package org.entur.jwt.spring;

import java.util.ArrayList;
import java.util.List;
import org.entur.jwt.spring.config.EnturAuthorizeHttpRequestsCustomizer;
import org.entur.jwt.spring.config.EnturOauth2ResourceServerCustomizer;
import org.entur.jwt.spring.config.JwtMappedDiagnosticContextFilter;
import org.entur.jwt.spring.filter.log.JwtMappedDiagnosticContextMapperFactory;
import org.entur.jwt.spring.properties.AuthorizationProperties;
import org.entur.jwt.spring.properties.Flavours;
import org.entur.jwt.spring.properties.JwtProperties;
import org.entur.jwt.spring.properties.MdcProperties;
import org.entur.jwt.spring.properties.SecurityProperties;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.boot.autoconfigure.AutoConfigureAfter;
import org.springframework.boot.autoconfigure.condition.ConditionalOnBean;
import org.springframework.boot.autoconfigure.condition.ConditionalOnExpression;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.web.DefaultSecurityFilterChain;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.access.intercept.AuthorizationFilter;
import org.springframework.security.web.header.writers.XXssProtectionHeaderWriter;

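/**
 * Auto-configures the Spring Security filter chain provided by this starter: request-level
 * authorization rules ({@code entur.authorization.*}), JWT resource-server authentication
 * ({@code entur.jwt.*}) and, optionally, a filter that copies JWT claims into the SLF4J MDC.
 *
 * <p>The chain is only built when the application does not define its own
 * {@code springSecurityFilterChain} bean. If it does, the nested guard classes abort startup
 * with an explanatory message instead of letting the application run without the
 * authentication/authorization the properties say it has.
 */
@EnableConfigurationProperties({SecurityProperties.class})
@Configuration
@AutoConfigureAfter({JwtWebAutoConfiguration.class})
@ConditionalOnExpression("${entur.authorization.enabled:true} || ${entur.jwt.enabled:true}")
public class JwtWebSecurityChainAutoConfiguration {
    private static final Logger log = LoggerFactory.getLogger(JwtWebSecurityChainAutoConfiguration.class);

    /**
     * Fail-fast guard: authorization is enabled (the default) but a custom
     * {@code springSecurityFilterChain} exists, so the rules configured by this starter
     * would never be applied to it. Startup is aborted rather than running unprotected.
     */
    @Configuration
    @ConditionalOnBean(name = {"springSecurityFilterChain"})
    @ConditionalOnProperty(name = {"entur.authorization.enabled"}, havingValue = "true", matchIfMissing = true)
    public static class AuthorizationConfigurationGuard {
        public AuthorizationConfigurationGuard() {
            // The exclusion hint must name THIS auto-configuration class: the guard is a member
            // of it, so excluding any other class would not silence this error.
            throw new IllegalStateException("Authorization does not work for custom spring filter chain. Add 'entur.authorization.enabled=false' or disable this starter using @SpringBootApplication(exclude = {JwtWebSecurityChainAutoConfiguration.class}).");
        }
    }

    /**
     * Builds the starter's own filter chain when no custom {@code springSecurityFilterChain}
     * is present. Exactly one of the two {@code SecurityFilterChain} beans below is created,
     * depending on whether JWT authentication is enabled.
     *
     * <p>NOTE(review): {@code @EnableGlobalMethodSecurity} is deprecated in Spring Security
     * 5.6+ in favour of {@code @EnableMethodSecurity}; it is kept here because the replacement
     * changes the authorization API (and {@code securedEnabled} defaults) — migrate deliberately.
     */
    @Configuration
    @ConditionalOnMissingBean(name = {"springSecurityFilterChain"})
    @ConditionalOnExpression("${entur.authorization.enabled:true} || ${entur.jwt.enabled:true}")
    @EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
    public static class CompositeWebSecurityConfigurerAdapter {
        private final SecurityProperties securityProperties;

        public CompositeWebSecurityConfigurerAdapter(SecurityProperties securityProperties) {
            this.securityProperties = securityProperties;
        }

        /**
         * Chain used when authorization is enabled but JWT authentication is switched off:
         * only the request-level authorization rules and the shared hardening are applied.
         *
         * @param httpSecurity the builder supplied by Spring Security
         * @return the built chain
         * @throws Exception propagated from {@link HttpSecurity#build()}
         */
        @Bean
        @ConditionalOnExpression("${entur.authorization.enabled:true} && !${entur.jwt.enabled:true}")
        public SecurityFilterChain securityWebFilterChain(HttpSecurity httpSecurity) throws Exception {
            JwtWebSecurityChainAutoConfiguration.log.info("Configure without JWT");
            AuthorizationProperties authorization = this.securityProperties.getAuthorization();
            if (authorization.isEnabled()) {
                httpSecurity.authorizeHttpRequests(new EnturAuthorizeHttpRequestsCustomizer(authorization));
            }
            return getSecurityFilterChain(httpSecurity);
        }

        /**
         * Chain used when JWT authentication is enabled: optional authorization rules, the
         * OAuth2 resource-server (JWT) configuration with flavour-specific authority
         * enrichers, and the optional MDC filter, followed by the shared hardening.
         *
         * @param httpSecurity the builder supplied by Spring Security
         * @param jwkSourceMap  the per-issuer JWK sources used to verify token signatures
         * @param list          authority enrichers defined as beans (flavour enrichers are appended)
         * @param list2         additional token validators defined as beans
         * @return the built chain
         * @throws Exception propagated from {@link HttpSecurity#build()}
         */
        @Bean
        @ConditionalOnExpression("${entur.jwt.enabled:true}")
        public SecurityFilterChain filterChain(HttpSecurity httpSecurity, JwkSourceMap jwkSourceMap, List<JwtAuthorityEnricher> list, List<OAuth2TokenValidator<Jwt>> list2) throws Exception {
            AuthorizationProperties authorization = this.securityProperties.getAuthorization();
            if (authorization.isEnabled()) {
                httpSecurity.authorizeHttpRequests(new EnturAuthorizeHttpRequestsCustomizer(authorization));
            }
            // NOTE(review): with entur.authorization.enabled=false no request-level rules are
            // registered here, so presumably a request carrying no bearer token is not rejected
            // by this chain; access control must then come from method security
            // (@PreAuthorize/@Secured, enabled on this class) — confirm that is the intent.
            JwtProperties jwt = this.securityProperties.getJwt();
            if (jwt.isEnabled()) {
                List<JwtAuthorityEnricher> enrichers = list;
                Flavours flavours = jwt.getFlavours();
                if (flavours.isEnabled()) {
                    // Copy before appending: the injected list must not be mutated.
                    enrichers = new ArrayList<>(list);
                    if (flavours.getAuth0().isEnabled()) {
                        enrichers.add(new Auth0JwtAuthorityEnricher());
                    }
                    if (flavours.getKeycloak().isEnabled()) {
                        enrichers.add(new KeycloakJwtAuthorityEnricher());
                    }
                }
                httpSecurity.oauth2ResourceServer(new EnturOauth2ResourceServerCustomizer(jwkSourceMap.getJwkSources(), enrichers, list2));
            }
            MdcProperties mdc = jwt.getMdc();
            if (mdc.isEnabled()) {
                // Inserted ahead of AuthorizationFilter so the claims are already in the MDC
                // while authorization decisions (and their log lines) are made.
                httpSecurity.addFilterBefore(new JwtMappedDiagnosticContextFilter(new JwtMappedDiagnosticContextMapperFactory().mapper(mdc)), AuthorizationFilter.class);
            }
            return getSecurityFilterChain(httpSecurity);
        }

        /**
         * Applies the hardening shared by both chains and builds the chain.
         *
         * <p>The chain is stateless (no HTTP session) and disables CSRF, form login, HTTP Basic
         * and logout. Leaving CSRF off is only safe while no cookie-carried credential is used,
         * i.e. authentication arrives in the Authorization header; re-enable it if cookie-based
         * authentication is ever added. CORS uses Spring's defaults, which presumably pick up a
         * {@code CorsConfigurationSource} bean if the application defines one.
         *
         * @param httpSecurity the builder to finish
         * @return the built chain
         * @throws Exception propagated from {@link HttpSecurity#build()}
         */
        private static DefaultSecurityFilterChain getSecurityFilterChain(HttpSecurity httpSecurity) throws Exception {
            // NOTE(review): "1; mode=block" follows older guidance. Current OWASP advice is to
            // send "X-XSS-Protection: 0" (HeaderValue.DISABLED): the browser XSS auditor no
            // longer exists in modern browsers and mode=block has been abused for XS-Leaks.
            // Kept as-is to preserve behaviour; consider switching.
            // The CSP only constrains script sources; there is no default-src fallback.
            httpSecurity.headers()
                    .xssProtection().headerValue(XXssProtectionHeaderWriter.HeaderValue.ENABLED_MODE_BLOCK)
                    .and()
                    .contentSecurityPolicy("script-src 'self'");
            return (DefaultSecurityFilterChain) httpSecurity
                    .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                    .and()
                    .csrf().disable()
                    .formLogin().disable()
                    .httpBasic().disable()
                    .logout().disable()
                    .cors(Customizer.withDefaults())
                    .build();
        }
    }

    /**
     * Fail-fast guard: JWT authentication is enabled (the default) but a custom
     * {@code springSecurityFilterChain} exists, so the resource-server configuration of this
     * starter would never be applied to it. Startup is aborted rather than running unauthenticated.
     */
    @Configuration
    @ConditionalOnBean(name = {"springSecurityFilterChain"})
    @ConditionalOnProperty(name = {"entur.jwt.enabled"}, havingValue = "true", matchIfMissing = true)
    public static class JwtConfigurationGuard {
        public JwtConfigurationGuard() {
            // The exclusion hint must name THIS auto-configuration class: the guard is a member
            // of it, so excluding any other class would not silence this error.
            throw new IllegalStateException("JWT authentication does not work for custom spring filter chain. Add 'entur.jwt.enabled=false' or disable this starter using @SpringBootApplication(exclude = {JwtWebSecurityChainAutoConfiguration.class}).");
        }
    }

    /**
     * Default authority enricher, registered only when the application does not define its own
     * {@link JwtAuthorityEnricher} and JWT authentication is enabled.
     */
    @ConditionalOnMissingBean({JwtAuthorityEnricher.class})
    @ConditionalOnProperty(name = {"entur.jwt.enabled"}, havingValue = "true", matchIfMissing = true)
    @Bean
    public JwtAuthorityEnricher jwtAuthorityEnricher() {
        return new DefaultJwtAuthorityEnricher();
    }

    /**
     * Registers a {@link UserDetailsService} when the application defines none.
     *
     * <p>Presumably this exists so that Spring Boot's default in-memory user (whose generated
     * password is printed in the startup log) is not created for a bearer-token-only service —
     * confirm against {@code NoUserDetailsService}. It is not a credential source.
     */
    @ConditionalOnMissingBean({UserDetailsService.class})
    @ConditionalOnProperty(name = {"entur.jwt.enabled"}, havingValue = "true", matchIfMissing = true)
    @Bean
    public UserDetailsService userDetailsService() {
        return new NoUserDetailsService();
    }
}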
