package org.factcast.server.grpc;

import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
import java.io.IOException;
import java.io.InputStream;
import java.util.Collections;
import java.util.List;
import lombok.Generated;
import net.devh.boot.grpc.server.autoconfigure.GrpcServerSecurityAutoConfiguration;
import net.devh.boot.grpc.server.security.authentication.BasicGrpcAuthenticationReader;
import net.devh.boot.grpc.server.security.authentication.GrpcAuthenticationReader;
import org.factcast.server.grpc.auth.CredentialConfiguration;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.boot.autoconfigure.AutoConfigureBefore;
import org.springframework.boot.autoconfigure.condition.ConditionalOnBean;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.boot.autoconfigure.condition.ConditionalOnResource;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Primary;
import org.springframework.core.io.ClassPathResource;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.password.NoOpPasswordEncoder;

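/**
 * Spring configuration that wires authentication for the FactCast gRPC server.
 *
 * <p>Two mutually exclusive modes are defined here, selected by the presence of a
 * {@link CredentialConfiguration} bean:
 *
 * <ul>
 *   <li><b>Secured</b>: a {@code CredentialConfiguration} exists (supplied by the application or
 *       read from {@code factcast-security.json} on the classpath). Callers authenticate with
 *       HTTP-Basic style credentials that are checked against that configuration.
 *   <li><b>Disabled</b>: no {@code CredentialConfiguration} exists. Every call is authenticated as
 *       the fixed principal {@code security_disabled} with {@code ROLE_READ} and
 *       {@code ROLE_WRITE}.
 * </ul>
 *
 * <p>Security note: the configuration fails open. A missing or misnamed
 * {@code factcast-security.json} silently selects the disabled mode, and the only signal is the
 * WARN line emitted by {@link #godModeUserDetailsService()}. Deployments that expect security to
 * be on should check startup logs for that line.
 */
@AutoConfigureBefore({GrpcServerSecurityAutoConfiguration.class})
@Configuration
@EnableGlobalMethodSecurity(securedEnabled = true, proxyTargetClass = true)
public class FactCastSecurityConfiguration {

    /** Principal name and password used for every call when security is disabled. */
    private static final String SECURITY_DISABLED = "security_disabled";

    @SuppressFBWarnings(justification = "generated code")
    @Generated
    private static final Logger log = LoggerFactory.getLogger(FactCastSecurityConfiguration.class);

    /**
     * Reads the credential configuration from {@code factcast-security.json} on the classpath.
     *
     * <p>Only registered when the application has not defined its own
     * {@link CredentialConfiguration} and the resource is present.
     *
     * @return the parsed credential configuration
     * @throws IOException if the resource cannot be opened or read
     */
    @ConditionalOnMissingBean({CredentialConfiguration.class})
    @ConditionalOnResource(resources = {"classpath:factcast-security.json"})
    @Bean
    public CredentialConfiguration credentialConfigurationFromClasspath() throws IOException {
        // try-with-resources closes the stream on both the normal and the exceptional path.
        try (InputStream inputStream =
                new ClassPathResource("/factcast-security.json").getInputStream()) {
            return CredentialConfiguration.read(inputStream);
        }
    }

    /**
     * Looks users up in the {@link CredentialConfiguration} (secured mode).
     *
     * @param credentialConfiguration source of the known credentials
     * @return a service that resolves a username to its {@link UserDetails}, or throws
     *     {@link UsernameNotFoundException} when the name is unknown
     */
    @ConditionalOnBean({CredentialConfiguration.class})
    @Bean
    @Primary
    UserDetailsService userDetailsService(CredentialConfiguration credentialConfiguration) {
        log.info("FactCast Security is enabled.");
        return username -> {
            log.debug("*** username is {}", username);
            return credentialConfiguration
                    .find(username)
                    .map(credential -> {
                        // Log only that a match exists. The credential object itself is kept out
                        // of the log because its string form may contain the secret (its
                        // toString() is not visible from this class).
                        log.debug("*** found credential for {}", username);
                        return (UserDetails) credential.toUser();
                    })
                    .orElseThrow(() -> new UsernameNotFoundException(username));
        };
    }

    /**
     * Extracts Basic credentials from incoming gRPC calls (secured mode).
     *
     * @return a reader for Basic authentication metadata
     */
    @ConditionalOnBean({CredentialConfiguration.class})
    @Bean
    @Primary
    GrpcAuthenticationReader authenticationReader() {
        return new BasicGrpcAuthenticationReader();
    }

    /**
     * Builds the authentication manager around the single DAO provider.
     *
     * @param daoAuthenticationProvider the only provider consulted
     * @return a manager delegating to {@code daoAuthenticationProvider}
     */
    @Bean
    AuthenticationManager authenticationManager(DaoAuthenticationProvider daoAuthenticationProvider) {
        return new ProviderManager(Collections.singletonList(daoAuthenticationProvider));
    }

    /**
     * Builds the provider that checks presented credentials against the user details service.
     *
     * @param userDetailsService the lookup used to resolve usernames
     * @return the configured provider
     */
    @Bean
    DaoAuthenticationProvider daoAuthenticationProvider(UserDetailsService userDetailsService) {
        DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
        provider.setUserDetailsService(userDetailsService);
        // SECURITY: NoOpPasswordEncoder compares passwords as plain text, so the secrets held by
        // the CredentialConfiguration are stored unhashed. The disabled mode below also relies on
        // this literal comparison. Treat the credential source as sensitive material; moving to a
        // hashing encoder needs a migration of the stored secrets and is deliberately not done
        // here.
        provider.setPasswordEncoder(NoOpPasswordEncoder.getInstance());
        return provider;
    }

    /**
     * Returns the same all-access user for any username (disabled mode).
     *
     * @return a service that ignores the requested name and yields the {@code security_disabled}
     *     user with {@code ROLE_READ} and {@code ROLE_WRITE}
     */
    @ConditionalOnMissingBean({CredentialConfiguration.class})
    @Bean
    UserDetailsService godModeUserDetailsService() {
        log.warn("**** FactCast Security is disabled. This is discouraged for production environments. You have been warned. ****");
        // A fresh User is created per lookup, as before; the authority list is built inline so no
        // raw-typed local is needed.
        return username ->
                new User(
                        SECURITY_DISABLED,
                        SECURITY_DISABLED,
                        AuthorityUtils.commaSeparatedStringToAuthorityList("ROLE_READ,ROLE_WRITE"));
    }

    /**
     * Supplies the fixed {@code security_disabled} credentials for every call (disabled mode).
     *
     * <p>Call metadata is not inspected, so anything the client sends is ignored.
     *
     * @return a reader that always yields the same unauthenticated token
     */
    @ConditionalOnMissingBean({CredentialConfiguration.class})
    @Bean
    GrpcAuthenticationReader noOpAuthenticationReader() {
        UsernamePasswordAuthenticationToken fixedToken =
                new UsernamePasswordAuthenticationToken(SECURITY_DISABLED, SECURITY_DISABLED);
        return (serverCall, metadata) -> fixedToken;
    }
}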
