package org.entur.jwt.spring;

import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import org.entur.jwt.spring.config.EnturAuthorizeHttpRequestsCustomizer;
import org.entur.jwt.spring.config.EnturOauth2ResourceServerCustomizer;
import org.entur.jwt.spring.properties.AuthorizationProperties;
import org.entur.jwt.spring.properties.Flavours;
import org.entur.jwt.spring.properties.JwtProperties;
import org.entur.jwt.spring.properties.SecurityProperties;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.boot.autoconfigure.AutoConfigureAfter;
import org.springframework.boot.autoconfigure.condition.ConditionalOnBean;
import org.springframework.boot.autoconfigure.condition.ConditionalOnExpression;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.method.configuration.EnableReactiveMethodSecurity;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.core.userdetails.MapReactiveUserDetailsService;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.header.XXssProtectionServerHttpHeadersWriter;
import org.springframework.security.web.server.savedrequest.NoOpServerRequestCache;

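/**
 * Auto-configuration that builds the reactive (WebFlux) security filter chain for this starter.
 *
 * <p>The configuration is active when {@code entur.authorization.enabled} or
 * {@code entur.jwt.enabled} evaluates to true; both default to {@code true} when unset.
 *
 * <p>Security review notes:
 * <ul>
 *   <li>The two guard classes abort start-up when a bean named {@code springSecurityFilterChain}
 *       already exists, so an application-defined chain cannot silently replace this one.</li>
 *   <li>Path-based access rules are only registered when authorization is enabled. With
 *       {@code entur.authorization.enabled=false} no {@code authorizeExchange} rules are added
 *       here, so access control must come from elsewhere (for example method security).</li>
 * </ul>
 */
@EnableConfigurationProperties({SecurityProperties.class})
@Configuration
@AutoConfigureAfter({JwtWebFluxAutoConfiguration.class})
@ConditionalOnExpression("${entur.authorization.enabled:true} || ${entur.jwt.enabled:true}")
public class JwtWebFluxSecurityAutoConfiguration {
    private static final Logger log = LoggerFactory.getLogger(JwtWebFluxSecurityAutoConfiguration.class);

    /**
     * Fails application start-up when authorization is enabled (the default) while a bean named
     * {@code springSecurityFilterChain} is already present.
     */
    @Configuration
    @ConditionalOnBean(name = {"springSecurityFilterChain"})
    @ConditionalOnProperty(name = {"entur.authorization.enabled"}, havingValue = "true", matchIfMissing = true)
    public static class AuthorizationConfigurationGuard {
        /**
         * @throws IllegalStateException always; instantiating this guard means the conflicting
         *     configuration was detected
         */
        public AuthorizationConfigurationGuard() {
            // NOTE(review): the message names JwtWebSecurityConfigurerAdapterAutoConfiguration, while
            // this class is JwtWebFluxSecurityAutoConfiguration - confirm which class users must exclude.
            throw new IllegalStateException("Authorization does not work for custom spring filter chain. Add 'entur.authorization.enabled=false' or disable this starter using @SpringBootApplication(exclude = {JwtWebSecurityConfigurerAdapterAutoConfiguration.class}).");
        }
    }

    /**
     * Declares the {@link SecurityWebFilterChain} beans and the fallback user-details beans. Only
     * active when no bean named {@code springSecurityFilterChain} exists.
     */
    @Configuration
    @EnableWebFluxSecurity
    @ConditionalOnMissingBean(name = {"springSecurityFilterChain"})
    @EnableReactiveMethodSecurity
    @ConditionalOnExpression("${entur.authorization.enabled:true} || ${entur.jwt.enabled:true}")
    public static class CompositeWebSecurityConfigurerAdapter {
        private final SecurityProperties securityProperties;

        /**
         * @param securityProperties bound security settings read by the bean methods below
         */
        public CompositeWebSecurityConfigurerAdapter(SecurityProperties securityProperties) {
            this.securityProperties = securityProperties;
        }

        /**
         * Builds the filter chain used when authorization is enabled and JWT is disabled.
         *
         * <p>No authentication mechanism is registered by this method: form login and HTTP basic
         * are disabled in {@link #getSecurityWebFilterChain(ServerHttpSecurity)} and no resource
         * server is configured. NOTE(review): confirm how callers are expected to authenticate in
         * this mode.
         *
         * @param serverHttpSecurity the builder to configure
         * @return the built filter chain
         * @throws Exception declared for compatibility; nothing visible here throws a checked exception
         */
        @Bean
        @ConditionalOnExpression("${entur.authorization.enabled:true} && !${entur.jwt.enabled:true}")
        public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity serverHttpSecurity) throws Exception {
            log.info("Configure without JWT");
            AuthorizationProperties authorization = this.securityProperties.getAuthorization();
            if (authorization.isEnabled()) {
                serverHttpSecurity.authorizeExchange(new EnturAuthorizeHttpRequestsCustomizer(authorization));
            }
            return getSecurityWebFilterChain(serverHttpSecurity);
        }

        /**
         * Builds the filter chain used when JWT is enabled, optionally with path authorization.
         *
         * @param serverHttpSecurity the builder to configure
         * @param jwkSourceMap provides the JWK sources handed to the resource-server customizer
         * @param list authority enrichers found in the context; never modified, a copy is extended
         *     with the enabled flavour enrichers
         * @param list2 token validators handed to the resource-server customizer
         * @return the built filter chain
         * @throws IllegalStateException if MDC support is enabled, which is rejected for WebFlux
         * @throws Exception declared for compatibility; nothing visible here throws a checked exception
         */
        @Bean
        @ConditionalOnExpression("${entur.jwt.enabled:true}")
        public SecurityWebFilterChain jwtSecurityWebFilterChain(ServerHttpSecurity serverHttpSecurity, JwkSourceMap jwkSourceMap, List<JwtAuthorityEnricher> list, List<OAuth2TokenValidator<Jwt>> list2) throws Exception {
            log.info("Configure with JWT");
            AuthorizationProperties authorization = this.securityProperties.getAuthorization();
            if (authorization.isEnabled()) {
                serverHttpSecurity.authorizeExchange(new EnturAuthorizeHttpRequestsCustomizer(authorization));
            }
            // NOTE(review): when authorization is disabled no authorizeExchange rules are registered
            // above; verify that unauthenticated exchanges are rejected elsewhere in that setup.
            JwtProperties jwt = this.securityProperties.getJwt();
            if (jwt.isEnabled()) {
                List<JwtAuthorityEnricher> enrichers = list;
                Flavours flavours = jwt.getFlavours();
                if (flavours.isEnabled()) {
                    // Work on a typed copy so the injected list is left untouched.
                    List<JwtAuthorityEnricher> withFlavours = new ArrayList<>(list);
                    if (flavours.getAuth0().isEnabled()) {
                        withFlavours.add(new Auth0JwtAuthorityEnricher());
                    }
                    if (flavours.getKeycloak().isEnabled()) {
                        withFlavours.add(new KeycloakJwtAuthorityEnricher());
                    }
                    enrichers = withFlavours;
                }
                serverHttpSecurity.oauth2ResourceServer(new EnturOauth2ResourceServerCustomizer(jwkSourceMap.getJwkSources(), enrichers, list2));
            }
            if (jwt.getMdc().isEnabled()) {
                throw new IllegalStateException("MDC not supported for webflux yet");
            }
            return getSecurityWebFilterChain(serverHttpSecurity);
        }

        /**
         * Applies the settings shared by both chains and builds the chain: no request cache, and
         * CSRF protection, form login, HTTP basic and logout all disabled; CORS uses the defaults.
         *
         * @param serverHttpSecurity the builder to finish
         * @return the built filter chain
         */
        private static SecurityWebFilterChain getSecurityWebFilterChain(ServerHttpSecurity serverHttpSecurity) {
            // NOTE(review): "X-XSS-Protection: 1; mode=block" targets the legacy browser XSS auditor;
            // current guidance favours a Content-Security-Policy instead - consider revisiting.
            serverHttpSecurity.headers()
                    .xssProtection()
                    .headerValue(XXssProtectionServerHttpHeadersWriter.HeaderValue.ENABLED_MODE_BLOCK);
            // CSRF is switched off for every exchange. That fits bearer tokens sent in a header;
            // it is not safe if credentials ever travel in cookies.
            return serverHttpSecurity
                    .requestCache().requestCache(NoOpServerRequestCache.getInstance())
                    .and()
                    .csrf().disable()
                    .formLogin().disable()
                    .httpBasic().disable()
                    .logout().disable()
                    .cors(Customizer.withDefaults())
                    .build();
        }

        /**
         * Registers a user store with no users when the application defines none.
         * Presumably this keeps a default user from being auto-created - confirm.
         *
         * @return a reactive user-details service backed by an empty map
         */
        @ConditionalOnMissingBean({MapReactiveUserDetailsService.class})
        @Bean
        public MapReactiveUserDetailsService reactiveUserDetailsService() {
            return new MapReactiveUserDetailsService(new HashMap<>());
        }

        /**
         * Registers the starter's {@code NoUserDetailsService} when the application defines no
         * {@link UserDetailsService}.
         *
         * @return the fallback user-details service
         */
        @ConditionalOnMissingBean({UserDetailsService.class})
        @Bean
        public UserDetailsService userDetailsService() {
            return new NoUserDetailsService();
        }
    }

    /**
     * Fails application start-up when JWT is enabled (the default) while a bean named
     * {@code springSecurityFilterChain} is already present.
     */
    @Configuration
    @ConditionalOnBean(name = {"springSecurityFilterChain"})
    @ConditionalOnProperty(name = {"entur.jwt.enabled"}, havingValue = "true", matchIfMissing = true)
    public static class JwtConfigurationGuard {
        /**
         * @throws IllegalStateException always; instantiating this guard means the conflicting
         *     configuration was detected
         */
        public JwtConfigurationGuard() {
            // NOTE(review): the message names JwtWebSecurityConfigurerAdapterAutoConfiguration, while
            // this class is JwtWebFluxSecurityAutoConfiguration - confirm which class users must exclude.
            throw new IllegalStateException("JWT authentication does not work for custom spring filter chain. Add 'entur.jwt.enabled=false' or disable this starter using @SpringBootApplication(exclude = {JwtWebSecurityConfigurerAdapterAutoConfiguration.class}).");
        }
    }

    /**
     * Supplies the default authority enricher when JWT is enabled and the application has not
     * defined a {@link JwtAuthorityEnricher} of its own.
     *
     * @return a new {@code DefaultJwtAuthorityEnricher}
     */
    @ConditionalOnMissingBean({JwtAuthorityEnricher.class})
    @ConditionalOnProperty(name = {"entur.jwt.enabled"}, havingValue = "true", matchIfMissing = true)
    @Bean
    public JwtAuthorityEnricher jwtAuthorityEnricher() {
        return new DefaultJwtAuthorityEnricher();
    }
}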
