package org.factcast.server.grpc;

import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
import java.io.IOException;
import java.io.InputStream;
import java.util.Collections;
import java.util.List;
import java.util.stream.Collectors;
import lombok.Generated;
import net.devh.boot.grpc.server.autoconfigure.GrpcServerSecurityAutoConfiguration;
import net.devh.boot.grpc.server.security.authentication.BasicGrpcAuthenticationReader;
import net.devh.boot.grpc.server.security.authentication.GrpcAuthenticationReader;
import org.factcast.server.grpc.auth.FactCastAccessConfiguration;
import org.factcast.server.grpc.auth.FactCastAccount;
import org.factcast.server.grpc.auth.FactCastUser;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.boot.autoconfigure.AutoConfigureBefore;
import org.springframework.boot.autoconfigure.condition.ConditionalOnBean;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.boot.autoconfigure.condition.ConditionalOnResource;
import org.springframework.boot.context.properties.ConfigurationProperties;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Primary;
import org.springframework.core.io.ClassPathResource;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.password.NoOpPasswordEncoder;

@AutoConfigureBefore({GrpcServerSecurityAutoConfiguration.class})
@EnableConfigurationProperties
@Configuration
@EnableGlobalMethodSecurity(securedEnabled = true, proxyTargetClass = true)
/* loaded from: input_file:org/factcast/server/grpc/FactCastSecurityConfiguration.class */
public class FactCastSecurityConfiguration {

    @SuppressFBWarnings(justification = "generated code")
    @Generated
    private static final Logger log = LoggerFactory.getLogger(FactCastSecurityConfiguration.class);
    private static final String CLASSPATH_FACTCAST_ACCESS_JSON = "/factcast-access.json";

    @ConditionalOnResource(resources = {"classpath:factcast-security.json"})
    @Bean(name = {"no_longer_used"})
    public Object credentialConfigurationFromClasspath() {
        throw new IllegalArgumentException("classpath:factcast-security.json was removed in this release. Please read the migration guide.");
    }

    @ConfigurationProperties(prefix = "factcast.access", ignoreUnknownFields = false)
    @Bean
    public FactCastSecretProperties factCastSecretProperties() {
        return new FactCastSecretProperties();
    }

    @ConfigurationProperties(prefix = "factcast.security", ignoreUnknownFields = false)
    @Bean
    public FactcastSecurityProperties factcastSecurityProperties() {
        return new FactcastSecurityProperties();
    }

    @ConditionalOnMissingBean({FactCastAccessConfiguration.class})
    @ConditionalOnResource(resources = {"classpath:/factcast-access.json"})
    @Bean
    @Primary
    public FactCastAccessConfiguration authenticationConfig(FactCastSecretProperties factCastSecretProperties) throws IOException {
        InputStream inputStream = new ClassPathResource(CLASSPATH_FACTCAST_ACCESS_JSON).getInputStream();
        try {
            FactCastAccessConfiguration read = FactCastAccessConfiguration.read(inputStream);
            List<String> list = (List) read.accounts().stream().map((v0) -> {
                return v0.id();
            }).collect(Collectors.toList());
            for (String str : list) {
                if (!factCastSecretProperties.getSecrets().containsKey(str)) {
                    throw new IllegalArgumentException("Missing secret for account: '" + str + "'");
                }
            }
            for (String str2 : factCastSecretProperties.getSecrets().keySet()) {
                if (!list.contains(str2)) {
                    log.warn("Secret found for account '" + str2 + "' but the account is not defined in FactCastAccessConfiguration");
                }
            }
            if (inputStream != null) {
                inputStream.close();
            }
            return read;
        } catch (Throwable th) {
            if (inputStream != null) {
                try {
                    inputStream.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    @ConditionalOnBean({FactCastAccessConfiguration.class})
    @Bean
    @Primary
    UserDetailsService userDetailsService(FactCastAccessConfiguration factCastAccessConfiguration, FactCastSecretProperties factCastSecretProperties) {
        log.info("FactCast Security is enabled.");
        return str -> {
            return (UserDetails) factCastAccessConfiguration.findAccountById(str).map(factCastAccount -> {
                return toUser(factCastAccount, factCastSecretProperties.getSecrets().get(factCastAccount.id()));
            }).orElseThrow(() -> {
                return new UsernameNotFoundException(str);
            });
        };
    }

    private FactCastUser toUser(FactCastAccount factCastAccount, String str) {
        return new FactCastUser(factCastAccount, str);
    }

    @ConditionalOnBean({FactCastAccessConfiguration.class})
    @Bean
    @Primary
    GrpcAuthenticationReader authenticationReader() {
        return new BasicGrpcAuthenticationReader();
    }

    @Bean
    AuthenticationManager authenticationManager(DaoAuthenticationProvider daoAuthenticationProvider) {
        return new ProviderManager(Collections.singletonList(daoAuthenticationProvider));
    }

    @Bean
    DaoAuthenticationProvider daoAuthenticationProvider(UserDetailsService userDetailsService) {
        DaoAuthenticationProvider daoAuthenticationProvider = new DaoAuthenticationProvider();
        daoAuthenticationProvider.setUserDetailsService(userDetailsService);
        daoAuthenticationProvider.setPasswordEncoder(NoOpPasswordEncoder.getInstance());
        return daoAuthenticationProvider;
    }

    @ConditionalOnMissingBean({FactCastAccessConfiguration.class})
    @Bean
    UserDetailsService godModeUserDetailsService(FactcastSecurityProperties factcastSecurityProperties) {
        if (!factcastSecurityProperties.isEnabled()) {
            log.warn("**** FactCast Security is disabled. This is discouraged for production environments. You have been warned. ****");
            return str -> {
                return new FactCastUser(FactCastAccount.GOD, "security_disabled");
            };
        }
        log.error("**** FactCast Security is disabled. ****");
        log.error("* If you really want to, you can run Factcast in such a configuration ");
        log.error("* by adding a property 'factcast.security.enabled=false' to your setup. However, it is");
        log.error("* highly encouraged to provide a factcast-access.json instead.");
        log.error("**** -> see https://docs.factcast.org/setup/examples/grpc-config-basicauth/");
        System.exit(1);
        return null;
    }

    @ConditionalOnMissingBean({FactCastAccessConfiguration.class})
    @Bean
    GrpcAuthenticationReader noOpAuthenticationReader() {
        UsernamePasswordAuthenticationToken usernamePasswordAuthenticationToken = new UsernamePasswordAuthenticationToken("security_disabled", "security_disabled");
        return (serverCall, metadata) -> {
            return usernamePasswordAuthenticationToken;
        };
    }
}
