentResolver) {
            this.resolver = jwtArgumentResolver;
        }

        public void addArgumentResolvers(List<HandlerMethodArgumentResolver> list) {
            list.add(this.resolver);
        }
    }

    @ConditionalOnMissingBean(name = {"springSecurityFilterChain"})
    @Configuration
    @EnableGlobalMethodSecurity(prePostEnabled = true)
    /* loaded from: input_file:org/entur/jwt/spring/JwtAutoConfiguration$DefaultEnturWebSecurityConfig.class */
    public static class DefaultEnturWebSecurityConfig extends WebSecurityConfigurerAdapter implements WebMvcConfigurer {
        private final JwtAuthenticationFilter<?> filter;
        private final JwtArgumentResolver resolver;
        private final SecurityProperties properties;

        @Autowired
        public DefaultEnturWebSecurityConfig(JwtAuthenticationFilter<?> jwtAuthenticationFilter, JwtArgumentResolver jwtArgumentResolver, SecurityProperties securityProperties) {
            this.filter = jwtAuthenticationFilter;
            this.resolver = jwtArgumentResolver;
            this.properties = securityProperties;
        }

        @Bean
        public UserDetailsService userDetailsService() {
            return new NoUserDetailsService();
        }

        protected void configure(HttpSecurity httpSecurity) throws Exception {
            httpSecurity.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and().csrf().disable().formLogin().disable().httpBasic().disable().logout().disable().cors().and().addFilterBefore(this.filter, UsernamePasswordAuthenticationFilter.class);
            AuthorizationProperties authorization = this.properties.getAuthorization();
            if (authorization.isEnabled()) {
                PermitAll permitAll = authorization.getPermitAll();
                if (permitAll.isActive()) {
                    configurePermitAll(httpSecurity, permitAll);
                }
                ((ExpressionUrlAuthorizationConfigurer.AuthorizedUrl) httpSecurity.authorizeRequests().anyRequest()).fullyAuthenticated();
            }
        }

        protected void configurePermitAll(HttpSecurity httpSecurity, PermitAll permitAll) throws Exception {
            MatcherConfiguration mvcMatcher = permitAll.getMvcMatcher();
            if (mvcMatcher.isActive()) {
                if (mvcMatcher.hasPatterns()) {
                    httpSecurity.authorizeRequests().mvcMatchers(mvcMatcher.getPatternsAsArray()).permitAll();
                }
                for (HttpMethodMatcher httpMethodMatcher : mvcMatcher.getMethod().getActiveMethods()) {
                    if (httpMethodMatcher.isActive()) {
                        httpSecurity.authorizeRequests().mvcMatchers(httpMethodMatcher.getVerb(), httpMethodMatcher.getPatternsAsArray()).permitAll();
                    }
                }
            }
            MatcherConfiguration antMatcher = permitAll.getAntMatcher();
            if (antMatcher.isActive()) {
                if (antMatcher.hasPatterns()) {
                    ((ExpressionUrlAuthorizationConfigurer.AuthorizedUrl) httpSecurity.authorizeRequests().antMatchers(antMatcher.getPatternsAsArray())).permitAll();
                }
                for (HttpMethodMatcher httpMethodMatcher2 : antMatcher.getMethod().getActiveMethods()) {
                    if (httpMethodMatcher2.isActive()) {
                        ((ExpressionUrlAuthorizationConfigurer.AuthorizedUrl) httpSecurity.authorizeRequests().antMatchers(httpMethodMatcher2.getVerb(), httpMethodMatcher2.getPatternsAsArray())).permitAll();
                    }
                }
            }
        }

        public void addArgumentResolvers(List<HandlerMethodArgumentResolver> list) {
            list.add(this.resolver);
        }
    }

    /* loaded from: input_file:org/entur/jwt/spring/JwtAutoConfiguration$NoUserDetailsService.class */
    private static class NoUserDetailsService implements UserDetailsService {
        private NoUserDetailsService() {
        }

        public UserDetails loadUserByUsername(String str) {
            throw new UsernameNotFoundException("");
        }
    }

    @ConditionalOnMissingBean({JwtMappedDiagnosticContextMapper.class})
    @ConditionalOnProperty(name = {"entur.jwt.mdc.enabled"}, havingValue = "true", matchIfMissing = false)
    @Bean
    public <T> JwtMappedDiagnosticContextMapper<T> mapper(SecurityProperties securityProperties, JwtClaimExtractor<T> jwtClaimExtractor) {
        List<MdcPair> mappings = securityProperties.getJwt().getMdc().getMappings();
        ArrayList arrayList = new ArrayList();
        ArrayList arrayList2 = new ArrayList();
        for (int i = 0; i < mappings.size(); i++) {
            MdcPair mdcPair = mappings.get(i);
            arrayList.add(mdcPair.getTo());
            arrayList2.add(mdcPair.getFrom());
            log.info("Map JWT claim '{}' to MDC key '{}'", mdcPair.getFrom(), mdcPair.getTo());
        }
        return new DefaultJwtMappedDiagnosticContextMapper(arrayList2, arrayList, jwtClaimExtractor);
    }

    @ConditionalOnMissingBean({JwtVerifier.class})
    @Bean
    public <T> JwtVerifier<T> verifier(SecurityProperties securityProperties, JwtVerifierFactory<T> jwtVerifierFactory) {
        HashMap hashMap = new HashMap();
        JwtProperties jwt = securityProperties.getJwt();
        List<String> filter = jwt.getFilter();
        if (filter == null) {
            hashMap.putAll(jwt.getTenants());
        } else {
            if (filter.isEmpty()) {
                throw new IllegalStateException("Tenant filter is empty");
            }
            for (Map.Entry<String, JwtTenantProperties> entry : jwt.getTenants().entrySet()) {
                String key = entry.getKey();
                if (key != null && filter.contains(key) && entry.getValue().isEnabled()) {
                    hashMap.put(key, entry.getValue());
                }
            }
        }
        if (!hashMap.isEmpty()) {
            return jwtVerifierFactory.getVerifier(hashMap, jwt.getJwk(), jwt.getClaims());
        }
        if (filter != null) {
            throw new IllegalStateException("No configured tenants for filter '" + filter + "'");
        }
        throw new IllegalStateException("No configured tenants");
    }

    @ConditionalOnMissingBean({JwtAuthenticationFilter.class})
    @Bean
    public <T> JwtAuthenticationFilter<T> auth(SecurityProperties securityProperties, JwtVerifier<T> jwtVerifier, @Autowired(required = false) JwtMappedDiagnosticContextMapper<T> jwtMappedDiagnosticContextMapper, JwtAuthorityMapper<T> jwtAuthorityMapper, JwtClaimExtractor<T> jwtClaimExtractor, @Lazy HandlerExceptionResolver handlerExceptionResolver) {
        AuthorizationProperties authorization = securityProperties.getAuthorization();
        boolean z = authorization.isEnabled() && !authorization.getPermitAll().isActive();
        if (z) {
            log.info("Authentication with Json Web Token is required");
        } else {
            log.info("Authentication with Json Web Token is optional");
        }
        return new JwtAuthenticationFilter<>(jwtVerifier, z, jwtAuthorityMapper, jwtMappedDiagnosticContextMapper, jwtClaimExtractor, handlerExceptionResolver);
    }

    @ConditionalOnProperty(name = {"entur.cors.enabled"}, havingValue = "true", matchIfMissing = false)
    @Bean({"corsConfigurationSource"})
    public CorsConfigurationSource corsConfigurationSource(SecurityProperties securityProperties) {
        CorsProperties cors = securityProperties.getCors();
        if (cors.getMode().equals("api")) {
            return getCorsConfiguration(cors);
        }
        if (!cors.getOrigins().isEmpty()) {
            throw new IllegalStateException("Expected empty hosts configuration for CORS mode '" + cors.getMode() + "'");
        }
        log.info("Disable CORS requests for webapp mode");
        return getEmptyCorsConfiguration();
    }

    @ConditionalOnProperty(name = {"entur.security.cors.mode"}, havingValue = "webapp", matchIfMissing = false)
    @Bean({"corsConfigurationSource"})
    public CorsConfigurationSource corsConfigurationSourceForWebapp(SecurityProperties securityProperties) {
        log.info("Disable CORS requests for webapp mode");
        return getEmptyCorsConfiguration();
    }

    public static CorsConfigurationSource getEmptyCorsConfiguration() {
        UrlBasedCorsConfigurationSource urlBasedCorsConfigurationSource = new UrlBasedCorsConfigurationSource();
        CorsConfiguration corsConfiguration = new CorsConfiguration();
        corsConfiguration.setAllowedOrigins(Collections.emptyList());
        corsConfiguration.setAllowedHeaders(Collections.emptyList());
        corsConfiguration.setAllowedMethods(Collections.emptyList());
        urlBasedCorsConfigurationSource.registerCorsConfiguration("/**", corsConfiguration);
        return urlBasedCorsConfigurationSource;
    }

    public static CorsConfigurationSource getCorsConfiguration(CorsProperties corsProperties) {
        List asList = Arrays.asList("GET", "HEAD", "POST", "PUT", "DELETE", "PATCH", "OPTIONS");
        List asList2 = Arrays.asList("*");
        List<String> origins = corsProperties.getOrigins();
        Logger logger = log;
        Object[] objArr = new Object[3];
        objArr[0] = corsProperties.getOrigins();
        objArr[1] = corsProperties.hasMethods() ? corsProperties.getMethods() : "default (" + asList + ")";
        objArr[2] = corsProperties.hasHeaders() ? corsProperties.getHeaders() : "default (" + asList2 + ")";
        logger.info("Enable CORS request with origins {}, methods {} and headers {} for API mode", objArr);
        UrlBasedCorsConfigurationSource urlBasedCorsConfigurationSource = new UrlBasedCorsConfigurationSource();
        CorsConfiguration corsConfiguration = new CorsConfiguration();
        corsConfiguration.setAllowedOrigins(origins);
        if (corsProperties.hasHeaders()) {
            corsConfiguration.setAllowedHeaders(corsProperties.getHeaders());
        } else {
            corsConfiguration.setAllowedHeaders(asList2);
        }
        if (corsProperties.hasMethods()) {
            corsConfiguration.setAllowedMethods(corsProperties.getMethods());
        } else {
            corsConfiguration.setAllowedMethods(asList);
        }
        corsConfiguration.setMaxAge(86400L);
        corsConfiguration.setAllowCredentials(true);
        urlBasedCorsConfigurationSource.registerCorsConfiguration("/**", corsConfiguration);
        return urlBasedCorsConfigurationSource;
    }

    protected List<String> getDefaultMethods() {
        return Arrays.asList("GET", "HEAD", "POST", "PUT", "DELETE", "PATCH", "OPTIONS");
    }

    protected List<String> getDefaultAllowedHeaders() {
        return Arrays.asList("*");
    }

    @ConditionalOnProperty(name = {"entur.jwt.jwk.health-indicator.enabled"}, havingValue = "true", matchIfMissing = true)
    @ConditionalOnBean({JwtVerifier.class})
    @Bean
    public <T> JwksHealthIndicator jwksProviderHealthIndicator(JwtVerifier<T> jwtVerifier) {
        return new JwksHealthIndicator(jwtVerifier);
    }

    @ConditionalOnMissingBean({JwtAuthenticationExceptionAdvice.class})
    @Bean
    public JwtAuthenticationExceptionAdvice advice() {
        return new JwtAuthenticationExceptionAdvice();
    }
}
